GPG Suite ignores auto-key-locate configuration

Bryan's Avatar


04 Aug, 2021 10:53 PM

GPG Suite seems to be utilizing the gpg --receive-keys or --search-keys rather than the --locate-keys command. The former only searches the configured key server but the later will search for the key in the order of the options set in auto-locate-key. ie. "local,wkd,keyserver". This is probably not the desired behavior if you intend GPG Suite to work with WKD.


  1. Support Staff 1 Posted by Luke Le on 12 Aug, 2021 03:07 PM

    Luke Le's Avatar

    Hi Bryan,

    this is true for our GPG Suite tools like GPG Mail, GPG Services and GPG Keychain.
    Since they don't automatically fetch any keys at the moment, this is by design.

    Via command line you can of course use auto-locate-key and it will work as expected if configured in your gpg.conf

  2. 2 Posted by Bryan on 12 Aug, 2021 04:04 PM

    Bryan's Avatar

    Hey Luke, thanks for the response. I'm a little confused though... I have an option that says "Automatically download public keys" which does automatically fetch keys from my configured key server when I receive a signed email and don't already have the signer's key. Could this option not use --locate-key to support the auto-locate-key options since the keyserver is still used in the same way?

  3. Support Staff 3 Posted by Luke Le on 18 Aug, 2021 09:41 AM

    Luke Le's Avatar

    Hi Bryan,

    my previous message left out a few details. "They don't automatically fetch any keys" was meant to say, unless manually configured by using the setting you mentioned. Since our default is that fetching keys is disabled, it should not be overridden by a "misconfigured" gpg.conf. It's of course absolutely possible that you have added the auto-key-retrieve setting on purpose in the past, but it's also possible that it was set by a different tool in the past, without asking you, which is why we want you to "re-activate" option explicitly.

    Based on GnuPG's manual however, auto-key-retrieve does use WKD, which of course makes sense:

    "--auto-key-retrieve [...] If the signature has the Signer’s UID set a WKD lookup is done. This is the default configuration [...]"

    auto-key-locate on the other hand is mainly used to fetch missing keys when encrypting messages for a recipient. But can also be used to disable the use of WKD with auto-key-retrieve

    Could you send a signed message to [email blocked] so we can test this?

  4. 4 Posted by Bryan on 25 Aug, 2021 07:58 PM

    Bryan's Avatar

    Hey Luke,
    Okay, so I was initially confused by auto-key-retrieve setting. Thank you for clearing that up.

    I set the auto-key-locate parameter manually in gpg.conf with the mechanisms I wanted "local,wkd,keyserver" and enabled auto-key-retrieve. I see now that auto-key-retrieve is not necessary for auto-key-locate to work, and having auto-key-retrieve disabled is a safe default. Maybe I should just explain what I was trying to do...

    My goal was to set up GPG Suite to retrieve keys from our WKD and optionally use our internal HKP server as fallback. But even with the auto-key-locate parameters set in gpg.conf nothing actually tries to look up the key. This is why I was attempting to use the "Automatically download public keys" (aka auto-key-retrieve) setting, but was mistaken about what it did.

    If I may request a feature it would be WKD support. Thunderbird has removed the ability to set a custom HKP server and GPG Suite seems to not work reliably with our internal HKP server either so I'd like to transition my Org to WKD.

    Also the email address you have in your message is blocked. Feel free to email me at the email associated with this post.

  5. Support Staff 5 Posted by Steve on 26 Aug, 2021 03:06 PM

    Steve's Avatar

    Thanks for elaborating on and sharing your use-case. We have a ticket for adding support for WKD. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you stay in the loop and will receive info as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.

    What do you mean by "email address is blocked"? Blocked in what way?


  6. 6 Posted by Bryan on 26 Aug, 2021 06:28 PM

    Bryan's Avatar

    Thanks for the update, Steve.


  7. Steve closed this discussion on 27 Aug, 2021 07:29 PM.

  8. Steve re-opened this discussion on 22 Jan, 2022 03:58 PM

  9. Support Staff 7 Posted by Steve on 22 Jan, 2022 03:58 PM

    Steve's Avatar

    Sorry Bryan - I never responded about the blocked email question of yours. You sent a screenshot showing the problem. Tender (the support platform service we use) has a "feature" where they remove email addresses.

    Luke was asking about a signed test message from you. The email address you can send that to is team AT gpgtools DOT org

  10. Steve closed this discussion on 22 Jan, 2022 03:58 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac