[PATCH] Disable importing V3 public keys from keyservers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 10 16:05:40 CEST 2014
On 10/10/2014 09:00 AM, David Leon Gil wrote:
> On Fri, Oct 10, 2014 at 2:33 AM, Nicholas Cole <nicholas.cole at gmail.com> wrote:
>> What's the thinking behind this patch?
>
> There's little point in having a filter for long keyids if GnuPG will
> import V3 keys from a keyserver; V3 long (and short) keyids are
> trivially spoofable. (The 0xdeadbeef "attack".)
full v3 fingerprints are also spoofable …
> V3 keys make up fewer than 3% of the keys in SKS and are mostly very,
> very old. A patch with slightly less impact: Only allow V3 keys if a
> V3 fingerprint is given.
So this proposal won't help either.
I am happy that the MD5 limit will make it impossible to import v3 keys
at all with 2.1.
I just tested this with Ben Laurie's old v3 key (0x1B080C452719AF35),
and it's correct that gpg 2.1 won't import it. But there was some
non-repeatable problem with gpg2.1 initially *removing* the key for some
reason, so i had to fall back to gpg1 to remove it:
2 dkg at alice:~$ gpg2 --delete-key 0x1B080C452719AF35
gpg: there is a secret key for public key "0x1B080C452719AF35"!
gpg: use option "--delete-secret-keys" to delete it first.
2 dkg at alice:~$ gpg --list-keys 0x1B080C452719AF35
pub 1024R/0x1B080C452719AF35 1995-05-13
Key fingerprint = 3F D9 FA 49 8B 6D 60 95 5B E3 AD 83 67 7F 9E 69
uid [ unknown] Ben Laurie <ben at apache.org>
uid [ undef ] Ben Laurie <ben at algroup.co.uk>
uid [ unknown] Ben Laurie <ben at links.org>
uid [ unknown] Ben Laurie <ben at thebunker.net>
0 dkg at alice:~$ gpg --delete-keys 0x1B080C452719AF35
pub 1024R/0x1B080C452719AF35 1995-05-13 Ben Laurie <ben at apache.org>
Delete this key from the keyring? (y/N) y
0 dkg at alice:~$
weird, eh? I swear i don't have a copy of ben laurie's secret key! :)
i haven't been able to replicate that error yet either. But once i did
remove the key, gpg 2.1 doesn't import it:
2 dkg at alice:~$ gpg2 --recv 0x1B080C452719AF35
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 0x1B080C452719AF35: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
2 dkg at alice:~$ gpg2 --list-keys 0x1B080C452719AF35
gpg: error reading key: No public key
2 dkg at alice:~$
However, using the same keyring with gpg1, it will import:
2 dkg at alice:~$ gpg --recv 0x1B080C452719AF35
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see http://www.gnupg.org/faq/weak-digest-algos.html for more
information
gpg: key 0x1B080C452719AF35: public key "Ben Laurie <ben at apache.org>"
imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
0 dkg at alice:~$ gpg --list-keys 0x1B080C452719AF35
gpg: please do a --check-trustdb
pub 1024R/0x1B080C452719AF35 1995-05-13
Key fingerprint = 3F D9 FA 49 8B 6D 60 95 5B E3 AD 83 67 7F 9E 69
uid [ unknown] Ben Laurie <ben at apache.org>
uid [ unknown] Ben Laurie <ben at links.org>
uid [ undef ] Ben Laurie <ben at algroup.co.uk>
uid [ unknown] Ben Laurie <ben at thebunker.net>
0 dkg at alice:~$
And then it will be visible to gpg 2.1 again:
0 dkg at alice:~$ gpg2 --list-keys 0x1B080C452719AF35
gpg: please do a --check-trustdb
pub rsa1024/0x1B080C452719AF35 1995-05-13
Key fingerprint = 3F D9 FA 49 8B 6D 60 95 5B E3 AD 83 67 7F 9E 69
uid [ unknown] Ben Laurie <ben at apache.org>
uid [ unknown] Ben Laurie <ben at links.org>
uid [ undef ] Ben Laurie <ben at algroup.co.uk>
uid [ unknown] Ben Laurie <ben at thebunker.net>
0 dkg at alice:~$
Of course, now it does delete:
0 dkg at alice:~$ gpg2 --delete-keys 0x1B080C452719AF35
pub rsa1024/0x1B080C452719AF35 1995-05-13 Ben Laurie <ben at apache.org>
Delete this key from the keyring? (y/N) y
0 dkg at alice:~$ gpg2 --list-keys 0x1B080C452719AF35
gpg: please do a --check-trustdb
gpg: error reading key: No public key
2 dkg at alice:~$
weird,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141010/ba0a99c6/attachment-0001.sig>
More information about the Gnupg-devel
mailing list