Hi,
If you use password store on a non-trusted git service (you wouldn't even need encryption if it were trusted), you may not notice if the .gpg-id file is tampered with. You may encrypt a new password for someone you didn't want. Find attached a patch that implements signing and verification of gpg-id files.

The solution is NOT complete, because the signed data doesn't mention the purpose of the signature, nor the target. You could freely copy a signed gpg-id file from another repository used by the signer. The same is the case with subpaths. I have some ideas for fixing this, but I'm not sure which is the best:

- A snapshot should be held of the .gpg-id files' content, and a diff shown to the user if it changes?
- Another environment variable should contain the name/uuid of the repository, which is appended to the signed data?
- Or, breaking generality, git-specifically: git annotated tags should be used on the init -- or even all -- commits?
- Or the signature should contain the commit id of the last change of the gpg-id?
From 794c1a11cbac05dfbc1e2912f8edb715b1fdffce Mon Sep 17 00:00:00 2001 From: Mate Ory <[email protected]> Date: Mon, 8 Feb 2016 22:03:43 +0100 Subject: [PATCH] allow signing/verifying .gpg-id files --- man/pass.1 | 5 +++++ src/password-store.sh | 28 +++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/man/pass.1 b/man/pass.1 index 33b6036..c7287c3 100644 --- a/man/pass.1 +++ b/man/pass.1 @@ -420,6 +420,11 @@ Sets the umask of all files modified by pass, by default \fI077\fP. The default password length if the \fIpass-length\fP parameter to \fBgenerate\fP is unspecified. .TP +.I PASSWORD_STORE_TRUSTED_SIGNATURES +Space separated list of hexadecimal key IDs which are trusted to sign the files +listing encryption receipents (\fI.gpg_id\fP). Implies signing the file at +time of initializing the password store. +.TP .I EDITOR The location of the text editor used by \fBedit\fP. .SH SEE ALSO diff --git a/src/password-store.sh b/src/password-store.sh index 63be840..5fe4479 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -75,6 +75,27 @@ set_gpg_recipients() { exit 1 fi + if [ -n "$PASSWORD_STORE_TRUSTED_SIGNATURES" ]; then + sig_file="${current}.sig" + if [ ! -f "$sig_file" ]; then + die "The file listing encryption receipents is not signed." + fi + if ! result=$($GPG "${GPG_OPTS[@]}" --verify "$sig_file" 2>&1); then + echo "$result" + die "Could not verify signature of the file listing encryption receipents." + fi + local verified=0 + for i in $PASSWORD_STORE_TRUSTED_SIGNATURES; do + if grep -qs "\<${i}\>" <<<"$result"; then + verified=1 + break + fi + done + if [ $verified -eq 0 ]; then + die "Signer of the file listing encryption receipents is not listed in PASSWORD_STORE_TRUSTED_SIGNATURES." + fi + fi + local gpg_id while read -r gpg_id; do GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" ) 
@@ -285,9 +306,14 @@ cmd_init() { else mkdir -v -p "$PREFIX/$id_path" printf "%s\n" "$@" > "$gpg_id" + + if [ -n "$PASSWORD_STORE_TRUSTED_SIGNATURES" ]; then + $GPG "${GPG_OPTS[@]}" --detach-sign "$gpg_id" + fi + local id_print="$(printf "%s, " "$@")" echo "Password store initialized for ${id_print%, }${id_path:+ ($id_path)}" - git_add_file "$gpg_id" "Set GPG id to ${id_print%, }${id_path:+ ($id_path)}." + git_add_file "$gpg_id*" "Set GPG id to ${id_print%, }${id_path:+ ($id_path)}." fi reencrypt_path "$PREFIX/$id_path" -- 1.9.1
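Review bot: in the man/pass.1 hunk the file is documented as \fI.gpg_id\fP, but the file the script writes and reads is .gpg-id (the `gpg_id` variable in cmd_init, and `${current}.sig` in set_gpg_recipients, both refer to the hyphenated name); "receipents" should be "recipients" here and in the two `die` messages. The text also says "hexadecimal key IDs" without saying whether short IDs, long IDs or full fingerprints are meant; since the value is matched against gpg's output, document that full 40-hex fingerprints are expected, as short key IDs are trivially collidable.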
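Review bot: in the set_gpg_recipients hunk, `grep -qs "\<${i}\>" <<<"$result"` over gpg's human-readable `--verify` output is not a safe signer check: that output also contains the signer's user ID, which the key owner chooses freely, so a key whose uid contains the text of a trusted key ID passes the loop even though the signature was made by a different key. Use the machine-readable output instead, e.g. `$GPG "${GPG_OPTS[@]}" --status-fd 1 --verify "$sig_file" "$current"`, and accept only a `VALIDSIG` line whose fingerprint is in PASSWORD_STORE_TRUSTED_SIGNATURES. Two smaller points: `sig_file` and `result` should be declared `local` like `verified` and `gpg_id` in the same function, and the data file should be passed explicitly to `--verify` rather than letting gpg derive it by stripping `.sig` from the signature name.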
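Review bot: in the cmd_init hunk the exit status of `$GPG "${GPG_OPTS[@]}" --detach-sign "$gpg_id"` is not checked, so if signing fails (no secret key, cancelled passphrase prompt) init carries on, commits an unsigned .gpg-id and then dies inside `reencrypt_path` when set_gpg_recipients finds no .sig, leaving a half-initialised store; add `|| die "Could not sign $gpg_id."` after it. `git_add_file "$gpg_id*"` relies on git treating the quoted `*` as a pathspec glob; call git_add_file for `$gpg_id` and `$gpg_id.sig` explicitly, or pass both names, so unrelated files matching the glob are not committed with that message. Finally, the signature is only produced when PASSWORD_STORE_TRUSTED_SIGNATURES is set at init time, so a store initialised without it cannot be verified later until someone re-signs by hand; the man page entry should say so.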
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
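The two gaps discussed above, the signer check and the missing purpose/target binding, as an added example in POSIX shell. This is not code from pass or from the patch; the function names, the `pass-gpg-id-v1` header, the store identifier and the sample status lines are all constructed here. The `[GNUPG:] VALIDSIG` line format (signing-key fingerprint first, primary-key fingerprint last) is gpg's documented `--status-fd` output.

```shell
#!/bin/sh
# Added example, not pass's own code.
#  1. trusted_signer: decide who signed by parsing gpg's --status-fd output.
#     VALIDSIG carries full fingerprints; GOODSIG and the uid text are ignored
#     because a user ID is chosen by the key owner and may contain a trusted
#     key ID, which is exactly what a grep over the human-readable output hits.
#  2. bound_payload / check_bound_payload: sign a payload that names the
#     purpose, the store and the subpath, so a genuine signature made for one
#     store (or a parent directory) does not verify for another.
# Hypothetical: all function names, the "pass-gpg-id-v1" tag, STORE_ID.

# trusted_signer STATUS_TEXT TRUSTED_FPRS
#   STATUS_TEXT  : stdout of   gpg --status-fd 1 --verify SIG DATA
#   TRUSTED_FPRS : space-separated 40-hex fingerprints
# Returns 0 iff a VALIDSIG line names a trusted signing-key or primary-key
# fingerprint; exact string compare, so a short key ID in the list never matches.
trusted_signer() {
    found=1
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ] || continue
        [ -n "$fpr" ] || continue
        primary="${rest##* }"      # last field of VALIDSIG: primary-key fingerprint
        for t in $2; do
            if [ "$fpr" = "$t" ] || [ "$primary" = "$t" ]; then found=0; fi
        done
    done <<EOF
$1
EOF
    return $found
}

# bound_payload STORE_ID REL_PATH  < .gpg-id
# Prints the bytes to sign instead of the bare .gpg-id: a purpose tag, the
# store identity and the subpath precede the recipient list.
bound_payload() {
    printf 'pass-gpg-id-v1\nstore: %s\npath: %s\n---\n' "$1" "$2"
    cat
}

# check_bound_payload PAYLOAD STORE_ID REL_PATH
# Returns 0 iff a payload whose signature already verified was made for this
# store and this subpath. A payload copied from another store or from a parent
# directory is rejected even though its signature is genuine.
check_bound_payload() {
    expected=$(printf 'pass-gpg-id-v1\nstore: %s\npath: %s\n---' "$2" "$3")
    header=$(printf '%s\n' "$1" | sed -n '1,4p')
    [ "$header" = "$expected" ]
}

# payload_recipients PAYLOAD
# The recipient lines after the four header lines, i.e. the .gpg-id content.
payload_recipients() {
    printf '%s\n' "$1" | sed '1,4d'
}
```

In set_gpg_recipients this would replace the grep loop with `status=$($GPG "${GPG_OPTS[@]}" --status-fd 1 --verify "$sig_file" "$payload_file" 2>/dev/null)` followed by `trusted_signer "$status" "$PASSWORD_STORE_TRUSTED_SIGNATURES"`, with the store identifier taken from an environment variable as the message suggests. Binding the payload to store and path stops transplanting a signed file; it does not stop rolling a store back to an older, still correctly signed payload, which is what the commit-id idea in the message would address.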
