[pass] Shared Pass store for multiple users/pubkeys

Ville Mattila vmattila at csc.fi
Wed Apr 22 06:03:41 CEST 2015


Hi Jason, list,

Pass is a very nice tool, thanks for supporting and sharing it.

Using Pass for handling passwords of e.g. Linux servers' root account
shared by multiple sysadmins using personal GnuPG keys is a bit
difficult currently, as all the sysadmins must have everyone else's
GnuPG pubkeys imported and trust levels set in their personal keyring to
be able to insert/edit/re-encrypt a password in the Pass store.

In my case there's a centrally managed GnuPG keyring file of all
sysadmins' pubkeys available, securely distributed to all systems. The
problem is there's currently no way to tell Pass to add
'--no-default-keyring --keyring /path/to/sysadmin-keyring.gpg' to gpg
command line options. GnuPG trust model would need to be overridden in
this case, too, with '--trust-model=always'.

There's a patch attached introducing two new environment variables,
PASSWORD_STORE_GPG_KEYRING and PASSWORD_STORE_GPG_TRUST_MODEL, which
make it possible to use a custom keyring instead of the default
~/.gnupg/pubring.gpg and to specify the trust model (and to skip
automatic trustdb checks).

If you think the patch is not suitable as such, please consider the
idea. I'm willing to test/develop alternative implementations, too.

Actually it would be very nice to have some generic way to pass in
command line options to gpg instead of the suggested patch, but I wasn't
able to come up with any nice and clean generic solution as there's
AFAIK no simple way to pass in Bash array variables (which Pass is using
internally, for a very good reason obviously) to a process as (POSIX)
environment variables.

Thanks,
Ville

-- 
Ville Mattila, CSC
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pass-gpg-special-opts.patch
Type: text/x-patch
Size: 2092 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20150422/2667d7cf/attachment.bin>
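As an added illustration (not the attached patch and not pass's own code), here is how a bash wrapper could fold the two proposed variables, PASSWORD_STORE_GPG_KEYRING and PASSWORD_STORE_GPG_TRUST_MODEL, plus an assumed generic PASSWORD_STORE_GPG_OPTS option string, into the bash array that gets handed to gpg; the function names and the PASSWORD_STORE_GPG_OPTS variable are assumptions, and the whitespace splitting is exactly the environment-variable-vs-array limitation discussed above.

```bash
#!/usr/bin/env bash
# Added illustration, not pass's code or the attached patch: turn the proposed
# environment variables (plus an assumed generic PASSWORD_STORE_GPG_OPTS string)
# into a bash array, which is what a script needs to hand options to gpg.

# Fills the global array GPG_OPTS; returns 1 if the keyring file is unusable.
build_gpg_opts() {
    GPG_OPTS=()

    # Generic escape hatch: a whitespace-separated option string. read -a
    # splits on IFS, so an option containing a space cannot be passed this
    # way; that is the environment-variable-vs-array limitation in the mail.
    if [[ -n "${PASSWORD_STORE_GPG_OPTS:-}" ]]; then
        local -a extra=()
        read -r -a extra <<< "$PASSWORD_STORE_GPG_OPTS"
        GPG_OPTS+=("${extra[@]}")
    fi

    # Dedicated, centrally distributed keyring instead of ~/.gnupg/pubring.gpg.
    # Refuse to continue if it is not a readable regular file, so a typo in
    # the path is caught here rather than producing a confusing gpg error.
    if [[ -n "${PASSWORD_STORE_GPG_KEYRING:-}" ]]; then
        [[ -f "$PASSWORD_STORE_GPG_KEYRING" && -r "$PASSWORD_STORE_GPG_KEYRING" ]] || return 1
        GPG_OPTS+=(--no-default-keyring --keyring "$PASSWORD_STORE_GPG_KEYRING")
    fi

    # Trust model override, e.g. "always". Note that "always" makes gpg accept
    # every key in the keyring, so the keyring file itself must be distributed
    # and stored in an integrity-protected way.
    if [[ -n "${PASSWORD_STORE_GPG_TRUST_MODEL:-}" ]]; then
        GPG_OPTS+=("--trust-model=$PASSWORD_STORE_GPG_TRUST_MODEL")
    fi

    # Non-interactive defaults a script invoking gpg normally wants.
    GPG_OPTS+=(--quiet --yes --batch)
    return 0
}

# Print the argv that would be given to gpg, one element per line.
show_gpg_opts() {
    build_gpg_opts || return 1
    printf '%s\n' "${GPG_OPTS[@]}"
}

# Usage (a real call would then be: gpg "${GPG_OPTS[@]}" -e -r KEYID ...):
# PASSWORD_STORE_GPG_KEYRING=/path/to/sysadmin-keyring.gpg \
# PASSWORD_STORE_GPG_TRUST_MODEL=always show_gpg_opts
```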