Questions re auto-key-locate
Konstantin Ryabitsev
konstantin at linuxfoundation.org
Tue Feb 15 23:01:29 CET 2022
On Tue, Feb 15, 2022 at 12:32:50PM -0800, Dan Mahoney (Gushi) via Gnupg-users wrote:
> Thus, using that as a prefetch method to grab the current version of our
> codesign@ key into our keyring is not helpful either, unless we "faked it"
> by attempting to encrypt a message to that address, then discarded it.
>
> Is there another way forward? The normal things for auto-key-locate don't
> seem to help here. I'm open to ideas.
Hi, Dan:
Any reason you want to stick with auto-locating keys instead of just
maintaining a keyring for verification purposes?
If you do want to keep using DANE, you can "gpg --auto-key-locate dane
--locate-keys codesign@whatnot" to build your pubring, e.g. (using wkd):
$ export GNUPGHOME=$(mktemp -d)
$ gpg --auto-key-locate wkd --locate-keys torvalds@kernel.org gregkh@kernel.org
We now have a $GNUPGHOME/pubring.kbx containing the keys we can use for
verification. At some point in the past I wrote the following script that
makes use of this exact approach:
https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball
-K
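An added example of the approach Konstantin describes, not his get-verified-tarball script: build a throwaway GNUPGHOME via WKD, then pin the expected fingerprint before verifying, since WKD returns whatever the domain currently serves. It assumes gpg is installed, the address is WKD-resolvable, and the caller supplies the fingerprint to pin.

```shell
#!/bin/sh
# Added example (not from the list post). Builds an isolated keyring with
# --auto-key-locate wkd --locate-keys, pins a primary-key fingerprint, and
# verifies a detached signature against that keyring only.

# Extract primary-key fingerprints from `gpg --with-colons` output on stdin.
# An "fpr" record right after "pub" is the primary key; one after "sub" is a
# subkey and is skipped, so only primary fingerprints are pinned.
fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Create a temporary GNUPGHOME and fetch keys for the given addresses via WKD,
# as the post does. Prints the new GNUPGHOME path on success.
build_keyring() {
    home=$(mktemp -d) || return 1
    GNUPGHOME="$home" gpg --batch --quiet --auto-key-locate wkd \
        --locate-keys "$@" >/dev/null 2>&1 || { rm -rf "$home"; return 1; }
    printf '%s\n' "$home"
}

# Succeed only if the pinned fingerprint is a primary key in the keyring.
keyring_has_fpr() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys 2>/dev/null \
        | fprs_from_colons | grep -qx "$2"
}

# Verify a detached signature and require that the VALIDSIG status line names
# the pinned fingerprint (its last field is the primary-key fingerprint).
verify_with_keyring() {
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .* $2\$"
}

# Usage: sh thisfile.sh <address> <expected-primary-fingerprint> <sig> <file>
if [ $# -eq 4 ]; then
    home=$(build_keyring "$1") || { echo "could not locate key for $1" >&2; exit 1; }
    keyring_has_fpr "$home" "$2" || { echo "pinned fingerprint not found" >&2; exit 1; }
    verify_with_keyring "$home" "$2" "$3" "$4" && echo "verified with pinned key"
fi
```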