Changes to “gpg”

After updating my Tumbleweed system last week, I noticed that something had changed with “gpg”.  Or, more explicitly, “gpg” was not working at all.  This was immediately noticeable, because I had configured “kdewallet” to use “gpg” for encryption.

Okay, that’s a bug.  It will presumably be fixed before opensuse 13.3 is released.  For now, I had to find out what was up and how to work around the problem.

What changed?

The specific Tumbleweed change was an update of gpg from version 2.1.0 to 2.1.1.  The major change was already there in 2.1.0, but I had not noticed it because everything that I was doing still worked.  The 2.1.1 update broke that.

The specific change was to remove support for old pgp2 keys.  These are the type of key introduced with pgp2 in the early 1990s.  They use RSA  (for the public key encryption) and the md5 digest algorithm for hashing.  These days, the md5 hash is considered too weak.

I’m not sure what they changed or why for gpg 2.1.1, but it was surely a mistake.  That release refused to read my keyring, because it contained some older pgp2 keys.  This is reported as bug 914625.

The workaround

I managed to get a working gpg with

mv .gnupg .gnupg.old  ## rename keyring directory
gpg --import .gnupg.old/pubring.gpg
gpg --import .gnupg.old/secring.gpg

That gave me a keyring that I could at least use.  I now had to reset the trust of my keys.  With that change, I could now open kdewallet once again.

The impact

I’m not sure that I like this change.  While I was not actively using any pgp2 keys, my web of trust did depend on some of those older keys and on signatures made with those keys.

Fortunately, I can still access the old keys on my opensuse 13.2 system.  So I will probably have to spend some time reviewing my web of trust, and perhaps signing some keys to validate them, where they were previously validated by signatures from trusted pgp2 keys.

Other changes

While reviewing my web of trust, I have noticed that the options “–export-local-sigs” and “–import-local-sigs” are no longer supported.  Fortunately, local-sigs were imported without that option, when I used the workaround that I described above.

I see that the gpg developers are recommending that people use “gpg1.4” if they need to access older pgp2 keys.  Unfortunately, “opensuse” does not provide “gpg-1.4”, though Mint (and probably Ubuntu) does.  So maybe I’ll need to keep a copy of Mint around for a while.  I have made a feature request (at the OpenFATE site) for providing gpg-1.4, but that probably won’t go anywhere.


Tags: , ,

About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: