Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/firstlookmedia/gpgsync
:lock: GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
https://github.com/firstlookmedia/gpgsync
encrypted-email gpg gpg-sync linux openpgp osx pgp techie
Last synced: 6 days ago
JSON representation
:lock: GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
- Host: GitHub
- URL: https://github.com/firstlookmedia/gpgsync
- Owner: firstlookmedia
- License: gpl-3.0
- Archived: true
- Created: 2016-02-11T20:40:18.000Z (over 8 years ago)
- Default Branch: develop
- Last Pushed: 2022-12-08T08:47:23.000Z (almost 2 years ago)
- Last Synced: 2024-08-02T07:11:22.909Z (3 months ago)
- Topics: encrypted-email, gpg, gpg-sync, linux, openpgp, osx, pgp, techie
- Language: Python
- Homepage:
- Size: 1.26 MB
- Stars: 343
- Watchers: 16
- Forks: 28
- Open Issues: 22
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
- awesome-cybersecurity-blueteam - GPG Sync - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team. (Communications security (COMSEC) / Service meshes)
- awesome-cybersecurity-blueteam-cn - GPG Sync - 用于在组织和团队中进行自动化OpenPGP公钥集成和分发。 (通讯安全 / 安全编排自动化与响应)
README
![GPG Sync](./logo/logo.png)
# GPG Sync
GPG Sync is designed to let users always have up-to-date OpenPGP public
keys for other members of their organization.If you're part of an organization that uses GPG internally you might
notice that it doesn't scale well. New people join and create new keys
and existing people revoke their old keys and transition to new ones.
It quickly becomes unwieldy to ensure that everyone has a copy of everyone
else's current key, and that old revoked keys get refreshed to prevent
users from accidentally using them.GPG Sync solves this problem by offloading the complexity of GPG to a
single trusted person in your organization. As a member of an organization,
you install GPG Sync on your computer, configure it with a few settings,
and then you forget about it. GPG Sync takes care of everything else.A single keylist is used by GPG Sync to keep keys in sync. This keylist
must follow a specific JSON format, see [our example](https://github.com/firstlookmedia/gpgsync/blob/develop/example-keylist/keylist.json)
for guidance on creating one for your organization if it does not already
exist. GPG Sync complies with the in-progress
[Distributing OpenPGP Keys with Signed Keylist Subscriptions](https://datatracker.ietf.org/doc/draft-mccain-keylist/)
internet standard draft.## Learn More
To learn how GPG Sync works and how to use it, check out the [Wiki](https://github.com/firstlookmedia/gpgsync/wiki).
## Getting GPG Sync
To install GPG Sync, follow [these instructions](https://github.com/firstlookmedia/gpgsync/wiki/Installing-GPG-Sync).
## Important note about keyservers
By default, GPG Sync downloads PGP public keys from [keys.openpgp.org](https://keys.openpgp.org/about), a modern abuse-resistent keyserver. (The old SKS keyserver pool is vulnerable to [certificate flooding](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) attacks, and it's based on unmaintained software that will likely never get fixed.)
For this reason, **it's important that your authority key, as well as every key on your keylist, has a user ID that contains an email address** and that **all users must opt-in to allowing their email addresses** on this keyserver. You can opt-in by uploading your public key [here](https://keys.openpgp.org/upload), requesting to verify each email address on it, and then clicking the links you receive in those verification emails.
If a member of your organization doesn't opt-in to allowing their email addresses on this keyserver, then when subscribers of your keylist refresh it, the public key that GPG Sync will import won't contain the information necessary to be able to send that member an encrypted email. GPG Sync still supports the legacy, vulnerable SKS keyserver network; this can be enabled in the advanced settings of each keylist.
## Test Status
[![CircleCI](https://circleci.com/gh/firstlookmedia/gpgsync.svg?style=shield&circle-token=8c35e705699711e0aff4934b4adef5b9e02e738d)](https://circleci.com/gh/firstlookmedia/gpgsync)
![Screenshot](./logo/screenshot.png)