Yarmo  

I'd like to introduce a new #foss project: Open PGP Signature Verification or OPSV.

yarmo.eu/blog/opsv

This eliminates the need to rely on #keybase verify function and, therefore, keybase at all.

Website: opsv.foss.guru/
Code on @codeberg: codeberg.org/yarmo/opsv
Public stats by #plausible: plausible.io/opsv.foss.guru

Time to #DeleteKeybase once and for all

#opsv #pgp

1+
kravietz πŸ¦‡
Follow

@yarmo Why does it allow only clear-signed messages? πŸ€”

Β· Β· 1 Β· 0 Β· 0
Yarmo  

@kravietz as opposed to detached signatures? I've yet to implement it, it's a minor tweak, just gotta do it.

Or did you mean something else?

1+
kravietz πŸ¦‡  

@yarmo

So this works (gpg --armor --clear-sign):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRve2u5qbYyVV4aA8Eyrx85xO4D8gUCXuvw0wAKCRAyrx85xO4D
8opLAQDK5Spug8MTQuocZj0PUllamGtcdLzd72xraeg5IfnVngD9H8eXUfSjkTB4
0hHQUL6+tZruzw18gStuMMLNoE2utAY=
=6NcD
-----END PGP SIGNATURE-----

0
kravietz πŸ¦‡  

@yarmo But this doesn't (gpg --armor --sign) but this is just the same signature, just with the plaintext signed message embedded inside

-----BEGIN PGP MESSAGE-----

owGbwMvMwCVmtF7e8sg75k+Mp7mTGOJef/hcklpcwtVRysIgxsUgK6bIkl+dvXPl
NqPQOCnmgzDFrExAlV8YuDgFYCKurAz/zF6LH1nDe+vk+mVn73LdD5PSkT3+ZMsz
qU9qPPLT0uQdTzP8L1u4re2G9bojezsZZVb9bdw4e73DyfvNV6zu3JNdO80+lAsA
=+VXF
-----END PGP MESSAGE-----

Error: No cleartext signed message.

1
Yarmo  

@kravietz thanks! I bet there's an option somewhere to enable that, will look into!

1
Yarmo  

@kravietz Fixed it! Both types of inputs are supported and correctly verified! I guess I need to extract the embedded message now!

1
Yarmo  

@kravietz is it even possible to extract the text? Does it need a private key to decrypt the message first?

1
kravietz πŸ¦‡  

@yarmo

No, this PGP MESSAGE is just a wrapper for OpenPGP packets and in this case the packets only contain signed (but not encrypted) content.

1
Yarmo  

@kravietz "Error: Error during parsing. This message / key probably does not conform to a valid OpenPGP format." πŸ€”

1
Yarmo  

@kravietz fixed it! #opsv can now extract the message from the non-clearsigned signatures! Proof: your message was "test" :)

1
kravietz πŸ¦‡  

@yarmo

Correct, it was! πŸ‘ That's great service and I'm definitely including into my standard "tools for regular humans" pack πŸ˜€

1
Yarmo  

@kravietz it can now also detect userId and keyId making it a truly one-click service (no input of public key needed). Of course, in the case of keyId alone, the website urges you to find another of verifying the keyId or fingerprint to confirm authenticity of signer.

0
kravietz πŸ¦‡  

@yarmo WKD works brilliantly πŸ‘ I have just noticed one possible inconsistency as the WKD validator doesn't seem to be trying the "advanced method" first which seems to be a requirement by the draft...

1
Yarmo  

@kravietz ow, nice catch! I'm using the openpgp.js library which falls back to web crypto api if supported.

Can you check if you use the fallback?

developer.mozilla.org/en-US/do

If not, I'll have to open an issue with the main devs. Thanks for letting me know!

0
Sign in to participate in the conversation
Mastodon πŸ” privacytools.io

Fast, secure and up-to-date instance. PrivacyTools provides knowledge and tools to protect your privacy against global mass surveillance.

Website: privacytools.io
Matrix Chat: chat.privacytools.io
Support us on OpenCollective, many contributions are tax deductible!

Resources

Developers

What is Mastodon?

social.privacytools.io

More…