Bad, possibly insecure key usage flags on new keys

Like it says in Bugzilla [1], when Seahorse generates new keys it
gives RSA (sign only) keys *all* capabilities (encryption etc.)
instead of just signing/certifying. GnuPG normally doesn't give the
option of using the same RSA key for signing *and* encryption (I'm
guessing for security reasons like this: [2]), so Seahorse shouldn't

Fixing it is really simple; I attached a patch, can anyone test it?

From 258fcbaebe3f5fbb585d485ac001cc2d5ed9e5a7 Mon Sep 17 00:00:00 2001
From: nobled <nobled dreamwidth org>
Date: Thu, 10 Sep 2009 00:07:45 -0400
Subject: [PATCH] [gpgme] Set usage flags on batch-generated keys (closes: bgo#555205)

Added lines for "Key-Usage:" and "Subkey-Usage:" to the standard input
to `gpg --batch --gen-key`.
 pgp/seahorse-gpgme-key-op.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgp/seahorse-gpgme-key-op.c b/pgp/seahorse-gpgme-key-op.c
index c059494..f67cc5f 100644
--- a/pgp/seahorse-gpgme-key-op.c
+++ b/pgp/seahorse-gpgme-key-op.c
@@ -135,15 +135,15 @@ seahorse_gpgme_key_op_generate (SeahorseGpgmeSource *psrc, const gchar *name,
         common = g_strdup_printf ("Name-Comment: %s\n%s", comment, common);
     if (type == RSA_SIGN)
-        key_type = "Key-Type: RSA";
+        key_type = "Key-Type: RSA\nKey-Usage: sign";
-        key_type = "Key-Type: DSA";
+        key_type = "Key-Type: DSA\nKey-Usage: sign";
     start = g_strdup_printf ("<GnupgKeyParms format=\"internal\">\n%s\nKey-Length: ", key_type);
     /* Subkey xml */
     if (type == DSA_ELGAMAL)
-        parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\n%s",
+        parms = g_strdup_printf ("%s%d\nSubkey-Type: ELG-E\nSubkey-Length: %d\nSubkey-Usage: encrypt\n%s",
                                  start, DSA_MAX, length, common);
         parms = g_strdup_printf ("%s%d\n%s", start, length, common);

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]