Howdy all,
I've been playing around with key signatures and ran across an interesting situation. For some reason, --with-sig-check is silently ignored when used with --import and --recv-keys. Is this something I should file a bug on?

==Summary==

I have set up a public key for Alice that has one valid signature from Bob and one invalid signature from Mallory.

http://p80.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xA5452207

When you import Alice's public key via gpg --import or --recv-keys, GnuPG does not verify the signatures on Alice's public key, even if I have Bob and/or Mallory's public keys already in my keyring.

==Steps To Reproduce==

1. Request Bob and Mallory's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check 65B57FDF B8062D4C
> gpg: requesting key 65B57FDF from hkp server keys.gnupg.net
> gpg: requesting key B8062D4C from hkp server keys.gnupg.net
> gpg: key 65B57FDF: public key "Bob User (Good Signature) <bob+good...@example.com>" imported
> gpg: key B8062D4C: public key "Mallory User (Bad Signature) <mallory+bad...@example.com>" imported
> gpg: Total number processed: 2
> gpg:               imported: 2  (RSA: 2)

2. Request Alice's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check A5452207
> gpg: requesting key A5452207 from hkp server keys.gnupg.net
> gpg: key A5452207: public key "Alice User (Signature Test) <alice+sigt...@example.com>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

3. Checking signatures shows that Mallory's signature is bad.

> $ gpg2 --check-sigs
> /home/user/testring/pubring.gpg
> ------------------------------------------
> pub   2048R/65B57FDF 2015-04-01
> uid                  Bob User (Good Signature) <bob+good...@example.com>
> sig!3        65B57FDF 2015-04-01  Bob User (Good Signature) <bob+good...@example.com>
> sub   2048R/83518D34 2015-04-01
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+good...@example.com>
>
> pub   2048R/B8062D4C 2015-04-01
> uid                  Mallory User (Bad Signature) <mallory+bad...@example.com>
> sig!3        B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+bad...@example.com>
> sub   2048R/FDE6C57B 2015-04-01
> sig!         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+bad...@example.com>
>
> pub   2048R/A5452207 2015-04-01
> uid                  Alice User (Signature Test) <alice+sigt...@example.com>
> sig!3        A5452207 2015-04-01  Alice User (Signature Test) <alice+sigt...@example.com>
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+good...@example.com>
> sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+bad...@example.com>
> sub   2048R/0BE64ECE 2015-04-01
> sig!         A5452207 2015-04-01  Alice User (Signature Test) <alice+sigt...@example.com>
>
> 1 bad signature

==What Should Happen==

When importing public keys, --with-sig-check should not get silently ignored when added to --import or --recv-keys. Alternatively, the --with-sig-check flag should throw an error if included with --import or --recv-keys, since silently ignoring it might make a user assume that all signatures were valid.

Thanks!
Daniel Roesler
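Added example, not part of Daniel's post or of GnuPG itself: since --with-sig-check has no effect on --import or --recv-keys, the reliable way to gate on certification signatures is to run --check-sigs after the import and parse its machine-readable --with-colons output rather than eyeballing the "sig!" / "sig-" listing. In colon output the second field of a "sig" record is "!" for a good signature, "-" for a bad one, "?" when the signing key is not in the keyring and "%" for any other verification error. The sample records below are constructed to mirror the keyring in the post (the 16-digit key IDs are zero-padded placeholders built from the post's short IDs, not real long key IDs); the functions read any such output on stdin.

```shell
#!/bin/sh
# Added example, not from the original post: gate on certification
# signatures after an import by parsing `gpg --check-sigs --with-colons`.
# Field 2 of a "sig" record: "!" good, "-" bad, "?" signer not in keyring,
# "%" other verification error. Field 5 is the key ID of the signer.

# Constructed sample of `gpg2 --check-sigs --with-colons` output that
# mirrors the post's keyring: Alice's key (A5452207) carries a good
# certification from Bob (65B57FDF) and a bad one from Mallory (B8062D4C).
# The 16-digit key IDs and the uid hashes are placeholders, not real values.
SAMPLE_COLONS='pub:-:2048:1:0000000065B57FDF:2015-04-01::-:::scESC:
uid:-::::2015-04-01::HASHPLACEHOLDER::Bob User (Good Signature) <bob+good...@example.com>:
sig:!::1:0000000065B57FDF:2015-04-01::::Bob User (Good Signature) <bob+good...@example.com>:13x:
pub:-:2048:1:00000000A5452207:2015-04-01::-:::scESC:
uid:-::::2015-04-01::HASHPLACEHOLDER::Alice User (Signature Test) <alice+sigt...@example.com>:
sig:!::1:00000000A5452207:2015-04-01::::Alice User (Signature Test) <alice+sigt...@example.com>:13x:
sig:!::1:0000000065B57FDF:2015-04-01::::Bob User (Good Signature) <bob+good...@example.com>:10x:
sig:-::1:00000000B8062D4C:2015-04-01::::Mallory User (Bad Signature) <mallory+bad...@example.com>:10x:'

# Read colon-format --check-sigs output on stdin and print "<key> <signer>"
# for every certification that failed to verify ("-") or errored ("%").
bad_sigs_in() {
    awk -F: '
        $1 == "pub" { key = $5 }
        $1 == "sig" && ($2 == "-" || $2 == "%") { print key, $5 }
    '
}

# Certifications whose signer is not in the keyring ("?"). These are not
# bad, but they are not verified either, so they must not be read as "good".
unverifiable_sigs_in() {
    awk -F: '
        $1 == "pub" { key = $5 }
        $1 == "sig" && $2 == "?" { print key, $5 }
    '
}

# Number of bad/errored certifications in the output on stdin.
count_bad_sigs() {
    bad_sigs_in | wc -l | tr -d ' '
}

# Live use after an import (needs gpg2 and network; not run here):
#   gpg2 --recv-keys A5452207
#   n=$(gpg2 --check-sigs --with-colons 2>/dev/null | count_bad_sigs)
#   [ "$n" -eq 0 ] || echo "WARNING: $n bad certification(s) in keyring" >&2

# Stand-alone demonstration on the constructed sample: prints the key
# that carries the bad certification and the offending signer.
printf '%s\n' "$SAMPLE_COLONS" | bad_sigs_in
```

The check deliberately treats "?" separately from "!": a keyring where Bob's and Mallory's keys were never fetched would show every third-party certification on Alice's key as unverifiable, which is a different situation from a signature that actually fails, and a script that only looked for "-" would report it as clean.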