[pass] Signing individual pass files

James Wald james.wald at gmail.com
Mon Jul 21 08:49:38 CEST 2014


After evaluating a dozen options I've decided to go with pass. I love the
integration with git and the fact that I can rebase and merge across all of
my machines. I have a question regarding gpg, passphrases, and signing.
Please correct me if anything I describe is blatantly wrong; I'm still
learning how to use pass and gpg effectively.

I've created unique subkey pairs (encryption & signing) for each machine
that I use. When I read passwords from pass, I am required to enter my
subkey's passphrase. When inserting passwords, I found it somewhat
surprising that I wasn't asked for my passphrase. It appears that additions
to pass are not signed by default? I understand that anyone can encrypt
data using my public key, so the passphrase wouldn't be required for
unsigned files.

I found the 'pass git config --bool --add pass.signcommits true' option
which works because I'm currently using a single git repository so this
option is good enough for now. In the future I would like the flexibility
to share pass files from untrusted sources such as third-party git repos,
emails, and other file sharing services without adding manual, error-prone
sign and verify steps.

I think it would be more flexible and secure (not everyone will rely on
signed git commits) if the individual gpg files were signed. pass would
also need a new command to import gpg files with signature verification.

Am I totally off the rails here? Apologies if this has already been
discussed on the mailing list.

Mahalo,
James
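The workflow James proposes (sign each .gpg entry individually, and have the import step refuse anything without a good signature) can be prototyped today with gpg detached signatures. The script below is an added example for this thread, not code from pass or from the original post; the function names sign_entry and import_verified, the GPG_CMD override, and the return-code convention are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of pass or the original post): the "sign individual
# gpg files, verify before import" step described in the thread, built on
# plain gpg detached signatures. pass itself has no such command; the names
# and the return codes below are assumptions for the illustration.
#
# GPG_CMD lets a caller substitute the verifier (handy for dry runs and for
# the self-test); by default it is the real gpg binary.
GPG_CMD="${GPG_CMD:-gpg}"

# sign_entry FILE [KEYID]
# Writes a detached signature FILE.sig over the encrypted entry, using the
# given signing (sub)key when one is supplied and gpg's default key otherwise.
sign_entry() {
    entry="$1"
    keyid="$2"
    if [ -n "$keyid" ]; then
        $GPG_CMD --batch --yes --local-user "$keyid" \
            --detach-sign --output "$entry.sig" "$entry"
    else
        $GPG_CMD --batch --yes --detach-sign --output "$entry.sig" "$entry"
    fi
}

# import_verified FILE STORE_DIR
# Copies FILE into STORE_DIR only if FILE.sig is a good signature over it.
# Returns 0 on import, 1 on a bad signature, 2 when no signature is present;
# nothing is written to the store in the failure cases.
import_verified() {
    entry="$1"
    store="$2"
    sig="$entry.sig"
    if [ ! -f "$sig" ]; then
        echo "refusing to import $entry: no detached signature $sig" >&2
        return 2
    fi
    if ! $GPG_CMD --batch --verify "$sig" "$entry" >/dev/null 2>&1; then
        echo "refusing to import $entry: signature verification failed" >&2
        return 1
    fi
    mkdir -p "$store" || return 1
    cp "$entry" "$store/$(basename "$entry")" || return 1
    echo "imported $entry into $store"
    return 0
}
```

Usage: on the sending side, `sign_entry ~/.password-store/example.gpg <signing-subkey-id>` produces example.gpg.sig next to the entry; on the receiving side, `import_verified example.gpg ~/.password-store` copies the entry only after gpg accepts the signature, so a file that arrived by mail or from a third-party repo is never dropped into the store unchecked. Note that `gpg --verify` only reports whether the signature is valid for some key in the local keyring; whether that key is one you actually trust is a separate decision the keyring's trust settings have to encode. For the pass.signcommits setup already in use, `git log --show-signature` gives the equivalent check at commit granularity.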