Create Task
Maniphest T6881

GPG Keymanagement of other users
Closed, DuplicatePublic
Actions

Description

Includes:

  • Fetching other users keys
  • Managing other users keys in the addressbook
  • Trustmanagement of keys

In a signature we just have a fingerprint, to be able to tell anything about the fingerprint we need to get the users key. Gpg provides an option to automatically fetch all keys that we query for ("keyserver-options auto-key-retrieve" in gpg.conf), or sometimes the key is already attached to the email, so we could import it from there. Since we don't control the users gpg.conf I'm not entirely sure whether we should rely on it and whether we need to provide an alternative way of fetching keys. Keys can be fetched via "gpg --recv-keys key-id", I suppose there is also some way via the gpgme library.

The addressbook should probably provide a way to fetch the key if not yet available, which then allows the users to also manage the trust via the addressbook. This will also be necessary to be able to encrypt anything to the user, so the composer should also be able to fetch the keys.

Related Objects
Search...

StatusAssignedTask
 OpenNoneT7658 Autocrypt support
 OpenNoneT5914 GPG support
 DuplicateNoneT6881 GPG Keymanagement of other users
cmollekopf added a comment.Aug 27 2017, 10:18 PM

auto-key-retrieve only works for verifying signatures and does leak user information (that would apply to any automatic key-fetching though).

--auto-key-retrieve
--no-auto-key-retrieve
These options enable or disable the automatic retrieving of keys from a keyserver when verifying signatures made by keys that are not on the local keyring. The default is --auto-key-retrieve.

If the method "wkd" is included in the list of methods given to auto-key-locate, the signer’s user ID is part of the signature, and the option --disable-signer-uid is not used, the "wkd" method may also be used to retrieve a key.

Note that this option makes a "web bug" like behavior possible. Keyserver or Web Key Directory operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally will not have on your local keyring), the operator can tell both your IP address and the time when you verified the signature.