--auto-key-retrieve fails for some keys

Tadeus Prastowo 0x66726565 at gmail.com
Tue Nov 2 16:05:30 CET 2021


Hello,

The signature on a Linux kernel can be verified successfully using
`--auto-key-retrieve', but the signature on an Emacs cannot be
verified in the same manner because gpg is unable to retrieve the
needed public key automatically.

The GPG version is 2.2.19 (libgcrypt 1.8.5, if that matters) as
shipped by Ubuntu 20.04.3.  I managed to locate only one post in the
GnuPG mailing list archive with respect to this `--auto-key-retrieve'
failure.  But, as far as I can see, the post has no response.

Perhaps one of you can reproduce the problem by the following steps?

1. Test using Linux kernel.
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign
unxz < linux-5.11.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify linux-5.11.tar.sign -

The output of the last command is as follows:
gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman <gregkh at linuxfoundation.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Greg Kroah-Hartman <gregkh at linuxfoundation.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <gregkh at kernel.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

2. Test using Emacs.
wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify emacs-27.2.tar.xz.sig -

The output of the last command is as follows:
gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
gpg:                using RSA key 91C1262F01EB8D39
gpg: Can't check signature: No public key

The key 0x91C1262F01EB8D39, however, can be retrieved manually just
fine as shown below:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 0x91C1262F01EB8D39
gpg: key 91C1262F01EB8D39: public key "Eli Zaretskii (eliz) <eliz at gnu.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Any idea why the --auto-key-retrieve feature fails for some keys?

Thank you.

--
Best regards,
Tadeus


