distributing pubkeys: autocrypt, hagrid, WKD
Werner Koch
wk at gnupg.org
Wed Jul 3 09:21:20 CEST 2019
On Tue, 2 Jul 2019 15:40, konstantin at linuxfoundation.org said:
> When this happens, a maintainer who tries to verify a signed pull
> request will have the operation fail, so they need to have a way to
> force-refresh the developer's key. I would say this is the #1 workflow
Agreed. A signature carries only the fingerprint of the then unknown
subkey without any information on the primary key. Thus an automated
lookup is not possible.
But wait, if --sender has been used or due to other reasons the Signer's
UID is included in the keyring, we could do a lookup via the user-id to
see whether the signature has been made by a new subkey. The
--auto-key-retrieve code already has respective code but we need to change
the order from where a key is fetched.
And yes, an easier to remember command to forcefully update a key would
be very useful. I have
  gpg --search-key MAILADDRESS
for that in mind. See https://dev.gnupg.org/T4599
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
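
Added example, not part of the original message and not GnuPG code: a minimal parser for a v4 OpenPGP signature packet body that extracts the Issuer Fingerprint, Issuer Key ID and Signer's User ID subpackets and reports which kind of key lookup those hints permit. The sample packet, its placeholder fingerprint, the address dev@example.org and the helper names (lookup_strategy, sample_body) are constructed for illustration.

```python
ISSUER_KEYID, SIGNERS_UID, ISSUER_FPR = 16, 28, 33  # RFC 4880 types; 33 is from RFC 9580

def subpackets(area):
    """Yield (type, data) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255 and i < len(area):      # two-octet length form
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                            # five-octet length form
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]   # mask off the critical bit
        i += n

def signature_hints(body):
    """Return the signer hints carried in a v4 signature packet body."""
    if len(body) < 4 or body[0] != 4:
        raise ValueError("expected a v4 signature packet body")
    hints = {"fingerprint": None, "keyid": None, "signer_uid": None}
    pos = 4                      # skip version, sig type, pubkey algo, hash algo
    for _ in range(2):           # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if end > len(body):
            raise ValueError("truncated subpacket area")
        for typ, data in subpackets(body[pos + 2:end]):
            if typ == ISSUER_FPR and len(data) > 1:
                hints["fingerprint"] = data[1:].hex().upper()  # data[0]: key version
            elif typ == ISSUER_KEYID:
                hints["keyid"] = data.hex().upper()
            elif typ == SIGNERS_UID:
                hints["signer_uid"] = data.decode("utf-8", "replace")
        pos = end
    return hints

def lookup_strategy(hints):
    """Hypothetical helper: which key lookup the signature alone allows."""
    if hints["signer_uid"]:
        return "by-user-id"      # a mail address is available for the lookup
    return "by-subkey-id" if hints["fingerprint"] or hints["keyid"] else "none"

def sample_body(with_uid):
    """Constructed v4 signature body: placeholder fingerprint, MPIs omitted."""
    sp = lambda typ, data: bytes([len(data) + 1, typ]) + data
    fpr = bytes.fromhex("AB" * 20)
    uid = sp(SIGNERS_UID, b"dev@example.org") if with_uid else b""
    areas = (sp(ISSUER_FPR, b"\x04" + fpr) + uid, sp(ISSUER_KEYID, fpr[-8:]))
    framed = b"".join(len(a).to_bytes(2, "big") + a for a in areas)
    return bytes([4, 0, 22, 10]) + framed + b"\x00\x00"
```

Nothing in the parsed fields names the primary key: without the Signer's User ID subpacket, the only handle is the fingerprint or key ID of the signing subkey.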