Change Details

Seems something went wrong (local error) when setting up an LDAP server for key storage. So after configuring something like (`.gnupg/gpg.conf`) ``` keyserver ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret ``` (this is single line, of couse) ... and publishing a particular key, I receive an error: ``` gpg --send-keys 6AD74D237F2EEA93271474C20840333D9F15A045 gpg: sending key 0840333D9F15A045 to ldap://ldap-server.demo.gnupg.com/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret gpg: keyserver send failed: Invalid LDAP credentials gpg: keyserver send failed: Invalid LDAP credentials ``` The actual problem: That password (`secret`) should not be shown in any error message unless required by the user. The current situation allows credential stealing by a watcher. Observed with gnupg 2.2.27 and kleopatra 20.08.3 (which echos the gpg error message).

Seems something went wrong (local error) when setting up an LDAP server for key storage. So after configuring something like (`.gnupg/gpg.conf`) ``` keyserver ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret ``` (this is single line, of couse) ... and publishing a particular key, I receive an error: ``` gpg --send-keys 6AD74D237F2EEA93271474C20840333D9F15A045 gpg: sending key 0840333D9F15A045 to ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret gpg: keyserver send failed: Invalid LDAP credentials gpg: keyserver send failed: Invalid LDAP credentials ``` The actual problem: That password (`secret`) should not be shown in any error message unless required by the user. The current situation allows credential stealing by a watcher. Observed with gnupg 2.2.27 and kleopatra 20.08.3 (which echos the gpg error message).

Seems something went wrong (local error) when setting up an LDAP server for key storage. So after configuring something like (`.gnupg/gpg.conf`) ``` keyserver ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret ``` (this is single line, of couse) ... and publishing a particular key, I receive an error: ``` gpg --send-keys 6AD74D237F2EEA93271474C20840333D9F15A045 gpg: sending key 0840333D9F15A045 to ldap://ldap-server.demo.gnupg.com/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret gpg: keyserver send failed: Invalid LDAP credentials gpg: keyserver send failed: Invalid LDAP credentials ``` The actual problem: That password (`secret`) should not be shown in any error message unless required by the user. The current situation allows credential stealing by a watcher. Observed with gnupg 2.2.27 and kleopatra 20.08.3 (which echos the gpg error message).