bug-gnulib

Re: announce-gen and OpenPGP key servers


From: Jim Meyering
Subject: Re: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 18:57:15 -0700

On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion
list <bug-gnulib@gnu.org> wrote:
> Hi.  Our announce-gen contains:
>
>   If that command fails because you don't have the required public key,
>   then run this command to import it:
>   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behaves differently for different GnuPG versions.  What should we
> recommend instead?  Werner Koch said:
>
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
>
> I like WKD, but not all of us have published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domains' https server).  Still, I think it is the best long-term
> solution.
>
> How about the patch below?  It is not meant to be committed, but to start
> discussion.
>
> I think we should do more than the patch.  The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
>
> Our announcements don't contain the full OpenPGP key fingerprint,
> which they should.
>
> The release announcement could include hash checksums of the files too.
>
> Some of us publish our OpenPGP keys at a https URL, and including that
> link in the announcement would also help.  That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
>
> Maybe we should involve the ftp-upload@gnu.org people.  Having the
> OpenPGP key database they use be published on gnu.org would help.
>
> Let's discuss and see what we can do.
>
> /Simon
>
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it:
>
>    gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> -and rerun the 'gpg --verify' command.
> +You may also try other key servers such as keyserver.ubuntu.com or
> +pgp.mit.edu.  With newer GnuPG versions you may use the following
> +command to download and refresh any expired key:
> +
> +  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
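Review bot: the new `--locate-key` line hard-codes `simon@josefsson.org`, while the line just above it is a template that substitutes `$gpg_key_id`; in a generated announcement this should be the announcing maintainer's address (a variable alongside `$gpg_key_id`), otherwise every project's announcement tells readers to fetch one person's key. Two smaller points: the hunk removes "and rerun the 'gpg --verify' command." and, as quoted here, nothing visible restores that instruction (the header promises 12 new-side lines, but the quote stops at the locate-key line, so the remaining context cannot be checked); and since a WKD lookup by address returns whatever key that domain currently serves, the text would be stronger if it told the reader to compare the fetched key's full fingerprint against the one in the announcement, which is the fingerprint the cover mail argues announcements should carry.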

I've just run that, and it failed like this:

  gpg: error retrieving 'simon@josefsson.org' via WKD: General error

I too agree. We must make changes to improve matters.
I was rather dismayed to see recently how hard it was to find a usable
keyserver.

Feel free to make the script generate a full fingerprint and even
(though it feels a little like giving up) add a checksum or two.
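As an added example (not code from announce-gen or gnulib), this is the verification procedure the thread converges on, written for the reader of an announcement rather than its generator: pin the full fingerprint, fall back to the WKD lookup only when the key is missing, check that the key that actually signed is the pinned one, then check an announced SHA-256 checksum as a second control. Argument order, the helper names and the use of GNU `sha256sum -c` are my assumptions.

```shell
#!/bin/sh
# Added example, not part of announce-gen.  Usage:
#   verify_release TARBALL TARBALL.sig FULL_FINGERPRINT WKD_ADDRESS SHA256
# FULL_FINGERPRINT is the 40-hex-digit fingerprint from the announcement,
# WKD_ADDRESS the maintainer's e-mail address used for the WKD lookup.

# Normalise a fingerprint as people paste it ("1234 5678 ...", any case,
# optional "0x") to 40 upper-case hex digits with no separators.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeeds when a 16-hex-digit long key id (what $gpg_key_id carries today)
# is the tail of the pinned full fingerprint.  The id alone is not enough
# to trust a key; this only checks the announcement is self-consistent.
keyid_matches_fpr() {
    id=$(normalize_fpr "$1"); fpr=$(normalize_fpr "$2")
    [ ${#id} -eq 16 ] && [ ${#fpr} -eq 40 ] || return 1
    case "$fpr" in *"$id") return 0 ;; esac
    return 1
}

# Fingerprint of the key that produced a valid signature, taken from gpg's
# machine-readable status lines ("[GNUPG:] VALIDSIG <fpr> ...").
signer_fpr() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $3 }'
}

verify_release() {
    tarball=$1 sig=$2 wkd_addr=$4 sha256=$5
    want=$(normalize_fpr "$3")
    [ ${#want} -eq 40 ] || { echo "need the full 40-digit fingerprint" >&2; return 2; }
    if ! gpg --list-keys "$want" >/dev/null 2>&1; then
        echo "key $want not in keyring; trying WKD for $wkd_addr" >&2
        gpg --auto-key-locate=clear,wkd,nodefault --locate-key "$wkd_addr" >/dev/null ||
            { echo "WKD lookup failed; use the https key URL from the announcement" >&2; return 3; }
    fi
    # WKD returns whatever key the domain serves, so insist the signer is the
    # pinned fingerprint and not merely some key for that address.
    got=$(signer_fpr "$tarball" "$sig")
    [ "$got" = "$want" ] || { echo "signer fingerprint mismatch: '$got'" >&2; return 4; }
    # GNU coreutils sha256sum; the two spaces match its check-file format.
    printf '%s  %s\n' "$sha256" "$tarball" | sha256sum -c --quiet >/dev/null ||
        { echo "sha256 mismatch for $tarball" >&2; return 5; }
    echo "OK: $tarball signed by $want, checksum matches"
}

if [ "$#" -eq 5 ]; then verify_release "$@"; fi
```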
