github.com/keybase/client/go@v0.0.0-20240520164431-4f512a4c85a3/client/help.go (about) 1 // Copyright 2015 Keybase, Inc. All rights reserved. Use of 2 // this source code is governed by the included BSD license. 3 4 package client 5 6 import ( 7 "github.com/keybase/cli" 8 ) 9 10 func GetHelpTopics() []cli.HelpTopic { 11 return []cli.HelpTopic{ 12 advancedHT, 13 gpgHT, 14 keyringHT, 15 torHT, 16 } 17 } 18 19 var advancedHT = cli.HelpTopic{ 20 Name: "advanced", 21 Usage: "Description of advanced global options", 22 Body: `Keybase commands can run with various command line flags to configure global 23 options. To use, add the flags before the command name: 24 25 {{ .Name }} [global options] command [command options] 26 27 GLOBAL OPTIONS: 28 {{range .Flags}}{{ . }} 29 {{end}} 30 `, 31 } 32 33 var gpgHT = cli.HelpTopic{ 34 Name: "gpg", 35 Usage: "Description of how keybase interacts with GPG", 36 Body: `Keybase + GnuPG 37 38 The Keybase client makes selective use of a local installation 39 of GnuPG (gpg) if it can find one. We realize that access to local gpg is 40 sensitive, so we try to tread lightly and only access the local gpg keyrings 41 in a few special cases. 42 43 On Device Provisioning - If you've previously set up a keybase account and host 44 your secret key via gpg locally, the keybase app will need a signature signed with 45 that key to delegate authority to a new local device key. That device key will then 46 do all of the non-PGP work for this machine going forward (e.g., signing follower 47 statements, provisioning new devices, etc.) 48 49 On signup - When you sign up, you can also "select" a PGP key for use with keybase 50 from your local GPG keyring. See "keybase pgp select" below. 51 52 'keybase pgp gen' - Running "gen" will generate a new PGP key via the Go libraries. 53 keybase will save the secret key locally, and will push the public half to the 54 server, after it's been signed and provisioned with your local device key. 55 Additionally, this command will export the secret and public keys to your local 56 GPG keyring. There will be no passphrase protecting this exported secret 57 key, so if this is important to you, run 'gpg edit-key' to supply one. 58 59 'keybase pgp pull' - All PGP keys pulled as a result of 'keybase pgp pull' are 60 exported as public keys to your local gpg keyring. 61 62 'keybase pgp update' - Public PGP keys are exported from your local GPG keyring and 63 sent to the keybase server, where they will supersede PGP keys that have been 64 previously updated. This feature is for updating PGP subkeys, identities, and 65 signatures, but cannot be used to change PGP primary keys. 66 67 'keybase pgp select' - Look at the local GnuGP keychain for available secret keys. 68 It then makes those keys available for use with keybase. The steps involved are: 69 (1a) sign a signature chain link with the selected PGP key and the existing device 70 key; (1b) push this signature and the public PGP key to the server; and if "--import" 71 flag is passed: (2a) copy the PGP secret half into your local Keybase keyring; 72 and (2b) encrypt this secret key with Keybase's local key security mechanism. 73 Keybase optionalls takes steps (2a) and (2b) so that subsequent 74 PGP operations (like sign and decrypt) don't need to access your GPG keyring again. 75 Once running this command, you wind up in state similar to that following 76 "keybase pgp gen" above. The difference is that you've used GnuPG to generate 77 the key rather than keybase. 78 79 'keybase pgp sign/encrypt/verify/decrypt' - These commands don't access your local 80 GPG keyring, they only access the local keybase keyring as described in "select". 81 82 'keybase pgp import' - Doesn't access the GPG keyring at all, only works with 83 keys passed in via standard input or files. A secret key is required for this 84 operation, since a signature for the key is needed in the import process. 85 86 'keybase pgp export' - Doesn't access the GPG keyring at all, just outputs 87 your currently provisioned PGP keys to standard output (or a file). 88 89 'keybase pgp drop' - Disassociates this PGP key from your account, but doesn't 90 access the GPG keyring, and doesn't perform a traditional PGP revocation. 91 `, 92 } 93 94 var keyringHT = cli.HelpTopic{ 95 Name: "keyring", 96 Usage: "Description of how keybase stores secret keys locally", 97 Body: `Keybase's Local Keyring 98 99 Keybase keeps a local per-user keyring to store secret keys. Keyrings can 100 be found: 101 102 * On Linux: $XDG_CONFIG_HOME/.config/keybase/secretkeys.$USER.mpack 103 * On OSX: $HOME/Library/Application\ Support/Keybase/secretkeys.$USER.mpack 104 105 Secret keys are packed in the Msgpack format, and are then Base64-encoded. 106 The input object is an array of objects, each containing a secret key 107 along with associated metadata. 108 109 Secret keys are locally encrypted using Keybase's "Local Key Security" (LKS) 110 system. In LKS, the symmetric secret key is an XOR of: (1) bytes [288:320] of 111 the scrypt of the user's passphrase; and (2) a random 32-byte mask synced with 112 the Keybase remote server (the "server mask"). This secret key is then used as 113 the symmetric secret key in NaCl's SecretBox function, which is then used to 114 encrypt locally stored asymmetric secret keys. 115 116 The three types of keys currently stored in Keybase's keyring are: (1) per-device 117 EdDSA keys; (2) per-device Curve25519 DH keys; and (3) any PGP private keys 118 that are "selected", "imported" or "generated" into Keybase (see "keybase help gpg"). 119 Keys of the first two varieties never leave the device. Keys of the third variety 120 can leave the device if the user explicitly requests a passphrase-encrypted 121 synchronization with the Keybase server, or when the user syncs her PGP private 122 key via 'keybase pgp push-private' and 'keybase pgp pull-private'. All three 123 varieties of keys are protected with LKS encryption as described above. 124 125 When a user on OSX clicks "remember my passphrase" in a dialog box, the 126 symmetric LKS secret key is written to the OS keychain. The encrypted asymmetric 127 secret key stays locally stored on the file system, and is never moved into the 128 OS's keychain. 129 130 Keybase has a passphrase update protocol: if a passphrase is changed 131 on any device, the server mask described above is changed accordingly, so that 132 the user can immediately use her new passphrase across all devices. However, 133 the server cannot decrypt an LKS-protected secret key unless it also 134 has access to the user's passphrase (or can crack it). More details 135 are available on keybase.io in the docs section. 136 `, 137 } 138 139 var torHT = cli.HelpTopic{ 140 Name: "tor", 141 Usage: "Description of how keybase works with Tor", 142 Body: `Keybase + Tor 143 144 Using the --tor-mode flag, you can enable either "strict" mode or "leaky" mode. 145 146 In either mode, we print warnings any time you identify another user with HTTP 147 or DNS proofs, because your Tor exit node will be able to spoof these. 148 149 In leaky mode, all server requests are made over Tor to the Keybase onion URL 150 (http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion), but 151 the client still sends your session ID and other authentication info as part of 152 its requests. Features that require you to be logged in, like "keybase prove", 153 still work as usual. 154 155 In strict mode, the client tries to avoid identifying you even to the Keybase 156 server. We strip all headers from API requests. Any commands that require 157 authentication will fail. 158 159 As usual with anonymity tools, there is a big list of caveats and warnings that 160 apply. Our strict mode isn't audited, so it's possible that identifying 161 information will creep in. A better guarantee would be to run the client inside 162 of a Tails VM (https://tails.boum.org), with no identifying information 163 available to the client at all. Even still, it's possible for your own behavior 164 to identify you, like if you fetch the PGP keys of all of your friends. 165 166 More details about Tor mode are available in the "Tor support" docs on our 167 website: https://keybase.io/docs/command_line/tor 168 `, 169 } 170 171 // Custom help templates for cli package 172 173 func init() { 174 cli.AppHelpTemplate = AppHelpTemplate 175 cli.CommandHelpTemplate = CommandHelpTemplate 176 cli.SubcommandHelpTemplate = SubcommandHelpTemplate 177 } 178 179 // AppHelpTemplate is used for `keybase help` or `keybase -h`. 180 var AppHelpTemplate = `NAME: 181 {{.Name}} - {{.Usage}} 182 183 USAGE: 184 {{.Name}} {{if .Flags}}[global options]{{end}}{{if .Commands}} command [command options]{{end}} [arguments...] 185 {{if .Version}} 186 VERSION: 187 {{.Version}} 188 {{end}}{{if .Commands}} 189 COMMANDS: 190 {{range .Commands}}{{ if not .Unlisted }}{{ if .Usage }} {{join .Names ", "}}{{ "\t" }}{{.Usage}}{{ "\n" }}{{ end }}{{end}}{{end}}{{end}}{{if .HelpTopics}} 191 ADDITIONAL HELP TOPICS: 192 {{range .HelpTopics}}{{.Name}}{{ "\t\t" }}{{.Usage}} 193 {{end}}{{end}}{{if .Copyright }} 194 COPYRIGHT: 195 {{.Copyright}} 196 {{end}} 197 ` 198 199 // CommandHelpTemplate is used for `keybase help cmd` or 200 // `keybase cmd help subcmd`. 201 var CommandHelpTemplate = `NAME: 202 keybase {{.FullName}} - {{.Usage}} 203 204 USAGE: 205 keybase {{.FullName}}{{ if .Subcommands }} <command>{{ end }}{{if .Flags}} [command options]{{end}} {{ .ArgumentHelp }}{{if .Description}} 206 207 DESCRIPTION: 208 {{.Description}}{{end}}{{ if .Subcommands }} 209 210 COMMANDS: 211 {{range .Subcommands}}{{ if not .Unlisted }}{{if .Usage }} {{join .Names ", "}}{{ "\t" }}{{.Usage}}{{ "\n" }}{{ end }}{{end}}{{end}}{{end}}{{if .Flags}} 212 213 OPTIONS: 214 {{range .Flags}}{{.}} 215 {{end}}{{ end }}{{ if .Examples }} 216 EXAMPLES: 217 {{.ExamplesFormatted}}{{ end }} 218 219 ` 220 221 // SubcommandHelpTemplate is used for `keybase cmd` with no 222 // other arguments when `cmd` has subcommands. 223 // Or for `keybase cmd help` when `cmd` has subcommands. 224 var SubcommandHelpTemplate = `NAME: 225 {{.Name}} - {{.Usage}} 226 227 USAGE: 228 {{.Name}} <command> [arguments...] 229 230 COMMANDS: 231 {{range .Commands}}{{ if not .Unlisted }}{{ if .Usage }} {{join .Names ", "}}{{ "\t" }}{{.Usage}}{{ "\n" }}{{ end }}{{end}}{{end}} 232 `