if I create a redirect 302 for a WKD link, gnupg (2.2.1;libgcrypt 1.7.9) will follow this redirect also if that rdirect is a not TLS encrypted message. This makes it easy for MIT to modify the answer. Please do only follow links, that are also TLS encrypted:
% wget https://netzguerilla.net/.well-known/openpgpkey/hu/54f6ry7x1qqtpor16txw5gdmdbbh6a73 --2017-10-06 12:48:17-- https://netzguerilla.net/.well-known/openpgpkey/hu/54f6ry7x1qqtpor16txw5gdmdbbh6a73 Resolving netzguerilla.net (netzguerilla.net)... 217.11.59.155, 2a00:1828:2000:12::3 Connecting to netzguerilla.net (netzguerilla.net)|217.11.59.155|:443... connected. HTTP request sent, awaiting response... 302 Found Location: http://wks.netzguerilla.net/netzguerilla.net/54f6ry7x1qqtpor16txw5gdmdbbh6a73 [following] --2017-10-06 12:48:17-- http://wks.netzguerilla.net/netzguerilla.net/54f6ry7x1qqtpor16txw5gdmdbbh6a73 Resolving wks.netzguerilla.net (wks.netzguerilla.net)... 217.11.59.156, 2a00:1828:2000:12::4 Connecting to wks.netzguerilla.net (wks.netzguerilla.net)|217.11.59.156|:80... connected. HTTP request sent, awaiting response... 200 OK
and wkd is successfull:
% gpg -v --auto-key-locate=clear,wkd,nodefault --locate-key key-submission@netzguerilla.net
gpg: using pgp trust model
gpg: pub rsa4096/0x1DD87C3E0CC981B1 2017-10-06 Netzguerilla - Key Submission <key-submission@netzguerilla.net>
gpg: key 0x1DD87C3E0CC981B1: public key "Netzguerilla - Key Submission <key-submission@netzguerilla.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: auto-key-locate found fingerprint 00EC901DDAEF596AF56C48BE1DD87C3E0CC981B1
gpg: automatically retrieved 'key-submission@netzguerilla.net' via WKD
pub rsa4096/0x1DD87C3E0CC981B1 2017-10-06 [SC] [expires: 2018-10-06]
00EC901DDAEF596AF56C48BE1DD87C3E0CC981B1
uid [ unknown] Netzguerilla - Key Submission <key-submission@netzguerilla.net>
sub rsa4096/0xEA26FA2FB4BE6819 2017-10-06 [E] [expires: 2018-10-06](in meanwhile I updated the redirect to a TLS encrypted one. But I can create a test setup if you need so.)