[pkg-gnupg-maint] What do we do about GnuPG 1.4 in debian?
Russ Allbery
rra at debian.org
Sat Apr 30 02:04:18 BST 2022
Paul Wise <pabs at debian.org> writes:
> On Fri, 2022-04-29 at 17:04 -0700, Russ Allbery wrote:
>> Yes, verifying signatures using obsolete keys or obsolete algorithms
>> which are no longer supported in GnuPG 2.
> and nothing other than GnuPG 1 supports these keys?
I'm personally not aware of anything other than the even more obsolete
commercial PGP implementations, but maybe the package maintainers know
more.
> It seems like it would be a good idea for GnuPG 2 or other OpenPGP
> implementation to at least have an option to re-enable them
> temporarily.
It would be nice, but my understanding is that this was a deliberate
simplification by the GnuPG maintainers, which is why their official
position has been that people who need such support should use GnuPG 1.
I think the change that broke most of the keys was made in GnuPG 2.1.0:
* gpg: All support for v3 (PGP 2) keys has been dropped. All
signatures are now created as v4 signatures. v3 keys will be
removed from the keyring.
There are a few other problems that old keys or old signatures could have
other than this one, but I think this is the most significant one.
--
Russ Allbery (rra at debian.org) <https://www.eyrie.org/~eagle/>
More information about the pkg-gnupg-maint
mailing list