? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
Alexandre Oliveira
xinayder at airmail.cc
Wed Dec 28 17:04:23 CET 2016
On 28/12/2016 08:43, Miroslav Rovis wrote:
>
> It's a different topic, but it might have the unreliability of
> keyservers for its justification:
>
> The fact that Github, since this outgoing year, accepts gpg signing only
> if you post your public key to their servers.
>
> Or does it? Is it more like Github wants to collect and control?
>
> I know it was possible to:
>
> $ cd <your git project>
> $ git tag <version> -s
> $ git push --tags
>
> and all was there, signed and verifiable for everybody, without the need
> to have previously posted your own public key to github.com. Up until
> just last year, IIRC.
>
> Any ideas for true reasons behind that move? And is it an improvement,
> or quite the contrary?
>
Until this year there was no way to verify the signature of commits and
releases through the GitHub website, so they created a "kind of"
keyserver in their own server to manage users' public keys.
--
Alexandre Oliveira
167F D82F 514A E8D1 2E9E
C62D 1B63 9D4A 7E9D DA9D