gnupg: Update to 2.2.17, with security fixes
- gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [#4607]
- gpg: If an imported keyblock is too large to be stored in the keybox (pubring.kbx) do not error out but fall back to an import using the options "self-sigs-only,import-clean". [#4591]
- gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate.
- gpg: New import option "self-sigs-only".
- gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]
- dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [#4590]
- dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. [#4603]
- dirmngr: Fix endless loop due to HTTP errors 503 and 504. [#4600]
- dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]
- gpgconf: Fix a race condition when killing components. [#4577]
Release-info: https://dev.gnupg.org/T4606
MFH: 2019Q3