# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific user's twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 39
# self = https://watcher.sour.is/conv/ptpfohq
I think I’ll give GPG, signed commits, and signed release tarballs another chance. 🤔 Let’s see how big of a headache this is going to be …
@movq I do them all the time, but not sure anyone ever bothers to check the signatures though 🤣
@prologic Haha, yeah, I saw that you’re signing commits. Now, first question: How do I get your key? gpg --recv-keys ... doesn’t find anything. 😬
@movq oh probably because I’ve never published my key on a key server because who the heck knows what a good decent trustworthy GPG key server is anymore? 🤔
@prologic I don’t. 🤔 🤷 I publish my key(s) on my web site, too, so users have multiple independent sources (key servers + web site + maybe a signed e-mail from me). Not sure if that’s best practice, let alone good UX …
@movq What's considered accepted convention for publishing my GPG public key to my website? Is there a .well-known file/directory structure for this? Or some well-known resource name? 🤔 I _think_ keys.pub expects to find for example keyspub.txt
@prologic I just put it on my “contact” page and I’ve seen lots of other people do the same. Of course, that doesn’t allow for auto-discovery, but I get the impression that GPG frowns upon that anyway and that it wants you to jump through several hoops here (build a web of trust, go to key signing parties, …).
@movq I _think_ a "web of trust" is important, but I've never been to a key signing party? Sounds too hip for me 🤣 But yeah, I dunno. 🤷‍♂️ Trouble I find is that the utility and wide-spread of GPG is basically bupkis 😂
@movq @prologic It's been definitely more than ten years ago, but I went to one or two key signing parties.
@movq keys.openpgp.org is a decent key server. They only publish a key that has a valid email.
@lyse @prologic I’ve never been to a key signing party. 🥴 Got one or two encrypted mails nonetheless! (Nah, it was more than that. But it’s so damn rare. I pretty much gave up on PGP. I’m only getting back at using it because of this blog post https://shibumi.dev/posts/keyless-signatures-with-github-actions/, which triggered my arrogance and made me think: “How hard can it be?!” Haha! 🤣)
@prologic I'm not really big on WoT. (I think openpgp keyserver strips those signatures out.) There needs to be a better way.
@xuu

> keys.openpgp.org is a decent key server. They only publish a key that has a valid email.

Mhh, meh. My key currently has no e-mail address attached to it. 😕 I’d like to avoid this. It just makes this address a target for spam, so I’ll have to block it, meaning people can’t reach me anyway …
@prologic
> I’ve never been to a key signing party? Sounds too hip for me [...]

It is dated now, not hip. I went to two or three in the late 1990s. My first and very old---now defunct and gone---PGP RSA key was signed by Zimmermann himself.
@fastidious Genuinely impressed!
@fastidious Some of my friends in college were really excited to actually find other fellow nerds in college willing to engage in a key signing party. They used it to send like 3 or 4 inconsequential emails and then just gave up on it.
@movq While now other parties are involved with this cosign thing, I also believe that what they do is absolute crap, unless I completely misunderstood something. If the signer certificate has expired, also the signed certificate is invalid within a proper certificate validation process.
@meff
> They used it to send like 3 or 4 inconsequential emails and then just gave up on it

Pretty much like the rest of us 😂. I use GnuPG to encrypt anything sensitive that I upload to clouds, and occasionally sign an email (ASCII armoured, not PGP MIME), but that’s pretty much it.
@lyse That sounds weird. 🤔 To be fair, I didn’t dig through all those details. Actually, I stopped reading at “fully automated on Github Actions and fully keyless”, because I figured it’s irrelevant to me anyway.