Discussion:
Automated verification key retrieval using PKA
Nicolas Le Gland nicolas@legland.fr [PGP-Basics]
2014-05-30 10:12:23 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Here is a seemingly well-formed plain-text clear-signed document, using

gpg --no-options --local-user "***@legland.fr"
--set-notation "pka-***@gnupg.org=***@legland.fr"
--output document.asc --clearsign document.txt

I'm looking for the necessary and sufficient command-line to download my key
using the PKA record and verify this document, from an empty keyring.

gpg --homedir=. [..] --verify document.asc

My previous attempt only succeeded in downloading the key from a keyserver,
using both version 1.4.16 from the GnuPG FTP and 2.0.22 from Gpg4win 2.2.1
on Windows, as well as version 1.4.11 and 2.0.17 on Ubuntu.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
Nicolas Le Gland <http://www.nicolas.legland.fr/>
lists@tebuco.com [PGP-Basics]
2014-05-30 12:49:21 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Nicolas,

Before I forget, for your clearsign hashes or signatures issue, I stumbled upon this option yesterday:
gpg --status-fd 1
which seems to display interesting info (maybe the same as the debug option did).
(strace gpg ... might reveal something as well.)

For your current issue, this worked for me this morning:
gpg2 --keyserver-options auto-key-retrieve --auto-key-locate pka --verify msg.txt.asc

Good luck,
Pete
Fri May 30 08:46:48 EDT 2014



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----

------------------------------------
Posted by: ***@tebuco.com
------------------------------------

______________________________________________________________
Archives: http://groups.yahoo.com/group/PGP-Basics/messages
OT List: http://groups.yahoo.com/group/PGP-Basics-OT
OT Subscribe: mailto:PGP-Basics-OT-***@yahoogroups.com
Gossamer Spider Web of Trust http://www.gswot.org

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/PGP-Basics/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/PGP-Basics/join
(Yahoo! ID required)

<*> To change settings via email:
PGP-Basics-***@yahoogroups.com
PGP-Basics-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
PGP-Basics-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/
Nicolas Le Gland nicolas@legland.fr [PGP-Basics]
2014-05-30 15:31:25 UTC
Hello Pete.
Post by ***@tebuco.com [PGP-Basics]
> Before I forget, for your clearsign hashes or signatures issue, I
> gpg --status-fd 1
Oh, thinking of it, I used to have this around when doing expert/debug
tests. Thanks for the friendly reminder.
Post by ***@tebuco.com [PGP-Basics]
> gpg2 --keyserver-options auto-key-retrieve --auto-key-locate pka --verify msg.txt.asc
Seems like I even managed to get it working even more straightforwardly, as
my example signature only had a PKA record and no preferred keyserver to
stand in the path.

gpg2 --homedir=. --keyserver-options auto-key-retrieve --verify document.asc

This finished validating both the "pka-***@gnupg.org" notation name
and my PKA settings. Pretty good hacking.
--
Nicolas Le Gland <http://www.nicolas.legland.fr/>
Michael Daigle md5a932e53@yahoo.ca [PGP-Basics]
2014-05-30 16:39:13 UTC
Post by ***@tebuco.com [PGP-Basics]
> gpg2 --keyserver-options auto-key-retrieve --auto-key-locate pka --verify msg.txt.asc
Hmm... I never heard of that one (--auto-key-locate pka). I use
--honor-pka-record (on by default).

Please excuse the lack of signature. Using Gmail at the moment...
--
Mike Daigle
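
Added example, not part of any post in this thread: a Python check over the machine-readable lines that `gpg --status-fd 1` emits during `--verify`, telling a signature whose key was merely fetched (as in the keyserver-only attempt in the first post) apart from one where the PKA lookup confirmed the signer's address. The status samples, fingerprint and mailbox are constructed placeholders, and `parse_status` and `pka_verified` are hypothetical helper names.

```python
# Constructed sample status output; fingerprint and mailbox are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
VALID = f"[GNUPG:] VALIDSIG {FPR} 2014-05-30 1401444743 0 4 0 1 2 01 {FPR}\n"
PKA_RUN = VALID + "[GNUPG:] PKA_TRUST_GOOD alice@example.org\n"
KEYSERVER_RUN = "gpg: requesting key from keyserver\n" + VALID  # valid, no PKA line
MISMATCH_RUN = VALID + "[GNUPG:] PKA_TRUST_BAD alice@example.org\n"
TAMPERED_RUN = "[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example\n"

STATUS_PREFIX = "[GNUPG:] "


def parse_status(text):
    """Collect the status keywords that matter for a PKA-backed verification."""
    seen = {"fingerprint": None, "bad_sig": False, "pka_good": [], "pka_bad": []}
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable output can share the same stream
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            seen["fingerprint"] = args[0].upper()
        elif keyword in ("BADSIG", "ERRSIG"):
            seen["bad_sig"] = True
        elif keyword == "PKA_TRUST_GOOD" and args:
            seen["pka_good"].append(args[0].lower())
        elif keyword == "PKA_TRUST_BAD" and args:
            seen["pka_bad"].append(args[0].lower())
    return seen


def pka_verified(text, expected_mailbox, pinned_fpr=None):
    """True only for a valid signature whose PKA lookup matched expected_mailbox."""
    seen = parse_status(text)
    if seen["bad_sig"] or seen["fingerprint"] is None:
        return False  # no cryptographically valid signature at all
    if seen["pka_bad"] or expected_mailbox.lower() not in seen["pka_good"]:
        return False  # key was found, but PKA did not vouch for this address
    if pinned_fpr and pinned_fpr.replace(" ", "").upper() != seen["fingerprint"]:
        return False  # optional out-of-band fingerprint pin disagrees
    return True
```

A `VALIDSIG` line on its own only shows that some retrieved key made the signature; the `PKA_TRUST_GOOD` line is what ties that key to the mailbox published in DNS.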