SKS and GnuPG related issues and possible workarounds
tlikonen at iki.fi
Sat Jul 6 07:33:37 CEST 2019
Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:
> ATM, none of systems I use GnuPG in has been hit with the signature
> flood disaster. If I might miss that point - is it possible to get,
> somehow, the list of flooded keys IDs (if anyone keeps the stats)?
I don't maintain a list and such a list can be always outdated anyway.
Better option is to set protective settings right now in gpg.conf file.
# maybe also:
With option "import-clean" key import operations accept only key
signatures from already known keys. With poisoned keys the import
operation can take time but at least your local keyring is protected
from importing them.
The gpg(1) manual page for version 2.1.18 (Debian) is misleading,
After import, compact (remove all signatures except the
self-signature) any user IDs from the new key that are
not usable. Then, remove any signatures from the new
key that are not usable. This includes signatures that
were issued by keys that are not present on the
keyring. This option is the same as running the --edit-
key command "clean" after import. Defaults to no.
It says "After import" but according to Werner Koch it actually
strips unknown key signatures _before_ importing them to the local
keyring. The manual also says that "This option is the same as running
the --edit-key command 'clean' after import." This is also wrong or
misleading because it may lead user thinking that in import oprations
first all keys and key signatures are imported to local keyring and then
they are cleaned.
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
/ https://keybase.io/tlikonen https://github.com/tlikonen
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 507 bytes
Desc: not available
More information about the Gnupg-users