zsh-workers
From: Phil Pennock <zsh-workers+phil.pennock@spodhuis.org>
To: Daniel Shahaf <d.s@daniel.shahaf.name>
Cc: zsh-workers@zsh.org
Subject: Re: Hosting copies of the PGP public keys
Date: Tue, 14 Jul 2020 20:59:37 -0400
Message-ID: <20200715005937.GA6956@fullerene.field.pennock-tech.net>
In-Reply-To: <20200714184143.1aa13873@tarpaulin.shahaf.local2>

On 2020-07-14 at 18:41 +0000, Daniel Shahaf wrote:
> Incidentally, Phil recommended «gpg --dearmor Keys/*.asc | gpg --armor > zsh-keyring.asc»
> rather than plain «cat Keys/*.asc», but I don't know which of the two
> options is preferable.

Context for this: discussing expired keys, and pointing out that the
public keyserver system is ... not in good health.  A couple of years
ago, <https://sks-keyservers.net/status/> would routinely list over 100
active servers in good health.  Attacks on the system and spamming tools
have driven away volunteers (such as myself) and now we're down to 18
servers currently healthy.

Anyone here relying upon the keyservers would be well advised to look
for a plan B.  My generic recommendation is to put files in the
directory layout needed to support "WKD", from the GnuPG developers.
It's more sane than "RSA4096 keys in DNS".  You don't need to set up WKS
or the other stuff for email auto-updates, you just need tooling to put
the right content in the right place inside .well-known.
[footnote 1 is a plug]


As to the above recommendation: gpg should support both, I don't know
which other tools support reading multiple armored blocks from one file,
as opposed to one armored block.  Generally a .asc file is a "keyring"
in some custom ASCII armoring.  A keyring is just a raw sequence of PGP
packets, one after another.  In a pinch, you can use `gpg
--list-packets` to look at a file (ASCII or raw) and use cut(1) with
binary offsets to slice and dice a raw PGP export.  I've done this when
I had need to persuade a tool to temporarily ignore a revocation.

So it was more of a throw-away comment that --dearmor and --armor might
be marginally more portable to various tools which read stuff because
you end up with just one importable blob instead of N.

-Phil

[1] <https://github.com/PennockTech/openpgpkey-control> is how I manage
    some sites; `other/standalone-update-website` within the repo is a
    standalone tool which might be easier to integrate into other
    workflows.
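The WKD layout Phil points to above, worked through as an added example (not code from this post or from the openpgpkey-control repo): it derives the `hu/<hash>` file name and the direct/advanced fetch URLs for an address, then drops a binary (dearmored) key and the `policy` file under a web root. The address and the key bytes are constructed placeholders, not a real key.

```python
"""WKD file placement: SHA-1 of the lower-cased local part, z-base-32 encoded,
as the file name under .well-known/openpgpkey/hu/ (draft-koch-openpgp-webkey-service)."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import quote

# z-base-32 alphabet used by WKD (not the RFC 4648 base32 alphabet)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, no padding characters."""
    nbits = len(data) * 8
    bits = int.from_bytes(data, "big") << ((-nbits) % 5)  # pad to a 5-bit boundary
    nbits += (-nbits) % 5
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD maps the lower-cased local part through SHA-1 and z-base-32 (32 chars)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """URLs a WKD client fetches: 'direct' on the mail domain, 'advanced' on the
    openpgpkey. subdomain; the l= query keeps the local part's original spelling."""
    local, _, domain = address.rpartition("@")
    domain, h = domain.lower(), wkd_hash(local)
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={quote(local)}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={quote(local)}",
    }


def publish_key(webroot: Path, address: str, key: bytes) -> list:
    """Write a binary key and the required 'policy' file into the direct-method
    layout; returns the files created, relative to webroot (POSIX separators)."""
    if key.startswith(b"-----BEGIN PGP"):
        raise ValueError("WKD serves binary keys: dearmor the .asc export first")
    hu = webroot / ".well-known" / "openpgpkey" / "hu"
    hu.mkdir(parents=True, exist_ok=True)
    (hu.parent / "policy").touch()  # may be empty, but clients expect it to exist
    (hu / wkd_hash(address.rpartition("@")[0])).write_bytes(key)
    return sorted(p.relative_to(webroot).as_posix() for p in webroot.rglob("*") if p.is_file())


def demo() -> list:
    """Publish a constructed placeholder blob (NOT a real key) into a temp web root."""
    with tempfile.TemporaryDirectory() as d:
        return publish_key(Path(d), "Joe.Doe@example.org", b"constructed-placeholder-not-a-key")
```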
