Hi Konstantin,

On 02.07.2019 21:40, Konstantin Ryabitsev wrote:
> Most subkey changes that I am aware of are not due to people's old subkeys expiring, but because they add new ones for reasons like migrating between smartcard solutions or just being nerdy and picking a new ECC-based subkey.
>
> When this happens, a maintainer who tries to verify a signed pull request will have the operation fail, so they need to have a way to force-refresh the developer's key.

Do you mean something simpler than [0]:

gpg --auto-key-locate clear,wkd,nodefault --locate-key torva...@kernel.org

?

Trying key lookup over WKD if the subkey is missing locally (but primary key is present) would be a good idea. I've seen some really weird errors in that case [1].

If the primary key used a short expiration [2], the refresh would be automatic, but not many people like to prolong expirations every couple of months.

Kind regards,
Wiktor

[0]: https://dev.gnupg.org/T2917#115978

[1]: https://www.reddit.com/r/tails/comments/9rchgi/tails_3101_error_cant_check_signature_no_public/

[2]: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
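
The retry-over-WKD idea discussed in the message above, as an added example that is not part of the original post or of GnuPG itself. The function names, the sample status lines and the key ID are constructed; it assumes gpg's `--status-fd` lines `NO_PUBKEY` and `ERRSIG` (reason code 9 meaning the public key is missing).

```shell
#!/bin/sh
# Added example (not from the post): function names and sample data are constructed.

# Read `gpg --status-fd` lines on stdin. If they report that the signing
# (sub)key is absent from the keyring, print its key ID and return 0.
missing_key_id() {
    awk '
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; found = 1; exit }
        # ERRSIG: keyid pkalgo hashalgo class time rc fpr; rc 9 = missing public key
        $1 == "[GNUPG:]" && $2 == "ERRSIG" && $8 == "9" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# True when the status lines on stdin contain a verified signature.
good_sig() { grep -q '^\[GNUPG:\] VALIDSIG '; }

# verify_with_refresh SIGNER_EMAIL SIGFILE DATAFILE
# Returns 0 = valid, 1 = failed for another reason, 2 = WKD lookup failed.
verify_with_refresh() {
    signer=$1; sig=$2; data=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || true
    if printf '%s\n' "$status" | good_sig; then return 0; fi
    if keyid=$(printf '%s\n' "$status" | missing_key_id); then
        echo "key $keyid not in keyring; refreshing $signer over WKD" >&2
        # The lookup command quoted in the message above.
        gpg --auto-key-locate clear,wkd,nodefault --locate-key "$signer" \
            >/dev/null 2>&1 || return 2
        status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || true
        printf '%s\n' "$status" | good_sig
        return
    fi
    return 1
}

# Constructed status output: signature made by a subkey the keyring lacks.
sample='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 22 10 00 1562097600 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
echo "missing key: $(printf '%s\n' "$sample" | missing_key_id)"
```

`VALIDSIG` only says the signature checks out against some key in the keyring; comparing the primary-key fingerprint on that line with the one expected for the developer is a separate step.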
