gopass show: Read a Secret from the Store
gopass show prints a secret from the Git-backed, GPG-encrypted gopass store, optionally just the password line.
gopass is a team password store built on GPG and Git. gopass show reads a secret; in CI the GPG private key must be imported and the store checked out for decryption to work.
What it does
gopass show decrypts the named secret from the local store and prints it. The first line is the password; -o or --password returns just that line, while -f prints the whole entry including any extra fields.
Common usage
gopass show ci/deploy/token
# just the password (first line)
gopass show -o ci/deploy/token
# print the whole entry
gopass show -f ci/deploy/tokenOptions
| Flag | What it does |
|---|---|
| <path> | Store path of the secret to show |
| -o, --password | Print only the password (first line) |
| -f, --force | Print the full entry without confirmation |
| -c, --clip | Copy the password to the clipboard instead of printing |
| GPG_TTY | Env var GPG may need for pinentry (set to $(tty) locally) |
In CI
Import the GPG private key non-interactively (gpg --batch --import), set GNUPGHOME to a job-local dir, and disable pinentry so decryption does not prompt. Use gopass sync or a git pull to get the latest store first. Capture -o output straight into the consumer and mask it.
Common errors in CI
"gpg: decryption failed: No secret key" means the GPG private key for the recipients was not imported into the runner keyring. A "GPG error" or pinentry hang means GPG tried to prompt; run in batch mode with the key trusted. "Entry is not in the password store" means a wrong path or an un-synced store.