Bug#895646: gnupg: do not allow short key IDS in gpg.conf

2018-08-03 Thread Georg Faerber
Hi,

On 18-08-02 09:21:38, Taowa wrote:
> Would this be acceptable behaviour:
>
> [...]

Probably, this should be discussed and integrated upstream, to let all
users benefit from it and to limit the burden of carrying additional
patches in Debian.

Cheers,
Georg




Bug#895646: gnupg: do not allow short key IDS in gpg.conf

2018-08-01 Thread Taowa
Would this be acceptable behaviour:

- If the short key ID matches only one key in the keyring (and that key is 
ultimately trusted, maybe), issue a warning to the user (the assumption being 
that the user almost definitely has their own key in their keyring)

- If the short key ID matches multiple key IDs, fail with an error and tell the 
user to change their gpg.conf

Taowa
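
As an added example (not GnuPG code and not from anyone in this thread), here is a checker that applies the policy proposed above to a gpg.conf and a `gpg --with-colons --list-keys` listing; the keyring sample is constructed, and treating a short ID that matches no key as an error is my assumption beyond the proposal.

```python
"""Check gpg.conf's default-key against a keyring listing (added example)."""
import re

# Constructed sample in `gpg --with-colons --list-keys` format; fingerprints are
# made up. The first two keys collide on the 32-bit short ID 7136AE39.
SAMPLE_KEYRING = """\
pub:u:4096:1:AAAAAAAA7136AE39:1500000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAA7136AE39:
pub:-:2048:1:BBBBBBBB7136AE39:1500000000::::::scESC::::::23::0:
fpr:::::::::FEDCBA987654321076543210BBBBBBBB7136AE39:
pub:-:2048:1:CCCCCCCCDDDDDDDD:1500000000::::::scESC::::::23::0:
fpr:::::::::000000000000000000000000CCCCCCCCDDDDDDDD:
"""

def parse_keyring(colons_output):
    """Return [(primary fingerprint, validity)] from pub/fpr records."""
    keys, validity = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            validity = fields[1]          # 'u' means ultimately trusted
        elif fields[0] == "fpr" and validity is not None:
            keys.append((fields[9].upper(), validity))
            validity = None               # ignore fpr records of subkeys
    return keys

def check_default_key(conf_text, keys):
    """Return (level, message); level is 'ok', 'warn' or 'error'."""
    m = re.search(r"^\s*default-key\s+(\S+)", conf_text, re.M)
    if not m:
        return ("ok", "no default-key in gpg.conf")
    value = m.group(1)
    keyid = value[2:] if value.lower().startswith("0x") else value
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", keyid):
        return ("ok", f"default-key {value} is not a short key ID")
    matches = [(fpr, v) for fpr, v in keys if fpr.endswith(keyid.upper())]
    if len(matches) > 1:
        return ("error", f"short key ID {keyid} matches {len(matches)} keys; "
                "set default-key to a full fingerprint in gpg.conf")
    if not matches:
        return ("error", f"short key ID {keyid} matches no key in the keyring")
    fpr, validity = matches[0]
    trust = "ultimately trusted" if validity == "u" else "not ultimately trusted"
    return ("warn", f"short key ID {keyid} resolves to {fpr} ({trust}); "
            "short IDs are not collision-safe, use the full fingerprint")

if __name__ == "__main__":
    keys = parse_keyring(SAMPLE_KEYRING)
    print(*check_default_key("default-key 7136AE39\n", keys))
```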



Bug#895646: gnupg: do not allow short key IDS in gpg.conf

2018-04-14 Thread Georges Khaznadar
Some more information:

Thanks to Ian Jackson, I saw that it is not safe to ignore a line with
"default-key 12345678" (or any other short ID) in gpg's configuration
file, because it can result in using another key chosen by gpg's logic
inside one's keyring.

So, the fix cannot be given by
https://salsa.debian.org/debian/gnupg2/merge_requests/3





Bug#895646: gnupg: do not allow short key IDS in gpg.conf

2018-04-13 Thread Georges Khaznadar
Package: gnupg
Version: 2.2.5-1
Severity: important

Recent email exchanges show that GPG short ID collisions become
less uncommon nowadays. So every program dealing with GPG and
security must disregard the usage of short key IDs.

Here is my current status regarding this issue:
---8<---
$ grep default-key ~/.gnupg/gpg.conf
default-key 7136AE39
$ gpg --version
gpg (GnuPG) 2.2.5
...
---8<---

I was using a short key ID for a long time (my fault, I shall fix it).
However, gpg never complained.

For the sake of future security, gpg should at least issue a warning and
disregard the short key ID when it is part of
the configuration file.

I filed a merge request for the package gnupg2:
https://salsa.debian.org/debian/gnupg2/merge_requests/3

Thank you in advance for any comment.



-- System Information:
Debian Release: buster/sid
  APT prefers stable
  APT policy: (900, 'stable'), (499, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  dirmngr 2.2.5-1
ii  gnupg-l10n  2.2.5-1
ii  gnupg-utils 2.2.5-1
ii  gpg 2.2.5-1
ii  gpg-agent   2.2.5-1
ii  gpg-wks-client  2.2.5-1
ii  gpg-wks-server  2.2.5-1
ii  gpgsm   2.2.5-1
ii  gpgv            2.2.5-1

gnupg recommends no packages.

Versions of packages gnupg suggests:
pn  parcimonie  
ii  xloadimage  4.1-24

-- no debconf information