Adding support for fetching GPG key using WKD protocol
wiktor at metacode.biz
Thu Jul 5 07:23:58 UTC 2018
> Just wondering, I've got "auto-key-retrieve" set in my gpg.conf. I'm
> using gpgme, and as far as I'm aware it fetches keys it doesn't know
> upon reading the message (gives a little delay) to verify the signature
> is OK.
> Is this a different thing somehow?
Yes, auto-key-retrieve is different from auto-key-locate.
Auto-key-retrieve is for signatures. It's a boolean flag that is
disabled by default (because signature verification usually happens
automatically when viewing signed content, and this could be used to
track when you view your e-mail in some clients).
Auto-key-locate is for encryption. It's a list of schemes tried in
succession and is triggered when using e.g. --locate-key (but also with
--encrypt --recipient $EMAIL). By default it's "local,wkd". The
reasoning is that if you explicitly want to send an e-mail to someone
and you don't have their key (local) you would want to fetch it from
their server (wkd). This is done only once (then the key is imported
into the keyring).
Actually auto-key-retrieve when enabled will use the list from
This post by dkg goes into more details:
But I can answer specific questions if you have more.
> On 04-07-2018 23:27:23 +0200, Wiktor Kwapisiewicz wrote:
>> Hello mutt-dev,
>> I would like to extend mutt to add fetching GPG keys over Web Key
>> Directory protocol.
>> (I've previously created an issue on gitlab  but I'll summarize the
>> thing here for the broader audience).
>> Web Key Directory is a new scheme for GPG key discovery. It converts the
>> e-mail address to HTTPS URL and fetches the key from there. It is
>> already supported by some e-mail clients (EnigMail, GpgOL).
>> For example kernel.org has it enabled and Linus' key is at:
>> As GnuPG 2 has it enabled by default "gpg --locate-key
>> torvalds at kernel.org" will fetch that key.
>> I've been exploring mutt's source code and the change would mostly be
>> enabling external lookup for keys that are not locally present  when
>> encryption is explicitly turned on (gpgme backend).
>> That raises some privacy issues, the same was discussed on gnupg-devel
>> ML  (gpg by default will fetch the key via WKD when encrypting to a
>> recipient but will *not* fetch the key when verifying signatures).
>> The question is how to do it well. Maybe ask the user if they want to
>> search for the key using WKD if it's not locally present?
>> An option would be the first choice but I worry about it not being used
>> at all (as people rarely enable non-standard features ).
>> Thank you for your consideration!
>> Kind regards,
>> : https://gitlab.com/muttmua/mutt/issues/55
>> : gpgme_set_keylist_mode(ctx,
>> GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in
>> : https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html
>> : https://gitlab.com/muttmua/mutt/issues/3
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 862 bytes
Desc: OpenPGP digital signature
More information about the Mutt-dev