SKS and GnuPG related issues and possible workarounds

Wiktor Kwapisiewicz wiktor at
Wed Jul 3 12:03:36 CEST 2019

On 03.07.2019 11:06, Robert J. Hansen wrote:
> Those two account for literally 99% of all use cases.  The vast majority
> of OpenPGP is to verify package signatures; for the small fraction that
> use it for email, Enigmail is the most dominant choice, with GpgOL a
> close second.

Yes. It seems the distros that I know of manually manage package signing 
keys, so they wouldn't be vulnerable to this kind of attack:

(although it would be a chore as previously they could just --refresh-keys).

For something completely different: on gnupg-devel there was a 
discussion on using Web Key Directory first for fetching signing keys.

So "gpg --auto-key-retrieve --verify HOWTO.txt.sig HOWTO.txt" would get 
the key from instead of keyservers, thus retrieving a good, 
non-flooded key. The change is tracked at

Kind regards,


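As an added example, not code from the post above or from GnuPG itself, the following Python derives the URLs that a Web Key Directory lookup for a mail address resolves to, following the public WKD draft (draft-koch-openpgp-webkey-service): the local part is lowercased, hashed with SHA-1 and z-base-32 encoded, and the result names a file under .well-known/openpgpkey/ on the address's own domain. The address Joe.Doe@Example.ORG and its expected hash are the draft's own example; everything else (function names, the dict layout) is this example's own choice. It illustrates the point made in the post: a key fetched this way comes from a location the mail domain controls, not from a keyserver where anyone may have attached signatures to it.

```python
"""Derive Web Key Directory (WKD) lookup URLs for a mail address.

Added example; not from the gnupg-users post or from GnuPG. Follows the
WKD draft: lowercase the local part, SHA-1 it, z-base-32 encode the digest,
and use that as the file name under .well-known/openpgpkey/.
Standard library only, runs offline.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft (this is NOT RFC 4648 base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB first, 5 bits per symbol, no pad chars."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # zero-fill so the bit count is a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """32-character WKD hash of a local part (lowercased, SHA-1, z-base-32)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)   # 160 bits -> exactly 32 symbols


def wkd_urls(address: str) -> dict:
    """URLs for the advanced and direct WKD methods plus their policy files.

    Clients try the advanced method (openpgpkey.<domain>) first and fall back
    to the direct method on the domain itself.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()           # host names are case-insensitive
    h = wkd_hash(local)
    # The l= query parameter carries the original-case local part, percent-encoded.
    query = "?l=" + quote(local, safe="")
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "hash": h,
        "advanced": f"{advanced_base}/hu/{h}{query}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{h}{query}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Example address taken from the WKD draft itself.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

To cross-check the hash against a real key, `gpg --with-wkd-hash --fingerprint <user-id>` prints the WKD hash next to each user ID. Note that what is served under these URLs is decided by the domain operator, so a flooded keyserver copy never enters the picture, but the lookup itself is only as trustworthy as the domain's TLS setup.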