[arch-general] Problem automatically importing key for signed package.

Mantas M. grawity at gmail.com
Sun Nov 6 07:24:25 EST 2011


On Sun, Nov 06, 2011 at 10:36:17AM +0000, Peter Lewis wrote:
> But yes, this led me to it. I had previously thought that all the keyservers
> synced with each other at some point, but apparently this isn't the case with
> keys.gnupg.net (at least). Sticking my key on that keyserver means that it
> behaves as expected.
>
> [...]
> 
> Yeah, I wonder what the expected behaviour is regarding syncing of keyservers.
> I'm sure I read somewhere that uploading to one was supposed to be sufficient.

It should be sufficient in theory - once a key is uploaded to one server, it would propagate to others in several minutes.

Unless some servers are broken. For example: [1]

> Also, there is a bug in older versions of the SKS key server code that impairs synchronization from other, non-SKS servers but not synchronization to others. Among the servers affected are cryptonomicon.mit.edu (pgp.mit.edu, pgpkeys.mit.edu, www.us.pgp.net), pks.gpg.cz (sks.ms.mff.cuni.cz), and the.earth.li (wwwkeys.uk.pgp.net), all of which have been removed from the above list of servers. It has not yet been determined if the problem relates to which version of the SKS server software is used or is a result of whether the server is or is not a member of the SKS pool.

(One of the keyservers pointed to by 'keys.gnupg.net' happens to be 'pks.gpg.cz'.)

Even with the latest software, the SKS pool status page [2] shows some keyservers missing 10, 30, even ~200 keys.

There are at least two standard ways of publishing PGP keys as DNS records [3], but I'm not sure if any software besides GnuPG supports them.

[1]: http://www.rossde.com/PGP/pgp_keyserv.html
[2]: http://sks-keyservers.net/status/
[3]: http://www.gushi.org/make-dns-cert/HOWTO.html

-- 
Mantas M.
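
To see which keyservers actually hold a key after an upload, the following added example (not part of the original message) parses HKP machine-readable index responses (`op=index&options=mr`) and lists the servers that do not return the key. The server names, fingerprint and response bodies are constructed sample data.

```python
from urllib.parse import unquote
from urllib.request import urlopen

# Constructed sample data: fingerprint, server names and responses are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = {
    "keyserver-a.example": f"info:1:1\npub:{FPR}:1:2048:1320000000::\nuid:Test User <test@example.org>:1320000000::\n",
    "keyserver-b.example": "info:1:0\n",   # answered, but has no such key
    "keyserver-c.example": None,            # lookup failed (error or 404)
}


def lookup_url(server, fingerprint):
    # HKP index query in machine-readable form; 11371 is the default HKP port.
    return f"http://{server}:11371/pks/lookup?op=index&options=mr&search=0x{fingerprint}"


def parse_mr_index(body):
    """Return {key id: [user ids]} from an 'options=mr' index response."""
    keys, current = {}, None
    for line in body.splitlines():
        fields = line.strip().split(":")
        if fields[0] == "pub" and len(fields) > 1 and fields[1]:
            current = fields[1].upper()
            keys[current] = []
        elif fields[0] == "uid" and len(fields) > 1 and current is not None:
            keys[current].append(unquote(fields[1]))  # uids are %-escaped
    return keys


def servers_missing(fingerprint, responses):
    """Given {server: response body or None}, list servers lacking the key."""
    want = fingerprint.upper()
    missing = []
    for server, body in sorted(responses.items()):
        ids = parse_mr_index(body or "")
        # A server may report a 64-bit key id instead of the full fingerprint.
        if not any(want.endswith(key_id) for key_id in ids):
            missing.append(server)
    return missing


def fetch(server, fingerprint, timeout=10):
    """Live query; returns None on any network or HTTP error."""
    try:
        with urlopen(lookup_url(server, fingerprint), timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:
        return None
```

For a live check, build the `responses` mapping with `fetch()` for each server of interest and pass it to `servers_missing()`.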

