[pass] Signed .gpg-id file

Lenz Weber mail at lenzw.de
Sat Aug 22 00:31:33 CEST 2015


It's a bit too complicated, but a good idea.

I'd look at it from another point of view:

In most use cases, a password-store will not have dozens of folders with
different .gpg-ids.

Usually it's more like

|- .gpg-id
|- work/
| | - .gpg-id
| | - work-pw1
| | - work-pw2
| | - work-pw3
|- other-shared-folder/
| | - .gpg-id
| | - sharedpw1
|- private folder a
| | ...
|- private folder b
| | ...
| ...

So in the end, there might be three or four .gpg-id folders.
Even if there are more, most likely the user does not commit to all of
those folders, but some folders are just synced towards him.

Which means, he maybe commits to about one to three folders with
different .gpg-ids

Why not let the user just sign those himself?

The script just checks if the signature has ultimate trust (which in gpg
means: the key is your own) and is happy with it.

If a user writes to many folders with .gpg-ids, he most likely is an
admin. In that case, he would have to sign everything, but that's just
the same as with your proposal.


Am 12.08.2015 um 20:04 schrieb p0intless at mailbox.org:
> I propose that the .gpg-id file should be signed, otherwise in a shared
> environment somebody could simply add 
> their key-id to the file and all the entries created after that would be
> readable for that person, without the 
> knowledge of the creator.
> The key-id of the signer of any .gpg-id files must be in the .gpg-id file
> of the parent directory. If the parent 
> directory has not got a .gpg-id file its parent or eventually the .gpg-id
> file of the root folder will be used.
> The key-ids in the .gpg-id file of the root folder are the highest in the
> trust chain, they are the admins of the 
> repository. Every user of the repository signs the root .gpg-id file and
> therefore trusts the admins.
> When a users uses the repo for the first time (or the root .gpg-id file
> changes) they will be prompted the list 
> of admins (email and key-id ideally). The user can than chose to trust the
> admins and sign .key-id file.
> This ensures that all th .gpg-id files are cryptographically protected. I
> think this is a lot better than simply 
> write-protecting it on the file system level. This ensures securety when
> the repository is shared on a fileserver 
> and also on a compromised machine.
> Aditionaly I think the .gpg-id file should contain the name, email and
> key-id (full length) of the keys.
> The .gpg-id file could also regulate who can create subdirectories and add
> users to these.
> I'd like to implement these changes, what do you think? Any Ideas or
> improvements?
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store

More information about the Password-Store mailing list