gnupg: apply patch to allow import of key updates without user ids #80266
Conversation
This needs to target the staging branch.
6fc9845 to e3de1c8
No problemo :)
This adds a patch series which allows GnuPG to import updates (revocations and subkeys) from certificates that contain no user ids. This is relevant for refreshing keys from the default keyserver keys.openpgp.org, where only user ids that contain verified email addresses will be distributed, and revoked keys never contain any user ids. This patch series was originally authored and submitted to upstream half a year ago (by me), but now comes from Debian packaging where it's been included since then. Relates to the following upstream issue: https://dev.gnupg.org/T4393
e3de1c8 to bf70ad2
Rebased onto staging. Builds and works fine for me.
I tried to collect some background information which might help a possible reviewer. NOTE: I am by no means an expert on this topic. @Valodim: please correct me if I am wrong.
All of those points seem correct, thanks for writing them up :)
Correct. This is already the default in Nix since #63952, so even stable. Disclaimer: I maintain keys.openpgp.org.
The quoted argument is sound in itself, but slightly misses the point. In a nutshell, a key typically consists of: primary key + subkeys + revocations + user ids. GnuPG checks for this structure on import. There is indeed a good argument not to import keys without user ids, since the user ids (or rather, their self-signatures) carry relevant metadata for the primary key. However, the subkeys and revocations can independently be checked for cryptographic integrity. For a key where a user id is already known, if we see a file that's "primary key + revocation + subkeys", the behavior this patch introduces is to merge the revocations and subkeys into the local store. To put it differently, if you currently hand GnuPG a file with structure "primary key + revocation", the revocation will be ignored, unless there is also a valid user id on the data. Same for subkeys. I can only speculate why Werner doesn't want to merge this patch. So far I have not seen a sound technical argument against the use case.
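To make the structural argument above concrete, here is a small added illustration (not code from this PR, from Debian, or from GnuPG): a minimal OpenPGP packet walker that classifies an import blob into primary key, user ids, subkeys and revocation signatures, then applies the two policies discussed, the pre-patch "no user ids means nothing is imported" rule and the patched "merge subkeys and revocations for a key already in the local store" rule. Packet tags and signature types are the RFC 4880 values; the packet bodies are constructed dummies with no real key material, the `key_known_locally`/`patched` parameters are assumptions of this example, and no signature is cryptographically verified here.

```python
# Added example: structure-only view of an OpenPGP import blob.
# Packet tags and signature types per RFC 4880; bodies below are constructed.

# RFC 4880 packet tags (section 4.3)
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

# RFC 4880 signature types (section 5.2.1)
SIG_POSITIVE_CERT = 0x13      # self-signature over a user id
SIG_SUBKEY_BINDING = 0x18
SIG_KEY_REVOCATION = 0x20
SIG_SUBKEY_REVOCATION = 0x28


def encode_packet(tag, body):
    """Build a new-format packet header (RFC 4880 section 4.2.2) plus body."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def parse_packets(blob):
    """Return a list of (tag, body) for each new-format packet in blob."""
    i, out = 0, []
    while i < len(blob):
        hdr = blob[i]
        if hdr & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled here")
        tag = hdr & 0x3F
        first = blob[i + 1]
        if first < 192:
            n, i = first, i + 2
        elif first < 224:
            n, i = ((first - 192) << 8) + blob[i + 2] + 192, i + 3
        elif first == 255:
            n, i = int.from_bytes(blob[i + 2:i + 6], "big"), i + 6
        else:
            raise ValueError("partial body lengths not supported")
        out.append((tag, blob[i:i + n]))
        i += n
    return out


def summarize(blob):
    """Count the structural components the discussion above cares about."""
    s = {"primary": False, "user_ids": 0, "subkeys": 0,
         "key_revocations": 0, "subkey_revocations": 0}
    for tag, body in parse_packets(blob):
        if tag == TAG_PUBLIC_KEY:
            s["primary"] = True
        elif tag == TAG_USER_ID:
            s["user_ids"] += 1
        elif tag == TAG_PUBLIC_SUBKEY:
            s["subkeys"] += 1
        elif tag == TAG_SIGNATURE and len(body) >= 2 and body[0] == 4:
            if body[1] == SIG_KEY_REVOCATION:
                s["key_revocations"] += 1
            elif body[1] == SIG_SUBKEY_REVOCATION:
                s["subkey_revocations"] += 1
    return s


def mergeable_components(blob, key_known_locally, patched):
    """Which components would be merged (assumed model of the two policies).

    Unpatched: a blob with no user id is not imported at all.
    Patched: subkeys and revocations are merged into a locally known key
    even without user ids, since they can be checked independently."""
    s = summarize(blob)
    if not s["primary"]:
        return []
    if s["user_ids"] > 0:
        return ["user_ids", "subkeys", "revocations"]
    if not patched or not key_known_locally:
        return []
    parts = []
    if s["subkeys"]:
        parts.append("subkeys")
    if s["key_revocations"] or s["subkey_revocations"]:
        parts.append("revocations")
    return parts


# Constructed sample packets: only the fields this walker inspects are meaningful.
PRIMARY = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 8)
UID = encode_packet(TAG_USER_ID, b"Alice <alice@example.org>")
UID_SELFSIG = encode_packet(TAG_SIGNATURE, bytes([4, SIG_POSITIVE_CERT]) + b"\x00" * 4)
SUBKEY = encode_packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 8)
SUBKEY_BINDING = encode_packet(TAG_SIGNATURE, bytes([4, SIG_SUBKEY_BINDING]) + b"\x00" * 4)
REVOCATION = encode_packet(TAG_SIGNATURE, bytes([4, SIG_KEY_REVOCATION]) + b"\x00" * 4)

FULL_CERT = PRIMARY + UID + UID_SELFSIG + SUBKEY + SUBKEY_BINDING
KEYSERVER_UPDATE = PRIMARY + REVOCATION + SUBKEY + SUBKEY_BINDING   # no user ids

if __name__ == "__main__":
    for name, blob in (("full", FULL_CERT), ("update", KEYSERVER_UPDATE)):
        print(name, summarize(blob),
              "unpatched:", mergeable_components(blob, True, patched=False),
              "patched:", mergeable_components(blob, True, patched=True))
```

The `KEYSERVER_UPDATE` blob is the "primary key + revocation + subkeys" shape the comment describes: the unpatched policy drops it entirely, while the patched policy merges the subkey and the revocation for a key that is already in the local store. Real GnuPG additionally verifies each binding and revocation signature against the primary key before merging, which this structure-only walker deliberately leaves out.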
It's also in GPGTools for macOS, iinm.
Hi there -- I'm the most active GnuPG maintainer in Debian. Just wanted to weigh in here to corroborate @Valodim's analysis and the attached patches in case that's useful. The default keyserver is used for This change is an important one, and should be applied upstream. But given upstream's inexplicable delay, those of us who redistribute GnuPG are obliged to fix it for our users.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/121
It would be better if upstream would accept those patches, but since their intentions are basically unknown I'm in favor of applying them. 👍