Check keyid after downloading key from keyserver and before importing it
Closed, Resolved, Public


When downloading a key from a keyserver with --recv-key it appears that gnupg
does not check that the keyid of the downloaded key matches the keyid of the
requested key. It would be nice to get a --strict mode (or even make that
default) that warns/refuses if the keyids are not matching.

If you agree with the general idea I can look into providing a patch for this.

mvo added a subscriber: mvo.
werner added a subscriber: werner. Sep 26 2012, 3:22 PM

What is your threat model?

neal added a project: gnupg. Nov 6 2015, 8:56 PM
werner closed this task as Resolved. Jun 8 2016, 5:56 PM
werner claimed this task.

We have meanwhile implemented such a check.
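
The check requested in this task, sketched as an added example; it is not GnuPG's implementation and not code from this thread. It assumes binary (unarmored) keyserver data whose first packet is a v4 primary public key; the function names and the sample packet are constructed for illustration.

```python
import hashlib

def first_packet(data):
    """Return (tag, body) of the first packet in binary (unarmored) OpenPGP data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths are not expected on key packets")
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)         # 1-, 2- or 4-byte length field
        length = int.from_bytes(data[1:start], "big")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(data):
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet body."""
    tag, body = first_packet(data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a v4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def matches_request(data, requested):
    """True if the requested short/long key ID or full fingerprint names this key."""
    want = requested.upper().replace(" ", "")
    if want.startswith("0X"):
        want = want[2:]
    if len(want) not in (8, 16, 40):
        raise ValueError("expected 8, 16 or 40 hex digits")
    return v4_fingerprint(data).endswith(want)

# Constructed sample: v4 packet body with placeholder RSA numbers (not a usable key).
SAMPLE_BODY = (b"\x04" + (1348672920).to_bytes(4, "big") + b"\x01"
               + b"\x00\x20\xc3\x5a\x11\x07" + b"\x00\x11\x01\x00\x01")
SAMPLE_KEY = b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_KEY)
    print(fpr, matches_request(SAMPLE_KEY, fpr[-16:]), matches_request(SAMPLE_KEY, "DEADBEEF"))
```

A caller would refuse to import when `matches_request` returns False; requesting by full 40-digit fingerprint makes the comparison cover the whole hash rather than its last 32 or 64 bits.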