blog | ~bdeshi

tilde adventures wanderings.

setting up gpg web key directory

February 21, 2020 — ~bdeshi

so we know that keyservers were badly done. however, sharing gpg keys seems like a big hassle if we stop using keyservers.

but if you have your own web domain, then it becomes almost too easy, with gpg wkd.

the web key directory protocol basically means: gpg looks at the email address in a given key's user id, and retrieves the key directly from the domain part of that address.

so setting up a web key directory requires that you have your own domain and an email address at that domain. tough luck to * users (unless you can hack into the server root! ;) )

so anyway, here's how to do it:

get the WKD hash of your gpg key:

$ gpg --fingerprint --with-wkd-hash 0xDEADCODEBAADCODE

which outputs something like

pub   rsa2048 2020-02-20 [SC]
      A52A 51D0 8ECD D98D 0D72  559D DEAD CODE BAAD CODE
uid           [ultimate] YOURNAME <main@YOURDOMAIN.tld>
              rzufz5uv2a9bq7youre9cool1pal6yqh@YOURDOMAIN.tld
sub   rsa2048 2020-02-20 [E]

the meaningless string up to the @ on line 4 of that output is your hash.

you have to export your public key (in binary form, without ascii armor, since that is what wkd clients expect) into a file with that hash as its name:

$ gpg --output rzufz5uv2a9bq7youre9cool1pal6yqh --export 0xDEADCODEBAADCODE

great! now create a .well-known/openpgpkey/hu folder in your web server's public_html aka webroot. make sure directory indexing is disabled for this location in your web server.

then put the exported public key file, as is, into that hu folder.

also, you have to create an empty file called policy beside that hu folder.

so these URLs should point to those two files:

https://YOURDOMAIN.tld/.well-known/openpgpkey/hu/rzufz5uv2a9bq7youre9cool1pal6yqh

https://YOURDOMAIN.tld/.well-known/openpgpkey/policy

and that's done!

now anyone can do:

$ gpg --locate-key main@YOURDOMAIN.tld

and they're going to get your public key straight from the horse's mouth, so to speak.

isn't this cool?
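to see what gpg is doing under the hood, here's an added example (my own illustration, not part of the original post or of gnupg): it reproduces the wkd hash that --with-wkd-hash prints (z-base-32 of the sha-1 of the lowercased local part), builds the two URLs from the direct-method layout above, and checks a webroot for the usual mistakes before you publish it, including the ascii-armored-export one. the sample key bytes are constructed placeholders, and the address main@YOURDOMAIN.tld is the post's own placeholder.

```python
"""Added example, not code from the original post: reproduce the WKD hash that
`gpg --fingerprint --with-wkd-hash` prints, build the URLs a WKD client fetches
(direct method, the layout the post uses), and sanity-check a webroot before
publishing. The sample key bytes below are constructed placeholders, not a key."""
import hashlib
import os
import tempfile

# z-base-32 alphabet used by the Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: read the input as a big-endian bit string, 5 bits per character,
    most significant bits first; the tail is zero-padded to a multiple of 5 bits."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 'meaningless string' from the post: z-base-32 of SHA-1 over the
    lowercased local part (everything before the @)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 20 bytes -> 32 characters


def wkd_urls(address: str) -> dict:
    """URLs a client requests for an address with the direct method. A client may
    append ?l=<local-part> to the key URL; a static file server ignores that."""
    local_part, _, domain = address.rpartition("@")
    base = f"https://{domain.lower()}/.well-known/openpgpkey"
    return {"key": f"{base}/hu/{wkd_hash(local_part)}", "policy": f"{base}/policy"}


def check_wkd_layout(webroot: str, address: str) -> list:
    """Return the problems found in the WKD files under webroot (empty list = OK)."""
    problems = []
    local_part, _, _ = address.rpartition("@")
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    policy = os.path.join(base, "policy")
    keyfile = os.path.join(base, "hu", wkd_hash(local_part))
    if not os.path.isfile(policy):
        problems.append("missing policy file (it may be empty): " + policy)
    if not os.path.isfile(keyfile):
        problems.append("missing key file: " + keyfile)
        return problems
    with open(keyfile, "rb") as fh:
        head = fh.read(16)
    if head.startswith(b"-----BEGIN"):
        problems.append("key file is ASCII-armored; WKD serves the binary export "
                        "(gpg --export without -a)")
    elif not head or not (head[0] & 0x80):
        # every OpenPGP packet starts with a tag byte whose high bit is set
        problems.append("key file does not start with an OpenPGP packet header")
    return problems


# Constructed placeholders: 0x99 is the tag byte of an old-format public-key
# packet, the rest is filler. Neither value is a real key.
FAKE_BINARY_KEY = b"\x99\x01\x0d" + b"\x00" * 13
FAKE_ARMORED_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n"


def build_sample_layout(address: str, armored: bool = False) -> str:
    """Create a throwaway webroot holding the two files the post describes."""
    webroot = tempfile.mkdtemp(prefix="wkd-")
    local_part, _, _ = address.rpartition("@")
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    os.makedirs(os.path.join(base, "hu"))
    open(os.path.join(base, "policy"), "wb").close()  # the empty policy file
    with open(os.path.join(base, "hu", wkd_hash(local_part)), "wb") as fh:
        fh.write(FAKE_ARMORED_KEY if armored else FAKE_BINARY_KEY)
    return webroot


if __name__ == "__main__":
    addr = "main@YOURDOMAIN.tld"
    print("hash:", wkd_hash("main"))
    for name, url in wkd_urls(addr).items():
        print(f"{name}: {url}")
    print("problems:", check_wkd_layout(build_sample_layout(addr), addr))
    print("armored:", check_wkd_layout(build_sample_layout(addr, armored=True), addr))
```

point check_wkd_layout at your real webroot and address once the files are in place; an empty list means the hash, the policy file and the binary export all line up with what a client will ask for.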

Tags: gpg, security, web

Where's your gpg key?

February 12, 2020 — ~bdeshi

so gpg keys are the standard method of identity and a common encryption method in the open-source world and elsewhere. it's logically and mathematically sound, and dependable as long as you know the source of the key. so like any good oss citizen, i also have gpg keys of my own, and dutifully put them online on various keyservers.

the web-of-trust model of key trustworthiness sounds very good: i trust you, i trust your key, so anyone who trusts me also trusts your key. so people sign each other's keys, and then anyone who finds those keys can tell whether they can be trusted by looking at who else has signed them.

but the infrastructure is apparently almost childish. there was a widespread vandalism attack in the recent past that basically destroyed the usability of gpg keyservers.

it goes like this: someone adds a huge number of signatures to public keys, which blows up the key size, and then reuploads them to keyservers. which makes client software crash when trying to import those giant keyfiles.

i've discovered a new keyserver which tries to mitigate that problem: they make sure the email ids on uploaded keys can be verified, so not just anyone can upload random keys under your email id.

it's sensible. so i uploaded my key there.

also, meanwhile i found one of my older expired keys hanging around on a keyserver like nothing had happened, while i'd actually revoked it months ago and then deleted the revocation certificate without ever uploading it to that particular server. so now that key has become immortal in one place.

by the way, my tilde GPG key is here: bdeshi.pubkey.asc

oh and i'm also on keybase, which wants to be a gpg-based social network!

Tags: gpg, identity, encryption

code progress

January 24, 2020 — ~bdeshi

the blog's been more or less idle. so typical of me. :/

i've started doing some competitive coding practice on hackerrank and codewars to keep up the 100-days-of-code streak. my solutions are often abysmal, but reviewing others' solutions is a great learning opportunity. but maybe some people could be a little less clever. ^_^'

i've been looking for some cool small projects to beef up my resume ( which is currently pretty much vegetarian :( ).

i'm also trying to figure out how to generate a bintray repo of deb and rpm files through github actions. knee-deep in multiple kinds of documentation so far.

meanwhile, i discovered 6cord, a terminal client for discord. it's pretty cool, but seems to require an auth key argument every time. another welcome addition to my terminal tool compendium. i could ditch discord completely if all my discussions were in english. complex characters break up in the grid-based world of terminals, and that makes people sad.

life is putting pressure too. but code saves.

Tags: life, code, software, journal

n days of code

January 01, 2020 — ~bdeshi

computer magic saves me. but one thing and another led me to skip coding for almost the entire year 2019. i've been planning to get back into code by doing a 100-days-of-code run. starting from today.

my plan is to rehash python, make some little game(s), and really just enjoy myself.

the gun goes off and the race starts. hope my shoelaces weren't tied together again.

Tags: code, hdoc, progress

Bashblog markdowns

December 18, 2019 — ~bdeshi

previously on this bashblog-built blog, i couldn't find where bashblog was hiding the markdown source files for each post. i've since figured out that actually there was no markdown at all.

turns out bashblog depends on (the legendary) or some markdown binary. since my current tilde home doesn't host either, bb was defaulting to html source. i simply didn't notice because the placeholder post body contains barely any html tags, just a p and a b.

anyway, i downloaded and extracted the daring original perl script and moved it to ~/bin, and after a hash -r, bb post now starts up new posts in the plain vanilla barebones version 1 markdown syntax. oh joy.

maybe tildes with bb installed could also include or some markdown binary (like discount) for a full-featured bashblogging experience from the get-go. 😏

Tags: bashblog, text, linux, tilde, meta

password clipping

December 18, 2019 — ~bdeshi

i have a dedicated clipboard manager and password manager, yet i keep losing generated passphrases.

it goes like this:

  • i'd made a simple password generator long ago:

    alias genpw="gpg --gen-random 1 16 | gpg --enarmor | sed -n 4p"

  • i select its output and paste into whatever password field.

  • but then i forget to save it somewhere else, and immediately lose it by selecting some other text somewhere.

  • i thought of some overcomplicated system where primary selections are continuously appended to a (gpg encrypted) file, but meanwhile i'm making do by just appending this to that passphrase generator pipeline:

    | xclip -i -sel c

  • it's still pasteable, but with ctrl+v instead of middle-click.

  • yes there are far better solutions for all of this.

Tags: shell, linux, xorg


December 18, 2019 — ~bdeshi

This post was made in bashblog. I have no idea where the source md went.

welcome to my tildeblog by the way. there's nothing interesting here.

Tags: bashblog