[pass] reencryption: only happens when required now

Jason A. Donenfeld Jason at zx2c4.com
Fri Apr 18 01:29:14 CEST 2014

Hey folks,

We've gained some optimizations for  "pass init -e", "pass mv -e", and
"pass cp -e". We now only reencrypt passwords for files that are encrypted
with a different set of gpg ids than those specified in .gpg-id or

Here's the commit:

The relevant part is:

set_gpg_recipients "$passfile_dir"
[[ $prev_gpg_recipients != "${GPG_RECIPIENTS[@]}" ]] && \
gpg_keys="$(gpg --list-keys --keyid-format long "${GPG_RECIPIENTS[@]}" |
sed -n 's/sub *.*\/\([A-F0-9]\{16\}\) .*/\1/p' | sort | uniq)"
current_keys="$($GPG -v --list-only --keyid-format long "$passfile" 2>&1 |
cut -d ' ' -f 5 | sort | uniq)"
if [[ $gpg_keys != "$current_keys" ]]; then
echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
$GPG -d $GPG_OPTS "$passfile" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o
"$passfile.new.$fake_uniqueness_safety" $GPG_OPTS &&
mv "$passfile.new.$fake_uniqueness_safety" "$passfile"

That's prettttttyyy ugly, and perhaps prone to breaking, so if you feel
motivated to test out this new code in a variety of settings, please do so.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20140418/949ff092/attachment-0001.html>

More information about the Password-Store mailing list