Sehr geiler Talk von @95p und @49016 über Schwachstellen in #GnuPG und ein paar weiteren Programmen. Insgesamt fanden beide 14 Schwachstellen.

Große Anerkennung an @filippo, der live die Bugbounty überreicht.

Details auch auf https://gpg.fail/

https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i

#39C3 #age #minisign #Vulnerability

Considering how #Google figures nobody will care if they modify videos using #AI, it makes me want to start using #Minisign to sign the videos I create (posted on my website), as a bulwark (and artistic statement) against such consent-abusive modifications.

I've added my minisign public key to my #Mastodon Bio. Any modified versions will fail the verification:

"Files signed using this key pair can be verified with the following command:

minisign -Vm <file> -P RWSaZ2vD+WizyYrhPuD5B4h8kL7f1BfCumABecgoWyS8SP0hIQl1Q3Sd
"
#OpenSource #debian #trixie

1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.

Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.

#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore

Tinkering and learning about #AGE and #Minisign and how they compare to #GPG. Wrote a "very" basic BASH script (may improve on it later, I dunno) to automate some AGE features without having to memorize the syntax.

Link: https://gitlab.com/-/snippets/4871977

#Encryption

Use #MiniSign to sign documents, archive the folder with signed documents and their signature files (*.minisig) in the usual way

Use #AgeEncryption to encrypt an file (eg: an archive), send the encrypted file (*.age) by any means to the recipient

#MiniSign
https://jedisct1.github.io/minisign

RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o

#AgeEncryption
https://age-encryption.org

age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps

Alternatively use #GnuPG and email

#OpenPGP #FingerPrint #PublicKey
https://keys.openpgp.org/vks/v1/by-fingerprint/10761F0C272B3AAA52D4D9DB8806B58B124EA2A0

The PGP Problem

https://www.latacora.com/blog/2019/07/16/the-pgp-problem/

#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email

#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/

#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps

#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o

How to set up key-based identity in Mitra

Mitra implements a mechanism for migrating your connections from one server to another, which works even if your current server is offline. At the moment, this mechanism is only supported by Mitra. People who use different software won't be able to connect automatically to your new account, so the more of your contacts use #Mitra, the less connections you lose during migration. It's not very difficult for other developers to implement it though, and it's documented in FEP-7628 and FEP-c390.

For migration to work, two accounts must be linked to the same cryptographic key. To do that, you need to add a public key to your profile, then create a signature to prove the possession of the corresponding private key. You can think of this key as something that represents your primary identity and your fediverse accounts as temporary aliases. Mitra currently supports two signing tools: Minisign and Metamask.

Minisign

#Minisign is a command line tool. It might be difficult to use, but it is secure and doesn't violate your privacy.

1. Install Minisign. The tool is available in most Linux distros. For example, on Debian you can simply run apt install minisign.
2. Generate a key pair: minisign -G.
3. Go to your profile page, click on three dots to open the profile menu and select "Link minisign key".
4. Tell Minisign to export your public key:

Copy the text from minisign.pub file and paste it into the form. Press "Generate message" button.

5. Run displayed commands to create a signature. The first one (starting with printf) creates a file that needs to be signed. The second one

creates a signature. Copy the text from message.sig file and paste it into the form. Press "Submit".

Now, back up your social graph. Go to "Settings" and scroll down to the "Export" section. Download both follows and followers lists.

Metamask

#Metamask is a browser extension and a cryptocurrency wallet. It leaks the hash of your public key to third parties, has non-free license and has other shortcomings.

However, it is much easier to use than Minisign. If you have it installed, just go to your profile page, open dropdown menu and select "Link ethereum address". Follow the instructions and approve the signature request. Done!

Migration

If you need to migrate your connections, repeat the linking procedure with your new account. Then go to "Settings", find the "Experiments" section with "Import follows" and "Move followers" buttons, and upload your previously backed up lists. That's all.

In the future more identity verification methods will be added. For example, a client may generate a private key for you, and let you back it up as a passphrase. This is less secure, because you have to trust the server admin to not steal your private key, but it is much easier than using Minisign. Arguably, the tradeoff is acceptable.