Thanks for the quick response.

I tested it and the arguments and the command are in correct order, but unfortunately chezmoi does not wait for confirmation (user has to physically touch the device/key) to confirm authentication.

Here is the debug output:

time=2024-08-21T00:13:30.841+02:00 level=INFO msg=Start cmd="/home/<user>/.local/share/devbox/global/default/.devbox/nix/profile/default/bin/keepassxc-cli open --no-password --yubikey 1:2343434 /home/<user>/Documents/digital-identity/KeePass.kdbx" start=2024-08-21T00:13:30.841+02:00 err=<nil>
chezmoi: .config/rclone/rclone.conf: template: dot_config/rclone/rclone.conf.tmpl:2:3: executing "dot_config/rclone/rclone.conf.tmpl" at <keepassxcAttribute "rclone-config" "rclone.conf">: error calling keepassxcAttribute: Please present or touch your YubiKey to continue.

Steps: Immediately after the message, chezmoi exits, while the keys confirmation light is on (meaning it is waiting for confirmation).
This does work when running the above command ("keepassxc-cli") standalone.

Edit: It did wait for the confirmation in using non "open" mode in prev version.

Edit 2: Here is the output for the standard show using the new build (is the same as before):

time=2024-08-21T00:26:47.827+02:00 level=INFO msg=ReadFile component=system name=/home/<user>miha/repos/personal/dotfiles/home/dot_config/rclone/rclone.conf.tmpl size=98 data="{{ if not (env \"ENCRYPTED\") -}}\n{{ keepassxcAttribute \"rclone-co..."
Hardware key error: operation would block

On Hardware key error: operation would block it was waiting for my confirmation with chezmoi.

I tested it and the arguments and the command are in correct order, but unfortunately chezmoi does not wait for confirmation (user has to physically touch the device/key) to confirm authentication.

Any clue as to what options or output KeePassXC gives before it can accept further commands? The relevant code is at

Edit: link to code in this PR.

Any clue as to what options or output KeePassXC gives before it can accept further commands? The relevant code is at

When doing both show and open in standalone keepassxc-cli, both show Please present or touch your YubiKey to continue..

So, how it gets to Hardware key error: operation would block is a mystery.

As for the code, I don't have any clues. I did look up, and it seems it is not that trivial, this thread (last comment in particular) might give some hints keepassxreboot/keepassxc#8969. Unfortunately, I am not that familiar with bash scripting to give an answer.

I did test right now with the template command:

• Regular mode:

  keepassxc:
    database: "~/Documents/digital-identity/KeePass.kdbx"
    args: ["--no-password", "--yubikey", "1:1097617"]
    prompt: false

  $ /usr/local/bin/chezmoi execute-template '{{ keepassxcAttribute "git-config" "gitconfig" }}' --verbose
  Hardware key error: operation would block
  [url "ssh://git@...

  Works as expected (block execution and then unlocks database).

• Open mode:

  keepassxc:
    database: "~/Documents/digital-identity/KeePass.kdbx"
    openArgs: ["--no-password", "--yubikey", "1:1097617"]
    mode: "open"
    prompt: false

  $ /usr/local/bin/chezmoi execute-template '{{ keepassxcAttribute "git-config" "gitconfig" }}' --verbose
  chezmoi: template: arg1:1:3: executing "arg1" at <keepassxcAttribute "git-config" "gitconfig">: error calling keepassxcAttribute: Please present or touch your YubiKey to continue.

  Does not block execution and immediately exits with YubiKey waiting for confirmation.

  Now, based on this error calling keepassxcAttribute: Please present or touch your YubiKey to continue. it treats this wait as error already.

Thanks for the testing!

Note that chezmoi already uses expect to talk to keepassxc-cli in open mode. This means that chezmoi provides a virtual interactive terminal to keepassxc-cli.

The reason for this error message:

error calling keepassxcAttribute: Please present or touch your YubiKey to continue.

is that chezmoi was expecting an Enter password to unlock... message from keepassxc-cli, but received the Please present or touch... message instead.

I've pushed an second commit to PR that makes chezmoi expect the Please present or touch... message, and also improved the error messages that chezmoi returns when it encounters something that it doesn't expect.

Would you be able to test this?

I don't have a recent YubiKey or use KeePassXC, so this might take a few iterations to get right with you doing the testing and me writing the code. I hope you're OK with that - I'd like to get this working :)

Minor update: I found a YubiKey 5C NFC in my box of stuff and have set up KeePassXC to work with this. So, I can now test locally.

I was trying to debug using latest commit:

❯ /usr/local/bin/chezmoi --version
chezmoi version dev, commit 2b2a25d3b242b13b7245dc48d524489ca4d0130d, built at 2024-08-25T22:20:42Z

# I added some modifications on how the outputs are here
❯ /usr/local/bin/chezmoi execute-template '{{ keepassxcAttribute "git-config" "gitconfig" }}' --verbose
matched keepassxcPleasePresentOrTouchYourYubiKeyToContinueRx
not matched keepassxcPromptRx
chezmoi: template: arg1:1:3: executing "arg1" at <keepassxcAttribute "git-config" "gitconfig">: error calling keepassxcAttribute: "\r\n": unexpected prompt

The error error calling keepassxcAttribute happens on this line. I used strconv.Quote(output) to print escaped characters so it is properly readable in cmd.

I am not sure if we can change keepassxcPromptRx to just match any character.

Edit:

If I change to keepassxcPromptRx = regexp.MustCompile(`^.*>?\`) to account for these characters it does block and wait for prompt, but after confirmation, there is no output (KeePassXC entry output is missing). Execution probably proceeded further (while waiting for confirmation) and tried to get data from KeePassXC without it being unlocked yet.

Thanks again for the testing!

I've updated this PR with new code which works locally for me.

My test config contains:

[keepassxc]
        database = "/home/twp/Passwords.kdbx"
        openArgs = ["--no-password", "--yubikey", "2:18281566"]
        mode = "open"

Example run:

$ chezmoi execute-template '{{ keepassxc "chezmoi test" | toJson }}'
Please present or touch your YubiKey to continue.
{"Notes":"","Password":"'rW*b25hhsP91a.*bX#C","Tags":"","Title":"chezmoi test","URL":"","UserName":"","Uuid":"{2d7c6567-1f44-4139-bafb-5f886b2e08b7}"}%                       

Would you be able to test this version?

Tested and can confirm that it works. And is much faster than non open mode when deploying all the dotfiles.

Would it be possible to have just args instead of having additional openArgs? It seems redundant and definitely confusing, since in the keepassxc-cli, args and openArgs are just args.

Would it be possible to have just args instead of having additional openArgs? It seems redundant and definitely confusing, since in the keepassxc-cli, args and openArgs are just args.

Yes, this makes sense because keepassxc-cli doesn't seem to need/want any arguments before open. I've updated the PR. Could you test this because I will not be able to test this until much later today.

Tested and works as before. Thank you.

Great! I'll merge once the CI checks are complete. I'll likely do the next release of chezmoi towards the end of the week (the release cycle is roughly every two weeks).