On Dienstag, 2. November 2021 16:05:30 CET Tadeus Prastowo via Gnupg-users wrote: > The signature on a Linux kernel can be verified successfully using > `--auto-key-retrieve', but the signature on an Emacs cannot be > verified in the same manner because gpg is unable to retrieve the > needed public key automatically.
The important difference is:
> gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
> gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
-> fingerprint of signing key
> gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
> gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
> gpg: using RSA key 91C1262F01EB8D39
-> (long) key id of signing key
> gpg: Can't check signature: No public key
man gpg tells us:
=====
--auto-key-retrieve
--no-auto-key-retrieve
These options enable or disable the automatic retrieving of
keys from a keyserver when verifying signatures made by
keys that are not on the local keyring. The default is --no-
auto-key-retrieve.
The order of methods tried to lookup the key is:
[...]
5. If any keyserver is configured and the Issuer Fingerprint
is part of the signature (since GnuPG 2.1.16), the con-
figured keyservers are tried.
=====
The signature on the Linux kernel contains the Issuer Fingerprint. The
signature on Emacs doesn't (probably because a very old version of GnuPG is
used to sign Emacs).
Regards,
Ingo
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
