[pass] GPG Compression and Authenticity

Jason A. Donenfeld Jason at zx2c4.com
Thu Mar 20 07:07:48 CET 2014


On Wed, Mar 19, 2014 at 8:06 AM, Alfredo Pironti
<alfredo.pironti at inria.fr> wrote:
> Using git-level signature ensures integrity of the data on the remote
> repository, but not of the local data.

Actually it's possible to ensure before touching the git repository
that the filesystem is in sync with git, and that the git signatures
are valid. (There is probably race condition potential here, but I
imagine the point at which an attacker can swap files to win races,
the security model of a password manager is already compromised,
so...)
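
Added example, not part of the original message and not code from pass: one way to run the check described above before using the store. It assumes the store is a git work tree whose HEAD commit is GPG-signed; the function names `store_in_sync` and `store_preflight` are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for a git-backed password store (added illustration).
# Assumption: commits in the store are GPG-signed and the signer's public
# key is already in the local keyring.

# store_in_sync DIR
# Succeeds only when git reports no difference between the work tree,
# the index and HEAD: no modified, staged, deleted, untracked or
# ignored files.
store_in_sync() {
    dir=$1
    # Without a HEAD commit there is nothing to compare against.
    git -C "$dir" rev-parse --verify --quiet HEAD >/dev/null || return 1
    # --porcelain prints one line per differing path; --ignored also lists
    # files hidden by .gitignore, which no commit signature covers.
    changes=$(git -C "$dir" status --porcelain \
        --untracked-files=all --ignored) || return 1
    [ -z "$changes" ]
}

# store_preflight DIR
# Succeeds only when the work tree is in sync AND HEAD carries a
# signature that git verify-commit accepts.
store_preflight() {
    dir=$1
    if ! store_in_sync "$dir"; then
        echo "refusing: work tree differs from HEAD in $dir" >&2
        return 1
    fi
    if ! git -C "$dir" verify-commit HEAD >/dev/null 2>&1; then
        echo "refusing: HEAD is unsigned or its signature is invalid" >&2
        return 1
    fi
    return 0
}

# Run the check when a store directory is given on the command line.
if [ "$#" -gt 0 ]; then
    store_preflight "$1"
fi
```

The two steps are separate commands, so the race window mentioned in the message still exists between the check and any later read of the files.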

