[PATCH GnuPG 2/2] gpg: allow import of previously known keys, even without UIDs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 13 19:44:11 CEST 2019


On Mon 2019-05-13 12:19:20 -0400, Daniel Kahn Gillmor wrote:
> It would be great to add a test to the test suite for this behavior --
> to show what does *not* work before the patch is applied, and then to
> have the test suite succeed after the patches are applied.  This would
> also help us avoid regressions on this behavior in the future.

Following up on this test regime, here are 2 additional OpenPGP
certificates that use the same primary key and lack user IDs, but
dealing with revocations of key material:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: [D] primary key, subkey, subkey revocation (no user ID)

mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
=dwx2
-----END PGP PUBLIC KEY BLOCK-----


-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: [E] primary key, revocation signature over primary (no user ID)

mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
=tM90
-----END PGP PUBLIC KEY BLOCK-----

I believe that failing to import these revocation certificates
represents a security risk to users of GnuPG, because it means leaving
the user with a certificate that GnuPG knows is revoked, but it is left
unrevoked.

        --dkg
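As an added example, not part of dkg's message or of GnuPG's own code, the following
Python script walks the packets of the two armored blocks above using only the standard
library, so the claims in the Comment lines can be checked before the blocks are fed to
gpg: both decode to a primary key packet (tag 6) with no User ID packet (tag 13) at all;
[D] carries a public subkey (tag 14) followed by a subkey revocation signature (type
0x28), and [E] a key revocation signature (type 0x20) over the primary. It also computes
the v4 fingerprint of the primary key and checks that each revocation's issuer-fingerprint
subpacket names that same key, which is what makes these revocations self-issued and
therefore ones GnuPG can recognise as valid. The parser is a minimal one written for this
example: it handles old- and new-format packet headers and v4 signatures, skips the
armor CRC line without verifying it, and does not verify the EdDSA signatures themselves.
The two certificate strings are the blocks from the message, embedded verbatim as input.

```python
"""Packet-level look at certificates [D] and [E] (Python stdlib only; blocks embedded verbatim)."""
import base64
import hashlib

CERT_D = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: [D] primary key, subkey, subkey revocation (no user ID)

mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
=dwx2
-----END PGP PUBLIC KEY BLOCK-----"""
CERT_E = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: [E] primary key, revocation signature over primary (no user ID)

mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
=tM90
-----END PGP PUBLIC KEY BLOCK-----"""
SIGNATURE, PUBKEY, USERID, PUBSUBKEY = 2, 6, 13, 14  # packet tags, RFC 4880 section 4.3
KEY_REVOCATION, SUBKEY_REVOCATION = 0x20, 0x28       # signature types, RFC 4880 section 5.2.1

def dearmor(text):  # drop the armor headers and the "=xxxx" CRC line (not verified), base64-decode
    lines = [ln.strip() for ln in text.strip().splitlines()[1:-1]]  # skip BEGIN/END lines
    body = lines[lines.index("") + 1:]                               # headers end at the blank line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def nf_length(buf, pos):  # new-format packet/subpacket length octets -> (length, octets used)
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), 5
    raise ValueError("partial body lengths not supported")

def packets(data):  # yield (tag, body) for every packet of a binary OpenPGP stream
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0x40:                                   # new-format header
            tag = hdr & 0x3F
            length, used = nf_length(data, pos + 1)
        else:                                            # old-format header (what gpg emits here)
            if hdr & 0x03 == 3:
                raise ValueError("indeterminate packet length not supported")
            tag, used = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            length = int.from_bytes(data[pos + 1:pos + 1 + used], "big")
        pos += 1 + used
        yield tag, data[pos:pos + length]
        pos += length

def subpackets(area):  # yield (type, value) from a signature subpacket area, critical bit masked
    pos = 0
    while pos < len(area):
        length, used = nf_length(area, pos)
        pos += used
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def parse_signature(body):  # the v4 signature fields that matter when judging a revocation
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig = {"type": body[1], "pk_algo": body[2], "hash_algo": body[3]}
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    for sub, val in subpackets(body[6:6 + hlen]):               # hashed area
        if sub == 33 and val[0] == 4:                           # issuer fingerprint of a v4 key
            sig["issuer_fpr"] = val[1:].hex().upper()
        elif sub == 29:                                         # reason for revocation
            sig["reason"] = val[0]
    for sub, val in subpackets(body[8 + hlen:8 + hlen + ulen]):  # unhashed area
        if sub == 16:                                           # issuer key ID
            sig["issuer_keyid"] = val.hex().upper()
    return sig

def v4_fingerprint(key_body):  # SHA-1 over 0x99 || two-byte length || key packet body, RFC 4880 12.2
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def summarize(armored):  # packet tags, User ID presence, primary fingerprint and parsed signatures
    pkts = list(packets(dearmor(armored)))
    return {"tags": [tag for tag, _ in pkts],
            "has_uid": any(tag == USERID for tag, _ in pkts),
            "primary_fpr": next(v4_fingerprint(body) for tag, body in pkts if tag == PUBKEY),
            "sigs": [parse_signature(body) for tag, body in pkts if tag == SIGNATURE]}

def self_issued_revocations(summary):  # 0x20/0x28 signatures whose issuer is this very primary key
    return [sig for sig in summary["sigs"] if sig["type"] in (KEY_REVOCATION, SUBKEY_REVOCATION)
            and sig.get("issuer_fpr") == summary["primary_fpr"]]

if __name__ == "__main__":
    for label, cert in (("D", CERT_D), ("E", CERT_E)):
        info = summarize(cert)
        print(label, info["tags"], info["has_uid"], info["primary_fpr"], self_issued_revocations(info))
```

Run as a script it prints, for each certificate, the packet tag sequence, whether any
User ID packet is present, the primary key's fingerprint and the revocation signatures
that are issued by that same key. summarize() can be pointed at any armored public key
block; has_uid is the flag that separates these test certificates from the usual case, and
a revocation in self_issued_revocations() is exactly the kind of material the message
argues must not be dropped on import.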