mikedilger / gossip

Gossip is a nostr client
Other
627 stars 74 forks

Key to verify signature file? #228

Open vicariousdrama opened 1 year ago

vicariousdrama commented 1 year ago

In the zip file for recent release you've added the SHA256SUM and signature file. Where I can get your public key to verify that?

I tried checking keys.openpgp.org for your email and the fingerprint of the key used. Also tried the 2018 PGP key on your site https://mikedilger.com/mikedilger.pgp.txt (screenshot).

mikedilger commented 1 year ago

I know. I'm rather disappointed. Back in 2018 I crafted a highly secure PGP key set with sub keys, hardware tokens, a separate computer, the works. I never really used it. Now that I have occasion to use it, I can't even verify my own signature!

I posted the SHA256SUMS.txt file on nostr signed by my nostr key, which you probably already know and trust. So check that and proceed as you will.

mikedilger commented 1 year ago

PGP was a great idea, but it grew into a great big complex mess that nobody understands or can use properly anymore. I think it needs to be scrapped and replaced with something else.

mikedilger commented 1 year ago

The key I thought I signed it with is here: https://mikedilger.com/mikedilger.pgp.txt

If you can figure out how to verify the sig with that key (some signing subkey thereof), please help me. I'm already considering it a lost cause.

vicariousdrama commented 1 year ago

I tried that PGP from your site first and that's what failed me. Using Kleopatra, the subkeys I see for that PGP are as follows (screenshot). None of these fingerprints seem to match.

It seems it may have been signed with another key. Do you see that fingerprint if you do a gpg --list-keys? For example: gpg --list-keys | grep 26BDD242A3BB2C1525CE07C346293A2BCBD2620B

mikedilger commented 1 year ago

No I don't see that key. I wonder why gpg signed it with a different key. I will have to do some experiments later.

vicariousdrama commented 1 year ago

Verifying based on nostr post is kind of a chicken/egg problem, as people can't get to see the post without a client configured with relays and following your pubkey.

I made a simple tool in golang called nostrcheck to be able to verify that the signature of the post you made on nostr was valid after discovering other nostr clients have not been doing verification in the past. The JSON of your post is one of the sample input files, but it will also accept passing in JSON as an argument.

mikedilger commented 1 year ago

I'm cool with that.

Maybe I should just publish a nostr event .json file along with my packages instead of a PGP signature from a PGP key people don't recognize.