[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

announce-gen and OpenPGP key servers

From: Simon Josefsson
Subject: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 11:38:27 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi.  Our announce-gen contains:

  If that command fails because you don't have the required public key,
  then run this command to import it:
  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id

Given recent OpenPGP key server issues, that doesn't work reliably any
more, and behave different for different GnuPG versions.  What should we
recommend instead?  Werner Koch said:


I like WKD, but not all of us has published their OpenPGP key there, and
some may never be able to (it requires that you can put a file on your
e-mail domains' https server).  Still, I think it is the best long-term

How about the patch below?  It is not meant to be commited, but to start

I think we should do more than the patch.  The OpenPGP web of trust
seems to be under attack and is not as usable any more.

Our announcements doesn't contain the full OpenPGP key fingerprint,
which they should.

The release announcement could include hash checksums of the files too.

Some of us publish our OpenPGP keys at a https URL, and including that
link in the announcement would also help.  That could point to the
Savannah PGP page, but I think few of us keep that maintained and the
URL looks horrible.

Maybe we should involve the ftp-upload@gnu.org people.  Having the
OpenPGP key database they use be published on gnu.org would help.

Let's discuss and see what we can do.


diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index daa478c8e..a696bff89 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -549,7 +549,12 @@ then run this command to import it:
   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
-and rerun the 'gpg --verify' command.
+You may also try other key servers such as keyserver.ubuntu.com or
+pgp.mit.edu.  With newer GnuPG versions you may use the following
+command to download and refresh any expired key:
+  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
   my @tool_versions = get_tool_versions (\@tool_list, $gnulib_version);

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]