Safety of using auto-key-retrieve with GPG
I am using Arch Linux and trying to build a package from the AUR. In order to build this package I need to download source files from a repository. The Arch PKGBUILD lists a key as a validpgpkey. While I can download this key individually, it is also possible to configure GPG to auto retrieve the key with
There are obviously security implications in regards to the package building process. My understanding is that the
auto-key-retrieve option is global and other programs may now start to automatically download keys. What type of security implications does that have?
The package build process itself is safe, even with automatic key retrieval: since
validpgpkeys must list full fingerprints, the key that’s automatically retrieved is sure to be the correct one. The main use-case that’s affected by automatic key retrieval is detecting unwanted changes to the
validpgpkeys declaration (but such changes should be manually verified anyway, not just when
gpg complains that it doesn’t have the necessary key in its keyring).
auto-key-retrieve option is indeed global, so enabling it means that any interaction with
gpg involving a key that isn’t in your keyring will download that key from your default keyserver. The practical difference this makes depends on two factors: the verifications you make when downloading a key manually, and whether or not your key and the key you’re downloading are connected. Obviously, if you always verify keys out of band before adding them to your keyring, you don’t want to enable automatic key retrieval. If the keys you use are connected, and you use the trust information, that’s valid regardless of where the key comes from, so automatic key retrieval is safe then. In between those two extremes, it seems to me that if you use full fingerprints, automatic key retrieval is safe too; and if you don’t, the risks associated with keys are the same regardless of their origin (e.g. accepting something signed by an evil key as signed by the real key owner, or worse, encrypting something to an evil key thinking that you’re sending it to someone else).
Really the main caveat with
auto-key-retrieve is that highlighted in the manual:
Note that this option makes a “web bug” like behavior possible. Keyserver or Web Key Directory operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally will not have on your local keyring), the operator can tell both your IP address and the time when you verified the signature.