[pass] [PATCH] Team pass: enable multiple keys and per directory

Brian Shore brian at networkredux.com
Wed Mar 19 18:38:59 CET 2014


On Wed, Mar 19, 2014 at 10:06 AM, Jan-Frode Myklebust
<janfrode at tanso.net> wrote:
> I agree it's a pain to distribute, and change keys, but am uncertain about if I'd want to blindly trust a keyring distributed together with the password store. Actually, even trusting the list of keyid's instead of a group name defined outside of the git repo is opening up an easy attack by changing the list of id's git-serverside to steal new passwords.
>
> The .gpg_id (or keyring) should probably be signed by someone we trust outside of the password-store before use.

Why not sign the .gpg_id files after creation as part of the init
process?  Does it need to be signed by someone who doesn't use the
password store?


-- 
Brian Shore
Senior Systems Engineer, Security Architect
Network Redux, LLC
5200 SW Macadam Ave Ste 450
Portland, Oregon 97239
Desk:  503-274-9905 x503


More information about the Password-Store mailing list