? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

Alexandre Oliveira xinayder at airmail.cc
Wed Dec 28 17:04:23 CET 2016

On 28/12/2016 08:43, Miroslav Rovis wrote:
> It's a different topic, but it might have the unreliability of
> keyservers for its justification:
> The fact that Github, since this outgoing year, accepts gpg signing only
> if you post your public key to their servers.
> Or does it? Is it more like Github wants to collect and control?
> I know it was possible to:
> $ cd <your git project>
> $ git tag <version> -s
> $ git push --tags
> and all was there, signed and verifiable for everybody, without the need
> to have previously posted your own public key to github.com. Up until
> just last year, IIRC.
> Any ideas for true reasons behind that move? And is it an improvement,
> or quite the contrary?

Until this year there was no way to verify the signature of commits and
releases through the GitHub website, so they created a "kind of"
keyserver in their own server to manage users' public keys.

Alexandre Oliveira
  167F D82F 514A E8D1 2E9E
  C62D 1B63 9D4A 7E9D DA9D
