Order of lookup methods in --auto-key-retrieve

Wiktor Kwapisiewicz wiktor at metacode.biz
Sun Jun 30 21:36:56 CEST 2019


One of the lesser known things is that gpg can utilize Web Key Directory 
lookup when verifying signatures made to unknown keys:

$ curl -sSL https://metacode.biz/.well-known/security.txt | gpg 
--auto-key-retrieve --verify
gpg: Signature made Sun Jun 24 18:24:28 2018 UTC
gpg:                using RSA key 59A29DEA8D37388C656863DFB97A1EE09DB417EC
gpg:                issuer "wiktor at metacode.biz"
gpg: requesting key B97A1EE09DB417EC from hkp server
gpg: key 6C8857E0D8E8F074: public key "..." imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature ...

The code checks first the keyserver and then the WKD domain. I guess 
this is to limit the number of IP-leaking queries and prefer trusted 

I'm wondering if reversing the order (first WKD, then keyserver) 
wouldn't be a better option. The current mechanism is not perfect, so 
that the IP-leaking could still be triggered by attacker by using a 
brand new key (that is not published on keyservers).

On the other hand trying WKD first would allow the key holder to return 
a good key even if the key was spammed on keyservers to the point of not 
being usable.

I did think about this scenario after reading SKS Keyserver Network 
Attack: Consequences [0] post:

> What's important is my instructions told them to check the digital signature. And today, if they do this it is overwhelmingly likely they'll get a poisoned certificate from the keyserver network and their GnuPG installation will break horribly.

GnuPG first trying WKD when verifying signatures would prevent this 
specific issue.

Kind regards,

[0]: https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e


More information about the Gnupg-devel mailing list