I'd like to introduce a new #foss project: Open PGP Signature Verification or OPSV.
This eliminates the need to rely on #keybase verify function and, therefore, keybase at all.
Time to #DeleteKeybase once and for all
@yarmo that's awesome!
@yarmo What's the need? I'm not familiar with Keybase, but why would one need some external program for a verification function? You can already verify signatures with standard PGP.
@vitrubio @tobtobxx I really need to dig more into #autocrypt… But I know it's focused on email. This solution here allows me to send a signed message through any IM. The receiver can easily check the authenticity with the message and my wkd.
Being no #autocrypt expert, I hope I did not make a superfluous solution. But I believe the use case to be different
This solution is meant to be easy, so you lose some privacy.
BUT! All processing is done in browser! No data is sent! So it's like downloading a piece of software, but in browser.
As long as you trust your browser and me saying how it works, there's no third party involved.
Compare that to regular programs, where you just have the assembly instructions and you'd have to setup a transparent proxy to monitor all traffic.
Just a thought...🤷🏼‍♂️
@tobtobxx yes, you can and I can too. But I know a lot of people in my surroundings who have never touched a terminal in their lives. This is my attempt to help them verify pgp signatures. As far as I know (and please correct me if I'm wrong!), keybase is the only one-click solution that requires no terminal. I want to provide a foss alternative to that.
@yarmo Cool project!!
@yarmo Neat! Get rid of Keybase.
@yarmo Nice one, thanks! I just discovered WKD too, seems a bit of a hassle to setup so I don't know if I'll do it. My key is already on keyservers and I just published it on my blog. 🤷
@Crocmagnon so that's already two out of three supported methods 🤗 wkd is actually not that complicated, you could mostly implement it with a redirect, linking that particular path to a pgp file. If you need help, you know where to find me :)
Yep, WKD is not complicated if you’ve got your own domain (and HTTPS). It’s just putting one file in one specified location.
If you only have your own domain you can also try “WKD as a Service” from keys.openpgp.org: this requires just one CNAME record: https://keys.openpgp.org/about/usage#wkd-as-a-service
@wiktor WKD as a service is a genius creation! But yes, WKD does require a domain. If you don't have one, it's ok, HKP to the rescue.
Hi Gabriel, if you don’t mind me sharing my resource here’s a checker: https://metacode.biz/openpgp/web-key-directory
The idea is you put your e-mail there (I’m not storing them, promise!) it generates you a link and you put your binary (not armored!) key on that exact link. Then you re-check and play around until it’s green enough for you :)
Hope that helps!
@yarmo @wiktor Here's the nginx config. It's cluttered with certbot stuff to handle SSL and redirect http to https. The interesting bit is the "location" part. https://paste.sr.ht/~crocmagnon/1e5ed6752970b4a5439b5b3fee42e5484cd872bb
@yarmo very helpful tool. Had never heard of wkd, and it is even supported out of the box by enigmail and k9. Another thing to add to my to-do list.
Not only by Enigmail and K-9. Basically any modern OpenPGP tool will have lookup by WKD: OpenKeychain, Sequoia, even ProtonMail (when composing e-mail) and of course GnuPG, which invented it.
Some open-source organizations already provide the developer’s keys via WKD: kernel.org or distros: Arch, Gentoo, Debian…
Highly recommend it if you have your own domain.
@hyploma yes, this! We already have our keys out there, plaintext on website, wkd or uploaded to HKP servers. We DON'T NEED to upload them again to some closed source server for little to no benefit.
@yarmo Tried verifying a test file signed by my main key (ed@edav…) using WKD (https://edavies.me.uk/contact.html - see sidebar for weird link to WKD key) but it failed with “TypeError: NetworkError when attempting to fetch resource”.
I've previously tested my WKD deployment with Enigmail and with @wiktor and just checked it with his checker (very neat!) and it passed for the direct method other than a warning about a missing Access-Control-Allow-Origin header.
Any ideas if it's your problem or mine?
"NetworkError" sounds exactly like a thing that'd pop up if you don’t have the CORS headers set up. I’m not into the details of opsv but I guess it fetches the key via your browser and your browser needs this header to allow other sites to fetch any content from your site.
You can find instructions on how to add that on various guides e.g.: https://keyserver.mattrude.com/guides/web-key-directory/#setting-up-the-web-server This will only expose resources under openpgpkey directory and it matters only for browsers — curl users can download anything anyway :)
@wiktor @yarmo WKD for my key works fine now I've added the Access-Control-Allow-Origin header (and purged my Firefox cache). Validates cleanly for the direct method with @wiktor's tool, too. Thanks chaps.
But, I'd echo @kravietz that text generated with gpg -sa doesn't work where gpg --clearsign -a generated stuff does.
@yarmo Why does it allow only clear-signed messages? 🤔
@kravietz as opposed to detached signatures? I've yet to implement it, it's a minor tweak, just gotta do it.
Or did you mean something else?
So this works (gpg --armor --clear-sign):
-----BEGIN PGP SIGNED MESSAGE-----
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
@yarmo But this doesn't (gpg --armor --sign), although it is just the same signature, with the plaintext signed message embedded inside:
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
Error: No cleartext signed message.
@kravietz thanks! I bet there's an option somewhere to enable that, will look into!
@kravietz Fixed it! Both types of inputs are supported and correctly verified! I guess I need to extract the embedded message now!
@kravietz is it even possible to extract the text? Does it need a private key to decrypt the message first?
No, this PGP MESSAGE is just a wrapper for OpenPGP packets and in this case the packets only contain signed (but not encrypted) content.
@kravietz "Error: Error during parsing. This message / key probably does not conform to a valid OpenPGP format." 🤔
Correct, it was! 👍 That's a great service and I'm definitely including it in my standard "tools for regular humans" pack 😀
@kravietz it can now also detect userId and keyId, making it a truly one-click service (no input of public key needed). Of course, in the case of keyId alone, the website urges you to find another way of verifying the keyId or fingerprint to confirm the authenticity of the signer.
@yarmo WKD works brilliantly 👍 I have just noticed one possible inconsistency as the WKD validator doesn't seem to be trying the "advanced method" first which seems to be a requirement by the draft...
@kravietz oh, nice catch! I'm using the openpgp.js library which falls back to the web crypto api if supported.
Can you check if you use the fallback?
If not, I'll have to open an issue with the main devs. Thanks for letting me know!