
Release candidate for 2.2.17
Hi!

Due to the SKS keyserver problems we are planning a new release for the
next week. That release will have some changes related to keyservers.
See below for details.

In general we do not provide release candidates because experience
showed that they are more or less ignored. However, this time I would
like you to give that version some testing. Get it from

<https://gnupg.org/ftp/people/werner/scratch/gnupg-2.2.17-beta21.tar.bz2>
<https://gnupg.org/ftp/people/werner/scratch/gnupg-2.2.17-beta21.tar.bz2.sig>

and in case of problems please report to gnupg-devel. Here are the
changes:

* gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf. [#4607]

* gpg: If an imported keyblock is too large to be stored in the
keybox (pubring.kbx) do not error out but fallback to an import
using the options "self-sigs-only,import-clean". [#4591]

* gpg: New command --locate-external-key which can be used to
refresh keys from the Web Key Directory or via other methods
configured with --auto-key-locate.

* gpg: New import option "self-sigs-only".

* gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]

* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07. [#4590]

* dirmngr: Add an exception for the "openpgpkey" subdomain to the
CSRF protection. [#4603]

* dirmngr: Fix endless loop due to http errors 503 and 504. [#4600]

* dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]

* gpgconf: Fix a race condition when killing components. [#4577]

Release-info: https://dev.gnupg.org/T4606



Shalom-Salam,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Release candidate for 2.2.17
On 2019-07-05 at 17:15 +0200, Werner Koch via Gnupg-devel wrote:
> In general we do not provide release candidates because experience
> showed that they are more or less ignored. However, this time I would
> like you to give that version some testing. Get it from

Looks like importing multiple keys at once from --search-keys has
broken. I don't know if this is behaviour which you still want to
support.

gpg --search-keys ${my_first_name_as_above}@pennock-tech.com
# sorry for obfuscation; darned spammers

If I try to import all three keys which I currently see, then it works
under 2.2.16 but not under 2.2.17-beta21.

I just enter >> 1 2 3 << and hit enter. That used to work.

The keys are:
ACBB4324393ADE3515DA2DDA4D1E900E14C1CC04
AB882DD64035A24758F69688D231BDA6A79FCEE0
F5AE6DEAA11037B7E652718D081969BAB569CCB2

-Phil
Re: Release candidate for 2.2.17
On 2019-07-08 at 02:28 -0400, Phil Pennock wrote:
> On 2019-07-05 at 17:15 +0200, Werner Koch via Gnupg-devel wrote:
> > In general we do not provide release candidates because experience
> > showed that they are more or less ignored. However, this time I would
> > like you to give that version some testing. Get it from
>
> Looks like importing multiple keys at once from --search-keys has
> broken. I don't know if this is behaviour which you still want to
> support.

Please forgive the very poor bug-report. (I should have been in bed
hours ago, that's my only excuse).

By "broken" I mean that only one of the three imports:

Keys 1-3 of 3 for "...". Enter number(s), N)ext, or Q)uit > 1 2 3
gpg: key 4D1E900E14C1CC04: 1 duplicate signature removed
gpg: key 4D1E900E14C1CC04: 1 signature reordered
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4D1E900E14C1CC04: public key "Phil Pennock <...>" imported
gpg: key D231BDA6A79FCEE0: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 081969BAB569CCB2: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 3
gpg: w/o user IDs: 2
gpg: imported: 1

However, if I instead invoke the command three times, each time
selecting one of the keys, then each imports correctly. It's only when
I try to import multiple keys at once that GnuPG decides that ... "all
keys but the last one" (?) are missing a self-signature.

There, I hope that's a bit more useful.

-Phil
Re: Release candidate for 2.2.17
On Mon, 8 Jul 2019 02:28, gnupg-devel@gnupg.org said:

> If I try to import all three keys which I currently see, then it works
> under 2.2.16 but not under 2.2.17-beta21.

Thanks for the report. I found and fixed the bug, which was related to
the early dropping of self-signatures. A variable with the keyid for
comparison was not initialized in all cases.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
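The "self-sigs-only" import filter announced at the top of this thread, together with the multi-key import bug Phil reported and Werner fixed above (a key ID kept for comparison that was not re-initialized for the next key), as an added Python model. This is not GnuPG code: it parses a raw OpenPGP packet stream following RFC 4880 (new-format headers, v4 keys and signatures, Issuer subpacket type 16), derives each primary key's key ID from its v4 fingerprint, and drops every signature whose Issuer names a different key. Like the option it imitates, it decides on the Issuer key ID alone and verifies nothing. All function names, the two sample keys, their MPIs and the signature bodies are constructed for this example, and `reset_per_key=False` is an assumed switch that models the reported bug rather than any real gpg option.

```python
# Added example, not GnuPG code: a model of gpg's "self-sigs-only" import filter over a raw OpenPGP
# packet stream (RFC 4880 new-format headers, v4 keys/signatures, Issuer subpacket type 16).
# Keys, MPIs and signature values below are constructed fakes; nothing is cryptographically verified.
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13
SUBPKT_ISSUER = 16
SAMPLE_TIME = struct.pack(">I", 1562337300)  # constructed creation timestamp

def new_packet(tag, body):  # new-format header (RFC 4880 4.2.2); every body here fits a one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

def _length(buf, pos):  # one- or two-octet new-format packet/subpacket length at buf[pos] -> (len, next)
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    raise ValueError("five-octet and partial body lengths are not handled in this example")

def parse_packets(blob):  # split a packet stream into (tag, body) tuples
    packets, pos = [], 0
    while pos < len(blob):
        if (blob[pos] & 0xC0) != 0xC0:
            raise ValueError("old-format packet headers are not handled in this example")
        tag = blob[pos] & 0x3F
        length, pos = _length(blob, pos + 1)
        packets.append((tag, blob[pos:pos + length]))
        pos += length
    return packets

def v4_key_id(pubkey_body):
    """Low 64 bits of the v4 fingerprint SHA-1(0x99 || 2-octet len || body), RFC 4880 12.2."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]

def signature_issuer(sig_body):
    """8-byte Issuer key ID from the hashed or unhashed area of a v4 signature, else None."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled in this example")
    u = 6 + struct.unpack(">H", sig_body[4:6])[0]  # offset of the unhashed-area length field
    unhashed_len = struct.unpack(">H", sig_body[u:u + 2])[0]
    for area in (sig_body[6:u], sig_body[u + 2:u + 2 + unhashed_len]):
        pos = 0
        while pos < len(area):
            length, pos = _length(area, pos)  # subpacket length counts the type octet too
            if (area[pos] & 0x7F) == SUBPKT_ISSUER and length == 9:
                return area[pos + 1:pos + 9]
            pos += length
    return None

def split_keyblocks(packets):  # group packets into keyblocks, each starting at a primary public key
    blocks = []
    for tag, body in packets:
        if tag == TAG_PUBKEY:
            blocks.append([])
        elif not blocks:
            raise ValueError("stream does not start with a public key packet")
        blocks[-1].append((tag, body))
    return blocks

def self_sigs_only(blocks, reset_per_key=True):
    """Drop every signature whose Issuer is not the keyblock's own primary key.
    The comparison key ID must be derived afresh for each keyblock. reset_per_key=False (assumed
    switch, not a gpg option) models the thread's bug: the variable kept the first key's ID."""
    kept, own = [], None
    for block in blocks:
        if own is None or reset_per_key:
            own = v4_key_id(block[0][1])
        kept.append([(t, b) for t, b in block if t != TAG_SIG or signature_issuer(b) == own])
    return kept

def valid_user_ids(block):  # user IDs that still carry at least one signature after filtering
    valid, on_current = 0, None
    for tag, _ in block:
        if tag == TAG_UID:
            valid, on_current = valid + bool(on_current), 0
        elif tag == TAG_SIG and on_current is not None:
            on_current += 1
    return valid + bool(on_current)

def import_summary(blob, reset_per_key=True):  # per keyblock: (signatures kept, valid user IDs)
    blocks = self_sigs_only(split_keyblocks(parse_packets(blob)), reset_per_key)
    return [(sum(1 for t, _ in blk if t == TAG_SIG), valid_user_ids(blk)) for blk in blocks]

# ---- constructed sample stream: two keys, the first flooded with third-party certifications ----
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def fake_pubkey(seed):  # v4 RSA public key body with a deterministic fake 1024-bit modulus
    n = int.from_bytes(hashlib.sha256(seed).digest() * 4, "big") | (1 << 1023) | 1
    return b"\x04" + SAMPLE_TIME + b"\x01" + _mpi(n) + _mpi(65537)

def fake_sig(issuer_key_id):  # v4 positive certification (0x13) whose signature MPI is a dummy
    hashed, unhashed = b"\x05\x02" + SAMPLE_TIME, b"\x09\x10" + issuer_key_id  # creation time; issuer
    return (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(0x1234))

def sample_stream(flood=50):  # key A: self-sig + `flood` bogus certifications; key B: self-sig only
    key_a, key_b = fake_pubkey(b"alice"), fake_pubkey(b"bob")
    pkts = [(TAG_PUBKEY, key_a), (TAG_UID, b"Alice <alice@example.org>"), (TAG_SIG, fake_sig(v4_key_id(key_a)))]
    pkts += [(TAG_SIG, fake_sig(v4_key_id(fake_pubkey(b"flood-%d" % i)))) for i in range(flood)]
    pkts += [(TAG_PUBKEY, key_b), (TAG_UID, b"Bob <bob@example.org>"), (TAG_SIG, fake_sig(v4_key_id(key_b)))]
    return b"".join(new_packet(t, b) for t, b in pkts)
```

`import_summary(sample_stream())` returns `[(1, 1), (1, 1)]`: each key keeps its own self-signature and its user ID, and the 50 flood certifications on the first key are gone without ever being looked at beyond their Issuer subpacket. `import_summary(sample_stream(), reset_per_key=False)` returns `[(1, 1), (0, 0)]`: the second key is compared against the first key's ID, loses its self-signature and ends up with no valid user IDs, the same shape as the "no valid user IDs / this may be caused by a missing self-signature" lines in Phil's log.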