--min-cert-level should trigger --update-db
Closed, Resolved (Public)

Description

Bug

Specifying a --min-cert-level should trigger --check-trustdb

Background

  1. Users can specify options on the command line that override
     defaults within gpg or in the options file. They expect that these
     temporary options will not have a lingering effect on gpg.

  2. gpg's documentation states the default --min-cert-level.

  3. For many operations (editing keys, encrypting and others)
     specifying --min-cert-level does not seem to trigger
     --check-trustdb.

  4. Certification levels are (presumably) useful to help the user
     adopt slightly different security levels for different information.
     In other words, a user might decide for some purposes to accept
     --min-cert-level=1 and for other purposes --min-cert-level=3. In
     other words, users who are using this feature at all are likely to
     want to switch cert levels.

  5. At the moment, running --min-cert-level=1 --check-trustdb leaves
     gpg displaying incorrect trust information once the option is no longer being
     specified, until or unless some other event triggers an update. This surely
     presents a security issue for those relying on
     gpg's trust model.

  6. At the moment, specifying --min-cert-level on the command line
     has little/no effect unless the user remembers to manually update the
     trustdb.

(gpg version used to verify problem: 1.4.11)

Details

Version
1.4.11

Event Timeline

npcole set Version to 1.4.11.
npcole added a subscriber: npcole.
werner added a subscriber: werner.

We would need to store the new level in the version record of the trustdb.
There is a reserved 4 byte field in the version record. We could use one byte
of it to record the level (using bit 7 to indicate that a value has been stored).

David, what do you think?

There are even 3 other reserved bytes available.

I think this makes sense. It's not a hard change. Way back when, I did something similar for trust_model -
it's stored in the version record and if gpg detects that the current model does not match what is encoded in
the header, it marks the trustdb as pending_rebuild.

This can be done more or less the same way. I'll give it a shot later today.
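
The scheme discussed in the two comments above (one reserved byte holding the level, bit 7 marking it as stored, a mismatch flagging the trustdb for rebuild), shown as an added example that is not GnuPG's code or the change that was committed. The struct, the function names and the choice to treat "nothing stored" as a mismatch are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define LEVEL_STORED 0x80u   /* bit 7: a level has been recorded */
#define LEVEL_MASK   0x7fu   /* low 7 bits: the level itself */

/* Hypothetical stand-in for the version record: only the 4 reserved
 * bytes and the rebuild flag are modelled, not the real on-disk layout. */
struct version_rec {
    uint8_t reserved[4];
    int pending_rebuild;
};

/* Bit 7 lets a stored level 0 (0x80) differ from a never-written byte (0x00). */
static uint8_t encode_level(unsigned level)
{
    return (uint8_t)(LEVEL_STORED | (level & LEVEL_MASK));
}

/* Returns the recorded level, or -1 when no level was ever stored. */
static int decode_level(uint8_t b)
{
    return (b & LEVEL_STORED) ? (int)(b & LEVEL_MASK) : -1;
}

/* Compare the level in effect for this run with the one the trustdb was
 * built under. Assumption: a missing value counts as a mismatch. */
static int check_min_cert_level(struct version_rec *vr, unsigned current)
{
    if (decode_level(vr->reserved[0]) != (int)current)
        vr->pending_rebuild = 1;
    return vr->pending_rebuild;
}

/* Called once a rebuild has completed under the given level. */
static void record_rebuild(struct version_rec *vr, unsigned current)
{
    vr->reserved[0] = encode_level(current);
    vr->pending_rebuild = 0;
}

int main(void)
{
    struct version_rec vr = { {0, 0, 0, 0}, 0 };   /* constructed: old trustdb */
    unsigned runs[] = { 3, 3, 1, 3 };              /* levels used on successive runs */
    for (unsigned i = 0; i < 4; i++) {
        int stale = check_min_cert_level(&vr, runs[i]);
        printf("run %u level %u: %s\n", i, runs[i], stale ? "rebuild" : "ok");
        if (stale)
            record_rebuild(&vr, runs[i]);
    }
    return 0;
}
```

Switching from level 3 to 1 and back flags a rebuild each time, which is the lingering-state case the report describes.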

The changes are now committed to all active branches.

Thank you both for a very swift and sensible change.

werner claimed this task.
werner removed a project: Restricted Project.