Comments (2)
micah
commented on September 26, 2024
Elijah Sparrow [email protected] writes:
Currently, the openpgp best practices state:
Do not blindly trust keys from keyservers.
Anyone can upload keys to keyservers and there is no reason that you should trust that any key you download actually belongs to the individual listed in the key. You should therefore verify with the individual owner the full key fingerprint of their key. You should do this verification in real life or over the phone. Once you have verified the key fingerprint that you need, you may download the key from the keyserver pool:
gpg --recv-key 'fingerprint'
I thought that --recv-key is never enough, because the keyserver is not bound to return, necessarily, a key that matches the fingerprint and gpg does not actually confirm the fingerprint before importing.
Shouldn't this be like so?
gpg --recv-key '<fingerprint>' gpg --fingerprint '<fingerprint>'
Yes... the key retrieval could be hijacked in transfer, the keyserver
may give you a key you don't want in response to your query, and then
gnupg will happily not check that (unless they've fixed that in the new
version).
After receiving the key, you must carefully check the fingerprints
manually, sadly. This is why projects like monkeysign will retrieve the
key and then explicitly call --sign-key with the full fingerprint,
which will fail if the wrong key was returned by the keyserver.
ps - I am not sure if this reply will go to github, it added this
"noreply' address to the To line, so I've cc'd elijah directly.
from riseup_help.
elijh
commented on September 26, 2024
please review #146
from riseup_help.
Related Issues (20)
- Riseupis down?! HOT 4
- remove references to address-book (and maybe replace with Contacts)
- Decide what to do about the OTR page HOT 4
- Translating by using right-click menu on Chrome automatically saved into origin file
- Change page so Enigmail is replaced with native Thunderbird OpenPGP encryption
- Errors in pad history HOT 1
- Invitation code
- Look of h2 title pangea.org is broken HOT 2
- browsers: suggest librewolf?
- does riseup mail support custom domain? HOT 2
- linux vpn instructions out of date HOT 2
- share.riseup.net is giving ERR_SSL_PROTOCOL_ERROR HOT 1
- Cannot get support anywhere HOT 1
- Fix website responsiveness
- Add `Onion-Location` header HOT 1
- spam filtered even when DKIM/spf/ARC pass HOT 1
- get new riseup mail codes HOT 1
- Rise up referral code HOT 1
- Invite codes are sold HOT 1
- broken links for tor / onion services in footer
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from riseup_help.