Matthias Apitz wrote:
On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via
Gnupg-users wrote:
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
Therefore, pass(1) almost certainly has its own list of keys stored
pass stores the fingerprints of the keys in a .gpg-id file and allows
setting different ones per directory.
Werner,
I have only one .gpg-id file on my L5 mobile in my password-store:
purism@pureos:~$ find .password-store/ -name .gpg-id
.password-store/.gpg-id
purism@pureos:~$ cat .password-store/.gpg-id
CCID L5
That .gpg-id file would be the list I was talking about. It seems that
pass(1) stores the actual keys on your main GPG keyring, but keeps a
list of /which/ keys should be able to decrypt passwords separately.
(Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in
your environment: if set, it overrides the search for a .gpg-id file.)
There is also a facility for maintaining GPG signatures on those .gpg-id
files, which would make sneaking in Mallory's key far more difficult if
you were to use it. I suspect that the pass(1) manpage has more
information and may be interesting reading. Overall, this seems to be a
good design.
I would also suggest using the key fingerprints instead of names when
you reencrypt your password store, as I suspect that your new and old
smartcard keys may have similar names.
As Werner mentioned, you can also have different .gpg-id files for
different parts of your password store, if you wanted some passwords to
only be available with certain smartcards.
-- Jacob
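An added example, written for this thread and not taken from it or from the pass project: a POSIX shell audit that walks a password store, lists every .gpg-id file, flags entries that are not full 40-hex-digit fingerprints (a bare name like the `CCID L5` above is ambiguous once an old and a new smartcard key share a user ID), notes .gpg-id files that lack the detached .gpg-id.sig that pass checks when PASSWORD_STORE_SIGNING_KEY is set, and warns when PASSWORD_STORE_KEY is present in the environment. The sample store it builds under mktemp is constructed for the demonstration: the fingerprint is made up and the .gpg-id.sig is an empty placeholder, not a real signature.

```shell
#!/bin/sh
# Added example: audit the .gpg-id files of a pass(1) password store.
# Not part of the thread or of the pass project. Assumes pass's layout:
# each directory may carry a .gpg-id (one key per line) and, when
# PASSWORD_STORE_SIGNING_KEY is used, a detached signature in .gpg-id.sig.

# Print every .gpg-id file below the store, one path per line.
list_gpg_ids() {
    find "$1" -name .gpg-id -type f | sort
}

# Return 0 if every non-empty line of $1 is a full 40-hex-digit OpenPGP v4
# fingerprint (spaces allowed, as gpg --fingerprint prints them).
# A user ID such as "CCID L5" or a short key ID is flagged: when an old and
# a new smartcard key share a name, such an entry is ambiguous.
check_fingerprints() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr -d ' ')
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9A-Fa-f]*)
                printf 'WARN %s: "%s" is a name or key ID, not a fingerprint\n' "$file" "$line"
                rc=1 ;;
            *)
                if [ "${#entry}" -ne 40 ]; then
                    printf 'WARN %s: "%s" is not a full 40-digit fingerprint\n' "$file" "$line"
                    rc=1
                fi ;;
        esac
    done < "$file"
    return "$rc"
}

# Audit one store. Sets AUDIT_PROBLEMS to the number of findings and returns
# 0 only when there are none. Store paths without whitespace are assumed.
audit_store() {
    store=$1
    AUDIT_PROBLEMS=0
    # From the thread: a PASSWORD_STORE_KEY in the environment overrides the
    # .gpg-id lookup entirely, so its mere presence is a finding.
    if [ -n "${PASSWORD_STORE_KEY:-}" ]; then
        printf 'WARN PASSWORD_STORE_KEY=%s is set; it overrides every .gpg-id\n' "$PASSWORD_STORE_KEY"
        AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
    fi
    for f in $(list_gpg_ids "$store"); do
        check_fingerprints "$f" || AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
        if [ ! -f "$f.sig" ]; then
            printf 'NOTE %s: no detached signature (%s.sig)\n' "$f" "$f"
            AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
        fi
    done
    printf 'audit of %s: %d finding(s)\n' "$store" "$AUDIT_PROBLEMS"
    [ "$AUDIT_PROBLEMS" -eq 0 ]
}

# Constructed sample store for the demonstration (made-up fingerprint, empty
# placeholder instead of a real signature): the root .gpg-id is in good
# shape; work/.gpg-id holds the bare name from the thread and has no .sig,
# which is the case the audit should flag.
make_sample_store() {
    store=$(mktemp -d)
    mkdir -p "$store/work"
    printf '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567\n' > "$store/.gpg-id"
    : > "$store/.gpg-id.sig"
    printf 'CCID L5\n' > "$store/work/.gpg-id"
    printf '%s\n' "$store"
}

# Stand-alone run: two findings are expected for the sample store.
sample=$(make_sample_store)
audit_store "$sample" || printf 'store %s needs attention\n' "$sample"
rm -rf "$sample"
```

Point `audit_store` at `~/.password-store` instead of the sample to check a real store; it exits non-zero whenever there is a finding, so it fits a pre-commit hook in the store's git repository. The signature check only reports presence of the .sig file; the cryptographic verification is left to pass itself with PASSWORD_STORE_SIGNING_KEY set.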
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users