commit 39a3f7ed75e953c5072a04e18ea599181c5a1530
parent 9fb0f810e71722c0d79dcc2956e24f69ee6c1704
Author: Stephen Gregoratto <dev@sgregoratto.me>
Date: Thu, 14 Nov 2019 19:58:24 +1100
gpg-article: Indentation settings
Diffstat:
1 file changed, 47 insertions(+), 54 deletions(-)
diff --git a/gpg-sync-all-pub-keys.xml b/gpg-sync-all-pub-keys.xml
@@ -4,53 +4,28 @@
<h1>Updating All Public Keys in GPG</h1>
<time datetime="2019-07-16">July 16, 2019</time>
</header>
- <p>GPG and other OpenPGP implementations aren’t well known for their ease of use
- <sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup>
- and the general view among many professional cryptographers
- <sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup>
- is that the entire ecosystem is a dud, to be replaced with more
- modern, specialised tools. Even when signing/encrypting emails —
- the thing it was designed for, mind — GPG is a letdown.</p>
- <p>Recently, <code>mutt</code> alerted me that the public key for a
- mailing list user had expired. I sent a friendly message letting them
- know, and received this in return:</p>
+ <p>GPG and other OpenPGP implementations aren’t well known for their ease of use <sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup> and the general view among many professional cryptographers <sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup> is that the entire ecosystem is a dud, to be replaced with more modern, specialised tools. Even when signing/encrypting emails—the thing it was designed for, mind—GPG is a letdown.</p>
+ <p>Recently, <code>mutt</code> alerted me that the public key for a mailing list user had expired. I sent a friendly message letting them know, and received this in return:</p>
<blockquote>
- <p>What keyserver did you pull from? I pushed a new expiry date at
- least a month ago.</p>
+ <p>What keyserver did you pull from? I pushed a new expiry date at least a month ago.</p>
</blockquote>
- <p>So even though I set GPG to auto-download keys, it won’t update
- them. Rather than wade through GPG’s option list, I decided it would
- be simpler to just extract a list of public keys and feed that to
- <code>--recv-keys</code>:</p>
-<code><pre class="chroma"><span class="cp">#!/bin/sh
-</span><span class="cp"></span><span class="c1"># The command expansion outputs a "machine readable" list of public keys</span>
+ <p>So even though I set GPG to auto-download keys, it won’t update them. Rather than wade through GPG’s option list, I decided it would be simpler to just extract a list of public keys and feed that to <code>--recv-keys</code>:</p>
+ <code>
+<pre class="chroma"><span class="cp">#!/bin/sh</span>
+<span class="cp"/><span class="c1"># The command expansion outputs a "machine readable" list of public keys</span>
gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-keys --with-colons <span class="p">|</span>
- grep <span class="s1">'^fpr'</span> <span class="p">|</span> cut -d <span class="s1">':'</span> -f <span class="m">10</span><span class="k">)</span></pre></code>
- <p>Smugly, I dropped this in my <code>scripts</code> folder and called
- it a day. Then I bothered to look at the gpg(1) manpage and found that
- there was in fact an option for this:</p>
-<pre>'--refresh-keys'
- Request updates from a keyserver for keys that already exist on the
- local keyring. This is useful for updating a key with the latest
- signatures, user IDs, etc. Calling this with no arguments will
- refresh the entire keyring.</pre>
- <p>This experience has made me question why I put up with this UI hell.
- My interactions with GPG are limited to email encryption/signing
- (sparingly) and file encryption via
- <a href="https://www.passwordstore.org/">password-store</a>.
- I used to sign all my commits too like a good boy, before realising
- that nobody really checks them (especially not from little ol’ me).
- Recently I’ve moved secure communications to
- <a href="https://signal.org/">Signal</a> <em>because</em> of its
- simplicity over PGP. If Filippo can get around to releasing his
- <a href="https://age-tool.com/">age</a> tool, then I could finally
- dispose of this broken ecosystem and fully transition to modern,
- simpler crypto.</p>
+ grep <span class="s1">'^fpr'</span> <span class="p">|</span> cut -d <span class="s1">':'</span> -f <span class="m">10</span> <span class="k">)</span></pre>
+ </code>
+ <p>Smugly, I dropped this in my <code>scripts</code> folder and called it a day. Then I bothered to look at the gpg(1) manpage and found that there was in fact an option for this:</p>
+ <blockquote>
+ <dl>
+ <dt>--refresh-keys</dt>
+ <dd>Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring.</dd>
+ </dl>
+ </blockquote>
+ <p>This experience has made me question why I put up with this UI hell. My interactions with GPG are limited to email encryption/signing (sparingly) and file encryption via <a href="https://www.passwordstore.org/">password-store</a>. I used to sign all my commits too like a good boy, before realising that nobody really checks them (especially not from little ol’ me). Recently I’ve moved secure communications to <a href="https://signal.org/">Signal</a> <em>because</em> of its simplicity over PGP. If Filippo can get around to releasing his <a href="https://age-tool.com/">age</a> tool, then I could finally dispose of this broken ecosystem and fully transition to modern, simpler crypto.</p>
<hr/>
- <p>Update: I’ve reflected on this post a bit, and decided to remove the
- links to my PGP key on my website. I fully believe that PGP is
- fundamentally broken, and intend to revoke my PGP key when age is
- released.</p>
+ <p>Update: I’ve reflected on this post a bit, and decided to remove the links to my PGP key on my website. I fully believe that PGP is fundamentally broken, and intend to revoke my PGP key when age is released.</p>
<hr/>
<section class="footnotes" role="doc-endnotes">
<p>References:</p>
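Review bot: the new `<code>` / `<pre class="chroma">` nesting in this hunk (`+ <code>` followed by `+<pre class="chroma">…`) is inverted: `<code>` is phrasing content and may not contain a block-level `<pre>`, so the conventional and valid order is `<pre class="chroma"><code>…</code></pre>`. Related, `<span class="cp"/>` is only a complete element under XML serialization; if this `.xml` source is ever emitted as text/html the parser will read it as an open tag that swallows the rest of the listing, so `<span class="cp"></span>` (or simply dropping the empty span) is safer. Minor style point: `<dt>--refresh-keys</dt>` would read consistently with the body text if wrapped as `<dt><code>--refresh-keys</code></dt>`, matching the `<code>--recv-keys</code>` markup two paragraphs above. The shell in the listing is unchanged apart from the added space before `)`, which is harmless; worth noting for the reader that `grep '^fpr'` also matches subkey fingerprints, so the `--recv-keys` list fetches each key more than once, which is one more reason `--refresh-keys` is the better tool.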
@@ -58,23 +33,41 @@ gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-k
<li id="fn1" role="doc-endnote">
<p>Take your pick:</p>
<ul>
- <li><a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a></li>
- <li><a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a></li>
- <li><a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a></li>
- <li><a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a></li>
+ <li>
+ <a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a>
+ </li>
+ <li>
+ <a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a>
+ </li>
+ <li>
+ <a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a>
+ </li>
+ <li>
+ <a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a>
+ </li>
</ul>
- <a href="#fnref1" class="footnote-back">↩</a>
+ <a class="footnote-back" href="#fnref1">↩</a>
</li>
<li id="fn2" role="doc-endnote">
<p>Ditto:</p>
<ul>
- <li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green — What’s the matter with PGP?</a></li>
- <li><a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike — GPG And Me</a></li>
- <li><a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier — Giving Up on PGP</a></li>
- <li><a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda — I’m throwing in the towel on PGP</a></li>
- <li><a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda — OpenPGP Is Broken</a></li>
+ <li>
+ <a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green—What’s the matter with PGP?</a>
+ </li>
+ <li>
+ <a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike—GPG And Me</a>
+ </li>
+ <li>
+ <a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier—Giving Up on PGP</a>
+ </li>
+ <li>
+ <a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda—I’m throwing in the towel on PGP</a>
+ </li>
+ <li>
+ <a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda—OpenPGP Is Broken</a>
+ </li>
</ul>
- <a href="#fnref1" class="footnote-back">↩</a>
+ <a class="footnote-back" href="#fnref1">↩</a>
</li>
</ol>
</section>
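Review bot: the back link inside `<li id="fn2" role="doc-endnote">` still targets the first footnote reference: `+ <a class="footnote-back" href="#fnref1">↩</a>` should be `href="#fnref2"`, otherwise clicking the return arrow on footnote 2 jumps to the footnote 1 marker in the body. The hunk already rewrites this line to reorder the attributes, so fixing the anchor here costs nothing. The reformatted `<li>` blocks and the tightened dashes in the link titles are fine as-is.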