distributing pubkeys: autocrypt, hagrid, WKD
Wiktor Kwapisiewicz
wiktor at metacode.biz
Tue Jul 2 22:37:31 CEST 2019
Hi Konstantin,

On 02.07.2019 21:40, Konstantin Ryabitsev wrote:
> Most subkey changes that I am aware of are not due to people's old
> subkeys expiring, but because they add new ones for reasons like
> migrating between smartcard solutions or just being nerdy and picking a
> new ECC-based subkey.
>
> When this happens, a maintainer who tries to verify a signed pull
> request will have the operation fail, so they need to have a way to
> force-refresh the developer's key.

Do you mean something simpler than [0]:

    gpg --auto-key-locate clear,wkd,nodefault --locate-key torvalds@kernel.org

?

Trying key lookup over WKD if the subkey is missing locally (but primary
key is present) would be a good idea. I've seen some really weird errors
in that case [1].

If the primary key used short expiration [2] the refresh would be
automatic but not many people like to prolong expirations every couple
of months.

Kind regards,
Wiktor

[0]: https://dev.gnupg.org/T2917#115978
[1]: https://www.reddit.com/r/tails/comments/9rchgi/tails_3101_error_cant_check_signature_no_public/
[2]: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/

--
https://metacode.biz/@wiktor
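
The fallback discussed in the message above (retry the lookup over WKD when verification fails because a subkey is missing locally), as an added example that is not part of the original post and not GnuPG's own code. The function names are hypothetical, and the pinned primary-key fingerprint argument is an assumption added here so that a key fetched over WKD is accepted only if it belongs to the primary key the maintainer already trusts.

```shell
#!/bin/sh
# Added example. Status-line layouts follow GnuPG's doc/DETAILS.

# Print the ID of the key gpg could not find, reading --status-fd lines on stdin.
# In an ERRSIG line the reason code is awk field $8; 9 means "missing public key".
missing_key_id() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "NO_PUBKEY" || ($2 == "ERRSIG" && $8 == "9") { print $3; found = 1; exit }
         END { exit !found }'
}

# Print the primary-key fingerprint (last VALIDSIG field) of a good signature.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { exit !found }'
}

# verify_with_wkd_refresh EMAIL PRIMARY_FPR SIGFILE [DATAFILE]
# Verify once; if that fails only because a (sub)key is missing, refresh the
# developer's key over WKD and verify again.
verify_with_wkd_refresh() {
    local email fpr status keyid
    email=$1; fpr=$2; shift 2
    status=$(gpg --batch --status-fd 1 --verify "$@" 2>/dev/null)
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '; then
        # Any other failure (bad signature, unsupported algorithm) is final.
        keyid=$(printf '%s\n' "$status" | missing_key_id) || return 1
        echo "key $keyid not in keyring; refreshing $email over WKD" >&2
        # The refresh command from the post (--locate-keys is the full option name).
        gpg --batch --auto-key-locate clear,wkd,nodefault \
            --locate-keys "$email" >/dev/null 2>&1 || return 1
        status=$(gpg --batch --status-fd 1 --verify "$@" 2>/dev/null)
    fi
    # Accept only a signature that chains to the pinned primary key, so the
    # WKD fetch can add subkeys but cannot substitute a different key.
    [ "$(printf '%s\n' "$status" | validsig_primary_fpr)" = "$fpr" ]
}
```

Because the refresh runs only on a missing-key status and the result is checked against the pinned fingerprint, a compromised or misconfigured WKD host can at worst cause verification to fail.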
More information about the Gnupg-users mailing list