Hi,

anonym wrote (20 Oct 2014 16:39:34 GMT) :
> I don't get why we install hopenpgp-tools. We don't use it anywhere, the
> tools themselves are quite poorly documented, and it's not obvious that
> they offer any useful functionality that plain ol' gpg doesn't, at least
> the stuff that we expect from users. Well, `hokey --lint` looked pretty
> nice, as did some of `hkt`'s graphing commands, but all this is pretty
> arcane.
Our internal security policy mandates that we follow the OpenPGP Best Practices [1]. I think we should make it easier, both for Tails contributors and other users, to self-check their compliance. In the current state of things, one has to do something non-trivial like commit ab2a4954 to get hokey installed. IMO that's not good enough.

Regarding functionality that GnuPG doesn't offer, indeed there's not much there. But if you look at the "OpenPGP key checks" section in that document, you'll notice that indeed, `hokey lint' does, in one single command, a lot of things that require running several obscure commands if you want to do it with GnuPG, such as that one and a few similar others:

    gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A2 'public key' | grep 'pkey\[0\]:'

hokey lint's output is also, I would argue, way easier to understand and draw conclusions from; colors help.

So, basically, `hokey lint' is IMO the best available tool right now for anyone to do a lot of basic sanity checks on their keys. It's probably still "arcane", but we simply haven't anything better to achieve these goals yet.

[1] https://help.riseup.net/en/security/message-security/openpgp/best-practices

Cheers!
-- 
intrigeri
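As an added example (not code from the thread, Tails or hopenpgp-tools), the kind of checks `hokey lint` bundles can be scripted over `gpg --list-packets` output as produced by the pipeline above; the listing below is a constructed sample modelled on that format, and the 4096-bit RSA, SHA-2 self-signature and expiry checks follow the Best Practices document cited in [1].

```python
import re

# Constructed sample modelled on `gpg --list-packets` output for a minimal
# export (`--export-options export-minimal`) of one primary key; this is not
# a capture from a real key.
SAMPLE = """\
:public key packet:
	version 4, algo 1, created 1386300000, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 0123456789ABCDEF
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1386300000, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 1a 2b
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 21 len 3 (pref-hash-algos: 8 9 10)
"""

PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1: the best-practices document wants SHA-2 here

def lint_key(listing):
    """Return (facts, issues) for one primary key's --list-packets text."""
    facts, issues = {}, []
    for pkt in re.split(r"^(?=:)", listing, flags=re.M):  # one chunk per packet
        if pkt.startswith(":public key packet:"):
            hdr = re.search(r"version (\d+), algo (\d+)", pkt)
            bits = re.search(r"pkey\[0\]: \[(\d+) bits\]", pkt)  # RSA modulus size
            facts["version"] = int(hdr.group(1))
            facts["algo"] = PK_ALGOS.get(int(hdr.group(2)), "unknown")
            facts["bits"] = int(bits.group(1))
            if facts["algo"] == "RSA" and facts["bits"] < 4096:
                issues.append(f"RSA primary key is only {facts['bits']} bits")
        elif pkt.startswith(":signature packet:") and re.search(r"sigclass 0x1[0-3]", pkt):
            # Certification self-signature on a user ID: digest algorithm,
            # preferences and (for v4 keys) the expiration date live here.
            digest = int(re.search(r"digest algo (\d+)", pkt).group(1))
            facts["self_sig_digest"] = HASH_ALGOS.get(digest, str(digest))
            if digest in WEAK_HASHES:
                issues.append(f"self-signature made with {facts['self_sig_digest']}")
            prefs = re.search(r"pref-hash-algos: ([\d ]+)\)", pkt)
            if prefs and int(prefs.group(1).split()[0]) in WEAK_HASHES:
                issues.append("preferred hash list starts with a weak digest")
            facts["has_expiry"] = "subpkt 9 len" in pkt  # key expiration time subpacket
            if not facts["has_expiry"]:
                issues.append("no expiration date set on primary key")
    return facts, issues
```

Feeding it real output means piping the `--list-packets` text into `lint_key`; the sample above deliberately trips the SHA-1 and missing-expiry checks while passing the key-size one.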
