Why is --auto-key-locate only for encrypting?

raf gnupg at raf.org
Thu Sep 2 01:28:42 CEST 2021

On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker at kde.org> wrote:

> On Mittwoch, 1. September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
> --auto-key-locate looks up keys by email address. It makes no sense when 
> verifying signatures because in this case you already know the key id the 
> signature was made with, so that there's no reason to look up the key by email 
> address (which is ambiguous).

Thanks. I don't understand why it makes no sense, but
I'll take your word for it. But I can think of a reason
to look up the key by email address even though you
have the keyid from the signature: when the key is not
on a keyserver or a WKD server, but is in a DNS
OPENPGPKEY record (DANE). But perhaps that's not a thing.

> The equivalent for automatic look-up of keys when verifying signatures is 
> --auto-key-retrieve.

Thanks, but the manpage doesn't include DANE as one of
the lookup methods for that option. That's what I was
hoping for.

Since this option does a WKD lookup if wkd is in the
auto-key-locate list (and --disable-signer-uid isn't
used), it seems that it would make sense to do a DANE
lookup if dane is in the auto-key-locate list (and
--disable-signer-uid isn't used).

> Regards,
> Ingo


More information about the Gnupg-users mailing list