gpg auto-locate-key selects expired/revoked key

Ingo Klöcker kloecker at
Thu Jun 9 21:40:46 CEST 2022

On Thursday, 9 June 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> I just looked at what Kleopatra has it set for and it has it set for
> hkp:// as well. I'm guessing that is no longer the best
> choice?

Kleopatra uses whatever `gpgconf --list-options dirmngr` returns 
as value for `keyserver`. So it depends on the version of GnuPG you are using. 
The default returned by gpgconf 2.3.6 is hkps://

As Andrew wrote, hkp:// is mapped internally by dirmngr to the 
default keyserver. For a short while, hkp:// was mapped to 
hkp:// while hkps:// was mapped to
hkps:// Since 2.3.5 all URLs with domain name are mapped to hkps:// The latest 2.2 
version still uses hkp:// for non-TLS URLs.

Conclusion: For GnuPG 2.3.5 and later hkp:// is as good as not 
setting a keyserver or as setting it to hkps:// If you 
are using a recent GnuPG 2.2, then hkp:// is not a good choice. 
It's much better not to set a keyserver at all and go with the default. Even 
for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want 
to use a specific keyserver.

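An added example (not part of the message above and not GnuPG project code): a check of whether dirmngr has an explicit `keyserver` configured, based on the `gpgconf --list-options dirmngr` output the message refers to. It assumes gpgconf's documented colon-separated layout, with the configured value in the tenth field, prefixed by a double quote and percent-escaped; `keys.example.org` and the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Reads `gpgconf --list-options dirmngr` output on stdin.

# Print the explicitly configured keyserver URL, or nothing if it is unset.
keyserver_value() {
    # Field 10 is the configured value; string values start with a
    # double quote and use percent-escapes (%3a for ':', %25 for '%').
    awk -F: '$1 == "keyserver" { print $10 }' |
        sed -e 's/^"//' -e 's/%3[aA]/:/g' -e 's/%25/%/g'
}

# Classify the setting: default | explicit-tls | explicit-plain | explicit-other
classify_keyserver() {
    url=$(keyserver_value)
    case "$url" in
        "")       echo "default" ;;                 # nothing set: GnuPG's default applies
        hkps://*) echo "explicit-tls $url" ;;       # explicit keyserver over TLS
        hkp://*)  echo "explicit-plain $url" ;;     # explicit non-TLS URL: review it
        *)        echo "explicit-other $url" ;;     # any other scheme
    esac
}

# Constructed sample lines (placeholder host, not real gpgconf output).
SAMPLE_UNSET='keyserver:24:0:use keyserver at URL:1:1:URL:::'
SAMPLE_HKP='keyserver:24:0:use keyserver at URL:1:1:URL:::"hkp%3a//keys.example.org'

# Check the live configuration only when called with --live.
if [ "${1:-}" = "--live" ]; then
    gpgconf --list-options dirmngr | classify_keyserver
fi
```

A result of `default` means no keyserver is set, which is the configuration the message recommends.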