Multiple OpenPGP keys in a single email attachment should be processed separately
Categories: MailNews Core :: Security: OpenPGP, defect
Tracking: thunderbird_esr91 affected, thunderbird101 fixed
People: Reporter: KaiE, Assigned: KaiE
When processing email attachments that contain OpenPGP keys, we obtain a list of the included keys (for each attachment separately), and individually decide which keys we want to auto-update.
However, if we decide to update, we import the full block of key data. This means, if there are additional keys, those will be imported, too.
This could be abused by a sender to automatically inject keys into the user's permanent key store.
Comment 2•3 years ago
Not sure whether TB already uses this feature, but the RNP API has the flag RNP_LOAD_SAVE_SINGLE for rnp_import_keys(), which would allow importing the first key with subkeys and return its fingerprint(s) and import status.
Comment 3•3 years ago
Nickolay, thanks for the info, it's good to know. I think it doesn't help in this scenario, because we want to load all keys and process all of them just separately. I can import, then extract individually.
Comment 4•3 years ago
(In reply to Kai Engert (:KaiE:) from comment #0)
> However, if we decide to update, we import the full block of key data. This means, if there are additional keys, those will be imported, too.
Luckily I was wrong, and we're safe.
We don't import the attached key block completely.
The import call filters by fingerprint, and will only import the one key we want.
Nevertheless, we still need the patch here, because for CollectedKeysDB we should only store the single key.
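The separate processing this bug asks for, sketched as an added example (not Thunderbird's or RNP's code and not part of the thread): splitting a binary, de-armored key block at each primary key packet per RFC 4880, so every key in one attachment can be checked on its own. The function names and the sample bytes are constructed for illustration.

```javascript
// Split a binary (de-armored) OpenPGP key block into one byte array per key (RFC 4880, 4.2).
function readPacket(buf, pos) {
  const first = buf[pos];
  if ((first & 0x80) === 0) throw new Error("not an OpenPGP packet at " + pos);
  let tag, hdr, len = 0;
  if (first & 0x40) {                         // new-format header
    tag = first & 0x3f;
    const o1 = buf[pos + 1];
    if (o1 < 192) { len = o1; hdr = 2; }
    else if (o1 < 224) { len = ((o1 - 192) << 8) + buf[pos + 2] + 192; hdr = 3; }
    else if (o1 === 255) {
      len = buf[pos + 2] * 2 ** 24 + (buf[pos + 3] << 16) + (buf[pos + 4] << 8) + buf[pos + 5];
      hdr = 6;
    } else throw new Error("partial body length is not valid for key packets");
  } else {                                    // old-format header
    tag = (first >> 2) & 0x0f;
    const lt = first & 0x03;
    if (lt === 3) throw new Error("indeterminate length is not valid for key packets");
    hdr = 1 + (1 << lt);                      // 1, 2 or 4 length octets
    for (let i = 1; i < hdr; i++) len = len * 256 + buf[pos + i];
  }
  const end = pos + hdr + len;
  if (!(end <= buf.length)) throw new Error("truncated packet at " + pos); // also catches NaN
  return { tag, end };
}

function splitKeyBlock(buf) {
  const keys = [];
  let start = -1;                             // offset of the current primary key
  for (let pos = 0; pos < buf.length; ) {
    const { tag, end } = readPacket(buf, pos);
    if (tag === 6 || tag === 5) {             // Public-Key or Secret-Key starts a new key
      if (start >= 0) keys.push(buf.subarray(start, pos));
      start = pos;
    } else if (start < 0) {
      throw new Error("packet precedes the first primary key");
    }
    pos = end;
  }
  if (start >= 0) keys.push(buf.subarray(start));
  return keys;
}

// Constructed sample: two keys in one block; packet bodies are filler bytes.
const sampleBlock = Uint8Array.from([
  0x98, 0x02, 0x04, 0xaa,  0xcd, 0x01, 0x41,   // key 1: Public-Key (old fmt), User ID
  0xc6, 0x02, 0x04, 0xbb,  0xb4, 0x01, 0x42,   // key 2: Public-Key (new fmt), User ID
  0xb9, 0x00, 0x01, 0x04,                      // key 2: Public-Subkey, 2-octet length
]);
```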
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/e1dba725238f
Process arriving OpenPGP keys separately. r=mkmelin
Comment 6•3 years ago
Comment on attachment 9275150 [details]
Bug 1767942 - Process arriving OpenPGP keys separately. r=mkmelin
I'd like to have beta testing of this code.
Comment 7•3 years ago
Comment on attachment 9275150 [details]
Bug 1767942 - Process arriving OpenPGP keys separately. r=mkmelin
[Triage Comment]
Approved for beta
Comment 8•3 years ago
bugherder uplift
Thunderbird 101.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/b5e5a80eabae