Security Vulnerability: Faulty GPG Signature Checking

Ben Oliver ben at bfoliver.com
Thu Jun 14 22:40:31 CEST 2018


On 18-06-14 19:49:56, Tobias Girstmair wrote:
>Thanks for this update -- very much appreciated. :-) A few thoughts below.
>
>On Thu, Jun 14, 2018 at 05:09:35PM +0200, Jason A. Donenfeld wrote:
>> Our recommendations for authenticity and integrity
>> continue to be to enable git commit signing, which pass has built-in
>> support for.
>
>Maybe this should be mentioned/explained on passwordstore.org (grepping
>for 'sign' didn't turn up anything useful)

It is in the man page, but I must admit I did not notice it and only 
enabled it based on this email!

The command is:

    pass git config --bool --add pass.signcommits true
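
Added example, not part of the original message or of pass itself: a shell check that the setting above is active in the store's git repository and that lists commits still lacking a good signature, since enabling the option only affects commits pass creates afterwards. It assumes the store lives at `$PASSWORD_STORE_DIR` or `~/.password-store`; the function names and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit a pass store's git history for commit signatures.
# Function names and the --audit switch are illustrative, not part of pass.

# Succeeds if pass is configured to sign the commits it creates.
signing_enabled() {
    [ "$(git -C "$1" config --bool --get pass.signcommits 2>/dev/null)" = "true" ]
}

# Print "<status> <hash> <subject>" for every commit whose signature git does
# not report as good. %G? statuses: N none, B bad, E cannot check (key missing),
# U good but unknown validity, X/Y expired signature/key, R revoked key.
# Treating U as unverified is a policy choice made for this example.
unverified_commits() {
    git -C "$1" log --format='%G? %H %s' | awk '$1 != "G"'
}

# Report the setting and the unverified commits; exit status 0 only if
# signing is enabled and every commit carries a good signature.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    if signing_enabled "$store"; then
        echo "pass.signcommits: enabled"
    else
        echo "pass.signcommits: NOT enabled"
    fi
    count=$(unverified_commits "$store" | wc -l | tr -d ' ')
    echo "commits without a good signature: $count"
    unverified_commits "$store"
    [ "$count" -eq 0 ] && signing_enabled "$store"
}

# Run the audit only when invoked as: script --audit [store-dir]
if [ "${1:-}" = "--audit" ]; then
    audit_store "${2:-}"
fi
```

Commits made before the option was enabled show up with status `N`; a status of `E` means the signer's public key is not in the local keyring.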