gpg keychain repo?
Sandro Knauß
sknauss at kde.org
Thu Jul 1 07:19:43 BST 2021
Hi,

it would be helpful to get the key reliably. But I think a repo is not the
best way to communicate gpg keys, as the whole gpg infrastructure is not
really made for this. I would like not to see another way to communicate GPG
keys.

In my mind I would recommend to use WKD[0] to communicate keys with the
outside world. WKD would give a unique url to download a minified version of a
specific key. One disadvantage would be that it means that everyone who signs a
release would need a kde.org address (but I expect this anyways for all who
create signed tarballs) or would need to set up WKD for their mail address.

But WKD is a protocol and does not mean that we need to set up WKS. That's why
we need a data source for WKD and here we can use a gpg repo. But that would
be only an implementation detail and not needed to communicate with the
downstream. The additional advantage of WKD is also that you can easily find
the correct key to send encrypted mails.

A script to generate the needed files for the webserver is quite simple [1]. You
can reach me to help to set up such a script for the KDE infrastructure.

regards,
hefee

[0] https://wiki.gnupg.org/WKD
[1] https://gitlab.com/Martin_/generate-openpgpkey-hu-3/
> at akademy we were musing on the possibility of having a keychain
> repo. in part because keyservers are proving unreliable, in part
> because we believe it may be more annoying to (securely) fetch a key
> from a keyserver than fish it out of a repo.
>
> so...
> would distros at all be interested in this and be able to easily use
> keys from a git repo we host on invent.kde.org instead of a gpg
> keyserver?
>
> HS
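
An added example, not part of the original mail and not taken from the script linked as [1]: how the per-address WKD URL mentioned above is derived, and the file layout a generator would write under a web root for the "advanced" method. The function names and the example.org addresses are hypothetical, and the key bytes are constructed placeholders standing in for a binary (non-armored) key export.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def wkd_hash(local_part: str) -> str:
    """z-base-32 of SHA-1 over the local part, ASCII upper case folded to lower."""
    folded = "".join(c.lower() if c.isascii() else c for c in local_part)
    digest = hashlib.sha1(folded.encode("utf-8")).digest()
    bits = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(bits >> shift) & 31] for shift in range(155, -1, -5))

def wkd_urls(email: str) -> dict:
    """Return the advanced and direct lookup URLs for one mail address."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {email!r}")
    domain = domain.lower()
    h, l = wkd_hash(local), quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }

def write_wkd_tree(webroot: Path, keys: dict) -> list:
    """Write advanced-method files for {email: binary key bytes}; return the paths."""
    written = []
    for email, key_bytes in keys.items():
        local, _, domain = email.rpartition("@")
        base = webroot / ".well-known" / "openpgpkey" / domain.lower()
        (base / "hu").mkdir(parents=True, exist_ok=True)
        (base / "policy").touch()  # policy file next to hu/; it may be empty
        target = base / "hu" / wkd_hash(local)
        target.write_bytes(key_bytes)  # must be the binary export, not ASCII armor
        written.append(target)
    return written

if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG")["advanced"])
    with tempfile.TemporaryDirectory() as d:
        # constructed sample input: placeholder bytes instead of a real key
        for p in write_wkd_tree(Path(d), {"release@example.org": b"constructed"}):
            print(p.relative_to(d))
```

Because the hash covers only the local part, the same tree can be regenerated from any key store, including a git repository of exported keys, without clients needing to know where the keys came from.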