pass show: Read a Password From the Store
pass show prints the decrypted contents of an entry from the standard Unix password store, which is a tree of GPG-encrypted files.
pass keeps secrets as GPG-encrypted files under ~/.password-store. In CI you import a GPG key, then pass show reads whatever entry the job needs. The first line convention is the password.
What it does
pass show <name> decrypts the file at that path in the store and prints it. -c copies the first line to the clipboard instead of printing (needs a clipboard, so rarely used in CI). You can print a specific line with pass show name | sed -n Np.
Common usage
pass show ci/deploy-token
# just the first line (the password), for use in a variable
TOKEN=$(pass show ci/deploy-token | head -n1)Options
| Flag / usage | What it does |
|---|---|
| pass show <name> | Decrypt and print the entry |
| -c [line] | Copy the given line (default 1) to the clipboard |
| pass <name> | Shorthand for pass show <name> |
| pass ls | List the store tree |
In CI
pass depends on GPG. Import the private key non-interactively (gpg --batch --import) and set GPG_TTY or use a loopback pinentry so decryption does not prompt. Store the store itself in a repo or artifact the job checks out.
Common errors in CI
"Error: password store is empty. Try \"pass init\"." means ~/.password-store has no .gpg-id; run pass init <keyid>. "gpg: decryption failed: No secret key" means the matching private key was not imported. "gpg: public key decryption failed: Inappropriate ioctl for device" means pinentry tried to prompt; set GPG_TTY or configure loopback.