[pkg-gnupg-maint] Bug#802100: gnupg should fetch keys using hkps by default

Antoine Amarilli a3nm at a3nm.net
Sat Oct 17 14:31:22 UTC 2015

Package: gnupg
Version: 1.4.19-5
Severity: wishlist

Dear Maintainer,

By default, gpg requests keys using HKP server <keys.gnupg.net>. This allows a
passive attacker to obtain information about the keys requested by the user,
which may be harmful in terms of privacy.

I think that gpg should be using an HKPS server by default. See e.g.,

See also a similar bug for dirmngr:

Best regards,

Antoine Amarilli

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gpgv          1.4.19-5
ii  libbz2-1.0    1.0.6-8
ii  libc6         2.19-22
ii  libreadline6  6.3-8+b3
ii  libusb-0.1-4  2:0.1.12-27
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  gnupg-curl     1.4.19-5
ii  libldap-2.4-2  2.4.42+dfsg-2

Versions of packages gnupg suggests:
ii  eog           3.18.0-1
pn  gnupg-doc     <none>
ii  imagemagick   8:
ii  libpcsclite1  1.8.14-1
ii  parcimonie    0.9-3

-- debconf-show failed

More information about the pkg-gnupg-maint mailing list