[nmglug] How to find/import public keys? Or is there another problem?

Tom Ashcraft trailerdog234 at comcast.net
Wed Jun 12 20:58:16 PDT 2019


Thank you all for the very productive replies,

In addition to my broadened perspective, I'm certain I've been saved 
hours of wasted time.  It is so very helpful to me to be provided with 
contextually appropriate real-world examples of how things are supposed 
to work.

Anthony supplied the piece of the puzzle that I was missing:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys \
     'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D' \
     '7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18'

How I got into this was that more than a year ago in my (ongoing) 
condition of "knowing just about enough to be dangerous" I managed to 
install youtube-dl but wasn't really aware of how the distribution 
repositories and update processes were supposed to work.  I'd notice 
messages of 'unsigned something or other' when booting, and with 
increasing frequency various videos I wanted would fail to download.  At 
some point I'd heed an error message and update/reinstall in haphazard 
fashion.  This time around I have a bit more comprehension of 
housekeeping and hygiene.  (Thanks in no small part to people in NMGLUG.)

Given what Anthony writes below, I presume he would agree that getting a 
good signature (as I have now done) is probably worth the effort, but 
that the "web of trust" procedures are a bit beyond reasonable and 
practical for casual use of the Linux desktop.

Until the Revolution or the Great Simplification (whichever comes 
first), over and out,

Tom

On 6/12/19 7:41 PM, Anthony J. Bentley wrote:
> Hi,
>
> I'll be honest: I think PGP is not worth the effort anymore. The key
> management is too difficult, with far too many options and ways to
> shoot yourself in the foot. And the software itself is too complicated
> for practical use.
>
> Although I am careful to always download software over HTTPS, I don't
> check GPG signatures of software. I know how to do it. I've even done
> it from time to time. But maintaining the key database, setting trust
> values, rotating as keys expire, avoiding malicious fingerprints and
> man-in-the-middle attacks... it's just too much. The keys, typically
> 2048-bit or 4096-bit RSA, are far too large to verify with eyeballs,
> which means they can only be passed around through dedicated software,
> never in a tweet or on paper. I mean, look at this, the youtube-dl
> developer's key that I just imported:
>
> $ gpg --export --armor ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mQINBFcJbH8BEADGy4sdmhLgGphuEsTWWWu6N4kQLD/kmqjP3Y83OG+v5iGG+vcY
> XKk1t6qEYB83Pbn6EKHKLquAydqzXwY/wcapqSGbXAjt96DsCQnj5XqS7XKfo9t/
> idg40QD9Nbb0HvdzIk83/tKT4hQVB+TJY9ttfmADJXtMQP6CIDInm+x/llo3p+Ih
> XVNgKuLVWVciVn+ZDaq4/HrXXINGfx5+Tuzqg1cGNOIVUWno94uHQ1PKVkMK7+HQ
> e0I61Tz3oXLfZTer3OjK9Cr37k/927Rvcp2Adz5zdgucMFjn2Itopux+1t6e+Q3r
> fL0ttO+PTtuZmJZBklugxcjgv6MbZBrKbAVeHHPfjf6TziG++kPypmJlf2aRj1Fd
> rY0VukthZNfrjAmMdUGL/HPhmt2PLAb8bqDAdIYIjUNJ7NBuG61Tv2aYvNE9fW2T
> v0RAHPbVRJmKUCprWzuDFq0NAPFwMSqGw5BjOdRj8zrf7pB17R/oVGnr7Jn4iUZd
> yzNCOfTPNEWdKs9Qe//nSCUfgP5XdFYP1jhmN0ADg6hXcg2mxI60li0OGVk0mbTK
> rOM7TDDQSx0JuMqW4Knv6hn6R6bpAy1m7UTZjP3B9tEum6BHbLMOQ6XPgaHJVc/Z
> uC+VYlnyCF/MXdJS36Pdf2c4dQiBc4UJPxnruwV8Cxt7x+KwGcsAECoJnwARAQAB
> tBxTZXJnZXkgTS4gPGRzdGZ0d0BnbWFpbC5jb20+iQIcBBABAgAGBQJXds3hAAoJ
> ENtLVMukgmoYN+8P/ROwsLQfldOE4c4ZOPwIYbdhXl9iBDgs7nLuruDuUmSckS2r
> A9+aw6uPcCxFyqgtmsPJqMK3xDm6qLgi7KDEMNURB5z5Nyuz7jxWUY34eeRhiOx3
> 16TraI2xd2jUiId2LXy2kwkJP6nk/ds1AWIPoLhlzrZXo3BNMpOBlVXK38TAIHpl
> jwYMns1n68rbrnCv6Tl/LANOKa3XUiHaHd3KcLJZiDi9az4yoLe396pdmQPuWRuo
> b9ut5Rv12EVJzO3wCsbNkVEHTYxgi7QhmCuOIiCkTDDyHLlzNCEvv6OgKxjtEjrO
> afJae0fgliusszeum4ybf6z7h0+vpqrwd/L3en3sZirD5RfehS5JSQAKVSlYXiTn
> x7DGwOStUrth4e9LiIxU/JXKorcceHO6IrHgdg61A0+a1Nm3V7vm6QFa+IDEctq4
> rS1bTQNY+PiGDBO/B14B2nHvrpyij/v5Y5QYkBsRLtOqv5UbWbqdCjCRpwRsusco
> UXuHGOa8cVxqzmK/Vnek0Uf2PCpuZs+94PpehBIRyqEPmAiFVFmXVIw1/+72GUWL
> SoWjVJvlqFW0zgjdKVw+Kxyw4e2yyrYkaCQ5NxvYcxsN0V0wgc2nQTv8TdiYr7nY
> MPodjdje/ip4Gk7504OGKKo8Y1pgJ9/Kl97c+UjiXpE03AX0HNSLrxpUY87liQIz
> BBABCAAdFiEEI4/MRryZouhu7mI9cU1Unl62JAAFAljI4eQACgkQcU1Unl62JAAs
> tg//U7VvdLwYpWfzAupbEKabXTNh8fcCy2dBr/RiTNQWPs69TDuYj4wtPRTvCHfq
> m24BWpWu3/0CWSl+Ka7Hy0/qINMR0F+GfpslrvYB44P9qqfPQzFoGXK3UnOZ3q+K
> cgp1SodyUPbmazmAjlolTuQi8x9kNCbpU74Hyh2lo14gJmDmLgaRN0t/7p8PsRtH
> DQ8a3YUKXC2SDAxQWvLMFDJQ8Y3fsqxwdlV70mhrBZ7Uz6qy4R0ipNhR4SLsd4ZN
> vsOcTUCA0kh8QoBuXHIlrw1qG3oQo7Ij9BmksH/9UUBDp4IUpnsyGKZ2m7oGyZhk
> lCIy/gFjr2gjTf5+GDIq4fl80ds3UsfDkXST4CNBwzcWVClgs1sZnanJtnDIRx9e
> 8o46wLsQGR7e2C5+QPltaWkdpYxjvz0fsV9SnJonOpAec4FIOMeQx5QpR4tynvYy
> Kg/MBuT1V2E694vGiLgOUe6RC8KeGm4kWy20RVn5UwQ1s+xAl+exyau8BJPEtk4E
> gDAKfqfvjx4ls4TEKch5DgigV5Xj6ZrzX0uo9eYnqVgPKKG4wy37SEwh7Hf42F8j
> pDCBaRbPkHmhisW5Krz9Z15YLUymFZv6GwUJP8p+HfS1DUDros/NECLlhEQw4Ziu
> vK9iLh7V5NIKfggqx0Mm7bNOJomdyKgUtC5lnXg4O4ZMRGeJAjMEEAEKAB0WIQQ4
> o8HG657ldT/VGb7npswWjDVbeAUCXH59CAAKCRDnpswWjDVbeNDfEACUAPsh5hGp
> Y6JGA+BENJIK8WpD30nuP4W5qSc3IFO2Vcoq1JWzFsF042n92lKGzh+QfwgNd9Xd
> 3etD5H1Pyjkf99hTY8GhkudRvTD6UdBND93M1SQyKW3Hbh5Zbg5Yk+pxeCq+qN9N
> r+EhZIkzbQ+w6U6za+sLKGL7d4VXJN2cIdsf5715Btd2bw/4bHYQwqpNxlvM5csL
> GKNYO1q4gOICeh70inVQSaC+Ngxw0XVYLQ6g82yXuJkIh1Ql69/J73RM9ykKvATg
> 1eEnA5DWJ3S3dM4WE3wKsMP+n30NHsUaO616yu7/8r7g+86/zlpd7OV8FjNe3OVI
> Xmofe5nI3it4tzeKBRP5JbfhmJ1RJNAWpqvQ3daXJVqb5h2TTn0dvk5zWOYuCWzk
> fG/Z3NiNI3nPFU3xgojYslyuBgcGzoZPP7YygjqXqUaV1Nh0OWaYQfVBcHELqPMz
> KiEdKsyhv0jhmVQcNueXYeNRH/2EmD2QDaC57G1bQ9QEbIZGJjL5noNxuyZVg0qw
> 6gbRE4WJtvmy3l/mKjnzvI99JzcwyEF4AiT5Ppj9lgkRRkQh3PBFxPqEMLWxQEOT
> Z9klt8yIrcGJ0kwG6u3E3V+m1KDMumlrnVExMlGJoXtcUoUvUNBbPwWWALl0oYFc
> N9UsnkKAIvgkdIv2vfT2/FrmLLfOTyzFDIkCOAQTAQIAIgUCVwlsfwIbAwYLCQgH
> AwIGFQgCCQoLBBYCAwECHgECF4AACgkQLDk+DxipI2317BAAjk+LBazvGok8MsW+
> GhfsOyvQpZLymOoCsLn4WhGT5LdVTI2fSpdJFJY5fdq36d53yNCsDaFzMOKGwRKu
> VUh2tI+s4/SYGZNZOVorXXycIuaGepU252XDaKcziCP65GcXz5avPi3y7MSpTI1c
> U/PDS99W3iE8ageW1j4E8PqAadVIyszCxlBDDQCa+wD3c0kNTJqOEuPsKtugN/h/
> OHUF0gfWyxdSGvseKShPHxG+JWKF1Mh9UAHqd10N2L9XUsj3G2FFnMKKwmXPLtp8
> LmVqhl6/OC2xAMZlcWoIiJAafwKYSI8whYg5KxoNtkRwkPhKtEE19arsvil6OYNW
> cAs46lbXz2Len/EelGJKNOVIXqEvgy14GV3KaTQ0ZCpwC6q6S7racxvRFBiYv4g3
> Z21KJ8aqfqeKifFxtl4QNiQQuUuUwGugIml8lpGZkeufMfwnXh3blaDnj6KHWAqE
> e5bYvg5AY5zCDQn8PadC4hjqtFZHghtzm35ktAO3GDCpWM2birIDIowLtTT4R+FE
> 9CXyoN23LTiyxCZ/kELsMhO9Oy3qYDxATDdYfCxJexg6VnrwH/DjW6NNJTEY5EX3
> GxU+aEvq8I9EyDEcmkBAug/CeJKvKJP2E93gumfXz6yXUXx2v23jiTmmsE8n6Nn9
> fTKwNxDzDEX4t/CCYcicjjjXFv+5Ag0EVwlsfwEQAL3coGpBOTaSck3jd9jnZXLZ
> Du5Du8ZUay0t5RXYCXTR9oCDYR92qht5AGKB2vgWnN0viBrcfuTkjNU1/bUTILrV
> xnDm5hquTlvNUNn85imAYZWP59HlUdnnFwYKhr11ay8yRiDn29DL7oFtpj0EyjEe
> meXZV6Yeu6pQp9AWnbDNyUsgdfJHrUo8GeaswXXOKQTVC0c6nSbpmmIm7GldyLwM
> 1kd21OXo7dRisrBarcad2/kggywicmg9bYt9RHkAjuPE2k7eetFegkKO9mBpMCxq
> H6Gmsx7v9aT7EbgBWxVQylFSXxR2+TwQ9t3jqf2V3RzfTlFH29yn56eXfp7CqFx2
> rt0ZlAY9JGoIiFxmQLZo5nvgBIZ3SObYeOVRAB4CqppDi+qypSYzL/cY+XprX/vT
> IbOYrZB2fMaJQuKtxi7+rhQt9Z+LOWgiD52osWfnXZCTB92ScGooKYFhDWB3n8CW
> fNVS5JmoIb5AsTLuLJyk77xcJLTiVPK+2zEO43ITbaAkYCTBH3GpYIiCDQ5DV8J6
> libPBKBoLLNZB2Am2AMyjyZGd/6Ulv+pCCPL+55M2t9mpMePSk9FoMOXROI9DPqO
> HCH6httyd0Fm8CLpZdD6OLhRtQ4vtWJe39xvLmNkf1U2tM+TwNW2UWtr8YZ7DWVY
> LE5LLPHW5WoyyzGWJ8jJABEBAAGJAh8EGAECAAkFAlcJbH8CGwwACgkQLDk+Dxip
> I221og/+Oqma0UzbLfliHBXRHOaaCvyU3eD4jgTweqO4LCpCKGwRBvg7Kx20FM7U
> 0XGQudNDUNsYw871LSnGDkOhK7PSMoNOR4iFyI5XCW1P0XcYad6WV3sUeKmrLq1H
> y/1r+0NmFMI6WXtMAqjg4G4QLdlTZVs8fVMKw8B3FsKCyigIxqC4QbmpcwLxLG5I
> 0HQU/G1HlQyHf0tV5QVmI3O+Rr5xYyXabxLsejtqArLSYzihxG/rF78ejeov5Rwc
> kdb5K5FKRwx2kTnEkzxeOt9uoaAyz3ALiMv/A+FFCXMI5g3y+HOL2AXR4tXI5M2D
> 9Am2jvA7jmGdJMnDYAgI+IDniaEWm37/ztmxoLJpqFuLlgBgA+3rQBYoLtgSpalq
> iX2ofwAbx6icA617rv2sO4DqVWPwRo91DVQ5aTNG/iqXpjfzGCKvVvM5mkpKxnmE
> G73h5Vz/f8Gu8/NMtnz99wVxWc465jPdxSAI3Kq4DSEFJdRVHEMKJiDJBv7wK6ub
> c3ICwHVDhzKf25/WX5P2rMBa198bZPjaPoePAd1coGR+iC6Z9hF5RTMaNbNfeYUf
> d1NndLjvrYwFtvtdTQ1jB/BH0FSoe0dhENibuhihCUu3Gz6RTu0zcK7L4HzoklXe
> 33lFX3MPse+YEK76ZuJF60o+tXmYsT1HI/cYW8fMRoraDfFX9KE=
> =HnNk
> -----END PGP PUBLIC KEY BLOCK-----
>
> How am I supposed to explain to people the difference between
> trusted keys, untrusted keys, public keys, private keys, secure
> fingerprints, and insecure fingerprints?
>
> I try to read the GPG manpage. It takes well over 150 page-downs
> in my terminal to reach the end. And at the end, it says I'm not
> even reading the right manual, and I should be reading the info
> page instead!
>
> https://manpages.debian.org/stretch/gnupg2/gpg2.1.en.html
>
> How on earth are people supposed to understand this stuff without
> being intimately acquainted with how all the pieces fit together?
> I *do* understand it, and I can't stand to use it.
>
> OpenBSD got it right. Look at the documentation for signify, their
> equivalent to GPG that they use for OS and package signing:
>
> https://man.openbsd.org/signify.1
>
> See how concise that manual is. It starts with an overview of the
> four major operations (generate keys, sign, verify, batch verify).
>
> Look at the size of a signify key:
>
> $ cat /etc/signify/openbsd-66-base.pub
> untrusted comment: openbsd 6.6 base public key
> RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn
>
> That's the whole key! No database to keep track of. No fingerprint.
> The entire key could fit in a tweet, or be transcribed from paper.
> OpenBSD used to print the key on the CDs, back when they sold CDs.
>
> Unfortunately, the only major piece of software I know of that's
> signed with signify is OpenBSD itself. It boggles my mind that GPG
> with all its hideous inscrutable complication is the status quo.
> How can we encrypt the world when this is the most widespread
> crypto available?
>
> That's my frustrated rant of the day...
>
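Two small checks that follow from the thread above, as an added example that is not part of the original post or of the OpenBSD or GnuPG projects: it parses the signify public key Anthony quoted (assuming the documented signify layout of a 2-byte "Ed" algorithm tag, an 8-byte key number and a 32-byte Ed25519 public key) to show that the whole key really is 42 bytes, and it normalises the spaced fingerprint from Tom's --recv-keys command so it can be compared byte-for-byte with the unspaced id in Anthony's --export command, which is the comparison to make before trusting an imported key.

```python
"""Added example (not from the mailing-list thread).

1. Parse an OpenBSD signify public key line and check that it is
   2 bytes of algorithm tag + 8 bytes of key number + 32 bytes of
   Ed25519 public key (42 bytes, 56 base64 characters).
2. Normalise a spaced OpenPGP v4 fingerprint (the form people paste
   into gpg --recv-keys) so it can be compared with the unspaced form
   that gpg prints or that an --export command uses.
"""
import base64
import binascii

# Constructed input: the OpenBSD 6.6 base key as quoted in the thread.
SIGNIFY_PUB = """untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn
"""

# Assumed signify layout: algorithm tag, key number, raw Ed25519 key.
SIGNIFY_ALG = b"Ed"
KEYNUM_LEN = 8
ED25519_PUB_LEN = 32


def parse_signify_pubkey(text):
    """Return (comment, keynum_hex, pubkey_bytes) for a signify .pub file.

    Raises ValueError when the layout is not the expected one, so a
    truncated or hand-edited key is rejected rather than half-parsed.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing 'untrusted comment:' header line")
    comment = lines[0][len("untrusted comment: "):]
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key line is not valid base64") from exc
    expected = len(SIGNIFY_ALG) + KEYNUM_LEN + ED25519_PUB_LEN
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(raw)))
    if raw[:len(SIGNIFY_ALG)] != SIGNIFY_ALG:
        raise ValueError("unknown algorithm tag %r" % raw[:len(SIGNIFY_ALG)])
    keynum = raw[len(SIGNIFY_ALG):len(SIGNIFY_ALG) + KEYNUM_LEN]
    pubkey = raw[len(SIGNIFY_ALG) + KEYNUM_LEN:]
    return comment, keynum.hex(), pubkey


def normalize_fingerprint(fpr):
    """Strip spaces and upper-case an OpenPGP fingerprint, checking that
    it is 40 hex digits (a v4 SHA-1 fingerprint) before returning it."""
    compact = fpr.replace(" ", "").upper()
    if len(compact) != 40 or any(c not in "0123456789ABCDEF" for c in compact):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % fpr)
    return compact


if __name__ == "__main__":
    comment, keynum, pub = parse_signify_pubkey(SIGNIFY_PUB)
    print("signify comment :", comment)
    print("signify keynum  :", keynum)
    print("ed25519 pubkey  :", pub.hex(), "(%d bytes)" % len(pub))
    # Spaced form from the --recv-keys command versus the unspaced id
    # from the --export command, both as they appear in the thread.
    spaced = "ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D"
    print("fingerprints match:",
          normalize_fingerprint(spaced)
          == "ED7F5BF46B3BBED81C87368E2C393E0F18A9236D")
```

The signify parser deliberately refuses anything that is not exactly 42 bytes with the "Ed" tag; that is the whole "database" a signify verifier needs, in contrast to the keyring, trust values and fingerprint handling the thread describes for GPG.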