
In my complaints, apparently `gpg --fetch-keys` is affected by `keyserver-options` as I get a different result with it and `curl -LO` and `gpg --import`.

The `curl`ed file includes a signature from my trusted key, while `--fetch-keys` requires me to verify the key being correct again without giving me the hint that it may be reliable due to being signed previously.

I was verifying signature, but I could as well have been verifying .

Wow, that’s bad. Maybe this is due to the import-self-sigs-only flag and GnuPG just drops all third-party signatures (e.g. your own) entirely on import? Check out this thread: https://dev.gnupg.org/T4591#127535

@wiktor That appears to be the case. I added `no-import-self-sigs-only` to my `keyserver-options` prompting gpg to complain `keyserver option 'no-import-self-sigs-only' is unknown` (also confirming that `--fetch-keys` is affected by `keyserver-options`) and after removing the excess `-import`, and fetching the same key, it suddenly gets two new signatures.

I am testing with mikaela.keybase.pub/PGP/tor-br which seems to be minimized as it contains mine and micahflee's (whom I am Keybase tracking) sigs

@wiktor Sorry, I mean cleaned, I keep confusing minimize and clean

Hehe, me too. Just yesterday I did mis-remember which one is which on some OpenPGP IRC channel :)

I keep telling myself it’s just because GnuPG is so confusing… it’s not me! ;)

I remember quite a few tickets related to import-self-sigs-only, so check out the latest GnuPG version for fixes. It’s good to know that fetch-keys is affected. I wouldn’t think it would be, just the keyserver operations. Personally I’m not quite happy with this stripping of all Web of Trust but 🤷

@wiktor I appear to be running version `2.2.17-3ubuntu1` from Ubuntu Focal Fossa (development branch).

(It was originally 18.04, but I wanted systemd-resolved's DoT and I was bored and unsupervised, so I decided to seek excitement from the upcoming release and April isn't that far in the future...)

Yep, check out this changelog for 2.2.18: https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html

* gpg: Fix a potential loss of key signatures during import with self-sigs-only active. [#4628]

That’s this ticket: https://dev.gnupg.org/T4628

Don’t miss the excitement of a rolling distro Mikaela! ;) Also… I need to check DoT in systemd-resolved, good hint :)
