#minisign — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #minisign, aggregated by home.social.
-
Sehr geiler Talk von @95p und @49016 über Schwachstellen in #GnuPG und ein paar weiteren Programmen. Insgesamt fanden beide 14 Schwachstellen.
Große Anerkennung an @filippo, der live die Bugbounty überreicht.
Details auch auf https://gpg.fail/
https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
-
Use MiniSign to sign documents, archive the folder with signed documents and their signature files (*.minisig) in the usual way
https://jedisct1.github.io/minisign
My signing key
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
I’ve updated my public keys. In future #minisign will be used to #sign important information, instead of #OpenPGP. https://sami-lehtinen.net/public-keys Sami Lehtinen minisign key:
RWRzsYlYTs5IJRJqnEoFRpSbhJBaeym9zb2bs7hMbj9rOZrNYC+HYmrY -
1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.
#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore
-
1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.
#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore
-
1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.
#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore
-
1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.
#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore
-
Tinkering and learning about #AGE and #Minisign and how they compare to #GPG. Wrote a "very" basic BASH script (may improve on it later, I dunno) to automate some AGE features without having to memorize the syntax.
-
Thinking of email using #Neomutt, #AgeEncryption , and #Minisign
Setup a signed webpage with my public keys & explaining how to decrypt files and how verify signatures
Add a link to this webpage to my usual email signature text.
By default an email is an unencrypted, unsigned postcard ¯\_(ツ)_/¯
But when used to send important private data, sign and/or encrypt the files & send them as attachment to a cover letter explaining how to decrypt and verify signatures & a link to webpage above
-
Thinking of email using #Neomutt, #AgeEncryption , and #Minisign
Setup a signed webpage with my public keys & explaining how to decrypt files and how verify signatures
Add a link to this webpage to my usual email signature text.
By default an email is an unencrypted, unsigned postcard ¯\_(ツ)_/¯
But when used to send important private data, sign and/or encrypt the files & send them as attachment to a cover letter explaining how to decrypt and verify signatures & a link to webpage above
-
The PGP Problem
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email
#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
The PGP Problem
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email
#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
The PGP Problem
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email
#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
The PGP Problem
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email
#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
The PGP Problem
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
#OpenPGP #GnuPG #PGP #GPG #PublicKey #Email
#AgeEncryption https://age-encryption.org
#Minisign https://jedisct1.github.io/minisign/#AgePublicKey
age1s3n5ehvm8h3xjkc985hzjznw9cv0lk9ezj5heyy4m7l654rkzslq07ylps#MinisignPublicKey
RWRK8XFYuCHjYX1J/7cKCUy6eQKNYVAurb/70Q6pK8kjGHALVORZGJ+o -
I added #minisign key to my #mitra #selfhosted intance account, now what? 😄
-
thought it might be nice to sign #sphinx releases with #minisign and #ssh #eddsa keys, straight outta sphinx. minisign #privkeys are okish (they do need 40 B of entropy, 8 extra for a "keyid"). but did you know, that in ssh the public key is stored 3x in the ed25519 private #key? one time i can understand (could be 0 though), but 3 times? what have they been drinking? #fileformats
-
thought it might be nice to sign #sphinx releases with #minisign and #ssh #eddsa keys, straight outta sphinx. minisign #privkeys are okish (they do need 40 B of entropy, 8 extra for a "keyid"). but did you know, that in ssh the public key is stored 3x in the ed25519 private #key? one time i can understand (could be 0 though), but 3 times? what have they been drinking? #fileformats
-
thought it might be nice to sign #sphinx releases with #minisign and #ssh #eddsa keys, straight outta sphinx. minisign #privkeys are okish (they do need 40 B of entropy, 8 extra for a "keyid"). but did you know, that in ssh the public key is stored 3x in the ed25519 private #key? one time i can understand (could be 0 though), but 3 times? what have they been drinking? #fileformats
-
How to set up key-based identity in Mitra
Mitra implements a mechanism for migrating your connections from one server to another, which works even if your current server is offline. At the moment, this mechanism is only supported by Mitra. People who use different software won't be able to connect automatically to your new account, so the more of your contacts use #Mitra, the less connections you lose during migration. It's not very difficult for other developers to implement it though, and it's documented in FEP-7628 and FEP-c390.
For migration to work, two accounts must be linked to the same cryptographic key. To do that, you need to add a public key to your profile, then create a signature to prove the possession of the corresponding private key. You can think of this key as something that represents your primary identity and your fediverse accounts as temporary aliases. Mitra currently supports two signing tools: Minisign and Metamask.
Minisign
#Minisign is a command line tool. It might be difficult to use, but it is secure and doesn't violate your privacy.
1. Install Minisign. The tool is available in most Linux distros. For example, on Debian you can simply run
apt install minisign.
2. Generate a key pair:minisign -G.
3. Go to your profile page, click on three dots to open the profile menu and select "Link minisign key".
4. Tell Minisign to export your public key:minisign -R -f -p minisign.pubCopy the text from
minisign.pubfile and paste it into the form. Press "Generate message" button.5. Run displayed commands to create a signature. The first one (starting with
printf) creates a file that needs to be signed. The second oneminisign -S -l -m message -x message.sigcreates a signature. Copy the text from
message.sigfile and paste it into the form. Press "Submit".Now, back up your social graph. Go to "Settings" and scroll down to the "Export" section. Download both follows and followers lists.
Metamask
#Metamask is a browser extension and a cryptocurrency wallet. It leaks the hash of your public key to third parties, has non-free license and has other shortcomings.
However, it is much easier to use than Minisign. If you have it installed, just go to your profile page, open dropdown menu and select "Link ethereum address". Follow the instructions and approve the signature request. Done!
Migration
If you need to migrate your connections, repeat the linking procedure with your new account. Then go to "Settings", find the "Experiments" section with "Import follows" and "Move followers" buttons, and upload your previously backed up lists. That's all.
In the future more identity verification methods will be added. For example, a client may generate a private key for you, and let you back it up as a passphrase. This is less secure, because you have to trust the server admin to not steal your private key, but it is much easier than using Minisign. Arguably, the tradeoff is acceptable.
-
A few hours ago,
1e050e7hit the #minisign master branch to switch it to pre-hashing by default. Pre-hashing has previously been available with the-Hoption, and made signing large files much easier.Metadata about this is now added to the trusted comment to prevent conflation between pure and pre-hashed versions. Issue 104 describes how the conflation between ed25519 and ed25519ph could aid in signature forgery.
-
Rust implementation #rsign2 https://docs.rs/crate/rsign2/0.5.7 of #minisign https://jedisct1.github.io/minisign/
There are some UI/UX funnies, but it very nearly does what I want.