Author: Stephen Gregoratto <firstname.lastname@example.org>
Date: Tue, 23 Jul 2019 23:41:04 +1000
add gpg sync keys post
1 file changed, 65 insertions(+), 0 deletions(-)
diff --git a/content/blog/gpg-sync-all-pub-keys.md b/content/blog/gpg-sync-all-pub-keys.md
@@ -0,0 +1,65 @@
+title: "Updating All Public Keys in GPG"
+GPG and other OpenPGP implementations aren't well known for their ease of
+use[^1][^2][^3], and the general view among many professional
+cryptographers[^4][^5][^6][^7][^8] is that the entire ecosystem is a dud, and
+should be replaced with more modern, specialised tools.
+Even when signing/encrypting emails --- the thing that PGP was designed for ---
+GPG is a letdown.
+Recently, `mutt` alerted me that the public key for a mailing list user had
+expired. I sent a friendly message letting them know, and received this in
+> What keyserver did you pull from?
+> I pushed a new expiry date at least a month ago.
+So, even though I set GPG to auto-download keys, it won't update them.
+Rather than wade through GPG's option list,
+I decided it would be simpler to just extract a list of public keys and feed
+that to `--recv-keys`:
+# The command expansion outputs a "machine readable" list of public keys
+gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons |
+ grep '^fpr' | cut -d ':' -f 10)
+Smugly, I plopped this in my `scripts` folder and called it a day.
+Then I actually looked at the gpg(1) manpage and found there was in fact an
+option that did exactly this:
+ Request updates from a keyserver for keys that already exist on the
+ local keyring. This is useful for updating a key with the latest
+ signatures, user IDs, etc. Calling this with no arguments will
+ refresh the entire keyring.
+This experience has made me question why I put up with this UI hell.
+My interactions with GPG are limited to email encryption/signing (sparingly)
+and file encryption via [password-store][pass].
+I used to sign all my commits too like a good boy,
+before realising that nobody really checks them
+(especially not from little ol' me).
+Recently I've moved secure communications to [Signal][signal] *because* of its
+simplicity over PGP.
+If Filippo can get around to releasing his [age][age] tool,
+then I could finally dispose of this broken ecosystem and fully transition to
+modern, simpler crypto.
+[^1]: [Why Johnny Can't Encrypt](https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf)
+[^2]: [Why Johnny Still Can't Encrypt](https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf)
+[^3]: [Why Johnny Still, Still Can't Encrypt](https://arxiv.org/pdf/1510.08555.pdf)
+[^4]: [Matthew Green --- What's the matter with PGP?](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)
+[^5]: [Moxie Marlinspike --- GPG And Me](https://moxie.org/blog/gpg-and-me/)
+[^6]: [Bruce Schneier --- Giving Up on PGP](https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html)
+[^7]: [Filippo Valsorda --- I'm throwing in the towel on PGP](https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/)
+[^8]: [Filippo Valsorda --- OpenPGP Is Broken](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/)
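Review bot: the post says gpg(1) has an option that does exactly what the one-liner does, but never names it; the quoted manpage text ("Request updates from a keyserver for keys that already exist on the local keyring ... Calling this with no arguments will refresh the entire keyring.") is the entry for `--refresh-keys`, so stating that explicitly (`gpg --refresh-keys`) would save readers the same manpage trip. Two smaller points on the one-liner itself: `--keyid-format long` has no effect on `--with-colons` output and can be dropped, and `grep '^fpr'` matches the fingerprint records that follow `sub` lines as well as those that follow `pub` lines, so `--recv-keys` is handed every subkey fingerprint too; it still works, but it is redundant, which is another reason to prefer `--refresh-keys`. Finally, the quoted reply ("What keyserver did you pull from?") points at a limitation neither command fixes: a refreshed expiry only arrives if the other party pushed it to the keyserver the author is configured to use, so a sentence on checking which keyserver is configured would round out the post.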