Order of lookup methods in --auto-key-retrieve
wiktor at metacode.biz
Sun Jun 30 21:36:56 CEST 2019
One of the lesser known things is that gpg can utilize Web Key Directory
lookup when verifying signatures made to unknown keys:
$ curl -sSL https://metacode.biz/.well-known/security.txt | gpg
gpg: Signature made Sun Jun 24 18:24:28 2018 UTC
gpg: using RSA key 59A29DEA8D37388C656863DFB97A1EE09DB417EC
gpg: issuer "wiktor at metacode.biz"
gpg: requesting key B97A1EE09DB417EC from hkp server 127.0.0.1
gpg: key 6C8857E0D8E8F074: public key "..." imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature ...
The code checks first the keyserver and then the WKD domain. I guess
this is to limit the number of IP-leaking queries and prefer trusted
I'm wondering if reversing the order (first WKD, then keyserver)
wouldn't be a better option. The current mechanism is not perfect, so
that the IP-leaking could still be triggered by attacker by using a
brand new key (that is not published on keyservers).
On the other hand trying WKD first would allow the key holder to return
a good key even if the key was spammed on keyservers to the point of not
I did think about this scenario after reading SKS Keyserver Network
Attack: Consequences  post:
> What's important is my instructions told them to check the digital signature. And today, if they do this it is overwhelmingly likely they'll get a poisoned certificate from the keyserver network and their GnuPG installation will break horribly.
GnuPG first trying WKD when verifying signatures would prevent this
More information about the Gnupg-devel