hpr-knowledge-base/hpr_transcripts/hpr3756.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00


Episode: 3756
Title: HPR3756: Verify yourself on Mastodon with PGP and Keyoxide
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3756/hpr3756.mp3
Transcribed: 2025-10-25 05:01:05
---
This is Hacker Public Radio Episode 3756 from Monday the 26th of December 2022.
Today's show is entitled, Verify Yourself on Mastodon with PGP and Keyoxide.
It is hosted by Klaatu and is about 32 minutes long, it carries a clean flag.
The summary is: Verify your Mastodon account using GnuPG and Keyoxide.org.
Hi everybody, this is Klaatu and wow is Mastodon popular all of a sudden.
I want to talk about getting verified, there are air quotes around Verified on Mastodon.
This is a kind of a big topic because as people look at Mastodon as a potential platform
for their micro blogging needs, they apparently want to make sure that they are the only one
of them on that platform, which if you think about it is kind of funny.
As often as there are emails, email addresses, I mean as easy as it is to get an email address
under anybody's name, it seems to me like people would not be that scared of a thing
that didn't have complete certainty that you were the only one of you on the platform.
There's potential for tricking people into thinking that I am someone else online,
a plenty, it's not something that's unique to Mastodon and quite obviously it wasn't unheard of
on what people are going to Mastodon to get away from, which is of course Twitter.
But I guess Twitter had a system by which someone somewhere would award you a blue circle
with a white checkmark in it as long as you could convince them that you were who you said you were.
If you got the blue circle with a white checkmark, then everyone on the internet had to agree
under legal obligation that you were, that account was really you and of course that obviously
doesn't truly check out. That's not a system of verification. That is a system of claiming
an identification. There's no guarantee ever that the person on the other side of the computer
that you are reading the tweets from was the physical DNA specimen that you believe that it was.
But people seem to have a lot of confidence in that blue circle with a white checkmark in it.
And so they want to see something similar on Mastodon. Mastodon does not have a blue circle
with a white checkmark or rather it does if you want to add it to your profile name.
You can find an emoji of that symbol and type it into your profile name and then you suddenly
have a blue circle with a white checkmark in it. But Mastodon does in your profile award green
checkmarks. Well, I say Mastodon. Mastodon doesn't really do anything. It's just a platform.
You are able to give yourself a green checkmark. How do you do that? Well, the easy way
is to go into your profile, go to edit your profile, scroll down through the different
preferences until you find something called verification. Under verification, there is a link.
It's just a normal a href. So it's an HTML tag that takes you, that points actually back to Mastodon.
It's a link to your profile. The significant thing about it, though, is that it has a special
attribute called rel, R-E-L, equals quote, me, close quote. So left angle bracket, A, space,
href equals quote, in my case, HTTPS, colon slash slash Mastodon.xyz slash at symbol klaatu,
close quote, space, rel equals quote, me, close quote, right, right angle bracket. Follow me
on social media, left angle bracket slash A, right angle bracket. So it's just a normal old HTML
link hyperlink, except it has the special attribute that claims that rel equals me. And of
course, the href attribute is pointing to your Mastodon profile that you want the green checkmark
to be awarded to. What do you do with this link? Well, you go and put it on a website that people
on the internet agree that you control or that you actually do control. I mean, I guess it doesn't
actually matter that people on the internet acknowledge that, but you can, if you have the ability
to put that link on a website, then you put that link on that website. You tie these two together,
the Mastodon profile, and the random website that you control enough to put that website link onto.
You tie them together by pasting the URL where that link appears into your Mastodon profile.
And then the Mastodon interface sees that there's a web address in your profile. It checks the
location, the destination of that web address. If it finds a href blah rel equals me at that
location, then it puts a green checkmark by that web address. So all you're doing is confirming
that the same entity controlling your Mastodon account is the same entity controlling a website.
And really, honestly, I mean, that's practically as good as online verification gets. You can
confirm through this that the same person did two different things at two different places, more or
less. And you can't confirm that that person is the same person that you shook hands with
at that one technical conference. They might have someone doing their bidding. You don't know,
but you do know that they have at least that they have knowledge. This person has knowledge of both
knowledge and control over both of these web locations. That's pretty good verification for
internet stuff. About as good as you can get. And I do say about. I was having a conversation with
someone on Mastodon about these concepts. And I found out through this conversation that there's
a new project, I say new, new to me, a project called Keyoxide. That's K-E-Y-O-X-I-D-E.org. Keyoxide
and Keyoxide is a way is a project that wants to sort of tether your PGP key or
GNU PG whatever. You're pretty good privacy cryptographic key. It wants to tether that key between
or rather to your Mastodon profile. This way, you can now confirm to your own encrypted key,
your, well, the public key to which you hold the secret key. So Keyoxide just makes it easy,
well, I say easy, it is attempting to make it easy for you to make changes to your encrypted
key chain that can then be verified by other online applications. The documentation is a little
bit rough. There's no sense of a sort of a workflow. So I'm going to attempt to distill all of that
here now into easy to follow steps so that if you want to verify your Mastodon account or some
other account by your encrypted key, then you're able to do that. The advantage to this by the way
before we get started is of course the web of trust that PGP encourages you to build. Now if
you're like me and you haven't built a web of trust, really it's kind of useless, all you're
doing. Actually, I say I haven't built a web of trust. I've built, I've built a small web of trust,
although I haven't had that web of trust sign my key. It's been a purely functional web of trust.
Certain people do email me with PGP encrypted emails using my key and my public key and I email
them back using their public key. So there is trust there. It's simply that I haven't, I can't prove to
you, dear listener, that there's trust because I haven't had anyone sign my key. So that's,
but that's my shortcoming. And anyway, the point is if you want to build a ring of trust,
you know, a web of trust in your key ring, then you can do that. And then people can look at your
PGP, look at your Mastodon account and other things that you've linked back to your PGP, your
Keyoxide profile page and kind of confirm that again, the entity controlling this encrypted key,
who other people believe to be authentic because they've met them and signed their key to a test
that yes, this this human does have access to this key. That bolsters trust in that key. And so now
it does start to seem like, yeah, that probably is the same human doing things online because they
keep pointing back to this key, which other humans have confirmed was physically present as it were
along with the actual human whose hand they shook when they were signing the key. Okay, so how do
you work with Keyoxide? Keyoxide, the documentation is there. If you can make heads or tails of it,
congratulations. Here's what I've got for you though. I'm going to take you through the whole process
assuming that without assuming that you have even a key created. Now if you do have a key created,
you should assume you should pretend like you don't have a key created. I'm not saying create a
new key. I'm just saying listen to every step because there were some surprises along the way that
I mean, just really really shocked me because I thought I had GPG as figured out as anybody else could.
I mean, it's a pretty big system. It's a lot to take in. But I mean, I use it a lot. I feel
relatively comfortable with the commands. I felt like I knew where to look when I needed to
reference a command component that I didn't know. And yet there were still surprises. So please,
if you want to go down this path, just pretend like you're completely new to all of this.
You will thank yourself later. Okay, so the first thing that you do is you generate,
you want to generate a key. And like I say, if you already have a key generated, then you don't have
to do that. But I'll just pretend like you don't just so we hear all the steps. Okay, so the first
thing you do is let's use GPG 2. I find that easier to use myself. So I'm going to do GPG
dash, dash, full, dash, generate, dash, key. This is the, so these are all the prompts.
And the first question is going to be RSA and RSA, which is the default or you can do DSA
in El Gamal or DSA Sign Only or RSA Sign Only. I'm just going to go one, which is the default.
And then it asks me how, what kind of key do I want? It can be from 1024 to 4096 long. It says
what key size do you want? And the default is 3072. I'm just going to go for broke 4096.
Should this key expire? I'm going to say no. I'll revoke it if I need it to expire. Is this correct?
Yes. Okay, now it needs information about me. So I'm going to put down that my real name is
Klaatu. My email is klaatu at example.com. A comment. I don't need a comment. Is everything okay? Yes,
everything's okay. Now I need a passphrase for this thing. Bogus 123. Bogus 123. And now it's
asking me to generate some entropy by moving my mouse around and moving windows around. If you're in
a modern system, it doesn't take long. It used to take quite a while. There we go. Looks good. Spits
out sort of a report for me. And that is that I have now a key. And there's this big long string
of numbers 2, 2, 4, 2, 0, e, 4, 4, 3, 8, and so on. That's the that's an identifier for your key.
You're going to need that. So don't don't close your terminal yet. You're going to you're going to use
that next. But before we do that, I'm going to I'm going to pause and I'm going to say what if
you already had a key? If you've already got a key, then all you need to do really is find out
the the big long number, that fingerprint. If you if you don't have that already, it's easy to get
you just do a GPG 2 dash dash list dash secret dash keys. And it gives you a report on all the
secret keys that you hold. Find the one if you have more than one secret key. And you may you
might have a secret key for K wallet, a secret key for your personal emails, a personal key for
your work email. Who knows? So find the one that you actually want to use. Here's the here's
klaatu at example.com. I'll select that and it shows you the the big long number. So this is good.
That's that's an identifier that you can use pretty consistently throughout this process.
So now you need to we're going to edit this key that we just created. So GPG 2 dash dash edit dash
key. And then you're going to paste in the big long number, the fingerprint. I'll call that the
fingerprint from now on. All right. So that kind of dumps us into a GPG prompt. And right above the
prompt are some details about this about this key. It's telling us things like what is it telling us?
I don't know a secret key. It's a SEC not a PUB public secret. So this is an SEC key that we're
looking at. RSA 4096. Great. Created today. Expires never and so on. So it gives us some
information. What we need to do is add something called a notation. Now I didn't know notation existed.
I didn't know that was a thing until this process. So that's that's one of those things that I
learned from from doing this. So that was kind of cool. But the way that we we do that is we just
type in, well, actually, you know what? Right now you probably only have one user. If you just
created this key, you probably only have one user ID associated with this account. And you see the
name of that user ID. It says ultimate one dot Klaatu klaatu at example dot com. So that's that's
indicating to you that there's one email address associated with this secret key. And that's pretty
typical. Me, I have lots of email addresses associated with my keys because I've either changed
emails or I have different emails for different audiences or whatever, or I have different versions
of the same email. My work email has both my first name and my my first and my last name. I have
both available at my work. So you know, you might have more than one UID. You need to proclaim,
you need to appoint one as the primary user. So if you if if you need to do that, you type in UID,
UID. Oh, okay. Well, I can't do it because I only have one. So you type in UID, you hit return,
and then no, you know what? Maybe I can do it. Yes. Okay. UID space one. That's what you type. Sorry.
UID space one or whatever, you know, one, two, three. Let's say you have klaatu at example,
clatuonzelgonger at example, and klaatu at hackerpublicradio.org. Whichever one of those that I want to have
as the primary user of this key, and I do need to designate one, I would do UID space and then the
number of that of that user ID. You then get a little asterisk by that number. That's the selected UID.
Now at the prompt, you just type the word primary. It's asking me for confirmation. So I type in my
password, and I've just designated myself as the primary user of this key. That is significant. You
should do it. Okay. Next, I'm going to add notation. This is the part that Keyoxide specifically
requires for it, for Keyoxide to function correctly. This is the thing that Keyoxide looks at,
actually. So notation, enter the notation. It says, all right. So this is special code that Keyoxide
recognizes. It is the word proof, pr 0 0f, as in prove it, proof, proof at ariadne. That's
alpha Romeo indigo alpha delta november echo dot ID. That's indigo delta equals the path
to your mastodon profile. So it could be HTTPS colon slash slash mastodon dot xyz slash at symbol
klaatu. That's me on on mastodon. By the way, follow me if you'd like to. That takes you to a profile
page. You need to know your mastodon handle, which is, you know, the at and then some some word. That's
kind of your account. And you need to know the server on which your mastodon account is hosted.
That's the mastodon instance. And there are lots out there. There's mastodon dot social. There's
mastodon dot xyz. There's mastodon tech hub dot dot org or com or something lots of social. I don't
lots are out there. You'll know what it is because that's the site you go to to log into mastodon.
So you're just pointing this proof at ariadne.id to your mastodon user page, the one that you want to
authenticate or rather verify using this key. All right. So I've just hit return again. So
so that's been taken. You don't get to see your notation to see the notation. If you don't believe
that it's there, it hasn't been saved yet, by the way. So to see it, you can do show preff.
All one string show preff s h o w p r e f. Hit return. And then you get to see extra data about your
your key, including notations. So you will see the notation there. I'm going to type save. And that
also that that saves what I've just done. And it it boots me out of gpg. Now I'm back to my normal
terminal prompt. Now stop. If you're familiar with gpg and and you're like me, you probably think
you know what to do next. You think you're going to type in a command to update your key to a key
server somewhere. Don't do that. Honestly, you have to do it a different way. If if if you are
glutton for punishment, please, by all means, do it some other way and let me know what happens
because I had a bunch of failed attempts at this. But and it didn't it didn't work until I did
exactly the steps that I'm about to give you. But I had so many failed attempts that I can't figure
out if the failures were because I was not doing what I'm saying. You should do or whether I was
just doing what I was doing incorrectly. But I honestly think that this is exactly what you have to
do. You have to go to keys.openpgp.org. Now, I mean, everything in me says that there shouldn't
be anything special about that about that about that particular server. And as far as I know,
there isn't. But you do need to, I think, first of all, don't listen to me. There's something special
about that server. You have to do it at openpgp.org or none of this will work. That's what I want to say.
Or that's what I need to say because that that was my result. That's the provable result. I've
done this once and then I got tired of the the the equation and just decided that I was going to use
that as the canonical correct way to do this. You should be able to go to pgp.net.nz colons 11371
or any any of your favorite key servers and do this same process. I'm just telling you that what
worked for me was going to openpgp.org. So if you try a different server and it works, let me know
and just confirm that that I was just doing something wrong all along. But the the the the thing about
keys.openpgp.org is that you can upload a key. And I know you're thinking no, Klaatu, I don't
need to do this. I've already done this. I've done and I've done a send I've sent it to the servers
in the terminal. It's fine. I'll just do it my way. I'm telling you don't do that. Go to keys.openpgp.org.
Click upload. Even if you've already uploaded your key, click upload. And then it's going to tell
you to upload your key. Well, in order to do that, you need a nice little tidy key file to
to to upload. So back in your terminal, you're going to do gpg dash dash or I think you can do gpg
to dash dash armor dash dash export. And then the the email of the you know the user ID that you
want to to export. So that's or of the key that you want to export. So that's klaatu at example
for instance in in this scenario. Redirect to pubkey.asc. That's the correct way to export all the
metadata out of your key chain or your key box into a little self contained file. Okay. Now you've
got that. So you can click upload on keys.openpgp.org. Select that.asc file and upload it. If it already
has a key that matches that key, don't worry. It will just update your existing key or whatever it
does. I don't know. I've never run a key server, but overwrite it or patches it or whatever it does.
It's not like you're going to have duplicates on there or anything. You'll just the the most recent
version will be there. When once your file is uploaded and it doesn't take put a moment, it's
very small file. Once it's uploaded, keys.openpgp.org gives you the option to get a confirmation email.
This is the thing that was new to me. I've never seen this before in my life. Didn't know it was a
thing. Didn't know it was possible. I don't know if it's something specific to open pgp.org. I don't
know, but you can click on the confirmation email thing. It will send an email to the email address
that you've got in that key and and then you can respond to that email and then there's confirmation
that yes, that key exists and yes, it actually does have the authority to lay claim to that email
address. Do that. That's the missing component. For me, that was the missing component for about a
day. I kept uploading my key manually in a terminal with the gpg2 option to upload the key
or send dash key and that just wasn't doing it. It wasn't sending you the notation. It wasn't
sending. I think the primary user, there was a bunch of stuff that it just wasn't sending. So
don't don't do that. You got to do it through keys.openpgp.org or else this whole thing
will be for naught. All right, so once you've got that, go go grab a cup of coffee and if you've heard
my podcast, gnuworldorder.info, you'll know that I always tell people to go get a cup of coffee
about halfway through the show, but in this case, I actually mean go get a cup of coffee because
you're going to have to wait for the email, the confirmation email to come through, then you're
going to have to wait for the key servers to synchronize around the globe. So this could take
a wee while. It won't take all day, I don't think, but it could, it'll take a cup of coffee.
So go get a cup of coffee and then come back and complete the mission. What's the mission again?
Oh yes, we're trying to tie this Keyoxide thing to our mastodon profile. What have we done so far?
Well, we've generated a key. You may or may not have already had a key, so maybe you skip that step,
it's fine. We've added notation to our existing key and we've set a primary user for our existing
key. We have uploaded the key to keys.openpgp.org. We have clicked a button to get a confirmation email.
We have responded to the confirmation email by by clicking the link, you know, in the email,
the little confirmation link. That's where we are right now. This is an exciting moment because
this is where it all comes together. Remember the key fingerprint that I had you remember earlier.
Well, don't worry if you don't. That's fine. It's probably in your history, first of all,
but you can, you can also just do at any, at any time, you can do a GPG2 space dash, dash, show, no,
list, dash, secret, dash, keys. And that'll list your secret keys. Look through there, find the one
associated with your, with the email address in question. And notice that there is a big,
long number just under the, just above the user ID section. That's your, your fingerprint. So
copy that and now go to key and go to keyoxide.org slash hkp slash. And then you paste in the
fingerprint. You see a little profile page for yourself. Now notice you haven't like opened
an account with Keyoxide. You haven't registered for Keyoxide. All it's doing is verifying.
It's looking at your key and it's verifying or it's, it's parsing that information. That's all it's
doing. So you are, you're, you're telling keyoxide to go look up that key by that fingerprint.
It is reading the key that it finds and it's parsing it. It's finding out the user ID, the primary
user of that key. It's finding out the email address. It's finding the, the, the fingerprint. And then
I guess most importantly in, in this scenario, it is also finding the link, the proof, proof at
ariadne.id data that you've put into the notation field. And as I look at mine, it does appear here.
In fact, it's, it's a little bit weird looking right now. It just says dash dash dash klaatu
at mastodon.xyz. What's the dash dash dash? It looks like some weird signature file or something.
No, this is essentially an unused proof. This, this, this is notation that you've put into your key,
but you haven't utilized anywhere yet. How do you utilize this? Well, go up to the URL bar of your
browser. Just copy. It's keyoxide.org slash hkp slash and then the, the fingerprint go to your
mastodon profile where you got your little verification link in the other exercise. So I'm
just going to go to go to mastodon, click edit profile and then scroll down to a section called
profile metadata. There's four different fields label, label, label, label, content, content, content,
content. And so I'll just type in, I don't know, GPG. And then in the content, I'm going to just
paste the keyoxide link, keyoxide.org slash hkp slash a big long fingerprint looks good. And then
I'm going to click the saved changes, go back to go back to mastodon, click on my, click on my
name. And sure enough, my profile now has a GPG property with a little green tick mark by my keyoxide.org
slash hkp blah, blah, blah. And that's a clickable link too. So if someone was to click on that
and because they don't know what Keyoxide is yet, they can click on it and they'll, there's my
profile. Like there's the, there's the data from my key. And certainly if, if they're savvy enough
to, to, to know what that means to, to care about that, then they can take that fingerprint.
They can look that up on the key server in within GPG and add that my public key to their,
to their key chain. They can look at who else has signed my key, nobody. And, and, and make a judgment
call, they can decide whether this means that I am more or less trustworthy than had I just
taken a verification link from mastodon profile and put it on a website that I control is one worth
more than the other. Well, like I say, in my case, in its current state, I don't really feel like
this is worth anything beyond what just having a link on a website would offer because I don't
have a ring of trust that I've built. I need to go to a key signing party. I need to meet people.
I need to tell them my actual identity. I need to present them with a key bearing that name
and then have them sign it and, and, and, and so on. That's what I need to do and I haven't done that.
So, so I don't have a web of trust built up around my, my cryptographic key. It's not a worth a
whole lot. Anyone could make a cryptographic key, put my email into it and, and then they would have
a profile on Keyoxide that claims to be me. Now, would I personally ever link to that key? No,
I wouldn't. And so, there would be the break in, in trust there, the fact that I never reference
that Keyoxide instance or that, that GPG key. And the same goes, frankly, for a website, right? I mean,
anyone can get a website, put my information into it and say that it's my website. But then
if my mastodon account never links back to that website and vice versa, then, or, or rather, yeah,
then, then, then, then there's no reason to believe that my mastodon instance or my mastodon account
recognizes that website. So this is, in both cases at, at, at their most basic, it's just mutual
confirmation that yes, I acknowledge the existence of this and I can prove to, to, to, to a high level
that I have control over both of these things. But if you go the Keyoxide slash PGP route,
then you can go out and use the system built into PGP to get other humans to vouch for you,
cryptographically. I hope this has been useful. I think that this is a really kind of important
topic. Verification on the, on the internet is a really tricky subject. I think a lot of people,
I will, I know a lot of people don't really think about it that often. The fact that Twitter
was able to be the deciding factor in who was real or suspect for, for years. I mean, we lived
with Twitter for years. I guess we're still technically living with it. And, and they were the
sole arbiter of whether you got a check mark by your name and, and who was it? Who, who was Twitter?
Why, who, what was the process? There's no transparency there. There's, there's no real trust built
in around Twitter. So at least, at least with GPG, PGP, you have, you do have trust that you can
build in. So this is an important topic. I think it's a big one. So definitely if, if you're,
if you're using GPG or if you're interested in starting to use GPG or pretty good privacy,
then by all means, and you're using mastodon, by all means, have a look at Keyoxide. The process
is, is not well explained on the website. I have hopefully explained it to you a little bit better
now. Use it, verify. I think you'll be glad that you did. Thanks for listening.
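Added example, not from the episode and not Mastodon's or Keyoxide's own code: a Python model of the two mutual links the show describes, Mastodon's rel="me" check on a site you control, and the proof@ariadne.id notation naming the Mastodon profile while a profile metadata field names keyoxide.org/hkp/<fingerprint>. The exact matching rules the real services apply, the sample HTML and the all-zero fingerprint are assumptions constructed for the example.

```python
"""Model of the two mutual-link checks described in the episode.

Assumptions: this is an added example, not Mastodon's or Keyoxide's code.
(1) Mastodon's rel="me" verification: the linked page must carry an <a> or
    <link> whose rel token list contains "me" and whose href is the profile.
(2) The Keyoxide round trip as the speaker describes it: the key notation
    proof@ariadne.id=<mastodon profile> and a profile metadata field holding
    https://keyoxide.org/hkp/<fingerprint>.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

PROOF_NOTATION = "proof@ariadne.id"


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop a trailing slash and any fragment, so two
    spellings of the same profile URL compare equal."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeCollector(HTMLParser):
    """Collect the href of every <a>/<link> whose rel attribute contains the token 'me'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()  # rel is space-separated tokens
        if "me" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def verify_rel_me(page_html: str, profile_url: str) -> bool:
    """True if the page links back to profile_url with rel="me" (the green-tick condition)."""
    collector = RelMeCollector()
    collector.feed(page_html)
    target = normalize_url(profile_url)
    return any(normalize_url(h) == target for h in collector.hrefs)


def parse_proof_notation(notation: str):
    """Split 'proof@ariadne.id=<url>' into (name, url); None for any other notation."""
    name, sep, value = notation.partition("=")
    if sep != "=" or name.strip() != PROOF_NOTATION:
        return None
    return PROOF_NOTATION, value.strip()


def mutual_verification(notation: str, profile_url: str, profile_fields: dict, fingerprint: str) -> bool:
    """Both directions must hold: the notation names the Mastodon profile, and one
    profile metadata field names the Keyoxide page for this fingerprint."""
    parsed = parse_proof_notation(notation)
    if parsed is None or normalize_url(parsed[1]) != normalize_url(profile_url):
        return False
    expected = normalize_url(f"https://keyoxide.org/hkp/{fingerprint}")
    return any(normalize_url(v) == expected for v in profile_fields.values() if v.startswith("http"))


# Constructed sample inputs; the fingerprint is a placeholder, not a real key.
PROFILE_URL = "https://mastodon.xyz/@klaatu"
FINGERPRINT = "0000000000000000000000000000000000000000"
SITE_HTML = """<html><body>
<a href="https://MASTODON.xyz/@klaatu/" rel="me nofollow">Follow me on social media</a>
<a href="https://mastodon.xyz/@someoneelse" rel="me">Another account</a>
<a href="https://mastodon.xyz/@klaatu">Plain link without rel=me</a>
</body></html>"""
PROFILE_FIELDS = {"GPG": "https://keyoxide.org/hkp/" + FINGERPRINT, "Website": "https://example.com"}

if __name__ == "__main__":
    print("rel=me verified:", verify_rel_me(SITE_HTML, PROFILE_URL))
    print("mutual link verified:",
          mutual_verification(f"{PROOF_NOTATION}={PROFILE_URL}", PROFILE_URL, PROFILE_FIELDS, FINGERPRINT))
```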
You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was
contributed by an HPR listener like yourself. If you ever thought of recording a podcast,
then click on our contribute link to find out how easy it really is. Hosting for HPR has been
kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise
stated, today's show is released under a Creative Commons Attribution 4.0 International