<div dir="ltr"><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex" class="gmail_quote">Uh, isn't 'signed with a public key' completely useless? I mean, it<br>
makes sense to encrypt it with the public key, because this is what it'<br>s for -- but for signing, you should need a private key. Else everybody<br>could sign in your name.
So, have you just confused signing with encryption? Or is this really<br>happening.
- René</blockquote><div><br></div><div>pass uses 'gpg -e' to encrypt files. This means that it does not sign each file. It would have to add the '--sign' option, such as 'gpg -e --sign', which is the potential change that I'm suggesting. This has a few implications such as the need to validate signatures against trustdb.gpg. I feel that gpg's signing is the right solution for this problem rather than signed git commits which pass currently relies on.</div>
<div><br></div><div>You're correct that anyone can create pass files using your public key. The use case I'm trying to apply is multi-user environments where sharing signed git commits is far less practical than emailing a gpg file that's been signed by a trusted peer.</div>
<div><br></div>-- <br><div dir="ltr">James</div>
</div>