[pass] Signing individual pass files

Grégoire Détrez gregoire at fripost.org
Tue Jul 22 11:12:22 CEST 2014


On Mon, Jul 21, 2014 at 12:28:47AM -1000, James Wald wrote:
> >
> > Uh, isn't 'signed with a public key' completely useless? I mean, it
> > makes sense to encrypt it with the public key, because this is what
> > it's for -- but for signing, you should need a private key. Else
> > everybody could sign in your name. So, have you just confused signing
> > with encryption? Or is this really happening. - René
> 
> 
> pass uses 'gpg -e' to encrypt files. This means that it does not sign each
> file. It would have to add the '--sign' option, such as 'gpg -e --sign',
> which is the potential change that I'm suggesting. This has a few
> implications such as the need to validate signatures against trustdb.gpg. I
> feel that gpg's signing is the right solution for this problem rather than
> signed git commits which pass currently relies on.
> 
> You're correct that anyone can create pass files using your public key. The
> use case I'm trying to apply is multi-user environments where sharing
> signed git commits is far less practical than emailing a gpg file that's
> been signed by a trusted peer.

I guess your peer could sign her email using gpg.

/ǵ
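
The thread above contrasts encrypt-only files ('gpg -e') with files that are also signed ('gpg -e --sign') and notes that signatures would have to be validated against trustdb.gpg. The following is an added example, not part of the original message and not code from pass: a shell function that classifies a decrypted entry from gpg's `--status-fd` lines. The function name, the fingerprints and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not pass code): classify a decrypted entry from the lines gpg
# writes with --status-fd, which a real caller could capture with e.g.
#   gpg --batch --status-fd 3 --decrypt entry.gpg 3>status.txt >plain.txt

# check_signed_entry STATUS_TEXT EXPECTED_FPR   (hypothetical helper name)
# Prints: signed-trusted | signed-untrusted | wrong-signer | bad-signature |
#         unsigned | not-decrypted
check_signed_entry() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]"        { next }
        $2 == "DECRYPTION_OKAY" { dec = 1 }
        $2 == "GOODSIG"         { good = 1 }
        # Bad, unverifiable, expired or revoked signatures never count as signed.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 12 is the primary key fingerprint; fall back to the signing key.
        $2 == "VALIDSIG"        { signer = ($12 != "" ? $12 : $3) }
        # Trust level is computed by gpg from the local trustdb.gpg.
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (!dec)                        print "not-decrypted"
            else if (bad)                    print "bad-signature"
            else if (!good || signer == "")  print "unsigned"
            else if (signer != want)         print "wrong-signer"
            else if (!trusted)               print "signed-untrusted"
            else                             print "signed-trusted"
        }'
}

# Constructed fingerprints and status output (not captured from a real keyring).
PEER_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
OTHER_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# What decrypting a 'gpg -e --sign' file from a trusted peer would report.
SIGNED_STATUS="[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Peer <peer@example.org>
[GNUPG:] VALIDSIG $PEER_FPR 2014-07-22 1406020342 0 4 0 1 8 00 $PEER_FPR
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"

# What decrypting a plain 'gpg -e' file reports: it decrypts, with no signer.
ENCRYPT_ONLY_STATUS="[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"

echo "signed entry:       $(check_signed_entry "$SIGNED_STATUS" "$PEER_FPR")"
echo "encrypt-only entry: $(check_signed_entry "$ENCRYPT_ONLY_STATUS" "$PEER_FPR")"
```

An encrypt-only file decrypts successfully but yields `unsigned`, so a reader who wants origin assurance has to treat anything other than `signed-trusted` as unauthenticated.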