gpg updating (flooded) public keys in the background
Originally created by @sajolida on #17111 (Redmine)
Today I caught gpg checking for one of the flooded OpenPGP keys in the background.
It had been running at 100% CPU for more than 30 minutes before I killed it. Before that, the same operation had killed my laptop by overheating a few hours earlier.
The command that I got from a ps listing was:
/usr/bin/gpg --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --no-emit-version --no-comments --display-charset utf-8 --keyserver-options no-auto-key-retrieve --batch --no-tty --no-verbose --status-fd 2 --keyserver hkp://jirk5u4osbsr34t5.onion:11371 --recv-keys EE8192A6E443D6D8
EE8192A6E443D6D8 is the key of Patrick Brunschwig <patrick@brunschwig.net>, author of Enigmail, and reported as flooded. See https://anarc.at/blog/2019-07-30-pgp-flooding-attacks/.
I definitely didn’t trigger this action myself.
Also note that some weeks ago, as gpg was doing some other extreme CPU operations (when checking the trust db), I rebuilt my keyring from scratch by importing all public and private keys manually again.
The version of EE8192A6E443D6D8 that I have in my keyring only has 1333 signatures so it’s not the flooded version.
gpg in Tails shouldn’t try to fetch possibly flooded keys in the background as it can lead to hardware damage and data loss.
Setting priority to Elevated as it is a regression with possibly harmful consequences.
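An added example, not code from the report above or from Tails, for checking offline whether a key already in the local keyring is a flooded copy: it parses `gpg --with-colons --list-sigs` output and counts signature records per key, so a keyring can be audited without contacting a keyserver. The sample listing is constructed (the key id EE8192A6E443D6D8 is the one named in the report, the other ids are placeholders), and the 1000-signature threshold is an assumption.

```python
import subprocess

# Constructed sample of `gpg --with-colons --list-sigs` output; not real key data.
# Field 1 is the record type, field 5 the key id (colon format, 0-based index 4).
SAMPLE_LISTING = """\
pub:u:4096:1:EE8192A6E443D6D8:1400000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1400000000::0000000000000000000000000000000000000001::Example User <user@example.org>::::::::::0:
sig:::1:EE8192A6E443D6D8:1400000000::::Example User <user@example.org>:13x:::::2:
sig:::1:1111111111111111:1400000001::::Signer One <one@example.org>:10x:::::2:
sig:::1:2222222222222222:1400000002::::Signer Two <two@example.org>:10x:::::2:
pub:u:2048:1:3333333333333333:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::0000000000000000000000000000000000000002::Other User <other@example.org>::::::::::0:
sig:::1:3333333333333333:1400000000::::Other User <other@example.org>:13x:::::2:
"""


def count_signatures(listing: str) -> dict:
    """Return {key id: number of sig/rev records} from colon-format gpg output.

    Every sig or rev record belongs to the most recent pub record, whatever
    uid or sub record it sits under, so the total is per primary key.
    """
    counts = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]
            counts[current] = 0
        elif fields[0] in ("sig", "rev") and current is not None:
            counts[current] += 1
    return counts


def flooded_keys(counts: dict, threshold: int = 1000) -> list:
    """Key ids whose signature count exceeds the (assumed) flooding threshold."""
    return sorted(k for k, n in counts.items() if n > threshold)


def keyring_listing(keyid: str = None) -> str:
    """Read the real listing from the local keyring (never contacts a keyserver)."""
    cmd = ["gpg", "--batch", "--with-colons", "--list-sigs"]
    if keyid:
        cmd.append(keyid)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

To audit a real keyring, pass `keyring_listing()` to `count_signatures` instead of the constructed sample.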