[pass] Signing individual pass files

Jan Rusnacko jrusnack at redhat.com
Fri Jul 25 11:37:59 CEST 2014

On 24.07.2014 19:28, Jason A. Donenfeld wrote:
> Actually, we don't use --sign for gpg, for signing. Instead we use git's signing feature, which invokes gpg --sign internally to sign /commits/. This way, the entire directory tree is signed, not just the contents of files. This prevents tampering with the overall structure of the repo.
This is nice too, yet I have two comments on this:
* this seems to be enabled globally in git config, so what about users who do not wish to sign their work (e.g. don`t have personal GPG key), but do what password files signed ?
* if it exists, is the git signature checked (automatically) before the password is retrieved ? I believe not.

Jan Rusnacko, Red Hat Product Security

More information about the Password-Store mailing list