sgregoratto.me

Hugo files for www.sgregoratto.me
git clone git://git.sgregoratto.me/sgregoratto.me

commit 658410bdf911a5aca62af0aed2cecabba9d60272
parent 703c163a257f9a1e88cfcfea817f646a1f17afb7
Author: Stephen Gregoratto <dev@sgregoratto.me>
Date:   Tue, 23 Jul 2019 23:41:04 +1000

add gpg sync keys post

Diffstat:
Acontent/blog/gpg-sync-all-pub-keys.md | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+), 0 deletions(-)

diff --git a/content/blog/gpg-sync-all-pub-keys.md b/content/blog/gpg-sync-all-pub-keys.md 
@@ -0,0 +1,65 @@ +--- +title: "Updating All Public Keys in GPG" +date: 2019-07-16T22:33:29+10:00 +draft: false +--- + +GPG and other OpenPGP implementations aren't well known for their ease of +use[^1][^2][^3], and the general view among many professional +cryptographers[^4][^5][^6][^7][^8] is that the entire ecosystem is a dud, and +should be replaced with more modern, specialised tools. +Even when signing/encrypting emails --- the thing that PGP was designed for --- +GPG is a letdown. +Recently, `mutt` alerted me that the public key for a mailing list user had +expired. I sent a friendly message letting them know, and received this in +return: + +> What keyserver did you pull from? +> I pushed a new expiry date at least a month ago. + +So, even though I set GPG to auto-download keys, it won't update them. +Rather than wade through GPG's option list, +I decided it would be simpler to just extract a list of public keys and feed +that to `--recv-keys`: + +```sh +#!/bin/sh +# The command expansion outputs a "machine readable" list of public keys +gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons | + grep '^fpr' | cut -d ':' -f 10) +``` +Smugly, I plopped this in my `scripts` folder and called it a day. +Then I actually looked at the gpg(1) manpage and found there was in fact an +option that did exactly this: + +``` +'--refresh-keys' + Request updates from a keyserver for keys that already exist on the + local keyring. This is useful for updating a key with the latest + signatures, user IDs, etc. Calling this with no arguments will + refresh the entire keyring. +``` + +This experience has made me question why I put up with this UI hell. +My interactions with GPG are limited to email encryption/signing (sparingly) +and file encryption via [password-store][pass]. +I used to sign all my commits too like a good boy, +before realising that nobody really checks them +(especially not from little ol' me). 
+Recently I've moved secure communications to [Signal][signal] *because* of its +simplicity over PGP. +If Filippo can get around to releasing his [age][age] tool, +then I could finally dispose of this broken ecosystem and fully transition to +modern, simpler crypto. + +[pass]: https://www.passwordstore.org/ +[signal]: https://signal.org/ +[age]: https://age-tool.com/ +[^1]: [Why Johnny Can't Encrypt](https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf) +[^2]: [Why Johnny Still Can't Encrypt](https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf) +[^3]: [Why Johnny Still, Still Can't Encrypt](https://arxiv.org/pdf/1510.08555.pdf) +[^4]: [Matthew Green --- What's the matter with PGP?](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/) +[^5]: [Moxie Marlinspike --- GPG And Me](https://moxie.org/blog/gpg-and-me/) +[^6]: [Bruce Schneier --- Giving Up on PGP](https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html) +[^7]: [Filippo Valsorda --- I'm throwing in the towel on PGP](https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/) +[^8]: [Filippo Valsorda --- OpenPGP Is Broken](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/)
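Review bot: the one-liner in the `sh` block grabs every `fpr` record, so `--recv-keys` is handed subkey fingerprints as well as primary ones; that is harmless (gpg resolves them to the same certificate) but doubles the request list, and `--keyid-format long` has no effect once `--with-colons` is in play, so it can be dropped. More importantly, the post never closes the loop on the correspondent's question ("What keyserver did you pull from?"): both the hand-rolled script and `--refresh-keys` only talk to the keyserver gpg/dirmngr is configured with, so if the new expiry was pushed to a different server the refresh will still report nothing new. A sentence noting that `--refresh-keys` can be pointed at a specific server with `--keyserver`, or that the sender should be asked where they published the update, would make the fix actually reproducible for readers hitting the same expired-key warning.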