GnuPG 2.1 best practices review #451
Comments
Newer GnuPG versions generate a revocation certificate automatically. See riseupnet#451.
|
Just wanted to drop a "thank you" for this thread of bug reports. i've encountered a few quirks with the migration to GPG and it's nice to know people are looking into it ;D |
|
Phew, I'm glad that I found this ticket. I think the best practices guide should either target only modern GnuPG (>2.1) or be split into two - modern and legacy. Currently it's hard to navigate and a lot of stuff is obsolete in modern gpg ( There is also stuff that I think is worth adding (for example setting up Web Key Directory on own domain allows easy and secure key discovery using e-mail addresses). |
|
pull requests are welcome! :) |
|
Excellent idea :) |
|
Hello, thank you for the wonderful guide! I was able to follow every part of the guide, but I'm failing to publish my key to a key server. I believe this is because Another weird thing is that https://sks-keyservers.net/sks-keyservers.netCA.pem does not seem to download a file by default. What I did was I right-clicked that link and selected "Save Link As..." Then I was able to save a file called |
|
Hi @DamianRivas, thanks for the feedback! We can only help if we know
what you tried in combination with the output of for example 'gpg
--send-keys keyIDs'. Also this is not a good place to give user support,
at best try the [gpg-users
list](http://lists.gnupg.org/mailman/listinfo/gnupg-users) or the
[webchat](https://webchat.freenode.net/?channels=#gnupg) for #gnupg.
I believe this is because `gnupg-curl` doesn't seem to exist anymore.
Are there any known alternatives? I'm on Ubuntu 18.04.
See above, since version 2.1 gpg uses dirmngr to handle interactions
with keyservers as explained in latest changes to the guide (#523).
Another weird thing is that
https://sks-keyservers.net/sks-keyservers.netCA.pem does not seem to
download a file by default. What I did was I right-clicked that link
and selected "Save Link As..." Then I was able to save a file called
`sks-keyservers.netCA.pem`. Is this acceptable?
Isn't this what you wanted? You are lucky, modern firefox shows a
dialog to trust a new Certificate Authority when opening a .pem file
instead.
Sorry, I can't help you better without a clear error message.
|
|
Hi @kradan! I actually just tried again and it worked for me this time. Perhaps I copied and pasted the fingerprint incorrectly the first time around. And yeah, the command was It might be a good idea to explicitly state that dirmngr replaces gnupg-curl. I came across the guide because I'm totally new to encryption, and "Use dirmngr in OpenPGP best practices" didn't mean anything to me until now that I already know to look for that. Just my 2 cents if the goal here is to be welcoming to newbies. The more I Google, the more it seems that most of the stuff in the riseup guide is deprecated. I realize this is stated in the beginning but considering the amount of information it contains I didn't expect so much to be outdated for newer versions. Although there seems to be some good gems in there like I don't want to go on a huge tangent, so thanks for the reply and the resources! :) |
|
I just added a new issue about the guide: #539 |
|
Hey everyone, after checking other 'best practices' implementations, I found a suitable template from which to update RiseUp's 'best practices guide'. Here's the implementation from Roll Your Own Network; what I like about it is the thorough comments with documentation. However, some of the options are not discussed in RiseUp's guide; like It'd be nice to see other people's take on those options. |
|
We are killing this document as GnuPG's work has been doing good defaults for a while and the guide is by itself problematic. |
This is a meta-issue to regroup issues surrounding a formal review of the GnuPG best practices after the publication of the GnuPG 2.1 release, which includes some of the recommendations from the document.
The text was updated successfully, but these errors were encountered: