[pass] Signed .gpg-id file

p0intless at mailbox.org p0intless at mailbox.org
Wed Aug 12 20:04:28 CEST 2015

I propose that the .gpg-id file should be signed, otherwise in a shared
environment somebody could simply add 
their key-id to the file and all the entries created after that would be
readable for that person, without the 
knowledge of the creator.

The key-id of the signer of any .gpg-id files must be in the .gpg-id file
of the parent directory. If the parent 
directory has not got a .gpg-id file its parent or eventually the .gpg-id
file of the root folder will be used.

The key-ids in the .gpg-id file of the root folder are the highest in the
trust chain, they are the admins of the 
repository. Every user of the repository signs the root .gpg-id file and
therefore trusts the admins.

When a users uses the repo for the first time (or the root .gpg-id file
changes) they will be prompted the list 
of admins (email and key-id ideally). The user can than chose to trust the
admins and sign .key-id file.

This ensures that all th .gpg-id files are cryptographically protected. I
think this is a lot better than simply 
write-protecting it on the file system level. This ensures securety when
the repository is shared on a fileserver 
and also on a compromised machine.

Aditionaly I think the .gpg-id file should contain the name, email and
key-id (full length) of the keys.

The .gpg-id file could also regulate who can create subdirectories and add
users to these.

I'd like to implement these changes, what do you think? Any Ideas or

More information about the Password-Store mailing list