[pass] GPG Compression and Authenticity

Jason A. Donenfeld Jason at zx2c4.com
Wed Mar 19 06:19:52 CET 2014


Hi folks,

Alfredo Pironti, CC'd, has written me to point out two issues in pass.
The first is that he believes gpg compression might reveal information
relating to the entropy of the enclosed password. Commit 51f9b6888
fixes this.

The second is something I've known about and considered for a long
time, which is that an attacker can swap out a gpg'd password with a
different one, or rename and/or delete passwords, because we only
encrypt but do not sign incoming passwords or filesystem information.
Apparently this is a big enough deal that a LaTeXified paper is being
submitted to a conference about it. The response to this toward which I'm
leaning is that folks who desire tamper-proof password stores should
use the "gpg-sign" option of git-commit, along with hooks for
verification. Thoughts?

Jason
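
The first issue above, shown as an added example that is not part of the original message or of pass's code: when a password is compressed before encryption, the size of the result depends on how repetitive the password is. Assumptions: zlib's raw DEFLATE stands in for gpg's compression step, encryption adds only a fixed overhead, and all function names and sample passwords are constructed for illustration.

```python
import random
import string
import zlib

def packet_size(password: str, compress: bool) -> int:
    """Bytes handed to the cipher for one entry. Assumption: encryption adds
    only a fixed overhead, so this is what an observer of file sizes learns."""
    data = password.encode("utf-8")
    if not compress:
        return len(data)
    # Raw DEFLATE (wbits=-15) as a stand-in for gpg's compression step.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return len(deflater.compress(data) + deflater.flush())

def size_profile(passwords: dict, compress: bool) -> dict:
    """Map each observable size to the labels of the passwords producing it."""
    profile = {}
    for label, pw in passwords.items():
        profile.setdefault(packet_size(pw, compress), []).append(label)
    return profile

def looks_structured(observed_size: int, length: int) -> bool:
    """Size-only inference: output shorter than the input means the
    compressor found repetition, so the password is not uniformly random."""
    return observed_size < length

def constructed_samples(length: int = 32, seed: int = 2014) -> dict:
    """Constructed sample passwords, all exactly `length` characters."""
    rng = random.Random(seed)  # fixed seed: reproducible demo, not for real secrets
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return {
        "single-char": "a" * length,
        "repeated-word": ("password" * length)[:length],
        "passphrase": ("correcthorsebatterystaple" * 2)[:length],
        "random": "".join(rng.choice(alphabet) for _ in range(length)),
    }

if __name__ == "__main__":
    samples = constructed_samples()
    for compress in (False, True):
        print("compression on" if compress else "compression off")
        for size, labels in sorted(size_profile(samples, compress).items()):
            print(f"  {size:3d} bytes: {', '.join(labels)}")
```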

