From e6f84116abca2ed49bf14b2e28c3c811a3717227 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 11 Aug 2017 02:26:52 -0400 Subject: [PATCH] gpg: default to --no-auto-key-retrieve. * g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the default keyserver options. * doc/gpg.texi: document this change. -- This is a partial reversion of 7e1fe791d188b078398bf83c9af992cb1bd2a4b3. Werner and i discussed it earlier today, and came to the conclusion that: * the risk of metadata leakage represented by a default --auto-key-retrieve, both in e-mail (as a "web bug") and in other contexts where GnuPG is used to verified signatures, is quite high. * the advantages of --auto-key-retrieve (in terms of signature verification) can sometimes be achieved in other ways, such as when a signed message includes a copy of its own key. * when those other ways are not useful, a graphical, user-facing application can still offer the user the opportunity to choose to fetch the key; or it can apply its own policy about when to set --auto-key-retrieve, without needing to affect the defaults. Note that --auto-key-retrieve is specifically about signature verification. Decisions about how and whether to look up a key during message encryption are governed by --auto-key-locate. This change does not touch the --auto-key-locate default of "local,wkd". The user deliberately asking gpg to encrypt to an e-mail address is a different scenario than having an incoming e-mail trigger a potentially unique network request. Signed-off-by: Daniel Kahn Gillmor --- doc/gpg.texi | 2 +- g10/gpg.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index c71126a97..b6a9b2d70 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1792,7 +1792,7 @@ list. The default is "local,wkd". @opindex no-auto-key-retrieve These options enable or disable the automatic retrieving of keys from a keyserver when verifying signatures made by keys that are not on the -local keyring. The default is @option{--auto-key-retrieve}. +local keyring. The default is @option{--no-auto-key-retrieve}. If the method "wkd" is included in the list of methods given to @option{auto-key-locate}, the signer's user ID is part of the diff --git a/g10/gpg.c b/g10/gpg.c index c721cdc4a..c9fa7ae5b 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -2366,8 +2366,7 @@ main (int argc, char **argv) opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS | IMPORT_REPAIR_PKS_SUBKEY_BUG); opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; - opt.keyserver_options.options = (KEYSERVER_HONOR_PKA_RECORD - | KEYSERVER_AUTO_KEY_RETRIEVE); + opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; opt.verify_options = (LIST_SHOW_UID_VALIDITY | VERIFY_SHOW_POLICY_URLS | VERIFY_SHOW_STD_NOTATIONS -- 2.13.0