Looking into this a bit I think we have various options: - switch to hpks by default in apt-key for the keyserver requests in apt-key and refuse to do hpk - change gnupg to reject if a downloaded key is of a different keyid than the requested key [1] - add code to apt-key to check/fixup the commandline in adv and download the keys to a tempkeyring and check that before further importing - fix softwareproperties/ppa.py only and download there using python-hpk or a custom implementation
Feedback welcome. [1] This would be my preferred fix, it would involve adding a new "expected_keys" parameter to import_keys_stream() in g10/keyserver.c or a new "validate_expected_keys()" call or something. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1016643 Title: add-apt-repository downloads gpg key in an insecure fashion To manage notifications about this bug go to: https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
