Looks like this subject is not over, I can't be verified either.
It looks like pool.sks-keyservers.net is just not valid any more, the domain name does not even resolve:
$ host pool.sks-keyservers.net 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
Host pool.sks-keyservers.net not found: 3(NXDOMAIN)
gpg's error message on this is quite surprising:
$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 74AF05DDD92027F5F0C3CDD50D85F29625A3F9FD
gpg: keyserver receive failed: No name
In fact the cert on https://sks-keyservers.net/ expired 3 months ago, it looks like we should find an alternative keyserver.
The check-git-signature script has a fallback to keys.openpgp.org, but receiving from that one just does not work well (despite exit(0) on gpg side):
$ gpg --keyring $(mktemp) --no-default-keyring --keyserver hkps://keys.openpgp.org --recv-key 74AF05DDD92027F5F0C3CDD50D85F29625A3F9FD
gpg: key 0D85F29625A3F9FD: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
This is why we recently switched to keys.openpgp.org for all keyserver links on the team page:
Unfortunately, for the reasons you've discovered, keys.openpgp.org does not work for keys whose UIDs do not have email addresses, such as the Qubes Master Signing Key and release signing keys. However, we provide many alternatives here: Verifying signatures | Qubes OS
In addition, the Ubuntu keyserver you mentioned should still work for these keys.
The problem seems to be deeper than just "keys whose UIDs do not have email addresses": any key uploaded there gets stripped of its UID, AFAICT. Try to get any key there - I only tested a handful from the team's page but all of them suffer from this:
$ gpg --keyring $(mktemp) --keyserver hkps://keys.openpgp.org --recv-keys 0064428F455451B3EBE78A7F063938BA42CFA724
gpg: key 063938BA42CFA724: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
I fail to see what this server can be useful for, in fact.
I just tried importing all 12 core team member keys. Seven imported successfully, while five were skipped due to lack of UID. So, the majority import successfully. Most of those skipped are not developers. I already emailed all core team members two weeks ago and encouraged them to verify their keys, but we can't force anyone to do it.
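Added example, not part of the thread and not the check-git-signature script's own code: since gpg exits 0 even when the fetched key is skipped for lack of a user ID, a script can decide success from gpg's machine-readable `--status-fd` lines instead of the exit code. The function names and both sample status outputs are constructed for illustration; the field positions follow the `IMPORT_OK` and `IMPORT_RES` lines described in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Real use (needs network), capturing the status lines on stdout:
#   status=$(gpg --status-fd 1 --keyserver hkps://keys.openpgp.org \
#                --recv-keys "$FPR" 2>/dev/null)
#   import_ok "$status" "$FPR" || echo "key not usable, try another source" >&2

FPR=74AF05DDD92027F5F0C3CDD50D85F29625A3F9FD

# Constructed sample: key fetched but skipped, "w/o user IDs: 1", exit code 0.
SAMPLE_SKIPPED='[GNUPG:] IMPORT_RES 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0'

# Constructed sample: the same fingerprint imported together with a user ID.
SAMPLE_IMPORTED="[GNUPG:] IMPORT_OK 1 $FPR
[GNUPG:] IMPORT_RES 1 0 1 0 0 1 0 1 0 0 0 0 0 0 0"

# import_ok STATUS_TEXT FINGERPRINT
# Succeeds only if an IMPORT_OK line names the expected full fingerprint and
# IMPORT_RES reports at least one imported or unchanged key.
import_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "IMPORT_OK" && toupper($4) == toupper(want) {
            ok = 1
        }
        # IMPORT_RES fields: count no_user_id imported <0> unchanged ...
        $1 == "[GNUPG:]" && $2 == "IMPORT_RES" {
            usable = $5 + $7
        }
        END { exit !(ok && usable >= 1) }
    '
}

# no_uid_count STATUS_TEXT
# Prints how many keys gpg skipped because they carried no user ID.
no_uid_count() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "IMPORT_RES" { n = $4 }
        END { print n + 0 }
    '
}
```

Matching on the full fingerprint in `IMPORT_OK` also guards against a keyserver returning a different key than the one requested.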