When signing .gpg-id files in `pass init`, pass does not ensure binary detached signatures. If the user has a gpg.conf file specifying ASCII armored output as default, pass will create an ASCII armored detached signature (with the .asc file extension). But pass expects binary detached signatures (having the .sig file extension). This breaks the whole signing and verifying process. By using the --no-armor option for gpg explicitly, pass can ensure the creation of a binary detached signature regardless of user configuration. --- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..2cc8782 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -354,7 +354,7 @@ cmd_init() {
 for key in $PASSWORD_STORE_SIGNING_KEY; do
 signing_keys+=( --default-key $key )
 done
- $GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
+ $GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --no-armor --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
 key="$($GPG "${GPG_OPTS[@]}" --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
 [[ -n $key ]] || die "Signing of .gpg_id unsuccessful."
 git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}."
-- 
2.41.0
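Review bot: The added `--no-armor` on the `--detach-sign` line carries its rationale only in the commit message; a later reader may drop it as redundant because gpg emits binary signatures by default, and the verify line below, which reads a hard-coded `$gpg_id.sig`, would then silently break again for users with `armor` set in gpg.conf. A one-line comment above it would preserve that link in the code: `# --no-armor: a gpg.conf "armor" default would write .gpg_id.asc, which the --verify below never reads`. Since gpg honours the last occurrence of conflicting options, keeping `--no-armor` after `"${GPG_OPTS[@]}"` also matters if that array carries user-supplied options, which this hunk does not show. cmd_init's body begins before and continues past this hunk.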