amacneil / docker-bitcoin

Bitcoin images for Docker
https://hub.docker.com/r/amacneil/bitcoin/
MIT License

Paranoid #21

Closed roshii closed 7 years ago

roshii commented 7 years ago

Switching to HKPS key pool server for secure key retrieval

amacneil commented 7 years ago

So I used to use sks-keyservers.net, but switched to the ubuntu keyserver because it was too unreliable (often failed during CI or docker hub builds).

See https://github.com/amacneil/docker-bitcoin/pull/9 https://github.com/amacneil/docker-bitcoin/pull/11

If we are going to be paranoid, what about just importing the gpg keys directly into this git repo? There isn't really any particular advantage to pulling the keys from a remote server (either way you have to trust me that I listed the correct key in this repo).

hypergig commented 7 years ago

> If we are going to be paranoid, what about just importing the gpg keys directly into this git repo? There isn't really any particular advantage to pulling the keys from a remote server (either way you have to trust me that I listed the correct key in this repo).

100% agree. I actually put gpg keys into the docker file as environment vars for downstream use. It's just a public key.

roshii commented 7 years ago

1) I also noticed sks-keyservers.net did not answer with keys only once in more than a dozen tries

2) I think having key servers makes code easier to audit. It'd be quite cumbersome to verify each and every PGP key instead of its fingerprint (which you can just read and compare by eye)

All in all, it maintains auditability while making sure the received key is the one asked for (+1) but may take away some reliability (-0.5) = +0.5 ?

amacneil commented 7 years ago

I agree that the shorter keys are easier to visually inspect/audit.

> did not answer with keys only once in more than a dozen tries

Given how many builds we run in CI (all versions of all forks), this means we are almost guaranteed to fail every CI build. I don't see any other reason to switch away from the ubuntu keyserver (and I don't believe there are any security advantages of using hkps - even the official docker images do not use it), so closing this. Let me know if I've missed anything.

roshii commented 7 years ago

agreed
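
The two positions in this thread (key files committed to the repo, and short fingerprints that are easy to audit by eye) can be combined by pinning the full fingerprint and checking whatever key material arrives against it before import. The script below is an added example, not code from this repository; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a release key by its full fingerprint, whether the key
# file is committed to the repo or fetched from a keyserver.

# Constructed, trimmed `gpg --with-colons` listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Constructed Example <release@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the fingerprint of every primary key in a colon listing on stdin.
# An "fpr" record describes the pub/sub record just before it; field 10
# holds the fingerprint.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Normalise a human-written fingerprint: drop spaces, upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# full fingerprint equals the pinned value given as $1.
check_pinned() {
    pinned=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected 1 primary key, got $count" >&2; return 1; }
    case "$pinned" in
        *[!0-9A-F]*) echo "pin is not hexadecimal" >&2; return 1 ;;
    esac
    # A short key ID is not an acceptable pin; require all 40 hex digits.
    [ "${#pinned}" -eq 40 ] || { echo "pin must be a full fingerprint" >&2; return 1; }
    [ "$found" = "$pinned" ] || { echo "fingerprint mismatch: $found" >&2; return 1; }
}

# Build-time use: inspect the key file without importing it, then import
# only if the pin matches. $1 = key file, $2 = pinned fingerprint.
verify_key_file() {
    gpg --show-keys --with-colons "$1" | check_pinned "$2" && gpg --import "$1"
}
```

With this check in place the reviewer audits one 40-character line, and the source of the key file (repo or keyserver) no longer affects which key ends up in the keyring.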