Why is --auto-key-locate only for encrypting?

Ingo Klöcker kloecker at kde.org
Thu Sep 2 13:10:40 CEST 2021


On Donnerstag, 2. September 2021 01:28:42 CEST raf via Gnupg-users wrote:
> On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker at kde.org> 
wrote:
> > On Mittwoch, 1. September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > > Why is the --auto-key-locate only for encrypting (says
> > > the gpg(1) manpage)? Wouldn't it also be useful when
> > > receiving emails and verifying signatures?
> > 
> > --auto-key-locate looks up keys by email address. It makes no sense when
> > verifying signatures because in this case you already know the key id the
> > signature was made with, so that there's no reason to look up the key by
> > email address (which is ambiguous).
> 
> Thanks. I don't understand why it makes no sense, but
> I'll take your word for it. But I can think of a reason
> to look up the key by email address even though you
> have the keyid from the signature: when the key is not
> on a keyserver or a WKD server, but is in a DNS
> OPENPGPKEY record (DANE). But perhaps that's not a thing.

I retract my claim that is makes no sense. It can make sense and that's why 
--auto-key-retrieve also does a lookup by email address on WKD.

> > The equivalent for automatic look-up of keys when verifying signatures is
> > --auto-key-retrieve.
> 
> Thanks, but the manpage doesn't include DANE as one of
> the lookup methods for that option. That's what I was
> hoping for.
> 
> Since this option does a WKD lookup if wkd is in the
> auto-key-locate list (and --disable-signer-uid isn't
> used), it seems that it would make sense to do a DANE
> lookup if dane is in the auto-key-locate list (and
> --disable-signer-uid isn't used).

So what you actually want is that --auto-key-retrieve also does a DANE lookup 
or in fact all kinds of lookup supported by --auto-key-locate. Did you check 
that it not already does this (even if the man page doesn't mention it)? If 
yes, then I'd say submit a request for this feature at https://dev.gnupg.org.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210902/f305ef69/attachment.sig>


More information about the Gnupg-users mailing list