JAR signing, v2

[danielcompton]

From this thread: https://twitter.com/tcrawley/status/768640307588104192

There are meaningful security benefits that could be had from signing JARs if we can overcome the horrendous UX problems that they involve. Leaving this as a placeholder for more discussion.

[lvh]

Can we enumerate the UX problems? I'm hardly a GPG UX apologist, but some of the major issues as I understand them include "people don't understand WoT", "nobody actually uses WoT but instead only use keys that came with their machine or keys they signed themselves", and "literally every e-mail plugin is awful". It seems like the main UX issues are around WoT?

I'd agree that keybase is a real solution to this, if keybase focused more on being GPG anchoring (which is how I, as an early adopter, interpreted it), instead of the stuff around it like kbfs, per-device keys, et cetera, which would be their current focus.

[danielcompton]

The main UX problems that I've encountered:

• It is difficult/nigh on impossible for most Windows developers to get GPG setup properly, or at least I've never found a straightforward guide for this. From memory running gpg-agent was particularly troublesome.
• I don't have a good mental model for GPG key management. Compared to SSH, where I can read plain text files in ~/.ssh, with one file per key, GPG has a few opaque binary files which store my key state.
• I don't remember now exactly what the problem was, but I've wrestled with GPG to set it up on new computers.

To me, the web of trust conceptually is pretty simple, although I'm not clear what the mechanics are of managing this (as I've never had a need to).

At least for me, it has all boiled down to not having a clear model of what GPG is doing, which means that when stuff doesn't go quite right, I don't know how to debug this.

For future reference, starting from scratch with Keybase, and using https://gist.github.com/danieleggert/b029d44d4a54b328c0bac65d46ba4c65 worked quite well (though I installed gnupg2 and pinentry-mac from Homebrew).