[pkg-gnupg-maint] What do we do about GnuPG 1.4 in debian?

Russ Allbery rra at debian.org
Sat Apr 30 02:04:18 BST 2022

Paul Wise <pabs at debian.org> writes:
> On Fri, 2022-04-29 at 17:04 -0700, Russ Allbery wrote:

>> Yes, verifying signatures using obsolete keys or obsolete algorithms
>> which are no longer supported in GnuPG 2.

> and nothing other than GnuPG 1 supports these keys?

I'm personally not aware of anything other than the even more obsolete
commercial PGP implementations, but maybe the package maintainers know

> It seems like it would be a good idea for GnuPG 2 or other OpenPGP
> implementation to at least have an option to re-enable them
> temporarily.

It would be nice, but my understanding is that this was a deliberate
simplification by the GnuPG maintainers, which is why their official
position has been that people who need such support should use GnuPG 1.
I think the change that broke most of the keys was made in GnuPG 2.1.0:

 * gpg: All support for v3 (PGP 2) keys has been dropped.  All
   signatures are now created as v4 signatures.  v3 keys will be
   removed from the keyring.

There are a few other problems that old keys or old signatures could have
other than this one, but I think this is the most significant one.

Russ Allbery (rra at debian.org)              <https://www.eyrie.org/~eagle/>
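
An added example, not part of the message above and not GnuPG code: one way to find the v3 (PGP 2) key packets that the quoted 2.1.0 changelog entry refers to, by reading the version octet of each key packet in binary (non-armored) OpenPGP data using the RFC 4880 packet framing. The function names and the sample bytes are constructed for illustration.

```python
# Key packet tags; each body starts with a one-octet version number.
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
# Constructed sample: v3 public key, user ID, v4 public key (bodies are dummy bytes).
SAMPLE = b"\x98\x03\x03\x00\x00" + b"\xb4\x01a" + b"\xc6\x02\x04\x00"


def iter_packets(data):
    """Yield (tag, body) for each packet in binary OpenPGP data."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet (armored input?)")
        if hdr & 0x40:  # new-format header: 6-bit tag, variable-length length
            tag, first, pos = hdr & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of data
                length = len(data) - pos
            else:
                n = 1 << ltype  # 1, 2 or 4 length octets
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length


def find_v3_keys(data):
    """Return [(kind, version)] for key packets whose version is 2 or 3."""
    try:
        return [(KEY_TAGS[t], b[0]) for t, b in iter_packets(data)
                if t in KEY_TAGS and b[:1] in (b"\x02", b"\x03")]
    except IndexError:
        raise ValueError("truncated packet header") from None


if __name__ == "__main__":
    print(find_v3_keys(SAMPLE))
```

Version 2 is reported along with version 3 because RFC 4880 gives both the same key format.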

