From: Phil Pennock <zsh-workers+phil.pennock@spodhuis.org>
To: zsh-workers@zsh.org
Subject: Re: Posted zsh 5.9
Date: Mon, 16 May 2022 19:57:19 -0400
Message-ID: <YoLk30/vdg6yh4MP@fullerene.field.pennock-tech.net>
In-Reply-To: <20220514215010.GI13508@tarpaulin.shahaf.local2>

On 2022-05-14 at 21:50 +0000, Daniel Shahaf wrote:
> The intention is to have the public keys easily available to anyone who
> downloads the artifacts themselves, particularly as «gpg --keyserver foo
> --recv-key $fingerprint» isn't as reliable as it used to be.
> For zsh.org there's little question where to put the keyring file, as
> there's only one relevant directory.  Any reason not to upload
> zsh-keyring.asc to zsh.org/pub?

None that I can see.

Keys can be put into many places, as long as the deployment workflow
updates them all.

IMO the "correct" approach for the future is federated lookups, aka WKD
(in practice); this uses /.well-known/ to put keys into place in a
schema which gpg (and various email clients) can use to retrieve the
keys automatically with `--locate-keys`.  This can be done on
https://zsh.org/ or on https://openpgpkey.zsh.org/

Only works for keys with a UID in zsh.org.  But means that email clients
will automatically find the right keys without needing to go dig around
in various websites.

* https://wiki.gnupg.org/WKD walks through it
* https://wiki.gnupg.org/WKDHosting explains setup on the web-server

and of those, I'm obviously biased towards
<https://github.com/PennockTech/openpgpkey-control>; that layout is what
I use for some other domains, and `other/standalone-update-website`
within the repo has been successfully used by at least a few people in
updating contents as part of a general website build flow ... and is
probably the right path for zsh.org.  Feed it the keyring for
`--keys-file` and a directory top for the serving root for
`--output-dir` and it will write things into the right places.

With that, `gpg --locate-keys pdp@zsh.org` would work, and similarly for
any other key with a UID in zsh.org.
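The address-to-URL mapping that `gpg --locate-keys` performs for WKD, as an added example (not code from the zsh project or from the openpgpkey-control repository): the mail local-part is lowercased, SHA-1 hashed and z-base-32 encoded to give the file name under `/.well-known/openpgpkey/`, and a client tries the "advanced" location on an `openpgpkey.` subdomain before falling back to the "direct" one on the bare domain. This is the layout a publishing tool such as `standalone-update-website` has to write. The `Joe.Doe@Example.ORG` address is the worked example from the WKD draft; any other addresses are constructed inputs. Compare the output against `gpg-wks-client --print-wkd-url <address>`.

```python
"""Compute Web Key Directory (WKD) lookup URLs and publishing paths.

Added example, not code from the zsh project or from openpgpkey-control.
Implements the address mapping from draft-koch-openpgp-webkey-service:
lowercase the local-part, SHA-1 it, z-base-32 encode the digest.
Usage:  python3 wkd_paths.py pdp@zsh.org
"""
import base64
import hashlib
import sys
from urllib.parse import quote

# z-base-32 alphabet as used by GnuPG for WKD hashes.  RFC 4648 base32 groups
# bits identically, so a character translation of its output is enough.
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648, _ZBASE32)


def wkd_hash(local_part):
    """32-character WKD hash of a mail local-part; case is folded first."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, so no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def split_address(addr):
    """Return (local_part as written, domain lowercased)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mail address: %r" % addr)
    return local, domain.lower()


def wkd_urls(addr):
    """URLs a WKD client tries: 'advanced' (openpgpkey.<domain>) first, then 'direct'."""
    local, domain = split_address(addr)
    h = wkd_hash(local)
    # The query carries the original local-part (not lowercased), percent-encoded.
    q = "?l=" + quote(local, safe="")
    base_adv = "https://openpgpkey.%s/.well-known/openpgpkey/%s" % (domain, domain)
    base_dir = "https://%s/.well-known/openpgpkey" % domain
    return {
        "hash": h,
        "advanced": "%s/hu/%s%s" % (base_adv, h, q),
        "advanced_policy": "%s/policy" % base_adv,
        "direct": "%s/hu/%s%s" % (base_dir, h, q),
        "direct_policy": "%s/policy" % base_dir,
    }


def wkd_relative_paths(addr):
    """Paths (relative to the served document root) a publisher must write.

    The 'hu/<hash>' file holds the binary (not ASCII-armored) OpenPGP key with
    only the matching UID; the 'policy' file beside 'hu/' may be empty.
    """
    local, domain = split_address(addr)
    h = wkd_hash(local)
    return {
        "direct_key": ".well-known/openpgpkey/hu/%s" % h,
        "direct_policy": ".well-known/openpgpkey/policy",
        "advanced_key": ".well-known/openpgpkey/%s/hu/%s" % (domain, h),
        "advanced_policy": ".well-known/openpgpkey/%s/policy" % domain,
    }


if __name__ == "__main__":
    for address in sys.argv[1:] or ["Joe.Doe@Example.ORG"]:
        for name, value in wkd_urls(address).items():
            print("%-16s %s" % (name, value))
```

Because the hash covers only the local-part, the domain appears solely in the URL; a key for `pdp@zsh.org` is therefore found only if it is served from `zsh.org` or `openpgpkey.zsh.org`, which is why the email notes that WKD only works for UIDs in the domain being served.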


Thread overview: 18+ messages
2022-05-14 20:59 dana
2022-05-14 21:50 ` Daniel Shahaf
2022-05-14 21:58   ` Daniel Shahaf
2022-05-14 22:27   ` dana
2022-05-14 23:26     ` Daniel Shahaf
2022-05-14 23:28     ` Daniel Shahaf
2022-05-14 23:50       ` dana
2022-05-15 10:36         ` Daniel Shahaf
2022-05-15 21:43           ` dana
2022-05-16 23:57   ` Phil Pennock [this message]
2022-05-21  1:31     ` Daniel Shahaf
2022-05-14 22:11 ` Axel Beckert
2022-05-14 22:31   ` dana
2022-05-15  4:33     ` Bart Schaefer
2022-05-15  6:00       ` dana
2022-05-14 23:21   ` Daniel Shahaf
2022-05-14 23:35     ` Axel Beckert
2022-05-14 23:49       ` Daniel Shahaf
