[PATCH] Ensure binary detached signatures

Tim Haase timhaase at gmx.net
Thu Jun 22 08:12:43 UTC 2023

When signing .gpg-id files in `pass init`, pass does not ensure binary
detached signatures. If the user has a gpg.conf file specifying ASCII
armored output as default, pass will create an ASCII armored detached
signature (with the .asc file extension). But pass expects binary
detached signatures (having the .sig file extension). This breaks the
whole signing and verifying process. By using the --no-armor option for
gpg explicitly, pass can ensure the creation of a binary detached
signature regardless of user configuration.

 src/password-store.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..2cc8782 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -354,7 +354,7 @@ cmd_init() {
 			for key in $PASSWORD_STORE_SIGNING_KEY; do
 				signing_keys+=( --default-key $key )
-			$GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
+			$GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --no-armor --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
 			key="$($GPG "${GPG_OPTS[@]}" --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
 			[[ -n $key ]] || die "Signing of .gpg_id unsuccessful."
 			git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}."
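Review bot: the new `--no-armor` on the `+` line is placed after "${GPG_OPTS[@]}", which is the right spot, since gpg applies the last option given and this is what lets it override an `armor` line in the user's gpg.conf; it would help to state that ordering requirement in a short comment above the call, because the very next context line hard-codes the output name as "$gpg_id.sig" for `--verify` and `git_add_file`, so anyone later moving the flag before the options array or into a user-controlled variable would silently reintroduce the `.asc` mismatch this patch fixes. While here, both `die` messages on the `+` line and the line after it refer to ".gpg_id", whereas the file the commit message describes is `.gpg-id`; consider correcting the spelling in the message text in the same change.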
