The following commands will fail to retrieve any OpenPGP certificates:

export GNUPGHOME=$(mkdir -d)
echo no-auto-key-locate > $GNUPGHOME/gpg.conf
gpg --locate-external-key dkg@fifthhorseman.net

This is confusing; a user might well want to avoid automatic key lookups that they are unaware of, and still want to be able to do an explicit search of the Internet for expected OpenPGP certificates. The last command even completes "successfully" (i.e. with a 0 return code), though gpg never asks dirmngr anything.

Parsing out the manual pages carefully, and thinking about the implementation approach, i can understand why these options interact the way that they do, but from a configuration semantics standpoint it is certainly surprising.

i think one of the semantic hangups here is the word auto. is no-auto-key-lookup supposed to negate the automatic nature of key lookup? or is it supposed to negate lookup entirely?

given that command-line arguments typically override config file options, the --locate-external-keys command might be expected to override the config file option.

i'm not sure the best way to fix this confusing corner of the interface, but here's a proposal (i'm happy to hear other proposals):

if:

• the command is --locate-external-key, and
• the AKL list is entirely empty (or contains only local)

then:

• treat the AKL list as though it was the three most common external mechanisms: wkd,dane,keyserver

This is idiosyncratic too, of course, but it seems to be closer to what a user might actually mean to express in this situation.