Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631536 - Add download link to public gpg keys
Summary: Add download link to public gpg keys
Status: RESOLVED FIXED
Alias: None
Product: Websites
Classification: Unclassified
Component: Gentoo Website (show other bugs)
Hardware: All Linux
: Normal enhancement with 2 votes (vote)
Assignee: Matthew Marchese
URL: https://www.gentoo.org/inside-gentoo/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 16:13 UTC by Jonas Stein
Modified: 2022-08-05 17:52 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jonas Stein gentoo-dev 2017-09-20 16:13:38 UTC
I guess, the website is generated from the LDAP data on woodpecker and lists the key ID's. It would be a great feature to provide a download link for 
a) each public key next to the ID and
b) a keyring with all public keys

Reproducible: Always
Comment 1 Jonas Stein gentoo-dev 2020-05-27 00:44:46 UTC
Keys are available on
https://gentoo.org/.well-known/openpgpkey/hu/$HASH
like
https://gentoo.org/.well-known/openpgpkey/hu/rio3unai9edipstwq3simkt7go4foosc

we only need to add a link.
Comment 2 Alec Warner (RETIRED) archtester gentoo-dev Security 2020-05-27 05:49:45 UTC
We support WKD, do we need to support anything further?

-A
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 10:12:28 UTC
I do not think anybody gonna use it, in the 99% of cases gpg is the cli-sh thingy. Most likely you do not want people to utilize their browsers for this, because

1.) In the best case there is WKD
2.) in the worst case there is `gpg  --keyserver hkps://keys.gentoo.org --search <string>`
Comment 4 Jonas Stein gentoo-dev 2020-05-28 22:25:22 UTC
1) we can get this for free without any negative side effects.
2) with his link we also advertise that there is WKD.

From many discussions I learned, that it is merely known how and where to get our public keys.
Comment 5 Alec Warner (RETIRED) archtester gentoo-dev Security 2020-05-28 23:19:15 UTC
(In reply to Jonas Stein from comment #4)
> 1) we can get this for free without any negative side effects.
> 2) with his link we also advertise that there is WKD.
> 
> From many discussions I learned, that it is merely known how and where to
> get our public keys.

A few things:
 - We can advertise that we support WKD
 - We could potentially link the GPG fingerprint to the WKD URL for that key.

Is that sufficient, or are we looking for other things?
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-05-31 06:59:08 UTC
I'd say link the fingerprints to the WKD URLs and document that WKD can be used directly via CLI.
Comment 7 Jonas Stein gentoo-dev 2021-01-04 00:42:06 UTC
@alec 
Advertising WKD and the addition of the links to WKD would be great.
Comment 8 Matthew Marchese Gentoo Infrastructure gentoo-dev 2022-02-03 21:27:24 UTC
I implemented a link to keys.g.o for developer 'profiles' based on PGP key IDs. It should be relatively simple to implement a similar minor improvement on www.g.o...
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-05 04:06:11 UTC
(In reply to Matthew Marchese from comment #8)
> I implemented a link to keys.g.o for developer 'profiles' based on PGP key
> IDs. It should be relatively simple to implement a similar minor improvement
> on www.g.o...

As maffblaster spotted, I did this a few weeks ago but forgot about this bug!

https://gitweb.gentoo.org/sites/www.git/commit/?id=dccbe06e7f39bbeb2e223f3db2108fa74b935aa9

https://gitweb.gentoo.org/sites/www.git/commit/?id=0c6dc04330ee350d0a1d60b0862678f1f8ce1cca