Re: [Tails-dev] [review'n'merge:1.2.1] feature/7512-Make-Gnu…

Delete this message

Reply to this message
Autor: intrigeri
Data:  
Dla: The Tails public development discussion list
Temat: Re: [Tails-dev] [review'n'merge:1.2.1] feature/7512-Make-GnuPG-config-closer-to-duraconf-reworked
Hi,

anonym wrote (20 Oct 2014 16:39:34 GMT) :
> I don't get why we install hopenpgp-tools. We don't use it anywhere, the
> tools themselves are quite poorly documented, and it's not obvious that
> they offer any useful functionality that plain ol' gpg doesn't, at least
> the stuff that we expect from users. Well, `hokey --lint` looked pretty
> nice, as did some of `hkt`'s graphing commands, but all this is pretty
> arcane.


Our internal security policy mandates that we follow the OpenPGP Best
Practices [1]. I think we should make it easier, both for Tails
contributors and other users, to self-check their compliance. In the
current state of things, one has to do something non-trivial like
commit ab2a4954 to get hokey installed. IMO that's not good enough.

Regarding functionality that GnuPG doesn't offer, indeed there's not
much there. But if you look at the "OpenPGP key checks" section in
that document, you'll notice that indeed, `hokey lint' does, in one
single command, a lot of things that require running several obscure
commands if you want to do it with GnuPG, such as that one and a few
similar others:

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A2 'public key' | grep 'pkey\[0\]:'

hokey lint's output is also, I would argue, way easier to understand
and draw conclusions from; colors help. So, basically, `hokey lint' is
IMO the best available tool right now for anyone to do a lot of basic
sanity checks on their keys. It's probably still "arcane", but we
simply haven't anything better to achieve these goals yet.

[1] https://help.riseup.net/en/security/message-security/openpgp/best-practices

Cheers!
--
intrigeri