Hello,

One solution would be to download the keyring from and verify the
signature in the following way:

  $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz

Cheers,
Alex

dftxbs3e@free.fr writes:

> Hello,
>
> SKS keyservers are currently under attack
> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
> the attack can cause a GPG client to freeze completely and mess the
> GPG installation completely.
>
> I suggest GNU Guix proposes another way of importing the GPG keys so
> that users will not suffer from this problem.
>
> There's another, newer, keyserver, proposed in this gist, that is run
> by new software that doesn't suffer from this attack. See:
> https://keys.openpgp.org/about/news#2019-06-12-launch
>
> However, that keyserver is not replicated. You could either use that
> one or simply offer a download of the key over TLS with verification
> against installed CAs, as secure as this can get.
>
> Regards
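
The keyring-based check suggested in the reply, as an added example that is not part of the original thread or of Guix: it verifies against the downloaded keyring only, in a throwaway GnuPG home with key retrieval disabled so no keyserver is contacted, and then pins the signer, since a keyring holding more than one key lets any of them produce a good signature. The function names and the expected-fingerprint argument are assumptions; the fingerprint must come from a trusted channel.

```shell
#!/bin/sh
# Added example: offline signature check against a downloaded keyring.
# Function names are hypothetical; the expected fingerprint is supplied
# by the caller and is not taken from the page.

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint (last field of VALIDSIG). Fails unless there is exactly
# one VALIDSIG line.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; fpr = $NF }
         END { if (n == 1) print fpr; else exit 1 }'
}

# verify_offline KEYRING SIG FILE EXPECTED_FPR
# KEYRING must contain a slash (e.g. ./gnu-keyring.gpg); otherwise gpg
# looks for it inside the home directory.
verify_offline() {
    keyring=$1
    sig=$2
    file=$3
    expected=$4

    # Empty temporary home: the user's own keyring and config are never
    # read or modified.
    home=$(mktemp -d) || return 2
    status=$(gpg --batch --homedir "$home" \
                 --no-default-keyring --keyring "$keyring" \
                 --no-auto-key-retrieve \
                 --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    rc=$?
    rm -rf "$home"

    [ "$rc" -eq 0 ] || return 1
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status) || return 1
    # A cryptographically good signature is accepted only from the
    # expected key.
    [ "$fpr" = "$expected" ]
}

# Run the check when called with the four arguments.
if [ "$#" -eq 4 ]; then
    verify_offline "$@"
fi
```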