Hugo files for
git clone git://

commit 658410bdf911a5aca62af0aed2cecabba9d60272
parent 703c163a257f9a1e88cfcfea817f646a1f17afb7
Author: Stephen Gregoratto <>
Date:   Tue, 23 Jul 2019 23:41:04 +1000

add gpg sync keys post

A content/blog/ | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+), 0 deletions(-)

diff --git a/content/blog/ b/content/blog/ 
@@ -0,0 +1,65 @@ +--- +title: "Updating All Public Keys in GPG" +date: 2019-07-16T22:33:29+10:00 +draft: false +--- + +GPG and other OpenPGP implementations aren't well known for their ease of +use[^1][^2][^3], and the general view among many professional +cryptographers[^4][^5][^6][^7][^8] is that the entire ecosystem is a dud, and +should be replaced with more modern, specialised tools. +Even when signing/encrypting emails --- the thing that PGP was designed for --- +GPG is a letdown. +Recently, `mutt` alerted me that the public key for a mailing list user had +expired. I sent a friendly message letting them know, and received this in +return: + +> What keyserver did you pull from? +> I pushed a new expiry date at least a month ago. + +So, even though I set GPG to auto-download keys, it won't update them. +Rather than wade through GPG's option list, +I decided it would be simpler to just extract a list of public keys and feed +that to `--recv-keys`: + +```sh +#!/bin/sh +# The command expansion outputs a "machine readable" list of public keys +gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons | + grep '^fpr' | cut -d ':' -f 10) +``` +Smugly, I plopped this in my `scripts` folder and called it a day. +Then I actually looked at the gpg(1) manpage and found there was in fact an +option that did exactly this: + +``` +'--refresh-keys' + Request updates from a keyserver for keys that already exist on the + local keyring. This is useful for updating a key with the latest + signatures, user IDs, etc. Calling this with no arguments will + refresh the entire keyring. +``` + +This experience has made me question why I put up with this UI hell. +My interactions with GPG are limited to email encryption/signing (sparingly) +and file encryption via [password-store][pass]. +I used to sign all my commits too like a good boy, +before realising that nobody really checks them +(especially not from little ol' me). 
+Recently I've moved secure communications to [Signal][signal] *because* of its +simplicity over PGP. +If Filippo can get around to releasing his [age][age] tool, +then I could finally dispose of this broken ecosystem and fully transition to +modern, simpler crypto. + +[pass]: +[signal]: +[age]: +[^1]: [Why Johnny Can't Encrypt]( +[^2]: [Why Johnny Still Can't Encrypt]( +[^3]: [Why Johnny Still, Still Can't Encrypt]( +[^4]: [Matthew Green --- What's the matter with PGP?]( +[^5]: [Moxie Marlinspike --- GPG And Me]( +[^6]: [Bruce Schneier --- Giving Up on PGP]( +[^7]: [Filippo Valsorda --- I'm throwing in the towel on PGP]( +[^8]: [Filippo Valsorda --- OpenPGP Is Broken](
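Review bot: both the one-liner and the `--refresh-keys` alternative depend on which keyserver gpg is configured to talk to, and the post never names it, even though the quoted reply asks exactly that ("What keyserver did you pull from?"); a sentence noting the `keyserver` setting (in gpg.conf or via `--keyserver`) would make the fix reproducible and would also explain why auto-download alone did not pick up the new expiry. Two smaller points in the same block: `--keyid-format long` is redundant in the script, since it reads the full fingerprint from field 10 of the `fpr` records and that option only changes how key IDs are displayed in listings; and the gpg(1) excerpt is fenced without a language tag while the script fence is tagged `sh`, so the two blocks will be styled differently when rendered.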