Then you need to decide whether you should trust the decrypted output or remove it from the password store. That should only happen if a user revokes their public key (or becomes untrusted for some other reason) after the password was originally imported.
On Mon, Jul 21, 2014 at 2:27 AM, Allan Odgaard <[email protected]> wrote:

> On 21 Jul 2014, at 12:28, James Wald wrote:
>
>> […] It would have to add the '--sign' option […] need to validate
>> signatures against trustdb.gpg. I feel that gpg's signing is the
>> right solution for this problem […]
>
> And the problem is that untrusted people can write to your password store?
>
> Using GPG signing would not be how I would solve such a problem, and I
> wouldn’t consider it an acceptable solution. Say you need the password for
> [email protected] and ‘pass’ reports that this password is not signed by a
> trusted user, so now what?
> _______________________________________________
> Password-Store mailing list
> [email protected]
> http://lists.zx2c4.com/mailman/listinfo/password-store

--
James
