[pass] [PATCH] Team pass: enable multiple keys and per directory

Brian Shore brian at networkredux.com
Wed Mar 19 18:38:59 CET 2014

On Wed, Mar 19, 2014 at 10:06 AM, Jan-Frode Myklebust
<janfrode at tanso.net> wrote:
> I agree it's a pain to distribute, and change keys, but am uncertain whether I'd want to blindly trust a keyring distributed together with the password store. Actually, even trusting the list of keyids instead of a group name defined outside of the git repo is opening up an easy attack by changing the list of ids git server-side to steal new passwords.
> The .gpg_id (or keyring) should probably be signed by someone we trust outside of the password-store before use.

Why not sign the .gpg_id files after creation as part of the init
process?  Does it need to be signed by someone who doesn't use the
password store?

Brian Shore
Senior Systems Engineer, Security Architect
Network Redux, LLC
5200 SW Macadam Ave Ste 450
Portland, Oregon 97239
Desk:  503-274-9905 x503
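The guard the thread is circling around, as added example code (not pass's own implementation): a detached signature over `.gpg-id`, made by a key pinned by fingerprint outside the store, is checked before the recipient list is used, so a list edited server-side without that key is refused. The `.gpg-id.sig` filename, the `SIGNER_FPR` argument and the function names are assumptions for this example.

```shell
#!/bin/sh
# Example code, not part of pass. Assumes GnuPG is installed and that the
# signing key lives in the caller's keyring, not in the password store.

# sign_gpg_id STORE_DIR SIGNER_FPR
#   Writes STORE_DIR/.gpg-id.sig, a detached signature over .gpg-id made
#   by the key SIGNER_FPR (done once at init and again on every key change).
sign_gpg_id() {
    gpg --batch --yes --local-user "$2" --output "$1/.gpg-id.sig" \
        --detach-sign "$1/.gpg-id"
}

# verify_gpg_id STORE_DIR SIGNER_FPR
#   Returns 0 only if .gpg-id.sig is a good signature over .gpg-id whose
#   primary key fingerprint equals SIGNER_FPR. A missing signature, a
#   modified .gpg-id, or a signature by any other key returns non-zero.
verify_gpg_id() {
    store=$1; want=$2
    [ -f "$store/.gpg-id" ] || return 1
    [ -f "$store/.gpg-id.sig" ] || return 1
    # --status-fd 1 emits machine-readable lines; VALIDSIG is printed only
    # for a good signature and its last field is the primary key fingerprint,
    # so a signature from a random key in the keyring is not enough.
    got=$(gpg --batch --status-fd 1 --verify \
              "$store/.gpg-id.sig" "$store/.gpg-id" 2>/dev/null \
          | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# trusted_recipients STORE_DIR SIGNER_FPR
#   Prints the recipient ids from .gpg-id only after the check passes;
#   anything that encrypts new entries should read the list through this.
trusted_recipients() {
    if ! verify_gpg_id "$1" "$2"; then
        echo "refusing unsigned or modified .gpg-id in $1" >&2
        return 1
    fi
    cat "$1/.gpg-id"
}
```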
