Page MenuHome GnuPG

remap `--search` to `--locate-keys` (with warning)
Closed, WontfixPublic


over on T4591, there's some discussion about how --search is dangerously broken given the state of the SKS keyserver network.

This ticket documents a proposal to deprecate gpg --search.

I recommend having --search behave as though the user had done --locate-keys instead, and produce an additional warning to stderr.



Event Timeline

werner triaged this task as High priority.

My plan is to let --search-key be the same as locate-key but without local lookups, thus it will be the same as

--auto-key-locate nodefault,clear,wkd,dane,keyserver --locate-key

with the akl list using whatever is configured or the default but without "local". This will also allow to for a WKD refresh without typing all the options above. I would do that at least in 2.2 only if a mail address has been give, If just a name is given the old code path is used.

I tried to implement this but this is troublesome for other programs using the interface because a common patter is to use --search-keys to get a listing and then use --recv-key to import the keys - That won't work and will require changes to --recv-key too. Thus this change will not go into 2.2. Anyway, it is not dangerous to have --search-keys because the new default for import from keyservers will be to strip all key-signatures.

For convenience a new command --locate-external-keys will be in 2.2 which does the --auto-key-locate dance.

werner lowered the priority of this task from High to Normal.Jul 4 2019, 3:23 PM