Hacker News new | past | comments | ask | show | jobs | submit login

What you probably want is a signature. Since pass can be a git repo, you could use git to sign your commits [1]. But you'll have to remember to check the git commit signatures or automate checking it somehow.

[1] https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work




Restricting to a git repo and making sure to check that the commit is signed and there's no diff to current would work, but it's easier to just put the login URL (or at least the domain) as the second line of the encrypted file (Pass allows arbitrary metadata).

OpenPGP (GPG / etc.) use a MAC on the file, so an attacker can't modify the encrypted file and still get it to decrypt (at least without some flag to ignore broken MAC). An attacker could create a new password file for you for their domain, but then they'd have to make up a random password for you that's not going to match your FriendFace/Congo/Vigintillion password.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: