pull down to refresh

Playing around PGP last night ( yes, late into the game - it takes time to sort things out one by one. ) so here is my understanding of the logic of verifying software:
  1. you import the specific APP's public key from the terminal
  2. download both the software and the signature file (asc)
  3. copy and paste a line of code into the terminal to verify
But how does it work in the background - is it verifying the signature file matches with the public key? and how things be if someone changed the app, the signature then unmatched with the public key? 🤔
Then early this morning, I was playing around with the PGP encrypted message as I want to see how I can take advantage of it; so actually, all you need is someone else's public key, and then you can send them everything, and only the one with the private key can read, which is so cool! ( okay, this is how Nostr works too, but it's leaking metadata ) And then it reminded me that it seems all these so-called encrypted mail providers can only be encrypted within the same providers, however you can solve this problem by using a password in between, but isn't making things more complicated when you can use a simple mail provider but encrypted stuff ourselves? It's like indeed these encrypted mail providers creates convenience, but also it's with limited encryption at the same time?
Now that it's really interesting relearning how to verify things myself instead of depending on a third party. 👀
A long time ago, way before bitcoin, I think in the late 1980s or early 1990s, I was in a PGP message group. There were probably some famous people in there too. I started using PGP for encrypted emails. It worked well and was easy to use, but no one I knew cared about privacy so I didn't use it much. This was either before or around the time the US government tried to ban it.
reply
how do you use PGP now, self-hosting is the way? 👀 I don't use email that much, but curious to see what's the proper way to use it.
I feel these encrypted mail providers take away all the burdens and blend everything with a single password, and then users become "stupid" by default; It feels the same when using custodial wallets without having the burden of safeguarding the seeds yourself, but then how come it's pretty much all "custodial way" in the email case? fascinating.
reply
I don't use it any more. I use protonmail, but you're right. It's easy and I'm ignorant about what goes on beneath the hood.
reply
would it be really cool if email blends with sats one day? 👀
  1. paid to send, no spams.
  2. need private key to decrypt the msg.
  3. all the msg follows the key instead of being stuck in the email provider.
it feels almost the same with DM over LN, only the encrypted message part is missing.
reply
it feels almost the same with DM over LN, only the encrypted message part is missing
It's encrypted, only the receiving node can read it. But on SN, we all share the same node and thus k00b and me could just lookup the decrypted messages in the database.
so the upgraded DMing in SN is you can use the receiver public key to encrypt the message, and only he/she can read it ( but yeah you need to find their public key first, POW! )
why not sending mail directly? well it's more fun sending with sats. 😂
reply
Do you have a link to read about this new DMing? Is it still a LN transaction?
reply
no link to read, I just did a test early today with @ek, all I did is I use his key to encrypted the message and then I send that to him over LN:) ⚡️ really fun!
reply
23 sats \ 8 replies \ @ek 23 Feb
I'm trying to decrypt your message but I am confused and a bit embarrassed lol. It says I don't have the decryption key:
$ gpg --decrypt natalia.asc gpg: encrypted with rsa3072 key, ID 72BBE6ACFD911E48, created 2023-11-23 "ekzyis <ekzyis
It says it was encrypted with rsa3072 key, ID 72BBE6ACFD911E48 but I indeed don't seem to have the decryption key for that:
$ gpg --list-secret-keys --keyid-format long ekzyis
Seems like I used to have a rsa3072 key:
$ gpg --list-keys --keyid-format long ekzyis
And the key that was used for encryption was that one since the ID matches for the encryption key:
sub rsa3072/72BBE6ACFD911E48 2023-11-23 [E] [expires: 2025-11-22]
I guess the rsa4096 key was not used because it is marked as expired in the PGP keyfile that I host here:
$ gpg --show-keys pgp.txt pub rsa3072 2023-11-23 [SC] [expires: 2025-11-22] E13F6708015D2D55082A14F1DEECE3CF8D4D258F uid ekzyis <ekzyis
I think the warning mentions that the message won't be encrypted with that key but only with the rsa3072 key.
The above commands don't show the same expiration date since I manually updated it in the hope I could decrypt and don't have to write this message; mentioning that I wasn't able to decrypt the first PGP message that I received haha.
I uploaded a new PGP keyfile where the rsa4096 key is not expired:
$ gpg --show-keys pgp2.txt pub rsa3072 2023-11-23 [SC] [expires: 2025-11-22] E13F6708015D2D55082A14F1DEECE3CF8D4D258F uid ekzyis <ekzyis
Can you try again @Natalia? I would have loved to read your message! But I will never be able to read the original message now.
Thanks for testing! Didn't know my key expired haha
reply
deleted by author
reply
0 sats \ 6 replies \ @ek 23 Feb
deleted by author
reply
deleted by author
reply
100 sats \ 3 replies \ @ek 23 Feb
-----BEGIN PGP MESSAGE----- hQIMAxB4RYZpBEuvAQ/+O4YIjSXe/qoOHji2+gXIQzU4jDq1st2xKclFt0j20+PG rymw8RsVi7eoDFOYJAqED552DZB5mlI0r8wmWHZV8QgStH/F+6/Fagmou12qtZIY gjMV4LhM0EgievWvKJPBNSKqswGO5DrjRFM4e19MJP8PprLhSrKX7lSXgWQCtDW+ LOFPY61oDhFO/ZMTMX4bOyZvIub9PvXvKFA5STUZsI9TXeS7raAXxT2hKk53GFmf iCq10sPpG32o3MPZzhcNeQ1OTPtmSsBDYhFtJy315TI/agEcZbasj800UDH20m8i g35yA5ifMPCiHlhtFaNwplPPmBb8a6i0XOp7Ml7Z8KwhtlFgdzksPY4lMfKS0w+F LeDXcThzt+rU8SfZCyQ86MjvYUF1nqiy+fDN6Wm19zwnZ2kdB1T2RUF15A1vcpJv CipNGzQJf364z8Jsenq93Di3aAfuokRDwvLyHphZ/V3ZQLFHvdkmRMIrkb04nZfa ISRgw/7FGJA2pqt8JB8SuRKly4U83IomFkNJA3ScgyTJnm33nz/DOJT+dVE/zEGY 0MHLXOEAq6x9kutIfSd/uuUYPnflVl3mhgj0K5xYh1ZLTtmeyUyyl6wlBF2t/asU tfbXDYR52XEwwBpTe1hBJS4gn9lBuHFdKBygke+qwX5m2fmrC0hkQdzvkKeLZBbS wJkB7x+kz/3TYLhF4Neu7XHqgE0BQrWb5NrZrIzJmGFi0P6UU4OCKpT/a8a6b5DV EKhw/rTHJrneTELSCskUX9FGEXqP5UZ6FtSzNJDQaUhRC+j4g3gqwxwVemPD2cfx kO4kkBFN9pQRU4zZ5i03WXvaCUFy9OCngcMiT/bOhTm4dK6JMnsBtY8Y1caH4jhc XPJrT5hzWZBFYYq99l6rJ02oatAlZ2vyvfVEJXGA8507ewFh1K3JbfBDa0gGPxua rUqPS4fQoBANAB+NiipfKA+0TvZyRVJpPd5e+qlGg8UQ1tILwU1k4IdIbJVLFUyZ xDaeA/mldzuSl6J3WIBvYBx7Oc4lGb95tEvN4bVr+bZL3AuHloqB2irjDQNJXdkw Ax+s9DA2n7MWEYVpO5i3wZXZuTfbA4a2ceFODJS4DdReNR+37sSG0VomzibShlXc RfkqnLwfsW4ZE/8= =RAot -----END PGP MESSAGE-----
deleted by author
Software verification with PGP has a terrible UX, and that is what I'm trying to fix with zap.store using nostr
reply
indeed, and the information of each software is in different place, even simple things like the public key of the Devs ( OMG ) which means certain manual work needs to be done, or maybe that's the charm of decentralization instead of depending on Apple or Google to do that for us?
what I'm trying to fix with zap.store using nostr
and how?
reply
480 sats \ 1 reply \ @franzap 24 Feb
You're right!
I wrote about it here: #404908
reply
interesting read - the path of regaining freedom is like saying goodbye to the illusion of security/safety and taking things back into your own hands, from as simple as verifying software to making life decisions.
reply