Binary package hint: gnupg
Affects both:
• gnupg-1.4.6-2ubuntu5 (hardy)
• gnupg2-2.0.7-1 (hardy)
When keys have “keyserver” preferences set (see many of the newer @tarent.de keys,
for example), the “gpg --refresh-keys” command has a weird modus operandi:
First, it takes all of the keys with a keyserver set, and connects ONCE PER KEY to
the keyserver (and often failing due to hitting the keyserver reconnection limit,
loading it, or something), then it connects ONCE for all remaining keys to the
keyserver set in ~/.gnupg/gpg.conf (which, incidentally, is the same keyserver as
the one set on all but one of the keys with a keyserver pref set in my public key
ring). This makes key refreshing very awkward, sometimes impossible.
Please (possibly report upstream) change it so that keys with the same keyserver
string listed in their pref are merged into one request, possibly merging with the
default keyserver ifi t’s also the same.
Marking this as security vulnerability because I think that, when people run
gpg --refresh-keys (or gpg2 --refresh-keys) on an automated basis and don’t
see it failing due to a loaded keyserver, they may not receive revocation
certificates in time. If you disagree, feel free to un-flag this bug.
Can you please test this with recent gpg versions (e.g. in a CHROOT) and report back? Ideal would be logs (e.g. --verbose, --status-fd, --logger-fd, ...).