Check org.gpgtools.common UseKeychain on MacOS (gopasspw#2144)

RELEASE_NOTES=[ENHANCENMENT] Check for MacOS Keychain storing the GPG passphrase. Fixes gopasspw#2137 Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
kpitt · Mar 7, 2022 · 772d644 · 772d644
1 parent 26130ac
commit 772d644
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/internal/action/reminder.go b/internal/action/reminder.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 
+	"github.com/gopasspw/gopass/internal/env"
 	"github.com/gopasspw/gopass/internal/out"
 	"github.com/gopasspw/gopass/pkg/ctxutil"
 )
@@ -19,6 +20,18 @@ func (s *Action) printReminder(ctx context.Context) {
 		return
 	}
 
+	// this might be printed along other reminders
+	if s.rem.Overdue("env") {
+		msg, err := env.Check(ctx)
+		if err != nil {
+			out.Warningf(ctx, "Failed to check environment: %s", err)
+		}
+		if msg != "" {
+			out.Warningf(ctx, "%s", msg)
+		}
+		s.rem.Reset("env")
+	}
+
 	// Note: We only want to print one reminder per day (at most).
 	// So we intentionally return after printing one, leaving the others
 	// for the following days.

diff --git a/internal/env/env_darwin.go b/internal/env/env_darwin.go
@@ -0,0 +1,42 @@
+//go:build darwin
+// +build darwin
+
+package env
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+var (
+	// Stdin is exported for tests.
+	Stdin io.Reader = os.Stdin
+	// Stderr is exported for tests.
+	Stderr io.Writer = os.Stderr
+)
+
+func Check(ctx context.Context) (string, error) {
+	buf := &bytes.Buffer{}
+
+	cmd := exec.CommandContext(ctx, "defaults", "read", "org.gpgtools.common", "UseKeychain")
+	cmd.Stdin = Stdin
+	cmd.Stdout = buf
+	cmd.Stderr = Stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", err
+	}
+
+	// if the keychain is not used, we can skip the rest
+	if strings.ToUpper(strings.TrimSpace(buf.String())) == "NO" {
+		return "", nil
+	}
+
+	// gpg uses the keychain to store the passphrase, warn once in a while that users
+	// might want to change that because it's not secure.
+	return "pinentry-mac will use the MacOS Keychain to store your passphrase indefinitely. Consider running 'defaults write org.gpgtools.common UseKeychain NO' to disable that.", nil
+}
diff --git a/internal/env/env_others.go b/internal/env/env_others.go
@@ -0,0 +1,11 @@
+//go:build !darwin
+// +build !darwin
+
+package env
+
+import "context"
+
+// Check does nothing on these OSes, yet.
+func Check(ctx context.Context) (string, error) {
+	return "", nil
+}