Switch gpg.mozilla.org out for keys.openpgp.org

README.rst

@@ -673,10 +673,9 @@ Example: place the following in your ``~/.bashrc``
 Specify a different GPG key server
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-By default, ``sops`` uses the key server ``gpg.mozilla.org`` to retrieve the GPG
+By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG
 keys that are not present in the local keyring.
-To use a different GPG key server, set the ``SOPS_GPG_KEYSERVER`` environment
-variable.
+This is no longer configurable. You can learn more about why from this write-up: [SKS Keyserver Network Under Attack](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f).
 
 Example: place the following in your ``~/.bashrc``
 

cmd/sops/main.go

@@ -109,7 +109,6 @@ func main() {
    the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
 
    To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
-   To use a GPG key server other than gpg.mozilla.org, set SOPS_GPG_KEYSERVER.
 
    To select a different editor than the default (vim), set EDITOR.
 
@@ -185,9 +184,9 @@ func main() {
 					Usage: "the user to run the command as",
 				},
 				cli.StringFlag{
-                                        Name:  "input-type",
-                                        Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type",
-                                },
+					Name:  "input-type",
+					Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type",
+				},
 				cli.StringFlag{
 					Name:  "output-type",
 					Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format",

pgp/keysource.go

@@ -86,8 +86,10 @@ func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error {
 	return nil
 }
 
-func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity, error) {
-	url := fmt.Sprintf("https://%s/pks/lookup?op=get&options=mr&search=0x%s", keyserver, fingerprint)
+func getKeyFromKeyServer(fingerprint string) (openpgp.Entity, error) {
+	log.Warn("Deprecation Warning: GPG key fetching from a keyserver witihin sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.")
+
+	url := fmt.Sprintf("https://keys.openpgp.org/vks/v1/by-fingerprint/%s", fingerprint)
 	resp, err := http.Get(url)
 	if err != nil {
 		return openpgp.Entity{}, fmt.Errorf("error getting key from keyserver: %s", err)
@@ -103,14 +105,6 @@ func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity,
 	return *ents[0], nil
 }
 
-func gpgKeyServer() string {
-	keyServer := "gpg.mozilla.org"
-	if envKeyServer := os.Getenv("SOPS_GPG_KEYSERVER"); envKeyServer != "" {
-		keyServer = envKeyServer
-	}
-	return keyServer
-}
-
 func (key *MasterKey) getPubKey() (openpgp.Entity, error) {
 	ring, err := key.pubRing()
 	if err == nil {
@@ -120,8 +114,7 @@ func (key *MasterKey) getPubKey() (openpgp.Entity, error) {
 			return entity, nil
 		}
 	}
-	keyServer := gpgKeyServer()
-	entity, err := getKeyFromKeyServer(keyServer, key.Fingerprint)
+	entity, err := getKeyFromKeyServer(key.Fingerprint)
 	if err != nil {
 		return openpgp.Entity{},
 			fmt.Errorf("key with fingerprint %s is not available "+

pgp/keysource_test.go

@@ -45,6 +45,6 @@ func TestPGPKeySourceFromString(t *testing.T) {
 
 func TestRetrievePGPKey(t *testing.T) {
 	fingerprint := "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
-	_, err := getKeyFromKeyServer("gpg.mozilla.org", fingerprint)
+	_, err := getKeyFromKeyServer(fingerprint)
 	assert.NoError(t, err)
 }