In my #gpg complaints, apparently `gpg --fetch-keys` is affected by `keyserver-options`, as I get a different result with it than with `curl -LO` and `gpg --import`.
The `curl`ed file includes a signature from my trusted key, while `--fetch-keys` requires me to verify that the key is correct again, without giving me the hint that it may be reliable due to being signed previously.
Wow, that’s bad. Maybe this is due to the import-self-sigs-only flag and GnuPG just drops all third-party signatures (e.g. your own) entirely on import? Check out this thread: https://dev.gnupg.org/T4591#127535
@wiktor That appears to be the case. I added `no-import-self-sigs-only` to my `keyserver-options` prompting gpg to complain `keyserver option 'no-import-self-sigs-only' is unknown` (also confirming that `--fetch-keys` is affected by `keyserver-options`) and after removing the excess `-import`, and fetching the same key, it suddenly gets two new signatures.
I am testing with https://mikaela.keybase.pub/PGP/tor-browser-developers.asc which seems to be minimized as it contains mine and micahflee's (whom I am Keybase tracking) sigs
@wiktor Sorry, I mean cleaned, I keep confusing minimize and clean
@wiktor I appear to be running version `2.2.17-3ubuntu1` from Ubuntu Focal Fossa (development branch).
(It was originally 18.04, but I wanted systemd-resolved's DoT and I was bored and unsupervised, so I decided to seek excitement from the upcoming release and April isn't that far in the future...)
Yep, check out this changelog for 2.2.18: https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html
* gpg: Fix a potential loss of key signatures during import with self-sigs-only active. [#4628]
That’s this ticket: https://dev.gnupg.org/T4628
Don’t miss the excitement of a rolling distro Mikaela! ;) Also… I need to check DoT in systemd-resolved, good hint :)