On 24.07.2014 19:28, Jason A. Donenfeld wrote:
> Actually, we don't use --sign for gpg, for signing. Instead we use git's
> signing feature, which invokes gpg --sign internally to sign /commits/. This
> way, the entire directory tree is signed, not just the contents of files.
> This prevents tampering with the overall structure of the repo.

This is nice too, yet I have two comments on this:

* this seems to be enabled globally in git config, so what about users who do not wish to sign their work (e.g. don't have a personal GPG key), but do want password files signed?
* if it exists, is the git signature checked (automatically) before the password is retrieved? I believe not.
--
Jan Rusnacko, Red Hat Product Security

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
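The check raised in the second comment above, as an added example that is not from this thread nor part of pass itself: a POSIX shell function (hypothetical name `verify_store`) that refuses to trust a store unless HEAD carries a good git signature from one expected key, plus a demo that builds a throwaway key and repository in a temporary directory and runs the check on a signed and then an unsigned commit. It assumes git and gpg 2.1+ are installed.

```shell
#!/bin/sh
# Added example (not from the thread or from pass): gate password retrieval
# on a good commit signature from a known key, instead of trusting the
# working tree blindly.
set -eu

# verify_store <repo-dir> <expected-key-fingerprint>
# Prints "ok" when HEAD has a good signature (%G? = G) made by the expected
# key (%GF = fingerprint); anything else (bad, missing, other key) is
# "untrusted". A wrapper would run this before calling `pass show`.
verify_store() {
    repo=$1; want=$2
    status=$(git -C "$repo" log -1 --format='%G? %GF' HEAD 2>/dev/null || echo N)
    case "$status" in
        "G $want") echo ok ;;
        *)         echo untrusted ;;
    esac
}

# Demo fixture (constructed, throwaway): key + repo live only under mktemp.
# Returns "<result for signed commit> <result for unsigned commit>".
demo_signed_vs_unsigned() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo <demo@example.invalid>' default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/{print $10; exit}')
    store="$work/store"; mkdir "$store"
    git -C "$store" init -q
    git -C "$store" config user.email demo@example.invalid
    git -C "$store" config user.name Demo
    git -C "$store" config user.signingkey "$fpr"
    echo 'placeholder' > "$store/site.gpg"    # stands in for an encrypted entry
    git -C "$store" add site.gpg
    git -C "$store" commit -q -S -m 'signed entry'
    first=$(verify_store "$store" "$fpr")
    # Simulate an edit that bypassed signing (e.g. a tampered checkout).
    echo 'changed' > "$store/site.gpg"
    git -C "$store" commit -q -a --no-gpg-sign -m 'unsigned edit'
    second=$(verify_store "$store" "$fpr")
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$first $second"
}
```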
