setting up gpg web key directory
so we know keyservers were badly done. however, sharing gpg keys seems like a big hassle if we stop using them.
but if you have your own web domain, then it becomes almost too easy, with gpg wkd (web key directory).
the web key directory protocol basically means gpg takes the email address from a key's user id, hashes the part before the @, and fetches the key over https from a well-known path on the domain named in that address. no keyserver in the middle: whoever controls the domain (and its tls certificate) is the publisher of the key.
so setting up a web key directory requires that you have your own domain and an email address on that domain. tough luck to *@gmail.com users (unless you can hack into the gmail.com server root! ;) )
so anyway, here's how to do it:
get the WKD hash of your gpg key:
$ gpg --fingerprint --with-wkd-hash 0xDEADCODEBAADCODE
which outputs
pub rsa2048 2020-02-20 [SC]
A52A 51D0 8ECD D98D 0D72 559D DEAD CODE BAAD CODE
uid [ultimate] YOURNAME <main@YOURDOMAIN.tld>
rzufz5uv2a9bq7youre9cool1pal6yqh@YOURDOMAIN.tld
sub rsa2048 2020-02-20 [E]
the meaningless-looking string up to the @ on line 4 of that output is your wkd hash. it's derived only from the local part of the address (sha-1 of the lower-cased "main", encoded in z-base-32), not from the key itself, so it's the filename every client will ask for.
you have to export your public key, in binary form, into a file with that hash as its name:
$ gpg --output rzufz5uv2a9bq7youre9cool1pal6yqh --export 0xDEADCODEBAADCODE
(no -a here: the wkd spec requires the raw binary key, so don't rely on clients accepting ascii armor.)
great! now create a .well-known/openpgpkey/hu folder in your web server's public_html aka webroot. make sure directory indexing is disabled for this location in your web server, then copy the exported public key file as is into that hu folder.
also, you have to create an empty file called policy beside that hu folder.
so these URLs should point to those two files:
https://YOURDOMAIN.tld/.well-known/openpgpkey/hu/rzufz5uv2a9bq7youre9cool1pal6yqh
https://YOURDOMAIN.tld/.well-known/openpgpkey/policy
and that's done! two things to double-check: the site must be served over https with a certificate gpg will accept (a self-signed one is rejected by default), and if you want browser-based clients like mailvelope to use the directory too, send Access-Control-Allow-Origin: * with those two files.
now anyone can do:
$ gpg --locate-keys main@YOURDOMAIN.tld
and they're going to get your public key straight from the horse's mouth, so to say. (if they already have a copy of your key in their keyring, gpg shows that one instead of fetching, so test from a fresh --homedir.)
isn't this cool?
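the hash gpg prints above is easy to compute yourself, which is handy for checking a deployment without a keyring. the following is an added example (not code from the original post, and not GnuPG's own): it derives the wkd hash the way the spec describes (sha-1 of the lower-cased local part, z-base-32 encoded), builds both URL forms gpg tries (the "advanced" one on an openpgpkey.<domain> host and the "direct" one used in this post), and checks that the direct-method server returns a binary key, the CORS header and a policy file. the email address and the fake http responses in the usage are made up for the example.

```python
"""
wkd_check.py: compute Web Key Directory lookup URLs for an address the way
gpg does, and sanity-check what a server returns for the direct method.
Added example; not from the original post or from GnuPG itself.
"""
import hashlib
import urllib.error
import urllib.request

# z-base-32 alphabet used by GnuPG for the WKD hash
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first, no padding chars.
    A 20-byte SHA-1 digest is 160 bits, a multiple of 5, so it always gives
    exactly 32 characters (the length of the 'hu' filename)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # zero-fill the last 5-bit group if needed
    value <<= pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 'hu' filename: SHA-1 of the lower-cased local part, in z-base-32.
    Only the local part is hashed; the domain selects the server, not the file."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Both URL forms gpg tries: the 'advanced' method on openpgpkey.<domain>
    first, then the 'direct' method on the domain itself (what the post sets
    up). The ?l= query carries the un-hashed local part for the server."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    base_direct = f"https://{domain}/.well-known/openpgpkey"
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "hash": h,
        "direct": f"{base_direct}/hu/{h}?l={local}",
        "direct_policy": f"{base_direct}/policy",
        "advanced": f"{base_adv}/hu/{h}?l={local}",
        "advanced_policy": f"{base_adv}/policy",
    }


def looks_like_binary_openpgp_key(blob: bytes) -> bool:
    """WKD must serve the *binary* key, not ASCII armor. A binary OpenPGP
    stream starts with a packet header byte with bit 7 set; a public-key
    packet is tag 6: old format 0x98/0x99/0x9a, new format 0xc6."""
    if not blob or blob.startswith(b"-----BEGIN PGP"):
        return False
    first = blob[0]
    if not first & 0x80:
        return False
    tag = (first & 0x3F) if first & 0x40 else (first >> 2) & 0x0F
    return tag == 6


def _http_fetch(url: str):
    """Default fetcher: (status, lower-cased headers, body) over HTTPS."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {}, b""


def check_wkd(email: str, fetch=_http_fetch) -> list:
    """Check the direct-method key and policy URLs; returns a list of problems
    (empty means the directory looks right). `fetch` is injectable for tests."""
    urls = wkd_urls(email)
    problems = []
    status, headers, body = fetch(urls["direct"])
    if status != 200:
        problems.append(f"key URL returned HTTP {status}")
    elif not looks_like_binary_openpgp_key(body):
        problems.append("key is not a binary OpenPGP public key "
                        "(the WKD spec does not allow ASCII armor)")
    if headers.get("access-control-allow-origin") != "*":
        problems.append("missing 'Access-Control-Allow-Origin: *' "
                        "(browser clients such as Mailvelope need it)")
    pstatus, _, _ = fetch(urls["direct_policy"])
    if pstatus != 200:
        problems.append(f"policy file returned HTTP {pstatus} "
                        "(it may be empty, but it must exist)")
    return problems


if __name__ == "__main__":
    import sys
    # placeholder address from the post; pass a real one to check a live server
    addr = sys.argv[1] if len(sys.argv) > 1 else "main@YOURDOMAIN.tld"
    for name, url in wkd_urls(addr).items():
        print(f"{name:16} {url}")
    if len(sys.argv) > 1:
        print("\n".join(check_wkd(addr)) or "wkd looks good")
```

run it as `python3 wkd_check.py you@yourdomain.tld` against a live site, and compare the printed hash with what `gpg --with-wkd-hash` shows for the same uid. gpg ships its own end-to-end check too: `gpg-wks-client --check you@yourdomain.tld` fetches through dirmngr exactly as a real lookup would.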
Where's your gpg key?
so gpg keys are the standard method of identity and a common encryption method in the opensource world and elsewhere. it's logically and mathematically sound, and dependable as long as you know the source of the key. so like any good oss citizen, i also have gpg keys of my own, and dutifully put them online on various keyservers.
the web-of-trust model of key trustworthiness sounds very good: i trust you, i trust your key, so anyone who trusts me also trusts your key. people sign each other's keys, and then anyone who finds a key can judge whether it can be trusted by looking at who else has signed it.
but the infrastructure is apparently almost childish. there was a widespread vandalism attack in the recent past that basically destroyed the usability of gpg keyservers.
it goes like this: the old keyservers accept anything, so someone attaches a huge number of signatures to somebody else's public key, which blows up the key size, and reuploads it. clients that then fetch that giant key choke on it: gpg takes forever to import it and effectively hangs, and the mail plugins that depend on gpg break along with it.
i've discovered a new keyserver which tries to mitigate that problem: https://keys.openpgp.org. they verify the email address on an uploaded key before publishing it, so not just anyone can upload random keys with your email id. (the flip side: it doesn't distribute third-party signatures at all, so the web of trust doesn't travel through it.)
it's sensible. so i uploaded my key there.
also, meanwhile i found one of my older expired keys hanging around on a keyserver like nothing had happened, while i'd actually revoked it months ago and then deleted the revocation certificate, without uploading it to that particular server. so now that key has become immortal in one place.
by the way, my tilde GPG key is here: bdeshi.pubkey.asc
oh and i'm also on keybase, which wants to be a gpg-based social network!
Tags: gpg, identity, encryption
code progress
the blog's been more or less idle. so typical of me. :/
i've started doing some competitive coding practice on hackerrank and codewars to keep up the 100-days-of-code streak. my solutions are often abysmal, but reviewing others' solutions is a great learning opportunity. but maybe some people could be a little less clever. ^_^'
i've been looking for some cool small projects to beef up my resume (which is currently pretty much vegetarian :( ).
i'm also trying to figure out how to generate a bintray repo of deb and rpm files through github actions. knee-deep in multiple kinds of documentation so far.
meanwhile, i discovered 6cord, a terminal client for discord. it's pretty cool, but seems to require an auth key argument every time. another welcome addition to my terminal tool compendium. i could ditch discord completely if all my discussions were in english. complex characters break up in the grid-based world of terminals, making people sad.
life is putting pressure too. but code saves.
Tags: life, code, software, journal
n days of code
computer magic saves me. but one thing and another led me to skip coding for almost the entire year 2019. i've been planning to get back into code by doing a 100-days-of-code run. starting from today.
my plan is to rehash python, make some little game(s), and really just enjoy myself.
the gun goes off and the race starts. hope my shoelaces weren't tied together again.
Bashblog markdowns
previously on this bashblog-built blog, i couldn't find where bashblog was hiding the markdown source files for each post. i've since figured out that actually there was no markdown at all.
turns out bashblog depends on (the legendary) Markdown.pl or some markdown binary. since my current tilde home doesn't host either, bb was defaulting to html source. i simply didn't notice because the placeholder post body contains barely any html tags, just a p and a b.
anyway, i downloaded and extracted the original Daring Fireball perl script and moved it to ~/bin, and after a hash -r (so bash forgets its cached command lookups), bb post now starts up new posts in the plain vanilla barebones version 1 markdown syntax. oh joy.
maybe tildes with bb installed could also include Markdown.pl or some markdown binary (like discount) for a full-featured bashblogging experience from the get-go. 😏
Tags: bashblog, text, linux, tilde, meta
password clipping
i have a dedicated clipboard manager and password manager, yet i keep losing generated passphrases.
it goes like this:
i'd made a simple password generator long ago:
alias genpw="gpg --gen-random 1 16 | gpg --enarmor | sed -n 4p"
(16 random bytes from gpg's rng, wrapped in ascii armor; the armor's first three lines are the BEGIN header, a Comment line and a blank line, so line 4 is the base64 payload: 22 characters of password plus a trailing == of padding.)
i select its output and paste into whatever password field.
but then i forget to save it somewhere else, and immediately lose it by selecting some other text somewhere.
i thought of some overcomplicated system where primary selections are continuously appended to a (gpg-encrypted) file, but meanwhile i'm making do by just appending this to that passphrase generator pipeline:
| xclip -i -sel c
it's still pasteable, but with ctrl+v instead of middle-click. (it also means the password now sits in the clipboard, and in the clipboard manager's history, in plaintext until something overwrites it.)
yes there are far better solutions for all of this.
first-post
This post was made in bashblog. I have no idea where the source md went.
welcome to my tildeblog by the way. there's nothing interesting here.
Tags: bashblog