PGP Tips
Things to do after updating my PGP key
- Send updated keys to major key servers (hkps://keyserver.ubuntu.com, hkps://keys.openpgp.org) and check whether the keys were uploaded correctly
- Keys returned by keys.openpgp.org do not include signatures from others
- Check keys uploaded to Ubuntu keyserver: current key (the raw key is not updated immediately)
- Check keys uploaded to keys.openpgp.org: current key
- keys.openpgp.org does not distribute revocation certificates. Instead, user ID packets are gone after revocation, and thus gpg --import fails with "no user ID".
- Submit updated public keys to Arch Linux keyring
- Create a merge request following the workflow for modifying a packager key
- Check if updated keys are available via WKD using wkd.mjs. Note that WKD is updated only after a new archlinux-keyring version is tagged.
curl $(node wkd.mjs --email yan12125@archlinux.org --advanced) | gpg --list-packets
Things to do after getting a new signature
- If there are signatures created by Arch Linux members, sync signatures from Arch Linux keyring
$ cd archlinux-keyring
$ ./keyringctl export yan12125 | gpg --import
For signatures created by others, follow these steps:
- Ask the signer to send the signature to a keyserver
- Refresh my key from that keyserver
After importing a new signature, publish the whole key again via the steps in the previous section.
References
- hokey: by default, hokey lint uses colors to indicate warnings and errors. To see details, use:
gpg --export "${FULL_PGP_FINGERPRINT}" | hokey lint --output-format=JSON | json_pp
- Somewhat out-dated OpenPGP Best Practices from riseup.net