• This repository has been archived on 01/Feb/2023
• Stars: 344
• Rank: 123,066 (Top 3 %)
• Language: Python
• License: GNU General Publi...
• Created almost 9 years ago
• Updated almost 2 years ago


Repository Details

🔒 GPG Sync is designed to let users always have up-to-date public keys for other members of their organization

GPG Sync

GPG Sync is designed to let users always have up-to-date OpenPGP public keys for other members of their organization.

If you're part of an organization that uses GPG internally, you might notice that it doesn't scale well. New people join and create new keys, and existing people revoke their old keys and transition to new ones. It quickly becomes unwieldy to ensure that everyone has a copy of everyone else's current key, and that revoked keys get refreshed so that nobody accidentally keeps using them.

GPG Sync solves this problem by offloading the complexity of GPG to a single trusted person in your organization. As a member of an organization, you install GPG Sync on your computer, configure it with a few settings, and then you forget about it. GPG Sync takes care of everything else.

GPG Sync keeps keys in sync from a single keylist. This keylist must follow a specific JSON format; see our example for guidance on creating one for your organization if it does not already exist. GPG Sync complies with the in-progress Internet standard draft, Distributing OpenPGP Keys with Signed Keylist Subscriptions.

Learn More

To learn how GPG Sync works and how to use it, check out the Wiki.

Getting GPG Sync

To install GPG Sync, follow these instructions.

Important note about keyservers

By default, GPG Sync downloads PGP public keys from keys.openpgp.org, a modern abuse-resistant keyserver. (The old SKS keyserver pool is vulnerable to certificate flooding attacks, and it's based on unmaintained software that will likely never get fixed.)

For this reason, it's important that your authority key, as well as every key on your keylist, has a user ID that contains an email address, and that every user opts in to having their email address listed on this keyserver. You can opt in by uploading your public key here, requesting verification for each email address on it, and then clicking the links in the verification emails you receive.

If a member of your organization doesn't opt in to having their email address listed on this keyserver, then when subscribers of your keylist refresh it, the public key that GPG Sync imports won't contain a user ID with that member's email address, which is what GPG needs to encrypt email to them. GPG Sync still supports the legacy, vulnerable SKS keyserver network; this can be enabled in the advanced settings of each keylist.
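As an added illustration of that failure mode (example code, not part of GPG Sync itself), the following check parses `gpg --list-keys --with-colons` output and reports fingerprints that carry no user ID with an email address, which is what a subscriber ends up with when a member's address was never verified on the keyserver. The listing below is constructed, with placeholder fingerprints.

```python
import re

# User IDs look like "Name <user@example.org>"; match the bracketed address.
EMAIL_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+>")


def keys_missing_email(colon_listing: str) -> list[str]:
    """Return fingerprints of keys with no user ID containing an email address.

    Input is `gpg --list-keys --with-colons` output: a `pub` record starts a
    key, the next `fpr` record carries its fingerprint (field 10), and each
    `uid` record carries one user ID (also field 10).
    """
    missing = []
    fingerprint, has_email = None, False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # Close out the previous key before starting a new one.
            if fingerprint is not None and not has_email:
                missing.append(fingerprint)
            fingerprint, has_email = None, False
        elif fields[0] == "fpr" and fingerprint is None:
            fingerprint = fields[9]  # first fpr after pub is the primary key
        elif fields[0] == "uid" and EMAIL_RE.search(fields[9]):
            has_email = True
    if fingerprint is not None and not has_email:
        missing.append(fingerprint)
    return missing


# Constructed sample listing (placeholder fingerprints, not real keys):
# key 1 has an email user ID, key 2 only a name, key 3 no user ID at all,
# as happens when none of its addresses was verified on keys.openpgp.org.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::HASH1::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:u::::1500000000::HASH2::Bob Example::::::::::0:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
"""

if __name__ == "__main__":
    for fpr in keys_missing_email(SAMPLE_LISTING):
        print("no email user ID on key", fpr)
```

Feeding it the real keyring (`gpg --list-keys --with-colons | python3 check.py` with stdin read instead of the sample) gives the list of members who still need to verify their address.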

Test Status: CircleCI

Screenshot: (image not included)

More Repositories

• pdf-redact-tools: a set of tools to help with securely redacting and stripping metadata from documents before publishing (Python, 524 stars)
• react-scripts: ⚙ shared react app configs (JavaScript, 220 stars)
• autocanary: Makes generating machine-readable, digitally signed warrant canary statements simpler (Python, 147 stars)
• dangerzone-converter: dangerzone has moved to https://github.com/freedomofpress/dangerzone (Python, 39 stars)
• aws-profile-gpg: 🔐 ☁️ Run aws-cli commands using IAM Access Keys stored in a GPG-encrypted credentials file (Python, 37 stars)
• flock-agent: 🦉 Agent for Flock, the privacy-preserving fleet management system (Python, 32 stars)
• flock-server: 🦉 Flock is a privacy-preserving fleet management system powered by osquery and the Elastic Stack (Python, 19 stars)
• keylist-rfc: 🔏 turning the system behind GPG Sync into an Internet standard (Makefile, 16 stars)
• gpgsync-firstlook-fingerprints: Signed list of OpenPGP fingerprints for First Look employees (15 stars)
• firstlookmedia.github.io (11 stars)
• deployables: 🗑️ a basket of deploy scripts (Shell, 10 stars)
• homebrew-firstlookmedia: 🍻 homebrew tap for first look media projects (Ruby, 3 stars)
• dangerzone.rocks: dangerzone has moved to https://github.com/freedomofpress/dangerzone (CSS, 3 stars)
• hagrid-verifier: Submit all the keys on a keylist to keys.openpgp.org, and request email verification for all UIDs (Python, 3 stars)
• whistleblower: Headless browser testing utils via Jest and Puppeteer (JavaScript, 2 stars)
• deployables2 (Python, 2 stars)
• keylist: First Look Media's keylist (Python, 2 stars)
• listcrunch: A JS port of MuckRock's listcrunch python library (TypeScript, 1 star)
• ecstatic: :squirrel: 🔍 automatically update ecs agents and report issues via webhook (Python, 1 star)
• pst: Clojure library to parse PFF databases (Clojure, 1 star)
• docker-placeholder-app: HTTP app intended to be used as a placeholder when spinning up an ECS cluster (Shell, 1 star)
• docker-https-redirect: ↩️ redirect http to https (1 star)