Merge pull request 'Mullvad Browser Documentation' (#85) from haihige/passff-host:mullvad-documentation into main

Reviewed-on: https://codeberg.org/PassFF/passff-host/pulls/85

CHANGELOG.md

@@ -1,9 +1,22 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.4] - 2023-12-06
+### Added
+- Include debug outputs from GPG to allow improved error messages in PassFF
+- Add installer support for gopass
+
+## [1.2.3] - 2021-11-03
+### Added
+- Add support for LibreWolf
+
+## [1.2.2] - 2021-10-06
+### Added
+- Add support for gopass when renamed to pass
+
 ## [1.2.1] - 2019-04-25
 ### Fixed
 - Python 3.5 support
@@ -18,11 +31,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [OTP](https://github.com/tadfisher/pass-otp) support
 
 ### Changed
-- Makefile refactored and [usage](https://github.com/passff/passff-host#latest-from-github) updated
+- Makefile refactored and [usage](https://codeberg.org/PassFF/passff-host#latest-from-git) updated
 
 ### Fixed
 - Flake8 conformance & documentation improved
-- [Passff not comunicating with passff-host](https://github.com/passff/passff-host/issues/27)
+- [Passff not comunicating with passff-host](https://codeberg.org/PassFF/passff-host/issues/27)
 
 ## [1.0.2] - 2018-07-01
 ### Added
@@ -42,8 +55,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Initial Release
 
-[Unreleased]: https://github.com/passff/passff-host/compare/1.1.0...HEAD
-[1.1.0]: https://github.com/passff/passff-host/compare/1.0.2...1.1.0
-[1.0.2]: https://github.com/passff/passff-host/compare/1.0.1...1.0.2
-[1.0.1]: https://github.com/passff/passff-host/compare/1.0...1.0.1
-[1.0.0]: https://github.com/passff/passff-host/releases/tag/1.0
+[Unreleased]: https://codeberg.org/PassFF/passff-host/compare/1.2.4...HEAD
+[1.2.4]: https://codeberg.org/PassFF/passff-host/compare/1.2.3...1.2.4
+[1.2.3]: https://codeberg.org/PassFF/passff-host/compare/1.2.2...1.2.3
+[1.2.2]: https://codeberg.org/PassFF/passff-host/compare/1.2.1...1.2.2
+[1.2.1]: https://codeberg.org/PassFF/passff-host/compare/1.2.0...1.2.1
+[1.2.0]: https://codeberg.org/PassFF/passff-host/compare/1.1.0...1.2.0
+[1.1.0]: https://codeberg.org/PassFF/passff-host/compare/1.0.2...1.1.0
+[1.0.2]: https://codeberg.org/PassFF/passff-host/compare/1.0.1...1.0.2
+[1.0.1]: https://codeberg.org/PassFF/passff-host/compare/1.0...1.0.1
+[1.0.0]: https://codeberg.org/PassFF/passff-host/releases/tag/1.0

README.md

@@ -1,8 +1,6 @@
 passff-host
 ===========
 
-[![Join the chat at https://gitter.im/jvenant/passff](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/jvenant/passff?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-
 Host app for the WebExtension **[PassFF](https://addons.mozilla.org/firefox/addon/passff)**
 
 ### Overview
@@ -14,6 +12,8 @@ This piece of software wraps around the **[zx2c4 pass](http://www.zx2c4.com/proj
 * [`python3`](https://docs.python.org/3.5/) (>= 3.5)
 * [`pass`](https://www.passwordstore.org/)
 
+In most cases, a **graphical *pinentry* program** is also needed for use with the PassFF browser extension. For that, please refer to the instructions given in the [PassFF repository](https://codeberg.org/PassFF/passff#a-graphical-pinentry-program).
+
 #### For the install script (except Windows)
 * `curl`
 * `sed`
@@ -22,38 +22,77 @@ This piece of software wraps around the **[zx2c4 pass](http://www.zx2c4.com/proj
 
 #### Linux, MacOS, * BSD
 
-Download the latest `install_host_app.sh` script from [our releases page](https://github.com/passff/passff-host/releases) and execute it. As an example, Firefox users can do this in one line like so:
+Download the latest `install_host_app.sh` script from [our releases page](https://codeberg.org/PassFF/passff-host/releases) and execute it. As an example, Firefox users can do this in one line like so:
 
-```
-$ curl -sSL github.com/passff/passff-host/releases/latest/download/install_host_app.sh | bash -s -- firefox
+```bash
+curl -sSL https://codeberg.org/PassFF/passff-host/releases/download/latest/install_host_app.sh | bash -s -- firefox
 ```
 
-Users of other supported browsers need to replace the last argument (`firefox`) by `chrome`, `opera`, `chromium` or `vivaldi`.
+Users of other supported browsers need to replace the last argument (`firefox`) by `librewolf`, `chrome`, `opera`, `chromium` or `vivaldi`.
 The script will download the host application (a small python script) and the add-on's manifest file (a JSON config file) and put them in the right place.
+
 If you're concerned about executing a script that downloads files from the web, you can download the files yourself and run the script with the `--local` option instead or link the files yourself. Details below.
 
+##### Unveil restrictions on OpenBSD
+For **OpenBSD** users (cf. [issue #67](https://codeberg.org/PassFF/passff-host/issues/67)), note that Firefox is patched with the [unveil(2)](https://man.openbsd.org/unveil.2) system call to restrict access to the filesystem, in order to make Firefox more secure. Therefore, Firefox on OpenBSD can only execute files for which execution is explicitly permitted in a local configuration file. To allow execution of the PassFF host script, add the following line to the file `/etc/firefox/unveil.main` on your OpenBSD system:
+```
+~/.mozilla/native-messaging-hosts rx
+```
+Please keep in mind that this does still lessen the security provided by the default OpenBSD settings. Make the change at your own risk!
+
+##### AppArmor restrictions on Linux
+For **Linux** users running apparmor, Firefox might be running an apparmor profile that restricts execution of binaries, which can be fixed by adding an override to allow execution of `pass.py`. If this is the case, the passff UI will show "`ls -> (-1) PassFF failed to execute the host app`" and the systemd journal (`journalctl -f`) will typically contain something like:
+
+```
+kernel: audit: type=1400 audit(1730744626.014:1382): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/home/user/.mozilla/native-messaging-hosts/passff.py" pid=31846 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
+```
+
+For example on Ubuntu with Firefox from the [Mozillateam PPA](https://launchpad.net/~mozillateam/+archive/ubuntu/ppa) this restriction seems to have been introduced somewhere in 2024 with the `/etc/apparmor.d/usr.bin.firefox` file. Since that file contains an include directive for local overrides, you can fix the issue by creating or modifiying `/etc/apparmor.d/local/usr.bin.firefox` with:
+
+```
+owner @{HOME}/.mozilla/native-messaging-hosts/passff.py ixr,
+/usr/bin/pass uxr,
+```
+
+These rules allow executing `passff.py` with the same limitations as firefox and allow executing the `pass` binary without further limitations (`ux` for unconfined execute), since `pass` uses `bash`, `getopt`, `which` and some other tools that would otherwise need to be explicitly allowed. Please keep in mind that this does still lessen the security provided by the default AppArmor settings. Make the change at your own risk!
+
+After creating or modifying this file, you can reboot or run ` sudo aa-enforce /etc/apparmor.d/usr.bin.firefox` to reload the AppArmor profile (but in Ubuntu 22.10 there seems to be an issue with multiple firefox profiles that prevent reloading it this way, rebooting does work as expected).
+
 #### Windows
-Download the `install_host_app.bat` script from [our releases page](https://github.com/passff/passff-host/releases) and execute it from within a shell with a correct PATH, mentioning your browser in the last argument (i.e., replace `firefox` by `chrome`, `opera`, `chromium` or `vivaldi` if necessary).
+Download the `install_host_app.bat` script from [our releases page](https://codeberg.org/PassFF/passff-host/releases) and execute it from within a shell with a correct PATH, mentioning your browser in the last argument (i.e., replace `firefox` by `librewolf`, `chrome`, `opera`, `chromium` or `vivaldi` if necessary).
 *The rule of thumb is: if you can execute pass and python from your shell, then your host application will be installed correctly.*
 
 ```
-> install_host_app.bat firefox
+install_host_app.bat firefox
 ```
 
 Note: Older Windows versions might require powershell to be installed manually as the install script uses powershell internally. Windows 10 users should be fine out of the box.
 
-#### Latest from GitHub
+#### NixOS linux
+
+Install the version without extensions to pass with:
+
+    environment.systemPackages = with pkgs; [
+    ...
+    (firefox.override { extraNativeMessagingHosts = [passff-host]; })
+    ...];
+
+The string "..." is to be replaced by the list of all other packages installed by root on your NixOS. Instructions to add extensions like pass-otp to pass under NixOS are in the preferences section below.
+
+
+#### Latest from git
+
 This is not recommended! Only for developers and for testing purposes!
 
 Clone the repository. Then, run the following command.
 
-```
-$ make [VERSION=testing|...] [BROWSER=firefox|chrome|opera|chromium|vivaldi] install
+```bash
+make [VERSION=testing|...] [BROWSER=firefox|librewolf|chrome|opera|chromium|vivaldi] install
 ```
 
 This will generate the host application and installation scripts for the given `VERSION` (`testing` by default), and copy the host application and manifest files to the right place for your `BROWSER` (`firefox` by default).
 
-This uses the `--local` option of the `install_host_app.sh` script, which instructs it to use the files on disk rather than downloading them from GitHub.
+This uses the `--local` option of the `install_host_app.sh` script, which instructs it to use the files on disk rather than downloading them from the official git repository.
 
 If this doesn't work, you can link the files yourself. First, change the `path` value in the `passff.json` file to be the absolute path to the project's `bin/testing/passff.py` file. Then symlink (or copy) the file `bin/testing/passff.json` to the appropriate location for your browser and OS:
 
@@ -67,6 +106,16 @@ If this doesn't work, you can link the files yourself. First, change the `path`
   - Windows
     - Per-user: `Path contained in registry key HKEY_CURRENT_USER\Software\Mozilla\NativeMessagingHosts\passff`
     - System-wide: `Path contained in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts\passff`
+- LibreWolf
+  - Linux
+    - Per-user: `~/.librewolf/native-messaging-hosts/passff.json`
+    - System-wide: `/usr/{lib,lib64,share}/librewolf/native-messaging-hosts/passff.json`
+  - OS X
+    - Per-user: `~/Library/Application Support/LibreWolf/NativeMessagingHosts/passff.json`
+    - System-wide: `/Library/Application Support/LibreWolf/NativeMessagingHosts/passff.json`
+  - Windows
+    - Per-user: `Path contained in registry key HKEY_CURRENT_USER\Software\LibreWolf\NativeMessagingHosts\passff`
+    - System-wide: `Path contained in registry key HKEY_LOCAL_MACHINE\SOFTWARE\LibreWolf\NativeMessagingHosts\passff`
 - Chrome
   - Linux
     - Per-user: `~/.config/google-chrome/NativeMessagingHosts/passff.json`
@@ -93,6 +142,19 @@ If this doesn't work, you can link the files yourself. First, change the `path`
   - OS X
     - Per-user: `~/Library/Application Support/Vivaldi/NativeMessagingHosts/passff.json`
     - System-wide: `/Library/Application Support/Vivaldi/NativeMessagingHosts/passff.json`
+- Mullvad Browser (based on TorBrowser)
+  - Linux
+    - `mullvad-browser/Data/native-messaging-hosts/passff.json`
+    - The key used for `pass` needs to be added to Mullvad's `.gnugp` directory:
+      - `gpg --homedir mullvad-browser/Browser/.gnupg --list-keys` (if this returns an error, kill the process it shows)
+      - `gpg --homedir mullvad-browser/Browser/.gnupg --import /path/to/key`
+      - Get the ID from `gpg --homedir mullvad-browser/Browser/.gnupg --list-keys` and set the trust to "ultimate":
+        ```bash
+        $ gpg --homedir mullvad-browser/Browser/.gnupg --edit-key your_key_id
+        > trust
+        > 5
+        ```
+    - Restart the computer, and use Mullvad to access `pass` before accessing via the CLI
 
 ### Troubleshooting
 
@@ -100,7 +162,7 @@ If this doesn't work, you can link the files yourself. First, change the `path`
 #### Connection to the host app failed or returned an unexpected result
 
 > Connection to the host app failed or returned an unexpected result!
-> Make sure you have the latest version of the PassFF host app installed by following the installation instructions on GitHub.
+> Make sure you have the latest version of the PassFF host app installed by following the installation instructions in the official git repository.
 
 > Script execution failed.
 
@@ -125,7 +187,7 @@ See the section above.
 
 ###### Set a correct PATH in the `passff.py` script
 When the PATH variable is not set correctly, `pass` will complain about not finding `getopt` and then loop forever. You can reproduce this behavior on the command line:
-```
+```bash
 PATH="$(which bash | xargs dirname)" $(which pass)
 ```
 
@@ -144,9 +206,23 @@ In the preferences of PassFF, you can enable the status bar and debug logs in th
 * The typical output for an empty store is:
   * `{"stderr": "", "version": "1.0.1", "exitCode": 0, "stdout": "Password Store\n"}`
 
+#### Check the error code on failure
+```console
+$ strace -f --trace=execve --string-limit=256 firefox 2>&1 |grep passff
+[pid 73124] execve("/home/<USER>/.mozilla/native-messaging-hosts/passff.py", ["/home/<USER>/.mozilla/native-messaging-hosts/passff.py", "/home/<USER>/.mozilla/native-messaging-hosts/passff.json", "passff@invicem.pro"], 0x7fce6a83e500 /* 77 vars */) = -1 EACCES (Permission denied)
+```
+
+#### Check the security module configuration
+If your browser is confined by a security module such as AppArmor, then its policies might deny the execution of the host application, resulting in syslog entries like this:
+```console
+$ grep passff /var/log/syslog
+Apr 22 19:55:24 <HOST> kernel: [70746.170024] audit: type=1400 audit(1650650124.793:2258): apparmor="DENIED" operation="exec" profile="firefox" name="/home/<USER>/.mozilla/native-messaging-hosts/passff.py" pid=73124 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
+```
+Similarly, OpenBSD has its own ways to restrict execution of scripts by Firefox. See the "Installation" section above for instructions on how to remove those restrictions.
+
 #### Testing OTP support
 ```console
-$ echo -e "\x19\x00\x00\x00[\"otp\",\"/www/github.com\"]" | /path/to/passff.py | tail -c +4; echo
+$ echo -e "\x19\x00\x00\x00[\"otp\",\"/www/example.com\"]" | /path/to/passff.py | tail -c +4; echo
 {"exitCode": 0, "stderr": "", "stdout": "123456\n", "version": "1.0.1"}
 ```
 
@@ -158,3 +234,15 @@ By modifying the *preferences section* in `passff.py`, you will be able to set:
   - `COMMAND_ARGS`: additional command line arguments that are passed to `pass`,
   - `COMMAND_ENV`: additional environment variables,
   - `CHARSET`: the shell stdout charset.
+
+If you are using [NixOS linux](https://github.com/tadfisher/pass-otp#nixnixos), you can install extensions like pass-otp in passff-host with:
+
+    environment.systemPackages = with pkgs; [
+    ...
+    (pass.withExtensions (ext: with ext; [pass-otp]))
+    (firefox.override { extraNativeMessagingHosts = [(passff-host.overrideAttrs (old: { dontStrip = true; patchPhase = ''
+    sed -i 's#COMMAND = "pass"#COMMAND = "${pass.withExtensions (ext: with ext; [pass-otp])}/bin/pass"#' src/passff.py
+    ''; }))]; })
+    ...];
+
+The string "..." is to be replaced by the list of all other packages installed by root on your NixOS.

src/install_host_app.bat

@@ -3,8 +3,8 @@ SETLOCAL
 
 SET "APP_NAME=passff"
 SET "VERSION=_VERSIONHOLDER_"
-SET "HOST_URL=https://github.com/passff/passff-host/releases/download/%VERSION%/passff.py"
-SET "MANIFEST_URL=https://github.com/passff/passff-host/releases/download/%VERSION%/passff.json"
+SET "HOST_URL=https://codeberg.org/PassFF/passff-host/releases/download/%VERSION%/passff.py"
+SET "MANIFEST_URL=https://codeberg.org/PassFF/passff-host/releases/download/%VERSION%/passff.json"
 
 SET "TARGET_DIR=%APPDATA%\%APP_NAME%"
 SET "HOST_MANIFEST=%APP_NAME%.json"
@@ -34,19 +34,22 @@ IF NOT "%1"=="" (
     ) ELSE IF "%1"=="firefox" (
         SET "TARGET_REG=HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\%APP_NAME%"
         SHIFT
+    ) ELSE IF "%1"=="librewolf" (
+        SET "TARGET_REG=HKCU\SOFTWARE\LibreWolf\NativeMessagingHosts\%APP_NAME%"
+        SHIFT
     ) ELSE IF "%1"=="chrome"  (
         SET "TARGET_REG=HKCU\Software\Google\Chrome\NativeMessagingHosts\%APP_NAME%"
         SHIFT
     ) ELSE IF "%1"=="chromium"  (
-        ECHO Chromium registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://github.com/passff/passff/issues/202
+        ECHO Chromium registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://codeberg.org/PassFF/passff/issues/202
         SET "TARGET_REG=HKCU\Software\Google\Chrome\NativeMessagingHosts\%APP_NAME%"
         SHIFT
     ) ELSE IF "%1"=="opera"  (
-        ECHO Opera registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://github.com/passff/passff/issues/202
+        ECHO Opera registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://codeberg.org/PassFF/passff/issues/202
         SET "TARGET_REG=HKCU\Software\Google\Chrome\NativeMessagingHosts\%APP_NAME%"
         SHIFT
     ) ELSE IF "%1"=="vivaldi"  (
-        ECHO Vivaldi registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://github.com/passff/passff/issues/202
+        ECHO Vivaldi registry key location for Native Messaging Hosts is undocumented. Assuming key for Chrome. Please provide feedback if this worked: https://codeberg.org/PassFF/passff/issues/202
         SET "TARGET_REG=HKCU\Software\Google\Chrome\NativeMessagingHosts\%APP_NAME%"
         SHIFT
     ) ELSE (
@@ -101,7 +104,7 @@ REG ADD "%TARGET_REG%" /ve /d "%HOST_MANIFEST_FULL%" /f || (
 EXIT /B
 
 :help
-ECHO Usage: %0 [OPTION] [chrome^|chromium^|firefox^|opera^|vivaldi]
+ECHO Usage: %0 [OPTION] [chrome^|chromium^|firefox^|opera^|vivaldi^|librewolf]
 ECHO
 ECHO Options:
 ECHO   --local    Install files from disk instead of downloading them

src/install_host_app.sh

@@ -7,8 +7,8 @@ set -e
 
 APP_NAME="passff"
 VERSION="_VERSIONHOLDER_"
-HOST_URL="https://github.com/passff/passff-host/releases/download/$VERSION/passff.py"
-MANIFEST_URL="https://github.com/passff/passff-host/releases/download/$VERSION/passff.json"
+HOST_URL="https://codeberg.org/PassFF/passff-host/releases/download/$VERSION/passff.py"
+MANIFEST_URL="https://codeberg.org/PassFF/passff-host/releases/download/$VERSION/passff.json"
 KERNEL_NAME=$(uname -s)
 
 # Find target dirs for various browsers & OS'es
@@ -20,11 +20,13 @@ if [ "$KERNEL_NAME" = 'Darwin' ]; then
     TARGET_DIR_CHROMIUM="/Library/Application Support/Chromium/NativeMessagingHosts"
     TARGET_DIR_FIREFOX="/Library/Application Support/Mozilla/NativeMessagingHosts"
     TARGET_DIR_VIVALDI="/Library/Application Support/Vivaldi/NativeMessagingHosts"
+    TARGET_DIR_LIBREWOLF="/Library/Application Support/LibreWolf/NativeMessagingHosts"
   else
     TARGET_DIR_CHROME="$HOME/Library/Application Support/Google/Chrome/NativeMessagingHosts"
     TARGET_DIR_CHROMIUM="$HOME/Library/Application Support/Chromium/NativeMessagingHosts"
     TARGET_DIR_FIREFOX="$HOME/Library/Application Support/Mozilla/NativeMessagingHosts"
     TARGET_DIR_VIVALDI="$HOME/Library/Application Support/Vivaldi/NativeMessagingHosts"
+    TARGET_DIR_LIBREWOLF="$HOME/Library/Application Support/LibreWolf/NativeMessagingHosts"
   fi
 else
   if [ "$(whoami)" = "root" ]; then
@@ -32,16 +34,18 @@ else
     TARGET_DIR_CHROMIUM="/etc/chromium/native-messaging-hosts"
     TARGET_DIR_FIREFOX="/usr/lib/mozilla/native-messaging-hosts"
     TARGET_DIR_VIVALDI="/etc/vivaldi/native-messaging-hosts"
+    TARGET_DIR_LIBREWOLF="/usr/lib/librewolf/native-messaging-hosts"
   else
     TARGET_DIR_CHROME="$HOME/.config/google-chrome/NativeMessagingHosts"
     TARGET_DIR_CHROMIUM="$HOME/.config/chromium/NativeMessagingHosts"
     TARGET_DIR_FIREFOX="$HOME/.mozilla/native-messaging-hosts"
     TARGET_DIR_VIVALDI="$HOME/.config/vivaldi/NativeMessagingHosts"
+    TARGET_DIR_LIBREWOLF="$HOME/.librewolf/native-messaging-hosts"
   fi
 fi
 
 usage() {
-  echo "Usage: $0 [OPTION] [chrome|chromium|firefox|opera|vivaldi]
+  echo "Usage: $0 [OPTION] [chrome|chromium|firefox|opera|vivaldi|librewolf]
 
   Example:
     $0 firefox   # Install host app for Mozilla Firefox
@@ -65,6 +69,10 @@ while [ $# -gt 0 ]; do
       BROWSER_NAME="Firefox"
       TARGET_DIR="$TARGET_DIR_FIREFOX"
       ;;
+    librewolf)
+      BROWSER_NAME="Librewolf"
+      TARGET_DIR="$TARGET_DIR_LIBREWOLF"
+      ;;
     opera)
       BROWSER_NAME="Opera"
       TARGET_DIR="$TARGET_DIR_VIVALDI"
@@ -96,7 +104,7 @@ else
   exit 1
 fi
 
-PASS_PATH="$(which pass)"
+PASS_PATH="$(which pass || which gopass)"
 if [ -x "$PASS_PATH" ]; then
   echo "Pass executable located at $PASS_PATH"
 else

src/passff.py

@@ -6,6 +6,8 @@
 
 import json
 import os
+import re
+import shlex
 import struct
 import subprocess
 import sys
@@ -52,6 +54,24 @@ def sendMessage(encodedMessage):
     sys.stdout.flush()
 
 
+def setPassGpgOpts(env, opts_dict):
+    """ Add arguments to PASSWORD_STORE_GPG_OPTS. """
+    opts = env.get('PASSWORD_STORE_GPG_OPTS', '')
+    for opt, value in opts_dict.items():
+        re_opt = new_opt = opt
+        if value is not None:
+            re_opt = rf"{opt}(?:=|\s+)\S*"
+            new_opt = (
+                f"{opt}={shlex.quote(value)}"
+                if opt.startswith("--") else
+                f"{opt} {shlex.quote(value)}"
+            )
+        # If the user's environment sets this opt, remove it.
+        opts = re.sub(re_opt, '', opts)
+        opts = f"{new_opt} {opts}"
+    env['PASSWORD_STORE_GPG_OPTS'] = opts.strip()
+
+
 if __name__ == "__main__":
     # Read message from standard input
     receivedMessage = getMessage()
@@ -93,6 +113,7 @@ if __name__ == "__main__":
         env["HOME"] = os.path.expanduser('~')
     for key, val in COMMAND_ENV.items():
         env[key] = val
+    setPassGpgOpts(env, {'--status-fd': '2', '--debug': 'ipc'})
 
     # Set up subprocess params
     cmd = [COMMAND] + opt_args + ['--'] + pos_args
@@ -106,11 +127,21 @@ if __name__ == "__main__":
     # Run and communicate with pass script
     proc = subprocess.run(cmd, **proc_params)
 
+    responseMessage = {
+        "exitCode": proc.returncode,
+        "stdout": proc.stdout.decode(CHARSET),
+        "stderr": proc.stderr.decode(CHARSET),
+        "version": VERSION
+    }
+
+    if (
+        responseMessage["exitCode"] == 0
+        and opt_args[0] == "grep"
+    ):
+        # GPG debug outputs for `grep` over the whole password store
+        # can easily exceed the size limit for native messages (1 MB).
+        # In case of exit code 0, they are not used anyways.
+        responseMessage["stderr"] = ""
+
     # Send response
-    sendMessage(
-        encodeMessage({
-            "exitCode": proc.returncode,
-            "stdout": proc.stdout.decode(CHARSET),
-            "stderr": proc.stderr.decode(CHARSET),
-            "version": VERSION
-        }))
+    sendMessage(encodeMessage(responseMessage))