Hi, Just wondering, I've got "auto-key-retrieve" set in my gpg.conf. I'm using gpgme, and as far as I'm aware it fetches keys it doesn't know upon reading the message (gives a little delay) to verify the signature is OK.Is this a different thing somehow?
Yes, auto-key-retrieve is different from auto-key-locate.Auto-key-retrieve is for signatures. It's a boolean flag that is disabled by default (because signature verification usually happens automatically when viewing signed content, and this could be used to track when you view your e-mail in some clients).
Auto-key-locate is for encryption. It's a list of schemes tried in succession and is triggered when using e.g. --locate-key (but also with --encrypt --recipient $EMAIL). By default it's "local,wkd". The reasoning is that if you explicitly want to send an e-mail to someone and you don't have their key (local) you would want to fetch it from their server (wkd). This is done only once (then the key is imported into the keyring).
Actually auto-key-retrieve when enabled will use the list from auto-key-locate.
This post by dkg goes into more details: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html But I can answer specific questions if you have more. Kind regards, Wiktor
Thanks, Fabian On 04-07-2018 23:27:23 +0200, Wiktor Kwapisiewicz wrote:Hello mutt-dev, I would like to extend mutt to add fetching GPG keys over Web Key Directory protocol. (I've previously created an issue on gitlab [0] but I'll summarize the thing here for the broader audience). Web Key Directory is a new scheme for GPG key discovery. It converts the e-mail address to HTTPS URL and fetches the key from there. It is already supported by some e-mail clients (EnigMail, GpgOL). For example kernel.org has it enabled and Linus' key is at: https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x As GnuPG 2 has it enabled by default "gpg --locate-key torva...@kernel.org" will fetch that key. I've been exploring mutt's source code and the change would mostly be enabling external lookup for keys that are not locally present [1] when encryption is explicitly turned on (gpgme backend). That raises some privacy issues, the same was discussed on gnupg-devel ML [2] (gpg by default will fetch the key via WKD when encrypting to a recipient but will *not* fetch the key when verifying signatures). The question is how to do it well. Maybe ask the user if they want to search for the key using WKD if it's not locally present? An option would be the first choice but I worry about it not being used at all (as people rarely enable non-standard features [3]). Thank you for your consideration! Kind regards, Wiktor [0]: https://gitlab.com/muttmua/mutt/issues/55 [1]: gpgme_set_keylist_mode(ctx, GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in crypto-gpgme.c#get_candidates. [2]: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html [3]: https://gitlab.com/muttmua/mutt/issues/3 -- https://metacode.biz/@wiktor
-- */metacode/*
signature.asc
Description: OpenPGP digital signature
