List-Id: Zsh Workers List (zsh-workers@zsh.org)
X-Seq: 46248
Date: Tue, 14 Jul 2020 20:59:37 -0400
From: Phil Pennock
To: Daniel Shahaf
Cc: zsh-workers@zsh.org
Subject: Re: Hosting copies of the PGP public keys
Message-ID: <20200715005937.GA6956@fullerene.field.pennock-tech.net>
In-Reply-To: <20200714184143.1aa13873@tarpaulin.shahaf.local2>
References: <20200713181423.0b979d87@tarpaulin.shahaf.local2> <2041F3EE-7E01-4554-AAC3-C5452D192C18@dana.is> <20200714184143.1aa13873@tarpaulin.shahaf.local2>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc

On 2020-07-14 at 18:41 +0000, Daniel Shahaf wrote:
> Incidentally, Phil recommended «gpg --dearmor Keys/*.asc | gpg --armor >
> zsh-keyring.asc»
> rather than plain «cat Keys/*.asc», but I don't know which of the two
> options is preferable.

Context for this: discussing expired keys, and pointing out that the public keyserver system is ... not in good health. A couple of years ago, would routinely list over 100 active servers in good health. Attacks on the system and spamming tools have driven away volunteers (such as myself) and now we're down to 18 servers currently healthy. Anyone here relying upon the keyservers would be well advised to look for a plan B.

My generic recommendation is to put files in the directory layout needed to support "WKD", from the GnuPG developers. It's more sane than "RSA4096 keys in DNS". You don't need to set up WKS or the other stuff for email auto-updates, you just need tooling to put the right content in the right place inside .well-known. [footnote 1 is a plug]

As to the above recommendation: gpg should support both; I don't know which other tools support reading multiple armored blocks from one file, as opposed to one armored block. Generally a .asc file is a "keyring" in some custom ASCII armoring. A keyring is just a raw sequence of PGP packets, one after another. In a pinch, you can use `gpg --list-packets` to look at a file (ASCII or raw) and use cut(1) with binary offsets to slice and dice a raw PGP export. I've done this when I had need to persuade a tool to temporarily ignore a revocation.

So it was more of a throw-away comment that --dearmor and --armor might be marginally more portable to various tools which read stuff, because you end up with just one importable blob instead of N.

-Phil

[1] is how I manage some sites; `other/standalone-update-website` within the repo is a standalone tool which might be easier to integrate into other workflows.
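The two points in the mail above (N armored blocks from `cat Keys/*.asc` versus the single block that `gpg --dearmor Keys/*.asc | gpg --armor` produces, and publishing keys in the WKD `.well-known` layout) are shown below in an added example that is not part of the mail, the zsh project, or GnuPG. It re-implements the armor step by hand so the difference is visible: every block is base64 plus a CRC-24 trailer around a raw packet stream, and a keyring is just those streams back to back. The WKD part assumes the direct method from the GnuPG Web Key Directory draft: the key is served in binary (dearmored) form at `.well-known/openpgpkey/hu/<hash>`, where the hash is z-base-32 of SHA-1 over the lower-cased local part, with an empty `policy` file beside the `hu/` directory. The key payloads are constructed bytes, not real OpenPGP keys.

```python
"""Added example: hand-rolled equivalent of `gpg --dearmor | gpg --armor`
for a file holding several armored blocks, plus the WKD direct-method layout.
Payloads are constructed bytes, not real OpenPGP keys."""
import base64
import hashlib
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB       # RFC 4880 section 6.1
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"       # z-base-32 alphabet used by WKD
BLOCK = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(?P<body>.*?)-----END PGP PUBLIC KEY BLOCK-----",
    re.S,
)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (the '=XXXX' trailer line)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor_all(text: str) -> bytes:
    """Decode every armored block in `text` and concatenate the raw packet
    streams, checking each block's CRC-24 trailer when one is present.
    `cat Keys/*.asc` yields N such blocks; the result is one keyring."""
    raw = bytearray()
    for match in BLOCK.finditer(text):
        lines = match.group("body").splitlines()
        if "" in lines:  # armor headers (Version:, Comment:) end at the blank line
            lines = lines[lines.index("") + 1:]
        crc_lines = [line for line in lines if line.startswith("=")]
        payload = base64.b64decode(
            "".join(line for line in lines if line and not line.startswith("=")))
        if crc_lines:
            want = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
            if want != crc24(payload):
                raise ValueError("armor CRC-24 mismatch")
        raw += payload
    return bytes(raw)


def armor(raw: bytes) -> str:
    """Wrap one raw packet stream in a single armored block with a CRC-24 trailer."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{body}\n={crc}\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")


def merge_armored(text: str) -> str:
    """N armored blocks in, one armored block out: what --dearmor | --armor does."""
    return armor(dearmor_all(text))


def zbase32(data: bytes) -> str:
    """z-base-32 encoding (5-bit groups, final partial group zero-padded)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc, nbits = (acc << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 31])
    if nbits:
        out.append(ZBASE32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(address: str) -> str:
    """WKD user-id hash: z-base-32 of SHA-1 over the lower-cased local part."""
    local = address.partition("@")[0]
    return zbase32(hashlib.sha1(local.lower().encode()).digest())


def wkd_layout(address: str, raw_key: bytes) -> dict:
    """Files to publish for one address with the WKD direct method (assumed
    layout from the GnuPG WKD draft). `raw_key` must be binary, not armored,
    which is why a dearmor step belongs in the publishing tooling."""
    local, _, domain = address.partition("@")
    domain, h = domain.lower(), wkd_hash(address)
    files = {
        ".well-known/openpgpkey/policy": b"",
        f".well-known/openpgpkey/hu/{h}": raw_key,
    }
    return {"files": files,
            "url": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}"}


if __name__ == "__main__":
    # Constructed stand-ins for two exported keys (arbitrary bytes, not real keys).
    key_a, key_b = bytes(range(48)), b"\xc6\x01" + b"\x00" * 30
    concatenated = armor(key_a) + armor(key_b)   # what `cat Keys/*.asc` gives
    merged = merge_armored(concatenated)         # one importable blob instead of N
    print(concatenated.count("BEGIN PGP"), "blocks ->", merged.count("BEGIN PGP"), "block")
    print(wkd_layout("Joe.Doe@Example.ORG", key_a)["url"])
```

Running the file shows "2 blocks -> 1 block" and the direct-method URL for the constructed address. A real publishing script would feed each user's `gpg --export` output (binary) into `wkd_layout` and write the returned files under the web root; the CRC check in `dearmor_all` is there so a truncated or mangled `.asc` is rejected rather than silently imported short.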