In my spare minutes here and there I’ve been playing with WinAutomation for automatic moderation of WordPress.com blogs.
Thus far I’ve been able to cobble together a job that logs in and checks pending comments. It is (usually) able to determine for each pending comment:
1. If the user is new (by checking a text file containing known usernames and emails for the known usernames)
2. If the user submitted the message via ‘certified’ credentials (WordPress, Facebook, Gmail or Twitter login)
3. If the user’s email address matches the email address in the known user / email file.
What does ‘(usually)’ mean? Well, it doesn’t make mistakes in processing the data, but every once in a while it hangs up. Web page elements aren’t found, or the page doesn’t load properly, or similar stuff. It’d need a good spit polish before going into real use.
Things that remain to be seen:
1. Can I successfully get WinAutomation to take action; trash comments with email address mismatches from known users?
2. Can I automatically add the username and email addresses of commenters who use ‘certified’ credentials to the existing authorized user file it keeps?
3. Can I get it to reject Tor browser exit points?
We shall see. 🙂 Eventually I’ll make public the WinAutomation jobs I’m writing, when they’re cleaned up enough.
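The checks listed above, written out as an added Python example; it is not the author's WinAutomation job. The file format (one `username,email` per line), the comment field names and the verdict labels are assumptions made for the illustration.

```python
import io

# Constructed sample of the known-user file; "username,email" per line is an assumed format.
KNOWN_USERS_SAMPLE = "Bob,bob@example.org\nSarah Penelope,sarah@example.org\n"

def norm(value):
    """Collapse case and whitespace so 'Bob ' and 'bob' count as the same name."""
    return " ".join(value.split()).casefold()

def load_known(fileobj):
    """Parse the known-user file into {normalized username: normalized email}."""
    known = {}
    for line in fileobj:
        if "," not in line:
            continue                      # skip blank or malformed lines
        user, email = line.rsplit(",", 1)
        known[norm(user)] = norm(email)
    return known

def classify(comment, known):
    """Return (verdict, learn) for one pending comment.

    comment is a dict with 'author', 'email' and 'certified' (True when the
    comment came through a WordPress/Facebook/Gmail/Twitter login).
    These field names are assumptions, not WordPress.com's own.
    """
    user, email = norm(comment["author"]), norm(comment["email"])
    if user in known:
        if known[user] == email:
            return "known-match", None
        return "trash", None              # known name, different email address
    if comment["certified"]:
        # New commenter with a certified login: candidate for the user file.
        return "new-certified", (user, email)
    return "new-uncertified", None        # new user, left pending for a human

if __name__ == "__main__":
    known = load_known(io.StringIO(KNOWN_USERS_SAMPLE))
    pending = {"author": " bob ", "email": "mallory@example.net", "certified": False}
    print(classify(pending, known))
```

Normalizing both the stored and the submitted values matters here: without it, a name that differs only in case or spacing would be treated as a new user instead of a mismatch.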
So, WordPress.com doesn’t allow the blogger to choose plugins. We rule out self hosting due to the hassles.
Note that a mechanism still exists by which functionality similar to a server side plugin can be implemented. This mechanism is simple: automating the interface the blogger actually uses for administration.
We could do this in a lot of ways. We could write programs in several languages to do this. But what if the blogger is not a programmer? Gotta trust some programmer with the keys to my blog? No thanks. Besides, it’s tedious even if you are an experienced developer. Unless you already specialize in it I suppose.
So I just bumped into WinAutomation and started playing with it. In the odd 15 minutes I’ve been looking at it I’ve gotten it to log on to my WordPress admin account. Looks promising; intuitive replay interface, pretty feature rich, it might be possible to get it to do sophisticated things. I particularly like that it can run programs; if a piece of functionality I need is missing it might be possible to write a simple app or three and let WinAutomation invoke them and process the results somehow.
You get 30 days for free; even after that it’s not an unreasonable price tag. I’ll be looking at this early this week.
So, public key signatures aren’t the way to go.
Mebbe something else.
You need to import Bob’s public key into your keyring at least once.
How do we do this?
It’s a bit of a pain. But once it’s done it’s done.
1. Copy the public key you want to import into notepad. Save it to some appropriately named file.
For example, if it’s Bob’s public key, save it as ‘bob.asc’.
2. In Kleopatra, click the ‘import certificates’ button near the top left.
3. Find the file you just saved. (Yes, the extension matters, it wants it to be .asc)
4. Click OK.
You’re not quite done. You need to set the trust level.
1. Right click on the certificate you’ve just imported, select Change Owner Trust.
2. Select ‘I believe checks are very accurate’.
Outstanding! Now you’ve got Bob’s public key, you shouldn’t ever need to do that again for Bob.
To verify that a comment is actually from Bob,
1. Copy his signed comment into the clipboard.
2. Alt Tab to Kleopatra or open it if it’s not already up.
3. Click ‘clipboard’
4. Click ‘decrypt/verify’
5. A green dialog saying ‘Signed By’ will pop up if it’s REALLY signed by Bob.
It’s a red dialog saying ‘Invalid Signature’ if it’s a forgery.
All there is to it!
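A scripted counterpart to the verification steps above, as an added Python example (not from the original post). It pulls the clearsigned block out of a comment posted inside `<pre>` tags, checks that the armor lines survived posting, and pins Bob's key by fingerprint, so a valid signature from some other key in the keyring does not count as Bob's. It assumes `gpg` is on the PATH, that the comment body is HTML with entities encoded, and that the caller supplies the expected 40-hex-digit fingerprint; the sample comment is constructed.

```python
import html
import re
import subprocess

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"

# Constructed comment body; the signature data is a placeholder, not a real signature.
SAMPLE = ("<pre>\n" + BEGIN + "\nHash: SHA256\n\nIt really is me &amp; I approve.\n"
          + SIG + "\n\nCONSTRUCTEDPLACEHOLDER=\n" + END + "\n</pre>")

def extract_clearsigned(comment_html):
    """Return the clearsigned block from a comment body, or None if it is damaged."""
    text = html.unescape(comment_html).replace("\r\n", "\n")
    start, end = text.find(BEGIN), text.find(END)
    if start < 0 or end < start:
        return None                        # armor lines missing or rewritten
    lines = text[start:end + len(END)].split("\n")
    try:
        blank = lines.index("", 1)         # empty line that ends the armor headers
    except ValueError:
        return None
    if not all(h.startswith("Hash: ") for h in lines[1:blank]):
        return None
    if SIG not in lines[blank:]:
        return None
    return "\n".join(lines) + "\n"

def signer_fingerprints(status_text):
    """Collect 40-hex key fingerprints from gpg's '[GNUPG:] VALIDSIG' status lines."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.update(p for p in parts[2:] if re.fullmatch(r"[0-9A-F]{40}", p))
    return found

def is_signed_by(comment_html, expected_fpr):
    """True only if gpg accepts the signature AND it was made by the pinned key."""
    block = extract_clearsigned(comment_html)
    if block is None:
        return False
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify"],
                          input=block.encode(), capture_output=True)
    status = proc.stdout.decode(errors="replace")
    return proc.returncode == 0 and expected_fpr.upper() in signer_fingerprints(status)
```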
It’s less complicated than it seems. The idea is, get your comment in the clipboard (by control-C copy), sign it with Kleopatra, and paste it back in for commenting, but bracket it with the <pre> and </pre> tags so WordPress doesn’t mutilate the headers.
1) Type in your comment, but don’t post it yet.
a. Copy your comment (select the text and hit Control C).
b. Run Kleopatra (or Alt-Tab over to it if it’s already up and running).
c. Click on the ‘Clipboard’ button on the top right of the Kleopatra dialog window.
d. Click on ‘OpenPGP-Sign’
e. If it’s not already the default, select your certificate.
f. Remember that passphrase you chose earlier? Time to enter that passphrase now!
g. If God is Good you will see ‘Signing Succeeded.’ The text in the clipboard is now signed! Click OK.
h. Alt Tab back to your browser and your unsigned comment. Wipe it out.
i. IMPORTANT. Type <pre> and press enter.
j. Paste in your signed comment by pressing Control V.
k. IMPORTANT. Type </pre> and press enter.
2) Post your signed comment!
So, I haven’t figured out the graceful way to do this from the Kleopatra gui yet.
1) Start, All Programs, Accessories, Command Prompt.
2) At the prompt, type:
gpg --export -a "user name" > pubkey.txt
a. Be sure to type the user name you entered when creating the keys instead of ‘user name’.
b. Put it in quotes if it’s not all one word; if there’s a space it needs quotes.
3) Now you’ve got a text copy of your public key in the file pubkey.txt
4) Find and open this file in Notepad.
5) Copy it (Control A Control C)
6) Go to the public key page on this website (here)
7) Add a comment with your blog username and email address
a. IMPORTANT. Type <pre> and press enter.
b. Hit Control V to paste in your public key.
c. IMPORTANT. Type </pre> and press enter.
8) Post the comment.
1. You ought to now be able to start ‘Kleopatra’.
a. If it’s not on your desktop, go to Start (usually in the bottom left corner of your Windows screen)
b. All Programs
If it’s on your desktop, you can just click that shortcut.
2. Click ‘file’, ‘new certificate’.
3. Select ‘Create a personal OpenPGP Pair’.
a. Enter the name you want to use. Example: Sarah Penelope
b. Enter some fake email address like firstname.lastname@example.org
c. Enter some short meaningless comment about the weather or kittens or something.
d. Click next.
4. Enter a passphrase. This is a password. You have to remember what you type here. It’s only for you to be able to access your key / certificate. I use the same passphrase for all my local keys and certificates.
5. With any luck, Gpg4Win will announce ‘Key Pair Successfully Created’. It will give you a bunch of next step options that I haven’t tried, you can ignore them if you like. Click ‘Finish’.