On Wed, Mar 19, 2014 at 6:01 AM, Josh Cartwright <[email protected]> wrote:
> How do you deal with getting all the team's public keys to all the
> users? Or is that outside the scope of this patch?
>
> Perhaps instead of maintaining a .gpg_id key list, a keyring with the
> teams' public keys should be used.

I find using a keyserver to be more convenient than having a dedicated
keyring that needs to be manually updated with exported keys, and then
all users having to export that keyring and import. Using gpg's
recv-keys or refresh commands handles these tasks well. You can run a
private keyserver if you like, but public keyservers get the job done
and require no maintenance on your part.

New users could even fetch keys with something like this after pulling
from git (note: untested code; the key ids are read out of each .gpg_id
file and passed one at a time to gpg):

    find ~/.password-store/ -name .gpg_id -exec cat {} + | xargs -n 1 gpg --recv-keys

I think it's important to note, however, that getting the keys
themselves is easier than validating them (especially if using a
keyserver). When you have a bunch of people sharing a password store,
each user must trust every other user's key, and this is not something
that pass can address. One option, of course, is for every user to
verify and sign every other key. If you have more than a few users, you
might prefer to designate a couple (gpg-savvy) administrators who
validate all users' keys, and let all users validate and trust just the
admins' keys.

--
Brian Shore
Senior Systems Engineer, Security Architect
Network Redux, LLC
5200 SW Macadam Ave Ste 450
Portland, Oregon 97239
Desk: 503-274-9905 x503

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
