fix typo

content/index.md

@@ -1,4 +1,4 @@
 # Minimal Setups
 
-![](/static/IMG_3019.png)
+![](/static/IMG_3019.jpg)
 

content/keys.md

@@ -1,15 +1,6 @@
 ## My Public GPG and SSH Keys
 
-### SSH Keys
 
-* [My SSH Keys](/static/mysshkeys.txt)
+The overview on keys is at [static.hottis.de](https://static.hottis.de)
 
 
-### GPG Keys
-
-* [`2306AA47A6D7A534B1B7446C836E9E1192A6B132`](/static/2306AA47A6D7A534B1B7446C836E9E1192A6B132.txt)
-* [`082071E0415E0A2D87A2385B5159E88B93B67538`](/static/082071E0415E0A2D87A2385B5159E88B93B67538.txt)
-* [`7B5C0BB6AFCADDC8E3435746B76E53073EE19643`](/static/7B5C0BB6AFCADDC8E3435746B76E53073EE19643.txt)
-* [`90E1D1E935FC6AB94444B15B18FDFA577A8871AD`](/static/90E1D1E935FC6AB94444B15B18FDFA577A8871AD.txt)
-* [`BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469`](/static/BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469.txt) (Dell Laptop, USB-A nano)
-* [`F53691B26F457823DF3E954BB3E461281CF3CE5D`](/static/F53691B26F457823DF3E954BB3E461281CF3CE5D.txt) (Keychain, USB-C)

content/snippets/0270-docker-on-apple-silicon.md

@@ -42,7 +42,7 @@ Here also
 
 ```
 finch vm init
-finch vm stop
+finch vm start
 ```
 
 is required and afterwards containers can be executed:

content/snippets/0280-secure-enclave-on-mac.md

@@ -0,0 +1,70 @@
+<!--
+title: SSH Keys in Secure Enclave on Mac
+date: 2025-05-12
+-->
+
+# SSH Keys in Secure Enclave on Mac
+
+The Secure Enclave on the Mac is a security device to generate, hold and utilize keys. A key generated in the Secure Enclave can not be read or copied, it just can be used. Comparable to keys on OpenPGP cards or YubiKeys.
+
+## Secretive
+
+[https://github.com/maxgoedjen/secretive](https://github.com/maxgoedjen/secretive) is a tool to generate keys and to act as an ssh agent, very important for agent-forwarding (using a key on a server where you logged in using that key).
+
+It can be installed via brew:
+
+```
+brew install --cask secretive
+```
+
+After installation, run it, add the proposed snippets into the `~/.ssh/config` and the `~/.bashrc` (or rc file of another shell):
+
+*`~/.ssh/config`*
+```
+Host *
+  IdentityAgent /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
+```
+
+*`~/.bashrc`*
+```
+SSH_AUTH_SOCK=/Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
+export SSH_AUTH_SOCK
+```
+
+(Obviously, use the right username.)
+
+It worked out of the box for me!
+
+
+## Git Signing using the Key
+
+This were also just a few lines in the `~/.gitconfig`:
+
+*`~/.gitconfig`*
+```
+[user]
+        name = Wolfgang Hottgenroth
+        email = wolfgang.hottgenroth@icloud.com
+        signingkey = /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0ca69636d28c45bc99e4ac5b40785e8c.pub
+[gpg]
+        format = ssh
+[commit]
+        gpgsign = true
+[gpg "ssh"]
+        allowedSignersFile = /Users/wn/.ssh/allowed_signers
+```
+
+To verify signatures locally using `git log --show-signature` the `allowed_signars` file mentioned in the last line above is required.
+
+It holds the email address followed by the public ssh key.
+
+That's it!
+
+I've added the key in my local Gitea instance. Cloning via ssh worked immediately, as expected. The verification of commits was only shown after verifying the key on the keys page in the setting. Just one commandline:
+
+```
+echo -n 'a-long-token-presented-to-you-by-gitea' | ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey
+```
+
+Don't be confused or scared: You list the path of the public key at `user.signingkey`, but obviously not the public key is used for signing. It is just used to identify the right private key in the Secure Enclave to be used for signing.
+

content/snippets/0290-secrets-in-repos.md

@@ -0,0 +1,54 @@
+<!--
+title: Secrets in Repos
+date: 2025-05-22
+-->
+
+# Secrets in Repos
+
+Storing secrets in cleartext in a repo is forbidden, obviously.
+
+I use this approach to store secrets in ciphertext in a repo.
+
+The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
+
+```
+gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+```
+
+The passphrase for the encryption must be entered on the prompt from gpg.
+
+To decrypt the file, in a CI script I use
+
+```
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
+```
+
+The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
+
+To decrypt interactively the commandline
+
+```
+gpg --decrypt --output secrets.txt secrets.asc
+```
+
+can be used.
+
+Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.
+
+
+## Remark: Problems with passphrase input
+
+Sometimes, gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add
+
+```
+--pinentry-mode loopback
+```
+
+to the commandline:
+
+
+```
+gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+
+gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
+```

content/static/0ca69636d28c45bc99e4ac5b40785e8c.txt

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC9ZZTUmyplzGlcEGktJu24Y58eOTujMyCdZNR8u8H7xTkZycvHqsszFYM5Y+5wAr9+bfDTSRdjHKB3LeIEPz7Y= 0x0CA69636

content/static/8bf09b3cc425c12c482b03fb45dbee57.txt

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm/2lNnOernN9XClZyyGl7gxx/eK8I7zFgDzyxK0clA8hkw0JsA+mGUajeXja8mwzOyjJWDDQYLHYZeXoutzBM= 0x8BF09B3C

content/static/mysshkeys.txt

@@ -7,3 +7,5 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDA76VvXrpw03opLO6nWnY+hOsxUkba1uDl8CRG6JXl
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+9wuMSMxDylwcKNJzr8Z+HkyuuxEi1MKiV9lEDD4o4FuCuo3COqfhxl4hx2+B8e2hPiCUmEhNhRDIQZ25JS+LEywOdDUAqODNnrD0Tc8ueb6zI9MEqwg4mHa+F6LoJJLfNBX1BSdDgg5AVZpH5wu5n6f6YAhPo+ZbzEmObNt/38PcZsl2FO5q0lNpf0phGowDze8oteuATc21tM96K+1CYony5rzDtB2J6554WlRltNufzH4UcUUBvOceiqKu6n/KhkTuVFq76Wp3ERstF0TGMP7M5jEB58cI1hdhfEiC/GL3WIwpbhMAMsrFZrFlJJiDdivvqBnWDPxjfaRLKPEtXryyQ5NPuvN27TpjiQGvLVqskFbPmkaVH5iI4F835g2xrk+qKKQGRTNNh0rVHPqCCPSvYvS/7cRkrfepB2V1bYGAdMHdF6NvJpe9VqWb5lcl3uJxcLQY4evvv+53HLVPAz2DIjr/IF/8mmoHLvdxHlihHmCDlem7Yg4NIWFrl8v48uEHCbaBxtGU+aWbleE0Lr3Lo1OqoqMyAyBMQSl11WfOgq4PELK39OEkJipCAvMFI/FSc9plVSmaHWMuJzGsHCsrBPWnD/CS/G38LLaxgg1mXNt6GHLmDwrWw38PTbN0sNtXm80x5ReVjpvvVooIUZerYJ18sb8bOZ7O2jLE5w== openpgp:0x591AFDCE
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWP/CfohVMxpsuryOPwh5F0o6TNret5patWZTF3hstZop5/ghlDO8vm5LRg2/a6VrP1e0rOnU24tGjO6VlhZguWfz7ixQAHx7AbjllnD+NIY5nKXSk6RtKk2D42NzO9c8XDbReaVYfd91UNswxe6SpAPw6SuKaMY/zL7as2qYpBsFdrr1oyKbgZMI2yPRJloJjklqlznJcUC4SzEaxtVSnZRIUdx3ANLzt5xNxWhYZ7048oGen4cRfiOtiTypW5uAOwovQulJVtpavo2GTD9sSpnFF9UQhgRkqT+oFRgHQnnOHUqazLsc4uRv0h6/6wSBl9SkKys33x0Zxl1zpxM+0iJDFVnn8HnXLvuRLMCXAg9QWCmKkrQJ/SFU213Qg21O62Nbet6bRfFGz+uz0+9GeMaARmhPbxEGEgqBrscaadeO+JRWntEcoULupKsU0Mc77/DX3UfEYGUgvA8FIFTgpiPnOuGI2K/6kP/QLMqZzLXRAgYO4U+vyOniPy9kHadQ9ZEuCX5inhZhOFi5v/ofI7532skXktbbm1ue46j+7xGHSVcoeuz02dZNtnLZP36vCCi8UkE3CAvuU0hLa/ZBeos6M3GNogdIQ+pzesZ6htQhZcGUR7XHmrFLDwAwV4JTJUfXZ5nMwm78+Oh1CptLyH7Ww4z/k3an8caggxP2+QQ== openpgp:0xCD137F0B
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJB1WXrw8nMK+L09KAoDVZQ7t5UzLII1+6hxXDQnBh0 openpgp:0x27A0A980
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC9ZZTUmyplzGlcEGktJu24Y58eOTujMyCdZNR8u8H7xTkZycvHqsszFYM5Y+5wAr9+bfDTSRdjHKB3LeIEPz7Y= 0x0CA69636
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm/2lNnOernN9XClZyyGl7gxx/eK8I7zFgDzyxK0clA8hkw0JsA+mGUajeXja8mwzOyjJWDDQYLHYZeXoutzBM= 0x8BF09B3C

readme.md

@@ -2,3 +2,4 @@
    - to serve it locally, use `hugo server --bind 0.0.0.0 --baseURL http://172.16.3.33:1313`
 
 
+