SKS and GnuPG related issues and possible workarounds

Teemu Likonen tlikonen at iki.fi
Sat Jul 6 07:33:37 CEST 2019


Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:

> ATM, none of systems I use GnuPG in has been hit with the signature
> flood disaster. If I might miss that point - is it possible to get,
> somehow, the list of flooded keys IDs (if anyone keeps the stats)?

I don't maintain a list, and such a list can always be outdated anyway.
A better option is to set protective settings right now in the gpg.conf file.

    keyserver-options import-clean
    # maybe also:
    import-options import-clean

With option "import-clean" key import operations accept only key
signatures from already known keys. With poisoned keys the import
operation can take time but at least your local keyring is protected
from importing them.

The gpg(1) manual page for version 2.1.18 (Debian) is misleading,
though.

    import-clean
           After import, compact (remove all signatures except the
           self-signature) any user IDs from the new key that  are
           not  usable.   Then, remove any signatures from the new
           key that are not usable.  This includes signatures that
           were  issued  by  keys  that  are  not  present  on the
           keyring. This option is the same as running the --edit-
           key command "clean" after import. Defaults to no.

It says "After import" but according to Werner Koch[1] it actually
strips unknown key signatures _before_ importing them to the local
keyring. The manual also says that "This option is the same as running
the --edit-key command 'clean' after import." This is also wrong or
misleading because it may lead the user to think that in import operations
all keys and key signatures are first imported to the local keyring and
then cleaned.

-----
1. https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062239.html

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen
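The following is an added illustration (not GnuPG code or anything from the thread) of the semantics the post describes: with import-clean, an incoming key keeps only its self-signatures and certifications from keys already on the local keyring, and that filtering happens before anything reaches the keyring. The fingerprints, the user ID and the signature counts are constructed sample data; the data model is a deliberately simplified stand-in for OpenPGP packets.

```python
"""Model of import-clean applied to a flooded key before it is stored."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    issuer: str   # fingerprint of the certifying key
    uid: str      # user ID the certification is bound to


@dataclass
class Key:
    fingerprint: str
    uids: list
    signatures: list = field(default_factory=list)


def import_clean(key: Key, known: set) -> Key:
    """Keep self-signatures and certifications issued by keys that are already
    present on the local keyring (the 'known' set); drop everything else.
    This runs on the incoming key, so unknown signatures never enter the
    keyring, which is the point made in the post above."""
    kept = [s for s in key.signatures
            if s.issuer == key.fingerprint or s.issuer in known]
    return Key(key.fingerprint, list(key.uids), kept)


def poisoned_key(fpr: str, uid: str, n_unknown: int, known_issuers=()) -> Key:
    """Construct a sample key carrying one self-signature, certifications from
    the given known issuers, and n_unknown certifications from keys that the
    local keyring has never seen (constructed test data)."""
    sigs = [Signature(fpr, uid)]                                 # self-signature
    sigs += [Signature(issuer, uid) for issuer in known_issuers]
    sigs += [Signature(f"UNKNOWN-{i:06X}", uid) for i in range(n_unknown)]
    return Key(fpr, [uid], sigs)


def demo(n_unknown: int = 150_000):
    """Return (signatures on the incoming key, signatures after import-clean)."""
    local_keyring = {"FPR-LOCAL-A", "FPR-LOCAL-B"}                # hypothetical
    incoming = poisoned_key("FPR-ALICE", "Alice <alice@example.org>",
                            n_unknown, known_issuers=["FPR-LOCAL-A"])
    cleaned = import_clean(incoming, local_keyring)
    return len(incoming.signatures), len(cleaned.signatures)


if __name__ == "__main__":
    before, after = demo()
    print(f"incoming: {before} signatures, stored after import-clean: {after}")
```

Only the self-signature and the certification from the already-known key survive; the flood of unknown certifications is discarded before storage, matching the behaviour described in the reply.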