On Friday 27 January 2023 09:13:15, Simon Josefsson via Gnupg-devel wrote:
> my goal is to come up with the best/safest text to write in a software
> release on how to verify OpenPGP signatures for the tarball.
>
> Currently I'm using the text below, which recommends 'gpg
> --locate-external-key' as the preferred mechanism and normally that uses
> WKD and will try to refresh the key from the server (otherwise people
> get old cached keys from local key storage). I like the simplicity and
> UX of this approach.

If the email address has the same domain as the downloading domain of the package, it all is controlled by the same entity. It would make more sense to have a second path to building trust in a public key.

One source of trust would be that you already have an old pub key from a previous download.

Another practice I hope to establish is that clients will from time to time query a keyserver about the pubkey to have a chance to see if there is a revocation for the pubkey they'll get from the email provider, and to have a chance to detect malicious acts by the email provider itself.

> This mechanism must be able to retrieve all
> currently valid keys for a particular e-mail address, otherwise people
> will complain not finding the right key.

This only is a problem if an old tarball is to be verified.

One way to build trust could be to get the new, current, recommended pubkey from the WKD and then retrieve the other pubkey from a keyserver and a signature from the WKD pubkey. This would only work if keyservers carried 3rd-party signatures again.

> Second to using the e-mail, maybe retrieving by key id should be
> preferred because that is more stable. However there aren't really any
> stable working keyid-based OpenPGP key search engines left, are there?

Sure, a number of them: https://spider.pgpkeys.eu/
e.g. https://keyserver2.gnupg.org/

Bernhard

-- 
https://intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
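A worked example of the verification flow the thread is debating, added here and not code from the thread or from GnuPG: a POSIX shell helper that classifies gpg's machine-readable `--status-fd` output so that a release-verification script can tell a good signature from one made by a revoked or expired key (the case a periodic keyserver query is meant to surface), and can pin the fingerprint of the key already trusted from an earlier download (the second trust path Bernhard describes). The fingerprint, the e-mail address, the three status transcripts and the names `classify_status` and `verify_tarball` are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): classify the outcome of a
# tarball signature check from gpg's status lines, and pin the signing key's
# fingerprint to one already trusted from a previous download.
# Every fingerprint, address and transcript below is constructed.

# Fingerprint recorded when a previous release was verified (placeholder).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# classify_status PINNED_FPR
# Reads "gpg --status-fd 1 --verify" output on stdin, prints one verdict:
#   TRUSTED                good signature, fingerprint matches the pinned key
#   GOOD_BUT_KEY_MISMATCH  good signature, but by a key other than the pinned one
#   GOOD_UNPINNED          good signature, nothing pinned to compare against
#   REVOKED_KEY / EXPIRED_KEY / EXPIRED_SIG / BAD / NO_PUBKEY / NO_SIGNATURE
# gpg emits GOODSIG only for a key that is neither revoked nor expired; for a
# revoked or expired key it emits REVKEYSIG or EXPKEYSIG instead. VALIDSIG
# carries the full fingerprint of the signing key as its third field.
classify_status() {
    pinned="$1"
    sig="NO_SIGNATURE"
    fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   sig="GOOD" ;;
            "[GNUPG:] REVKEYSIG "*) sig="REVOKED_KEY" ;;
            "[GNUPG:] EXPKEYSIG "*) sig="EXPIRED_KEY" ;;
            "[GNUPG:] EXPSIG "*)    sig="EXPIRED_SIG" ;;
            "[GNUPG:] BADSIG "*)    sig="BAD" ;;
            "[GNUPG:] NO_PUBKEY "*) sig="NO_PUBKEY" ;;
            "[GNUPG:] VALIDSIG "*)  fpr=$(printf '%s\n' "$line" | cut -d' ' -f3) ;;
        esac
    done
    case "$sig" in
        GOOD)
            if [ -z "$pinned" ]; then
                echo "GOOD_UNPINNED"
            elif [ "$fpr" = "$pinned" ]; then
                echo "TRUSTED"
            else
                echo "GOOD_BUT_KEY_MISMATCH"
            fi
            ;;
        *)
            echo "$sig"
            ;;
    esac
}

# verify_tarball TARBALL SIGFILE [PINNED_FPR]
# Real verification (needs gpg; not run by the demo below). Fetch the key the
# way the thread recommends, then refresh it from a keyserver so a revocation
# published there is seen even when the WKD copy is stale:
#   gpg --locate-external-key releases@example.org
#   gpg --refresh-keys "$PINNED_FPR"
verify_tarball() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status "${3:-}"
}

# Constructed status transcripts, shaped like gpg's but not captured from it.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer <releases@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-01-27 1674810795 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Release Signer <releases@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-01-27 1674810795 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1674810795 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'

# Demo over the constructed transcripts (needs neither gpg nor network):
printf '%s\n' "$SAMPLE_GOOD"    | classify_status "$PINNED_FPR"   # TRUSTED
printf '%s\n' "$SAMPLE_GOOD"    | classify_status ""              # GOOD_UNPINNED
printf '%s\n' "$SAMPLE_REVOKED" | classify_status "$PINNED_FPR"   # REVOKED_KEY
printf '%s\n' "$SAMPLE_NOKEY"   | classify_status "$PINNED_FPR"   # NO_PUBKEY
```

The pinned-fingerprint comparison is what turns "gpg said GOODSIG" into "signed by the key I verified last release with"; without it, a key planted in the WKD by whoever controls the domain also yields GOODSIG. Treating REVKEYSIG and EXPKEYSIG as failures rather than as a variant of success is the part most ad-hoc verification scripts miss.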