--recv-key with full fingerprint does not actually check that the received key matches the fingerprint
Closed, ResolvedPublic

Description

While gpg --recv-key <full fingerprint> does send the full fingerprint to the
keyserver, it doesn't verify that the received key(s) match that fingerprint.

For example, `gpg --keyserver hkp://imperialviolet.org:8080 --recv-key 0000000000000000000000000000000000000000`
will fetch my public key, despite it not having that fingerprint.

This certainly surprised me and I fear that other people may also make the incorrect
assumption that --recv-key with a full fingerprint is safe without further checking:
I'm aware of two other people who did.

This patch appears to be related:
http://lists.gnupg.org/pipermail/gnupg-devel/2013-September/027964.html
but I'm unable to check whether it was included because I cannot currently
reach git.gnupg.org.

(This issue is similar to T1444, although that
only discusses matching the keyid, which is too small to be collision resistant.)
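Until a GnuPG with the fix is in place, the check the report asks for can be done on the caller's side: receive the key into a throwaway homedir, read back the primary-key fingerprints with `--with-colons`, and only hand the key to the real keyring when exactly one key came back and its fingerprint is the one requested. The script below is an added example, not code from the report or from GnuPG; it assumes a `gpg` binary on PATH, and the `--with-colons` listing embedded in it is constructed sample data (made-up key ids, fingerprints and user id).

```python
"""Receive a key by full fingerprint and accept it only if the fingerprint matches."""
import subprocess
import sys
import tempfile

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output,
# as it might look after --recv-keys into an empty temporary keyring.
# Every key id, fingerprint, date and uid here is made up for this example.
SAMPLE_COLONS_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
"""


def normalize_fingerprint(fpr):
    """Drop whitespace and upper-case so spaced user input compares cleanly."""
    return "".join(fpr.split()).upper()


def primary_fingerprints(colons_output):
    """Return the fingerprints of the *primary* keys in --with-colons output.

    An 'fpr' record describes the 'pub'/'sub' record just before it, so only
    the fpr line following a 'pub' (or 'sec') record is a primary fingerprint;
    subkey fingerprints are deliberately ignored.
    """
    found = []
    expecting_primary_fpr = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype in ("pub", "sec"):
            expecting_primary_fpr = True
        elif rectype == "fpr" and expecting_primary_fpr:
            found.append(fields[9].upper())  # field 10 of an fpr record is the fingerprint
            expecting_primary_fpr = False
        elif rectype in ("sub", "ssb"):
            expecting_primary_fpr = False
    return found


def verify_received_key(colons_output, expected_fingerprint):
    """True only if exactly one primary key was received and it is the requested one.

    No key, several keys, or a key with a different fingerprint all count as
    failure: that is the check --recv-key itself was not making.
    """
    expected = normalize_fingerprint(expected_fingerprint)
    if len(expected) not in (40, 64):  # full v4 (160-bit) or v5 fingerprint, never a short key id
        raise ValueError("expected a full fingerprint, not a key id")
    return primary_fingerprints(colons_output) == [expected]


def fetch_and_verify(fingerprint, keyserver):
    """Receive into a throwaway homedir, verify, and return the exported key bytes.

    Returns None when the received material does not match, so nothing ever
    touches the caller's real keyring unless the fingerprint checked out.
    """
    with tempfile.TemporaryDirectory() as homedir:
        base = ["gpg", "--batch", "--homedir", homedir]
        subprocess.run(base + ["--keyserver", keyserver, "--recv-keys", fingerprint],
                       check=True, capture_output=True)
        listing = subprocess.run(base + ["--with-colons", "--fingerprint", "--list-keys"],
                                 check=True, capture_output=True, text=True).stdout
        if not verify_received_key(listing, fingerprint):
            return None
        return subprocess.run(base + ["--export", normalize_fingerprint(fingerprint)],
                              check=True, capture_output=True).stdout


if __name__ == "__main__":
    # usage: python recv_verified.py <full fingerprint> <keyserver url>
    key = fetch_and_verify(sys.argv[1], sys.argv[2])
    if key is None:
        sys.exit("received key does not match the requested fingerprint; not importing")
    # Pipe the verified key into the real keyring.
    subprocess.run(["gpg", "--batch", "--import"], input=key, check=True)
```

The parsing is kept separate from the `gpg` calls so the decision logic can be exercised on a captured listing without a network or keyserver; with a GnuPG that already contains the fix, a mismatched key is simply never imported into the temporary keyring, and the same check fails because the listing is empty.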

agl added a subscriber: agl.
agl added a comment.Dec 12 2013, 9:22 PM

Also related (includes patch): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725411

werner added a subscriber: werner.Aug 29 2014, 11:37 AM

Meanwhile implemented in all branches.

werner closed this task as Resolved.Aug 29 2014, 11:37 AM
werner claimed this task.