—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256
This is a modified binary for gpg 2.0.30 which removes constraints checking for various data lengths when creating, importing, and uploading keys. Here is an example key (the filesize is appx 1.4 megs): please_sir@may_i_have_some_more.com (and uploaded to the keyserver . Moral of the story: never rely on client side validation.
My intent in this is not to disclose a bug for GPG to fix, but to draw caution to using public keyservers, period. When you sign someone’s key, think twice before you upload it to the public. You are basically advertising your trust relationships to the world.
There are some cool things coming out, especially from Phenoelit, in the near future that IMHO go a long way towards solving this problem. In the meantime, be careful.
1 Since I assume everyone will be skeptical of what a modified binary contains, I posted the diff on github .
PS: to accomplish the one thing GPG is *very* good at, I’ve gone ahead and signed this page to prove that the key does, in fact, belong to me
—–BEGIN PGP SIGNATURE—– Version: GnuPG v2 iF4EAREIAAYFAldkU94ACgkQ9ZFmFzj/7S9meAD7BIrlvnvfibniwE4Ls+4RteWi WB8XmFhpyOqWB1MzB1QA/1zBlsvDjoWmq9B9zrv1T0vsQ5WiWcsnxOqVheSlNA3c =rDHt —–END PGP SIGNATURE—–