[Differential] [Commented On] D3140: Add formatters for application/pgp-keys and application/vnd.gnupg.wks body parts

aheinecke (Andre Heinecke) noreply at phabricator.kde.org
Mon Oct 24 17:49:16 BST 2016


aheinecke added inline comments.

INLINE COMMENTS

> knauss wrote in pgpkeymessagepart.cpp:81
> What? gpgme does not offer any function to scan whether data is a key?

Yes,... *blushes for gpgme*

And we need one here. This is fragile and dangerous. We can have multiple keys in an application/pgp-keys file. This would only show the last one. When a user is then offered to import the key (which I suggested in my other comment) he can be tricked into importing multiple keys with different fingerprints / userids. Also, without an action gnupg determines by itself what it does with the data, e.g. try to decrypt it. I can't really think of an attack that could utilize this but maybe.

I've written a new gpgme command for this gpgme_op_keylist_from_data which takes a gpgme_data_t and returns a keylistresult. Just need to get it upstream, which is surprisingly a bit difficult as I use "gpg --import-options import-show --dry-run --import" where upstream says that this is not technically a keylisting :-/

In Qt this would be a keylistjob that takes a QByteArray.

I'll let you know when we have an API for that. (But packagers will not like us if we depend on unreleased again. So maybe we should then use that with an ifdef version guard.) :-)

REPOSITORY
  rKDEPIMADDONS KDE PIM Addons

REVISION DETAIL
  https://phabricator.kde.org/D3140

To: dvratil, bjoernbalazs, aheinecke, mlaurent
Cc: knauss, emanuel, mlaurent, kde-pim, #kde_pim, spencerb, dvasin, winterz, vkrause, dvratil
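
The multiple-key concern in the comment above can be checked before any import prompt is shown. The following is an added example, not code from the revision under review or from gpgme: it walks the OpenPGP packet framing (RFC 4880, section 4.2) and counts Public-Key packets. It assumes the body has already been dearmored to binary; countPrimaryKeys and constructedTwoKeyStream are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Counts Public-Key packets (tag 6), i.e. primary keys, in a binary (already
// dearmored) OpenPGP packet stream. Returns -1 on malformed or unhandled framing.
int countPrimaryKeys(const std::vector<uint8_t> &d)
{
    int keys = 0;
    size_t i = 0;
    while (i < d.size()) {
        const uint8_t hdr = d[i++];
        if (!(hdr & 0x80)) return -1;            // bit 7 is always set in a packet header
        unsigned tag;
        size_t len = 0;
        if (hdr & 0x40) {                        // new-format header
            tag = hdr & 0x3f;
            if (i >= d.size()) return -1;
            const uint8_t o = d[i++];
            if (o < 192) {                       // one-octet length
                len = o;
            } else if (o < 224) {                // two-octet length
                if (i >= d.size()) return -1;
                len = ((size_t(o) - 192) << 8) + d[i++] + 192;
            } else if (o == 255) {               // five-octet length
                if (d.size() - i < 4) return -1;
                for (int k = 0; k < 4; ++k) len = (len << 8) | d[i++];
            } else {
                return -1;                       // partial body lengths: not handled here
            }
        } else {                                 // old-format header
            tag = (hdr >> 2) & 0x0f;
            const unsigned lt = hdr & 0x03;
            if (lt == 3) return -1;              // indeterminate length: not handled here
            const size_t n = size_t(1) << lt;    // 1, 2 or 4 length octets
            if (d.size() - i < n) return -1;
            for (size_t k = 0; k < n; ++k) len = (len << 8) | d[i++];
        }
        if (len > d.size() - i) return -1;       // body runs past the end of the data
        if (tag == 6) ++keys;                    // each Public-Key packet starts a new key
        i += len;
    }
    return keys;
}

// Constructed sample (framing only, dummy bodies): key, User ID (tag 13), second key.
std::vector<uint8_t> constructedTwoKeyStream() {
    return {0x98, 0x02, 0x04, 0x00, 0xCD, 0x01, 'a', 0xC6, 0x01, 0x04};
}
```

Any result other than 1 means the body cannot be presented as a single key with a single fingerprint.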