A change was recently made to the GnuPG codebases whereby GnuPG now checks during a key import operation whether a key matches the search description before it is imported. This works fine when importing a single key (e.g. "gpg --recv-key 12345678"), but the code is incomplete and doesn't work properly when importing multiple keys (e.g. "gpg --refresh-keys" or "gpg --recv-key 12345678 90ABCDEF"). The bug causes gpg to print a rather mysterious error, e.g. for --refresh-keys:
Code:
gpg: key 91B35673: rejected by import filter
gpg: key 74858952: rejected by import filter
gpg: key E1B7D789: rejected by import filter
gpg: key 3637BBA2: rejected by import filter
gpg: key 57ED7F67: rejected by import filter
gpg: key 9FBC897B: rejected by import filter
gpg: key 02FF4B7C: rejected by import filter
gpg: key DE6F0195: rejected by import filter
gpg: key D30D87A4: rejected by import filter
The fact that this breaks --refresh-keys in particular is a pretty serious problem, since other software (e.g. Enigmail) relies on it to function correctly.
This bug is fixed as of GnuPG 1.4.18 and 2.0.26 (the patch is committed to git here), and I've compiled my own packages to verify that they fix the error given above by --refresh-keys (they do).
It's tenuous to suggest that this is a security risk in itself, but given that other security-sensitive software might rely on --refresh-keys working correctly, is there any chance we could get updated official packages, please?
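A small diagnostic for anyone checking whether a machine is affected, added here as an example and not part of the original post or of GnuPG: it reads the version banner that `gpg --version` prints (assumed to start with "gpg (GnuPG) X.Y.Z"), compares it against the fixed releases named above, and picks out the key IDs that --refresh-keys reported as "rejected by import filter". Branches the post does not cover (anything other than 1.4.x and 2.0.x) are reported as unknown rather than guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Releases in which the post says the multi-key import check is fixed,
# keyed by branch; other branches are not covered by the report.
FIXED_VERSIONS = {(1, 4): (1, 4, 18), (2, 0): (2, 0, 26)}

REJECT_RE = re.compile(r"^gpg: key ([0-9A-Fa-f]{8,40}): rejected by import filter$")


def parse_gpg_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the first line of `gpg --version`."""
    m = re.search(r"gpg \(GnuPG\) (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised gpg --version banner")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def import_filter_bug_fixed(version: Tuple[int, int, int]) -> Optional[bool]:
    """True/False for the 1.4.x and 2.0.x branches; None for branches the post does not cover."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def rejected_keys(stderr: str) -> List[str]:
    """Key IDs that --refresh-keys reported as rejected by the import filter."""
    found = []
    for line in stderr.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            found.append(m.group(1).upper())
    return found


def diagnose(banner: str, refresh_stderr: str) -> Dict[str, object]:
    """Combine the version check with the symptom seen in --refresh-keys output."""
    version = parse_gpg_version(banner)
    return {
        "version": version,
        "fixed": import_filter_bug_fixed(version),
        "rejected": rejected_keys(refresh_stderr),
    }


# Constructed sample input: a 2.0.22 banner and two of the error lines quoted in the post.
SAMPLE_BANNER = "gpg (GnuPG) 2.0.22\nlibgcrypt 1.5.3\n"
SAMPLE_STDERR = ("gpg: key 91B35673: rejected by import filter\n"
                 "gpg: key 74858952: rejected by import filter\n"
                 "gpg: Total number processed: 2\n")
```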