sgregoratto.me

source files for www.sgregoratto.me
git clone git://git.sgregoratto.me/sgregoratto.me

commit 39a3f7ed75e953c5072a04e18ea599181c5a1530
parent 9fb0f810e71722c0d79dcc2956e24f69ee6c1704
Author: Stephen Gregoratto <dev@sgregoratto.me>
Date:   Thu, 14 Nov 2019 19:58:24 +1100

gpg-article: Indentation settings

Diffstat:
Mgpg-sync-all-pub-keys.xml | 101+++++++++++++++++++++++++++++++++++++------------------------------------------
1 file changed, 47 insertions(+), 54 deletions(-)

diff --git a/gpg-sync-all-pub-keys.xml b/gpg-sync-all-pub-keys.xml 
@@ -4,53 +4,28 @@ <h1>Updating All Public Keys in GPG</h1> <time datetime="2019-07-16">July 16, 2019</time> </header> - <p>GPG and other OpenPGP implementations aren’t well known for their ease of use - <sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup> - and the general view among many professional cryptographers - <sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup> - is that the entire ecosystem is a dud, to be replaced with more - modern, specialised tools. Even when signing/encrypting emails — - the thing it was designed for, mind — GPG is a letdown.</p> - <p>Recently, <code>mutt</code> alerted me that the public key for a - mailing list user had expired. I sent a friendly message letting them - know, and received this in return:</p> + <p>GPG and other OpenPGP implementations aren’t well known for their ease of use <sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup> and the general view among many professional cryptographers <sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup> is that the entire ecosystem is a dud, to be replaced with more modern, specialised tools. Even when signing/encrypting emails⁠—the thing it was designed for, mind⁠—GPG is a letdown.</p> + <p>Recently, <code>mutt</code> alerted me that the public key for a mailing list user had expired. I sent a friendly message letting them know, and received this in return:</p> <blockquote> - <p>What keyserver did you pull from? I pushed a new expiry date at - least a month ago.</p> + <p>What keyserver did you pull from? I pushed a new expiry date at least a month ago.</p> </blockquote> - <p>So even though I set GPG to auto-download keys, it won’t update - them. 
Rather than wade through GPG’s option list, I decided it would - be simpler to just extract a list of public keys and feed that to - <code>--recv-keys</code>:</p> -<code><pre class="chroma"><span class="cp">#!/bin/sh -</span><span class="cp"></span><span class="c1"># The command expansion outputs a &#34;machine readable&#34; list of public keys</span> + <p>So even though I set GPG to auto-download keys, it won’t update them. Rather than wade through GPG’s option list, I decided it would be simpler to just extract a list of public keys and feed that to <code>--recv-keys</code>:</p> + <code> +<pre class="chroma"><span class="cp">#!/bin/sh</span> +<span class="cp"/><span class="c1"># The command expansion outputs a "machine readable" list of public keys</span> gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-keys --with-colons <span class="p">|</span> - grep <span class="s1">&#39;^fpr&#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39;:&#39;</span> -f <span class="m">10</span><span class="k">)</span></pre></code> - <p>Smugly, I dropped this in my <code>scripts</code> folder and called - it a day. Then I bothered to look at the gpg(1) manpage and found that - there was in fact an option for this:</p> -<pre>'--refresh-keys' - Request updates from a keyserver for keys that already exist on the - local keyring. This is useful for updating a key with the latest - signatures, user IDs, etc. Calling this with no arguments will - refresh the entire keyring.</pre> - <p>This experience has made me question why I put up with this UI hell. - My interactions with GPG are limited to email encryption/signing - (sparingly) and file encryption via - <a href="https://www.passwordstore.org/">password-store</a>. - I used to sign all my commits too like a good boy, before realising - that nobody really checks them (especially not from little ol’ me). 
- Recently I’ve moved secure communications to - <a href="https://signal.org/">Signal</a> <em>because</em> of its - simplicity over PGP. If Filippo can get around to releasing his - <a href="https://age-tool.com/">age</a> tool, then I could finally - dispose of this broken ecosystem and fully transition to modern, - simpler crypto.</p> + grep <span class="s1">'^fpr'</span> <span class="p">|</span> cut -d <span class="s1">':'</span> -f <span class="m">10</span> <span class="k">)</span></pre> + </code> + <p>Smugly, I dropped this in my <code>scripts</code> folder and called it a day. Then I bothered to look at the gpg(1) manpage and found that there was in fact an option for this:</p> + <blockquote> + <dl> + <dt>--refresh-keys</dt> + <dd>Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring.</dd> + </dl> + </blockquote> + <p>This experience has made me question why I put up with this UI hell. My interactions with GPG are limited to email encryption/signing (sparingly) and file encryption via <a href="https://www.passwordstore.org/">password-store</a>. I used to sign all my commits too like a good boy, before realising that nobody really checks them (especially not from little ol’ me). Recently I’ve moved secure communications to <a href="https://signal.org/">Signal</a> <em>because</em> of its simplicity over PGP. If Filippo can get around to releasing his <a href="https://age-tool.com/">age</a> tool, then I could finally dispose of this broken ecosystem and fully transition to modern, simpler crypto.</p> <hr/> - <p>Update: I’ve reflected on this post a bit, and decided to remove the - links to my PGP key on my website. 
I fully believe that PGP is - fundamentally broken, and intend to revoke my PGP key when age is - released.</p> + <p>Update: I’ve reflected on this post a bit, and decided to remove the links to my PGP key on my website. I fully believe that PGP is fundamentally broken, and intend to revoke my PGP key when age is released.</p> <hr/> <section class="footnotes" role="doc-endnotes"> <p>References:</p> 
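Review bot: the new `<code>` wrapper placed around `<pre class="chroma">` at the top of the script block inverts the conventional nesting; `<code>` is phrasing content and cannot legally contain a `<pre>`, so if this XML is ever serialized as HTML the parser will implicitly close the `<code>` before the `<pre>` and the block loses its code semantics. Nest it as `<pre class="chroma"><code>…</code></pre>` instead. In the same block, `<span class="cp"/>` is only safe because this file is XML; an HTML parser ignores the trailing slash and leaves that span open over the comment that follows it, so an explicit `<span class="cp"></span>` (or dropping the empty span) is more robust. Minor, on the script itself: `--keyid-format long` has no effect when `--with-colons` is given, since the `fpr` records already carry the full fingerprint, and `grep '^fpr'` also matches the fingerprint records that follow `sub` lines, so subkey fingerprints are passed to `--recv-keys` as well; harmless, but worth a comment if the block is meant to be copied.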
@@ -58,23 +33,41 @@ gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-k <li id="fn1" role="doc-endnote"> <p>Take your pick:</p> <ul> - <li><a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a></li> - <li><a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a></li> - <li><a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a></li> - <li><a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a></li> + <li> + <a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a> + </li> + <li> + <a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a> + </li> + <li> + <a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a> + </li> + <li> + <a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a> + </li> </ul> - <a href="#fnref1" class="footnote-back">↩</a> + <a class="footnote-back" href="#fnref1">↩</a> </li> <li id="fn2" role="doc-endnote"> <p>Ditto:</p> <ul> - <li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green — What’s the matter with PGP?</a></li> - <li><a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike — GPG And Me</a></li> - <li><a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier — Giving Up on PGP</a></li> - <li><a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda — I’m throwing in the towel on PGP</a></li> - <li><a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda — OpenPGP Is Broken</a></li> + <li> + <a 
href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green⁠—What’s the matter with PGP?</a> + </li> + <li> + <a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike⁠—GPG And Me</a> + </li> + <li> + <a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier⁠—Giving Up on PGP</a> + </li> + <li> + <a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda⁠—I’m throwing in the towel on PGP</a> + </li> + <li> + <a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda⁠—OpenPGP Is Broken</a> + </li> </ul> - <a href="#fnref1" class="footnote-back">↩</a> + <a class="footnote-back" href="#fnref1">↩</a> </li> </ol> </section>
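Review bot: the back-link at the end of the `fn2` endnote still targets the first footnote marker: under `<li id="fn2" role="doc-endnote">` the line is rewritten to `<a class="footnote-back" href="#fnref1">↩</a>`, reordering the attributes but keeping `#fnref1`. Since the hunk already touches that line, change the target to `#fnref2` so the ↩ returns the reader to the second footnote reference rather than the first.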