
--recv-key with full fingerprint does not actually check that the received key matches the fingerprint
Closed, Resolved (Public)

Description

While gpg --recv-key <full fingerprint> does send the full fingerprint to the
keyserver, it doesn't verify that the received key(s) match that fingerprint.

For example, `gpg --keyserver hkp://imperialviolet.org:8080 --recv-key
0000000000000000000000000000000000000000` will fetch my public key, despite it not
having that fingerprint.

This certainly surprised me and I fear that other people may also make the incorrect
assumption that --recv-key with a full fingerprint is safe without further checking:
I'm aware of two other people who did.

This patch appears to be related: http://lists.gnupg.org/pipermail/gnupg-devel/2013-September/027964.html but I'm unable to check whether it was included because I cannot currently reach git.gnupg.org.

(This issue is similar to T1444, although that
only discusses matching the keyid, which is too small to be collision resistant.)
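The check this report says --recv-key is missing, written out as an added example (not GnuPG's code): parse the key block a keyserver returns, compute the primary key's v4 fingerprint as RFC 4880 defines it, and refuse to import unless it equals the full fingerprint that was requested. The key block below is a constructed, cryptographically meaningless sample so the example runs offline.

```python
import hashlib
import struct

def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: low two bits select 1, 2 or 4 length octets
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if not ctb & 0x80 or ltype == 3:
                raise ValueError("unsupported packet header")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def primary_fingerprint(keyblock: bytes) -> str:
    """Fingerprint of the primary key: the first tag-6 packet in the block."""
    for tag, body in iter_packets(keyblock):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet in key block")

def safe_to_import(keyblock: bytes, requested_fpr: str) -> bool:
    """Accept the keyserver's answer only if the primary key has the full fingerprint asked for."""
    want = requested_fpr.replace(" ", "").upper()
    return len(want) == 40 and primary_fingerprint(keyblock) == want

# Constructed sample (not a real key): minimal v4 RSA public-key packet plus a user ID packet.
SAMPLE_KEYBLOCK = (
    b"\x98\x0c\x04\x00\x00\x00\x00\x01"  # tag 6, 12-octet body: version 4, creation time 0, RSA
    b"\x00\x08\xb1\x00\x02\x03"          # MPI n (8 bits), MPI e (2 bits)
    b"\xb4\x05alice"                     # tag 13 user ID packet
)
```

A key ID (the last 8 or 16 hex digits) is rejected by design: as the report notes, it is too short to be collision resistant, so only the full 40-digit fingerprint is accepted.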

Event Timeline

Meanwhile implemented in all branches.

werner claimed this task.