Post · bonfire.cafe

Post

Let's look at the output of the "status" command, in three examples:

First, we can check out the contents of my certificate, e.g. by pulling it from a public keyserver, like this:

$ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status

The output shows the top-level primary key material and its metadata in a first block, followed by a series of subkeys with their respective metadata, and finally a set of four User IDs.

Validity of each component is shown both as emoji and explanatory text.

🧵 2/5

A terminal session that shows the following command and output:

$ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status
🔐 EdDSA/Curve25519 v4 23da7c0eaa711f0170013595b518d342eb2d4805
⏱️ Created 2023-04-23 03:04:56 UTC
✅ Active, expires 2026-04-22 03:04:56 UTC
🏴 Key flags: Certify

🔑 EdDSA/Curve25519 v4 954fc07eb1a70fc30bfc10f839d6c12995a8d067
⏱️ Created 2023-05-09 21:02:23 UTC
✅ Active, expires 2026-04-22 10:12:46 UTC
🏴 Key flags: Auth

🔑 ECDH/Curve25519 v4 f84f06b6f44c9090f1c27f89c8edabd42aa0c4e8
⏱️ Created 2023-05-09 21:02:12 UTC
✅ Active, expires 2026-04-22 10:12:46 UTC
🏴 Key flags: Encrypt

🔑 EdDSA/Curve25519 v4 03c75b9e40375ce18d815946dae9a9050fccf1eb
⏱️ Created 2023-05-09 21:01:49 UTC
✅ Active, expires 2026-04-22 10:12:46 UTC
🏴 Key flags: Sign

🔑 ECDH/Curve25519 v4 c09cbaaf8dcc628209789ad3c283ad022c2ed0de
⏱️ Created 2023-04-23 03:04:56 UTC
🚫 Revoked (soft): KeySuperseded "subkey is retired", 2023-12-09 23:58:06 UTC

🪪 ID "<heiko.schaefer@posteo.de>"
✅ Active, expires 2026-04-22 10:46:31 UTC

🪪 ID "Heiko Schaefer"
✅ Active, expires 2026-04-22 10:46:31 UTC

🪪 ID "Heiko Schaefer <heiko@schaefer.name>"
✅ Active, expires 2026-04-22 10:46:31 UTC

🪪 ID "Heiko Schaefer <heiko.schaefer@posteo.de>"
✅ Active, expires 2026-04-22 10:46:31 UTC — A terminal session that shows the following command and output: $ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status 🔐 EdDSA/Curve25519 v4 23da7c0eaa711f0170013595b518d342eb2d4805 ⏱️ Created 2023-04-23 03:04:56 UTC ✅ Active, expires 2026-04-22 03:04:56 UTC 🏴 Key flags: Certify 🔑 EdDSA/Curve25519 v4 954fc07eb1a70fc30bfc10f839d6c12995a8d067 ⏱️ Created 2023-05-09 21:02:23 UTC ✅ Active, expires 2026-04-22 10:12:46 UTC 🏴 Key flags: Auth 🔑 ECDH/Curve25519 v4 f84f06b6f44c9090f1c27f89c8edabd42aa0c4e8 ⏱️ Created 2023-05-09 21:02:12 UTC ✅ Active, expires 2026-04-22 10:12:46 UTC 🏴 Key flags: Encrypt 🔑 EdDSA/Curve25519 v4 03c75b9e40375ce18d815946dae9a9050fccf1eb ⏱️ Created 2023-05-09 21:01:49 UTC ✅ Active, expires 2026-04-22 10:12:46 UTC 🏴 Key flags: Sign 🔑 ECDH/Curve25519 v4 c09cbaaf8dcc628209789ad3c283ad022c2ed0de ⏱️ Created 2023-04-23 03:04:56 UTC 🚫 Revoked (soft): KeySuperseded "subkey is retired", 2023-12-09 23:58:06 UTC 🪪 ID "<heiko.schaefer@posteo.de>" ✅ Active, expires 2026-04-22 10:46:31 UTC 🪪 ID "Heiko Schaefer" ✅ Active, expires 2026-04-22 10:46:31 UTC 🪪 ID "Heiko Schaefer <heiko@schaefer.name>" ✅ Active, expires 2026-04-22 10:46:31 UTC 🪪 ID "Heiko Schaefer <heiko.schaefer@posteo.de>" ✅ Active, expires 2026-04-22 10:46:31 UTC

Heiko

@hko@floss.social replied · 5 months ago

Analogously, we can inspect a modern v6 OpenPGP certificate, which uses up-to-date formats from the very recent RFC 9580.

We'll make a fresh example v6 certificate to look at with the "rsop" tool:

$ rsop generate-key --profile rfc9580 "" | rsop extract-cert > alice_v6.cert

And then look into it with:

$ rpgp status alice_v6.cert

🧵 3/5

Heiko

@hko@floss.social replied · 5 months ago

We can also ask the "rpgp" CLI tool to emit the same certificate status information in #JSON format:

$ rpgp status --json alice_v6.cert

Please be aware that the rpgp JSON output format is in a very early stage, and may be subject to change!

(At some point I will commit to not changing the JSON format on a whim, but that point is not right now.)

🧵 4/5

A terminal session that shows the following command and output:

$ rpgp status --json alice_v6.cert
{
"primary": {
"fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81",
"version": 6,
"created": "2025-08-24T22:26:06Z",
"algorithm": "Ed25519",
"status": {
"valid": {}
},
"key_flags": [
"Certify",
"Sign"
]
},
"subkeys": [
{
"fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c",
"version": 6,
"created": "2025-08-24T22:26:06Z",
"algorithm": "X25519",
"status": {
"valid": {}
},
"key_flags": [
"Encrypt"
]
}
],
"user_ids": [
{
"id": "<alice@example.org>",
"primary": true,
"status": {
"valid": {}
}
}
]
} — A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }

Heiko

@hko@floss.social replied · 5 months ago

Finally, rpgp is just as happy to inspect ancient PGP certificates as it is with modern v6 ones:

$ rpgp status hal_1992.cert

This historical PGP certificate is almost 33 years old today, and uses the prehistoric "v2" key format.

While it's certainly not practically useful to use such keys in the current era, it may still sometimes be helpful (or just plain fun) to inspect them, for informational purposes - or to marvel at the longevity of the OpenPGP format for a minute.

🧵 5/5

A terminal session that shows the following command and output:

$ rpgp status hal_1992.cert
🔐 RSA(1024) v2 515c99ff35994387e2d430173749a06c
⏱️ Created 1992-09-08 05:12:44 UTC
🚫 Invalid: no active signature in primary user id

🪪 ID "Hal Finney <74076.1041@compuserve.com>"
🚫 Invalid: no active signature — A terminal session that shows the following command and output: $ rpgp status hal_1992.cert 🔐 RSA(1024) v2 515c99ff35994387e2d430173749a06c ⏱️ Created 1992-09-08 05:12:44 UTC 🚫 Invalid: no active signature in primary user id 🪪 ID "Hal Finney <74076.1041@compuserve.com>" 🚫 Invalid: no active signature

Heiko

@hko@floss.social replied · 5 months ago

For scale: This v2 public key predates the earliest beginnings of the venerable GnuPG project by around 5 years (see e.g. https://linuxsecurity.com/news/cryptography/a-short-history-of-the-gnu-privacy-guard)

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.1 no JS en

Automatic federation enabled