Migrate the security teams GPG key download to keys.openpgp.org #480

Merged
merged 1 commit into from Jun 23, 2020

mweinelt
Member

The old SKS system is flawed and shouldn't be used anymore. Hagrid (https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/) is a relatively new kind of replacement for the old SKS system. It strips the signatures from the keys, to prevent key poisoning, so the WoT is dead and gone.

Also key ids can be cheaply forged, even long ones, see:

Therefore let's migrate to https://keys.openpgp.net and drop key ids entirely.

@mweinelt mweinelt changed the title Migrate the security teams GPG key download to keys.opengpg.org Migrate the security teams GPG key download to keys.openpgp.org Jun 19, 2020
teams/security.tt Outdated
Also drop key ids as even long ones are trivially replicatable.
@milibopp
Contributor

lgtm, but @fpletz and @grahamc should probably confirm this.

@garbas garbas added the enhancement New feature or request label Jun 22, 2020

@flokli flokli left a comment

Can someone with the necessary permissions merge this?

keys.openpgp.org is definitely better than linking to pgp.mit.edu - especially as we currently don't have the full fingerprint in the URL.

@milibopp milibopp merged commit 2aa2af3 into NixOS:master Jun 23, 2020
@milibopp
Contributor

Thanks for pushing on this, @flokli. I overlooked that the fingerprint was already in there, so no additional confirmation is required. So it's merged now.

@mweinelt mweinelt deleted the security-openpgp branch June 23, 2020 21:14
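
The thread's point about dropping key ids in favour of the full fingerprint, as an added example that is not part of the pull request or of any NixOS code: it computes the version 4 OpenPGP fingerprint of a binary public key packet and accepts a key only when it matches a pinned 40-hex-digit fingerprint, refusing 8- or 16-digit key ids as pins. The function names are hypothetical and `SAMPLE_KEY` is a constructed byte string, not a real key.

```python
import hashlib
import hmac
import struct

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag for a primary public key

def first_packet(data):
    """Return (tag, body) of the first packet in binary (non-armored) OpenPGP data."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    else:  # old-format header
        tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << length_type  # 1, 2 or 4 length octets
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(data):
    """SHA-1 over 0x99, a two-octet body length and the key packet body (40 hex digits)."""
    tag, body = first_packet(data)
    if tag != PUBLIC_KEY_TAG or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public key packet")
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()

def matches_pin(data, pinned):
    """True only if `pinned` is a full fingerprint equal to the key's fingerprint."""
    pinned = pinned.replace(" ", "").upper()
    if len(pinned) != 40 or not set(pinned) <= set("0123456789ABCDEF"):
        return False  # key ids are truncated fingerprints and are refused as pins
    return hmac.compare_digest(v4_fingerprint(data), pinned)

# Constructed sample (not a real key): version 4, creation time, algorithm octet, filler bytes
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1592524800) + b"\x16" + bytes(range(44))
SAMPLE_KEY = bytes([0xC0 | PUBLIC_KEY_TAG, len(SAMPLE_BODY)]) + SAMPLE_BODY
```

For a version 4 key the long key id is the last 16 hex digits of this fingerprint and the short key id the last 8, which is why `matches_pin` rejects both.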