Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit

Administered by:

Server stats:

337K
active users

mastodon.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.0-nightly.2025-04-15

#gpg

6 posts5 participants0 posts today
Public
daltux
"The treta has been planted."

@ :debian: Sid

apt-listchanges: News
---------------------

gnupg2 (2.4.7-4) experimental; urgency=medium

  The upstream GnuPG project now explicitly and deliberately diverges from
  the OpenPGP standard.  Debian's own workflows rely heavily on OpenPGP,
  and we ship several different OpenPGP implementations, so
  interoperability via standardization is a priority for the project.

  While Debian still has significant dependencies on GnuPG, the version of
  GnuPG shipped in Debian will default to emitting only OpenPGP-compatible
  artifacts if at all possible.  As of 2.4.7-4, the default
  is --compliance=openpgp, and we apply several patches to ensure that
  this mode is respected.

  If you observe GnuPG in Debian emitting a non-OpenPGP artifact in a
  scenario where a standard OpenPGP artifact is intended or expected,
  please open a critical bug report in the Debian BTS.

  If you want Debian's GnuPG to emit non-standardized artifacts, in line
  with upstream's deliberate divergence, you can explicitly pass
  --compliance=gnupg (or set the corresponding option in
  ~/.gnupg/gpg.conf).  If you revert to compliance with upstream defaults,
  do not expect the material you produce to be interoperable with other
  OpenPGP implementations.

 -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 07 Feb 2025 23:35:29 -0500
#Debian #GnuPG #GPG #OpenPGP #GNU
Public *
Mika

It's pretty stupid that you could neither name a #GPG key registered to #GitLab, or see which may have expired. My key has expired, I've renewed it locally, and now am updating it on both #GitHub and GitLab.

On GH, it's easy to know which key I'd have to replace since it lets you know which of them has expired, and when registering it for the first time, you have to give it an identifier. On GL, there's no (human) identifier whatsoever, and it doesn't tell you which of them has expired either.

Better find a way to identify it correctly tho or you might risk deleting the wrong GPG key, and potentially cause your verified commits to be deemed unverified.

---

Edit: Figured it out. When you list your GPG key on your system like this:

gpg --list-secret-keys --keyid-format long

and get something like this:
/home/user/.gnupg/pubring.kbx
------------------------------
sec   ed25519/1H89FHO4MGAJTJ9Z 2024-01-15 [SC] [expires: 2026-01-15]
    0A41C9F6335DBF47A1A186FAC82F22229FCCE1BF

While on GH, you can identify your key either through the 1) name you gave it or 2) the "short key" i.e. 1H89FHO4MGAJTJ9Z, on GL you identify it through its "long key" i.e. 0A41C9F6335DBF47....

Likewise, on GH, it tags each "Key ID" and "Subkey" as Expired if they're expired - easy enough to understand, meanwhile on GL, it tags valid, non-expired keys as Verified, which may be somewhat confusing or vague.. especially when users coming into this setting is either adding a new GPG key or renewing an outdated one.
Public
radhitya.org

I have a mini Intel Atom-powered home server in my house.

However, I’ve overlooked two things:

How do I back up data and keep it safe (from both security and quality perspectives)?

I’m still a newbie at GnuPG Privacy Guard. How do I secure the backup of my private keys?

#gpg#gnupg#privacy
Public *
Eric G.

Quoting myself in a mood today at work

```#GPG keys have two parts: the private key (which is fiercely protected) and the public key (which is handed out like sleazy leaflets on a Las Vegas street corner.)```

Public
Ankur Sinha "FranciscoD"

Made a few updates and released a new version of #calliope , a #bash script based utility to write a journal using #LaTeX. Since it's #LaTeX based, you can pretty much add whatever you wish to your journal---images, other PDFs, beautiful maths, and of course, you can customise it as you wish to suit your needs. It's all managed by #Git and if you'd like you can encrypt your journal entries using #gpg

Check it out on #GitHub : github.com/sanjayankur31/calli

Simple script for journal writing using LaTeX. Contribute to sanjayankur31/calliope development by creating an account on GitHub.
GitHubGitHub - sanjayankur31/calliope: Simple script for journal writing using LaTeXSimple script for journal writing using LaTeX. Contribute to sanjayankur31/calliope development by creating an account on GitHub.
#AcademicChatter
Public
Teddy / Domingo (🇨🇵/🇬🇧)

Non, #Google ne proposera pas un vrai #chiffrement de bout en bout sur #Gmail. Le mécanisme proposé n'est pas considéré comme un véritable chiffrement "E2EE" par certains experts. En effet, il implique un serveur de gestion de clés interne à l'entreprise.
clubic.com/actualite-560031-no
Mieux vaut utiliser soit #protonmail soit #thunderbird avec #gpg et une adresse mail chez un hébergeur non #gafam respectant les #donneespersonnelles

clubic.com · Non, Google ne proposera pas un vrai chiffrement de bout en bout sur GmailEn début de semaine, Google annonçait vouloir simplifier le chiffrement de bout en bout des emails. Cependant, le mécanisme proposé n'est pas considéré comme un véritable chiffrement "E2EE" par certains experts. En effet, il implique un serveur de gestion de clés interne à l'entreprise.
Replied in thread
Public
Preston Maness ☭

@Xeniax Totally nerdsniped :D I'd love to be a part of the study.

I don't think that #KeyServers are dead. I think they evolved into Verifying Key Servers (VKS), like the one run by a few folks from the OpenPGP ecosystem at keys.openpgp.org/about . More generally, I believe that #PGP / #GPG / #OpenPGP retains important use-cases where accountability is prioritized, as contrasted with ecosystems (like #Matrix, #SignalMessenger) where deniability (and Perfect Forward Secrecy generally) is prioritized. Further, PGP can still serve to bootstrap those other ecosystems by way of signature notations (see the #KeyOxide project).

Ultimately, the needs of asynchronous and synchronous cryptographic systems are, at certain design points, mutually exclusive (in my amateur estimation, anyway). I don't think that implies that email encryption is somehow a dead-end or pointless. Email merely, by virtue of being an asynchronous protocol, cannot meaningfully offer PFS (or can it? Some smart people over at crypto.stackexchange.com seem to think there might be papers floating around that can get at it: crypto.stackexchange.com/quest).

To me, the killer feature of PGP is actually not encryption per se. It's certification, signatures, and authentication/authorization. I'm more concerned with "so-and-so definitely said/attested to this" than "i need to keep what so-and-so said strictly private/confidential forever and ever." What smaller countries like Croatia have done with #PKI leaves me green with envy.

keys.openpgp.orgkeys.openpgp.org
ExploreLive feeds
About