Hi,
I just configured WKD on my server, and
gpg -v --auto-key-locate clear,wkd,nodefault --locate-key user@domain.com
works as expected for most of my uid/key combos, except for one address
(olduser@domain.com) which is linked to both a current and a revoked
key. The output of the above command looks like this:
gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub rsa4096/68FD03F8C6AB1DE4 2016-06-15 Old User <olduser@domain.com>
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname <nickname@domain.com>" not changed
gpg: pub ed25519/7CD4656792B3A1F9 2022-06-06 Old User <newname@domain.com>
gpg: key 7CD4656792B3A1F9: "Old User <olduser@domain.com>" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved 'olduser@domain.com' via WKD
pub rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
51585E1318770F501D3CBDE968FD03F8C6AB1DE4
uid [ revoked] Old Nickname <nickname@domain.com>
uid [ revoked] Old User <olduser@domain.com>
uid [ revoked] Old Nickname2 <nickname2@domain.com>
sub rsa4096 2016-06-15 [E] [revoked: 2022-06-07]
Even though olduser@domain.com is the primary uid for the new key, gpg
shows the other uid for this key (newname@domain.com). This is odd, but
irrelevant. But then gpg proceeds to select the revoked key which is
somehow available via WKD.
The WKD test at https://metacode.biz/openpgp/web-key-directory delivers
similar results, but at least it displays the fingerprints of both the current
and the revoked key.
Two questions:
- Which WKD server hosts my expired/revoked key such that it takes precedence
over my own WKD server at domain.com?
- Why does gpg select an expired/revoked key over a valid key?
Thanks,
Jan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
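Both questions above come down to what each WKD endpoint actually serves for the address. As an added example (not part of Jan's message or of GnuPG itself), the following Python derives the advanced and direct lookup URLs gpg tries for an address and counts the primary public keys inside a downloaded key file; the function names and the packet-counting approach are my own.

```python
"""Derive the WKD lookup URLs for an address and count the keys in a served key file."""
import base64
import hashlib
from urllib.parse import quote

# z-base32 (draft-koch-openpgp-webkey-service): RFC 4648 alphabet remapped, no padding
_TABLE = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"ybndrfg8ejkmcpqxot1uwisza345h769")

def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).translate(_TABLE).decode("ascii")

def wkd_urls(address: str) -> dict:
    """The two URLs gpg may query: advanced method (openpgpkey subdomain) first, then direct."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    path = f"hu/{wkd_hash(local)}?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{path}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{path}",
    }

def count_public_keys(blob: bytes) -> int:
    """Walk RFC 4880 packet headers and count primary public-key packets (tag 6), one per key."""
    pos, keys = 0, 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-octet length
            tag, first = ctb & 0x3F, blob[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header: tag in bits 2-5, length-field size in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(blob[pos + 1:pos + hdr], "big")
        keys += tag == 6
        pos += hdr + length
    return keys
```

Fetch each URL (for example with curl -o key.bin) and pass the file's bytes to count_public_keys; a result above 1 means that file itself delivers more than one key for the address.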