Merge pull request #4 from pkgxdev/deprefixify

remove pkgx_ prefixes

Author: mxcl

.github/workflows/ci.yaml

@@ -69,6 +69,7 @@ jobs:
       - uses: nosborn/[email protected]
         with:
           files: .
+          ignore_files: ./README.md
 
   test:
     name: Test

Cargo.lock

@@ -1,4 +1,4 @@
 [workspace]
-members = ["bpb-pkgx-cli", "pbp-pkgx-lib"]
-default-members = ["bpb-pkgx-cli"]
+members = ["bpb", "pbp"]
+default-members = ["bpb"]
 resolver = "2"

Cargo.toml

@@ -13,9 +13,9 @@ do.
 ## How to Install
 
 ```sh
-git clone https://github.com/pkgxdev/bpb-pkgx
-cd bpb-pkgx
-cargo install --path bpb-pkgx-cli
+git clone https://github.com/pkgxdev/bpb
+cd bpb
+cargo install --path bpb
 ```
 
 ## How to Set Up
@@ -31,8 +31,8 @@ bpb init "withoutboats <[email protected]>"
 You can pass any string you want as your userid, but `"$NAME <$EMAIL>"` is the
 conventional standard for OpenPGP userids.
 
-This will create a file at ~/.bpb_keys.toml. This file contains your public
-key.
+This will create a file at `~/.config/pkgx/bpb.toml`. This file contains your
+public key.
 
 The private and public keys are output as JSON. This is the only time this
 tool will expose your private key publicly.
@@ -47,13 +47,43 @@ If you want to use it to sign git commits, you also need to inform git to call
 it instead of gpg. You can do this with this command:
 
 ```sh
-git config --global gpg.program bpb_pkgx
+git config --global gpg.program bpb
 ```
 
 You should also provide the public key to people who want to verify your
 commits. Personally, I just upload the public key to GitHub; you may have
 other requirements.
 
+You can print your private key with:
+
+```sh
+security find-generic-password -s "xyz.tea.BASE.bpb" -w
+# ^^ prompts for your login password
+```
+
+
+## Security Considerations
+
+Our mechanism is pretty damn secure. But! We depend on:
+
+> [!IMPORTANT]
+> * The strength of your login password.
+> * The strength of your iCloud password.
+
+Someone desiring your GPG private key would need to steal your computer and
+then brute force your login password. So you should check how long that would
+take.
+
+Your macOS Keychain *may* sync to iCloud. In which case your security also
+depends on the security of your iCloud password. Apple encrypt your keychain
+remotely but that is obviously decrypted by your iCloud password.
+
+Realistically your iCloud password is more important as physical theft is an
+order of magnitude less likely than a remote attack. That can be mitigated by
+preventing iCloud Keychain sync but that’s pretty useful so maybe just have a
+secure iCloud password.
+
+
 ## How it Replaces GPG
 
 If this program receives a `-s` argument, it reads from stdin and then writes
@@ -64,6 +94,7 @@ This means that this program can be used to replace gpg as a signing tool, but
 it does not replace any other functionality. For example, if you want to
 verify the signatures on other peoples' git commits, it will shell out to gpg.
 
+
 ## TODO
 
 - [ ] Move keychain identifiers out to build variables in `main.rs`

README.md

@@ -1,5 +1,5 @@
 [package]
-name = "bpb_pkgx"
+name = "bpb"
 description = "boats's personal barricade - pkgx updates"
 license = "MIT OR Apache-2.0"
 version = "1.1.1"
@@ -16,8 +16,8 @@ serde = "1.0.215"
 hex = "0.3.2"
 failure = "0.1.1"
 
-[dependencies.pbp_pkgx]
-path = "../pbp-pkgx-lib"
+[dependencies.pbp]
+path = "../pbp"
 features = ["dalek"]
 
 [dependencies.ed25519-dalek]

bpb-pkgx-cli/Cargo.toml bpb/Cargo.tomlbpb-pkgx-cli/Cargo.toml renamed to bpb/Cargo.toml

@@ -29,27 +29,27 @@ impl KeyData {
         ))
     }
 
-    pub fn sign(&self, data: &[u8]) -> Result<pbp_pkgx::PgpSig, Error> {
+    pub fn sign(&self, data: &[u8]) -> Result<pbp::PgpSig, Error> {
         let timestamp = SystemTime::now()
             .duration_since(SystemTime::UNIX_EPOCH)?
             .as_secs();
-        Ok(pbp_pkgx::PgpSig::from_dalek::<sha2::Sha256, sha2::Sha512>(
+        Ok(pbp::PgpSig::from_dalek::<sha2::Sha256, sha2::Sha512>(
             &self.keypair,
             data,
             self.fingerprint(),
-            pbp_pkgx::SigType::BinaryDocument,
+            pbp::SigType::BinaryDocument,
             timestamp as u32,
         ))
     }
 
-    pub fn fingerprint(&self) -> pbp_pkgx::Fingerprint {
+    pub fn fingerprint(&self) -> pbp::Fingerprint {
         self.public().fingerprint()
     }
 
-    pub fn public(&self) -> pbp_pkgx::PgpKey {
-        pbp_pkgx::PgpKey::from_dalek::<sha2::Sha256, sha2::Sha512>(
+    pub fn public(&self) -> pbp::PgpKey {
+        pbp::PgpKey::from_dalek::<sha2::Sha256, sha2::Sha512>(
             &self.keypair,
-            pbp_pkgx::KeyFlags::SIGN | pbp_pkgx::KeyFlags::CERTIFY,
+            pbp::KeyFlags::SIGN | pbp::KeyFlags::CERTIFY,
             self.timestamp as u32,
             &self.user_id,
         )