From: Tanguy LE CARROUR <tanguy@bioneland.org>
To: "Ludovic Courtès" <ludo@gnu.org>,
"Philip McGrath" <philip@philipmcgrath.com>
Cc: guix-devel@gnu.org
Subject: Re: Finding a “good” OpenPGP key server
Date: Mon, 02 May 2022 09:21:43 +0200 [thread overview]
Message-ID: <165147610382.2266.1877773176182189615@localhost> (raw)
In-Reply-To: <38fcdec1-290a-4d7b-3736-bb6947525c2e@philipmcgrath.com>
Hi Philip,
Quoting Philip McGrath (2022-04-29 21:11:41)
> On 4/18/22 16:24, Ludovic Courtès wrote:
> > Hi,
> >
> > Tanguy LE CARROUR <tanguy@bioneland.org> skribis:
> >
> >> gpgv: Signature made Wed 16 Sep 2020 22:30:16 CEST
> >> gpgv: using RSA key 6115012DEA3026F62A98A556D6B570842F7E7F8D
> >> gpgv: Can't check signature: No public key
> >> Would you like to add this key to keyring '/home/tanguy/.config/guix/upstream/trustedkeys.kbx'?
> >> yes
> >> gpg: keyserver receive failed: No data
> >
> > This indicates that ‘guix refresh’ failed to download the relevant GPG
> > key from the default key server, the one that appears in
> > ~/.gnupg/dirmngr.conf (if it exists).
> >
> > That’s unfortunately often the case these days. :-/ This key appears to
> > be on keys.openpgp.org, but it lacks a “user ID” packet and so gpg
> > ignores it (for no good reason):
> >
> > --8<---------------cut here---------------start------------->8---
> > $ gpg --no-default-keyring --keyring /home/ludo/.config/guix/upstream/trustedkeys.kbx --keyserver keys.openpgp.org --recv-keys 6115012DEA3026F62A98A556D6B570842F7E7F8D
> > gpg: key D6B570842F7E7F8D: no user ID
> > gpg: Total number processed: 1
> > $ gpg --no-default-keyring --keyring /home/ludo/.config/guix/upstream/trustedkeys.kbx --list-keys 6115012DEA3026F62A98A556D6B570842F7E7F8D
> > gpg: error reading key: No public key
> > --8<---------------cut here---------------end--------------->8---
> >
> > I’m not sure what a good solution is (other than looking for the key
> > manually on Savannah or on some random key server).
> >
>
> Many distributions of GnuPG include a patch to handle keys without “user
> ID” packets.[1] In fact, it may well be *most* distributions: Debian,
> Fedora, Nix, OpenSUSE[2], and at least one commonly-recommended
> installation option for Mac. Debian packagers have argued [3]:
>
> > I think GnuPG's inability to receive these
> > kinds of cryptographic updates to OpenPGP certificates that it knows
> > about is at core a security risk (it makes it more likely that users
> > will use a revoked key; or will be unable to use any key at all, and
> > will send plaintext).
>
> Unfortunately, the upstream GnuPG maintainer has rejected the patch, I
> guess because strict conformance to the OpenPGP standards requires user
> ids.[4]
>
> I am by no means an expert on PGP or GPG issues, but I'd be in favor of
> Guix adopting this patch.
>
> -Philip
>
> [1]: https://keys.openpgp.org/about/faq#older-gnupg
> [2]: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2
> [3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665#10
> [4]: https://dev.gnupg.org/T4393#133689
Oh… thank you so much for your answer! Looks like the proper way to go!
I'll try to update GnuPG package definition to integrate one or several
of those patches.
Or maybe we should first figure out it this is the right thing to do?!
Guix, thoughts!?
Regards,
--
Tanguy
next prev parent reply other threads:[~2022-05-02 7:23 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-11 8:17 Error updating gnurl Tanguy LE CARROUR
2022-04-18 20:24 ` Finding a “good” OpenPGP key server Ludovic Courtès
2022-04-21 17:15 ` Tanguy LE CARROUR
2022-04-28 7:35 ` Ludovic Courtès
2022-04-29 19:11 ` Philip McGrath
2022-05-02 7:21 ` Tanguy LE CARROUR [this message]
2022-05-23 14:43 ` Ludovic Courtès
2022-05-23 16:19 ` Maxime Devos
2022-05-30 15:34 ` Ludovic Courtès
2022-05-31 7:55 ` Tanguy LE CARROUR
2022-05-31 8:44 ` Maxime Devos
2022-06-01 16:31 ` Ludovic Courtès
2022-05-31 15:09 ` Vagrant Cascadian
2022-05-31 17:44 ` zimoun
2022-06-01 16:32 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=165147610382.2266.1877773176182189615@localhost \
--to=tanguy@bioneland.org \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
--cc=philip@philipmcgrath.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).