How to use '--verify-options pka-lookup'?

WhiteWinterWolf gnupg.lists at
Sun Dec 10 15:40:51 CET 2017


Can anyone tell me or point me to some example on how to use the
following option:

    --verify-options pka-lookup

As per my understanding, given a pubkey in the keyring and a signed
file, this parameter should tell GPG to contact the DNS server handling
the domain from the pubkey email address and ensure that the key
fingerprint is indeed the expected one.

I find this option interesting since, as long as PKA is not used to
fetch the key too, it opens a very convenient way to check a key from
two independent sources and make it far harder for an attacker to
replace a key (as long as SHA-1 fingerprints can be trusted).

However, whichever way I try to use this option, it just doesn't
seem to have any noticeable effect.

Here is an example of how I tried to use this option:

    gpg --verify-options pka-lookup --verify somefile.sig somefile.txt

The PKA lookup step seems to be simply ignored and skipped.

Thank you in advance!
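
The cross-check the post describes (take the e-mail address from the key, derive the PKA DNS name `local-part._pka.domain`, fetch its TXT record and compare the `fpr=` fingerprint it carries with the fingerprint of the key in the local keyring) can be shown in a few lines of Python. This is an added example, not code from the post or from GnuPG; it uses the `v=pka1;fpr=...;uri=...` TXT record format GnuPG documents for PKA, but the DNS data, the address `alice@example.org` and the fingerprint value are constructed for the example, and the resolver is a lookup into that constructed table rather than a real DNS query.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample DNS zone: the TXT record a PKA-enabled domain would publish
# for alice@example.org. The fingerprint is a made-up placeholder, not a real key.
SAMPLE_DNS: Dict[str, List[str]] = {
    "alice._pka.example.org": [
        "v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567;uri=hkp://keys.example.org",
    ],
    # An unrelated TXT record at the same name (e.g. SPF) must simply be ignored.
    "bob._pka.example.org": ["v=spf1 -all"],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Stand-in for a TXT query; returns the constructed records for `name`."""
    return SAMPLE_DNS.get(name, [])


def pka_name(email: str) -> str:
    """Map an e-mail address to the DNS name PKA queries: local-part._pka.domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}._pka.{domain}"


def parse_pka_record(txt: str) -> Optional[Dict[str, str]]:
    """Parse one 'v=pka1;fpr=...;uri=...' TXT record; None if it is not a pka1 record."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1" or not fields.get("fpr"):
        return None
    return fields


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing GnuPG prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


def pka_verify(email: str, keyring_fpr: str, resolver: Resolver) -> bool:
    """True when a pka1 record published under the sender's domain carries the
    same fingerprint as the key we already hold; False otherwise (no record,
    wrong record type, or a fingerprint mismatch)."""
    wanted = normalize_fpr(keyring_fpr)
    for txt in resolver(pka_name(email)):
        rec = parse_pka_record(txt)
        if rec is not None and normalize_fpr(rec["fpr"]) == wanted:
            return True
    return False


if __name__ == "__main__":
    # Fingerprint written the way gpg --fingerprint prints it (spaced groups).
    held = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    print("alice matches DNS:", pka_verify("alice@example.org", held, sample_resolver))
    print("bob (no pka record):", pka_verify("bob@example.org", held, sample_resolver))
```

Against a live domain the `resolver` would be replaced by a real TXT query (for instance the output of `dig +short TXT alice._pka.example.org`), and the same comparison applies: a mismatch means the key in the keyring and the key the domain owner publishes disagree, which is exactly the substitution the post hopes `pka-lookup` would flag.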
