When using gopass in macOS 26 Tahoe, secrets are visible in the Spotlight clipboard manager #11

@StephenRudolph

When using the new clipboard history feature in Tahoe, I can see passwords retrieved by gopass.

The macOS clipboard associates type values with each clipboard item and, while gopass does use this type for an empty entry, it does not use it for a subsequent one on line 80 that includes the real password:

```go
// The first argument can be anything, but an empty string will do fine.
"-e", `pb's setString:"" forType:"org.nspasteboard.ConcealedType"`,
// AppleScript cannot read from stdin, so pipe fd#3 to stdin of cat and read the output.
// This output is put in the clipboard, setting type = string type
"-e", `pb's setString:(do shell script "cat 0<&3") forType:type`,
```

As a quick proof of concept, cribbing from someone that knows more than me here, I verified that this shell script does not result in any visible entries in the clipboard manager, but does still add the password to the clipboard. I believe a similar approach should work for gopass:

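```swift
#!/usr/bin/env swift
import AppKit

let pboard = NSPasteboard.init(name: NSPasteboard.Name.general)
pboard.clearContents()
// Declare the string type together with both nspasteboard.org marker types
// in a single call, before any data is written.
pboard.declareTypes(
  [
    .string,
    NSPasteboard.PasteboardType.init("org.nspasteboard.ConcealedType"),
    NSPasteboard.PasteboardType.init("org.nspasteboard.TransientType")
  ],
  owner: nil
)
// Only the string type receives data; the marker types stay declared but empty.
pboard.setString("secret password", forType: .string)
```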
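To compare what a tool actually declares on the pasteboard, the following script (an added example, not part of the original issue and not gopass code) waits for the next clipboard write and lists each item's declared types and byte counts without printing the contents. The 30-second timeout, the settle delay and the exit codes are assumptions chosen for this example.

```swift
#!/usr/bin/env swift
import AppKit

// Marker types named in the issue (nspasteboard.org convention).
let concealed = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")
let transient = NSPasteboard.PasteboardType("org.nspasteboard.TransientType")

/// Describe one pasteboard item by its declared types and payload sizes only.
/// The payload itself is never printed.
func audit(_ item: NSPasteboardItem) -> String {
    let types = item.types
    let sizes = types.map { "\($0.rawValue)=\(item.data(forType: $0)?.count ?? 0)B" }
    let hasText = types.contains(.string)
    let c = types.contains(concealed) ? "present" : "absent"
    let t = types.contains(transient) ? "present" : "absent"
    return "text: \(hasText), concealed marker: \(c), transient marker: \(t)\n"
         + "    declared types: " + sizes.joined(separator: ", ")
}

let pboard = NSPasteboard.general
let baseline = pboard.changeCount
let timeout: TimeInterval = 30   // assumption: enough time to run the copy command by hand
let deadline = Date().addingTimeInterval(timeout)

print("Waiting for the next clipboard write (run the copy command now)...")
while pboard.changeCount == baseline && Date() < deadline {
    Thread.sleep(forTimeInterval: 0.2)
}
guard pboard.changeCount != baseline else {
    print("No clipboard change within \(Int(timeout)) seconds")
    exit(2)
}

// Assumed settle delay so a writer that makes several pasteboard calls can finish.
Thread.sleep(forTimeInterval: 0.3)
let items = pboard.pasteboardItems ?? []
for (index, item) in items.enumerated() {
    print("item \(index): \(audit(item))")
}

// Exit 1 if any item carries plain text without declaring the concealed marker.
let unmarked = items.contains {
    $0.types.contains(.string) && !$0.types.contains(concealed)
}
exit(unmarked ? 1 : 0)
```

Running it once against the gopass copy and once against the Swift proof of concept shows how the two writes differ in declared types and marker payload sizes.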
