Retrieval by keyid was removed in commit 96bf8f477805, which breaks --auto-key-retrieve for signatures which have no fingerprint field. There are projects which still use these for code authenticity checks (see test plan). This patch restores the keyid as a last-resort fallback only, in case none of the other methods for automatic lookup is available.
The patch was tested using two examples which I've run across recently:
Without the patch, gpg --auto-key-retrieve --verify $sigfile fails with "No public key." With the patch, the same command retrieves the public key used for the signature and successfully verifies it.
Auto key retrieve using just the key ID is dangerous because it can lead to a DoS. It is too easy to flood keyservers with several keys that have the same keyid. Let's not give an incentive to the script kiddies trying to pull down the OpenPGP keyservers.
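A way to tell from the signature packet itself whether gpg has a full fingerprint to retrieve by or only the 64-bit key ID that the fallback (and the collision concern above) is about; this is an added example, not code from this revision or from GnuPG. It assumes the registered subpacket types 16 (issuer key ID) and 33 (issuer fingerprint), and the sample signature bodies are constructed inline with dummy hash-prefix and MPI fields.

```python
import struct

ISSUER_KEYID = 16        # subpacket type: 8-byte key ID (RFC 4880 5.2.3.5)
ISSUER_FINGERPRINT = 33  # subpacket type: key version byte + fingerprint

def _subpacket_len(data, i):
    """Decode a subpacket length field at data[i]; returns (length, next_index)."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5

def parse_subpackets(area):
    """Return [(type, body), ...] for one signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        length, i = _subpacket_len(area, i)
        out.append((area[i], area[i + 1:i + length]))  # first body byte is the type
        i += length
    return out

def lookup_hint(sig_body):
    """Inspect a v4 signature packet body and report how the signer can be located:
    ('fingerprint', hex) if an issuer-fingerprint subpacket is present,
    ('keyid', hex) if only the key ID is (the ambiguous, last-resort case), else None."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hlen]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    unhashed = sig_body[8 + hlen:8 + hlen + ulen]
    fpr = keyid = None
    for sp_type, body in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if sp_type == ISSUER_FINGERPRINT and body[:1] == b"\x04":
            fpr = body[1:21].hex()
        elif sp_type == ISSUER_KEYID:
            keyid = body.hex()
    if fpr:
        return ("fingerprint", fpr)
    if keyid:
        return ("keyid", keyid)
    return None

def build_sig_body(hashed, unhashed):
    """Constructed v4 signature body (binary sig, RSA, SHA-256) holding the given
    subpacket lists; the trailing hash prefix and MPI are placeholders only."""
    def area(subs):
        raw = b"".join(bytes([len(b) + 1, t]) + b for t, b in subs)
        return struct.pack(">H", len(raw)) + raw
    return bytes([4, 0, 1, 8]) + area(hashed) + area(unhashed) + b"\x00\x00\x00\x08\x80"

# Constructed sample key: 20-byte fingerprint 0x01..0x14; its key ID is the last 8 bytes.
FPR = bytes(range(1, 21))
KEYID = FPR[-8:]
OLD_STYLE = build_sig_body([], [(ISSUER_KEYID, KEYID)])                               # key ID only
NEW_STYLE = build_sig_body([(ISSUER_FINGERPRINT, b"\x04" + FPR)], [(ISSUER_KEYID, KEYID)])
```

Signatures that yield the `keyid` hint are the ones that hit the fallback; since many keys can share a key ID, a retrieval keyed on it must treat every returned key as a candidate to verify against, not as the signer.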