7.21. Obtaining Keys from a Keyserver

Problem

You want to obtain a public key from a keyserver.

Solution

If you have the key ID, you can import it immediately:

$ gpg --keyserver keyserver --recv-keys key_ID

Otherwise, to search for a key by the owner’s name or email address, and match keys before importing them, use:

$ gpg --keyserver keyserver --search-keys string_to_match

To specify a default keyserver, so you need not use the --keyserver option above:

               ~/.gnupg/options:
keyserver keyserver_DNS_name_or_IP_address

To have GnuPG automatically contact a keyserver and import keys whenever needed:

               ~/.gnupg/options:
keyserver keyserver_DNS_name_or_IP_address
keyserver-options auto-key-retrieve

With this configuration, for example, if you were to verify the signature on some downloaded software signed with a key you didn’t have (gpg —verify foo.tar.gz.sig), GnuPG would automatically download and import that key from your keyserver, if available.

Additionally, most keyservers have a web-based interface for adding and locating keys.

Remember to check the key fingerprint with the owner before trusting it. [Recipe 7.9]

Discussion

Importing a key does not verify its validity—it does not verify that the claimed binding between a user identity (name, email address, etc.) and the public key is legitimate. For example, if you use gpg —verify to check the signature of a key imported from a keyserver, GnuPG may still produce the following warning, even if the signature itself is good:

gpg: WARNING: This key ...

Get Linux Security Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.