Actually, we don't use --sign for gpg, for signing. Instead we use git's signing feature, which invokes gpg --sign internally to sign *commits*. This way, the entire directory tree is signed, not just the contents of files. This prevents tampering with the overall structure of the repo.
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
