gpg auto-locate-key selects a revoked key

I have just set up WKD on my server, and

gpg -v --auto-key-locate clear,wkd,nodefault --locate-key [email protected]

works as expected for most of my uid/key combinations, except for one address ([email protected]) that is linked to both the current key and a revoked key. The output of the command above looks like this:

gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub  rsa4096/68FD03F8C6AB1DE4 2016-06-15  Old User <[email protected]>
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname <[email protected]>" not changed
gpg: pub  ed25519/7CD4656792B3A1F9 2022-06-06  Old User <[email protected]>
gpg: key 7CD4656792B3A1F9: "Old User <[email protected]>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved '[email protected]' via WKD
pub   rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
      51585E1318770F501D3CBDE968FD03F8C6AB1DE4
uid           [ revoked] Old Nickname <[email protected]>
uid           [ revoked] Old User <[email protected]>
uid           [ revoked] Old Nickname2 <[email protected]>
sub   rsa4096 2016-06-15 [E] [revoked: 2022-06-07]

Although [email protected] is the primary uid of the new key, gpg shows the other uid ([email protected]) for this key. That is strange, but irrelevant. But then gpg goes on to select the revoked key, which is somehow available via WKD.

The WKD test at https://metacode.biz/openpgp/web-key-directory gives a similar result, but it shows the fingerprints of both the current key and the revoked key.

Two questions:

  1. Which WKD server is hosting my revoked key, so that it takes precedence over my own WKD server on domain.com?
  2. Why does gpg select the expired and revoked key instead of the valid one?

Thanks, Jan

Answer 1

Problem solved: I followed https://shibumi.dev/posts/how-to-setup-your-own-wkd-server/ and had inadvertently exported all keys for that address (gpg --no-armor --export $uid) instead of specifying the key id.

Now that I export/publish only the valid key (gpg --no-armor --export $keyid), everything works.
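The root cause in the answer above is that `gpg --export <address>` matches every key carrying that uid, revoked ones included, and a WKD blob that contains two keys lets the client pick either. The script below is an added example, not code from the post or from the shibumi.dev guide: it computes the WKD `hu/` path for an address (lower-cased local part, SHA-1, z-base-32), exports by full fingerprint only, and refuses to publish unless the exported blob holds exactly one unrevoked, unexpired primary key. It assumes gpg >= 2.2 on PATH (for `--show-keys`) and a local web root; the colon-format listing embedded for the offline check is constructed from the key ids shown in the question, with a placeholder for the new key's fingerprint, which the post does not show.

```python
"""Publish exactly one OpenPGP key per address to WKD and verify the blob first.

Added example, not from the original post. Assumes gpg >= 2.2 on PATH and a
local checkout of the web root. SAMPLE_BY_UID below is a constructed colon
listing; only the revoked key's id and fingerprint come from the question.
"""
import hashlib
import os
import subprocess

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 as used by WKD: 5-bit groups, zero-padded, no '=' padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(email: str) -> str:
    """Lower-cased local part -> SHA-1 -> z-base-32 (always 32 characters)."""
    local = email.rpartition("@")[0]
    return zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())


def wkd_paths(email: str, webroot: str) -> tuple[str, str]:
    """Filesystem paths below webroot for the direct and the advanced method."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(email)
    direct = os.path.join(webroot, ".well-known", "openpgpkey", "hu", h)
    advanced = os.path.join(webroot, ".well-known", "openpgpkey", domain, "hu", h)
    return direct, advanced


def keys_in_colon_listing(listing: str) -> list[dict]:
    """Parse `gpg --with-colons --show-keys` output into one dict per primary key.

    Field 2 of a pub record is validity ('r' revoked, 'e' expired); the first
    fpr record after a pub is the primary fingerprint (fpr after sub is skipped).
    """
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
    return keys


def publishable(keys: list[dict]) -> bool:
    """A WKD blob must hold exactly one primary key that is neither revoked nor expired."""
    return len(keys) == 1 and keys[0]["validity"] not in ("r", "e")


def export_and_check(fingerprint: str) -> tuple[bytes, list[dict]]:
    """Export ONE key by full fingerprint and list what the blob actually contains."""
    if len(fingerprint) != 40 or any(c not in "0123456789abcdefABCDEF" for c in fingerprint):
        raise ValueError("pass the full 40-hex fingerprint, never an e-mail address")
    blob = subprocess.run(["gpg", "--batch", "--no-armor", "--export", fingerprint],
                          check=True, capture_output=True).stdout
    listing = subprocess.run(["gpg", "--batch", "--with-colons", "--show-keys"],
                             input=blob, check=True, capture_output=True).stdout.decode()
    return blob, keys_in_colon_listing(listing)


def publish(email: str, fingerprint: str, webroot: str) -> None:
    """Write the verified blob to both WKD locations (binary, as WKD requires)."""
    blob, keys = export_and_check(fingerprint)
    if not publishable(keys):
        raise RuntimeError(f"refusing to publish for {email}: {keys}")
    for path in wkd_paths(email, webroot):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)


# Constructed listing of a blob exported BY ADDRESS, as in the question: the
# revoked 2016 key plus the current 2022 key. The new key's fingerprint and the
# subkey id are zero-padded placeholders, not values from the post.
SAMPLE_BY_UID = """\
pub:r:4096:1:68FD03F8C6AB1DE4:1465948800:::-:::sc::::::23::0:
fpr:::::::::51585E1318770F501D3CBDE968FD03F8C6AB1DE4:
uid:r::::1465948800::CONSTRUCTED::Old User <[email protected]>::::::::::0:
sub:r:4096:1:0000000000000000:1465948800::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
pub:u:256:22:7CD4656792B3A1F9:1654473600:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000007CD4656792B3A1F9:
"""
# The same export done BY FINGERPRINT of the current key: only the last two records.
SAMPLE_BY_FINGERPRINT = "\n".join(SAMPLE_BY_UID.splitlines()[-2:]) + "\n"

if __name__ == "__main__":
    for name, sample in (("by uid", SAMPLE_BY_UID), ("by fingerprint", SAMPLE_BY_FINGERPRINT)):
        ks = keys_in_colon_listing(sample)
        print(name, [(k["keyid"], k["validity"]) for k in ks], "publishable:", publishable(ks))
```

Two points the check enforces that `gpg --locate-key` will not: the blob at `hu/<hash>` is served to every client asking for that address, so it must contain exactly one key, and it must be re-published (with `export_and_check` run again) whenever the current key is rotated or revoked, since WKD has no server-side revocation lookup. The draft's own worked example address, `Joe.Doe@Example.ORG`, maps to the same hash as any capitalisation of `joe.doe`, because only the local part, lower-cased, is hashed.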
