Follow

I'd like to introduce a new project: Open PGP Signature Verification or OPSV.

yarmo.eu/blog/opsv

This eliminates the need to rely on verify function and, therefore, keybase at all.

Website: opsv.foss.guru/
Code on @codeberg: codeberg.org/yarmo/opsv
Public stats by : plausible.io/opsv.foss.guru

Time to once and for all

Β· Β· 9 Β· 30 Β· 32

@yarmo What's the need? I'm not familiar with Keybase, but why would one need some external program for a verification function? You can already verify signatures wit standard PGP.

@tobtobxx @yarmo even so... what about the process that is handled so easily for non techies by autocrypt.org/ ? how does your project defere from it?

@vitrubio @tobtobxx I really need to dig more into … But I know it's focused on email. This solution here allows me to send a signed message through any IM. The receiver can easily check the authenticity with the message and my wkd.

Being no expert, I hope I did not make a superfluous solution. But I believe the use case to be different

@yarmo @tobtobxx then I understand it, yes autokrypt is for email + gpg

your intention would be great if it could some how verify any message sorce and its source and keep it private.

@vitrubio @tobtobxx

"if it could some how verify any message sorce and its source and keep it private"

Is that not what it does now? Right now, no matter how you got the message, as long as you can copy paste, it will accept it. What do you mean by "keep it private"?

@yarmo
with out a third party verifing it, because then I have to rely on some one else, and... then you lose privacy.

but I am not an expert at all, so please take it as some one learning and asking doubts, not as critics ;-)

@tobtobxx

@vitrubio @tobtobxx yes, I get what you're saying! You lose privacy because you use third party. Best is to use gpg on the command line. Straight import key and message, no one else in between.

This solution is meant to be easy, so you lose some privacy.

BUT! All processing is done in browser! No data is sent! So it's like downloading a piece of software, but in browser.

As long as you trust your browser and me saying how it works, there's no third party involved.

@yarmo @tobtobxx thank you for the explanation short, clear, easy to understand :)))

@yarmo @vitrubio While I'm not directly a fan of "web apps", it is still cool how you can inspect all network calls and the JavaScript being executed, in must cases relatively unobfuscated.
Compare that to regular programs, where you just have the assembly instructions and you'd have to setup a transparent proxy to monitor all traffic.

Just a thougt...πŸ€·πŸΌβ€β™‚οΈ

@tobtobxx yes, you can and I can too. But I know a lot of people in my surroundings who have never touched a terminal in their lives. This is my attempt to help them verify pgp signatures. As far as I know (and please correct me of I'm wrong!), keybase is the only one-click solution that requires no terminal. I want to provide a foss alternative to that.

@yarmo very helpful tool. Had never heard of wkd, and it is even supported out of the box by enigmail and k9. Another thing to add to my to-do list.

Not only by Enigmail and K-9. Basically any modern OpenPGP tool will have lookup by WKD: OpenKeychain, Sequoia even ProtonMail (when composing e-mail) and of course GnuPG that invented it.

Some open-source organizations already provide the developer’s keys via WKD: kernel.org or distros: Arch, Gentoo, Debian…

Highly recommend it if you have your own domain.

@hyploma yes, this! We already have our keys out there, plaintext on website, wkd or uploaded to HKP servers. We DON'T NEED to upload them again to some closed source server for little to no benefit.

@yarmo Tried verifying a test file signed by my main key (ed@edav…) using WKD (edavies.me.uk/contact.html - see sidebar for weird link to WKD key) but it failed with β€œTypeError: NetworkError when attempting to fetch resource”.

I've previously tested my WKD deployment with Enigmail and with @wiktor and just checked it with his checker (very neat!) and it passed for the direct method other than a warning about a missing Access-Control-Allow-Origin header.

Any ideas if it's your problem or mine?

"NetworkError" sounds exactly like a thing that'd pop up if you don’t have the CORS headers set up. I’m not into the details of opsv but I guess it fetches the key via your browser and your browser needs this header to allow other sites to fetch any content from your site.

You can find instructions on how to add that on various guides e.g.: https://keyserver.mattrude.com/guides/web-key-directory/#setting-up-the-web-server This will only expose resources under openpgpkey directory and it matters only for browsers β€” curl users can download anything anyway :)

@wiktor @edavies it indeed does do it via the browser thanks to the openpgp.js library which, if the browser supports it, falls back to the web crypto api.

@wiktor Ah, yes, that makes sense. I'll look into adding the header, but not until I've metabolised the current pint of Guinness in me! @yarmo

@wiktor @yarmo WKD for my key works fine now I've added the Access-Control-Allow-Origin header (and purged my Firefox cache). Validates cleanly for the direct method with @wiktor 's tool, too. Thanks chaps.

But, I'd echo @kravietz that text generated with gpg -sa doesn't work where gpg --clearsign -a generated stuff does.

@kravietz as opposed to detached signatures? I've yet to implement it, it's a minor tweak, just gotta do it.

Or did you mean something else?

@yarmo

So this works (gpg --armor --clear-sign):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRve2u5qbYyVV4aA8Eyrx85xO4D8gUCXuvw0wAKCRAyrx85xO4D
8opLAQDK5Spug8MTQuocZj0PUllamGtcdLzd72xraeg5IfnVngD9H8eXUfSjkTB4
0hHQUL6+tZruzw18gStuMMLNoE2utAY=
=6NcD
-----END PGP SIGNATURE-----

@yarmo But this doesn't (gpg --armor --sign) but this is just the same signature, just with the plaintext signed message embedded inside

-----BEGIN PGP MESSAGE-----

owGbwMvMwCVmtF7e8sg75k+Mp7mTGOJef/hcklpcwtVRysIgxsUgK6bIkl+dvXPl
NqPQOCnmgzDFrExAlV8YuDgFYCKurAz/zF6LH1nDe+vk+mVn73LdD5PSkT3+ZMsz
qU9qPPLT0uQdTzP8L1u4re2G9bojezsZZVb9bdw4e73DyfvNV6zu3JNdO80+lAsA
=+VXF
-----END PGP MESSAGE-----

Error: No cleartext signed message.

@kravietz thanks! I bet there's an option somewhere to enable that, will look into!

@kravietz Fixed it! Both types of inputs are supported and correctly verified! I guess I need to extract the embedded message now!

@kravietz is it even possible to extract the text? Does it need a private key to decrypt the message first?

@yarmo

No, this PGP MESSAGE is just a wrapper for OpenPGP packets and in this case the packets only contain signed (but not encrypted) content.

@kravietz "Error: Error during parsing. This message / key probably does not conform to a valid OpenPGP format." πŸ€”

@kravietz fixed it! can now extract the message from the non-clearsigned signatures! Proof: your message was "test" :)

@yarmo

Correct, it was! πŸ‘ That's great service and I'm definitely including into my standard "tools for regular humans" pack πŸ˜€

@kravietz it can now also detect userId and keyId making it a truly one-click service (no input of public key needed). Of course, in the case of keyId alone, the website urges you to find another of verifying the keyId or fingerprint to confirm authenticity of signer.

@yarmo WKD works brilliantly πŸ‘ I have just noticed one possible inconsistency as the WKD validator doesn't seem to be trying the "advanced method" first which seems to be a requirement by the draft...

@kravietz ow, nice catch! I'm using the openpgp.js library which falls back to web crypto api if supported.

Can you check if you use the fallback?

developer.mozilla.org/en-US/do

If not, I'll have to open an issue with the main devs. Thanks for letting me know!

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.