[pass] Signing individual pass files

James Wald james.wald at gmail.com
Mon Jul 21 15:33:33 CEST 2014


Then you need to decide whether you should trust the decrypted output or
remove it from the password store. That should only happen if a user
revokes their public key (or becomes untrusted for some other reason) after
the password was originally imported.


On Mon, Jul 21, 2014 at 2:27 AM, Allan Odgaard <lists+pass at simplit.com>
wrote:

> On 21 Jul 2014, at 12:28, James Wald wrote:
>
>> […] It would have to add the '--sign' option […] need to validate
>> signatures against trustdb.gpg. I feel that gpg's signing is the
>> right solution for this problem […]
>>
>
> And the problem is that untrusted people can write to your password store?
>
> Using GPG signing would not be how I would solve such a problem, and I
> wouldn’t consider it an acceptable solution. Say you need the password for
> foo at example.com and ‘pass’ reports that this password is not signed by a
> trusted user, so now what?



-- 
James
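
The trust decision discussed in this thread, sketched as an added example (not code from this message or from pass itself). It assumes gpg is run with --status-fd and its status lines are piped in; the function name classify_sig, the verdict names and the sample status lines are constructed for illustration.

```shell
# classify_sig: hypothetical helper, not part of pass.
# Reads GnuPG status lines ("[GNUPG:] KEYWORD args...") on stdin and prints
# one verdict: trusted | untrusted | revoked | bad | unsigned
classify_sig() {
    good=0; bad=0; revoked=0; expired=0; trusted=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] "*) rest=${line#"[GNUPG:] "} ;;
            *) continue ;;                      # ignore anything else
        esac
        case ${rest%% *} in
            GOODSIG)                    good=1 ;;
            BADSIG|ERRSIG)              bad=1 ;;
            REVKEYSIG)                  revoked=1 ;;   # signer's key was revoked
            EXPSIG|EXPKEYSIG)           expired=1 ;;
            TRUST_FULLY|TRUST_ULTIMATE) trusted=1 ;;   # validity from the trustdb
        esac
    done
    # Worst finding wins: a broken signature outranks a revoked key, and so on.
    if   [ "$bad" = 1 ];     then echo bad
    elif [ "$revoked" = 1 ]; then echo revoked
    elif [ "$expired" = 1 ]; then echo untrusted
    elif [ "$good" = 1 ] && [ "$trusted" = 1 ]; then echo trusted
    elif [ "$good" = 1 ];    then echo untrusted
    else echo unsigned
    fi
}

# Constructed status output (key IDs and user IDs are made up).
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.invalid>
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_UNKNOWN='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_REVOKED='[GNUPG:] REVKEYSIG FEDCBA9876543210 Former User <former@example.invalid>
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_UNSIGNED='[GNUPG:] DECRYPTION_OKAY'

for s in "$SAMPLE_TRUSTED" "$SAMPLE_UNKNOWN" "$SAMPLE_REVOKED" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$s" | classify_sig
done
```

The revoked case is the one raised above: the signature still checks out cryptographically, so whether to keep or remove the entry remains a policy decision for the caller.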

