[pass] Signing individual pass files

James Wald james.wald at gmail.com
Mon Jul 21 12:28:47 CEST 2014

> Uh, isn't 'signed with a public key' completely useless? I mean, it
> makes sense to encrypt it with the public key, because this is what it's
> for -- but for signing, you should need a private key. Else everybody
> could sign in your name. So, have you just confused signing with
> encryption? Or is this really happening. - René

pass uses 'gpg -e' to encrypt files. This means that it does not sign each
file. It would have to add the '--sign' option, such as 'gpg -e --sign',
which is the potential change that I'm suggesting. This has a few
implications such as the need to validate signatures against trustdb.gpg. I
feel that gpg's signing is the right solution for this problem rather than
signed git commits which pass currently relies on.

You're correct that anyone can create pass files using your public key. The
use case I'm trying to apply is multi-user environments where sharing
signed git commits is far less practical than emailing a gpg file that's
been signed by a trusted peer.
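
The signature validation mentioned above, as an added example that is not part of the original post or of pass itself: a shell check over GnuPG's `--status-fd` output that tells an unsigned entry ('gpg -e') apart from one signed by a key the trustdb accepts. The function names, the sample status lines and the policy of requiring full or ultimate trust are assumptions made for illustration.

```shell
# Added example: classify GnuPG --status-fd output for a decrypted pass entry.
# Returns 0 = valid signature from a fully/ultimately trusted key,
#         1 = no signature at all (what plain 'gpg -e' produces),
#         2 = signature present but bad, unverifiable or not trusted enough.
check_sig_status() {
    valid=0; trusted=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) valid=1 ;;
            "[GNUPG:] TRUST_FULLY"*) trusted=1 ;;
            "[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            "[GNUPG:] BADSIG "*) bad=1 ;;
            "[GNUPG:] ERRSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*) bad=1 ;;
            "[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then return 2; fi
    if [ "$valid" -eq 0 ]; then return 1; fi
    if [ "$trusted" -eq 0 ]; then return 2; fi
    return 0
}

# Hypothetical wrapper: status lines go to fd 3, the plaintext is discarded.
entry_has_trusted_sig() {
    gpg --batch --status-fd 3 --decrypt "$1" 3>&1 >/dev/null 2>&1 | check_sig_status
}

# Constructed status output (key ID, fingerprint and address are made up).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
UNSIGNED='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'
SIGNED_TRUSTED='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG 89ABCDEF01234567 Trusted Peer <peer@example.org>
[GNUPG:] VALIDSIG '"$FPR"' 2014-07-21 1405938527 0 4 0 1 8 00 '"$FPR"'
[GNUPG:] TRUST_FULLY
[GNUPG:] DECRYPTION_OKAY'
SIGNED_UNKNOWN='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG 89ABCDEF01234567 Unknown Sender <someone@example.org>
[GNUPG:] VALIDSIG '"$FPR"' 2014-07-21 1405938527 0 4 0 1 8 00 '"$FPR"'
[GNUPG:] TRUST_UNDEFINED
[GNUPG:] DECRYPTION_OKAY'
SIGNER_MISSING='[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1405938527 9
[GNUPG:] DECRYPTION_OKAY'
```

A file that decrypts cleanly but yields status 1 is exactly the case raised in the thread: anyone holding the public key could have produced it.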
