Security Vulnerability: Faulty GPG Signature Checking
Ben Oliver
ben at bfoliver.com
Mon Jun 18 08:40:44 CEST 2018
On 18-06-17 21:27:47, Greg Minshall wrote:
>> The command is:
>>
>> file:///usr/share/doc/git/html/user-manual.html
>
>what are downsides to doing this? is it safe to do this on an already
>populated pass tree? (i.e., will pass decide that previous commits were
>invalid, something like that?)

No. It only stops people from adding new commits who don't have your GPG
key.

It should be noted that an attacker can still edit the file tree and you
might not notice. You could mitigate against this in a number of ways
though, like maybe having pass check that the last commit is signed if
you have that option turned on (perhaps it already does?).
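
The check suggested in the message above (is the last commit signed, and does the file tree still match it), as an added example that is not part of the original post or of pass itself. The function names and the `TRUSTED_FPRS` variable are hypothetical; the clean-working-tree test is an added assumption about how to notice edits made outside git.

```shell
#!/bin/sh
# Added example (not pass's own code): verify the password store's last commit.
# TRUSTED_FPRS and both function names are hypothetical.

# Decide from GnuPG status lines (as printed by `git verify-commit --raw`)
# whether the signature is valid and was made by a trusted primary key.
#   $1: status text   $2: space-separated trusted primary-key fingerprints
sig_is_trusted() {
    status=$1
    trusted=$2
    # Any of these status lines means the signature must not be relied on.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # The last field of VALIDSIG is the primary key fingerprint.
    fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    # An unsigned commit produces no VALIDSIG line at all.
    [ -n "$fpr" ] || return 1
    for t in $trusted; do
        if [ "$t" = "$fpr" ]; then
            return 0
        fi
    done
    return 1
}

# Check HEAD of the store and that files on disk match the signed commit.
check_store_head() {
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    # --raw writes the GnuPG status lines to stderr.
    status=$(git -C "$store" verify-commit --raw HEAD 2>&1)
    sig_is_trusted "$status" "$TRUSTED_FPRS" || return 1
    # A signed HEAD says nothing about uncommitted edits to the tree,
    # so also require a clean working tree.
    [ -z "$(git -C "$store" status --porcelain)" ]
}
```

Run `TRUSTED_FPRS="<your key fingerprint>" check_store_head` before trusting the store's contents; a non-zero exit status means HEAD is unsigned, signed by an unexpected key, or the tree has uncommitted changes.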