[pkg-gnupg-maint] Bug#834399: Bug#834399: gnupg: gnupg2-bases gpg breaks Gajim
Thorsten Glaser
tg at mirbsd.de
Tue Aug 16 09:31:35 UTC 2016
Werner Koch dixit:
>Since the release of 2.1 the only valid use case for 1.4 are some
>non-POSIX systems (VMS), very old Unix systems, and for those users who
>still need to use their old (insecure) PGP-2 keys.
… and scripts, for example, we have a key generation script (wrapper
around --gen-key with certain options, which automatically fills in
stuff from LDAP) at work. Oh and some remote operations on servers.
[ on to version 2 ]
>Assuming that you are not using systemd, I would strongly suggest not to
>start gpg-agent by hand but let gpg et al start it on demand. The only
No, that’s **extremely** undesirable.
The “current” way is: when I log in, Debian’s X session magic starts
gpg-agent automatically. For some tools that need it, I also put…
GPG_AGENT_INFO=~/.gnupg/S.gpg-agent:0:1
… into the environment. That’s my :0 session.
Then I have a :2 session which is a VNC server. It’s started manually
from an xterm in the :0 session, so it inherits the agents.
I also have a script in /etc/profile.d/ which picks up both agents
when I log into the box via SSH.
gpg-agent is configured to use pinentry-kwallet, which reads the PGP
password from the KDE wallet.
This means I only have to login once after I boot up the machine,
and can then use the same agents no matter how I later log in (either
unlock the screen, jump onto the box via ssh, or use vncviewer).
This is important to have a non-sucking workflow. (It took me some,
long, time until gpg2 and pinentry stopped asking on the wrong
either terminal or X display, which basically made remote signing
unusable when I had not yet solved it with my current solution.)
Funnily enough, this all works well with gnupg. I only need gpg2
for S/MIME in Kontact/KDEPIM.
Also, compare (especially the warnings!):
tglase at tglase:~ $ gpg2 -K
gpg: keyserver option 'verbose' is unknown
gpg: keyserver option 'verbose' is unknown
gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)
/home/tglase/.gnupg/pubring.gpg
-------------------------------
sec rsa4096 2009-01-05 [SCEA] [expires: 2018-01-13]
BCB19DAB35033640AE347A718950C1895EB8D3B3
uid [ultimate] Thorsten Glaser (tarent GmbH) <…>
uid [ultimate] Thorsten Glaser (Jabber) <…>
uid [ultimate] Thorsten Glaser (tarent GmbH) <…>
… versus…
tglase at tglase:~ $ gpg -K
/home/tglase/.gnupg/secring.gpg
-------------------------------
sec 3072R/272AD62F 2009-10-21 [expires: 2016-09-29]
uid Thorsten Glaser (tarent GmbH • Nur zu Testzwecken) <…>
uid testname (d) <…>
uid SiMKo 2 <…>
sec 2048R/EB839C67 2009-10-23
uid Thorsten Glaser (Testkey • tarent GmbH) <…>
sec 1024R/D1D8EFD2 2014-08-18
uid Test for Mozilla bug#1054187
sec 3072R/BD26DDA7 2015-06-11
uid TestMIT Glaser (tarent solutions GmbH) <…>
sec 4096R/5EB8D3B3 2009-01-05 [expires: 2013-01-04]
uid Thorsten Glaser (tarent GmbH) <…>
bye,
//mirabilos (extremely-long-time pgp2.6.3in user)
--
18:47⎜<mirabilos:#!/bin/mksh> well channels… you see, I see everything in the
same window anyway 18:48⎜<xpt:#!/bin/mksh> i know, you have some kind of
telnet with automatic pong 18:48⎜<mirabilos:#!/bin/mksh> haha, yes :D
18:49⎜<mirabilos:#!/bin/mksh> though that's more tinyirc – sirc is more comfy
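The /etc/profile.d pick-up step described in the post, as an added example that is not the author's script: a POSIX sh helper that adopts an already-running gpg-agent for an SSH login only after checking that the path is a unix socket owned by the current user and not writable by group or others. The socket path and the GPG_AGENT_INFO "socket:pid:protocol" form come from the post; the function names are assumptions, and note that gnupg 2.1 and later ignore GPG_AGENT_INFO and find the agent via the standard socket path on their own.

```shell
#!/bin/sh
# Added example (not the author's profile.d script): adopt an existing
# gpg-agent socket for a new login, but only one that is really ours.

# agent_socket_ok PATH -> 0 if PATH is a unix socket owned by the caller
# and not writable by group or others; 1 otherwise.
agent_socket_ok() {
    sock=$1
    [ -S "$sock" ] || return 1
    # POSIX find prints the path only if it passes owner and mode checks.
    [ -n "$(find "$sock" -prune -user "$(id -un)" \
            ! -perm -g=w ! -perm -o=w -print 2>/dev/null)" ]
}

# gpg_agent_info PATH -> prints the GPG_AGENT_INFO value in the
# "socket:pid:protocol" form from the post (pid 0 = unknown, protocol 1).
gpg_agent_info() {
    printf '%s:0:1\n' "$1"
}

# pickup_gpg_agent [HOME_DIR] -> exports GPG_AGENT_INFO when the standard
# socket under HOME_DIR/.gnupg passes the checks; returns 1 and exports
# nothing otherwise, so a fresh login simply falls back to gpg's default.
pickup_gpg_agent() {
    home=${1:-$HOME}
    sock="$home/.gnupg/S.gpg-agent"
    if agent_socket_ok "$sock"; then
        GPG_AGENT_INFO=$(gpg_agent_info "$sock")
        export GPG_AGENT_INFO
        return 0
    fi
    return 1
}
```

Sourcing this from a login shell (rather than executing it) is what makes the exported variable reach the session.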