trying to get dirmngr to honor auto-key-retrieve

Brian Minton brian at minton.name
Wed Oct 23 15:20:45 CEST 2019


I'm trying to configure dirmngr.conf so gpg automatically retrieves keys from
the keyserver when verifying a signature.  In the past, this was done by gpg
--keyserver-options auto-key-retrieve.  The documentation for dirmngr
[https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html#Dirmngr-Options] indicates that options specified after the keyserver should match the keyserver-options from gpg.  However, it doesn't seem to be attempting to retrieve the key.

$ gpg --verify sha256sum.txt.asc 
gpg: Signature made Tue 17 Sep 2019 08:27:43 AM EDT
gpg:                using RSA key 24C6A8A7F4A80EB5
gpg: Can't check signature: No public key


Here's my dirmngr config file:
$ cat ~/.gnupg/dirmngr.conf 
#keyserver https://keyserver.brian.minton.name/ 
#keyserver x-hkp://horowitz.surfnet.nl
#keyserver mailto:pgp-public-keys at keys.nl.pgp.net
#keyserver ldap://pgp.surfnet.nl:11370
#keyserver ldap://keyserver.pgp.com
keyserver x-hkp://the.earth.li auto-key-retrieve
keyserver hkps://keys.mailvelope.com auto-key-retrieve
keyserver hkps://keys.openpgp.org auto-key-retrieve
keyserver hkp://jirk5u4osbsr34t5.onion auto-key-retrieve

verbose
debug-level guru
debug-all
log-file /home/bminton/.gnupg/dirmngr.log

Here's the content of the log file:
2019-10-23 09:16:26 dirmngr[5043.0] permanently loaded certificates: 121
2019-10-23 09:16:26 dirmngr[5043.0]     runtime cached certificates: 0
2019-10-23 09:16:26 dirmngr[5043.0]            trusted certificates: 121 (120,0,0,1)
2019-10-23 09:16:26 dirmngr[5043.6] handler for fd 6 started
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> # Home: /home/bminton/.gnupg
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> # Config: /home/bminton/.gnupg/dirmngr.conf
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK Dirmngr 2.2.17 at your service
2019-10-23 09:16:26 dirmngr[5043.6] connection from process 5042 (1000:2009)
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- GETINFO version
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> D 2.2.17
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- KEYSERVER --clear hkp://jirk5u4osbsr34t5.onion
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- KEYSERVER
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> S KEYSERVER hkp://jirk5u4osbsr34t5.onion
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- BYE
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK closing connection
2019-10-23 09:16:26 dirmngr[5043.6] handler for fd 6 terminated


As you can see, it is looking at the correct keyserver (side note: I have 4
keyservers specified; it would be nice if I could configure dirmngr to try all
of them, but that's a separate issue), but it doesn't try to retrieve the key.  If I
manually retrieve the key using the same keyserver, it works.

$ gpg --keyserver hkp://jirk5u4osbsr34t5.onion --recv 24C6A8A7F4A80EB5
gpg: key 24C6A8A7F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security at centos.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

and then I can verify the signature.
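The following is an added example, not part of the original post and not GnuPG
project code. It sets up a throwaway GNUPGHOME in which auto-key-retrieve lives in
gpg.conf, the component that actually decides whether to go and fetch a missing
signer key (dirmngr only services the KS_GET request gpg sends it), and
dirmngr.conf carries nothing but the keyserver URL. It assumes GnuPG 2.2.x with
gpg and dirmngr on PATH; the keyserver URL is copied from the post's config and
the GPG_EXAMPLE_RUN variable and all function names are this example's own.
Whether 2.2.17 rejects or silently ignores a token trailing the URL in
dirmngr.conf is not something the post establishes, so the example simply does
not put one there.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuPG).
# Builds an isolated GnuPG home with auto-key-retrieve in gpg.conf and only
# the keyserver URL in dirmngr.conf, then optionally parse-checks both files.
# Assumptions: GnuPG 2.2.x; gpg and dirmngr on PATH; URL taken from the post.
set -eu

KEYSERVER="hkps://keys.openpgp.org"

# Create an isolated home so nothing here touches ~/.gnupg.
make_home() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# gpg, not dirmngr, decides to fetch an unknown signer key while verifying,
# so the option goes in gpg.conf. It is equivalent to
# "keyserver-options auto-key-retrieve" and to --auto-key-retrieve on the
# command line.
write_configs() {
    home="$1"
    cat >"$home/gpg.conf" <<EOF
# Fetch the signer's key from the keyserver when --verify cannot find it.
auto-key-retrieve
EOF
    cat >"$home/dirmngr.conf" <<EOF
# dirmngr.conf carries the keyserver URL only; gpg options do not belong here.
keyserver $KEYSERVER
EOF
}

# Parse both config files without contacting any keyserver.
# --gpgconf-test makes gpg and dirmngr read their config file and exit
# non-zero if it contains an option they cannot accept.
check_configs() {
    home="$1"
    if ! command -v gpg >/dev/null 2>&1 || ! command -v dirmngr >/dev/null 2>&1; then
        echo "gpg/dirmngr not installed; skipping config parse check" >&2
        return 0
    fi
    gpg --homedir "$home" --gpgconf-test
    dirmngr --homedir "$home" --gpgconf-test
}

# Verify a detached signature using the isolated home. With the config above,
# a missing signer key is fetched from $KEYSERVER before verification.
# The fetched key is unverified: gpg still warns that it is not certified,
# so compare its fingerprint out of band before trusting the result.
verify_sig() {
    home="$1"
    sigfile="$2"
    gpg --homedir "$home" --verify "$sigfile"
}

# Only runs when explicitly asked, e.g.:
#   GPG_EXAMPLE_RUN=1 sh this.sh sha256sum.txt.asc
if [ "${GPG_EXAMPLE_RUN:-0}" = 1 ]; then
    h=$(make_home)
    write_configs "$h"
    check_configs "$h"
    if [ $# -ge 1 ]; then
        verify_sig "$h" "$1"
    fi
    echo "isolated home left at $h for inspection"
fi
```

Once the config is in the right file, the dirmngr log should show a KS_GET for the
key ID from the BAD SIG/No public key path rather than just the KEYSERVER
query seen in the post; if the key is still not fetched, the next thing to check
is whether a gpg.conf keyserver line is overriding the dirmngr.conf list.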
