GnuPG dirmngr sends incorrect l parameter to a WKD server
Closed, Resolved (Public)

Description

According to the OpenPGP Web Key Directory spec (https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-13.html), the last part of a WKD URI is the unchanged local-part as a parameter with name l using proper percent escaping.

However, GnuPG does not percent escape the "+" characters in the local-part and most server frameworks unescape the "+" character in a query string to a space, so GnuPG should percent escape the "+" character to "%2B".

GnuPG does not percent escape the "#" character in the local-part. Due to a custom URI parser in GnuPG which does not treat the "#" character (or any other character) as a fragment separator, it is not strictly needed to percent escape the "#" character but it is still a common habit.

These can be fixed with the following kind of patch:

diff --git a/dirmngr/server.c b/dirmngr/server.c
index 2702d32f9..1d9cb7fb4 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1012,7 +1012,7 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
     {
       char *escapedmbox;
 
-      escapedmbox = http_escape_string (mbox, "%;?&=");
+      escapedmbox = http_escape_string (mbox, "%;?&=+#");
       if (escapedmbox)
         {
           uri = strconcat ("https://",
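
Review bot: the widened specials string on the changed http_escape_string line, "%;?&=+#", carries no comment saying why "+" and "#" are in it, so a later cleanup could drop them again. A one-line comment above the call, noting that server frameworks decode "+" in a query string to a space, would record the reason. It is also worth confirming how http_escape_string treats characters that are not listed in the specials string, since the fix relies on a list of characters to escape. The call still escapes mbox as it is passed in, so this hunk does not change the case of the l parameter; the lowercasing reported in the description needs a separate change. A regression test with a local-part containing "+" would keep the fix from silently regressing.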

Additionally, as stated above, the value of the l parameter should be the unchanged local-part, whereas GnuPG sends an ASCII lowercased local-part.
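
The effect described in this report can be reproduced outside GnuPG. The following is an added example, not GnuPG code and not part of the original report: it builds a WKD URL in the draft's advanced-method layout (hash over the lowercased local-part, l carrying the unchanged local-part) and shows what a form-decoding server recovers for l with and without percent escaping. The function names and the sample addresses are assumptions made for the illustration.

```python
import hashlib
from urllib.parse import parse_qs, quote, urlsplit

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def wkd_hash(local_part: str) -> str:
    """z-base-32 of SHA-1 over the ASCII-lowercased local-part (32 chars)."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    n = int.from_bytes(hashlib.sha1(lowered.encode("utf-8")).digest(), "big")
    # 160 bits split into 32 groups of 5 bits, most significant first.
    return "".join(ZBASE32[(n >> shift) & 31] for shift in range(155, -1, -5))


def wkd_url(addr: str, escape_l: bool = True) -> str:
    """Advanced-method WKD URL; escape_l=False mimics the unescaped query."""
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    # The l parameter keeps the original case; only the hash is lowercased.
    l_value = quote(local, safe="") if escape_l else local
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
            f"{domain}/hu/{wkd_hash(local)}?l={l_value}")


def server_sees_l(url: str) -> str:
    """Value of l as recovered by a standard URL parser and form decoder."""
    query = urlsplit(url).query  # a standard parser cuts the URL at '#'
    return parse_qs(query, keep_blank_values=True)["l"][0]


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("Joe+Tag@Example.ORG", "a#b@example.org"):
        for escape in (False, True):
            url = wkd_url(addr, escape_l=escape)
            print(f"escape={escape!s:5} {url}\n  server sees l={server_sees_l(url)!r}")
```

A server that compares the decoded l value against the mailbox it hosts will not find a match for the unescaped "+" form, because the decoded value contains a space instead.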