gpg auto-locate-key selects expired/revoked key

Jan Eden tech at
Thu Jun 9 22:13:32 CEST 2022

On 2022-06-09 21:40, Ingo Klöcker wrote:
> On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > I just looked at what Kleopatra has it set for and it has it set for
> > hkp:// as well. I'm guessing that is no longer the best
> > choice?
> Kleopatra uses whatever `gpgconf --list-options dirmngr` returns 
> as value for `keyserver`. So it depends on the version of GnuPG you are using. 
> The default returned by gpgconf 2.3.6 is hkps://
> As Andrew wrote, hkp:// is mapped internally by dirmngr to the 
> default keyserver. For a short while, hkp:// was mapped to 
> hkp:// while hkps:// was mapped to
> hkps:// Since 2.3.5 all URLs with domain name 
> are mapped to hkps:// The latest 2.2 
> version still uses hkp:// for non-TLS URLs.
> Conclusion: For GnuPG 2.3.5 and later hkp:// is as good as not 
> setting a keyserver or as setting it to hkps:// If you 
> are using a recent GnuPG 2.2, then hkp:// is not a good choice. 
> It's much better not to set a keyserver at all and go with the default. Even 
> for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want 
> to use a specific keyserver.

That's interesting, because I had configured hkp:// in
gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to
refresh Andrew's keys. Only after changing the keyserver option to
hkp://, I received the updated keys.

`gpgconf --list-options dirmngr` returns hkps://,

- Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list