> Uh, isn't 'signed with a public key' completely useless? I mean, it
> makes sense to encrypt it with the public key, because this is what it's
> for -- but for signing, you should need a private key. Else everybody
> could sign in your name. So, have you just confused signing with
> encryption? Or is this really happening?
>
> - René
pass uses 'gpg -e' to encrypt files. This means that it does not sign each file. It would have to add the '--sign' option, such as 'gpg -e --sign', which is the potential change that I'm suggesting. This has a few implications such as the need to validate signatures against trustdb.gpg. I feel that gpg's signing is the right solution for this problem rather than signed git commits which pass currently relies on.

You're correct that anyone can create pass files using your public key. The use case I'm trying to apply is multi-user environments where sharing signed git commits is far less practical than emailing a gpg file that's been signed by a trusted peer.

-- James
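As an added illustration of the difference James describes (this is not pass's code and not code from the list), the script below builds two throwaway keyrings, produces one file with 'gpg -e' and one with 'gpg -e --sign', and has the recipient classify each from gpg's status lines. It assumes gpg 2.1+ on PATH; the keyring names, user ids and secret are constructed for the example.

```shell
#!/bin/sh
# Added example, not pass's own code: 'gpg -e' (what pass does today) versus
# 'gpg -e --sign' (the proposal), seen from the recipient's side.
# Assumes gpg 2.1+ on PATH. Keys, names and the secret are constructed here.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'for h in sender recipient; do GNUPGHOME="$WORK/$h" gpgconf --kill all 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# g KEYRING ARGS...: run gpg against a throwaway keyring holding an unprotected key
g() { _h=$1; shift; GNUPGHOME="$WORK/$_h" gpg --batch --quiet --yes \
        --pinentry-mode loopback --passphrase '' "$@"; }
# fpr KEYRING: fingerprint of that keyring's own key
fpr() { g "$1" --with-colons --list-keys "$1@example.invalid" | awk -F: '/^fpr:/{print $10; exit}'; }

for who in sender recipient; do
  mkdir -m 700 "$WORK/$who"
  g "$who" --quick-generate-key "$who <$who@example.invalid>" default default never 2>/dev/null
done
# Exchange public keys only; no trust information travels with them.
g sender --export "$(fpr sender)" | g recipient --import 2>/dev/null
g recipient --export "$(fpr recipient)" | g sender --import 2>/dev/null

printf 'hunter2\n' > "$WORK/secret.txt"
# What pass does today: encrypt to the recipient, no signature at all.
g sender -e --trust-model always -r "$(fpr recipient)" -o "$WORK/unsigned.gpg" "$WORK/secret.txt"
# The proposed change: also sign with the sender's private key.
g sender -e --sign --trust-model always -u "$(fpr sender)" -r "$(fpr recipient)" \
  -o "$WORK/signed.gpg" "$WORK/secret.txt"

# classify FILE: decrypt as the recipient and read gpg's machine-readable status
# lines. Prints unsigned, untrusted (good signature, but the recipient's trustdb
# does not vouch for the signing key) or trusted.
classify() {
  st=$(g recipient --status-fd 1 -o /dev/null -d "$1" 2>/dev/null) || st=""
  if ! printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG '; then echo unsigned
  elif printf '%s\n' "$st" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then echo trusted
  else echo untrusted; fi
}

UNSIGNED=$(classify "$WORK/unsigned.gpg")   # unsigned: nothing to check, as with pass today
BEFORE=$(classify "$WORK/signed.gpg")       # untrusted: GOODSIG but TRUST_UNDEFINED
# The recipient checks the sender's fingerprint out of band and certifies the key;
# this is the trustdb.gpg validation step the proposal brings with it.
g recipient --quick-sign-key "$(fpr sender)" 2>/dev/null
AFTER=$(classify "$WORK/signed.gpg")        # trusted
echo "unsigned.gpg: $UNSIGNED; signed.gpg before certification: $BEFORE, after: $AFTER"
```

A file that decrypts fine but comes back as unsigned or untrusted is exactly the case René raises: anyone holding the public key could have produced it.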
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
