guix-devel

Re: Suggest another way of importing GNU Guix GPG key


From: Alex Vong
Subject: Re: Suggest another way of importing GNU Guix GPG key
Date: Sun, 30 Jun 2019 05:40:33 +0800
User-agent: mu4e 1.2.0; emacs 26.2

Hello,

One solution would be to download the keyring from
<https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
the following way:

  $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz

Cheers,
Alex

address@hidden writes:

> Hello,
>
> SKS keyservers are currently under attack
> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) - 
> the attack can cause a GPG client to freeze completely and mess the
> GPG installation completely.
>
> I suggest GNU Guix proposes another way of importing the GPG keys so
> that users will not suffer from this problem.
>
> There's another, newer, keyserver, proposed in this gist, that is run
> by new software that doesn't suffer from this attack. See:
> https://keys.openpgp.org/about/news#2019-06-12-launch
>
> However, that keyserver is not replicated. You could either use that
> one or simply offer a download of the key over TLS with verification
> against installed CAs, as secure as this can get.
>
> Regards

Attachment: signature.asc
Description: PGP signature
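
The keyring check suggested in the message above, extended as an added example (not part of the original thread or of the Guix project's instructions): gnu-keyring.gpg holds the keys of many GNU maintainers, so this sketch also pins the expected signer. It uses gpgv, which never contacts a keyserver, and parses GnuPG's --status-fd output; the function names are hypothetical and EXPECTED_FPR is a placeholder whose real value must come from a trusted source.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# status_ok_for FPR
# Reads GnuPG --status-fd lines on stdin. Succeeds only if there is a GOODSIG,
# a VALIDSIG whose signing-key or primary-key fingerprint equals FPR, and no
# bad, errored, expired or revoked signature status.
status_ok_for() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit (good && pinned && !bad) ? 0 : 1 }'
}

# verify_pinned KEYRING SIG FILE FPR
# gpgv checks SIG over FILE using only KEYRING. Give KEYRING with a path
# (for example ./gnu-keyring.gpg); a bare name is looked up in the GnuPG home.
verify_pinned() {
    [ "$#" -eq 4 ] || { echo "usage: verify_pinned KEYRING SIG FILE FPR" >&2; return 2; }
    gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null | status_ok_for "$4"
}

# Usage, with a placeholder fingerprint (not a real value):
#   EXPECTED_FPR='<fingerprint obtained from a trusted source>'
#   verify_pinned ./gnu-keyring.gpg guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz "$EXPECTED_FPR" \
#       && echo "signature OK and made by the pinned key"
```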

