SKS and GnuPG related issues and possible workarounds
Wiktor Kwapisiewicz
wiktor at metacode.biz
Wed Jul 3 12:03:36 CEST 2019
On 03.07.2019 11:06, Robert J. Hansen wrote:
> Those two account for literally 99% of all use cases. The vast majority
> of OpenPGP is to verify package signatures; for the small fraction that
> use it for email, Enigmail is the most dominant choice, with GpgOL a
> close second.
Yes. It seems distros that I know of manually manage package signing
keys so they wouldn't be vulnerable to this kind of attack:
https://blog.liw.fi/posts/2019/07/02/debian_and_the_sks_signature_flooding_attack/
(although it would be a chore as previously they could just --refresh-keys).
For something completely different: on gnupg-devel there was a
discussion on using Web Key Directory first for fetching signing keys.
So "gpg --auto-key-retrieve --verify HOWTO.txt.sig HOWTO.txt" would get
the key from sixdemonbag.org instead of keyservers, thus retrieving a good,
non-flooded key. The change is tracked at https://dev.gnupg.org/T4595
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor