--with-sig-check silently ignored when used with --import and --recv-keys

Sun May 3 01:02:46 CEST 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy all,

I've been playing around with key signatures and ran across an interesting
situation. For some reason, --with-sig-check is silently ignored when used with
- --import and --recv-keys. Is this something I should file a bug on?

==Summary==

I have setup a public key for Alice that has one valid signature from Bob and
one invalid signature from Mallory.

http://p80.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xA5452207

When you import Alice's public key via gpg --import or --recv-keys, GnuPG does
not verify the signatures on Alice's public key, even if I have Bob and/or
Mallory's public keys already in my keyring.

==Steps To Reproduce==

1. Request Bob and Mallory's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check 65B57FDF B8062D4C
> gpg: requesting key 65B57FDF from hkp server keys.gnupg.net
> gpg: requesting key B8062D4C from hkp server keys.gnupg.net
> gpg: key 65B57FDF: public key "Bob User (Good Signature) <bob+goodsig at example.com>" imported
> gpg: key B8062D4C: public key "Mallory User (Bad Signature) <mallory+badsig at example.com>" imported
> gpg: Total number processed: 2
> gpg:               imported: 2  (RSA: 2)

2. Request Alice's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check A5452207
> gpg: requesting key A5452207 from hkp server keys.gnupg.net
> gpg: key A5452207: public key "Alice User (Signature Test) <alice+sigtest at example.com>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

3. Checking signatures shows that Mallory's signature is bad.

> $ gpg2 --check-sigs
> /home/user/testring/pubring.gpg
> ------------------------------------------
> pub   2048R/65B57FDF 2015-04-01
> uid                  Bob User (Good Signature) <bob+goodsig at example.com>
> sig!3        65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
> sub   2048R/83518D34 2015-04-01
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
>
> pub   2048R/B8062D4C 2015-04-01
> uid                  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sig!3        B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sub   2048R/FDE6C57B 2015-04-01
> sig!         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
>
> pub   2048R/A5452207 2015-04-01
> uid                  Alice User (Signature Test) <alice+sigtest at example.com>
> sig!3        A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest at example.com>
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
> sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sub   2048R/0BE64ECE 2015-04-01
> sig!         A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest at example.com>
>
> 1 bad signature

==What Should Happen==

When importing public keys, --with-sig-check should not get silently ignored
when added to --import or --recv-keys. Alternatively, the --with-sig-check flag
should throw an error if included with --import or --recv-keys since silently
ignoring it might make a user assume that all signatures were valid.

Thanks!
Daniel Roesler