GnuPG 2.1 best practices review #451

Open
anarcat opened this Issue Sep 7, 2017 · 8 comments

anarcat commented Sep 7, 2017

This is a meta-issue to regroup issues surrounding a formal review of the GnuPG best practices after the publication of the GnuPG 2.1 release, which includes some of the recommendations from the document.

  • #294 ca-cert-file option deprecated in GnuPG 2.1
  • #449 Use dirmngr in OpenPGP best practices
  • #450 GPG 2.1 use hkps by default
  • #447 Note hopenpgp-tools broken with GnuPG >= 2.1
  • #452 newer GnuPG releases generate revocation cert
  • #453 update key splitting procedure for GnuPG 2.1
  • #454 mention elliptic curve algorithms in best practices guide
  • #455 review default algorithms recommendations for GPG 2.1
  • #456 clarify that GPG doesn't store keys in pubring.kbx
  • #457 link to the 2.1 review issue

anarcat added a commit to anarcat/riseup_help that referenced this issue Sep 7, 2017

newer GnuPG releases generate revocation cert
Newer GnuPG versions generate a revocation certificate automatically. See #451.

baldurmen commented Oct 25, 2017

Just wanted to drop a "thank you" for this thread of bug reports. I've encountered a few quirks with the migration to GPG and it's nice to know people are looking into it ;D

wiktor-k commented Jun 26, 2018

Phew, I'm glad that I found this ticket.

I think the best practices guide should either target only modern GnuPG (>2.1) or be split into two - modern and legacy.

Currently it's hard to navigate and a lot of stuff is obsolete in modern gpg (keyserver-options no-honor-keyserver-url is used by default, new keys have 2y expiry automatically, keys are V4, stronger prefs are used by default, the key generation wizard does not ask about Comment)...

There is also stuff that I think is worth adding (for example setting up Web Key Directory on own domain allows easy and secure key discovery using e-mail addresses).

anarcat commented Jun 26, 2018

pull requests are welcome! :)

wiktor-k commented Jun 26, 2018

Excellent idea :)

kradan added a commit to kradan/riseup_help that referenced this issue Jul 9, 2018

DamianRivas commented Aug 13, 2018

Hello, thank you for the wonderful guide! I was able to follow every part of the guide, but I'm failing to publish my key to a key server.

I believe this is because gnupg-curl doesn't seem to exist anymore. Are there any known alternatives? I'm on Ubuntu 18.04.

Another weird thing is that https://sks-keyservers.net/sks-keyservers.netCA.pem does not seem to download a file by default. What I did was I right-clicked that link and selected "Save Link As..." Then I was able to save a file called sks-keyservers.netCA.pem. Is this acceptable?

kradan commented Aug 14, 2018

DamianRivas commented Aug 14, 2018

Hi @kradan! I actually just tried again and it worked for me this time. Perhaps I copied and pasted the fingerprint incorrectly the first time around. And yeah, the command was gpg --send-keys '<fingerprint>' from the publish section of the "Managing OpenPGP Keys" article.

It might be a good idea to explicitly state that dirmngr replaces gnupg-curl. I came across the guide because I'm totally new to encryption, and "Use dirmngr in OpenPGP best practices" didn't mean anything to me until now that I already know to look for that. Just my 2 cents if the goal here is to be welcoming to newbies.

The more I Google, the more it seems that most of the stuff in the riseup guide is deprecated. I realize this is stated in the beginning but considering the amount of information it contains I didn't expect so much to be outdated for newer versions. Although there seems to be some good gems in there like parcimonie.

I don't want to go on a huge tangent, so thanks for the reply and the resources! :)

heitorPB commented Aug 29, 2018

I just added a new issue about the guide: #539

kradan added a commit to kradan/riseup_help that referenced this issue Sep 20, 2018
