Soemarko Ridwan

iOS & Web Developer ⟡ Coffee Addict ⟡ Scuba Diver

Complete Guide for PasswordStore on MacOS

Or how to migrate away from Safari

Since Mac’s Safari 13 completely dropped the extension feature, uBlock no longer works there, and I want to move away from Safari. That is a bit tricky because Keychain no longer works with other browsers, so this is step 0 of moving away from Safari as the default browser.

On iOS, all the other available browsers come with all the basic required features: tab syncing and whatnot. Password management isn’t an issue on the iOS side because of the way iOS handles password submission, and you can set the default password manager in Settings.

Enter pass. Pass is a developer-friendly password manager that uses GnuPG for encryption. It is so simple that its basic interface is just a plain command line, so we’ll need other extensions / plugins for it to work seamlessly. Pass also uses git to handle the syncing. Pro tip: GitHub now allows private repos 😉

Step 1: Extract Keychain’s Passwords

First things first: we need to get the passwords out of Keychain. For that we’ll use MrC’s AppleScript. It was meant for 1Password, but it’ll work for us as well. Download and extract the zip file, and run Get_Safari12_Passwords.applescript. It’ll slowly extract your passwords into pm_export.csv on your Desktop.

Step 2: Get Pass Up and Running

$ brew install pass
$ gpg --gen-key
$ gpg --list-keys

Note the “fingerprint”, which is the last column on the pub row.

$ gpg --export-secret-keys --armor <fingerprint> > privkey.asc
$ gpg --export --armor <fingerprint> > pubkey.asc

Back up the public and private keys. I upload these to my private server; make sure you can set the files to be publicly accessible as needed, because the iOS app will download them in Step 5.

$ pass init <fingerprint>

Step 3: GitHub

Since GitHub allows unlimited private repos, I’m going to use it as the sync server for the password manager. Now create an empty private repo on GitHub.

$ pass git init
$ pass git remote add origin
$ pass git push --set-upstream origin master

Step 3: pass-import

Download and install all the dependencies. Everything is available in homebrew.

$ git clone
$ cd pass-import
$ make
$ make install PREFIX=/usr/local

Next, we just need to import the passwords

$ pass import csv ~/Desktop/pm_export.csv --cols 'title,url,login,password,comments'
$ pass git push
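
A check worth running before that push, as an added example that is not part of the original post: it lists anything in the store that git would send to GitHub without OpenPGP encryption, such as a stray copy of pm_export.csv. The function names is_openpgp and audit_store are hypothetical, and the first-byte test is a heuristic based on the OpenPGP packet format.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.
# Lists files in a pass store that git would push without OpenPGP encryption.

# is_openpgp FILE: succeed if FILE looks like an OpenPGP message.
# Heuristic only; `gpg --list-packets FILE` is the thorough check.
is_openpgp() {
    # ASCII-armored messages start with this header line.
    if head -n 1 "$1" | LC_ALL=C grep -q -e '^-----BEGIN PGP MESSAGE-----'; then
        return 0
    fi
    # Binary OpenPGP packets always have bit 7 set in their first octet,
    # while ASCII plaintext never does.
    first=$(od -An -tu1 -N1 "$1" | tr -dc '0-9')
    [ -n "$first" ] && [ "$first" -ge 128 ]
}

# audit_store [DIR]: print each offending file; return 1 if any was found.
audit_store() {
    store=${1:-$HOME/.password-store}
    # Skip git's own metadata and the clear-text files pass maintains itself.
    report=$(find "$store" -type f ! -path "$store/.git/*" \
                 ! -name .gpg-id ! -name .gitattributes |
        while IFS= read -r f; do
            case $f in
                *.gpg) is_openpgp "$f" || printf 'not OpenPGP data: %s\n' "$f" ;;
                *)     printf 'not encrypted: %s\n' "$f" ;;
            esac
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage: audit_store && pass git push
```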

Step 4: BrowserPass

It’s prettier than passff, but before the browser extension can be used, we need to install pinentry-mac and the native messaging host for browserpass.

$ brew install pinentry-mac
$ brew tap amar1729/formulae
$ brew install browserpass

Next, we need to configure the browserpass native messaging host to work with the Firefox extension.

$ cd /usr/local/lib/browserpass
$ sudo PREFIX=/usr/local make hosts-firefox

Almost there. We need to reconfigure gpg-agent: open the config with $ vi ~/.gnupg/gpg-agent.conf and add pinentry-program /usr/local/bin/pinentry-mac. Save and quit, then restart gpg-agent:

$ gpgconf --kill gpg-agent

Now the browserpass extension should be up and running.

Step 5: iOS

This is very easy: just install the app, go to its settings, and enter your repo. Then download the PGP key. Remember to set the files back to private.

Next go to iOS > Passwords and Accounts > AutoFill Passwords, untick iCloud Keychain and tick Pass.

Step 6: New or Other Mac

$ brew install pass
$ gpg --import pubkey.asc
$ gpg --import privkey.asc
$ gpg --list-keys
$ pass init <fingerprint>
$ git clone
$ mv repo ~/.password-store

The details of the commands above have been described in the previous steps. You may need to remove the original .password-store directory before renaming the repo to it. Now test the installation by showing the password of a known URL with $ pass show. If the password is shown, then it's done. Jump back to Step 4 for the browserpass installation on the new computer.


$ man pass

Heh. Really, retrieving passwords shouldn’t be an issue at this point. Keychain’s Safari integration made password generation so simple and straightforward; sadly, this isn’t the case for pass. This is the only downside.

There are several ways of approaching this, but I prefer to generate a password first, then edit the entry to add the username and URL according to pass’ format. Just follow the example below:

$ pass generate -n auth0 [length]
$ pass edit auth0

Add two more lines below the password

login: [username or email]

Remember to git push to sync the passwords.


There you have it. Creating a new account isn’t as smooth as with Keychain, but at this point you’re no longer locked in, and you have a completely secure and free cloud-synced password manager.


2021-10-01: Here's how to renew GPG Key.