authorWerner Koch <[email protected]>2017-07-19 11:03:43 +0000
committerWerner Koch <[email protected]>2017-07-19 11:09:13 +0000
commit2e5459457473eb4b3e7b2b14815cb94faa66e8bb (patch)
tree0350f7d80ca5c5510b158c8cf5ff0340d00246f3
parentdirmngr: Implement TLS over http proxies. (diff)
downloadgnupg-2e5459457473eb4b3e7b2b14815cb94faa66e8bb.tar.gz
gnupg-2e5459457473eb4b3e7b2b14815cb94faa66e8bb.zip
gpg: Avoid asking by fpr and then by keyid during auto-key-retrieve.
* g10/mainproc.c (check_sig_and_print): Track key server request via fingerprint. -- New signatures carry the fingerprint and thus --auto-key-retrieve tries to look up the key by fingerprint. If that failed, it used to also ask the same thing by KEYID - but the keyid is part of the fingerprint and thus it will either get no response or the wrong key back. We can easily avoid this. Signed-off-by: Werner Koch <[email protected]>
-rw-r--r--g10/mainproc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/g10/mainproc.c b/g10/mainproc.c
index c57925c9f..fddafd8cf 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1658,6 +1658,7 @@ check_sig_and_print (CTX c, kbnode_t node)
int is_revkey = 0;
char *issuer_fpr;
PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
+ int tried_ks_by_fpr;
if (opt.skip_verify)
{
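Review bot: `tried_ks_by_fpr` is declared without an initializer on the new line and is only set to 0 roughly 230 lines further down (the next hunk), so every read of it relies on control flow reaching that assignment first. Initializing at the declaration, `int tried_ks_by_fpr = 0;`, costs nothing, keeps -Wmaybe-uninitialized quiet if an early `goto` or `return` path is later added between the two points, and turns the later `tried_ks_by_fpr = 0;` into a harmless reset rather than a load-bearing one. check_sig_and_print's body continues outside the hunk.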
@@ -1886,6 +1887,7 @@ check_sig_and_print (CTX c, kbnode_t node)
* that the signers fingerprint is encoded in the signature. We
* favor this over the WKD method (to be tried next), because an
* arbitrary keyserver is less subject to web bug like monitoring. */
+ tried_ks_by_fpr = 0;
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
&& keyserver_any_configured (c->ctrl))
@@ -1902,6 +1904,7 @@ check_sig_and_print (CTX c, kbnode_t node)
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
+ tried_ks_by_fpr = 1;
glo_ctrl.in_auto_key_retrieve--;
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
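Review bot: The new `tried_ks_by_fpr = 1;` is set regardless of `res`, which is the intended meaning ("we asked") but reads oddly next to the `if (!res)` that follows; a why-comment would make it explicit: `/* Asked by fingerprint; the keyid is part of it, so the keyid fallback below is skipped. */`. Setting the flag even on a failed import looks right as far as this hunk shows, since a transient keyserver error would hit a keyid lookup against the same keyserver just the same, but keyserver_import_fprint's error semantics are not visible here. The enclosing block and check_sig_and_print continue outside the hunk.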
@@ -1933,6 +1936,7 @@ check_sig_and_print (CTX c, kbnode_t node)
* keyserver. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
+ && !tried_ks_by_fpr
&& keyserver_any_configured (c->ctrl))
{
int res;
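Review bot: The added `!tried_ks_by_fpr` condition carries the security rationale of the commit, but the comment above the block (cut off at the top of the hunk) does not say why a keyid lookup is skipped; add `/* Skip if we already asked by fingerprint: the keyid is part of it, so a keyid query can only return nothing or a different (wrong) key. */` above the `if`. It is also worth stating near this fallback that it still runs for signatures without an issuer-fingerprint subpacket, so keyid-based auto-retrieval — presumably with its exposure to keyid-collision tricks on an untrusted keyserver — is narrowed, not removed, by this change. The `if` body and check_sig_and_print continue outside the hunk.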