[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: announce-gen and OpenPGP key servers

From: Jim Meyering
Subject: Re: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 18:57:15 -0700

On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion
list <bug-gnulib@gnu.org> wrote:
> Hi.  Our announce-gen contains:
>   If that command fails because you don't have the required public key,
>   then run this command to import it:
>   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behave different for different GnuPG versions.  What should we
> recommend instead?  Werner Koch said:
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
> I like WKD, but not all of us has published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domains' https server).  Still, I think it is the best long-term
> solution.
> How about the patch below?  It is not meant to be commited, but to start
> discussion.
> I think we should do more than the patch.  The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
> Our announcements doesn't contain the full OpenPGP key fingerprint,
> which they should.
> The release announcement could include hash checksums of the files too.
> Some of us publish our OpenPGP keys at a https URL, and including that
> link in the announcement would also help.  That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
> Maybe we should involve the ftp-upload@gnu.org people.  Having the
> OpenPGP key database they use be published on gnu.org would help.
> Let's discuss and see what we can do.
> /Simon
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it:
>    gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> -and rerun the 'gpg --verify' command.
> +You may also try other key servers such as keyserver.ubuntu.com or
> +pgp.mit.edu.  With newer GnuPG versions you may use the following
> +command to download and refresh any expired key:
> +
> +  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org

I've just run that, and it failed like this:

  gpg: error retrieving 'simon@josefsson.org' via WKD: General error

I too agree. We must make changes to improve matters.
I was rather dismayed to see recently how hard it was to find a usable

Feel free to make the script generate a full fingerprint and even
(though it feels a little like giving up) add a checksum or two.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]