gpg-sync-all-pub-keys.md (3497B)
---
title: "Updating All Public Keys in GPG"
date: 2019-07-16T22:33:29+10:00
draft: false
---

GPG and other OpenPGP implementations aren't well known for their ease of
use[^1][^2][^3][^4], and the general view among many professional
cryptographers[^5][^6][^7][^8][^9] is that the entire ecosystem is a dud, to be
replaced with more modern, specialised tools.
Even when signing/encrypting emails --- the thing it was designed for, mind ---
GPG is a letdown.

Recently, `mutt` alerted me that the public key for a mailing list user had
expired. I sent a friendly message letting them know, and received this in
return:

> What keyserver did you pull from?
> I pushed a new expiry date at least a month ago.

So even though I set GPG to auto-download keys, it won't update them.
Rather than wade through GPG's option list,
I decided it would be simpler to just extract a list of public keys and feed
that to `--recv-keys`:

```sh
#!/bin/sh
# The command expansion outputs a "machine readable" list of public keys;
# field 10 of each "fpr" record in the colon-separated output is the fingerprint
gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons |
    grep '^fpr' | cut -d ':' -f 10)
```

Smugly, I dropped this in my `scripts` folder and called it a day.
Then I bothered to look at the gpg(1) manpage and found that there was in fact
an option for this:

```
'--refresh-keys'
    Request updates from a keyserver for keys that already exist on the
    local keyring. This is useful for updating a key with the latest
    signatures, user IDs, etc. Calling this with no arguments will
    refresh the entire keyring.
```

This experience has made me question why I put up with this UI hell.
My interactions with GPG are limited to email encryption/signing (sparingly)
and file encryption via [password-store][pass].
I used to sign all my commits too like a good boy,
before realising that nobody really checks them
(especially not from little ol' me).
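
As an added example (not the author's script), the same colon-format listing can be narrowed to only the keys GPG already marks as expired, so `--refresh-keys` can be pointed at those fingerprints instead of the whole keyring. The listing below is a constructed sample, not real key material, and the function names are mine.

```sh
#!/bin/sh
# Constructed sample of `gpg --list-public-keys --with-colons` output:
# two keys, the first expired (validity field "e"). Not real key material.
SAMPLE='pub:e:4096:1:0123456789ABCDEF:1500000000:1530000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:e::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1500000000:1530000000:::::e::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
pub:-:255:22:1122334455667788:1550000000:::-:::scESC::::::ed25519:::0:
fpr:::::::::0000000000000000000000001122334455667788:
uid:-::::1550000000::0000000000000000000000000000000000000000::Bob Example <bob@example.invalid>::::::::::0:'

# Read colon-format records on stdin and print the primary-key fingerprint of
# every expired key. Field 2 of a "pub" record is the validity ("e" = expired).
# The "fpr" record immediately after "pub" is the primary fingerprint; an "fpr"
# after "sub" is a subkey fingerprint and is skipped, unlike the grep above,
# which sends subkey fingerprints to the keyserver as well.
expired_primary_fprs() {
    awk -F: '
        $1 == "pub" { want = ($2 == "e"); next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Refresh only the expired keys. On a real keyring, feed
# `gpg --list-public-keys --with-colons` in place of the sample.
refresh_expired() {
    fprs=$(printf '%s\n' "$SAMPLE" | expired_primary_fprs)
    [ -n "$fprs" ] || { echo "no expired keys"; return 0; }
    # shellcheck disable=SC2086  # word splitting into one argument per key is intended
    gpg --refresh-keys $fprs
}
```

Running `printf '%s\n' "$SAMPLE" | expired_primary_fprs` on the sample prints only Alice's primary fingerprint; Bob's key and the expired subkey are left out.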
Recently I've moved secure communications to [Signal][signal] *because* of its
simplicity over PGP.
If Filippo can get around to releasing his [age][age] tool,
then I could finally dispose of this broken ecosystem and fully transition to
modern, simpler crypto.

---

Update: I've reflected on this post a bit, and decided to remove the links to my
PGP key on my website. I fully believe that PGP is fundamentally broken, and
intend to revoke my PGP key when age is released.

[pass]: https://www.passwordstore.org/
[signal]: https://signal.org/
[age]: https://age-tool.com/
[^1]: [Why Johnny Can't Encrypt](https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf)
[^2]: [Why Johnny Still Can't Encrypt](https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf)
[^3]: [Why Johnny Still, Still Can't Encrypt](https://arxiv.org/pdf/1510.08555.pdf)
[^4]: [“Johnny, you are fired!”](https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf)
[^5]: [Matthew Green --- What's the matter with PGP?](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)
[^6]: [Moxie Marlinspike --- GPG And Me](https://moxie.org/blog/gpg-and-me/)
[^7]: [Bruce Schneier --- Giving Up on PGP](https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html)
[^8]: [Filippo Valsorda --- I'm throwing in the towel on PGP](https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/)
[^9]: [Filippo Valsorda --- OpenPGP Is Broken](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/)