Recent change of behavior that always enables the gpg "alwaystrust" option makes gopass prone to repository corruption attacks #305

@tcheneau

Description

Hello,

The alwaystrust config option has been removed in issue #206 and now the alwaystrust argument is always passed to gpg. If the autoimport feature is enabled (default true), I see a huge security issue.

If an attacker manages to commit to my repository a GPG key I do not trust, and I'm not careful when pulling (which can easily be overlooked if there are a lot of changes in the history), the next time I work with the repository I will begin re-encrypting my passwords with the attacker's public key. My understanding is that if alwaystrust was not set, the pubkey of the attacker would still be added to my keyring, but gopass would not re-encrypt my password file with its pubkey (it would probably spit out an error message).

I was actually confronted with this behaviour this very afternoon when trying to set up the tool with a colleague of mine, and it certainly does not look like a sane default behaviour. Am I missing something obvious here?

Regards,
Tony
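One defensive check for the situation described in this issue, added here as an example and not part of gopass or of the reporter's report: before trusting a freshly pulled store, compare the recipients listed in the store's `.gpg-id` file against the validity that the local keyring assigns to each key, and flag any recipient that gpg has not validated (an auto-imported stranger's key normally shows validity `-`). The keyring state is read from the machine-readable output of `gpg --with-colons --list-keys`; the sample output, the `.gpg-id` contents and all function names below are constructed for this example.

```python
# Added example: flag .gpg-id recipients that the local keyring has not validated.
# Real input comes from `gpg --with-colons --list-keys`; a sample is constructed here.

TRUSTED_VALIDITY = {"u", "f"}  # ultimate or full validity; anything else is unverified

# Constructed keyring: Tony's own key (validity u) and an auto-imported stranger (validity -)
SAMPLE_KEYRING = (
    "pub:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:\n"
    "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:\n"
    "uid:u::::1500000000::HASH::Tony <tony@example.org>::::::::::0:\n"
    "sub:u:4096:1:5555666677778888:1500000000::::::e::::::23:\n"
    "fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888:\n"
    "pub:-:4096:1:DEADBEEFDEADBEEF:1600000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCDEADBEEFDEADBEEF:\n"
    "uid:-::::1600000000::HASH::Imported Stranger <stranger@example.net>::::::::::0:\n"
)
# Constructed .gpg-id as it might look after a malicious commit appended a recipient
SAMPLE_GPG_ID = "# store recipients\n1111222233334444\nDEADBEEFDEADBEEF\n"

def parse_keyring(colons: str) -> dict:
    """Map each primary-key fingerprint to its validity code (field 2 of the pub line)."""
    keys, pending = {}, None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending = fields[1] or "-"                 # validity of the primary key
        elif fields[0] == "fpr" and pending is not None:
            fingerprint = [f for f in fields[1:] if f][0]  # only non-empty field on fpr lines
            keys[fingerprint.upper()] = pending
            pending = None
        elif fields[0] == "sub":
            pending = None                             # skip subkey fingerprints
    return keys

def parse_gpg_id(text: str) -> list:
    """Recipient list: one fingerprint or long key ID per line, '#' comments allowed."""
    return [l.strip().upper() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def untrusted_recipients(gpg_id_text: str, colons: str) -> list:
    """Return .gpg-id entries that are absent from the keyring or not validated (u/f)."""
    keys = parse_keyring(colons)
    bad = []
    for rcpt in parse_gpg_id(gpg_id_text):
        # an entry may be a full fingerprint or a key ID, i.e. a fingerprint suffix;
        # e-mail style entries never match and are therefore reported as unverified
        match = [fpr for fpr in keys if fpr.endswith(rcpt)]
        if not match or keys[match[0]] not in TRUSTED_VALIDITY:
            bad.append(rcpt)
    return bad

if __name__ == "__main__":
    print("unverified recipients:", untrusted_recipients(SAMPLE_GPG_ID, SAMPLE_KEYRING))
```

Run against a real store by feeding the actual `.gpg-id` and the live `gpg --with-colons --list-keys` output; a non-empty result means a recipient would receive your secrets at the next re-encryption without you ever having verified its key.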

Labels: gpg (GPG related), security, ux (User experience / User Interface related)
