On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion list <bug-gnulib@gnu.org> wrote:
> Hi. Our announce-gen contains:
>
> If that command fails because you don't have the required public key,
> then run this command to import it:
>
>   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behaves differently for different GnuPG versions. What should we
> recommend instead? Werner Koch said:
>
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
>
> I like WKD, but not all of us have published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domain's https server). Still, I think it is the best long-term
> solution.
>
> How about the patch below? It is not meant to be committed, but to start
> discussion.
>
> I think we should do more than the patch. The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
>
> Our announcements don't contain the full OpenPGP key fingerprint,
> which they should.
>
> The release announcement could include hash checksums of the files too.
>
> Some of us publish our OpenPGP keys at an https URL, and including that
> link in the announcement would also help. That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
>
> Maybe we should involve the ftp-upl...@gnu.org people. Having the
> OpenPGP key database they use be published on gnu.org would help.
>
> Let's discuss and see what we can do.
>
> /Simon
>
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it: > > gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id > > -and rerun the 'gpg --verify' command. > +You may also try other key servers such as keyserver.ubuntu.com or > +pgp.mit.edu. With newer GnuPG versions you may use the following > +command to download and refresh any expired key: > + > + gpg --auto-key-locate=clear,wkd,nodefault --locate-key si...@josefsson.org
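Review bot: the added `--locate-key` line hard-codes a single address (si...@josefsson.org) where the line just above it uses `$gpg_key_id`; announce-gen runs for many packages, so the address must come from a per-package variable (the signer's e-mail or key id), or every generated announcement will point readers at one maintainer's key. Two further points on this hunk: the removed line `-and rerun the 'gpg --verify' command.` is not re-added anywhere in the visible lines, so readers are no longer told to re-run the verification after importing the key; and recommending keyserver.ubuntu.com or pgp.mit.edu as fallbacks for a `--recv-keys $gpg_key_id` fetch lets a reader import whatever key a server returns for that id, so the text should tell them to compare the imported key's full fingerprint against the one in the announcement, which (as the message itself notes) the announcements do not yet include.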
I've just run that, and it failed like this:

  gpg: error retrieving 'si...@josefsson.org' via WKD: General error

I too agree. We must make changes to improve matters. I was rather
dismayed to see recently how hard it was to find a usable keyserver.

Feel free to make the script generate a full fingerprint and even
(though it feels a little like giving up) add a checksum or two.
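As an added example, not code from this thread or from gnulib's announce-gen: a POSIX shell sketch of the verification section both messages ask for, carrying the signing key's full fingerprint and SHA-256 checksums of the release files. It assumes sha256sum or shasum is installed; the function names, the fingerprint value and the file names are hypothetical.

```shell
# Added example (not from the thread or from announce-gen): build the
# verification section of a release announcement with the signer's full
# OpenPGP fingerprint and SHA-256 checksums of the release files.
# Assumes sha256sum or shasum is installed; all names are hypothetical.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeed only for a full 160-bit (40 hex digit) v4 fingerprint. A short
# or long key id is not enough to pin a key fetched from a key server.
is_full_fingerprint() {
    fpr=$(norm_fpr "$1")
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ]
}

# Print the SHA-256 digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verification_section FINGERPRINT FILE...  -> announcement text on stdout
verification_section() {
    fpr=$(norm_fpr "$1"); shift
    is_full_fingerprint "$fpr" || {
        echo "verification_section: need a full 40-digit fingerprint" >&2
        return 1
    }
    echo "Here are the SHA256 checksums:"
    echo
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")"
    done
    echo
    echo "Use a .sig file to verify that the corresponding file (without the"
    echo ".sig suffix) is intact. After importing the key, make sure its full"
    echo "fingerprint matches the one below before trusting the signature:"
    echo
    echo "  gpg --fingerprint $fpr"
}
```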