[pkg-gnupg-maint] Bug#895646: gnupg: do not allow short key IDS in gpg.conf

Georges Khaznadar georgesk at debian.org
Fri Apr 13 23:35:34 BST 2018


Package: gnupg
Version: 2.2.5-1
Severity: important

Recent email exchanges show that GPG short ID collisions become
less uncommon nowadays. So every program dealing with GPG and
security must disregard the usage of short key IDs.

Here is my current status regarding this issue:
---------------8<-------------------------------
$ grep default-key ~/.gnupg/gpg.conf
default-key 7136AE39
$ gpg --version
gpg (GnuPG) 2.2.5
...
---------------8<-------------------------------

I was using a short key ID for a long time (my fault, I shall fix it)
However, gpg never complained.

For the sake of future security, gpg should at least issue a warning and
disregard the short key ID when it is part of
the configuration file.

I filed a merge request for the package gnupg2:
https://salsa.debian.org/debian/gnupg2/merge_requests/3

Thank you in advance for any comment.



-- System Information:
Debian Release: buster/sid
  APT prefers stable
  APT policy: (900, 'stable'), (499, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  dirmngr         2.2.5-1
ii  gnupg-l10n      2.2.5-1
ii  gnupg-utils     2.2.5-1
ii  gpg             2.2.5-1
ii  gpg-agent       2.2.5-1
ii  gpg-wks-client  2.2.5-1
ii  gpg-wks-server  2.2.5-1
ii  gpgsm           2.2.5-1
ii  gpgv            2.2.5-1

gnupg recommends no packages.

Versions of packages gnupg suggests:
pn  parcimonie  <none>
ii  xloadimage  4.1-24

-- no debconf information



More information about the pkg-gnupg-maint mailing list