
gpg: Fall back on keyid for --auto-key-retrieve.
Status: Needs Review (Public)

Authored by djpohly on Oct 25 2019, 6:17 PM.

Details

Summary

Retrieval by keyid was removed in commit 96bf8f477805, which breaks --auto-key-retrieve for signatures which have no fingerprint field. There are projects which still use these for code authenticity checks (see test plan). This patch restores the keyid as a last-resort fallback only, in case none of the other methods for automatic lookup is available.

Test Plan

The patch was tested using two examples which I've run across recently:

Without the patch, gpg --auto-key-retrieve --verify $sigfile fails with "No public key." With the patch, the same command retrieves the public key used for the signature and successfully verifies it.

Diff Detail

Repository: rG GnuPG
Lint: Skipped
Unit Tests: Skipped

Event Timeline

djpohly edited the test plan for this revision.

Adding werner to reviewers since this references his commit.

Auto key retrieve using just the key id is dangerous because it can lead to a DoS. It is too easy to flood keyservers with several keys that have the same keyid. Let's not give an incentive to the script kiddies trying to pull down the OpenPGP keyservers.
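The two points made on this page, the fallback order in the summary (fingerprint first, key ID only as a last resort) and the collision concern in the review comment, can be seen in a small parser. The following Python is an added example, not GnuPG's code and not part of this revision: it parses a v4 OpenPGP signature packet (RFC 4880 section 5.2.3), extracts the Issuer Fingerprint (subpacket 33) and Issuer key ID (subpacket 16), and chooses an identifier for retrieval. It then shows why a key ID query is a poor identifier: a v4 key ID is the low 64 bits of the fingerprint, so a keyserver query by key ID matches every key whose fingerprint ends in those bytes. The packet bytes, fingerprints and the keyserver list are constructed sample data, and `lookup_plan`/`candidate_keys` are illustrative policies that do not reproduce gpg's actual lookup chain.

```python
"""Inspect issuer identifiers in an OpenPGP v4 signature and model key lookup.
Illustrative code (not GnuPG's implementation); layout follows RFC 4880 5.2.3."""
import struct

SUBPKT_CREATION_TIME = 2
SUBPKT_ISSUER = 16              # 8-octet key ID
SUBPKT_ISSUER_FINGERPRINT = 33  # version octet + fingerprint


def _subpacket(stype, data):
    """Encode one subpacket; the length covers the type octet plus data."""
    body = bytes([stype]) + data
    n = len(body)
    if n < 192:
        return bytes([n]) + body
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF]) + body
    return b"\xff" + struct.pack(">I", n) + body


def build_signature(hashed, unhashed):
    """Build a syntactically valid v4 signature packet (new-format header, tag 2).
    Hash prefix and MPI are dummies: constructed test data, not a real signature."""
    h, u = b"".join(hashed), b"".join(unhashed)
    body = bytes([4, 0x00, 1, 8])                 # v4, binary doc sig, RSA, SHA-256
    body += struct.pack(">H", len(h)) + h
    body += struct.pack(">H", len(u)) + u
    body += b"\x12\x34"                           # left 16 bits of the hash (dummy)
    body += struct.pack(">H", 15) + b"\x55\x55"   # one dummy 15-bit MPI
    assert len(body) < 192                        # keep the 1-octet length form
    return bytes([0xC2, len(body)]) + body


def _parse_subpackets(area):
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        out.append((area[i] & 0x7F, area[i + 1:i + n]))   # strip the critical bit
        i += n
    return out


def parse_signature(packet):
    """Split a new-format v4 signature packet into hashed/unhashed subpackets."""
    if packet[0] & 0xC0 != 0xC0 or packet[0] & 0x3F != 2:
        raise ValueError("expected a new-format signature packet (tag 2)")
    first = packet[1]
    if first < 192:
        body = packet[2:2 + first]
    elif first < 224:
        body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
    else:
        raise ValueError("unsupported packet length encoding")
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    return {"hashed": _parse_subpackets(body[6:pos]),
            "unhashed": _parse_subpackets(body[pos + 2:pos + 2 + ulen])}


def issuer_identifiers(sig):
    """Return (fingerprint_hex, keyid_hex); either may be None. The fingerprint is
    accepted only from the hashed area (covered by the signature); the key ID
    conventionally sits in the unhashed area, which anyone can rewrite."""
    fpr = keyid = None
    for stype, data in sig["hashed"]:
        if stype == SUBPKT_ISSUER_FINGERPRINT and data[:1] == b"\x04" and len(data) == 21:
            fpr = data[1:].hex()
    for stype, data in sig["hashed"] + sig["unhashed"]:
        if stype == SUBPKT_ISSUER and len(data) == 8:
            keyid = data.hex()
    return fpr, keyid


def lookup_plan(sig, allow_keyid_fallback=False):
    """Fingerprint if present; the 64-bit key ID only as an opt-in last resort.
    Returns ("fingerprint", hex), ("keyid", hex) or None."""
    fpr, keyid = issuer_identifiers(sig)
    if fpr:
        return ("fingerprint", fpr)
    if keyid and allow_keyid_fallback:
        return ("keyid", keyid)
    return None


def candidate_keys(known_fingerprints, plan):
    """Keys a keyserver would hand back: a v4 key ID is the low 64 bits of the
    fingerprint, so a key-ID query matches every fingerprint ending in it."""
    how, value = plan
    if how == "fingerprint":
        return [f for f in known_fingerprints if f == value]
    return [f for f in known_fingerprints if f.endswith(value)]


# Constructed sample data (not real keys or signatures).
FPR = bytes(range(0x10, 0x24))        # 20-byte v4 fingerprint
KEYID = FPR[-8:]
CREATED = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1572000000))
SIG_WITH_FPR = build_signature([CREATED, _subpacket(SUBPKT_ISSUER_FINGERPRINT, b"\x04" + FPR)],
                               [_subpacket(SUBPKT_ISSUER, KEYID)])
SIG_KEYID_ONLY = build_signature([CREATED], [_subpacket(SUBPKT_ISSUER, KEYID)])
# The real key, an unrelated key, and one crafted to share the real key's key ID.
KEYSERVER = [FPR.hex(), "ff" * 20, "a0a1a2a3a4a5a6a7a8a9aaab" + KEYID.hex()]

if __name__ == "__main__":
    for name, pkt in (("fingerprint present", SIG_WITH_FPR), ("key ID only", SIG_KEYID_ONLY)):
        for fallback in (False, True):
            plan = lookup_plan(parse_signature(pkt), allow_keyid_fallback=fallback)
            hits = candidate_keys(KEYSERVER, plan) if plan else []
            print(f"{name:19} fallback={fallback!s:5} plan={plan} candidates={len(hits)}")
```

Run stand-alone it prints one line per combination; with the key-ID-only signature and the fallback enabled the constructed keyserver returns two candidate keys for the same query, which is the ambiguity the review comment is pointing at, whereas the fingerprint query returns exactly one.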