On 03.07.2019 11:06, Robert J. Hansen wrote:
> Those two account for literally 99% of all use cases.  The vast majority
> of OpenPGP is to verify package signatures; for the small fraction that
> use it for email, Enigmail is the most dominant choice, with GpgOL a
> close second.

Yes. It seems the distros that I know of manually manage package signing keys, so they wouldn't be vulnerable to this kind of attack:

https://blog.liw.fi/posts/2019/07/02/debian_and_the_sks_signature_flooding_attack/

(although it would be a chore, as previously they could just --refresh-keys).

For something completely different: on gnupg-devel there was a discussion on using Web Key Directory first for fetching signing keys.

So "gpg --auto-key-retrieve --verify HOWTO.txt.sig HOWTO.txt" would get the key from sixdemonbag.org instead of keyservers, thus retrieving a good, non-flooded key. The change is tracked at https://dev.gnupg.org/T4595

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
