From: Jim Meyering
Date: Tue, 27 Jul 2021 18:57:15 -0700
Subject: Re: announce-gen and OpenPGP key servers
To: Simon Josefsson
Cc: bug-gnulib@gnu.org

On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion list wrote:
> Hi. Our announce-gen contains:
>
>   If that command fails because you don't have the required public key,
>   then run this command to import it:
>
>     gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behaves differently for different GnuPG versions. What should we
> recommend instead? Werner Koch said:
>
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
>
> I like WKD, but not all of us have published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domain's https server). Still, I think it is the best long-term
> solution.
>
> How about the patch below? It is not meant to be committed, but to start
> discussion.
>
> I think we should do more than the patch. The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
>
> Our announcements don't contain the full OpenPGP key fingerprint,
> which they should.
>
> The release announcement could include hash checksums of the files too.
>
> Some of us publish our OpenPGP keys at an https URL, and including that
> link in the announcement would also help. That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
>
> Maybe we should involve the ftp-upload@gnu.org people. Having the
> OpenPGP key database they use be published on gnu.org would help.
>
> Let's discuss and see what we can do.
>
> /Simon
>
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it:
>
>    gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> -and rerun the 'gpg --verify' command.
> +You may also try other key servers such as keyserver.ubuntu.com or
> +pgp.mit.edu. With newer GnuPG versions you may use the following
> +command to download and refresh any expired key:
> +
> +  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org

I've just run that, and it failed like this:

  gpg: error retrieving 'simon@josefsson.org' via WKD: General error

I too agree. We must make changes to improve matters. I was rather
dismayed to see recently how hard it was to find a usable keyserver.

Feel free to make the script generate a full fingerprint and even (though
it feels a little like giving up) add a checksum or two.
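Review bot: the hunk removes "-and rerun the 'gpg --verify' command." and none of the added lines restores it, so an announcement generated from this template stops telling the reader to re-run verification once the key has been imported; keep that sentence after the new `gpg --auto-key-locate` line. On the added lines themselves, `--locate-key simon@josefsson.org` hard-codes one maintainer's address into a template that every announce-gen user generates from, while the surrounding text parameterizes the key as `$gpg_key_id`, and the reply above shows that exact command failing with "error retrieving 'simon@josefsson.org' via WKD: General error", so it should not be presented as the path for newer GnuPG versions. Finally, neither the extra key servers nor the WKD lookup binds whatever key gets fetched to `$gpg_key_id`, which the message itself names as the gap (announcements lack the full fingerprint); have the template print the full fingerprint and ask the reader to compare it with `gpg --fingerprint $gpg_key_id` before trusting `gpg --verify`.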
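As an added example (the editor's, not code from announce-gen, gnulib or anyone in this thread), the following script shows what the thread is circling: once key servers cannot be relied on, the thing an announcement must carry is the signer's full fingerprint, and the reader's check must pin to it no matter where the key came from (WKD, a key server, an https URL), then confirm that the signature was made by that pinned primary key and that the tarball matches a published checksum. It assumes GnuPG 2.x is on PATH as `gpg`, that `sha256sum` (or macOS `shasum`) exists, and that the announcement carries a 40-hex-digit fingerprint and a SHA-256 line. The `SIGNER_EMAIL` argument is hypothetical (announce-gen only has `$gpg_key_id`), the hkps key server is the one the patch suggests, and the colon-listing and `--status-fd` layouts follow GnuPG's doc/DETAILS.

```sh
#!/bin/sh
# Added example by the editor, not code from announce-gen or from this thread.
# Assumptions: GnuPG 2.x is on PATH as 'gpg'; sha256sum (or macOS 'shasum') is
# available; the announcement carries the signer's full 40-hex-digit OpenPGP
# fingerprint and a SHA-256 line for the tarball.  Colon-format and status-fd
# line layouts follow GnuPG's doc/DETAILS.

# Normalize a fingerprint as printed in an announcement ("ABCD 1234 ..." or
# lowercase) to 40 uppercase hex digits with no whitespace.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read 'gpg --with-colons' output on stdin and print primary-key fingerprints
# only: the 'fpr' record that follows a 'pub' record (field 10).  Subkey
# fingerprints (those after 'sub') are skipped so a matching subkey hanging
# off some other key cannot satisfy the pin.
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed iff the keyring listing on stdin contains a primary key whose full
# fingerprint equals $1.
fpr_matches() {
    expected=$(norm_fpr "$1")
    primary_fprs_from_colons | grep -qx "$expected"
}

# SHA-256 of a file as lowercase hex; sha256sum on GNU systems, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed iff file $2 hashes to the announced digest $1 (either case accepted).
checksum_matches() {
    [ "$(sha256_of "$2")" = "$(printf '%s' "$1" | tr 'A-F' 'a-f')" ]
}

# End-to-end check a reader could run from an announcement:
#   verify_release TARBALL TARBALL.sig PINNED_FPR SHA256 SIGNER_EMAIL
# SIGNER_EMAIL is a hypothetical extra field used only for WKD; announce-gen
# provides $gpg_key_id today.  The key server is the one the patch suggests.
verify_release() {
    tarball=$1; sig=$2; pin=$(norm_fpr "$3"); sum=$4; email=$5

    # Fetch only if the pinned key is absent: WKD first, then a key server,
    # requesting by full fingerprint rather than by a short key ID.
    if ! gpg --batch --with-colons --fingerprint "$pin" 2>/dev/null | fpr_matches "$pin"; then
        gpg --batch --auto-key-locate clear,wkd,nodefault --locate-keys "$email" >/dev/null 2>&1 ||
        gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$pin" >/dev/null 2>&1 ||
        true
    fi

    # Whatever the source, refuse to continue unless the pinned primary key
    # is now in the keyring.
    gpg --batch --with-colons --fingerprint "$pin" 2>/dev/null | fpr_matches "$pin" ||
        { echo "pinned key $pin is not in the keyring" >&2; return 2; }

    checksum_matches "$sum" "$tarball" ||
        { echo "SHA-256 mismatch for $tarball" >&2; return 3; }

    # --status-fd gives machine-readable results; VALIDSIG's last field is the
    # primary-key fingerprint, so this checks the signature came from the pinned
    # key and not merely from some key that happens to be in the keyring.
    gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .* $pin\$" ||
        { echo "signature on $tarball is not from $pin" >&2; return 4; }
}
```

A reader would call it as `verify_release foo-1.0.tar.xz foo-1.0.tar.xz.sig "$FPR" "$SHA256" maintainer@example.org` with the values copied from the announcement (names hypothetical). The point of parsing the colon listing and the VALIDSIG line rather than eyeballing `gpg --verify` output is that a "Good signature" message only says some key in the keyring signed the file; the pin is what ties that key to the announcement.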