README.md
1QtPass
2======
3
4[![latest packaged version(s)](https://repology.org/badge/latest-versions/qtpass.svg)](https://repology.org/metapackage/qtpass)
5[![Build Status](https://travis-ci.org/IJHack/QtPass.svg?branch=master)](https://travis-ci.org/IJHack/QtPass)
6[![Build status](https://ci.appveyor.com/api/projects/status/9rjnj72rdir7u9eg/branch/master?svg=true)](https://ci.appveyor.com/project/annejan/qtpass/branch/master)
7[![Coverity scan](https://scan.coverity.com/projects/5266/badge.svg)](https://scan.coverity.com/projects/ijhack-qtpass)
8[![Coverage Status](https://coveralls.io/repos/github/IJHack/QtPass/badge.svg)](https://coveralls.io/github/IJHack/QtPass)
9[![codecov](https://codecov.io/gh/IJhack/QtPass/branch/master/graph/badge.svg)](https://codecov.io/gh/IJhack/QtPass)
10[![CodeFactor](https://www.codefactor.io/repository/github/ijhack/qtpass/badge)](https://www.codefactor.io/repository/github/ijhack/qtpass)
11[![Packaging status](https://repology.org/badge/tiny-repos/qtpass.svg)](https://repology.org/metapackage/qtpass)
12[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/IJHack/QtPass.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/IJHack/QtPass/context:cpp)
13[![Total alerts](https://img.shields.io/lgtm/alerts/g/IJHack/QtPass.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/IJHack/QtPass/alerts/)
14[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FIJHack%2FQtPass.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2FIJHack%2FQtPass?ref=badge_shield)
15
16QtPass is a GUI for [pass](https://www.passwordstore.org/),
17the standard unix password manager.
18
19Features
20--------
21
22* Using `pass` or `git` and `gpg2` directly
23* Configurable shoulder surfing protection options
24* Cross platform: Linux, BSD, OS X and Windows
25* Per-folder user selection for multi recipient encryption
26* Multiple profiles
27* Easy onboarding
28
29Logo based on [Heart-padlock by AnonMoos](https://commons.wikimedia.org/wiki/File:Heart-padlock.svg).
30
31Installation
32------------
33
34### From package
35
36OpenSUSE & Fedora
37`yum install qtpass`
38`dnf install qtpass`
39
40Debian, Ubuntu and derivates like Mint, Kali & Raspbian
41`apt-get install qtpass`
42
43Arch Linux
44`pacman -S qtpass`
45
46Gentoo
47`emerge -atv qtpass`
48
49Sabayon
50`equo install qtpass`
51
52FreeBSD
53`pkg install qtpass`
54
55macOS
56`brew cask install qtpass`
57
58Windows
59`choco install qtpass`
60
61[![Packaging status](https://repology.org/badge/vertical-allrepos/qtpass.svg)](https://repology.org/metapackage/qtpass)
62
63### From Source
64
65**Dependencies**
66
67* QtPass requires Qt 5.2 or later
68* The Linguist package is required to compile the translations.
69* For use of the fallback icons the SVG library is required.
70
71At runtime the only real dependency is `gpg2` but to make the most of it, you'll need `git` and `pass` too.
72
73Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication.
74On Mac OS X this currently seems to only work best with `pinentry-mac` from homebrew, although gpgtools works too.
75
76On most unix systems all you need is:
77```
78qmake && make && make install
79```
80
81Testing
82-------
83
84This is done with `make check`
85
86Codecoverage can be done with `make lcov`, `make gcov`, `make coveralls` and/or `make codecov`.
87
88Be sure to first run: `make distclean && qmake CONFIG+=coverage qtpass.pro`
89
90Security considerations
91-----------------------
92
93Using this program will not magically keep your passwords secure against
94compromised computers even if you use it in combination with a smartcard.
95
96It does protect future and changed passwords though against anyone with access to
97your password store only but not your keys.
98Used with a smartcard it also protects against anyone just monitoring/copying
99all files/keystrokes on that machine and such an attacker would only gain access
100to the passwords you actually use.
101Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298
102even without your PIN) all your passwords available to the machine can be
103decrypted by it, if there is malicious software targeted specifically against
104it installed (or at least one that knows how to use a smartcard).
105
106To get better protection out of use with a smartcard even against a targeted
107attack I can think of at least two options:
108
109* The smartcard must require explicit confirmation for each decryption operation.
110 Or if it just provides a counter for decrypted data you could at least notice
111 an attack afterwards, though at quite some effort on your part.
112* Use a different smartcard for each (group of) key.
113* If using a YubiKey or U2F module or similar that requires a "button" press for
114 other authentication methods you can use one OTP/U2F enabled WebDAV account per
115 password (or groups of passwords) as a quite inconvenient workaround.
116 Unfortunately I do not know of any WebDAV service with OTP support except ownCloud
117 (so you would have to run your own server).
118
119Known issues
120------------
121
122* Filtering (searching) breaks the tree/model sometimes
123* Starting without a correctly set password-store folder
124 gives weird results in the tree view
125
126Planned features
127----------------
128
129* Plugins based on field name, plugins follow same format as password files
130* Colour coding folders (possibly disabling folders you can't decrypt)
131* Optional table view of decrypted folder contents
132* Opening of (basic auth) urls in default browser?
133 Possibly with helper plugin for filling out forms?
134* WebDAV (configuration) support
135* Some other form of remote storage that allows for
136 accountability / auditing (web API to retrieve the .gpg files?)
137
138Further reading
139---------------
140
141[FAQ](FAQ.md) and [CONTRIBUTING](CONTRIBUTING.md) documentation.
142[CHANGELOG](CHANGELOG.md)
143
144[Website](https://qtpass.org/)
145[Source code](https://github.com/IJHack/qtpass)
146[Issue queue](https://github.com/IJHack/qtpass/issues)
147[Chat](https://gitter.im/IJHack/qtpass)
148
149
150## License
151### GNU GPL v3.0
152
153[![GNU GPL v3.0](http://www.gnu.org/graphics/gplv3-127x51.png)](http://www.gnu.org/licenses/gpl.html)
154
155View official GNU site <http://www.gnu.org/licenses/gpl.html>.
156
157[![OSI](http://opensource.org/trademarks/opensource/OSI-Approved-License-100x137.png)](https://opensource.org/licenses/GPL-3.0)
158
159[View the Open Source Initiative site.](https://opensource.org/licenses/GPL-3.0)
160
161[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FIJHack%2FQtPass.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FIJHack%2FQtPass?ref=badge_large)
162