feat: Support YubiKeys in KeePassXC open mode #3911
The changes look good to me, but I have the same problem as you for testing.
Thanks for the quick response. I tested it and the arguments and the command are in the correct order, but unfortunately chezmoi does not wait for confirmation (user has to physically touch the device/key) to confirm authentication. Here is the debug output:

time=2024-08-21T00:13:30.841+02:00 level=INFO msg=Start cmd="/home/<user>/.local/share/devbox/global/default/.devbox/nix/profile/default/bin/keepassxc-cli open --no-password --yubikey 1:2343434 /home/<user>/Documents/digital-identity/KeePass.kdbx" start=2024-08-21T00:13:30.841+02:00 err=<nil>
chezmoi: .config/rclone/rclone.conf: template: dot_config/rclone/rclone.conf.tmpl:2:3: executing "dot_config/rclone/rclone.conf.tmpl" at <keepassxcAttribute "rclone-config" "rclone.conf">: error calling keepassxcAttribute: Please present or touch your YubiKey to continue.

Steps: Immediately after the message, chezmoi exits, while the key's confirmation light is on (meaning it is waiting for confirmation).

Edit: It did wait for the confirmation when using non-"open" mode in the previous version.

Edit 2: Here is the output for the standard show using the new build (it is the same as before):

time=2024-08-21T00:26:47.827+02:00 level=INFO msg=ReadFile component=system name=/home/<user>miha/repos/personal/dotfiles/home/dot_config/rclone/rclone.conf.tmpl size=98 data="{{ if not (env \"ENCRYPTED\") -}}\n{{ keepassxcAttribute \"rclone-co..."
Hardware key error: operation would block

On |
Any clue as to what options or output KeePassXC gives before it can accept further commands? The relevant code is at chezmoi/internal/cmd/keepassxctemplatefuncs.go Lines 193 to 272 in 0493ea5
Edit: link to code in this PR. |
When doing both So, how it gets to As for the code, I don't have any clues. I did look up, and it seems it is not that trivial, this thread (last comment in particular) might give some hints keepassxreboot/keepassxc#8969. Unfortunately, I am not that familiar with bash scripting to give an answer. |
I did test right now with the template command:
|
Thanks for the testing! Note that chezmoi already uses The reason for this error message:
is that chezmoi was expecting an I've pushed a second commit to PR that makes chezmoi expect the Would you be able to test this? I don't have a recent YubiKey or use KeePassXC, so this might take a few iterations to get right with you doing the testing and me writing the code. I hope you're OK with that - I'd like to get this working :) |
Minor update: I found a YubiKey 5C NFC in my box of stuff and have set up KeePassXC to work with this. So, I can now test locally. |
I was trying to debug using latest commit:

❯ /usr/local/bin/chezmoi --version
chezmoi version dev, commit 2b2a25d3b242b13b7245dc48d524489ca4d0130d, built at 2024-08-25T22:20:42Z
# I added some modifications on how the outputs are here
❯ /usr/local/bin/chezmoi execute-template '{{ keepassxcAttribute "git-config" "gitconfig" }}' --verbose
matched keepassxcPleasePresentOrTouchYourYubiKeyToContinueRx
not matched keepassxcPromptRx
chezmoi: template: arg1:1:3: executing "arg1" at <keepassxcAttribute "git-config" "gitconfig">: error calling keepassxcAttribute: "\r\n": unexpected prompt

The error I am not sure if we can change Edit: If I change to |
Thanks again for the testing! I've updated this PR with new code which works locally for me. My test config contains:

[keepassxc]
database = "/home/twp/Passwords.kdbx"
openArgs = ["--no-password", "--yubikey", "2:18281566"]
mode = "open"

Example run:

$ chezmoi execute-template '{{ keepassxc "chezmoi test" | toJson }}'
Please present or touch your YubiKey to continue.
{"Notes":"","Password":"'rW*b25hhsP91a.*bX#C","Tags":"","Title":"chezmoi test","URL":"","UserName":"","Uuid":"{2d7c6567-1f44-4139-bafb-5f886b2e08b7}"}%

Would you be able to test this version? |
Tested and can confirm that it works. And is much faster than non Would it be possible to have just |
Yes, this makes sense because |
Tested and works as before. Thank you. |
Great! I'll merge once the CI checks are complete. I'll likely do the next release of chezmoi towards the end of the week (the release cycle is roughly every two weeks). |
Fixes #3910.
@mihakrumpestar would you be able to test this? tl;dr replace keepassxc.args with keepassxc.openArgs in your config file and it should work.

It's not easy for me to write a test for it because I don't use KeePassXC, don't have a YubiKey, and the "open" mode has two processes communicating with each other through a terminal.
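
An added illustration of the failure discussed in this thread, not chezmoi's code: a Go reader that blocks until the interactive prompt appears while tolerating the YubiKey touch notice and stray CRLF lines, and rejects any other output. The function name, both regular expressions and the "Passwords.kdbx> " prompt shape are assumptions, and the sample transcript is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical patterns. The touch notice is the message quoted in the thread;
// the prompt shape ("<name>> " with no trailing newline) is an assumption.
var (
	touchRx  = regexp.MustCompile(`^Please present or touch your YubiKey to continue\.$`)
	promptRx = regexp.MustCompile(`^\S.*> $`)
)

// waitForPrompt consumes terminal output until a prompt is seen. It reads byte
// by byte because the prompt is not newline-terminated, and it blocks on the
// reader instead of giving up while the hardware key waits for a touch.
func waitForPrompt(r *bufio.Reader) (bool, error) {
	touchSeen := false
	var buf strings.Builder
	for {
		b, err := r.ReadByte()
		if err != nil {
			return touchSeen, fmt.Errorf("%q: no prompt before %w", buf.String(), err)
		}
		switch b {
		case '\r': // a terminal emits CRLF; drop the CR
		case '\n':
			line := buf.String()
			buf.Reset()
			switch {
			case line == "": // blank line between notice and prompt
			case touchRx.MatchString(line):
				touchSeen = true
			default: // fail closed on anything unrecognised
				return touchSeen, fmt.Errorf("%q: unexpected output", line)
			}
		default:
			buf.WriteByte(b)
			if promptRx.MatchString(buf.String()) {
				return touchSeen, nil
			}
		}
	}
}

func main() {
	// Constructed transcript: touch notice, blank line, then the prompt.
	sample := "Please present or touch your YubiKey to continue.\r\n\r\nPasswords.kdbx> "
	fmt.Println(waitForPrompt(bufio.NewReader(strings.NewReader(sample))))
}
```
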