
Why download GPG key from URL?

Open ghost opened this issue 4 years ago • 6 comments

I don't understand why the 'download from URL' feature exists for the GPG key. Why should someone ever put their private key on a publicly accessible URL?

ghost · Aug 10 '21 20:08

It's not required to put your private key on a public server. The web server can just run on your PC in your local network to transfer the keys from the PC to your phone.

SimplyDanny · Aug 10 '21 21:08

Hmm… still think it's a little bit iffy. Might misdirect some people to expose their private key on the net.

ghost · Aug 13 '21 06:08

I think it's for something like qrcp. It starts a temporary server and displays the URL as a QR code.

Parrot7483 · Aug 27 '21 11:08

I trust people who use a password manager based on Git, SSH and PGP to know what they are doing. Not publishing private keys is probably the first thing they have learned. 😉

SimplyDanny · Sep 18 '21 17:09

Going to jump in and say I thought this option was ridiculous, too... until I found out it was the only easy way for me to get my private key onto my iPhone. I'm only on this issue list because I wanted to make sure that Pass didn't have a known bug that would leak my private key. 😅

As to why it became my only option:

  • my iPhone is the only Apple device I own (hand-me-down)
  • my Linux desktops aren't set up for file transfer with an iOS device
  • my GPG keys are too big to be transferred by ASCII-armored QR code (is there some kind of "strip identities and signatures" deal to fix this?)

...and I forgot to go on the App Store to look for a workable SFTP client, so I bit the bullet and used lighttpd through my local network. If I had one suggestion, providing a minimal SFTP/ssh/scp interface that does nothing but grab key files from sftp:// or ssh:// URLs would solve this problem neatly, since setting up any of those would be easier, if not already done as part of managing the password-store. Surely integrating scp is easier than git.

Or, at the very least, impressing the importance of doing this on a private, trusted network, watching the access logs like a hawk and being ready to take everything down if it turns out anyone but you is listening. "Use https", while a nice touch, is a much smaller security benefit than mentioning the above, while being a much bigger hassle that I only did because the app told me to.

dther · Sep 30 '21 03:09
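The "temporary server on the local network" approach that SimplyDanny and dther describe above does not have to be a general-purpose web server with a world-readable directory. The script below is an added example written for this thread, not code from passforios or from any commenter: it serves exactly one file, at an unguessable path, only to clients inside a CIDR you name, keeps an access log in memory, and shuts itself down the moment the key has been fetched once. The key file name, bind address and network range in the usage comment are hypothetical placeholders; the `decide()` policy function is the author's own naming, kept separate from the socket code so the rules can be tested without a network.

```python
"""One-shot LAN server for handing a GPG key export to a phone.

Added example (not part of passforios). Serves a single file once, to one
allowed network, with an in-memory access log, then stops listening.
"""
import ipaddress
import secrets
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def decide(client_ip, path, allowed_net, expected_path, already_served):
    """Pure policy check: which HTTP status a request gets.

    200  the one legitimate download
    403  client outside the allowed network (checked first, so outsiders
         learn nothing about the path)
    404  wrong path (the path carries a random token)
    410  the key has already been handed out
    """
    if ipaddress.ip_address(client_ip) not in allowed_net:
        return 403
    if path != expected_path:
        return 404
    if already_served:
        return 410
    return 200


class KeyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        srv = self.server
        ip = self.client_address[0]
        with srv.lock:  # two simultaneous fetches must not both get 200
            status = decide(ip, self.path, srv.allowed_net,
                            srv.expected_path, srv.served)
            if status == 200:
                srv.served = True
        srv.access_log.append((ip, self.path, status))
        body = srv.key_bytes if status == 200 else b""
        self.send_response(status)
        self.send_header("Content-Type",
                         "application/pgp-keys" if status == 200 else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(body)
        if status == 200:
            # Stop listening as soon as the key is out. shutdown() blocks
            # until serve_forever() returns, so it must run on another thread.
            threading.Thread(target=srv.shutdown, daemon=True).start()

    def log_message(self, fmt, *args):
        # Every request, allowed or not, is printed so you can watch who knocks.
        sys.stderr.write("%s - %s\n" % (self.client_address[0], fmt % args))


class OneShotKeyServer(ThreadingHTTPServer):
    def __init__(self, bind_addr, key_bytes, allowed_net):
        super().__init__(bind_addr, KeyHandler)
        self.key_bytes = key_bytes
        self.allowed_net = ipaddress.ip_network(allowed_net, strict=False)
        # Random path: finding the open port is not enough to fetch the key.
        self.expected_path = "/" + secrets.token_urlsafe(16) + "/key.asc"
        self.served = False
        self.lock = threading.Lock()
        self.access_log = []  # (client_ip, path, status) per request

    def url(self):
        host, port = self.server_address[:2]
        return "http://%s:%d%s" % (host, port, self.expected_path)


def serve_once(key_path, bind_ip, allowed_net):
    """Serve key_path once on bind_ip to allowed_net; return the access log."""
    with open(key_path, "rb") as f:
        key_bytes = f.read()
    srv = OneShotKeyServer((bind_ip, 0), key_bytes, allowed_net)  # port 0: pick a free port
    print("Open this URL on the phone (works once):", srv.url(), file=sys.stderr)
    try:
        srv.serve_forever()  # returns after the first successful download
    finally:
        srv.server_close()
    for ip, path, status in srv.access_log:
        print("access:", ip, path, status, file=sys.stderr)
    return srv.access_log


if __name__ == "__main__":
    # Hypothetical usage: python keyserve.py secret.asc 192.168.1.20 192.168.1.0/24
    serve_once(sys.argv[1], sys.argv[2], sys.argv[3])
```

This is still plaintext HTTP on whatever network the phone and PC share, so it is a complement to, not a substitute for, doing the transfer on a network you trust; the random path and single-shot behaviour limit the window, and the printed log tells you afterwards whether anything other than the phone asked for the file. The exported key should of course carry its passphrase. On dther's QR-size question: GnuPG's `--export-options export-minimal` drops all but the most recent self-signature per user ID, which is the usual way to shrink an export, but a large RSA secret key can still exceed what one QR code holds.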

@dther I feel you hard there. I'm a dual-iPhone user and had to go through Nextcloud to get mine transferred over. 😓

thearchivalone · Dec 20 '21 16:12