Cleaning GPG Keys.

AFAIK the recent attack on GPG of appending a bunch of signatures to inflate its size, causing clients to crash, has been addressed upstream. Meanwhile there are equivalent commands one can use with the older version to clean a key before importing to avoid this attack.

A PoC poisoning tool has been made by a researcher and released in the wild, so discussion is not going to cause more harm than already known.

https://daniel-lange.com/archives/159-Cleaning-a-broken-GnuPG-gpg-key.html

Maybe we can add a few of these settings to gpg.conf
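As an added illustration of what "cleaning a key before importing" means at the packet level (this is example code written for this page, not code from the thread, from the linked article, or from GnuPG), the script below parses the RFC 4880 packet framing of a binary public key, counts its signature packets, and keeps only signatures whose issuer subpacket matches the primary key's own key ID. The sample key it runs on is constructed inline with dummy key material and a made-up third-party key ID; the function and constant names are the example's own.

```python
"""Pre-import triage of an OpenPGP public key (RFC 4880 packet framing).
Constructed example: counts certifications and keeps only self-signatures."""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPKT_ISSUER = 16

def _length(data, pos, subpacket):
    """Decode a new-format packet (or subpacket) length at pos; return (length, next_pos)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    if first >= 224 and not subpacket:
        raise ValueError("partial body lengths not supported")
    return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2

def parse_packets(data):
    """Split a binary OpenPGP stream into (tag, body) pairs; old and new header formats."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                              # new-format header
            tag = ctb & 0x3F
            length, pos = _length(data, pos + 1, subpacket=False)
        else:                                       # old-format header (what gpg exports)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, body))
        pos += length
    return packets

def key_id(pubkey_body):
    """Long key ID of a v4 key: low 64 bits of SHA-1 over 0x99 || 2-byte length || body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]

def signature_issuer(sig_body):
    """8-byte issuer key ID from a v4 signature's subpacket areas, or None if absent."""
    if sig_body[:1] != b"\x04":
        return None
    pos = 4                                          # version, sig type, pubkey alg, hash alg
    for _ in range(2):                               # hashed area, then unhashed area
        end = pos + 2 + struct.unpack(">H", sig_body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            sub_len, pos = _length(sig_body, pos, subpacket=True)
            if sig_body[pos] & 0x7F == SUBPKT_ISSUER and sub_len == 9:   # high bit = critical
                return bytes(sig_body[pos + 1:pos + 9])
            pos += sub_len
    return None

def encode_packet(tag, body):
    """Wrap a body in a new-format packet header."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body

def signature_count(data):
    """Number of signature packets: a flooded key shows thousands where a few are normal."""
    return sum(1 for tag, _ in parse_packets(data) if tag == TAG_SIGNATURE)

def clean_key(data):
    """Drop every signature not issued by the primary key itself; return (cleaned, dropped)."""
    packets = parse_packets(data)
    if not packets or packets[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("stream does not start with a public-key packet")
    primary, kept, dropped = key_id(packets[0][1]), [], 0
    for tag, body in packets:
        if tag == TAG_SIGNATURE and signature_issuer(body) != primary:
            dropped += 1
            continue
        kept.append(encode_packet(tag, body))
    return b"".join(kept), dropped

def _fake_signature(issuer):
    """Constructed v4 signature body: correct framing, one issuer subpacket, placeholder rest."""
    sub = bytes([9, SUBPKT_ISSUER]) + issuer
    return (bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(sub)) + sub
            + struct.pack(">H", 0) + b"\x00\x00" + b"\x00\x00")

def build_sample_key(third_party_sigs):
    """Constructed key: dummy key material, one user ID, one self-sig, N foreign sigs."""
    pubkey_body = b"\x04\x00\x00\x00\x00\x01\x00\x10\xab\xcd"          # not a real key
    other = bytes.fromhex("0123456789abcdef")                             # constructed key ID
    parts = [encode_packet(TAG_PUBLIC_KEY, pubkey_body),
             encode_packet(TAG_USER_ID, b"Example <example@example.invalid>"),
             encode_packet(TAG_SIGNATURE, _fake_signature(key_id(pubkey_body)))]
    parts += [encode_packet(TAG_SIGNATURE, _fake_signature(other))] * third_party_sigs
    return b"".join(parts)
```

Run `clean_key(open("key.bin", "rb").read())` on a binary (not ASCII-armored) export to get the stripped key and the number of certifications removed; `signature_count` alone is enough for a pre-import sanity check. This is the same idea GnuPG implements itself with `--import-options import-clean` and, from 2.2.17 onward, `self-sigs-only`, which also validate the signatures rather than just matching the issuer field.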

I don’t see any useful ones.

Sounds really bad. Looks like gpg upstream fixes didn’t flow into Debian stable security upgrades.

Staying away from key servers until the dust settles seems the way to go, as per:

gpg --recv-keys fails / no longer use keyservers for anything - #8 by Patrick
