Key Server

GPG Suite 2019.1 will introduce a new key server. This KB answers the most common questions about this change. Support is already available in our latest GPG Suite hotfix if you want to test the new key server.

Why?

Previous versions of GPG Suite used SKS key servers. In late June 2019 an attack was discovered in which a large number of signatures are added to a key, which is then uploaded to the key servers, rendering that key unusable. Downloading such a "poisoned" key may corrupt the gpg setup and can result in crashes in GPG Mail or GPG Keychain.

Affected keys?

We are aware of four keys which have been affected. Other keys could be affected in the future.

Way forward?

The new key server used in GPG Suite is keys.openpgp.org. It protects users' information much better and avoids problems that have often been reported in the past:

  • improved performance
  • searches will return only a single key
  • identities (email addresses) are only published with consent while non-identity information (e.g. fingerprints) is freely distributed
  • users can delete personal information (email addresses) with a simple email-confirmation

The old key servers can still be used if necessary.

Using the new key server

Since not all keys may have been verified yet, make sure to search not only for your contact's email address but also for the fingerprint of their key. Unverified keys can only be found by searching for the fingerprint. Please note that searching for names is no longer possible.
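As an added example (not code from GPG Suite or this KB), the following POSIX shell check counts the certifications attached to each key in `gpg --with-colons --list-sigs` output and flags keys with an abnormal number, which is how a poisoned key shows up in a local keyring. The listing it parses here is constructed, not real key data, and the 500-signature threshold is an assumption.

```shell
#!/bin/sh
# Count signatures per key in gpg colon-format output (stdin).
# Prints one line per primary key: "<fingerprint> <signature count>".
count_sigs_per_key() {
    awk -F: '
        $1 == "pub" { if (fpr != "") print fpr, n; fpr = ""; n = 0 }
        $1 == "fpr" && fpr == "" { fpr = $10 }   # first fpr after pub is the primary key
        $1 == "sig" || $1 == "rev" { n++ }        # certifications and revocations
        END { if (fpr != "") print fpr, n }
    '
}

# Print fingerprints of keys carrying more than THRESHOLD signatures.
# 500 is an assumed default; a poisoned key carries far more than that.
poisoned_keys() {
    threshold="${1:-500}"
    count_sigs_per_key | awk -v t="$threshold" '$2 > t { print $1 }'
}

# Constructed sample listing (no real keys): key 1 is normal with a
# self-signature and one third-party certification; key 2 has been flooded
# with 1000 certifications from throwaway keys.
make_sample_listing() {
    printf 'pub:u:4096:1:1111111111111111:1500000000::::::::::\n'
    printf 'fpr:::::::::0000000000000000000000000000000000000001:\n'
    printf 'uid:u::::1500000000::X::Alice Example <alice@example.org>::::::::::\n'
    printf 'sig:::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:13x:::::2:\n'
    printf 'sig:::1:2222222222222222:1500000001::::Bob Example <bob@example.org>:10x:::::2:\n'
    printf 'pub:u:4096:1:3333333333333333:1500000000::::::::::\n'
    printf 'fpr:::::::::0000000000000000000000000000000000000002:\n'
    printf 'uid:u::::1500000000::X::Carol Example <carol@example.org>::::::::::\n'
    i=0
    while [ "$i" -lt 1000 ]; do
        printf 'sig:::1:%016d:1500000002::::[User ID not found]:10x:::::2:\n' "$i"
        i=$((i + 1))
    done
}

# Against a real keyring (not run here):
#   gpg --with-colons --list-sigs | poisoned_keys 500
# A flagged key can be re-fetched by fingerprint from the new server:
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys <FINGERPRINT>
make_sample_listing | poisoned_keys 500
```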

Conclusion

The fact that such an attack was possible is problematic, and it has been a long time coming. But changing large ecosystems like OpenPGP isn't trivial and can't be done quickly.
So thanks to the people who have worked hard to put together Hagrid, the new key server.

Nonetheless we are excited about this change and think that it brings huge benefits for our users. As always, you are welcome to share your feedback.

See also: Key Upload and Verification