--auto-key-retrieve fails for some keys

Tue Nov 2 18:18:43 CET 2021

On Dienstag, 2. November 2021 16:05:30 CET Tadeus Prastowo via Gnupg-users 
wrote:
> The signature on a Linux kernel can be verified successfully using
> `--auto-key-retrieve', but the signature on an Emacs cannot be
> verified in the same manner because gpg is unable to retrieve the
> needed public key automatically.

The important difference is:
> gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
> gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
-> fingerprint of signing key
> gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com

> gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
> gpg:                using RSA key 91C1262F01EB8D39
-> (long) key id of signing key
> gpg: Can't check signature: No public key

man gpg tells us:
=====
       --auto-key-retrieve
       --no-auto-key-retrieve
              These  options  enable  or disable the automatic retrieving of 
keys from a keyserver when verifying signatures made by
              keys that are not on the local keyring.  The default is --no-
auto-key-retrieve.

              The order of methods tried to lookup the key is:
[...]
              5.  If  any keyserver is configured and the Issuer Fingerprint 
is part of the signature (since GnuPG 2.1.16), the con-
              figured keyservers are tried.
=====

The signature on the Linux kernel contains the Issuer Fingerprint. The 
signature on Emacs doesn't (probably because a very old version of GnuPG is 
used to sign Emacs).

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211102/7f484327/attachment.sig>