On Thu, Apr 25, 2019 at 4:34 PM James Le Cuirot <chewi@g.o> wrote:
>
> On Thu, 25 Apr 2019 11:30:27 -0400
> Alec Warner <antarus@g.o> wrote:
>
> > > Seeing as separating the primary and the signing key has been part of
> > > OpenPGP best practices for a long, long time, I have got highly mixed
> > > feelings about this statement. On the one hand, it is not reasonable to
> > > expect someone with no or minimal prior knowledge of OpenPGP to master
> > > it overnight. On the other, we are not just some random people from Teh
> > > Intarwebz and we *have* been using OpenPGP signatures on commits for
> > > quite a while now.
> > >
> >
> > This is untrue though; we *are* random people from teh interwebs.
> >
> > I store my primary key on my desktop.
> > I don't have copies of my primary key.
> > My primary key is protected by a passphrase.
> > Most of the time it's cached in gpg-agent, so the passphrase is easily
> > stealable by local attackers.
> > I've been a dev for like > 10 years.
> >
> > I assume that every other dev does the same. Obviously some do not (and
> > I've spoken to many who have better practices) but I assume
> > people do the lazy / easy thing and I highly recommend this assumption. If
> > you assume that people have your security practices, you should prepare to
> > be disappointed.
> >
> > Many devs have *no idea* how GPG works.
> > GPG is quite possibly the worst program I've ever been forced to use in
> > terms of doing any operation, particularly around setup (hmm maybe Imation
> > Ironkeys were worse?)
> > Many devs are just following the wiki instructions and get what they get.
>
> I can sort of echo this. I believe I'm close to the recommendations now
> but it took me several evenings to actually wrap my head around all
> this and even then, I still felt very nervous setting it up and I had
> to rehearse it beforehand. As a professional software engineer for many
> years, it really shouldn't be this hard. People talk about GPG best
> practices but it was really difficult to find a reliable up-to-date
> guide and it certainly doesn't feel like best practice when you have to
> manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP
> is returned by the obscure --with-keygrip option.

I think a big problem is that gpg is sorely lacking in command line
commands/options for key management. Almost anything having to do
with key management involves a back-and-forth console interaction.

This means that you can't just tell somebody to run "gpg --long --list
--of --options" and have it just do the right thing. You also can't
script anything unless you feed input or even worse use something like
expect. Some of the guides I've seen require editing config files
because presumably these options can't be set on the command line.

I completely get what asymmetric crypto is. It is just a royal PITA
to actually get gpg to do something very specific like have a separate
signing key without poring through manpages. Generating a key with
the default options is easy, but after that you're on your own
largely.

Oh sure, once you know how to do it then it isn't a big deal. Until
you have to do it again because you don't generate new gpg keys every
other week...

--
Rich
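The separate-signing-subkey setup and the keygrip deletion the thread talks about, as an added example that is not from any participant or from Gentoo's own tooling. It assumes GnuPG 2.1 or newer (which added the non-interactive --quick-generate-key and --quick-add-key commands), gpg in PATH, a passphrase in PASS, and a scratch GNUPGHOME; the function names and the sample listing are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: certify-only primary key, separate
# signing subkey, primary secret key removed from the working keyring, all
# with GnuPG 2.1+ batch commands (no --edit-key session, no expect).
# Assumptions: gpg in PATH, PASS holds the passphrase, $1 is a scratch GNUPGHOME.
set -eu

# Fingerprint of the first secret key in a --with-colons listing (fpr record).
primary_fpr() {
    awk -F: '$1=="fpr" {print $10; exit}'
}

# Keygrip of the *primary* secret key: the grp record that follows the sec
# record (subkeys are ssb records, each followed by its own grp record).
primary_keygrip() {
    awk -F: '$1=="sec" {want=1; next} $1=="ssb" {want=0}
             want && $1=="grp" {print $10; exit}'
}

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# output (fake fingerprints and keygrips) so the parsers can be checked offline.
SAMPLE='sec:u:4096:1:0123456789ABCDEF:1556200000:::u:::cESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1556200000::DEADBEEF::Example Dev <dev@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1556200000:1587736000:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::2222222222222222222222222222222222222222:'

setup_keys() {
    export GNUPGHOME="$1"
    uid="$2"
    # --batch needs the passphrase supplied via loopback instead of pinentry.
    g() { gpg --batch --pinentry-mode loopback --passphrase "$PASS" "$@"; }
    # 1. Certify-only primary key, no expiry, no subkeys yet.
    g --quick-generate-key "$uid" rsa4096 cert never
    fpr=$(gpg --with-colons --list-secret-keys | primary_fpr)
    # 2. Separate signing subkey, expiring in one year (renew the same way).
    g --quick-add-key "$fpr" rsa4096 sign 1y
    # 3. Back up the complete secret key material before touching the keyring.
    g --armor --export-secret-keys "$fpr" > "$GNUPGHOME/primary-backup.asc"
    # 4. Drop the primary secret key from the working keyring, i.e. the manual
    #    step from the thread: remove private-keys-v1.d/<KEYGRIP>.key.
    grip=$(gpg --with-colons --with-keygrip --list-secret-keys | primary_keygrip)
    rm "$GNUPGHOME/private-keys-v1.d/$grip.key"
    # The primary now lists as "sec#" (stub); the ssb signing key stays usable.
    gpg --list-secret-keys
}
# Usage: PASS='...' ; setup_keys "$(mktemp -d)" 'Example Dev <dev@example.invalid>'
```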