On Sat, 2 May 2020, Wiktor Kwapisiewicz wrote:

> On 02.05.2020 07:55, Gabor Kiss wrote:
> > I would create such programs from scratch but I cannot
> > find even the format description of the dump file. :-(
>
> Last time I checked dumps were just packet piles so any OpenPGP tool
> could read it.

Thanks again for the hint.
I wrote a small Perl script to see what is in dump files at
http://keys.niif.hu/keydump/. (Server is managed by me.)

I found broken dumps. Certain RFC-4880 packets are truncated.
For example let's see signatures of key 0x7cec0e7c93115f7e:

00483ad0 89 01 22 04 10 01 02 00 0c 05 02 44 cf db 85 |..."........D...|
00483ae0 05 03 00 93 89 01 22 04 10 01 02 00 0c 05 02 4d |......"........M|

We can see a signature packet starting at 00483ad1.
(89 01 22 is a typical old style packet header.)
Its length should be 0x122 octets however it breaks in the middle of
the second subpacket starting at 00483ae0.
A new packet starts at 00483ae4 but my simple parser cannot detect this
and gets confused.
(Unfortunately such a truncated packet may block the import procedure
also on a newly set up key server, I guess.)

I cannot imagine how this dump could be created.
Could the attacker upload broken packets or is it "sks dump"
that garbled the dump file? Or did the file become bad during
compression/decompression?

Another observation: some keys have an enormous amount of signatures.
"Yegor Timoshenko <yegortimoshe...@riseup.net>" may be a recorder
with 174612 sigs. This is one of the poisoned keys, isn't it?

Gabor
--
No smoke, no drugs, no vindoze.
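
An added example (not part of the original message and not Gabor's Perl script): a Python walker for old-format RFC 4880 packet headers that flags a v4 signature whose subpacket areas overrun the declared packet length, as happens in the excerpt above, and then hunts for the next plausible header instead of trusting the bad length. The function names, the set of accepted tags and the GOOD packets are assumptions constructed for illustration; new-format headers are not handled.

```python
KEY_TAGS = {2, 6, 13, 14, 17}  # signature, public key, user ID, subkey, user attribute

def old_header(buf, i):
    """Old-format RFC 4880 header at i -> (tag, header_len, body_len), else None."""
    if buf[i] & 0xC0 != 0x80:
        return None                          # not an old-format tag octet
    tag, ltype = (buf[i] >> 2) & 0x0F, buf[i] & 0x03
    n = 1 << ltype                           # 1, 2 or 4 length octets
    if ltype == 3 or tag not in KEY_TAGS or i + 1 + n > len(buf):
        return None                          # indeterminate length, odd tag, or cut header
    return tag, 1 + n, int.from_bytes(buf[i + 1:i + 1 + n], "big")

def v4_sig_consistent(body, body_len):
    """False if a v4 signature's subpacket areas overrun the declared length."""
    if len(body) < 4 or body[0] != 4:
        return True                          # not v4: nothing is checked here
    pos = 4                                  # version, sig type, pk algo, hash algo
    for _ in range(2):                       # hashed area, then unhashed area
        if pos + 2 > len(body):
            return True                      # input ends first: cannot decide
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
        if pos > body_len:
            return False
    return pos + 2 <= body_len               # the 2-octet hash prefix must still fit

def walk(buf):
    """Return [(offset, tag, status)], hunting byte by byte after a bad packet."""
    i, out = 0, []
    while i < len(buf):
        h = old_header(buf, i)
        if h is None:
            i += 1                           # no plausible header here: keep hunting
            continue
        tag, hlen, blen = h
        body = buf[i + hlen:i + hlen + blen]
        if tag == 2 and not v4_sig_consistent(body, blen):
            status = "corrupt"               # internal lengths contradict the header
        else:
            status = "ok" if len(body) == blen else "short"  # short: input ends early
        out.append((i, tag, status))
        i += hlen + blen if status == "ok" else 1
    return out

# The 31 octets quoted in the post, starting at the 89 01 22 header.
PAGE = bytes.fromhex("89 01 22 04 10 01 02 00 0c 05 02 44 cf db 85"
                     "05 03 00 93 89 01 22 04 10 01 02 00 0c 05 02 4d")
# Constructed: a minimal well-formed v4 signature packet and a user ID packet.
GOOD = bytes.fromhex("8813 04100102 0006 05025ead0000 0000 dead 0008ff") + b"\xb4\x05alice"
print(walk(PAGE[:19] + GOOD))                # truncated packet, then two intact ones
```

Resynchronising on a header-looking octet is a heuristic: a byte inside damaged data can pass the header test, so anything reported after a corrupt packet is a candidate to re-verify, not a confirmed packet boundary.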