Import manipulated public key, gpg 1.4.11 corrupts database [1445]

KB Sriram mail_kb at
Fri Dec 14 20:50:02 CET 2012

A quick ping to the list about (filed about a week back.)

The summary is that one can craft a public key that causes gpg --import to corrupt its pubring.gpg database, at which point most subsequent gpg operations (including --delete-key) fail. Also, just running gpg without importing it (specifically: "gpg thebadkey.gpg") shows no errors and an apparently valid key.

It's at least a nuisance as the database has to be restored manually from pubring.pgp~, and I also don't know whether other tools that use gpg in the background expose an obvious way to restore the database. (Might there be additional complications if such keys were published via keyservers?)

At any rate, thought I'd point to this issue in the mailing list as well, in case it is a real problem (and my apologies if someone has already looked at it and just not updated the status -- it says 'unread' at the moment.)

Best regards,

More information about the Gnupg-devel mailing list