Update keys.gnupg.net?

Simon Josefsson simon@josefsson.org
Tue Jul 27 11:15:01 CEST 2021


Werner Koch <wk@gnupg.org> writes:

> On Fri, 23 Jul 2021 19:45, Simon Josefsson said:
>
>> many release announcements of GNU projects.  Is there anything better
>> than that?  Of course, how to locate PGP keys for a single individual
>
> The new default is the Ubuntu keyserver which seems to be the best
> maintained one.  There is also the mayfirst server which I use regularly.
>
> keys.gnupg.net was introduced even before the sks pools and allowed to
> update the default keyserver for gnupg by changing the zone.  However
> with the introduction of the sks pools and with TLS a CNAME did not
> work anymore and thus GnuPG was changed to use a hardwired mapping of
> keys.gnupg.net to the SKS pool.
>
> Web Key Directory seems to be the best fit but it does not allow making
> use of the Web of Trust.  But that is the same for keyservers also
> (since some time).

Yeah, I also came to the conclusion of WKS:

https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242

However --locate-external-keys is a new command, and not even present in
Debian buster.  To solve the use-case of refreshing any expired local
keys, the following appears to work:

gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org

How does GnuPG select which key is shown when running that command?

It used to look like this:

jas@latte:~$ gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
gpg: key EDA21E94B565716F: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: key 0664A76954265E8C: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: key D73CF638C53C06BE: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
pub   rsa1280 2002-05-05 [SC] [expired: 2014-11-10]
      0424D4EE81A0E3D119C6F835EDA21E94B565716F
uid           [ expired] Simon Josefsson <simon@josefsson.org>

jas@latte:~$ 

So it picked my oldest key...

I reordered the keys in my exported file on the server, and now it looks
like this:

jas@latte:~$ gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
gpg: key 0664A76954265E8C: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: key D73CF638C53C06BE: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: key EDA21E94B565716F: "Simon Josefsson <simon@josefsson.org>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
pub   rsa3744 2014-06-22 [SC] [expires: 2022-05-17]
      9AA9BDB11BB1B99A21285A330664A76954265E8C
uid           [ultimate] Simon Josefsson <simon@josefsson.org>
sub   rsa2048 2014-06-22 [S] [expires: 2022-05-17]
sub   rsa2048 2014-06-22 [E] [expires: 2022-05-17]
sub   rsa2048 2014-06-22 [A] [expires: 2022-05-17]

jas@latte:~$ 

The server has my Ed25519 key first, but still GnuPG is showing my RSA
key anyway.

Could the logic be to show the newest non-expired key?

Alternatively, show short summary output of all retrieved keys.  That is
probably the best?

/Simon
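The two selection rules proposed in the message above (newest non-expired key, or a summary of every key retrieved), as an added example that is not part of the thread: it works on machine-readable `gpg --with-colons` output and is fed a constructed sample listing built around the three key IDs shown above, with the Ed25519 key's dates made up for the demo.

```shell
#!/bin/sh
# Added example (not from the gnupg-devel thread). Assumes `gpg --with-colons`
# record layout: field 1 record type, field 2 validity (e=expired, r=revoked),
# field 5 key ID, field 6 creation and field 7 expiration as seconds since the
# epoch (empty expiration = never expires).

# One line per primary key: KEYID CREATED EXPIRES STATUS
summarize_keys() {
    awk -F: '$1 == "pub" {
        status = "valid"
        if ($2 == "r") status = "revoked"
        else if ($2 == "e") status = "expired"
        print $5, $6, ($7 == "" ? "never" : $7), status
    }'
}

# Key ID of the newest primary key still usable at time $1 (epoch seconds);
# prints nothing when every key is revoked or expired.
pick_newest_valid_key() {
    awk -F: -v now="$1" '
        $1 == "pub" && $2 != "r" && $2 != "e" && ($7 == "" || $7 + 0 > now + 0) {
            if ($6 + 0 > best_created) { best_created = $6 + 0; best = $5 }
        }
        END { if (best != "") print best }'
}

# Constructed sample listing: key IDs from the thread, dates of the first two
# keys taken from the listings above, Ed25519 dates and the subkey ID made up.
SAMPLE='pub:e:1280:1:EDA21E94B565716F:1020556800:1415577600::-:::scSC::::::::::0:
uid:e::::1020556800::CONSTRUCTEDHASH::Simon Josefsson <simon@josefsson.org>::::::::::0:
pub:u:3744:1:0664A76954265E8C:1403395200:1652745600::u:::scSC::::::::::0:
sub:u:2048:1:CONSTRUCTEDSUBKEYID:1403395200:1652745600:::::e::::::23::0:
pub:-:255:22:D73CF638C53C06BE:1553040000:1679270400::-:::scSC::::::::::0:'

echo "Summary of all retrieved keys:"
printf '%s\n' "$SAMPLE" | summarize_keys
echo "Newest usable key as of 2021-07-27:"
printf '%s\n' "$SAMPLE" | pick_newest_valid_key 1627344000
# Against a real keyring after a WKD lookup:
#   gpg --with-colons --list-keys simon@josefsson.org | pick_newest_valid_key "$(date +%s)"
```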