[tz] My public key via GitHub and WKD for verifying tzdb distributions
Paul Eggert
eggert at cs.ucla.edu
Sun Oct 25 23:13:07 UTC 2020
Recently users have had trouble verifying tzdb releases because they could not
obtain the GPG public key that I use to sign the releases. These problems stem
from the denial-of-service attacks on public keyservers last year, combined with
my extending the expiration of my longstanding public key, which had been due to
expire in August. The expiration-date extension had problems propagating to
public keyservers that use the traditional method of key distribution.

To try to help ameliorate this problem I recently did two things.

First, I uploaded my public key to the development repository on GitHub. You can
now use <https://github.com/eggert/tz/tags> to verify every tzdb release
starting with 2012e. (Older releases are not tagged, as discussed in the 2013f
NEWS entry.)

Second, at my suggestion the UCLA Computer Science Department has added WKD
support to cs.ucla.edu, and you can now verify my key independently via WKD. See
an example below for how to do this.

In the longer term, the IANA have been working on a way to have IANA authorities
sign distributions, and eventually we hope to have something implemented along
those lines.

Thanks to Phil Pennock for his suggestions and help in improving the process of
verifying tzdb distributions.

PS. For more about last year's denial-of-service attacks and the use of WKD
instead of traditional public keyservers, please see:

Osborne C. PGP SKS key network poisoned by unknown hackers. ZDNet. 2019-07-04.
https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/

Koch W. OpenPGP Web Key Directory. Active Internet-Draft. 2020-05-26.
https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/

What is a Web Key Directory? GnuPG e.V. 2020-07-06.
https://wiki.gnupg.org/WKD

PPS. Here is one way to verify a key via WKD, using the 'gpg' shell command.
You'll need a recent-enough GnuPG: version 2.1.23 (2017-08-23) or later should
suffice.

$ gpg --auto-key-locate wkd --locate-keys eggert@cs.ucla.edu
gpg: key ED97E90E62AA7E34: public key "Paul Eggert <eggert@cs.ucla.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
pub   rsa4096 2010-09-03 [SC] [expires: 2021-08-31]
      7E3792A9D8ACF7D633BC1588ED97E90E62AA7E34
uid           [ unknown] Paul Eggert <eggert@cs.ucla.edu>
sub   rsa4096 2010-09-03 [E] [expires: 2021-08-31]
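The gpg session above hides what WKD actually does on the wire: gpg lowercases the local part of the address, hashes it with SHA-1, encodes the digest in z-base-32, and fetches the key from a well-known HTTPS path on the domain (the "advanced" openpgpkey subdomain first, then the "direct" path on the domain itself). The following script is an added example, not part of Paul Eggert's post or of GnuPG; it reproduces that mapping so an administrator publishing a WKD directory, or someone auditing what a lookup fetches, can see the exact URL that an address resolves to. The Joe.Doe@Example.ORG value used in the test is the worked example given in the Koch Internet-Draft cited in the PS; the URL for eggert@cs.ucla.edu is computed from the address in the post.

```python
import hashlib
from urllib.parse import quote

# z-base-32 (Zooko's Base32) alphabet, as required by the WKD draft.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bit first, 5 bits per symbol.

    A 20-byte SHA-1 digest is 160 bits, which is exactly 32 symbols, so no
    padding bits are needed for the WKD case; other lengths are right-padded
    with zero bits like ordinary base32 (without '=' padding characters).
    """
    nbits = len(data) * 8
    pad = (-nbits) % 5
    n = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(n >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The WKD 'hu' (hashed user-id) component for a mail local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD key URLs (and policy URLs) for an address.

    The path uses the lowercased domain and the hashed, lowercased local part;
    the 'l' query parameter carries the local part in its original form so the
    server can match the exact user id.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    l_param = quote(local, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        # gpg tries the advanced method first and falls back to the direct one.
        "advanced": f"{advanced_base}/hu/{hu}?l={l_param}",
        "direct": f"{direct_base}/hu/{hu}?l={l_param}",
        # A policy file must exist alongside the hu/ directory for the method to be used.
        "advanced_policy": f"{advanced_base}/policy",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Address taken from the post; the URLs printed are what the gpg command
    # in the PPS would fetch.
    for name, url in wkd_urls("eggert@cs.ucla.edu").items():
        print(f"{name:16} {url}")
```

Serving the resulting `hu/<hash>` file with the binary (not ASCII-armored) public key over HTTPS is what makes the `--auto-key-locate wkd` lookup succeed; because the fetch is authenticated only by the domain's TLS certificate, the key fingerprint printed by gpg should still be compared against a second source such as the signed GitHub tags mentioned above.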