Page MenuHome GnuPG
Create Task
Maniphest T4606

Release GnuPG 2.2.17
Closed, ResolvedPublic
Actions

Description

Noteworthy changes in 2.2.17:

  • gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [T4607]
  • gpg: If an imported keyblocks is too large to be stored in the keybox (pubring.kbx) do not error out but fallback to an import using the options "self-sigs-only,import-clean". [T4591]
  • gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate.
  • gpg: New import option "self-sigs-only".
  • gpg: In --auto-key-retrieve prefer WKD over keyservers. [T4595]
  • dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [T4590].
  • dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. [T4603]
  • dirmngr: Fix endless loop due to http errors 503 and 504. [T4600]
  • dirmngr: Fix TLS bug during redirection of HKP requests. [T4566]
  • gpgconf: Fix a race condition when killing components. [T4577]

Details

External Link
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html

Related Objects
Search...

Event Timeline

werner created this task.Jul 3 2019, 6:00 PM
werner moved this task from Backlog to For next release on the gnupg (gpg22) board.
werner added subtasks: T4591: gpg drops flooded certificates entirely if the certficate is too large, and gpg is using `pubring.kbx`, T4599: remap `--search` to `--locate-keys` (with warning), T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver, T4600: dirmngr enters a loop when the keyserver returns 503 error, T4603: dirmngr WKD redirection changes paths.Jul 3 2019, 6:11 PM
werner removed a subtask: T4599: remap `--search` to `--locate-keys` (with warning).Jul 4 2019, 11:33 AM
werner added a subtask: T4607: enable `import-clean` by default.Jul 4 2019, 3:47 PM
werner closed subtask T4607: enable `import-clean` by default as Resolved.Jul 4 2019, 4:00 PM
werner closed subtask T4591: gpg drops flooded certificates entirely if the certficate is too large, and gpg is using `pubring.kbx` as Resolved.Jul 4 2019, 4:25 PM
werner closed subtask T4603: dirmngr WKD redirection changes paths as Resolved.
werner closed subtask T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver as Resolved.Jul 5 2019, 10:49 AM
gniibe added a subscriber: gniibe.Jul 9 2019, 4:46 AM

Please consider to backport rG914fa3be22bf: dirmngr: Support the new WKD draft with the openpgpkey subdomain. from master. Cherry-pick mostly works, only dirmngr/server.c needs manual edit (because of resolve_dns_name change).
Allowing WKD service by subdomain (openpgpkey) is good, because it is easier to deploy by separate admin, in some situations.

werner added a comment.Jul 9 2019, 1:27 PM

I did this already on July 3 with commit 458973f502b9a43ecf29e804a2c0c86e78f5927a

werner updated the task description. (Show Details)Jul 9 2019, 3:21 PM
werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html.
werner closed this task as Resolved.Jul 9 2019, 5:21 PM

Release done.

gniibe added a comment.Jul 10 2019, 1:25 AM

Err... my repo for 2.2 was a week old. Now, I updated, and confirmed it's there.
Thanks having the support!

werner mentioned this in T5339: "web of trust" don't work - Don't import the validity of third parties.Mar 6 2021, 11:24 AM