gnupg: apply patch to allow import of key updates without user ids #80266
Conversation
|
This needs to target the staging branch. |
Valodim
force-pushed
the
gnupg/import-without-uid
branch
from
6fc9845
to
e3de1c8
Compare
|
No problemo :) \\ |
This adds a patch series which allows GnuPG to import updates (revocations and subkeys) from certificates that contain no user ids. This is relevant for refreshing keys from the default keyserver keys.openpgp.org, where only user ids that contain verified email addresses will be distributed, and revoked keys never contain any user ids. This patch series was originally authored and submitted to upstream half a year ago (by me), but now comes from Debian packaging where it's been included since then. Relates to the following upstream issue: https://dev.gnupg.org/T4393
Valodim
force-pushed
the
gnupg/import-without-uid
branch
from
e3de1c8
to
bf70ad2
Compare
|
Rebased onto staging. Builds and works fine for me. |
|
I tried to collect some background information which might help a possible reviewer. NOTE: I am by no means an expert on this topic. @Valodim: please correct me if I am wrong.
|
|
All of those points seem correct, thanks for writing them up :)
Correct. This is already the default in Nix since #63952, so even stable. Disclaimer: I maintain keys.openpgp.org.
The quoted argument is sound in itself, but slightly misses the point. In a nutshell, a key typically consists of: primary key + subkeys + revocations + user ids. GnuPG checks for this structure on import. There is indeed a good argument not to import keys without user ids, since the user ids (or rather, their self-signatures) carry relevant metadata for the primary key. However, the subkeys and revocations can independently be checked for cryptographic integrity. For a key where a user id is already known, if we see a file that's "primary key + revocation + subkeys", the behavior this patch introduces is to merge the revocations and subkeys into the local store. To put it differently, if you currently hand GnuPG a file with structure "primary key + revocation", the revocation will be ignored, unless there is also a valid user id on the data. Same for subkeys. I can only speculate why Werner doesn't want to merge this patch. So far I have not seen a sound technical argument against the use case.
It's also in GPGTools for macOS, iinm. |
|
Hi there -- i'm the most active GnuPG maintainer in debian. just wanted to weigh in here to corroborate @Valodim's analysis and the attached patches in case that's useful. The default keyserver is used for This change is an important one, and should be applied upstream. But given upstream's inexplicable delay, those of us who redistribute GnuPG are obliged to fix it for our users. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/121 |
This adds a patch series which allows GnuPG to import updates
(revocations and subkeys) from certificates that contain no user ids.
This is relevant for refreshing keys from the default keyserver
keys.openpgp.org, where only user ids that contain verified email
addresses will be distributed, and revoked keys never contain any user
ids.
This patch series was originally authored and submitted to upstream half
a year ago (by me), but now comes from Debian packaging where it's been
included since then.
Relates to the following upstream issue: https://dev.gnupg.org/T4393
sandboxinnix.confon non-NixOS linux)