sgregoratto.me

source files for www.sgregoratto.me
git clone git://git.sgregoratto.me/sgregoratto.me

gpg-sync-all-pub-keys.xml (4691B)


<?xml version="1.0" encoding="utf-8"?>
<article data-sblg-article="1">
	<header>
		<h1>Updating All Public Keys in GPG</h1>
		<time datetime="2019-07-16">July 16, 2019</time>
	</header>
	<p>GPG and other OpenPGP implementations aren’t well known for their ease of use
	<sup><a class="footnote" href="#fn1" id="fnref1">1</a></sup>
	and the general view among many professional cryptographers
	<sup><a class="footnote" href="#fn2" id="fnref2">2</a></sup>
	is that the entire ecosystem is a dud, to be replaced with more
	modern, specialised tools. Even when signing/encrypting emails —
	the thing it was designed for, mind — GPG is a letdown.</p>
	<p>Recently, <code>mutt</code> alerted me that the public key for a
	mailing list user had expired. I sent a friendly message letting them
	know, and received this in return:</p>
	<blockquote>
		<p>What keyserver did you pull from? I pushed a new expiry date at
		least a month ago.</p>
	</blockquote>
	<p>So even though I set GPG to auto-download keys, it won’t update
	them. Rather than wade through GPG’s option list, I decided it would
	be simpler to just extract a list of public keys and feed that to
	<code>--recv-keys</code>:</p>
<code><pre class="chroma"><span class="cp">#!/bin/sh
</span><span class="cp"></span><span class="c1"># The command expansion outputs a &#34;machine readable&#34; list of public keys</span>
gpg --recv-keys <span class="k">$(</span>gpg --keyid-format long --list-public-keys --with-colons <span class="p">|</span>
                  grep <span class="s1">&#39;^fpr&#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39;:&#39;</span> -f <span class="m">10</span><span class="k">)</span></pre></code>
	<p>Smugly, I dropped this in my <code>scripts</code> folder and called
	it a day. Then I bothered to look at the gpg(1) manpage and found that
	there was in fact an option for this:</p>
<pre>'--refresh-keys'
	Request updates from a keyserver for keys that already exist on the
	local keyring.  This is useful for updating a key with the latest
	signatures, user IDs, etc.  Calling this with no arguments will
	refresh the entire keyring.</pre>
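	<p>Both the one-liner above and <code>--refresh-keys</code> take key fingerprints as arguments. The following shell script is an added example, not code from the original post: it parses the same <code>--with-colons</code> listing (a constructed sample is embedded, so it runs without a gpg binary) and picks out primary-key fingerprints, optionally only those the local keyring already considers expired, so that only those keys need to be refreshed.</p>

```sh
#!/bin/sh
# Added example, not code from the original post: extract fingerprints from
# the same "machine readable" listing the post's one-liner consumes
# (gpg --with-colons --list-public-keys), but only for primary keys, and
# optionally only for keys the local keyring considers expired.
# Record format (gpg's doc/DETAILS): field 1 is the record type, field 2 the
# validity ('e' = expired) and field 10 of an 'fpr' record the fingerprint.
# Every subkey also gets its own 'fpr' record, so a bare grep '^fpr' hands
# --recv-keys one fingerprint per subkey as well as per primary key.

# Constructed sample listing (fake key IDs and fingerprints): one expired
# RSA key and one valid Ed25519 key, each with a single encryption subkey.
SAMPLE_LISTING='tru::1:1563235200:0:3:1:5
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1560000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1500000000::A1B2C3::Alice (alice at example.invalid)::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1560000000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
pub:u:255:22:CCCCCCCCCCCCCCCC:1550000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1550000000::D4E5F6::Bob (bob at example.invalid)::::::::::0:
sub:u:255:18:DDDDDDDDDDDDDDDD:1550000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000004:'

# list_fingerprints MODE: reads a colon listing on stdin and prints the
# fingerprint of each primary key (MODE=all) or of each expired primary
# key (MODE=expired). An 'fpr' record is taken only when it directly
# follows a 'pub' record; any other record clears the flag.
list_fingerprints() {
    awk -F: -v mode="${1:-all}" '
        $1 == "pub" { want = (mode == "all" || $2 == "e"); next }
        $1 == "fpr" { if (want) print $10 }
        { want = 0 }'
}

# Helpers over the constructed listing, so the behaviour can be checked
# without a gpg binary.
all_primary()     { printf '%s\n' "$SAMPLE_LISTING" | list_fingerprints all; }
expired_primary() { printf '%s\n' "$SAMPLE_LISTING" | list_fingerprints expired; }
naive_fpr_count() { printf '%s\n' "$SAMPLE_LISTING" | grep -c '^fpr'; }

# Intended use with a real keyring: refresh only the keys that have expired
# locally. xargs -r is a GNU extension; without it an empty list would run a
# bare "gpg --refresh-keys", which refreshes the whole keyring.
#   gpg --with-colons --list-public-keys | list_fingerprints expired |
#       xargs -r gpg --refresh-keys
expired_primary
```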
	<p>This experience has made me question why I put up with this UI hell.
	My interactions with GPG are limited to email encryption/signing
	(sparingly) and file encryption via
	<a href="https://www.passwordstore.org/">password-store</a>.
	I used to sign all my commits too like a good boy, before realising
	that nobody really checks them (especially not from little ol’ me).
	Recently I’ve moved secure communications to
	<a href="https://signal.org/">Signal</a> <em>because</em> of its
	simplicity over PGP. If Filippo can get around to releasing his
	<a href="https://age-tool.com/">age</a> tool, then I could finally
	dispose of this broken ecosystem and fully transition to modern,
	simpler crypto.</p>
	<hr/>
	<p>Update: I’ve reflected on this post a bit, and decided to remove the
	links to my PGP key on my website. I fully believe that PGP is
	fundamentally broken, and intend to revoke my PGP key when age is
	released.</p>
	<hr/>
	<section class="footnotes" role="doc-endnotes">
		<p>References:</p>
		<ol>
			<li id="fn1" role="doc-endnote">
				<p>Take your pick:</p>
				<ul>
					<li><a href="https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">Why Johnny Can’t Encrypt</a></li>
					<li><a href="https://cups.cs.cmu.edu/soups/2006/posters/sheng-poster_abstract.pdf">Why Johnny Still Can’t Encrypt</a></li>
					<li><a href="https://arxiv.org/pdf/1510.08555.pdf">Why Johnny Still, Still Can’t Encrypt</a></li>
					<li><a href="https://www.usenix.org/system/files/sec19fall_muller_prepub.pdf">“Johnny, you are fired!”</a></li>
				</ul>
				<a href="#fnref1" class="footnote-back">↩</a>
			</li>
			<li id="fn2" role="doc-endnote">
				<p>Ditto:</p>
				<ul>
					<li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">Matthew Green — What’s the matter with PGP?</a></li>
					<li><a href="https://moxie.org/blog/gpg-and-me/">Moxie Marlinspike — GPG And Me</a></li>
					<li><a href="https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html">Bruce Schneier — Giving Up on PGP</a></li>
					<li><a href="https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/">Filippo Valsorda — I’m throwing in the towel on PGP</a></li>
					<li><a href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-hello-world-and-openpgp/">Filippo Valsorda — OpenPGP Is Broken</a></li>
				</ul>
				<a href="#fnref2" class="footnote-back">↩</a>
			</li>
		</ol>
	</section>
</article>