This is a simple tool to find OpenPGP keys associated with a public profile on Twitter, Github or Google Plus. It achieves one of the things a site like keybase.io offers, but without requiring a separate service.
```
$ java -jar keypan-cli.jar github.com/kbsriram
Found key for 'github.com/kbsriram'
PGP fingerprint: BF71 A5E8 E8CD 553B DE86 0969 62F4 63C6 73F6 C01F
linked on Github by kbsriram <https://github.com/kbsriram>
from this gist <https://gist.github.com/c05dca103a252ac0d6ac>
linked on Twitter by kbsriram <https://twitter.com/kbsriram>
from their profile <https://twitter.com/kbsriram>
linked on Google+ by KB Sriram <https://plus.google.com/+KBSriram>
from their profile <https://plus.google.com/+KBSriram/about>
Save this key? (y/N)
```
There's also a locally runnable web-server, which offers a nicer-looking interface to the search.
## How it works
I call the approach "key panning", as it lets clients sift through keys published against your public profiles, while adding a basic level of assurance.
- Add your various profile URLs as user-ids on your public key, and push them to key-servers as usual.
- Publish your fingerprint in some 'well-understood' way on each such profile site.
A client can now look up your key by your profile URL on a key-server. For each valid user id that matches a public profile, the client looks for a confirming fingerprint published at the profile site. It's not an authoritative proof of identity, but it indicates that someone in control of this key was also able to publish to the associated account.
As a secondary benefit, it consolidates your various public profiles directly on your key, and uses the distributed OpenPGP key-servers to propagate your keys.
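The confirmation step described above, as an added Python example (not keypan's own Java code). The function names, the `fetch` callback and the sample pages are assumptions for illustration; it assumes 40-hex-digit fingerprints and that the key's user ids were already validated by an OpenPGP library.

```python
import re
from urllib.parse import urlparse

# The three profile types named in this README.
PROFILE_HOSTS = {"github.com", "twitter.com", "plus.google.com"}
# 40 hex digits, optionally spaced as gpg prints them, not inside a longer hex run.
FPR_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4}[ \t]*){10}(?![0-9A-Fa-f])")

def normalize_fpr(text):
    """Return 40 uppercase hex digits, or None if text is not a full fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else None

def profile_uids(uids):
    """Keep user ids that are https URLs on an exactly matching profile host."""
    kept = []
    for uid in uids:
        url = urlparse(uid.strip())
        # Exact host match: "github.com.example.net" must not count as Github.
        if url.scheme == "https" and url.hostname in PROFILE_HOSTS and url.path.strip("/"):
            kept.append(uid.strip())
    return kept

def confirmed_profiles(key_fpr, uids, fetch):
    """Return profile user ids whose page publishes the key's full fingerprint."""
    want = normalize_fpr(key_fpr)
    if want is None:
        raise ValueError("expected a 40-hex-digit fingerprint, not a short key id")
    confirmed = []
    for uid in profile_uids(uids):
        published = {normalize_fpr(m.group(0)) for m in FPR_RE.finditer(fetch(uid))}
        if want in published:
            confirmed.append(uid)
    return confirmed

# Constructed sample pages standing in for fetched profile text.
SAMPLE_PAGES = {
    "https://github.com/kbsriram": "key: BF71 A5E8 E8CD 553B DE86  0969 62F4 63C6 73F6 C01F",
    "https://twitter.com/kbsriram": "bio that only shows the short id 73F6C01F",
    "https://github.com.example.net/kbsriram": "BF71A5E8E8CD553BDE86096962F463C673F6C01F",
}

def sample_fetch(url):
    return SAMPLE_PAGES.get(url, "")

if __name__ == "__main__":
    uids = ["KB Sriram <user@example.com>"] + list(SAMPLE_PAGES)
    print(confirmed_profiles("BF71A5E8E8CD553BDE86096962F463C673F6C01F", uids, sample_fetch))
```

Only the Github user id is confirmed here: the Twitter page carries just a short key id, and the look-alike host is rejected before its page is ever fetched.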
The keypan client is written in Java and needs at least Java 1.6.

To run the command-line client, download keypan-cli.jar and run it with a suitable query.

```
$ java -jar keypan-cli.jar github.com/kbsriram
```

To run the local webserver, download keypan-web.jar and run it as

```
$ java -jar keypan-web.jar
```

and then visit http://localhost:8014
## Making your keys visible to keypan
To allow people to look up your keys with keypan, add your various profile URLs to your key, and publish your key fingerprint on each of
### Adding a profile to your key
Here's how to use gpg to add your social media profiles to your key.
- First add each profile URL as a new uid. For example,

  ```
  $ gpg --allow-freeform-uid --edit-key email@example.com adduid
  [...]
  Real name: https://github.com/mygithubid
  Email address: <CR>
  Comment: <CR>
  You selected this USER-ID:
      "https://github.com/mygithubid"
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  [...]
  Enter passphrase: <password>
  [...]
  gpg> save
  $
  ```

- Repeat this for each profile URL you want to associate with your key. Then, publish it to the keyservers.

  ```
  $ gpg --send-keys <yourkeyid>
  gpg: sending key 12F3C45F to hkps server hkps.pool.sks-keyservers.net
  $
  ```
### Publishing your fingerprint on a profile
The keypan tool can search for fingerprints from three types of profiles: Github, Twitter and Google+. To publish your fingerprint on each of these sites, do the following.
- Github - publish a public gist containing your fingerprint. An example can be found here - https://gist.github.com/kbsriram/c05dca103a252ac0d6ac
- Twitter - go to your profile settings and add your fingerprint to your bio. An example can be found here - https://twitter.com/kbsriram
- Google+ - go to your profile about page and edit your basic information to include your fingerprint. An example can be found here - https://plus.google.com/+KBSriram/about