On Tue, Feb 15, 2022 at 12:32:50PM -0800, Dan Mahoney (Gushi) via Gnupg-users wrote:
> Thus, using that as a prefetch method to grab the current version of our
> codesign@ key into our keyring is not helpful either, unless we "faked it"
> by attempting to encrypt a message to that address, then discarded it.
>
> Is there another way forward? The normal things for auto-key-locate don't
> seem to help here. I'm open to ideas.

Hi, Dan:

Any reason you want to stick with auto-locating keys instead of just
maintaining a keyring for verification purposes? If you do want to keep
using DANE, you can "gpg --auto-key-locate dane --locate-keys
codesign@whatnot" to build your pubring, e.g. (using wkd):

    $ export GNUPGHOME=$(mktemp -d)
    $ gpg --auto-key-locate wkd --locate-keys torva...@kernel.org gre...@kernel.org

We now have a $GNUPGHOME/pubring.kbx containing the keys we can use for
verification. At some point in the past I wrote the following script that
makes use of this exact approach:

https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball

-K
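
The throwaway-keyring approach from the reply above, written out as an added example that is not part of the original message or of korg-helpers. It goes one step beyond the message by checking gpgv's status output against a fingerprint supplied by the caller; the function names and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the pinned-fingerprint argument are
# assumptions for illustration; they are not taken from korg-helpers.

# Read gpgv --status-fd lines on stdin. Succeed only if a VALIDSIG record names
# fingerprint $1 as the signing key (field 3) or as the primary key (last field).
status_has_validsig() {
    # Appending "" forces string comparison, so an all-digit or "12E34"-style
    # fingerprint is never compared as a number.
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (fpr "") || ($NF "") == (fpr "")) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# usage: verify_with_located_key METHOD ADDRESS FINGERPRINT SIGFILE DATAFILE
# METHOD is an auto-key-locate mechanism such as dane or wkd.
# FINGERPRINT is the full fingerprint in uppercase hex without spaces.
verify_with_located_key() {
    if [ "$#" -ne 5 ] || [ -z "$3" ]; then
        echo "usage: verify_with_located_key METHOD ADDRESS FPR SIG DATA" >&2
        return 2
    fi
    vk_home=$(mktemp -d) || return 1
    vk_rc=1
    # Build the pubring in a throwaway GNUPGHOME, as in the message above.
    if GNUPGHOME=$vk_home gpg --batch --quiet --auto-key-locate "$1" \
            --locate-keys "$2" >/dev/null 2>&1; then
        # gpgv trusts every key in the keyring it is given, so the caller's
        # fingerprint decides which located key is acceptable.
        vk_status=$(gpgv --keyring "$vk_home/pubring.kbx" --status-fd 1 \
            "$4" "$5" 2>/dev/null) || true
        if printf '%s\n' "$vk_status" | status_has_validsig "$3"; then
            vk_rc=0
        fi
    fi
    # Stop the agent/dirmngr started for the temporary home, then delete it.
    GNUPGHOME=$vk_home gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$vk_home"
    return "$vk_rc"
}
```

The function returns 0 only when the key located for ADDRESS produced a valid signature and its fingerprint matches the one passed in; any lookup failure, bad signature or fingerprint mismatch returns non-zero.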