[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggest another way of importing GNU Guix GPG key

From: Alex Vong
Subject: Re: Suggest another way of importing GNU Guix GPG key
Date: Sun, 30 Jun 2019 05:40:33 +0800
User-agent: mu4e 1.2.0; emacs 26.2


One solution would be to download the keyring from
<> and verify the signature in
the following way:

  $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig 


address@hidden writes:

> Hello,
> SKS keyservers are currently under attack
> ( - 
> the attack can cause a GPG client to freeze completely and mess the
> GPG installation completely.
> I suggest GNU Guix proposes another way of importing the GPG keys so
> that users will not suffer from this problem.
> There's another, newer, keyserver, proposed in this gist, that is run
> by new software that doesnt suffer from this attack. See:
> However, that keyserver is not replicated. You could either use that
> one or simply offer a download of the key over TLS with verification
> against installed CAs, as secure as this can get.
> Regards

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]