[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Finding a “good” OpenPGP key server
From: |
Tanguy LE CARROUR |
Subject: |
Re: Finding a “good” OpenPGP key server |
Date: |
Thu, 21 Apr 2022 19:15:33 +0200 |
User-agent: |
alot/0.10 |
Hi Ludo’,
Thanks for updating the topic! :-)
Quoting Ludovic Courtès (2022-04-18 22:24:00)
> Tanguy LE CARROUR <tanguy@bioneland.org> skribis:
>
> > $ ./pre-inst-env guix refresh -u gnurl
> >
> > Starting download of /tmp/guix-file.NqJa4t
> > From https://ftpmirror.gnu.org/gnu/gnunet/gnurl-7.72.0.tar.gz...
> > following redirection to
> > `https://mirrors.ocf.berkeley.edu/gnu/gnunet/gnurl-7.72.0.tar.gz'...
> > …2.0.tar.gz 3.3MiB 3.1MiB/s 00:01 [##################]
> > 100.0%
> >
> > Starting download of /tmp/guix-file.VXn0IS
> > From https://ftpmirror.gnu.org/gnu/gnunet/gnurl-7.72.0.tar.gz.sig...
> > following redirection to
> > `https://mirrors.ocf.berkeley.edu/gnu/gnunet/gnurl-7.72.0.tar.gz.sig'...
> > …0.tar.gz.sig 833B 654KiB/s 00:00 [##################]
> > 100.0%
> > gpgv: Signature made Wed 16 Sep 2020 22:30:16 CEST
> > gpgv: using RSA key 6115012DEA3026F62A98A556D6B570842F7E7F8D
> > gpgv: Can't check signature: No public key
> > Would you like to add this key to keyring
> > '/home/tanguy/.config/guix/upstream/trustedkeys.kbx'?
> > yes
> > gpg: keyserver receive failed: No data
>
> This indicates that ‘guix refresh’ failed to download the relevant GPG
> key from the default key server, the one that appears in
> ~/.gnupg/dirmngr.conf (if it exists).
>
> That’s unfortunately often the case these days. :-/ This key appears to
> be on keys.openpgp.org, but it lacks a “user ID” packet and so gpg
> ignores it (for no good reason):
>
> --8<---------------cut here---------------start------------->8---
> $ gpg --no-default-keyring --keyring
> /home/ludo/.config/guix/upstream/trustedkeys.kbx --keyserver keys.openpgp.org
> --recv-keys 6115012DEA3026F62A98A556D6B570842F7E7F8D
> gpg: key D6B570842F7E7F8D: no user ID
> gpg: Total number processed: 1
> $ gpg --no-default-keyring --keyring
> /home/ludo/.config/guix/upstream/trustedkeys.kbx --list-keys
> 6115012DEA3026F62A98A556D6B570842F7E7F8D
> gpg: error reading key: No public key
> --8<---------------cut here---------------end--------------->8---
>
> I’m not sure what a good solution is (other than looking for the key
> manually on Savannah or on some random key server).
Sorry it took me so long to answer!
Actually, Nikita answered this question on a thread on GNUnet's mailing list:
https://lists.gnu.org/archive/html/gnunet-developers/2022-04/msg00030.html
The end of the discussion is off list. The key used to
sign the package is deprecated and not to be used any more/any where.
The proper solution should come from GNUnet, but maybe, we could bypass
the key verification in Guix. Or, I could clone the repo, claim
ownership and sign a new package myself. But that doesn't look like a
good/fair solution to me! Thoughts?!
Regards,
--
Tanguy