From: Simon Josefsson via Gnulib discussion list <bug-gnulib@gnu.org>
To: bug-gnulib@gnu.org
Subject: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 11:38:27 +0200
Message-ID: <87y29sf65o.fsf@latte.josefsson.org>


Hi.  Our announce-gen contains:

  If that command fails because you don't have the required public key,
  then run this command to import it:
  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id

Given recent OpenPGP key server issues, that doesn't work reliably any
more, and behaves differently for different GnuPG versions.  What should we
recommend instead?  Werner Koch said:

https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html

I like WKD, but not all of us have published their OpenPGP key there, and
some may never be able to (it requires that you can put a file on your
e-mail domain's https server).  Still, I think it is the best long-term
solution.

How about the patch below?  It is not meant to be committed, but to start
discussion.

I think we should do more than the patch.  The OpenPGP web of trust
seems to be under attack and is not as usable any more.

Our announcements don't contain the full OpenPGP key fingerprint,
which they should.

The release announcement could include hash checksums of the files too.

Some of us publish our OpenPGP keys at an https URL, and including that
link in the announcement would also help.  That could point to the
Savannah PGP page, but I think few of us keep that maintained and the
URL looks horrible.

Maybe we should involve the ftp-upload@gnu.org people.  Having the
OpenPGP key database they use be published on gnu.org would help.

Let's discuss and see what we can do.

/Simon

diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index daa478c8e..a696bff89 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -549,7 +549,12 @@ then run this command to import it:
 
   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
 
-and rerun the 'gpg --verify' command.
+You may also try other key servers such as keyserver.ubuntu.com or
+pgp.mit.edu.  With newer GnuPG versions you may use the following
+command to download and refresh any expired key:
+
+  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
+
 EOF
 
   my @tool_versions = get_tool_versions (\@tool_list, $gnulib_version);
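Review bot: the hunk removes the existing "and rerun the 'gpg --verify' command." sentence without replacing it, so after the new paragraph the reader is no longer told to re-run the verification once the key has been fetched; keep that sentence after the WKD command. The example `gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org` hard-codes one maintainer's address into a template every project's announcement is generated from; since the script already carries `$gpg_key_id`, and WKD locates keys by e-mail address rather than key id, the address should come from a variable (for instance the signer's user id) rather than a literal. Also, the text now lists keys.gnupg.net, keyserver.ubuntu.com and pgp.mit.edu without saying which one to try first, although the accompanying mail points out that key server behaviour differs between GnuPG versions; a short ordering ("try WKD first, then a key server") would make the instructions less ambiguous.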

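The mail argues that announcements should carry the full key fingerprint rather than only a key id. As an added example (not code from announce-gen or from the original mail), the script below shows how a downloader would use such a fingerprint: it parses the machine-readable `gpg --status-fd` output and accepts a signature only when the VALIDSIG fingerprint equals the pinned value, regardless of which key a key server returned. The fingerprints, key id and status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the signing key's full fingerprint when verifying a
# release signature.  All fingerprints and status lines are constructed.

# Run gpg in machine-readable mode: gpg_verify_status SIGFILE FILE
gpg_verify_status() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null
}

# Normalise a fingerprint as printed by gpg: drop spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeed only when STATUS (gpg --status-fd output) contains a VALIDSIG
# line whose signing-key ($3) or primary-key ($12) fingerprint equals
# the pinned fingerprint.  Field layout of a VALIDSIG status line:
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo>
#            <hashalgo> <class> <primary-fpr>
validsig_matches() {
    status=$1
    want=$(norm_fpr "$2")
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed status output: the signature was made by a subkey, and the
# primary key fingerprint is the last VALIDSIG field.  TRUST_UNDEFINED
# shows why pinning matters: gpg reports the signature as valid even when
# the key has no web-of-trust path, so the fingerprint check is the
# decision that counts.
SAMPLE_STATUS=$(cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAA0000AAAA0000 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 2021-07-27 1627378707 0 4 0 22 10 00 B1D2E3F4B1D2E3F4B1D2E3F4B1D2E3F4B1D2E3F4
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
)

# Usage: ./verify-release.sh TARBALL TARBALL.sig "B1D2 E3F4 ... (40 hex)"
if [ "$#" -eq 3 ]; then
    status=$(gpg_verify_status "$2" "$1") || { echo "gpg failed" >&2; exit 1; }
    if validsig_matches "$status" "$3"; then
        echo "signature OK and made by the pinned key"
    else
        echo "signature not made by the pinned key" >&2; exit 1
    fi
fi
```

Because the check compares full 40-hex-digit fingerprints, a key with a colliding short or long key id fetched from a key server is rejected.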
