Allow users to update their OpenPGP pubkey

Document URLs for settings controller actions
No need to read the route sources all the time
2024-09-23 18:13:39 +02:00 · 2024-09-23 16:07:02 +02:00 · 2024-09-23 16:03:02 +02:00 · 2024-09-23 15:20:00 +02:00
38 changed files with 459 additions and 572 deletions
--- a/.npmrc
+++ b/.npmrc
@@ -1 +0,0 @@
-@jsr:registry=https://npm.jsr.io
--- a/2
+++ b/2
@@ -11,7 +11,7 @@ RUN apt-get update && apt-get install -y nodejs

 WORKDIR /akkounts

-COPY ["Gemfile", "Gemfile.lock", "package.json", "yarn.lock", "./"]
+COPY ["Gemfile", "Gemfile.lock", "package.json", "./"]

 RUN bundle install
 RUN gem install foreman
--- a/2
+++ b/2
@@ -44,6 +44,8 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
+gem 'gpgme', '~> 2.0.24'
+gem 'zbase32', '~> 0.1.1'

 # HTTP requests
 gem 'faraday'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -197,6 +197,8 @@ GEM
      raabro (~> 1.4)
    globalid (1.2.1)
      activesupport (>= 6.1)
+    gpgme (2.0.24)
+      mini_portile2 (~> 2.7)
    hashdiff (1.1.0)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
@@ -483,6 +485,7 @@ GEM
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yard (0.9.34)
+    zbase32 (0.1.1)
    zeitwerk (2.6.12)

 PLATFORMS
@@ -507,6 +510,7 @@ DEPENDENCIES
  flipper
  flipper-active_record
  flipper-ui
+  gpgme (~> 2.0.24)
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
@@ -540,6 +544,7 @@ DEPENDENCIES
  warden
  web-console (~> 4.2)
  webmock
+  zbase32 (~> 0.1.1)

 BUNDLED WITH
-   2.5.11
+   2.5.5
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])

-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)

    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
    end
  end

+  # PUT /settings/:section
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar]
+    @user.pgp_pubkey   = user_params[:pgp_pubkey]

    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -35,6 +37,10 @@ class SettingsController < ApplicationController
        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
      end

+      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
+        UserManager::UpdatePgpKey.call(user: @user)
+      end
+
      redirect_to setting_path(@settings_section), flash: {
        success: 'Settings saved.'
      }
@@ -44,6 +50,7 @@ class SettingsController < ApplicationController
    end
  end

+  # POST /settings/update_email
  def update_email
    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
@@ -61,6 +68,7 @@ class SettingsController < ApplicationController
    end
  end

+  # POST /settings/reset_email_password
  def reset_email_password
    @user.current_password = security_params[:current_password]

@@ -83,6 +91,7 @@ class SettingsController < ApplicationController
    end
  end

+  # POST /settings/reset_password
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -90,6 +99,7 @@ class SettingsController < ApplicationController
    redirect_to check_your_email_path, notice: msg
  end

+  # POST /settings/set_nostr_pubkey
  def set_nostr_pubkey
    signed_event = Nostr::Event.new(**nostr_event_from_params)

@@ -152,7 +162,8 @@ class SettingsController < ApplicationController

    def user_params
      params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar, :pgp_pubkey,
+        preferences: UserPreferences.pref_keys
      )
    end

--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,7 +96,7 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil

-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
--- a/app/javascript/controllers/nostr_login_controller.js
+++ b/app/javascript/controllers/nostr_login_controller.js
@@ -1,5 +1,4 @@
 import { Controller } from "@hotwired/stimulus"
-// import { Nostrify } from '@nostrify/nostrify';

 // Connects to data-controller="nostr-login"
 export default class extends Controller {
@@ -7,9 +6,6 @@ export default class extends Controller {
  static values  = { site: String, sharedSecret: String }

  connect() {
-    // window.Nostrify = Nostrify;
-    // console.log(Nostrify);
-
    if (window.nostr) {
      this.loginButtonTarget.disabled = false
      this.loginFormTarget.classList.remove("hidden")
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable

-  attr_accessor :display_name
-  attr_accessor :avatar_new
  attr_accessor :current_password
+  attr_accessor :avatar_new
+  attr_accessor :display_name
+  attr_accessor :pgp_pubkey

  serialize :preferences, coder: UserPreferences

@@ -51,6 +52,8 @@ class User < ApplicationRecord

  validate :acceptable_avatar

+  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
+
  #
  # Scopes
  #
@@ -165,6 +168,23 @@ class User < ApplicationRecord
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end

+  def pgp_pubkey
+    @pgp_pubkey ||= ldap_entry[:pgp_key]
+  end
+
+  def gnupg_key
+    return nil unless pgp_pubkey.present?
+    @gnupg_key ||= GPGME::Key.get(pgp_fpr)
+  end
+
+  def pgp_pubkey_contains_user_address?
+    gnupg_key.uids.map(&:email).include?(address)
+  end
+
+  def wkd_hash
+    ZBase32.encode(Digest::SHA1.digest(cn))
+  end
+
  def avatar
    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
@@ -214,4 +234,10 @@ class User < ApplicationRecord
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
+
+    def acceptable_pgp_key_format
+      unless GPGME::Key.valid?(pgp_pubkey)
+        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
+      end
+    end
 end
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -1,54 +0,0 @@
-class CreateAccount < ApplicationService
-  def initialize(account:)
-    @username   = account[:username]
-    @domain     = account[:ou] || Setting.primary_domain
-    @email      = account[:email]
-    @password   = account[:password]
-    @invitation = account[:invitation]
-    @confirmed  = account[:confirmed]
-  end
-
-  def call
-    user = create_user_in_database
-    add_ldap_document
-    create_lndhub_account(user) if Setting.lndhub_enabled
-
-    if @invitation.present?
-      update_invitation(user.id)
-    end
-  end
-
-  private
-
-  def create_user_in_database
-    User.create!(
-      cn: @username,
-      ou: @domain,
-      email: @email,
-      password: @password,
-      password_confirmation: @password,
-      confirmed_at: @confirmed ? DateTime.now : nil
-    )
-  end
-
-  def update_invitation(user_id)
-    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
-  end
-
-  def add_ldap_document
-    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
-    CreateLdapUserJob.perform_later(
-      username: @username,
-      domain: @domain,
-      email: @email,
-      hashed_pw: hashed_pw,
-      confirmed: @confirmed
-    )
-  end
-
-  def create_lndhub_account(user)
-    #TODO enable in development when we have a local lndhub (mock?) API
-    return if Rails.env.development?
-    CreateLndhubAccountJob.perform_later(user)
-  end
-end
--- a/app/services/create_invitations.rb
+++ b/app/services/create_invitations.rb
@@ -1,17 +0,0 @@
-class CreateInvitations < ApplicationService
-  def initialize(user:, amount:, notify: true)
-    @user = user
-    @amount = amount
-    @notify = notify
-  end
-
-  def call
-    @amount.times do
-      Invitation.create(user: @user)
-    end
-
-    if @notify
-      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
-    end
-  end
-end
--- a/app/services/ldap_manager/update_pgp_key.rb
+++ b/app/services/ldap_manager/update_pgp_key.rb
@@ -0,0 +1,16 @@
+module LdapManager
+  class UpdatePgpKey < LdapManagerService
+    def initialize(dn:, pubkey:)
+      @dn = dn
+      @pubkey = pubkey
+    end
+
+    def call
+      if @pubkey.present?
+        replace_attribute @dn, :pgpKey, @pubkey
+      else
+        delete_attribute @dn, :pgpKey
+      end
+    end
+  end
+end
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -58,7 +58,7 @@ class LdapService < ApplicationService

    attributes = %w[
      dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey
+      mailRoutingAddress mailpassword nostrKey pgpKey
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")

@@ -73,7 +73,8 @@ class LdapService < ApplicationService
        services_enabled: e.try(:serviceEnabled),
        email_maildrop: e.try(:mailRoutingAddress),
        email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
+        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
      }
    end
  end
@@ -101,7 +102,7 @@ class LdapService < ApplicationService
    dn = "ou=#{ou},cn=users,#{ldap_suffix}"

    aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
    EOS

    attrs = {
--- a/app/services/user_manager/create_account.rb
+++ b/app/services/user_manager/create_account.rb
@@ -0,0 +1,56 @@
+module UserManager
+  class CreateAccount < UserManagerService
+    def initialize(account:)
+      @username   = account[:username]
+      @domain     = account[:ou] || Setting.primary_domain
+      @email      = account[:email]
+      @password   = account[:password]
+      @invitation = account[:invitation]
+      @confirmed  = account[:confirmed]
+    end
+
+    def call
+      user = create_user_in_database
+      add_ldap_document
+      create_lndhub_account(user) if Setting.lndhub_enabled
+
+      if @invitation.present?
+        update_invitation(user.id)
+      end
+    end
+
+    private
+
+    def create_user_in_database
+      User.create!(
+        cn: @username,
+        ou: @domain,
+        email: @email,
+        password: @password,
+        password_confirmation: @password,
+        confirmed_at: @confirmed ? DateTime.now : nil
+      )
+    end
+
+    def update_invitation(user_id)
+      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
+    end
+
+    def add_ldap_document
+      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
+      CreateLdapUserJob.perform_later(
+        username: @username,
+        domain: @domain,
+        email: @email,
+        hashed_pw: hashed_pw,
+        confirmed: @confirmed
+      )
+    end
+
+    def create_lndhub_account(user)
+      #TODO enable in development when we have a local lndhub (mock?) API
+      return if Rails.env.development?
+      CreateLndhubAccountJob.perform_later(user)
+    end
+  end
+end
--- a/app/services/user_manager/create_invitations.rb
+++ b/app/services/user_manager/create_invitations.rb
@@ -0,0 +1,19 @@
+module UserManager
+  class CreateInvitations < UserManagerService
+    def initialize(user:, amount:, notify: true)
+      @user = user
+      @amount = amount
+      @notify = notify
+    end
+
+    def call
+      @amount.times do
+        Invitation.create(user: @user)
+      end
+
+      if @notify
+        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
+      end
+    end
+  end
+end
--- a/app/services/user_manager/update_pgp_key.rb
+++ b/app/services/user_manager/update_pgp_key.rb
@@ -0,0 +1,24 @@
+module UserManager
+  class UpdatePgpKey < UserManagerService
+    def initialize(user:)
+      @user = user
+    end
+
+    def call
+      if @user.pgp_pubkey.blank?
+        @user.update! pgp_fpr: nil
+      else
+        result = GPGME::Key.import(@user.pgp_pubkey)
+
+        if result.imports.present?
+          @user.update! pgp_fpr: result.imports.first.fpr
+        else
+          # TODO notify Sentry, user
+          raise "Failed to import OpenPGP pubkey"
+        end
+      end
+
+      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
+    end
+  end
+end
--- a/app/services/user_manager_service.rb
+++ b/app/services/user_manager_service.rb
@@ -0,0 +1,2 @@
+class UserManagerService < ApplicationService
+end
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -184,7 +184,7 @@
          <td>XMPP (ejabberd)</td>
          <td>
            <%= render FormElements::ToggleComponent.new(
-              enabled: @services_enabled.include?("ejabberd"),
+              enabled: @services_enabled.include?("xmpp"),
              input_enabled: false
            ) %>
          </td>
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -1,6 +1,6 @@
 <%= tag.section data: {
      controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors.present?
+      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
    } do %>
  <h3>E-Mail</h3>
  <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
        </span>
      </button>
    </p>
-    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+    <% if @validation_errors&.[](:email)&.present? %>
      <p class="error-msg"><%= @validation_errors[:email].first %></p>
    <% end %>
    <div class="initial-hidden">
@@ -41,10 +41,33 @@
 <% end %>
 <section>
  <h3>Password</h3>
-  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
  <%= form_with(url: reset_password_settings_path, method: :post) do %>
    <p>
      <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
    </p>
  <% end %>
 </section>
+<%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
+  <section class="!pt-8 sm:!pt-12">
+    <h3>OpenPGP</h3>
+    <ul role="list">
+      <%= render FormElements::FieldsetComponent.new(
+            title: "Public key",
+            description: "Your OpenPGP public key in ASCII Armor format ([example])"
+          ) do %>
+        <%= f.text_area :pgp_pubkey,
+          value: @user.pgp_pubkey,
+          class: "h-24 w-full" %>
+        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
+          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
+        <% end %>
+      <% end %>
+    </ul>
+  </section>
+  <section>
+    <p class="pt-6 border-t border-gray-200 text-right">
+      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
+    </p>
+  </section>
+<% end %>
--- a/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
+++ b/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
@@ -0,0 +1,5 @@
+class AddPgpFprToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :pgp_fpr, :string
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
+ActiveRecord::Schema[7.1].define(version: 2024_09_22_205634) do
  create_table "active_storage_attachments", force: :cascade do |t|
    t.string "name", null: false
    t.string "record_type", null: false
@@ -132,6 +132,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
    t.datetime "remember_created_at"
    t.string "remember_token"
    t.text "preferences"
+    t.string "pgp_fpr"
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
  end
--- a/deno.lock
+++ b/deno.lock
@@ -1,245 +0,0 @@
-{
-  "version": "3",
-  "packages": {
-    "specifiers": {
-      "jsr:@deno/cache-dir@0.8": "jsr:@deno/cache-dir@0.8.0",
-      "jsr:@deno/emit": "jsr:@deno/emit@0.45.0",
-      "jsr:@luca/esbuild-deno-loader@0.9": "jsr:@luca/esbuild-deno-loader@0.9.0",
-      "jsr:@std/assert@^0.213.1": "jsr:@std/assert@0.213.1",
-      "jsr:@std/assert@^0.218.2": "jsr:@std/assert@0.218.2",
-      "jsr:@std/assert@^0.223.0": "jsr:@std/assert@0.223.0",
-      "jsr:@std/bytes@^0.218.2": "jsr:@std/bytes@0.218.2",
-      "jsr:@std/encoding@0.213": "jsr:@std/encoding@0.213.1",
-      "jsr:@std/fmt@^0.218.2": "jsr:@std/fmt@0.218.2",
-      "jsr:@std/fs@^0.218.2": "jsr:@std/fs@0.218.2",
-      "jsr:@std/io@^0.218.2": "jsr:@std/io@0.218.2",
-      "jsr:@std/jsonc@0.213": "jsr:@std/jsonc@0.213.1",
-      "jsr:@std/path@0.213": "jsr:@std/path@0.213.1",
-      "jsr:@std/path@^0.218.2": "jsr:@std/path@0.218.2",
-      "jsr:@std/path@^0.223.0": "jsr:@std/path@0.223.0",
-      "npm:esbuild@0.20": "npm:esbuild@0.20.2"
-    },
-    "jsr": {
-      "@deno/cache-dir@0.8.0": {
-        "integrity": "e87e80a404958f6350d903e6238b72afb92468378b0b32111f7a1e4916ac7fe7",
-        "dependencies": [
-          "jsr:@std/fmt@^0.218.2",
-          "jsr:@std/fs@^0.218.2",
-          "jsr:@std/io@^0.218.2",
-          "jsr:@std/path@^0.218.2"
-        ]
-      },
-      "@deno/emit@0.45.0": {
-        "integrity": "b59d632e61dbe4be7e9e61235f02ad08ff124c714c31deb080c4de778da1894d",
-        "dependencies": [
-          "jsr:@deno/cache-dir@0.8",
-          "jsr:@std/path@^0.223.0"
-        ]
-      },
-      "@luca/esbuild-deno-loader@0.9.0": {
-        "integrity": "288bbcede5c8a6f97e635f8fa4df779b13440ee0c0506d9e478fb6537789dc93",
-        "dependencies": [
-          "jsr:@std/encoding@0.213",
-          "jsr:@std/jsonc@0.213",
-          "jsr:@std/path@0.213",
-          "npm:esbuild@0.20"
-        ]
-      },
-      "@std/assert@0.213.1": {
-        "integrity": "24c28178b30c8e0782c18e8e94ea72b16282207569cdd10ffb9d1d26f2edebfe"
-      },
-      "@std/assert@0.218.2": {
-        "integrity": "7f0a5a1a8cf86607cd6c2c030584096e1ffad27fc9271429a8cb48cfbdee5eaf"
-      },
-      "@std/assert@0.223.0": {
-        "integrity": "eb8d6d879d76e1cc431205bd346ed4d88dc051c6366365b1af47034b0670be24"
-      },
-      "@std/bytes@0.218.2": {
-        "integrity": "91fe54b232dcca73856b79a817247f4a651dbb60d51baafafb6408c137241670"
-      },
-      "@std/encoding@0.213.1": {
-        "integrity": "fcbb6928713dde941a18ca5db88ca1544d0755ec8fb20fe61e2dc8144b390c62"
-      },
-      "@std/fmt@0.218.2": {
-        "integrity": "99526449d2505aa758b6cbef81e7dd471d8b28ec0dcb1491d122b284c548788a"
-      },
-      "@std/fs@0.218.2": {
-        "integrity": "dd9431453f7282e8c577cc22c9e6d036055a9a980b5549f887d6012969fabcca"
-      },
-      "@std/io@0.218.2": {
-        "integrity": "c64fbfa087b7c9d4d386c5672f291f607d88cb7d44fc299c20c713e345f2785f",
-        "dependencies": [
-          "jsr:@std/assert@^0.218.2",
-          "jsr:@std/bytes@^0.218.2"
-        ]
-      },
-      "@std/jsonc@0.213.1": {
-        "integrity": "5578f21aa583b7eb7317eed077ffcde47b294f1056bdbb9aacec407758637bfe",
-        "dependencies": [
-          "jsr:@std/assert@^0.213.1"
-        ]
-      },
-      "@std/path@0.213.1": {
-        "integrity": "f187bf278a172752e02fcbacf6bd78a335ed320d080a7ed3a5a59c3e88abc673",
-        "dependencies": [
-          "jsr:@std/assert@^0.213.1"
-        ]
-      },
-      "@std/path@0.218.2": {
-        "integrity": "b568fd923d9e53ad76d17c513e7310bda8e755a3e825e6289a0ce536404e2662",
-        "dependencies": [
-          "jsr:@std/assert@^0.218.2"
-        ]
-      },
-      "@std/path@0.223.0": {
-        "integrity": "593963402d7e6597f5a6e620931661053572c982fc014000459edc1f93cc3989",
-        "dependencies": [
-          "jsr:@std/assert@^0.223.0"
-        ]
-      }
-    },
-    "npm": {
-      "@esbuild/aix-ppc64@0.20.2": {
-        "integrity": "sha512-D+EBOJHXdNZcLJRBkhENNG8Wji2kgc9AZ9KiPr1JuZjsNtyHzrsfLRrY0tk2H2aoFu6RANO1y1iPPUCDYWkb5g==",
-        "dependencies": {}
-      },
-      "@esbuild/android-arm64@0.20.2": {
-        "integrity": "sha512-mRzjLacRtl/tWU0SvD8lUEwb61yP9cqQo6noDZP/O8VkwafSYwZ4yWy24kan8jE/IMERpYncRt2dw438LP3Xmg==",
-        "dependencies": {}
-      },
-      "@esbuild/android-arm@0.20.2": {
-        "integrity": "sha512-t98Ra6pw2VaDhqNWO2Oph2LXbz/EJcnLmKLGBJwEwXX/JAN83Fym1rU8l0JUWK6HkIbWONCSSatf4sf2NBRx/w==",
-        "dependencies": {}
-      },
-      "@esbuild/android-x64@0.20.2": {
-        "integrity": "sha512-btzExgV+/lMGDDa194CcUQm53ncxzeBrWJcncOBxuC6ndBkKxnHdFJn86mCIgTELsooUmwUm9FkhSp5HYu00Rg==",
-        "dependencies": {}
-      },
-      "@esbuild/darwin-arm64@0.20.2": {
-        "integrity": "sha512-4J6IRT+10J3aJH3l1yzEg9y3wkTDgDk7TSDFX+wKFiWjqWp/iCfLIYzGyasx9l0SAFPT1HwSCR+0w/h1ES/MjA==",
-        "dependencies": {}
-      },
-      "@esbuild/darwin-x64@0.20.2": {
-        "integrity": "sha512-tBcXp9KNphnNH0dfhv8KYkZhjc+H3XBkF5DKtswJblV7KlT9EI2+jeA8DgBjp908WEuYll6pF+UStUCfEpdysA==",
-        "dependencies": {}
-      },
-      "@esbuild/freebsd-arm64@0.20.2": {
-        "integrity": "sha512-d3qI41G4SuLiCGCFGUrKsSeTXyWG6yem1KcGZVS+3FYlYhtNoNgYrWcvkOoaqMhwXSMrZRl69ArHsGJ9mYdbbw==",
-        "dependencies": {}
-      },
-      "@esbuild/freebsd-x64@0.20.2": {
-        "integrity": "sha512-d+DipyvHRuqEeM5zDivKV1KuXn9WeRX6vqSqIDgwIfPQtwMP4jaDsQsDncjTDDsExT4lR/91OLjRo8bmC1e+Cw==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-arm64@0.20.2": {
-        "integrity": "sha512-9pb6rBjGvTFNira2FLIWqDk/uaf42sSyLE8j1rnUpuzsODBq7FvpwHYZxQ/It/8b+QOS1RYfqgGFNLRI+qlq2A==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-arm@0.20.2": {
-        "integrity": "sha512-VhLPeR8HTMPccbuWWcEUD1Az68TqaTYyj6nfE4QByZIQEQVWBB8vup8PpR7y1QHL3CpcF6xd5WVBU/+SBEvGTg==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-ia32@0.20.2": {
-        "integrity": "sha512-o10utieEkNPFDZFQm9CoP7Tvb33UutoJqg3qKf1PWVeeJhJw0Q347PxMvBgVVFgouYLGIhFYG0UGdBumROyiig==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-loong64@0.20.2": {
-        "integrity": "sha512-PR7sp6R/UC4CFVomVINKJ80pMFlfDfMQMYynX7t1tNTeivQ6XdX5r2XovMmha/VjR1YN/HgHWsVcTRIMkymrgQ==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-mips64el@0.20.2": {
-        "integrity": "sha512-4BlTqeutE/KnOiTG5Y6Sb/Hw6hsBOZapOVF6njAESHInhlQAghVVZL1ZpIctBOoTFbQyGW+LsVYZ8lSSB3wkjA==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-ppc64@0.20.2": {
-        "integrity": "sha512-rD3KsaDprDcfajSKdn25ooz5J5/fWBylaaXkuotBDGnMnDP1Uv5DLAN/45qfnf3JDYyJv/ytGHQaziHUdyzaAg==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-riscv64@0.20.2": {
-        "integrity": "sha512-snwmBKacKmwTMmhLlz/3aH1Q9T8v45bKYGE3j26TsaOVtjIag4wLfWSiZykXzXuE1kbCE+zJRmwp+ZbIHinnVg==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-s390x@0.20.2": {
-        "integrity": "sha512-wcWISOobRWNm3cezm5HOZcYz1sKoHLd8VL1dl309DiixxVFoFe/o8HnwuIwn6sXre88Nwj+VwZUvJf4AFxkyrQ==",
-        "dependencies": {}
-      },
-      "@esbuild/linux-x64@0.20.2": {
-        "integrity": "sha512-1MdwI6OOTsfQfek8sLwgyjOXAu+wKhLEoaOLTjbijk6E2WONYpH9ZU2mNtR+lZ2B4uwr+usqGuVfFT9tMtGvGw==",
-        "dependencies": {}
-      },
-      "@esbuild/netbsd-x64@0.20.2": {
-        "integrity": "sha512-K8/DhBxcVQkzYc43yJXDSyjlFeHQJBiowJ0uVL6Tor3jGQfSGHNNJcWxNbOI8v5k82prYqzPuwkzHt3J1T1iZQ==",
-        "dependencies": {}
-      },
-      "@esbuild/openbsd-x64@0.20.2": {
-        "integrity": "sha512-eMpKlV0SThJmmJgiVyN9jTPJ2VBPquf6Kt/nAoo6DgHAoN57K15ZghiHaMvqjCye/uU4X5u3YSMgVBI1h3vKrQ==",
-        "dependencies": {}
-      },
-      "@esbuild/sunos-x64@0.20.2": {
-        "integrity": "sha512-2UyFtRC6cXLyejf/YEld4Hajo7UHILetzE1vsRcGL3earZEW77JxrFjH4Ez2qaTiEfMgAXxfAZCm1fvM/G/o8w==",
-        "dependencies": {}
-      },
-      "@esbuild/win32-arm64@0.20.2": {
-        "integrity": "sha512-GRibxoawM9ZCnDxnP3usoUDO9vUkpAxIIZ6GQI+IlVmr5kP3zUq+l17xELTHMWTWzjxa2guPNyrpq1GWmPvcGQ==",
-        "dependencies": {}
-      },
-      "@esbuild/win32-ia32@0.20.2": {
-        "integrity": "sha512-HfLOfn9YWmkSKRQqovpnITazdtquEW8/SoHW7pWpuEeguaZI4QnCRW6b+oZTztdBnZOS2hqJ6im/D5cPzBTTlQ==",
-        "dependencies": {}
-      },
-      "@esbuild/win32-x64@0.20.2": {
-        "integrity": "sha512-N49X4lJX27+l9jbLKSqZ6bKNjzQvHaT8IIFUy+YIqmXQdjYCToGWwOItDrfby14c78aDd5NHQl29xingXfCdLQ==",
-        "dependencies": {}
-      },
-      "esbuild@0.20.2": {
-        "integrity": "sha512-WdOOppmUNU+IbZ0PaDiTst80zjnrOkyJNHoKupIcVyU8Lvla3Ugx94VzkQ32Ijqd7UhHJy75gNWDMUekcrSJ6g==",
-        "dependencies": {
-          "@esbuild/aix-ppc64": "@esbuild/aix-ppc64@0.20.2",
-          "@esbuild/android-arm": "@esbuild/android-arm@0.20.2",
-          "@esbuild/android-arm64": "@esbuild/android-arm64@0.20.2",
-          "@esbuild/android-x64": "@esbuild/android-x64@0.20.2",
-          "@esbuild/darwin-arm64": "@esbuild/darwin-arm64@0.20.2",
-          "@esbuild/darwin-x64": "@esbuild/darwin-x64@0.20.2",
-          "@esbuild/freebsd-arm64": "@esbuild/freebsd-arm64@0.20.2",
-          "@esbuild/freebsd-x64": "@esbuild/freebsd-x64@0.20.2",
-          "@esbuild/linux-arm": "@esbuild/linux-arm@0.20.2",
-          "@esbuild/linux-arm64": "@esbuild/linux-arm64@0.20.2",
-          "@esbuild/linux-ia32": "@esbuild/linux-ia32@0.20.2",
-          "@esbuild/linux-loong64": "@esbuild/linux-loong64@0.20.2",
-          "@esbuild/linux-mips64el": "@esbuild/linux-mips64el@0.20.2",
-          "@esbuild/linux-ppc64": "@esbuild/linux-ppc64@0.20.2",
-          "@esbuild/linux-riscv64": "@esbuild/linux-riscv64@0.20.2",
-          "@esbuild/linux-s390x": "@esbuild/linux-s390x@0.20.2",
-          "@esbuild/linux-x64": "@esbuild/linux-x64@0.20.2",
-          "@esbuild/netbsd-x64": "@esbuild/netbsd-x64@0.20.2",
-          "@esbuild/openbsd-x64": "@esbuild/openbsd-x64@0.20.2",
-          "@esbuild/sunos-x64": "@esbuild/sunos-x64@0.20.2",
-          "@esbuild/win32-arm64": "@esbuild/win32-arm64@0.20.2",
-          "@esbuild/win32-ia32": "@esbuild/win32-ia32@0.20.2",
-          "@esbuild/win32-x64": "@esbuild/win32-x64@0.20.2"
-        }
-      }
-    }
-  },
-  "remote": {
-    "https://deno.land/x/denoflate@1.2.1/mod.ts": "f5628e44b80b3d80ed525afa2ba0f12408e3849db817d47a883b801f9ce69dd6",
-    "https://deno.land/x/denoflate@1.2.1/pkg/denoflate.js": "b9f9ad9457d3f12f28b1fb35c555f57443427f74decb403113d67364e4f2caf4",
-    "https://deno.land/x/denoflate@1.2.1/pkg/denoflate_bg.wasm.js": "d581956245407a2115a3d7e8d85a9641c032940a8e810acbd59ca86afd34d44d",
-    "https://deno.land/x/esbuild@v0.20.1/mod.js": "d50e500b53ce67e31116beba3916b0f9275c0e1cc20bc5cadc0fc1b7a3b06fd9"
-  },
-  "workspace": {
-    "packageJson": {
-      "dependencies": [
-        "npm:@jsr/nostrify__nostrify",
-        "npm:@tailwindcss/forms@^0.5.3",
-        "npm:autoprefixer@^10.4.13",
-        "npm:postcss-flexbugs-fixes@^5.0.2",
-        "npm:postcss-import@^15.0.1",
-        "npm:postcss-nested@^6.0.0",
-        "npm:postcss-preset-env@^7.8.3",
-        "npm:postcss@^8.4.19",
-        "npm:tailwindcss@^3.2.4"
-      ]
-    }
-  }
-}
--- a/lib/tasks/deno.rake
+++ b/lib/tasks/deno.rake
@@ -1,14 +0,0 @@
-namespace :deno do
-  desc "Download and prepare a Deno package for importmap"
-  task :prepare, [:package, :version] => :environment do |t, args|
-    unless args[:package] && args[:version]
-      raise "Usage: rake deno:prepare[package-name,version]"
-    end
-
-    # Build the package
-    system "deno run -A scripts/build_deno_package.ts #{args[:package]} #{args[:version]}"
-
-    # Pin the package using importmap
-    # system "bin/importmap pin #{args[:package]} --to vendor/javascript/#{args[:package]}/build.js"
-  end
-end
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -21,7 +21,7 @@ namespace :ldap do

  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "add")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
@@ -29,7 +29,7 @@ namespace :ldap do

  desc "Delete custom attributes from schema"
  task delete_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "delete")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
--- a/package.json
+++ b/package.json
@@ -2,7 +2,6 @@
  "name": "akkounts",
  "private": true,
  "dependencies": {
-    "@nostrify/nostrify": "npm:@jsr/nostrify__nostrify",
    "@tailwindcss/forms": "^0.5.3",
    "autoprefixer": "^10.4.13",
    "postcss": "^8.4.19",
--- a/schemas/ldap/pgp_key.ldif
+++ b/schemas/ldap/pgp_key.ldif
@@ -0,0 +1,8 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( 1.3.6.1.4.1.3401.8.2.11
+  NAME 'pgpKey'
+  DESC 'OpenPGP public key block'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
--- a/scripts/build_deno_package.ts
+++ b/scripts/build_deno_package.ts
@@ -1,18 +0,0 @@
-import { bundle } from "jsr:@deno/emit";
-
-const [packageName, version] = Deno.args;
-
-if (!packageName || !version) {
-  console.error('Usage: deno run -A build_deno_package.ts <package-name> <version>');
-  process.exit(1);
-}
-
-const result = await bundle(
-  new URL(`https://jsr.io/${packageName}/${version}/mod.ts`),
-);
-const { code } = result;
-const buildFolder = `vendor/javascript/${packageName}`;
-const buildFile = `${buildFolder}/build.js`
-await Deno.mkdir(buildFolder, { recursive: true });
-
-Deno.writeTextFileSync(buildFile, code);
--- a/spec/features/settings/account_spec.rb
+++ b/spec/features/settings/account_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe 'Account settings', type: :feature do
        .with("invalid password").and_return(false)
      allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
        .with("valid password").and_return(true)
+      allow_any_instance_of(User).to receive(:pgp_pubkey).and_return(nil)
    end

    scenario 'fails with invalid password' do
@@ -55,4 +56,44 @@ RSpec.describe 'Account settings', type: :feature do
      end
    end
  end
+
+  feature "Update OpenPGP key" do
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+
+    before do
+      login_as user, :scope => :user
+      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+        uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
+      })
+    end
+
+    scenario 'rejects an invalid key' do
+      expect(UserManager::UpdatePgpKey).not_to receive(:call)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: invalid_key
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".error-msg" do
+        expect(page).to have_content("This is not a valid armored PGP public key block")
+      end
+    end
+
+    scenario 'stores a valid key' do
+      expect(UserManager::UpdatePgpKey).to receive(:call)
+        .with(user: user).and_return(true)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: valid_key_alice
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".flash-msg" do
+        expect(page).to have_content("Settings saved")
+      end
+    end
+  end
 end
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe 'Profile settings', type: :feature do
    allow(user).to receive(:display_name).and_return("Mark")
    allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
    allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark"
+      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
    })
    allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)

--- a/spec/features/signup_spec.rb
+++ b/spec/features/signup_spec.rb
@@ -52,7 +52,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Continue"
      expect(page).to have_content("Choose a password")

-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
@@ -96,7 +96,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Create account"
      expect(page).to have_content("Password is too short")

-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
--- a/spec/fixtures/files/pgp_key_invalid.asc
+++ b/spec/fixtures/files/pgp_key_invalid.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
+ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
+MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
+dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
+OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
+E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
+DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
+0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
+=iIGO
+-----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_alice.asc
+++ b/spec/fixtures/files/pgp_key_valid_alice.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Alice's OpenPGP certificate
+Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html
+
+mDMEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U
+b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
+ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
+MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
+dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
+OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
+E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
+DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
+0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
+=iIGO
+
+-----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_jimmy.asc
+++ b/spec/fixtures/files/pgp_key_valid_jimmy.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZvFjRhYJKwYBBAHaRw8BAQdACUxVX9bGlbuNR0MNYUyHHxTcOgm4qjwq8Bjg
+7P41OFK0GEppbW15IDxqaW1teUBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEEMWv1FiNt
+r3cjaxX2BX2Tly+4YsMFAmbxY0YCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
+AwECHgcCF4AACgkQBX2Tly+4YsMjHgEAoOOLrv9pWbi8hhrSMkqJ7FJvsBTQF//U
+aJUQRa8CTgoBAI3kyGKZ8gOC8UOOKsUC0LiNCVXPyX45h8T4QFRdEVYKuDgEZvFj
+RhIKKwYBBAGXVQEFAQEHQIomqcQ59UjtQex54pz8qGqyxCj2DPJYUat9pXinDgN8
+AwEIB4h+BBgWCgAmFiEEMWv1FiNtr3cjaxX2BX2Tly+4YsMFAmbxY0YCGwwFCQWj
+moAACgkQBX2Tly+4YsPoVgEA/9Q5Gs1klP4u/nw343V57e9s4RKmEiRSkErnC9wW
+Iu0A/jp6Elz2pDQPB2XLwcb+n7JlgA05HI0zWj1+EoM7TC4J
+=KQbn
+-----END PGP PUBLIC KEY BLOCK-----
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1,20 +1,16 @@
 require 'rails_helper'

 RSpec.describe User, type: :model do
-  let(:user) { create :user, cn: "philipp" }
+  let(:user) { create :user, cn: "philipp", ou: "kosmos.org", email: "philipp@example.com" }
  let(:dn) { "cn=philipp,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }

  describe "#address" do
-    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
-
    it "returns the user address" do
-      expect(user.address).to eq("jimmy@kosmos.org")
+      expect(user.address).to eq("philipp@kosmos.org")
    end
  end

  describe "#mastodon_address" do
-    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
-
    context "Mastodon service not configured" do
      before do
        Setting.mastodon_enabled = false
@@ -32,7 +28,7 @@ RSpec.describe User, type: :model do

      describe "domain is the same as primary domain" do
        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.org")
+          expect(user.mastodon_address).to eq("philipp@kosmos.org")
        end
      end

@@ -42,7 +38,7 @@ RSpec.describe User, type: :model do
        end

        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.social")
+          expect(user.mastodon_address).to eq("philipp@kosmos.social")
        end
      end

@@ -239,7 +235,7 @@ RSpec.describe User, type: :model do

  describe "#nostr_pubkey" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end

@@ -250,7 +246,7 @@ RSpec.describe User, type: :model do

  describe "#nostr_pubkey_bech32" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end

@@ -258,4 +254,73 @@ RSpec.describe User, type: :model do
      expect(user.nostr_pubkey_bech32).to eq("npub1qlsc3g0lsl8pw8230w8d9wm6xxcax3f6pkemz5measrmwfxjxteslf2hac")
    end
  end
+
+  describe "OpenPGP key" do
+    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
+    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+
+    before do
+      GPGME::Key.import(valid_key_alice)
+      GPGME::Key.import(valid_key_jimmy)
+      alice.update pgp_fpr: fingerprint_alice
+      jimmy.update pgp_fpr: fingerprint_jimmy
+      allow(alice).to receive(:ldap_entry).and_return({ pgp_key: valid_key_alice })
+      allow(jimmy).to receive(:ldap_entry).and_return({ pgp_key: valid_key_jimmy })
+    end
+
+    after do
+      alice.gnupg_key.delete!
+      jimmy.gnupg_key.delete!
+    end
+
+    describe "#acceptable_pgp_key_format" do
+      it "validates the record when the key is valid" do
+        alice.pgp_pubkey = valid_key_alice
+        expect(alice).to be_valid
+      end
+
+      it "adds a validation error when the key is not valid" do
+        user.pgp_pubkey = invalid_key
+        expect(user).to_not be_valid
+        expect(user.errors[:pgp_pubkey]).to be_present
+      end
+    end
+
+    describe "#pgp_pubkey" do
+      it "returns the raw pubkey from LDAP" do
+        expect(alice.pgp_pubkey).to eq(valid_key_alice)
+      end
+    end
+
+    describe "#gnupg_key" do
+      subject { alice.gnupg_key }
+
+      it "returns a GPGME::Key object from the system's GPG keyring" do
+        expect(subject).to be_a(GPGME::Key)
+        expect(subject.fingerprint).to eq(fingerprint_alice)
+        expect(subject.email).to eq("alice@openpgp.example")
+      end
+    end
+
+    describe "#pgp_pubkey_contains_user_address?" do
+      it "returns false when the user address is one of the UIDs of the key" do
+        expect(alice.pgp_pubkey_contains_user_address?).to eq(false)
+      end
+
+      it "returns true when the user address is missing from the UIDs of the key" do
+        expect(jimmy.pgp_pubkey_contains_user_address?).to eq(true)
+      end
+    end
+
+    describe "wkd_hash" do
+      it "returns a z-base32 encoded SHA-1 digest of the username" do
+        expect(alice.wkd_hash).to eq("kei1q4tipxxu1yj79k9kfukdhfy631xe")
+      end
+    end
+  end
 end
--- a/spec/services/user_manager/create_account_spec.rb
+++ b/spec/services/user_manager/create_account_spec.rb
@@ -1,8 +1,8 @@
 require 'rails_helper'

-RSpec.describe CreateAccount, type: :model do
+RSpec.describe UserManager::CreateAccount, type: :model do
  describe "#create_user_in_database" do
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn'
@@ -19,7 +19,7 @@ RSpec.describe CreateAccount, type: :model do

  describe "#update_invitation" do
    let(:invitation) { create :invitation }
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn',
@@ -42,7 +42,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document" do
    include ActiveJob::TestHelper

-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november'
@@ -68,7 +68,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document for pre-confirmed account" do
    include ActiveJob::TestHelper

-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november',
@@ -89,7 +89,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#create_lndhub_account" do
    include ActiveJob::TestHelper

-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney', email: 'halfinney@example.com',
      password: 'bright-ideas-in-winter'
    })}
--- a/spec/services/user_manager/create_invitations_spec.rb
+++ b/spec/services/user_manager/create_invitations_spec.rb
@@ -1,13 +1,13 @@
 require 'rails_helper'

-RSpec.describe CreateInvitations, type: :model do
+RSpec.describe UserManager::CreateInvitations, type: :model do
  include ActiveJob::TestHelper

  let(:user) { create :user }

  describe "#call" do
    before do
-      CreateInvitations.call(user: user, amount: 5)
+      described_class.call(user: user, amount: 5)
    end

    after(:each) { clear_enqueued_jobs }
@@ -28,7 +28,7 @@ RSpec.describe CreateInvitations, type: :model do

  describe "#call with notification disabled" do
    before do
-      CreateInvitations.call(user: user, amount: 3, notify: false)
+      described_class.call(user: user, amount: 3, notify: false)
    end

    after(:each) { clear_enqueued_jobs }
--- a/spec/services/user_manager/update_pgp_key_spec.rb
+++ b/spec/services/user_manager/update_pgp_key_spec.rb
@@ -0,0 +1,74 @@
+require 'rails_helper'
+
+RSpec.describe UserManager::UpdatePgpKey, type: :model do
+  include ActiveJob::TestHelper
+
+  let(:alice) { create :user, cn: "alice" }
+  let(:dn)    { "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
+  let(:pubkey_asc) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+  let(:fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+
+  before do
+    allow(alice).to receive(:dn).and_return(dn)
+    allow(alice).to receive(:ldap_entry).and_return({
+      uid: alice.cn, ou: alice.ou, pgp_key: nil
+    })
+  end
+
+  describe "#call" do
+    context "with valid key" do
+      before do
+        alice.pgp_pubkey = pubkey_asc
+
+        allow(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: pubkey_asc)
+      end
+
+      after do
+        alice.gnupg_key.delete!
+      end
+
+      it "imports the key into the GnuPG keychain" do
+        described_class.call(user: alice)
+        expect(alice.gnupg_key).to be_present
+      end
+
+      it "stores the key's fingerprint on the user record" do
+        described_class.call(user: alice)
+        expect(alice.pgp_fpr).to eq(fingerprint)
+      end
+
+      it "updates the user's LDAP entry with the new key" do
+        expect(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: pubkey_asc)
+        described_class.call(user: alice)
+      end
+    end
+
+    context "with empty key" do
+      before do
+        alice.update pgp_fpr: fingerprint
+        alice.pgp_pubkey = ""
+
+        allow(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: "")
+      end
+
+      it "does not attempt to import the key" do
+        expect(GPGME::Key).not_to receive(:import)
+        described_class.call(user: alice)
+      end
+
+      it "removes the key's fingerprint from the user record" do
+        described_class.call(user: alice)
+        expect(alice.pgp_fpr).to be_nil
+      end
+
+      it "removes the key from the user's LDAP entry" do
+        expect(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: "")
+        described_class.call(user: alice)
+      end
+    end
+  end
+end
--- a/yarn.lock
+++ b/yarn.lock
@@ -108,90 +108,6 @@
  resolved "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.0.2.tgz"
  integrity sha512-IkpVW/ehM1hWKln4fCA3NzJU8KwD+kIOvPZA4cqxoJHtE21CCzjyp+Kxbu0i5I4tBNOlXPL9mjwnWlL0VEG4Fg==

-"@jsr/nostrify__types@^0.35.0":
-  version "0.35.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/nostrify__types/0.35.0.tgz#449D2F6DAE75E5FF660595CF3C45437D14409AF4"
-  integrity sha512-dukOLFxyF7JwDvORLvb3PwMFs1HOBIkTyiewkujiGPaQ7FjvvGMiqY/QxbG0qZX5AmTtS65c/lLlg/ni1flrGQ==
-
-"@jsr/std__assert@^0.224.0":
-  version "0.224.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/std__assert/0.224.0.tgz#B6D7D05F367C7991EC67B19758EDB5BD0D86B385"
-  integrity sha512-RB0p0ydybgKSfTba6kHWytfpEJ0CBPi+byxZikLYa51L9uLINW52/j6n4KuiLFoh2cdFfpNZSNMY/dzQPW90DQ==
-  dependencies:
-    "@jsr/std__fmt" "^0.224.0"
-    "@jsr/std__internal" "^0.224.0"
-
-"@jsr/std__crypto@^0.224.0":
-  version "0.224.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/std__crypto/0.224.0.tgz#FA994A4B99E2D48B983E40B25D65A57BB405A04B"
-  integrity sha512-qzZWI8VnH215FS7hmQsAeNafjLMkmSl1OOvexorVUEf1Zl9omHSN87MwIjtmyVXGLtpGRLzIhKXbeup1xO69Zw==
-  dependencies:
-    "@jsr/std__assert" "^0.224.0"
-    "@jsr/std__encoding" "^0.224.0"
-
-"@jsr/std__encoding@^0.224.0", "@jsr/std__encoding@^0.224.1":
-  version "0.224.3"
-  resolved "https://npm.jsr.io/~/11/@jsr/std__encoding/0.224.3.tgz#ADBBF3F2EFA8C4F7A9063CFEF679AFF46B984FF0"
-  integrity sha512-zAuX2QV1zwJ5RSmrnDGVerAtN3pBXpYYNlGzhERW9AiQ1UJd2/xruyB3i5NdTWy2OK2pjETswOj+0+prYTPlxQ==
-
-"@jsr/std__fmt@^0.224.0":
-  version "0.224.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/std__fmt/0.224.0.tgz#8079EB480C2BE2414430ECCF98F24C1C325B1277"
-  integrity sha512-lyrH5LesMB897QW0NIbZlGp72Ucopj2hMZW2wqB0NyZhuXfLH2sPBIUpCSf87kRKTGnx90JV905w4iTp0TD+Sg==
-
-"@jsr/std__internal@^0.224.0":
-  version "0.224.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/std__internal/0.224.0.tgz#939D6DE44B7340EB097C464AFD7E7476E814B6BE"
-  integrity sha512-inYzKOGAFK2tyy1D4NfwlbPiqEcSaXfOms3Tm4Y+1LmKSYOeB9wjqWHF4y/BJuYj8XUv61F7eaHaIw6NIlhBWg==
-  dependencies:
-    "@jsr/std__fmt" "^0.224.0"
-
-"@noble/ciphers@^0.5.1":
-  version "0.5.3"
-  resolved "https://registry.yarnpkg.com/@noble/ciphers/-/ciphers-0.5.3.tgz#48b536311587125e0d0c1535f73ec8375cd76b23"
-  integrity sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==
-
-"@noble/curves@1.2.0":
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.2.0.tgz#92d7e12e4e49b23105a2555c6984d41733d65c35"
-  integrity sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==
-  dependencies:
-    "@noble/hashes" "1.3.2"
-
-"@noble/curves@~1.1.0":
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.1.0.tgz#f13fc667c89184bc04cccb9b11e8e7bae27d8c3d"
-  integrity sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==
-  dependencies:
-    "@noble/hashes" "1.3.1"
-
-"@noble/curves@~1.6.0":
-  version "1.6.0"
-  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.6.0.tgz#be5296ebcd5a1730fccea4786d420f87abfeb40b"
-  integrity sha512-TlaHRXDehJuRNR9TfZDNQ45mMEd5dwUwmicsafcIX4SsNiqnCHKjE/1alYPd/lDRVhxdhUAlv8uEhMCI5zjIJQ==
-  dependencies:
-    "@noble/hashes" "1.5.0"
-
-"@noble/hashes@1.3.1":
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.1.tgz#8831ef002114670c603c458ab8b11328406953a9"
-  integrity sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==
-
-"@noble/hashes@1.3.2":
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.2.tgz#6f26dbc8fbc7205873ce3cee2f690eba0d421b39"
-  integrity sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==
-
-"@noble/hashes@1.5.0", "@noble/hashes@~1.5.0":
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.5.0.tgz#abadc5ca20332db2b1b2aa3e496e9af1213570b0"
-  integrity sha512-1j6kQFb7QRru7eKN3ZDvRcP13rugwdxZqCjbiAVZfIJwgj2A65UmT4TgARXGlXgnRkORLTDTrO19ZErt7+QXgA==
-
-"@noble/hashes@~1.3.0", "@noble/hashes@~1.3.1":
-  version "1.3.3"
-  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.3.tgz#39908da56a4adc270147bb07968bf3b16cfe1699"
-  integrity sha512-V7/fPHgl+jsVPXqqeOzT8egNj2iBIVt+ECeMMG8TdcnTikP3oaBtUVqpT/gYCR68aEBJSF+XbYUxStjbFMqIIA==
-
 "@nodelib/fs.scandir@2.1.5":
  version "2.1.5"
  resolved "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz"
@@ -213,66 +129,6 @@
    "@nodelib/fs.scandir" "2.1.5"
    fastq "^1.6.0"

-"@nostrify/nostrify@npm:@jsr/nostrify__nostrify":
-  version "0.36.0"
-  resolved "https://npm.jsr.io/~/11/@jsr/nostrify__nostrify/0.36.0.tgz#9A94131A51DCAA501C2AA69878DEE453E5796653"
-  integrity sha512-8M/VHxP0qS1+nrt+GiDRBu3AtDaZhlOuPMH/BkqPtIyp1tAqBXAb6yCrAhxw/iORGUUronJpet1U8bEQz9K0xg==
-  dependencies:
-    "@jsr/nostrify__types" "^0.35.0"
-    "@jsr/std__crypto" "^0.224.0"
-    "@jsr/std__encoding" "^0.224.1"
-    "@scure/base" "^1.1.6"
-    "@scure/bip32" "^1.4.0"
-    "@scure/bip39" "^1.3.0"
-    lru-cache "^10.2.0"
-    nostr-tools "^2.7.0"
-    websocket-ts "^2.1.5"
-    zod "^3.23.8"
-
-"@scure/base@1.1.1":
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@scure/base/-/base-1.1.1.tgz#ebb651ee52ff84f420097055f4bf46cfba403938"
-  integrity sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==
-
-"@scure/base@^1.1.6", "@scure/base@~1.1.0", "@scure/base@~1.1.7", "@scure/base@~1.1.8":
-  version "1.1.9"
-  resolved "https://registry.yarnpkg.com/@scure/base/-/base-1.1.9.tgz#e5e142fbbfe251091f9c5f1dd4c834ac04c3dbd1"
-  integrity sha512-8YKhl8GHiNI/pU2VMaofa2Tor7PJRAjwQLBBuilkJ9L5+13yVbC7JO/wS7piioAvPSwR3JKM1IJ/u4xQzbcXKg==
-
-"@scure/bip32@1.3.1":
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/@scure/bip32/-/bip32-1.3.1.tgz#7248aea723667f98160f593d621c47e208ccbb10"
-  integrity sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==
-  dependencies:
-    "@noble/curves" "~1.1.0"
-    "@noble/hashes" "~1.3.1"
-    "@scure/base" "~1.1.0"
-
-"@scure/bip32@^1.4.0":
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/@scure/bip32/-/bip32-1.5.0.tgz#dd4a2e1b8a9da60e012e776d954c4186db6328e6"
-  integrity sha512-8EnFYkqEQdnkuGBVpCzKxyIwDCBLDVj3oiX0EKUFre/tOjL/Hqba1D6n/8RcmaQy4f95qQFrO2A8Sr6ybh4NRw==
-  dependencies:
-    "@noble/curves" "~1.6.0"
-    "@noble/hashes" "~1.5.0"
-    "@scure/base" "~1.1.7"
-
-"@scure/bip39@1.2.1":
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/@scure/bip39/-/bip39-1.2.1.tgz#5cee8978656b272a917b7871c981e0541ad6ac2a"
-  integrity sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==
-  dependencies:
-    "@noble/hashes" "~1.3.0"
-    "@scure/base" "~1.1.0"
-
-"@scure/bip39@^1.3.0":
-  version "1.4.0"
-  resolved "https://registry.yarnpkg.com/@scure/bip39/-/bip39-1.4.0.tgz#664d4f851564e2e1d4bffa0339f9546ea55960a6"
-  integrity sha512-BEEm6p8IueV/ZTfQLp/0vhw4NPnT9oWf5+28nvmeUICjP99f4vr2d+qc7AVGDDtwRep6ifR43Yed9ERVmiITzw==
-  dependencies:
-    "@noble/hashes" "~1.5.0"
-    "@scure/base" "~1.1.8"
-
 "@tailwindcss/forms@^0.5.3":
  version "0.5.3"
  resolved "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.3.tgz"
@@ -543,11 +399,6 @@ lilconfig@^2.0.5, lilconfig@^2.0.6:
  resolved "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz"
  integrity sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==

-lru-cache@^10.2.0:
-  version "10.4.3"
-  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-10.4.3.tgz#410fc8a17b70e598013df257c2446b7f3383f119"
-  integrity sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==
-
 merge2@^1.3.0:
  version "1.4.1"
  resolved "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz"
@@ -599,25 +450,6 @@ normalize-range@^0.1.2:
  resolved "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz"
  integrity sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=

-nostr-tools@^2.7.0:
-  version "2.7.2"
-  resolved "https://registry.yarnpkg.com/nostr-tools/-/nostr-tools-2.7.2.tgz#74a6ff543a81da1dcce9563b9317faa17221acce"
-  integrity sha512-Bq3Ug0SZFtgtL1+0wCnAe8AJtI7yx/00/a2nUug9SkhfOwlKS92Tef12iCK9FdwXw+oFZWMtRnSwcLayQso+xA==
-  dependencies:
-    "@noble/ciphers" "^0.5.1"
-    "@noble/curves" "1.2.0"
-    "@noble/hashes" "1.3.1"
-    "@scure/base" "1.1.1"
-    "@scure/bip32" "1.3.1"
-    "@scure/bip39" "1.2.1"
-  optionalDependencies:
-    nostr-wasm v0.1.0
-
-nostr-wasm@v0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/nostr-wasm/-/nostr-wasm-0.1.0.tgz#17af486745feb2b7dd29503fdd81613a24058d94"
-  integrity sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA==
-
 object-hash@^3.0.0:
  version "3.0.0"
  resolved "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz"
@@ -1069,11 +901,6 @@ util-deprecate@^1.0.2:
  resolved "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz"
  integrity sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=

-websocket-ts@^2.1.5:
-  version "2.1.5"
-  resolved "https://registry.yarnpkg.com/websocket-ts/-/websocket-ts-2.1.5.tgz#b6b51f0afca89d6bc7ff71c9e74540f19ae0262c"
-  integrity sha512-rCNl9w6Hsir1azFm/pbjBEFzLD/gi7Th5ZgOxMifB6STUfTSovYAzryWw0TRvSZ1+Qu1Z5Plw4z42UfTNA9idA==
-
 xtend@^4.0.2:
  version "4.0.2"
  resolved "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz"
@@ -1083,8 +910,3 @@ yaml@^1.10.2:
  version "1.10.2"
  resolved "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz"
  integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
-
-zod@^3.23.8:
-  version "3.23.8"
-  resolved "https://registry.yarnpkg.com/zod/-/zod-3.23.8.tgz#e37b957b5d52079769fb8097099b592f0ef4067d"
-  integrity sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==
Author	SHA1	Message	Date
Râu Cao	3042a02a17	Allow users to update their OpenPGP pubkey All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 18:13:39 +02:00
Râu Cao	118fddb497	Document URLs for settings controller actions No need to read the route sources all the time	2024-09-23 16:07:02 +02:00
Râu Cao	ba683a7b95	Move some Rails app services to UserManager namespace All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 16:03:02 +02:00
Râu Cao	90a8a70c15	Add OpenPGP key to LDAP directory and User model All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 15:20:00 +02:00