With the new year comes a new daily notebook! Since I always carry it around, I typically put a lot of personal data in the first pages of the notebook in the hope that, should I lose it somewhere, it will be found and returned. This time, as I was filling in the info page, I started thinking… Wouldn’t it be nice if I had some other way to prove that this thing is mine, without having to provide so much information? Some time ago I created an account on Keybase and I used it to prove my identity on several websites. It is really a nice tool to experiment with PGP, so I recommend giving it a try.

This will be one such experiment. The gist is simple:

  1. Create a signed PGP message
  2. Put it inside the notebook
  3. Attach instructions so the reader can verify the message
  4. ???
  5. Profit!

Of course you could do the same with other PGP-based tools, but then you would need to provide the reader with a way to download your public key, and so on and so forth. The main strength of Keybase is that it hides away these sources of complexity. The interested reader could probably start by looking up Keybase threads on Hacker News to make up her mind about its other (dis)advantages. My two cents: just don’t push your private key to the Keybase server and you will probably be fine.

Crafting the message

This tutorial makes use of the keybase app and command-line utility. We will also use qrencode to generate a QR code of our message.

If you’re on a Mac with Homebrew, you can get it all with:

brew install qrencode
brew install --cask keybase

Then, carefully follow the instructions in the Keybase app to create your PGP key pair. Setting up a Keybase account is still a bit of a tedious process, but at least I found it to be quite well-explained.

Now, think of a whimsical short message. Then, use the following command to:

  1. Sign your message with your private key;
  2. Strip away some unnecessary lines (the two sed commands);
  3. Generate a QR code with your signed message and save it to out.png.

keybase pgp sign -m "<YOUR MESSAGE>" | sed '/^Version.*/d' | sed '/^Comment.*/d' | qrencode -o out.png

Step 2 is not really needed, but it makes the resulting QR code a bit less “dense” and thus easier to decode.
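A header-aware version of step 2, as an added example that is not part of the original post: the two sed patterns delete any line that starts with Version or Comment, while this awk filter drops only the Version: and Comment: armor headers between the BEGIN line and the first blank line and leaves the base64 body untouched. The function names and the sample block are constructed for illustration; the sample is not a real signature.

```shell
#!/bin/sh
# Added example (not from the original post). All names are hypothetical.

# Drop only the "Version:" and "Comment:" armor headers. Armor headers sit
# between a BEGIN line and the first blank line; everything after that blank
# line is payload and is printed verbatim. Exits 1 if no BEGIN line was seen.
strip_armor_headers() {
  awk '
    /^-----BEGIN PGP /               { print; in_hdr = 1; seen = 1; next }
    in_hdr && NF == 0                { print ""; in_hdr = 0; next }
    in_hdr && /^(Version|Comment): / { next }
    { print }
    END { if (!seen) exit 1 }
  '
}

# The filter from the post, kept for comparison.
page_sed_strip() {
  sed '/^Version.*/d' | sed '/^Comment.*/d'
}

# Constructed sample: two body lines happen to start with "Version" and
# "Comment", which are valid base64 characters. Not a real signature.
sample_armor() {
  cat <<'EOF'
-----BEGIN PGP MESSAGE-----
Version: EXAMPLE 0.0
Comment: constructed sample

VersionAAAABBBBCCCCDDDD
CommentBBBBCCCCDDDDEEEE
=AAAA
-----END PGP MESSAGE-----
EOF
}

# Usage with the command from the post:
#   keybase pgp sign -m "<YOUR MESSAGE>" | strip_armor_headers | qrencode -o out.png
```

On the sample, strip_armor_headers keeps both body lines, while page_sed_strip deletes them along with the headers and the block no longer decodes.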

In the real world

Now, you should print the QR code, along with some instructions for the reader. Slap it into your notebook/diary/whatevs and you’re good to go!

Template for a PGP signed message

Something like this.

I find that writing the message by hand (rather than printing it along with the QR) is further (informal) proof that you are the owner of both the item and the private key you signed the message with (i.e. you didn’t just paste it on somebody else’s possession).