Pass

Pass is a password manager that uses GnuPG for encryption and decryption of stored passwords. Strengthen the security of your API key and client authentication certificate password by storing them in Pass.

When your credentials are stored, all DigiCert​​®​​ Software Trust Manager client tools can pull your credentials from Pass.

Prerequisites

  • Install GPG on the computer (already included in most Linux distributions)

  • Install Pass

  • Create a GPG key

Install Pass

To install Pass on Linux:

Create GPG key

If you don't have a local GPG key, use the following steps to create one:

  1. Run:

    gpg2 --full-generate-key
  2. For the key type, select option 1:

    Please select what kind of key you want:
    
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    
    Your selection? 1
  3. Specify the key size:

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want?
  4. Specify the key validity:

    Please specify how long the key should be valid.
    
            0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years

    Command sample:

    Key is valid for? (0) 1y
    Key expires at Fri 21 Jun 2024 17:50:12 CET
    
  5. Specify Y if the key validity is correct:

    Is this correct? (y/N) y
  6. Provide your full name, email address, and comment if necessary to create your user ID (UID):

    GnuPG needs to construct a user ID to identify your key.
    
    Real name: John Doe
    Email address: john.doe@example.com
    Comment: Pass
    
  7. Select O if the information is correct:

    You selected this USER-ID:
        "John Doe (Pass) john.doe@example.com"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  8. Specify your master password to unlock your pass datastore.

    Warning

    To use Pass in an automated environment like a CI/CD pipeline:

    Don't set a passphrase for GPG. Leave the passphrase field empty when prompted and accept the warning that appears.

    If you configure a passphrase, the GPG password prompt will fail in an automated environment and the client tools will be unable to retrieve credentials.

  9. To identify your GPG key ID required for Pass, run the following command:

    gpg2 --list-secret-keys --keyid-format LONG

    Review the following sample output:

    sec   4096R/ABCD1234ABCD1234 2023-06-21 [expires: 2024-06-21]
    uid         John Doe (Pass) <jdoe@example.com>
  10. To start your pass datastore using your GPG key ID, use the following command:

    pass init '<GPG key ID>'

    Review the following sample command:

    pass init 'ABCD1234ABCD1234'
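As an added example (not part of this page or of the DigiCert tooling), the following script parses the output of `gpg2 --list-secret-keys --keyid-format LONG`, extracts the long key ID that `pass init` needs, and flags a key that is expired or about to expire, since an expired key can no longer be used to store new credentials. The two listings are constructed samples modelled on the output shown above, not real keys.

```shell
#!/bin/sh
# Constructed sample listings (not real keys); the first mirrors the page's
# sample output, the second is a key without an expiry date.
SAMPLE_LISTING='sec   4096R/ABCD1234ABCD1234 2023-06-21 [expires: 2024-06-21]
uid                 John Doe (Pass) <jdoe@example.com>'
NOEXPIRY_LISTING='sec   4096R/0123456789ABCDEF 2023-06-21
uid                 CI Bot (Pass) <ci@example.com>'

# Long (16 hex digit) key ID from the first "sec" line; this is the value
# to give to `pass init`.
gpg_key_id() {  # $1 = listing text
  printf '%s\n' "$1" | sed -n 's#^sec *[^/]*/\([0-9A-F]\{16\}\).*#\1#p' | head -n 1
}

# Expiry date (YYYY-MM-DD) of the first "sec" line, or "never".
gpg_key_expiry() {  # $1 = listing text
  exp=$(printf '%s\n' "$1" | sed -n 's#^sec .*\[expires: \([0-9-]*\)\].*#\1#p' | head -n 1)
  echo "${exp:-never}"
}

# Day count for dates from 1901 to 2099 (differences are exact in that range),
# so the check does not depend on GNU date extensions.
day_number() {  # $1 = YYYY-MM-DD
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}   # strip a leading zero so 08/09 are not read as octal
  echo $(( 367*y - 7*(y + (m+9)/12)/4 + 275*m/9 + d ))
}

# Prints never, expired, expiring (within $3 days, default 30) or ok.
key_expiry_status() {  # $1 = listing text, $2 = today YYYY-MM-DD, $3 = warn days
  exp=$(gpg_key_expiry "$1")
  if [ "$exp" = never ]; then echo never; return; fi
  left=$(( $(day_number "$exp") - $(day_number "$2") ))
  if [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "${3:-30}" ]; then echo expiring
  else echo ok
  fi
}

# Run against the constructed sample; on a real machine replace SAMPLE_LISTING
# with "$(gpg2 --list-secret-keys --keyid-format LONG)" and the date with
# "$(date +%Y-%m-%d)".
echo "pass init '$(gpg_key_id "$SAMPLE_LISTING")'"
echo "key expiry status on 2024-05-22: $(key_expiry_status "$SAMPLE_LISTING" 2024-05-22)"
```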

Save credentials to Pass

Running this command again overwrites the credentials already stored.

To save credentials to Pass, run:

smctl credentials save <API Key> <Client authentication certificate password>

Note

Once your API key and client authentication certificate password are securely stored in Pass, use the following commands to set the host and client authentication certificate in SMCTL:

export SM_HOST=<host URL>
export SM_CLIENT_CERT_FILE=<P12 client authentication certificate file path>

Alternatively, you can store these variables in a properties file or persistent variables.

Delete credentials from Pass

To delete credentials saved in Pass, use the following command:

smctl credentials delete

Pass error

Error message

Failed to retrieve credentials from OS, proceeding without. Error: failed retrieving credentials from linux pass: exit status 2: gpg: decryption failed: No secret key

Description

This error occurs when the GPG key used by Pass was created with a passphrase and GPG has no terminal on which to prompt for it.

Solution

Export the GPG TTY environment variable using the following command:

export GPG_TTY=$(tty)

Note

When you rerun the failed command, it should prompt you for the passphrase.

Proxy configuration

Configure the HTTPS_PROXY environment variable if the client tool needs to communicate through a proxy.

Anonymous proxy

Use the following command if your proxy doesn't require authentication:

export HTTPS_PROXY=https://<proxy_host>:<proxy_port>

Authenticated proxy

Use the following command if your proxy requires authentication:

export HTTPS_PROXY=https://user:password@<proxy_host>:<proxy_port>