GHC releases GPG key not very available / usable
Summary
The GPG key associated with recent GHC releases has a few issues. The key is tied to @wz1000 .
- It is available at http://pgp.mit.edu/ , however this appears to be flaky and it is currently down.
- It is available at https://keys.openpgp.org/search?q=588764FBE22D19C4 , however apparently keys.openpgp.org does not expose user info (unless explicitly enabled?), which means it can't be used to verify the releases (apparently).
- Unlike the previous releases by @bgamari, the key is not available at keyserver.ubuntu.com, i.e. https://keyserver.ubuntu.com/pks/lookup?search=ben%40well-typed.com&fingerprint=on&op=index , which does not have the above issues.
I'm learning about GPG here... sorry if I'm doing something silly.
Steps to reproduce
$ gpg --batch --keyserver hkps://keys.openpgp.org --receive-keys 588764FBE22D19C4
gpg: key 588764FBE22D19C4: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
$ curl -O https://downloads.haskell.org/~ghc/8.10.7/ghc-8.10.7-x86_64-deb10-linux.tar.xz
$ curl -O https://downloads.haskell.org/~ghc/8.10.7/ghc-8.10.7-x86_64-deb10-linux.tar.xz.sig
$ gpg --batch --verify ghc-8.10.7-x86_64-deb10-linux.tar.xz.sig ghc-8.10.7-x86_64-deb10-linux.tar.xz
gpg: Signature made Fri 27 Aug 2021 04:38:21 AEST
gpg: using RSA key 88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
gpg: Can't check signature: No public key
Expected behavior
The GPG signature is verified.
Environment
- GHC version used: 8.10.7
Optional:
- Operating System:
Tried Ubuntu + Debian
- System Architecture:
x86
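
For anyone scripting the verification step from this report, the following is an added example (not part of the original issue and not GHC tooling) that reads gpg's machine-readable `--status-fd` output and separates "key missing from the keyring", as seen above, from a bad signature or a signature made by an unexpected key. The function names and sample status lines are constructed for illustration; the pinned fingerprint is the one gpg printed in the output above.

```bash
#!/usr/bin/env bash
# Added example: classify `gpg --status-fd 1 --verify` output against a pinned fingerprint.

# Full fingerprint from the "using RSA key" line in the issue.
EXPECTED_FPR="88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4"

# classify_status WANT_FPR   (status lines on stdin)
# Prints one of: valid, wrong-key, no-pubkey, bad-signature, unknown
classify_status() {
    local want="$1" prefix tag fpr rest result="unknown"
    while read -r prefix tag fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            VALIDSIG)
                # Field 1 is the signing (sub)key, the last field is the primary key.
                if [ "$fpr" = "$want" ] || [ "${rest##* }" = "$want" ]; then
                    result="valid"
                else
                    result="wrong-key"
                fi ;;
            NO_PUBKEY)
                # Signature could not be checked at all: the key is not in the keyring.
                if [ "$result" = "unknown" ]; then result="no-pubkey"; fi ;;
            BADSIG)
                result="bad-signature"; break ;;
        esac
    done
    printf '%s\n' "$result"
}

# verify_release SIGFILE TARBALL   (hypothetical wrapper; needs gpg installed)
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$EXPECTED_FPR"
}

# Constructed status output: the failure from the issue, a good result, and a foreign key.
SAMPLE_NO_KEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 588764FBE22D19C4 1 8 00 1630003101 9 $EXPECTED_FPR
[GNUPG:] NO_PUBKEY 588764FBE22D19C4"
SAMPLE_VALID="[GNUPG:] GOODSIG 588764FBE22D19C4 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-08-26 1630003101 0 4 0 1 8 00 $EXPECTED_FPR"
SAMPLE_OTHER="[GNUPG:] GOODSIG 0000000000000001 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2021-08-26 1630003101 0 4 0 1 8 00 0000000000000000000000000000000000000001"

# Stand-alone use: ./check.sh ghc-...tar.xz.sig ghc-...tar.xz
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Pinning the full fingerprint means the result does not depend on the key's user ID, only on which key produced the signature.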