Date: Mon, 16 May 2022 19:57:19 -0400
From: Phil Pennock
To: zsh-workers@zsh.org
Subject: Re: Posted zsh 5.9

On 2022-05-14 at 21:50 +0000, Daniel Shahaf wrote:
> The intention is to have the public keys easily available to anyone who
> downloads the artifacts themselves, particularly as «gpg --keyserver foo
> --recv-key $fingerprint» isn't as reliable as it used to be.
>
> For zsh.org there's little question where to put the keyring file, as
> there's only one relevant directory. Any reason not to upload
> zsh-keyring.asc to zsh.org/pub?

None that I can see. Keys can be put into many places, as long as the
deployment workflow updates them all.

IMO the "correct" approach for the future is federated lookups, aka WKD
(in practice); this uses /.well-known/ to put keys into place in a
schema which gpg (and various email clients) can use to retrieve the
keys automatically with `--locate-keys`.

This can be done on https://zsh.org/ or on https://openpgpkey.zsh.org/

Only works for keys with a UID in zsh.org. But means that email clients
will automatically find the right keys without needing to go dig around
in various websites.

 * https://wiki.gnupg.org/WKD walks through it
 * https://wiki.gnupg.org/WKDHosting explains setup on the web-server

and of those, I'm obviously biased towards ; that layout is what I use
for some other domains, and `other/standalone-update-website` within the
repo has been successfully used by at least a few people in updating
contents as part of a general website build flow ... and is probably the
right path for zsh.org. Feed it the keyring for `--keys-file` and a
directory top for the serving root for `--output-dir` and it will write
things into the right places.

With that, `gpg --locate-keys pdp@zsh.org` would work, and similarly for
any other key with a UID in zsh.org.
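
Where a WKD client would look for a key on the two hosts named in the message above, as an added example that is not part of the original message nor code from any project it mentions. The function names are hypothetical; the hash and path layout follow the Web Key Directory draft that the linked wiki pages describe.

```python
import base64
import hashlib
import string
from urllib.parse import quote

# WKD encodes the hash in z-base-32; map it from the RFC 4648 alphabet.
_TO_ZBASE32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "ybndrfg8ejkmcpqxot1uwisza345h769")
# Only ASCII upper-case is folded; non-ASCII characters stay unchanged.
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the ASCII-lowercased local part, z-base-32 encoded."""
    folded = local_part.translate(_ASCII_LOWER).encode("utf-8")
    digest = hashlib.sha1(folded).digest()
    # 20 bytes are exactly 32 base32 symbols, so there is no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_locations(address: str) -> dict:
    """Return lookup URLs and serving-root paths for one address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {address!r}")
    domain = domain.translate(_ASCII_LOWER)
    key = wkd_hash(local)
    # The unmodified local part is passed along as the 'l' parameter.
    query = "?l=" + quote(local, safe="")
    advanced = f".well-known/openpgpkey/{domain}"
    direct = ".well-known/openpgpkey"
    return {
        # Tried first: the dedicated openpgpkey.<domain> host.
        "advanced_url": f"https://openpgpkey.{domain}/{advanced}/hu/{key}{query}",
        # Fallback: the domain's own web server.
        "direct_url": f"https://{domain}/{direct}/hu/{key}{query}",
        # Files the web server has to serve, relative to its document root.
        "advanced_files": [f"{advanced}/policy", f"{advanced}/hu/{key}"],
        "direct_files": [f"{direct}/policy", f"{direct}/hu/{key}"],
    }


if __name__ == "__main__":
    # Address taken from the message; output shows where its key must live.
    for name, value in wkd_locations("pdp@zsh.org").items():
        print(f"{name}: {value}")
```

A deployment check can fetch both URLs and the `policy` file and compare the returned key's fingerprint against the keyring shipped with the release artifacts.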