Keybase and GNUPG and Yubikey (oh my!)

I’ve been meaning to generate PGP keys for my work identity and there is this newfangled social key site named Keybase that is integrated in some tools (Terraform) that I use and I figured I should make it all work with my new Yubikey 4 hardware keystore. So I scoured the Intarwebs for details and could not find the needed incantation.

So, here is my incantation for posterity.

Versions:

These instructions assume that you are starting fresh with no PGP keys in GnuPG or in Keybase.

Install GnuPG, Pinentry Mac, and Keybase.

[user@machine ~]$ brew install gnupg pinentry pinentry-mac
[user@machine ~]$ echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
[user@machine ~]$ killall gpg-agent
[user@machine ~]$ brew cask install keybase

Generate a brand new PGP key according to Creating the Perfect GPG Keypair.

[user@machine ~]$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 16y
Key expires at Sat Feb 18 21:50:37 2034 EST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Michael Arnold
Email address: michaelDOTarnold@clairvoyantsoft.com
Comment:
You selected this USER-ID:
    "Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 30136A9B74C480D0 marked as ultimately trusted
gpg: directory '/Users/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/user/.gnupg/openpgp-revocs.d/3AAFAE657EAB4B5EBCAB164C30136A9B74C480D0.rev'
public and secret key created and signed.

pub   rsa4096 2018-02-23 [SC] [expires: 2034-02-19]
      3AAFAE657EAB4B5EBCAB164C30136A9B74C480D0
uid                      Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
sub   rsa4096 2018-02-23 [E] [expires: 2034-02-19]

Add a photo (optional).

[user@machine ~]$ gpg --edit-key michaelDOTarnold@clairvoyantsoft.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>

gpg> addphoto

Pick an image to use for your photo ID.  The image must be a JPEG file.
Remember that the image is stored within your public key.  If you use a
very large picture, your key will become very large as well!
Keeping the image close to 240x288 is a good size to use.

Enter JPEG filename for photo ID: /Users/user/Pictures/avatar-gpg.jpg
Is this photo correct (y/N/q)? y

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ unknown] (2)  [jpeg image of size 4809]

gpg> save

Generate additional subkeys for signing and authentication.

[user@machine ~]$ gpg --expert --edit-key michaelDOTarnold@clairvoyantsoft.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2034-02-19
sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 16y
Key expires at Sat Feb 18 22:22:09 2034 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 16y
Key expires at Sat Feb 18 22:23:13 2034 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> save

Export the public and private keys. They should be the only things on your keyrings.

gpg --export-secret-keys --armor private.gpg-key
gpg -c private.gpg-key
rm -P private.gpg-key

gpg --export-secret-subkeys --armor private.subkeysA.gpg-key
gpg -c private.subkeysA.gpg-key
rm -P private.subkeysA.gpg-key

gpg --export --armor public.gpg-key

Download and install the Yubikey PIV Manager. Use it to prepare your Yubikey PIV’s PIN.
I referenced the YubiKey PIV Manager User’s Guide. I am not completely certain that the above is required.

Edit the Yubikey smartcard and customize it. We need to set the Admin PIN and User PIN.

[michael@demotivation ~]$ gpg --card-edit

Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006123456780000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 1
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102010006123456780000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> name
Cardholder's surname: Arnold
Cardholder's given name: Michael

gpg/card> url
URL to retrieve public key: https://keybase.io/razorsedge/key.asc

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> lang
Language preferences: en

gpg/card> list

Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006123456780000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: Michael Arnold
Language prefs ...: en
Sex ..............: male
URL of public key : https://keybase.io/razorsedge/key.asc
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit

Move the subkeys to the smartcard.

[user@machine ~]$ gpg --edit-key michaelDOTarnold@clairvoyantsoft.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> key 1

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> key 1

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> key 2

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb* rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb* rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> key 2

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb  rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> key 3

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb* rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  rsa4096/30136A9B74C480D0
     created: 2018-02-23  expires: 2034-02-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/CC5CD1266D3E420E
     created: 2018-02-23  expires: 2034-02-19  usage: E
ssb  rsa4096/7F40BCD406195F1C
     created: 2018-02-23  expires: 2034-02-19  usage: S
ssb* rsa4096/B9747BE9941309F1
     created: 2018-02-23  expires: 2034-02-19  usage: A
[ultimate] (1). Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
[ultimate] (2)  [jpeg image of size 4809]

gpg> save

Export the private subkeys. You should probably have done this before moving them to the YubiKey. I mistakenly did it in this order.

gpg --export-secret-subkeys --armor private.subkeys.gpg-key
gpg -c private.subkeys.gpg-key
rm -P private.subkeys.gpg-key

We want an Offline Master key.

What I should have done was to delete the file holding my master private key.

"rm $HOME/.gnupg/private-keys-v1.d/KEYGRIP.key", where KEYGRIP is the “keygrip” of the master key which can be found by running “gpg --with-keygrip --list-key YOURMASTERKEYID".

Instead, I used the old GnuPG method of deleting the entire secret key and subkeys from my keychain and then imported the subkeys back in.

[user@machine ~]$ gpg --list-secret-keys
/Users/user/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2018-02-23 [SC] [expires: 2034-02-19]
      3AAFAE657EAB4B5EBCAB164C30136A9B74C480D0
uid           [ultimate] Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
uid           [ultimate] [jpeg image of size 4809]
ssb>  rsa4096 2018-02-23 [E] [expires: 2034-02-19]
ssb>  rsa4096 2018-02-23 [S] [expires: 2034-02-19]
ssb>  rsa4096 2018-02-23 [A] [expires: 2034-02-19]

Delete the secret key and then re-import the subkeys.

[user@machine ~]$ gpg --delete-secret-key michaelDOTarnold@clairvoyantsoft.com
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa4096/30136A9B74C480D0 2018-02-23 Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[user@machine ~]$ gpg -d private.subkeys.gpg-key.gpg | gpg --import
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: key 30136A9B74C480D0: "Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>" not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 30136A9B74C480D0: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1


[user@machine ~]$ gpg --list-secret-keys

[user@machine ~]$ gpg --card-status
...

[user@machine ~]$ gpg --list-secret-keys
/Users/user/.gnupg/pubring.kbx
---------------------------------
sec#  rsa4096 2018-02-23 [SC] [expires: 2034-02-19]
      3AAFAE657EAB4B5EBCAB164C30136A9B74C480D0
uid           [ultimate] Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
uid           [ultimate] [jpeg image of size 4809]
ssb>  rsa4096 2018-02-23 [E] [expires: 2034-02-19]
ssb>  rsa4096 2018-02-23 [S] [expires: 2034-02-19]
ssb>  rsa4096 2018-02-23 [A] [expires: 2034-02-19]

sec# means that the secret key is not present. ssb> means that the subkey is on a smartcard.


Keybase should not have seen any of your keys up to this point.

[user@machine ~]$ keybase pgp list

Lets tell Keybase about your public key. No worries here as your master secret key is not on your PGP keyring and the subkeys are on the YubiKey.

[user@machine ~]$ keybase pgp select --no-import
#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    4096R   30136A9B74C480D0             Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
Choose a key: 1
▶ INFO Bundle unlocked: 30136A9B74C480D0
▶ INFO Generated new PGP key:
▶ INFO   user: Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>
▶ INFO   4096-bit RSA key, ID 30136A9B74C480D0, created 2018-02-22
▶ INFO Key 30136A9B74C480D0 imported

List the keys that Keybase knows about.

[user@machine ~]$ keybase pgp list
Keybase Key ID:  010185d53d35d79ddd0c54fa013efc20b55a257ec2582c5ebfad949670e25463f9d30a
PGP Fingerprint: 3AAF AE65 7EAB 4B5E BCAB 164C 3013 6A9B 74C4 80D0
PGP Identities:
   Michael Arnold <michaelDOTarnold@clairvoyantsoft.com>

Success!

Note that since Keybase does not have your secret keys, you cannot do keybase pgp decrypt however gpg --decrypt does work.

About Michael Arnold
This is where I write about all of my unix hacking experiences so that you may be able to learn from my troubles.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: