mtn & GPG signatures [Was: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL]


From: Lapo Luchini
Subject: mtn & GPG signatures [Was: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL]
Date: Tue, 21 Oct 2008 10:57:31 +0200
User-agent: Thunderbird 2.0.0.17 (X11/20080929)

Brian May wrote:
> Lapo Luchini wrote:
>> 1. GPG-sign your monotone public key: this way people that trust your
>> GPG key know that they can trust your monotone signatures (if they trust
>> monotone itself, that is)
>>   
> You still need some way of being able to tell that the revision was
> signed with the same key that was GPG signed. The keyid in monotone, as
> is, does not tell you this. It is possible to have multiple keys with
> the same keyid, possibly accidentally, or possibly a deliberate attempt
> to breach security.

But I said "sign your public key", not "sign your keyid" ;-)

Signing the key material, not the name, as in:

% mtn pubkey address@hidden|gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[pubkey address@hidden
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC42sZJ3et4gl5Xqnfta3zjyh56satjQ/RN
rYVPBFhvXi0JaCkAQjuvsQDm256bcwbDqg9RQ0yFoh50sX1LXztUuC7/syeMiIOlQV7fon5e
FHRyuY7UJ+IFFkU4v8xbbv4eJ78bwFMN7EC5WATGIViLXcYxbhETQDrV8SMObOJ6LQIDAQAB
[end]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
…
=h1Qw
-----END PGP SIGNATURE-----

There, now you can trust my mtn key as much as you can trust my GPG key.

(yes I know, it's not easy to check it's the *same* mtn key that's in
your DB as "address@hidden" and you received using netsync… and that part
of the UI must be improved to show some unique hash at least when keyids
collide, but in the meantime you can probably simply "mtn read" it and
either it's the same one, or you'll get a warning)

-- 
Lapo Luchini - http://lapo.it/

“Two can keep a secret if one is dead.” (anonymous)
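The step the mail calls hard, checking that the clearsigned `mtn pubkey` dump carries the *same* key material as the one your database holds under that keyid, can be done by hand outside monotone. The script below is an added example, not monotone's code and not part of the thread: it parses the `[pubkey ...] ... [end]` block out of a clearsigned message, decodes the key, walks the DER to confirm it is an rsaEncryption SubjectPublicKeyInfo (the material quoted in the mail is a 1024-bit RSA key), and compares it byte for byte against the key a local database would return for the same keyid. Assumptions: the keyid `alice@example.org` is made up, the "local DB" key is constructed by altering one modulus byte of the quoted key to stand in for the keyid collision Brian describes, the SHA-256 fingerprint is this example's own handle and not a monotone identifier, and `gpg_verified()` needs `gpg` on PATH with the signer's GPG key imported.

```python
"""Check a GPG-clearsigned `mtn pubkey` dump against the key your database
holds under the same keyid.  Added example, not monotone's own code."""
import base64
import hashlib
import re
import subprocess

# Constructed sample of what `mtn pubkey <keyid> | gpg --clearsign` prints.
# The keyid is made up; the key material is the one quoted in the mail; the
# signature lines are omitted, so only gpg_verified() can vouch for them.
CLEARSIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[pubkey alice@example.org]
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC42sZJ3et4gl5Xqnfta3zjyh56satjQ/RN
rYVPBFhvXi0JaCkAQjuvsQDm256bcwbDqg9RQ0yFoh50sX1LXztUuC7/syeMiIOlQV7fon5e
FHRyuY7UJ+IFFkU4v8xbbv4eJ78bwFMN7EC5WATGIViLXcYxbhETQDrV8SMObOJ6LQIDAQAB
[end]
-----BEGIN PGP SIGNATURE-----
(signature lines omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def gpg_verified(text: str) -> bool:
    """Let gpg check the clearsign signature (needs gpg and the signer's GPG key)."""
    r = subprocess.run(["gpg", "--batch", "--verify"], input=text.encode(),
                       capture_output=True)
    return r.returncode == 0


def extract_pubkey(text: str):
    """Return (keyid, DER bytes) from the [pubkey ...] ... [end] block."""
    keyid, b64 = None, []
    for line in text.splitlines():
        if line.startswith("- "):        # undo gpg's dash escaping, if present
            line = line[2:]
        m = re.fullmatch(r"\[pubkey (\S+)\]", line)
        if m:
            keyid, b64 = m.group(1), []
            continue
        if keyid is None:
            continue
        if line == "[end]":
            return keyid, base64.b64decode("".join(b64), validate=True)
        b64.append(line)
    raise ValueError("no complete [pubkey ...] / [end] block")


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next (length & 0x7f) bytes hold it
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_params(der: bytes):
    """Walk a SubjectPublicKeyInfo and return (modulus bits, public exponent)."""
    tag, spki, _ = _tlv(der, 0)
    alg_tag, algid, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(algid, 0)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _tlv(spki, pos)
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _tlv(bitstr, 1)       # skip the unused-bits byte
    _, n, pos = _tlv(rsapub, 0)
    _, e, _ = _tlv(rsapub, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER; this example's own handle for a key, not a monotone identifier."""
    return hashlib.sha256(der).hexdigest()


def same_key(signed_der: bytes, local_der: bytes) -> bool:
    """The check that matters: compare the material itself, because keyids can collide."""
    return signed_der == local_der


# Constructed: what a colliding key in the local DB could look like, i.e. the same
# keyid but one modulus byte different (offset 40 lies inside the modulus above).
SIGNED_KEY = extract_pubkey(CLEARSIGNED)[1]
LOCAL_DB_KEY = bytes(b ^ 1 if i == 40 else b for i, b in enumerate(SIGNED_KEY))


if __name__ == "__main__":
    keyid, der = extract_pubkey(CLEARSIGNED)
    bits, e = rsa_params(der)
    print(f"{keyid}: RSA-{bits}, e={e}, sha256={fingerprint(der)}")
    try:
        print("gpg signature good:", gpg_verified(CLEARSIGNED))
    except FileNotFoundError:
        print("gpg not installed; signature not checked")
    print("matches local DB key:", same_key(der, LOCAL_DB_KEY))
```

In practice you would feed the real clearsigned file to `gpg_verified()` first and only then compare; a good GPG signature over a key that is not the one in your database is exactly the collision case the thread is about, and the byte comparison is what catches it.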
