GnuPG distribution key with no trust
Hello,

is there a reason why the new software distribution key for GnuPG (
0x528897B826403ADA ) comes with no chain of trust at all? It does not
have any signature from any preceding key.

Past distribution keys like 0x53B620D01CE0C630 had signatures from other
keys you might have trusted like e.g. 0x5DE249965B0358A2

This makes it virtually impossible to build any trust in this new
distribution key.

Not signing such an important key with its predecessor is a severe
neglect of trust IMHO.

Thanks

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG distribution key with no trust
On Mon, 31 May 2021 21:08, mailinglisten--- said:
> Hello,
>
> is there a reason why the new software distribution key for GnuPG (
> 0x528897B826403ADA ) comes with no chain of trust at all? It does not
> have any signature from any preceding key.

I see

pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
      6DAA6E64A76D2840571B4902528897B826403ADA
uid           [ full ] Werner Koch (dist signing 2020)
sig!3        528897B826403ADA 2020-08-24  Werner Koch (dist signing 2020)
sig!         249B39D24F25E3B6 2020-08-24  Werner Koch (dist sig)
sig!         63113AE866587D0A 2020-08-24  wk@gnupg.org
sig!         E3FDFF218E45B72B 2020-08-24  Werner Koch (wheatstone commit signing)

But you are right, the distributed key (gnupg tarball, website) has the
key signatures removed. The problem is that you won't receive any key
signature from the usual keyserver.

I'll see that we can update the keys on the web and in gnupg. The above
mentioned key with all key sigs is attached.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: GnuPG distribution key with no trust
On 10.06.21 at 21:33, Werner Koch wrote:
> On Mon, 31 May 2021 21:08, mailinglisten--- said:
>> Hello,
>>
>> is there a reason why the new software distribution key for GnuPG (
>> 0x528897B826403ADA ) comes with no chain of trust at all? It does not
>> have any signature from any preceding key.
>
> I see
>
> pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
>       6DAA6E64A76D2840571B4902528897B826403ADA
> uid           [ full ] Werner Koch (dist signing 2020)
> sig!3        528897B826403ADA 2020-08-24  Werner Koch (dist signing 2020)
> sig!         249B39D24F25E3B6 2020-08-24  Werner Koch (dist sig)
> sig!         63113AE866587D0A 2020-08-24  wk@gnupg.org
> sig!         E3FDFF218E45B72B 2020-08-24  Werner Koch (wheatstone commit signing)
>
> But you are right, the distributed key (gnupg tarball, website) has the
> key signatures removed. The problem is that you won't receive any key
> signature from the usual keyserver.
>
> I'll see that we can update the keys on the web and in gnupg. The above
> mentioned key with all key sigs is attached.

Indeed, the keyserver issue is a real pain that probably won't go away
soon... Lucky to have your own hosted web site or mail provider
supporting WKD...

Thanks for all efforts!
regards
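
Added example, not part of the original thread and not GnuPG project code: a way to tell a key export that carries certifications from other keys apart from a stripped one, by parsing `gpg --check-sigs --with-colons` output. The function names are hypothetical and the sample records are constructed (key IDs and names are taken from the listing in this thread, all other fields are placeholders).

```shell
#!/bin/sh
# Print the key IDs of verified ("!") signatures on a key that were issued
# by a key other than the primary key itself (i.e. not self-signatures).
# Real use: gpg --check-sigs --with-colons <fingerprint> | third_party_sigs
third_party_sigs() {
    awk -F: '
        $1 == "pub" { primary = $5 }   # field 5 of pub: primary key ID
        # sig records: field 2 is the check result, field 5 the issuer key ID.
        # "!" = good, "-" = bad, "?" = issuer key missing, "%" = other error.
        $1 == "sig" && $2 == "!" && $5 != primary { print $5 }
    ' | sort -u
}

# Constructed sample: the key with all key signatures, as in the listing.
sample_full() {
    cat <<'EOF'
pub:f:255:22:528897B826403ADA:1598227200:::-:::scSC:
fpr:::::::::6DAA6E64A76D2840571B4902528897B826403ADA:
uid:f::::1598227200::::Werner Koch (dist signing 2020):
sig:!:::528897B826403ADA:1598227200::::Werner Koch (dist signing 2020):13x:
sig:!:::249B39D24F25E3B6:1598227200::::Werner Koch (dist sig):10x:
sig:!:::63113AE866587D0A:1598227200::::wk@gnupg.org:10x:
sig:!:::E3FDFF218E45B72B:1598227200::::Werner Koch (wheatstone commit signing):10x:
EOF
}

# Constructed sample: the same key with key signatures removed,
# leaving only the self-signature.
sample_stripped() {
    cat <<'EOF'
pub:-:255:22:528897B826403ADA:1598227200:::-:::scSC:
fpr:::::::::6DAA6E64A76D2840571B4902528897B826403ADA:
uid:-::::1598227200::::Werner Koch (dist signing 2020):
sig:!:::528897B826403ADA:1598227200::::Werner Koch (dist signing 2020):13x:
EOF
}

echo "full export:     $(sample_full | third_party_sigs | wc -l) third-party signature(s)"
echo "stripped export: $(sample_stripped | third_party_sigs | wc -l) third-party signature(s)"
```

A "!" only means the signature verifies against an issuer key present in the local keyring; whether it contributes to trust still depends on how those issuer keys were obtained and validated.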


