On Tue,  2 Jul 2019 15:40, konstan...@linuxfoundation.org said:

> When this happens, a maintainer who tries to verify a signed pull
> request will have the operation fail, so they need to have a way to
> force-refresh the developer's key. I would say this is the #1 workflow

Agreed.  A signature carries only the fingerprint of the then unknown
subkey without any information on the primary key.  Thus an automated
lookup is not possible.

But wait, if --sender has been used or due to other reasons the Signer's
UID is included in the keyring, we could do a lookup via the user-id to
see whether the signature has been made by a new subkey.  The
--auto-key-retrieve code already has the respective code but we need to
change the order from where a key is fetched.

And yes, an easier to remember command to forcefully update a key would
be very useful.   I have

  gpg --search-key MAILADDRESS

for that in mind.  See https://dev.gnupg.org/T4599


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
