Security Vulnerability: Faulty GPG Signature Checking
Sebastian Reuße
seb at wirrsal.net
Fri Jun 15 08:20:58 CEST 2018
Tobias Girstmair <junkgir-passwd at yahoo.de> writes:

> On Thu, Jun 14, 2018 at 05:09:35PM +0200, Jason A. Donenfeld wrote:
>> Our recommendations for authenticity and integrity continue to be to
>> enable git commit signing, which pass has built-in support for.
> Maybe this should be mentioned/explained on passwordstore.org
> (grepping for 'sign' didn't turn up anything useful)

Perhaps it would also make sense for Jason to refer to git-remote-gcrypt
[1], which, in addition to authenticity and integrity, also provides
confidentiality for file-system level metadata (password entry names and
the directory tree) on the remote side, something that has been
discussed here in the past.

[1] <https://spwhitton.name/tech/code/git-remote-gcrypt/>

Kind regards,
SR
--
Insane cobra split the wood
Trader of the lowland breed
Call a jittney, drive away
In the slipstream we will stay