Adding authenticity guarantees to pass by signing (and checking signatures), not just encrypting (and decrypting), the passwords?

J Rt jean.rblt at gmail.com
Mon Sep 2 14:51:36 UTC 2024


Hi,

Thank you again for an amazing tool.

I have opened an issue on gopass
(https://github.com/gopasspw/gopass/issues/2932) to discuss the
possibility of adding signature and signature checking to the
mechanics of the passwords encryption / decryption. I believe this
would mitigate quite a few of the (quite fair) criticisms made in e.g.
https://rot256.dev/post/pass/ .

Basically, the idea would be that by using sign + encrypt instead of
just encrypt, pass and the likes (gopass) could be safer against
attacks where the synchronization tool used to back up and synchronize
the store would be hijacked (e.g., github being compromised for many
pass users). In theory this would probably be relatively little extra
work since gpg supports --sign --encrypt already? I would believe
that, once this is implemented, trusting the synchronization platform
becomes much less critical?

Do you think something like this could work / be added to pass? :)

Best,

JR
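The check the post proposes, as an added example (not code from the original post, and not part of pass or gopass): entries are written with `gpg --sign --encrypt`, and on read they are accepted only if gpg reports a VALIDSIG from the store owner's key. The script assumes gpg 2.1+ on PATH and generates a throwaway, passphrase-less key named "pass-demo" in a temporary GNUPGHOME (a real store would use the user's own key); the entry text and the damaged copy are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post nor from pass/gopass.
# Assumptions: gpg 2.1+ on PATH; a throwaway key "pass-demo" created in a
# temporary GNUPGHOME so the script runs offline.
set -eu

DEMO_EMAIL='demo@example.invalid'
OWNER_FPR=''

setup_keyring() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # Unattended, passphrase-less Ed25519 signing key plus cv25519 encryption subkey
  gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: pass-demo
Name-Email: $DEMO_EMAIL
Expire-Date: 0
%commit
EOF
  # The primary key's fingerprint is the identity every entry must be signed by
  OWNER_FPR=$(gpg --batch --with-colons --list-secret-keys \
              | awk -F: '$1 == "fpr" { print $10; exit }')
}

# Store entry as the post proposes: signed by the owner and encrypted to the owner.
encrypt_signed() {   # $1 plaintext file, $2 output entry
  gpg --batch --yes --quiet --sign --encrypt -r "$DEMO_EMAIL" -o "$2" "$1"
}

# Entry encrypted to the same public key but carrying no signature: anyone who
# holds only the public key can produce this, so the reader must reject it.
encrypt_unsigned() { # $1 plaintext file, $2 output entry
  gpg --batch --yes --quiet --encrypt -r "$DEMO_EMAIL" -o "$2" "$1"
}

# Decrypt $1 and require a VALIDSIG status line from fingerprint $2.
# Returns 0 = accepted, 1 = decrypts but no valid signature from that key,
# 2 = gpg refused the message (corrupt, manipulated, or not decryptable).
verify_entry() {
  status=$(mktemp)
  if ! gpg --batch --yes --quiet --status-fd 3 -o /dev/null \
           --decrypt "$1" 3>"$status" 2>/dev/null; then
    rm -f "$status"; return 2
  fi
  if grep -q "^\[GNUPG:\] VALIDSIG $2 " "$status"; then
    rm -f "$status"; return 0
  fi
  rm -f "$status"; return 1
}

# Runs the three cases and prints their verify_entry codes: expected "0 1 2".
run_demo() {
  setup_keyring
  work=$(mktemp -d)
  printf 'correct horse battery staple\n' > "$work/entry.txt"   # constructed entry
  encrypt_signed   "$work/entry.txt" "$work/signed.gpg"
  encrypt_unsigned "$work/entry.txt" "$work/unsigned.gpg"
  # Damage in transit: overwrite the last 8 bytes (integrity tag) of the signed entry
  cp "$work/signed.gpg" "$work/tampered.gpg"
  size=$(wc -c < "$work/signed.gpg")
  dd if=/dev/zero of="$work/tampered.gpg" bs=1 seek=$((size - 8)) count=8 \
     conv=notrunc 2>/dev/null
  rc_signed=0;   verify_entry "$work/signed.gpg"   "$OWNER_FPR" || rc_signed=$?
  rc_unsigned=0; verify_entry "$work/unsigned.gpg" "$OWNER_FPR" || rc_unsigned=$?
  rc_tampered=0; verify_entry "$work/tampered.gpg" "$OWNER_FPR" || rc_tampered=$?
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work" "$GNUPGHOME"
  echo "$rc_signed $rc_unsigned $rc_tampered"
}

if command -v gpg >/dev/null 2>&1; then
  echo "signed unsigned tampered -> $(run_demo)"
else
  echo "gpg not found; nothing to demonstrate" >&2
fi
```

The point of the fingerprint match is that a "good signature" from some key is not enough: the reader pins the signer to the store owner's key, so a sync backend that can only re-encrypt to the public key yields entries that decrypt but are refused, while any byte-level alteration is caught by gpg before the signature is even examined.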
