Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Posted zsh 5.9



On 2022-05-14 at 21:50 +0000, Daniel Shahaf wrote:
> The intention is to have the public keys easily available to anyone who
> downloads the artifacts themselves, particularly as «gpg --keyserver foo
> --recv-key $fingerprint» isn't as reliable as it used to be.
> 
> For zsh.org there's little question where to put the keyring file, as
> there's only one relevant directory.  Any reason not to upload
> zsh-keyring.asc to zsh.org/pub?

None that I can see.

Keys can be put into many places, as long as the deployment workflow
updates them all.

IMO the "correct" approach for the future is federated lookups, aka WKD
(in practice); this uses /.well-known/ to put keys into place in a
schema which gpg (and various email clients) can use to retrieve the
keys automatically with `--locate-keys`.  This can be done on
https://zsh.org/ or on https://openpgpkey.zsh.org/

Only works for keys with a UID in zsh.org.  But means that email clients
will automatically find the right keys without needing to go dig around
in various websites.

* https://wiki.gnupg.org/WKD walks through it
* https://wiki.gnupg.org/WKDHosting explains setup on the web-server

and of those, I'm obviously biased towards
<https://github.com/PennockTech/openpgpkey-control>; that layout is what
I use for some other domains, and `other/standalone-update-website`
within the repo has been successfully used by at least a few people in
updating contents as part of a general website build flow ... and is
probably the right path for zsh.org.  Feed it the keyring for
`--keys-file` and a directory top for the serving root for
`--output-dir` and it will write things into the right places.

With that, `gpg --locate-keys pdp@xxxxxxx` would work, and similarly for
any other key with a UID in zsh.org.
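As an added illustration (not part of this message, and not code from the openpgpkey-control project), this Python derives the two WKD lookup URLs that `gpg --locate-keys` tries for a UID: the "advanced" form on the `openpgpkey.` subdomain and the "direct" form on the domain itself. The hashed path component is the z-base-32 encoding of the SHA-1 of the lower-cased local part, as the WKD draft specifies; the sample address `Joe.Doe@Example.ORG` is the draft's own worked example, not a zsh.org address.

```python
import hashlib
import string
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32: 5-bit groups, most significant bit first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # right-pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZBASE32[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD maps only ASCII upper-case letters to lower case, then SHA-1s the result."""
    mapped = local_part.translate(_ASCII_LOWER).encode("utf-8")
    return zbase32_encode(hashlib.sha1(mapped).digest())   # 160 bits -> 32 chars


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs a client would try, in that order.

    The ?l= parameter carries the original (un-mapped) local part so the
    server can return the exact UID that was asked for.
    """
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        # advanced method: a dedicated openpgpkey.<domain> host, domain repeated in the path
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        # direct method: served straight from the domain's own web root
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    for kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{kind}: {url}")
```

A key published under either path must carry a UID whose domain part matches the serving domain, which is the "only works for keys with a UID in zsh.org" constraint mentioned above.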

