[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] Reminder: don't trust 32-bit short IDs when using GPG!

From: Peter Maydell
Subject: [Qemu-devel] Reminder: don't trust 32-bit short IDs when using GPG!
Date: Fri, 10 Jun 2016 15:46:52 +0100

We've noticed recently that the GPG keyservers have fake keys for
some of the QEMU maintainers, which have keys which have been
deliberately constructed to have collisions on the 32-bit "short ID"
field which gpg shows you by default.

shows both my actual key and a fake.)

It's been known for years that it's pretty easy to construct a
key with whatever 32-bit short ID you like:
so this is not a new or suddenly alarming attack on us specifically,
but it seems like a good point to remind people that they need to
be careful when using GPG in order not to be caught out by this:

 * whenever you're checking a PGP key, always check the full-length
   fingerprint, not the short ID or the not-so-short ID
   (eg output of gpg --fingerprint)
 * when you're interacting with anybody else doing PGP keysigning
   (especially if they are a PGP novice), emphasise that they need
   to check the full fingerprint at all stages
 * upgrade to a newer gpg which doesn't have the "only sends short IDs
   when asking keyservers for keys" bug
 * don't use 32-bit short ids in 'gpg --recv-keys' and similar command
   lines (and pay attention to the gpg output about how many keys it
   says it's downloaded)
 * add the following two lines to your .gnupg/gpg.conf:
    keyid-format 0xlong
   so that gpg doesn't show you short-format IDs. Instead it will show
   64-bit IDs and also fingerprints.
   64-bit IDs can also collide so they are not a substitute for checking
   full fingerprints, but may be a helpful mollyguard against some
   of the junk in the public keyservers confusing you.
 * check whether you've already accidentally downloaded any keys with
   duplicate short-ids into your local keyring; I think this rune will
   gpg --list-keys | sed -ne 's/.*\([0-9A-F]\{8\}\).*$/\1/p' | uniq -d

It is in general difficult to impossible to maintain a local keyring
which only has intended keys in it without staging them via an
intermediate temporary keyring, so the advice above about --recv-keys
and setting the keyid-format is intended mainly to make it a little
harder to make user errors when dealing with the junk in the public
key servers. The major requirement is that you must always check
the full fingerprint before signing a key.

(I've sanity checked that none of the keys in my local keyring have
dubious duplicates, which is what gets checked when doing signed merges
into master. As a result of my recently making the config change
suggested above you'll see that merge commits now quote the 64-bit
long ID rather than the 32 bit short one and from now forward
should also quote the full fingerprint.)

-- PMM

reply via email to

[Prev in Thread] Current Thread [Next in Thread]