I currently sign my git commits, but signing the original files would be even better, I guess. It always felt weird to me that I was able to write to the store without my secret key.

On Wed, 31 Aug 2016 at 11:48, Brian Candler <[email protected]> wrote:

> On 31/08/2016 16:43, Emile Cantin wrote:
>
> In light of the recent Dropbox leak, I wanted to know how old my password
> was, and perhaps if I had any other old passwords that would be due for a
> rotation. I don't think I can rely on the last modification date on the
> files, as a fresh clone of my repo would have today's date, even if the
> file was last modified in my repo in 2012. I looked into how to do this
> with Git, but it's pretty ungainly:
> http://serverfault.com/questions/401437/how-to-retrieve-the-last-modification-date-of-all-files-in-a-git-repository
>
> Keepass has an "expiration date" field which you can set when generating a
> password, and it appears in a different color in the list when expired.
>
> I think password age is a relevant metric for a password manager, but pass
> doesn't currently offer any visibility into this.
>
> What do you think?
>
> This is (another) reason why it would be good if pass were to sign its GPG
> files. The signature includes a timestamp.

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
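
Added example (not from the thread and not part of pass): one way to get the password age asked about above from the store's git history, by taking the newest commit time that touched each file. It assumes the store is a git repository; `pass_ages`, `sample_log` and the `@` prefix on timestamps are names and conventions chosen for this example.

```shell
#!/bin/sh
# Reads `git log` output on stdin and prints "<age in days><TAB><entry>" for
# every entry whose most recent commit is older than MAX_DAYS.
#
# Real use (assumes the store lives in ~/.password-store):
#   git -C ~/.password-store log --format='@%ct' --name-only -- '*.gpg' |
#       pass_ages 365

pass_ages() {
    max_days=$1
    now=${2:-$(date +%s)}    # optional second argument pins "now"
    awk -v max="$max_days" -v now="$now" '
        /^@/ { ts = substr($0, 2); next }   # commit header: @<unix time>
        /^$/ { next }                       # blank separator lines
        !($0 in seen) {                     # log is newest-first, so the
            seen[$0] = 1                    # first hit is the last change
            age = int((now - ts) / 86400)
            if (age > max) printf "%d\t%s\n", age, $0
        }
    '
}

# Constructed sample of that git output (newest commit first); the
# timestamps and entry names are made up for illustration.
sample_log() {
    printf '%s\n' '@1471794480' '' 'Web/github.gpg' \
                  '@1343058480' '' 'Web/github.gpg' 'Email/dropbox.gpg'
}
```

A commit that only renames or re-encrypts an entry also resets its age here, and entries deleted from the store still appear. Commit times come from the committer's clock and are only as trustworthy as the commits themselves, which is where signing comes back in.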
