Disable importing V3 public keys from keyservers

David Leon Gil coruus at gmail.com
Fri Oct 10 20:47:36 CEST 2014


On Fri, Oct 10, 2014 at 2:13 PM, Werner Koch <wk at gnupg.org> wrote:
> Sure, gpg will import those keys - but they are not usable:

The reason GnuPG can't encrypt to those keys is that the signature
packet does not have the "encrypt" key usage flag set, as doing gpg
--list-packets would show you. (I didn't set these flags in the sample
code so that people wouldn't inadvertently encrypt to these spoofed
keys.)

If I set those bits, this works:

    gpg2 --home ./test --keyserver 127.0.0.1 -r wk at gnupg.org -e test/pubring.gpg
    gpg: 621CC013: There is no assurance this key belongs to the named user

    pub  3839R/621CC013 2013-08-05 Werner Koch <wk at gnupg.org>
    Primary key fingerprint: F5 05 05 91 B3 2C F2 E2  DB 25 4C 41 D4 16 4A 13

(It obviously isn't your key: it's >> 2048 bits.)

Attached. Try it for yourself.

> The real bug with faked keys is that they will clog the keyring because
> we take the first matching _keyid_.  But the very same problem exists
> with v4 keys.  Indeed, we better fix that problem for 2.1.0.

Very much agree; this is why I'm particularly concerned about
keyservers. (It's just an easy way for anyone on a public wifi
network, say, to generate a key that will make verifying downloaded
software impossible for anyone without a lot of experience using
GnuPG.)

> Aihh, those old broken v3 keys.  The usual practice of checking creation
> date and key length in addition to the fingerprint comes to mind of old
> timers.

Agreed. Is showing fingerprints the default in 2.1.0 then? (Maybe this
could get added to point releases too.)
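The "check creation date and key length in addition to the fingerprint" practice from the exchange above, as an added example that is not part of the thread: it parses the machine-readable output of `gpg --with-colons --list-keys`, groups keys by 32-bit short key ID, and reports groups whose members have different fingerprints. The sample output is constructed; the first record is the spoofed 3839-bit key shown in the post, the second is a fictitious 2048-bit key with a placeholder fingerprint.

```python
"""Spot key-ID collisions (e.g. spoofed v3 keys pulled from a keyserver) in
`gpg --with-colons --list-keys` output. Field positions follow GnuPG's
doc/DETAILS; the sample keyring below is constructed for this example."""
from collections import defaultdict

# gpg's one-letter algorithm codes as printed in `pub  3839R/...` lines.
ALGO = {"1": "R", "17": "D", "16": "g"}

# Constructed sample: two "Werner Koch" keys sharing short key ID 621CC013.
# Only the first fingerprint is the one quoted in the post; the rest are
# placeholders. Creation date may be epoch seconds in newer GnuPG versions.
SAMPLE = """\
pub:u:3839:1:00000000621CC013:2013-08-05::::::escaESCA:
fpr:::::::::F5050591B32CF2E2DB254C41D4164A13:
uid:u::::2013-08-05::::Werner Koch <wk at gnupg.org>:
pub:u:2048:1:AAAAAAAA621CC013:2011-01-01::::::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2011-01-01::::Werner Koch <wk at gnupg.org>:
"""


def parse_keys(colons_output):
    """Return one dict per primary key (bits, algo, keyid, created, caps, fpr, uids)."""
    keys, cur = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"bits": int(f[2]), "algo": f[3], "keyid": f[4].upper(),
                   "created": f[5], "caps": f[11] if len(f) > 11 else "",
                   "fpr": None, "uids": []}
            keys.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fpr"] is None:  # first fpr after pub is the primary's
            cur["fpr"] = f[9].upper()
        elif f[0] == "uid":
            cur["uids"].append(f[9])
    return keys


def keyid_collisions(keys):
    """Group by 32-bit short key ID; keep only groups with more than one fingerprint."""
    groups = defaultdict(list)
    for k in keys:
        groups[k["keyid"][-8:]].append(k)
    return {kid: ks for kid, ks in groups.items() if len({k["fpr"] for k in ks}) > 1}


def describe(key):
    """One line per key with everything a human should compare, not just the key ID."""
    ver = "v3" if len(key["fpr"]) == 32 else "v4"  # MD5 (16-byte) vs SHA-1 (20-byte) fingerprint
    return (f"{key['bits']}{ALGO.get(key['algo'], '?')}/{key['keyid'][-8:]} {key['created']} "
            f"{ver} fpr={key['fpr']} caps={key['caps']} uid={key['uids'][0] if key['uids'] else '?'}")
```

Run `gpg --with-colons --list-keys` and feed its output to `parse_keys`; any group returned by `keyid_collisions` is a keyring where the short key ID alone no longer identifies a key.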