Getting gpg to import signatures again
The GnuPG (gpg) ecosystem has been played with a bit in 2019 by adding fake signatures en masse to well known keys. The main result is that the SKS Keyserver network based on the OCaml software of the same name is basically history. A few other keyservers have come up like Hagrid (Rust) and Hockeypuck (Go) but there seems to be no clear winner yet. In case you missed it in 2019, see my take on cleaning these polluted keys.
Now the changed defaults in gpg to "mitigate" this issue are trickling down to even the conservative distributions. Debian Bullseye has self-sigs-only
on gpg 2.2.27 and it looks like Debian Bookworm will get gpg 2.2.40. This would add import-clean
but Daniel Kahn Gillmor patched it out. He argues correctly that this new default could delete data from good locally stored pubkeys.
This all ends in you getting some random combination of self-sigs-only
and / or import-clean
depending on which Linux distribution and version you happen to use.
Better be explicit. I recommend to add:
keyserver-options no-self-sigs-only
keyserver-options no-import-clean
to your ~/.gnupg/gpg.conf
to make sure you can manage signatures yourself and receive them from keyservers or local imports as intended.
In case you care: See info gnupg --index-search=keyserver-options
for the fine documentation. Of course apt install info
first to be able to read info pages. 'cause who would still used them in 2023? Oh, wait...
Comments
Display comments as Linear | Threaded