What is Werner's key? (Or - who signs gnupg-announce mails?)
K. M. Peterson
kmp.lists+gpgusers at gmail.com
Sat Mar 22 22:16:38 CET 2025
Hi all,
I apologize in advance is this is somehow naive or ignorant. I've been
using PGP/GPG for nearly 30 years, but haven't had a need to build
expertise past the point of casual use.
I'm primarily a macOS user, and I'm running the GPGTools variant of GnuPG.
I am still somewhat unclear about and sadly unaware of the current state of
the world of keyservers; though I know that GPGTools has standardized on
keys.openpgp.org and that there's been some discussion around that.
While the gnupg-announce emails cover where/how to verify the artifacts
from the project, the emails themselves I receive seem to be signed by a
key that I'm unable to either verify nor add to my keyring to trust. In
particular, my client informs me that the mail is signed by a key with
fingerprint 0x8777461F2A074EBC480D359419CC1C9E085B107A - but I can't find
that on any of the keyservers that I can access.
I'd be very happy to read up if there's an answer to this involving some
element of the structure of GPG keys that I haven't gotten to understand
(e.g., subkeys and their relationships to the "primary" key?) but
effectively I'm just looking for the shortest path to get rid of the
verification error in my client - though I wouldn't necessarily plan to
fully trust that identity. I think I'm clearly missing something, but I
don't know what.
(I'm not signing this message as I use Gmail for subscribing to most
mailing lists, though my keys should be available via WKS as well as at
least some subset of the keyserver web as kmp-gpgkey at kmp.name.)
Thanks, and again I'm sorry if this should have been an RTFM moment.
_KMP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250322/7a4d8520/attachment.html>
More information about the Gnupg-users
mailing list