weechat / weechat.org

Source code of weechat.org.
https://weechat.org/
GNU General Public License v3.0

Do not use SKS for distributing weechat signing key #97

Closed: dngray closed this issue 5 years ago

dngray commented 5 years ago

Hi,

The WeeChat signing key is being spammed. The instructions on https://weechat.org/download/ should not use the SKS network: users following the instruction to import the key will break their GnuPG installation.

Currently the signing key on SKS is 180MB.

Background:

wiktor-k commented 5 years ago

Agreed. Alternatively, WeeChat should put their key on https://keys.openpgp.org (which is immune to spamming) and advise downloading from that keyserver. Or use Web Key Directory and gpg --sender when creating the signature (just like kernel.org).

Edit: I'd revise the instructions to use the following:

  1. gpg --locate-key webmaster@weechat.org
  2. gpg --verify weechat-2.5.tar.xz.asc weechat-2.5.tar.xz
  3. Check that the fingerprint printed at the end matches the master key fingerprint. Importing the WeeChat key and not checking the signing fingerprint at the end of verify does not cover the case where WeeChat would be signed by another key present in the keyring.

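The third step above, comparing the fingerprint gpg prints against the master key fingerprint, is the one that actually ties the signature to WeeChat rather than to "some key in my keyring". The following is an added example by the editor, not code from this thread or from the WeeChat project: it runs gpg --verify with --status-fd so the result can be parsed by a script, and accepts the tarball only when the primary key fingerprint in gpg's VALIDSIG status line matches a pinned value. The fingerprints, key IDs and status lines below are constructed placeholders, not WeeChat's real key; webmaster@weechat.org is the address from the thread. The pinned fingerprint is assumed to have been obtained out of band (for example from the download page over HTTPS), since a keyserver or WKD lookup only fetches a key, it does not tell you which key is the right one.

```python
"""Pinned-fingerprint check over gpg's machine-readable status output."""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Placeholder fingerprint for this example (NOT WeeChat's real key).
# Written in the spaced form gpg prints; normalize_fpr() removes the spacing.
PINNED_MASTER_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Status keywords after which the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing gpg uses when printing fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_fpr: Optional[str] = None  # key that made the signature (may be a subkey)
    primary_fpr: Optional[str] = None  # its primary (master) key


def check_status(status_text: str, pinned: Iterable[str]) -> VerifyResult:
    """Accept only a GOODSIG/VALIDSIG pair whose primary key is in `pinned`.

    GOODSIG alone means "a key in the keyring made this signature"; the
    fingerprint comparison is what ties it to the expected master key.
    """
    pinned_norm = {normalize_fpr(p) for p in pinned}
    good = False
    valid: Optional[Tuple[str, str]] = None

    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable gpg output, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT_KEYWORDS:
            return VerifyResult(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig key fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> [<primary fpr>]
            signing = normalize_fpr(args[0])
            primary = normalize_fpr(args[9]) if len(args) >= 10 else signing
            valid = (signing, primary)

    if not (good and valid):
        return VerifyResult(False, "no good signature in gpg status output")
    signing, primary = valid
    if primary in pinned_norm or signing in pinned_norm:
        return VerifyResult(True, "good signature by pinned key", signing, primary)
    return VerifyResult(False, "good signature, but by a key that is not pinned", signing, primary)


def verify_with_gpg(signature_path: str, data_path: str,
                    pinned: Iterable[str], gpg: str = "gpg") -> VerifyResult:
    """Run gpg --verify and apply the pinned-fingerprint check to its status lines."""
    # --status-fd 1 sends the machine-readable lines to stdout; --batch avoids prompts.
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return check_status(proc.stdout, pinned)


# Constructed status output: signature made by a subkey of the pinned master key.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 0123456789ABCDEF WeeChat release key (placeholder) <webmaster@weechat.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2019-06-08 1559995200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a perfectly good signature, but from another key present in the keyring.
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (placeholder) <someone@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-06-08 1559995200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed: tampered tarball, signature does not verify.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF WeeChat release key (placeholder) <webmaster@weechat.org>
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("other key", SAMPLE_OTHER_KEY), ("bad", SAMPLE_BAD)):
        print(name, check_status(sample, {PINNED_MASTER_FPR}))
```

Note that the TRUST_* lines are deliberately ignored: web-of-trust status says nothing about whether this is the right key, and the spammed SKS copy of the key is exactly the kind of input that makes trust computations unreliable. The pinned primary fingerprint is the only thing the check relies on.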
flashcode commented 5 years ago

This is an issue on weechat.org, not WeeChat itself, so I am moving the issue to the appropriate repository.

flashcode commented 5 years ago

Fixed, thanks for pointing out the problem.