
touch-packages team mailing list archive

[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communication with key servers vulnerable to MITM


apt-add-repository validates that the key that was downloaded is the
right one before importing it; it doesn't blindly trust the key that gpg
downloaded from the keyserver.

This is wishlist simply because it's security hardening. I will include
it in the next gnupg security upload.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117

Title:
  GPG does not verify keys received when using --recv-keys leaving
  communication with key servers vulnerable to MITM

Status in GNU Privacy Guard:
  Unknown
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in gnupg source package in Lucid:
  Confirmed
Status in gnupg2 source package in Lucid:
  Confirmed
Status in gnupg source package in Precise:
  Confirmed
Status in gnupg2 source package in Precise:
  Confirmed
Status in gnupg source package in Trusty:
  Confirmed
Status in gnupg2 source package in Trusty:
  Confirmed
Status in gnupg source package in Utopic:
  Confirmed
Status in gnupg2 source package in Utopic:
  Fix Released
Status in gnupg source package in Vivid:
  Fix Released
Status in gnupg2 source package in Vivid:
  Fix Released
Status in gnupg package in Debian:
  Unknown

Bug description:
  The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
  should be backported to 12.04; right now, it is not.

  This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
  --recv-keys. See https://evil32.com/ for an example (the text that is
  struck out; the gpg2 package on 12.04 is still vulnerable).

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions
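As an added illustration (not code from this bug report, gnupg, or apt-add-repository), the kind of check the comment above describes, making sure the key a keyserver returned is the one that was asked for before it is imported, can be done by fetching into a throwaway keyring and comparing the full fingerprint from `gpg --with-colons` output; the function names and the sample listing below are constructed for this example.

```python
import re
import subprocess
import tempfile

# Constructed sample of `gpg --with-colons --fingerprint` output (not real keys).
# A keyserver can return a key whose 32-bit short ID collides with the requested
# one (the evil32 problem), so the decision must use the full fingerprint.
SAMPLE_COLONS = """\
pub:-:4096:1:89ABCDEF12345678:1600000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Signer <signer@example.com>::::::::::0:
sub:-:4096:1:0011223344556677:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210AABBCCDD:
"""

def primary_fingerprints(colons_output):
    """Full fingerprints of primary keys only: the fpr record that follows
    a pub record counts; fpr records that follow sub records are ignored."""
    fprs, after_pub = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            fprs.append(fields[9].upper())   # field 10 of an fpr record
            after_pub = False
        elif fields[0] == "sub":
            after_pub = False
    return fprs

def key_matches(colons_output, expected_fpr):
    """True only if the keyring holds exactly one primary key and its full
    40-hex-digit fingerprint equals expected_fpr; short key IDs are refused."""
    wanted = re.sub(r"\s+", "", expected_fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", wanted):
        return False
    return primary_fingerprints(colons_output) == [wanted]

def fetch_and_verify(keyserver, expected_fpr, import_homedir):
    """Fetch into a throwaway homedir, verify, and only then import into
    import_homedir. Needs gpg on PATH and network access; not run by the test."""
    with tempfile.TemporaryDirectory() as tmp:
        g = ["gpg", "--batch", "--homedir", tmp]
        subprocess.run(g + ["--keyserver", keyserver, "--recv-keys", expected_fpr], check=True)
        listing = subprocess.run(g + ["--with-colons", "--fingerprint"],
                                 capture_output=True, text=True, check=True).stdout
        if not key_matches(listing, expected_fpr):
            raise RuntimeError("keyserver returned a key with an unexpected fingerprint")
        exported = subprocess.run(g + ["--export", expected_fpr], capture_output=True, check=True).stdout
        subprocess.run(["gpg", "--batch", "--homedir", import_homedir, "--import"], input=exported, check=True)
```

The listing check rejects a short ID, a subkey fingerprint, and a keyring that contains more than one primary key, so a colliding key returned alongside the real one is not imported either.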