[PATCH] Disable importing V3 public keys from keyservers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 10 16:25:20 CEST 2014
On 10/10/2014 10:10 AM, David Leon Gil wrote:
> Yes; V3 keys with V3 signatures get a warning / don't work. Have you
> tried this with a V3 key with a *V4* signature?
>
> Here's Ben Laurie's key. Results of gpg2 --import:
>
> gpg: pub 4090R/0x1B080C452719AF35 2013-08-05 Ben Laurie <ben at links.org>
> gpg: using PGP trust model
> gpg: key 0x1B080C452719AF35: public key "Ben Laurie <ben at links.org>" imported
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)

sorry, i hadn't tested this part, and you're quite right. I agree that
we should reject v3 keys on import entirely.

Just blocking MD5 is insufficient, and gpg 2.1 does successfully import
your demonstration key.

--dkg

PS if Ben Laurie is reading this, sorry that you got used as an example!
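
The check discussed in this message, as an added example that is not part of the original e-mail or of GnuPG's code: a pre-import filter that reads the version octet of every public-key packet in binary OpenPGP data and rejects anything older than v4, whatever version the attached signatures are. The function names are hypothetical, the packet framing follows RFC 4880, and the sample bytes are constructed stubs that carry only packet headers and version octets.

```python
import struct

PUBKEY_TAGS = {6, 14}  # public-key and public-subkey packets (RFC 4880)

def iter_packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: 6-bit tag, variable-length length
            tag = hdr & 0x3F
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:
                length = struct.unpack(">I", data[pos + 1:pos + 5])[0]
                pos += 5
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def key_versions(data):
    """Return the version octet of every public key or subkey packet."""
    return [b[0] for tag, b in iter_packets(data) if tag in PUBKEY_TAGS and b]

def should_reject(data):
    """True if any key packet is older than version 4, whatever signs it."""
    return any(v < 4 for v in key_versions(data))

# Constructed stubs: a v3 key packet followed by a v4 signature packet, and a v4 key.
V3_KEY_V4_SIG = bytes([0x99, 0x00, 0x03, 3, 0, 0]) + bytes([0x88, 0x02, 4, 0x10])
V4_KEY = bytes([0xC6, 0x02, 4, 0])
```

The decision is made on the key packet alone, so a v3 key carrying a v4 signature is still flagged.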