[pkg-gnupg-maint] Bug#795334: Bug#795334: If --local-user matches the default key, it should be used

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 13 20:45:29 UTC 2015


On Wed 2015-08-12 20:42:14 -0400, Bas Wijnen wrote:
> I have an old key which is not revoked, and a new one that I use for signing
> everything.  I have set the new key as default in gnupg.conf.  When I call gpg
> --local-user="my name" (or more specifically, when debsign calls it that way),
> it selects the old key instead of the new one (I'm guessing it just selects the
> first key that matches the name).  It is counterintuitive that it chooses the
> wrong key after I set the default properly.

yes, it's choosing the key that is linearly first in its keyring.

I agree that key selection on the basis of names should be re-ordered,
but this is not something that's likely to change in the gnupg 1.4.*
branch, for two reasons:

  * there may be people relying on that behavior, which gpg doesn't want
    to break

  * it would require a full linear scan through the keyring every time,
    which is slower than bailing as soon as a single match is found.

In the meantime, you have a possible (clunky) workaround: you can remove
your old key from your keyring and then re-add it.  this will change the
order of the keys in your keyring and will make your new key the first
one found to match your User ID.

I've had some discussions with GnuPG upstream about adjusting the
selection mechanisms for years [0].  I'm not sure when we'll be able to
convince them to make this change, but i'll keep pushing. :/

Regards,

        --dkg

[0] https://lists.gnupg.org/pipermail/gnupg-users/2009-September/037376.html
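An added check for the situation described in this thread (not code from the thread, Debian, or GnuPG): it parses the machine-readable output of `gpg --list-secret-keys --with-colons` and reports whether a name-based `--local-user` would, under the first-match-in-keyring-order behaviour dkg describes, pick a different key from the configured `default-key`. The sample `--with-colons` records, the key ids, fingerprints and User IDs are all constructed; the matching rules (hex spec matches a key id or fingerprint suffix, anything else is a case-insensitive substring of a User ID) are a simplified approximation of gpg's, not its actual code. `move_to_end` models the delete-and-re-add workaround, which leaves the old key last in the keyring.

```python
"""Check whether a name-based --local-user would select a key other than
the configured default-key, given gpg's first-match keyring walk."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (2.x record layout: separate uid records). Two secret keys share one
# User ID; the older key (...AAAAAA) sits first in the keyring.
SAMPLE_COLONS = """\
sec:u:2048:1:1111111111AAAAAA:1230768000:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000001111111111AAAAAA:
uid:u::::1230768000::HASH1::Alice Example <alice@example.org>::::::::::0:
ssb:u:2048:1:2222222222AAAAAA:1230768000:::::::e:::+:::23:
sec:u:4096:1:3333333333BBBBBB:1420070400:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000003333333333BBBBBB:
uid:u::::1420070400::HASH2::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:4444444444BBBBBB:1420070400:::::::e:::+:::23:
"""


@dataclass
class SecretKey:
    keyid: str
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)


def parse_secret_keys(colons: str) -> List[SecretKey]:
    """Parse sec/fpr/uid records, preserving keyring order."""
    keys: List[SecretKey] = []
    for line in colons.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "sec":
            keys.append(SecretKey(keyid=fields[4].upper()))
            # gpg 1.4 puts the primary User ID in field 10 of the sec record
            if len(fields) > 9 and fields[9]:
                keys[-1].uids.append(fields[9])
        elif rtype == "fpr" and keys and not keys[-1].fingerprint:
            # first fpr after a sec record is the primary key's fingerprint;
            # later ones (subkeys) are ignored
            keys[-1].fingerprint = fields[9].upper()
        elif rtype == "uid" and keys:
            keys[-1].uids.append(fields[9])
    return keys


def _hex_spec(spec: str) -> Optional[str]:
    """Return the normalised hex id if spec looks like a key id/fingerprint."""
    s = spec[2:] if spec.lower().startswith("0x") else spec
    if len(s) in (8, 16, 40) and all(c in "0123456789abcdefABCDEF" for c in s):
        return s.upper()
    return None


def select_local_user(keys: List[SecretKey], spec: str) -> Optional[SecretKey]:
    """Emulate the first-match walk: return the first key in keyring order
    that matches spec (approximation of gpg's user-id matching)."""
    spec = spec.strip()
    hexid = _hex_spec(spec)
    for key in keys:
        if hexid is not None:
            if key.fingerprint.endswith(hexid):
                return key
        elif any(spec.lower() in uid.lower() for uid in key.uids):
            return key
    return None


def check_default_key(keys: List[SecretKey], local_user: str,
                      default_key: str) -> Tuple[Optional[SecretKey], Optional[SecretKey], bool]:
    """Return (key chosen for --local-user, key named by default-key,
    whether they differ)."""
    chosen = select_local_user(keys, local_user)
    wanted = select_local_user(keys, default_key)
    return chosen, wanted, (chosen is not None and wanted is not None and chosen is not wanted)


def move_to_end(keys: List[SecretKey], keyid_or_fpr: str) -> List[SecretKey]:
    """Model the delete-then-re-import workaround: the re-added key ends up
    last, so any other matching key is found first."""
    target = select_local_user(keys, keyid_or_fpr)
    return [k for k in keys if k is not target] + ([target] if target else [])


if __name__ == "__main__":
    keys = parse_secret_keys(SAMPLE_COLONS)
    chosen, wanted, mismatch = check_default_key(keys, "Alice Example", "3333333333BBBBBB")
    if mismatch:
        print(f"--local-user by name picks {chosen.keyid}, default-key is {wanted.keyid}")
        print(f"pass the fingerprint instead: --local-user {wanted.fingerprint}")
    after = move_to_end(keys, "1111111111AAAAAA")
    print("after re-adding old key, name selects:", select_local_user(after, "Alice Example").keyid)
```

Passing the default key's fingerprint as `--local-user` (or as the `-k` argument to tools that build the gpg command line) sidesteps the ordering problem entirely, since a full fingerprint matches exactly one key regardless of where it sits in the keyring.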
