Getting gpg to import signatures again
The GnuPG (gpg) ecosystem has been played with a bit in 2019 by adding fake signatures en masse to well-known keys. The main result is that the SKS Keyserver network, based on the OCaml software of the same name, is basically history. A few other keyservers have come up, like Hagrid (Rust) and Hockeypuck (Go), but there seems to be no clear winner yet. In case you missed it in 2019, see my take on cleaning these polluted keys.
Now the changed defaults in gpg to "mitigate" this issue are trickling down to even the conservative distributions. Debian Bullseye has self-sigs-only on gpg 2.2.27 and it looks like Debian Bookworm will get gpg 2.2.40. This would add import-clean but Daniel Kahn Gillmor patched it out. He argues correctly that this new default could delete data from good locally stored pubkeys.
This all ends in you getting some random combination of self-sigs-only and / or import-clean depending on which Linux distribution and version you happen to use.
Better be explicit. I recommend to add:
~/.gnupg/gpg.conf to make sure you can manage signatures yourself and receive them from keyservers or local imports as intended.
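One way to check what a given gpg.conf actually pins, as an added example that is not part of the original post: the script reports, for keyserver-options and import-options, whether self-sigs-only and import-clean are switched on, switched off with the no- prefix, or left to the distribution default. The function names and the sample file are constructed for illustration, and options are assumed to be written with their full names.

```shell
#!/bin/sh
# Added example (not from the original post): audit a gpg.conf for explicit
# self-sigs-only / import-clean settings. Assumes full option names.

# state_of FILE DIRECTIVE OPTION -> prints on, off or default
state_of() {
    awk -v dir="$2" -v opt="$3" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == dir {
            for (i = 2; i <= NF; i++) {           # arguments split on blanks...
                n = split($i, parts, ",")         # ...and on commas
                for (j = 1; j <= n; j++) {
                    if (parts[j] == opt) state = "on"
                    else if (parts[j] == ("no-" opt)) state = "off"
                }
            }
        }
        END { print (state == "" ? "default" : state) }   # last entry wins
    ' "$1"
}

# audit_gpg_conf FILE -> one report line per directive/option pair;
# returns 1 if any pair is left to whatever default the distribution ships.
audit_gpg_conf() {
    rc=0
    for dir in keyserver-options import-options; do
        for opt in self-sigs-only import-clean; do
            s=$(state_of "$1" "$dir" "$opt")
            echo "$dir $opt: $s"
            if [ "$s" = default ]; then rc=1; fi
        done
    done
    return "$rc"
}

# Constructed sample: keyserver side pinned explicitly, local imports not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example, not the author's gpg.conf
keyserver-options no-self-sigs-only,no-import-clean
import-options import-clean
EOF
audit_gpg_conf "$sample" || echo "some settings follow the distribution default"
rm -f "$sample"
```

Pointing audit_gpg_conf at ~/.gnupg/gpg.conf shows which of the four settings still depend on the gpg build installed.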
In case you care: See info gnupg --index-search=keyserver-options for the fine documentation. Of course apt install info first to be able to read info pages. 'cause who still used them in 2023? Oh, wait...