
Check keyid after downloading key from keyserver and before importing it
Closed, Resolved, Public

Description

When downloading a key from a keyserver with --recv-key it appears that gnupg
does not check that the keyid of the downloaded key matches the keyid of the
requested key. It would be nice to get a --strict mode (or even make that
default) that warns/refuses if the keyids are not matching.

If you agree with the general idea I can look into providing a patch for this.

Event Timeline

werner claimed this task.

We have meanwhile implemented such a check.
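
The check requested in this task can also be done outside gpg. The following is an added example, not GnuPG's own implementation: it takes a `gpg --with-colons` listing of the downloaded key material (for instance from `--import-options show-only --import`) and reports every key block that contains neither the requested key ID nor fingerprint. The function names and the sample listing are assumptions made for illustration, and v4 keys are assumed.

```python
import re

# Constructed `gpg --with-colons` listing of a keyserver reply holding two key
# blocks; every key ID, fingerprint and user ID below is made up.
SAMPLE = """\
pub:-:255:22:7777888899990000:1500000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1500000000::::Alice <alice@example.org>:
sub:-:255:18:CCCCDDDDEEEEFFFF:1500000000::::::e:
fpr:::::::::AAAA0000BBBB1111CCCC2222CCCCDDDDEEEEFFFF:
pub:-:255:22:0123456789ABCDEF:1500000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
uid:-::::1500000000::::Mallory <mallory@example.org>:
"""


def key_blocks(listing):
    """Group fingerprints per key block: [primary_fpr, subkey_fpr, ...]."""
    blocks = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":              # a new key block starts here
            blocks.append([])
        elif fields[0] == "fpr" and blocks and len(fields) > 9:
            blocks[-1].append(fields[9].upper())   # field 10 is the fingerprint
    return blocks


def normalize(requested):
    """Accept a 64-bit key ID or a full v4 fingerprint, with optional 0x/spaces."""
    ident = re.sub(r"\s+", "", requested).upper().removeprefix("0X")
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", ident):
        raise ValueError("expected a 16-hex key ID or a 40-hex fingerprint")
    return ident


def unexpected_keys(requested, listing):
    """Primary fingerprints of downloaded blocks that lack the requested key."""
    ident = normalize(requested)
    # Assumption: v4 keys, whose key ID is the low 64 bits of the fingerprint.
    return [b[0] for b in key_blocks(listing)
            if b and not any(fpr.endswith(ident) for fpr in b)]


def safe_to_import(requested, listing):
    """True only if something was returned and every block matches the request."""
    blocks = [b for b in key_blocks(listing) if b]
    return bool(blocks) and not unexpected_keys(requested, listing)
```

32-bit key IDs are rejected on purpose, because a match on only eight hex digits says little about which key was actually returned.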