Why is --auto-key-locate only for encrypting?
raf
gnupg at raf.org
Thu Sep 2 01:28:42 CEST 2021
On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker at kde.org> wrote:
> On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
>
> --auto-key-locate looks up keys by email address. It makes no sense when
> verifying signatures because in this case you already know the key id the
> signature was made with, so that there's no reason to look up the key by email
> address (which is ambiguous).
Thanks. I don't understand why it makes no sense, but
I'll take your word for it. But I can think of a reason
to look up the key by email address even though you
have the keyid from the signature: when the key is not
on a keyserver or a WKD server, but is in a DNS
OPENPGPKEY record (DANE). But perhaps that's not a thing.
> The equivalent for automatic look-up of keys when verifying signatures is
> --auto-key-retrieve.
Thanks, but the manpage doesn't include DANE as one of
the lookup methods for that option. That's what I was
hoping for.
Since this option does a WKD lookup if wkd is in the
auto-key-locate list (and --disable-signer-uid isn't
used), it seems that it would make sense to do a DANE
lookup if dane is in the auto-key-locate list (and
--disable-signer-uid isn't used).
> Regards,
> Ingo
cheers,
raf
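To make the distinction in the thread concrete, here is an added Python sketch (not from the thread, nor GnuPG's own code) that derives the two address-based lookup names that an auto-key-locate style query needs: the WKD URL and the DANE OPENPGPKEY query name. Both start from an email address, which is exactly what a key-ID based --auto-key-retrieve does not have; hashing rules follow the WKD draft and RFC 7929 as I understand them, and the sample address is constructed.

```python
import hashlib

# z-base-32 alphabet used by the Web Key Directory (WKD) draft.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, zero padded)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_urls(email: str) -> dict:
    """WKD lookup URLs: SHA-1 of the lower-cased local part, z-base-32 encoded.

    Returns both the 'direct' and 'advanced' method URLs from the draft.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hu}?l={local}",
    }


def dane_qname(email: str) -> str:
    """DNS name for the OPENPGPKEY record (RFC 7929).

    The local part is hashed as given with SHA-256, the digest truncated to
    28 octets and written as 56 hex characters under _openpgpkey.<domain>.
    """
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


if __name__ == "__main__":
    addr = "alice.example@example.org"  # constructed sample address
    print(wkd_urls(addr)["direct"])
    print(dane_qname(addr))
```

Note that both names depend only on the address, so any key published under that address answers the query; that is the ambiguity Ingo refers to, and why a lookup keyed on the signature's key ID is a different operation.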