gpg auto-locate-key selects expired/revoked key
Jan Eden
tech at eden.one
Thu Jun 9 22:29:52 CEST 2022
On 2022-06-09 22:13, Jan Eden via Gnupg-users wrote:
>
> On 2022-06-09 21:40, Ingo Klöcker wrote:
> > On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > > I just looked at what Kleopatra has it set for and it has it set for
> > > hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> > > choice?
> >
> > Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr` returns
> > as value for `keyserver`. So it depends on the version of GnuPG you are using.
> > The default returned by gpgconf 2.3.6 is hkps://keyserver.ubuntu.com.
> >
> > As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to the
> > default keyserver. For a short while, hkp://keys.gnupg.net was mapped to
> > hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
> > hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name
> > keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2
> > version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.
> >
> > Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as not
> > setting a keyserver or as setting it to hkps://keyserver.ubuntu.com. If you
> > are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a good choice.
> > It's much better not to set a keyserver at all and go with the default. Even
> > for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want
> > to use a specific keyserver.
>
> That's interesting, because I had configured hkp://keys.gnupg.net in
> gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to
> refresh Andrew's keys. Only after changing the keyserver option to
> hkp://keys.openpgp.org, I received the updated keys.
>
> `gpgconf --list-options dirmngr` returns hkps://keyserver.ubuntu.com,
> though.
Sorry, the output of gpgconf referred to a changed configuration. This
is what happens for me with GnuPG 2.3.4:
value for `keyserver` in gpg.conf → keyserver used with `--refresh-key`
hkp://keys.gnupg.net → hkp://pgp.surf.nl
hkp://keys.openpgp.org → hkp://keys.openpgp.org
[empty] → hkps://keyserver.ubuntu.com
- Jan
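The keyserver mapping described in Ingo's message and Jan's table, turned into a small check script. This is an added example, not code from the thread or from GnuPG: it reads the `keyserver` option out of a gpg.conf or dirmngr.conf and reports which server dirmngr will actually contact for that GnuPG version. It assumes the plain `keyserver URL` option syntax, version strings of the form `2.3.4`, and that an empty setting falls back to hkps://keyserver.ubuntu.com as in Jan's table; the version cut-offs follow the thread (2.3.5 and later map every keys.gnupg.net URL to keyserver.ubuntu.com, earlier versions map plain hkp://keys.gnupg.net to hkp://pgp.surf.nl).

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): report the keyserver a
# GnuPG install will really use, following the keys.gnupg.net mapping the
# thread describes. Assumptions: "keyserver URL" option syntax in the config
# files, dotted version strings such as 2.3.4, and hkps://keyserver.ubuntu.com
# as the default when no keyserver is set (Jan's table, 2.3.4).

# Last uncommented "keyserver" value in a gpg.conf / dirmngr.conf, or nothing.
conf_keyserver() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*keyserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Exit 0 when dotted version $1 is greater than or equal to $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Map a configured URL to the server dirmngr contacts under GnuPG version $1.
effective_keyserver() {
    ver=$1; url=$2
    [ -n "$url" ] || { echo "hkps://keyserver.ubuntu.com"; return; }   # assumed default
    scheme=${url%%://*}
    host=${url#*://}; host=${host%%/*}; host=${host%%:*}
    if [ "$host" != "keys.gnupg.net" ]; then
        echo "$url"                          # any other server is used as configured
    elif [ "$scheme" = hkps ] || version_ge "$ver" 2.3.5; then
        echo "hkps://keyserver.ubuntu.com"   # 2.3.5+: every keys.gnupg.net URL
    else
        echo "hkp://pgp.surf.nl"             # 2.2.x and 2.3.4: plain hkp URL
    fi
}

# Print, for each config file given, the configured value and the effective
# server, and flag a non-TLS result (the case Ingo recommends avoiding).
report() {
    ver=$1
    for f in "$2" "$3"; do
        url=$(conf_keyserver "$f")
        eff=$(effective_keyserver "$ver" "$url")
        printf '%s: keyserver=%s -> %s\n' "$f" "${url:-[empty]}" "$eff"
        case $eff in
            hkp://*) printf '  note: non-TLS keyserver; dropping the option gives %s\n' \
                         "$(effective_keyserver "$ver" "")" ;;
        esac
    done
}

# Constructed demo config, not a real user's file: Jan's 2.3.4 situation.
tmp=$(mktemp)
printf '# keyserver in gpg.conf is deprecated but still honoured\nkeyserver hkp://keys.gnupg.net\n' >"$tmp"
report 2.3.4 "$tmp" /nonexistent/dirmngr.conf
rm -f "$tmp"
```

Run it against your own files with `report "$(gpg --version | sed -n '1s/.* //p')" ~/.gnupg/gpg.conf ~/.gnupg/dirmngr.conf`; a line ending in hkp://pgp.surf.nl is the deprecated non-TLS case from the thread, and removing the option altogether is the fix Ingo suggests.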