Maybe it's too hot today and my brain isn't working. Can anyone with experience/insight into Forgejo and Gitea explain to me what the point is of the server signing commits (e.g. merge, initial commit, wiki etc.)? Maybe I'm missing something obvious, but the whole point of signing commits is as an authenticity check. If an attacker gained access to a user's account that has the permission to trigger any of these actions, the signature mechanism does not allow differentiating between a legitimate and a compromised commit. The only case I can think of where this might be useful is if someone tried to pass off an unsigned commit as having been done by the server, whereas legitimate commits by the server have been signed. Without an option to block unsigned commits entirely this seems a bit like security theater though, if my threat model isn't entirely wrong. Thoughts?

#gitea #forgejo #gpg #signing

OPENPGPKEY: publishing GPG keys directly in DNS

Store GPG keys directly as an OPENPGPKEY record in DNS, without depending on a keyserver or the web of trust. Explains RFC 7929, the SHA-256 hash variant of the local part, a generator for the record, and why DNSSEC is the prerequisite. Plus a note on record size.

https://www.kernel-error.de/2015/04/01/opengpgkey-rr-gpg-key-im-dns/
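As an added example (not code from the linked article), a small Python generator for the owner name and zone-file line that RFC 7929 describes: the local part is hashed with SHA-256 as raw UTF-8, truncated to 28 octets, and placed under the `_openpgpkey` label. The key bytes below are a constructed placeholder, not a real key, and the zone still has to be DNSSEC-signed for a verifier to trust the answer.

```python
import base64
import hashlib

# Constructed placeholder standing in for the binary (non-armored)
# transferable public key exported from the keyring. Not a real OpenPGP key.
PLACEHOLDER_KEY_BYTES = b"\x99\x00\x0d" + bytes(range(13))


def openpgpkey_owner_name(email: str) -> str:
    """Derive the OPENPGPKEY owner name for an address (RFC 7929, section 3).

    The local part is hashed as its UTF-8 bytes with no case folding, the
    SHA-256 digest is truncated to 28 octets (56 hex characters), and the
    result becomes a label under _openpgpkey.<domain>.
    """
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}."


def openpgpkey_record(email: str, key_bytes: bytes, ttl: int = 3600) -> str:
    """Build the zone-file line; presentation format is base64 of the raw key.

    Returns '<owner> <ttl> IN OPENPGPKEY <base64>'. Large keys (photo IDs,
    many signatures) make large records, which is the size caveat the post
    mentions, so check len(key_bytes) before publishing.
    """
    rdata = base64.b64encode(key_bytes).decode("ascii")
    return f"{openpgpkey_owner_name(email)} {ttl} IN OPENPGPKEY {rdata}"


if __name__ == "__main__":
    print(openpgpkey_record("hugh@example.com", PLACEHOLDER_KEY_BYTES))
```

Feed the line into the zone for `example.com` (placeholder domain), then re-sign the zone; resolvers that validate DNSSEC can then fetch the key with a single query for the derived owner name.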

I wonder if it would benefit some social networks to integrate a PGP/GPG style "trust" (https://phildev.net/pgp/gpgtrust.html) into user accounts.

Accounts could 'trust' other accounts with varying levels so as to vet them for others. Maybe use QR codes for in-person 'signing'?

This may be an effective way to reduce unwanted AI/bot activity since the approach is toward verifying "I know and trust this person" rather than how some karma or reputation systems work.

#ai #bot #gpg #pgp #trust #socialmedia

Tried importing my GPG keys from the computer onto the YubiKey. The first time around I poked at something and managed to completely lock the GPG module on the key.

Googled how to reset it via the CLI tool (`ykman openpgp reset`).

Then it turned out that the GPG module isn't shown at all in the graphical application, and what I had been torturing was the PIV module, which handles certificates. I reset that one too, just in case. Luckily I wasn't using either of them.

In the end I moved the signing and authentication keys over with the CLI, but the encryption key would only go via Kleopatra. Now I have a copy of my key on the YubiKey.

What's left is to figure out why I need any of this.

#gpg #yubikey

Getting a verified lock icon for my signed Git commits took longer than expected! It’s all set up now in the end via SSH keys (and not GPG keys) on Codeberg. Email matching was the main culprit.

It's my first time setting up signing commits and I tested it on my new Gist repo!

<https://codeberg.org/burgeonlab/gists>

Hope to add more to it in the near future.

View full note on my website: https://burgeonlab.com/notes/2026/0523-105727/

#100daystooffload #git #gpg #pgp #ssh #codeberg #signingkeys #gists #gist

The Math-Verbal Divide: Unequal Returns to Cognitive Skills in Education and Work https://d.repec.org/n?u=RePEc:iza:izadps:dp18542&r=&r=lab
"Verbal skills strongly predict educational attainment while #mathematics skills generate substantially larger earnings returns.
… This divergence operates partly through field-of-study choice: individuals with stronger verbal skills disproportionately select into fields with higher graduation rates but lower earnings returns, while those with stronger mathematics skills enter #STEM and other high-paying majors.
… Gender differences in skills explain the female advantage in college attendance and part of the STEM gap but have little effect on the gender earnings gap due to offsetting effects across these pathways: women's verbal advantage facilitates educational access but also steers them toward lower-return fields."
#LaborEcon #wages #gpg

OK, so do I get this right? The GPG key for signing ceph packages is so old it is no longer being accepted on RHEL10 and the likes?

```
Certificate E84AC2C0460F3994:
Policy rejects E84AC2C0460F3994: No binding signature at time ...
```

(And there are no builds for EL10 yet, you need to use EL9 packages)

#ceph #rhel #gpg #homelab #AdminLife

Playing around with Sequoia-PGP again. And it just strikes me how easy it makes it. This time I played with sqop instead of sq.

```
$ sqop generate-key > key.asc                # secret key (armored)
$ sqop extract-cert < key.asc > key.pub      # public certificate used for encryption
$ cat file | sqop encrypt key.pub > file.asc
$ cat file.asc | sqop decrypt key.asc > file2
$ sha256sum file file2 | cut -d' ' -f1 | uniq -c
2 34fbc467b8c62...
```

Try doing that with gpg without needing any $HOME/.gnupg directory. And then try putting that in a script run by some locked-down user via a cron job.

(I know this should be signed as well, not dug into that yet.)

#openpgp #pgp #gpg #gnupq #sequoia #sq #sqop #encryption

I've been running #Tumpa CLI for a while on a few selected git repositories, where I use #yubikey for the #PGP key storage.

https://github.com/tumpaproject/tumpa-cli

Today I have globally replaced gpg2 with tcli and tclig in the git config. It does the job very well and is far less annoying than gpg ever was. The tcli agent is also much more nicely behaving than the gpg-agent.

Thank you, @kushal for the excellent work on Tumpa!

And I'm even more impressed that Tumpa even handles multiple Yubikeys plugged in in parallel. It selects the right key for the right identity and the tcli agent even caches the needed passphrase/PIN as expected. This is something which was a complete mess with GnuPG.

#OpenPGP #gnupg #gpg #opensource #foss #oss

Firm Pay, Amenities, and Inequality https://d.repec.org/n?u=RePEc:nbr:nberwo:35149&r=&r=bec
"Non-wage attributes are an important driver of job choice: workers frequently choose lower-paying offers. Amenity valuations are highly dispersed across firms and approximately orthogonal to wages, so amenities do not offset between-firm pay differences. In money-metric units, the signal variance of amenities is about one-third that of wage premia. Conditional on the wage, high-amenity firms tend to be larger, have lower quit rates, and are more favorably reviewed by employees. Amenity preferences vary across demographic groups. Men and women do not value the same firms equally: the correlation between their firm-specific valuations is 0.239. Women work at firms that pay less. They also work at firms that offer them higher amenity value. Using gender-specific valuations, women do not work at firms that offer them lower overall value. In some specifications, they work at firms that offer more."
#LaborMarkets #wages #ExperimentalEcon #gpg