[pkg-gnupg-maint] Bug#895646: gnupg: do not allow short key IDS in gpg.conf
Georges Khaznadar
georgesk at debian.org
Fri Apr 13 23:35:34 BST 2018
Package: gnupg
Version: 2.2.5-1
Severity: important
Recent email exchanges show that GPG short ID collisions are becoming
less uncommon nowadays. So every program dealing with GPG and
security must disregard the usage of short key IDs.
Here is my current status regarding this issue:
---------------8<-------------------------------
$ grep default-key ~/.gnupg/gpg.conf
default-key 7136AE39
$ gpg --version
gpg (GnuPG) 2.2.5
...
---------------8<-------------------------------
I was using a short key ID for a long time (my fault, I shall fix it).
However, gpg never complained.
For the sake of future security, gpg should at least issue a warning and
disregard the short key ID when it is part of the configuration file.
I filed a merge request for the package gnupg2:
https://salsa.debian.org/debian/gnupg2/merge_requests/3
Thank you in advance for any comment.
-- System Information:
Debian Release: buster/sid
APT prefers stable
APT policy: (900, 'stable'), (499, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gnupg depends on:
ii dirmngr 2.2.5-1
ii gnupg-l10n 2.2.5-1
ii gnupg-utils 2.2.5-1
ii gpg 2.2.5-1
ii gpg-agent 2.2.5-1
ii gpg-wks-client 2.2.5-1
ii gpg-wks-server 2.2.5-1
ii gpgsm 2.2.5-1
ii gpgv 2.2.5-1
gnupg recommends no packages.
Versions of packages gnupg suggests:
pn parcimonie <none>
ii xloadimage 4.1-24
-- no debconf information
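
Added example, not part of the original report and not GnuPG or Debian code: a small POSIX shell audit that reports options in a gpg.conf-style file whose value is an 8-hex-digit short key ID, such as the `default-key 7136AE39` line shown in the report. The function names and the fingerprint in the sample are constructed for illustration; the option list is a selection of gpg options that take a key specifier.

```shell
#!/bin/sh
# Added example (not GnuPG code): report short key IDs in a gpg.conf-style file.

# classify_keyspec SPEC -> prints short | long | fingerprint | other
classify_keyspec() {
    spec=${1#0[xX]}          # optional 0x prefix
    spec=${spec%\!}          # optional trailing "!" (use exactly this key)
    case "$spec" in
        ''|*[!0-9A-Fa-f]*) echo other; return 0 ;;   # user ID, e-mail, etc.
    esac
    case ${#spec} in
        8)  echo short ;;        # 32-bit key ID, the form the report is about
        16) echo long ;;         # 64-bit key ID
        40) echo fingerprint ;;  # full 160-bit fingerprint
        *)  echo other ;;
    esac
}

# audit_gpg_conf FILE -> prints "LINE:OPTION:VALUE" for each short key ID;
# exit status is 1 if any were found, 0 if none.
audit_gpg_conf() {
    file=$1 found=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f     # split on whitespace, no globbing
        [ $# -ge 2 ] || continue
        case "$1" in
            default-key|local-user|recipient|hidden-recipient|encrypt-to|\
hidden-encrypt-to|default-recipient|trusted-key|try-secret-key) ;;
            *) continue ;;               # comments and unrelated options
        esac
        if [ "$(classify_keyspec "$2")" = short ]; then
            echo "$n:$1:$2"
            found=1
        fi
    done < "$file"
    return "$found"
}

# Constructed sample: first value is the one from the report, second is made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed gpg.conf
default-key 7136AE39
encrypt-to 0123456789ABCDEF0123456789ABCDEF01234567
EOF
audit_gpg_conf "$sample" || echo "short key IDs present in sample config" >&2
rm -f "$sample"
```

Run against a real configuration with `audit_gpg_conf ~/.gnupg/gpg.conf`; a non-zero exit status makes it usable in a login or CI check.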