slashtechno, to github

I'm unsure if signing my commits is the best idea. When my key expires, commits will show up as unverified. Should I stop signing my commits? I'm aware you can renew keys. However, if you no longer have access to the key, then it can't be renewed.

If a GPG key could no longer be retrieved, all commits signed with that key would appear as unverified, from what I understand.

Perhaps for more visibility? :blobcatshrug:

publicvoit, to orgmode

If you're using #Orgmode with #gpg encryption, you need to read https://irreal.org/blog/?p=11827 by #irreal about the current issue with #GnuPG 2.4.1.

I noticed the bug myself already in #NixOS. 😔

In this case, it's good to still have a Debian machine not running the latest versions.

sergio_101, to random

Out of curiosity, how many of you use encrypted email?

LiveByReason, to random

#openpgp #gpg #gnupg Does anyone know if there is any sort of plugin you can enable for Mastodon that will attempt to automatically verify signed fediverse posts?

Or if not something right in the Mastodon server... maybe a browser plugin that runs locally? That might even be more secure.

freemo, to random

Anyone out there with a love for #PGP / #GPG want to take a look at my website where I explain my PGP keys and see if you can think of anything else useful to add?

Bonus points if everyone has any suggestions of stuff to add that isn't PGP-specific as well.

https://jeffreyfreeman.me/contact/

cjerrington, to security

After getting my laptop reinstalled, I needed to migrate my GPG keys to a new machine. Only done this once and thought I should write it down for myself and others.

https://claytonerrington.com/blog/migrating-gpg-keys-to-new-a-machine

#100DaysToOffload #gpg #openPGP #security #encryption

scy, to random German

Earlier today I had my #OpenPGP key signed "by the state™" at https://pgp.governikus.de/.

They retrieve your name from your e-Perso (electronic ID card), you upload your public key, select one of the key's user IDs (if you have several), and if the name in the UID matches the name on the ID card, you receive a signature from 0xA4BF43D7 "Governikus OpenPGP Signaturservice (Neuer Personalausweis)" at the email address in the UID.

It was quick and easy.

[1/2]

#GnuPG #GPG

mgorny, to rust

I've missed my train (the first time in years!) while debugging the latest #GPG issue. This is honestly the single worst piece of software ever written.

They reinvent every single thing and they do it badly. When you try to make it work for everyone (i.e. make it use system resolver and honor proxies), it just falls apart.

I would consider making #gemato use #Sequoia, except that #RustLang discriminates against even more users than GPG bugs do.

https://bugs.gentoo.org/906875

#Gentoo

jack, to vim German

Dear ,

thank you for everything ❤️, not least the tolerance you lived out toward my Emacs affinity. (and many other things) will never be the same without you.

http://www.guckes.net/sven/

https://www.linuxwochen.at/in-memoriam-sven-guckes

hko, (edited ) to rust

Meet oct-git, a new #OpenPGP signing and verification tool for use with the #Git distributed version control system:

https://crates.io/crates/openpgp-card-tool-git 🦀

oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys

It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)

#RustLang #PGP #GnuPG #gpg #Nitrokey #YubiKey

oliklee, (edited ) to ubuntu

I have upgraded two systems to #Ubuntu 24.04 now and also tried #Thunderbird as snap (which is the default for Ubuntu 24.04) on another machine.

The system upgrades were incredibly smooth. Thunderbird in general also works fine, but it doesn't support #GPG with private keys on a #YubiKey yet (which is my use case). (Yes, there is a workaround, although clunky.)

So it looks like I'll stay on 23.10 a bit longer on my main machine.

https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2009825

blueghost, to email

Proton Mail automatically encrypts/decrypts messages between Proton Mail accounts via OpenPGP/PGP.

Proton Mail supports automatically encrypting/decrypting messages between Proton Mail accounts and external email accounts that support OpenPGP/PGP or GnuPG/GPG.

Instructions: https://proton.me/support/how-to-use-pgp
GnuPG: https://mastodon.online/@blueghost/111974048270035570

Website: https://proton.me
Mastodon: @protonprivacy

#Proton #ProtonMail #ProtonPrivacy #OpenPGP #PGP #GnuPG #GPG #Email #Encryption #E2EE #InfoSec #Privacy

ablackcatstail, to random

Cryptography came to my rescue today. Thank you #GNUPG! When I had suspicions that a coworker wanted to get me fired I signed a document with my private key. When she summarily accused me of an alteration she made, #gpg revealed that she made the alteration and not me. The infosec officer and HR escorted her out. #Buhbye. I love being underestimated.

Cheatha, to random German

Reason 1337 why I can't stand #GPG/#PGP:

  • I have a separate email address for every service. If a service "loses" my email address, I know where the data leaked
  • If I want to communicate with such a service via GPG, I have to add that email address to my key
  • To use GPG with anything approaching convenience, my key has to go on a keyserver

Spammers be like: Sweet, so many email addresses!

¯_(ツ)_/¯

hko, to rust

I'm excited to announce the release of oct v0.11.0 🚀️

oct is a tool for inspecting, configuring and using cards 🔒 (https://crates.io/crates/openpgp-card-tools)

oct can now set up cards in mode, the text output format was improved for readability, and some minor bugs were fixed.

Finally, version 0.11.0 uses , a pure OpenPGP library 🦀.
As a result, the binary on links to four fewer dynamic libraries, while at the same time being 10% smaller.

ptlawrence, to random

I cannot thank @benjaminhollon enough for reigniting my love of the terminal. And poetry. But as far as the terminal goes, he introduced me to #aerc, #gpg, #pass, #restic via BorgBase, #qutebrowser. Did I leave anything out? Oh, #asahilinux and #framework PCs, which are environmentally friendly.

Maybe one day I'll be able to repay you.

slink, to email
stafwag, to debian

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

https://stafwag.github.io/blog/blog/2024/04/21/use-a-gpg-smartcard-with-thunderbird-part_1-setup-gpg/

I moved to a Thinkpad w541 with coreboot so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

@stafwag

kikobar, to random

@jwildeboer I have been using S/MIME with #Thunderbird since at least 2015.

Many of the reasons described in the #letsEncrypt forum are true, which does not mean S/MIME is impossible to fix or use.

There is native support for S/MIME in many email clients both desktop and mobile/tablet, including most of the 'stock' clients installed by default in most of the devices, so this is not an issue.

I think the big problems are basically 2:

1.- Having a throwaway key and certificate every 30 days (as we do with Letsencrypt SSL/TLS) is very inconvenient because we would need to keep a long collection of them in order to access old messages.

2.- People access their email from multiple devices, so syncing the private key securely across all of them becomes a challenge.

For the tech savvy, both problems are manageable:

1.- You can get a free S/MIME certificate from #Actalis valid for 1 year here:

https://www.actalis.com/s-mime-certificates.aspx


Please read a very important reply to this post by @duxsco pointing out the insecurity of the Actalis certificate, and providing a secure but not free alternative.


2.- You can manually add this certificate to all your devices and keep an encrypted/secure repository with all your old keys and certificates in case you need to access your archived email.

I've been doing exactly that for years and it is just fine for signing my email.

IMHO for 'fixing' the whole signing and encryption of emails, #OpenPGP is conceptually closer to being a more consistent solution, and I use it with everyone who understands it, but I have to admit that the ecosystem is far less ready than for S/MIME (you will need to use specialised apps or installed plugins, etc.), Thunderbird being a shining exception.

PGP has several very powerful advantages:

1.- You don't need a CA for the sole purpose of generating your keys.

2.- You can use the same keys for many years.

3.- People who really trust each other can sign each other's keys creating a web-of-trust.

4.- There is a free network of keyservers where you can upload your public keys and make them available to everyone.

5.- Most people these days have their own website, blog or social media account where they can publish their public keys for cases when they distrust the public servers. They can manually exchange them too.

In the long run I believe we should promote the adoption of OpenPGP instead of S/MIME, with more people using it, native support should follow.

I am not an expert though, so I'd love to hear from others too. 😊

#pgp #gpg #privacidadebemboa

todd_a_jacobs, to iOS

This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a #Yubikey for #SMIME or #GPG signing on #iOS & #iPadOS, but can't find:

  1. Any documentation about how to integrate it with Apple Mail.

  2. Anyplace that offers #x509 certificates for S/MIME at zero or minimal cost the way @letsencrypt offers free #SSL certs.

Self-signed S/MIME certs are a non-starter, and there are no full-featured #OpenPGP apps on iOS. Suggestions?

hko, (edited ) to rust

I just released version 0.0.1 of the new crate https://crates.io/crates/openpgp-card-state

This crate paves the way for convenient handling of #OpenPGP card User PINs, for users whose threat model allows persisting the PIN locally on the host computer.

If a User PIN is stored, applications can obtain it via this crate, and perform cryptographic operations without prompting the user for PIN entry.

Currently org.freedesktop.Secret is supported for storage.

Thoughts are welcome!

#rust #rustlang #pgp #gnupg #gpg

scy, to github

I think it's telling that #GitHub, #GitLab, and even #Forgejo all don't have a workflow for "renew an #OpenPGP key", i.e. extend its validity before (or after) expiry. On all of them, you have to delete and re-add the key. It's as if nobody is following OpenPGP best practices and everyone is using keys without an expiry date.

#GPG #GnuPG

freemo, to security

It was a very very long weekend preparing Yubikeys with pgp keys.

#yubikey #pgp #gpg #security #OpenPGP

kubikpixel, (edited ) to Bulgaria German

«End-to-end encryption (E2EE) protected EU-wide by court ruling»
@tarnkappeinfo

For once, some positive news as far as the #EU and #IT are concerned. #E2EE is protected, and it has been recognized that #Privatsphare (privacy) is important. Now companies and public authorities just need to consistently implement the #Verschlusselung (encryption) of their #Kommunikation (communication), e.g. #EMail with #GPG. I hope #Schweiz (Switzerland) follows suit.

🔐 https://tarnkappe.info/artikel/netzpolitik/ende-zu-ende-verschluesselung-durch-urteil-eu-weit-geschuetzt-289301.html
🔐 https://gnupg.org

hko, to random

30 years ago today, #PGP 2.6 was released via MIT.

Up to this point, two major issues had been unresolved: The legal status of the use of RSA in PGP, and export of the software from the US to the rest of the world.

With the release of PGP 2.6, the first of these two issues was resolved.

The pre-history of #OpenPGP, #gpg, #gnupg is hard to imagine, today. Even though variations of the https://en.m.wikipedia.org/wiki/Crypto_Wars remain a (tiringly) recurring political battle ground, three decades later.
