distributing pubkeys: autocrypt, hagrid, WKD

Werner Koch wk at gnupg.org
Wed Jul 3 09:21:20 CEST 2019

On Tue,  2 Jul 2019 15:40, konstantin at linuxfoundation.org said:

> When this happens, a maintainer who tries to verify a signed pull
> request will have the operation fail, so they need to have a way to
> force-refresh the developer's key. I would say this is the #1 workflow

Agreed.  A signature carries only the fingerprint of the then unknown
subkey without any information on the primary key.  Thus an automated
lookup is not possible.

But wait, if --sender has been used or due to other reasons the Signer's
UID is included in the keyring, we could do a lookup via the user-id to
see whether the signature has been made by a new subkey.  The
--auto-key-retrieve code already has the respective code but we need to
change the order from where a key is fetched.

And yes, an easier to remember command to forcefully update a key would
be very useful.   I have

  gpg --search-key MAILADDRESS

for that in mind.  See https://dev.gnupg.org/T4599



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
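The failure mode discussed above (a signature that names only a subkey the local keyring does not know, and the question of whether the signer's user id is available for an automated lookup) can be recognised from gpg's machine-readable status output. The following is an added example, not GnuPG code and not part of the thread: it parses constructed `--status-fd` lines in the format documented in GnuPG's doc/DETAILS (`NEWSIG`, `ERRSIG`, `NO_PUBKEY`, `VALIDSIG`) and decides whether a by-address fetch is possible or a manual refresh is needed. The function names, the sample status lines and the suggested gpg command lines are this example's own assumptions.

```python
"""Classify a failed `gpg --status-fd 1 --verify` run and decide what to refresh.

Added example (not GnuPG code). It never invokes gpg; it only parses the
status lines gpg writes, so it runs offline. Status keywords follow
GnuPG's doc/DETAILS; sample values below are constructed.
"""

# Constructed: signature made by a subkey the keyring does not have,
# with a Signer's UID present (i.e. the signer used --sender).
SAMPLE_MISSING_WITH_SENDER = """\
[GNUPG:] NEWSIG alice@example.org
[GNUPG:] ERRSIG 0123456789ABCDEF 22 8 00 1562052080 9 1111222233334444555566667777888899990000
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# Constructed: same failure, but no Signer's UID in the signature.
SAMPLE_MISSING_NO_SENDER = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 22 8 00 1562052080 9 1111222233334444555566667777888899990000
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# Constructed: successful verification, for contrast.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG alice@example.org
[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2019-07-02 1562052080 0 4 0 22 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
"""


def classify_verify(status_text):
    """Summarise one verification from gpg status lines.

    Returns a dict with:
      ok           -- True only if a VALIDSIG line was seen
      missing_keyid-- long key id from NO_PUBKEY, or None
      subkey_fpr   -- fingerprint of the signing (sub)key if gpg reported it
      primary_fpr  -- primary key fingerprint (only known on success)
      sender       -- Signer's UID carried in the signature (NEWSIG arg), or None
    """
    result = {"ok": False, "missing_keyid": None, "subkey_fpr": None,
              "primary_fpr": None, "sender": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr/stdout noise, not a status line
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "NEWSIG" and args:
            result["sender"] = args[0]
        elif keyword == "NO_PUBKEY" and args:
            result["missing_keyid"] = args[0]
        elif keyword == "ERRSIG":
            # ERRSIG keyid pkalgo hashalgo sigclass time rc [fpr]; the optional
            # trailing fingerprint is the *subkey*, so it alone cannot be used to
            # look the key up by its primary fingerprint.
            if len(args) >= 7:
                result["subkey_fpr"] = args[6]
        elif keyword == "VALIDSIG" and len(args) >= 10:
            result["ok"] = True
            result["subkey_fpr"] = args[0]
            result["primary_fpr"] = args[9]
    return result


def refresh_plan(outcome):
    """Mirror the reasoning in the mail: with a signer address we can look the
    key up by user id; without it, only a key-id based fetch or a manual
    refresh by the maintainer is possible. Returns None when nothing is needed."""
    if outcome["ok"]:
        return None
    if outcome["sender"]:
        return ("by-address", outcome["sender"])
    return ("by-keyid", outcome["missing_keyid"])


def refresh_command(plan):
    """Assumed command line for each plan (argv list; not executed here).
    Both gpg options exist; whether they suit a given setup is an assumption."""
    if plan is None:
        return None
    kind, value = plan
    if kind == "by-address":
        return ["gpg", "--auto-key-locate", "clear,wkd,keyserver",
                "--locate-keys", value]
    return ["gpg", "--recv-keys", value]


if __name__ == "__main__":
    for sample in (SAMPLE_MISSING_WITH_SENDER, SAMPLE_MISSING_NO_SENDER, SAMPLE_GOOD):
        outcome = classify_verify(sample)
        print(outcome, "->", refresh_command(refresh_plan(outcome)))
```

In a real hook the status text would come from `gpg --status-fd 1 --verify` on the signed object; the decision logic stays the same.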