gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.

* g10/gpg.c (main): Change default.
--

Due to the DoS attack on the keyeservers we do not anymore default to
import key signatures.  That makes the keyserver unsuable for getting
keys for the WoT but it still allows to retriev keys - even if that
takes long to download the large keyblocks.

To revert to the old behavior add

  keyserver-optiions  no-self-sigs-only,no-import-clean

to gpg.conf.

GnuPG-bug-id: 4607
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 23c978640812d123eaffd4108744bdfcf48f7c93)
(cherry picked from commit 2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Add-self-sigs-only-and-import-clean-to-the-keyserver-.patch

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 5c3bd4884c6dff8e0f84a0acb706da30ed752771..c8fb241acabd3014c3e2e90d51f07f8c3dc93b11 100644 (file)
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1907,6 +1907,11 @@ are available for all keyserver types, some common options are:
 
 @end table
 
+The default list of options is: "self-sigs-only, import-clean,
+repair-keys, repair-pks-subkey-bug, export-attributes,
+honor-pka-record".
+
+
 @item --completes-needed @var{n}
 @opindex compliant-needed
 Number of completely trusted users to introduce a new

diff --git a/g10/gpg.c b/g10/gpg.c
index 0e98c1aae1f53ce72635bc2e18cf4703f796bd57..6e5e901712c45ff62d02d7718d997f90cc0a7e97 100644 (file)
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2373,7 +2373,9 @@ main (int argc, char **argv)
     opt.import_options = IMPORT_REPAIR_KEYS;
     opt.export_options = EXPORT_ATTRIBUTES;
     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
-                                           | IMPORT_REPAIR_PKS_SUBKEY_BUG);
+                                           | IMPORT_REPAIR_PKS_SUBKEY_BUG
+                                            | IMPORT_SELF_SIGS_ONLY
+                                            | IMPORT_CLEAN);
     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
     opt.verify_options = (LIST_SHOW_UID_VALIDITY