
gpg: Fall back on keyid for --auto-key-retrieve.
Needs ReviewPublic

Authored by djpohly on Oct 25 2019, 6:17 PM.



Retrieval by keyid was removed in commit 96bf8f477805, which breaks --auto-key-retrieve for signatures which have no fingerprint field. There are projects which still use these for code authenticity checks (see test plan). This patch restores the keyid as a last-resort fallback only, in case none of the other methods for automatic lookup is available.

Test Plan

The patch was tested using two examples which I've run across recently:

Without the patch, gpg --auto-key-retrieve --verify $sigfile fails with "No public key." With the patch, the same command retrieves the public key used for the signature and successfully verifies it.

Diff Detail

rG GnuPG
Lint Skipped
Unit Tests Skipped

Event Timeline

djpohly edited the test plan for this revision.

Adding werner to reviewers since this references his commit.

Auto key retrieve using just the key ID is dangerous because it can lead to a DoS. It is too easy to flood keyservers with several keys that have the same key ID. Let's not give an incentive to the script kiddies trying to pull down the OpenPGP keyservers.
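An added example, not code from this revision or from GnuPG, showing why the key-ID fallback described above is weaker than a fingerprint match: the 64-bit key ID is just the low 8 bytes of the v4 fingerprint, so a keyserver can return several distinct keys for one ID, and a lookup policy has to decide what to do then. It assumes only the Python standard library; the RSA parameters, creation time and the colliding fingerprints are constructed values, not real keys.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Minimal v4 public-key packet body: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(public_key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, a 2-byte length and the packet body."""
    prefix = b"\x99" + struct.pack(">H", len(public_key_body))
    return hashlib.sha1(prefix + public_key_body).hexdigest().upper()


def long_keyid(fingerprint: str) -> str:
    """The 64-bit key ID is only the low 8 bytes of the fingerprint; distinct keys can share it."""
    return fingerprint.upper()[-16:]


def select_key(candidates, issuer_fpr=None, issuer_keyid=None):
    """Pick the one key that may be auto-imported for a signature, or None.

    candidates: fingerprints of the keys a keyserver returned for the lookup.
    A full issuer fingerprint identifies exactly one key. A bare key ID is
    accepted only when exactly one returned key carries it; several keys
    sharing the ID (a flooded keyserver) is treated as no usable key.
    """
    if issuer_fpr:
        matches = [f for f in candidates if f.upper() == issuer_fpr.upper()]
    elif issuer_keyid:
        matches = [f for f in candidates if long_keyid(f) == issuer_keyid.upper()]
    else:
        return None
    return matches[0] if len(matches) == 1 else None


# Constructed toy key (n = 61 * 53, not a real key) just to exercise the fingerprint derivation.
TOY_KEY_FPR = v4_fingerprint(rsa_public_key_body(1571955420, 3233, 17))

# Constructed fingerprints (not real keys) that differ in their first 24 hex digits but share a key ID.
COLLIDING_FPRS = [
    "A1B2C3D4E5F60718293A4B5C0123456789ABCDEF",
    "F0E1D2C3B4A5968778695A4B0123456789ABCDEF",
]

if __name__ == "__main__":
    print(TOY_KEY_FPR, long_keyid(TOY_KEY_FPR))
    print(select_key(COLLIDING_FPRS, issuer_fpr=COLLIDING_FPRS[0]))  # the single matching key
    print(select_key(COLLIDING_FPRS, issuer_keyid="0123456789ABCDEF"))  # None: ambiguous by key ID
```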