Skip to content

Provide a PGP Key Server at Eclipse.org

Summary

It would be very good if https://keyserver.eclipse.org/ existed and that it worked like https://keyserver.ubuntu.com/ does. I believe the later uses https://hockeypuck.io/ to drive it.

The basis for this need is as a result of the recent push to support PGP as an alternative to jarsigning:

https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg.eclipse.org/-/issues/11

Especially relevant is this background section:

https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg.eclipse.org/-/issues/11#background

A key server will be used within Eclipse applications to better support PGP signing, e.g., for displaying the web of trust, and even supporting things like key revocation. Without a key server, a more complete web of trust as shown here would not be possible, e.g., we'd only be able to show the first two nodes in the lower tree:

image

We can only know a key is revoked if we get an up-to-date version of the key from a key server...

The key server site will also be used by users to understand the web of trust with respect to the keys they are being asked to trust and to manually verify with great care.

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent