ProxMox/Debian 10.1 gnupg2 notice:


ProxMox/Debian 10.1 gnupg2 notice:

H Visage
Thought it would be interesting to know this state:


apt-listchanges: News
---------------------

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

  In this version we adopt GnuPG's upstream approach of making keyserver
  access default to self-sigs-only.  This defends against receiving
  flooded OpenPGP certificates.  To revert to the previous behavior (not
  recommended!), add the following directive to ~/.gnupg/gpg.conf:

    keyserver-options no-self-sigs-only

  We also adopt keys.openpgp.org as the default keyserver, since it avoids
  the associated bandwidth waste of fetching third-party certifications
  that will not be used.  To revert to the older SKS keyserver network (not
  recommended!), add the following directive to ~/.gnupg/dirmngr.conf:

    keyserver hkps://hkps.pool.sks-keyservers.net

  Note: we do *not* adopt upstream's choice of import-clean for the
  keyserver default, since it can lead to data loss, see
  https://dev.gnupg.org/T4628 for more details.

 -- Daniel Kahn Gillmor <[hidden email]>  Wed, 21 Aug 2019 14:53:47 -0400


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: ProxMox/Debian 10.1 gnupg2 notice:

Todd Fleisher
Hendrik,
Thanks for sharing this. It seems the latest GPG Tools release for macOS integrated the same behavior and is stripping valid 3rd party signatures from newly downloaded or updated keys. I’m trying to work around it, but so far no luck trying to use that option via the command line or in gpg.conf or dirmngr.conf. If anyone has solved for this for that platform please let me know.

-T

> On Sep 10, 2019, at 2:03 AM, Hendrik Visage <[hidden email]> wrote:
>
> Thought it would be interesting to know this state:
>
>
> apt-listchanges: News
> ---------------------
>
> gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
>
>  In this version we adopt GnuPG's upstream approach of making keyserver
>  access default to self-sigs-only.  This defends against receiving
>  flooded OpenPGP certificates.  To revert to the previous behavior (not
>  recommended!), add the following directive to ~/.gnupg/gpg.conf:
>
>    keyserver-options no-self-sigs-only
>
>  We also adopt keys.openpgp.org as the default keyserver, since it avoids
>  the associated bandwidth waste of fetching third-party certifications
>  that will not be used.  To revert to the older SKS keyserver network (not
>  recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
>
>    keyserver hkps://hkps.pool.sks-keyservers.net
>
>  Note: we do *not* adopt upstream's choice of import-clean for the
>  keyserver default, since it can lead to data loss, see
>  https://dev.gnupg.org/T4628 for more details.
>
> -- Daniel Kahn Gillmor <[hidden email]>  Wed, 21 Aug 2019 14:53:47 -0400
>
>
> _______________________________________________
> Sks-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: ProxMox/Debian 10.1 gnupg2 notice:

Todd Fleisher
Never mind, I was botching the syntax in gpg.conf & also getting mixed up between that and dirmngr.conf since GPG Tools calls out that is responsible for key server communication (but not key importing where the stripping happens). Thanks again for posting this, Hendrik.

-T

On Sep 10, 2019, at 10:27 PM, Todd Fleisher <[hidden email]> wrote:

Hendrik,
Thanks for sharing this. It seems the latest GPG Tools release for macOS integrated the same behavior and is stripping valid 3rd party signatures from newly downloaded or updated keys. I’m trying to work around it, but so far no luck trying to use that option via the command line or in gpg.conf or dirmngr.conf. If anyone has solved for this for that platform please let me know.

-T

On Sep 10, 2019, at 2:03 AM, Hendrik Visage <[hidden email]> wrote:

Thought it would be interesting to know this state:


apt-listchanges: News
---------------------

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

In this version we adopt GnuPG's upstream approach of making keyserver
access default to self-sigs-only.  This defends against receiving
flooded OpenPGP certificates.  To revert to the previous behavior (not
recommended!), add the following directive to ~/.gnupg/gpg.conf:

  keyserver-options no-self-sigs-only

We also adopt keys.openpgp.org as the default keyserver, since it avoids
the associated bandwidth waste of fetching third-party certifications
that will not be used.  To revert to the older SKS keyserver network (not
recommended!), add the following directive to ~/.gnupg/dirmngr.conf:

  keyserver hkps://hkps.pool.sks-keyservers.net

Note: we do *not* adopt upstream's choice of import-clean for the
keyserver default, since it can lead to data loss, see
https://dev.gnupg.org/T4628 for more details.

-- Daniel Kahn Gillmor <[hidden email]>  Wed, 21 Aug 2019 14:53:47 -0400


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel