
Migrate the security team's GPG key download to keys.openpgp.org #480

Merged
edibopp merged 1 commit into NixOS:master from mweinelt:security-openpgp on Jun 23, 2020

Conversation

@mweinelt
Member

mweinelt commented Jun 19, 2020

The old SKS system is flawed and shouldn't be used anymore. Hagrid (https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/) is a relatively new kind of replacement for the old SKS system. It strips the signatures from the keys, to prevent key poisoning, so the WoT is dead and gone.

Also key ids can be cheaply forged, even long ones, see:

Therefore let's migrate to https://keys.openpgp.net and drop key ids entirely.
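
To make concrete why this PR drops key IDs in favour of the full fingerprint, here is an added Python example (not code from this PR or from the NixOS repository). It builds a constructed, non-real v4 RSA public-key packet, computes its fingerprint the way RFC 4880 specifies (SHA-1 over `0x99`, the two-byte packet length and the packet body), and shows that the "long" and "short" key IDs are nothing more than the trailing 16 and 8 hex digits of that fingerprint, which is why only a comparison of all 40 digits is a meaningful pin. The `https://keys.openpgp.org/vks/v1/by-fingerprint/` URL form is that keyserver's documented lookup interface; the key material, the timestamp and all function names are constructed for this example.

```python
"""Added example: pin the full OpenPGP v4 fingerprint, not a key ID.

Not code from the PR or the NixOS repository. The RSA modulus, exponent and
creation time below are constructed sample values, not a real key.
"""
import hashlib
import hmac
import struct

# --- constructed sample key material (NOT a real key) ---------------------
SAMPLE_CREATED = 0x5EEC0000          # arbitrary 32-bit creation timestamp
SAMPLE_N = int("d1" * 128, 16)       # constructed 1024-bit "modulus"
SAMPLE_E = 65537                     # the usual RSA public exponent


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def build_v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body,
    returned as 40 uppercase hex digits."""
    if len(body) >= 0x10000:
        raise ValueError("public-key packet body too long for a 2-byte length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """The 64-bit 'long' key ID is just the last 16 hex digits of the fingerprint."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """The 32-bit 'short' key ID is the last 8 hex digits."""
    return fpr[-8:]


def normalize_fingerprint(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix and uppercase; reject anything
    that is not exactly 40 hex digits, so a key ID can never pass as a pin."""
    cleaned = fpr.replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected a 40-hex-digit v4 fingerprint, got %r" % (fpr,))
    return cleaned


def vks_by_fingerprint_url(fpr: str) -> str:
    """Lookup URL on keys.openpgp.org by full fingerprint (VKS interface)."""
    return "https://keys.openpgp.org/vks/v1/by-fingerprint/" + normalize_fingerprint(fpr)


def fingerprint_matches(expected: str, received_packet_body: bytes) -> bool:
    """Pin check for a key fetched from a keyserver: compare the full fingerprint
    of the received public-key packet with the expected one, in constant time.
    Comparing key IDs would only cover the trailing 8 or 16 digits."""
    got = v4_fingerprint(received_packet_body)
    return hmac.compare_digest(normalize_fingerprint(expected), got)


def sample_key_body() -> bytes:
    """The constructed sample packet body used below."""
    return build_v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)


def sample_fingerprint() -> str:
    """Fingerprint of the constructed sample key."""
    return v4_fingerprint(sample_key_body())


if __name__ == "__main__":
    fpr = sample_fingerprint()
    print("fingerprint :", fpr)
    print("long key id :", long_key_id(fpr), "(last 16 digits)")
    print("short key id:", short_key_id(fpr), "(last 8 digits)")
    print("lookup URL  :", vks_by_fingerprint_url(fpr))
    # A fingerprint that differs only in a leading digit has the SAME key IDs,
    # so an ID-based check would accept it; the full-fingerprint pin rejects it.
    flipped = ("0" if fpr[0] != "0" else "1") + fpr[1:]
    print("same long id:", long_key_id(flipped) == long_key_id(fpr))
    print("pin accepts :", fingerprint_matches(flipped, sample_key_body()))
```

In practice the same pin is enforced by passing the full 40-digit fingerprint to `gpg --keyserver hkps://keys.openpgp.org --recv-keys` and checking that the imported key's fingerprint is the one you expected, rather than searching for a key ID; that is exactly the change the download link on the security team page makes.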

@mweinelt mweinelt changed the title from “Migrate the security teams GPG key download to keys.opengpg.org” to “Migrate the security teams GPG key download to keys.openpgp.org” on Jun 19, 2020
@mweinelt mweinelt force-pushed the mweinelt:security-openpgp branch from 015d4ff to 2dd2e4e Jun 19, 2020
Review comment on teams/security.tt (outdated, resolved)
@mweinelt mweinelt force-pushed the mweinelt:security-openpgp branch from 2dd2e4e to 54de1ed Jun 19, 2020
Also drop key ids as even long ones are trivially replicatable.
@mweinelt mweinelt force-pushed the mweinelt:security-openpgp branch from 54de1ed to e408271 Jun 19, 2020
@edibopp edibopp requested a review from grahamc Jun 21, 2020
@edibopp
Contributor

edibopp commented Jun 21, 2020

lgtm, but @fpletz and @grahamc should probably confirm this.

@flokli
flokli approved these changes Jun 23, 2020

flokli left a comment

Can someone with the necessary permissions merge this?

keys.openpgp.org is definitely better than linking to pgp.mit.edu, especially as we currently don't have the full fingerprint in the URL.

@edibopp edibopp merged commit 2aa2af3 into NixOS:master Jun 23, 2020
1 check passed: build-and-deploy
@edibopp
Contributor

edibopp commented Jun 23, 2020

Thanks for pushing on this, @flokli. I overlooked that the fingerprint was already in there, so no additional confirmation is required. So it's merged now.

@mweinelt mweinelt deleted the mweinelt:security-openpgp branch Jun 23, 2020