I'm reviving this end-of-last-year thread, because...

On 161228-15:42+0100, NdK wrote:
> On 28/12/2016 13:28, Miroslav Rovis wrote:
>
> >> The fact that Github, since this outgoing year, accepts gpg signing only
> >> if you post your public key to their servers.
> I can't say for sure, but maybe that's so they can have an
> "attestation key" to use for verifying signatures, without expensive WoT
> checks. By loading your key, you're certifying it's yours. But it won't
> actually give any more assurance than "you is you" than your credentials
> (against GitHub): if someone steals your credentials, he can replace
> your pub key and sign new commits in your name. They're using GPG just
> as a frontend for signatures using self-signed certificates.
>

Notice this line below:

> BTW nothing prevents you from uploading your key to the keyservers and

It may not have been used by a repo that I'm interested in on github, read on...

> participate in the WoT -- that's the only thing that could assure who
> clones your repo that *you* signed those commits.
...
> > Just some quick links in connection, for the less familiar.
> >
> > For users (like me):
> > https://help.github.com/categories/gpg/

It's this repo, where the latest two tags are PGP-signed:
https://github.com/Synzvato/decentraleyes/tags

They are signed with the key below, and no matter how I tried:

    gpg --keyserver hkp://pgp.mit.edu --recv-key CECC45E1E979013C
    gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C

it appears that key is not on the usual keyservers. (Because I can get
other keys, but not that one. Is it uploaded only to github? Wrong, IMO,
if that is the case, and I'll open an issue with the repo to tell them so.)

Can anybody check if maybe they can get that key from the keyservers?

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users