While `gpg --recv-key <full fingerprint>` does send the full fingerprint to the
keyserver, it doesn't verify that the received key(s) match that fingerprint.
For example, `gpg --keyserver hkp://imperialviolet.org:8080 --recv-key 0000000000000000000000000000000000000000`
will fetch my public key, despite it not having that fingerprint.
This certainly surprised me and I fear that other people may also make the incorrect
assumption that --recv-key with a full fingerprint is safe without further checking:
I'm aware of two other people who did.
This patch appears to be related: http://lists.gnupg.org/pipermail/gnupg-devel/2013-September/027964.html
but I'm unable to check whether it was included because I cannot currently reach git.gnupg.org.
(This issue is similar to T1444, although that
only discusses matching the keyid, which is too small to be collision resistant.)
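A fingerprint check that can be wrapped around `--recv-key`, given here as an added example (not part of this report or of GnuPG itself). It assumes the `--with-colons` listing format, in which an `fpr` record's tenth field is the fingerprint of the preceding `pub` or `sub` record; the keyserver name and the sample listing below are constructed.

```python
import re
import subprocess
import tempfile

# Constructed sample of `gpg --with-colons --list-keys` output: one primary key
# (fingerprint 0123...4567) with one subkey (fingerprint 89AB...CDEF).
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::::Example Key (constructed) <key@example.invalid>::::::::::0:
sub:-:4096:1:89ABCDEF01234567:1600000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

def normalize(fingerprint):
    """Strip whitespace and upper-case, so '0123 4567 ...' compares equal to '01234567...'."""
    return re.sub(r"\s+", "", fingerprint).upper()

def primary_fingerprints(colon_listing):
    """Return the fingerprints of primary keys only (fpr records that follow a pub record).
    Subkey fingerprints are deliberately ignored: a --recv-key request names a primary key."""
    fprs, last = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            fprs.append(fields[9].upper())
            last = None  # only the first fpr after a pub record is the primary fingerprint
    return fprs

def key_matches_request(requested, colon_listing):
    """True only if a primary key with exactly the requested full fingerprint was imported.
    A bare key id (too short to be collision resistant) is rejected rather than matched."""
    want = normalize(requested)
    if len(want) not in (40, 64):  # v4 (SHA-1) and v5 (SHA-256) fingerprint lengths
        return False
    return want in primary_fingerprints(colon_listing)

def recv_key_verified(fingerprint, keyserver):
    """Fetch into a throwaway keyring and report whether the requested key actually arrived.
    The caller should only merge the key into a real keyring when this returns True."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--keyserver", keyserver, "--recv-key", fingerprint],
                       capture_output=True, check=False)
        listing = subprocess.run(base + ["--with-colons", "--fingerprint", "--list-keys"],
                                 capture_output=True, text=True, check=False).stdout
        return key_matches_request(fingerprint, listing)
```

`recv_key_verified` needs a local `gpg` binary and network access; `key_matches_request` is the pure check and can be exercised on a captured listing.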