[pass] Patch/discussion: allow signing/verifying .gpg-id files

[Őry Máté]

Hi,


If you use password store on a non-trusted git service (you wouldnt even
need encryption if it were trusted), you may not notice if the .gpg-id file
is tampered. You may encrypt a new password for someone you didn't want.

Find attached a patch that implents signature and verification of gpg-id
files. The solution is NOT complete, because the signed data doesn't
mention the purpose of the signature, nor the target. You could freely copy
a signed gpg-id file from an other repository used by the signer. The same
is the case with subpaths.

I have some ideas of fixing this, but not sura about which is the best:


A snapshot should be held about .gpg-id files' content, and a diff shown to
the user if it changes?
An other environment variable should contain the name/uuid of the
repository, which is appended to the signed data?

Or breaking generality, git-specificly:
Git annotated tags should be used on the init -- or even all -- commits? Or
the signature should contain the commit id of the last change of the gpg-id?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20160208/84a07d7d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-allow-signing-verifying-.gpg-id-files.patch
Type: text/x-patch
Size: 2545 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20160208/84a07d7d/attachment-0001.bin>