format line wrapping and fix escaped characters

1 files changed, 126 insertions, 140 deletions

diff --git a/content/blog/2022-07-14-gnupg.md b/content/blog/2022-07-14-gnupg.md
index 9bd2e19..8daba99 100644
--- a/content/blog/2022-07-14-gnupg.md
+++ b/content/blog/2022-07-14-gnupg.md
@@ -7,33 +7,31 @@ draft = false
 
 # The History of GPG
 
-[GNU Privacy Guard](https://gnupg.org/), also known as GnuPG and GPG, is
-a free (\"free\" as in both speech and beer) software that fully
-implements the OpenPGP Message Format documented in [RFC
-4880](https://www.rfc-editor.org/rfc/rfc4880).
+[GNU Privacy Guard](https://gnupg.org/), also known as GnuPG and GPG, is a free
+("free" as in both speech and beer) software that fully implements the OpenPGP
+Message Format documented in [RFC 4880](https://www.rfc-editor.org/rfc/rfc4880).
 
-I won\'t go in-depth on the full history of the software in this post,
-but it is important to understand that GPG is not the same as PGP
-(Pretty Good Privacy), which is a different implementation of RFC 4880.
-However, GPG was designed to interoperate with PGP.
+I won't go in-depth on the full history of the software in this post, but it is
+important to understand that GPG is not the same as PGP (Pretty Good Privacy),
+which is a different implementation of RFC 4880. However, GPG was designed to
+interoperate with PGP.
 
 GPG was originally developed in the late 1990s by [Werner
-Koch](https://en.wikipedia.org/wiki/Werner_Koch) and has historically
-been funded generously by the German government.
+Koch](https://en.wikipedia.org/wiki/Werner_Koch) and has historically been
+funded generously by the German government.
 
-Now that we have all the high-level info out of the way, let\'s dive
-into the different aspects of GPG and its uses.
+Now that we have all the high-level info out of the way, let's dive into the
+different aspects of GPG and its uses.
 
 # Encryption Algorithms
 
 GPG supports a wide range of different encryption algorithms, including
-public-key, cipher, hash, and compression algorithms. The support for
-these algorithms has grown since the adoption of the Libgcrypt library
-in the 2.x versions of GPG.
+public-key, cipher, hash, and compression algorithms. The support for these
+algorithms has grown since the adoption of the Libgcrypt library in the 2.x
+versions of GPG.
 
-As you will be able to see below in an example of a full key generation
-with the GPG command line tool, GPG recommends the following algorithms
-to new users:
+As you will be able to see below in an example of a full key generation with the
+GPG command line tool, GPG recommends the following algorithms to new users:
 
 ```sh
 Please select what kind of key you want:
@@ -45,77 +43,71 @@ Please select what kind of key you want:
   (10) ECC (sign only)
 ```
 
-I am not doing an in-depth explanation here in order to keep the focus
-on GPG and not encryption algorithms. If you want a deep dive into
-cryptography or encryption algorithms, please read my other posts:
+I am not doing an in-depth explanation here in order to keep the focus on GPG
+and not encryption algorithms. If you want a deep dive into cryptography or
+encryption algorithms, please read my other posts:
 
--   [AES Encryption](../aes-encryption/) (2018)
--   [Cryptography Basics](../cryptography-basics/) (2020)
+- [AES Encryption](../aes-encryption/) (2018)
+- [Cryptography Basics](../cryptography-basics/) (2020)
 
 ## Vulnerabilities
 
-As of 2022-07-14, there are a few different vulnerabilities associated
-with GPG or the libraries it uses:
-
--   GPG versions 1.0.2--1.2.3 contains a bug where \"as soon as one
-    (GPG-generated) ElGamal signature of an arbitrary message is
-    released, one can recover the signer\'s private key in less than a
-    second on a PC.\"
-    ([Source](https://www.di.ens.fr/~pnguyen/pub_Ng04.htm))
--   GPG versions prior to 1.4.2.1 contain a false positive signature
-    verification bug.
-    ([Source](https://lists.gnupg.%20org/pipermail/gnupg-announce/2006q1/000211.html))
--   GPG versions prior to 1.4.2.2 cannot detect injection of unsigned
-    data. (
-    [Source](https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html))
--   Libgcrypt, a library used by GPG, contained a bug which enabled full
-    key recovery for RSA-1024 and some RSA-2048 keys. This was resolved
-    in a GPG update in 2017.
-    ([Source](https://lwn.net/Articles/727179/))
--   The [ROCA
-    Vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability)
-    affects RSA keys generated by YubiKey 4 tokens.
-    ([Source](https://crocs.fi.%20muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf))
--   The [SigSpoof Attack](https://en.wikipedia.org/wiki/SigSpoof) allows
-    an attacker to spoof digital signatures.
-    ([Source](https://arstechnica.%20com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/))
--   Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer
-    overflow, fixed in Libgcrypt 1.9.1
-    ([Source](https://web.archive.%20org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/))
+As of 2022-07-14, there are a few different vulnerabilities associated with GPG
+or the libraries it uses:
+
+- GPG versions 1.0.2--1.2.3 contains a bug where "as soon as one
+  (GPG-generated) ElGamal signature of an arbitrary message is released, one can
+  recover the signer's private key in less than a second on a PC."
+  ([Source](https://www.di.ens.fr/~pnguyen/pub_Ng04.htm))
+- GPG versions prior to 1.4.2.1 contain a false positive signature verification
+  bug.
+  ([Source](https://lists.gnupg.%20org/pipermail/gnupg-announce/2006q1/000211.html))
+- GPG versions prior to 1.4.2.2 cannot detect injection of unsigned data. (
+  [Source](https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html))
+- Libgcrypt, a library used by GPG, contained a bug which enabled full key
+  recovery for RSA-1024 and some RSA-2048 keys. This was resolved in a GPG
+  update in 2017. ([Source](https://lwn.net/Articles/727179/))
+- The [ROCA Vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability)
+  affects RSA keys generated by YubiKey 4 tokens.
+  ([Source](https://crocs.fi.%20muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf))
+- The [SigSpoof Attack](https://en.wikipedia.org/wiki/SigSpoof) allows an
+  attacker to spoof digital signatures.
+  ([Source](https://arstechnica.%20com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/))
+- Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer overflow,
+  fixed in Libgcrypt 1.9.1
+  ([Source](https://web.archive.%20org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/))
 
 ### Platforms
 
-Originally developed as a command-line program for \*nix systems, GPG
-now has a wealth of front-end applications and libraries available for
-end-users. However, the most recommended programs remain the same:
+Originally developed as a command-line program for *nix systems, GPG now has a
+wealth of front-end applications and libraries available for end-users. However,
+the most recommended programs remain the same:
 
--   [GnuPG](https://gnupg.org) for Linux (depending on distro)
--   [Gpg4win](https://gpg4win.org) for Windows
--   [GPGTools](https://gpgtools.org) for macOS
+- [GnuPG](https://gnupg.org) for Linux (depending on distro)
+- [Gpg4win](https://gpg4win.org) for Windows
+- [GPGTools](https://gpgtools.org) for macOS
 
 # Creating a Key Pair
 
-In order to create a GPG key pair, a user would first need to install
-GPG on their system. If we\'re assuming that the user is on Fedora
-Linux, they would execute the following:
+In order to create a GPG key pair, a user would first need to install GPG on
+their system. If we're assuming that the user is on Fedora Linux, they would
+execute the following:
 
 ```sh
 sudo dnf install gpg
 ```
 
-Once installed, a user can create a new key pair with the following
-command(s):
+Once installed, a user can create a new key pair with the following command(s):
 
 ```sh
 gpg --full-generate-key
 ```
 
-GPG will walk the user through an interactive setup that asks for an
-algorithm preference, expiration date, name, and email to associate with
-this key.
+GPG will walk the user through an interactive setup that asks for an algorithm
+preference, expiration date, name, and email to associate with this key.
 
-See the following example key set-up for a default key generation using
-the GnuPG command-line interface:
+See the following example key set-up for a default key generation using the
+GnuPG command-line interface:
 
 ```sh
 gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc.
@@ -178,66 +170,63 @@ interface.
 
 As noted in RFC 4880, the general functions of OpenPGP are as follows:
 
--   digital signatures
--   encryption
--   compression
--   Radix-64 conversion
--   key management and certificate services
+- digital signatures
+- encryption
+- compression
+- Radix-64 conversion
+- key management and certificate services
 
-From this, you can probably gather that the main use of GPG is for
-encrypting data and/or signing the data with a key. The purpose of
-encrypting data with GPG is to ensure that no one except the intended
-recipient(s) can access the data.
+From this, you can probably gather that the main use of GPG is for encrypting
+data and/or signing the data with a key. The purpose of encrypting data with GPG
+is to ensure that no one except the intended recipient(s) can access the data.
 
-Let\'s explore some specific GPG use-cases.
+Let's explore some specific GPG use-cases.
 
 ## Email
 
-One of the more popular uses of GPG is to sign and/or encrypt emails.
-With the use of a GPG keypair, you can encrypt a message, its subject,
-and even the attachments within.
-
-The first process, regarding the signing of a message without any
-encryption, is generally used to provide assurance that an email is
-truly coming from the sender that the message claims. When I send an
-email, and it\'s signed with my public key, the recipient(s) of the
-message can verify that the message was signed with my personal key.
-
-The second process, regarding the actual encryption of the message and
-its contents, works by using a combination of the sender\'s keys and the
-recipient\'s keys. This process may vary slightly by implementation, but
-it most commonly uses asymmetric cryptography, also known as public-key
-cryptography. In this version of encryption, the sender\'s private key
-to sign the message and a combination of the sender\'s keys and the
-recipient\'s public key to encrypt the message.
-
-If two people each have their own private keys and exchange their public
-keys, they can send encrypted messages back and forth with GPG. This is
-also possible with symmetric cryptography, but the process differs since
-there are no key pairs.
-
-Implementation of email encryption varies greatly between email clients,
-so you will need to reference your email client\'s documentation to
-ensure you are setting it up correctly for that specific client.
+One of the more popular uses of GPG is to sign and/or encrypt emails. With the
+use of a GPG keypair, you can encrypt a message, its subject, and even the
+attachments within.
+
+The first process, regarding the signing of a message without any encryption, is
+generally used to provide assurance that an email is truly coming from the
+sender that the message claims. When I send an email, and it's signed with my
+public key, the recipient(s) of the message can verify that the message was
+signed with my personal key.
+
+The second process, regarding the actual encryption of the message and its
+contents, works by using a combination of the sender's keys and the
+recipient's keys. This process may vary slightly by implementation, but it most
+commonly uses asymmetric cryptography, also known as public-key cryptography. In
+this version of encryption, the sender's private key to sign the message and a
+combination of the sender's keys and the recipient's public key to encrypt the
+message.
+
+If two people each have their own private keys and exchange their public keys,
+they can send encrypted messages back and forth with GPG. This is also possible
+with symmetric cryptography, but the process differs since there are no key
+pairs.
+
+Implementation of email encryption varies greatly between email clients, so you
+will need to reference your email client's documentation to ensure you are
+setting it up correctly for that specific client.
 
 ## File Encryption
 
-As noted in the section above regarding emails, GPG enables users to be
-able to send a message to each other if they are both set-up with GPG
-keys. In this example, I am going to show how a user could send a file
-called `example_file.txt` to another user via the
-recipient\'s email.
+As noted in the section above regarding emails, GPG enables users to be able to
+send a message to each other if they are both set-up with GPG keys. In this
+example, I am going to show how a user could send a file called
+`example_file.txt` to another user via the recipient's email.
 
-The sender would find the file they want to send and execute the
-following command:
+The sender would find the file they want to send and execute the following
+command:
 
 ```sh
 gpg --encrypt --output example_file.txt.gpg --recipient \
 recipient@example.com example_file.txt
 ```
 
-Once received, the recipient can decrypt the file with the following
-command:
+Once received, the recipient can decrypt the file with the following command:
 
 ```sh
 gpg --decrypt --output example_file.txt example_file.txt.gpg
@@ -245,29 +234,28 @@ gpg --decrypt --output example_file.txt example_file.txt.gpg
 
 ## Ownership Signatures
 
-One important aspect of GPG, especially for developers, is the ability
-to sign data without encrypting it. For example, developers often sign
-code changes when they commit the changes back to a central repository,
-in order to display ownership of who made the changes. This allows other
-users to look at a code change and determine that the change was valid.
+One important aspect of GPG, especially for developers, is the ability to sign
+data without encrypting it. For example, developers often sign code changes when
+they commit the changes back to a central repository, in order to display
+ownership of who made the changes. This allows other users to look at a code
+change and determine that the change was valid.
 
-In order to do this using [Git](https://git-scm.com), the developer
-simply needs to alter the `git commit` command to include the
-`-S` flag. Here\'s an example:
+In order to do this using [Git](https://git-scm.com), the developer simply needs
+to alter the `git commit` command to include the `-S` flag. Here's an example:
 
 ```sh
 git commit -S -m "my commit message"
 ```
 
-As an expansion of the example above, Git users can configure their
-environment with a default key to use by adding their GPG signature:
+As an expansion of the example above, Git users can configure their environment
+with a default key to use by adding their GPG signature:
 
 ```sh
 git config --global user.signingkey XXXXXXXXXXXXXXXX
 ```
 
-If you\'re not sure what your signature is, you can find it titled
-`sig` in the output of this command:
+If you're not sure what your signature is, you can find it titled `sig` in the
+output of this command:
 
 ```sh
 gpg --list-signatures
@@ -275,12 +263,11 @@ gpg --list-signatures
 
 ## File Integrity
 
-When a person generates a signature for data, they are allowing users
-the ability to verify the signature on that data in the future to ensure
-the data has not been corrupted. This is most common with software
-applications hosted on the internet - developers provide signatures so
-that users can verify a website was not hijacked and download links
-replaced with dangerous software.
+When a person generates a signature for data, they are allowing users the
+ability to verify the signature on that data in the future to ensure the data
+has not been corrupted. This is most common with software applications hosted on
+the internet - developers provide signatures so that users can verify a website
+was not hijacked and download links replaced with dangerous software.
 
 In order to verify signed data, a user needs to have:
 
@@ -288,9 +275,8 @@ In order to verify signed data, a user needs to have:
 2.  A signature file
 3.  The public GPG key of the signer
 
-Once the signer\'s public key is imported on the user\'s system, and
-they have the data and signature, they can verify the data with the
-following commands:
+Once the signer's public key is imported on the user's system, and they have
+the data and signature, they can verify the data with the following commands:
 
 ```sh
 # If the signature is attached to the data
@@ -302,13 +288,13 @@ gpg --verify [signature-file] [original-file]
 
 ### Finding Public Keys
 
-In order to use GPG with others, a user needs to know the other user(s)
-keys. This is easy to do if the user knows the other user(s) in person,
-but may be hard if the relationship is strictly digital. Luckily, there
-are a few options. The first option is to look at a user\'s web page or
-social pages if they have them.
+In order to use GPG with others, a user needs to know the other user(s) keys.
+This is easy to do if the user knows the other user(s) in person, but may be
+hard if the relationship is strictly digital. Luckily, there are a few options.
+The first option is to look at a user's web page or social pages if they have
+them.
 
 Otherwise, the best option is to use a keyserver, such as:
 
--   [pgp.mit.edu](https://pgp.mit.edu)
--   [keys.openpgp.org](https://keys.openpgp.org)
+- [pgp.mit.edu](https://pgp.mit.edu)
+- [keys.openpgp.org](https://keys.openpgp.org)