gpg keychain repo?

Ben Cooksley bcooksley at kde.org
Thu Jul 1 08:14:29 BST 2021


On Thu, Jul 1, 2021 at 6:21 PM Sandro Knauß <sknauss at kde.org> wrote:

> Hi,
>

Hi there,


> it would be helpful to get the key reliable. But I think a repo is not the
> best way to communicate gpg keys, as the whole gpg infrastructure is not
> really made for this. I would like not to see another way to communicate
> GPG keys.
>

> In my mind I would recommend to use WKD[0] to communicate keys with the
> outside world. WKD would give a unique url to download a minified version
> of a specific key. One disadvantage would be that it means that everyone
> who signs a release would need a kde.org address (but I expect this anyway
> for all of you who create signed tarballs) or would need to set up WKD for
> their mail address. But WKD is a protocol and does not mean that we need to
> set up WKS. That's why we need a data source for WKD, and here we can use
> a gpg repo. But that would be only an implementation detail and not needed
> to communicate with the downstream. The additional advantage of WKD is
> also that you can easily find the correct key to send encrypted mails.
>

Sorry, but while that may be a reasonable assumption for the main module
releases (Frameworks, Plasma and Gear), it is not for independently released
applications.
Many of these have release managers who do not hold a KDE.org address.

Also, I note that this needs the keys somewhere anyway, so you are still
going to be putting them in a repository, as we need a way for people to do
this on a reasonably self-service basis while still having a solid chain of
trust around that. So WKD would be additional overhead (it has to be a
repository because, in general, that is how you get things onto KDE web
infrastructure, whether it is static or run through a dynamic generator).


> A script to generate the needed files for the webserver is quite simple
> [1]. You can reach me for help setting up such a script for the KDE
> infrastructure.
>
> regards,
>
> hefee
>

Cheers,
Ben


> [0] https://wiki.gnupg.org/WKD
> [1] https://gitlab.com/Martin_/generate-openpgpkey-hu-3/
>
> > at akademy we were musing on the possibility of having a keychain
> > repo. in part because keyservers are proving unreliable, in part
> > because we believe it may be more annoying to (securely) fetch a key
> > from a keyserver than fish it out of a repo.
> >
> > so...
> > would distros at all be interested in this and be able to easily use
> > keys from a git repo we host on invent.kde.org instead of a gpg
> > keyserver?
> >
> > HS
>
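The thread above turns on two WKD details: how an address maps to the "unique url" Sandro mentions, and what files a generator script like [1] has to produce for the webserver. The following is an added example written for this archive page, not code from the thread, from KDE, or from the linked generator. It implements the mapping from draft-koch-openpgp-webkey-service (SHA-1 of the lowercased local part, z-base-32 encoded, under `.well-known/openpgpkey/`) and lays out a direct-method tree. The domain, addresses and key bytes are constructed placeholders; a real deployment stores each key as a binary (not ASCII-armored) export from gpg under the hashed filename.

```python
"""WKD lookup URLs and static webserver layout (added example, not from the thread)."""
import hashlib
import os
import tempfile
from urllib.parse import quote

# z-base-32 alphabet, as used by WKD for the hashed local part
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, MSB first, no padding chars."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)  # right-pad the last group with zeros
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the ASCII-lowercased local part, z-base-32 encoded (32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced- and direct-method URLs a client would fetch."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    q = quote(local, safe="")  # original local part, percent-encoded, as the l= query
    return {
        "hash": h,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={q}",
    }


def write_wkd_tree(root: str, keys: dict) -> dict:
    """Lay out a direct-method tree under root for {local_part: binary_key_bytes}.

    Produces .well-known/openpgpkey/policy (empty is fine; clients probe for it)
    and .well-known/openpgpkey/hu/<hash> containing the raw key.
    Returns {local_part: written_path}.
    """
    base = os.path.join(root, ".well-known", "openpgpkey")
    hu = os.path.join(base, "hu")
    os.makedirs(hu, exist_ok=True)
    open(os.path.join(base, "policy"), "ab").close()
    written = {}
    for local, blob in keys.items():
        path = os.path.join(hu, wkd_hash(local))
        with open(path, "wb") as f:
            f.write(blob)
        written[local] = path
    return written


if __name__ == "__main__":
    # Address from the WKD draft's own worked example.
    for k, v in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{k:9} {v}")
    # Constructed placeholder: a real tree holds `gpg --export <keyid>` output.
    with tempfile.TemporaryDirectory() as tmp:
        out = write_wkd_tree(tmp, {"Joe.Doe": b"\x99\x00\x00placeholder-binary-key"})
        for local, path in out.items():
            print(local, "->", os.path.relpath(path, tmp))
```

A client such as `gpg --auto-key-locate wkd --locate-keys user@example.org` resolves exactly these paths over HTTPS, so the repo-backed generator Ben and Sandro discuss only has to emit the `hu/<hash>` files and the `policy` file; the hashed filename is derived from the address alone and needs no keyserver round-trip.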