From 2e5459457473eb4b3e7b2b14815cb94faa66e8bb Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 19 Jul 2017 13:03:43 +0200
Subject: gpg: Avoid asking by fpr and then by keyid during auto-key-retrieve.

* g10/mainproc.c (check_sig_and_print): Track key server request via fingerprint.
--

New signatures carry the fingerprint and thus --auto-key-retrieve tries to lookup the key by fingerprint. If that failed it used to also ask the same thing by KEYID - but the keyid is part of the fingerprint and thus it will either get no response or the wrong key back. We can easily avoid this.

Signed-off-by: Werner Koch
---
 g10/mainproc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/g10/mainproc.c b/g10/mainproc.c
index c57925c9f..fddafd8cf 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1658,6 +1658,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 int is_revkey = 0;
 char *issuer_fpr;
 PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
+ int tried_ks_by_fpr;

 if (opt.skip_verify)
 {
@@ -1886,6 +1887,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 * that the signers fingerprint is encoded in the signature. We
 * favor this over the WKD method (to be tried next), because an
 * arbitrary keyserver is less subject to web bug like monitoring. */
+ tried_ks_by_fpr = 0;
 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
 && keyserver_any_configured (c->ctrl))
@@ -1902,6 +1904,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 pk = NULL;
 glo_ctrl.in_auto_key_retrieve++;
 res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
+ tried_ks_by_fpr = 1;
 glo_ctrl.in_auto_key_retrieve--;
 if (!res)
 rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
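Review bot: In the first hunk `tried_ks_by_fpr` is declared without an initializer, unlike `is_revkey` and `pk` directly above it, and it only becomes defined through the `tried_ks_by_fpr = 0;` statement that the second hunk places between a comment block and the `if` that comment describes. Declaring it as `int tried_ks_by_fpr = 0; /* Keyserver was already asked by fingerprint. */` documents the flag, removes the need for the separate assignment, and guarantees that any later path reaching the keyid lookup never reads an indeterminate value. The function body runs far beyond these hunks, so whether such a path exists today cannot be checked from here.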
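Review bot: In the third hunk `tried_ks_by_fpr = 1;` is set whatever `res` turns out to be, so a fingerprint lookup that failed for a transient reason (timeout, keyserver error) suppresses the later keyid lookup exactly like a clean "not found". The commit message gives the reason, but the code does not; a comment at the assignment such as `/* Set even on error: a lookup by keyid would return nothing or the wrong key. */` would keep that reasoning next to the line. Moving the assignment below `glo_ctrl.in_auto_key_retrieve--;` would also keep the increment/decrement pair tight around the call it brackets. The enclosing block opens outside the hunk, so the condition under which this lookup runs is not visible here.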
@@ -1933,6 +1936,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 * keyserver. */
 if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
 && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
+ && !tried_ks_by_fpr
 && keyserver_any_configured (c->ctrl))
 {
 int res;
-- 
cgit v1.2.3
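Review bot: The new `&& !tried_ks_by_fpr` term is not explained at the `if`; the comment ending in `* keyserver. */` just above it is left untouched by the commit. A sentence added to that comment, for example `Skipped if the key was already requested by fingerprint, because the keyid is part of the fingerprint.`, would make the condition readable without the commit log. After this change the keyid lookup remains the only keyserver path for signatures that carry no issuer fingerprint, and the commit message itself notes that a keyid query can return the wrong key, so the comment is also a good place to state that the imported key is only trusted once the following signature check succeeds. The body of the `if` lies outside the hunk, so how that check is done cannot be seen here.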