Diffstat (limited to 'doc')
-rw-r--r-- | doc/gpg.texi | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index 83be00e20..7a135cdc8 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1818,6 +1818,20 @@ list. The default is "local,wkd". @end table +@item --auto-key-import +@itemx --no-auto-key-import +@opindex auto-key-import +@opindex no-auto-key-import +This is an offline mechanism to get a missing key for signature +verification and for later encryption to this key. If this option is +enabled and a signature includes an embedded key, that key is +used to verify the signature and on verification success that key is +imported. The default is @option{--no-auto-key-import}. + +On the sender (signing) site the option @option{--include-key-block} +needs to be used to put the public part of the signing key as “Key +Block subpacket” into the signature. + @item --auto-key-retrieve @itemx --no-auto-key-retrieve @opindex auto-key-retrieve 
@@ -1828,22 +1842,26 @@ local keyring. The default is @option{--no-auto-key-retrieve}. The order of methods tried to lookup the key is: -1. If a preferred keyserver is specified in the signature and the +1. If the option @option{--auto-key-import} is set and the signatures +includes an embedded key, that key is used to verify the +signature and on verification success that key is imported. + +2. If a preferred keyserver is specified in the signature and the option @option{honor-keyserver-url} is active (which is not the default), that keyserver is tried. Note that the creator of the signature uses the option @option{--sig-keyserver-url} to specify the preferred keyserver for data signatures. -2. If the signature has the Signer's UID set (e.g. using +3. If the signature has the Signer's UID set (e.g. using @option{--sender} while creating the signature) a Web Key Directory (WKD) lookup is done. This is the default configuration but can be disabled by removing WKD from the auto-key-locate list or by using the option @option{--disable-signer-uid}. -3. If the option @option{honor-pka-record} is active, the legacy PKA +4. If the option @option{honor-pka-record} is active, the legacy PKA method is used. -4. If any keyserver is configured and the Issuer Fingerprint is part +5. If any keyserver is configured and the Issuer Fingerprint is part of the signature (since GnuPG 2.1.16), the configured keyservers are tried. |
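Review bot: In the first hunk (the new @option{--auto-key-import} entry), the sentence "that key is used to verify the signature and on verification success that key is imported" should also tell the reader what such a success does not establish: because the signer supplies both the signature and the embedded key, a good signature only shows that the embedded key made it, not that the key belongs to the claimed sender, so the imported key's validity still has to come from the usual trust model. Suggest adding one sentence to that effect after "The default is @option{--no-auto-key-import}." Two smaller points in the same hunk: "On the sender (signing) site" should read "side", and the curly quotes around “Key Block subpacket” are inconsistent with the plain ASCII quotes used elsewhere in this file (e.g. "local,wkd" in the context line).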
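Review bot: In the second hunk, the new item 1 has a grammar slip: "the signatures +includes an embedded key" should be "the signature includes an embedded key". It would also help to say explicitly that, because this is now the first method in the list, a successful verification with the embedded key means none of the network lookups in items 2 through 5 are attempted for that signature; that follows from the ordering the list describes but is not stated.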