[pkg-gnupg-maint] gnupg2-revert-rfc4880bis.patch

Guillem Jover guillem at debian.org
Fri Apr 26 09:39:57 BST 2024


Hi!

[ Replying from a mail reconstructed from the web archive, so things
  might go wrong. :) ]

On Sun, 2024-03-31 at 14:15:10 +0200, Andreas Metzler wrote:
> On 2024-03-29 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> > Seems like you're asking about v5 signatures here, but you're saying
> > that the proposed versions don't currently emit them by default.
> > that's a good report to have!
> 
> FWIW I ran through most of the compliance options of GnuPG 2.4.5
> (--gnupg --openpgp --rfc4880 --rfc4880bis --rfc2440) when generating a
> detached signature with a gnupg 2.4.4 RSA key; the SHA1-using variants
> (--openpgp --rfc2440 --rfc4880) failed to verify with sqop, the others
> worked.

FWIW, I modified the GnuPG backend in dpkg to force the --openpgp
mode, precisely to avoid interop issues, and then had to also pass
«--personal-digest-preferences SHA512 SHA384 SHA256 SHA224» as a
workaround for the weak defaults. I should request that debsign do
the same.

So I guess another option could be to change those defaults in the
Debian packages for GnuPG.

(Ref: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm#n302 )

Thanks,
Guillem
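The following is an added example and is not code from dpkg, debsign or GnuPG. It shows the signing invocation the post describes (--openpgp plus an explicit SHA-2 digest preference list) and, more usefully for checking the interop problem Andreas reported, a small parser over `gpg --list-packets` output that reports which digest a detached signature actually used, so a SHA-1 signature is caught before it reaches a verifier like sqop. The hash-algorithm IDs come from RFC 4880 section 9.4; the `sign_*` functions assume a usable default secret key in the keyring, and the list-packets sample embedded at the end is constructed (key ID and digest bytes are made up) so the parser can be exercised without gpg or a keyring.

```shell
#!/bin/sh
# Added example (not dpkg's, debsign's or GnuPG's own code).

# Map an OpenPGP hash-algorithm ID (RFC 4880 section 9.4) to its name.
digest_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin and print the digest name of
# the first signature packet found; returns 1 if no signature is present.
# Real gpg output indents with a tab; [[:space:]] accepts tabs or spaces.
digest_of_packets() {
    id=$(sed -n 's/^[[:space:]]*digest algo \([0-9]*\),.*/\1/p' | head -n 1)
    [ -n "$id" ] || { echo NONE; return 1; }
    digest_name "$id"
}

# Succeed only when the digest is one of the SHA-2 family.
digest_is_strong() {
    case "$1" in
        SHA224|SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Produce a detached signature the way the post describes: --openpgp
# compliance mode plus an explicit SHA-2 digest preference list.
# $1 = file to sign, $2 = output .asc; assumes a usable default key.
sign_detached() {
    gpg --batch --openpgp \
        --personal-digest-preferences "SHA512 SHA384 SHA256 SHA224" \
        --armor --detach-sign --output "$2" "$1"
}

# Sign $1 and fail if the resulting signature did not use a SHA-2 digest.
sign_and_check_digest() {
    sign_detached "$1" "$1.asc" || return 1
    algo=$(gpg --list-packets "$1.asc" | digest_of_packets)
    echo "signature digest: $algo"
    digest_is_strong "$algo"
}

# Constructed sample of `gpg --list-packets` output for a v4 RSA signature
# made with SHA-512 (digest algo 10); key ID and digest bytes are made up.
SAMPLE_SHA512='# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1711800000, md5len 0, sigclass 0x00
    digest algo 10, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2024-03-30)
    data: [4095 bits]'

# Same packet dump, but as gpg would report a SHA-1 signature (algo 2).
SAMPLE_SHA1=$(printf '%s\n' "$SAMPLE_SHA512" | sed 's/digest algo 10/digest algo 2/')

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHA512" | digest_of_packets   # SHA512
    printf '%s\n' "$SAMPLE_SHA1" | digest_of_packets     # SHA1
fi
```

Run `sh example.sh --demo` to see the parser on the two constructed dumps, or call `sign_and_check_digest somefile` from a shell that has sourced the script to sign with the interoperable settings and refuse a SHA-1 result. The parser only needs the `digest algo N,` line, so it works the same on signatures produced under any of the compliance modes listed in the thread.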