Security Vulnerability: Faulty GPG Signature Checking

Ben Oliver ben at bfoliver.com
Mon Jun 18 08:40:44 CEST 2018


On 18-06-17 21:27:47, Greg Minshall wrote:
>> The command is:
>>
>> file:///usr/share/doc/git/html/user-manual.html
>
>what are downsides to doing this?  is it safe to do this on an already
>populated pass tree?  (i.e., will pass decide that previous commits were
>invalid, something like that?)

No. It only stops people from adding new commits who don't have your GPG 
key.

It should be noted that an attacker can still edit the file tree and you 
might not notice. You could mitigate against this in a number of ways 
though, like maybe having pass check that the last commit is signed if 
you have that option turned on (perhaps it already does?).
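As an added illustration of the check Ben suggests (this is example code, not part of the thread or of pass itself), the following POSIX shell script inspects the tip commit of a store with git's own `%G?` signature-status placeholder and refuses anything other than a good signature from a trusted key. It also flags uncommitted changes in the working tree, since a store whose history is signed can still have its files edited in place. The store path defaults to `$PASSWORD_STORE_DIR` or `~/.password-store`, which is an assumption about the caller's layout; the function and variable names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from pass:
# a defensive check that the tip commit of a password store carries a
# good signature and that nothing in the working tree has been edited
# behind git's back.

# Map git's %G? status letter to a human-readable verdict and an exit code.
# The letters are git's own (documented under git log's pretty formats):
#   G good and trusted, U good but key untrusted, X good but signature
#   expired, Y good but key expired, R good but key revoked, B bad,
#   E could not be checked (e.g. missing key), N no signature at all.
# Only "G" is accepted; everything else returns non-zero.
classify_signature_status() {
    case "$1" in
        G) echo "good: signed with a trusted key"; return 0 ;;
        U) echo "untrusted: good signature, but the key is not trusted"; return 1 ;;
        X) echo "expired: good signature that has expired"; return 1 ;;
        Y) echo "key-expired: good signature made with an expired key"; return 1 ;;
        R) echo "revoked: good signature made with a revoked key"; return 1 ;;
        B) echo "bad: signature does not verify"; return 1 ;;
        E) echo "error: signature could not be checked (key missing?)"; return 1 ;;
        N) echo "unsigned: commit carries no signature"; return 1 ;;
        *) echo "unknown status '$1'"; return 1 ;;
    esac
}

# Report whether the working tree differs from HEAD (assumed store path).
# A signed history says nothing about files changed on disk afterwards.
check_store_tree_clean() {
    store="$1"
    if [ -n "$(git -C "$store" status --porcelain 2>/dev/null)" ]; then
        echo "working tree has uncommitted changes:"
        git -C "$store" status --porcelain
        return 1
    fi
    echo "working tree matches HEAD"
    return 0
}

# Check the tip commit of the store; exit 2 if the path is not a repository.
check_store_head_signature() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    status=$(git -C "$store" log -1 --format=%G? 2>/dev/null) || {
        echo "not a git repository: $store"
        return 2
    }
    classify_signature_status "$status" || return 1
    check_store_tree_clean "$store"
}

# Usage: run against the default store, or pass a path as the first argument.
# check_store_head_signature "$@"
```

Wiring this into a wrapper or a `git` hook before `pass` reads the store gives the behaviour Ben describes; note that `git log --format=%G?` relies on the same local GPG keyring and trust settings as `git verify-commit`, so a key that is present but not marked trusted shows up as `U`, not `G`.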