GPGME: locate-keys: how identify that different keys were returned by keyservers
Bruce Walzer
bwalzer at 59.ca
Wed Dec 3 18:22:36 CET 2025
On Wed, Dec 03, 2025 at 11:38:04AM +0100, Giacomo Tesio wrote:
> Hi, while trying to improve the usability of key lookup in Claws-Mail
> with a contextual menu that lets you search for pgp keys over any email,
> upstream developers proposed an interesting scenario I would not know
> how to handle, despite looking at the GPGME documentation.
>
> The scenario is running "gpg --locate-keys email at example.org" with the
> configured keyservers returning different keys for that email address.
In the PGP world, identities are denoted with a hex number: a key
fingerprint or the shortened key ID. These identities can normally be
considered to be unique. The email address on the other hand is really
just a convenience feature tacked on to the identity. It is not only
possible, but reasonably common for there to be two PGP keys with the
same email address. For example, that can happen when someone abandons
a PGP key and starts over with another one with the same email
address. So the problem seems intrinsic to me. The user will
eventually be expected to determine which key fingerprint/ID is
correct.
Bruce
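
The point above, as an added example that is not part of the original message and is not GPGME code: it groups primary-key fingerprints by the email address in their user IDs, reading the record layout of `gpg --with-colons --list-keys`, and reports addresses claimed by more than one key. The listing, fingerprints and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed fingerprints and listing (not real keys), in the record layout
# printed by `gpg --with-colons --list-keys`.
OLD, OLD_SUB, NEW, BOB = "1" * 40, "2" * 40, "3" * 40, "4" * 40
SAMPLE = f"""\
pub:e:4096:1:1111111111111111:1400000000:1500000000::-:::sc:
fpr:::::::::{OLD}:
uid:e::::1400000000::HASH1::Alice Example <alice@example.org>:
sub:e:4096:1:2222222222222222:1400000000:1500000000:::::e:
fpr:::::::::{OLD_SUB}:
pub:u:255:22:3333333333333333:1700000000:::-:::sc:
fpr:::::::::{NEW}:
uid:u::::1700000000::HASH2::Alice Example <Alice@example.org>:
pub:f:255:22:4444444444444444:1700000000:::-:::sc:
fpr:::::::::{BOB}:
uid:f::::1700000000::HASH3::Bob Example <bob@example.org>:
"""

def keys_by_email(colon_listing):
    """Return {email: {primary fingerprint: validity letter of that key}}."""
    found = defaultdict(dict)
    fpr = validity = None
    want_fpr = False
    for line in colon_listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            # A new primary key starts; its fingerprint is the next fpr record.
            validity, fpr, want_fpr = f[1], None, True
        elif f[0] == "fpr" and want_fpr:
            # Later fpr records in this block belong to subkeys and are skipped.
            fpr, want_fpr = f[9], False
        elif f[0] == "uid" and fpr:
            m = re.search(r"<([^<>\s]+@[^<>\s]+)>", f[9])
            if m:
                found[m.group(1).lower()][fpr] = validity
    return found

def ambiguous(found):
    """Addresses claimed by more than one primary key."""
    return {email: keys for email, keys in found.items() if len(keys) > 1}

if __name__ == "__main__":
    for email, keys in ambiguous(keys_by_email(SAMPLE)).items():
        print(email, "is claimed by:")
        for fingerprint, validity in keys.items():
            print("  ", fingerprint, "validity:", validity)
```

The validity letter (here `e` for the expired key) helps narrow the choice, but the decision about which fingerprint is correct still rests with the user.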