semantics of gnupg --keyserver in 2.1

Andre Heinecke aheinecke at
Wed Dec 17 10:37:39 CET 2014


On Tuesday, December 16, 2014 06:23:57 PM Daniel Kahn Gillmor wrote:
> in GnuPG 2.1, keyserver operations are delegated to the dirmngr daemon.
> This is a good move overall, because it means the daemon can do things
> like keep track of which keyservers it has tried recently.
> however, it means that some commands that users may be used to won't do
> what they expect.  For example, in 2.1:
>   gpg --keyserver foo.example --recv 0xdeadbeef
> won't actually try to talk to foo.example, if dirmngr is already started
> and has decided that it will use bar.example (e.g. from
> ~/.gnupg/gpg.conf).

Gnupg sends the dirmngr the keyserver it should use with a KEYSERVER command.
In dirmngr's debug output you can see that it sends KEYSERVER --clear <foo>
and then another KEYSERVER command for each keyserver configured.

In my tests it always used the last one.

> Should gpg warn about the fact that --keyserver is being ignored here?

I hacked it for me locally to  send the keyserver supplied with --keyserver as 
the last one. (Added a commit message and attached this)

I have not sent this to werner as I am not sure that this a proper solution. 
If the keyserver setting from the command line should just overwrite the 
settings from the config then there is no need for a list. And I would have 
expected dirmngr to fall back to the configured keyserver if the server 
provided by --keyserver is not available. This also does not happen.


Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gpg-Append-command-line-keyserver-to-options.patch
Type: text/x-patch
Size: 1318 bytes
Desc: not available
URL: </pipermail/attachments/20141217/c0736afc/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20141217/c0736afc/attachment.sig>

More information about the Gnupg-devel mailing list