
Keybase: Public, Signed Files - wener
https://keybase.pub/
======
dang
Related from yesterday:
[https://news.ycombinator.com/item?id=22202740](https://news.ycombinator.com/item?id=22202740)

------
oconnor663
It might be worth clarifying that, if you're using that keybase.pub website,
you're trusting the Keybase server that hosts it to honestly serve the files.
But if you run the Keybase client locally, and browse the same files under
`/keybase/public/`, your client will check the signatures on everything, and
you are _not_ trusting the server.

~~~
samatman
That's an important clarification, and I would add: it's easier to trust when
you can verify.

That is to say, the website is https, so I trust that the server I'm asking
for the file is the same one that gives it to me. And since I can verify
signatures locally, any time I choose, it would be hard for that server to get
away with modifying file contents only when served through the site; sooner or
later someone would catch them out at it.

But yes, if it's important, definitely get the files from a native client; CLI
or GUI shouldn't matter.

~~~
bathtub365
The time between them modifying the files and someone noticing isn't a trivial
detail. It's the same idea behind 0-day exploits: perform an attack until
someone catches you.

~~~
kasey_junk
Except in this case Keybase can only be caught once. Then all of their usage,
prestige, funding, etc. goes away.

Considerably different than an anonymous attacker.

~~~
bathtub365
This assumes that Keybase are the attacker.

------
teamspirit
Serious question, what is Keybase? It started as an identity key verification
service (which I use), then went on to be an encrypted file store (which I
use), then went to be a chat service (again I still use it though it has its
issues), then they added some weird cryptocurrency thing (feels scammy), and
now they're adding another file serving option (which looks really cool). So,
what do I call Keybase when I'm trying to get people to use it?

~~~
kemonocode
A study case in feature (and scope) creep. I really wish they had just stuck
to being an identity verification service as that's the main use case I've
given them, but I feel they're stretching themselves too thin (and just being
that would be probably difficult to monetize).

~~~
teamspirit
This is my worry for them, quantity over quality. Though I have to say their
quality is pretty good. It just feels like too much and really confuses people
when I start to tell them. My issue is still, how can I describe Keybase
without people saying to me it looks bloated. Maybe it is and that's the
problem.

------
songzme
I created a site to test it out; it seems the site is immediately updated
after a file change: [https://songz.keybase.pub/](https://songz.keybase.pub/)

Cool!

Accessing the folder, creating a file, and even simple unix commands like `ls`
feel significantly slower than other folders.

The default instructions did not work for me; my file path is actually:

/Volumes/Keybase/public/username

It is different from the one provided in the blog:

/keybase/public/your_username/

When reading the blog, it wasn't obvious how I can find the path to the
correct folder. I had to open the Keybase app and find a notification.

~~~
songgao
Yeah starting from Catalina the / is now read-only. Upgrading from an old
macOS also kills any previously created files or directories at root that were
not shipped with the system. So `/keybase` is gone on Catalina.

------
mturilin
Can anybody explain use cases for Keybase? Why would I choose it over, say,
Telegram group chats? What are some good use cases for public files?

~~~
iknowstuff
Telegram group chats are NOT end to end encrypted. Telegram has an option for
e2ee chats but they won’t sync across devices, last I checked, and nobody uses
them.

Keybase has an amazing, user friendly e2ee story.

------
tyingq
Is there an easy way to use this without a mounted drive on my PC? Like a gpg
sort of command line thing to expose the file on the Keybase servers like
Firefox Send does?

------
0xff00ffee
Dumb question: why would I want signed public files? (Esp. on a system where
the crypto is home-grown and so is the CA?)

~~~
nickik
The crypto is not home grown, it's standard.

Because other people can trust that the files are from you. Let's say you have
some C project on GitHub, you want to release a binary. Put it on Keybase and
people can trust it is from you.

------
blairanderson
Dear Keybase, can you compete with Auth0?

------
sebow
Seems like Keybase resolved their account recovery process (you had to
effectively directly contact a staff member prior to this).

Might start using Keybase again.

------
nif2ee
Keybase claims to be a modern replacement for PGP yet I don't think they even
have some SDK that acts like gpgme. This is a very rudimentary feature to
implement but it can unleash a whole new world for applications that use
signatures and E2EE.

Keybase is a good idea and they got lucky with getting popular but they
haven't really implemented features that would make them essential. Most
people just sign up and forget about it.

EDIT: Seriously why the downvotes without clarifying? Has Keybase adopted
astroturfing on HN like Brave and DuckDuckGo?

~~~
lallysingh
They're building out plenty of applications themselves. That's the right
approach. PGP didn't unleash a whole new world for applications because it
didn't attack usability, which isn't something you do with an API.

~~~
_jal
You don't unleash a whole new world, period. The old one still exists.

The only way I see us migrating away from our current gpg use cases is if all
the integrations we use somehow went unsupported. There's simply no reason to
assume the risk of inserting Keybase (or anyone else's) dependencies.

~~~
sagichmal
Approximately nobody uses PGP or GPG; there's no reason to backfill those
features or use cases.

~~~
_jal
Approximately no one, except anyone who commits code at the F100 company I
work for, several other F100s I know people at, Debian, Ubuntu, and a number
of other infra projects.

I'm willing to believe nobody in your corner of the world does. That's not the
only corner of the world.

~~~
sagichmal
That must be literally dozens of people.

