Matthew writes:

    If the initial decrypt fails then the rest of the line shouldn't
    continue, as it won't be a properly decrypted password being
    re-encrypted and written over the existing passfile.

    One solution to this would be to enable pipefail (set -o pipefail) -
    either just before, or at the start of this script.  This would
    cause the failure of any of the commands in a pipe to set the return
    status of the whole pipeline to non-zero (the last failed command's
    return code is used).

We take his suggestion with this patch. While we're at it, we take a
little bit extra care (though not too much extra care) to select a more
random intermediate password, in case folks have a strange habit of
using a dot-new extension on files.

Suggested-by: Matthew Richardson <m.richardson@ed.ac.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Suggested-by: Tom Vincent <pass@tlvince.com>

Suggested-by: Matthew Richardson <m.richardson@ed.ac.uk>

Suggested-by: Matthieu Weber <mweber@free.fr>

Repro steps:
1. In KeePass, add some entries as children of the root node
2. Export the KeePass to foo.xml
3. 'keepass2pass.py -f foo.xml'
Expect: all entries imported
Actual: root-level entries are skipped

This patch removes several special characters while attempting to preserve
as much meaning in the filename as possible. These changes are made to the
KeepassX title before it is used as a file password store filename:

   - Spaces between words in file names are replaced with camelCasing.
   - The characters \ | ( ) are each replaced with a hyphen.
   - Trailing hypens are removed.
   - @ is replaced with "At"
   - ' is removed

If `PASSWORD_STORE_DIR:-$HOME/.password-store` is a symlink, Zsh throws:
`_values:compvalues:10: not enough arguments`.

Passing `-L` to find(1) fixes this.

mktemp expects all options before a template. This prevented the
temporary file for "pass edit" mode from being created in /dev/shm.

Fix for c832d464

Some users want to use a different clipboard for pass.

Suggested-by: nand <nand@nand.wakku.to>

We now make sure a previous pass clip restore finishes immediately when
copying another password to the clipboard.

This is currently only implemented on Linux.

The .gpg-id file may now have multiple keys in it, one per line.

If a .gpg-id file exists inside a subdirectory, passwords inside that
directory are encrypted to that/those ids.

The init command has learned a -p/--path option for writing such a sub
directory .gpg-id and now can take several arguments for ids.

According to a forthcoming paper by Alfredo Pironti, OpenPGP compression
can reveal entropy levels. We thus disable compression.

Existing password stores can be reencrypted without compression using
the "--reencrypt" flag for "init".

Reported-by: Alfredo Pironti <alfredo.pironti@inria.fr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>