SKS and GnuPG related issues and possible workarounds

Ryan McGinnis ryan at digicana.com
Sat Jul 6 13:50:48 CEST 2019


Someone brought it to my attention that my key is now one of the affected keys; I think from this we can probably surmise that whoever(s) is doing this probably reads this list, as this email address doesn’t see heavy circulation.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

On Sat, Jul 6, 2019 at 00:33, Teemu Likonen via Gnupg-users <gnupg-users at gnupg.org> wrote:

> Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:
>
>> ATM, none of systems I use GnuPG in has been hit with the signature
>> flood disaster. If I might miss that point - is it possible to get,
>> somehow, the list of flooded keys IDs (if anyone keeps the stats)?
>
> I don't maintain a list and such a list can be always outdated anyway.
> Better option is to set protective settings right now in gpg.conf file.
>
>     keyserver-options import-clean
>     # maybe also:
>     import-options import-clean
>
> With option "import-clean" key import operations accept only key
> signatures from already known keys. With poisoned keys the import
> operation can take time but at least your local keyring is protected
> from importing them.
>
> The gpg(1) manual page for version 2.1.18 (Debian) is misleading,
> though.
>
>     import-clean
>         After import, compact (remove all signatures except the
>         self-signature) any user IDs from the new key that are
>         not usable. Then, remove any signatures from the new
>         key that are not usable. This includes signatures that
>         were issued by keys that are not present on the
>         keyring. This option is the same as running the
>         --edit-key command "clean" after import. Defaults to no.
>
> It says "After import" but according to Werner Koch[1] it actually
> strips unknown key signatures _before_ importing them to the local
> keyring. The manual also says that "This option is the same as running
> the --edit-key command 'clean' after import." This is also wrong or
> misleading because it may lead the user to think that in import operations
> first all keys and key signatures are imported to local keyring and then
> they are cleaned.
>
> -----
> 1. https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062239.html
>
> --
> /// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
> // https://keys.openpgp.org/search?q=tlikonen@iki.fi
> / https://keybase.io/tlikonen https://github.com/tlikonen
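An added example, not part of the original messages or of GnuPG itself: a POSIX shell check that a gpg.conf ends up with the import-clean setting discussed above enabled for both keyserver-options and import-options. It assumes options on a line are separated by spaces or commas, that a no- prefix disables an option, and that a later occurrence overrides an earlier one; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the "import-clean" protection.

# has_import_clean FILE DIRECTIVE
# Exit 0 if DIRECTIVE (e.g. import-options) leaves import-clean enabled.
has_import_clean() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == want {
            line = $0
            sub(/^[ \t]*[^ \t]+/, "", line)      # strip the directive name
            n = split(line, opts, /[ \t,]+/)     # assumed separators: space, comma
            for (i = 1; i <= n; i++) {
                if (opts[i] == "import-clean")    state = 1
                if (opts[i] == "no-import-clean") state = 0   # assumed negation
            }
        }
        END { exit(state ? 0 : 1) }              # last setting seen wins
    ' "$1"
}

# audit_gpg_conf FILE
# Report both directives; return non-zero if either lacks import-clean.
audit_gpg_conf() {
    rc=0
    for directive in keyserver-options import-options; do
        if has_import_clean "$1" "$directive"; then
            echo "ok:      $directive import-clean"
        else
            echo "missing: $directive import-clean"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: keyserver imports are covered, but plain imports
# (gpg --import) have the option switched off again.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample gpg.conf
keyserver-options import-clean
import-options import-minimal,no-import-clean
EOF
audit_gpg_conf "$sample" || echo "gpg.conf needs attention: $sample"
```

To check a real configuration, call `audit_gpg_conf` on the gpg.conf in your GnuPG home directory.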