GPGME: locate-keys: how identify that different keys were returned by keyservers
Bernhard Reiter
bernhard at intevation.de
Tue Feb 3 10:57:41 CET 2026
Hi,
On Wednesday, 03 December 2025 18:22:36, Bruce Walzer via Gnupg-devel wrote:
> > The scenario is running "gpg --locate-keys email at example.org" with the
> > configured keyservers returning different keys for that email address.
>
> So the problem seems intrinsic to me. The user will
> eventually be expected to determine which key fingerprint/ID is
> correct.
Note that if you restrict your request to WKD (Web Key Directory),
you can use all pubkeys you will get, which will be one.
So there is no interaction necessary in the common case,
you can just encrypt to the pubkey you get from WKD for an email address.
  gpg --locate-keys --auto-key-locate clear,nodefault,wkd bernhard.reiter at intevation.de
or
  gpg --locate-external-keys --auto-key-locate clear,nodefault,wkd bernhard.reiter at intevation.de
should help you test this. (Should be possible via GPGME as well.)
WKD should be enabled and used by default
and Claws can do some more steps to do that right from the start.
See:
https://wiki.gnupg.org/EMailClients/ClawsMail
https://wiki.gnupg.org/WKD/BachelorThesisIncreaseWKDUsage2021
https://wiki.gnupg.org/WKD/DistributionOfWKD
https://wiki.gnupg.org/WKD/UsabilityOfWKD <- mentions Claws test
Best,
Bernhard
--
https://intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter
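
Added example, not part of the original message or of GnuPG/GPGME: one way to detect that a lookup returned more than one primary key for an address is to parse `gpg --with-colons` output and collect primary-key fingerprints whose user IDs match. The function names and the sample listing (with fake fingerprints) are constructed for illustration; `locate_via_wkd` assumes a local `gpg` binary and network access.

```python
import re
import subprocess

# Constructed sample of `gpg --with-colons` output: two different primary
# keys that both carry a user ID for alice@example.org (fingerprints are fake).
SAMPLE = "\n".join([
    "pub:-:255:22:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC:",
    "fpr:::::::::" + "A" * 40 + ":",
    "uid:-::::1700000000::X::Alice <alice@example.org>:",
    "sub:-:255:18:CCCCCCCCCCCCCCCC:1700000000::::::e:",
    "fpr:::::::::" + "C" * 40 + ":",
    "pub:-:255:22:BBBBBBBBBBBBBBBB:1710000000:::-:::scESC:",
    "fpr:::::::::" + "B" * 40 + ":",
    "uid:-::::1710000000::Y::Alice (new) <Alice@Example.org>:",
    "uid:-::::1710000000::Z::Bob <bob@example.org>:",
])

def primary_keys_for(colon_listing, email):
    """Return {primary fingerprint: [matching user IDs]} for `email`."""
    keys, current, expect_primary_fpr = {}, None, False
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current, expect_primary_fpr = None, True
        elif f[0] == "sub":
            expect_primary_fpr = False  # the next fpr record is a subkey's
        elif f[0] == "fpr" and expect_primary_fpr and len(f) > 9:
            current, expect_primary_fpr = f[9], False
        elif f[0] == "uid" and current and len(f) > 9:
            m = re.search(r"<([^>]+)>", f[9])
            addr = m.group(1) if m else f[9]
            if addr.strip().lower() == email.lower():
                keys.setdefault(current, []).append(f[9])
    return keys

def locate_via_wkd(email):
    """Run the WKD-only lookup from the message and parse the result."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--auto-key-locate",
         "clear,nodefault,wkd", "--locate-external-keys", email],
        capture_output=True, text=True, check=False).stdout
    return primary_keys_for(out, email)

if __name__ == "__main__":
    found = primary_keys_for(SAMPLE, "alice@example.org")
    if len(found) != 1:
        print("ambiguous: %d keys for this address" % len(found))
    for fpr, uids in found.items():
        print(fpr, uids)
```

More than one fingerprint in the result means the caller has to choose a key; a single fingerprint can be used without interaction.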