distributing pubkeys: autocrypt, hagrid, WKD

Wiktor Kwapisiewicz wiktor at metacode.biz
Tue Jul 2 22:37:31 CEST 2019

Hi Konstantin,

On 02.07.2019 21:40, Konstantin Ryabitsev wrote:
> Most subkey changes that I am aware of are not due to people's old 
> subkeys expiring, but because they add new ones for reasons like 
> migrating between smartcard solutions or just being nerdy and picking a 
> new ECC-based subkey.
> When this happens, a maintainer who tries to verify a signed pull 
> request will have the operation fail, so they need to have a way to 
> force-refresh the developer's key.

Do you mean something simpler than [0]:

gpg --auto-key-locate clear,wkd,nodefault --locate-key torvalds@kernel.org


Trying key lookup over WKD if the subkey is missing locally (but primary 
key is present) would be a good idea. I've seen some really weird errors 
in that case [1].

If the primary key used short expiration [2] the refresh would be 
automatic but not many people like to prolong expirations every couple 
of months.

Kind regards,

[0]: https://dev.gnupg.org/T2917#115978