sgregoratto.me

source files for www.sgregoratto.me
git clone git://git.sgregoratto.me/sgregoratto.me

gpg-sync-all-pub-keys.xml (4803B)


<?xml version="1.0" encoding="utf-8"?>
<article data-sblg-article="1">
	<header>
		<h1>Updating All Public Keys in GPG</h1>
		<time datetime="2019-07-16">July 16, 2019</time>
	</header>
	<p>GPG and other OpenPGP implementations aren’t well known for their ease of use <sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup> and the general view among many professional cryptographers <sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup> is that the entire ecosystem is a dud, to be replaced with more modern, specialised tools. Even when signing/encrypting emails⁠—the thing it was designed for, mind⁠—GPG is a letdown.</p>
	<p>Recently, <code>mutt</code> alerted me that the public key for a mailing list user had expired. I sent a friendly message letting them know, and received this in return:</p>
	<blockquote>
		<p>What keyserver did you pull from? I pushed a new expiry date at least a month ago.</p>
	</blockquote>
	<p>So even though I set GPG to auto-download keys, it won’t update them. Rather than wade through GPG’s option list, I decided it would be simpler to just extract a list of public keys and feed that to <code>--recv-keys</code>:</p>
	<code>
<pre class="chroma"><span class="cp">#!/bin/sh</span>
<span class="cp"/><span class="c1"># The command expansion outputs a "machine readable" list of public keys</span>
gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-keys --with-colons <span class="p">|</span>
                  grep <span class="s1">'^fpr'</span> <span class="p">|</span> cut -d <span class="s1">':'</span> -f <span class="m">10</span> <span class="k">)</span></pre>
	</code>
	<p>Smugly, I dropped this in my <code>scripts</code> folder and called it a day. Then I bothered to look at the gpg(1) manpage and found that there was in fact an option for this:</p>
	<blockquote>
		<dl>
			<dt>--refresh-keys</dt>
			<dd>Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring.</dd>
		</dl>
	</blockquote>
	<p>This experience has made me question why I put up with this UI hell. My interactions with GPG are limited to email encryption/signing (sparingly) and file encryption via <a href="https://www.passwordstore.org/">password-store</a>. I used to sign all my commits too like a good boy, before realising that nobody really checks them (especially not from little ol’ me). Recently I’ve moved secure communications to <a href="https://signal.org/">Signal</a> <em>because</em> of its simplicity over PGP. If Filippo can get around to releasing his <a href="https://age-tool.com/">age</a> tool, then I could finally dispose of this broken ecosystem and fully transition to modern, simpler crypto.</p>
	<hr/>
	<p>Update: I’ve reflected on this post a bit, and decided to remove the links to my PGP key on my website. I fully believe that PGP is fundamentally broken, and intend to revoke my PGP key when age is released.</p>
	<section class="footnotes" role="doc-endnotes">
		<p>References:</p>
		<ol>
			<li id="fn1" role="doc-endnote">
				<p>Take your pick:</p>
				<ul>
					<li>
						<a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a>
					</li>
					<li>
						<a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a>
					</li>
					<li>
						<a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a>
					</li>
					<li>
						<a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a>
					</li>
				</ul>
				<a class="footnote-back" href="#fnref1">↩</a>
			</li>
			<li id="fn2" role="doc-endnote">
				<p>Ditto:</p>
				<ul>
					<li>
						<a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green⁠—What’s the matter with PGP?</a>
					</li>
					<li>
						<a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike⁠—GPG And Me</a>
					</li>
					<li>
						<a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier⁠—Giving Up on PGP</a>
					</li>
					<li>
						<a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda⁠—I’m throwing in the towel on PGP</a>
					</li>
					<li>
						<a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda⁠—OpenPGP Is Broken</a>
					</li>
				</ul>
				<a class="footnote-back" href="#fnref2">↩</a>
			</li>
		</ol>
	</section>
</article>
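The one-liner in the article pipes every `fpr` record from `gpg --with-colons` into `--recv-keys`, which also sweeps up subkey fingerprints and keys that are still perfectly current. The following is an added example, not code from the post or from GnuPG: a small POSIX sh function that parses the same colon-separated listing but keeps only primary-key fingerprints, and optionally only those whose validity field marks the key as expired (the case that bit the author). It relies on the record layout documented in GnuPG's `doc/DETAILS` (field 1 record type, field 2 validity with `e` meaning expired, field 10 the fingerprint on `fpr` records); the sample listing and its fingerprints are constructed placeholders, not real keys, and `refresh_expired_dry_run` only prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuPG).
# Parse `gpg --list-public-keys --with-colons` output and print primary-key
# fingerprints. Layout assumed from GnuPG's doc/DETAILS:
#   field 1  = record type (pub, sub, fpr, uid, ...)
#   field 2  = validity on pub records; 'e' means the key has expired
#   field 10 = the fingerprint on fpr records
# Each fpr record belongs to the pub or sub record immediately before it,
# so we remember whether the last key record was a primary key we want.

# extract_fprs [expired]   -- reads a colon listing on stdin
extract_fprs() {
    only_expired=${1:-}
    awk -F: -v only_expired="$only_expired" '
        $1 == "pub" { want = (only_expired == "" || $2 == "e"); next }
        $1 == "sub" { want = 0; next }          # drop subkey fingerprints
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Constructed sample listing: one expired key (Alice), one valid key (Bob).
# Fingerprints are placeholders, not real keys.
SAMPLE='tru::1:1563235200:0:3:1:5
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1560000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1500000000::HASH::Alice Example <alice@example.invalid>::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1560000000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1700000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1500000000::HASH::Bob Example <bob@example.invalid>::::::::::0:
'

# All primary-key fingerprints in the sample (subkey fingerprint excluded).
all_fprs() { printf '%s' "$SAMPLE" | extract_fprs; }

# Only primary keys whose validity field says they have expired.
expired_fprs() { printf '%s' "$SAMPLE" | extract_fprs expired; }

# Dry run: show the refresh command for the expired keys instead of running it.
# Against a live keyring you would pipe `gpg --list-public-keys --with-colons`
# into extract_fprs and drop the leading echo.
refresh_expired_dry_run() {
    set -- $(expired_fprs)
    echo gpg --recv-keys "$@"
}

refresh_expired_dry_run
```

In practice `gpg --refresh-keys` (quoted from the manpage above) does the whole keyring in one call and is the right default; the filter is useful when you want to see exactly which keys are stale before touching the network, or to refresh a handful of keys rather than advertise your entire keyring to a keyserver.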