Consider WKD (Web Key Directory) for our keys

[lazka]

Instead of using the keyserver we would host the keys ourselves. https://wiki.gnupg.org/WKD

• We'd need to add a "foobar@msys2.org" UID to our packager keys
• All packager keys would need to be re-signed with the master keys (to verify the new UID)
• We'd need to provide a https://openpgpkey.msys2.org/.well-known/... hosting the keys statically

Background: https://bugs.archlinux.org/task/63171

[Biswa96]

Thanks for sharing the details. The threads in that bug report are awesome. Just out of curiosity, I have some queries.

• The discussion was started based on spamming the keyserver. Can the new msys2's own keyserver prevent that type of spamming?
• How secure the new keyserver will be?
• Will this transition be transparent to all users?
• Does this require a email server also?

[lazka]

From what I understand it's just a static website with a certain structure. So yes, very(?), yes, no.

[lazka]

The main challenge would be to get Alexey to sign our keys again, I think.

[jeremyd2019]

I've set WKD up a couple of times. It is a static website. Most of the spec actually deals with automated key submission/updates, and can be ignored if you don't care about that. The only bit that you need to do is that you MUST publish a policy file, but it can be empty if you don't support submission.

[lazka]

Had a short talk with David yesterday and he's OK if we try this.

Also had a very short exchange with Alexey, he's reachable, but very bussy as always :)

[jeremyd2019]

If you decide to do this, I have some experience setting this up, over multiple revisions of the spec, if you want advice on how to do it in a way that complies with as many revisions as possible (or you can just conform to the latest revision, hosting files in https://openpgpkey.msys2.org/.well-known/openpgpkey/msys2.org/..., since it could be safely assumed that the consumer is a recent version of GnuPG),