Closed owittek closed 1 year ago
I do not believe that this is possible.
I’m looking at the security command on macOS and I don’t see a way of getting a list of entries and the find-generic-password subcommand does not appear to understand any sort of wildcards.
Even if this were possible, it would need to be implemented upstream in https://github.com/zalando/go-keyring before it could be taken advantage of by chezmoi.
The chezmoi secret keyring functionality shouldn’t be considered a password manager and should instead be used to backstop more purpose-suited options, as it exclusively works with *-generic-password subcommands on security(1) on macOS and uses GNOME keyring on Linux (and there is no Windows implementation as far as I can tell).
+1 on what @halostatue says.
The correct solution here is to use a password manager which manages your secrets across multiple machines.
Which is not to say it wouldn’t be a good idea. There’s just not a way to do it with the underlying tools.
I didn't want to expose access to my password manager to the shell so I chose to use keyring instead.
Thanks for the input!
Another alternative is to configure encryption and use the decrypt template function in your templates. This gives you a poor man's cross-platform password manager with the secrets encrypted with either age or gpg.
Is your feature request related to a problem? Please describe.
When working with secrets it's hard to keep track which secrets I've set on which machine and what their values are.
Describe the solution you'd like
I'm not sure how other secret/password managers would be handled but for the usage of keyring it would be helpful to have something like:
chezmoi secret keyring list to get all services and their users
chezmoi secret keyring list --show-secrets to also list the secret values
chezmoi secret keyring list --service github to list all the users for a specific service
Describe alternatives you've considered
Considering that most other cli tools do something similar (e.g. pip & npm to list settings) I think this is the sanest solution, not sure how else this could be implemented.
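Since the thread establishes that the keyring cannot be enumerated, one way to track which secrets are set on a machine is to probe a list of expected service/user pairs. The script below is an added example, not part of the thread or of chezmoi; the manifest format, the function names and the KEYRING_GET override are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit which expected keyring entries exist on this machine.
# The keyring has no "list" operation, so each known service/user pair is
# probed individually. Secret values are never printed.
#
# Manifest format (an assumption of this example), one pair per line:
#   # comment
#   github alice
#   npm bob

# keyring_lookup SERVICE USER: succeeds if the entry exists.
# KEYRING_GET (hypothetical override) names an alternative lookup command,
# which lets the audit be exercised without touching a real keyring.
keyring_lookup() {
    if [ -n "${KEYRING_GET:-}" ]; then
        "$KEYRING_GET" "$1" "$2" >/dev/null 2>&1 </dev/null
    else
        # Output is discarded so the secret never reaches the terminal or logs.
        chezmoi secret keyring get --service="$1" --user="$2" \
            >/dev/null 2>&1 </dev/null
    fi
}

# audit_keyring MANIFEST: prints "present|missing SERVICE USER" per entry.
# Returns 0 if every entry is present, 1 if any is missing.
audit_keyring() {
    missing=0
    while read -r service user; do
        # Skip blank lines and comments.
        case "$service" in ''|'#'*) continue ;; esac
        if keyring_lookup "$service" "$user"; then
            printf 'present %s %s\n' "$service" "$user"
        else
            printf 'missing %s %s\n' "$service" "$user"
            missing=1
        fi
    done < "$1"
    return "$missing"
}

# Run the audit when a manifest path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_keyring "$1"
fi
```

The manifest holds only service and user names, so it can be kept alongside the dotfiles without exposing secret values.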