browserpass-extension uses the relative path to determine what site the password is for, so an attacker with write access could copy good-site.example.com.gpg to attacker-controlled.example.net.gpg, then collect the password on attacker-controlled.example.net.
I just thought about one more thing. Would it be possible for the
signature to include the relative path too?
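The path binding asked about above, as an added example that is not part of the original message or of pass itself: HMAC-SHA256 with a constructed key stands in for the detached GPG signature made with PASSWORD_STORE_SIGNING_KEY, and the function names and signed-message layout are assumptions. It compares a signature over the file bytes alone with one that also covers the store-relative path, after the entry is copied to a second name.

```python
import hashlib
import hmac
import posixpath

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the signing key

def canonical_path(rel_path):
    """Normalise a store-relative path; reject anything outside the store."""
    norm = posixpath.normpath(rel_path)
    if norm in (".", "..") or norm.startswith(("/", "../")):
        raise ValueError("path must stay inside the store")
    return norm

def sign_content_only(ciphertext, key=DEMO_KEY):
    """Signature over the file bytes alone: valid wherever the file is copied."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()

def sign_with_path(rel_path, ciphertext, key=DEMO_KEY):
    """Signature over the length-prefixed path plus the ciphertext digest."""
    path = canonical_path(rel_path).encode("utf-8")
    msg = len(path).to_bytes(4, "big") + path + hashlib.sha256(ciphertext).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_content_only(ciphertext, sig, key=DEMO_KEY):
    return hmac.compare_digest(sign_content_only(ciphertext, key), sig)

def verify_with_path(rel_path, ciphertext, sig, key=DEMO_KEY):
    try:
        expected = sign_with_path(rel_path, ciphertext, key)
    except ValueError:
        return False  # a path escaping the store never verifies
    return hmac.compare_digest(expected, sig)

def demo():
    """Copy a signed entry to a second name and verify it both ways."""
    src, dst = "good-site.example.com.gpg", "attacker-controlled.example.net.gpg"
    blob = b"constructed ciphertext bytes"  # constructed sample, not real GPG output
    store = {src: (blob, sign_content_only(blob), sign_with_path(src, blob))}
    store[dst] = store[src]  # write access: file and signatures duplicated as-is
    blob2, sig_plain, sig_bound = store[dst]
    return {
        "content_only_accepts_copy": verify_content_only(blob2, sig_plain),
        "path_bound_accepts_copy": verify_with_path(dst, blob2, sig_bound),
        "path_bound_accepts_original": verify_with_path(src, blob, store[src][2]),
    }

if __name__ == "__main__":
    print(demo())
```

The length prefix keeps the path and the digest from being re-split into a different pair that produces the same signed bytes.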
- apply PASSWORD_STORE_SIGNING_KEY to password files too? David Mandelberg
