This repository has been archived by the owner. It is now read-only.

The GPG key is missing from common keyservers #143

Closed
miroR opened this Issue Jan 31, 2017 · 5 comments

miroR commented Jan 31, 2017

I checked with gnupg-users:
https://lists.gnupg.org/pipermail/gnupg-users/2017-January/057582.html
and it appears your key is not on servers like:
hkp://pgp.mit.edu and hkp://pool.sks-keyservers.net
If that is so, it should really be good to upload it to any of those pre-github-requiring-public-key-upload servers. Else (again, if that is so), trying to verify a tag or commit fails once a user clones your repo.

LATER NOTE: To clarify what I mean by

else ... trying to verify tag or commit fails once a user clones your repo

It may even be possible (I don't know if it is) to get your public PGP key from github, but I think it is wrong to rely on Github only for all the crypto verifications. And the community keyservers should be the first option available to Github users, as to any other users.
And if I can't get the key from those, this is what happens:

/where-I-cloned-it/decentraleyes $ git verify-commit  560b68932c524736e2b4861fb335966b4262ff90
gpg: Signature made Fri 27 Jan 2017 13:41:09 CET
gpg:                using RSA key CECC45E1E979013C
gpg: Can't check signature: No public key
/where-I-cloned-it/decentraleyes $ 

LATER NOTE END.

Regards!

@Synzvato Synzvato added the observation label Feb 2, 2017

@Synzvato Synzvato changed the title from PGP key not on (usual) keyservers to The GPG key is missing from common keyservers Feb 2, 2017

Owner

Synzvato commented Feb 2, 2017

Many thanks for sharing your concerns! I have since submitted the key. Please try to fetch the key from pool.sks-keyservers.net using the command below, and feel free to let me know if it works.

gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C

To anyone interested in this verification method, use this command to mark the key as trustworthy:

gpg --edit-key CECC45E1E979013C trust

miroR commented Feb 5, 2017

I finally managed to fetch your key from the keyservers. I'll ask about the issues I had on the GnuPG mailing list, in the thread linked above.
But this is how it looks now (not familiar with markdown, but bear in mind this is just plaintext terminal output originally):

~/decentraleyes $ git log -3
commit 560b689
Author: Thomas Rientjes synzvato@protonmail.com
Date: Fri Jan 27 13:41:08 2017 +0100

Update undetectable tainted domains 

commit 0a664f7
Merge: 8124fe1 28b194b
Author: Thomas Synzvato@users.noreply.github.com
Date: Thu Jan 26 23:05:42 2017 +0100

Apply a minor change to the Dutch localization 
 
Apply a minor change to the Dutch localization 

commit 8124fe1
Merge: 524981b 0428534
Author: Thomas Synzvato@users.noreply.github.com
Date: Thu Jan 26 17:26:48 2017 +0100

Implement support for Pale Moon v27.1 and higher 
 
Implement support for Pale Moon v27.1 and higher 

~/decentraleyes $ git verify-commit 560b689
gpg: Signature made Fri 27 Jan 2017 13:41:09 CET
gpg: using RSA key CECC45E1E979013C
gpg: Good signature from "Thomas Rientjes synzvato@protonmail.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A6B7 BA10 893F E67E E17A 9F8F CECC 45E1 E979 013C
~/decentraleyes $

The issue of inability to successfully just plain "gpg --recv-key CECC45E1E979013C" is for GnuPG because your key (and another one) wouldn't download with plain standard (non-obfuscated) HKP, but only via port 9050 (the Tor port)...

Great to see people understanding how important verification is!
Thanks for the nice extension/plugin... But still no luck deploying it (https://forum.palemoon.org/viewtopic.php?f=46&t=10280&p=105006#p105163 --but I'm sure that will change/I'm sure I will learn; whatever the cause of the non-deployment in my machine)...

Bisaloo commented Feb 6, 2017

@miroR, are you sure you didn't change your settings somewhere and that's what's causing this behaviour?

gpg --keyserver hkp://pool.sks-keyservers.net --recv-key E979013C

works fine for me!

miroR commented Feb 6, 2017

Sure, it should work for everybody, now...
$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-key E979013C
gpg: key CECC45E1E979013C: "Thomas Rientjes <synzvato@protonmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$
Just happened: Mon 6 Feb 18:27:52 CET 2017
...
But I've done more research, not pertaining to decentraleyes, but GnuPG, so can't go on about it here, and also, I've not completed the queries for GnuPG mailing list.
BTW, once I do it it should be in that thread linked at the top, in case I don't return within a few days from now...
...
But I have to mention one thing. According to this guy, who is at the least an advanced user but probably a developer, and according to this post of his (never mind the title, just...):
Receiving keys as root user
https://lists.gt.net/gnupg/users/68890#68890
...Never mind the title, just this recommendation:

btw, i strongly recommend against using short Key IDs as described
above ("--recv-keys EAE999BD") -- these are trivial to spoof, and using
them as you do above makes it quite likely that you'll pull in keys from
the keyservers that you do not want in your package manager's trusted list.

It really is better to use:
gpg --recv-key CECC45E1E979013C
( also with the --keyserver hkp://pool.sks-keyservers.net or some other keyserver, is just fine, but it's not needed here, it's in the conf here ).
Remember those numbers like EAE999BD may be thousands of billions in decimal, but even those are nowadays (and that post is from 2014) still small change for Quantum PC's used by big surveilling subjects...
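The two checks this thread converges on, fetching by the full key ID and then pinning the full 40-hex-digit fingerprint (rather than the short ID, or only the interactive `--edit-key ... trust` step) when a commit signature is verified, as an added shell example that is not part of Decentraleyes or of any commenter's post. The sample gpg output is copied from the terminal sessions quoted above; the `--raw` handling assumes gpg's `[GNUPG:] VALIDSIG` status-line format, whose last field is the primary key fingerprint.

```shell
# Added example, not the project's code: pin the signer's full fingerprint
# instead of a short key ID when checking a commit signature.
# The fingerprint gpg printed in this thread; both key IDs are just its suffix.
EXPECTED_FPR="A6B7 BA10 893F E67E E17A 9F8F CECC 45E1 E979 013C"

# Strip spaces and uppercase so "a6b7 ba10 ..." and "A6B7BA10..." compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }
# Short ID = last 32 bits (8 hex digits), long ID = last 64 bits (16 digits).
short_id() { norm_fpr "$1" | tail -c 8; }
long_id()  { norm_fpr "$1" | tail -c 16; }

# check_verify_output OUTPUT EXPECTED_FPR: OUTPUT is what `git verify-commit`
# (or `gpg --verify`) wrote, in the human-readable form shown in this issue or
# as `--raw` status lines. Succeeds only for a good signature by the pinned key.
check_verify_output() {
    out="$1"; want=$(norm_fpr "$2")
    case "$out" in
        *"Can't check signature"*) echo "FAIL: signer key not in keyring"; return 2 ;;
        *"BAD signature"*)         echo "FAIL: bad signature"; return 3 ;;
        *"Good signature"*|*"VALIDSIG"*) ;;
        *) echo "FAIL: no good signature found"; return 4 ;;
    esac
    # Fingerprint source: the primary-key fingerprint (last field) of a VALIDSIG
    # status line, or the "Primary key fingerprint:" line. gpg omits the latter
    # once the key is marked trusted, so `--raw` is the more reliable form.
    got=$(printf '%s\n' "$out" | sed -n \
        -e 's/^\[GNUPG:] VALIDSIG .* \([0-9A-Fa-f][0-9A-Fa-f]*\) *$/\1/p' \
        -e 's/^ *Primary key fingerprint: *//p' | head -n 1)
    got=$(norm_fpr "$got")
    [ -n "$got" ] || { echo "FAIL: no fingerprint in output"; return 5; }
    [ "$got" = "$want" ] || { echo "FAIL: fingerprint mismatch: $got"; return 6; }
    echo "OK: good signature from pinned key $want"
}

# Constructed samples, copied from the terminal sessions quoted in this issue.
NO_KEY_OUTPUT="gpg: Signature made Fri 27 Jan 2017 13:41:09 CET
gpg:                using RSA key CECC45E1E979013C
gpg: Can't check signature: No public key"
GOOD_OUTPUT="gpg: Signature made Fri 27 Jan 2017 13:41:09 CET
gpg:                using RSA key CECC45E1E979013C
gpg: Good signature from \"Thomas Rientjes <synzvato@protonmail.com>\" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: A6B7 BA10 893F E67E E17A 9F8F CECC 45E1 E979 013C"

main() {
    echo "short ID $(short_id "$EXPECTED_FPR"), long ID $(long_id "$EXPECTED_FPR")"
    check_verify_output "$NO_KEY_OUTPUT" "$EXPECTED_FPR" || echo "(rejected, status $?)"
    check_verify_output "$GOOD_OUTPUT" "$EXPECTED_FPR"
}
main
```

In a real checkout the OUTPUT argument would be `git verify-commit --raw <commit> 2>&1`; a "Good signature" from a key whose fingerprint is not the pinned one is rejected even though gpg itself reported it as good.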

Owner

Synzvato commented Mar 8, 2017

@miroR Great read, thanks! I have since updated the command snippet.

@Synzvato Synzvato closed this Mar 19, 2017
