mastodon.zunda.ninja is one of the many independent Mastodon servers you can use to participate in the fediverse.
Zundon is a single user instance as home of @zundan as well as a test bed for changes of the code.

#openpgp

GnuPG<p>According to <span class="h-card" translate="no"><a href="https://social.heise.de/@ct_Magazin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ct_Magazin</span></a></span> and the press release <a href="https://merlinux.eu/press/2025-05-14-russia-deltachat.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">merlinux.eu/press/2025-05-14-r</span><span class="invisible">ussia-deltachat.pdf</span></a> Russia sues the German company merlinux GmbH over Delta Chat, an email and <a href="https://mstdn.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> based <a href="https://mstdn.social/tags/Endtoendcrypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Endtoendcrypto</span></a> messenger.</p>
Andreas Grupp :tux: :opensuse:<p>A new version of <a href="https://social.tchncs.de/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> (v2.5.6) and another beta of the upcoming <a href="https://social.tchncs.de/tags/Gpg4Win" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Gpg4Win</span></a> 5.0 have been released.</p><p>For anyone who doesn't know Gpg4Win (yet): it includes, among other things, the MS Outlook plugin GpgOL so that <a href="https://social.tchncs.de/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a>-encrypted mail works there, GpgEX so you can encrypt files from Explorer, and the key/certificate manager Kleopatra. With 5.0 comes post-quantum resistant encryption.</p><p>S/MIME is of course available as well. Because of the cost of the additional, time-limited certificates, though, it scales even worse among the general public than OpenPGP does. That's why I argue for focusing on the latter, so that at least there we can achieve wider adoption.</p><p>And a big thank you from me to the main developer of these tools, <span class="h-card" translate="no"><a href="https://social.darc.de/@DD9JN" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>DD9JN</span></a></span> </p><p><a href="https://www.gpg4win.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">gpg4win.org/</span><span class="invisible"></span></a></p>
l<p><span class="h-card" translate="no"><a href="https://mastodon.social/@eff" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>eff</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@evacide" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>evacide</span></a></span> <br>GnuPG is not the only way to encrypt email; I use <a href="https://fosstodon.org/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> with Thunderbird and <span class="h-card" translate="no"><a href="https://chaos.social/@delta" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>delta</span></a></span>, neither of which uses GPG.</p><p>Also, the pages<br><a href="https://ssd.eff.org/module/how-use-pgp-linux" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ssd.eff.org/module/how-use-pgp</span><span class="invisible">-linux</span></a><br>and<br><a href="https://ssd.eff.org/module/how-use-pgp-windows" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ssd.eff.org/module/how-use-pgp</span><span class="invisible">-windows</span></a><br>are outdated: Thunderbird now has a built-in OpenPGP implementation, and Enigmail does not work with the latest versions.</p>
Rachael Ava 💁🏻‍♀️🚨 Important: GPG Key Revoked & Superseded! 🔐
GnuPG<p><a href="https://mstdn.social/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> 2.4.6 is available. Accumulated fixes and small improvements over the last 7 months. There is even a new tool `gpg-mail-tube` to encrypt an email automatically in a pipe. Give it a try, especially if you use hardware tokens.</p><p><a href="https://lists.gnupg.org/pipermail/gnupg-announce/2024q4/000486.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lists.gnupg.org/pipermail/gnup</span><span class="invisible">g-announce/2024q4/000486.html</span></a></p><p><a href="https://dev.gnupg.org/T7030" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">dev.gnupg.org/T7030</span><span class="invisible"></span></a></p><p><a href="https://mstdn.social/tags/FreeSoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeSoftware</span></a> <a href="https://mstdn.social/tags/EndtoEndSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EndtoEndSecurity</span></a> <a href="https://mstdn.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> <a href="https://mstdn.social/tags/LibrePGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LibrePGP</span></a></p>
Theia Institute™<p><span class="h-card" translate="no"><a href="https://mstdn.social/@GnuPG" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GnuPG</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@todd_a_jacobs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>todd_a_jacobs</span></a></span> Using <a href="https://infosec.exchange/tags/LTFS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTFS</span></a> to store <a href="https://infosec.exchange/tags/encrypteddata" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>encrypteddata</span></a> outside of hyper scaler environments without the dedicated <a href="https://infosec.exchange/tags/KMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KMS</span></a> components expensive tape libraries use to enable <a href="https://infosec.exchange/tags/LTO9" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTO9</span></a> drives' built-in, hardware <a href="https://infosec.exchange/tags/AES256GCM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AES256GCM</span></a> support is an area the institute is evaluating, and thinking about how <a href="https://infosec.exchange/tags/GPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPG</span></a> might fit in has been a facet of our research process.</p><p>All recent generations of <a href="https://infosec.exchange/tags/LTO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTO</span></a> drives support strong, on-the-fly, hardware-accelerated encryption on the drives themselves. 
Sadly, it's essentially useless in the standalone drives sold to individuals, the <a href="https://infosec.exchange/tags/SOHO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOHO</span></a> market, or to other non-enterprise customers because of the high cost of the tape library hardware required to activate it.</p><p>In some ways, the situation is much like the early Intel 386 computers that shipped with missing or disabled math coprocessors even when it stopped being a cost issue. In part, that was a strategic market segmentation decision, and the institute currently believes the lack of accessible LTFS encryption for all encryption-capable drives is no different. </p><p>Even though <a href="https://infosec.exchange/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> is usually thought of as primarily an email tool, it's actually an important "Swiss Army knife" for a variety of <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> use cases. It's also on a tragically short list of <a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> and related <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> tools that remains fully <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensource</span></a>.</p><p>We're putting this topic on our agenda for further exploration and discussion. Meanwhile, these community conversations and the viewpoints of respected tool developers are an invaluable resource to everyone.</p>
PGPkeys EU<p>In recent weeks, a theoretical downgrade attack against the new default encryption mode used by GnuPG 2.5 has been published. This comes two years after a theoretical downgrade attack was announced against GnuPG's new default *signature* format. Both issues have been addressed in the latest update to the official OpenPGP specification, but GnuPG has declared that it will not implement the fixes.</p><p><a href="https://infosec.exchange/tags/gnupg" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gnupg</span></a> <a href="https://infosec.exchange/tags/openpgp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openpgp</span></a> <a href="https://infosec.exchange/tags/librepgp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>librepgp</span></a> </p><p><a href="https://blog.pgpkeys.eu/security-issues-librepgp-2024-08.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.pgpkeys.eu/security-issue</span><span class="invisible">s-librepgp-2024-08.html</span></a></p>
Dr. Todd A. Jacobs<p><a href="https://infosec.exchange/tags/TIL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TIL</span></a> that <span class="h-card" translate="no"><a href="https://mstdn.social/@GnuPG" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GnuPG</span></a></span> appears to use the <a href="https://infosec.exchange/tags/ustar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ustar</span></a> tar archive format, likely the version from POSIX.1-1988, for <a href="https://infosec.exchange/tags/gpgtar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gpgtar</span></a> rather than either the <a href="https://infosec.exchange/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> or Star formats from POSIX.1-2001. Since ustar has serious limitations on filename and pathname lengths, can't store certain file types or metadata, and has a 2GB file size limit, it seems unsuitable for most modern use cases.</p><p>If gpgtar is actually using star, pax, or the GNU tar POSIX mode, it's not in the <a href="https://infosec.exchange/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> user documentation which explicitly says it uses ustar. I have a lot of respect for the <a href="https://infosec.exchange/tags/GPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPG</span></a> devs, so I hope this is either just a documentary oversight or something that they can easily fix by linking with newer libraries. In either case, ustar is totally unsuitable for writing large archives to tape, and doesn't even offer the options GNU tar does for creating a separate index file, encrypted or not.</p><p>The gnutar command line doesn't offer the option to write a separate index, and requires a separate pass to list out the index. 
For example, if you wanted to encrypt a 20TiB archive with a separate, encrypted index to make finding files easier, you'd either have to pipe tar through gpg (which can cause shoe-shining or buffering issues on <a href="https://infosec.exchange/tags/LTFS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTFS</span></a>) and then encrypt GNU/BSD tar's index, or have <em>triple</em> the online HDD/SSD capacity of your archived data so you can tar up your files, run another pass with GnuPG to extract the index, and then encrypt both the tarball and index separately before writing them out to tape.</p><p>That seems...unreasonable. <a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> doesn't support the AES-256-GCM mode built into current <a href="https://infosec.exchange/tags/LTO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTO</span></a> drives, so gpgtar needs to keep up with the massive growth of data storage capacity rather than remaining an afterthought utility. Especially for <a href="https://infosec.exchange/tags/SOHO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOHO</span></a> LTO drives, the ability to write encrypted gpgtar archives and indexes directly to LTFS could be a real game-changer!</p>
Alexandre Dulaunoy<p>RFC9580 is finally out. A good refresh to the OpenPGP standard.</p><p><a href="https://infosec.exchange/tags/openpgp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openpgp</span></a> <a href="https://infosec.exchange/tags/pgp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pgp</span></a> <a href="https://infosec.exchange/tags/gnupg" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gnupg</span></a> </p><p><a href="https://datatracker.ietf.org/doc/html/rfc9580" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">datatracker.ietf.org/doc/html/</span><span class="invisible">rfc9580</span></a></p>
c't Magazin<p>heise+ | OpenPGP in upheaval: implementations, better standards and a big dispute</p><p>The OpenPGP community is modernizing email security, but after disputes within the working group, two mutually incompatible standards are now emerging.</p><p><a href="https://www.heise.de/hintergrund/OpenPGP-im-Umbruch-Implementierungen-bessere-Standards-und-ein-grosser-Streit-9790850.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&amp;utm_source=mastodon" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/hintergrund/OpenPGP-i</span><span class="invisible">m-Umbruch-Implementierungen-bessere-Standards-und-ein-grosser-Streit-9790850.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&amp;utm_source=mastodon</span></a></p><p><a href="https://social.heise.de/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> <a href="https://social.heise.de/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://social.heise.de/tags/Software" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Software</span></a> <a href="https://social.heise.de/tags/Standards" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Standards</span></a> <a href="https://social.heise.de/tags/Verschl%C3%BCsselung" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Verschlüsselung</span></a> <a href="https://social.heise.de/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>news</span></a></p>
Delta Chat<p>Some news regarding rPGP, the minimal <a href="https://chaos.social/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> <a href="https://chaos.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> implementation that has been stably providing end-to-end encryption for Delta users for many years: </p><p>- a new FAQ including questions about IETF specs, Post-Quantum cryptography, Autocrypt, LibrePGP, Sequoia etc. <a href="https://github.com/rpgp/rpgp/blob/master/docs/FAQ.md" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/rpgp/rpgp/blob/mast</span><span class="invisible">er/docs/FAQ.md</span></a> </p><p>- NLNET just granted <a href="https://chaos.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> V6 work on rPGP: <a href="https://nlnet.nl/project/rPGP-cryptorefresh/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nlnet.nl/project/rPGP-cryptore</span><span class="invisible">fresh/</span></a></p><p>rPGP is an independent and stable project which provides good general <a href="https://chaos.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> interoperability, see "rpgpie" in <a href="https://tests.sequoia-pgp.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tests.sequoia-pgp.org/</span><span class="invisible"></span></a></p>
Sylvester Tremmel<p>Visited the <a href="https://social.heise.de/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> Email Summit yesterday and I rarely met a more open and forward-looking group of people. If anybody can fix the mess that is encrypted email, it's people like this.</p>
Heiko<p>Meet oct-git, a new <a href="https://fosstodon.org/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> signing and verification tool for use with the <a href="https://fosstodon.org/tags/Git" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Git</span></a> distributed version control system:</p><p><a href="https://crates.io/crates/openpgp-card-tool-git" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crates.io/crates/openpgp-card-</span><span class="invisible">tool-git</span></a> 🦀</p><p>oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys</p><p>It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)</p><p><a href="https://fosstodon.org/tags/RustLang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RustLang</span></a> <a href="https://fosstodon.org/tags/PGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PGP</span></a> <a href="https://fosstodon.org/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> <a href="https://fosstodon.org/tags/gpg" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gpg</span></a> <a href="https://fosstodon.org/tags/Nitrokey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nitrokey</span></a> <a href="https://fosstodon.org/tags/YubiKey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>YubiKey</span></a></p>
Blue Ghost<p>Proton Mail automatically encrypts/decrypts messages between Proton Mail accounts via OpenPGP/PGP.</p><p>Proton Mail supports automatically encrypting/decrypting messages between Proton Mail accounts and external email accounts that support OpenPGP/PGP or GnuPG/GPG.</p><p>Instructions: <a href="https://proton.me/support/how-to-use-pgp" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">proton.me/support/how-to-use-p</span><span class="invisible">gp</span></a><br>GnuPG: <a href="https://mastodon.online/@blueghost/111974048270035570" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.online/@blueghost/111</span><span class="invisible">974048270035570</span></a></p><p>Website: <a href="https://proton.me" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">proton.me</span><span class="invisible"></span></a><br>Mastodon: <span class="h-card" translate="no"><a href="https://mastodon.social/@protonprivacy" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>protonprivacy</span></a></span></p><p><a href="https://mastodon.online/tags/Proton" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Proton</span></a> <a href="https://mastodon.online/tags/ProtonMail" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ProtonMail</span></a> <a href="https://mastodon.online/tags/ProtonPrivacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ProtonPrivacy</span></a> <a href="https://mastodon.online/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> <a href="https://mastodon.online/tags/PGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PGP</span></a> <a href="https://mastodon.online/tags/GnuPG" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> <a href="https://mastodon.online/tags/GPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPG</span></a> <a href="https://mastodon.online/tags/Email" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Email</span></a> <a href="https://mastodon.online/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> <a href="https://mastodon.online/tags/E2EE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>E2EE</span></a> <a href="https://mastodon.online/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://mastodon.online/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Privacy</span></a></p>
Dr. Todd A. Jacobs<p>I was recently asked about whether signed commits would have prevented the <a href="https://infosec.exchange/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> attack. The tl;dr is "no."</p><p>It's very important that the non <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> community understands what a <a href="https://infosec.exchange/tags/digitalsignature" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digitalsignature</span></a> does and doen't do. The notion that there's a <a href="https://infosec.exchange/tags/silverbullet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>silverbullet</span></a> for every technical, social, or trust problem is part of what makes <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> so hard to implement well.</p><p><a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> signatures rely on the system clock for setting the timestamp of a signature when signing the metadata and content of a commit. The author and committer dates can both legitimately differ from the timestamp of the signature for a number of reasons, or be made exactly the same rather trivially. </p><p><a href="https://infosec.exchange/tags/Git" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Git</span></a> history is a directed acyclic graph, not a cryptographic <a href="https://infosec.exchange/tags/blockchain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blockchain</span></a>, so a commit is just the delta between objects in the current treeish and the parent treeish in the graph. 
The signed metadata includes the current parent's SHA hash, but there's nothing stopping you from moving commits around and re-signing the new commits. If you couldn't do this, then you couldn't rebase, squash, do non-fast-forward merges, or cherry-pick.</p><p>This doesn't mean you can forge someone else's signature without access to their key material, but the attack wasn't the result of forged metadata or account impersonation. Signing wouldn't prevent commits by someone with commit access to the repository; it would just show that commits associated with Jia Tan were also signed by Jia Tan's private key. That provides no useful security control here. This was <em>not</em> a Git problem.</p>
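The post above says the signed metadata includes the parent's ID and that a rebased commit is simply re-signed. The following is an added example written for this page (not the post author's code, and not Git's or GnuPG's) that makes that concrete with Git's real commit object layout: the commit ID is SHA-1 over `commit <size>\0` plus the object text, and the signature is computed over the object with its `gpgsig` header stripped. Only the two object IDs asserted for the empty tree and empty blob are real Git values; the contributor identity, commit contents and signing key are constructed, and a keyed HMAC stands in for the OpenPGP signature so the script runs with the standard library alone.

```python
"""What a Git commit signature covers, and why a rebase forces re-signing.

Added example, not Git's or GnuPG's own code.  A commit is stored as text:
'tree', 'parent' lines, 'author', 'committer', an optional multi-line
'gpgsig' header, a blank line, then the message.  The commit ID is SHA-1
over "commit <size>\\0" followed by that text.  The signature is made over
the text WITHOUT the gpgsig header and stored in that header, so the
parent ID is part of what is signed.  An HMAC with a constructed key
stands in for the OpenPGP signature; the properties shown do not depend
on that substitution.
"""
import hashlib
import hmac

# Constructed stand-in for a contributor's private signing key.
SIGNING_KEY = b"example-private-key-stand-in"


def object_id(kind: str, data: bytes) -> str:
    """Git object ID: SHA-1 over 'kind <size>\\0' plus the raw content."""
    return hashlib.sha1(f"{kind} {len(data)}\0".encode() + data).hexdigest()


def commit_payload(tree: str, parents: list, author: str, committer: str,
                   message: str) -> bytes:
    """The signable part of a commit: every header except gpgsig, then the message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return ("\n".join(lines) + "\n").encode()


def sign(payload: bytes, key: bytes) -> str:
    """Stand-in for a detached OpenPGP signature over the payload (HMAC, not OpenPGP)."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"-----BEGIN STANDIN SIGNATURE-----\n{mac}\n-----END STANDIN SIGNATURE-----"


def attach_signature(payload: bytes, signature: str) -> bytes:
    """Store the signature as a gpgsig header after the committer line, as Git does;
    continuation lines of a multi-line header are prefixed with one space."""
    head, body = payload.split(b"\n\n", 1)
    first, *rest = signature.splitlines()
    header = "gpgsig " + first + "".join("\n " + line for line in rest)
    return head + b"\n" + header.encode() + b"\n\n" + body


def split_signed_commit(obj: bytes):
    """Return (payload without gpgsig, signature text): the split Git performs
    before handing the payload and signature to the verifier."""
    head, body = obj.split(b"\n\n", 1)
    kept, sig, in_sig = [], [], False
    for line in head.decode().split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return ("\n".join(kept) + "\n\n").encode() + body, "\n".join(sig)


def verify(obj: bytes, key: bytes) -> bool:
    """Valid only if the stored signature matches the gpgsig-stripped object."""
    payload, sig = split_signed_commit(obj)
    return hmac.compare_digest(sig, sign(payload, key))


def rebase_demo() -> dict:
    """Sign a commit, move it onto another parent, and watch the old signature
    fail until the key holder signs the rewritten commit again."""
    tree = object_id("tree", b"")  # the well-known empty tree
    who = "Contributor <dev@example.org> 1711000000 +0000"  # constructed identity
    base_a = object_id("commit", commit_payload(tree, [], who, who, "base A"))
    base_b = object_id("commit", commit_payload(tree, [], who, who, "base B"))

    payload = commit_payload(tree, [base_a], who, who, "add build helper")
    signed = attach_signature(payload, sign(payload, SIGNING_KEY))

    # A rebase: same tree, same message, different parent, so a new payload.
    moved = commit_payload(tree, [base_b], who, who, "add build helper")
    stale = attach_signature(moved, split_signed_commit(signed)[1])
    resigned = attach_signature(moved, sign(moved, SIGNING_KEY))

    return {
        "original_valid": verify(signed, SIGNING_KEY),
        "stale_after_rebase_valid": verify(stale, SIGNING_KEY),
        "resigned_valid": verify(resigned, SIGNING_KEY),
        "other_key_valid": verify(attach_signature(moved, sign(moved, b"someone-else")), SIGNING_KEY),
        "id_changes_on_rebase": object_id("commit", signed) != object_id("commit", resigned),
        "signature_is_in_object_id": object_id("commit", payload) != object_id("commit", signed),
    }


if __name__ == "__main__":
    for name, value in rebase_demo().items():
        print(f"{name}: {value}")
```

Nothing here checks what the commit contains; a valid signature only says the holder of the key signed that exact tree and parent, which is precisely why it would not have flagged a malicious commit made by a legitimate key holder.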
Heiko<p>I just released version 0.2.0 of <a href="https://crates.io/crates/rsop" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crates.io/crates/rsop</span><span class="invisible"></span></a></p><p><a href="https://fosstodon.org/tags/rsop" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rsop</span></a> is a "Stateless OpenPGP" CLI tool based on <a href="https://fosstodon.org/tags/rPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rPGP</span></a>.</p><p>This new version adds more support for handling passphrase-protected private key material, as well as handling of un-armored OpenPGP data.</p><p>See <a href="https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">datatracker.ietf.org/doc/draft</span><span class="invisible">-dkg-openpgp-stateless-cli/</span></a> for more on SOP.</p><p><a href="https://fosstodon.org/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> <a href="https://fosstodon.org/tags/PGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PGP</span></a> <a href="https://fosstodon.org/tags/SOP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOP</span></a> <a href="https://fosstodon.org/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> <a href="https://fosstodon.org/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a></p>
Todd A. Jacobs<p><span class="h-card" translate="no"><a href="https://mstdn.social/@GnuPG" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GnuPG</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@todd_a_jacobs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>todd_a_jacobs@infosec.exchange</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> I pay for well-written <a href="https://ruby.social/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> software on <a href="https://ruby.social/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iOS</span></a> all the time. There's nothing that I know of that would prevent <a href="https://ruby.social/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> itself or their commercial relatives from releasing an <a href="https://ruby.social/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iOS</span></a> version based on <a href="https://ruby.social/tags/libgcrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libgcrypt</span></a>, other than the scarcity of developer resources of course.</p><p>There's definitely a gap in the <a href="https://ruby.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> ecosystem for trustworthy iOS and <a href="https://ruby.social/tags/iPadOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iPadOS</span></a> apps. Might be something to consider for the future to fund continued development of GnuPG!</p>
Todd A. Jacobs<p>This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a <a href="https://ruby.social/tags/Yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Yubikey</span></a> for <a href="https://ruby.social/tags/SMIME" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMIME</span></a> or <a href="https://ruby.social/tags/GPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPG</span></a> signing on <a href="https://ruby.social/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iOS</span></a> &amp; <a href="https://ruby.social/tags/iPadOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iPadOS</span></a>, but can't find:</p><p>1. Any documentation about how to integrate it with Apple Mail.</p><p>2. Anyplace that offers <a href="https://ruby.social/tags/x509" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>x509</span></a> certificates for S/MIME at zero or minimal cost the way <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> offers free <a href="https://ruby.social/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> certs.</p><p>Self-signed S/MIME certs are a non-starter, and there are no full-featured <a href="https://ruby.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> apps on iOS. Suggestions?</p>
Wiktor Kwapisiewicz<p>PSA: WKD Checker (<a href="https://metacode.biz/openpgp/web-key-directory" rel="nofollow noopener" target="_blank">https://metacode.biz/openpgp/web-key-directory</a>) will be officially sunsetted on 1.05.2024.</p><p>The reasons are two-fold: on one hand the service already succeeded in raising awareness of the protocol on the other I lack the resources to maintain and develop it and leaving unmaintained online services is not the smartest move.</p><p>The service was powered by an open-source component so in case someone badly needs it it’s always possible to host your own: <a href="https://gitlab.com/wiktor/wkd-checker" rel="nofollow noopener" target="_blank">https://gitlab.com/wiktor/wkd-checker</a></p><p>Thanks for all your support and kind words! 👋</p>
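For anyone who wants to check a WKD deployment by hand now that the hosted checker is gone, here is an added example (written for this page, not code from the WKD Checker project or from GnuPG) that computes the two lookup URLs WKD defines for an address: SHA-1 of the lower-cased local part, z-base-32 encoded, under the `openpgpkey` subdomain (advanced method) or the mail domain itself (direct method). The address `Joe.Doe@Example.ORG` is the example address from the WKD specification; the expected hash in the test is the one that document gives for it.

```python
"""Web Key Directory lookup URLs for an e-mail address.

Added example, not from the WKD Checker project or GnuPG.  WKD maps an
address to two candidate HTTPS locations: the hashed, lower-cased local
part is placed under /.well-known/openpgpkey/ on either the 'openpgpkey'
subdomain (advanced method) or the mail domain itself (direct method),
and the original local part is passed as the ?l= query parameter.  The
hash is SHA-1 of the lower-cased local part, encoded with z-base-32.
"""
import hashlib
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5-bit groups taken MSB first, no padding characters."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # right-pad the bit string to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """32-character z-base-32 encoding of SHA-1(lower-cased local part)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and direct method URLs (plus policy files) for one address.
    A client tries the advanced method first and falls back to the direct one;
    the domain is compared case-insensitively, the local part keeps its case in ?l=."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hashed = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{advanced_base}/hu/{hashed}{query}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{hashed}{query}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name}: {url}")
```

A self-hosted check is then an HTTPS GET of the advanced URL followed by the direct one, expecting a binary (unarmored) OpenPGP certificate whose user ID matches the address; the policy file is required for the advanced method, so its absence is a useful first diagnostic.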
David Runge<p>We have just issued the first <a href="https://chaos.social/tags/release" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>release</span></a> of <a href="https://chaos.social/tags/sshd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sshd</span></a>-openpgp-auth and <a href="https://chaos.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a>-openpgp-auth.</p><p>Using this server and client-side tooling it is possible to manage the <a href="https://chaos.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> of <a href="https://chaos.social/tags/SSH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSH</span></a> host keys with the help of an <a href="https://chaos.social/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> certificate as trust anchor.</p><p><a href="https://crates.io/crates/sshd-openpgp-auth" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crates.io/crates/sshd-openpgp-</span><span class="invisible">auth</span></a></p><p><a href="https://crates.io/crates/ssh-openpgp-auth" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crates.io/crates/ssh-openpgp-a</span><span class="invisible">uth</span></a></p><p>Many thanks to <span class="h-card" translate="no"><a href="https://metacode.biz/@wiktor" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>wiktor</span></a></span> for the great collaboration and <a href="https://chaos.social/tags/NLnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NLnet</span></a> / <a href="https://chaos.social/tags/NGIAssure" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>NGIAssure</span></a> for funding this work!</p><p><a href="https://chaos.social/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://chaos.social/tags/KeyOxide" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeyOxide</span></a> <a href="https://chaos.social/tags/KnownHosts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownHosts</span></a> <a href="https://chaos.social/tags/OpenSSH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSH</span></a> <a href="https://chaos.social/tags/Rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rustlang</span></a> <a href="https://chaos.social/tags/Software" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Software</span></a> <a href="https://chaos.social/tags/WebKeyDirectory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebKeyDirectory</span></a> <a href="https://chaos.social/tags/WebOfTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebOfTrust</span></a> <a href="https://chaos.social/tags/WKD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WKD</span></a> <a href="https://chaos.social/tags/WoT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WoT</span></a></p>