intrigeri authored
For background, see #12689 and its various duplicates. The short version is:

- Unfortunately, hkp://jirk5u4osbsr34t5.onion is way too unreliable.
- Most non-tech-savvy OpenPGP users don't use keyservers at all, so this change should not affect them much.
- Tech-savvy OpenPGP users who want to use the Web-of-Trust (which keys.openpgp.org's design essentially kills) should be able to switch to a keyserver of their choosing, that includes non-self certifications.

Let's use the Onion service instead of hkps://keys.openpgp.org/, so that we don't lose end-to-end encryption and authentication of the keyserver in Seahorse, which doesn't support hkps://.

Alternatively, we could use hkps://keys.openpgp.org/ everywhere else, but it feels simpler to use the same keyserver everywhere.

At this point, the only Tails systems that are affected by this change are those run without GnuPG persistence, and newly created persistent GnuPG configuration. Pre-existing persistent GnuPG configuration is not updated (yet).

On the test suite front:

- This commit keeps the Chutney-based redirector setup as-is, except it will proxy requests to keys.openpgp.org, instead of pool.sks-keyservers.net previously. This should work as long as keys.openpgp.org supports cleartext communication on port 11371.
- In theory, our long-term plan is to replace this with a local mock keyserver Onion service. We'll see if that's still worth the effort once we redirect requests to a more reliable upstream keyserver.
- I'm removing the @fragile tag for torified_gnupg.feature. There might be other reasons why these scenarios are fragile; let's learn about them.
dbfbfa7b