sgregoratto.me

gpg-sync-all-pub-keys.md (3497B)

---

 ---
 title: "Updating All Public Keys in GPG"
 date: 2019-07-16T22:33:29+10:00
 draft: false
 ---
 
 GPG and other OpenPGP implementations aren't well known for their ease of
 use[^1][^2][^3][^4], and the general view among many professional
 cryptographers[^5][^6][^7][^8][^9] is that the entire ecosystem is a dud, to be
 replaced with more modern, specialised tools.
 Even when signing/encrypting emails --- the thing it was designed for, mind ---
 GPG is a letdown.
 
 Recently, `mutt` alerted me that the public key for a mailing list user had
 expired. I sent a friendly message letting them know, and received this in
 return:
 
 > What keyserver did you pull from?
 > I pushed a new expiry date at least a month ago.
 
 So even though I set GPG to auto-download keys, it won't update them.
 Rather than wade through GPG's option list,
 I decided it would be simpler to just extract a list of public keys and feed
 that to `--recv-keys`:
 
 ```sh
 #!/bin/sh
 # The command expansion outputs a "machine readable" list of public keys
 gpg --recv-keys $(gpg --keyid-format long --list-public-keys --with-colons |
 		  grep '^fpr' | cut -d ':' -f 10)
 ```
 Smugly, I dropped this in my `scripts` folder and called it a day.
 Then I bothered to look at the gpg(1) manpage and found that there was in fact
 an for this:
 
 ```
 '--refresh-keys'
      Request updates from a keyserver for keys that already exist on the
      local keyring.  This is useful for updating a key with the latest
      signatures, user IDs, etc.  Calling this with no arguments will
      refresh the entire keyring.
 ```
 
 This experience has made me question why I put up with this UI hell.
 My interactions with GPG are limited to email encryption/signing (sparingly)
 and file encryption via [password-store][pass].
 I used to sign all my commits too like a good boy,
 before realising that nobody really checks them
 (especially not from little ol' me).
 Recently I've moved secure communications to [Signal][signal] *because* of its
 simplicity over PGP.
 If Filippo can get around to releasing his [age][age] tool,
 then I could finally dispose of this broken ecosystem and fully transition to
 modern, simpler crypto.
 
 ---
 
 Update: I've reflected on this post a bit, and decided to remove the links to my
 PGP key on my website. I fully believe that PGP is fundamentally broken, and
 intend to revoke my PGP key when age is released.
 
 [pass]: https://www.passwordstore.org/
 [signal]: https://signal.org/
 [age]: https://age-tool.com/
 [^1]: [Why Johnny Can't Encrypt](https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf)
 [^2]: [Why Johnny Still Can't Encrypt](https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf)
 [^3]: [Why Johnny Still, Still Can't Encrypt](https://arxiv.org/pdf/1510.08555.pdf)
 [^4]: [“Johnny, you are fired!”](https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf)
 [^5]: [Matthew Green --- What's the matter with PGP?](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)
 [^6]: [Moxie Marlinspike --- GPG And Me](https://moxie.org/blog/gpg-and-me/)
 [^7]: [Bruce Schneier --- Giving Up on PGP](https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html)
 [^8]: [Filippo Valsorda --- I'm throwing in the towel on PGP](https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/)
 [^9]: [Filippo Valsorda --- OpenPGP Is Broken](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/)