Or how to migrate away from Safari
After Safari 13 on the Mac completely dropped the extension feature, so uBlock no longer works there, I want to move away from Safari. That is a bit tricky because Keychain no longer works with other browsers, so this is step 0 for moving away from Safari as the default browser.
On iOS, the other browsers are also available with all the basic required features: tab syncing and whatnot. Password management isn't an issue on the iOS side because of the way iOS handles password submission, and you can set the default password manager in Settings.
Enter pass. Pass is a developer-friendly password manager that uses GnuPG for encryption. It is so simple that its basic interface is just a plain command line, so we'll need other extensions / plugins for it to work seamlessly. Pass also uses git to handle the syncing. Pro tip: GitHub now allows private repos 😉
Step 1: Extract KeyChain’s Password
First things first: we need to get the passwords out of Keychain. For that we'll use MrC's AppleScript. It was meant for 1Password, but it'll work for us as well. Download and extract the zip file, and run Get_Safari12_Passwords.applescript. It'll slowly extract your passwords into pm_export.csv on your Desktop.
Step 2: Get Pass Up and Running
$ brew install pass
$ gpg --gen-key
$ gpg --list-keys
Note the “fingerprint”, which is the last column on the pub row.
$ gpg --export-secret-keys --armor <fingerprint> > privkey.asc
$ gpg --export --armor <fingerprint> > pubkey.asc
Back up the public and private keys. I upload them to my private server; make sure you can set the files to be publicly accessible as needed, since they'll be used by the iOS app.
$ pass init <fingerprint>
Step 3: GitHub
Since GitHub allows unlimited private repos, I'm going to use it as the password manager's sync server. Now create an empty private repo on GitHub.
$ pass git init
$ pass git remote add origin https://github.com/user/repo
$ pass git push --set-upstream origin master
Step 3: pass-import
Download and install all the dependencies. Everything is available in homebrew.
$ git clone https://github.com/roddhjav/pass-import/
$ cd pass-import
$ make
$ make install PREFIX=/usr/local
Next, we just need to import the passwords
$ pass import csv ~/Desktop/pm_export.csv --cols 'title,url,login,password,comments'
$ pass git push
Step 4: BrowserPass
It’s prettier than passff, but before the browser extension can be used, we need to install pinentry-mac and the native messaging host for browserpass.
First let's install the native BrowserPass
- Download the latest release of BrowserPass -- select the darwin-arm64 version for Arm Mac.
- Extract and jump into the folder
make BIN=browserpass-darwin-arm64 PREFIX=/usr/local configure
sudo make BIN=browserpass-darwin-arm64 PREFIX=/usr/local install
sudo make BIN=browserpass-darwin-arm64 PREFIX=/usr/local hosts-firefox
vi ~/.password-store/.browserpass.json
and put in
{
"gpgPath": "/opt/homebrew/bin/gpg"
}
Next is the pinentry
brew install pinentry-mac
brew tap jorgelbg/tap
brew install pinentry-touchid
/opt/homebrew/bin/pinentry-touchid -fix
vi ~/.gnupg/gpg-agent.conf
and enter
pinentry-program /opt/homebrew/bin/pinentry-touchid
gpg-connect-agent reloadagent /bye
or
gpgconf --kill gpg-agent
or sometimes
pkill gpg-agent
is needed.
defaults write org.gpgtools.common DisableKeychain -bool yes
- And finally to test it:
pass show github-token
You'll need to enter the passphrase once; after that, only Touch ID is needed to unlock the passwords.
Step 5: iOS
This is very easy, just install the app, go to settings, enter your repo. Then download the PGP Key. Remember to set the files back to private.
Next go to iOS Settings.app > Passwords and Accounts > AutoFill Passwords, untick iCloud Keychain and tick Pass.
Step 6: New or Other Mac
$ brew install pass
$ gpg --import pubkey.asc
$ gpg --import privkey.asc
$ gpg --list-keys
$ pass init <fingerprint>
$ git clone https://user:password@github.com/user/repo
$ mv repo ~/.password-store
The commands above are described in detail in the previous steps. You may need to remove the original .password-store directory before renaming the repo to it. Now test the installation by showing the password of a known URL:
$ pass show github.com
If the password is shown, then it's done. Jump back to step 4 for the browserpass installation on the new computer.
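The clone URL used in this step carries the GitHub password, and git saves that URL verbatim as the origin remote in the store's .git/config. As an added example (not part of the original post; the function names are hypothetical), this checks a remote URL for embedded credentials and rewrites the store's origin without them:

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# url_has_credentials URL: succeed if an http(s) URL carries user[:password]@
# in its authority part (an "@" later in the path does not count).
url_has_credentials() {
    printf '%s\n' "$1" | grep -Eq '^https?://[^/@]*@'
}

# strip_url_credentials URL: print the URL with the userinfo part removed.
strip_url_credentials() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# scrub_store_remote: rewrite origin of the password store if its saved URL
# contains credentials. The old URL is never printed.
scrub_store_remote() (
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    url=$(git -C "$store" remote get-url origin) || return 1
    if url_has_credentials "$url"; then
        git -C "$store" remote set-url origin "$(strip_url_credentials "$url")"
        echo "origin rewritten without embedded credentials"
    else
        echo "origin has no embedded credentials"
    fi
)
```

The clone command itself also stays in the shell history, so that entry needs removing as well. Afterwards git asks for credentials on push, which a credential helper or an SSH remote can supply.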
Usage
$ man pass
Heh. Really, retrieving passwords shouldn't be an issue at this point. Keychain's Safari integration made password generation so simple and straightforward; sadly, this isn't the case for pass. This is the only downside.
There are several ways of approaching this, but I prefer to generate a password first, then edit the entry to add the username and URL according to pass' format. Just follow the example below:
$ pass generate -n auth0 [length]
$ pass edit auth0
Add two more lines below the password
[password]
login: [username or email]
url:*.auth0.com
Remember to git push to sync the passwords.
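The generate-then-edit routine above can be collapsed into one step. This is an added example, not part of the original post: the function names are hypothetical, the password is drawn from /dev/urandom instead of `pass generate`, and the finished entry is fed to `pass insert -m` on stdin.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# gen_password [LENGTH]: random alphanumerics from /dev/urandom (default 25).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-25}"
}

# make_entry PASSWORD LOGIN URL: print an entry body in the layout used above,
# password on the first line, then the login and url lines.
make_entry() {
    # Reject newlines: an embedded newline would inject extra fields.
    case "$1$2$3" in
        *"
"*) echo "make_entry: newline in a field" >&2; return 1 ;;
    esac
    printf '%s\nlogin: %s\nurl: %s\n' "$1" "$2" "$3"
}

# new_entry NAME LOGIN URL [LENGTH]: create the entry, then sync it.
new_entry() (
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    # Refuse to overwrite: do not count on an interactive prompt with stdin piped.
    if [ -e "$store/$1.gpg" ]; then
        echo "new_entry: $1 already exists" >&2; return 1
    fi
    entry=$(make_entry "$(gen_password "${4:-25}")" "$2" "$3") || return 1
    # printf is a shell builtin, so the password never shows up in `ps` output.
    printf '%s\n' "$entry" | pass insert -m "$1" && pass git push
)

# Usage: new_entry auth0 me@example.com '*.auth0.com' 32
```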
Conclusion
There you have it. Creating a new account isn't as smooth as with Keychain, but at this point you're no longer locked in, and you have a completely secure and free cloud-synced password manager.
Troubleshooting
- Error: gpg: public key decryption failed: No pinentry. Try:
gpg-connect-agent reloadagent /bye
or
gpgconf --kill gpg-agent
or
pkill gpg-agent
One of those commands should fix it.
Update
- 2021-10-01: Here's how to renew GPG Key.
- 2023-03-21: Complying with the new M-series Macs.
- 2023-07-02: Added Troubleshooting.