[pkg-gnupg-maint] Bug#930665: Bug#930665: gpg won't import valid self-signatures if no user ids are present in imported transferable public key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 18 12:53:09 BST 2019


Control: forwarded 930665 https://dev.gnupg.org/T4393
Control: severity 930665 important
Control: tags 930665 + confirmed

Hi Vincent--

On Tue 2019-06-18 01:04:02 +0200, Vincent Breitmoser wrote:
> in the current version of GnuPG, signatures will be imported from public key
> blocks only if they are accompanied by a UserID packet plus valid signature.
> However, self-signatures on the key itself and on subkeys can be
> cryptographically verified, independently of user ids. This opens a use case of
> transferring revocations and updates on subkeys, without revealing the key's
> user ids.

thanks for this report.  I think GnuPG's inability to receive these
kinds of cryptographic updates to OpenPGP certificates that it knows
about is at core a security risk (it makes it more likely that users
will use a revoked key; or will be unable to use any key at all, and
will send plaintext).

This risk is exacerbated by the ongoing failure of the traditional
keyserver network due to abuse, which is what newer keyservers like
keys.openpgp.org aim to withstand.

I've backported these changes to the 2.2.x branch, and am considering
applying them to the debian packaging for GnuPG so that debian users are
defended against these risks.

I'm hoping for more meaningful feedback from upstream on the associated
upstream bug report.

         --dkg
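To make the distinction in the report concrete, here is an added example (not from the bug report, GnuPG, or the Debian packaging) that walks the packets of a binary OpenPGP public key block and reports whether it is a UID-less update, i.e. a certificate carrying self-signatures and subkeys but no User ID packets, which is exactly what older GnuPG silently dropped on import. Header parsing follows RFC 4880 section 4.2; the two sample key blocks are constructed from placeholder bodies and contain no real key material.

```python
# Added example, not from the bug report or GnuPG: walk the packets of a binary
# OpenPGP transferable public key (RFC 4880 section 4.2 headers) and flag a
# "UID-less update": self-signatures and subkeys present, no User ID packets.
SIG_TYPES = {0x10: "uid-cert", 0x13: "uid-cert", 0x18: "subkey-binding",
             0x1F: "direct-key", 0x20: "key-revocation", 0x28: "subkey-revocation"}

def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                       # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:               # five-octet length
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def summarize(data: bytes) -> dict:
    """Count User ID packets (tag 13) and name the v4 signature types (tag 2)."""
    uids, sigs = 0, []
    for tag, body in iter_packets(data):
        if tag == 13:
            uids += 1
        elif tag == 2 and len(body) >= 2 and body[0] == 4:
            sigs.append(SIG_TYPES.get(body[1], "0x%02x" % body[1]))
    return {"user_ids": uids, "signatures": sigs,
            "uid_less_update": uids == 0 and bool(sigs)}

def pkt(tag: int, body: bytes, old: bool = False) -> bytes:
    # One-octet-length header (body < 192 bytes); only used to build test data.
    return (bytes([0x80 | tag << 2, len(body)]) if old else bytes([0xC0 | tag, len(body)])) + body

# Constructed dummies (placeholder bodies, no real key material):
PRIMARY = pkt(6, b"\x04" + b"\x00" * 8, old=True)                     # old-format header
REVOCATION_UPDATE = (PRIMARY + pkt(2, b"\x04\x20" + b"\x00" * 6)      # key revocation
                     + pkt(14, b"\x04" + b"\x00" * 8) + pkt(2, b"\x04\x18" + b"\x00" * 6))
WITH_UID = PRIMARY + pkt(13, b"alice@example.org") + pkt(2, b"\x04\x13" + b"\x00" * 6)
```

On real data, feed it the binary output of `gpg --export <keyid>` (without `--armor`); it only reports which packets are present and does not verify any signature, so it tells you what an import would see, not whether the self-signatures are valid.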