Page MenuHome GnuPG

Warn in --recv-keys verbose output that no keys have been imported
Open, NormalPublic


I tried to import some of the gpg signature keys yesterday without success. Even though the output made it look successful I could not verify gpg4win and did not see the keys in --list-keys. I've since learned that this is because I was using the keyserver hkps:// which does not include IDs of keys unless the owner's e-mail address approves. The verbose output from gpg is confusing because it shows the key as processed, even though it is not actually imported. If importing a key has failed, my suggestion is it should say so and offer a remedy (eg "use option --foo to overide") if one is available.

For example, try to import Werner's key:

gpg --verbose --keyserver hkps:// --recv-keys 6DAA6E64A76D2840571B4902528897B826403ADA

gpg: data source:
gpg: armor header: Comment: 6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
gpg: pub  ed25519/528897B826403ADA 2020-08-24
gpg: key 528897B826403ADA: no user ID
gpg: Total number processed: 1

I thought that meant the key was imported, but it does not. In fairness it does not say anything about imported. I think that is an easy mistake to make and the output could be clarified to say whether or not the key was actually imported, and if not why not.

Also I think @werner and the other signers should consider verifying their release signing keys on the openpgp server. For whatever reason, I could not access the default keyserver (I don't know what was happening and I can access it now) and so that's why I tried openpgp. I could see someone else possibly ending up in this situation.


gpg (GnuPG) 2.3.8, libgcrypt 1.10.1

Event Timeline

Oh yes, the usual import statistics should be shown here.

Please take the release signing keys from - that is the canonical location and we can update them under our control.