Thank you all for the very productive replies. In addition to my broadened perspective, I'm certain I've been saved hours of wasted time. It is so very helpful to me to be provided with contextually appropriate real-world examples of how things are supposed to work.

Anthony supplied the piece of the puzzle that I was missing:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys \
    'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D' \
    '7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18'

How I got into this was that more than a year ago, in my (ongoing) condition of "knowing just about enough to be dangerous", I managed to install youtube-dl but wasn't really aware of how the distribution repositories and update processes were supposed to work. I'd notice messages of 'unsigned something or other' when booting, and with increasing frequency various videos I wanted would fail to download. At some point I'd heed an error message and update/reinstall in haphazard fashion.

This time around I have a bit more comprehension of housekeeping and hygiene. (Thanks in no small part to people in NMGLUG.)

Given what Anthony writes below, I presume he would agree that getting a good signature (as I have now done) is probably worth the effort, but that the "web of trust" procedures are a bit beyond reasonable and practical for casual use of the Linux desktop.

Until the Revolution or the Great Simplification (whichever comes first), over and out,

Tom

On 6/12/19 7:41 PM, Anthony J. Bentley wrote:
Hi,
I'll be honest: I think PGP is not worth the effort anymore. The key management is too difficult, with far too many options and ways to shoot yourself in the foot. And the software itself is too complicated for practical use.
Although I am careful to always download software over HTTPS, I don't check GPG signatures of software. I know how to do it. I've even done it from time to time. But maintaining the key database, setting trust values, rotating as keys expire, avoiding malicious fingerprints and man-in-the-middle attacks... it's just too much. The keys, typically 2048-bit or 4096-bit RSA, are far too large to verify with eyeballs, which means they can only be passed around through dedicated software, never in a tweet or on paper. I mean, look at this, the youtube-dl developer's key that I just imported:
$ gpg --export --armor ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFcJbH8BEADGy4sdmhLgGphuEsTWWWu6N4kQLD/kmqjP3Y83OG+v5iGG+vcY
XKk1t6qEYB83Pbn6EKHKLquAydqzXwY/wcapqSGbXAjt96DsCQnj5XqS7XKfo9t/
idg40QD9Nbb0HvdzIk83/tKT4hQVB+TJY9ttfmADJXtMQP6CIDInm+x/llo3p+Ih
XVNgKuLVWVciVn+ZDaq4/HrXXINGfx5+Tuzqg1cGNOIVUWno94uHQ1PKVkMK7+HQ
e0I61Tz3oXLfZTer3OjK9Cr37k/927Rvcp2Adz5zdgucMFjn2Itopux+1t6e+Q3r
fL0ttO+PTtuZmJZBklugxcjgv6MbZBrKbAVeHHPfjf6TziG++kPypmJlf2aRj1Fd
rY0VukthZNfrjAmMdUGL/HPhmt2PLAb8bqDAdIYIjUNJ7NBuG61Tv2aYvNE9fW2T
v0RAHPbVRJmKUCprWzuDFq0NAPFwMSqGw5BjOdRj8zrf7pB17R/oVGnr7Jn4iUZd
yzNCOfTPNEWdKs9Qe//nSCUfgP5XdFYP1jhmN0ADg6hXcg2mxI60li0OGVk0mbTK
rOM7TDDQSx0JuMqW4Knv6hn6R6bpAy1m7UTZjP3B9tEum6BHbLMOQ6XPgaHJVc/Z
uC+VYlnyCF/MXdJS36Pdf2c4dQiBc4UJPxnruwV8Cxt7x+KwGcsAECoJnwARAQAB
tBxTZXJnZXkgTS4gPGRzdGZ0d0BnbWFpbC5jb20+iQIcBBABAgAGBQJXds3hAAoJ
ENtLVMukgmoYN+8P/ROwsLQfldOE4c4ZOPwIYbdhXl9iBDgs7nLuruDuUmSckS2r
A9+aw6uPcCxFyqgtmsPJqMK3xDm6qLgi7KDEMNURB5z5Nyuz7jxWUY34eeRhiOx3
16TraI2xd2jUiId2LXy2kwkJP6nk/ds1AWIPoLhlzrZXo3BNMpOBlVXK38TAIHpl
jwYMns1n68rbrnCv6Tl/LANOKa3XUiHaHd3KcLJZiDi9az4yoLe396pdmQPuWRuo
b9ut5Rv12EVJzO3wCsbNkVEHTYxgi7QhmCuOIiCkTDDyHLlzNCEvv6OgKxjtEjrO
afJae0fgliusszeum4ybf6z7h0+vpqrwd/L3en3sZirD5RfehS5JSQAKVSlYXiTn
x7DGwOStUrth4e9LiIxU/JXKorcceHO6IrHgdg61A0+a1Nm3V7vm6QFa+IDEctq4
rS1bTQNY+PiGDBO/B14B2nHvrpyij/v5Y5QYkBsRLtOqv5UbWbqdCjCRpwRsusco
UXuHGOa8cVxqzmK/Vnek0Uf2PCpuZs+94PpehBIRyqEPmAiFVFmXVIw1/+72GUWL
SoWjVJvlqFW0zgjdKVw+Kxyw4e2yyrYkaCQ5NxvYcxsN0V0wgc2nQTv8TdiYr7nY
MPodjdje/ip4Gk7504OGKKo8Y1pgJ9/Kl97c+UjiXpE03AX0HNSLrxpUY87liQIz
BBABCAAdFiEEI4/MRryZouhu7mI9cU1Unl62JAAFAljI4eQACgkQcU1Unl62JAAs
tg//U7VvdLwYpWfzAupbEKabXTNh8fcCy2dBr/RiTNQWPs69TDuYj4wtPRTvCHfq
m24BWpWu3/0CWSl+Ka7Hy0/qINMR0F+GfpslrvYB44P9qqfPQzFoGXK3UnOZ3q+K
cgp1SodyUPbmazmAjlolTuQi8x9kNCbpU74Hyh2lo14gJmDmLgaRN0t/7p8PsRtH
DQ8a3YUKXC2SDAxQWvLMFDJQ8Y3fsqxwdlV70mhrBZ7Uz6qy4R0ipNhR4SLsd4ZN
vsOcTUCA0kh8QoBuXHIlrw1qG3oQo7Ij9BmksH/9UUBDp4IUpnsyGKZ2m7oGyZhk
lCIy/gFjr2gjTf5+GDIq4fl80ds3UsfDkXST4CNBwzcWVClgs1sZnanJtnDIRx9e
8o46wLsQGR7e2C5+QPltaWkdpYxjvz0fsV9SnJonOpAec4FIOMeQx5QpR4tynvYy
Kg/MBuT1V2E694vGiLgOUe6RC8KeGm4kWy20RVn5UwQ1s+xAl+exyau8BJPEtk4E
gDAKfqfvjx4ls4TEKch5DgigV5Xj6ZrzX0uo9eYnqVgPKKG4wy37SEwh7Hf42F8j
pDCBaRbPkHmhisW5Krz9Z15YLUymFZv6GwUJP8p+HfS1DUDros/NECLlhEQw4Ziu
vK9iLh7V5NIKfggqx0Mm7bNOJomdyKgUtC5lnXg4O4ZMRGeJAjMEEAEKAB0WIQQ4
o8HG657ldT/VGb7npswWjDVbeAUCXH59CAAKCRDnpswWjDVbeNDfEACUAPsh5hGp
Y6JGA+BENJIK8WpD30nuP4W5qSc3IFO2Vcoq1JWzFsF042n92lKGzh+QfwgNd9Xd
3etD5H1Pyjkf99hTY8GhkudRvTD6UdBND93M1SQyKW3Hbh5Zbg5Yk+pxeCq+qN9N
r+EhZIkzbQ+w6U6za+sLKGL7d4VXJN2cIdsf5715Btd2bw/4bHYQwqpNxlvM5csL
GKNYO1q4gOICeh70inVQSaC+Ngxw0XVYLQ6g82yXuJkIh1Ql69/J73RM9ykKvATg
1eEnA5DWJ3S3dM4WE3wKsMP+n30NHsUaO616yu7/8r7g+86/zlpd7OV8FjNe3OVI
Xmofe5nI3it4tzeKBRP5JbfhmJ1RJNAWpqvQ3daXJVqb5h2TTn0dvk5zWOYuCWzk
fG/Z3NiNI3nPFU3xgojYslyuBgcGzoZPP7YygjqXqUaV1Nh0OWaYQfVBcHELqPMz
KiEdKsyhv0jhmVQcNueXYeNRH/2EmD2QDaC57G1bQ9QEbIZGJjL5noNxuyZVg0qw
6gbRE4WJtvmy3l/mKjnzvI99JzcwyEF4AiT5Ppj9lgkRRkQh3PBFxPqEMLWxQEOT
Z9klt8yIrcGJ0kwG6u3E3V+m1KDMumlrnVExMlGJoXtcUoUvUNBbPwWWALl0oYFc
N9UsnkKAIvgkdIv2vfT2/FrmLLfOTyzFDIkCOAQTAQIAIgUCVwlsfwIbAwYLCQgH
AwIGFQgCCQoLBBYCAwECHgECF4AACgkQLDk+DxipI2317BAAjk+LBazvGok8MsW+
GhfsOyvQpZLymOoCsLn4WhGT5LdVTI2fSpdJFJY5fdq36d53yNCsDaFzMOKGwRKu
VUh2tI+s4/SYGZNZOVorXXycIuaGepU252XDaKcziCP65GcXz5avPi3y7MSpTI1c
U/PDS99W3iE8ageW1j4E8PqAadVIyszCxlBDDQCa+wD3c0kNTJqOEuPsKtugN/h/
OHUF0gfWyxdSGvseKShPHxG+JWKF1Mh9UAHqd10N2L9XUsj3G2FFnMKKwmXPLtp8
LmVqhl6/OC2xAMZlcWoIiJAafwKYSI8whYg5KxoNtkRwkPhKtEE19arsvil6OYNW
cAs46lbXz2Len/EelGJKNOVIXqEvgy14GV3KaTQ0ZCpwC6q6S7racxvRFBiYv4g3
Z21KJ8aqfqeKifFxtl4QNiQQuUuUwGugIml8lpGZkeufMfwnXh3blaDnj6KHWAqE
e5bYvg5AY5zCDQn8PadC4hjqtFZHghtzm35ktAO3GDCpWM2birIDIowLtTT4R+FE
9CXyoN23LTiyxCZ/kELsMhO9Oy3qYDxATDdYfCxJexg6VnrwH/DjW6NNJTEY5EX3
GxU+aEvq8I9EyDEcmkBAug/CeJKvKJP2E93gumfXz6yXUXx2v23jiTmmsE8n6Nn9
fTKwNxDzDEX4t/CCYcicjjjXFv+5Ag0EVwlsfwEQAL3coGpBOTaSck3jd9jnZXLZ
Du5Du8ZUay0t5RXYCXTR9oCDYR92qht5AGKB2vgWnN0viBrcfuTkjNU1/bUTILrV
xnDm5hquTlvNUNn85imAYZWP59HlUdnnFwYKhr11ay8yRiDn29DL7oFtpj0EyjEe
meXZV6Yeu6pQp9AWnbDNyUsgdfJHrUo8GeaswXXOKQTVC0c6nSbpmmIm7GldyLwM
1kd21OXo7dRisrBarcad2/kggywicmg9bYt9RHkAjuPE2k7eetFegkKO9mBpMCxq
H6Gmsx7v9aT7EbgBWxVQylFSXxR2+TwQ9t3jqf2V3RzfTlFH29yn56eXfp7CqFx2
rt0ZlAY9JGoIiFxmQLZo5nvgBIZ3SObYeOVRAB4CqppDi+qypSYzL/cY+XprX/vT
IbOYrZB2fMaJQuKtxi7+rhQt9Z+LOWgiD52osWfnXZCTB92ScGooKYFhDWB3n8CW
fNVS5JmoIb5AsTLuLJyk77xcJLTiVPK+2zEO43ITbaAkYCTBH3GpYIiCDQ5DV8J6
libPBKBoLLNZB2Am2AMyjyZGd/6Ulv+pCCPL+55M2t9mpMePSk9FoMOXROI9DPqO
HCH6httyd0Fm8CLpZdD6OLhRtQ4vtWJe39xvLmNkf1U2tM+TwNW2UWtr8YZ7DWVY
LE5LLPHW5WoyyzGWJ8jJABEBAAGJAh8EGAECAAkFAlcJbH8CGwwACgkQLDk+Dxip
I221og/+Oqma0UzbLfliHBXRHOaaCvyU3eD4jgTweqO4LCpCKGwRBvg7Kx20FM7U
0XGQudNDUNsYw871LSnGDkOhK7PSMoNOR4iFyI5XCW1P0XcYad6WV3sUeKmrLq1H
y/1r+0NmFMI6WXtMAqjg4G4QLdlTZVs8fVMKw8B3FsKCyigIxqC4QbmpcwLxLG5I
0HQU/G1HlQyHf0tV5QVmI3O+Rr5xYyXabxLsejtqArLSYzihxG/rF78ejeov5Rwc
kdb5K5FKRwx2kTnEkzxeOt9uoaAyz3ALiMv/A+FFCXMI5g3y+HOL2AXR4tXI5M2D
9Am2jvA7jmGdJMnDYAgI+IDniaEWm37/ztmxoLJpqFuLlgBgA+3rQBYoLtgSpalq
iX2ofwAbx6icA617rv2sO4DqVWPwRo91DVQ5aTNG/iqXpjfzGCKvVvM5mkpKxnmE
G73h5Vz/f8Gu8/NMtnz99wVxWc465jPdxSAI3Kq4DSEFJdRVHEMKJiDJBv7wK6ub
c3ICwHVDhzKf25/WX5P2rMBa198bZPjaPoePAd1coGR+iC6Z9hF5RTMaNbNfeYUf
d1NndLjvrYwFtvtdTQ1jB/BH0FSoe0dhENibuhihCUu3Gz6RTu0zcK7L4HzoklXe
33lFX3MPse+YEK76ZuJF60o+tXmYsT1HI/cYW8fMRoraDfFX9KE=
=HnNk
-----END PGP PUBLIC KEY BLOCK-----
How am I supposed to explain to people the difference between trusted keys, untrusted keys, public keys, private keys, secure fingerprints, and insecure fingerprints?
I try to read the GPG manpage. It takes well over 150 page-downs in my terminal to reach the end. And at the end, it says I'm not even reading the right manual, and I should be reading the info page instead!
https://manpages.debian.org/stretch/gnupg2/gpg2.1.en.html
How on earth are people supposed to understand this stuff without being intimately acquainted with how all the pieces fit together? I *do* understand it, and I can't stand to use it.
OpenBSD got it right. Look at the documentation for signify, their equivalent to GPG that they use for OS and package signing:
https://man.openbsd.org/signify.1
See how concise that manual is. It starts with an overview of the four major operations (generate keys, sign, verify, batch verify).
Look at the size of a signify key:
$ cat /etc/signify/openbsd-66-base.pub
untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn
That's the whole key! No database to keep track of. No fingerprint. The entire key could fit in a tweet, or be transcribed from paper. OpenBSD used to print the key on the CDs, back when they sold CDs.
Unfortunately, the only major piece of software I know of that's signed with signify is OpenBSD itself. It boggles my mind that GPG with all its hideous inscrutable complication is the status quo. How can we encrypt the world when this is the most widespread crypto available?
That's my frustrated rant of the day...
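Editor's added example (not code from the thread, from GnuPG or from youtube-dl). Tom's `--recv-keys` command above pins the key by its full fingerprint, and that pin is the only thing doing any authentication, since an hkp keyserver fetch is plain HTTP. The check that makes the pin meaningful is to recompute the fingerprint from the key material yourself: walk the first OpenPGP packet of the armored key and hash it as RFC 4880 section 12.2 prescribes (SHA-1 over 0x99, the two-byte packet length and the public-key packet body), then compare against the pinned value. The embedded armor is the public-key packet of the key Anthony pasted (its first eleven armor lines, which is all the fingerprint covers), and `PINNED_FINGERPRINT` is the first fingerprint from Tom's command. The function names and the limitation to version 4 keys and non-partial packet lengths are this example's own.

```python
import base64
import hashlib
import hmac

# Sample input, copied from the key pasted in the thread: only the first eleven
# armor lines, which hold the public-key packet. The v4 fingerprint covers that
# packet alone, so the user-id and signature packets after it are not needed.
YOUTUBE_DL_KEY_PACKET = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFcJbH8BEADGy4sdmhLgGphuEsTWWWu6N4kQLD/kmqjP3Y83OG+v5iGG+vcY
XKk1t6qEYB83Pbn6EKHKLquAydqzXwY/wcapqSGbXAjt96DsCQnj5XqS7XKfo9t/
idg40QD9Nbb0HvdzIk83/tKT4hQVB+TJY9ttfmADJXtMQP6CIDInm+x/llo3p+Ih
XVNgKuLVWVciVn+ZDaq4/HrXXINGfx5+Tuzqg1cGNOIVUWno94uHQ1PKVkMK7+HQ
e0I61Tz3oXLfZTer3OjK9Cr37k/927Rvcp2Adz5zdgucMFjn2Itopux+1t6e+Q3r
fL0ttO+PTtuZmJZBklugxcjgv6MbZBrKbAVeHHPfjf6TziG++kPypmJlf2aRj1Fd
rY0VukthZNfrjAmMdUGL/HPhmt2PLAb8bqDAdIYIjUNJ7NBuG61Tv2aYvNE9fW2T
v0RAHPbVRJmKUCprWzuDFq0NAPFwMSqGw5BjOdRj8zrf7pB17R/oVGnr7Jn4iUZd
yzNCOfTPNEWdKs9Qe//nSCUfgP5XdFYP1jhmN0ADg6hXcg2mxI60li0OGVk0mbTK
rOM7TDDQSx0JuMqW4Knv6hn6R6bpAy1m7UTZjP3B9tEum6BHbLMOQ6XPgaHJVc/Z
uC+VYlnyCF/MXdJS36Pdf2c4dQiBc4UJPxnruwV8Cxt7x+KwGcsAECoJnwARAQAB
-----END PGP PUBLIC KEY BLOCK-----
"""

# The fingerprint passed to --recv-keys in the thread: this is the trust anchor,
# because the hkp keyserver transport itself authenticates nothing.
PINNED_FINGERPRINT = "ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D"

ALGORITHMS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def dearmor(text):
    """Return the bytes inside an ASCII-armored block (RFC 4880, section 6.2).
    Armor headers (lines containing ':'), the blank separator line and the END
    line are skipped; the optional '=XXXX' CRC24 line is dropped, not checked."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside and line and ":" not in line and not (line[0] == "=" and len(line) == 5):
            body.append(line)
    return base64.b64decode("".join(body))


def packet_header(data, offset=0):
    """Parse one packet header (RFC 4880, section 4.2): (tag, body_start, body_end)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hlen = first, 2
        elif first < 224:
            length, hlen = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hlen = int.from_bytes(data[offset + 2:offset + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: the low two bits select a 1-, 2- or 4-byte length
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hlen = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hlen], "big")
    return tag, offset + hlen, offset + hlen + length


def public_key_packet(armored):
    data = dearmor(armored)
    tag, start, end = packet_header(data)
    if tag != 6:
        raise ValueError("expected a public-key packet (tag 6), got tag %d" % tag)
    return data[start:end]


def key_info(armored):
    """Version, creation time, algorithm and (RSA/DSA/Elgamal) size of the first MPI."""
    body = public_key_packet(armored)
    algo = body[5]
    return {"version": body[0],
            "created": int.from_bytes(body[1:5], "big"),
            "algorithm": ALGORITHMS.get(algo, "unknown(%d)" % algo),
            "bits": int.from_bytes(body[6:8], "big") if algo in (1, 2, 3, 16, 17) else None}


def key_fingerprint(armored):
    """v4 fingerprint (RFC 4880, section 12.2): SHA-1 over 0x99, the two-byte body
    length and the public-key packet body, returned as 40 upper-case hex digits."""
    body = public_key_packet(armored)
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def fingerprint_matches(armored, pinned):
    """Compare against a pinned fingerprint written with or without spaces."""
    return hmac.compare_digest(key_fingerprint(armored), pinned.replace(" ", "").upper())


if __name__ == "__main__":
    print(key_info(YOUTUBE_DL_KEY_PACKET))
    print(key_fingerprint(YOUTUBE_DL_KEY_PACKET),
          fingerprint_matches(YOUTUBE_DL_KEY_PACKET, PINNED_FINGERPRINT))
```

The same function can be pointed at the output of `gpg --export --armor` for any key you have just fetched; the fingerprint is a property of the key packet bytes, so a keyserver or an attacker on the hkp path cannot substitute a different key without changing it. What this does not tell you is anything about who controls the key, which is the web-of-trust part Anthony objects to.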
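Editor's added example, not OpenBSD's signify code. Anthony's point that the one base64 line is the whole signify key is easiest to see by handling the format directly: a signify file is an "untrusted comment:" line followed by base64 of a 2-byte algorithm tag ("Ed"), an 8-byte key number and either the 32-byte Ed25519 public key or the 64-byte signature. The block below parses that layout, generates a key pair from a constructed seed, signs a message, and verifies it the way `signify -V` does: refuse first if the signature names a different key number than the public key, then check the Ed25519 signature over the message. Ed25519 is included as a compact pure-Python transcription of RFC 8032 so the block runs with the standard library only; it is neither constant-time nor meant for real keys. The OpenBSD 6.6 base key from the thread is parsed as real input; the demo seed, key numbers, message and all function names are this example's own.

```python
import base64
import hashlib

# --- Ed25519 (RFC 8032) in pure Python. Demonstration only: not constant-time,
# --- not for real keys. Included so the block needs nothing beyond the stdlib.
_q = 2**255 - 19
_l = 2**252 + 27742317777372353535851937790883648493
_d = (-121665 * pow(121666, _q - 2, _q)) % _q
_I = pow(2, (_q - 1) // 4, _q)  # sqrt(-1) mod q

def _xrecover(y):
    """Even-parity x for a given y on the twisted Edwards curve (RFC 8032 5.1.3)."""
    xx = ((y * y - 1) * pow((_d * y * y + 1) % _q, _q - 2, _q)) % _q
    x = pow(xx, (_q + 3) // 8, _q)
    if (x * x - xx) % _q:
        x = (x * _I) % _q
    return _q - x if x & 1 else x

_By = (4 * pow(5, _q - 2, _q)) % _q
_B = (_xrecover(_By), _By)  # base point

def _add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = (_d * x1 * x2 * y1 * y2) % _q
    inv = pow(((1 + t) * (1 - t)) % _q, _q - 2, _q)  # one inversion serves both coordinates
    return ((x1 * y2 + x2 * y1) * (1 - t) * inv % _q, (y1 * y2 + x1 * x2) * (1 + t) * inv % _q)

def _mul(P, e):
    """Left-to-right double-and-add; (0, 1) is the neutral element."""
    Q = (0, 1)
    for i in range(e.bit_length() - 1, -1, -1):
        Q = _add(Q, Q)
        if (e >> i) & 1:
            Q = _add(Q, P)
    return Q

def _encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (v >> 255):
        x = _q - x
    if (-x * x + y * y - 1 - _d * x * x * y * y) % _q:
        raise ValueError("point not on curve")
    return (x, y)

def _expand(seed):
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]  # clamped scalar, nonce prefix

def ed25519_public(seed):
    return _encode(_mul(_B, _expand(seed)[0]))

def ed25519_sign(msg, seed):
    a, prefix = _expand(seed)
    pk = _encode(_mul(_B, a))
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % _l
    R = _encode(_mul(_B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % _l
    return R + ((r + k * a) % _l).to_bytes(32, "little")

def ed25519_verify(sig, msg, pk):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _decode(sig[:32]), _decode(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= _l:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % _l
    return _mul(_B, S) == _add(R, _mul(A, k))

# --- signify(1) file layout: an "untrusted comment:" line, then base64 of
# --- 2-byte algorithm "Ed" + 8-byte key number + 32-byte key or 64-byte signature.
COMMENT_HDR = "untrusted comment: "

def _parse(text, payload_len):
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_HDR):
        raise ValueError("invalid comment in signify file")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != b"Ed" or len(raw) != 10 + payload_len:
        raise ValueError("unsupported signify file")
    return {"comment": lines[0][len(COMMENT_HDR):], "keynum": raw[2:10], "data": raw[10:]}

def _emit(comment, keynum, payload):
    return COMMENT_HDR + comment + "\n" + base64.b64encode(b"Ed" + keynum + payload).decode() + "\n"

def parse_pubkey(text):
    return _parse(text, 32)

def pubkey_file(seed, keynum, comment):
    return _emit(comment, keynum, ed25519_public(seed))

def signature_file(msg, seed, keynum, pubkey_name):
    return _emit("verify with " + pubkey_name, keynum, ed25519_sign(msg, seed))

def verify_file(pubkey_text, sig_text, msg):
    """The checks `signify -V -p key.pub -x msg.sig -m msg` makes, in that order."""
    pub, sig = parse_pubkey(pubkey_text), _parse(sig_text, 64)
    if pub["keynum"] != sig["keynum"]:
        raise ValueError("verification failed: checked against wrong key")
    return ed25519_verify(sig["data"], msg, pub["data"])

# Real input, copied from the thread: the entire OpenBSD 6.6 base public key.
OPENBSD_66_BASE_PUB = ("untrusted comment: openbsd 6.6 base public key\n"
                       "RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn\n")

# Constructed demo material: a fixed seed and key numbers, so the run is reproducible.
DEMO_SEED = hashlib.sha256(b"nmglug demo seed, not a real key").digest()
DEMO_KEYNUM = hashlib.sha256(b"nmglug demo keynum").digest()[:8]
OTHER_KEYNUM = hashlib.sha256(b"a different key").digest()[:8]
MESSAGE = b"SHA256 (base66.tgz) = " + hashlib.sha256(b"constructed tarball").hexdigest().encode() + b"\n"

def demo():
    """(good signature verifies, tampered message fails, signature from another key is refused)."""
    pub = pubkey_file(DEMO_SEED, DEMO_KEYNUM, "demo public key")
    sig = signature_file(MESSAGE, DEMO_SEED, DEMO_KEYNUM, "demo.pub")
    good = verify_file(pub, sig, MESSAGE)
    tampered = verify_file(pub, sig, MESSAGE + b"x")
    try:
        verify_file(pub, signature_file(MESSAGE, DEMO_SEED, OTHER_KEYNUM, "demo.pub"), MESSAGE)
        wrong_key = False
    except ValueError:
        wrong_key = True
    return good, tampered, wrong_key

if __name__ == "__main__":
    print(demo(), parse_pubkey(OPENBSD_66_BASE_PUB)["keynum"].hex())
```

Two things fall out of handling the format this way. The key number is not a fingerprint in the PGP sense; it is eight random bytes that let signify refuse early with "checked against wrong key" instead of reporting a bare signature failure, and it carries no trust of its own. And the public key file really is the trust anchor, which is why it has to reach you out of band (the install media, the previous release's /etc/signify, or a printed copy), exactly as Anthony describes.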