Have `keybase prove` optionally provide instructions

[nxg]

[I'd be surprised if this isn't already an issue, but I can't find it under any search terms I can think of]

The command keybase prove web example.org requests the passphrase for a secret key, presumably in order to produce the bit of text which is to be made available at example.org/.well-known/keybase.txt. However I'm averse to putting in my passphrase there – can I do it by hand instead?

The point, of course, is that I'm obliged in principle to suspect the keybase application of all sorts of malevolence, and that it's actually about to steal my secret key and passphrase and upload them to the keybase underground lair (the one inside the volcano, with the persian cats and piranhas and stuff). Instead, I want to do the signing by hand, with instructions that keybase provides. The keybase developers have suggested (in for example issue #794) that 'An identity proof [...] can both be generated in GPG with commands we show people how to write.'

So the issue is:

• are such instructions available anywhere (I can't find them, so the issue may just be one of making these more visible); or alternatively
• would it be possible to have keybase prove emit such instructions.

For the latter, I can imagine a mode

% keybase prove --instructions web example.org

which simply emits a proof text and says 'sign this, using gpg ..., and put it at XXX', and analogously for the other proof methods.

[nxg]

By the way, I appreciate that the keybase program is running on my local machine, and understand/believe that it's using the local gpg binary, so 'all I need to do' is to audit the code and then never update it.

I'm not paranoid enough to work through the code, nor indeed to scrupulously run gpg only on an offline machine (nor check the gpg binary's signature every time I use it, nor... etc). But I am paranoid^Wcareful enough to want to be reasonably sure just which program I'm putting my passphrase in to, where that's feasible (which it appears to be in this case).

And it's the principle of the thing.

[nxg]

Aha! Just out of curiosity, I tried doing this via the web UI, and that gives instructions of exactly the type I was suggesting.

Therefore, can I instead suggest the enhancement that keybase prove is also able to generate such a set of instructions, for example with an --instructions option.

As a UI/presentation point, the (clearly faulty) impression I've formed from the website is that any or most of the interactions via the web UI require uploading a private key, so I'd presumed that essentially all of my interactions with the service would be through the command-line. This, I expect, is why I didn't even experiment with the nice friendly links on my profile page. Which is my bad, I'm sure.

[torinthiel]

Except the web UI gives instructions for when adding e.g. a new ID proof.

It would be nice if it would also give instructions for manual verification. It sort of gives them (by listing steps etc), but I'd also like (optionally) something like a more formal transcript of what the CLI does when verifying.