Inactive on Twitter

Created by Steven Baltakatei Sandoval on 2022-11-10T20:14Z under a CC BY-SA 4.0 license and last updated on 2022-11-23T18:42Z.

UPDATE (2022-11-23): My new microblogging feed is at twit.social/@baltakatei , one of many Mastodon servers. My last Twitter post is an announcement of this migration. I chose twit.social since it is operated by Leo Laporte, the host of several podcasts and television shows I have listened to in the past and found trustworthy as far as communicating technology news. I still listen regularly to his and Steve Gibson's Security Now podcast.

I decided to not be active on the microblogging site Twitter after Elon Musk completed his purchase of the publicly traded social media company and promptly fired the CEO and dissolved the board of directors, making himself the only director. I had developed some trust of its original CEO, Jack Dorsey, back when Twitter had been the subject of discussion on Leo Laporte's This Week in Tech podcast in the last 00s. In the 2010s I decided that I would be okay publishing text on Twitter because from the get-go the site explained that what was submitted would be public; in contrast, Facebook (which I deactivated back in the early 2010s, long before Zuckerberg renamed it "Meta"), advertised privacy settings that would allow posts to be only shared with a limited number of contacts (and with Facebook employees); however, the privacy settings were complex and there didn't seem to be a default setting that would stick over time. So, Twitter's transparently public nature seems more honest. My posts would be available and there was no sign that the administrators of the site favored any particular political party; the most common reason I saw for Tweets being removed was due to threats of violence or harassment. Prior to 2022, posts to Twitter could be relied upon to remain unfiltered, provided you weren't threatening violence or spreading misinformation.

That changed in 2022 when I saw Elon Musk purchase the company, making the service his own privately owned property. Now, were I to continue to post to Twitter, I was making a public donation to Musk that he could choose to throw away like he did the company leaders that he fired. That in itself may not have been a dealbreaker for me, but he also proceeded to endorse the Republican Party which continues to rely upon the criminal President who organized the attempted coup of the United States of 2021-01-06. His tweet removed any doubt that he would turn Twitter into a tool to promote the Republican Party. Privileged mechanisms to promote his own political opinions at the expense of silencing others by leveraging his exclusive ownership of Twitter include:

• Removing user-submitted content that criticize him (as he has banned users for adopting his name and image in protest).
• Removing features from his critics (as Congresswoman Alexandria Ocasio-Cortez reported).

I admit that many people are firmly rooted in habit to use Twitter as their default social media space to remain connected to eachother. Choosing to leave Twitter for another space risks losing contact with people who have not yet left. Habitual use of Twitter is like a gravity well that requires a significant activation energy of its inhabitants to escape. However, I stand by my decision for reasons similar to those that compelled me to leave Facebook: I can no longer assume what I post will be secure from censorship.

So, what is my social media space? Without Twitter, Reddit is my default. I'd like to make use of this blog more often, although I will need to figure out a more convenient way to post content Currently, my process is:

• Author posts in Emacs Org mode.
• Export posts into Markdown text.
• Commit the Markdown text to a git repo.
• Push the commit to my reboil.com server.
• Wait for an update script to run or log into the server to run it manually.

I could probably automate all that to a single Emacs function or bash script, given enough time, in order to mimic the simplicity of microblogging. However, for now, these longer form posts satisfy me for now.

Notable Public Keys Update

Created by Steven Baltakatei Sandoval on 2022-11-10T19:06Z under a CC BY-SA 4.0 license and last updated on 2022-11-10T19:13Z.

I updated my Notable Public Keys book (PDF, git, sig, ots) to include a section on KeePassXC, a cross-platform password manager that I recommend to people who lack a password manager and want complete control of their passwords without involving a cloud service like LastPass.

How to install DWSIM 8.0.4 on Debian 10

Created by Steven Baltakatei Sandoval on 2022-07-27T21:23Z under a CC BY-SA 4.0 license and last updated on 2022-07-27T22:44Z.

Summary

These are instructions for installation DWSIM 8.0.4 onto a Debian 10 machine with amd64 CPU architecture (e.g. Intel i9 or AMD Ryzen).

Background

DWSIM is an open source chemical process simulator produced under a GPLv3 license. Although its full-featured version is available only for Windows due to most CAPE-OPEN modules usually intended to be run in Windows, the main developer Daniel Medeiros compiles and publishes a version of DWSIM that can be run in Debian 10). The following instructions may apply to other Debian-derived distributions such as Ubuntu, but some customizations may be rqeuired (e.g. a different Mono Stable repository is required between Ubuntu, Debian)

Setup

Download DWSIM Debian Installer Package

Download the DWSIM Debian Installer Package ( .deb) file from the website. You should get a file with a name resembling this:

dwsim_8.0.4-amd64.deb

1. Don't do this

   Note, if you try to install the .deb file via the usual $ sudo dpkg -i package.deb trick, you will get the following errors, telling you about missing dependencies (read on to solve them):

   $ sudo dpkg -i dwsim_8.0.4-amd64.deb
   [sudo] password for baltakatei: 
   Selecting previously unselected package dwsim.
   (Reading database ... 237740 files and directories currently installed.)
   Preparing to unpack dwsim_8.0.4-amd64.deb ...
   Unpacking dwsim (8.0.4) ...
   dpkg: dependency problems prevent configuration of dwsim:
    dwsim depends on mono-complete (>= 6.8); however:
     Package mono-complete is not installed.
    dwsim depends on mono-vbnc (>= 4.0); however:
     Package mono-vbnc is not installed.
    dwsim depends on gtk-sharp2 (>= 2.12); however:
     Package gtk-sharp2 is not installed.
    dwsim depends on libfontconfig1-dev; however:
     Package libfontconfig1-dev is not installed.
    dwsim depends on coinor-libipopt1v5; however:
     Package coinor-libipopt1v5 is not installed.
   
   dpkg: error processing package dwsim (--install):
    dependency problems - leaving unconfigured
   Errors were encountered while processing:
    dwsim
   

Install DWSIM

With the .deb file downloaded, from here it is possible to use a script (link) I wrote to perform the remaining steps.

However, I will explain the actions it performs in case you wish to do them manually.

1. Enable Mono Stable's Debian 10 repository

   The DWSIM .deb file requires the mono-complete package (version >=6.8) that is available in a non-standard repository hosted by the Mono Project. To configure Debian 10 to download package lists and updates from this repository, run the following commands (taken from the Mono Project's download page):

   sudo apt install apt-transport-https dirmngr gnupg ca-certificates
   sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
   echo "deb https://download.mono-project.com/repo/debian stable-buster main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
   sudo apt update
   

   These commands tell the operating system to trust software produced by the Mono Project and tells the system where to get future updates via apt.

2. Install DWSIM dependencies

   Now that the operating system knows about the Mono repository, install software from Mono:

   $ sudo apt install mono-complete
   $ sudo apt install mono-vbnc gtk-sharp2 libfontconfig1-dev coinor-libipopt1v5
   

3. Install DWSIM

   Now othat the Mono dependencies are installed, dpkg can be used to manually install the .deb file:

   $ sudo dpkg -i dwsim_8.0.4-amd64.deb
   

   Note: if you run this command without the required dependencies being available, you may need to explore using $ sudo apt -f install and related commands to fix things.

Run DWSIM

To run DWSIM, you can run dwsim from the command-line.

$ dwsim

In order to test that DWSIM is working, here is a DWSIM 8.0.4 project file that you can download and open. It is the simple gas compressor. A screenshot of the process flow diagram can be downloaded here.

GNOME Extension: Panel Date Format

Created by Steven Baltakatei Sandoval on 2022-04-28T21:03Z under a CC BY-SA 4.0 license and last updated on 2022-04-28T22:08Z.

Background

I enjoy keeping track of the time using ISO-8601 format. It permits unambiguous big endian time indication in a sortable format. I believe the default time format used in the top bar in Pop!_OS 22 (which is basically Ubuntu 22) depends upon which region the machine is configured for (e.g. "United States", or "Germany", etc.).

My default date time format is something like Apr 28 2022, 21:44 (I'm not sure because I don't care ^_^). What I really want is an ISO-8601 date time format like 2022-04-28T21:45:33+0000. The +0000 explicitly states the time zone my machine is configured for (UTC in this case); this is useful in case I want to communicate the time to someone unambiguously; knowing the time zone is required to do so. Also, time units are sorted in descending fashion (year, month, day, hour, minute, second) instead of the tradition-bound madness that is US date time format (month, day, year, hour, minute, second).

One GNOME Extension that I found works for me in Pop!_OS 22 is "Panel Date Format" (GitHub).

Setup

• Install the GNOME Shell integration add-on for Firefox.

• Go to the Panel Date Format extension page.

  • Enable using the toggle switch on the top right of the page.

• Go to the GitHub repository for the extension.

  • Copy the dconf command into a text editor.

• Modify the dconf command's date format string from "'%Y-%m-%d'" to "'%Y-%m-%dT%H:%M:%S%z'"

  • The command I used is:

    ~$ dconf write /org/gnome/shell/extensions/panel-date-format/format "'%Y-%m-%dT%H:%M:%S%z'"~

• Verify the change is loaded by running $ dconf dump / > dconf_dump.txt and searching this .txt file for a part labelled [org/gnome/shell/extensions/panel-date-format]. (you can also use the dump and load commands to automatically backup settings that use the dconf database; I use yadm's bootstrap function to do this automatically when automatically setting up a new Debian machine).

The date time indicator on the top bar should now look like this:

Conclusion

Using GNOME Extensions and a command in the command line, it is possible to customize the top bar date time indicator to use ISO-8601 formatting in Pop!_OS 22.

Using Open Timestamps with Git

Created by Steven Baltakatei Sandoval on 2022-04-22T15:00Z under a CC BY-SA 4.0 license and last updated on 2022-04-23T13:56Z.

Summary

I learned how to configure git to automatically create Open Timestamps proofs whenever I sign a commit with my OpenPGP key.

Background

Although Bitcoin is mostly popular for its use as digital money, in order for it to properly function in a decentralized manner, it must also act as a timestamping service to itself. Bitcoin does this by requiring miners to mark each candidate block they produce with a timestamp; accuracy is enforced by some rules that cause a block to be rejected. These rules can be roughly summarized as:

1. The timestamp must be in the future (Median Past Time rule)
2. The timestamp must not be too far into the future (Future Block Time rule)

Therefore, provided that the majority of miners are honest (an assumption Bitcoin already requires), the most recent block will likely have a timestamp that can be expected to be accurate to within a few hours.

OpenTimestamps is a timestamping service and set of programs that relies upon this internal timestamping feature of the Bitcoin blockchain. Open Timestamps was created by Peter Todd, a former Bitcoin Core developer. I believe I first heard about Open Timestamps (OTS) while following discussions on the /r/Bitcoin subreddit (possibly from this thread).

The timestamp service works by having a "calendar" server program collect file hashes submitted from client programs at the direction of some users. The hash of each user's file(s) is integrated into a merkle tree by the server. Then, periodically, the calendar server will create and submit a Bitcoin transaction containing the tree's merkle root. Once the transaction is included in the Bitcoin blockchain, the calendar server can then provide a client with the merkle branch leading from the merkle root to the file hash the client submitted; the merkle branch is typically encoded in an .ots file created next to the hashed file; this .ots file permits the client, armed with a copy of the blockchain, to verify that the hashed file existed at least as far back as the timestamp of the block containing the merkle root.

Using OpenTimestamps (OTS)

It is possible to use the opentimestamps.org website to create the .ots file using only a web browser. See the "STAMP & VERIFY" section of the main webpage.

However, client software is also provided in the Python, Javascript, and Java programming languages. Personally, I used the Python implementation which the examples later in this blog post will reference.

Installation

On a fresh Debian-based system, the Python implementation of OTS can be installed via:

$ sudo apt install python3-pip
$ pip3 install opentimestamps-client

The ots and ots-git-gpg-wrapper (to be used later) executables then should be added to the PATH environment variable. This can be done by adding this code to your $HOME/.profile file (or whichever file you use to automatically load custom environment variables; e.g. $HOME/.bashrc):

# set PATH so it includes user's private bin if it exists                                                                                  
if [ -d "$HOME/.local/bin" ] ; then                                                                                                        
    export PATH="$HOME/.local/bin:$PATH"                                                                                                   
fi

Running source ~/.profile (or whichever sh file contains the above code) will then modify PATH. Environment variables set in your current shell can be found by running $ printenv.

OTS CLI Usage

The command line interface for OTS version 0.7.0 works like this:

You want to timestamp a file named THESIS.md. You do can do this by running:

$ ots stamp THESIS.md

This will create a THESIS.md.ots file adjacent to THESIS.md.

However, this .ots file does not contain the full merkle branch data necessary, meaning the calendar server(s) used by ots (several are configured by default) will have to be contacted in order to upgrade the .ots file.

An .ots file can be upgraded via:

$ ots upgrade THESIS.md.ots

If you are okay with the command waiting the (typically) several hours required for a calendar server to provide merkle branch data before exiting, then you can run this from the start:

$ ots --wait stamp THESIS.md

A .ots can be verified by running:

$ ots verify THESIS.md.ots

In any case that results in downloading a proof from a calendar server, ots will save a cache of the merkle branch data in the $HOME/.cache/ots directory. ots looks for proof data here before contacting a calendar server. Also, I suspect that because ots only ever adds files to $HOME/.cache/ots and never modifies files there, multiple machines running the same version of ots can use a file synchronization tool such as syncthing to merge their OTS caches for future reference.

I have used this procedure to timestamp some of my own files for my own amusement and reference.

OTS Git Wrapper

The reason I created this blog post, aside from documenting my own usage of ots, was to document how I started using the ots-git-gpg-wrapper feature.

git (distributed version control software I use in this blog, my Notable Public Keys book, and other projects) can be configured to use ots to improve signed commits. The OTS documentation for this feature can be found within the OTS GitHub repository.

1. Typical Usage

   To summarize, the feature can be activated for all git repositories by running:

   $ path_wrapper="$HOME/.local/share/ots/ots-git-gpg-wrapper.sh"
   $ git config --global gpg.program "$path_wrapper"
   

   If you want to only activate this feature for a single repository, change the working directory to the repository, replace --global to --local, then run the command, like so:

   $ cd $HOME/some_git_repo
   $ path_wrapper="$HOME/.local/share/ots/ots-git-gpg-wrapper.sh"
   $ git config --local gpg.program "$path_wrapper"
   

   The default contents of ots-git-gpg-wrapper.sh are:

   #!/bin/sh
   
   # Wrapper for the ots-git-gpg-wrapper
   #
   # Required because git's gpg.program option doesn't allow you to set command
   # line options; see the doc/git-integration.md
   
   ots-git-gpg-wrapper --gpg-program "`which gpg`" -- "$@"
   

2. Advanced Usage

   To go further, I modified the original wrapper script ots-git-gpg-wrapper.sh to contain:

   #!/bin/sh
   
   # Wrapper for the ots-git-gpg-wrapper
   #
   # Required because git's gpg.program option doesn't allow you to set command
   # line options; see the doc/git-integration.md
   
   # Check if gpg is alias. (see https://unix.stackexchange.com/a/288513 )
   if alias gpg 2>/dev/null; then
       ## Get gpg alias command
       gpg_cmd="$(type gpg)"; # get raw alias definition
       gpg_cmd="${gpg_cmd#*=\'}"; # trim chars before and including first apostrophe
       gpg_cmd="${gpg_cmd%\'*}"; # trim chars after and including last apostrophe
   else
       gpg_cmd="$(which gpg)";
   fi;
   
   # Check if jsonrpc_option file available
   path_jsonrpc_option="$HOME/.local/share/ots/jsonrpc_option.txt";
   if [ -f "$path_jsonrpc_option" ]; then
       jsonrpc_option="$(cat "$path_jsonrpc_option" | head -n1)";
   else
       jsonrpc_option="";
   fi;
   
   eval "ots-git-gpg-wrapper $jsonrpc_option --gpg-program $gpg_cmd -- $@"
   

   To add the --wait option when running ots-git-gpg-wrapper, I copied ots-git-gpg-wrapper.sh to an adjacent file named ots-git-gpg-wrapper-wait.sh containing:

   #!/bin/sh
   
   # Wrapper for the ots-git-gpg-wrapper
   #
   # Required because git's gpg.program option doesn't allow you to set command
   # line options; see the doc/git-integration.md
   
   # Check if gpg is alias. (see https://unix.stackexchange.com/a/288513 )
   if alias gpg 2>/dev/null; then
       ## Get gpg alias command
       gpg_cmd="$(type gpg)"; # get raw alias definition
       gpg_cmd="${gpg_cmd#*=\'}"; # trim chars before and including first apostrophe
       gpg_cmd="${gpg_cmd%\'*}"; # trim chars after and including last apostrophe
   else
       gpg_cmd="$(which gpg)";
   fi;
   
   # Check if jsonrpc_option file available
   path_jsonrpc_option="$HOME/.local/share/ots/jsonrpc_option.txt";
   if [ -f "$path_jsonrpc_option" ]; then
       jsonrpc_option="$(cat "$path_jsonrpc_option" | head -n1)";
   else
       jsonrpc_option="";
   fi;
   
   eval "ots-git-gpg-wrapper --wait $jsonrpc_option --gpg-program $gpg_cmd -- $@"
   

   Part of these modifications take into account the fact that I use the alias function to include custom options whenever I run gpg.

   Additionally, my modifications include permitting ots commands run from my main GNU/Linux Debian-based workstation that is NOT a bitcoin node to connect to a bitcoin node using the --bitcoin-node option for the ots-git-gpg-wrapper command. I do this by loading into a variable the first line of a file named jsonrpc_option.txt that I maintain alongside the ots-git-gpg-wrapper.sh file. The first line of the jsonrpc_option.txt file contains information used to permit connection to a bitcoin node (a Raspiblitz in my case) on the local network at IP address 192.168.0.4 via the RPC interface on port 8332 using username raspibolt and password hunter2. The file contents take the form:

   --bitcoin-node http://raspibolt:hunter2@192.168.0.4:8332/
   

   With those changes in place and the ots-git-gpg-wrapper.sh wrapper script activated via a git config command mentioned earlier, if I create a signed commit and then run git log, I will see:

   commit 626303d06805ee6cd50e231da6988fc0235bd8e8 (HEAD -> master)
   ots: Calendar https://btc.calendar.catallaxy.com: Pending confirmation in Bitcoin blockchain
   ots: Calendar https://finney.calendar.eternitywall.com: Pending confirmation in Bitcoin blockchain
   ots: Calendar https://alice.btc.calendar.opentimestamps.org: Pending confirmation in Bitcoin blockchain
   ots: Calendar https://bob.btc.calendar.opentimestamps.org: Pending confirmation in Bitcoin blockchain
   ots: Could not verify timestamp!
   gpg: Signature made Fri 22 Apr 2022 05:58:35 PM GMT
   gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
   gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
   gpg:                 aka "Steven Sandoval <baltakatei@alumni.stanford.edu>" [ultimate]
   gpg:                 aka "[jpeg image of size 1846]" [ultimate]
   Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
        Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
   Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
   Date:   2022-04-22T17:57:30+00:00
   
       draft(posts:20220422):using ots with git
   
       - note: testing timestamp feature with example commit
   

   After three hours, this message changed to:

   commit 626303d06805ee6cd50e231da6988fc0235bd8e8 (HEAD -> master)
   ots: Calendar https://btc.calendar.catallaxy.com: Pending confirmation in Bitcoin blockchain
   ots: Calendar https://finney.calendar.eternitywall.com: Pending confirmation in Bitcoin blockchain
   ots: Calendar https://alice.btc.calendar.opentimestamps.org: Pending confirmation in Bitcoin blockchain
   ots: Got 1 attestation(s) from https://bob.btc.calendar.opentimestamps.org
   ots: Success! Bitcoin block 733047 attests existence as of 2022-04-22 GMT
   ots: Good timestamp
   gpg: Signature made Fri 22 Apr 2022 05:58:35 PM GMT
   gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
   gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
   gpg:                 aka "Steven Sandoval <baltakatei@alumni.stanford.edu>" [ultimate]
   gpg:                 aka "[jpeg image of size 1846]" [ultimate]
   Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
        Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
   Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
   Date:   2022-04-22T17:57:30+00:00
   
       draft(posts:20220422):using ots with git
   
       - note: testing timestamp feature with example commit
   

   The line that matters is the one mentioning block 733047 (probably this transaction, based on the current state of the "bob" opentimestamps.org calendar server).

   ots: Success! Bitcoin block 733047 attests existence as of 2022-04-22 GMT
   

   If I run git log another time, the ots: lines change to indicate the local cache is being used to verify instead of a calendar server.

   commit 626303d06805ee6cd50e231da6988fc0235bd8e8 (HEAD -> master)
   ots: Got 1 attestation(s) from cache
   ots: Success! Bitcoin block 733047 attests existence as of 2022-04-22 GMT
   ots: Good timestamp
   gpg: Signature made Fri 22 Apr 2022 05:58:35 PM GMT
   gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
   gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
   gpg:                 aka "Steven Sandoval <baltakatei@alumni.stanford.edu>" [ultimate]
   gpg:                 aka "[jpeg image of size 1846]" [ultimate]
   Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
        Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
   Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
   Date:   2022-04-22T17:57:30+00:00
   
       draft(posts:20220422):using ots with git
   
       - note: testing timestamp feature with example commit
   

   If I had instead activated ots-git-gpg-wrapper-wait.sh, then the git commit operation would wait until it received a proof from a calendar server before exiting. This may be useful for for major signed commits and tags where it is desirable to transmit the proof via the git repository itself instead of relying upon a calendar server or the cache files being available in the future. I don't know of a method to upgrade the OTS proof data already included in a git repository.

Use Cases

.ots files

Generating .ots files is easier than messing with the OTS git wrapper script since no knowledge of git is required. For this reason, I imagine timestamping files via Python or the OpenTimestamps.org website would be more common.

Some use cases I can imagine are:

• A reporter timestamping .eml files containing controversial correspondence.
• A lawyer timestamping controversial secret .pdf documents that will be revealed at a later time.
• A civil engineer timestamping a receipt of a .pdf report they create for a building owner about the need to perform expensive repairs.
• A business owner timestamping a contract encoded in a .pdf to help prove when an agreement was made.
• A speedrunner wanting to prove that a world record they recorded in a .mkv video file was made by a certain date in the past.
• A software developer wanting to prove that certain archived versions of their software existed as early as a certain date.

OTS git wrapper

In the abstract, the OTS git wrapper allows me to prove the existence of files in a git repository that I already am using OpenPGP to sign. This is useful for avoiding ambiguities associated with the possibility of some attacker capturing my OpenPGP private key and signing files with forged timestamps in order to try and convince someone to believe their revised history of some event.

Although I personally am not in the business of proving the existence of files for others, I can imagine some software developers who use git who may want to prove who had created a piece of code before a copycat.

Also, git, because it is version control software for file trees, can be used to prove the existence of many files at a time (albeit via SHA1 which, as of 2022, is the best method git supports for hashing data). This may be useful if the number of proofs I need to create is large enough to saturate a significant fraction of public calendar server bandwidth and storage capacities.

Caveats

An OTS timestamp can only prove data existed after a certain date. It cannot prove exactly when data was created.

Also, an attacker could pregenerate a large fraction of all possible permutations of data and create an OTS proof for each permutation. For example, if I wanted to bamboozle people into thinking I could predict the weather anywhere in the world 8 years in advance, I could create a large number of text files containing permutations of the general prediction "I predict in 2022 that on [date in 2030], in [location], it will be [weather type]." I would then create .ots proof files for each prediction and sit on them for 8 years. Then, on the specified date in 2030, I would selectively reveal only the predictions that happened to be true.

Conclusion

OpenTimestamps can be used to prove the existence of files and git commits in a scalable manner using the Bitcoin blockchain.

Notable Public Keys book update (F-Droid, Qubes OS)

Created by Steven Baltakatei Sandoval on 2022-04-11T14:23Z under a CC BY-SA 4.0 license and last updated on 2022-04-12T01:18Z.

I updated the Pubkeys book (PDF, Gitlab).

New Sections

F-Droid

I added the Android app FOSS repository that I use. The developers publish OpenPGP signatures for the downloadable APK of the F-Droid client, a package manager similar to the the Google Play Store app. I had started creating a chapter months ago but hadn't fleshed it out yet due to slow loading times of the F-Droid main website.

From what I can tell, F-Droid didn't publish a OpenPGP signature for their main client's APK file until late 2017. Also, there's no obvious place to download the public key (41E7 044E 1DBA 2E89).

Qubes OS

I saw a Reddit post from someone looking to install Qubes OS and was looking for a method to verify PGP software to verify a Qubes OS installation file. Although I've not yet started a GnuPG chapter (I imagine it will contain a lot of history), I decided I could draft a Qubes OS chapter. Such a chapter would contain the fingerprints necessary to reassure someone looking to download and install Qubes OS for themselves.

I was surprised by how detailed the PGP verification instructions available on the main website were. They have a master key (DDFA 1A3E 3687 9494) that signs each release key; there is one release key per major version (e.g. v1.0, v2.0, etc.).

Future sections

Here's the short list of upcoming chapters I plan on writing next when the fancy strikes me.

• GnuPG. Software often used to perform OpenPGP operations.
• LibreOffice. An alternative to Microsoft Office.
• Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.

TeXmacs: Thermodynamics and Chemistry by Howard DeVoe - done

Created by Steven Baltakatei Sandoval on 2022-03-17T02:21Z under a CC BY-SA 4.0 license and last updated on 2022-03-20T18:18Z.

Summary

Thermodynamics and Chemistry by Howard DeVoe, Version 10, Transcribed to TeXmacs. It's done. See the repository for the source code. Compare to the original compiled from LaTeX here.

This past week I've made an effort to finish off the Bibliography and citations of the thermodynamics textbook transcription job I assigned myself over a year ago.

Bibliography wrangling

I had to figure out how exactly TeXmacs processes bibtex data. It's complicated and usage isn't well-documented but I found a way that works (when inserting an automatically-updating bibliography section via "Insert -> Automatic -> Bibliography", it is possible to specify a file as well as a bibliography style if you examine the <bibliography> tag that is created; the file must be a bibtex file; then, a tag like <cite|author-1999> will trigger the bibliography section to read the file and populate itself with a new bibliography entry and assign the <cite> tag a reference number).

One of DeVoe's bibtex entries kept causing crashes in TeXmacs whenever I tried to update the bibliography. It was the only one of its kind.

@incollection{
clapeyron-1834,
   Author = {Clapeyron, \'{E}.},
   Title = {Memoir on the Motive Power of Heat},
   BookTitle = {Reflections on the Motive Power of Fire: Sadi Carnot and other Papers on the Second Law of Thermodynamics by \'{E}.\ Clapeyron and R.\ Clausius},
   Editor = {Mendoza, E.},
   Publisher = {Dover},
   Address = {Mineola, New York},
   Pages = {71-105},
   Note = {Translation by E.\ Mendoza of ``M\'{e}moire sur la Puissance Motrice de la Chaleur,'' \emph{J.\ de l'\'{E}cole Polytechnique}, \textbf {14}, 153--190 (1834).},
 Year = {1988} }

The problem is with the Note value. There's a lot of what looks like LaTeX code (which I'm not familiar with). I'm using the tm-plain style which seems to be okay with processing some LaTeX'isms in these bibliographical entries (a lot of the markup seems to be used to effect diacritical marks which could be handled by use of UTF-8 characters, but I wasn't about to go down the rabbit hole of figuring out how TeXmacs handles Unicode points in its bibliography processing code). I switched out the Note value to something simpler (that references the title's OCLC code) and now book.tm compiles (clapeyron-1834 was used in a citation in bio-CLAPEYRON.tm).

Note = {See OCLC 559435201; 153--190.},

Two columns in one column document

I also figured out that its possible to get two-column pages in an otherwise single-column TeXmacs document. Basically, you create a two-column page (single page only) in one TeXmacs document (.tm) then <include> it in another document (via "Insert -> Link -> Include"). I'm pretty sure this is stretching what the original developer intended but it seems to work well enough for the single-page biographical sketches that DeVoe included in his book.

Disappearing Dotted Line

A few months into the transcription project, I emailed Howard DeVoe a PDF of a draft. He noted that some figures had dashed lines that changed depending on how far you were zoomed in. Eventually I concluded the cause of that problem was some error / wrong assumption made by either Inkscape, ghostscript, or some converter in between the source Encapsulated Post Script (EPS or .eps) file that DeVoe had emailed me and the .eps file that I got to work when inserted into the TeXmacs documents. Instead of trying to hunt down the cause, I decided to try and fix each issue in each .svg file that Inkscape could produce from each .eps file.

SVG is an XML-like format that I can easily parse with grep, sed, and other command line tools that I'm familiar with; in contrast, EPS is compiled output not meant for direct editing (perhaps decades ago it was meant to be human-editable but SVG seems to be the standard now). So, I converted every EPS file I received from DeVoe into an SVG master file from which I would export EPS or whatever format I needed to make the book work (see ink_export_to_eps.sh). I found that each image with the dynamically chnanging dashed line issue also had a "stroke-dasharray" key value pair; so, I wrote ink_convert_dash.sh (in ref/notes/baltakatei/bash/ in the repository), a script to convert each dashed path object into a path object in which each dash is a subpath; it greatly increases the amount of information requried to define the dashed line but the benefit is that the dashed line appears the same no matter the zoom level; in other words, every single dash is converted into a static object instead of letting whatever vector renderer decide how to draw a dashed line.

While I was patting myself on the back for figuring out how to automatically get Inkscape to process the many SVG files I had, I noticed that some of the images lost some dotted lines. I eventually discovered that some dashed lines had dashes with dash lengths specified so short (zero length), that the Inkscape extension I was using (org.inkscape.filter.dashit.noprefs) was encountering a "divide by zero" error and deleting the path partially or entirely.

Soooooo, I had to write ink_stroke-dasharray_zerofix.sh to run before I ran ink_convert_dash.sh. ink_stroke-dasharray_zerofix.sh would change all the 0's in each stroke-dasharray to something small. I also filed a bug report (which led to a fix that was merged by a Jonathan Neuhauser; thanks!). Testing showed me that a value too close to zero would be the same as if zero were still present. I had to use a relative value of nearby non-zero values in the stroke-dasharray and my code is super brittle (it probably wouldn't work for all dashed paths encoding all possible morse code sequences, but my problem was just with simple dotted lines disappearing). … — …

I debugged the scripts so they'd do what I wanted (fix the dashed paths into paths with static subpaths for each dash/dot). I definitely couldn't do what I did with earlier versions of Inkscape; I downloaded and ran the latest Inkscape version (inkscape 1.2); its command line interface is super slick (although it would be nice if there were a sleep command to let me get a peek at changes).

Long story short, I think I've resolved the dashed line issue, Professor DeVoe. ^^;;

Next steps

The core reason I transcribed the textbook in the first place was so that when I completed the problem sets for my own review and education, I'd be able to have a digital document that I could link to and share with others. That means the next step, now that transcription is done, is to create my own solutions to the problem sets and record them in TeXmacs.

This means I will probably need to use DWSIM more in order to cross-check my thermodynamic calculations and create illustrations / diagrams relevant to each solution. Again, I want to be able to hand someone a ZIP file containing everything they need to learn Chemical Engineering; that means not only textbooks and problem sets, but also simulation software that they might use when applying this knowledge in industry. A ZIP file that I could in good conscience send to the people on the ISS should everyone on the planet's surface be doomed.

Notable Public Keys book update (Electrum, Tails, Veracrypt)

Created by Steven Baltakatei Sandoval on 2022-03-12T12:52Z under a CC BY-SA 4.0 license and last updated on 2022-03-12T13:18Z.

I added three sections to the Notable Public Keys book (PDF, GitLab):

• Tails
• Veracrypt
• Electrum

New Sections

Tails

I added a few of the Tails keys and did some research about the origin of Tails. I didn't know that its name (i.e. "The (Amnesic) Incognito Live System") was a hint at the fact that there used to be two projects that merged together. One was called "Incognito" (a privacy-focused operating system based on Gentoo) and the other was "Amnesia" (also a privacy-focused operating system based on Debian). See the PDF for links and notes.

There are many more Tails keys covering various subgroups of Tails development operations (PR, financial, etc.). I've elected to only link to the page containing these fingerprints and focusing on the fingerprints necessary for verifying downloadable installation .iso images (funnily enough, their mailing list key used to also be an image signing key very early on so I include it).

Veracrypt

This is software I had learned about from Steve Gibson's Security Now podcast. I've used it occasionally over the years; it was one of my first entries in my OpenPGP fingerprint notes that later became the Notable Public Keys book. I guess the reason I haven't added it to the book until today was because I was still using my unpublished notes as a source of fingerprints. It's time to share what I know!

Electrum

Years ago, I uploaded a Youtube video about how to verify the Electrum installer for Windows 10. It's probably now out-of-date but the verification procedure still relies on using Thomas Voegtlin's fingerprint. Lately the Electrum.org download page has linked to two other public keys; one seems to be an ElectrumX developer.

The cost of failure for not checking signatures of this software grows each year as Bitcoin does what it does best: persist. It's my hope that this chapter of the book can help prevent people from losing money, if only by providing a persistent reference through time about which fingerprint to trust.

Updates

I made various updates to the <index> tags so that the Index section can be more organized when TeXmacs generates it. This work actually probably took about as along as researching the histories of Tails and Veracrypt combined but involved many more keypresses due to needing to check each existing chapter's tags.

Future Sections

The next chapters I plan to write are below in descending order of priority.

• GnuPG. Software often used to perform OpenPGP operations.
• F-Droid. An alternative to the Google Play store.
• LibreOffice. An alternative to Microsoft Office.
• Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.

Notable Public Keys book update (Tor Browser, Youtube-dl)

Created by Steven Baltakatei Sandoval on 2022-03-09T18:13Z under a CC BY-SA 4.0 license and last updated on 2022-03-10T01:45Z.

I added two sections to the Notable Public Keys book (PDF, GitLab):

• Tor Browser
• Youtube-dl

New Sections

Tor Browser

Tor Browser, along with Tails, is definitely one of the earliest programs I used that prominently featured verification methods for its installation executables. It also was one of the more prominent victims of a certificate spamming attack years ago. These details I made sure to include in the chapter I wrote. Although several PGP keys are mentioned in various docs, only a single key seems to continuously be used to sign release executables.

Youtube-dl

Although Youtube-dl, a Python2 project, seems to have become idle compared to its Python3 fork (See yt-dlp), it uses OpenPGP keys to sign releases and its GitHub project still sees some occasional updates. The fork, "yt-dlp" doesn't seem to use OpenPGP signatures on release files; however, some of its developers that worked on Youtube-dl do sign commits with OpenPGP so I mentioned their public key fingerprints so my new scan_write_tm_gpgkeys.sh script can save a copy of their public keys in the book repository's ref/pgp_keys/ directory.

Updates

Bitcoin Core

I noticed this week that Bitcoin Core changed the way it signs binary releases. Specifically, last year around 2021-09, its Download page began linking to a signature file (SHA256SUMS.asc) separately from its release hash file (SHA256SUMS). Before, both the hashes and the signature were contained within the same file (SHA256SUMS.asc). This change was made upon release of Bitcoin Core v0.22.0 in order to accommodate the ability for multiple people (besides Wladimir J. van der Laan) to sign the binary release files. I count 12 signatures in the SHA256SUMS.asc file for the v0.22.0 release, none of which are van der Laan's project signing key (90C8 019E 36C2 E964) which has been used to sign v0.11.0 through v0.21.2. Instead, van der Laan's signature was generated from his personal key.

This new method of signing releases makes sense to me if multiple groups wish for their own representative to personally review the code and sign off on it; instead of a group needing to figure out if they can trust van der Laan, they can more simply trust their group's representative.

Scripts

scan_write_tm_gpgkeys.sh

I wrote a bash script to automatically scan the book's source code for strings resembling gpg fingerprints and then checking to see if any public keys matched. Then, the script exports a minimal (non third-party signatures) ASCII-armored version of the public key to a target directory using the full 40-character fingerprint in the file name. I have been meaning to include minimal copies of all public keys I mention in the book in the repository. This script lets me do that. Since I intend the book to be able to be printed out onto paper, I do not plan on including the actual public keys themselves in the book since some of them can be quite large even in minimal format; I don't want to have to write code to strip out extraneous UIDs.

scan_write_http_gpgkeys.sh

After I wrote and tested scan_write_tm_gpgkeys.sh, I realized it wouldn't be too much extra work to adapt a fork of the script to scan webpages for things resembling gpg fingerprints. Several of the projects for which I have written chapters post the fingerprints used to sign files on centralized download pages that are kept updated; whenever their PGP key changes, they update the fingerprint. This script can be a handy tool to quickly identify public keys that I may be missing from my collection when I occasionally sit down to update chapters of the book.

Future Sections

The next chapters I plan to write are below in descending order of priority.

• Electrum. A bitcoin wallet. I believe including this in the book will help prevent some people losing serious amounts of money over time.
• TailsOS. A privacy-focused GNU/Linux operating system that uses tor for all communication. I believe including this in the book will help give journalists and activists more confidence when tackling the intimidating process of installing Tails for the first time.
• VeraCrypt. A filesystem encryption program. An audited successor to TrueCrypt.
• F-Droid. An alternative to the Google Play store.
• LibreOffice. An alternative to Microsoft Office.
• Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.

Notable Public Keys book update (Debian, Satoshi Labs)

Created by Steven Baltakatei Sandoval on 2022-01-03T12:58Z under a CC BY-SA 4.0 license and last updated on 2022-01-03T13:26Z.

I added two sections to my Notable Public Keys book (PDF, GitLab):

• Debian
• Satoshi Labs

Debian

For the Debian chapter I focused on PGP keys used by the "Debian CD" group to sign .iso images used to install Debian onto new systems.

I included this chapter because I use Debian as my main workstation OS. I also know that it is used as the basis for several other popular GNU/Linux distributions such as Ubuntu and some that I've been looking into using such as PopOS.

Because the Debian organization continues to use GnuPG keys as the basis for officially authenticating developer contributions, their use of PGP keys goes back longer than most organizations covered by this book (the oldest Debian CD key I found is dated 1999-01-30).

Satoshi Labs

For the Satoshi Labs chapter I included two recent keys used to sign Trezor software such as Trezor Suite and Trezor Bridge. One of the Satoshi Labs founders named Stick also created signatures included alongside software such as Trezor Bridge. Currently the latest recommended method for using a Trezor hardware wallet is to use Trezor Suite.

I included this chapter because I use a Trezor to store bitcoin. Because money is at stake I have maintained notes about PGP keys used to sign Trezor software. In fact, one of the reasons why I decided to make the book was to gather all my notes into a single coherent text.

Future sections

In the project README I have the following entities whose public keys I am still planning to include in their own sections:

• Electrum
• F-Droid
• LibreOffice
• Red Hat
• TailsOS
• Tor Browser
• Veracrypt