Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Hosting copies of the PGP public keys

X-seq: zsh-workers 46248
From: Phil Pennock <zsh-workers+phil.pennock@xxxxxxxxxxxx>
To: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
Subject: Re: Hosting copies of the PGP public keys
Date: Tue, 14 Jul 2020 20:59:37 -0400
Cc: zsh-workers@xxxxxxx
In-reply-to: <20200714184143.1aa13873@tarpaulin.shahaf.local2>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Openpgp: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc
References: <20200713181423.0b979d87@tarpaulin.shahaf.local2> <2041F3EE-7E01-4554-AAC3-C5452D192C18@dana.is> <20200714184143.1aa13873@tarpaulin.shahaf.local2>
Sender: zsh-workers@xxxxxxx

On 2020-07-14 at 18:41 +0000, Daniel Shahaf wrote:
> Incidentally, Phil recommended «gpg --dearmor Keys/*.asc | gpg --armor > zsh-keyring.asc»
> rather than plain «cat Keys/*.asc», but I don't know which of the two
> options is preferable.

Context for this: discussing expired keys, and pointing out that the
public keyserver system is ... not in good health. A couple of years
ago, <https://sks-keyservers.net/status/> would routinely list over 100
active servers in good health. Attacks on the system and spamming tools
have driven away volunteers (such as myself) and now we're down to 18
servers currently healthy.

Anyone here relying upon the keyservers would be well advised to look
for a plan B. My generic recommendation is to put files in the
directory layout needed to support "WKD", from the GnuPG developers.
It's more sane than "RSA4096 keys in DNS". You don't need to set up WKS
or the other stuff for email auto-updates, you just need tooling to put
the right content in the right place inside .well-known.
[footnote 1 is a plug]

As to the above recommendation: gpg should support both, I don't know
which other tools support reading multiple armored blocks from one file,
as opposed to one armored block. Generally a .asc file is a "keyring"
in some custom ASCII armoring. A keyring is just a raw sequence of PGP
packets, one after another. In a pinch, you can use `gpg
--list-packets` to look at a file (ASCII or raw) and use cut(1) with
binary offsets to slice and dice a raw PGP export. I've done this when
I had need to persuade a tool to temporarily ignore a revocation.

So it was more of a throw-away comment that --dearmor and --armor might
be marginally more portable to various tools which read stuff because
you end up with just one importable blob instead of N.

-Phil

[1] <https://github.com/PennockTech/openpgpkey-control> is how I manage
some sites; `other/standalone-update-website` within the repo is a
standalone tool which might be easier to integrate into other
workflows.

References:
- Hosting copies of the PGP public keys
  - From: Daniel Shahaf
- Re: Hosting copies of the PGP public keys
  - From: dana
- Re: Hosting copies of the PGP public keys
  - From: Daniel Shahaf

Messages sorted by: Reverse Date, Date, Thread, Author