gpg auto-locate-key selects expired/revoked key

Jan Eden tech at eden.one
Wed Jun 8 10:13:40 CEST 2022


Hi,

I just configured WKD on my server, and

gpg -v --auto-key-locate clear,wkd,nodefault --locate-key user@domain.com

works as expected for most of my uid/key combos, except for one address
(olduser@domain.com) which is linked to both a current and a revoked
key. The output of the above command looks like this:

gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub  rsa4096/68FD03F8C6AB1DE4 2016-06-15  Old User <olduser@domain.com>
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname <nickname@domain.com>" not changed
gpg: pub  ed25519/7CD4656792B3A1F9 2022-06-06  Old User <newname@domain.com>
gpg: key 7CD4656792B3A1F9: "Old User <olduser@domain.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved 'olduser@domain.com' via WKD
pub   rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
      51585E1318770F501D3CBDE968FD03F8C6AB1DE4
uid           [ revoked] Old Nickname <nickname@domain.com>
uid           [ revoked] Old User <olduser@domain.com>
uid           [ revoked] Old Nickname2 <nickname2@domain.com>
sub   rsa4096 2016-06-15 [E] [revoked: 2022-06-07]

Even though olduser@domain.com is the primary uid for the new key, gpg
shows the other uid for this key (newname@domain.com). This is odd, but
irrelevant. But then gpg proceeds to select the revoked key which is
somehow available via WKD.

The WKD test at https://metacode.biz/openpgp/web-key-directory delivers
similar results, but at least it displays the fingerprints of both the current
and the revoked key.

Two questions:

- Which WKD server hosts my expired/revoked key such that it takes precedence
  over my own WKD server at domain.com?
- Why does gpg select an expired/revoked key over a valid key?

Thanks,
Jan
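
Added example, not part of Jan's message: a small Python script that computes the two WKD URLs gpg (via dirmngr) queries for an address, the advanced method (openpgpkey.<domain>) first and the direct method as the fallback, following the WKD draft (SHA-1 of the lowercased local part, z-base-32 encoded). Fetching each URL and piping the result through `gpg --show-keys` shows which server returns which fingerprints, which is the check the first question above calls for; note that the `Total number processed: 2` line in the verbose output indicates that the single WKD response already carried both keys. The address in the script is constructed.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode bytes, MSB first, no padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    chars = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5].ljust(5, "0")  # final partial group is zero-padded
        chars.append(ZB32_ALPHABET[int(group, 2)])
    return "".join(chars)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """The two WKD URLs gpg queries for an address, in the order dirmngr tries
    them: advanced method (openpgpkey.<domain>) first, direct method as fallback."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")  # original local part, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


if __name__ == "__main__":
    # constructed address, not the one from the message
    for method, url in wkd_urls("olduser@domain.example").items():
        print(f"{method:8s} {url}")
```

To see what each server actually serves, fetch a printed URL with `curl -s <url> | gpg --show-keys`; if the advanced URL resolves, gpg uses that response and never consults the direct one.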