Bug 1127013 - import filter is too strict for subkeys
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-08-05 22:18 UTC by Eric Blake
Modified: 2014-11-10 06:41 UTC

Fixed In Version: gnupg-1.4.18-4.fc20
Doc Type: Bug Fix
Last Closed: 2014-10-28 06:45:20 UTC



Description Eric Blake 2014-08-05 22:18:53 UTC
Description of problem:
I tried to download the public key for Ken Coar, and got a very confusing error message.  I then logged in as a different user, and tried again, and it succeeded.  The import filter is over-active, and appears to be refusing to import a key solely because an 8-digit identifier associated with the key happens to have a substring that matches the username associated with my own personal key.

Version-Release number of selected component (if applicable):
gnupg-1.4.18-1.fc20.x86_64


How reproducible:
100% for me, but not for all users


Steps to Reproduce:
1. Create a personal gpg key associated with a short all-hex username.  In my case, although my $USER of eblake is non-hex, my key happens to be associated with a secondary email address ebb9@byu.net: gpg --fingerprint eblake
2. Try to download another public subkey where the associated master key has the same all-hex substring: gpg --recv-keys f46d6ac2
3. Try to inspect the key: gpg --fingerprint 0xf46d6ac2
4. As a work-around, import the subkey directly: gpg --fingerprint 0xf46d6ac2
5. Now try to inspect it: gpg --fingerprint 0xf46d6ac2
6. Log on as a different user: su -l dummy; echo $USER
7. Try again to download: gpg --recv-keys f46d6ac2

Actual results:
1. $ gpg --fingerprint eblake
pub   2048R/2527436A 2010-04-16
      Key fingerprint = 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A
uid                  Eric Blake <eblake@redhat.com>
uid                  Eric Blake (Free Software Programmer) <ebb9@byu.net>
uid                  [jpeg image of size 6874]
sub   2048R/D2E4726C 2010-04-16

2. $ gpg --recv-keys f46d6ac2
gpg: requesting key F46D6AC2 from hkp server keys.gnupg.net
gpg: key 4EBB96FF: rejected by import filter
gpg: Total number processed: 1

3. $ gpg --fingerprint 0xf46d6ac2
gpg: error reading key: public key not found

4. $ gpg --recv-keys 4ebb96ff 
gpg: requesting key 4EBB96FF from hkp server keys.gnupg.net
gpg: key 4EBB96FF: public key "Ken Coar (Open sourcerer) <coar@apache.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   6  signed:  46  trust: 0-, 4q, 0n, 0m, 2f, 0u
gpg: depth: 2  valid:  41  signed:  29  trust: 1-, 1q, 0n, 28m, 11f, 0u
gpg: depth: 3  valid:  10  signed:  21  trust: 0-, 6q, 0n, 1m, 3f, 0u
gpg: depth: 4  valid:   4  signed:   9  trust: 2-, 1q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2015-01-29
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

5. $ gpg --fingerprint 0xf46d6ac2
pub   4096R/4EBB96FF 1997-01-24
      Key fingerprint = 4333 9E61 30A2 CA74 206F  8653 5ADF 9B5C 4EBB 96FF
uid                  Ken Coar (Open sourcerer) <coar@apache.org>
uid                  Ken Coar (Open sourcerer, PHP hacker) <coar@php.net>
uid                  Ken Coar (Open sourcerer, opinionist) <Ken@Coar.Org>
uid                  Ken Coar (Open sourcerer, Perl hacker) <ROUS@CPAN.Org>
uid                  Ken Coar (Open methodology evangelist) <coar@opensource.org>
uid                  Ken Coar (Opinionist [eddress retired]) <Ken.Coar@Golux.Com>
uid                  Ken Coar/Rodent of Unusual Size (Born 1960-04, Florida, USA)
uid                  Ken Coar (Opinionist [eddress retired]) <Ken.Coar@MeepZor.Com>
uid                  Ken Coar (Open sourcerer, systems rationaliser) <coar@redhat.com>
uid                  Ken Coar (Open sourcerer, systems rationaliser) <kcoar@redhat.com>
uid                  Ken Coar (Open sourcerer, systems rationaliser) <genghisken@redhat.com>
uid                  Ken Coar (Open sourcerer, opinionist, fallback eddress) <Ken.Coar@GMail.Com>
sub   2048R/5D5F76E9 1997-01-24
sub   1024D/31F752F3 2014-07-22 [expires: 2016-07-21]
sub   4096R/F46D6AC2 2014-07-22 [expires: 2016-07-21]

6. echo $USER
dummy

7. $ gpg --recv-keys f46d6ac2
gpg: requesting key F46D6AC2 from hkp server keys.gnupg.net
gpg: key 4EBB96FF: public key "Ken Coar (Open sourcerer) <coar@apache.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


Expected results:

At step 2, the input filter should not have prevented me from getting the key.  I should not have had to resort to either step 4 (change my download request) or 7 (log on as a different user).

Additional info:

Comment 1 Brian Lane 2014-08-05 23:39:02 UTC
Please file a bug with the upstream bug tracker at https://bugs.g10code.com/gnupg/index

Comment 2 Eric Blake 2014-08-06 01:44:58 UTC
done:
https://bugs.g10code.com/gnupg/issue1680

Comment 3 Mukundan Ragavan 2014-08-24 00:04:04 UTC
Just a ping here - Looks like this is fixed upstream. Thanks!

Comment 4 Eric Blake 2014-08-25 14:24:21 UTC
If I'm reading upstream correctly, the fact that my username matched a hex substring was pure coincidence; the real issue is that ANY subkey request would fail, and the bug is that only primary keys can be downloaded.  I'm retitling the bug accordingly.
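
Added illustration, not part of the comment above and not GnuPG's code: a small model of the two filter behaviours discussed in this report, one comparing the requested ID only against the primary key and one that also accepts a matching subkey. It assumes the filter compares the requested key ID with the key IDs in the returned key block; the function names, the colon-format sample and the DEADBEEF request are constructed for the example.

```python
# Model of keyserver-response screening; illustration only, not GnuPG source.
# SAMPLE is constructed in the `gpg --with-colons` layout (field 1 = record
# type, field 5 = 64-bit key ID). The primary ID is the tail of the fingerprint
# in the report; the leading zeros on the subkey IDs are placeholders.
SAMPLE = """\
pub:-:4096:1:5ADF9B5C4EBB96FF:
sub:-:2048:1:000000005D5F76E9:
sub:-:1024:17:0000000031F752F3:
sub:-:4096:1:00000000F46D6AC2:
"""

def parse_keyblock(listing):
    """Return (primary_id, [subkey_ids]) from colon-format records."""
    primary, subkeys = None, []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if fields[0] == "pub":
            primary = fields[4].upper()
        elif fields[0] == "sub":
            subkeys.append(fields[4].upper())
    if primary is None:
        raise ValueError("no primary key record in listing")
    return primary, subkeys

def normalize(requested):
    """Accept f46d6ac2 / 0xF46D6AC2 style short or long IDs."""
    kid = requested.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    if len(kid) not in (8, 16) or any(c not in "0123456789ABCDEF" for c in kid):
        raise ValueError("expected an 8- or 16-digit hex key ID")
    return kid

def primary_only_filter(requested, listing):
    """Behaviour reported in the bug: only the primary key ID is compared."""
    primary, _ = parse_keyblock(listing)
    return primary.endswith(normalize(requested))

def primary_or_subkey_filter(requested, listing):
    """Accept when the requested ID names the primary key or any subkey."""
    primary, subkeys = parse_keyblock(listing)
    kid = normalize(requested)
    return any(k.endswith(kid) for k in [primary] + subkeys)

if __name__ == "__main__":
    # DEADBEEF is a constructed ID that matches nothing in SAMPLE.
    for req in ("f46d6ac2", "4ebb96ff", "0xDEADBEEF"):
        print(req, primary_only_filter(req, SAMPLE),
              primary_or_subkey_filter(req, SAMPLE))
```

The subkey request is rejected by the primary-only comparison and accepted by the second one, while a request that matches no key in the block is rejected by both.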

Comment 5 Brian Lane 2014-10-17 20:34:50 UTC
I've backported the 2 patches from upstream needed to fix this.

Comment 6 Fedora Update System 2014-10-17 21:15:28 UTC
gnupg-1.4.18-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnupg-1.4.18-4.fc21

Comment 7 Fedora Update System 2014-10-17 21:40:06 UTC
gnupg-1.4.18-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/gnupg-1.4.18-4.fc20

Comment 8 Fedora Update System 2014-10-19 13:20:25 UTC
Package gnupg-1.4.18-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnupg-1.4.18-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13250/gnupg-1.4.18-4.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-10-28 06:45:20 UTC
gnupg-1.4.18-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-11-10 06:41:08 UTC
gnupg-1.4.18-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

