<div dir="ltr">Then you need to decide whether you should trust the decrypted output or remove it from the password store. That should only happen if a user revokes their public key (or becomes untrusted for some other reason) after the password was originally imported.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 21, 2014 at 2:27 AM, Allan Odgaard <span dir="ltr">&lt;<a href="mailto:lists+pass@simplit.com" target="_blank">lists+pass@simplit.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 21 Jul 2014, at 12:28, James Wald wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
[…] It would have to add the '--sign' option […] need to validate signatures against trustdb.gpg. I<br>
feel that gpg's signing is the right solution for this problem […]<br>
</blockquote>
<br>
And the problem is that untrusted people can write to your password store?<br>
<br>
Using GPG signing would not be how I would solve such a problem, and I wouldn’t consider it an acceptable solution. Say you need the password for <a href="mailto:foo@example.com" target="_blank">foo@example.com</a> and ‘pass’ reports that this password is not signed by a trusted user, so now what?<br>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="http://lists.zx2c4.com/mailman/listinfo/password-store" target="_blank">http://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">James</div>
</div>