? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
miro.rovis at croatiafidelis.hr
Tue Jan 31 00:42:22 CET 2017
I'm reviving this end-of-last-year thread, because...
On 161228-15:42+0100, NdK wrote:
> Il 28/12/2016 13:28, Miroslav Rovis ha scritto:
> >> The fact that Github, since this outgoing year, accepts gpg signing only
> >> if you post your public key to their servers.
> I can't say for sure, but maybe that's so they can have an
> "attestation key" to use for verifying signatures, without expensive WoT
> checks. By loading your key, you're certifying it's yours. But it won't
> actually give any more assurance of "you is you" than your credentials
> (against GitHub): if someone steals your credentials, he can replace
> your pub key and sign new commits in your name. They're using GPG just
> as a frontend for signatures using self-signed certificates.
Notice this line below:
> BTW nothing prevents you from uploading your key to the keyservers and
> participate in the WoT -- that's the only thing that could assure who
> clones your repo that *you* signed those commits.
It may not have been used by a repo that I'm interested in on github.
> > Just some quick links in connection, for the less familiar.
> > For users (like me):
> > https://help.github.com/categories/gpg/
It's this repo, where the latest two tags are PGP-signed:
They are signed with the key below, and no matter how I tried:
gpg --keyserver hkp://pgp.mit.edu --recv-key CECC45E1E979013C
gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C
it appears that key is not on the usual keyservers. (Because I can get
other keys, but not that one. Is it uploaded only to github? Wrong, IMO,
if that is the case, and I'll open an issue with the repo to tell them
Can anybody check if maybe they can get that key from the keyservers?
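The situation in the post (a signed tag whose signing key is nowhere in your keyring) shows up in gpg's machine-readable status lines as ERRSIG followed by NO_PUBKEY, and `git verify-tag --raw` passes those lines straight through on stderr. The script below is an added example, not code from the gnupg-users thread or from any project mentioned in it. It parses those status lines, distinguishes "good signature" from "good signature by a key nobody has validated" (the distinction NdK makes above, visible as GOODSIG plus TRUST_UNDEFINED), and for the missing-key case emits the `gpg --recv-keys` invocations to try against the two keyservers named in the post. The status samples, fingerprint, user ID and keyserver list are constructed for the example; only the key ID CECC45E1E979013C comes from the post.

```python
"""Triage gpg --status-fd output behind `git verify-tag` / `gpg --verify`.

Added example, not from the gnupg-users post. Handles one signature per
tag; the sample status texts below are constructed, not captured.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Keyservers the post tried; order here is an assumption for the fetch plan.
DEFAULT_KEYSERVERS = ["hkp://pgp.mit.edu", "hkp://pool.sks-keyservers.net"]


@dataclass
class SigVerdict:
    status: str                        # good|bad|missing_key|expired_key|revoked_key|error|no_signature
    key_id: Optional[str] = None       # long key ID from GOODSIG/BADSIG/ERRSIG/NO_PUBKEY
    fingerprint: Optional[str] = None  # full fingerprint from VALIDSIG
    signer: Optional[str] = None       # user ID string gpg printed with the verdict
    trust: Optional[str] = None        # UNDEFINED/NEVER/MARGINAL/FULLY/ULTIMATE from TRUST_*


def parse_gpg_status(status_text: str) -> SigVerdict:
    """Parse status lines (as printed by `git verify-tag --raw`) for one signature."""
    v = SigVerdict(status="no_signature")
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                            # plain human-readable stderr, skip
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "NEWSIG":
            v = SigVerdict(status="error")      # a signature packet exists; outcome unknown so far
        elif kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG"):
            v.status = {"GOODSIG": "good", "EXPKEYSIG": "expired_key",
                        "REVKEYSIG": "revoked_key", "BADSIG": "bad"}[kw]
            v.key_id, v.signer = args[0], " ".join(args[1:])
        elif kw == "ERRSIG":
            v.status, v.key_id = "error", args[0]   # args[5] is rc; 9 means no public key
        elif kw == "NO_PUBKEY":
            v.status, v.key_id = "missing_key", args[0]
        elif kw == "VALIDSIG":
            v.fingerprint = args[0]
        elif kw.startswith("TRUST_"):
            v.trust = kw[len("TRUST_"):]        # WoT validity of the signing key, not of the signature
    return v


def fetch_commands(v: SigVerdict, keyservers: List[str] = DEFAULT_KEYSERVERS) -> List[List[str]]:
    """gpg argv lists to try, in order, when the signing key is absent from the keyring."""
    if v.status != "missing_key" or not v.key_id:
        return []
    return [["gpg", "--keyserver", ks, "--recv-keys", v.key_id] for ks in keyservers]


def explain(v: SigVerdict) -> str:
    """One-line reading that keeps 'valid signature' apart from 'validated signer'."""
    if v.status == "good":
        if v.trust in ("FULLY", "ULTIMATE"):
            return f"good signature by {v.signer}; key validated through your web of trust"
        return (f"good signature by {v.signer}; key {v.key_id} is NOT validated (trust={v.trust}), "
                f"so this only proves that whoever holds that key signed the tag")
    if v.status == "missing_key":
        return f"signature by key {v.key_id}, which is not in your keyring; fetch it before judging"
    if v.status == "bad":
        return f"BAD signature claiming key {v.key_id}; do not use this tag"
    return f"verification result: {v.status} (key {v.key_id})"


def verify_tag(tag: str, repo: str = ".") -> SigVerdict:
    """Run `git verify-tag --raw` in a real checkout; gpg's status lines arrive on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stderr)


# Constructed samples of what `git verify-tag --raw` prints in each case.
MISSING_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CECC45E1E979013C 1 8 00 1485734400 9
[GNUPG:] NO_PUBKEY CECC45E1E979013C
"""
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-01-30 1485734400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>
"""

if __name__ == "__main__":
    for sample in (MISSING_KEY_STATUS, GOOD_STATUS, BAD_STATUS):
        verdict = parse_gpg_status(sample)
        print(explain(verdict))
        for argv in fetch_commands(verdict):
            print("  try:", " ".join(argv))
```

Against a real checkout, `verify_tag("v1.2.3", "/path/to/clone")` gives the same verdict object; a "good" verdict with trust UNDEFINED is exactly the case NdK describes: the tag was signed by the key you fetched, but nothing ties that key to the person without a WoT path or an out-of-band fingerprint check.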