keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Unable to prove I have the private key #1073

Open Morthawt opened 9 years ago

Morthawt commented 9 years ago

I am a windows user and I will never, ever, upload my private key to a system even if it says it will encrypt it on my end first. My private key will never have anything to do with a web browser, nor will I type my password in anything other than a GnuPG password box. So the remaining two options are useless to me. I tried to install ubuntu in a vmware but the new interface is terrible and I could not find anything even a terminal.

To have someone prove that they own the private key all you need to do is generate a random long string, add it to the fingerprint of the person's public key they uploaded and ask them to digitally sign this text, then paste the result in the box provided, at which point the backend system checks and verifies that the person's public key is able to verify the text and that the text that was signed was the text requested to be signed by the system.

So, even though I was invited to test this, I am unable to even test any functionality until I can verify that I have the private key. I highly recommend this be done as soon as possible because not everyone is a linux god who breathes linux every day or is willing to upload their private key online.

malgorithms commented 9 years ago

There are a number of things in the signed statement which are not random. For example, a reference to your previous signature, the state of the site's merkle tree, and so on. So building this statement is a bit more work than you suggest. A goal of the signature isn't just to prove you own the private key, but also to chain such announcements together to avoid the server lying by omission, and other niceties. (See our docs for more info on all this.)

Still, you should be able to do it on any system where you can install curl, perl, bash, and gpg. All of those are available for windows. If you don't want to use any software we wrote, that's your solution. Use them!

Whatever it is you want to do:

  1. go to the web site
  2. start the process
  3. choose the last option (example screenshot attached)

image

It will then give you a command something like the following. Note that it uses that software mentioned, and you'll never expose your private key to either your browser or any software written by keybase staff.

image

Of course we're not in control of any of that software, so in some respects you are on your own. As the extremely rare windows user who wants the hardest-core mode of security, you are a bit on your own configuring GPG, bash, etc. You can also rewrite any of the steps in that example command to cut out the perl, curl, etc., and/or do it all by hand.
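The chaining described in the comment above, sketched as an added example (not Keybase's code or its statement format): each statement to be signed names the hash of the previous one, so a reader who is handed a list with a statement left out can detect the gap. The field names, the JSON layout and the sample values are assumptions; the PGP signature over each statement is made and verified outside this block.

```python
import hashlib
import json
import secrets

FPR = "A" * 40  # constructed fingerprint, not a real key

def link_hash(stmt):
    """SHA-256 over a canonical JSON encoding of one statement."""
    data = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def build_statement(fingerprint, prev_stmt, merkle_root, body):
    """Text the user signs locally; only 'nonce' is random."""
    return {
        "fingerprint": fingerprint,
        "seqno": 1 if prev_stmt is None else prev_stmt["seqno"] + 1,
        "prev": None if prev_stmt is None else link_hash(prev_stmt),
        "merkle_root": merkle_root,  # site state when the statement was made
        "nonce": secrets.token_hex(16),
        "body": body,
    }

def check_chain(fingerprint, chain):
    """Walk a chain whose signatures were already verified; return (ok, reason)."""
    prev = None
    for i, stmt in enumerate(chain, start=1):
        if stmt["fingerprint"] != fingerprint:
            return False, f"link {i}: wrong key fingerprint"
        if stmt["seqno"] != i:
            return False, f"link {i}: seqno {stmt['seqno']} out of order"
        if stmt["prev"] != (link_hash(prev) if prev else None):
            return False, f"link {i}: prev hash mismatch"
        prev = stmt
    return True, "chain complete"

def demo():
    s1 = build_statement(FPR, None, "root-1", "I own this key")
    s2 = build_statement(FPR, s1, "root-2", "prove twitter")
    s3 = build_statement(FPR, s2, "root-3", "revoke twitter")
    full = check_chain(FPR, [s1, s2, s3])
    hidden = check_chain(FPR, [s1, s3])  # server omits s2
    # Renumbering s3 to hide the gap still fails (and would break its signature).
    forged = check_chain(FPR, [s1, dict(s3, seqno=2)])
    return full, hidden, forged

if __name__ == "__main__":
    for result in demo():
        print(result)
```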

Morthawt commented 9 years ago

Well I can forgive the lackings so far because it is alpha level in development. But there has to be something easier that can be done that does not require handing over the private key or performing brain surgery with various CLI programs.

Morthawt commented 9 years ago

I just tried running this from a copy of lubuntu and I made sure I installed curl. I tried to run it and it complained twice about /r not being a valid command or something and then asked for my password for the private key. I typed it and it sat there forever and did nothing. Also by the time I managed to get my key and that long command into the vm the proof screen timed out. This is useless. I hope you make this easier to use else the only people who will be able to use this are linux gurus or gullible people who will upload their public key to a website that tells them it's safe to do it. It does not matter if THIS site treats your key perfectly securely, anyone who would do that based on a web page telling them it is safe will be the same people who get infected with bots and have their paypal accounts hacked because of their ignorance.

Please reply on here when there is a fix and at that time I will give this another attempt, but for now it is useless without handing your private key over which nobody should ever do under any circumstances.

zQueal commented 9 years ago

> but the new interface is terrible and I could not find anything even a terminal.

Why not try Ubuntu Server? No GUI, all command line. Seems a bit extreme to run a 600mb OS in a VM just to use Keybase, but that's just me I guess.

Morthawt commented 9 years ago

Because it is one I have already up and running. I am not a linux guy. I know just enough to get me by. I give up. I have no doubt they will improve the user experience in time, but in the alpha it's useless unless you are either a linux god or one of the millions of gullible people who get themselves hacked and compromised because a site says something is safe to do. Perhaps later in the alpha or in the beta it will have a better option for people.

ghost commented 9 years ago

If you are unwilling to use command line tools which remove the difficulty of using complex command chains and which are open source and relatively small by source size because of trust issues, why would you use the bloated gnupg where checking the code for malicious parts is way more difficult?

zQueal commented 9 years ago

> but in the alpha it's useless unless you are either a linux god or one of the millions of gullible people who get themselves hacked and compromised because a site says something is safe to do

I really can't disagree with this statement more. Ubuntu server, and Ubuntu desktop have a very simplistic setup process that even my 8 year old niece was able to accomplish by herself without any guidance. I simply can't be persuaded that the setup and configuration of Ubuntu is difficult.

Additionally, no one is twisting your arm here. You have many options, but it seems that you empirically distrust Keybase--which is good practice. However, if you distrust Keybase so much then why use it at all? In its most basic essence it's simply a wrapper for gpg with a bunch of other tools to help you use PGP effectively. Keybase suggests that you upload your private key only if you are terrible with the command line (or have zero experience at all) to make it convenient for the technologically challenged among us to be able to use PGP, again, effectively. If that's not you, or you can easily use the command line then simply don't upload your private key. Simple as that.

Personally, I find it a bit funny that instead of simply creating a new key to identify yourself on Keybase (so your actual key stays safe), you'd rather bash Keybase--while it's in public alpha--which is genuinely trying to do some good here.

Lastly, installing nodejs, npm, and keybase is super simple on Debian distributions:

zqueal@dev ~# curl -sL https://deb.nodesource.com/setup | sudo bash -
zqueal@dev ~# sudo apt-get install nodejs build-essential -y
zqueal@dev ~# npm install -g keybase-installer

That's it. Three commands, four if you don't already have curl (sudo apt-get install curl). For my own satisfaction I loaded up a blank Ubuntu Server (14.04) VM and:

Welcome to keybase.io!

You have successfully installed the command-line client to

====>    /usr/bin/keybase    <=======

Please make sure /usr/bin is in your PATH.

and logged in just fine:

zqueal@dev ~# keybase status
{
  "status": {
    "configured": true,
    "logged_in": true
  },
  "user": {
    "name": "zqueal",
    "key": {
      "key_id": "B1DA56DCB73E8516",
      "fingerprint": "7B5A C030 0E2C 74FD 355C CC81 B1DA 56DC B73E 8516"
    },
    "proofs": {
      "twitter": "zqueal",
      "github": "xanza",
      "coinbase": "zqueal",
      "hackernews": "Xanza"
    },
    "cryptocurrency": {
      "bitcoin": "1NWfuMkYyUKJ6QCsk9fQcaNEtqC1AtjnSD"
    }
  }
}

Works perfect and took about 4 minutes start to finish.

jstorrs commented 9 years ago

I don't understand what's so complex about:

  1. Download and inspect this text file
  2. Go do your thing with whatever PGP client you have, return with an ascii-armored signature
  3. Paste signature here
  4. Validate

It's not rocket surgery and not everyone in the world wants to setup/install/trust webdev magic tools that do god knows what on their boxes.

Morthawt commented 9 years ago

What? What text file? I see 3 options "in the browser" which I cannot do because I will not nor ever upload my private key or type my password in anything but a local program, "commandline with keybase" I do not have that. I am a windows guy, "command line with [bash + GPG + cURL]" Again I am a windows guy and when I even attempted to do this it failed.

Nowhere is there any mention of downloading a file or pasting a signature anywhere. Where do you get to that? That is exactly what I said should be done. How do I do that?

jstorrs commented 9 years ago

@Morthawt I agree with you completely. My comment was intended as a reply to @Xanza's and @dtiersch's ridiculous comments.

Morthawt commented 9 years ago

I was so dissatisfied I unwatched this thinking I would not get emails about it but I received an email with your response and I thought maybe they added that feature. I guess not. I only hope they resolve this because 99.9% of users will never be able to pull this off unless they gullibly hand over their private key on the promise that the key gets encrypted first. Who knows how well the private key encryption protection is implemented, what possible negative effects could happen typing the password into a web based service. It is bad practice. I can forgive this since it is in alpha but not the unwillingness to consider this point of view and pretty much bash me saying I am trying to bash this when they are trying to do good. My whole point is I love the idea of this and have been looking for validated keyservers that you can be sure the key you get is the actual person's key and not a fake, but you cannot expect people to be a linux expert to pull this off or expect people to hand over their private key. That is seriously bad practice and is not helping users to become safe, savvy and competent computer users by telling them to hand over their private key and that it's ok because you do something to make it ok...

A private key can be a crucially important thing. If you lose control over it you can have serious issues when something is done and signed with your key and then trying to defend you did not do it, not to mention the fact of important communications being able to be decrypted by an attacker who obtains it with the password thanks to some hacker who compromises this site and implants javascript or some other thing to steal the details. This service should only concern itself with dealing with public keys and signing/verifying, not asking users for their private key.

I love the idea of this service, but you need to consider this point of view instead of just shutting the idea down, else you will do nothing but alienate savvy users who cannot do the linux/strange convoluted method and will encourage users to trust websites with their private key if they say they do something to make it safe for them.

I have now set it to watching again so I can see if anything positive becomes of this now that I see a positive response.

jokeyrhyme commented 9 years ago

You can audit the CLI yourself to confirm that the private key is encrypted prior to transmission. Isn't this the best of both worlds: convenience and auditability?

Morthawt commented 9 years ago

Okay, so I am on windows and I want to verify my key without uploading the private key anywhere under any circumstances. How do I do that? The easy way would be to provide the public key (which I did) then give me a text file to sign and then upload the signed file or if it created a detached signature it would already have the original file to complete the verification. If the signature is valid then the ownership of the key has been verified. But all I see is linux commandline software or the need to have your private key interacting with a web page and apparently uploaded to keybase in an "encrypted" form. As I have said that last option is not acceptable and nobody should ever do that just because the website itself says it is safe. I am not a linux guru. I attempted to get it to work and failed. So while this is in alpha that is fine, but it cannot be this difficult or require a gullible person to upload their private key in the beta/final release else the only people who will use it are linux experts or gullible users who would hand their private key over to any site that puts up a flashy message saying how it is safe to do so.

That is how I and the other person feel. It should be a simple process to just prove you have the private key.

Another method could be to sign keybase's public key and then export the public key after signing and upload it back to keybase at which point it verifies that their key was signed by the public key supplied by the user. It has to be made easy for people to do safely without requiring more software and knowledge in addition to the software and knowledge to make use of pgp/gnupg.

pathawks commented 9 years ago

> I am not a linux guru.

Yes, you may have mentioned that.

You seem to be very angry, but it is difficult to understand what the problem is. You can use the tools that Keybase provides, or you can use your own tools. You seem to be looking for a third option.