Mailing List Archive

trying to get dirmngr to honor auto-key-retrieve
I'm trying to configure dirmngr.conf so gpg automatically retrieves keys from
the keyserver when verifying a signature. In the past, this was done by gpg
--keyserver-options auto-key-retrieve. The documentation for dirmngr
[https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html#Dirmngr-Options] indicates that options specified after the keyserver should match the keyserver-options from gpg. However, it doesn't seem to be attempting to retrieve the key.

$ gpg --verify sha256sum.txt.asc
gpg: Signature made Tue 17 Sep 2019 08:27:43 AM EDT
gpg: using RSA key 24C6A8A7F4A80EB5
gpg: Can't check signature: No public key
Here's my dirmngr config file:
$ cat ~/.gnupg/dirmngr.conf
#keyserver https://keyserver.brian.minton.name/
#keyserver x-hkp://horowitz.surfnet.nl
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://pgp.surfnet.nl:11370
#keyserver ldap://keyserver.pgp.com
keyserver x-hkp://the.earth.li auto-key-retrieve
keyserver hkps://keys.mailvelope.com auto-key-retrieve
keyserver hkps://keys.openpgp.org auto-key-retrieve
keyserver hkp://jirk5u4osbsr34t5.onion auto-key-retrieve

verbose
debug-level guru
debug-all
log-file /home/bminton/.gnupg/dirmngr.log

Here's the content of the log file:
2019-10-23 09:16:26 dirmngr[5043.0] permanently loaded certificates: 121
2019-10-23 09:16:26 dirmngr[5043.0] runtime cached certificates: 0
2019-10-23 09:16:26 dirmngr[5043.0] trusted certificates: 121 (120,0,0,1)
2019-10-23 09:16:26 dirmngr[5043.6] handler for fd 6 started
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> # Home: /home/bminton/.gnupg
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> # Config: /home/bminton/.gnupg/dirmngr.conf
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK Dirmngr 2.2.17 at your service
2019-10-23 09:16:26 dirmngr[5043.6] connection from process 5042 (1000:2009)
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- GETINFO version
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> D 2.2.17
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- KEYSERVER --clear hkp://jirk5u4osbsr34t5.onion
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- KEYSERVER
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> S KEYSERVER hkp://jirk5u4osbsr34t5.onion
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 <- BYE
2019-10-23 09:16:26 dirmngr[5043.6] DBG: chan_6 -> OK closing connection
2019-10-23 09:16:26 dirmngr[5043.6] handler for fd 6 terminated
As you can see, it is looking at the correct keyserver (side note: I have 4
keyservers specified; it would be nice if I could configure dirmngr to try all
of them, but that's a separate issue), but it doesn't try to retrieve the key. If I
manually retrieve the key using the same keyserver, it works.

$ gpg --keyserver hkp://jirk5u4osbsr34t5.onion --recv 24C6A8A7F4A80EB5
gpg: key 24C6A8A7F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

and then I can verify the signature.
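An added example, not part of the original post or of GnuPG itself: a small POSIX shell lint that reports where auto-key-retrieve is (and is not) set in a GnuPG home. It assumes, as gpg(1) documents, that auto-key-retrieve is a gpg option (gpg.conf: "auto-key-retrieve" or "keyserver-options auto-key-retrieve") rather than a dirmngr keyserver sub-option, so dirmngr.conf keyserver lines with tokens after the URL are flagged for review; the sample config it lints is constructed here, not the poster's real files.

```shell
#!/bin/sh
# Lint a GnuPG home directory for the auto-key-retrieve setting.
# Assumption (gpg(1)): auto-key-retrieve belongs in gpg.conf, either as a bare
# "auto-key-retrieve" line or inside "keyserver-options"; dirmngr.conf
# keyserver lines are assumed to take a URL only.

# Return 0 if gpg.conf enables auto-key-retrieve, 1 otherwise.
gpgconf_auto_retrieve_enabled() {
    conf="$1/gpg.conf"
    [ -r "$conf" ] || return 1
    stripped=$(sed 's/#.*//' "$conf")            # drop comments
    printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*auto-key-retrieve[[:space:]]*$' && return 0
    # keyserver-options takes a comma/space separated list; reject "no-auto-key-retrieve"
    printf '%s\n' "$stripped" | grep -E '^[[:space:]]*keyserver-options[[:space:]]' \
        | grep -Eq '(^|[[:space:],])auto-key-retrieve([[:space:],]|$)'
}

# Print dirmngr.conf keyserver lines that carry anything after the URL.
dirmngr_keyserver_extra_tokens() {
    conf="$1/dirmngr.conf"
    [ -r "$conf" ] || return 0
    sed 's/#.*//' "$conf" | awk '$1 == "keyserver" && NF > 2 { print }'
}

# Constructed sample home mirroring the post's layout (empty gpg.conf,
# auto-key-retrieve appended to a dirmngr keyserver line).
make_sample_home() {
    dir=$(mktemp -d)
    cat > "$dir/dirmngr.conf" <<'EOF'
#keyserver ldap://keyserver.pgp.com
keyserver hkps://keys.openpgp.org auto-key-retrieve
verbose
EOF
    : > "$dir/gpg.conf"
    printf '%s\n' "$dir"
}

# Report findings; return 1 if anything looks wrong.
lint_home() {
    home="$1"; rc=0
    if ! gpgconf_auto_retrieve_enabled "$home"; then
        echo "gpg.conf: auto-key-retrieve not enabled; add 'keyserver-options auto-key-retrieve'"
        rc=1
    fi
    extra=$(dirmngr_keyserver_extra_tokens "$home")
    if [ -n "$extra" ]; then
        echo "dirmngr.conf: keyserver line(s) with trailing tokens (assumed ignored by dirmngr):"
        echo "$extra"
        rc=1
    fi
    return $rc
}

sample=$(make_sample_home)
lint_home "$sample" || true
```

Run it against a real home with lint_home "$HOME/.gnupg" to see which of the two files actually carries the setting.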