What is Werner's key? (Or - who signs gnupg-announce mails?)
Frank Guthausen
fg.gnupg at shimps.de
Sun Mar 23 18:07:31 CET 2025
On Sat, 22 Mar 2025 17:16:38 -0400
"K. M. Peterson via Gnupg-users" <gnupg-users at gnupg.org> wrote:
>
> I am still somewhat unclear about and sadly unaware of the current
> state of the world of keyservers;
The keyserver concept is broken since there were some
attacks in the past, and there are GDPR issues, too. A
modified setup is still available, but WKD is an alternative
and some users' keys are here and some there.
> While the gnupg-announce emails cover where/how to verify the
> artifacts from the project, the emails themselves I receive seem to
> be signed by a key that I'm unable to either verify or add to my
> keyring to trust. In particular, my client informs me that the mail
> is signed by a key with fingerprint
> 0x8777461F2A074EBC480D359419CC1C9E085B107A - but I can't find that on
> any of the keyservers that I can access.
This seems to be Werner's key, but it is the fingerprint of
a subkey. The key is AFAIK not on a keyserver but it should
be available via WKD:
$ gpg -v --auto-key-locate clear,wkd,nodefault --locate-external-keys wk@gnupg.org
Once Werner's key is imported or updated, it should show up:
$ gpg --list-keys --with-fingerprint --with-fingerprint | grep -B2 "8777 461F 2A07 4EBC 480D 3594 19CC 1C9E 085B 107A"
The option for the fingerprint is invoked twice.
--
kind regards
Frank
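
The subkey-to-primary lookup described in the message above, as an added example that is not part of the original post: instead of grepping the human-readable listing, it parses GnuPG's `--with-colons` output and reports which primary key owns a given fingerprint. The function names and the sample listing (fingerprints, user ID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the primary key that owns a fingerprint, which may
# belong to a subkey, from a `gpg --with-colons` listing read on stdin.

# owner_of_fpr FINGERPRINT
# Prints "<primary-fingerprint> primary|subkey"; returns 1 if not found.
owner_of_fpr() {
    # Accept "0x..." and space-grouped forms as mail clients display them.
    want=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        # pub/sec open a new primary key; sub/ssb open one of its subkeys.
        $1 == "pub" || $1 == "sec" { ctx = "primary"; next }
        $1 == "sub" || $1 == "ssb" { ctx = "subkey";  next }
        # An fpr record (fingerprint in field 10) describes the preceding key.
        $1 == "fpr" {
            if (ctx == "primary") primary = $10
            if ($10 == want) { print primary, ctx; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listing: one primary key with one signing subkey.
sample_listing() {
    cat <<'EOF'
pub:-:255:22:1111111111111111:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Signer <signer@example.org>::::::::::0:
sub:-:255:22:2222222222222222:1700000000::::::s:::::ed25519::
fpr:::::::::2222222222222222222222222222222222222222:
EOF
}

# Demo on the constructed data: the queried fingerprint is a subkey.
sample_listing | owner_of_fpr "0x2222222222222222222222222222222222222222"
```

Against a real keyring, feed it `gpg --list-keys --with-colons --with-fingerprint --with-fingerprint` and pass the fingerprint the mail client reported; a result ending in `subkey` means the first field is the primary key fingerprint to check and certify.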