[nmglug] How to find/import public keys? Or is there another problem?

Anthony J. Bentley anthony at anjbe.name
Wed Jun 12 18:41:00 PDT 2019


Hi,

I'll be honest: I think PGP is not worth the effort anymore. The key
management is too difficult, with far too many options and ways to
shoot yourself in the foot. And the software itself is too complicated
for practical use.

Although I am careful to always download software over HTTPS, I don't
check GPG signatures of software. I know how to do it. I've even done
it from time to time. But maintaining the key database, setting trust
values, rotating as keys expire, avoiding malicious fingerprints and
man-in-the-middle attacks... it's just too much. The keys, typically
2048-bit or 4096-bit RSA, are far too large to verify with eyeballs,
which means they can only be passed around through dedicated software,
never in a tweet or on paper. I mean, look at this, the youtube-dl
developer's key that I just imported:

$ gpg --export --armor ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

How am I supposed to explain to people the difference between
trusted keys, untrusted keys, public keys, private keys, secure
fingerprints, and insecure fingerprints?

I try to read the GPG manpage. It takes well over 150 page-downs
in my terminal to reach the end. And at the end, it says I'm not
even reading the right manual, and I should be reading the info
page instead!

https://manpages.debian.org/stretch/gnupg2/gpg2.1.en.html

How on earth are people supposed to understand this stuff without
being intimately acquainted with how all the pieces fit together?
I *do* understand it, and I can't stand to use it.

OpenBSD got it right. Look at the documentation for signify, their
equivalent to GPG that they use for OS and package signing:

https://man.openbsd.org/signify.1

See how concise that manual is. It starts with an overview of the
four major operations (generate keys, sign, verify, batch verify).

Look at the size of a signify key:

$ cat /etc/signify/openbsd-66-base.pub 
untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn

That's the whole key! No database to keep track of. No fingerprint.
The entire key could fit in a tweet, or be transcribed from paper.
OpenBSD used to print the key on the CDs, back when they sold CDs.

Unfortunately, the only major piece of software I know of that's
signed with signify is OpenBSD itself. It boggles my mind that GPG
with all its hideous inscrutable complication is the status quo.
How can we encrypt the world when this is the most widespread
crypto available?

That's my frustrated rant of the day...

-- 
Anthony J. Bentley
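As an added example (not part of Anthony's mail and not OpenBSD's own code), here is a small Python parser for the two-line signify key format quoted above: it decodes the 6.6 base key into the fields signify packs into the base64 line (a 2-byte algorithm tag, an 8-byte key number and the 32-byte Ed25519 public key) and shows the key-number check signify performs before it verifies a signature. The signature sample is constructed for illustration; the Ed25519 verification itself is left to a crypto library.

```python
import base64

PREFIX = "untrusted comment: "

# Constructed from the key file quoted in the mail (openbsd-66-base.pub).
OPENBSD_66_BASE_PUB = (
    "untrusted comment: openbsd 6.6 base public key\n"
    "RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn\n"
)

def _decode_signify(text, expected_len):
    """Common part of both file types: one comment line, one base64 line,
    the decoded blob starting with the 2-byte algorithm tag 'Ed'."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(PREFIX):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unsupported algorithm tag {raw[:2]!r}")
    return lines[0][len(PREFIX):], raw

def parse_signify_pubkey(text):
    """42 bytes: 'Ed' | 8-byte key number | 32-byte Ed25519 public key."""
    comment, raw = _decode_signify(text, 42)
    return {"comment": comment, "keynum": raw[2:10].hex(), "pubkey": raw[10:]}

def parse_signify_sig(text):
    """74 bytes: 'Ed' | 8-byte key number | 64-byte Ed25519 signature."""
    comment, raw = _decode_signify(text, 74)
    return {"comment": comment, "keynum": raw[2:10].hex(), "sig": raw[10:]}

def make_sig_text(keynum_hex, sig_bytes, comment="constructed sample"):
    """Build a signature file with a given key number (constructed, not a
    real signature; only the key-number field is meaningful here)."""
    raw = b"Ed" + bytes.fromhex(keynum_hex) + sig_bytes
    return f"{PREFIX}{comment}\n{base64.b64encode(raw).decode()}\n"

def keynum_matches(pub, sig):
    """signify refuses to verify when the signature was made with a key whose
    8-byte key number differs from the public key's. Only after this check
    passes does the Ed25519 verification of sig['sig'] with pub['pubkey']
    happen (omitted here; it needs an Ed25519 implementation)."""
    return pub["keynum"] == sig["keynum"]

if __name__ == "__main__":
    pub = parse_signify_pubkey(OPENBSD_66_BASE_PUB)
    print(pub["comment"], pub["keynum"], len(pub["pubkey"]) * 8, "bit key")
```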

