gpg auto-locate-key selects expired/revoked key

Jan Eden tech at
Wed Jun 8 10:13:40 CEST 2022


I just configured WKD on my server, and

gpg -v --auto-key-locate clear,wkd,nodefault --locate-key user at

works as expected for most of my uid/key combos, except for one address
(olduser at) which is linked to both a current and a revoked
key. The output of the above command looks like this:

gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub  rsa4096/68FD03F8C6AB1DE4 2016-06-15  Old User <olduser at>
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname <nickname at>" not changed
gpg: pub  ed25519/7CD4656792B3A1F9 2022-06-06  Old User <newname at>
gpg: key 7CD4656792B3A1F9: "Old User <olduser at>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved 'olduser at' via WKD
pub   rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
uid           [ revoked] Old Nickname <nickname at>
uid           [ revoked] Old User <olduser at>
uid           [ revoked] Old Nickname2 <nickname2 at>
sub   rsa4096 2016-06-15 [E] [revoked: 2022-06-07]

Even though olduser at is the primary uid for the new key, gpg
shows the other uid for this key (newname at). This is odd, but
irrelevant. But then gpg proceeds to select the revoked key which is
somehow available via WKD.

The WKD test at delivers
similar results, but at least it displays the fingerprints of both the current
and the revoked key.

Two questions:

- Which WKD server hosts my expired/revoked key such that it takes precedence
  over my own WKD server at
- Why does gpg select an expired/revoked key over a valid key?
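Added example, not part of the original post: a small Python helper that derives the two WKD lookup URLs for an address (SHA-1 of the lowercased local part, z-base-32 encoded, under the advanced `openpgpkey.<domain>` host and the direct `<domain>` host). GnuPG's dirmngr tries the advanced method first and falls back to the direct one, so fetching each URL separately shows which endpoint is actually serving a key for the address. The address used here is a placeholder.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (WKD encodes the SHA-1 hash of the local part with it).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32 (5 bits per output character)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the last group with zero bits
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hash: z-base-32 of SHA-1 over the lowercased local part (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs for an e-mail address.

    The advanced method lives on the openpgpkey.<domain> host and repeats the
    domain in the path; the direct method is served from <domain> itself.
    Both carry the original local part in the ?l= query parameter.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


if __name__ == "__main__":
    # Placeholder address; substitute the address whose lookup is being debugged.
    for method, url in wkd_urls("olduser@example.org").items():
        print(f"{method:8s} {url}")
```

Fetch each printed URL (for example with curl) and feed the response to `gpg --show-keys` to see which endpoint returns the revoked certificate and which returns the current one.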

