On Fri, 8 Apr 2022, ckeader wrote:
The key server network as we knew it is dead and buried, and I would not expect any of them to provide complete or indeed reliable information. This article explains why: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f. There was some discussion at the time over on gnupg-users also.
This was facinating reading, and I was not aware of any of it before. Unfortunately, I have not figured out how to follow its advice yet.
Everything related to OpenPGP is extremely obtuse with massive amounts of documentation.
OpenSSH 8 and later offer a facility which allows validating a file's origin and integrity given a certificate (see https://www.agwa.name/blog/post/ssh_signatures). I gave this a try and it was remarkably simple. It is several orders of magnitude less complex than OpenPGP and many people use OpenSSH. Unfortunately, not all systems have OpenSSH 8 yet (or will ever have OpenSSH). Another issue is that users could be confused by ".sig" files and won't know if they should use OpenSSH or gpg to validate with them without looking at the content.
Providing the signer's pub keys on a (secured) web site seems to be the best option for now.
I have been using several mechanisms, including an insecure URL link as is shown in my email signature text.
An important question has not been asked yet, IMHO - why are maintainers using this relatively obscure method for hashing?
Yes, this is very obscure and it defeats the purpose, which should be to encourage verification.
Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
