gnupg: change default keyserver to non-SKS

See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f. The SKS network is vulnerable to certificate poisoning, which can destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver that is resistant to this type of attack. With such an attack being possible, it is unsafe to use SKS keyservers for almost anything, and so we should protect our users from a now unsafe default. keys.openpgp.org offers some (but not all) functionality of SKS, and is better than nothing. This default is only present in gnupg22. gnupg20 and gnupg1orig are not affected.
2019-06-30 14:04:22 +00:00 · 2019-06-30 14:04:22 +00:00 · c727083e65
commit c727083e65
parent e295fd8137
1 changed files with 4 additions and 1 deletions
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@ -33,7 +33,10 @@ stdenv.mkDerivation rec {
  patches = [
    ./fix-libusb-include-path.patch
  ];
-  postPatch = stdenv.lib.optionalString stdenv.isLinux ''
+  postPatch = ''
+    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
+        configure doc/dirmngr.texi doc/gnupg.info-1
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
    sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
  ''; #" fix Emacs syntax highlighting :-(