gpg keychain repo?

Sandro Knauß sknauss at kde.org
Thu Jul 1 07:19:43 BST 2021


Hi,

it would be helpful to get the key reliably. But I think a repo is not the 
best way to communicate gpg keys, as the whole gpg infrastructure is not 
really made for this. I would like not to see another way to communicate GPG 
keys.

In my mind I would recommend using WKD[0] to communicate keys with the 
outside world. WKD would give a unique url to download a minified version of a 
specific key. One disadvantage would be that everyone who signs a 
release would need a kde.org address (but I expect this anyway for all who 
create signed tarballs) or would need to set up WKD for their mail address. 
But WKD is a protocol and does not mean that we need to set up WKS. That's why 
we need a data source for WKD, and here we can use a gpg repo. But that would 
be only an implementation detail and not needed to communicate with the 
downstream. The additional advantage of WKD is also that you can easily find 
the correct key to send encrypted mails.

A script to generate the needed files for the webserver is quite simple [1]. You 
can reach me for help setting up such a script for the KDE infrastructure.

regards,

hefee

[0] https://wiki.gnupg.org/WKD
[1] https://gitlab.com/Martin_/generate-openpgpkey-hu-3/

> at akademy we were musing on the possibility of having a keychain
> repo. in part because keyservers are proving unreliable, in part
> because we believe it may be more annoying to (securely) fetch a key
> from a keyserver than fish it out of a repo.
> 
> so...
> would distros at all be interested in this and be able to easily use
> keys from a git repo we host on invent.kde.org instead of a gpg
> keyserver?
> 
> HS
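The WKD lookup the mail above describes (a unique, deterministic URL per mail address, served from files that a generator script lays out on the webserver) works as follows, shown here as an added example that is not part of the original post nor of the linked generate-openpgpkey-hu-3 script. The local part of the address is lower-cased, hashed with SHA-1, and z-base-32 encoded; the key file is served from `.well-known/openpgpkey/hu/<hash>` (direct method) or from the `openpgpkey.` subdomain (advanced method). The `publish_direct_method` helper, the `webroot` layout and the key bytes written by `demo()` are constructed placeholders for illustration, not real OpenPGP key material.

```python
import hashlib
import os
import tempfile
from urllib.parse import quote

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5-bit groups, last group zero-padded, no '=' padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD maps the lower-cased local part to z-base-32(SHA-1(local)), 32 chars."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Both lookup URLs a client may try for one address; the domain is lower-cased,
    the original (not lower-cased) local part is passed back in the 'l' parameter."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
    }


def publish_direct_method(webroot: str, keys: dict) -> list:
    """Lay out the direct-method tree for ONE domain under webroot (assumed helper):
    webroot/.well-known/openpgpkey/hu/<hash> holds the binary (not ASCII-armored)
    key blob, and a policy file must exist (it may be empty). Returns written paths."""
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    hu = os.path.join(base, "hu")
    os.makedirs(hu, exist_ok=True)
    # touch the policy file; clients refuse the direct method without it
    open(os.path.join(base, "policy"), "ab").close()
    written = []
    for email, blob in keys.items():
        local, _domain = email.rsplit("@", 1)
        path = os.path.join(hu, wkd_hash(local))
        with open(path, "wb") as f:
            f.write(blob)
        written.append(path)
    return written


def demo() -> dict:
    """Publish one constructed placeholder key into a temp webroot and report the
    layout, so the result can be checked without a real key or webserver."""
    webroot = tempfile.mkdtemp()
    fake_key = b"\x99\x01placeholder-not-a-real-key"  # constructed bytes, not OpenPGP
    paths = publish_direct_method(webroot, {"Alice@example.org": fake_key})
    return {
        "count": len(paths),
        "basename": os.path.basename(paths[0]),
        "policy_exists": os.path.exists(os.path.join(webroot, ".well-known",
                                                     "openpgpkey", "policy")),
        "stored_matches": open(paths[0], "rb").read() == fake_key,
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:8s} {url}")
    print(demo())
```

To cross-check the hash against GnuPG's own implementation, `gpg-wks-client --print-wkd-hash user@example.org` prints the same value; the blob served for each address is what `gpg --export-options export-minimal --export user@example.org` produces, and a client fetches it with `gpg --auto-key-locate clear,wkd --locate-keys user@example.org`. Because the file name is derived from the address, a distribution verifying a tarball signature can fetch exactly one key from a URL it can predict in advance, which is the reliability property the mail argues for over keyservers.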
