Key Server

GPG Suite 2019.1 introduces a new default key server. This KB answers the most common questions about this change.

Why?

Previous versions of GPG Suite used sks key servers. In late June 2019 an attack was discovered in which a large number of signatures are added to a key and uploaded to the key servers, rendering those keys unusable. Downloading such a "poisoned" key may corrupt the gpg setup and can result in crashes in GPG Mail or GPG Keychain.
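A defender-side check for the flooding described above, added here as an example and not part of GPG Suite: it parses `gpg --list-packets` output for an exported key file and counts signature packets per primary key, so a key can be inspected before it is imported. The sample listing is constructed, and the 1000-signature threshold is a hypothetical cutoff, not a value from this article.

```python
import subprocess
from collections import Counter

# Constructed sample of `gpg --list-packets` output for one key carrying
# two certification signatures (illustrative, not captured from a real key).
SAMPLE_LISTING = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
\tversion 4, algo 1, created 1500000000, expires 0
\tkeyid: 0123456789ABCDEF
# off=272 ctb=b4 tag=13 hlen=2 plen=25
:user ID packet: "Alice <alice@example.org>"
# off=299 ctb=89 tag=2 hlen=3 plen=300
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1500000000, md5len 0, sigclass 0x13
# off=602 ctb=89 tag=2 hlen=3 plen=300
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1500000001, md5len 0, sigclass 0x10
"""

def signature_counts(listing):
    """Map each primary key ID in a --list-packets listing to the number of
    signature packets that follow it (self-sigs, third-party certifications
    and subkey bindings all count; a flooded key inflates this number)."""
    counts = Counter()
    current = None
    awaiting_keyid = False
    for line in listing.splitlines():
        line = line.strip()
        if line == ":public key packet:":
            awaiting_keyid = True          # the next "keyid:" line names this key
        elif awaiting_keyid and line.startswith("keyid:"):
            current = line.split(":", 1)[1].strip()
            counts[current] += 0           # register the key even with zero sigs
            awaiting_keyid = False
        elif line.startswith(":signature packet:") and current:
            counts[current] += 1
    return dict(counts)

def flooded_keys(listing, threshold=1000):
    """Key IDs whose signature count exceeds the (hypothetical) threshold."""
    return [k for k, n in signature_counts(listing).items() if n > threshold]

def inspect_key_file(path, threshold=1000):
    """Run gpg --list-packets on an exported key file before importing it
    and return the key IDs that look flooded."""
    out = subprocess.run(["gpg", "--batch", "--list-packets", path],
                         capture_output=True, text=True, check=True).stdout
    return flooded_keys(out, threshold)
```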

Affected keys?

We are aware of four keys which have been affected. Other keys could be affected in the future.

Way forward?

The new default key server is keys.openpgp.org. It allows for more privacy control for users and avoids problems encountered in the past:

  • improved performance
  • searches will return only a single key
  • email addresses are only published with consent
  • users can remove email addresses

The old key servers can still be used if necessary.

Using the new key server

Since not all email addresses may yet be verified, GPG Keychain will optionally fall back to the old sks key servers for searches. Please note that searching by name is no longer possible on the new key server.

Conclusion

That this attack was possible is problematic, and it has been a long time coming. Changing large ecosystems like OpenPGP isn't trivial and can't be done quickly.
So thanks to the people who have worked hard to put together Hagrid, the new key server.

We are excited about this change and believe it brings great benefits for our users. As always you are welcome to share your feedback.

See also: Key Upload and Verification