[pass] [PATCH] Team pass: enable multiple keys and per directory

Jason A. Donenfeld Jason at zx2c4.com
Wed Mar 19 19:29:30 CET 2014


On Wed, Mar 19, 2014 at 11:38 AM, Brian Shore <brian at networkredux.com> wrote:

> On Wed, Mar 19, 2014 at 10:06 AM, Jan-Frode Myklebust
> <janfrode at tanso.net> wrote:
> > I agree it's a pain to distribute, and change keys, but am uncertain
> > about if I'd want to blindly trust a keyring distributed together with the
> > password store. Actually, even trusting the list of key ids instead of a
> > group name defined outside of the git repo is opening up an easy attack by
> > changing the list of ids git server-side to steal new passwords.
> >
> > The .gpg_id (or keyring) should probably be signed by someone we trust
> > outside of the password-store before use.
>
> Why not sign the .gpg_id files after creation as part of the init
> process? Does it need to be signed by someone who doesn't use the
> password store?


I think issues of password store file integrity and authenticity will be
handled by whatever decision comes out of this thread:
http://lists.zx2c4.com/pipermail/password-store/2014-March/000498.html

Right now we're leaning toward signed git commits.
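The check Jan-Frode and Brian are discussing, refusing to trust the key-id list until a signature on it verifies against signers trusted outside the repository, as an added shell example that is not part of pass or of this thread. It assumes a detached signature stored beside the list as `.gpg-id.sig` and a separate keyring of trusted signers kept outside the password store; both file names and the `verify_gpg_id` helper are assumptions, not pass's own code.

```shell
#!/bin/sh
# Added example, not part of pass or this thread: gate use of the .gpg-id key
# list on a detached signature that verifies against an out-of-repo keyring.
# Assumed layout: $STORE/.gpg-id, its detached signature $STORE/.gpg-id.sig,
# and a keyring of trusted signers at $TRUSTED_KEYRING (all assumptions).

# verify_gpg_id STORE_DIR TRUSTED_KEYRING
# Prints the key ids and returns 0 only when the signature verifies;
# returns 1 otherwise so callers never encrypt to an unverified list.
verify_gpg_id() {
    store="$1"
    keyring="$2"
    idfile="$store/.gpg-id"
    sigfile="$store/.gpg-id.sig"

    # A missing list, signature or keyring means the store cannot be trusted yet.
    [ -f "$idfile" ]  || { echo "no .gpg-id in $store" >&2; return 1; }
    [ -f "$sigfile" ] || { echo "unsigned .gpg-id in $store" >&2; return 1; }
    [ -f "$keyring" ] || { echo "trusted keyring $keyring not found" >&2; return 1; }

    # Verify only against the keyring of signers trusted outside the repo, so a
    # server-side edit of .gpg-id cannot be certified by a key that was slipped
    # into the same repository alongside the edited list.
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --verify "$sigfile" "$idfile" 2>/dev/null; then
        echo "signature on .gpg-id does not verify against trusted signers" >&2
        return 1
    fi

    # Only now expose the key ids to whatever is about to encrypt with them.
    cat "$idfile"
}

# Usage: verify_gpg_id "$HOME/.password-store" "$HOME/.pass-trusted-signers.gpg"
```

Producing the signature at init time is a single `gpg --detach-sign --output .gpg-id.sig .gpg-id` by a trusted signer, with the `.sig` committed next to the list. Because verification consults only the keyring held outside the repository, a list that is rewritten and re-signed on the server with any other key still fails the check, which is the attack Jan-Frode describes.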