Soemarko Ridwan

iOS & Web Developer ⟡ Coffee Addict ⟡ Scuba Diver


Complete Guide for PasswordStore on MacOS

Or how to migrate away from Safari

After Safari 13 on the Mac dropped support for legacy extensions, which means uBlock no longer works there, I want to move away from Safari. That is a bit tricky because Keychain passwords cannot be used from other browsers, so getting the passwords out of Keychain is step 0 for moving away from Safari as the default browser.

On iOS all the other browsers are available with the basic required features, tab syncing and what not. Password management isn't an issue on the iOS side because of the way iOS handles password autofill: you can set the default password manager in Settings.

Enter pass. Pass is a developer-friendly password manager that uses GnuPG for encryption: every entry is a gpg-encrypted file under ~/.password-store. It is so simple that the basic interface is just the command line, so we'll need extensions and plugins for it to work seamlessly. Pass also uses git to handle syncing. Pro tip: GitHub now allows unlimited private repos 😉

Step 1: Extract KeyChain’s Password

First things first, we need to get the passwords out of Keychain. For that we'll use MrC's AppleScript. It was meant for 1Password, but it works for us as well. Download and extract the zip file, and run Get_Safari12_Passwords.applescript. It slowly extracts your passwords into pm_export.csv on your Desktop. Keep in mind that this CSV holds every password in plaintext.

Step 2: Get Pass Up and Running

$ brew install pass
$ gpg --gen-key
$ gpg --list-keys

Note the fingerprint. With current GnuPG it is the 40-character hex string printed on the line below the pub row; older versions print only the short key ID at the end of the pub row, in which case use gpg --list-keys --fingerprint to get the full fingerprint.

$ gpg --export-secret-keys --armor <fingerprint> > privkey.asc
$ gpg --export --armor <fingerprint> > pubkey.asc

Back up the public and private key. I upload them to my private server; make sure you can set the files to be publicly accessible when needed, because the iOS app will fetch them from a URL. The exported private key is protected only by its passphrase, so keep that window as short as possible and set the files back to private as soon as the iOS app has fetched them.

$ pass init <fingerprint>
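Copying the fingerprint by hand is error-prone once you script the setup (or the rebuild on a second Mac). The helper below is an added example, not code from the original post or from pass itself: it pulls the primary-key fingerprint out of GnuPG's machine-readable listing (gpg --list-secret-keys --with-colons) instead of the human-readable one. The sample listing embedded in it is constructed and contains no real key material; the function and variable names are my own.

```bash
#!/usr/bin/env bash
# Extract the primary-key fingerprint from GnuPG's colon-separated listing
# (`gpg --list-secret-keys --with-colons`), so scripts feed `pass init` the
# full fingerprint instead of a hand-copied key ID.
# Added example for this guide; not code from the original post or from pass.
set -eu

# Reads a --with-colons listing on stdin and prints the fingerprint of the
# first primary secret key whose user ID contains $1 (any key if $1 is
# empty). In colon format a "sec" record opens a key, the next "fpr" record
# carries its fingerprint in field 10, and "ssb" records (subkeys, each with
# their own "fpr") are skipped. Returns 1 if nothing matches.
first_secret_fpr() {
  local want="${1:-}" fpr
  fpr="$(awk -F: -v want="$want" '
    $1 == "sec" { inkey = 1; fpr = ""; next }
    $1 == "ssb" { inkey = 0; next }
    inkey && $1 == "fpr" && fpr == "" { fpr = $10; next }
    inkey && $1 == "uid" && fpr != "" {
      if (want == "" || index($10, want) > 0) { print fpr; exit }
    }
  ')"
  [ -n "$fpr" ] || return 1
  printf '%s\n' "$fpr"
}

# True if $1 looks like a full v4 fingerprint (40 hex digits), which is what
# pass init should get; a short key ID is ambiguous and will not match the
# .gpg-id written on another machine.
is_fingerprint() {
  printf '%s' "$1" | grep -qE '^[0-9A-Fa-f]{40}$'
}

# Constructed sample listing with two keys; the hex strings are placeholders,
# not real key material. Field 10 of the uid record is the user ID.
SAMPLE_LISTING='sec:u:255:22:1111222233334444:1700000000:::u:::scESC:::+:::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1700000000::1111111111111111111111111111111111111111::Alice <alice@example.com>::::::::::0:
ssb:u:255:18:5555666677778888:1700000000::::::e:::+:::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sec:u:3072:1:9999AAAABBBBCCCC:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1700000000::2222222222222222222222222222222222222222::Bob <bob@example.org>::::::::::0:'

# Stand-alone demo on the sample (run with: bash fpr.sh demo). With real keys
# the listing comes from:
#   gpg --list-secret-keys --with-colons | first_secret_fpr alice@example.com
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | first_secret_fpr bob@example.org
fi
```

Wiring it up is one line once gpg and pass are installed: pass init "$(gpg --list-secret-keys --with-colons | first_secret_fpr alice@example.com)". Matching on the user ID rather than blindly taking the first key matters as soon as the keyring holds more than one secret key, which is exactly the situation after a key renewal.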

Step 3: GitHub

Since GitHub allows unlimited private repos, I'm going to use it as the password manager sync server. Create an empty private repo on GitHub. Note that only the contents of each entry are encrypted: the entry names (file names such as github.com.gpg) are visible to anyone who can read the repo, so keep it private and don't put secrets in the names.

$ pass git init
$ pass git remote add origin https://github.com/user/repo
$ pass git push --set-upstream origin master

If your git is configured to name the initial branch main instead of master, push that branch instead.

Step 4: pass-import

Download and install all the dependencies; everything is available in Homebrew.

$ git clone https://github.com/roddhjav/pass-import/
$ cd pass-import
$ make
$ make install PREFIX=/usr/local

Next, we just need to import the passwords. The --cols mapping must list the CSV's columns in the order they appear in the file.

$ pass import csv ~/Desktop/pm_export.csv --cols 'title,url,login,password,comments'
$ pass git push

Delete pm_export.csv once the import succeeded; it holds every password in plaintext.

Step 5: BrowserPass

It's prettier than passff, but before the browser extension can be used, we need to install the native messaging host for browserpass and a pinentry that gpg-agent can use from the browser.

First let's install the native BrowserPass host (browserpass-native):

  1. Download the latest release of browserpass-native: the darwin-arm64 build for an Apple silicon Mac, darwin-amd64 for an Intel Mac (use that name in BIN= below).
  2. Extract it and jump into the folder.
  3. make BIN=browserpass-darwin-arm64 PREFIX=/usr/local configure
  4. sudo make BIN=browserpass-darwin-arm64 PREFIX=/usr/local install
  5. sudo make BIN=browserpass-darwin-arm64 PREFIX=/usr/local hosts-firefox (hosts-chromium for a Chromium-based browser)
  6. vi ~/.password-store/.browserpass.json and put in the path of the gpg binary the host should call (/usr/local/bin/gpg on an Intel Mac with Homebrew):
     {
       "gpgPath": "/opt/homebrew/bin/gpg"
     }

Next is the pinentry. pinentry-touchid keeps the passphrase in the macOS Keychain and releases it after a Touch ID prompt; it uses pinentry-mac for the initial passphrase entry, so both are installed.

  1. brew install pinentry-mac
  2. brew tap jorgelbg/tap
  3. brew install pinentry-touchid
  4. /opt/homebrew/bin/pinentry-touchid -fix
  5. vi ~/.gnupg/gpg-agent.conf and enter pinentry-program /opt/homebrew/bin/pinentry-touchid
  6. Restart the agent so it picks up the new pinentry: gpg-connect-agent reloadagent /bye or gpgconf --kill gpg-agent; sometimes pkill gpg-agent is needed.
  7. defaults write org.gpgtools.common DisableKeychain -bool yes, so that pinentry-mac does not also offer to save the passphrase in Keychain.
  8. And finally, to test it: pass show github-token

You'll need to enter the passphrase once (it is then stored in the Keychain); on every later occasion a Touch ID prompt unlocks the passwords.

Step 6: iOS

This is very easy: install the Pass app, go to its settings, enter your repo, then download the PGP key from the URL you uploaded it to. Remember to set the files back to private afterwards.

Next go to iOS Settings.app > Passwords and Accounts > AutoFill Passwords, untick iCloud Keychain and tick Pass.

Step 7: New or Other Mac

$ brew install pass
$ gpg --import pubkey.asc
$ gpg --import privkey.asc
$ gpg --list-keys
$ git clone https://github.com/user/repo ~/.password-store

The commands above were described in the previous steps. The .gpg-id file that pass init wrote is already in the repo, so cloning straight into ~/.password-store is all that is needed; if you already ran pass init on this machine, remove the ~/.password-store it created before cloning. Don't put credentials into the clone URL: GitHub no longer accepts account passwords for git over HTTPS, and a token in the URL ends up in your shell history and in .git/config, so use an SSH remote or let a credential helper supply a token. Now test the installation by showing a password for a known entry: $ pass show github.com. If the password is shown, reading works. Writing needs one more thing: an imported key has no owner trust yet, so the first pass insert or pass generate may stop with "There is no assurance this key belongs to the named user"; fix that once with $ gpg --edit-key <fingerprint>, then trust, 5, quit. Finally jump back to the BrowserPass step for the browser integration on the new computer.

Usage

$ man pass

Heh. Really, retrieving passwords shouldn't be an issue at this point. Keychain's Safari integration made password generation simple and straightforward; sadly, this isn't the case for pass. This is the only downside.

There are several ways of approaching this, but I prefer to generate a password first, then edit the entry to add the username and url in pass' format. Just follow the example below:

$ pass generate -n auth0 [length]
$ pass edit auth0

The -n flag leaves symbols out of the generated password, which avoids trouble with sites that reject them. Add two more lines below the password:

[password]
login: [username or email]
url: *.auth0.com

Remember to pass git push to sync the passwords.
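The generate-then-edit dance can be done in one go. The script below is an added example, not code from the original post or from pass itself: it builds the entry body in the layout above (password, then login: and url:), lints it, and pipes it to pass insert -m, which reads a multi-line entry from stdin. The entry name auth0, the address me@example.com and the password hunter2 used in the comments are made up.

```bash
#!/usr/bin/env bash
# Create a browser-ready pass entry in one go: password on line 1, then the
# login: and url: lines browserpass matches on, checked before insertion.
# Added example for this guide; not code from the original post or from pass.
# The entry name, address and password in the comments are made up.
set -eu

# Random password of $1 characters (default 24) drawn from the tr character
# class in $2 (default letters and digits, the same set `pass generate -n`
# uses). 4 KiB of urandom yields far more than $len kept characters.
gen_password() {
  local len="${1:-24}" alphabet="${2:-A-Za-z0-9}"
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$alphabet" | head -c "$len"
}

# Prints an entry body in pass's conventional layout.
make_entry() {
  local password="$1" login="$2" url="$3"
  printf '%s\nlogin: %s\nurl: %s\n' "$password" "$login" "$url"
}

# Lints an entry body read from stdin: non-empty first line, a login/
# username line and a url line. Prints what is missing and returns 1.
check_entry() {
  local body first
  body="$(cat)"
  first="$(printf '%s\n' "$body" | head -n 1)"
  [ -n "$first" ] || { echo "check_entry: empty password line" >&2; return 1; }
  printf '%s\n' "$body" | grep -qiE '^(login|username|user):' \
    || { echo "check_entry: no login: line" >&2; return 1; }
  printf '%s\n' "$body" | grep -qiE '^url:' \
    || { echo "check_entry: no url: line" >&2; return 1; }
}

# Generates, checks and stores the entry, then syncs. Needs pass and gpg,
# so it is not exercised stand-alone; e.g.
#   new_login auth0 me@example.com '*.auth0.com' 32
new_login() {
  local name="$1" login="$2" url="$3" len="${4:-24}" body
  body="$(make_entry "$(gen_password "$len")" "$login" "$url")"
  printf '%s\n' "$body" | check_entry
  printf '%s\n' "$body" | pass insert -m "$name"
  pass git push
}
```

new_login auth0 me@example.com '*.auth0.com' 32 replaces the three manual steps. The same lint runs over an existing store with pass show <entry> | check_entry, which is a quick way to find entries browserpass will never match because the login: or url: line is missing.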

Conclusion

There you have it. Creating a new account isn't as smooth as with Keychain, but at this point you're no longer locked in, and you have a free, gpg-encrypted, cloud-synced password manager whose security rests on your key and its passphrase rather than on a vendor.

Troubleshooting

  • Error: gpg: public key decryption failed: No pinentry. Try: gpg-connect-agent reloadagent /bye or gpgconf --kill gpg-agent or pkill gpg-agent. One of those commands should fix it.

Update

  • 2021-10-01: Here's how to renew GPG Key.
  • 2023-03-21: Complying with the new M-series Macs.
  • 2023-07-02: Added Troubleshooting.