How to find/import public keys? Or is there another problem?
As my resources as an individual seem exhausted, I request assistance from the NMGLUG hive mind re:

tom@tom-HP-Notebook:~$ gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
gpg: Signature made Fri 07 Jun 2019 02:48:58 PM MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: Can't check signature: No public key   <----?

Context from https://ytdl-org.github.io/youtube-dl/download.html:

To check the signature, type:

sudo wget https://yt-dl.org/downloads/latest/youtube-dl.sig -O youtube-dl.sig
gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
rm youtube-dl.sig

The following GPG keys will be used to sign the binaries and the git tags:

* Philipp Hagemeister   7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18
* Sergey M.             ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D

Should I be able to do something like this?:
From https://mxlinux.org/wiki/system/signed-iso-files/#MX-15%20and%20later:
... 1. If you have not already downloaded the appropriate key, copy/paste this command into a terminal as a regular user:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C

This will give you....

Also, all of the above relates to perennial update issues and not having a very clear understanding about how and whether I should have something like a 'youtube-dl.list' file under '/etc/apt/sources.list.d'.

Thanks,
Tom
If you use `git clone`, doesn't it do key-checking as part of the commit tree verification process? That's how I got my latest copy of youtube-dl... —Arlo
Tom Ashcraft writes:
As my resources as an individual seem exhausted, I request assistance from the NMGLUG hive mind re:
tom@tom-HP-Notebook:~$ gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
gpg: Signature made Fri 07 Jun 2019 02:48:58 PM MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: Can't check signature: No public key
I'm curious where you got the /usr/local/bin/youtube-dl to verify. I tried that recently, following the directions to use

curl -L https://yt-dl.org/downloads/latest/youtube-dl -o youtube-dl

(I omitted the sudo part and ran it as a regular user) and I got a file that starts with #!/usr/bin/env python, but then the rest of it is binary data, not Python. "file" says it's Zip archive data, but unzip won't unpack it because of that Python line at the beginning. Verifying the signature seemed moot since the file wasn't usable.

I suspect Arlo's advice is probably a better bet for youtube-dl right now (even though the github README says to use curl):

Arlo Barnes writes:
If you use `git clone`, doesn't it do key-checking as part of the commit tree verification process? That's how I got my latest copy of youtube-dl...
It's a little more complicated. If you git clone, then you also have to install the package somehow. You could run

python setup.py install

as root if you're sure you trust the git repository and you're not worried about conflicting with your distro's youtube-dl package (I prefer to avoid that). Otherwise, this might work:

python setup.py install --user

I've had weird results with --user so I did what the Python experts recommend and set up a virtualenv, even though it's more steps:

python3 -m venv --system-site-packages ~/mypython3env
source ~/mypython3env/bin/activate
python setup.py install

You'll have to source ~/mypython3env/bin/activate every time you want to run youtube-dl, though. Or wait a week or two and maybe your distro will update their youtube-dl package and you won't have to go through any of this.

...Akkana
On Wed, Jun 12, 2019 at 7:45 PM Akkana Peck <akkana@shallowsky.com> wrote:
I got a file that starts with #!/usr/bin/env python, but then the rest of it is binary data, not Python. "file" says it's Zip archive data, but unzip won't unpack it because of that Python line at the beginning. Verifying the signature seemed moot since the file wasn't usable.
It's "pickled". Pickle is Python's own compression algorithm. If you just `python ./ytdl.py` it will know what to do.

It's a little more complicated. If you git clone, then you also have to install the package somehow.
How often does one download YT videos? I just run it from the terminal in whatever working directory I want the file to end up, specifying the path to the script when I do so.

Or wait a week or two and maybe your distro will update their youtube-dl package and you won't have to go through any of this.
YTDL has a fast development cycle, and I think it'll be a while before even Debian Testing (which is what came with my laptop modulo branding) gets to what is now the latest version, which by then will be 'outdated'. It is obviously no big deal to run an old version, unless that is you encounter buggy behaviour, since to report a bug to the devs (by the rules stated in `man youtubedl` anyway) you have to be running the latest stable version. I don't think there are many "wrong" ways to use non-security-critical software, but some are easier than others.

Cheers,
—Arlo
On 6/12/19 7:58 PM, Arlo Barnes wrote:
YTDL has a fast development cycle, and I think it'll be a while before even Debian Testing (which is what came with my laptop modulo branding) gets to what is now the latest version, which by then will be 'outdated'.
I get youtube-dl from backports. It has version 2019.01.17. This works perfectly for me all the time. Stretch/stable does not work at all. It's very old.

For anyone unfamiliar, backports bridges the gap between stable and testing without apt-pinning or other time-consuming solutions. https://backports.debian.org/
Bingo. But please see below. Do you think I should follow ALU's advice here, that it should or does apply with youtube-dl? (Off the top of my head I imagine I'd have to edit the PATH variable, which is something I need to get a better grasp of.)

Thanks,
Tom

On 6/12/19 9:18 PM, jason schaefer wrote:
On 6/12/19 7:58 PM, Arlo Barnes wrote:
YTDL has a fast development cycle, and I think it'll be a while before even Debian Testing (which is what came with my laptop modulo branding) gets to what is now the latest version, which by then will be 'outdated'.

I get youtube-dl from backports. It has version 2019.01.17. This works perfectly for me all the time. Stretch/stable does not work at all. It's very old. For anyone unfamiliar, backports bridges the gap between stable and testing without apt-pinning or other time-consuming solutions. https://backports.debian.org/
https://averagelinuxuser.com/how-not-to-break-your-debian-system/

"However, if you still need some program that is not available in Debian repositories, try NOT to install them system-wide. This is the first rule that will teach you how not to break Debian.

Install executable programs locally

You can make a folder /Programs/ in your home folder, and place all unofficial programs there. Many Linux programs come as executable files. So, copy program executables to the ~/Programs folder."
_______________________________________________
nmglug mailing list
nmglug@lists.nmglug.org
http://lists.nmglug.org/listinfo.cgi/nmglug-nmglug.org
Hi Tom,

Tom Ashcraft writes:
As my resources as an individual seem exhausted, I request assistance from the NMGLUG hive mind re:
tom@tom-HP-Notebook:~$ gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
gpg: Signature made Fri 07 Jun 2019 02:48:58 PM MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: Can't check signature: No public key   <----?
To check a PGP signature, GPG needs the public key corresponding to the private key the signature was made with. GPG maintains a database in your home folder of all public keys it knows. By default, it knows none; you must add them manually.
The following GPG keys will be used to sign the binaries and the git tags:
* Philipp Hagemeister   7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18
* Sergey M.             ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D
PGP public keys are uniquely identified by their fingerprints (the 40-character values listed here). These are the public keys you need to add to GPG.
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C
This is one way to add public keys to the GPG database. It contacts a key server and asks for the three public keys corresponding to the three fingerprints given.

This example is insecure though. The reason it's insecure is that it uses 8-character (32-bit) fingerprints as shorthand for the full 40-character fingerprints. Perhaps they were acceptable in the 90s, but these short fingerprints are easy to brute-force with the hardware of 2019. See: https://evil32.com/

To do this securely, then, run the command but with the full 40-character fingerprints instead:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys \
    'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D' \
    '7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18'

This will import the keys to GPG's database. (You only have to do this once per public key; next time you check the signature of youtube-dl, you won't need to reimport the public key.)

Now, the signature verifies correctly:

$ gpg --verify /tmp/youtube-dl.sig /tmp/youtube-dl
gpg: Signature made Fri Jun 7 14:48:58 2019 MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: Good signature from "Sergey M. <dstftw@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D

GPG does warn that it has no signature for the key you imported. PGP practice is to meet people in person, verify that their public keys belong to them, and sign those keys, and have other people sign your keys. This is called "Web of Trust". But it's inconvenient to meet people in person, and easy to get wrong.

In this situation, we know that Sergey's public key is really the one we want, because we got the fingerprint from a secure source: the HTTPS-protected youtube-dl homepage.
So I am comfortable marking it as a trusted key:

$ gpg --edit-key 'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D'
pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E
[ unknown] (1). Sergey M. <dstftw@gmail.com>

gpg> trust
pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E
[ unknown] (1). Sergey M. <dstftw@gmail.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC
     trust: full          validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E
[ unknown] (1). Sergey M. <dstftw@gmail.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

Now, GPG finally tells me what I want to know, that the signature is "good".

$ gpg --verify /tmp/youtube-dl.sig /tmp/youtube-dl
gpg: Signature made Fri Jun 7 14:48:58 2019 MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2019-11-01
gpg: Good signature from "Sergey M. <dstftw@gmail.com>" [ultimate]

-- 
Anthony J. Bentley
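Two things Anthony's walkthrough turns on can be scripted rather than done by hand in `gpg --edit-key`: refusing to fetch keys by an 8-character ID (the evil32 problem), and deciding "good signature" on the signer's full fingerprint rather than on the trust database. The script below is an added example by the editor, not code from the thread or from the youtube-dl project. It uses the fingerprint and key server quoted above; the lookalike fingerprint and the `[GNUPG:]` status lines are constructed samples in the shape `gpg --status-fd` emits (documented in GnuPG's doc/DETAILS), so the parsing runs offline. It also shows that the long and short key IDs gpg prints are simply the last 16 and last 8 hex digits of the fingerprint (OpenPGP v4 key IDs are the low-order bits of the fingerprint), which is exactly why a short ID is not a safe shorthand.

```shell
#!/bin/sh
# Added example (editor's code, not from the NMGLUG thread or youtube-dl).
# Pins signature verification to a full fingerprint using gpg's
# machine-readable --status-fd output instead of editing the trust database.

# Fingerprint of the signing key listed on the youtube-dl download page.
EXPECTED_FPR='ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D'

# Constructed lookalike: shares only the last 8 hex digits (the short key ID)
# with the real key, which is what an evil32-style collision key looks like.
LOOKALIKE_FPR='0000000000000000000000000000000018A9236D'

# Remove spaces and upper-case, so a fingerprint copied from a web page
# compares equal to the form gpg prints.
normalize_fpr() {
  printf '%s\n' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeed only for a full 40-hex-digit fingerprint; 8- or 16-digit IDs are refused.
is_full_fingerprint() {
  fpr=$(normalize_fpr "$1")
  case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
  [ "${#fpr}" -eq 40 ]
}

# Key IDs are the low-order bits of the fingerprint: the last 16 hex digits are
# the long ID gpg prints after "using RSA key", the last 8 are the short ID.
long_keyid_of()  { normalize_fpr "$1" | cut -c25-40; }
short_keyid_of() { normalize_fpr "$1" | cut -c33-40; }

# Fetch from the key server named in the thread, but only by full fingerprint.
import_by_fingerprint() {
  for f in "$@"; do
    is_full_fingerprint "$f" || { echo "refusing to fetch by short key ID: $f" >&2; return 1; }
  done
  gpg --keyserver hkp://keys.gnupg.net --recv-keys "$@"
}

# Read "[GNUPG:] ..." status lines on stdin. Succeed only if a VALIDSIG line
# names the expected primary-key fingerprint (its last field) and no failing
# signature status appears. gpg --verify exits 0 for a good signature by ANY
# key in the keyring, whatever its trust, so the exit status alone would not
# pin the signer.
signature_matches() {
  expected=$(normalize_fpr "$1")
  matched=1
  while IFS= read -r line; do
    case "$line" in
      '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*)
        return 1 ;;
      '[GNUPG:] VALIDSIG '*)
        primary=${line##* }          # last whitespace-separated field
        [ "$primary" = "$expected" ] && matched=0 ;;
    esac
  done
  return "$matched"
}

# Real files: verify_file youtube-dl.sig /usr/local/bin/youtube-dl "$EXPECTED_FPR"
verify_file() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | signature_matches "$3"
}

# Constructed status output (timestamp made up) in the shape gpg produces.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2C393E0F18A9236D Sergey M. <dstftw@gmail.com>
[GNUPG:] VALIDSIG ED7F5BF46B3BBED81C87368E2C393E0F18A9236D 2019-06-07 1559940538 0 4 0 1 8 00 ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

STATUS_LOOKALIKE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000018A9236D Lookalike <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000018A9236D 2019-06-07 1559940538 0 4 0 1 8 00 0000000000000000000000000000000018A9236D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2C393E0F18A9236D Sergey M. <dstftw@gmail.com>'

# Stand-alone use: ./check.sh <sig> <file> <fingerprint>
if [ $# -eq 3 ]; then
  verify_file "$1" "$2" "$3" && echo "signature OK, signed by $3"
fi
```

Run stand-alone with the three arguments, `verify_file` needs only the key to be in the keyring; it never sets trust, and a "good" signature from an imported key whose fingerprint differs from the expected one (the lookalike above, which gpg would report with the same short ID) is rejected.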
Hi,

I'll be honest: I think PGP is not worth the effort anymore. The key management is too difficult, with far too many options and ways to shoot yourself in the foot. And the software itself is too complicated for practical use.

Although I am careful to always download software over HTTPS, I don't check GPG signatures of software. I know how to do it. I've even done it from time to time. But maintaining the key database, setting trust values, rotating as keys expire, avoiding malicious fingerprints and man-in-the-middle attacks... it's just too much. The keys, typically 2048-bit or 4096-bit RSA, are far too large to verify with eyeballs, which means they can only be passed around through dedicated software, never in a tweet or on paper. I mean, look at this, the youtube-dl developer's key that I just imported:

$ gpg --export --armor ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFcJbH8BEADGy4sdmhLgGphuEsTWWWu6N4kQLD/kmqjP3Y83OG+v5iGG+vcY
XKk1t6qEYB83Pbn6EKHKLquAydqzXwY/wcapqSGbXAjt96DsCQnj5XqS7XKfo9t/
idg40QD9Nbb0HvdzIk83/tKT4hQVB+TJY9ttfmADJXtMQP6CIDInm+x/llo3p+Ih
XVNgKuLVWVciVn+ZDaq4/HrXXINGfx5+Tuzqg1cGNOIVUWno94uHQ1PKVkMK7+HQ
e0I61Tz3oXLfZTer3OjK9Cr37k/927Rvcp2Adz5zdgucMFjn2Itopux+1t6e+Q3r
fL0ttO+PTtuZmJZBklugxcjgv6MbZBrKbAVeHHPfjf6TziG++kPypmJlf2aRj1Fd
rY0VukthZNfrjAmMdUGL/HPhmt2PLAb8bqDAdIYIjUNJ7NBuG61Tv2aYvNE9fW2T
v0RAHPbVRJmKUCprWzuDFq0NAPFwMSqGw5BjOdRj8zrf7pB17R/oVGnr7Jn4iUZd
yzNCOfTPNEWdKs9Qe//nSCUfgP5XdFYP1jhmN0ADg6hXcg2mxI60li0OGVk0mbTK
rOM7TDDQSx0JuMqW4Knv6hn6R6bpAy1m7UTZjP3B9tEum6BHbLMOQ6XPgaHJVc/Z
uC+VYlnyCF/MXdJS36Pdf2c4dQiBc4UJPxnruwV8Cxt7x+KwGcsAECoJnwARAQAB
tBxTZXJnZXkgTS4gPGRzdGZ0d0BnbWFpbC5jb20+iQIcBBABAgAGBQJXds3hAAoJ
ENtLVMukgmoYN+8P/ROwsLQfldOE4c4ZOPwIYbdhXl9iBDgs7nLuruDuUmSckS2r
A9+aw6uPcCxFyqgtmsPJqMK3xDm6qLgi7KDEMNURB5z5Nyuz7jxWUY34eeRhiOx3
16TraI2xd2jUiId2LXy2kwkJP6nk/ds1AWIPoLhlzrZXo3BNMpOBlVXK38TAIHpl
jwYMns1n68rbrnCv6Tl/LANOKa3XUiHaHd3KcLJZiDi9az4yoLe396pdmQPuWRuo
b9ut5Rv12EVJzO3wCsbNkVEHTYxgi7QhmCuOIiCkTDDyHLlzNCEvv6OgKxjtEjrO
afJae0fgliusszeum4ybf6z7h0+vpqrwd/L3en3sZirD5RfehS5JSQAKVSlYXiTn
x7DGwOStUrth4e9LiIxU/JXKorcceHO6IrHgdg61A0+a1Nm3V7vm6QFa+IDEctq4
rS1bTQNY+PiGDBO/B14B2nHvrpyij/v5Y5QYkBsRLtOqv5UbWbqdCjCRpwRsusco
UXuHGOa8cVxqzmK/Vnek0Uf2PCpuZs+94PpehBIRyqEPmAiFVFmXVIw1/+72GUWL
SoWjVJvlqFW0zgjdKVw+Kxyw4e2yyrYkaCQ5NxvYcxsN0V0wgc2nQTv8TdiYr7nY
MPodjdje/ip4Gk7504OGKKo8Y1pgJ9/Kl97c+UjiXpE03AX0HNSLrxpUY87liQIz
BBABCAAdFiEEI4/MRryZouhu7mI9cU1Unl62JAAFAljI4eQACgkQcU1Unl62JAAs
tg//U7VvdLwYpWfzAupbEKabXTNh8fcCy2dBr/RiTNQWPs69TDuYj4wtPRTvCHfq
m24BWpWu3/0CWSl+Ka7Hy0/qINMR0F+GfpslrvYB44P9qqfPQzFoGXK3UnOZ3q+K
cgp1SodyUPbmazmAjlolTuQi8x9kNCbpU74Hyh2lo14gJmDmLgaRN0t/7p8PsRtH
DQ8a3YUKXC2SDAxQWvLMFDJQ8Y3fsqxwdlV70mhrBZ7Uz6qy4R0ipNhR4SLsd4ZN
vsOcTUCA0kh8QoBuXHIlrw1qG3oQo7Ij9BmksH/9UUBDp4IUpnsyGKZ2m7oGyZhk
lCIy/gFjr2gjTf5+GDIq4fl80ds3UsfDkXST4CNBwzcWVClgs1sZnanJtnDIRx9e
8o46wLsQGR7e2C5+QPltaWkdpYxjvz0fsV9SnJonOpAec4FIOMeQx5QpR4tynvYy
Kg/MBuT1V2E694vGiLgOUe6RC8KeGm4kWy20RVn5UwQ1s+xAl+exyau8BJPEtk4E
gDAKfqfvjx4ls4TEKch5DgigV5Xj6ZrzX0uo9eYnqVgPKKG4wy37SEwh7Hf42F8j
pDCBaRbPkHmhisW5Krz9Z15YLUymFZv6GwUJP8p+HfS1DUDros/NECLlhEQw4Ziu
vK9iLh7V5NIKfggqx0Mm7bNOJomdyKgUtC5lnXg4O4ZMRGeJAjMEEAEKAB0WIQQ4
o8HG657ldT/VGb7npswWjDVbeAUCXH59CAAKCRDnpswWjDVbeNDfEACUAPsh5hGp
Y6JGA+BENJIK8WpD30nuP4W5qSc3IFO2Vcoq1JWzFsF042n92lKGzh+QfwgNd9Xd
3etD5H1Pyjkf99hTY8GhkudRvTD6UdBND93M1SQyKW3Hbh5Zbg5Yk+pxeCq+qN9N
r+EhZIkzbQ+w6U6za+sLKGL7d4VXJN2cIdsf5715Btd2bw/4bHYQwqpNxlvM5csL
GKNYO1q4gOICeh70inVQSaC+Ngxw0XVYLQ6g82yXuJkIh1Ql69/J73RM9ykKvATg
1eEnA5DWJ3S3dM4WE3wKsMP+n30NHsUaO616yu7/8r7g+86/zlpd7OV8FjNe3OVI
Xmofe5nI3it4tzeKBRP5JbfhmJ1RJNAWpqvQ3daXJVqb5h2TTn0dvk5zWOYuCWzk
fG/Z3NiNI3nPFU3xgojYslyuBgcGzoZPP7YygjqXqUaV1Nh0OWaYQfVBcHELqPMz
KiEdKsyhv0jhmVQcNueXYeNRH/2EmD2QDaC57G1bQ9QEbIZGJjL5noNxuyZVg0qw
6gbRE4WJtvmy3l/mKjnzvI99JzcwyEF4AiT5Ppj9lgkRRkQh3PBFxPqEMLWxQEOT
Z9klt8yIrcGJ0kwG6u3E3V+m1KDMumlrnVExMlGJoXtcUoUvUNBbPwWWALl0oYFc
N9UsnkKAIvgkdIv2vfT2/FrmLLfOTyzFDIkCOAQTAQIAIgUCVwlsfwIbAwYLCQgH
AwIGFQgCCQoLBBYCAwECHgECF4AACgkQLDk+DxipI2317BAAjk+LBazvGok8MsW+
GhfsOyvQpZLymOoCsLn4WhGT5LdVTI2fSpdJFJY5fdq36d53yNCsDaFzMOKGwRKu
VUh2tI+s4/SYGZNZOVorXXycIuaGepU252XDaKcziCP65GcXz5avPi3y7MSpTI1c
U/PDS99W3iE8ageW1j4E8PqAadVIyszCxlBDDQCa+wD3c0kNTJqOEuPsKtugN/h/
OHUF0gfWyxdSGvseKShPHxG+JWKF1Mh9UAHqd10N2L9XUsj3G2FFnMKKwmXPLtp8
LmVqhl6/OC2xAMZlcWoIiJAafwKYSI8whYg5KxoNtkRwkPhKtEE19arsvil6OYNW
cAs46lbXz2Len/EelGJKNOVIXqEvgy14GV3KaTQ0ZCpwC6q6S7racxvRFBiYv4g3
Z21KJ8aqfqeKifFxtl4QNiQQuUuUwGugIml8lpGZkeufMfwnXh3blaDnj6KHWAqE
e5bYvg5AY5zCDQn8PadC4hjqtFZHghtzm35ktAO3GDCpWM2birIDIowLtTT4R+FE
9CXyoN23LTiyxCZ/kELsMhO9Oy3qYDxATDdYfCxJexg6VnrwH/DjW6NNJTEY5EX3
GxU+aEvq8I9EyDEcmkBAug/CeJKvKJP2E93gumfXz6yXUXx2v23jiTmmsE8n6Nn9
fTKwNxDzDEX4t/CCYcicjjjXFv+5Ag0EVwlsfwEQAL3coGpBOTaSck3jd9jnZXLZ
Du5Du8ZUay0t5RXYCXTR9oCDYR92qht5AGKB2vgWnN0viBrcfuTkjNU1/bUTILrV
xnDm5hquTlvNUNn85imAYZWP59HlUdnnFwYKhr11ay8yRiDn29DL7oFtpj0EyjEe
meXZV6Yeu6pQp9AWnbDNyUsgdfJHrUo8GeaswXXOKQTVC0c6nSbpmmIm7GldyLwM
1kd21OXo7dRisrBarcad2/kggywicmg9bYt9RHkAjuPE2k7eetFegkKO9mBpMCxq
H6Gmsx7v9aT7EbgBWxVQylFSXxR2+TwQ9t3jqf2V3RzfTlFH29yn56eXfp7CqFx2
rt0ZlAY9JGoIiFxmQLZo5nvgBIZ3SObYeOVRAB4CqppDi+qypSYzL/cY+XprX/vT
IbOYrZB2fMaJQuKtxi7+rhQt9Z+LOWgiD52osWfnXZCTB92ScGooKYFhDWB3n8CW
fNVS5JmoIb5AsTLuLJyk77xcJLTiVPK+2zEO43ITbaAkYCTBH3GpYIiCDQ5DV8J6
libPBKBoLLNZB2Am2AMyjyZGd/6Ulv+pCCPL+55M2t9mpMePSk9FoMOXROI9DPqO
HCH6httyd0Fm8CLpZdD6OLhRtQ4vtWJe39xvLmNkf1U2tM+TwNW2UWtr8YZ7DWVY
LE5LLPHW5WoyyzGWJ8jJABEBAAGJAh8EGAECAAkFAlcJbH8CGwwACgkQLDk+Dxip
I221og/+Oqma0UzbLfliHBXRHOaaCvyU3eD4jgTweqO4LCpCKGwRBvg7Kx20FM7U
0XGQudNDUNsYw871LSnGDkOhK7PSMoNOR4iFyI5XCW1P0XcYad6WV3sUeKmrLq1H
y/1r+0NmFMI6WXtMAqjg4G4QLdlTZVs8fVMKw8B3FsKCyigIxqC4QbmpcwLxLG5I
0HQU/G1HlQyHf0tV5QVmI3O+Rr5xYyXabxLsejtqArLSYzihxG/rF78ejeov5Rwc
kdb5K5FKRwx2kTnEkzxeOt9uoaAyz3ALiMv/A+FFCXMI5g3y+HOL2AXR4tXI5M2D
9Am2jvA7jmGdJMnDYAgI+IDniaEWm37/ztmxoLJpqFuLlgBgA+3rQBYoLtgSpalq
iX2ofwAbx6icA617rv2sO4DqVWPwRo91DVQ5aTNG/iqXpjfzGCKvVvM5mkpKxnmE
G73h5Vz/f8Gu8/NMtnz99wVxWc465jPdxSAI3Kq4DSEFJdRVHEMKJiDJBv7wK6ub
c3ICwHVDhzKf25/WX5P2rMBa198bZPjaPoePAd1coGR+iC6Z9hF5RTMaNbNfeYUf
d1NndLjvrYwFtvtdTQ1jB/BH0FSoe0dhENibuhihCUu3Gz6RTu0zcK7L4HzoklXe
33lFX3MPse+YEK76ZuJF60o+tXmYsT1HI/cYW8fMRoraDfFX9KE=
=HnNk
-----END PGP PUBLIC KEY BLOCK-----

How am I supposed to explain to people the difference between trusted keys, untrusted keys, public keys, private keys, secure fingerprints, and insecure fingerprints?

I try to read the GPG manpage. It takes well over 150 page-downs in my terminal to reach the end. And at the end, it says I'm not even reading the right manual, and I should be reading the info page instead!

https://manpages.debian.org/stretch/gnupg2/gpg2.1.en.html

How on earth are people supposed to understand this stuff without being intimately acquainted with how all the pieces fit together? I *do* understand it, and I can't stand to use it.

OpenBSD got it right. Look at the documentation for signify, their equivalent to GPG that they use for OS and package signing:

https://man.openbsd.org/signify.1

See how concise that manual is. It starts with an overview of the four major operations (generate keys, sign, verify, batch verify).

Look at the size of a signify key:

$ cat /etc/signify/openbsd-66-base.pub
untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn

That's the whole key! No database to keep track of. No fingerprint. The entire key could fit in a tweet, or be transcribed from paper. OpenBSD used to print the key on the CDs, back when they sold CDs.

Unfortunately, the only major piece of software I know of that's signed with signify is OpenBSD itself. It boggles my mind that GPG with all its hideous inscrutable complication is the status quo. How can we encrypt the world when this is the most widespread crypto available?

That's my frustrated rant of the day...

-- 
Anthony J. Bentley
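To make the size comparison concrete, the following added example (editor's code, not from the thread or from OpenBSD) decodes the signify public key Anthony quotes. A signify key file is a comment line followed by one base64 line, and the decoded payload is fixed-layout: a 2-byte algorithm tag ("Ed"), an 8-byte key number that a signature carries so the verifier can tell which key it was made with, and the 32-byte Ed25519 public key itself. The only input is the key text exactly as quoted above, so it runs offline; it needs `base64` and `od`.

```shell
#!/bin/sh
# Added example (editor's code, not from the NMGLUG thread or OpenBSD):
# take apart a signify public key to see what "the whole key" contains.

# Input: the OpenBSD 6.6 base public key exactly as quoted in the thread.
SIGNIFY_PUBKEY='untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn'

# Hex-dump the decoded base64 payload (second line of the key file) as one
# string with no spaces or newlines.
signify_key_hex() {
  printf '%s\n' "$1" | sed -n '2p' | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Total decoded size in bytes: 2 + 8 + 32 = 42, which base64 turns into the
# 56 characters shown above.
signify_key_bytes() {
  h=$(signify_key_hex "$1")
  echo $(( ${#h} / 2 ))
}

# Bytes 1-2: algorithm tag, hex 4564 = ASCII "Ed" (Ed25519).
signify_key_alg() { signify_key_hex "$1" | cut -c1-4; }

# Bytes 3-10: the random key number. A signify signature embeds the same 8
# bytes, and signify refuses to verify if they do not match the key given
# with -p. This is the closest thing signify has to a fingerprint, and it is
# never used as a shorthand for fetching keys.
signify_key_keynum() { signify_key_hex "$1" | cut -c5-20; }

# Bytes 11-42: the actual 32-byte Ed25519 public key.
signify_key_pubkey() { signify_key_hex "$1" | cut -c21-84; }

# Stand-alone use: print the layout of the quoted key.
if [ $# -eq 0 ] && [ -t 1 ]; then
  echo "bytes:   $(signify_key_bytes "$SIGNIFY_PUBKEY")"
  echo "alg:     $(signify_key_alg "$SIGNIFY_PUBKEY")"
  echo "keynum:  $(signify_key_keynum "$SIGNIFY_PUBKEY")"
  echo "pubkey:  $(signify_key_pubkey "$SIGNIFY_PUBKEY")"
fi
```

Against the 4096-bit RSA certificate above (thousands of bytes of key material, user ID and third-party certification packets), the entire trust decision for a signify key comes down to obtaining those 42 bytes from a source you believe, after which `signify -V -p key.pub -x file.sig -m file` either passes or fails with no trust database involved.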
Thank you all for the very productive replies,

In addition to my broadened perspective, I'm certain I've been saved hours of wasted time. It is so very helpful to me to be provided with contextually appropriate real-world examples of how things are supposed to work. Anthony supplied the piece of the puzzle that I was missing:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys \
    'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D' \
    '7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18'

How I got into this was that more than a year ago in my (ongoing) condition of "knowing just about enough to be dangerous" I managed to install youtube-dl but wasn't really aware of how the distribution repositories and update processes were supposed to work. I'd notice messages of 'unsigned something or other' when booting, and with increasing frequency various videos I wanted would fail to download. At some point I'd heed an error message and update/reinstall in haphazard fashion. This time around I have a bit more comprehension of housekeeping and hygiene. (Thanks in no small part to people in NMGLUG.)

Given what Anthony writes below, I presume he would agree that getting a good signature (as I have now done) is probably worth the effort, but that the "web of trust" procedures are a bit beyond reasonable and practical for casual use of the Linux desktop.

Until the Revolution or the Great Simplification (whichever comes first), over and out,
Tom

On 6/12/19 7:41 PM, Anthony J. Bentley wrote:
Hi,
I'll be honest: I think PGP is not worth the effort anymore. The key management is too difficult, with far too many options and ways to shoot yourself in the foot. And the software itself is too complicated for practical use.
Although I am careful to always download software over HTTPS, I don't check GPG signatures of software. I know how to do it. I've even done it from time to time. But maintaining the key database, setting trust values, rotating as keys expire, avoiding malicious fingerprints and man-in-the-middle attacks... it's just too much. The keys, typically 2048-bit or 4096-bit RSA, are far too large to verify with eyeballs, which means they can only be passed around through dedicated software, never in a tweet or on paper. I mean, look at this, the youtube-dl developer's key that I just imported:
$ gpg --export --armor ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFcJbH8BEADGy4sdmhLgGphuEsTWWWu6N4kQLD/kmqjP3Y83OG+v5iGG+vcY
XKk1t6qEYB83Pbn6EKHKLquAydqzXwY/wcapqSGbXAjt96DsCQnj5XqS7XKfo9t/
idg40QD9Nbb0HvdzIk83/tKT4hQVB+TJY9ttfmADJXtMQP6CIDInm+x/llo3p+Ih
XVNgKuLVWVciVn+ZDaq4/HrXXINGfx5+Tuzqg1cGNOIVUWno94uHQ1PKVkMK7+HQ
e0I61Tz3oXLfZTer3OjK9Cr37k/927Rvcp2Adz5zdgucMFjn2Itopux+1t6e+Q3r
fL0ttO+PTtuZmJZBklugxcjgv6MbZBrKbAVeHHPfjf6TziG++kPypmJlf2aRj1Fd
rY0VukthZNfrjAmMdUGL/HPhmt2PLAb8bqDAdIYIjUNJ7NBuG61Tv2aYvNE9fW2T
v0RAHPbVRJmKUCprWzuDFq0NAPFwMSqGw5BjOdRj8zrf7pB17R/oVGnr7Jn4iUZd
yzNCOfTPNEWdKs9Qe//nSCUfgP5XdFYP1jhmN0ADg6hXcg2mxI60li0OGVk0mbTK
rOM7TDDQSx0JuMqW4Knv6hn6R6bpAy1m7UTZjP3B9tEum6BHbLMOQ6XPgaHJVc/Z
uC+VYlnyCF/MXdJS36Pdf2c4dQiBc4UJPxnruwV8Cxt7x+KwGcsAECoJnwARAQAB
tBxTZXJnZXkgTS4gPGRzdGZ0d0BnbWFpbC5jb20+iQIcBBABAgAGBQJXds3hAAoJ
ENtLVMukgmoYN+8P/ROwsLQfldOE4c4ZOPwIYbdhXl9iBDgs7nLuruDuUmSckS2r
A9+aw6uPcCxFyqgtmsPJqMK3xDm6qLgi7KDEMNURB5z5Nyuz7jxWUY34eeRhiOx3
16TraI2xd2jUiId2LXy2kwkJP6nk/ds1AWIPoLhlzrZXo3BNMpOBlVXK38TAIHpl
jwYMns1n68rbrnCv6Tl/LANOKa3XUiHaHd3KcLJZiDi9az4yoLe396pdmQPuWRuo
b9ut5Rv12EVJzO3wCsbNkVEHTYxgi7QhmCuOIiCkTDDyHLlzNCEvv6OgKxjtEjrO
afJae0fgliusszeum4ybf6z7h0+vpqrwd/L3en3sZirD5RfehS5JSQAKVSlYXiTn
x7DGwOStUrth4e9LiIxU/JXKorcceHO6IrHgdg61A0+a1Nm3V7vm6QFa+IDEctq4
rS1bTQNY+PiGDBO/B14B2nHvrpyij/v5Y5QYkBsRLtOqv5UbWbqdCjCRpwRsusco
UXuHGOa8cVxqzmK/Vnek0Uf2PCpuZs+94PpehBIRyqEPmAiFVFmXVIw1/+72GUWL
SoWjVJvlqFW0zgjdKVw+Kxyw4e2yyrYkaCQ5NxvYcxsN0V0wgc2nQTv8TdiYr7nY
MPodjdje/ip4Gk7504OGKKo8Y1pgJ9/Kl97c+UjiXpE03AX0HNSLrxpUY87liQIz
BBABCAAdFiEEI4/MRryZouhu7mI9cU1Unl62JAAFAljI4eQACgkQcU1Unl62JAAs
tg//U7VvdLwYpWfzAupbEKabXTNh8fcCy2dBr/RiTNQWPs69TDuYj4wtPRTvCHfq
m24BWpWu3/0CWSl+Ka7Hy0/qINMR0F+GfpslrvYB44P9qqfPQzFoGXK3UnOZ3q+K
cgp1SodyUPbmazmAjlolTuQi8x9kNCbpU74Hyh2lo14gJmDmLgaRN0t/7p8PsRtH
DQ8a3YUKXC2SDAxQWvLMFDJQ8Y3fsqxwdlV70mhrBZ7Uz6qy4R0ipNhR4SLsd4ZN
vsOcTUCA0kh8QoBuXHIlrw1qG3oQo7Ij9BmksH/9UUBDp4IUpnsyGKZ2m7oGyZhk
lCIy/gFjr2gjTf5+GDIq4fl80ds3UsfDkXST4CNBwzcWVClgs1sZnanJtnDIRx9e
8o46wLsQGR7e2C5+QPltaWkdpYxjvz0fsV9SnJonOpAec4FIOMeQx5QpR4tynvYy
Kg/MBuT1V2E694vGiLgOUe6RC8KeGm4kWy20RVn5UwQ1s+xAl+exyau8BJPEtk4E
gDAKfqfvjx4ls4TEKch5DgigV5Xj6ZrzX0uo9eYnqVgPKKG4wy37SEwh7Hf42F8j
pDCBaRbPkHmhisW5Krz9Z15YLUymFZv6GwUJP8p+HfS1DUDros/NECLlhEQw4Ziu
vK9iLh7V5NIKfggqx0Mm7bNOJomdyKgUtC5lnXg4O4ZMRGeJAjMEEAEKAB0WIQQ4
o8HG657ldT/VGb7npswWjDVbeAUCXH59CAAKCRDnpswWjDVbeNDfEACUAPsh5hGp
Y6JGA+BENJIK8WpD30nuP4W5qSc3IFO2Vcoq1JWzFsF042n92lKGzh+QfwgNd9Xd
3etD5H1Pyjkf99hTY8GhkudRvTD6UdBND93M1SQyKW3Hbh5Zbg5Yk+pxeCq+qN9N
r+EhZIkzbQ+w6U6za+sLKGL7d4VXJN2cIdsf5715Btd2bw/4bHYQwqpNxlvM5csL
GKNYO1q4gOICeh70inVQSaC+Ngxw0XVYLQ6g82yXuJkIh1Ql69/J73RM9ykKvATg
1eEnA5DWJ3S3dM4WE3wKsMP+n30NHsUaO616yu7/8r7g+86/zlpd7OV8FjNe3OVI
Xmofe5nI3it4tzeKBRP5JbfhmJ1RJNAWpqvQ3daXJVqb5h2TTn0dvk5zWOYuCWzk
fG/Z3NiNI3nPFU3xgojYslyuBgcGzoZPP7YygjqXqUaV1Nh0OWaYQfVBcHELqPMz
KiEdKsyhv0jhmVQcNueXYeNRH/2EmD2QDaC57G1bQ9QEbIZGJjL5noNxuyZVg0qw
6gbRE4WJtvmy3l/mKjnzvI99JzcwyEF4AiT5Ppj9lgkRRkQh3PBFxPqEMLWxQEOT
Z9klt8yIrcGJ0kwG6u3E3V+m1KDMumlrnVExMlGJoXtcUoUvUNBbPwWWALl0oYFc
N9UsnkKAIvgkdIv2vfT2/FrmLLfOTyzFDIkCOAQTAQIAIgUCVwlsfwIbAwYLCQgH
AwIGFQgCCQoLBBYCAwECHgECF4AACgkQLDk+DxipI2317BAAjk+LBazvGok8MsW+
GhfsOyvQpZLymOoCsLn4WhGT5LdVTI2fSpdJFJY5fdq36d53yNCsDaFzMOKGwRKu
VUh2tI+s4/SYGZNZOVorXXycIuaGepU252XDaKcziCP65GcXz5avPi3y7MSpTI1c
U/PDS99W3iE8ageW1j4E8PqAadVIyszCxlBDDQCa+wD3c0kNTJqOEuPsKtugN/h/
OHUF0gfWyxdSGvseKShPHxG+JWKF1Mh9UAHqd10N2L9XUsj3G2FFnMKKwmXPLtp8
LmVqhl6/OC2xAMZlcWoIiJAafwKYSI8whYg5KxoNtkRwkPhKtEE19arsvil6OYNW
cAs46lbXz2Len/EelGJKNOVIXqEvgy14GV3KaTQ0ZCpwC6q6S7racxvRFBiYv4g3
Z21KJ8aqfqeKifFxtl4QNiQQuUuUwGugIml8lpGZkeufMfwnXh3blaDnj6KHWAqE
e5bYvg5AY5zCDQn8PadC4hjqtFZHghtzm35ktAO3GDCpWM2birIDIowLtTT4R+FE
9CXyoN23LTiyxCZ/kELsMhO9Oy3qYDxATDdYfCxJexg6VnrwH/DjW6NNJTEY5EX3
GxU+aEvq8I9EyDEcmkBAug/CeJKvKJP2E93gumfXz6yXUXx2v23jiTmmsE8n6Nn9
fTKwNxDzDEX4t/CCYcicjjjXFv+5Ag0EVwlsfwEQAL3coGpBOTaSck3jd9jnZXLZ
Du5Du8ZUay0t5RXYCXTR9oCDYR92qht5AGKB2vgWnN0viBrcfuTkjNU1/bUTILrV
xnDm5hquTlvNUNn85imAYZWP59HlUdnnFwYKhr11ay8yRiDn29DL7oFtpj0EyjEe
meXZV6Yeu6pQp9AWnbDNyUsgdfJHrUo8GeaswXXOKQTVC0c6nSbpmmIm7GldyLwM
1kd21OXo7dRisrBarcad2/kggywicmg9bYt9RHkAjuPE2k7eetFegkKO9mBpMCxq
H6Gmsx7v9aT7EbgBWxVQylFSXxR2+TwQ9t3jqf2V3RzfTlFH29yn56eXfp7CqFx2
rt0ZlAY9JGoIiFxmQLZo5nvgBIZ3SObYeOVRAB4CqppDi+qypSYzL/cY+XprX/vT
IbOYrZB2fMaJQuKtxi7+rhQt9Z+LOWgiD52osWfnXZCTB92ScGooKYFhDWB3n8CW
fNVS5JmoIb5AsTLuLJyk77xcJLTiVPK+2zEO43ITbaAkYCTBH3GpYIiCDQ5DV8J6
libPBKBoLLNZB2Am2AMyjyZGd/6Ulv+pCCPL+55M2t9mpMePSk9FoMOXROI9DPqO
HCH6httyd0Fm8CLpZdD6OLhRtQ4vtWJe39xvLmNkf1U2tM+TwNW2UWtr8YZ7DWVY
LE5LLPHW5WoyyzGWJ8jJABEBAAGJAh8EGAECAAkFAlcJbH8CGwwACgkQLDk+Dxip
I221og/+Oqma0UzbLfliHBXRHOaaCvyU3eD4jgTweqO4LCpCKGwRBvg7Kx20FM7U
0XGQudNDUNsYw871LSnGDkOhK7PSMoNOR4iFyI5XCW1P0XcYad6WV3sUeKmrLq1H
y/1r+0NmFMI6WXtMAqjg4G4QLdlTZVs8fVMKw8B3FsKCyigIxqC4QbmpcwLxLG5I
0HQU/G1HlQyHf0tV5QVmI3O+Rr5xYyXabxLsejtqArLSYzihxG/rF78ejeov5Rwc
kdb5K5FKRwx2kTnEkzxeOt9uoaAyz3ALiMv/A+FFCXMI5g3y+HOL2AXR4tXI5M2D
9Am2jvA7jmGdJMnDYAgI+IDniaEWm37/ztmxoLJpqFuLlgBgA+3rQBYoLtgSpalq
iX2ofwAbx6icA617rv2sO4DqVWPwRo91DVQ5aTNG/iqXpjfzGCKvVvM5mkpKxnmE
G73h5Vz/f8Gu8/NMtnz99wVxWc465jPdxSAI3Kq4DSEFJdRVHEMKJiDJBv7wK6ub
c3ICwHVDhzKf25/WX5P2rMBa198bZPjaPoePAd1coGR+iC6Z9hF5RTMaNbNfeYUf
d1NndLjvrYwFtvtdTQ1jB/BH0FSoe0dhENibuhihCUu3Gz6RTu0zcK7L4HzoklXe
33lFX3MPse+YEK76ZuJF60o+tXmYsT1HI/cYW8fMRoraDfFX9KE=
=HnNk
-----END PGP PUBLIC KEY BLOCK-----
How am I supposed to explain to people the difference between trusted keys, untrusted keys, public keys, private keys, secure fingerprints, and insecure fingerprints?
I try to read the GPG manpage. It takes well over 150 page-downs in my terminal to reach the end. And at the end, it says I'm not even reading the right manual, and I should be reading the info page instead!
https://manpages.debian.org/stretch/gnupg2/gpg2.1.en.html
How on earth are people supposed to understand this stuff without being intimately acquainted with how all the pieces fit together? I *do* understand it, and I can't stand to use it.
OpenBSD got it right. Look at the documentation for signify, their equivalent to GPG that they use for OS and package signing:
https://man.openbsd.org/signify.1
See how concise that manual is. It starts with an overview of the four major operations (generate keys, sign, verify, batch verify).
Look at the size of a signify key:
$ cat /etc/signify/openbsd-66-base.pub
untrusted comment: openbsd 6.6 base public key
RWSvK/c+cFe24BIalifKnqoqdvLlXfeZ9MIj3MINndNeKgyYw5PpcWGn
That's the whole key! No database to keep track of. No fingerprint. The entire key could fit in a tweet, or be transcribed from paper. OpenBSD used to print the key on the CDs, back when they sold CDs.
Unfortunately, the only major piece of software I know of that's signed with signify is OpenBSD itself. It boggles my mind that GPG with all its hideous inscrutable complication is the status quo. How can we encrypt the world when this is the most widespread crypto available?
That's my frustrated rant of the day...
participants (5)

- Akkana Peck
- Anthony J. Bentley
- Arlo Barnes
- jason schaefer
- Tom Ashcraft