GnuPG 2.1: --auto-key-locate dane
Werner Koch
wk at gnupg.org
Fri Nov 27 07:58:17 CET 2015
On Thu, 26 Nov 2015 23:00, mls at dabpunkt.eu said:
> returns no key. So AFAIS the error is not at you or gpg, but at gmx.
>
> The OpenPGPKey-DNS-entry for my mail-address works, if you like to test gpg.
Not for me:
$ gpg --auto-key-locate clear,pka,dane,local -v --locate-key mls at dabpunkt.ue
[...]
gpg: error retrieving 'mls at dabpunkt.ue' via PKA: Not found
gpg: error retrieving 'mls at dabpunkt.ue' via DANE: Not found
gpg: can't handle public key algorithm 105
gpg: error retrieving 'mls at dabpunkt.ue' via Local: No public key
gpg: key "mls at dabpunkt.ue" not found: No public key
This is the current version but there are no changes related to DANE
since 2.1.9. I redacted your address in the above transcript (eu->ue).
A likely reason for the problem is a change of the algorithm from
SHA-224 to a truncated SHA-256 in one of the last OpenPGP drafts.
Use "gpg --print-dane-records -k mls at dabpunkt.ue" to output a suitable
DANE record.
Here is a working example:
$ gpg --auto-key-locate clear,dane,local -v --locate-key wk at gnupg.org
[...]
gpg: pub dsa2048/F2AD85AC1E42B367 2007-12-31 Werner Koch <wk at gnupg.org>
gpg: key F2AD85AC1E42B367: "Werner Koch <wk at gnupg.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
gpg: automatically retrieved 'wk at gnupg.org' via DANE
[...]
Note that using --locate-key is better because it uses the same strategy
as used by -r. In the second example I left out PKA because I also have
a PKA entry for my address. By using "clear" I override defaults set in
gpg.conf and "local" instructs gpg to check the local keyring after
"dane". Another address for testing is my g10code address.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
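
An added example, not part of the original message and not GnuPG code: a small checker for the SHA-224 versus truncated SHA-256 mismatch mentioned above. It derives the OPENPGPKEY owner name both ways and reports which derivation a published record name matches. It assumes the label is the hex hash of the UTF-8 local part followed by `_openpgpkey` and the domain, as in the OpenPGP DANE drafts, and applies no canonicalization to the local part; the function names are hypothetical.

```python
import hashlib


def split_address(addr):
    """Accept 'user@domain' or the list archive's 'user at domain' form."""
    addr = addr.strip().replace(" at ", "@")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {addr!r}")
    return local, domain


def owner_names(addr):
    """Return the DNS owner name under both derivations of the label."""
    local, domain = split_address(addr)
    data = local.encode("utf-8")  # assumption: local part hashed exactly as given
    labels = {
        # Older drafts: full SHA-224 digest (28 octets).
        "sha224": hashlib.sha224(data).hexdigest(),
        # Later drafts: SHA-256 digest truncated to 28 octets.
        "sha256-truncated": hashlib.sha256(data).digest()[:28].hex(),
    }
    return {s: f"{label}._openpgpkey.{domain}" for s, label in labels.items()}


def classify(addr, published_name):
    """Say which derivation a published owner name matches, or None."""
    wanted = published_name.rstrip(".").lower()  # tolerate FQDN dot and case
    for scheme, name in owner_names(addr).items():
        if name.lower() == wanted:
            return scheme
    return None


if __name__ == "__main__":
    # Address taken from the working example in the message.
    for scheme, name in owner_names("wk at gnupg.org").items():
        print(f"{scheme:17} {name}")
```

Both labels are 56 hex characters long, so a record published under the older derivation looks well-formed in the zone and only shows up as "Not found" on lookup.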