WKD question
Dmitry Alexandrov
dag at gnui.org
Sun Aug 2 06:38:21 CEST 2020
Stefan Claas <sac at 300baud.de> wrote:
> One more question, I tried to verify Werner's signature, from postings here on the ML, but his signature could not be verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but with a different Fingerprint.
>
> https://metacode.biz/openpgp/web-key-directory
Well, thatʼs seems to be true:
$ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk at gnupg.org)" | gpg --with-colons
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
uid:::::::::wk at gnupg.org:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
I dunno why @wk at gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that, is exactly the key reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable.
Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint. In other words, when enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating).
BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPGʼs options are so tangled, that I have failed to find it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200802/b7084abf/attachment.sig>
More information about the Gnupg-users
mailing list