On Sun, Jul 20, 2014 at 08:49:38PM -1000, James Wald wrote:
> After evaluating a dozen options I've decided to go with pass. I
> love the integration with git and the fact that I can rebase and
> merge across all of my machines. I have a question regarding gpg,
> passphrases, and signing. Please correct me if anything I describe
> is blatantly wrong, I'm still learning how to use pass and gpg
> effectively.
>
> I've created unique subkey pairs (encryption & signing) for each
> machine that I use. When I read passwords from pass, I am required
> to enter my subkey's passphrase. When inserting passwords, I found
> it somewhat surprising that I wasn't asked for my passphrase. It
> appears that additions to pass are not signed by default? I
> understand that anyone can encrypt data using my public key, so the
> passphrase wouldn't be required for unsigned files.

No, the inserts are signed using your public key, for which no passphrase is required. You can verify this by using "gpg --decrypt < file" on one of the files in the password store.

I might be wrong, but it looks like there's no check at insert time that you have the capability to decrypt. I'm fine with it this way.

> I found the 'pass git config --bool --add pass.signcommits true'
> option which works because I'm currently using a single git
> repository so this option is good enough for now. In the future I
> would like the flexibility to share pass files from untrusted
> sources such as 3rd party git repos, emails, and other file sharing
> services without adding manual, error-prone sign and verify steps.
>
> I think it would be more flexible and secure (not everyone will rely
> on signed git commits) if the individual gpg files were signed. pass
> would also need a new command to import gpg files with signature
> verification.
>
> Am I totally off the rails here? Apologies if this has already been
> discussed on the mailing list.

-- 
James Cameron
http://quozl.linux.org.au/

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
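As an added example that is not part of the thread above (and not pass's or GnuPG's own code), the following Python script lists the top-level OpenPGP packets (RFC 4880, section 4) in a store file: an encrypt-only entry shows a public-key-encrypted session-key packet followed by an encrypted-data packet, a detached .sig file shows a bare signature packet, and a signature made together with encryption is nested inside the encrypted payload, which is why only "gpg --decrypt" reveals it. The sample bytes are constructed placeholders, not real GnuPG output.

```python
# Top-level OpenPGP packet lister; tag numbers per RFC 4880 section 4.3.
PACKET_NAMES = {1: "pkesk", 2: "signature", 3: "skesk", 4: "one-pass-sig",
                8: "compressed", 9: "sym-encrypted", 11: "literal", 18: "seipd"}

def _new_format_length(data, pos):
    """Decode a new-format length; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True   # partial body length

def parse_packets(data: bytes):
    """Return [(tag, body_length)] for each top-level packet in data."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: not an OpenPGP packet header")
        pos += 1
        if ctb & 0x40:                       # new-format header
            tag, total = ctb & 0x3F, 0
            length, pos, partial = _new_format_length(data, pos)
            while partial:                   # chunks until a definite length
                total, pos = total + length, pos + length
                length, pos, partial = _new_format_length(data, pos)
            total, pos = total + length, pos + length
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                   # indeterminate: rest of file
                total, pos = len(data) - pos, len(data)
            else:
                n = (1, 2, 4)[ltype]
                total = int.from_bytes(data[pos:pos + n], "big")
                pos += n + total
        if pos > len(data):
            raise ValueError("packet body runs past end of data")
        packets.append((tag, total))
    return packets

def describe(data: bytes):
    """Human-readable packet sequence, e.g. ['pkesk', 'seipd']."""
    return [PACKET_NAMES.get(tag, f"tag{tag}") for tag, _ in parse_packets(data)]

# Constructed sample bytes (placeholder bodies, not real GnuPG output):
# an encrypt-only entry as pass produces it, and a detached signature file.
UNSIGNED_ENTRY = (bytes([0x85, 0x00, 0x0C]) + b"\x03" + b"\x00" * 8 + b"\x01\x00\x08"
                  + bytes([0xD2, 0x06]) + b"\x01" + b"\x00" * 5)
DETACHED_SIG = bytes([0x89, 0x00, 0x04]) + b"\x04\x00\x01\x01"
```

Run it on a real entry with `describe(open("Email/example.gpg", "rb").read())`; seeing only `pkesk` and `seipd` tells you nothing about an inner signature, so decrypt to check for one.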
