[Bug 1844055] Re: Importing public key from keys.openpgp.org fails with "no user ID"
Tom Reynolds
1844055 at bugs.launchpad.net
Sun Sep 15 14:50:26 UTC 2019
Some more context:
"New" keys.openpgp.org key server:
https://keys.openpgp.org/about/news#2019-06-12-launch
Issues with SKS keyservers:
https://medium.com/@mdrahony/are-sks-keyservers-safe-do-we-need-them-7056b495101c
OpenPGP certificate (key signature) flooding / spam:
https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
https://nvd.nist.gov/vuln/detail/CVE-2019-13050
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13050
** Bug watch added: Debian Bug tracker #930665
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
** Also affects: gnupg2 (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1844055
Title:
Importing public key from keys.openpgp.org fails with "no user ID"
Status in gnupg2 package in Ubuntu:
New
Status in gnupg2 package in Debian:
Unknown
Bug description:
Running (up to date) 18.04 LTS I'm trying to import a public key from
the somewhat new but OpenPGP key spamming resistant key server at
keys.openpgp.org:
$ curl -s 'https://keys.openpgp.org/vks/v1/by-fingerprint/723E343AC00331F03473E6837BE5A11FA37E8721' | gpg --import
gpg: key 0x7BE5A11FA37E8721: no user ID
gpg: Total number processed: 1
$
This key fails to import (GPG does not report that any keys were
imported).
$ gpg --version | head -n2
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
$
This makes it impossible to use most of the keys stored on the
keys.openpgp.org keyserver and forces users (who want / need to use
key servers) to instead work with SKS keyservers which do not prevent
signature spamming, on a GPG build which lacks fixes against signature
spamming, which puts Ubuntu 18.04 LTS users at great risk of becoming
victims of signature spamming, breaking their GPG installations in
ways which are difficult to debug.
This issue has been previously discussed and solved in Debian at
https://bugs.debian.org/930665
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnupg 2.2.4-1ubuntu1.2
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Sep 15 16:20:13 2019
SourcePackage: gnupg2
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1844055/+subscriptions
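A way to check, before import, whether a downloaded certificate carries a User ID packet at all, which is the condition behind the "no user ID" message in the report above. This is an added example, not part of the bug report or of GnuPG; the function names and the sample packets are constructed for illustration, and the parser follows the RFC 4880 packet header layout.

```python
import base64

USER_ID = 13  # OpenPGP packet tag for a User ID packet (RFC 4880, section 4.3)

def dearmor(data: bytes) -> bytes:
    """Return raw packets from ASCII-armored (or already binary) input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    start = lines.index(b"") + 1  # blank line ends the armor headers
    body = [l for l in lines[start:] if not l.startswith((b"-----", b"="))]
    return base64.b64decode(b"".join(body))

def packet_tags(data: bytes) -> list:
    """Walk the packet headers and return the tag of every packet in order."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {i}")
        i += 1
        if hdr & 0x40:  # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        tags.append(tag)
        i += length
    return tags

def has_user_id(cert: bytes) -> bool:
    return USER_ID in packet_tags(dearmor(cert))

# Constructed samples: dummy packet bodies, not real key material.
PUBKEY = bytes([0xC0 | 6, 4]) + b"\x04AAA"   # new-format public-key packet
UID = bytes([0xB4, 5]) + b"a@b.c"            # old-format user-ID packet
SIG = bytes([0xC0 | 2, 3]) + b"SIG"          # new-format signature packet
FULL, STRIPPED = PUBKEY + UID + SIG, PUBKEY + SIG
```

On a real system, the same question can be answered by piping the download into `gpg --list-packets` and looking for a user ID packet in the output.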