Retrieval by keyid was removed in commit 96bf8f477805, which breaks --auto-key-retrieve for signatures which have no fingerprint field. There are projects which still use these for code authenticity checks (see test plan). This patch restores the keyid as a last-resort fallback only, in case none of the other methods for automatic lookup is available.
Details
- Reviewers
  - werner
- Commits
  - rKLEOPATRA5e9d402be380: Yet another place with deprecated API
The patch was tested using two examples which I've run across recently:
- xf86-input-joystick (signature)
- file: ftp://ftp.astron.com/pub/file/file-5.37.tar.gz{,.asc}
Without the patch, gpg --auto-key-retrieve --verify $sigfile fails with "No public key." With the patch, the same command retrieves the public key used for the signature and successfully verifies it.
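The distinction the summary and test plan turn on is whether a signature carries an Issuer Fingerprint subpacket (type 33) or only the 64-bit Issuer key ID (type 16). The following is an added example, not GnuPG's code: a small Python parser for a v4 signature packet that extracts both identifiers and applies the fallback order the patch describes, fingerprint first and key ID only as a last resort. The two signature packets are constructed inline with dummy hash and MPI bytes (the real file-5.37 .asc is not fetched), and the builder handles only new-format packet headers with a one-byte length, which covers a typical detached signature once base64-decoded.

```python
"""Parse an OpenPGP v4 signature packet (RFC 4880) and decide which
identifier an automatic key lookup has to use: the Issuer Fingerprint
subpacket (type 33) when present, the Issuer key ID (type 16) otherwise.
Added example, not GnuPG code; sample packets are constructed below."""
import struct

SUBPKT_ISSUER_KEYID = 16
SUBPKT_ISSUER_FPR = 33


def _read_subpkt_len(buf, i):
    """RFC 4880 5.2.3.1 subpacket length; returns (length, index after it)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5


def parse_subpackets(area):
    """Return [(type, data), ...] for every subpacket in a hashed/unhashed area."""
    out, i = [], 0
    while i < len(area):
        length, i = _read_subpkt_len(area, i)
        sub_type = area[i] & 0x7F          # high bit is the "critical" flag
        out.append((sub_type, area[i + 1:i + length]))
        i += length
    return out


def parse_signature(pkt):
    """Return {'keyid': hex|None, 'fpr': hex|None} for a v4 signature packet.
    Only a new-format header with a one-byte body length is handled here."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 2:
        raise ValueError("not a new-format signature packet")
    if pkt[1] >= 192:
        raise ValueError("multi-byte packet length not handled in this example")
    body = pkt[2:2 + pkt[1]]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    j = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[j:j + 2])[0]
    unhashed = body[j + 2:j + 2 + unhashed_len]
    found = {"keyid": None, "fpr": None}
    for sub_type, data in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if sub_type == SUBPKT_ISSUER_FPR and len(data) == 21 and data[0] == 4:
            found["fpr"] = data[1:].hex().upper()
        elif sub_type == SUBPKT_ISSUER_KEYID and len(data) == 8:
            found["keyid"] = data.hex().upper()
    return found


def retrieval_plan(pkt):
    """Fallback order of the patch: ('fpr', hex) if a fingerprint is present,
    ('keyid', hex) only as a last resort, None if nothing names the signer.
    A v4 key ID is the low 64 bits of the fingerprint, so a mismatch between
    the two subpackets is rejected rather than trusted."""
    ids = parse_signature(pkt)
    if ids["fpr"]:
        if ids["keyid"] and ids["fpr"][-16:] != ids["keyid"]:
            raise ValueError("issuer key ID does not match issuer fingerprint")
        return ("fpr", ids["fpr"])
    if ids["keyid"]:
        return ("keyid", ids["keyid"])
    return None


# --- constructed sample packets (not real signatures) -----------------------
def _subpkt(sub_type, data):
    return bytes([len(data) + 1, sub_type]) + data


def build_signature(keyid, fpr=None):
    """Constructed v4 RSA/SHA-256 signature; hash prefix and MPI are dummies."""
    hashed = _subpkt(2, b"\x5d\x00\x00\x00")            # creation time (dummy)
    if fpr is not None:
        hashed += _subpkt(SUBPKT_ISSUER_FPR, b"\x04" + fpr)
    unhashed = _subpkt(SUBPKT_ISSUER_KEYID, keyid)
    body = (bytes([4, 0x00, 1, 8])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                                # left 16 bits of hash
            + struct.pack(">H", 16) + b"\xf0\xf1")       # 16-bit dummy MPI
    return bytes([0xC2, len(body)]) + body


FPR_SAMPLE = bytes(range(0x10, 0x24))      # 20 constructed fingerprint bytes
KEYID_SAMPLE = FPR_SAMPLE[-8:]             # key ID = low 64 bits of fingerprint
SIG_WITH_FPR = build_signature(KEYID_SAMPLE, FPR_SAMPLE)   # modern signature
SIG_KEYID_ONLY = build_signature(KEYID_SAMPLE)             # like the older .asc files

if __name__ == "__main__":
    for name, sig in (("with fingerprint", SIG_WITH_FPR), ("keyid only", SIG_KEYID_ONLY)):
        print(name, "->", retrieval_plan(sig))
```

Running it prints a fingerprint plan for the first packet and a key-ID plan for the second, which is the case the patch reinstates; the key-ID branch yields only a 64-bit identifier, so any keyserver answer for it still has to be checked against the full fingerprint of the key that actually verifies the signature.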
Diff Detail
- Repository
  - rG GnuPG
- Lint
  - Lint Skipped
- Unit
  - Unit Tests Skipped
Event Timeline
Auto key retrieve using just the key ID is dangerous because it can lead to a DoS. It is too easy to flood keyservers with several keys that have the same key ID. Let's not give an incentive to the script kiddies trying to pull down the OpenPGP keyservers.