Your message dated Tue, 18 Jun 2019 19:07:38 +0000
with message-id <[email protected]>
and subject line Bug#930665: fixed in gnupg2 2.2.16-2
has caused the Debian Bug report #930665,
regarding gpg won't import valid self-signatures if no user ids are present in imported transferable public key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gpg
Version: 2.2.13-2
Severity: normal

Dear Maintainer,

in the current version of GnuPG, signatures will be imported from public key
blocks only if they are accompanied by a UserID packet plus valid signature.
However, self-signatures on the key itself and on subkeys can be
cryptographically verified, independently of user ids. This opens a use case of
transferring revocations and updates on subkeys, without revealing the key's
user ids.

For instance, consider a case where I have the following key in my keyring:

> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mDMEXECaehYJKwYBBAHaRw8BAQdAAiJ1/GyBM4kgpY/nx+sXytMi8I+x8MW0/NBq
> 3jepKpG0E0RhbmllbCBLYWhuIEdpbGxtb3KImQQTFggAQQIbAQUJA8JnAAULCQgH
> AgYVCgkICwIEFgIDAQIeAQIXgBYhBHI+NDrAAzHwNHPmg3vloR+jfochBQJcQJsl
> AhkBAAoJEHvloR+jfoch7q0A/3AMFfxPJGJ5rljN8qMctaFWAzAGc5rElBFQ433t
> vuFYAQDagLYOFgcv9A5axQR4O0oYXJKfMBuImqaWyhDRg/MbAA==
> =dSe7
> -----END PGP PUBLIC KEY BLOCK-----

The following PGP block contains the same primary key, as well as a valid
revocation signature:

> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mDMEXECaehYJKwYBBAHaRw8BAQdAAiJ1/GyBM4kgpY/nx+sXytMi8I+x8MW0/NBq
> 3jepKpGIeAQgFggAIBYhBHI+NDrAAzHwNHPmg3vloR+jfochBQJcQJp6Ah0AAAoJ
> EHvloR+jfochA+QA/jzjDXDZxwNd39ZfEkngWkR3Xebc96hCkTu9+jlbQnL/AP0b
> HrIUG62g5BGzePFhXB+XtSpRL1g4H1Ywsd+GdWymBQ==
> =KuHa
> -----END PGP PUBLIC KEY BLOCK-----

Importing this via `gpg --import` will yield an error:

> gpg: key 0x7BE5A11FA37E8721: no user ID

The key in my keyring will remain valid and unrevoked, even though a keyblock
that contained a cryptographically valid revocation signature was encountered by
GnuPG during an import operation.

User IDs typically contain data that is of a more personal nature than the
cryptographic information stored in other packets. It is arguably a quite
important use case to distribute updates to cryptographic data in an OpenPGP
certificate independently of personal information. This applies in particular to
revoked keys, where usually the only important thing to distribute is the
revocation itself. In countries where GDPR applies, it can also be interpreted
as a legal obligation to distribute User IDs only with the consent of their owner.

A related effort is a new keyserver implementation [Hagrid], which went live
last week at https://keys.openpgp.org/ (disclaimer: I'm the maintainer of said
project).  This keyserver publishes identity information only after verification
via e-mail, but distributes non-identity information freely. This was received
very well by the community so far. However, since GnuPG won't import keys
without identity information, a `gpg --refresh-keys` will not update any keys
which don't have at least one verified identity.

I contributed a patch series to GnuPG (see [patch mail] on gnupg-devel) that
implements the desired behavior, which is currently under review. Since GnuPG
already supports a similar (but different) mechanism via the import-option
"import-drop-uids" on its current master (see [related announcement]), the
required changes are relatively unintrusive.

Given the increasing reliability issues of the sks keyserver pool to distribute
OpenPGP certificate updates (in particular, key revocations), and the freshly
changing landscape of keyservers, I would welcome a speedy distribution and,
ideally, backport of this patch in the debian packaging of GnuPG.

Thanks

 - V

[section 11.1]: https://tools.ietf.org/html/rfc4880#section-11.1
[Hagrid]: https://gitlab.com/hagrid-keyserver/hagrid/
[related announcement]: https://lists.gnupg.org/pipermail/gnupg-devel/2018-October/033969.html
[patch mail]: mid:[email protected]

--- End Message ---
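A packet-level view of the two key blocks quoted in the report, as an added example that is not part of the bug report or of GnuPG's code. It dearmors each block, lists its packets, computes the v4 primary-key fingerprint as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet body length and the key packet body), and reads the Issuer Fingerprint / Issuer subpackets out of each signature, which is enough to tie the revocation signature to the primary key with no User ID packet present. Function names are my own; it does not verify the EdDSA signature itself, which needs a library outside the Python standard library.

```python
import base64
import hashlib

# Both armored blocks are copied from the bug report: the key as held in the keyring, then the update.
KEYRING_BLOCK = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXECaehYJKwYBBAHaRw8BAQdAAiJ1/GyBM4kgpY/nx+sXytMi8I+x8MW0/NBq
3jepKpG0E0RhbmllbCBLYWhuIEdpbGxtb3KImQQTFggAQQIbAQUJA8JnAAULCQgH
AgYVCgkICwIEFgIDAQIeAQIXgBYhBHI+NDrAAzHwNHPmg3vloR+jfochBQJcQJsl
AhkBAAoJEHvloR+jfoch7q0A/3AMFfxPJGJ5rljN8qMctaFWAzAGc5rElBFQ433t
vuFYAQDagLYOFgcv9A5axQR4O0oYXJKfMBuImqaWyhDRg/MbAA==
=dSe7
-----END PGP PUBLIC KEY BLOCK-----
"""
REVOCATION_BLOCK = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXECaehYJKwYBBAHaRw8BAQdAAiJ1/GyBM4kgpY/nx+sXytMi8I+x8MW0/NBq
3jepKpGIeAQgFggAIBYhBHI+NDrAAzHwNHPmg3vloR+jfochBQJcQJp6Ah0AAAoJ
EHvloR+jfochA+QA/jzjDXDZxwNd39ZfEkngWkR3Xebc96hCkTu9+jlbQnL/AP0b
HrIUG62g5BGzePFhXB+XtSpRL1g4H1Ywsd+GdWymBQ==
=KuHa
-----END PGP PUBLIC KEY BLOCK-----
"""
TAG_NAMES = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}
SIG_TYPES = {0x13: "positive cert", 0x18: "subkey binding", 0x1F: "direct key", 0x20: "key revocation"}

def dearmor(armored):
    """Drop the armor header lines and the '=xxxx' CRC24 line, base64-decode the rest."""
    lines = [ln.strip() for ln in armored.splitlines()]
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN"))
    body = lines[lines.index("", begin) + 1:]            # armor headers end at a blank line
    return base64.b64decode("".join(ln for ln in body if ln[:1] not in ("=", "-")))

def new_length(buf, j, subpacket=False):
    """RFC 4880 4.2.2 (packets) / 5.2.3.1 (subpackets) length; returns (length, octets used)."""
    first = buf[j]
    if first < 192:
        return first, 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[j + 1] + 192, 2
    if first == 255:
        return int.from_bytes(buf[j + 1:j + 5], "big"), 5
    raise ValueError("partial body lengths not handled")

def parse_packets(data):
    """Yield (tag, body) for every packet; accepts old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, (length, used) = ctb & 0x3F, new_length(data, i + 1)
            hdr = 1 + used
        else:                                            # old format: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            hdr = 1 + (1 << ltype) if ltype < 3 else 1   # ltype 3: body runs to end of data
            length = int.from_bytes(data[i + 1:i + hdr], "big") if ltype < 3 else len(data) - i - 1
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length and the key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def sig_subpackets(sig_body):
    """Yield (type, data) over the hashed, then the unhashed, subpacket area of a v4 signature."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    pos = 4                                              # version, sig type, pk algo, hash algo
    for _ in range(2):
        n = int.from_bytes(sig_body[pos:pos + 2], "big")
        area, pos = sig_body[pos + 2:pos + 2 + n], pos + 2 + n
        j = 0
        while j < len(area):
            sl, used = new_length(area, j, subpacket=True)
            sub = area[j + used:j + used + sl]
            yield sub[0] & 0x7F, sub[1:]                 # mask the "critical" bit off the type
            j += used + sl

def issuer_of(sig_body):
    """Hex Issuer Fingerprint (subpacket 33, after its version octet), else the Issuer key ID (16)."""
    subs = dict(sig_subpackets(sig_body))
    return subs[33][1:].hex().upper() if 33 in subs else subs.get(16, b"").hex().upper() or None

def describe(armored):
    """Readable packet list, e.g. ['Public-Key', 'Signature (key revocation)']."""
    return [TAG_NAMES.get(t, "tag %d" % t) + (" (%s)" % SIG_TYPES.get(b[1], "type 0x%02x" % b[1]) if t == 2 else "")
            for t, b in parse_packets(dearmor(armored))]

def uid_free_self_signed(armored):
    """True when the block has no User ID and every signature is issued by its own primary key."""
    packets = list(parse_packets(dearmor(armored)))
    primaries = [b for t, b in packets if t == 6]
    if len(primaries) != 1 or any(t == 13 for t, _ in packets):
        return False
    fpr = v4_fingerprint(primaries[0])
    return all(fpr.endswith(issuer_of(b) or "?") for t, b in packets if t == 2)
```

`describe(KEYRING_BLOCK)` gives Public-Key, User ID, Signature (positive cert); `describe(REVOCATION_BLOCK)` gives Public-Key, Signature (key revocation), and `uid_free_self_signed` reports that the revocation's issuer subpackets name the very key in the block. That is the structural half of the argument in the report: an importer has everything it needs to locate the key and verify the self-signature without a User ID packet. The cryptographic half (checking the EdDSA signature over the key packet) is what gpg does on import, and the 2.2.16-2 changelog entry "enable cert update without uids" is the change that lets it do so for blocks like the second one.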
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.16-2

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Jun 2019 12:59:57 -0400
Source: gnupg2
Architecture: source
Version: 2.2.16-2
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 930042 930665
Changes:
 gnupg2 (2.2.16-2) experimental; urgency=medium
 .
   * fix HKPS redirections
   * drop dh_missing --fail-missing (Closes: #930042)
   * enable cert update without uids (Closes: #930665)
   * fix upstream spelling of 'arbitrary'
Checksums-Sha1:
 ae40f98b810f110ba3426230f9612503d6919e15 3164 gnupg2_2.2.16-2.dsc
 e397b3fb247f42146bed419d9f06e41ddfbb1fca 61568 gnupg2_2.2.16-2.debian.tar.xz
 90188709c3f461400076ec714964260a2272691e 19147 gnupg2_2.2.16-2_amd64.buildinfo
Checksums-Sha256:
 0fd99806173b220b0d168253aadb16b7daedd9e973cd9fdf8d492c2d545cab76 3164 gnupg2_2.2.16-2.dsc
 e245993acfc3ec0c54109ae3fe2d1d7f88822ec36432422cad715ad4b833ff3b 61568 gnupg2_2.2.16-2.debian.tar.xz
 06915a08ef898216b2e2b6a2f410ee80a5e8cecd2189f2dec9af2da875e3e812 19147 gnupg2_2.2.16-2_amd64.buildinfo
Files:
 41d9179da9daec96de416d2a450ec17e 3164 utils optional gnupg2_2.2.16-2.dsc
 0a68aae83671d7b1d4cadec5aa64a3e4 61568 utils optional gnupg2_2.2.16-2.debian.tar.xz
 fe1fd898089683f8e9f437546a3198fc 19147 utils optional gnupg2_2.2.16-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXQkeZQAKCRB2GBllKa5f
+ElTAQD6KIhzCHEqc26db8kXJ7f+jUnIIruFghRWQPPNS3IEhgD/cCjp/bvySwnZ
MFre16ZpYoMIUZj6Lv3wic1DwKdrYQw=
=+Xch
-----END PGP SIGNATURE-----

--- End Message ---