A question about WKD
Stefan Claas
sac at 300baud.de
Wed Jan 2 14:50:14 CET 2019
On Wed, 2 Jan 2019 11:18:25 +0100, Wiktor Kwapisiewicz wrote:
Hi Wiktor,
> Revoke your current key locally and generate a new one, now export both binary
> keys (that includes revocation) to a file. Place it in .well-known/openpgpkey/hu
> overwriting the old file.
>
> Now, when GnuPG does --locate-key it will fetch both keys, revoke your old one
> and add the new one.
Thank you very much, I did not know that it can be done this way.
> If someone already has your old key GnuPG will do the fetch automatically when
> the old key expires (you didn't use expiry as far as I can see so it won't
> happen automatically).
>
> One can still "force" the WKD refresh using:
>
> $ gpg --auto-key-locate clear,wkd,nodefault --locate-key sac at 300baud.de
>
> I just tested this all with some dummy key on my end and it worked just fine...
> hope it works on your end too.
I hope so too and I will see once I have the new key.
> As for signing, if you specify signing key using "e-mail notation" GnuPG will
> embed Signer's UID packet and when the recipient uses --auto-key-retrieve it
> will grab your key using WKD instead of keyservers. But I didn't test what would
> happen if the old key is already present in the keyring that doesn't match the
> signature, probably nothing.
That's interesting and I must admit I did not know this either, so thanks again!
> (You can inspect this file with pgpdump if you want to see the packet:
> $ curl https://metacode.biz/.well-known/security.txt | pgpdump
> )
O.k.
> Happy New Year!
Happy New Year!
Best regards
Stefan
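The rollover described in the quoted reply, as an added example that is not part of the thread and not GnuPG project code: it revokes the old key, creates a new one, exports both into the single binary file that WKD serves from .well-known/openpgpkey/hu/, and then imports that file into a fresh keyring to show what a recipient ends up with after the fetch. The address sac@example.org, the temporary directories standing in for the web root and the keyrings, and the helper names (gpgq, primary_fprs, wkd_hash, key_validity) are all assumptions of this example; it requires GnuPG 2.2 or later and runs entirely offline.

```shell
#!/bin/sh
# Added example, not code from the thread: the WKD key rollover the reply
# describes, run end to end in throwaway GnuPG homes. Assumes GnuPG 2.2+ on
# PATH; "sac@example.org" and $WEBROOT are stand-ins for the real address and
# the web server's document root.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to do" >&2; exit 0; }

ADDR=sac@example.org
DOMAIN=${ADDR#*@}
LOCAL_PART=${ADDR%@*}
GNUPGHOME=$(mktemp -d); export GNUPGHOME   # the key owner's keyring
WEBROOT=$(mktemp -d)                        # stands in for the web root of $DOMAIN
RECIPIENT_HOME=$(mktemp -d)                 # a recipient who fetches the WKD file

# gpg in non-interactive mode with an empty passphrase (demo keys only).
gpgq() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprints of the primary keys matching $1, one per line, in keyring order.
primary_fprs() {
    gpg --with-colons --list-keys "$1" |
        awk -F: '$1=="pub"{w=1} w && $1=="fpr"{print $10; w=0}'
}

# The WKD "hu" file name: z-base-32 of the SHA-1 of the lower-cased local part.
# gpg computes it; --with-wkd-hash prints "<hash>@<domain>" under each user ID.
wkd_hash() {
    gpg --with-wkd-hash --list-keys "$1" |
        sed -n 's/^ *\([ybndrfg8ejkmcpqxot1uwisza345h769]\{32\}\)@.*$/\1/p' | head -n 1
}

# Validity field of the pub record for key $2 as seen from keyring $1
# ("r" = revoked, "e" = expired, "-" = valid but no ownertrust, ...).
key_validity() {
    GNUPGHOME=$1 gpg --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '$1=="pub"{print $2; exit}'
}

# 1. The old key: no expiry, like the one discussed in the thread.
gpgq --quick-generate-key "$ADDR" ed25519 sign never >/dev/null 2>&1
OLD=$(primary_fprs "$ADDR")

# 2. Revoke it locally. GnuPG wrote a revocation certificate at key creation;
#    its BEGIN line is prefixed with ':' to prevent accidental import, so strip it.
sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$OLD.rev" | gpg --batch --import 2>/dev/null

# 3. The replacement key, this time with an expiry so clients refresh on their own.
gpgq --quick-generate-key "$ADDR" default default 1y >/dev/null 2>&1
NEW=$(primary_fprs "$ADDR" | grep -v "$OLD")

# 4. Publish BOTH keys as one binary file (no --armor) at the WKD path. The old
#    key carries its revocation, so a fetch revokes it in the client's keyring.
HASH=$(wkd_hash "$ADDR")
HU="$WEBROOT/.well-known/openpgpkey/hu"
mkdir -p "$HU"
gpg --export "$ADDR" > "$HU/$HASH"
echo "published: https://$DOMAIN/.well-known/openpgpkey/hu/$HASH?l=$LOCAL_PART"

# 5. What a recipient ends up with. Offline stand-in for
#    gpg --auto-key-locate clear,wkd,nodefault --locate-key $ADDR
GNUPGHOME=$RECIPIENT_HOME gpg --batch --import "$HU/$HASH" 2>/dev/null
echo "old key $OLD: validity $(key_validity "$RECIPIENT_HOME" "$OLD")"
echo "new key $NEW: validity $(key_validity "$RECIPIENT_HOME" "$NEW")"

# Stop the agents started for the temporary homes.
gpgconf --kill gpg-agent >/dev/null 2>&1 || true
GNUPGHOME=$RECIPIENT_HOME gpgconf --kill gpg-agent >/dev/null 2>&1 || true
```

The recipient's listing shows the old key as revoked (validity "r") and the new key as a plain, untrusted "-", which is exactly the state a real `--locate-key` over WKD would leave behind. Two caveats worth checking before uploading the file for real: it must be binary, not ASCII-armored, and the revocation only reaches clients if it is in the exported data, so run `gpg --list-keys` on the exported file's contents (as step 5 does) rather than trusting that the export "included everything".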