phive
Consider implementing explicit API support for keys.openpgp.org
Currently we use the "compat api" that mimics the API provided by sks-keyservers.
/cc @jaapio
Given that sks-keyservers flagged themselves as legacy and are about to die out, we probably should just remove their support and focus on explicitly supporting the newer API.
sks-keyservers.net pool DNS records disabled effective immediately
https://www.reddit.com/r/crypto/comments/o7oh4w/skskeyserversnet_pool_dns_records_disabled/
$ host ha.pool.sks-keyservers.net
Host ha.pool.sks-keyservers.net not found: 3(NXDOMAIN)
@theseer Please remove SKS from source and docs.
Temporarily we could use keys.openpgp.org
You lost me: What does sks-keyservers have to do with the API provided by keys.openpgp.org?
Temporarily we could use keys.openpgp.org
What do you mean and why "temporarily"?
keys.openpgp.org is an alternative to SKS servers. My PHIVE GitHub Action just stopped working - that is why I've commented here.
@theseer Please remove SKS from source and docs.
Given the DNS no longer resolves, this is basically a no-op. On top: SKS-Keyserver already are the last resort entry (see: https://github.com/phar-io/phive/blob/master/conf/pgp-keyservers.php) and basically shouldn't be reached in 99,9% of all cases.
We indeed should remove sks references from the phar.io website.
SKS-Keyserver already are the last resort entry
I see! :)
keys.openpgp.org is an alternative to SKS servers. My PHIVE GitHub Action just stopped working - that is why I've commented here.
I know what keys.openpgp.org is. Phive uses it as the default server - read: first server - with a fallback to the keyserver run by Canonical for Ubuntu in case the key is not found there.
And it's a lot more than just an alternative, also providing a different API. Hence, this ticket. The fact sks keyservers got shut down is not in any way related to this issue.
Using keys.openpgp.org is NOT a temporary option. The key handling is different and not all keys that are (or by now were) listed in sks' servers are available on openpgp.org yet.
Again, nothing to do with this issue at all: This is about implementing explicit support for the keys.openpgp.org provided API.