Page MenuHome GnuPG
Create Task
Maniphest T3198

GnuPG should fail to send a key to a keyserver on "unknown options"
Closed, ResolvedPublic
Actions

Description

On gpg (GnuPG) 2.1.18 on Debian Testing, which I was using for an university assignment, I accidentally messed up the command order and supplied --keyserver after --send-keys.

Instead of bailing out due to not understanding it, GnuPG decided to upload my key to the wrong keyserver without asking me, leaking a public key I only intended to use for an university assignment to a public server with no way to undo it.

Expected result:

$ gpg —send-keys 6B1816496C48E48BD3FBAA20B22FD1EDBF11B728 —keyserver sec1.aii.avans.nl
gpg: Note: '--keyserver' is not considered an option: bailing out

Actual result:

$ gpg —send-keys 6B1816496C48E48BD3FBAA20B22FD1EDBF11B728 —keyserver sec1.aii.avans.nl
gpg: Note: '--keyserver' is not considered an option
gpg: "--keyserver" not a key ID: skipping
gpg: "sec1.aii.avans.nl" not a key ID: skipping
gpg: sending key B22FD1EDBF11B728 to hkp://keys.gnupg.net

Note: I have searched the bugtracker but could not find any issue like this.

Details

Version
2.1.18

Event Timeline

SylvieLorxu created this task.Jun 7 2017, 10:24 AM
SylvieLorxu updated the task description. (Show Details)
werner added a project: Not A Bug.Jun 7 2017, 1:08 PM
werner added a subscriber: werner.

Option parsing stops at the first non-option. "--keyserver" and "sec1...." could have also been key specifications.
Because sometimes people make errors we print a warning. But we can't bail out on a perfectly valid command line. That is the same why

rm -rf * ~

does what it says and not just removes the backup files.

I am sorry about your problem, but with a public key anyone at your site could have fetched the key as well and distributed it worldwide.

werner closed this task as Resolved.Jun 7 2017, 1:09 PM
werner claimed this task.
SylvieLorxu added a comment.Jun 7 2017, 1:19 PM

gpg: Note: '--keyserver' is not considered an option

This states that GnuPG recognizes this was likely meant as an option and that the user likely made a mistake. It makes no sense to recognize something is wrong and then bulldoze through it. I understand not wanting to bail out on a "perfectly valid command line", but in interactive usage, you could at least give the user 5 seconds to press Ctrl+C then instead. The code already knows the user most likely made a mistake. Especially because this is security software, giving the user some way to recover when you can tell something is a mistake seems sensible.

werner added a comment.Jun 7 2017, 1:33 PM

A few people asked for this generic option help; it is not specific to keyservers. Now we implemented that and still not okay for everyone, oh dear.

#insert <standard-unix-is-friendly-but-disclaimer>