The PGP (SKS) net server network is under attack, and it seems pretty damn bad.
Read the post obviously. But the TL;DR is that someone is spamming the keys of certain GnuPG contributors with huge numbers of extra signature attestations, and GnuPG can’t deal with it.
The problem seems basically unfixable, and oh god, of course the reason involves unmaintained academic code written in OCaml.
It's a demonstration of flaws in the GPG implementation too. I've been complaining about the awful usability for ages and stopped using it for email in the past couple years, but I didn't realize that a keyring could be so trivially bricked by a maliciously crafted public key.
I need to figure out a solution for signing Git history to drop GPG completely. I could clone the Git repository and put that into a signed archive... and that would have far less attack surface since the signature could be verified before having Git deal with all the objects.
Git signed commits / tags only provide verification of that specific object and then everything else is verified via the sha1 hash chain so it has issues beyond GPG. I'm not sure how practical of an issue that is at the moment since objects have their length in the header though.
Git objects use the format b"type length\0data" with addressing based on the hash of the DEFLATE compressed object as a whole so that adds some complexity to generating collisions. It's still terrible, and I feel guilty every time I sign a Git tag since it's depending on sha1...
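An added example, not part of the thread: a Python check of the length header and SHA-1 id on a loose Git object before its contents are trusted. It assumes Git's loose-object storage (a zlib stream holding the header plus data, with the object id being the SHA-1 of the uncompressed bytes); `encode_loose_object`, `verify_loose_object` and `MAX_OBJECT_BYTES` are hypothetical names, and the sample object is constructed.

```python
import hashlib
import zlib

VALID_TYPES = {b"blob", b"tree", b"commit", b"tag"}
MAX_OBJECT_BYTES = 64 * 1024 * 1024  # assumed cap against decompression bombs


def encode_loose_object(obj_type: bytes, data: bytes) -> bytes:
    """Build the zlib-compressed bytes Git stores for a loose object."""
    header = obj_type + b" " + str(len(data)).encode() + b"\0"
    return zlib.compress(header + data)


def verify_loose_object(compressed: bytes, expected_id: str):
    """Return (type, data) only if header, length and SHA-1 id all check out."""
    d = zlib.decompressobj()
    raw = d.decompress(compressed, MAX_OBJECT_BYTES + 1)
    if len(raw) > MAX_OBJECT_BYTES:
        raise ValueError("object too large")
    if not d.eof or d.unused_data:
        raise ValueError("truncated stream or trailing bytes")
    header, sep, data = raw.partition(b"\0")
    if not sep:
        raise ValueError("missing NUL after header")
    obj_type, space, length = header.partition(b" ")
    if not space or obj_type not in VALID_TYPES:
        raise ValueError("bad object type")
    # The length is plain decimal with no leading zeros; reject anything else.
    if not length.isdigit() or (len(length) > 1 and length[:1] == b"0"):
        raise ValueError("bad length field")
    if int(length) != len(data):
        raise ValueError("declared length does not match data")
    # The id covers the uncompressed header and data together.
    if hashlib.sha1(raw).hexdigest() != expected_id:
        raise ValueError("object id mismatch")
    return obj_type.decode(), data


# Constructed sample: the blob for the 12-byte content "hello world\n".
SAMPLE = encode_loose_object(b"blob", b"hello world\n")
SAMPLE_ID = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"

if __name__ == "__main__":
    print(verify_loose_object(SAMPLE, SAMPLE_ID))
```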

