7.21. Obtaining Keys from a Keyserver
Problem
You want to obtain a public key from a keyserver.
Solution
If you have the key ID, you can import it immediately:
$ gpg --keyserver keyserver --recv-keys key_ID
Otherwise, to search for a key by the owner's name or email address, and choose the matching key before importing it, use:
$ gpg --keyserver keyserver --search-keys string_to_match
To specify a default keyserver, so you need not use the --keyserver option above, add a line to ~/.gnupg/options:
keyserver keyserver_DNS_name_or_IP_address
To have GnuPG automatically contact a keyserver and import keys whenever needed, add to ~/.gnupg/options:
keyserver keyserver_DNS_name_or_IP_address
keyserver-options auto-key-retrieve
With this configuration, for example, if you were to verify the signature on some downloaded software signed with a key you didn't have (gpg --verify foo.tar.gz.sig), GnuPG would automatically download and import that key from your keyserver, if available.
Additionally, most keyservers have a web-based interface for adding and locating keys.
Remember to check the key fingerprint with the owner before trusting it. [Recipe 7.9]
Discussion
Importing a key does not verify its validity: it does not confirm that the claimed binding between a user identity (name, email address, etc.) and the public key is legitimate. Anyone can upload a key with any name and email address to a keyserver. For example, if you use gpg --verify to check a signature made with a key imported from a keyserver, GnuPG may still produce the following warning, even if the signature itself is good:
gpg: WARNING: This key ...
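The fingerprint check the recipe recommends, as a small script added here (it is not from the Linux Security Cookbook): after importing a key from a keyserver, compare its fingerprint against one you obtained out-of-band from the owner, using gpg's machine-readable --with-colons listing, where "fpr" records carry the fingerprint in the tenth field. The function and variable names, and the sample key listing and fingerprint in the guarded usage, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Linux Security Cookbook recipe.
# Compares an imported key's fingerprint against one confirmed with the owner.

# Canonicalize a fingerprint: drop the spaces gpg prints between groups
# and fold hex digits to upper case, so "abcd 1234" and "ABCD1234" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --with-colons output on stdin and print every fingerprint
# ("fpr" records keep the fingerprint in field 10).
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed (exit 0) only if the expected fingerprint appears in the
# colon-format listing read from stdin.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    fprs_from_colons | tr 'a-f' 'A-F' | grep -qxF -- "$expected"
}

# Check a key already in the local keyring (e.g. just fetched with --recv-keys).
# $1 = key ID, $2 = fingerprint obtained from the owner out-of-band.
check_imported_key() {
    gpg --batch --with-colons --fingerprint "$1" | fingerprint_matches "$2"
}

# Usage: sh check_fpr.sh key_ID "expected fingerprint"
# (constructed placeholder values; only runs when both arguments are given)
if [ "$#" -eq 2 ]; then
    if check_imported_key "$1" "$2"; then
        echo "fingerprint of $1 matches the one confirmed with the owner"
    else
        echo "fingerprint of $1 does NOT match; do not sign or trust this key" >&2
        exit 1
    fi
fi
```

Run it right after gpg --recv-keys, before signing or trusting the key; a mismatch means the keyserver handed you a key that is not the one the owner confirmed, which is exactly the case the warning in the Discussion is about.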