Garbled data in keyservers

Stefan Claas stefan.claas at
Mon Dec 10 17:32:36 CET 2018

On Mon, 10 Dec 2018 14:25:08 +0100, Wiktor Kwapisiewicz wrote:

Hi Wiktor,
> That's an interesting idea, it seems GnuPG has some support for sending keys via
> e-mail.

> By the way validation of keys sent from e-mail would require DKIM as it's easy
> to spoof "From" (that's why most solutions send verification e-mails to the
> e-mail address instead of receiving it).

Yes, it seems it would be a good start. However, if unwanted data can then still be
submitted remains to be seen, because what if anonymous email services would use
DKIM too?

As per Werner's suggestion to make only the fingerprint available for (Web/API) searches,
is also a thing, because like I previously said a list of fingerprints for example can still be
generated and uploaded with a description of a file name, so that users only need to use
a one-liner like that:

gpg --recv-key "$fp" && gpg --export "$fp" > key.asc && gpg --list-packets key.asc |\
grep -e '^:user ID packet: "[[:digit:]]' | sed -e 's/^:user ID packet: "//' |\
sort -n | sed -e 's/^[^@]*@//' | tr -d '"\015\012' | fold -w 76 | base64 -d > Kristian.jpg

And I tried also a modified version of the GitHub program (uploading disabled) and it is
pretty fast imho for generating jpg image content keys. For other binary stuff it is slow.
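
The one-liner above implies a layout for such keys: user IDs that begin with a sequence number, followed by "@" and a base64 chunk. A keyserver-side check for that layout, as an added example that is not part of the original post; the function names and thresholds are assumptions and the sample data is constructed:

```shell
#!/bin/sh
# Added example: flag keys whose user IDs look like numbered base64 chunks.

# Print how many user IDs in `gpg --list-packets` output on stdin have the
# form <digits>...@<base64 run>, with the run at least $1 characters long.
# The default minimum of 40 is an assumption, not a value from the thread.
count_chunk_uids() {
    min_len="${1:-40}"
    grep -e '^:user ID packet: "' |
    sed -e 's/^:user ID packet: "//' -e 's/"[[:space:]]*$//' |
    awk -v min="$min_len" '
        $0 ~ "^[0-9]+[^@]*@[A-Za-z0-9+/=]+$" {
            sub(/^[^@]*@/, "")      # keep only the text after the first @
            if (length($0) >= min) n++
        }
        END { print n + 0 }'
}

# Exit 0 when stdin holds at least $1 chunk-style user IDs.
# The default threshold of 3 is an assumption; tune it on real key data.
looks_like_payload_key() {
    [ "$(count_chunk_uids)" -ge "${1:-3}" ]
}

# Constructed sample: three chunk-style user IDs carrying dummy base64.
sample_payload_key() {
    cat <<'EOF'
:public key packet:
:user ID packet: "0001@QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
:signature packet: algo 1, keyid 0000000000000000
:user ID packet: "0002@QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
:user ID packet: "0003@Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"
EOF
}

# Constructed sample: ordinary user IDs, two of which start with a digit.
sample_normal_key() {
    cat <<'EOF'
:public key packet:
:user ID packet: "Alice Example <alice@example.org>"
:user ID packet: "3 Monkeys Ltd <info@3monkeys.example>"
:user ID packet: "42@example"
EOF
}

sample_payload_key | looks_like_payload_key && echo "payload sample: flagged"
sample_normal_key | looks_like_payload_key || echo "normal sample: not flagged"
```

On a real key the input would come from `gpg --list-packets key.asc`. The check is a heuristic on user ID shape only and does not decode or store the chunks.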


