[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Finding a “good” OpenPGP key server

From: Vagrant Cascadian
Subject: Re: Finding a “good” OpenPGP key server
Date: Tue, 31 May 2022 08:09:21 -0700

On 2022-05-30, Ludovic Courtès wrote:
> Maxime Devos <> skribis:
>> Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
>>> [... guix refresh -u stuff failing due to not finding the key ...]
>>> I’m not sure what a good solution is (other than looking for the key
>>> manually on Savannah or on some random key server).
>> Alternatively, why use key servers at all?  WDYT of something like
>> (package
>>   (name "gnurl")
>>   [...]
>>   (properties
>>     ;; Keys that are considered ‘trustworthy’ for signing releases
>>     ;; of gnurl.
>>     `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
>>       ;; Locations of PGP key (possibly with some of them pointing to
>>       ;; the same key)
>>       (pgp-key-locations
>>         ,(savannah-pgp-key USER-ID) ... ; most signers are on 
>>         ,(local-file "[...]/") ; not easily available from the 
>> Web               
>>         "https://rando/";
>>         "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>> The first part (permitted-pgp-signing-keys) has been suggested previously and
>> seems mostly orthogonal, but the second part is new.  It would reduce
>> the dependency on central infrastructure.  We could consider key servers
>> to be ‘merely’ another fallback.
> We could also have our own key server.  Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.

Or keep some keyrings in a git repo, if we want to keep the keys
somewhat restricted to committers... a major problem of the public
keyserver network is/was the ability for anyone to update or add any key
for anybody.

We've already got the keyring branch in guix.git, maybe adding an
upstream-keys branch wouldn't be madness? Or a separate git
repository. And then you could get it archived at software heritage or or whatever trivially.

live well,

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]