Skip to content
Latchkey

gopass show: Read a Secret from the Store

gopass show prints a secret from the Git-backed, GPG-encrypted gopass store, optionally just the password line.

gopass is a team password store built on GPG and Git. gopass show reads a secret; in CI the GPG private key must be imported and the store checked out for decryption to work.

What it does

gopass show decrypts the named secret from the local store and prints it. The first line is the password; -o or --password returns just that line, while -f prints the whole entry including any extra fields.

Common usage

Terminal
gopass show ci/deploy/token
# just the password (first line)
gopass show -o ci/deploy/token
# print the whole entry
gopass show -f ci/deploy/token

Options

FlagWhat it does
<path>Store path of the secret to show
-o, --passwordPrint only the password (first line)
-f, --forcePrint the full entry without confirmation
-c, --clipCopy the password to the clipboard instead of printing
GPG_TTYEnv var GPG may need for pinentry (set to $(tty) locally)

In CI

Import the GPG private key non-interactively (gpg --batch --import), set GNUPGHOME to a job-local dir, and disable pinentry so decryption does not prompt. Use gopass sync or a git pull to get the latest store first. Capture -o output straight into the consumer and mask it.

Common errors in CI

"gpg: decryption failed: No secret key" means the GPG private key for the recipients was not imported into the runner keyring. A "GPG error" or pinentry hang means GPG tried to prompt; run in batch mode with the key trusted. "Entry is not in the password store" means a wrong path or an un-synced store.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →