On Tue, Apr 29 2014, Joey Hess <[email protected]> wrote:
> It seems that assword fails if the key used to sign the file is not
> marked as ultimately trusted. Personally, I have no use for gpg's
> trustdb (it's slow, and I don't trust transitively), and so I have
> no-auto-check-trustdb set, and had not set a trust level on my key. I
> think that assword should still function in this configuration.

Agreed.  I guess we have a couple of options here:

0) don't sign the db file at all
1) sign but don't fail on sig check invalid
2) add option to sign the db and check sig validity

I added the signing and validation as means to protect against db
tampering, but I'm not sure how useful it actually is.  I'll try to get
more feedback from other users.

Either way, both of these issues will be fixed in the next release.

jamie.

Attachment: pgpngEomD_d6o.pgp
Description: PGP signature

Reply via email to