Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This relies on a patched version of tree to work, unfortunately.
Hopefully upstream will accept our patch.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Matthew writes:

    If the initial decrypt fails then the rest of the line shouldn't
    continue, as it won't be a properly decrypted password being
    re-encrypted and written over the existing passfile.

    One solution to this would be to enable pipefail (set -o pipefail) -
    either just before, or at the start of this script.  This would
    cause the failure of any of the commands in a pipe to set the return
    status of the whole pipeline to non-zero (the last failed command's
    return code is used).

We take his suggestion with this patch. While we're at it, we take a
little bit extra care (though not too much extra care) to select a more
random intermediate password, in case folks have a strange habit of
using a dot-new extension on files.

Suggested-by: Matthew Richardson <m.richardson@ed.ac.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Suggested-by: Tom Vincent <pass@tlvince.com>

Suggested-by: Matthew Richardson <m.richardson@ed.ac.uk>

Suggested-by: Matthieu Weber <mweber@free.fr>

mktemp expects all options before a template. This prevented the
temporary file for "pass edit" mode from being created in /dev/shm.

Some users want to use a different clipboard for pass.

Suggested-by: nand <nand@nand.wakku.to>

We now make sure a previous pass clip restore finishes immediately when
copying another password to the clipboard.

This is currently only implemented on Linux.

The .gpg-id file may now have multiple keys in it, one per line.

If a .gpg-id file exists inside a subdirectory, passwords inside that
directory are encrypted to that/those ids.

The init command has learned a -p/--path option for writing such a sub
directory .gpg-id and now can take several arguments for ids.

According to a forthcoming paper by Alfredo Pironti, OpenPGP compression
can reveal entropy levels. We thus disable compression.

Existing password stores can be reencrypted without compression using
the "--reencrypt" flag for "init".

Reported-by: Alfredo Pironti <alfredo.pironti@inria.fr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Make show/ls/list follow links by passing -l to tree.

The `read` builtin accepts backslash notation for common non-printing
characters by default, like `\t` and `\n`. This requires that any
literal backslashes must also be escaped as `\\`.

Given that `gpg -e` does not interpret input, the `read` invocations are
changed to do the same.

Also, the right hand side of an `==` comparison within `[[ ]]` must be
quoted in order to suppress pattern metacharacter expansion. Quoting the
bash manual:

    When the == and != operators are used, the string to the right of
    the operator is considered a pattern and matched according to the
    rules described below under Pattern Matching.