CertKeyProvider and KPScript - Do they like each other?

[FranzToepfer]

In my setup a KeePass database is used by humans and for build automation both. For build automation, KPScript is a great option to query for settings contained in a KDBX file. Several commands are there, e.g. search for a specific (uniquely named) entry and retrieve stored credentials. Output to be used for next build step, like deploying changes to a database.

Works fine as long using standard Master Password for your KDBX, as KeePass/KPScript both accept (encrpyted) password as command line parameter:

%KEEPASS_SCRIPT% %DATABASE% -c:"GetEntryString" -Field:"UserName" -ref-Title:"MyTitle" -pw-enc:%PASSWORD_ENC%

But how to proceed when changing the KDBX from master password to CertKeyProvider instead? Would like to use KPScript as well, executed with a service account, having its own SMIME certificate. But actually there seems to be no chance to pull-in the password the CertKeyProvider plugin prompts for.

Summary - please extend the CertKeyProdiver plugin to support command line parameters, like KeePass itself. Providing passwords via -pw or -pw-enc parameters would be appreciated.

[FranzToepfer]

Short update on this:

Meanwhile managed to export the private key to my environment. Having the private key in my local key store, KeePass will directly open the KeePass database protected by certificate without prompting for password:

D:\Utilities>KeePass-2.47\KeePass.exe "d:\Utilities\Database.kdbx" -keyfile:"Certificate-protected key"

Well, if this works with KeePass instantly, lets go for KPScript to see whether it potentially will open the database in the same way (having the private key in local store, expectation is that KPScript also will not prompt for password, just like initially requested).

First attempt failed:

D:\Utilities>KeePass-2.47\KPScript.exe -c:"ListEntries" "d:\Utilities\Database.kdbx" -keyfile:"Certificate-protected key"
E: Could not find file 'D:\Utilities\Certificate-protected key'.

Second attempt results in OK message, but providing no results:

D:\Utilities>KeePass-2.47\KPScript.exe -c:"ListEntries" "d:\Utilities\Database.kdbx"
OK: Operation completed successfully.

Looks like KPScript does not work correctly in combination with CertKeyProvider plugin. No chance to open a certificate protected KeePass database via KPScript, at least as per my verification.

Hope somebody will find the time to investigate this and maybe come back with some hint how to proceed...

Thanks in advance!