[pass] Signing individual pass files

James Cameron quozl at laptop.org
Mon Jul 21 09:27:04 CEST 2014


On Sun, Jul 20, 2014 at 08:49:38PM -1000, James Wald wrote:
> After evaluating a dozen options I've decided to go with pass. I
> love the integration with git and the fact that I can rebase and
> merge across all of my machines. I have a question regarding gpg,
> passphrases, and signing. Please correct me if anything I describe
> is blatantly wrong, I'm still learning how to use pass and gpg
> effectively.
> 
> I've created unique subkey pairs (encryption & signing) for each
> machine that I use. When I read passwords from pass, I am required
> to enter my subkey's passphrase. When inserting passwords, I found
> it somewhat surprising that I wasn't asked for my passphrase. It
> appears that additions to pass are not signed by default? I
> understand that anyone can encrypt data using my public key, so the
> passphrase wouldn't be required for unsigned files.

No, the inserts are signed using your public key, for which no
passphrase is required.  You can verify this by using "gpg --decrypt <
file" on one of the files in the password store.

I might be wrong, but it looks like there's no check at insert time
that you have the capability to decrypt.  I'm fine with it this way.

> I found the 'pass git config --bool --add pass.signcommits true'
> option which works because I'm currently using a single git
> repository so this option is good enough for now. In the future I
> would like the flexibility to share pass files from untrusted
> sources such as 3rd party git repos, emails, and other file sharing
> services without adding manual, error prone sign and verify steps.
> 
> I think it would be more flexible and secure (not everyone will rely
> on signed git commits) if the individual gpg files were signed. pass
> would also need a new command to import gpg files with signature
> verification.
> 
> Am I totally off the rails here? Apologies if this has already been
> discussed on the mailing list.

-- 
James Cameron
http://quozl.linux.org.au/
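As an added example (not from the pass project and not part of the thread above), the "gpg --decrypt" check mentioned in the reply can be made mechanical: gpg reports on its --status-fd channel whether the data it just decrypted carried a signature, so a short shell script can sort a password store into signed, unsigned and undecryptable entries. It assumes gpg is on PATH, that the decryption key is available to gpg-agent, and that entries live at ~/.password-store/<name>.gpg as "pass insert" creates them; the function names and the signed_insert helper are this example's own, not pass commands.

```sh
#!/bin/sh
# Added example, not part of pass: classify entries in a password store by
# whether the encrypted file also carries a GnuPG signature. gpg reports this
# on its --status-fd channel while decrypting, so no extra tooling is needed.
#
# Assumptions (not from the original thread): gpg is on PATH, the key that
# can decrypt the entry is available to gpg-agent, and entry paths are
# ~/.password-store/<name>.gpg as created by "pass insert".

# Read gpg --status-fd lines on stdin and print exactly one of:
#   good        decrypted, and a signature verified against a key we hold
#   unverified  decrypted, a signature is present but could not be verified
#               (BADSIG, ERRSIG with NO_PUBKEY, expired or revoked signing key)
#   unsigned    decrypted cleanly, no signature inside at all
#   failed      decryption did not succeed (wrong key, corrupt file, ...)
# Note: GOODSIG means the signature is cryptographically valid; it says
# nothing about whether the key is trusted. The TRUST_* status lines do.
classify_gpg_status() {
    status=$(cat)
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY'; then
        echo failed
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo good
    elif printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (NEWSIG|BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)'; then
        echo unverified
    else
        echo unsigned
    fi
}

# Decrypt one store entry, discard the plaintext, and classify the status
# output. stdout carries only the status lines because of --status-fd 1
# together with --output /dev/null.
check_store_entry() {
    gpg --batch --quiet --status-fd 1 --output /dev/null --decrypt -- "$1" 2>/dev/null \
        | classify_gpg_status
}

# What the proposal in the quoted mail would amount to, done by hand today:
# sign and encrypt the plaintext from stdin into an entry file. pass itself
# only encrypts, which is why "pass insert" asks for no passphrase.
signed_insert() {
    # $1 = recipient key id, $2 = output path such as ~/.password-store/x.gpg
    gpg --sign --encrypt --recipient "$1" --output "$2" -
}

# Usage: ./check-signed.sh ~/.password-store/*.gpg
if [ "$#" -gt 0 ]; then
    for entry; do
        printf '%s: %s\n' "$entry" "$(check_store_entry "$entry")"
    done
fi
```

Entries written by "pass insert" come back as "unsigned"; an entry produced with signed_insert by a key in your keyring comes back as "good", and one signed by a key you do not hold comes back as "unverified", which is the case the quoted proposal (importing entries from third parties) would need an explicit decision on.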
