On Sun, Mar 13, 2022, at 09:10, Simon Josefsson wrote:
> Darshit Shah <[email protected]> writes:
>
>> + --gpg-keyring-url=URL URL pointing to the GnuPG Keyring containing
>> + the key used to sign the tarballs
> ...
>> If that command fails because you don't have the required public key,
>> then run this command to import it:
>>
>> - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>> + wget -q -O- '$gpg_keyring_url' | gpg --import -
>
> Hi. I agree this part of announce-gen is sub-optimal. There were
> earlier discussions about solutions:
>
> https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242
>
> My first reaction was that we should use something like that instead,
> and not your patch. However given how unreliable the GnuPG parameters
> (different version compatibility, and some reports about bugs) are wrt
> to key servers, I prefer your approach to mention a URL in the
> announcement instead of suggesting --recv-keys or some variant of
> --locate-external-keys. This also makes it much easier for anyone not
> using GnuPG to locate the OpenPGP key.
>
> Do you have push access to gnulib, or do you want me to polish up the
> patch and push it?
I don't have push access to gnulib, so could you please push it for me?
