tmsr - Search: from:mirc from:ascii gpg

mircea_popescu: The GPG we inherited fucks clearsigned text blocks inside a larger text block being clearsigned as it is clearsigned for reasons that appear to be related to retardation. << well theoretically it's related to in-band signalling, but practically it was too hard to have a proper parser, take CLOSING signature as the signature, had to have 1step parser which "does not know what to do" if it encounters five dashes mid-documen

mircea_popescu: "latest and greatest" asdf is exactly like all the other gpg 2.0 - gcc 19.firefox & assorted thunderbirds. and François-René Rideau aka fare is still that infantile dumbass.

mircea_popescu: so koch-gpg is, out of the box, worse than useless for archival : tar / zip / etc as they exist on unix-likes are fucked in the head enough such that if there's a byte error, either the remainder of the archive or the bytes past that one in the list are lost ; but this can be mitigated at least by having multiple copies. gpg however, multiple copies are equally useless, if none make it intact the contents is lost, because

mircea_popescu: in other "lulz", in the sense that koch & co are so fucking evil it boggles the mind : gpg has an ascii armored mode, which however contains no error recovery.

mircea_popescu: eventually that could evolve into detaCHED signature. have tmsr-gpg issue a one-line base-whatever tmsr standard detached sig for text.

mircea_popescu: da fuck's next, mod6 's patented "let's pass a gpg'd tarball back and forth" ?

asciilifeform: mp_en_viaje: plox to gpg ssh key you want to use (or otherwise i'ma gen random pw and gpg to mp_en_viaje , and he can put in at leisure )

asciilifeform: diana_coman: atm plan is to properly handle all evacuations ( data, afaik, evacuated, BingoBoingo uploaded gpg'd backups, yours is afaik done but BingoBoingo forgot to send me login to fetch it before went to sleep ) ; after this, publication of cost for evacuations of irons ; after this , auctions of jettisoned irons, liquidation ; then to pay mp_en_viaje , he is owed ; then BingoBoingo returns output re cost of action vs latech ; t

asciilifeform: mod6: lemme know if you want that box of yours housed here, i'ma gpg the postage addr.

asciilifeform: aite, let's ask BingoBoingo to dd if=/dev/thatstick | gzip > diana_coman.img.gz and then gpg to asciilifeform . i'ma modify it strictly as required to sit down on new ip and naught else.

asciilifeform: diana_coman: if you'd like an exact image copy of your old rk, we can work with BingoBoingo , could gpg . otherwise will be 'virginal' as described in my 'gentoo for rk' cookbook.

asciilifeform: vtron imho also oughta go in. and gpg 1.4.10 .

asciilifeform: mp_en_viaje: if you told me he's the man who got o. j. simpson to walk from electric chair, i'd also believe. but gpg -- he had 0 idea about.

asciilifeform: http://logs.ericbenevides.com/log/trilema/2019-10-09#1943177 << the 'master attourney' who mp billed as 'will use gpg' but never heard of any such thing ? him ? yes i'ma pay what mp billed for this 'service' .

asciilifeform: aha ha. then trinque plox to gpg re where it wants to live.

asciilifeform: BingoBoingo: seems like the FGs will be going here, plox to obtain a suitable crate, i'ma gpg addr later today

asciilifeform: with the modest ram, not a rk competitor, but potentially useful for other applications ( has 3 serial ports, so can eat FG ) ; runs 'pogo'-style linux, so can stuff even classic gpg in ; can have nic plug attached, so potentially even host small net proggies ; pulls coupla milliwatt, so could work in radio relays or similar.

asciilifeform: i'm even surprised that gpg ate this

asciilifeform: (i.e. whatever one might plug 'battery gpg' into, could trivially extract privkey via timing side channel)

asciilifeform: diana_coman: whole story of how asciilifeform ended up with peh , if you recall, at one pt asciilifeform wanted to bake a battery-powered 'gpg replacement'. then went and saw what gpg actually consisted of, and found that not only koch liquishit, but broken on ~algo~ level

asciilifeform: as in, it gets auth turd from deedbot and you manually fed it to gpg ??

asciilifeform: (same thing we're doing to gpg's rfc2440 etc)

asciilifeform: ( 'build in' would require explicitly calling the keyboard, also, a la gpg, rather than 'pw from stdin', tape is already coming from stdin )

asciilifeform: e.g alternative of asciilifeform's 'here is my hash of mp's gpg-1.4.10' thing is fundamentally sinful , cuz not in fact vtronically contiguous w/ original

mircea_popescu: and since i've been stuck doing a shitload of these by [slave]hand : the gpg format is fucking TERRIBLE, the small/caps duality is sheer idiocy (90+% of all errors and general slowdown on top of it because of shift) ;

asciilifeform: http://btcbase.org/log/2019-06-22#1919166 << trinque sweated out a draft cuntoo, which sadly i have not had chance to test in anger. i have a physical box that is destined for it , when get chance, and also will be porting it to the sim-mips, ditto. but i promised to mircea_popescu not to undertake any elaborate works until ffa suitable for 'discard gpg' and extension to other (gossipd, trbi, what else is waiting on it) paths ☝︎

asciilifeform: ftr anyone who thinks 'i'ma use other people's tapes blindly' is gearing up for world of pain. peh is less an object like gpg and moar like surface-to-air rocket, reqs some basic grasp of what yer doing

asciilifeform: mp_en_viaje: re gpg, seems like he reimplemented the mechanism in orig v

asciilifeform: cat yer_otp.txt | gpg --decrypt ?

mircea_popescu: and incidentally, trinque 's otp way the fuck smarter than gpg's ascii armor format, slavegirl reports. degree of magnitude faster wetware diode if one needn't handle the shift.

asciilifeform: http://btcbase.org/log/2019-04-07#1907304 << i formerly thought that this was obvious from the docs , but you ~can~ operate on vpatches without a vtron ( they're edible by trad. unix 'patch' util, and you can verify the sigs with anyffin roughly gpg-like , also by hand ) ☝︎☝︎☟︎

asciilifeform: http://btcbase.org/log/2019-03-30#1906193 << interestingly, at 139.2 kloc , still 1 of the heaviest proggies in civilized use; vs, e.g., trb ( http://btcbase.org/log/2018-11-29#1876053 ) ; but lighter than koch gpg ( if minus autoconf, http://btcbase.org/log/2017-07-08#1680705 ) or linux kern. ☝︎☝︎☝︎

mircea_popescu: i dun see the problem, so it takers a minute. current gpg takes as much, and ssh which doesn't is sucja cryptojoke as to not be worth the mention.

asciilifeform: hanbot: if you're concerned re mitm, ask BingoBoingo to log in via console and gpg you the current hostkey to

asciilifeform: mircea_popescu: all of this being said, currently on target for end of apr. for usable gpg replacement.

asciilifeform: ( ftr linus is pretty lulzy example of 'uses gpg' -- erry single time signed MB-weighing ball of ??? that in no conceivable way he could have read or fit in head )

mircea_popescu: "He said that they have also contacted the GNU Arch maintainer about adding GPG signing. Though it may take some time to develop, the addition of GPG signing to commits would be a welcome feature. " << see, because we http://btcbase.org/log/2018-01-24#1775402 over his failure to bring gribble up to spec. ☝︎

mircea_popescu: "To that end, the compromise may actually be a good thing in the long run. Kuhn said that they have contacted the CVS maintainers and have offered to pay for development of features that would allow GPG signing of commits through CVS -- making it much more difficult for changes to be inserted unnoticed into code held in a CVS repository." << guess how far this made it, 15 years later.

asciilifeform: may take some time to develop, the addition of GPG signing to commits would be a welcome feature.' << afaik to this very day no such thing in opensoresdom (outside of linus's releases)

asciilifeform: 'To that end, the compromise may actually be a good thing in the long run. Kuhn said that they have contacted the CVS maintainers and have offered to pay for development of features that would allow GPG signing of commits through CVS -- making it much more difficult for changes to be inserted unnoticed into code held in a CVS repository. He said that they have also contacted the GNU Arch maintainer about adding GPG signing. Though it

asciilifeform: hanbot: it is also possible to bootstrap any vtron using naked gpg, ancient gnupatch, and bare teeth ( manually check sig and patch -p0 < foo.patch, for ea. )

mircea_popescu: pretty sure it was triggered by discussion of gpg "security" features, other-windows-can-read-keystrokes, how and wherefore idiots ended up stuffing everything in the top context and it's not really x's fault and so on.

asciilifeform: btw does mircea_popescu have a apache tarball to sign ('as found') and share for cuntoo etc, a la gpg-1.4 ?

asciilifeform: it is difficult to dispell even the most outrageous lulhypothesis re koch-gpg. sorta what makes it 'speshul', what, 40MB of ???.

asciilifeform: ( not even to mention the fact that -- rare, for a kochism -- the problem dun even exist in stock gpg, which defaulted to 2 subkeys, 1 for sigs and 1 for encipherments )

mircea_popescu: (the view that gpg aka koch-rsa leaks bits via signature isn't entirely dispelled even today)

asciilifeform: the 1 with the gpg fp

asciilifeform: mircea_popescu: correct. the item that needs padtron, is mircea_popescu's specced 'fuckng replace gpg already' ; and possibly also koch-free euloratrons.

asciilifeform: classical gpg (base64) is a 400% neh

mircea_popescu: you "shit-item-5 ; shit-item-6 ; shit-item-7" > tar > gpg -aer pubkey > joe.ftp.server

asciilifeform: ( of much moar, in fact, than $file-length, cuz gpg is retarded )

asciilifeform: i have a half-written bot that takes a deedbot-style gpg wot decrypt and puts out a single-use emulated ftp login thing. but it is not alive, because gnarly in practice ( if single-shot, resumes dunwork; and no crypto, and prolly this is solvable but i dun have currently the time budget for massaging it )

asciilifeform: the copy on my www ( and later cleaned further by diana_coman ) is from gpg 1.4.10 ( itself from signed tar that mircea_popescu dug in in '14 )

asciilifeform: gpg itself is substantially moar crippled than koch's mpi lib

asciilifeform: mircea_popescu: this is tru re gpg per se

asciilifeform: mircea_popescu: to summarize : if phf decides to Do Right Thing and gpg to asciilifeform the goods, then i'ma eat'em and whatever public output will not reveal his informant.

asciilifeform: i proposed gpg of raw material to asciilifeform .

asciilifeform: ( gpg dun look at file names for anyffing )

mircea_popescu: nicoleci, how about you write a "how to gpg on windows" page and put it on eulorum.com

mircea_popescu: hanbot hey, where's the "gpg guide for windows tards" ? i thought we had this on eulora wiki somewhere but drawing blanks. ☟︎

asciilifeform: and that gpg1/2ism has 0 to do with the eggog ( i removed the custom gpg invocation line to 0 effect )

asciilifeform: http://btcbase.org/log/2018-11-13#1871703 << also neato, i expect this'll come in handy when we start extracting moduli / migrating off gpg ☝︎

asciilifeform: mircea_popescu: stallman has plenty to answer for, but i dunno what he has to do specifically with koch's gpg

asciilifeform: i can't think of anyffing to do but a) make flensed version of phf's that actually worx here, i have NO intention of breaking my legacy toolchain in which i still have 90000 unconverted private patches or b) bake an e.g. if gpg.__version__ = phf : ... else .... thing

asciilifeform went to strace to find what gpg binary it actually invokes, and oddly enuff no mentions of EITHER in strace output...

asciilifeform: it always baked a tmp to satisfy gpg's keyring idjicy and nuked it after

asciilifeform: ( on , afaik, all known kochian gpg )

asciilifeform: ( alternatively, does anybody know how to control the gpg binary that python-gnupg sees ? )

asciilifeform: i dun have any cuntoo boxes here yet. all of my dev machines run vintage gentoo, where the gpg that python-gnupg sees is gpg2 (cuz idjit portage pulled it in, long ago). asciilifeform's actual pgp-ing happens on diff machine, naturally, with 1.4.10 . but apparently phf's hack for subkeyism breaks the thing in this combo.

mircea_popescu: asciilifeform you can define hooks for replacement. i suspect this might be a theme thing. mine replaces gpg code with fixed format... apparently her theme replaces :)

asciilifeform: mod6: recall when i went on similarly fruitless expedition into kock.gpg guts, heh

asciilifeform: mircea_popescu: happens to be exactly what i set out to; on top of that, even got a gpg extractor (currently in py, but slated for adaization) , precisely for same ☟︎

mircea_popescu: ideally also has compatibility layer, which allows it to import gpg 2.0 and 1.4 style keys (and converts them to republican format), verify gpg 2.0 and 1.4 sigs and decrypt gpg 2.0 and 1.4 messages (but not encrypt to them).

mircea_popescu: asciilifeform speaking of "taking suggestions" : suppose you bake me a proper drop-in gpg replacement. in ada, constant time, does FG-aware keygen, signing, verification, and encryption/decription. 100% rsa, none of the "cipher" bs as per current. ☟︎

asciilifeform: esp. in re routines not used in ye olde gpg, or used with various constraints

asciilifeform: anybody who wants to be in this list, plox to gpg #.

asciilifeform: mircea_popescu: i'ma gpg you the login to the stats page later today

asciilifeform: gpg --import behaves like this.

asciilifeform: tho it could be artifact of gpg on trinque end, depending on how he keeps these ( if you use the built-in 'import' mechanism, it never throws out cruft )

asciilifeform: confirmed that gpg still thinks 'expired' after eating

asciilifeform: file names are covered by the gpg seal of given patch, tho, so it isn't as if people can get away with blindly renaming items in a patch. so if taking all of mircea_popescu's algo but the hashed-names part, you have a usable algo.

asciilifeform: mircea_popescu: if he's stuck to the old gnudiff format, which per my test appears to be the case, names aint hashed at all ( they're covered by the gpg sig of given patch, but that's it )

asciilifeform: diana_coman: i suspect idea was 'make him manually gpg --verify ... and then press by hand-gnupatch a la pre-v trb, better than signed tar'. but i'ma let phf clarify.

asciilifeform: ( will move when finally kerosene poured on gpg )

asciilifeform: mircea_popescu: birth of trb was 100% powered by 'muscle-powered v' of gpg-signed patches, recall.

asciilifeform: ( recall, we had gpg-signed patches with 0 robotics for yr+ )

asciilifeform: gpg doesn't sign names.

asciilifeform: http://php.net/manual/en/function.gnupg-init.php << to gpg

asciilifeform: loox like callout to gpg

asciilifeform: pretty sure nobody has any other gpg eater than callout to koch

mircea_popescu: 1 gets around the limit on urlencoded puts ; 2 gets around the issues gpg has with command line.

mircea_popescu: http://btcbase.org/log/2018-08-18#1842694 << i'd like to expand on this. 1) to dump a file, the better format is curl -Ls -o /dev/null -w %{url_effective} -X POST -F "pastebox=@file.asc" http://p.bvulpes.com -w %{url_effective} ; 2. to dump a pipe/process, the better format is eg item=`cat ~/.ssh/id_rsa.pub | gpg --yes --no-tty --trust-model always -aer mod6`; echo $(curl -Ls -o /dev/null -w %{url_effective} -X POST -F "paste ☝︎

mircea_popescu: nicoleci when it's done curl http://wot.deedbot.org/027A8D7C0FB8A16643720F40721705A8B71EADAF.asc | gpg --import ; and then item=`cat ~/.ssh/id_rsa`; echo $(curl -Ls -o /dev/null -w %{url_effective} -X POST -F "pastebox=$item" http://wotpaste.cascadianhacker.com -w %{url_effective}) ; it'll spit out a pastebin url, say mod6 <url> when it does.