yarmo/yarmo.eu
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add blog post
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Yarmo Mackenbach 2020-06-17 11:51:55 +02:00
parent 6fff64cbe0
commit 8592e69a82
1 changed files with 128 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
content/blog/2020-06-17--opsv.md Normal file
View File

@ -0,0 +1,128 @@
---
title: "OPSV: Open PGP Signature Verification"
author: Yarmo Mackenbach
slug: opsv
date: "2020-06-17 11:51:39"
published: true
---
# Introduction to OPSV
I'd like to introduce a new project of mine named [Open PGP Signature Verification](https://opsv.foss.guru) or OPSV, a FOSS solution for easy PGP signature verification. I have copy-pasted the README from the [Codeberg repo](https://codeberg.org/yarmo/opsv) below and added a "Why make this project?" section containing opinions.
## About
This project uses [openpgp.js](https://openpgpjs.org/) loaded in the browser, meaning all processing is done on the device itself and no data is ever sent to the server. It supports loading public keys directly through:
1. plaintext input
2. web key directory (WKD)
3. HTTP Keyserver Protocol (HKP).
OPSV will always use the first input method it detects in the order described above.
## Usage
Visit https://opsv.foss.guru/. On this website, you can enter a signed message (see example below) and any of the three supported public key inputs to verify that the owner of that public key was indeed the person to have signed that message.
## Example
Let's say I, Yarmo, would really like the world to know that I like pineapple. Using my private key, I've signed that statement so you can verify I wrote that message.
The signed statement:
```text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I like pineapple.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl7p1IEACgkQNzZ/SvQI
etEXkRAAhh0viUkjH0chcwSpOEUnXkpMROy64+zT9VjUuxIWNWHChBXg4JqseEX4
XbvF+916xFPqBVX0p5NCJnJiZc+npEr/Y0U5NND3GW2AoSnqaF5YUxJmjyLKvHCc
sI4cdwEVM5TB6GisBUOZGcIddcXnlbmAIlQ7KhorDBDsD8F3mjAkwigWQa82uzp0
C/KKkllzOLufDS82R33Z6EUTr3xKNEYjcOgz1vuFDN2Mstrm/Remz0wIcGgopYE+
Q1QixnKZOdpslEsvJT9ot1Pm9ISByR8TONN2iPRGblxBCa3ra1iZHOq+vf1KRd/F
mYJu0yEJODtPXdd2B8MNCNrLk5j8ne1aWfQC1vnPRBzmv4eKv5Hdb39LGUttO7jj
lFNEqPTlNqI9zWL6zuFPt5vnaJfe1JwYI4tBpW9Si+vpuIIjgM7C8x7xRw1EipED
2k0//7bt7WjIKdv5fLd7kHpyf+h2mwAcIXqoMX+5q9mAxmXEBV9NXCwwjssbZ9Ub
WV1D2jtN+zSU+PY2/exQ07fcHTYZxnBwwyDhAEvc4JZ2f3ezNuliOi5P+cyT+S/m
/zrFCrcz+G7TN3jzh3mmA4q6dNDIVJ6R04VQzy+Up3n2JlzlAb6aKyJBrDLAKuvC
whF+3jc244bVxfhiQKDL+7mwBZdo0oJ8VC8zFNas5DW8UWpMipQ=
=G0ZY
-----END PGP SIGNATURE-----
```
Use this as "Message" on [OPSV](https://opsv.foss.guru/).
### Using plaintext public key
Now, let's check the signature. Go to [my personal website](https://yarmo.eu/pgp) and copy-paste the "plaintext" key in the "Public Key (1: plaintext)" field.
You will see a green message confirming that my key was used to sign this message. I really do like pineapple.
### Using web key directory (WKD)
Remove the contents from the "Public Key (1: plaintext)" field. Now, in the "Public Key (2: web key directory)", write `yarmo@yarmo.eu` and verify the signature again. It is still verified. Try using `jane@doe.org` or any other input, it won't verify.
### Using HTTP Keyserver Protocol (HKP)
Remove the contents from the "Public Key (2: web key directory)" field. I uploaded my keys to the https://keys.openpgp.org/ HKP server, which is the default server used by OPSV. All you need to do is once again go to [my personal website](https://yarmo.eu/pgp) and copy-paste the "Fingerprint" in the "Public Key (3: HKP)" field (the second field!). Still verified!
### What can a bad actor do?
One could not sign a statement with my private key: I, and only I, have access to it.
One could however simply take any of my signed messages and change the content. Like so:
```text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I like privacy invasion.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl7p1x0ACgkQNzZ/SvQI
etEgwg//e8gkrOVESf9hI5gt0F6PKtPljMPqA9nI/HWjiUbSb/QmFP/ExIYHsnrC
M3aQnVSCQFPBrrGYljNk9m6LCRMZ+WB5rHC+n4IXcgzNqAZ0c4pHNFD5QlOXi3+u
0wimUr6zBY+LDNFlmh/REPLywK/tm/AG0+9PaPy8rLIU7sc+glTb+U6gIXji8rd6
T36xk1Pd3VddRmXg4Rjtjo79q9ofqKiaQfKbQ2lcD0EnEtTcOhfW2zoofJ2gPOs2
oiTY3zsxLQjZ7gPwD/mTHuCu4xiMnZnGOMwmL1pVMeYdUiY0uR7RiAModUBTZ/v1
6lS9glJHAuDcwchcZNjJOAdyOy+YzFRwZ/QXyjV9EqVLS29S8HTMqlag0hMF4DRs
irb3BfAypDXPbkroPrFgAXclE5fuOR3ZT7tvSpSEqPh3LEtsgghEGxB93W2R62bw
0pMrMau4SD0D9aiIplAKGn50gM41x1jVXLCj86/sqHlt2H9erTNKQiBIQsfsovpv
jkzVPfs/HkbR7pkM+Ow8KgixOoT4vDkQw9SsED8gKKdvhGtkDJ6WgEnQWFrA0y+h
kTR47U59256K2ASfElrgjT1z/OwD5dkkfGq50pl/wxg1AoRuM4lEuB1GG4L6RtIz
hRYaIde4Vjx0djPTP6OCLbCbTt1WxekdS2e4cDzcUQlnFKFLn1k=
=EiD6
-----END PGP SIGNATURE-----
```
Given the wording of the statement, you naturally doubt the origin of it being me. You run it through OPSV and indeed, this is not what I wrote!
You know me, "I despise privacy invasion." (hint hint).
## Why make this project? (with opinions)
This project directly targets a specific use-case of [Keybase](https://keybase.io).
It is possible to upload your public key (don't upload your private key…) to the Keybase servers. When you sign a message using your private key, anyone can verify that you wrote that message by simply using their [verify page](https://keybase.io/verify). It's really simple to use, but you'll notice something is missing: a field asking you which key to use for the verification. What Keybase does is check the message against all of the keys it knows about and then let you know which of it users wrote and signed that message.
It is my humble opinion that this is an anti-pattern. By not being able to verify against a single key, you open the door to impersonation: I can make an account named `j0hn` and pretend to be `john`. If I write a false statement and sign it with `j0hn`'s key, Keybase will gladly tell you that the message is legit and signed: it is, but by the wrong person. It is up to the user to then investigate `j0hn`'s Keybase account and figure out if it belongs to `john` or some bad actor.
Considering recent events, namely Keybase's [acquihire by Zoom](https://keybase.io/blog/keybase-joins-zoom) and Zoom's willingness to bend to [US law enforcement](https://www.theguardian.com/technology/2020/jun/03/zoom-privacy-law-enforcement-technology-yuan) and [Chinese](https://www.nytimes.com/2020/06/11/technology/zoom-china-tiananmen-square.html) influence, combined with their [unwillingness to release the server source code](https://github.com/keybase/client/issues/24105), I strongly urge all to [#deletekeybase](https://yarmo.eu/notes/deletekeybase). They are not worthy of your keys and your data. It is a mystery what happens to your keys once you give them to Keybase, and with their employers working for a company eager to please privacy-invading governments, why would you? Seriously, why would you ever give your valuable private keys to Keybase?
I was having this discussion on the fediverse recently and a privacy-minded individual still was forced to use Keybase for the simple reason it was the easiest and beginner-friendly way of verifying PGP signatures that didn't involve installing complicated software and handling PGP keys.
Well now, there is [OPSV](https://opsv.foss.guru). It has the same intuitive copy-paste workflow as Keybase does, with the only additional step of having to copy-paste a plaintext key, email address or fingerprint (which, in my book, is a feature!). Processing is done client-side, so no data is sent to any server.
### Why include privacy-friendly plausible.io stats?
Well, without sounding cocky, I humbly believe this is the first project I made that could actually make a difference to people's workflow on the internet. As such, if usage suddenly spikes, I need to know if the server can handle it.
Because asking users to accept website statistics is much in my opinion, I decided a nice compromise was to make the [statistics public](https://plausible.io/opsv.foss.guru).
If open statistics or any statistics at all is not to your liking, please do let me know by [opening an issue](https://codeberg.org/yarmo/opsv/issues).
## Final words
I hope you like this project, I know I do and I will use it. OPSV allows me to use signed messages more and provide a simple way to verify its authenticity without relying on big evil corporations.