Issue1579

Title: --recv-key with full fingerprint does not actually check that the received key matches the fingerprint
Priority: feature
Status: resolved
Category: gnupg
Due Date:
Version:
Superseder:
Nosy List: agl
Assigned To:
Topics:

Created on 2013-12-12.15:11:55 by [P] agl, last changed 2014-08-29.09:37:06 by werner.

Messages
msg5326 Author: werner Date: 2014-08-29.09:37:05
Meanwhile implemented in all branches.
msg4904 Author: agl Date: 2013-12-12.20:22:06
Also related (includes patch): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725411
msg4903 Author: agl Date: 2013-12-12.15:11:55
While `gpg --recv-key <full fingerprint>` does send the full fingerprint to the keyserver, it doesn't verify that the received key(s) match that fingerprint.

For example, `gpg --keyserver hkp://imperialviolet.org:8080 --recv-key 0000000000000000000000000000000000000000` will fetch my public key, despite it not having that fingerprint.

This certainly surprised me and I fear that other people may also make the incorrect assumption that --recv-key with a full fingerprint is safe without further checking: I'm aware of two other people who did.

This patch appears to be related: http://lists.gnupg.org/pipermail/gnupg-devel/2013-September/027964.html but I'm unable to check whether it was included because I cannot currently reach git.gnupg.org.

(This issue is similar to https://bugs.g10code.com/gnupg/issue1444, although that only discusses matching the keyid, which is too small to be collision resistant.)
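The check the report asks for, as an added example that is not part of GnuPG or of this issue: after a fetch by fingerprint, list what actually landed in the keyring with `--with-colons` and compare the primary key's `fpr` record against the fingerprint that was requested, rejecting anything else. The colon-format listing embedded below is constructed sample data shaped like `gpg --with-colons --fingerprint` output for a key whose fingerprint is not the one asked for; `fetch_and_verify` assumes a `gpg` binary on PATH and network access, and is the only part that is not exercised offline.

```python
"""Verify that a key fetched by fingerprint really has that fingerprint.

Added example illustrating the missing check described in this issue; not
GnuPG's own code. SAMPLE_LISTING is constructed test data.
"""
import re
import subprocess
import tempfile

# Constructed sample: a `gpg --with-colons --fingerprint --list-keys` listing
# whose primary fingerprint is NOT all zeros, i.e. the failure case from msg4903.
SAMPLE_LISTING = """\
tru::1:1400000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1380000000::-:::scESC::::::23::0:
fpr:::::::::AABBCCDDEEFF00112233445566778899AABBCCDD:
uid:-::::1380000000::0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3::Example User <user@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1380000000::::::e::::::23:
fpr:::::::::11223344556677889900AABBCCDDEEFF00112233:
"""


def normalize_fpr(fpr):
    """Drop whitespace and upper-case so 'AABB CCDD ...' and 'aabbccdd...' compare equal."""
    flat = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", flat):
        raise ValueError("expected a full 40-hex-digit v4 fingerprint, got %r" % (fpr,))
    return flat


def primary_fingerprints(listing):
    """Return the fingerprint of every primary key in a colon-format listing.

    In --with-colons output the 'fpr' record that follows a 'pub' record carries
    the primary key's fingerprint in field 10; 'fpr' records after 'sub' belong
    to subkeys and are ignored here.
    """
    result = []
    expect_primary_fpr = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary_fpr = True
        elif fields[0] == "fpr" and expect_primary_fpr:
            result.append(fields[9].upper())
            expect_primary_fpr = False
        elif fields[0] == "sub":
            expect_primary_fpr = False
    return result


def matches_requested(listing, requested_fpr):
    """True only if at least one key came back and every primary key is the requested one."""
    wanted = normalize_fpr(requested_fpr)
    fprs = primary_fingerprints(listing)
    return bool(fprs) and all(f == wanted for f in fprs)


def fetch_and_verify(requested_fpr, keyserver):
    """Fetch into a throwaway homedir and return the armored key, or raise on mismatch.

    Requires a gpg binary and network access (not run offline). Using a fresh
    homedir means the listing can only contain what the keyserver just sent.
    """
    wanted = normalize_fpr(requested_fpr)
    with tempfile.TemporaryDirectory() as homedir:
        base = ["gpg", "--batch", "--homedir", homedir]
        subprocess.run(base + ["--keyserver", keyserver, "--recv-keys", wanted], check=True)
        listing = subprocess.run(
            base + ["--with-colons", "--fingerprint", "--list-keys"],
            check=True, capture_output=True, text=True,
        ).stdout
        if not matches_requested(listing, wanted):
            raise RuntimeError(
                "keyserver returned key(s) %s, not %s" % (primary_fingerprints(listing), wanted)
            )
        return subprocess.run(
            base + ["--armor", "--export", wanted], check=True, capture_output=True, text=True
        ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed listing: the all-zero fingerprint
    # from the report must be rejected, the real one accepted.
    print(matches_requested(SAMPLE_LISTING, "0" * 40))
    print(matches_requested(SAMPLE_LISTING, "AABBCCDD EEFF0011 22334455 66778899 AABBCCDD"))
```

The comparison is done on the primary key's fingerprint only, because that is what `--recv-key <fingerprint>` names; a keyserver can legitimately return subkeys with other fingerprints. Requiring a fresh homedir is what makes the listing meaningful: in a populated keyring a mismatching import would be hidden among keys that were already trusted.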
History
Date                User    Action  Args
2014-08-29 09:37:06 werner  set     status: chatting -> resolved; messages: + msg5326
2013-12-12 20:22:06 agl     set     status: unread -> chatting; messages: + msg4904
2013-12-12 15:11:55 agl     create