Easier GitHub proofs #89

Closed
opened 1 year ago by wiktor · 5 comments
wiktor commented 1 year ago

Utilize the fact that for any user name one can construct a URL that fetches the OpenPGP key already stored in GitHub (e.g. https://github.com/wiktor-k.gpg ). Verify if the fingerprint of the fetched key is the same as the current one.

Thus we only need the notations on the key... let's call it... gist-less GitHub proofs!

Just an idea for when the backlog dries ;)

yarmo added the enhancement label 1 year ago
yarmo added this to the Feature development project 1 year ago
Owner

Sadly, a drying backlog is not a thing ;)

Smart! So you upload your public key to github and we just check whether that key has the same fingerprint as the profile key? That sounds like the endgame of cryptographic identity verification!

Shouldn't be too difficult to implement.

yarmo added the low hanging fruit label 1 year ago
yarmo added the help wanted label 1 year ago

Actually GitLab supports the same URL scheme GitHub uses:

To view a user’s public GPG key, you can:

  • Go to https://gitlab.example.com/<username>.gpg.
  • Select View public GPG keys in the top right of the user’s profile.

From Signing commits with GPG (https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/)

For example:

$ curl -sL https://invent.kde.org/ngraham.gpg | gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-04-01 [SC]
      1B60D5E4692092B3E41E737E3C452E1BBF06A76F
uid           Nate Graham <nate@kde.org>
sub   rsa4096 2021-04-01 [E]

Gitea supports this too:

$ curl -sL https://codeberg.org/yarmo.gpg | gpg -
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2019-07-10 [SC]
      9F0048AC0B23301E1F77E994909F6BD6F80F485D
uid           Yarmo Mackenbach <yarmo@yarmo.eu>
sub   rsa3072 2019-07-10 [E]
sub   rsa4096 2019-08-16 [S]
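The check the opening post proposes, and which the curl examples above carry out by hand, as an added example for this thread (this is not doip.js or Keyoxide code): build https://<forge>/<username>.gpg, de-armor the OpenPGP key block(s) the forge returns, walk the packets, compute each primary key's version 4 fingerprint and compare it with the profile key's fingerprint. It uses only the Python standard library. The forge name, username, key material and expected fingerprints in the block are constructed for the demo; `fetch_forge_key` is the only function that touches the network, and the demo never calls it.

```python
"""Gist-less forge proof: does https://<forge>/<username>.gpg serve the profile key?

Added example for this thread, not doip.js or Keyoxide code. Standard library only:
de-armor the public key block(s) a forge returns, walk the packets, compute each
primary key's v4 fingerprint (RFC 4880 section 12.2) and compare it with the
profile key's fingerprint. All key material below is constructed for the demo.
"""
import base64
import hashlib
import re
import struct

USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def forge_key_url(forge, username):
    """Build the key URL; a username that fails validation cannot steer the fetch to another path."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid forge username")
    return f"https://{forge}/{username}.gpg"

def fetch_forge_key(forge, username):
    """Fetch the armored key text over HTTPS (not exercised by the offline demo)."""
    import urllib.request
    with urllib.request.urlopen(forge_key_url(forge, username), timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def dearmor(text):
    """Yield the raw bytes of every armored public key block in `text` (a user may have several)."""
    for block in ARMOR_RE.finditer(text):
        lines = [ln.strip() for ln in block.group(1).splitlines()]
        # Skip armor headers ("Version: ..."), blank lines and the optional "=CRC24" line.
        b64 = "".join(ln for ln in lines if ln and ":" not in ln and not ln.startswith("="))
        yield base64.b64decode(b64, validate=True)

def iter_packets(raw):
    """Yield (tag, body) for each packet in `raw`; both header formats of RFC 4880 section 4.2."""
    pos = 0
    while pos < len(raw):
        hdr = raw[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, raw[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + raw[pos] + 192
                pos += 1
            elif first == 255:
                length, pos = struct.unpack(">I", raw[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths are not used for key packets")
        else:  # old-format header; length type 3 (indeterminate) is not valid for keys
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(raw[pos:pos + size], "big"), pos + size
        body = raw[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body

def v4_fingerprint(body):
    """Uppercase hex fingerprint of a v4 key packet body: SHA-1(0x99 || 2-octet length || body)."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def forge_primary_fingerprints(text):
    """Fingerprints of the *primary* keys (tag 6) served; subkeys (14) and user IDs (13) are skipped."""
    return {v4_fingerprint(body) for raw in dearmor(text) for tag, body in iter_packets(raw) if tag == 6}

def forge_key_matches(text, profile_fingerprint):
    """The proof holds only if one served primary key has exactly the profile key's fingerprint."""
    return profile_fingerprint.replace(" ", "").upper() in forge_primary_fingerprints(text)

# ---- constructed sample data: not a real key, the "modulus" is just a 2048-bit odd number ----
_FAKE_N = int.from_bytes(hashlib.sha256(b"forge-proof-example").digest() * 8, "big") | (1 << 2047) | 1
_FAKE_E = 65537

def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def constructed_key_bodies():
    created = struct.pack(">I", 1617235200)  # 2021-04-01T00:00:00Z, constructed creation time
    return {
        "primary": b"\x04" + created + b"\x01" + _mpi(_FAKE_N) + _mpi(_FAKE_E),  # v4, RSA (algo 1)
        "uid": b"Example User <user@example.org>",
        "subkey": b"\x04" + created + b"\x01" + _mpi(_FAKE_N ^ 0xFF00) + _mpi(_FAKE_E),
    }

def constructed_forge_response():
    """What a forge's /<username>.gpg endpoint might return: one armored transferable public key."""
    b = constructed_key_bodies()
    sub_len = len(b["subkey"]) - 192  # new-format two-octet length (valid for 192 <= len < 8384)
    raw = (bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(b["primary"])) + b["primary"]
           + bytes([0x80 | (13 << 2), len(b["uid"])]) + b["uid"]
           + bytes([0xC0 | 14, (sub_len >> 8) + 192, sub_len & 0xFF]) + b["subkey"])
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Two design points worth noting for anyone wiring this into a verifier: only primary key (tag 6) fingerprints are compared, so a matching subkey fingerprint does not count, and when the user has uploaded several keys every primary fingerprint is collected and any exact match satisfies the proof. A user without an uploaded key gets an empty body, which yields no fingerprints and fails the check closed rather than raising.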
Poster

Wow, this is very interesting @ShadowRZ! Bad news is that doip.js seems to be designed around JSON proofs but if multiple forges already support this standard then this might be something worth the work.

IIRC Facebook also has a "GPG key" download link but I don't have an account to verify (nor a link to account that has this set up).

Owner

Interesting indeed! Well, I think this method should be supported and promoted, it would be great if more service providers allowed uploading a public key.

There is currently work underway to create a spec in the form of a living document that describes the entire keyoxide/doip process. This must be somehow integrated in there.

I'll come back to this thread once the living document is up.

Owner

This discussion will be continued in keyoxide/doipjs#19 (https://codeberg.org/keyoxide/doipjs/issues/19).
yarmo closed this issue 2 months ago