
What is this PGP Thing, and How Can I Use it?

The need to keep your personal information, sensitive or nonsensitive, secure from prying eyes isn't new, but recent events have brought it back into the public eye.

In this workshop, we'll build and upload public keys, explore Git commit signing, and learn to sign others' PGP keys. If we have time, we'll exchange key fingerprints and show IDs, then discuss signing and verifying gems.

You'll need a photo ID and your own computer for this workshop.

Presented at RailsConf 2015. http://railsconf.com/program/labs#prop_903

Caleb Hearth

April 15, 2015

Transcript

  1. With Trusted GPG
     • Download GPG signature from https://gpgtools.org
     • Verify signature fingerprint
     • Import GPGTools developer key from https://gpgtools.org

       gpg --verify GPG_Suite-2015.03-b6.dmg.sig \
           GPG_Suite-2015.03-b6.dmg
  2. Get your signature in as many places as possible
     • GPG can auto-download keys to verify sigs
     • More ways to establish trust
  3. x

  4. Uses OpenSSL keys
     • Same sort of keys as used for SSL / HTTPS
     • Unfortunately, the same sort of keys as used for SSL / HTTPS, which have no good distribution system
  5. Uses certificate authorities
     • Doesn’t take advantage of the much larger PGP WoT (web of trust)
     • Requires you to trust a CA manually
  6. Signatures included in gem

       pg-0.18.1.gem
       ├── checksums.yaml.gz
       ├── checksums.yaml.gz.sig
       ├── data.tar.gz
       ├── data.tar.gz.sig
       ├── metadata.gz
       └── metadata.gz.sig
  7. Required Reading
     • Signing gems on Gem::Security docs (formatted)
     • rubygems-developers mailing list thread on gem signing
     • rubygems-openpgp
     • We Need to Sign Ruby Gems! But How?
     • Nobody Cares About Signed Gems (archive.org)
  8. Aptitude, Homebrew, etc. automate this
     • aptitude uses gpg to verify
     • Homebrew checks SHAs of installed packages
     • RVM distributes signature and automatically verifies during installation
  9. Need automatic verification before installation
     • Should verify signature
     • Should be configurable to verify trust
     • Should fail to install if unverifiable
  10. GitHub commit 84d9f998dbbb514c6c127ba91e800c34e8885e35

        gpg: Signature made Wed Jan 14 09:56:52 2015 CST using RSA key ID A0ACE70A
        gpg: Good signature from "Caleb Thompson <[email protected]>" [ultimate]
        gpg:                 aka "Caleb Thompson <[email protected]>" [ultimate]
        gpg:                 aka "Caleb Thompson <[email protected]>" [ultimate]
        Author: Caleb Thompson <[email protected]>
        Date:   Wed Jan 14 09:55:45 2015 -0600

            Connect A0ACE70A and @calebthompson
  11. Claim Social Accounts

        pub   2048R/A0ACE70A 2013-08-12
              Key fingerprint = B432 C068 2FD1 C2D0 6A8B  3951 1621 ADC2 A0AC E70A
        uid       [ultimate] Caleb Thompson <[email protected]>
        uid       [ultimate] Caleb Thompson <[email protected]>
        uid       [ultimate] Caleb Thompson <[email protected]>
        uid       [ultimate] @calebthompson (https://twitter.com/calebthompson/status/)
        uid       [ultimate] @calebthompson (https://github.com/calebthompson/i-am)
        sub   2048R/545CA4DF 2013-08-12
        sub   4096R/379AE326 2015-02-09
  12. Assert that you’ve verified ownership (can use private key)
      • (It’s less common to actually do this step)
  13. Get the key
      • Mine is included on the USB
      • Usually you find it online as a .asc file someone points to, or on a keyserver
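An added example, not from the deck, that implements the "automatic verification before installation" policy (verify the signature, optionally require trust, fail to install if unverifiable) against the gem layout shown under "Signatures included in gem", with the signer pinned to the deck's key fingerprint, as "Verify signature fingerprint" suggests. It parses gpg's machine-readable --status-fd output; the helper names, the unpacked-gem directory layout and the policy struct are assumptions.

```ruby
require "open3"

# Policy as stated on the slides: verify the signature, optionally require
# web-of-trust trust, and fail closed when anything cannot be verified.
GemSigPolicy = Struct.new(:allowed_fingerprints, :require_trust, keyword_init: true)

# The three signed components a gem carries (the .sig files sit beside them).
GEM_PARTS = %w[checksums.yaml.gz data.tar.gz metadata.gz].freeze

# Parse gpg's machine-readable "--status-fd" lines into a verification result.
def parse_gpg_status(status_text)
  result = { valid: false, primary_fingerprint: nil, trusted: false, missing_key: false }
  status_text.each_line do |line|
    fields = line.chomp.split(" ")
    next unless fields[0] == "[GNUPG:]"
    case fields[1]
    when "VALIDSIG"
      # Field 2 is the signing (sub)key fingerprint; the optional last field is
      # the primary key fingerprint, which is the value we pin.
      result[:valid] = true
      result[:primary_fingerprint] = fields[11] || fields[2]
    when "BADSIG"    then result[:valid] = false
    when "NO_PUBKEY" then result[:missing_key] = true
    when "TRUST_FULLY", "TRUST_ULTIMATE" then result[:trusted] = true
    end
  end
  result
end

# Apply the policy to one parsed result. Any doubt means reject.
def verification_decision(status, policy)
  return :reject_unverifiable if status[:missing_key] || !status[:valid]
  return :reject_unknown_signer unless policy.allowed_fingerprints.include?(status[:primary_fingerprint])
  return :reject_untrusted if policy.require_trust && !status[:trusted]
  :accept
end

# Verify every component of an unpacked gem directory (assumed layout).
# Needs gpg on PATH; a missing .sig is treated as unverifiable.
def verify_gem_parts(dir, policy)
  GEM_PARTS.each do |part|
    sig = File.join(dir, "#{part}.sig")
    return :reject_unverifiable unless File.exist?(sig)
    out, _err, _status = Open3.capture3("gpg", "--batch", "--status-fd", "1", "--verify", sig, File.join(dir, part))
    decision = verification_decision(parse_gpg_status(out), policy)
    return decision unless decision == :accept
  end
  :accept
end
```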