Package: gnupg
Version: 2.2.5-1
Severity: important

Recent email exchanges show that GPG short ID collisions become
less uncommon nowadays. So every program dealing with GPG and
security must disregard the usage of short key IDs.

Here is my current status regarding this issue:
---------------8<-------------------------------
$ grep default-key ~/.gnupg/gpg.conf
default-key 7136AE39
$ gpg --version
gpg (GnuPG) 2.2.5
...
---------------8<-------------------------------

I was using a short key ID for a long time (my fault, I shall fix it).
However, gpg never complained.

For the sake of future security, gpg should at least issue a warning and
disregard the short key ID when it is part of
the configuration file.

I filed a merge request for the package gnupg2:
https://salsa.debian.org/debian/gnupg2/merge_requests/3

Thank you in advance for any comment.



-- System Information:
Debian Release: buster/sid
  APT prefers stable
  APT policy: (900, 'stable'), (499, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  dirmngr         2.2.5-1
ii  gnupg-l10n      2.2.5-1
ii  gnupg-utils     2.2.5-1
ii  gpg             2.2.5-1
ii  gpg-agent       2.2.5-1
ii  gpg-wks-client  2.2.5-1
ii  gpg-wks-server  2.2.5-1
ii  gpgsm           2.2.5-1
ii  gpgv            2.2.5-1

gnupg recommends no packages.

Versions of packages gnupg suggests:
pn  parcimonie  <none>
ii  xloadimage  4.1-24

-- no debconf information
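A configuration check of the kind proposed above, added here as an example (it is not part of the bug report, of the merge request, or of GnuPG itself): it scans a gpg.conf for key-selecting options whose value is a short or long key ID rather than a full fingerprint. The option names other than default-key, and the sample configuration, are assumptions.

```python
import re

# gpg.conf options whose argument selects a key. default-key is the one in the
# report; the others are standard gpg options that also accept a key specifier.
KEY_OPTIONS = {"default-key", "local-user", "encrypt-to", "hidden-encrypt-to",
               "default-recipient", "trusted-key"}

# optional 0x prefix, hex digits, optional '!' (force exactly this (sub)key)
HEX_KEYSPEC = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)!?$")


def classify_keyspec(spec):
    """Classify a key specifier: 'short' (32-bit ID), 'long' (64-bit ID),
    'fingerprint' (full v4/v5 fingerprint) or 'other' (user-ID match etc.)."""
    m = HEX_KEYSPEC.match(spec)
    if not m:
        return "other"
    digits = len(m.group(1))
    return {8: "short", 16: "long", 40: "fingerprint", 64: "fingerprint"}.get(digits, "other")


def audit_gpg_conf(text):
    """Return (line_no, option, value, kind) for each key-selecting option whose
    value is a short or long key ID rather than a full fingerprint."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # gpg.conf comment lines
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "opt value" or "opt=value"
        option = parts[0].lstrip("-")
        if option in KEY_OPTIONS and len(parts) == 2:
            value = parts[1].strip()
            kind = classify_keyspec(value)
            if kind in ("short", "long"):
                findings.append((lineno, option, value, kind))
    return findings


# Constructed sample configuration: the short ID is the one quoted in the report,
# the long ID and the all-zero fingerprint are placeholders.
SAMPLE_CONF = """\
# ~/.gnupg/gpg.conf (constructed)
default-key 7136AE39
encrypt-to 0x1234567890ABCDEF
local-user 0000000000000000000000000000000000000000!
keyserver hkps://keyserver.example.org
"""

if __name__ == "__main__":
    for lineno, option, value, kind in audit_gpg_conf(SAMPLE_CONF):
        print(f"gpg.conf:{lineno}: {option} uses a {kind} key ID ({value}); "
              f"use the full fingerprint instead")
```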
