zsh-workers
 help / color / mirror / code / Atom feed
* Hosting copies of the PGP public keys
@ 2020-07-13 18:14 Daniel Shahaf
  2020-07-14  8:17 ` Peter Stephenson
  2020-07-14 17:53 ` dana
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel Shahaf @ 2020-07-13 18:14 UTC (permalink / raw)
  To: zsh-workers

Phil points out that it would be useful for
http://zsh.sourceforge.net/Arc/source.html to carry not only the `gpg
--list-keys` output but also actual copies of the public keys, in
a format that can be imported by OpenPGP tools (e.g., «gpg --import»),
in order to let people retrieve keys without relying on the public
keyservers.

I propose that that the RMs add copies of their public keys to, say,
keys/{pws,danielsh,dana}.asc in the zsh-web.git repository (using «gpg
--armor --export $MyEmailAddress»), and then, as part of uploading
a release, we also `cat keys/*.asc` into a zsh-keyring.asc and upload it
to zsh.org.

WDYT?

Cheers,

Daniel

P.S.  Phil also mentioned WKD.  It's a federated way to auto-discover
public keys given an email address.  To be an option, the RMs would
need to add *@zsh.org addresses to their keys, and we'd need to serve
some files from https://openpgpkey.zsh.org/.  Details:
https://wiki.gnupg.org/WKDHosting#Publishing

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Hosting copies of the PGP public keys
  2020-07-13 18:14 Hosting copies of the PGP public keys Daniel Shahaf
@ 2020-07-14  8:17 ` Peter Stephenson
  2020-07-14 17:53 ` dana
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Stephenson @ 2020-07-14  8:17 UTC (permalink / raw)
  To: Daniel Shahaf, zsh-workers

> On 13 July 2020 at 19:14 Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> Phil points out that it would be useful for
> http://zsh.sourceforge.net/Arc/source.html to carry not only the `gpg
> --list-keys` output but also actual copies of the public keys, in
> a format that can be imported by OpenPGP tools (e.g., «gpg --import»),
> in order to let people retrieve keys without relying on the public
> keyservers.
> 
> I propose that that the RMs add copies of their public keys to, say,
> keys/{pws,danielsh,dana}.asc in the zsh-web.git repository (using «gpg
> --armor --export $MyEmailAddress»), and then, as part of uploading
> a release, we also `cat keys/*.asc` into a zsh-keyring.asc and upload it
> to zsh.org.

Sounds a reasonable procedure to me.

pws

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Hosting copies of the PGP public keys
  2020-07-13 18:14 Hosting copies of the PGP public keys Daniel Shahaf
  2020-07-14  8:17 ` Peter Stephenson
@ 2020-07-14 17:53 ` dana
  2020-07-14 18:41   ` Daniel Shahaf
  1 sibling, 1 reply; 5+ messages in thread
From: dana @ 2020-07-14 17:53 UTC (permalink / raw)
  To: Daniel Shahaf; +Cc: Zsh hackers list

On 13 Jul 2020, at 13:14, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> I propose that that the RMs add copies of their public keys to, say,
> keys/{pws,danielsh,dana}.asc in the zsh-web.git repository (using «gpg
> --armor --export $MyEmailAddress»), and then, as part of uploading
> a release, we also `cat keys/*.asc` into a zsh-keyring.asc and upload it
> to zsh.org.

That sounds good to me as well

dana


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Hosting copies of the PGP public keys
  2020-07-14 17:53 ` dana
@ 2020-07-14 18:41   ` Daniel Shahaf
  2020-07-15  0:59     ` Phil Pennock
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Shahaf @ 2020-07-14 18:41 UTC (permalink / raw)
  To: zsh-workers

dana wrote on Tue, 14 Jul 2020 12:53 -0500:
> On 13 Jul 2020, at 13:14, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > I propose that that the RMs add copies of their public keys to, say,  
> > keys/{pws,danielsh,dana}.asc in the zsh-web.git repository (using «gpg  
> > --armor --export $MyEmailAddress»), and then, as part of uploading
> > a release, we also `cat keys/*.asc` into a zsh-keyring.asc and upload it
> > to zsh.org.  
> 
> That sounds good to me as well

Let's make it happen, then.  I've added my key to zsh-web.git in a new
Keys/ directory and started updating Etc/creating-a-release.txt.  If you
guys have a minute to add your respective keys, we'll then be able to
upload and link to the keyring file.

Incidentally, Phil recommended «gpg --dearmor Keys/*.asc | gpg --armor > zsh-keyring.asc»
rather than plain «cat Keys/*.asc», but I don't know which of the two
options is preferable.

Cheers,

Daniel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Hosting copies of the PGP public keys
  2020-07-14 18:41   ` Daniel Shahaf
@ 2020-07-15  0:59     ` Phil Pennock
  0 siblings, 0 replies; 5+ messages in thread
From: Phil Pennock @ 2020-07-15  0:59 UTC (permalink / raw)
  To: Daniel Shahaf; +Cc: zsh-workers

On 2020-07-14 at 18:41 +0000, Daniel Shahaf wrote:
> Incidentally, Phil recommended «gpg --dearmor Keys/*.asc | gpg --armor > zsh-keyring.asc»
> rather than plain «cat Keys/*.asc», but I don't know which of the two
> options is preferable.

Context for this: discussing expired keys, and pointing out that the
public keyserver system is ... not in good health.  A couple of years
ago, <https://sks-keyservers.net/status/> would routinely list over 100
active servers in good health.  Attacks on the system and spamming tools
have driven away volunteers (such as myself) and now we're down to 18
servers currently healthy.

Anyone here relying upon the keyservers would be well advised to look
for a plan B.  My generic recommendation is to put files in the
directory layout needed to support "WKD", from the GnuPG developers.
It's more sane than "RSA4096 keys in DNS".  You don't need to set up WKS
or the other stuff for email auto-updates, you just need tooling to put
the right content in the right place inside .well-known.
[footnote 1 is a plug]


As to the above recommendation: gpg should support both, I don't know
which other tools support reading multiple armored blocks from one file,
as opposed to one armored block.  Generally a .asc file is a "keyring"
in some custom ASCII armoring.  A keyring is just a raw sequence of PGP
packets, one after another.  In a pinch, you can use `gpg
--list-packets` to look at a file (ASCII or raw) and use cut(1) with
binary offsets to slice and dice a raw PGP export.  I've done this when
I had need to persuade a tool to temporarily ignore a revocation.

So it was more of a throw-away comment that --dearmor and --armor might
be marginally more portable to various tools which read stuff because
you end up with just one importable blob instead of N.

-Phil

[1] <https://github.com/PennockTech/openpgpkey-control> is how I manage
    some sites; `other/standalone-update-website` within the repo is a
    standalone tool which might be easier to integrate into other
    workflows.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-07-15  1:00 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-13 18:14 Hosting copies of the PGP public keys Daniel Shahaf
2020-07-14  8:17 ` Peter Stephenson
2020-07-14 17:53 ` dana
2020-07-14 18:41   ` Daniel Shahaf
2020-07-15  0:59     ` Phil Pennock

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).