[PATCH] Disable importing V3 public keys from keyservers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 10 16:25:20 CEST 2014

On 10/10/2014 10:10 AM, David Leon Gil wrote:
> Yes; V3 keys with V3 signatures get a warning / don't work. Have you
> tried this with a V3 key with a *V4* signature?
> Here's Ben Laurie's key. Results of gpg2 --import:
> gpg: pub  4090R/0x1B080C452719AF35 2013-08-05  Ben Laurie <ben at links.org>
> gpg: using PGP trust model
> gpg: key 0x1B080C452719AF35: public key "Ben Laurie <ben at links.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

sorry, i hadn't tested this part, and you're quite right.  I agree that
we should reject v3 keys on import entirely.

Just blocking MD5 is insufficient, and gpg 2.1 does successfully import
your demonstration key.


PS if Ben Laurie is reading this, sorry that you got used as an example!
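
An added illustration of the point made in this message (not code from the message or from GnuPG): a minimal OpenPGP packet walker that compares a filter rejecting only MD5 signatures with one rejecting any key packet older than v4. The function names and the sample bytes are constructed for this example; the packet layout assumed is that of RFC 4880.

```python
# Added example; all names are hypothetical. Packet layout per RFC 4880.
KEY_TAGS = {5, 6, 7, 14}  # secret key, public key, secret subkey, public subkey
SIG_TAG, HASH_MD5 = 2, 1

def packets(data):
    """Yield (tag, body) for each packet in binary (de-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:  # new-format header
            tag, o1 = hdr & 0x3F, data[i]; i += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial lengths are only for data packets")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            size = (1, 2, 4, 0)[ltype]  # ltype 3: body runs to end of input
            n = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size
        if n == 0 or i + n > len(data):
            raise ValueError("empty or truncated packet")
        yield tag, data[i:i + n]
        i += n

def md5_only_filter(data):
    """Weak check: accept unless some signature packet uses MD5."""
    for tag, body in packets(data):
        # hash algorithm octet: offset 3 in a v4 signature, 16 in a v3 one
        if tag == SIG_TAG and body[3 if body[0] >= 4 else 16] == HASH_MD5:
            return False
    return True

def key_version_filter(data):
    """Stricter check: accept only if every key packet is v4 or later."""
    return all(b[0] >= 4 for t, b in packets(data) if t in KEY_TAGS)

def old_pkt(tag, body):  # old-format header with a two-octet length
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample (not a real key): v3 RSA key packet + v4 SHA-256 signature
MPIS = b"\x00\x10\xc3\x55" + b"\x00\x11\x01\x00\x01"
V3_KEY = old_pkt(6, b"\x03" + b"\x52\x00\x00\x00" + b"\x00\x00" + b"\x01" + MPIS)
V4_SIG = old_pkt(2, bytes([4, 0x13, 1, 8]) + b"\x00\x00\x00\x00\xab\xcd\x00\x07\x7f")
```

On the constructed sample, `md5_only_filter(V3_KEY + V4_SIG)` accepts the input while `key_version_filter(V3_KEY + V4_SIG)` refuses it.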
