💾 Archived View for circumlunar.thebackupbox.net › ~epoch › blog › signed-pt captured on 2024-06-20 at 11:50:33. Gemini links have been rewritten to link to archived content


signed plaintext protocols

I put my pgp public key into ~/.plan and wanted to have some way for people to make sure the response of my finger daemon wasn't being fucked with.

I decided that the best way to do that was to clearsign the responses with a separate pgp keypair for my finger daemon, which just pushes the problem to: how do you get my finger daemon's pgp key?

I'm going to ignore that for now. I /was/ just wrapping the finger response program with a script that fed its output to gpg, but then I figured out I was still vulnerable to replay attacks.

So now I include the current date in the signed response. gpg --verify won't check that for you, though, so there's not really an automated way of doing it. By the way, to get a non-DSA signing key out of gpg you have to pass --expert along with --full-gen-key, otherwise you just get the boring key options.
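What the "no automated way" gap looks like when closed is a small client-side check: verify the clearsigned armor with gpg as usual, then pull the `Date:` line out of the text that was actually signed and reject anything outside a freshness window. The script below is an added example, not the finger daemon's own wrapper. It assumes the signer prepends a `Date:` line in ISO 8601 UTC (the blog only says "the current date", so the exact format is an assumption), that the daemon's key has the placeholder user id `finger-daemon`, and that a five-minute window is acceptable; the sample clearsigned message is constructed, with a fake signature block, so the parsing and freshness logic can be exercised without a key.

```python
"""Sign and verify a finger-style plaintext response with gpg, adding the
freshness check that `gpg --verify` alone does not perform.

Added example, not the blog's own script. Assumptions: a signing key with
the user id `finger-daemon` (placeholder) lives in the daemon's keyring,
and the signed body starts with a `Date:` line in ISO 8601 UTC.
"""
import re
import shutil
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)            # assumed replay window
MAX_SKEW = timedelta(seconds=30)          # tolerated clock drift into the future
DATE_RE = re.compile(r"^Date:\s*(\S+)\s*$", re.MULTILINE)

# --- server side -----------------------------------------------------------

def build_payload(body: str, now: datetime) -> str:
    """Prepend the timestamp the signer commits to; this is what gets clearsigned."""
    stamp = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+00:00")
    return f"Date: {stamp}\n\n{body}"

def clearsign(payload: str, local_user: str = "finger-daemon") -> str:
    """Pipe the payload through `gpg --clearsign` (needs gpg and the key present)."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    proc = subprocess.run(["gpg", "--batch", "--clearsign", "--local-user", local_user],
                          input=payload, text=True, capture_output=True, check=True)
    return proc.stdout

# --- client side -----------------------------------------------------------

def extract_signed_text(clearsigned: str) -> str:
    """Return the text gpg actually signed: between the armor headers and the
    signature block, with clearsign dash-escaping ("- ") undone."""
    head, sig = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"
    start, end = clearsigned.find(head), clearsigned.find(sig)
    if start < 0 or end < start:
        raise ValueError("not a clearsigned message")
    inner = clearsigned[start + len(head):end]
    _, _, text = inner.partition("\n\n")          # armor headers end at a blank line
    lines = [l[2:] if l.startswith("- ") else l for l in text.split("\n")]
    return "\n".join(lines).rstrip("\n")

def parse_stamp(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp; a timezone is required so comparisons are unambiguous."""
    d = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if d.tzinfo is None:
        raise ValueError("Date: must carry a timezone offset")
    return d

def parse_date(signed_text: str) -> datetime:
    m = DATE_RE.search(signed_text)
    if not m:
        raise ValueError("signed text carries no Date: line")
    return parse_stamp(m.group(1))

def is_fresh(signed_at: datetime, now: datetime, max_age: timedelta = MAX_AGE) -> bool:
    """Reject responses older than max_age or dated further in the future than MAX_SKEW."""
    age = now - signed_at
    return -MAX_SKEW <= age <= max_age

def gpg_verify(clearsigned: str) -> bool:
    """Cryptographic check only. gpg exits 0 for a good signature even when the key
    is not marked trusted, so key trust remains the reader's decision."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as f:
        f.write(clearsigned)
        path = f.name
    proc = subprocess.run(["gpg", "--batch", "--verify", path], capture_output=True, text=True)
    return proc.returncode == 0

def check_response(clearsigned: str, now=None, run_gpg: bool = True) -> str:
    """Freshness plus signature. Returns the body (text after the Date: header) on success."""
    now = now or datetime.now(timezone.utc)
    signed_text = extract_signed_text(clearsigned)
    if not is_fresh(parse_date(signed_text), now):
        raise ValueError("stale or future-dated response (possible replay)")
    if run_gpg and not gpg_verify(clearsigned):
        raise ValueError("bad signature")
    return signed_text.split("\n\n", 1)[1] if "\n\n" in signed_text else ""

# Constructed sample: the framing is real clearsign output, the signature is fake.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Date: 2024-06-20T11:50:33+00:00

Login: epoch
Plan:
- - constructed sample plan line
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEcGxhY2Vob2xkZXJwbGFjZWhvbGRlcnBsYWNlaG9sZGVyAAAA=
=FAKE
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    # Parsing and freshness only; pass run_gpg=True once a real signature is in hand.
    print(check_response(SAMPLE, now=parse_stamp("2024-06-20T11:52:00+00:00"), run_gpg=False))
```

The window closes the replay hole only for responses older than MAX_AGE; a response captured and replayed within the window still verifies, so the window should be as short as clock drift between the two machines allows. Parsing the date out of `extract_signed_text` rather than the raw armor matters: anything outside the signed region, including armor headers, is unsigned and can be rewritten in transit.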

P.S.

if you get permission denied problems when playing with gpg, make sure that the user that gpg is running as has permission to open the current $(tty). When I was playing as the finger daemon user (after `su finger`) it did that a few times until I remembered to check `ls -l $(tty)` then `chown $(whoami) $(tty)`. You'll want to change it back after you get done with the `su` too.