32bit key id is a poor idea... use full fingerprint instead

[freethenation]

https://rvm.io/rvm/install contains the line gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3 You should use your full fingerprint instead. See https://evil32.com/ for more info.

[mpapis]

ok I get it's bad to use 32bit key, how do I fix it, the mentioned link does not seem to show a fix only describes the problem (sorry if I missed it, a bit tired)

[freethenation]

gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3 ->
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
Just use the full fingerprint when receiving the key.

[mpapis]

ah so the D39DC0E3 is just the ending of full fingerprint, I see that gpg was patched ~ year ago, would we need to add a note for older versions to use the short versions?

[freethenation]

The patch mentioned on that page has to do with a MITM attack not 32bit key ids. People using old version of GPG might be vulnerable to the MITM if there network is compromised but I don't think its worth mentioning.

The 32bit collision issue is a separate issue that can not be "patched". I can easily upload a key with the same 32bit fingerprint and users would receive both into their local key ring. The command above should run in all versions of GPG. Keyservers are required to allow full fingerprint searches. From the spec http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.1.1.1

A keyserver that allows searching by keyid MUST accept the 160-bit
   version 4 fingerprint, 64-bit key IDs, and 32-bit key IDs in the
   "search" variable