Skip to content
Latchkey

pass show: Read a Password From the Store

pass show prints the decrypted contents of an entry from the standard Unix password store, which is a tree of GPG-encrypted files.

pass keeps secrets as GPG-encrypted files under ~/.password-store. In CI you import a GPG key, then pass show reads whatever entry the job needs. The first line convention is the password.

What it does

pass show <name> decrypts the file at that path in the store and prints it. -c copies the first line to the clipboard instead of printing (needs a clipboard, so rarely used in CI). You can print a specific line with pass show name | sed -n Np.

Common usage

Terminal
pass show ci/deploy-token
# just the first line (the password), for use in a variable
TOKEN=$(pass show ci/deploy-token | head -n1)

Options

Flag / usageWhat it does
pass show <name>Decrypt and print the entry
-c [line]Copy the given line (default 1) to the clipboard
pass <name>Shorthand for pass show <name>
pass lsList the store tree

In CI

pass depends on GPG. Import the private key non-interactively (gpg --batch --import) and set GPG_TTY or use a loopback pinentry so decryption does not prompt. Store the store itself in a repo or artifact the job checks out.

Common errors in CI

"Error: password store is empty. Try \"pass init\"." means ~/.password-store has no .gpg-id; run pass init <keyid>. "gpg: decryption failed: No secret key" means the matching private key was not imported. "gpg: public key decryption failed: Inappropriate ioctl for device" means pinentry tried to prompt; set GPG_TTY or configure loopback.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →