Sharing passwords with Git, GPG and pass

This article describes how to use Git, GPG and the pass tool to manage and share passwords securely: generating and managing GPG keys, using pass personally and in a team, and sharing passwords with team members.

Many companies rely on tools such as LastPass or 1Password to manage and share passwords. These tools are very useful if you care about security, as of course you should, but they also come with their own set of problems.

I have always been a bit frustrated using these and had been on the lookout for a better alternative. I wanted a tool that didn’t rely on a third-party and that could be used inside a terminal. pass filled this need perfectly and I have been a happy user for more than a year.

Unlike other tools, pass (website) is a very simple command-line tool, which means you can integrate it with pretty much anything. It encrypts passwords with your GPG key (and potentially other people's) and integrates with Git for sharing, or simply for synchronising between different computers.

Before you can start using pass, you need to set up GnuPG and generate keys if you don't have any already. You can also use these keys to encrypt emails for example. This post is a good start if you want to dig deeper into GPG.

Setting up GnuPG

We will generate two keys (or rather pairs of keys): a master key and an encryption subkey. The (private) master key should ideally be kept offline for maximum security while the subkey can be stored on your computer. In case your system is compromised, the master key is still safe and it can be used to issue a revocation certificate for the subkey.

After having installed GnuPG using your favourite package manager, the command gpg2, or alternatively just gpg, should be available. We can now generate some keys. The most security-conscious people will want to do that offline, or even on a system that is never to be connected again.

$ gpg2 --full-generate-key
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Sat 23 Nov 2024 07:31:30 GMT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Alice
Email address: alice@example.org
Comment:
You selected this USER-ID:
    "Alice <alice@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
#
# At this moment, a prompt pops up asking to choose a passphrase.
#
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/alice/trustdb.gpg: trustdb created
gpg: key 2C8607E19D882192 marked as ultimately trusted
gpg: directory '/home/alice/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/alice/openpgp-revocs.d/2D73209777E12843C8483F4B2C8607E19D882192.rev'
public and secret key created and signed.

pub   rsa4096 2019-11-25 [SC] [expires: 2024-11-23]
      2D73209777E12843C8483F4B2C8607E19D882192
uid                      Alice <alice@example.org>
sub   rsa4096 2019-11-25 [E] [expires: 2024-11-23]

This command has generated a master key and an encryption key, both valid for 5 years. You might want to change that. I use 5 years for my master key and 1 year for subkeys. This post is however not about GnuPG, so I kept this section as short as possible.

Passwords not only need to be encrypted but also signed, so we need to add a new subkey for signature. The ID passed to the command is the one shown by gpg2 --list-keys. Note that you can set up Git to sign your commits with your key now if you wish to.

$ gpg2 --edit-key 2D73209777E12843C8483F4B2C8607E19D882192
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/2C8607E19D882192
     created: 2019-11-25  expires: 2024-11-23  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/81E8016ABB301F1E
     created: 2019-11-25  expires: 2024-11-23  usage: E
[ultimate] (1). Alice <alice@example.org>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Nov 2020 07:25:06 GMT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/2C8607E19D882192
     created: 2019-11-25  expires: 2024-11-23  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/81E8016ABB301F1E
     created: 2019-11-25  expires: 2024-11-23  usage: E
ssb  rsa4096/AC541E94C6016EE4
     created: 2019-11-26  expires: 2020-11-25  usage: S
[ultimate] (1). Alice <alice@example.org>

A quick tip before setting up pass: use shred -u instead of rm when deleting sensitive files from your disk such as private keys that you would transfer to a safer place. shred overwrites the file's contents with random data and -u causes it to delete the file.

pass for personal use

First, the password store — the directory containing all encrypted passwords — needs to be initialised. It’s also best to synchronise it with Git to avoid losing access to all your accounts if you spill your coffee on your laptop.

$ gpg2 --list-keys
/home/alice/.gnupg/pubring.kbx
-------------------------------
pub   rsa4096 2019-11-25 [SC] [expires: 2024-11-23]
      2D73209777E12843C8483F4B2C8607E19D882192
uid           [ultimate] Alice <alice@example.org>
sub   rsa4096 2019-11-25 [E] [expires: 2024-11-23]
sub   rsa4096 2019-11-26 [S] [expires: 2020-11-25]

$ pass init 2D73209777E12843C8483F4B2C8607E19D882192
Password store initialized for 2D73209777E12843C8483F4B2C8607E19D882192
$ pass git init
Initialized empty Git repository in /home/alice/.password-store/.git/
$ pass git remote add origin git@github.com:alice/pass.git

It is now ready for new passwords to be generated. Let’s generate one for your bank account.

$ pass generate -c bigbank 30
[master (root-commit) 6c0f9b0] Add generated password for bigbank.
4 files changed, 2 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gpg-id
create mode 100644 bigbank.gpg
Copied bigbank to clipboard. Will clear in 45 seconds.

This will generate a 30-character random password, encrypt it with your public GPG key and — as you can see — create a new commit in the repository. pass git is simply a wrapper around git so you can use it as you normally do for other repositories.

The -c option copies the password to your system clipboard for 45 seconds. Another useful option is --no-symbols, which restricts the generated password to alphanumeric characters.

Later on, you can retrieve the password by using pass show -c bigbank, or just pass -c bigbank, to copy it to the clipboard. Similarly, pass bigbank will print the password on stdout.

Let’s push the commit to Github.

$ pass git push
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 12 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (6/6), 2.24 KiB | 2.24 MiB/s, done.
Total 6 (delta 0), reused 0 (delta 0)
To git@github.com:alice/pass.git
* [new branch] master -> master

Storing additional information

pass -c bigbank will only copy the first line of the file to the clipboard. That means you can store the password on the first line and any other information in the rest of the file such as your username.

$ pass edit bigbank
[master ad24857] Edit password for bigbank using nvim.
1 file changed, 0 insertions(+), 0 deletions(-)
rewrite bigbank.gpg (100%)

This command opens your editor and allows you to edit the file. You can set the environment variable EDITOR to your editor of choice.

Replacing old passwords

Using a password manager doesn’t mean passwords don’t need to be changed on a regular basis. Issuing the same command as above will work but will overwrite the whole file, including any additional information that you may have added. The correct way to do it is to use --in-place.

$ pass generate --in-place -c bigbank 30
[master 097075e] Replace generated password for bigbank.
1 file changed, 0 insertions(+), 0 deletions(-)
rewrite bigbank.gpg (100%)
Copied bigbank to clipboard. Will clear in 45 seconds.

Sharing passwords with a team

Passwords of your organisation could be shared in their own repository, which you could then configure as a Git submodule (or better, a Git subtree) of your personal password repository. That way, they would appear in ~/.password-store/your-organisation/ and you could use pass -c your-organisation/admin. This approach still requires you (and other teammates) to do some maintenance, though.

In this section, I’ll take a different approach where passwords are stored in a subdirectory of your project’s repository and I will use direnv (website) to automatically set things up.

First, we need to create the password store and initialise it with the public keys of team members.

$ PASSWORD_STORE_DIR=~/awesome-project/secrets pass init 2D73209777E12843C8483F4B2C8607E19D882192
mkdir: created directory '/home/alice/awesome-project/secrets/'
Password store initialized for 2D73209777E12843C8483F4B2C8607E19D882192

As you can see, the environment variable PASSWORD_STORE_DIR allows us to specify a different directory for the password store. Having to remember to set this variable every time you want a password would be annoying though, so let's create a .envrc file at the root of the repository.

#!/usr/bin/env bash
set -euxo pipefail
export PASSWORD_STORE_DIR="$PWD/secrets"

After running direnv allow, this script will automatically be picked up and run by direnv when you cd into the repository.

Let’s commit these.

$ git add -p .envrc secrets/.gpg-id 
$ git commit -m "Initialise password store"
[master (root-commit) b13567d] Initialise password store
2 files changed, 6 insertions(+)
create mode 100644 .envrc
create mode 100644 secrets/.gpg-id

Adding and removing team mates

After having set up GnuPG, Bob, a new team member, can communicate his public key to the rest of the team. The public key can be exported with gpg.

$ gpg2 --export --armor 4C7D8DE51D2780E898B0BF230B48F5750A41A46B > ~/publickey

Alice can then import it, tell GPG she trusts the key really belongs to Bob and add the key to the password store.

$ gpg2 --import ~/publickey
gpg: key 0B48F5750A41A46B: public key "Bob <bob@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg2 --edit-key 4C7D8DE51D2780E898B0BF230B48F5750A41A46B
# ...
gpg> trust
# ...
# pass requires an ultimate trust in the keys used to encrypt passwords
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
# ...

$ pass init `cat secrets/.gpg-id` 4C7D8DE51D2780E898B0BF230B48F5750A41A46B
Password store initialized for 2D73209777E12843C8483F4B2C8607E19D882192, 4C7D8DE51D2780E898B0BF230B48F5750A41A46A
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-07-23
example: reencrypting to 81E8016ABB301F1E DD2FFD3598EBCD77

pass re-encrypts the passwords with the new key. And that's it. You are only one push away from sharing secrets with somebody new.

But now imagine Bob was only hired for a mission of 6 months. What happens then?

$ pass init `cat secrets/.gpg-id | grep -v 4C7D8DE51D2780E898B0BF230B48F5750A41A46B`
Password store initialized for 2D73209777E12843C8483F4B2C8607E19D882192
example: reencrypting to 81E8016ABB301F1E

Removing somebody from the team is a bit more complicated than that, though. Indeed, simply removing the key is not enough. That person might have a copy of the repository on his laptop with passwords encrypted with his public key, or have copied them somewhere else. There is only one solution: change your passwords.
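The add and remove steps above, wrapped in shell functions as an added example (not code from the original article or from pass): the list helpers only edit the text of the store's .gpg-id file, and reinit_store hands the result to the real pass init, the same way the article does by hand. The fingerprints in the usage comment are the article's.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. The recipient list of a
# password store lives in <store>/.gpg-id, one key ID per line; the article
# rewrites it by hand with `pass init` and `grep -v`. These helpers do the
# same list handling with exact matching and never produce an empty list.
set -eu

# Print the current recipients of the .gpg-id file $1 (blank lines dropped).
gpgid_list() {
    grep -v '^[[:space:]]*$' "$1" || true
}

# Print the recipients with key $2 appended, unless it is already listed.
gpgid_add() {
    gpgid_list "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2"
}

# Print the recipients without key $2. Whole-line, fixed-string matching
# (-x -F) keeps a fingerprint that merely contains the given string, which
# a bare `grep -v KEY` would drop. Refuses to remove the last recipient,
# because `pass init` with no key would fail and leave the store as it was.
gpgid_remove() {
    remaining=$(gpgid_list "$1" | grep -vxF -- "$2" || true)
    if [ -z "$remaining" ]; then
        echo "refusing to remove the last recipient from $1" >&2
        return 1
    fi
    printf '%s\n' "$remaining"
}

# Re-encrypt the store for the recipients read from stdin, one per line.
# Calls the real `pass`; PASSWORD_STORE_DIR comes from the environment
# (for example set by the .envrc shown earlier).
reinit_store() {
    set --
    while IFS= read -r id; do
        if [ -n "$id" ]; then set -- "$@" "$id"; fi
    done
    pass init "$@"
}

# Usage against a real store (Bob's fingerprint from the article):
#   gpgid_add    secrets/.gpg-id 4C7D8DE51D2780E898B0BF230B48F5750A41A46B | reinit_store
#   gpgid_remove secrets/.gpg-id 4C7D8DE51D2780E898B0BF230B48F5750A41A46B | reinit_store
```

Re-encrypting does not reach copies a removed member already holds, so the password change the article calls for is still required.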

One last thing worth noting. Scripts in the repository can now make use of encrypted passwords by calling pass as follows.

#!/usr/bin/env bash
set -euxo pipefail
some-command --user developer --password "$(pass example)"
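A variant of that wrapper, as an added example (not from the original article), that keeps the decrypted password out of the xtrace output and out of the command line: `some-command` and its `--password-stdin` flag are placeholders, and the consumer shown is a stand-in used for checking.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. The article's script
# runs with `set -x`, and xtrace echoes every expanded command and assignment
# to stderr, so `--password "$(pass example)"` prints the decrypted password
# in the trace; a password in argv is also visible to other local users in
# the process list. This helper keeps tracing off while the secret is in the
# shell and hands it to the consumer on stdin.
set -eux

# run_with_secret ENTRY CMD [ARGS...]: run CMD with the first line of the
# pass entry ENTRY (the password, per the article's file layout) on stdin.
run_with_secret() {
    entry=$1; shift
    restore=""
    case $- in *x*) restore="set -x"; set +x;; esac   # pause xtrace
    # sed reads the whole input, so pass never sees a closed pipe.
    secret=$(pass show "$entry" | sed -n 1p)
    if printf '%s\n' "$secret" | "$@"; then rc=0; else rc=$?; fi
    unset secret
    $restore        # resume tracing only once the secret is gone
    return $rc
}

# Stand-in consumer for a tool that reads its password from stdin (many
# CLIs offer a --password-stdin style option): checks that the password has
# at least the 30 characters `pass generate ... 30` produces.
check_password_length() {
    IFS= read -r pw
    [ "${#pw}" -ge 30 ]
}

# Usage against a real store (placeholder command and flag):
#   run_with_secret example some-command --user developer --password-stdin
```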

Ecosystem around pass

On top of the very simple command-line tool, there is a whole bunch of extensions and programs built on it, as well as migration tools from other password managers.

The only one I personally use is passmenu, a dmenu script. I use dmenu together with XMonad. After pressing Super+p, I can type passmenu and access all my passwords. This is so convenient that it replaces any need for browser extensions and such.

There is an extension for OTP (One-Time Password, read 2-factor authentication), although it completely defeats the point of 2FA if you have both the password and the OTP in the same password manager.

Speaking of which, there are extensions for Firefox and Chrome. If you are on Mac OS X, you can add it to Alfred. There is also a client for iOS and Android.

If (like me) you are not comfortable with sharing all your passwords with your phone, you can easily share a single password when you really need to by using pass -q example. It will show a QR code with the password so you don't have to type it manually.

You can find the full list on the website.

Shortcomings of pass

Of course, pass is still a niche tool. Not everybody is ready or capable to handle GPG keys and Git. There is however no reason you couldn't use both pass for developers and a more traditional password manager for the rest of the business.

Even for developers and other technically-inclined people, it comes with a steeper — although far from insurmountable — learning curve.

The main shortcoming is the difficulty of handling GPG keys. It is a fair amount of work which you might not want, or have the time, to do. The effort is not entirely lost, however, as the keys can also be used to encrypt files and emails, sign Git commits and such.

As you have probably understood by now, it doesn't come for free but can very well be worth it.

If you have any (good or bad) experience working with pass for yourself or in a team setting, feel free to share.

Every week (or two), I gather the best resources I found about software engineering and related topics and share them with you by email. If you liked a story I posted on Medium and want to stay tuned about new stories, I also put a link to them in this newsletter.

Translated from: https://medium.com/@thoferon/sharing-passwords-with-git-gpg-and-pass-628c2db2a9de