Release of GnuPG 2.2.17 with changes to counter the key server attack

GnuPG 2.2.17 (GNU Privacy Guard) has been released. The toolkit is compatible with the OpenPGP (RFC 4880) and S/MIME standards and provides utilities for data encryption, working with electronic signatures, key management and access to public key stores. As a reminder, the GnuPG 2.2 branch is positioned as a development release that continues to add new features, while the 2.1 branch only accepts corrective fixes.

The new release adds measures to counter the attack via key servers that causes GnuPG to hang and makes it unable to continue working until the problematic certificate is deleted from the local store or the certificate store is rebuilt from verified public keys. The added protection is based on ignoring, by default, all third-party digital signatures on certificates received from key servers. Recall that any user can attach their own digital signature to arbitrary certificates on a key server; attackers use this to create a huge number of such signatures (more than a hundred thousand) on the victim's certificate, and processing them disrupts the normal operation of GnuPG.

Ignoring third-party digital signatures is controlled by the "self-sigs-only" option, which allows only the key owners' own signatures to be loaded for keys. To restore the old behavior, add "keyserver-options no-self-sigs-only,no-import-clean" to gpg.conf. Moreover, if during an import GnuPG detects key blocks whose import would overflow the local store (pubring.kbx), instead of reporting an error it now automatically switches to the signature-ignoring mode ("self-sigs-only,import-clean").

To refresh keys via the Web Key Directory (WKD) mechanism, a "--locate-external-key" option has been added that can also be used to rebuild the certificate store from verified public keys. When performing the "--auto-key-retrieve" operation, the WKD mechanism is now preferred over key servers. The essence of WKD is that public keys are published on the web at a location tied to the domain of the email address. For example, for the address "[email protected]", the key can be downloaded via the link "https://example.com/.well-known/openpgpkey/hu/183d7d5ab73cfceece9a5594e6039d5a".
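As an added example (not from the article or from GnuPG's own code), the following derives the WKD lookup URLs for an address the way the Web Key Directory draft specifies: SHA-1 of the lowercased local part, z-base-32 encoded, served under the mail domain's .well-known path, for both the "direct" and "advanced" methods; the sample address is constructed.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft for the hashed local part
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: ceil(bits / 5) symbols, most significant bits first."""
    bits = len(data) * 8
    nsyms = (bits + 4) // 5
    # Left-align the bit string so a trailing partial group is padded with zero bits.
    value = int.from_bytes(data, "big") << (nsyms * 5 - bits)
    return "".join(ZB32_ALPHABET[(value >> (5 * (nsyms - 1 - i))) & 31] for i in range(nsyms))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 symbols, no padding


def wkd_urls(address: str) -> dict:
    """Return the 'direct' and 'advanced' WKD lookup URLs for a mail address.

    Only the local part is hashed; the domain is lowercased and used as-is.
    The ?l= query repeats the original local part so a server can still serve
    mailboxes whose local parts are case-sensitive.
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    hashed = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
    }


if __name__ == "__main__":
    # Constructed sample address; example.com is a placeholder domain.
    for method, url in wkd_urls("Alice.Smith@example.com").items():
        print(f"{method:8s} {url}")
```

A client that resolves keys this way should fetch over HTTPS only and treat the returned key as unverified until its fingerprint is checked, since the lookup trusts the domain's web server, not a signature on the key.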

Source: opennet.ru