gpg keychain repo?

Harald Sitter sitter at kde.org
Thu Jul 1 13:17:22 BST 2021


On 01.07.21 09:14, Ben Cooksley wrote:
> On Thu, Jul 1, 2021 at 6:21 PM Sandro Knauß <sknauss at kde.org> wrote:
> 
>     Hi,
> 
> 
> Hi there,
> 
> 
>     it would be helpful to get the key reliably. But I think a repo is
>     not the best way to communicate gpg keys, as the whole gpg
>     infrastructure is not really made for this. I would not like to see
>     another way to communicate GPG keys.
> 
> 
>     In my mind I would recommend using WKD[0] to communicate keys with
>     the outside world. WKD would give a unique url to download a minified
>     version of a specific key. One disadvantage would be that it means
>     that everyone who signs a release would need a kde.org address (but I
>     expect this anyway for all of you who create signed tarballs) or
>     would need to set up WKD for their mail address.
>     But WKD is a protocol and does not mean that we need to set up WKS.
>     That's why we need a data source for WKD, and here we can use a gpg
>     repo. But that would be only an implementation detail and not needed
>     to communicate with the downstream. The additional advantage of WKD
>     is also that you can easily find the correct key to send encrypted
>     mails.
> 
> 
> Sorry but while that may be a reasonable assumption for the main module
> releases (Frameworks, Plasma and Gear) it is not for independently
> released applications.
> Many of these have release managers who do not hold a KDE.org address.
> 
> Also I note that this needs the keys somewhere anyway, so you are still
> going to be putting them in a repository as we need a way for people to
> do this on a reasonably self-service basis while still having a solid
> chain of trust around that - so WKD would be additional overhead (it has
> to be a repository because in general that is how you get things on KDE
> web infrastructure when it is static or run through a dynamic generator)

To be fair, dumping keys into a WKD tree is like one command, two if you
first have to import them into gpg I guess. Hardly qualifies as overhead ;)

This leads to an interesting question though. What would the file tree
look like in the repo anyway? Surely WKD wouldn't be all that neat as it
derives from the mail address. If you download the tar and sig the only
way to get to the mail address is by first getting the key, but to get
the key you need the mail address, but to get the mail address you need
the key...

Do distros have a preference here? I'm guessing fingerprint without
spaces would be easiest since that's what gpg --verify talks about.

./CB9387521E1EE0127DA804843FDBB55084CC5D84.pkr
./53E6B47B45CEA3E0D5B7457758D0EE648A48B3BB.pkr
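As an added illustration (not code from this thread), the two lookup paths under discussion in Python: the WKD URL gpg derives from a mail address (SHA-1 of the lowercased local part, z-base-32 encoded, per the WKD draft), and the fingerprint-named file that the `Primary key fingerprint:` line of `gpg --verify` would point at in the repo layout proposed above. The `.pkr` naming follows the listing above, the gpg output sample is constructed, and `Joe.Doe@Example.ORG` is the WKD draft's own example address.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet used by WKD (RFC 6189, section 5.1.6)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 (no-op for a 20-byte SHA-1 digest)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1 and z-base-32 encodes the digest."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD lookup URLs for a mail address."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # original-case local part, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


# Hypothetical repo layout from the mail above: one file per key, named by the full fingerprint.
FPR_RE = re.compile(r"Primary key fingerprint:\s*((?:[0-9A-F]{4}\s*){10})")


def key_filename_from_verify(gpg_verify_output: str) -> str:
    """Map the fingerprint printed by gpg --verify to the spaceless repo filename."""
    m = FPR_RE.search(gpg_verify_output)
    if not m:
        raise ValueError("no primary key fingerprint in gpg output")
    return re.sub(r"\s+", "", m.group(1)) + ".pkr"


# Constructed sample mimicking the fingerprint line gpg --verify prints
SAMPLE_VERIFY = (
    'gpg: Good signature from "Example Signer <signer@example.org>" [unknown]\n'
    "Primary key fingerprint: CB93 8752 1E1E E012 7DA8  0484 3FDB B550 84CC 5D84\n"
)
```

Because the fingerprint path needs no mail address at all, it resolves the circularity noted above; the WKD path only works once the signer's address is already known.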

