
How to get a public key registered with a key server

Prerequisites

Export your public key

gpg --export --armor john@example.com > john_doe.pub

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBEm7B54RBADhXaYmvUdBoyt5wAi......=vEm7B54RBADh9dmP
-----END PGP PUBLIC KEY BLOCK-----
        

About the arguments:

Submit your public key to a key server

While Phive will support fetching keys from other sources soon, for now uploading your key to keys.openpgp.org is recommended.

Phive checks the modern pool provided by openpgp.org first, only supporting the legacy keyservers as a fallback.

You can of course upload your public key to both pools, but uploading to one is sufficient for Phive to find it.

Please note: The legacy sks-keyserver pool has ceased operation. If you did not yet upload your public key to keys.openpgp.org, please do so now.

If the key is not found at the aforementioned server, Phive also checks, at the time of this writing, the keyservers operated by Canonical/Ubuntu and the MIT.

Upload to openpgp.org

  • Go to https://keys.openpgp.org/upload
  • Select the file "john_doe.pub" created in the previous step and click on upload.
  • Follow the instructions sent to you by openpgp.org to finish the registration and proof of ownership

Important: keys.openpgp.org strips the UID from the key until ownership is confirmed. The key is useless when no UID is included so make sure you follow the instructions sent to you by openpgp.org.

Upload to legacy server (optional)

  • Go to https://keyserver.ubuntu.com
  • Paste the content of the file "john_doe.pub" unmodified, including the -----BEGIN and -----END lines, into the form
  • Click on "submit this key to the keyserver!"

Congratulations, you published your public key.

Please allow a couple of minutes for the servers to replicate that information before starting to use the key.

Alternate way to submit your public key to the key servers using the CLI

gpg --keyid-format LONG --list-keys john@example.com
pub   rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]
      ABCDEF0123456789ABCDEF0123456789
uid              [ ultimate ] John Doe <john@example.com>
            

This shows the 16-byte Key-ID right after the key-type and key-size. In this example it's the part after the slash, ABCDEF0123456789, in this line:

pub rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]

The next step is to send the key to the keyserver using this Key-ID, in our case keyserver.ubuntu.com.

gpg --keyserver keyserver.ubuntu.com --send-keys ABCDEF0123456789

Congratulations, you published your public key.

Please allow a couple of minutes for the servers to replicate that information before starting to use the key.

General notes on Security

  • A keyserver does not make any claims about authenticity. It merely provides an automated means to get a public key based on its ID. It's up to the user to decide whether the result is to be trusted, as in whether or not to import the public key to the local chain. Do not blindly import a key but at least verify its fingerprint. The phar.io fingerprint information can be found in the footer.
  • Instead of using a keyserver, public keys can of course also be imported directly. Linux distributions for example do that by providing their keys in release-packages or the base OS installation image. Phive will only contact a keyserver in case the key used for signing is not already known, i.e. cannot be found in the local chain.
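
One way to apply the "verify its fingerprint" advice above before importing a key obtained from a keyserver. This is an added example, not code from phar.io or Phive; the function names and the sample data are hypothetical, and it assumes the key has been saved to a file and the expected fingerprint was obtained over a separate trusted channel.

```shell
#!/bin/sh
# Added example (not phar.io/Phive code): check a key file's fingerprint
# before importing it. Function names are hypothetical.
# Usage: verify_and_import john_doe.pub '<fingerprint from a trusted channel>'

# Constructed sample of `gpg --with-colons` output (one key, one subkey).
SAMPLE_COLONS='pub:-:4096:1:ABCDEF0123456789:1514764800:1609459200::-:::scESCA:
fpr:::::::::0123456789ABCDEF01234567ABCDEF0123456789:
uid:-::::1514764800::::John Doe <john@example.com>:
sub:-:4096:1:1111111111111111:1514764800::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and upper-case, so "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the fingerprint (field 10 of the first "fpr" record after each
# "pub" record) of every primary key in colon-format output on stdin.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin describes exactly one primary key whose fingerprint
# equals $1. Returns 2 if $1 is not a full fingerprint (40 hex digits for
# v4 keys, 64 for newer formats; Key-IDs are refused), 1 on mismatch.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || [ "${#expected}" -eq 64 ] || return 2
    [ "$found" = "$expected" ]
}

# Inspect FILE without importing it, then import only on a match.
verify_and_import() {
    if gpg --show-keys --with-colons --with-fingerprint "$1" | fpr_matches "$2"
    then
        gpg --import "$1"
    else
        echo "fingerprint check failed, key not imported" >&2
        return 1
    fi
}
```

A file that carries more than one primary key fails the check, because the comparison is against the complete list of primary fingerprints rather than a search for one matching line.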