[tz] My public key via GitHub and WKD for verifying tzdb distributions

Paul Eggert eggert@cs.ucla.edu
Sun Oct 25 23:13:07 UTC 2020


Recently users have had trouble verifying tzdb releases because they could not 
obtain the GPG public key that I use to sign the releases. These problems stem 
from the denial-of-service attacks on public keyservers last year, combined with 
my extending the expiration of my longstanding public key, which had been due to 
expire in August. The expiration-date extension had problems propagating to 
public keyservers that use the traditional method of key distribution.

To try to help ameliorate this problem I recently did two things.

First, I uploaded my public key to the development repository on GitHub. You can 
now use <https://github.com/eggert/tz/tags> to verify every tzdb release 
starting with 2012e. (Older releases are not tagged, as discussed in the 2013f 
NEWS entry.)

Second, at my suggestion the UCLA Computer Science Department has added WKD 
support to cs.ucla.edu, and you can now verify my key independently via WKD. See 
an example below for how to do this.

In the longer term, the IANA have been working on a way to have IANA authorities 
sign distributions, and eventually we hope to have something implemented along 
those lines.

Thanks to Phil Pennock for his suggestions and help in improving the process of 
verifying tzdb distributions.


PS. For more about last year's denial-of-service attacks and the use of WKD 
instead of traditional public keyservers, please see:

Osborne C. PGP SKS key network poisoned by unknown hackers. ZDNet. 2019-07-04. 
https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/

Koch W. OpenPGP Web Key Directory. Active Internet-Draft. 2020-05-26. 
https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/

What is a Web Key Directory? GnuPG e.V. 2020-07-06. https://wiki.gnupg.org/WKD


PPS. Here is one way to verify a key via WKD, using the 'gpg' shell command. 
You'll need a recent-enough GnuPG: version 2.1.23 (2017-08-23) or later should 
suffice.

$ gpg --auto-key-locate wkd --locate-keys eggert@cs.ucla.edu
gpg: key ED97E90E62AA7E34: public key "Paul Eggert <eggert@cs.ucla.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
pub   rsa4096 2010-09-03 [SC] [expires: 2021-08-31]
      7E3792A9D8ACF7D633BC1588ED97E90E62AA7E34
uid           [ unknown] Paul Eggert <eggert@cs.ucla.edu>
sub   rsa4096 2010-09-03 [E] [expires: 2021-08-31]
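The gpg invocation above hides what WKD actually does: it hashes the local part of the address and fetches the key over HTTPS from a well-known path on the mail domain, so the key's authenticity rests on the domain's TLS rather than on a keyserver. The following Python is an added example, not code from the original post or from tzdb; it derives the WKD lookup URLs for an address following the Koch draft cited above (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded) and checks a fetched key's fingerprint against the one printed in the gpg output. The "Joe.Doe@Example.ORG" address is the draft's own worked example; the fingerprint-comparison helper and its name are this example's assumptions.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189 section 5.1.6), used by the WKD draft for the
# local-part hash.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Fingerprint printed by gpg in the post above; a verifier should pin this
# rather than trusting whatever WKD happens to return.
EXPECTED_FINGERPRINT = "7E3792A9D8ACF7D633BC1588ED97E90E62AA7E34"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bit first, no padding chars."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # a 20-byte SHA-1 digest needs no padding
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def _ascii_lower(s: str) -> str:
    """The draft maps only uppercase ASCII letters to lowercase; leave the rest."""
    return "".join(c.lower() if "A" <= c <= "Z" else c for c in s)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the ASCII-lowercased local part, z-base-32 encoded: 32 chars."""
    digest = hashlib.sha1(_ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for a mail address.

    gpg tries the advanced form (openpgpkey.<domain> subdomain) first and
    falls back to the direct form on the domain itself. The ?l= parameter
    carries the local part as written, not lowercased.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    l = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def fingerprint_matches(expected: str, actual: str) -> bool:
    """Compare two fingerprints ignoring spacing and case (hypothetical helper)."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(expected) == norm(actual)


if __name__ == "__main__":
    for name, url in wkd_urls("eggert@cs.ucla.edu").items():
        print(f"{name}: {url}")
    # Fingerprint as gpg prints it, with its leading whitespace.
    print(fingerprint_matches(EXPECTED_FINGERPRINT,
                              " 7E3792A9D8ACF7D633BC1588ED97E90E62AA7E34"))
```

Whichever URL the key comes from, the thing to check afterwards is the full 40-hex-digit fingerprint, not the short key ID (ED97E90E62AA7E34) from the first gpg line, which is cheap to collide. Once the key is imported and its fingerprint matches, `gpg --verify tzdata2020d.tar.gz.asc tzdata2020d.tar.gz` (or the corresponding tag check in the GitHub repository) verifies the release itself.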

