apply PASSWORD_STORE_SIGNING_KEY to password files too?
david at mandelberg.org
Wed Nov 10 00:07:04 UTC 2021
I just thought about one more thing. Would it be possible for the
signature to include the relative path too?
browserpass-extension uses the relative path to determine what site the
password is for, so an attacker with write access could copy
good-site.example.com.gpg to attacker-controlled.example.net.gpg, then
collect the password on attacker-controlled.example.net.
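
The concern raised in the message above, shown as an added example that is not part of the original message or of pass itself: a signature computed over the file bytes alone still verifies after the file is copied to another name, while one that also covers the relative path does not. HMAC with a constructed key stands in for the detached GPG signature, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key: HMAC stands in for the detached GPG signature.
KEY = b"constructed-demo-key"


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def sign_content(rel_path: str, blob: bytes) -> bytes:
    """Signature over the file bytes only; rel_path is deliberately unused."""
    return _mac(blob)


def sign_with_path(rel_path: str, blob: bytes) -> bytes:
    """Signature over the store-relative path and the file bytes.
    The path is length-prefixed so the path/content boundary is unambiguous."""
    p = rel_path.encode("utf-8")
    return _mac(len(p).to_bytes(4, "big") + p + blob)


def verify_content(rel_path: str, blob: bytes, sig: bytes) -> bool:
    # Nothing ties the signature to the location the file is read from.
    return hmac.compare_digest(sign_content(rel_path, blob), sig)


def verify_with_path(rel_path: str, blob: bytes, sig: bytes) -> bool:
    # Recompute over the path the file is actually read from.
    return hmac.compare_digest(sign_with_path(rel_path, blob), sig)


def check_after_copy(sign, verify) -> dict:
    """Sign one entry, duplicate the file and its signature under a second
    name, then verify every entry at the path it is read from."""
    src = "good-site.example.com.gpg"
    dst = "attacker-controlled.example.net.gpg"
    blob = b"constructed ciphertext bytes"  # placeholder for the .gpg content
    store = {src: (blob, sign(src, blob))}
    store[dst] = store[src]  # file and signature copied verbatim
    return {path: verify(path, b, s) for path, (b, s) in store.items()}


if __name__ == "__main__":
    print("content only:", check_after_copy(sign_content, verify_content))
    print("path bound:  ", check_after_copy(sign_with_path, verify_with_path))
```
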