Merge pull request #399 from drduh/wip-15oct23

Remove ancient keyservers
author: drduh <github@duh.to> 2023-10-15 21:04:02 -0700
committer: GitHub <noreply@github.com> 2023-10-15 21:04:02 -0700
commit: c41729520faf06c352510118ec9bb042bf4a40e7 (patch)
tree: 091ac89543956c61bbc8df13ec475ff1a2ea43e1 /README.md
parent: Merge pull request #386 from Xronophobe/docs/update-debian-12-live (diff)
parent: Update debian version (diff)
download: YubiKey-Guide-c41729520faf06c352510118ec9bb042bf4a40e7.tar.gz
1 files changed, 19 insertions, 14 deletions
diff --git a/README.md b/README.md
index 84b4376..f5ea43c 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,12 @@ This is a guide to using [YubiKey](https://www.yubico.com/products/yubikey-hardw
 
 Keys stored on YubiKey are [non-exportable](http://web.archive.org/web/20201125172759/https://support.yubico.com/hc/en-us/articles/360016614880-Can-I-Duplicate-or-Back-Up-a-YubiKey-) (as opposed to file-based keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN. All signing and encryption operations happen on the card, rather than in OS memory.
 
-**Tip** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey to securely store and read credentials.
-
-> **Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs.
+**Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs.
 
 If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
 
+**Tip** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey to securely store and read credentials.
+
 - [Purchase](#purchase)
 - [Prepare environment](#prepare-environment)
 - [Required software](#required-software)
@@ -132,7 +132,7 @@ Verify the signature of the hashes file with GPG:
 
 ```console
 $ gpg --verify SHA512SUMS.sign SHA512SUMS
-gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST
+gpg: Signature made Sat 07 Oct 2023 01:24:57 PM PDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: Can't check signature: No public key
 
@@ -142,7 +142,7 @@ gpg: Total number processed: 1
 gpg:               imported: 1
 
 $ gpg --verify SHA512SUMS.sign SHA512SUMS
-gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST
+gpg: Signature made Sat 07 Oct 2023 01:24:57 PM PDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
 gpg: WARNING: This key is not certified with a trusted signature!
@@ -160,7 +160,7 @@ Ensure the SHA512 hash of the live image matches the one in the signed file - if
 
 ```console
 $ grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS
-SHA512SUMS:f9976e2090a54667a26554267941792c293628cceb643963e425bf90449e3c0eeb616e8ededc187070910401c8ab0348fdbc3292b6d04e29dcfb472ac258a542  debian-live-11.6.0-amd64-xfce.iso
+SHA512SUMS:3c74715380c804798d892f55ebe4d2f79ae266be93df2468a066c192cfe1af6ddae3139e1937d5cbfa2fccb6fe291920148401de30f504c0876be2f141811ff1  debian-live-12.2.0-amd64-xfce.iso
 ```
 
 See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information.
@@ -214,7 +214,9 @@ Open the terminal and install required software packages.
 ## Debian and Ubuntu
 
 ```console
-$ sudo apt update ; sudo apt -y upgrade
+$ sudo apt update
+
+$ sudo apt -y upgrade
 
 $ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
 ```
@@ -265,7 +267,9 @@ $ ~/.local/bin/ykman openpgp info
 
 ```console
 $ sudo dnf install wget
+
 $ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-38-1.noarch.rpm
+
 $ sudo rpm -Uvh rpmsphere-release*rpm
 
 $ sudo dnf install gnupg2 dirmngr cryptsetup gnupg2-smime pcsc-tools opensc pcsc-lite secure-delete pgp-tools yubikey-personalization-gui
@@ -602,6 +606,7 @@ charset utf-8
 fixed-list-mode
 no-comments
 no-emit-version
+no-greeting
 keyid-format 0xlong
 list-options show-uid-validity
 verify-options show-uid-validity
@@ -612,7 +617,7 @@ use-agent
 throw-keyids
 ```
 
-**Important** Disable networking for the remainder of the setup.
+**Tip** Networking can be disabled for the remainder of the setup.
 
 # Master key
 
@@ -646,7 +651,6 @@ Do **not** set the master (certify) key to expire - see [Note #3](#notes).
 
 ```console
 $ gpg --expert --full-generate-key
-
 Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
@@ -658,6 +662,7 @@ Please select what kind of key you want:
   (10) ECC (sign only)
   (11) ECC (set your own capabilities)
   (13) Existing key
+  (14) Existing key from card
 Your selection? 8
 
 Possible actions for a RSA key: Sign Certify Encrypt Authenticate
@@ -1408,14 +1413,16 @@ $ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
 ```console
 $ gpg --send-key $KEYID
 
-$ gpg --keyserver pgp.mit.edu --send-key $KEYID
-
 $ gpg --keyserver keys.gnupg.net --send-key $KEYID
 
 $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID
 ```
 
-After some time, the public key will propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
+Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
+
+```console
+$ gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
+```
 
 # Configure Smartcard
 
@@ -2321,8 +2328,6 @@ $ gpg --import pubkey.asc
 
 N.B.: The `showpref` command can be issued to ensure that the notions were correctly added.
 
-It is now possible to continue following the Keyoxide guide and upload the key to WKD or to keys.openpgp.org.
-
 # SSH
 
 **Tip** If you want to use a YubiKey for SSH only (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md). Yubico also recently announced support for resident ssh keys under OpenSSH 8.2+ on their blue "security key 5 nfc" as mentioned in their [blog post](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/)._
author	drduh <github@duh.to>	2023-10-15 21:04:02 -0700
committer	GitHub <noreply@github.com>	2023-10-15 21:04:02 -0700
commit	c41729520faf06c352510118ec9bb042bf4a40e7 (patch)
tree	091ac89543956c61bbc8df13ec475ff1a2ea43e1 /README.md
parent	Merge pull request #386 from Xronophobe/docs/update-debian-12-live (diff)
parent	Update debian version (diff)
download	YubiKey-Guide-c41729520faf06c352510118ec9bb042bf4a40e7.tar.gz