
export-minimal does not work as advertised and leaks information
Closed, ResolvedPublic

Description

$ gpg --version
gpg (GnuPG) 2.1.17

$ gpg --no-default-keyring --keyring ./test.kbx --recv-keys 0x1318efac5fbbdbce
gpg: keybox './test.kbx' created
gpg: key 1318EFAC5FBBDBCE: public key "Ximin Luo <infinity0@pwned.gg>" imported
[..]
2

$ gpg --no-default-keyring --keyring ./test.kbx --export -a --export-options export-minimal 0x1318efac5fbbdbce > key.asc

$ gpg --list-packets < key.asc | grep nicolas
hashed subpkt 26 len 55 (policy: http://nicolas.braud-santoni.eu/gpg-policy-20150222.asc)
hashed subpkt 26 len 55 (policy: http://nicolas.braud-santoni.eu/gpg-policy-20150222.asc)
[.. many more .. ]

Details

Version
2.1.17

Event Timeline

Please describe exactly what you mean. I can't see from this report what does not work and why, or what leaks information.

In the man page of gpg(1) it says:

--export-options parameters

export-minimal
    Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. [..]

If you actually do this to my key however, you will see that the resulting
output contains Nicolas' signature on my key, which is against what
"export-minimal" is supposed to do.

What you see are bogus subkey binding signatures. The clean function only
worked on user ID packets and their self signatures. A comment in the code
stated this. However, I see no reason why we should not remove those bogus
signatures.
Commit 3563237 does this now.
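A quick way to verify the behaviour described in this ticket (that a minimal export keeps no signatures other than the primary key's own) is to run `gpg --list-packets` over the exported key and compare every signature's issuer key ID against the primary key ID. The checker below is an added example, not part of this ticket or of GnuPG; it assumes the `--list-packets` line shapes shown in the constructed sample (`:signature packet: algo N, keyid XXXX`, a `keyid:` line under each key packet, and a `sigclass 0x..` line per signature), and the third-party key ID in the sample is a placeholder.

```python
import re

# Constructed sample of `gpg --list-packets` output for a minimal export (not the
# real listing from the report). The last signature is a subkey binding
# signature (sigclass 0x18) issued by a placeholder third-party key; this is the
# kind of bogus signature export-minimal in 2.1.17 failed to strip.
SAMPLE = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
\tversion 4, algo 1, created 1423318080, expires 0
\tkeyid: 1318EFAC5FBBDBCE
:user ID packet: "Ximin Luo <infinity0@pwned.gg>"
:signature packet: algo 1, keyid 1318EFAC5FBBDBCE
\tversion 4, created 1423318080, md5len 0, sigclass 0x13
\thashed subpkt 2 len 4 (sig created 2015-02-07)
:public sub key packet:
\tversion 4, algo 1, created 1423318081, expires 0
\tkeyid: 0123456789ABCDEF
:signature packet: algo 1, keyid 1318EFAC5FBBDBCE
\tversion 4, created 1423318081, md5len 0, sigclass 0x18
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1424649600, md5len 0, sigclass 0x18
\thashed subpkt 26 len 55 (policy: http://example.invalid/policy.asc)
"""

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-F]{16})")
KEYID_RE = re.compile(r"^\s*keyid: ([0-9A-F]{16})")
CLASS_RE = re.compile(r"sigclass 0x([0-9a-fA-F]{2})")


def find_foreign_sigs(listing: str):
    """Return (issuer_keyid, sigclass) for every signature in a --list-packets
    listing that was not issued by the primary key (the first key packet)."""
    primary = None
    current = None  # issuer of the signature packet currently being read
    foreign = []
    for line in listing.splitlines():
        m = KEYID_RE.match(line)
        if m:
            if primary is None:
                primary = m.group(1)  # first key packet is the primary key
            continue
        m = SIG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLASS_RE.search(line)
        if m and current is not None:
            if current != primary:
                foreign.append((current, m.group(1)))
            current = None
    return foreign


if __name__ == "__main__":
    for keyid, sigclass in find_foreign_sigs(SAMPLE):
        print(f"third-party signature survived export-minimal: issuer {keyid}, class 0x{sigclass}")
```

An empty result means the export contains only self-signatures; with a real key, feed it `gpg --list-packets < key.asc` instead of the sample.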

Thanks.

werner claimed this task.
werner removed a project: Restricted Project.

Fixed in 2.1.18