[new release] passage (0.2.0)

[thatportugueseguy]

Passage - used to store and manage access to shared secrets

• Project page: https://github.com/ahrefs/passage

CHANGES:

• Update refresh command to handle users and groups via the @<user_or_group> target syntax
• Add --version flag to passage command
• Fix the command description for new

[jmid]

Thanks!

There are runtest failures caused by small differences.
What do you make of these?

On Alpine grep is from the busybox utilities IIRC, meaning that not all options are supported:
https://opam.ci.ocaml.org/github/ocaml/opam-repository/commit/f4f8c2c217d0c6d17fd84e2dc018a63411abb1e2/variant/distributions,alpine-3.22-ocaml-4.14,passage.0.2.0,tests

#=== ERROR while compiling passage.0.2.0 ======================================#
# context              2.5.0~rc1 | linux/x86_64 | ocaml-base-compiler.4.14.2 | pinned(https://github.com/ahrefs/passage/releases/download/0.2.0/passage-0.2.0.tbz)
# path                 ~/.opam/4.14/.opam-switch/build/passage.0.2.0
# command              ~/.opam/opam-init/hooks/sandbox.sh build dune build -p passage -j 71 @install @runtest
# exit-code            1
# env-file             ~/.opam/log/passage-7-8b1e20.env
# output-file          ~/.opam/log/passage-7-8b1e20.out
### output ###
# File "tests/replace_comment_command.t", line 1, characters 0-0:
# /usr/bin/git --no-pager diff --no-index --color=always -u _build/default/tests/replace_comment_command.t _build/default/tests/replace_comment_command.t.corrected
# diff --git a/_build/default/tests/replace_comment_command.t b/_build/default/tests/replace_comment_command.t.corrected
# index c30dc85..07087bd 100644
# --- a/_build/default/tests/replace_comment_command.t
# +++ b/_build/default/tests/replace_comment_command.t.corrected
# @@ -29,34 +29,28 @@ Should succeed - replacing single-line comments with multiline comments
#    $ passage cat 00/secret1
#    (00/secret1) secret: single line
#    
# -  replaced again comments
# -  line 2
# +  replaced again comments\nline 2
#  
#  Should succeed - replacing multiline comments with multiline comments
#    $ echo "new comments\nline 2 of said new comments" | passage replace-comment 00/secret1
#    $ passage cat 00/secret1
#    (00/secret1) secret: single line
#    
# -  new comments
# -  line 2 of said new comments
# +  new comments\nline 2 of said new comments
#  
#  Should succeed - replacing multiline comments with multiline comments - in multiline secret
#    $ setup_multiline_secret_with_comments 00/secret2
#    $ echo "new comments\nline 2 of said new comments" | passage replace-comment 00/secret2
#    $ passage cat 00/secret2
#    
# -  new comments
# -  line 2 of said new comments
# +  new comments\nline 2 of said new comments
#    
#    (00/secret2) secret: line 1
#    (00/secret2) secret: line 2
#  
#  Should fail - comments with empty lines in the middle
#    $ echo "uno commento\n\ndos commentos" | passage replace-comment 00/secret1
# -  E: empty lines are not allowed in the middle of the comments
# -  [1]
#    $ passage cat 00/secret1
#    (00/secret1) secret: single line
#    
# -  new comments
# -  line 2 of said new comments
# +  uno commento\n\ndos commentos
# File "tests/edit_command.t", line 1, characters 0-0:
# /usr/bin/git --no-pager diff --no-index --color=always -u _build/default/tests/edit_command.t _build/default/tests/edit_command.t.corrected
# diff --git a/_build/default/tests/edit_command.t b/_build/default/tests/edit_command.t.corrected
# index bafc72e..244dd4e 100644
# --- a/_build/default/tests/edit_command.t
# +++ b/_build/default/tests/edit_command.t.corrected
# @@ -71,18 +71,142 @@ newly encrypted text should not have leftover content from previous encrypted te
#    502
#    $ check_age_file_format $PASSAGE_DIR/secrets/00/long_to_short_secret.age
#    OK: age file starts with expected -----BEGIN AGE ENCRYPTED FILE-----
# -  OK: age file only has 1 occurrence of -----BEGIN AGE ENCRYPTED FILE-----
# +  grep: unrecognized option: fixed-strings
# +  BusyBox v1.37.0 (2025-11-21 22:40:56 UTC) multi-call binary.
# +  
# +  Usage: grep [-HhnlLoqvsrRiwFE] [-m N] [-A|B|C N] { PATTERN | -e PATTERN... | -f FILE... } [FILE]...
[...]

On Fedora there are escaping differences causing test failures:
https://opam.ci.ocaml.org/github/ocaml/opam-repository/commit/f4f8c2c217d0c6d17fd84e2dc018a63411abb1e2/variant/distributions,fedora-41-ocaml-4.14,passage.0.2.0,tests

#=== ERROR while compiling passage.0.2.0 ======================================#
# context              2.4.1 | linux/x86_64 | ocaml-base-compiler.4.14.2 | pinned(https://github.com/ahrefs/passage/releases/download/0.2.0/passage-0.2.0.tbz)
# path                 ~/.opam/4.14/.opam-switch/build/passage.0.2.0
# command              ~/.opam/opam-init/hooks/sandbox.sh build dune build -p passage -j 255 @install @runtest
# exit-code            1
# env-file             ~/.opam/log/passage-7-85bf9d.env
# output-file          ~/.opam/log/passage-7-85bf9d.out
### output ###
# File "tests/replace_comment_command.t", line 1, characters 0-0:
# /usr/bin/git --no-pager diff --no-index --color=always -u _build/default/tests/replace_comment_command.t _build/default/tests/replace_comment_command.t.corrected
# diff --git a/_build/default/tests/replace_comment_command.t b/_build/default/tests/replace_comment_command.t.corrected
# index c30dc85..07087bd 100644
# --- a/_build/default/tests/replace_comment_command.t
# +++ b/_build/default/tests/replace_comment_command.t.corrected
# @@ -29,34 +29,28 @@ Should succeed - replacing single-line comments with multiline comments
#    $ passage cat 00/secret1
#    (00/secret1) secret: single line
#    
# -  replaced again comments
# -  line 2
# +  replaced again comments\nline 2
#  
#  Should succeed - replacing multiline comments with multiline comments
#    $ echo "new comments\nline 2 of said new comments" | passage replace-comment 00/secret1
#    $ passage cat 00/secret1
#    (00/secret1) secret: single line
#    
# -  new comments
# -  line 2 of said new comments
# +  new comments\nline 2 of said new comments
#  
#  Should succeed - replacing multiline comments with multiline comments - in multiline secret
#    $ setup_multiline_secret_with_comments 00/secret2
#    $ echo "new comments\nline 2 of said new comments" | passage replace-comment 00/secret2
#    $ passage cat 00/secret2
#    
# -  new comments
# -  line 2 of said new comments
# +  new comments\nline 2 of said new comments

[...]

[jmid]

FTR, #28976 addresses the Centos errors.

[thatportugueseguy]

There are runtest failures caused by small differences.
What do you make of these?

We've had these issues since the beginning, different distributions handle escaping and whitespace differently, so we get these errors on tests that are very hard to handle with cram tests. Regarding the alpine fail, i'll fix it for the next release (there's another one to be made soon). I'll also update our x-ci-accept-failures values to match the other fails

And the truth is: currently we only care about debian (and passage is mostly used internally).

FTR, #28976 addresses the Centos errors.

That's awesome, thanks for the fixes.

[jmid]

I just did a close-open dance to retrigger a CI run now that #28976 has been merged.

[jmid]

Here's a small suggestion to silence some of the red flags.

I've also created #28989 as an aid for Centos 10 and OpenSUSE Tumbleweed users where installing the prerequisite conf-libpcre is going to fail.

Looking at the CI log, on macOS homebrew I see relevant test suite failures, for example:
https://opam.ci.ocaml.org/github/ocaml/opam-repository/commit/f4f8c2c217d0c6d17fd84e2dc018a63411abb1e2/variant/macos,macos-homebrew-ocaml-4.14-amd64,passage.0.2.0,tests

# File "tests/everyone_group.t", line 1, characters 0-0:
# /usr/bin/git --no-pager diff --no-index --color=always -u _build/default/tests/everyone_group.t _build/default/tests/everyone_group.t.corrected
# diff --git a/_build/default/tests/everyone_group.t b/_build/default/tests/everyone_group.t.corrected
# index 2016edf..d873951 100644
# --- a/_build/default/tests/everyone_group.t
# +++ b/_build/default/tests/everyone_group.t.corrected
# @@ -41,14 +41,75 @@ EDIT - should allow everyone to edit an existing secret
#    (04/secret1) secret: single line
#  
#    $ PASSAGE_IDENTITY=bobby.bob.key EDITOR=$OVERWRITE_WITH_BYE passage edit 04/secret1
# +  Your system does not have /dev/shm, which means that it may
# +  be difficult to entirely erase the temporary non-encrypted
# +  password file after editing.
# +  
# +  Are you sure you would like to continue? [y/N] passage: internal error, uncaught exception:
# +           End_of_file
# +           Raised at Stdlib.input_line.scan in file "stdlib.ml", line 456, characters 14-31
# +           Called from Passage__Prompt.yesno in file "lib/prompt.ml", line 12, characters 12-24
# +           Called from Passage__Util.Editor.shm_check in file "lib/util.ml", line 28, characters 9-226
# +           Called from CamlinternalLazy.force_lazy_block in file "camlinternalLazy.ml", line 31, characters 17-27
# +           Re-raised at CamlinternalLazy.force_lazy_block in file "camlinternalLazy.ml", line 36, characters 4-11
# +           Called from Passage__Util.Editor.with_secure_tmpfile in file "lib/util.ml", line 40, characters 12-32
# +           Called from Dune__exe__Main.Edit.edit_secret in file "bin/main.ml", line 53, characters 27-61
# +           Called from Cmdliner_term.app.(fun) in file "cmdliner_term.ml", line 24, characters 19-24
# +           Called from Cmdliner_eval.run_parser in file "cmdliner_eval.ml", line 35, characters 37-44
# +  [125]
#    $ PASSAGE_IDENTITY=dobby.dob.key EDITOR=$OVERWRITE_WITH_BYE passage edit 04/secret1
# -  I: secret unchanged
# +  Your system does not have /dev/shm, which means that it may
# +  be difficult to entirely erase the temporary non-encrypted
# +  password file after editing.
# +  
# +  Are you sure you would like to continue? [y/N] passage: internal error, uncaught exception:
# +           End_of_file
# +           Raised at Stdlib.input_line.scan in file "stdlib.ml", line 456, characters 14-31
# +           Called from Passage__Prompt.yesno in file "lib/prompt.ml", line 12, characters 12-24
# +           Called from Passage__Util.Editor.shm_check in file "lib/util.ml", line 28, characters 9-226
# +           Called from CamlinternalLazy.force_lazy_block in file "camlinternalLazy.ml", line 31, characters 17-27
# +           Re-raised at CamlinternalLazy.force_lazy_block in file "camlinternalLazy.ml", line 36, characters 4-11
# +           Called from Passage__Util.Editor.with_secure_tmpfile in file "lib/util.ml", line 40, characters 12-32
# +           Called from Dune__exe__Main.Edit.edit_secret in file "bin/main.ml", line 53, characters 27-61
# +           Called from Cmdliner_term.app.(fun) in file "cmdliner_term.ml", line 24, characters 19-24
# +           Called from Cmdliner_eval.run_parser in file "cmdliner_eval.ml", line 35, characters 37-44
# +  [125]

What do you make of this? 🤔
Something to address or should we quickfix by disabling runtest on macOS?

Finally, would you consider adding an x-maintenance-intent entry?
https://github.com/ocaml/opam-repository/blob/master/governance/policies/archiving.md

[jmid]

Suggested change

	x-commit-hash: "92bc02a41e427353a821125143e0f44d425ed07f"
	x-commit-hash: "92bc02a41e427353a821125143e0f44d425ed07f"
	x-ci-accept-failures: [ # the test suite exhibits small escaping differences on the below platforms
	"centos-9"
	"alpine-3.22"
	"fedora-41"
	"fedora-42"
	"fedora-43"
	]

Here's a concrete suggestion to silence the red CI flags caused by escaping differences.