
I'd like to introduce a new project: Open PGP Signature Verification or OPSV.

yarmo.eu/blog/opsv

This eliminates the need to rely on a verify function and, therefore, on keybase at all.

Website: opsv.foss.guru/
Code on @codeberg: codeberg.org/yarmo/opsv
Public stats by : plausible.io/opsv.foss.guru

Time to once and for all

@yarmo What's the need? I'm not familiar with Keybase, but why would one need some external program for a verification function? You can already verify signatures with standard PGP.

@tobtobxx @yarmo even so... what about the process that is handled so easily for non techies by autocrypt.org/ ? how does your project differ from it?

@vitrubio @tobtobxx I really need to dig more into … But I know it's focused on email. This solution here allows me to send a signed message through any IM. The receiver can easily check the authenticity with the message and my wkd.

Being no expert, I hope I did not make a superfluous solution. But I believe the use case to be different

@yarmo @tobtobxx then I understand it, yes Autocrypt is for email + gpg

your intention would be great if it could somehow verify any message source and its source and keep it private.

@vitrubio @tobtobxx

"if it could somehow verify any message source and its source and keep it private"

Is that not what it does now? Right now, no matter how you got the message, as long as you can copy paste, it will accept it. What do you mean by "keep it private"?

@yarmo
without a third party verifying it, because then I have to rely on someone else, and... then you lose privacy.

but I am not an expert at all, so please take it as someone learning and asking doubts, not as critics ;-)

@tobtobxx

@vitrubio @tobtobxx yes, I get what you're saying! You lose privacy because you use third party. Best is to use gpg on the command line. Straight import key and message, no one else in between.

This solution is meant to be easy, so you lose some privacy.

BUT! All processing is done in browser! No data is sent! So it's like downloading a piece of software, but in browser.

As long as you trust your browser and me saying how it works, there's no third party involved.

@yarmo @tobtobxx thank you for the explanation short, clear, easy to understand :)))

@yarmo @vitrubio While I'm not directly a fan of "web apps", it is still cool how you can inspect all network calls and the JavaScript being executed, in most cases relatively unobfuscated.
Compare that to regular programs, where you just have the assembly instructions and you'd have to set up a transparent proxy to monitor all traffic.

Just a thought...🤷🏼‍♂️

@tobtobxx yes, you can and I can too. But I know a lot of people in my surroundings who have never touched a terminal in their lives. This is my attempt to help them verify pgp signatures. As far as I know (and please correct me if I'm wrong!), keybase is the only one-click solution that requires no terminal. I want to provide a foss alternative to that.

@yarmo Nice one, thanks! I just discovered WKD too, seems a bit of a hassle to set up so I don't know if I'll do it. My key is already on keyservers and I just published it on my blog. 🤷

@Crocmagnon so that's already two out of three supported methods 🤗 wkd is actually not that complicated, you could mostly implement it with a redirect, linking that particular one to a pgp file. If you need help, you know where to find me :)

Yep, WKD is not complicated if you’ve got your own domain (and HTTPS). It’s just putting one file in one specified location.

If you only have your own domain you can also try “WKD as a Service” from keys.openpgp.org: this requires just one CNAME record: https://keys.openpgp.org/about/usage#wkd-as-a-service

@wiktor WKD as a service is a genius creation! But yes, WKD does require a domain. If you don't have one, it's ok, HKP to the rescue.

@wiktor @yarmo i have my own domain and I’m able to have https certs with Let's Encrypt. What should I do to allow finding me using WKD? Do you have any online resource maybe? 😊 The tutorial on gnupg.org didn’t inspire me much x)

Hi Gabriel, if you don’t mind me sharing my resource here’s a checker: https://metacode.biz/openpgp/web-key-directory

The idea is you put your e-mail there (I’m not storing them, promise!) it generates you a link and you put your binary (not armored!) key on that exact link. Then you re-check and play around until it’s green enough for you :)

Hope that helps!

@wiktor @yarmo wow thanks! Looks very simple indeed 😃

I’ll play with it tonight. Thanks again! 🙏🏻

@wiktor @yarmo Works like a charm! I still have one tiny issue with the openpgpkey subdomain, I'll DM you @wiktor because it may only be an issue with the checker, though I'm not sure.

@Crocmagnon @wiktor nice, you did the "advanced" setup as well? I went with the basic one, it just works… Might include advanced too at some point

But great work 😃

@yarmo Yep, did that one too! Wasn't very hard since I learned how to configure nginx for the first one 😛 @wiktor

@yarmo @wiktor Here's the nginx config. It's cluttered with certbot stuff to handle SSL and redirect http to https. The interesting bit is the "location" part. paste.sr.ht/~crocmagnon/1e5ed6

Bug reports to the checker are always welcome! After all this is a work-in-progress software :)

Basic works well no need to do advanced to check all boxes but if you’ve got that it’s cool too :)

@wiktor @yarmo Yeah, but I like checking boxes so I went with it ^^ Thanks for your great tool!

@yarmo very helpful tool. Had never heard of wkd, and it is even supported out of the box by enigmail and k9. Another thing to add to my to-do list.

Not only by Enigmail and K-9. Basically any modern OpenPGP tool will have lookup by WKD: OpenKeychain, Sequoia even ProtonMail (when composing e-mail) and of course GnuPG that invented it.

Some open-source organizations already provide the developer’s keys via WKD: kernel.org or distros: Arch, Gentoo, Debian…

Highly recommend it if you have your own domain.

@hyploma yes, this! We already have our keys out there, plaintext on website, wkd or uploaded to HKP servers. We DON'T NEED to upload them again to some closed source server for little to no benefit.

@yarmo Tried verifying a test file signed by my main key (ed@edav…) using WKD (edavies.me.uk/contact.html - see sidebar for weird link to WKD key) but it failed with “TypeError: NetworkError when attempting to fetch resource”.

I've previously tested my WKD deployment with Enigmail and with @wiktor and just checked it with his checker (very neat!) and it passed for the direct method other than a warning about a missing Access-Control-Allow-Origin header.

Any ideas if it's your problem or mine?

"NetworkError" sounds exactly like a thing that'd pop up if you don’t have the CORS headers set up. I’m not into the details of opsv but I guess it fetches the key via your browser and your browser needs this header to allow other sites to fetch any content from your site.

You can find instructions on how to add that on various guides e.g.: https://keyserver.mattrude.com/guides/web-key-directory/#setting-up-the-web-server This will only expose resources under openpgpkey directory and it matters only for browsers — curl users can download anything anyway :)

@wiktor @edavies it indeed does do it via the browser thanks to the openpgp.js library which, if the browser supports it, falls back to the web crypto api.

@wiktor Ah, yes, that makes sense. I'll look into adding the header, but not until I've metabolised the current pint of Guinness in me! @yarmo

@wiktor @yarmo WKD for my key works fine now I've added the Access-Control-Allow-Origin header (and purged my Firefox cache). Validates cleanly for the direct method with @wiktor 's tool, too. Thanks chaps.

But, I'd echo @kravietz that text generated with gpg -sa doesn't work where gpg --clearsign -a generated stuff does.

@kravietz as opposed to detached signatures? I've yet to implement it, it's a minor tweak, just gotta do it.

Or did you mean something else?

@yarmo

So this works (gpg --armor --clear-sign):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRve2u5qbYyVV4aA8Eyrx85xO4D8gUCXuvw0wAKCRAyrx85xO4D
8opLAQDK5Spug8MTQuocZj0PUllamGtcdLzd72xraeg5IfnVngD9H8eXUfSjkTB4
0hHQUL6+tZruzw18gStuMMLNoE2utAY=
=6NcD
-----END PGP SIGNATURE-----

@yarmo But this doesn't (gpg --armor --sign), even though this is just the same signature, just with the plaintext signed message embedded inside

-----BEGIN PGP MESSAGE-----

owGbwMvMwCVmtF7e8sg75k+Mp7mTGOJef/hcklpcwtVRysIgxsUgK6bIkl+dvXPl
NqPQOCnmgzDFrExAlV8YuDgFYCKurAz/zF6LH1nDe+vk+mVn73LdD5PSkT3+ZMsz
qU9qPPLT0uQdTzP8L1u4re2G9bojezsZZVb9bdw4e73DyfvNV6zu3JNdO80+lAsA
=+VXF
-----END PGP MESSAGE-----

Error: No cleartext signed message.

@kravietz thanks! I bet there's an option somewhere to enable that, will look into!

@kravietz Fixed it! Both types of inputs are supported and correctly verified! I guess I need to extract the embedded message now!

@kravietz is it even possible to extract the text? Does it need a private key to decrypt the message first?

@yarmo

No, this PGP MESSAGE is just a wrapper for OpenPGP packets and in this case the packets only contain signed (but not encrypted) content.

@kravietz "Error: Error during parsing. This message / key probably does not conform to a valid OpenPGP format." 🤔

@kravietz fixed it! can now extract the message from the non-clearsigned signatures! Proof: your message was "test" :)

@yarmo

Correct, it was! 👍 That's great service and I'm definitely including it in my standard "tools for regular humans" pack 😀

@kravietz it can now also detect userId and keyId making it a truly one-click service (no input of public key needed). Of course, in the case of keyId alone, the website urges you to find another way of verifying the keyId or fingerprint to confirm authenticity of signer.

@yarmo WKD works brilliantly 👍 I have just noticed one possible inconsistency as the WKD validator doesn't seem to be trying the "advanced method" first which seems to be a requirement by the draft...

@kravietz Oh, nice catch! I'm using the openpgp.js library which falls back to web crypto api if supported.

Can you check if you use the fallback?

developer.mozilla.org/en-US/do

If not, I'll have to open an issue with the main devs. Thanks for letting me know!

Fosstodon