Or how to migrate away from Safari
After Mac’s Safari 13 completely dropped the extension feature, thus uBlock no longer works there, I want to move away from Safari. Which is a bit tricky because Keychain no longer works with other browser, so step 0 for moving away from Safari as default browser.
On iOS all other available browser also available with all the basic required features. Tab syncing, and what not. Password management isn’t an issue on iOS side because the way iOS handle password submission, and you can set the default password manager in the Settings.
Enters pass. Pass is a developer friendly password manager that uses GnuPG for encryption. So simple that the basic interface for it is just a plain command line, we’ll need to use other extension / plugins for it to work seamlessly. Pass also use git to handle the syncing, pro tip: GitHub now allows private repo 😉
Step 1: Extract KeyChain’s Password
First thing first, we need to get the passwords out of Keychain, for that we’ll use MrC’s AppleScript. It was meant for 1Password, but it’ll work for us as well. Download and extract the zip file, and run
Get_Safari12_Passwords.applescript. It’ll slowly extract your passwords into
pm_export.csv on your Desktop.
Step 2: Get Pass Up and Running
$ brew install pass $ gpg --gen-key $ gpg --list-keys
Note the “fingerprint”, which is the last column on the
$ gpg --export-secret-keys --armor <fingerprint> > privkey.asc $ gpg --export --armor <fingerprint> > pubkey.asc
Backup the public and private key, I upload this to my private server — make sure you can set the file to be publicly accessible as needed, it’ll be used by the iOS app.
$ pass init <fingerprint>
Step 3: GitHub
Since github allows unlimited private repo, I’m going to use it as the password manager sync server. Now create an empty private repo on GitHub.
$ pass git init $ pass git remote add origin https://github.com/user/repo $ pass git push --set-upstream origin master
Step 3: pass-import
Download and install all the dependencies. Everything is available in homebrew.
$ git clone https://github.com/roddhjav/pass-import/ $ cd pass-import $ make $ make install PREFIX=/usr/local
Next, we just need to import the passwords
$ pass import csv ~/Desktop/pm_export.csv —cols ‘title,url,login,password,comments’ $ pass git push
Step 4: BrowserPass
It’s prettier than passff, but before the browser extension can be used, we need to install pinentry-mac and the native messaging host for browserpass.
$ brew install pinentry-mac $ brew tap amar1729/formulae $ brew install browserpass
Next we need to configure browserpass native messaging host to work with the firefox extension
$ cd /usr/local/lib/browserpass $ sudo PREFIX=/usr/local make hosts-firefox
Almost there, we need to reconfigure the gpg-agent open
$ vi ~/.gnupg/gpg-agent.conf and add
pinentry-program /usr/local/bin/pinentry-mac. Save and quit. Restart the gpg-agent
$ gpgconf --kill gpg-agent
Now the browserpass extension should be up and running.
Step 5: iOS
This is very easy, just install the app, go to settings, enter your repo. Then download the PGP Key. Remember to set the files back to private.
Next go to iOS Settings.app > Passwords and Accounts > AutoFill Passwords, untick iCloud Keychain and tick Pass.
Step 6: New or Other Mac
$ brew install pass $ gpg --import pubkey.asc $ gpg --import privkey.asc $ gpg --list-key $ pass init <fingerprint> $ git clone https://user:firstname.lastname@example.org/user/repo $ mv repo ~/.password-store
The details of the commands above has been described on previous steps. You may need to remove the original .password-store directory before renaming it from the repo. Now test the installation by showing a password of a known url
$ pass show github.com. If the password is shown, then it's done. Jump back to step 4 for the browserpass installation on the new computer.
$ man pass
Heh. Really, retrieving passwords shouldn’t be an issue at this point. Keychain’s Safari integration made password generation so simple and straightforward, sadly, this isn’t the case for pass. This is the only downside.
There are several way of approaching this, but I prefer to generate a password first, then edit the entry for the username and url according to pass’ format. Just follow the example below;
$ pass generate -n auth0 [length] $ pass edit auth0
Add two more lines below the password
[password] login: [username or email] url:*.auth0.com
git push to sync the passwords.
There you have it. Creating new account isn’t as smooth as Keychain, but at this point, you’re no longer locked-in. And have a completely secure and free cloud synced password manager.
2021-10-01: Here's how to renew GPG Key.