[pass] Short PGP IDs in pass

Niklas Hambüchen mail at nh2.me
Fri Feb 5 17:00:29 CET 2016

I noticed that ~/.password-store/.gpg-id uses short key IDs, for which
collisions can easily be found (see [1] [2] [3]).

Is this a problem for pass? Especially, assume that I have 2 keys in my
keyring, one mine and one that was constructed by an attacker to have
the same short ID, is it possible that pass will encrypt my passwords
for the other person's key?

Thank you!

[2] http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
[3] https://help.riseup.net/en/gpg-best-practices#dont-rely-on-the-key-id

More information about the Password-Store mailing list