Recent GnuPG keyserver DoS attack

Frequent users of GnuPG keyservers are at risk; here is what to do about it.

There has been a recent keyserver attack, which was reported by Ilu on our forum.

Like most distributions, SolydXK packages the keys needed for repository identification. You are only at risk if you manually download and install keys from a keyserver.

If you use keyservers to get your keys, follow these steps:

  1. Open ~/.gnupg/gpg.conf in a text editor and make sure there is no line starting with keyserver. If there is, remove it or put a "#" in front of it and save the file. Then, in a terminal, stop the running dirmngr process: gpgconf --kill dirmngr
  2. If you need to import a repository key that isn't packaged, never use the old method with apt-key. Just download the key file and put it in the /etc/apt/trusted.gpg.d directory. That way you can easily see how big it is, and getting rid of a poisoned key is simply a matter of deleting the file. Key files should be small, definitely smaller than 1 MB.
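
The two steps above as a small shell script. This is an added example, not SolydXK's own code and not part of the solydxk-system package: it comments out keyserver lines in a gpg.conf, refuses a downloaded key file that reaches the 1 MB ceiling before copying it into a trusted.gpg.d directory, and runs a demonstration on constructed scratch files only. The helper names, the example keyserver hostnames and the scratch file contents are assumptions; the only real command from the post it uses is gpgconf --kill dirmngr, and that is kept in a function the demo does not call.

```shell
#!/bin/sh
# Added example (not from the SolydXK post or the solydxk-system package).
# Helpers for the two steps in the post:
#   disable_keyserver_lines - comment out active "keyserver" lines in a gpg.conf
#   check_key_file          - refuse a key file that is empty or 1 MB or larger
#   install_repo_key        - copy a vetted key into a trusted.gpg.d directory
#   harden_user_gpg         - step 1 against the real user config (not run here)
# Assumptions: POSIX sh, GNU or BSD sed/head, the 1 MB limit from the post.
# The demo at the bottom works on scratch files in a temporary directory and
# never touches ~/.gnupg or /etc/apt.

MAX_KEY_BYTES=1048576   # 1 MB: the ceiling the post gives for a sane key file

# Comment out every uncommented line that starts with "keyserver" (leading
# whitespace allowed) and print how many lines were disabled. A missing
# config means there is nothing to disable, so it prints 0.
disable_keyserver_lines() {
    conf="$1"
    [ -f "$conf" ] || { echo 0; return 0; }
    n=$(grep -c '^[[:space:]]*keyserver' "$conf" || true)
    if [ "$n" -gt 0 ]; then
        # keep a .bak copy so the edit can be undone
        sed -i.bak 's/^\([[:space:]]*keyserver\)/#\1/' "$conf"
    fi
    echo "$n"
}

# Print "ok" and return 0 if the key file exists, is non-empty and is below
# MAX_KEY_BYTES; otherwise print the reason and return 1. A flooded key is
# megabytes of signatures, so the size alone already catches it.
check_key_file() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "missing"; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -gt 0 ] || { echo "empty"; return 1; }
    [ "$size" -lt "$MAX_KEY_BYTES" ] || { echo "too large: $size bytes"; return 1; }
    echo ok
}

# Copy a key into the apt trusted directory only if check_key_file accepts it.
# The destination is a parameter so the function can be exercised on a scratch
# directory; for a real install pass /etc/apt/trusted.gpg.d (as root).
install_repo_key() {
    keyfile="$1"; dest_dir="$2"
    reason=$(check_key_file "$keyfile") || { echo "refused $keyfile: $reason" >&2; return 1; }
    cp "$keyfile" "$dest_dir/" && chmod 0644 "$dest_dir/$(basename "$keyfile")"
}

# Step 1 of the post applied to the real user config. Not called by the demo.
harden_user_gpg() {
    disable_keyserver_lines "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf" >/dev/null
    gpgconf --kill dirmngr || echo "could not stop dirmngr" >&2
}

# --- demo on constructed scratch files (hostnames are made up) ---
tmp=$(mktemp -d)
printf 'keyserver hkps://keys.example.org\n# keyserver hkp://old.example.org\nno-emit-version\n' > "$tmp/gpg.conf"
echo "disabled $(disable_keyserver_lines "$tmp/gpg.conf") keyserver line(s) in scratch gpg.conf"
printf 'constructed placeholder, not a real key\n' > "$tmp/small.gpg"
head -c 2097152 /dev/zero > "$tmp/flooded.gpg"   # 2 MB stand-in for a poisoned key
mkdir "$tmp/trusted.gpg.d"
install_repo_key "$tmp/small.gpg" "$tmp/trusted.gpg.d" && echo "small.gpg installed"
install_repo_key "$tmp/flooded.gpg" "$tmp/trusted.gpg.d" || echo "flooded.gpg rejected"
rm -rf "$tmp"
```

To apply step 1 to your own account, source the script and call harden_user_gpg; the demo itself never edits ~/.gnupg or /etc/apt. A rejected key leaves nothing behind in the destination directory, which is the property the post is after: a poisoned key is a file whose size you can see and which you can simply delete.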

We have updated our system package solydxk-system (version 3.3.9) to reflect these changes for newly created users.