WKD question

Dmitry Alexandrov dag at gnui.org
Sun Aug 2 06:38:21 CEST 2020

Stefan Claas <sac at 300baud.de> wrote:
> One more question, I tried to verify Werner's signature, from postings here on the ML, but his signature could not be verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but with a different Fingerprint.
> https://metacode.biz/openpgp/web-key-directory

Well, thatʼs seems to be true:

	$ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk at gnupg.org)" | gpg --with-colons
	gpg: WARNING: no command supplied.  Trying to guess what you mean ...
	uid:::::::::wk at gnupg.org:

I dunno why @wk at gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that, is exactly the key reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable.

Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint.  In other words, when enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com.  IIUC, there is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating).

BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format?  There was some incantation, IIRC, but GPGʼs options are so tangled, that I have failed to find it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200802/b7084abf/attachment.sig>

More information about the Gnupg-users mailing list