Doug Barton

Stale keyserver URL

It is fairly common for people to modify their PGP key to specify a keyserver URL and then forget to refresh the key. This problem is especially noticeable when the PGP Corp. keyserver is used, since that server will drop the key if the key owner does not respond to the periodic e-mail messages that are sent to ensure that the key is still valid. It will also remove old keys when new keys are uploaded by the same user.

The stale keyserver URL becomes a problem when someone who has that key in their keyring attempts to refresh it. By default GnuPG attempts to honor the keyserver URL, so the refresh command will not work unless:
  • The owner of the key has uploaded a new version of the key to another server, and
  • The user attempting to refresh the key knows the right combination of commands to query a different server.
Fortunately, this problem is easy to fix. The first step is for the owner of the key to decide whether or not they intend to continue using the keyserver URL. If the answer is yes, all that is necessary is to once again upload the key to that specific server.

If the answer is no, the process is simple:
  • Update the key by removing the keyserver URL
  • Upload the key to the keyserver mentioned in the old keyserver URL
  • Upload the key to another keyserver network, like hkp://pool.sks-keyservers.net
If it is no longer possible to upload the key to the old keyserver, the other steps in the process should still be followed so that users who are able can refresh the key.
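
To see which keys in a keyring embed a keyserver URL, and may therefore fail to refresh as described above, the text output of `gpg --list-packets` can be scanned for the preferred keyserver subpacket. This is an added example, not part of the original article; the function names, key IDs and URLs are constructed, and the sample output is abbreviated.

```shell
#!/bin/sh
# Added example: report keys whose self-signatures carry a preferred
# keyserver URL (signature subpacket 24). Reads `gpg --list-packets`
# text on stdin and prints "KEYID URL" once per pair.
keyserver_urls() {
    awk '
        /^:public key packet:/ { want = 1; next }            # primary key begins
        /^:signature packet:/  { sigkey = $NF; want = 0; next }
        /^:/                   { want = 0; next }            # any other packet
        want && $1 == "keyid:" { key = $2; want = 0; next }  # primary key ID
        # Count only self-signatures: the signer is the primary key itself.
        /preferred keyserver: / && key != "" && sigkey == key {
            url = $0
            sub(/^.*preferred keyserver: /, "", url)
            sub(/\)[ \t]*$/, "", url)
            if (!seen[key SUBSEP url]++) print key, url
        }
    '
}

# Constructed, abbreviated sample shaped like `gpg --list-packets` output.
# Key IDs and URLs are made up.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1300000000, expires 0
    keyid: 1111111111111111
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid 1111111111111111
    version 4, created 1300000000, md5len 0, sigclass 0x13
    hashed subpkt 24 len 31 (preferred keyserver: ldap://keys.old.example.invalid)
:signature packet: algo 1, keyid 4444444444444444
    version 4, created 1305000000, md5len 0, sigclass 0x10
    hashed subpkt 24 len 27 (preferred keyserver: hkp://other.example.invalid)
:public sub key packet:
    keyid: 2222222222222222
:signature packet: algo 1, keyid 1111111111111111
    version 4, created 1300000000, md5len 0, sigclass 0x18
:public key packet:
    keyid: 3333333333333333
:user ID packet: "Bob Example <bob@example.org>"
:signature packet: algo 1, keyid 3333333333333333
    hashed subpkt 27 len 1 (key flags: 03)
EOF
}

sample_packets | keyserver_urls   # prints: 1111111111111111 ldap://keys.old.example.invalid
```

Against a real keyring, the same function is fed with `gpg --export | gpg --list-packets | keyserver_urls`. A key owner removes the URL with the `keyserver` command inside `gpg --edit-key`, giving `none` as the value.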