Security Vulnerability: Faulty GPG Signature Checking
Tobias Girstmair
junkgir-passwd at yahoo.de
Thu Jun 14 19:49:56 CEST 2018
Thanks for this update -- very much appreciated. :-) A few thoughts below.
On Thu, Jun 14, 2018 at 05:09:35PM +0200, Jason A. Donenfeld wrote:
> Our recommendations for authenticity and integrity
> continue to be to enable git commit signing, which pass has built-in
> support for.
Maybe this should be mentioned/explained on passwordstore.org (grepping
for 'sign' didn't turn up anything useful).
> rearchitecting for a long time. One plan for that would be to simply
> use a cleaner subset of bash -- no use of sed, only bash regular
> expressions. The other would be to rewrite this in a real programming
> language and link to the gpgme library, which ostensibly gives us
> fine-grained verification and checking.
While "pass is just a shell script" was what initially drew me to it, it
also is kinda dangerous (having ~/bin/ in my path would allow e.g.
tail(1) to be replaced by an evil version saving the gpg output
elsewhere).
Therefore, I wouldn't be against a C implementation for example for 2.0.
> latter has been that the appeal of pass is that it's "just" a simple
> bash script;
*simple* bash scripts I've found are either trivial or
{fragile,wrong,buggy,insecure}. Again, I'd support C (or anything widely
supported) for pass 2.0.
--
gir.st
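
The PATH concern raised in the message above, turned into a check. This is an added example, not part of the original message and not code from pass: it reports which helper commands a shell script would resolve to a file or directory the current user can write to. The function name `shadowed_helpers` is hypothetical, and the helper list (tail, sed, gpg, git, all named in the thread) is an assumption about what the script calls.

```shell
#!/bin/sh
# Added example (not from the thread or from pass): find helper commands that
# a shell script would resolve to a location the current user can write to.

# shadowed_helpers PATH_STRING CMD...   (hypothetical name)
# For each CMD, walk PATH_STRING in order, stop at the first executable match
# (as the shell's own lookup does), and print "CMD<TAB>PATH" when that match or
# its directory is writable by the current user.
shadowed_helpers() (
    path_string=$1
    shift
    for cmd in "$@"; do
        rest="$path_string:"
        while [ -n "$rest" ]; do
            dir=${rest%%:*}
            rest=${rest#*:}
            dir=${dir:-.}          # an empty PATH entry means the current directory
            if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
                if [ -w "$dir" ] || [ -w "$dir/$cmd" ]; then
                    printf '%s\t%s\n' "$cmd" "$dir/$cmd"
                fi
                break              # first match wins; later directories are never reached
            fi
        done
    done
    return 0
)

# Helpers named in the thread; the exact set pass invokes is an assumption.
shadowed_helpers "$PATH" tail sed gpg git
```

Run it as the account that uses pass: root can write everywhere, so as root every helper is listed.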