--with-sig-check silently ignored when used with --import and --recv-keys

Daniel Roesler diafygi at gmail.com
Sun May 3 01:02:46 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy all,

I've been playing around with key signatures and ran across an interesting
situation. For some reason, --with-sig-check is silently ignored when used with
--import and --recv-keys. Is this something I should file a bug on?

==Summary==

I have set up a public key for Alice that has one valid signature from Bob and
one invalid signature from Mallory.

http://p80.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xA5452207

When you import Alice's public key via gpg --import or --recv-keys, GnuPG does
not verify the signatures on Alice's public key, even if I have Bob and/or
Mallory's public keys already in my keyring.


==Steps To Reproduce==

1. Request Bob and Mallory's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check 65B57FDF B8062D4C
> gpg: requesting key 65B57FDF from hkp server keys.gnupg.net
> gpg: requesting key B8062D4C from hkp server keys.gnupg.net
> gpg: key 65B57FDF: public key "Bob User (Good Signature) <bob+goodsig at example.com>" imported
> gpg: key B8062D4C: public key "Mallory User (Bad Signature) <mallory+badsig at example.com>" imported
> gpg: Total number processed: 2
> gpg:               imported: 2  (RSA: 2)

2. Request Alice's public key from the keyserver.

> $ gpg2 --recv-keys --with-sig-check A5452207
> gpg: requesting key A5452207 from hkp server keys.gnupg.net
> gpg: key A5452207: public key "Alice User (Signature Test) <alice+sigtest at example.com>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

3. Checking signatures shows that Mallory's signature is bad.

> $ gpg2 --check-sigs
> /home/user/testring/pubring.gpg
> ------------------------------------------
> pub   2048R/65B57FDF 2015-04-01
> uid                  Bob User (Good Signature) <bob+goodsig at example.com>
> sig!3        65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
> sub   2048R/83518D34 2015-04-01
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
>
> pub   2048R/B8062D4C 2015-04-01
> uid                  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sig!3        B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sub   2048R/FDE6C57B 2015-04-01
> sig!         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
>
> pub   2048R/A5452207 2015-04-01
> uid                  Alice User (Signature Test) <alice+sigtest at example.com>
> sig!3        A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest at example.com>
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig at example.com>
> sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig at example.com>
> sub   2048R/0BE64ECE 2015-04-01
> sig!         A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest at example.com>
>
> 1 bad signature

==What Should Happen==

When importing public keys, --with-sig-check should not get silently ignored
when added to --import or --recv-keys. Alternatively, the --with-sig-check flag
should throw an error if included with --import or --recv-keys since silently
ignoring it might make a user assume that all signatures were valid.

Thanks!
Daniel Roesler

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVRVcQAAoJEOf2+tFy7+494jMP/RPTkAj94Q4ZCkyWvbMmcKqs
2y18GOhY1ETwTIlYPNY6ley8LhOpGZS7DmQ+vczpMf9PCCoTkBvUCdorwbSo1B2c
N2t71jn65/wAQAYSGirTYCqqFALf9EZVk70RcjOIHc7jxr0sp3kUllCKBtNuRYWj
i2+JOVV8+/qWkByxEkCTSY0N7w83IivRqRdVsfsm4kaDI7cQJ8l/ETPtS3nzSJcQ
s1RRtvwEw/yOnBvHZ1Q1WnQAR9P2edafzR4Wx/UTgtJqj1pRaE4f6ceiW5eGtX6N
UQoBoFQ0+iMVvtNGX6eE/1bvp8uifnIWKfQOacUHO/eq2AdH2pkBgKe5yl0vL4dN
wEbjTm046c2SQf6e57EfwNAX2dVjDsLUFOnLdYxAE0wUX40MlbYI+5we1LATAfoV
CruDl2BWUKUM7QgT9Aiv6GSh2q+btVhljX13wVuhPMeXr+xorMq4R5XPdzimdnyH
CSkIsonf21I9AbESOvG5nH7hbeRgAHn5sE9Zvj/+AsFpjV/5cAWyA6/R+vk9d6/J
rUpap0MxtK79ZP35U1w57pbESMniE+owEDlTUd/Jjy3rbcdvmAUVJPdFJDqJmo7k
q5MjfsgPeedLBC1bXklR30jyQyoOAerbiCWnpW6390AJDF+oRyJ2+r+dhTSJBm26
3WLQkeeHKZnSpbwrMDDs
=6tWl
-----END PGP SIGNATURE-----
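The check the post says is missing, as an added example (this is not part of Daniel's message and not GnuPG's own code): because --with-sig-check has no effect on --import or --recv-keys, a script that pulls keys in has to follow up with gpg --check-sigs and refuse bad signatures itself. The parser below reads the machine-readable --with-colons form of that output; the status letters in field 2 of a sig record ('!' good, '-' bad, '?' signer key not in the keyring, '%' other error) are as documented in GnuPG's doc/DETAILS. The sample output is constructed to mirror the keyring shown above, abbreviated and using the post's short key IDs in place of the full 16-hex IDs and epoch timestamps that real output carries; the gpg2 binary name and the --homedir handling in run_check_sigs are assumptions.

```python
"""Audit key signatures after `gpg --import` / `--recv-keys`.

Added example, not from the original post: --with-sig-check is ignored during
import, so a freshly imported key must be checked in a second step with
`gpg --check-sigs`. This parses the `--with-colons` form of that output and
flags bad signatures so a script can refuse to trust the key.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Meaning of field 2 of a "sig" record in `gpg --check-sigs --with-colons`
# (GnuPG doc/DETAILS): '!' good, '-' bad, '?' signer key not in keyring,
# '%' other error. An empty field means the signature was not checked.
SIG_STATUS = {"!": "good", "-": "bad", "?": "no-signer-key", "%": "error", "": "unchecked"}


@dataclass
class SigResult:
    key: str         # key ID of the key that carries the signature
    signer: str      # key ID of the key that made the signature
    status: str      # one of the SIG_STATUS values
    signer_uid: str  # signer's user ID as printed by gpg (may be empty)


def parse_check_sigs(lines: Iterable[str]) -> list[SigResult]:
    """Parse colon-format --check-sigs output into a list of SigResult."""
    results: list[SigResult] = []
    current_key: Optional[str] = None
    for line in lines:
        fields = line.rstrip("\n").split(":")
        rtype = fields[0]
        if rtype == "pub":
            current_key = fields[4]          # field 5: key ID of the primary key
        elif rtype == "sig" and current_key is not None:
            # Signatures on the uid and sub records that follow a pub record
            # all belong to that primary key.
            results.append(SigResult(
                key=current_key,
                signer=fields[4],                                 # field 5: signer key ID
                status=SIG_STATUS.get(fields[1], "unchecked"),    # field 2: status letter
                signer_uid=fields[9] if len(fields) > 9 else "",  # field 10: signer user ID
            ))
    return results


def bad_signatures(results: Iterable[SigResult]) -> list[SigResult]:
    """Signatures that --check-sigs marked as bad ('-')."""
    return [r for r in results if r.status == "bad"]


def summarize(results: Iterable[SigResult]) -> dict[str, dict[str, int]]:
    """Per-key count of each status, e.g. {'A5452207': {'good': 3, 'bad': 1}}."""
    summary: dict[str, dict[str, int]] = {}
    for r in results:
        per_key = summary.setdefault(r.key, {})
        per_key[r.status] = per_key.get(r.status, 0) + 1
    return summary


def run_check_sigs(gnupghome: Optional[str] = None, gpg_bin: str = "gpg2") -> list[SigResult]:
    """Run gpg on a real keyring and parse its output (assumed invocation; not run offline)."""
    cmd = [gpg_bin]
    if gnupghome:
        cmd += ["--homedir", gnupghome]
    cmd += ["--batch", "--with-colons", "--check-sigs"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_check_sigs(out.splitlines())


# Constructed sample: abbreviated colon-format rendering of the keyring in the
# post (Alice signed by Bob: good; by Mallory: bad). Real output has 16-hex
# key IDs, epoch timestamps and more fields per record.
SAMPLE_OUTPUT = """\
pub:-:2048:1:65B57FDF:2015-04-01:::-:::scESC:
uid:-::::2015-04-01::::Bob User (Good Signature) <bob+goodsig@example.com>:
sig:!::1:65B57FDF:2015-04-01::::Bob User (Good Signature) <bob+goodsig@example.com>:13x:
sub:-:2048:1:83518D34:2015-04-01::::::e:
sig:!::1:65B57FDF:2015-04-01::::Bob User (Good Signature) <bob+goodsig@example.com>:18x:
pub:-:2048:1:A5452207:2015-04-01:::-:::scESC:
uid:-::::2015-04-01::::Alice User (Signature Test) <alice+sigtest@example.com>:
sig:!::1:A5452207:2015-04-01::::Alice User (Signature Test) <alice+sigtest@example.com>:13x:
sig:!::1:65B57FDF:2015-04-01::::Bob User (Good Signature) <bob+goodsig@example.com>:10x:
sig:-::1:B8062D4C:2015-04-01::::Mallory User (Bad Signature) <mallory+badsig@example.com>:10x:
sub:-:2048:1:0BE64ECE:2015-04-01::::::e:
sig:!::1:A5452207:2015-04-01::::Alice User (Signature Test) <alice+sigtest@example.com>:18x:
"""


if __name__ == "__main__":
    parsed = parse_check_sigs(SAMPLE_OUTPUT.splitlines())
    for bad in bad_signatures(parsed):
        print(f"BAD signature on {bad.key} by {bad.signer} ({bad.signer_uid})")
    print(summarize(parsed))
```

In a real import pipeline the call would be run_check_sigs("/home/user/testring") right after the --recv-keys step, with the import rejected (or the key left untrusted) whenever bad_signatures() is non-empty; a '?' status deserves the same scrutiny, since it means the signer's key was not available to check against.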