apply PASSWORD_STORE_SIGNING_KEY to password files too?

Alexander Kjäll alexander.kjall at
Wed Nov 10 07:48:25 UTC 2021

I tried sending a patch to fix this vulnerability last year but I
don't think it was applied, and to be honest the patch needed more
work from someone better at shell scripting than me. See for my writeup of

Den ons 10 nov. 2021 kl 01:07 skrev David Mandelberg <david at>:
> I just thought about one more thing. Would it be possible for the
> signature to include the relative path too?
> browserpass-extension uses the relative path to determine what site the
> password is for, so an attacker with write access could copy
> to, then
> collect the password on

More information about the Password-Store mailing list