On Mon, Jul 21, 2014 at 12:28:47AM -1000, James Wald wrote:
> >
> > Uh, isn't 'signed with a public key' completely useless? I mean, it
> > makes sense to encrypt it with the public key, because this is what it's
> > for -- but for signing, you should need a private key. Else everybody
> > could sign in your name. So, have you just confused signing with
> > encryption? Or is this really
> > happening. - René
> >
>
> pass uses 'gpg -e' to encrypt files. This means that it does not sign each
> file. It would have to add the '--sign' option, such as 'gpg -e --sign',
> which is the potential change that I'm suggesting. This has a few
> implications such as the need to validate signatures against trustdb.gpg. I
> feel that gpg's signing is the right solution for this problem rather than
> signed git commits which pass currently relies on.
>
> You're correct that anyone can create pass files using your public key. The
> use case I'm trying to apply is multi-user environments where sharing
> signed git commits is far less practical than emailing a gpg file that's
> been signed by a trusted peer.

I guess your peer could sign her email using gpg. /ǵ
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
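
Added example, not part of the thread and not pass's own code: a shell check over `gpg --status-fd` output that accepts a decrypted entry only if it also carries a valid signature from an allowlisted key, which is the difference between 'gpg -e' and 'gpg -e --sign' discussed above. The function name, fingerprints and status captures are constructed, and an explicit fingerprint allowlist is assumed here in place of trustdb validation.

```bash
# Real use (hypothetical file names):
#   gpg --status-fd 3 -d entry.gpg 3>status.txt >plaintext
#   signed_by_allowed_peer "$ALLOWED" <status.txt

# Reads gpg status lines on stdin. $1 = space-separated allowed fingerprints.
# Prints the signer's primary key fingerprint and returns 0 only when the
# file decrypted AND every signature on it is valid and from an allowed key.
signed_by_allowed_peer() {
    local allowed=" $1 " tag keyword fpr rest primary
    local decrypted=0 signer=""
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            DECRYPTION_OKAY) decrypted=1 ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                case "$allowed" in
                    *" $primary "*) signer=$primary ;;
                    *) return 1 ;;    # signed, but not by a trusted peer
                esac ;;
        esac
    done
    # An encrypted-only file decrypts fine but never sets $signer.
    [ "$decrypted" -eq 1 ] && [ -n "$signer" ] || return 1
    printf '%s\n' "$signer"
}

# Constructed allowlist and constructed status captures (not real keys).
ALLOWED="0123456789ABCDEF0123456789ABCDEF01234567"
SIGNED_STATUS='[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Peer <peer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-07-21 1405938527 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY'
# Decrypting plain "gpg -e" output: no signature lines at all.
ENCRYPTED_ONLY_STATUS='[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] DECRYPTION_OKAY'
# Validly signed, but by a key that is not on the allowlist.
STRANGER_STATUS='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-07-21 1405938527 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

for s in "$SIGNED_STATUS" "$ENCRYPTED_ONLY_STATUS" "$STRANGER_STATUS"; do
    printf '%s\n' "$s" | signed_by_allowed_peer "$ALLOWED" || echo "rejected"
done
```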
