[pass] Shared Pass store for multiple users/pubkeys

Ville Mattila vmattila at csc.fi
Tue May 12 12:27:45 CEST 2015


Hi,

On 11/05/15 14:32, Jason A. Donenfeld wrote:
> Why not just override the GNUPGHOME environment variable instead, and
> store a separate keyring and gnupg.conf file elsewhere than ~/.gnupg?
> Are there downsides of that approach?

One downside is that gpg/gpg2 by default checks the $GNUPGHOME ownership
and permissions, and if the directory is writable or owned by anyone but
the user running pass, gpg always prints this:
-----
gpg: WARNING: unsafe ownership on homedir `/etc/pass-gnupghome'
-----

I.e. if GNUPGHOME=/etc/pass-gnupghome is owned by root:root, the users will
always get a warning.

The gpg(1) man page explains why adding 'no-permission-warning' to
$GNUPGHOME/gpg.conf does not help: "the warning for unsafe --homedir
permissions cannot be suppressed in the gpg.conf file, as this would
allow an attacker to place an unsafe gpg.conf file in place"

AFAIK to avoid the homedir ownership/permission warnings the options are:
1. Create the custom $GNUPGHOME and a copy of the custom gpg.conf there
for each of the users separately.
2. Add --no-permission-warning command line option to gpg/gpg2 commands
in Pass (which of course should not be done by default).

Besides the ownership/permission warning the idea of using GNUPGHOME
with special gpg.conf does seem to work.  Here's what I did:
-----
$ export GNUPGHOME=/etc/pass-gnupghome
$ sudo mkdir $GNUPGHOME
$ sudo tee $GNUPGHOME/gpg.conf <<EOT_GPG_CONF
trust-model always
trustdb-name ~/.gnupg/trustdb.gpg
no-default-keyring
keyring /etc/pki/gpg/the-separate-keyring.gpg
secret-keyring ~/.gnupg/secring.gpg
no-random-seed-file
EOT_GPG_CONF
-----

Thanks,
Ville

-- 
Ville Mattila, CSC
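As an added example (not from Ville's post or from the pass project): a small POSIX shell helper that builds the per-user GNUPGHOME of option 1 from a shared gpg.conf and pre-checks the homedir for the ownership and permission conditions behind gpg's "unsafe ownership/permissions on homedir" warning, treating any group/other access bits as unsafe (the conservative reading). It assumes GNU coreutils `stat`; the paths are placeholders.

```shell
# Added example, not from the original post. Assumes GNU coreutils `stat`.

# Return 0 when DIR is owned by the calling user and has no group/other
# access bits at all (i.e. mode 700); anything else returns 1, so a pass
# wrapper can explain the problem instead of letting gpg warn on every call.
# The warning cannot be silenced from gpg.conf, so a pre-check is the place.
homedir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Interpret the octal mode; 077 (decimal 63) masks group+other bits.
    perms=$(( 0$mode ))
    [ $(( perms & 63 )) -eq 0 ] || return 1
}

# Option 1 from the post: give each user a private copy of the shared
# gpg.conf inside a homedir they own, so gpg has nothing to warn about.
# Usage (hypothetical paths):
#   make_user_gnupghome /etc/pass-gnupghome/gpg.conf "$HOME/.pass-gnupghome"
#   GNUPGHOME="$HOME/.pass-gnupghome" pass show some/entry
make_user_gnupghome() {
    shared_conf=$1
    target=$2
    [ -f "$shared_conf" ] || return 1
    mkdir -p "$target" || return 1
    chmod 700 "$target" || return 1
    cp "$shared_conf" "$target/gpg.conf" || return 1
    chmod 600 "$target/gpg.conf" || return 1
    # Fails if the target already existed but belongs to someone else.
    homedir_is_safe "$target"
}
```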
