Update README.md #209
Giving more information about the self-published signature warning. I replicated some words `ipsis litteris` from the community channel for precision.
README.md
@@ -111,6 +111,13 @@ The reponse to this command should include the text: | |||
``` | |||
Good signature from "seedsigner <btc.hardware.solutions@gmail.com>" [unknown] | |||
``` | |||
You will also receive a warning message like the one below, but it only means that SeedSigner's (the person) PGP public key is not registered with an identity verification service; it has been self-published. The critical part is the text above. The warning can be safely ignored as long as you consider the author a reliable source. |
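Review bot: The last clause of the added sentence, "The warning can be safely ignored as long as you consider the author a reliable source", ties the decision to trust in the author rather than to the key. The `[unknown]` marker on the "Good signature" line above means gpg has no basis for binding this key to the named identity, so a good signature only shows that the file was signed by whichever key was imported. Suggest conditioning the advice on the reader having compared the imported key's fingerprint with a copy published through a separate channel. The sentence also explains a warning it never quotes, so quote the warning text next to it, and reword "SeedSigner's (the person) PGP public key". The context line in the hunk header has "reponse" for "response".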
I suggest we write the critical part is "good signature from email address btc.hardware.solutions@gmail.com", as that is the verified email address of the SS project lead.
Good suggestion, thanks. Let us just wait for the answer to the following comment. It might impact the issue more profoundly.
*edited for more clarity in para 2. That led me to: How do we protect the SS private key, and revoke if reqd? I looked briefly at keybase.io as a potential option for the SS Public Key: @SeedSigner - would you ever consider something like keybase.io? (I don't love the fact that Zoom purchased them, but if my wallet co-ordinator is using it, then that's a good start into this particular rabbit hole.) I do not see anywhere that they want anyone's real-world identity (they would use your GitHub, website and Twitter handle to cross-verify you). I find the identity verification space quite interesting, so am willing & able to investigate further if you all like? Thx, Marc
I am not opposed to registering with keybase.io, will look into it. I also noted that Craig uses the "--ignore-missing" flag with shasum, which eliminates some of the potentially confusing error messages associated with that command. Revoke-ability is definitely a plus for routing the workflow through keybase, though unfortunately there's no way to "revoke" a public key that users have already downloaded and added to their keychain; they would still need to hear that a key was revoked via social media, telegram chat, etc. etc. Could we incorporate a simple "key status check" into the verification workflow, as a reminder for users who have already imported a key? Let me know if something about this suggestion is unclear or if I'm misunderstanding anything.
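One way the "key status check" proposed in the comment above could look, as an added example that is not part of this PR or of the SeedSigner README. It reads gpg's machine-readable key listing, compares the full fingerprint ignoring spaces and case, and reports a revoked or expired key; the function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the SeedSigner README or of this PR.
# Fingerprint as quoted in the keybase.io URL in this thread.
EXPECTED_FPR="46739b74b56ad88f14b0882ec7ef709007260119"

# Normalise a fingerprint so spacing and letter case do not matter.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Classify the first primary key in `gpg --with-colons --list-keys` output
# read from stdin. Prints one of: ok, revoked, expired, mismatch, nokey.
# In a "pub" record field 2 is the key validity (r = revoked, e = expired);
# in the "fpr" record that follows it, field 10 is the full fingerprint.
key_status() {
    want=$(norm_fpr "$1")
    awk -F: -v want="$want" '
        $1 == "pub" && !seen          { seen = 1; validity = $2; next }
        $1 == "fpr" && seen && f == "" { f = toupper($10) }
        END {
            if (!seen)                print "nokey"
            else if (f != want)       print "mismatch"
            else if (validity == "r") print "revoked"
            else if (validity == "e") print "expired"
            else                      print "ok"
        }'
}

# Constructed sample listings: only the fingerprint and user ID come from
# the thread; validity, dates, key size and flags are made up.
SAMPLE_OK='pub:-:4096:1:C7EF709007260119:1600000000:::-:::scESC:
fpr:::::::::46739B74B56AD88F14B0882EC7EF709007260119:
uid:-::::1600000000::::seedsigner <btc.hardware.solutions@gmail.com>:'
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE_OK" | sed '1s/^pub:-:/pub:r:/')

# Real use, after re-fetching the key so a published revocation is merged:
#   gpg --with-colons --list-keys "$EXPECTED_FPR" | key_status "$EXPECTED_FPR"
printf '%s\n' "$SAMPLE_OK"      | key_status "4673 9B74 B56A D88F 14B0  882E C7EF 7090 0726 0119"
printf '%s\n' "$SAMPLE_REVOKED" | key_status "$EXPECTED_FPR"
```

A locally imported key only shows as revoked once the revocation has been fetched, which is the limitation the comment describes; the check is a reminder to re-fetch, not a substitute for it.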
Will wait until the debate is settled, because it might impact the instructions more deeply.
@SeedSigner just bumping this PR. Looks like you added your PGP/GPG to keybase.io (https://keybase.io/seedsigner/pgp_keys.asc?fingerprint=46739b74b56ad88f14b0882ec7ef709007260119 matches https://raw.githubusercontent.com/SeedSigner/seedsigner/main/seedsigner_pubkey.gpg). I also noticed you verified seedsigner.com with keybase (https://seedsigner.com/keybase.txt)
Yes, the project's Twitter profile has been verified as well. Would @mauriciozuardi or @Marc-Gee be willing to revise this PR to incorporate keybase into the verification routine?
Will repeat the process to see what needs to be reflected on the Read Me. Keep you updated!
I tried to simplify the text and make it more assuring for the final users.
This is great news that we are verified on keybase now!! (I must have somehow missed the Twitter verification last month.) Keybase is such an interesting Digital Identity project (a pity it's only lightly maintained now after the team was bought out into Zoom), but Keybase is the only one of its kind until DID:ion fully takes off. (Block/TBD announced DID:ion support last week as a part of Web5!)
I am going to suggest a few more edits later today, and I will prep screenshots too, because the key import command is now different.
Mauricio - I apologize that I am just learning GitHub, so I had to make a fork of yours, as I didn't have write access. I have proposed here some wording on Keybase, and what it actually achieves vs. just a Pubkey download: confirming it's the key that is used in all the online presence of the SS project. Please let me know what you think of the wording and explanation. I still want to clean up around the key verify command. The warning is still there and I think there are flags/options to remove it. Lastly for tonight, do you have any experience regarding the verify command vs. checking the SHA256 sum? I am starting to wonder if the SHA256 check is included in the Verify command, though the documentation is very brief. I will keep looking more at that. Also, please let me know if it's better for me to [somehow] write my changes over into your branch/fork? Thanks, this was very interesting learning about keybase.io and identity proofing in the online world! Marc.
Clarified/ improved descriptions of what Keybase proves for the SS community.
Added a TLDR section.
Update to the readme for Keybase.io PubKey and Software signing verification
These changes are looking good to me -- it appears everything is set for a merge?
IMHO, yes!
Thanks to you both. Actually, I have a few more edits to do, which I should finish today on the verify section, so please don't merge yet. @SeedSigner, are you happy with the different style of writing? I have made that section more first person, and I also tried out a collapsible section for the TLDR. Please let me know if you suggest changes to that. Keith will probably find lots of grammatical errors, if he reads it!
You should now compare the numeric ID which your computer just provided you, to what is displayed on this website | ||
[Keybase.io/seedsigner](https://www.keybase.io/SeedSigner) | ||
|
||
These numeric ID's are known as the Key's *fingerprint*, so please make sure that the fingerprints **do** match. (The white spaces doesnt matter, its there to help readability.) |
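Review bot: The instruction to "make sure that the fingerprints **do** match" never says what to do when they do not; add an explicit step telling the reader to stop and not use the download in that case. It would also help to state that the whole fingerprint has to be compared, not only its first or last characters. The link text "Keybase.io/seedsigner" differs in host and case from its target "https://www.keybase.io/SeedSigner", so pick one form.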
We are definitely not using apostrophes for plural!!! "These numeric IDs are..."
Also: consider the parenthetical as part of the sentence: "...do match (blah... readability)." Period goes at the very end, outside the parentheses and the inner text should omit its period.
Many thanks Keith, I will fix those and look for others. I have made a few more edits too and will push those upstream. Do you have a recommendation for a MD editor? Github.com is getting very tiring for long edits like this
I mainly edit markdown in VSCode. Github actually has a web-based VSCode feature: Just type period on the repo's root github page. Pretty crazy. A little hard to use at first if you're not used to VSCode, though. You'll want to watch an intro tutorial for how the UI integrates with git to submit new changes. I don't recall the details, but there's a way to preview the rendered markdown, too.
@kdmukai Keith !! press period....holy macaroni, a whole new environment just appeared !!!
toot toot!! that's amazing, thank v v much!
so much easier now!
The browser interface is definitely a bit cumbersome, especially when you want to peek at formatting changes as you're typing, but I haven't come across anything better -- also open to suggestions if you come across anything @Marc-Gee. Just let me know when the additional changes you're making are ready and I will review again.
FYI - Mauricio and myself will be submitting a complete revision into this PR tomorrow! Today we are learning how to use git with a fork of a fork! yikes....
Closing this PR since the README it was attempting to update has diverged so much since then.