
Retrieving a key with --recv-key should verify the received key matches the key ID.
Closed, Resolved · Public

Description

I set up a server to mimic a key server and return a plain text file from
pks/lookup. I then added a random public key to the lookup file. I then
requested a different key from the command line using "gpg --keyserver
hkp://localhost --recv-keys 0xFBB75451". To my surprise, the fake key imported
without error. Ideally, GnuPG should check the returned key's fingerprint
against the fingerprint being requested. If the fingerprints do not match, the
import should fail.

Since key server communication is not encrypted, an adversary can easily reply
with a fake key and intercept subsequent encrypted communication.

Details

Version
1.4.16

Event Timeline

werner added a subscriber: werner.

No, he can't. The data received from a keyserver is by definition unreliable.
It may be any kind of trash. gpg takes care of ensuring that the data (i.e. the
keys) are consistent.

There has been a long and heated debate over this recently on whether the
additional check introduced with 1.4.18 is at all useful. In any case what you
requested is in all recent versions of gpg. I thus close this bug.

werner claimed this task.