| author | Werner Koch <wk@gnupg.org> | 2019-07-05 09:31:58 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2019-07-05 10:33:13 +0200 |
| commit | 96bf8f477805bae58cfb77af8ceba418ff8aaad9 (patch) | |
| tree | 5bb1ce772c99b93909a992fce98d945dbcb0ba2d /doc | |
| parent | wkd: Change client/server limit back to 64 KiB (diff) | |
| download | gnupg2-96bf8f477805bae58cfb77af8ceba418ff8aaad9.tar.xz, gnupg2-96bf8f477805bae58cfb77af8ceba418ff8aaad9.zip | |
gpg: With --auto-key-retrieve prefer WKD over keyservers.
* g10/mainproc.c (check_sig_and_print): Print a hint on how to make
use of the preferred keyserver. Remove keyserver lookup just by the
keyid. Try a WKD lookup before a keyserver lookup.
--
The use of the keyid for lookups does not make much sense anymore
since for quite some time we do have the fingerprint as part of the
signature.
GnuPG-bug-id: 4595
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/gpg.texi | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index 9513a4e0f..80c7f48f5 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1814,10 +1814,26 @@ These options enable or disable the automatic retrieving of keys from a keyserver when verifying signatures made by keys that are not on the local keyring. The default is @option{--no-auto-key-retrieve}. -If the method "wkd" is included in the list of methods given to -@option{auto-key-locate}, the signer's user ID is part of the -signature, and the option @option{--disable-signer-uid} is not used, -the "wkd" method may also be used to retrieve a key. +The order of methods tried to lookup the key is: + +1. If a preferred keyserver is specified in the signature and the +option @option{honor-keyserver-url} is active (which is not the +default), that keyserver is tried. Note that the creator of the +signature uses the option @option{--sig-keyserver-url} to specify the +preferred keyserver for data signatures. + +2. If the signature has the Signer's UID set (e.g. using +@option{--sender} while creating the signature) a Web Key Directory +(WKD) lookup is done. This is the default configuration but can be +disabled by removing WKD from the auto-key-locate list or by using the +option @option{--disable-signer-uid}. + +3. If the option @option{honor-pka-record} is active, the legacy PKA +method is used. + +4. If any keyserver is configured and the Issuer Fingerprint is part +of the signature (since GnuPG 2.1.16), the configured keyservers are +tried. Note that this option makes a "web bug" like behavior possible. Keyserver or Web Key Directory operators can see which keys you |
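Review bot: in items 1 and 3 of the new list, @option{honor-keyserver-url} and @option{honor-pka-record} are written without leading dashes and without saying where they are set, while items 2 and 4 use the full @option{--sender} and @option{--disable-signer-uid} forms; a reader will look for a top-level --honor-keyserver-url option that does not exist. Say explicitly that these are sub-options of --keyserver-options (the same applies to "the auto-key-locate list" in item 2, which lost the @option{auto-key-locate} markup the removed paragraph had). Two smaller points: "The order of methods tried to lookup the key is:" should read "to look up", and since the commit message says the keyid-only keyserver lookup was removed, item 4 would be clearer if it stated the consequence for the reader, e.g. "Signatures that carry no Issuer Fingerprint are not looked up on keyservers at all." That is the behavior change that matters for the "web bug" discussion in the unchanged text that follows.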