-
-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support PASSWORD_STORE_SIGNING_KEY
with profiles
#624
Comments
Hi I'm not QtPass developer, but as far as my experience from building pass GUI (native c++ still under development). It is possible to get this info from the To protect the
Did I understood you question correctly? |
what you are mentioning is something different, i.e. the signing of git commits, which is a feature of git itself, independently from pass. the these features are perhaps less interesting when all you do is managing your own passwords. but when working in a team, there should be more control over the public keys defined in in the meantime, we have written a bash script that does the job for us. we might release it once it's tested more. |
I see, you meanThe verification verify_file() {
[[ -n "$PASSWORD_STORE_SIGNING_KEY" ]] || return 0
[[ -f "$1.sig" ]] || die "Signature for $1 does not exist."
local fingerprints fingerprint found=0
fingerprints="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARRAY[@]}" --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
for fingerprint in $PASSWORD_STORE_SIGNING_KEY; do
[[ $fingerprint =~ ^[A-F0-9]{40}$ ]] || continue
[[ $fingerprints == *$fingerprint* ]] && { found=1; break; } I think I understand
and this must be defined for every local user. The problem, is that it was expected to be specific for every repository. The way you managed to solve it was as This is certainly where QtPass shines because it utilize all Personally, I would prefer to prevent tempering with the See: ruby implementation for that in https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy |
To enable the pass signature check in qtpass, the envvar can be set via
Unfortunately profile selection via command line parameter does not work reliably here, otherwise as a workaround you could have provided scripts to restart qtpass with the right signing key id and store set. |
we've just released our script, hope it's useful for others: https://github.com/C3S/passtore |
Is your feature request related to a problem? Please describe.
we are evaluating the use of pass/QtPass in a team and are trying to figure out a trust model that would not force all team members to learn how to use git. the encryption with defined OpenPGP keys per unit, like pass/QtPass are offering, is exactly what we would like to use, since we are already using OpenPGP anyway. but IIUC, everyone with access to the password store could add key IDs to any .gpg-id files.
Describe the solution you'd like
in the pass docs, the environment variable
PASSWORD_STORE_SIGNING_KEY
is listed with the description:QtPass already supports profiles to switch between password stores, which is a neat feature. unfortunately, it currently doesn't seem to supprt setting the
PASSWORD_STORE_SIGNING_KEY
variable. i think this would need to be set independently per profile to be really useful, i.e. add a "select signing keys" button in a new row next to the profle path.Describe alternatives you've considered
it's not really an alternative, but we are discussing limiting the write access to the password store to designated admins to mitigate the potential damage. we would like to combine this with the signing of .gpg-id files.
The text was updated successfully, but these errors were encountered: