jaymzh / pius

PGP Individual User Signer

RFE: [mgr] Provide an import based on flat file #113

Closed jaymzh closed 5 years ago

jaymzh commented 5 years ago

We already regex mbox parts, we can do the same thing for a flat file. Would be useful for KSPs that don't provide keyrings, just a file (à la FOSDEM).

ghost commented 5 years ago

FYI there is a FOSDEM keyring:

https://ksp.fosdem.org/files/non-authoritative/keyring.gpg

(edit) Although some might disregard that file on the basis that it's hard to verify (would require reproducing the text keylist exactly as the distributed one and checking the hash).

jaymzh commented 5 years ago

I'm aware, but it's unofficial, not signed, and the verification process is inexact. It'd be nice to just generate one from the signed list.

ghost commented 5 years ago

Ah, right.

(edit) But where would it import from? The UIDs on networked public keyservers could differ to the extent of name changing for a given fingerprint. So then there would be a manual process of comparing names/emails to the KSP list. To avoid that comparison, it seems the only option is to use the unofficial keyring, generate the KSP list, and verify. Or are you saying the import would compare all the UID details textually?

ghost commented 5 years ago

I came up with this ugly-ass shit to verify the binary keyring:

gpg --print-md RIPEMD160 <(cat <(sed -e '/^001/,$d' ksp-fosdem2019.txt) <(./keylist.txt.sh) <(tail -n 2 ksp-fosdem2019.txt))

It works. The keylist.txt.sh comes from https://ksp.fosdem.org/files/non-authoritative/scripts/.

(edit) Of course the keylist.txt.sh could do something sneaky, so that must be inspected as part of the verification process. But it's only 40 SLOC so it's practical.
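The two problems raised in this thread, pulling fingerprints out of a flat-file KSP list (the feature request) and checking that the UIDs on keys fetched from a keyserver still match what the signed list says (the concern about names changing for a given fingerprint), can be tackled with the same small parser. The following is an added example, not pius code and not FOSDEM's scripts. It assumes a gpgparticipants-style list layout and standard `gpg --with-colons` records; both sample inputs are constructed here, and the second sample deliberately carries a UID that differs from the list so the mismatch path is exercised. The digest check takes the hash algorithm as a parameter and defaults to sha256 so it runs on any Python build; the RIPEMD160 digest used in the comment above is just a different `algo` value.

```python
"""Added example: parse a flat-file KSP list, cross-check it against keyring UIDs,
and verify the list text against a published digest. Sample data is constructed."""
import hashlib
import hmac
import re

# Constructed list in a gpgparticipants-like layout (assumption: real lists vary).
SAMPLE_LIST = """\
Sample KSP 2019 key list (constructed)

001  [ ] Fingerprint OK        [ ] ID OK

pub   rsa4096/0x0123456789ABCDEF 2019-01-01 [SC]
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDEF
uid                   Alice Example <alice@example.org>

002  [ ] Fingerprint OK        [ ] ID OK

pub   ed25519/0xFEDCBA9876543210 2019-01-02 [SC]
      Key fingerprint = 1111 2222 3333 4444 5555  6666 FEDC BA98 7654 3210
uid                   Bob Example <bob@example.org>
"""

# Constructed `gpg --with-colons` output for the same two keys; the second key's
# UID has been changed on the "keyserver" side to show the mismatch being caught.
SAMPLE_COLONS = """\
pub:u:4096:1:0123456789ABCDEF:1546300800:::u:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1546300800::HASH::Alice Example <alice@example.org>::::::::::0:
pub:u:256:22:FEDCBA9876543210:1546387200:::u:::scESC::::::23::0:
fpr:::::::::11112222333344445555 6666FEDCBA9876543210:
uid:u::::1546387200::HASH::Robert Example <bob@example.org>::::::::::0:
"""

ENTRY_RE = re.compile(r"^(\d{3})\s+\[ \] Fingerprint OK")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]{40,})\s*$")
UID_RE = re.compile(r"^uid\s+(.+?)\s*$")


def parse_ksp_list(text):
    """Return one dict per numbered entry: index, 40-hex fingerprint, list of UIDs."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "fingerprint": None, "uids": []}
            entries.append(current)
            continue
        if current is None:
            continue  # preamble before the first entry
        m = FPR_RE.match(line)
        if m:
            current["fingerprint"] = re.sub(r"\s+", "", m.group(1)).upper()
            continue
        m = UID_RE.match(line)
        if m:
            current["uids"].append(m.group(1))
    return entries


def parse_colons(text):
    """Map primary-key fingerprint -> list of UIDs from `gpg --with-colons` records.

    Field 10 (index 9) holds the fingerprint on `fpr` records and the user ID on
    `uid` records; only the first `fpr` after each `pub` is the primary key (later
    ones belong to subkeys)."""
    keys, fpr = {}, None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            fpr = None
        elif fields[0] == "fpr" and fpr is None:
            fpr = re.sub(r"\s+", "", fields[9]).upper()
            keys.setdefault(fpr, [])
        elif fields[0] == "uid" and fpr is not None:
            keys[fpr].append(fields[9])
    return keys


def cross_check(entries, keyring):
    """Report list entries whose fingerprint or UIDs are not what the keyring holds."""
    problems = []
    for e in entries:
        fpr = e["fingerprint"]
        if fpr is None:
            problems.append((e["index"], "no fingerprint parsed"))
        elif fpr not in keyring:
            problems.append((e["index"], "fingerprint not in keyring"))
        else:
            for uid in e["uids"]:
                if uid not in keyring[fpr]:
                    problems.append((e["index"], f"UID not on key: {uid}"))
    return problems


def digest_of(text, algo="sha256"):
    """Hex digest of the list text as distributed (bytes matter, so encode exactly)."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def verify_list_digest(text, expected_hex, algo="sha256"):
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(digest_of(text, algo), expected_hex.lower())


if __name__ == "__main__":
    entries = parse_ksp_list(SAMPLE_LIST)
    for problem in cross_check(entries, parse_colons(SAMPLE_COLONS)):
        print("entry %03d: %s" % problem)
```

Running the block prints one line for entry 002, whose keyserver UID no longer matches the signed list. In a real workflow the keyring side would come from `gpg --with-colons --fingerprint --list-keys` over the keys you fetched, and the expected digest from the signed list's own footer.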