mirror of git://git.gnupg.org/gnupg.git
gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
* g10/gpg.c (main): Change default.
--
Due to the DoS attack on the keyeservers we do not anymore default to
import key signatures. That makes the keyserver unsuable for getting
keys for the WoT but it still allows to retriev keys - even if that
takes long to download the large keyblocks.
To revert to the old behavior add
keyserver-optiions no-self-sigs-only,no-import-clean
to gpg.conf.
GnuPG-bug-id: 4607
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 23c9786408
)
This commit is contained in:
parent
4cbd058a3d
commit
2b7151b0a5
18
NEWS
18
NEWS
|
@ -1,9 +1,27 @@
|
|||
Noteworthy changes in version 2.2.17 (unreleased)
|
||||
-------------------------------------------------
|
||||
|
||||
* gpg: Ignore all key-signatures received from keyservers. This
|
||||
change is required to mitigate a DoS due to keys flooded with
|
||||
faked key-signatures. The old behaviour can be achieved by adding
|
||||
keyserver-options no-self-sigs-only,no-import-clean
|
||||
to your gpg.conf. [#4607]
|
||||
|
||||
* gpg: If an imported keyblocks is too large to be stored in the
|
||||
keybox (pubring.kbx) do not error out but fallback to an import
|
||||
using the options "self-sigs-only,import-clean". [#4591]
|
||||
|
||||
* gpg: New command --locate-external-key which can be used to
|
||||
refresh keys from the Web Key Directory or via other methods
|
||||
configured with --auto-key-locate.
|
||||
|
||||
* gpg: New import option "self-sigs-only".
|
||||
|
||||
* dirmngr: Support the "openpgpkey" subdomain feature from
|
||||
draft-koch-openpgp-webkey-service-07. [#4590].
|
||||
|
||||
Release-info: https://dev.gnupg.org/T4606
|
||||
|
||||
|
||||
Noteworthy changes in version 2.2.16 (2019-05-28)
|
||||
-------------------------------------------------
|
||||
|
|
|
@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are:
|
|||
|
||||
@end table
|
||||
|
||||
The default list of options is: "self-sigs-only, import-clean,
|
||||
repair-keys, repair-pks-subkey-bug, export-attributes,
|
||||
honor-pka-record".
|
||||
|
||||
|
||||
@item --completes-needed @var{n}
|
||||
@opindex compliant-needed
|
||||
Number of completely trusted users to introduce a new
|
||||
|
|
|
@ -2375,7 +2375,9 @@ main (int argc, char **argv)
|
|||
opt.import_options = IMPORT_REPAIR_KEYS;
|
||||
opt.export_options = EXPORT_ATTRIBUTES;
|
||||
opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
|
||||
| IMPORT_REPAIR_PKS_SUBKEY_BUG);
|
||||
| IMPORT_REPAIR_PKS_SUBKEY_BUG
|
||||
| IMPORT_SELF_SIGS_ONLY
|
||||
| IMPORT_CLEAN);
|
||||
opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
|
||||
opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
|
||||
opt.verify_options = (LIST_SHOW_UID_VALIDITY
|
||||
|
|
Loading…
Reference in New Issue