"gpg2 --refresh-keys" results in "rejected by import filter"

Bug #1421640 reported by Alexander Buchner on 2015-02-13
This bug affects 1 person
Affects            Importance   Assigned to
gnupg2 (Ubuntu)    Undecided    Unassigned
Utopic             Undecided    Marc Deslauriers
Vivid              Undecided    Unassigned

Bug Description

I am using Ubuntu 14.10 with gpg (GnuPG) 2.0.24.

There seems to be a bug when I want to refresh the keys.

:~$ gpg2 --refresh-keys
gpg: refreshing 33 keys from hkp://keys.gnupg.net
gpg: key 43A2BCD5: rejected by import filter
gpg: key A788C4D6: rejected by import filter
gpg: key EE728A71: rejected by import filter
gpg: key 04089964: rejected by import filter
gpg: key 6224791A: rejected by import filter
gpg: key F1AE330F: rejected by import filter
gpg: key 407D90F7: rejected by import filter
....

Since this problem with 2.0.24 seems to be known (http://lists.freebsd.org/pipermail/freebsd-ports/2014-June/093621.html) I think it might be a good idea to update to a more recent version.

Nosphky (philip-jackson) wrote :

Since gnupg has moved forward to the 'modern' series 2.1.* (now at 2.1.2), it would be good to have this available in Ubuntu because more and more correspondents are moving to and using ECC encryption. 2.0.* (now at 2.0.27) cannot handle this and we are being left behind.

dkg (dkg0) wrote :

This is not a good reason to move to gnupg 2.1.

It is a good reason to apply upstream git commit 044847a0e2013a2833605c1a9f80cfa6ef353309 to the gnupg2 2.0.24 package in Ubuntu:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=044847a0e2013a2833605c1a9f80cfa6ef353309

Is there anyone who can fix this bug?

Changed in gnupg2 (Ubuntu Vivid):
status: New → Fix Released
Changed in gnupg2 (Ubuntu Utopic):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.0.24-1ubuntu2.2

---------------
gnupg2 (2.0.24-1ubuntu2.2) utopic-security; urgency=medium

  * Fix screening responses from keyservers (LP: #1421640)
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in common/iobuf.c, g10/build-packet.c,
      g10/getkey.c, g10/keyid.c, g10/main.h, g10/misc.c,
      g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h,
      kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c,
      kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c,
      scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c.
    - CVE-2015-1607
 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:16:53 -0400

Changed in gnupg2 (Ubuntu Utopic):
status: In Progress → Fix Released