Hi Vagrant,

On 2026-03-12 at 11:29-07:00, Vagrant Cascadian wrote:
> I will admit adding guix's keyring branch (or more likely, forgetting to
> add) to the other 3-4 places I need to manually update my keys begs
> for some sort of automated process! :)
>
> Unfortunately, keyservers may not be kept up to date consistently, and
> which keyserver network(s) an individual key is uploaded to may vary...
>
> In lieu of a keyserver, some keys may be available via WKD (web key
> directory?) ... which essentially is a way to look up keys via email
> addresses and a corresponding URL that matches the domain name...
>
> So, there are quite a few different ways in which the keys *could* be
> updated automatically ... although the intersecting set of update
> methods might be a mess. :/

For automation, I think it is safe to pull from WKD, though there are not enough people using it to make the automation really effective. (It is really easy to set up, but not everyone has a say over their email address's domain name to do it.)

On the other hand, I suppose we can remind committers through warnings from `guix git authenticate', which arguably shouldn't authenticate commits with keys expired by the time of signing anyway.

Cheers,
Phong
