List: gnupg-devel
Subject: Re: WKD: returns only one pubkey (and why)
From: Werner Koch via Gnupg-devel <gnupg-devel@gnupg.org>
Date: 2023-01-27 9:23:48
Message-ID: 87v8ks1gbf.fsf@wheatstone.g10code.de
Hi!
Just a quick note:
> Currently I'm using the text below, which recommends 'gpg
> --locate-external-key' as the preferred mechanism and normally that uses
> WKD and will try to refresh the key from the server (otherwise people
> get old cached keys from local key storage). I like the simplicity and
You may also include the key in the signature:
gpg -sabvu commit --include-key </etc/motd >motd.asc
and then advise to use
gpg --verify --auto-key-import -v motd.asc /etc/motd
However, auto-key-import will only import the key if it is not yet there.
It won't update a key. These options are available since GnuPG 2.2.20.
FWIW, I recently had to build gcc and I have found no way to validate
the key of Jakub. No key signatures available and I have found no listing
of fingerprints anywhere, not even on the Red Hat site, which only lists
product keys. If even I am not able to figure this out, how shall we
bootstrap our software ecosystem in a somewhat secure way? How does
Debian verify that a gcc update is pristine - private exchange of keys
with Jakub?
--locate-external-key does not help either because it relies on the very
same mechanism we anyway use to download the source (i.e. TLS).
Salam-Shalom,
Werner
p.s.
gcc is just one of a myriad of examples; sorry for picking its author
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
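The include-key / auto-key-import flow from the message above, as an added example that is not code from the message or from the GnuPG project. The script signs a constructed file with the signing key embedded, verifies it from an empty keyring with --auto-key-import, and then checks the caveat stated in the message: a later --auto-key-import against a changed key imports nothing, because the key is already present. The message's `--include-key` is the short spelling; the script uses the full option name `--include-key-block` from the gpg manual. It assumes gpg >= 2.2.20 on PATH (it skips otherwise); the user IDs, message text, and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the message or from GnuPG: walk through
# --include-key-block / --auto-key-import with two throwaway keyrings and
# confirm that --auto-key-import imports a missing key but does not update
# one that is already in the verifier's keyring.
# Assumptions: gpg >= 2.2.20 on PATH; the user IDs, message text and paths
# below are constructed for this demo.
set -u

# Run gpg non-interactively against a throwaway home directory.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --no-tty --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

demo_include_key() {
    # Skip cleanly where gpg is missing or too old for --include-key-block.
    if ! command -v gpg >/dev/null 2>&1 ||
       ! gpg --dump-options 2>/dev/null | grep -qx -- '--include-key-block'; then
        echo "gpg >= 2.2.20 not available; skipping demo"
        return 0
    fi
    work=$(mktemp -d) || return 1
    signer=$work/signer; verifier=$work/verifier
    mkdir -m 700 "$signer" "$verifier" || return 1

    # Signer side: constructed message, fresh key, detached armored signature
    # with the public key embedded (the message's "gpg -sab --include-key").
    printf 'Welcome to example.test\n' >"$work/motd"
    g "$signer" --quick-generate-key 'Demo Signer <signer@example.test>' \
        default default never 2>/dev/null || return 1
    g "$signer" -sab --include-key-block -u signer@example.test \
        <"$work/motd" >"$work/motd.asc" 2>/dev/null || return 1
    fpr=$(g "$signer" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    # Verifier side: empty keyring, so a plain --verify cannot succeed ...
    if g "$verifier" --verify "$work/motd.asc" "$work/motd" 2>/dev/null; then
        echo "unexpected: verified against an empty keyring"; return 1
    fi
    # ... but with --auto-key-import the embedded key is used and then imported.
    g "$verifier" --verify --auto-key-import "$work/motd.asc" "$work/motd" 2>/dev/null || return 1
    g "$verifier" --list-keys "$fpr" >/dev/null 2>&1 || return 1

    # Caveat from the message: change the signer's key (add a user ID), sign
    # again, verify again. The key already exists locally, so nothing is merged.
    g "$signer" --quick-add-uid signer@example.test \
        'Demo Signer (renamed) <renamed@example.test>' 2>/dev/null || return 1
    g "$signer" -sab --include-key-block -u signer@example.test \
        <"$work/motd" >"$work/motd2.asc" 2>/dev/null || return 1
    g "$verifier" --verify --auto-key-import "$work/motd2.asc" "$work/motd" 2>/dev/null || return 1
    if g "$verifier" --with-colons --list-keys "$fpr" | grep -q 'renamed@example.test'; then
        echo "unexpected: --auto-key-import updated an existing key"; return 1
    fi

    echo "ok: $fpr imported on first verify; new user ID not picked up on re-verify"
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$verifier" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

demo_include_key
```

The second half is the part worth remembering when writing verification instructions: once a key is in the recipient's keyring, --auto-key-import does nothing further, so any rotation, expiry extension or added user ID has to reach them by a separate refresh (for example --locate-external-key or --refresh-keys), not through the next signed file.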