[PATCH] Disable importing V3 public keys from keyservers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 10 16:25:20 CEST 2014
On 10/10/2014 10:10 AM, David Leon Gil wrote:
> Yes; V3 keys with V3 signatures get a warning / don't work. Have you
> tried this with a V3 key with a *V4* signature?
> Here's Ben Laurie's key. Results of gpg2 --import:
> gpg: pub 4090R/0x1B080C452719AF35 2013-08-05 Ben Laurie <ben at links.org>
> gpg: using PGP trust model
> gpg: key 0x1B080C452719AF35: public key "Ben Laurie <ben at links.org>" imported
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
Sorry, I hadn't tested this part, and you're quite right. I agree that
we should reject v3 keys on import entirely.
Just blocking MD5 is insufficient, and gpg 2.1 does successfully import
your demonstration key.
PS if Ben Laurie is reading this, sorry that you got used as an example!
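The point made in the thread, that a v3 key carrying a v4 signature gets past a check aimed only at MD5 signatures, can be shown with an import filter that looks at the key packet's own version octet. This is an added example, not GnuPG code and not part of the original message; the function names are hypothetical and the sample packets are constructed toy values, framed per RFC 4880 section 4.2.

```python
# Added example (not GnuPG code): refuse key data holding any v2/v3 key packet.
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
def packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("bad packet header")
        if first & 0x40:                      # new-format header
            tag, o = first & 0x3F, data[i + 1]
            if o < 192:
                length, i = o, i + 2
            elif o < 224:
                length, i = ((o - 192) << 8) + data[i + 2] + 192, i + 3
            elif o == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not supported")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                    # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def legacy_key_packets(data):
    """Return [(kind, version)] for key packets older than v4 (empty body raises)."""
    return [(KEY_TAGS[t], b[0]) for t, b in packets(data) if t in KEY_TAGS and b[0] < 4]

def accept_for_import(data):
    """Policy sketch: no legacy key packets allowed; parse errors fail closed."""
    try:
        return not legacy_key_packets(data)
    except (ValueError, IndexError):
        return False

# Constructed sample packets (toy values, not a real key).
def pkt(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body   # old format, 1-octet length
MPIS = b"\x00\x08\xc5\x00\x02\x03"
V3_KEY = pkt(6, bytes([3]) + bytes(4) + bytes(2) + bytes([1]) + MPIS)
V4_KEY = pkt(6, bytes([4]) + bytes(4) + bytes([1]) + MPIS)
UID = pkt(13, b"Constructed <test@example.invalid>")
SIG_V4 = bytes([0xC2, 10]) + bytes([4, 0x13, 1, 8]) + bytes(6)   # new format, stub body
```

The decision depends only on the first octet of each key packet, so the version or hash algorithm of the attached signatures does not change the outcome.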