Key Server

In August 2019 GPG Suite 2019.1 introduced a new default key server.

Why?

Pervious versions of GPG Suite used the now deprecated sks key servers. In June 2019 an attack was discovered. In that attack a large number of signatures is added to a key and uploaded to the key servers, rendering those keys unusable. Downloading such a "poisoned" key may corrupt the gpg setup and could result in crashes in GPG Mail or GPG Keychain.

Affected keys

We are aware of a very small number of affected keys. Other keys could be affected in the future.

Way forward?

The new default key server is keys.openpgp.org, which allows for improved privacy control for users and avoids problems encountered in the past:

  • improved performance
  • search always returns a single key
  • email addresses are only published with consent and after verification
  • users can remove email addresses

Using the new key server

Searching for names is no longer supported. Please search using unique identifiers like email address or fingerprint.

Conclusion

The fact this attack was possible is problematic and it has been coming a long time. Changing large ecosystems like OpenPGP isn't trivial and done quickly.
So thanks to the people who have worked hard to put together Hagrid, the new key server.

We are excited about this change and believe it brings great benefits for our users. As always you are welcome to share your feedback.

See also: Key Upload and Verification