Keyoxide

3 minute read

Recently this post about Keyoxide came up in my Mastodon timeline and of course made me curious. Turns out Keyoxide is a little like Keybase: based on GPG you can claim an identitiy and have to add a prove then. At first it might be a little confusing because in Keyoxide you cannot just sign up for profile but in fact it’s pretty straight forward and simple - I really like this approach!

What you basically do is edit your GPG key by adding a claim for something, let’s say a domain for example. In order to add this claim you have to be owner of the private key. This makes sure it’s really you who is adding this claim. In a second step you’ll have to add the proof and in this case it would mean to add TXT record to your domain’s DNS records. Only you as the owner of that domain should be able to do so. Then you’ll upload your public key to keys.openpgp.org. If you search for the e-mail address (or the public key fingerprint) at Keyoxide you can see that claim and proof (hopefully) match as it will check the key’s claims and their proofs. That’s it: Keyoxide is looking up your key from keys.openpgp.org and then validating you claims.

Keyoxide is supporting a couple of service providers including DNS, Mastodon, Pixelfed, GitLab, etc. For a complete list check out the documentation. Let’s just go into a little more detail now.

Adding a claim to your key

You will probably start by adding a claim to your GPG key. This is done by adding “Notations” to your key ID. List all your private keys to get the fingerprint:

 $ gpg -K
.
.
sec   rsa4096/0x<FINGERPRINT> <DATE_CREATED> [SC]
  Fingerprint = <FULL_FINGERPRINT>
.
.

Now edit this key, select the uid to edit (the e-mail adress, probably there is only one, so: uid = 1) and add a “notation”:

$ gpg --edit-key <FINGERPRINT>
uid <X>
notation
save

At that point you will need to set the correct claim. To check the syntax lookup the service provider in the documentation, but it’s always like proof@ariadne.id=<CLAIM>. Then save your changes. To check the notation you can run showpref here any time.

Just a few examples for claims:

  • DNS: proof@ariadne.id=dns:<YOUR_DOMAIN>?type=TXT
  • Mastodon: proof@ariadne.id=https://<DOMAIN>/@<USERNAME>
  • Pixelfed: proof@ariadne.id=https://<DOMAIN>/<USERNAME>
  • GitLab: proof@ariadne.id=https://gitlab.com/<USERNAME>/gitlab_proof

Once you’ve saved you changes, export your private key:

$ gpg --armor --export <EMAIL> > pubkey.asc

…and upload pubkey.asc to https://keys.openpgp.org/upload. If it’s the first time you upload that key you’ll have to verify the e-mail address.

Adding the proof

Your GPG key is now claiming that you’re the owner of a domain or a GitLab account for example. So now you’ll have to proof this. For most service providers you can do that with your key’s fingerprint, here called “URI”. (Just check out the list of service providers in the documentation.) The URI will look like openpgp4fpr:<FULL_FINGERPRINT_IN_LOWER_CASE>. Unfortunately gpg is printing the fingerprint usually in upper case and a space every 4 characters. To create a valid URI simply:

$ echo "<FULL_FINGERPRINT>" | sed s'/\ //g' | tr '[:upper:]' '[:lower:]'

You could add this URI now as proof. But maybe let’s go for a “Hashed URI” instead. (See here why this is a good idea.) You can use the input box here to create a hash of the key’s fingerprint. Enter openpgp4fpr:<FULL_FINGERPRINT_IN_LOWER_CASE> and you will receive something starting with $argon2id$v=.... Use this complete line as your “Hashed URI” proof and follow the instructions for each service provider. In case of a domain you’ll simply add a TXT record to your domain’s DNS setup whith the “Hashed URI” as value. For Pixelfed add the “Hashed URI” to your Bio box in your profile page. Again check the details for each service provider in the documentation.

Keyoxide profile

To check a Keyoxide profile you can search for an e-mail address or a key’s fingerprint (probably less obvious ;-) ) on Keyoxide’s startpage or just go straight to the URL, like https://keyoxide.org/hkp/<FINGERPRINT or E_MAIL> (when using E_MAIL, replace “@” by “%40”). In case everything worked out you should see a green check mark for each claim! Clean and simple :-)

There’s also an Android app for Keyoxide available on F-Droid.

Updated: