Package: gnupg2
Version: 2.1.11-7
Severity: normal
Tags: security

GnuPG2 defaults to returning short key IDs when listing keys. Short key IDs are quite vulnerable to collisions, and their use should be strongly discouraged.

I wrote the following with a progression of attacks; this has all been well known for years.

http://gwolf.org/node/4070

So, in short: Please add "keyid-format 0xlong" to /usr/share/gnupg2/gpg-conf.skel

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg2 depends on:
ii  dpkg           1.18.7
ii  gnupg-agent    2.1.11-7
ii  install-info   6.1.0.dfsg.1-8
ii  libassuan0     2.4.2-3
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.22-10
ii  libgcrypt20    1.7.0-2
ii  libgpg-error0  1.22-2
ii  libksba8       1.3.4-3
ii  libreadline6   6.3-8+b4
ii  libsqlite3-0   3.13.0-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

Versions of packages gnupg2 recommends:
ii  dirmngr  2.1.11-7

Versions of packages gnupg2 suggests:
pn  gnupg-doc    <none>
ii  parcimonie   0.10.1-1
pn  xloadimage   <none>

-- no debconf information
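An added example, not part of the original report: a keyring audit that reads `gpg --with-colons` output and reports primary keys that become indistinguishable when referred to by short (8 hex digit) key ID, while the long (16 hex digit) ID the report asks for still separates them. The listing, fingerprints and user IDs are constructed sample data, and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample in the format of `gpg --with-colons --fingerprint --list-keys`.
# All fingerprints and user IDs are made up; the first two primary keys
# deliberately share their last 8 hex digits.
SAMPLE_LISTING = """\
pub:u:4096:1:11112222DEADBEEF:1400000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456711112222DEADBEEF:
uid:u::::1400000000::::Alice Example <alice@example.org>:
sub:u:4096:1:AAAABBBBCCCCDDDD:1400000000::::::e:
fpr:::::::::555555555555555555555555AAAABBBBCCCCDDDD:
pub:-:4096:1:33334444DEADBEEF:1450000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9833334444DEADBEEF:
uid:-::::1450000000::::Alice Example <alice@example.org>:
pub:f:2048:1:CCDDEEFF01234567:1300000000:::f:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:f::::1300000000::::Bob Example <bob@example.org>:
"""

def primary_fingerprints(listing):
    """Return {fingerprint: first user ID} for each primary key in the listing."""
    keys, current, after_pub = {}, None, False
    for line in listing.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            after_pub, current = True, None
        elif record == "sub":
            after_pub = False          # the next fpr record belongs to a subkey
        elif record == "fpr" and after_pub and len(fields) > 9:
            current = fields[9].upper()  # field 10 carries the fingerprint
            keys[current] = ""
            after_pub = False
        elif record == "uid" and current and not keys[current] and len(fields) > 9:
            keys[current] = fields[9]    # field 10 carries the user ID
    return keys

def colliding_ids(listing, hex_digits=8):
    """Group primary keys by the last `hex_digits` of the fingerprint
    (8 = short key ID, 16 = long key ID); return only the ambiguous IDs."""
    groups = defaultdict(list)
    for fpr in primary_fingerprints(listing):
        groups[fpr[-hex_digits:]].append(fpr)
    return {kid: sorted(fprs) for kid, fprs in groups.items() if len(fprs) > 1}

if __name__ == "__main__":
    names = primary_fingerprints(SAMPLE_LISTING)
    for kid, fprs in colliding_ids(SAMPLE_LISTING, 8).items():
        print(f"short key ID 0x{kid} is ambiguous:")
        for fpr in fprs:
            print(f"  0x{fpr[-16:]}  {fpr}  {names[fpr]}")
```

To audit a real keyring, pass the output of `gpg --with-colons --fingerprint --list-keys` to `colliding_ids` in place of the sample.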