Key Server

In August 2019 GPG Suite 2019.1 introduced a new default key server.

Why?

Previous versions of GPG Suite used SKS key servers. In late June 2019 an attack was discovered in which a large number of signatures are added to a key and the result is uploaded to the key servers, rendering the key unusable. Downloading such a "poisoned" key may corrupt the gpg setup and can result in crashes in GPG Mail or GPG Keychain.
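As an added illustration of how such a flooded key can be spotted before it reaches gpg (this is example code written for this page, not part of GPG Suite), the checker below walks the binary OpenPGP packet stream of a downloaded key and counts signature packets. The threshold of 1000 and the sample key are constructed assumptions; armored keys must be dearmored first, and partial body lengths are rejected rather than parsed.

```python
import struct

SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13  # RFC 4880 packet tags

def parse_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet in a binary key blob (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if first & 0x40:  # new-format header: tag in the low six bits
            tag = first & 0x3F
            o1 = data[pos]; pos += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:  # two-octet length
                length = ((o1 - 192) << 8) + data[pos] + 192; pos += 1
            elif o1 == 255:  # five-octet length
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise ValueError("partial body lengths are not supported by this checker")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported by this checker")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big"); pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body

def signature_count(data: bytes) -> int:
    return sum(1 for tag, _ in parse_packets(data) if tag == SIGNATURE)

def is_flooded(data: bytes, threshold: int = 1000) -> bool:
    """Assumed threshold: genuine keys with more than ~1000 certifications are rare."""
    return signature_count(data) > threshold

# Constructed sample key: dummy key material, one user ID, n_sigs dummy signature packets.
def _old_packet(tag: int, body: bytes) -> bytes:  # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _new_packet(tag: int, body: bytes) -> bytes:  # new-format header, two-octet length
    n = len(body) - 192
    return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body

def build_sample(n_sigs: int) -> bytes:
    blob = _old_packet(PUBLIC_KEY, b"\x04" + b"\x00" * 20)
    blob += _old_packet(USER_ID, b"Alice <alice@example.org>")
    return blob + b"".join(_new_packet(SIGNATURE, b"\x04\x13" + b"\x00" * 198) for _ in range(n_sigs))
```

Run `is_flooded(open("key.gpg", "rb").read())` on a key fetched from a legacy server to decide whether to import it.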

Affected keys

We are aware of only a very small number of affected keys. Other keys could be affected in the future.

Way forward?

The new default key server is keys.openpgp.org. It allows for much improved privacy control for users and avoids problems encountered in the past:

  • improved performance
  • searches always return a single key
  • email addresses are only published with consent and after verification
  • users can remove email addresses

The old key servers can still be used if necessary.

Using the new key server

We highly recommend transitioning to the new key server. If you come across a friend's public key that is not yet on the new server, feel free to ask them to upload it there. In GPG Keychain > Preferences > Key Server you can optionally enable a search fallback to the old key servers.

Searching for names is no longer supported on the new key server. Please search using unique identifiers like email address or fingerprint.

Conclusion

The fact that this attack was possible is problematic, and it has been a long time coming. Changing a large ecosystem like OpenPGP isn't trivial and cannot be done quickly.
So thanks to the people who have worked hard to put together Hagrid, the software behind the new key server.

We are excited about this change and believe it brings great benefits for our users. As always you are welcome to share your feedback.

See also: Key Upload and Verification