WKD: returns only one pubkey (and why)
Werner Koch
wk at gnupg.org
Fri Jan 27 10:23:48 CET 2023
Hi!
Just a quick note:
> Currently I'm using the text below, which recommends 'gpg
> --locate-external-key' as the preferred mechanism and normally that uses
> WKD and will try to refresh the key from the server (otherwise people
> get old cached keys from local key storage). I like the simplicity and
You may also include the key in the signature:
gpg -sabvu commit --include-key </etc/motd >motd.asc
and then advise to use
gpg --verify --auto-key-import -v motd.asc /etc/motd
However, auto-key-import will only import the key if it is not yet there.
It won't update a key. These options are available since gnupg 2.2.20.
FWIW, I recently had to build gcc and I have found no way to validate
the key of Jakub. No key signatures are available and I have found nowhere
a listing of fingerprints - not even on the Red Hat site, which only lists
product keys. If even I am not able to figure this out, how shall we
bootstrap our software ecosystem in a somewhat secure way? How does
Debian verify that a gcc update is pristine - a private exchange of keys
with Jakub?
--locate-external-key does not help either because it relies on the very
same mechanism we anyway use to download the source (i.e. TLS).
Salam-Shalom,
Werner
p.s.
gcc is just one of a myriad of examples; sorry for picking its author
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
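The --include-key / --auto-key-import workflow from the mail above, as an added example that is not part of the original message and not code from the GnuPG project. It walks through the whole exchange with two throwaway keyrings: the signer embeds its public key in a detached signature, a verifier that has never seen the key imports it via --auto-key-import, and a later signature made after the signer changed the key (a new user ID) verifies fine but does NOT refresh the already-present key, which is the caveat Werner states. It assumes gnupg >= 2.2.20 on PATH; the key, the user IDs "Example Signer <signer@example.invalid>" / "<new@example.invalid>", the function names g and demo_include_key and the signed file are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail or from GnuPG itself):
# `--include-key` on the signer side, `--auto-key-import` on the verifier
# side, and the caveat that auto-key-import imports a missing key but does
# not update a key that is already in the keyring.
# Assumption: gnupg >= 2.2.20 on PATH. All keys, user IDs and files below are
# throwaway values constructed here.

# Shorthand: run gpg non-interactively inside a given homedir.
g() { hd=$1; shift; gpg --homedir "$hd" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"; }

demo_include_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    work=$(mktemp -d) || return 1
    signer="$work/signer"; verif="$work/verifier"
    mkdir -p "$signer" "$verif" && chmod 700 "$signer" "$verif" || return 1
    printf 'Welcome to the build host.\n' > "$work/motd"   # constructed payload

    # 1. Signer: throwaway key, then a detached signature with the key embedded
    #    (the --include-key step from the mail).
    g "$signer" --quick-generate-key 'Example Signer <signer@example.invalid>' \
        default default never || return 1
    fpr=$(gpg --homedir "$signer" --batch --with-colons --list-keys \
          | awk -F: '/^fpr/ {print $10; exit}')
    g "$signer" --local-user "$fpr" -sab --include-key \
        -o "$work/motd.asc" "$work/motd" || return 1

    # 2. Verifier has never seen the key: plain --verify must fail ...
    g "$verif" --verify "$work/motd.asc" "$work/motd" 2>/dev/null && return 1
    # ... while --auto-key-import imports the embedded key and then verifies.
    g "$verif" --auto-key-import --verify "$work/motd.asc" "$work/motd" 2>/dev/null || return 1
    gpg --homedir "$verif" --batch --with-colons --list-keys "$fpr" \
        | grep -q '^uid:.*signer@example.invalid' || return 1

    # 3. Signer changes the key (adds a user ID) and signs again with --include-key.
    g "$signer" --quick-add-uid "$fpr" 'Example Signer <new@example.invalid>' || return 1
    g "$signer" --local-user "$fpr" -sab --include-key \
        -o "$work/motd2.asc" "$work/motd" || return 1

    # 4. Verifier: the new signature verifies, but the existing key is NOT
    #    refreshed; the new user ID is absent from the verifier's keyring.
    g "$verif" --auto-key-import --verify "$work/motd2.asc" "$work/motd" 2>/dev/null || return 1
    gpg --homedir "$verif" --batch --with-colons --list-keys "$fpr" \
        | grep -q 'new@example.invalid' && return 1

    # 5. An update has to come through another channel (WKD via
    #    --locate-external-key, or, as here, an explicit export/import).
    gpg --homedir "$signer" --batch --armor --export "$fpr" \
        | gpg --homedir "$verif" --batch --quiet --import 2>/dev/null || return 1
    gpg --homedir "$verif" --batch --with-colons --list-keys "$fpr" \
        | grep -q 'new@example.invalid' || return 1

    # Clean up the throwaway agents and homedirs.
    gpgconf --homedir "$signer" --kill all 2>/dev/null
    gpgconf --homedir "$verif" --kill all 2>/dev/null
    rm -rf "$work"
    echo "ok: --auto-key-import imported the key once; later key changes were not picked up"
}

demo_include_key
```

The point of step 4 is the one to remember when writing installation instructions: --auto-key-import gets a first-time user a key, but anyone who already has an older copy (revoked subkey, expired self-signature, new UID) keeps it until they refresh from WKD or a keyserver, so the verify one-liner should not be sold as a key-update mechanism.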