Changes to “gpg”
After updating my Tumbleweed system last week, I noticed that something had changed with “gpg”. Or, more explicitly, “gpg” was not working at all. This was immediately noticeable, because I had configured “kdewallet” to use “gpg” for encryption.
Okay, that’s a bug. It will presumably be fixed before opensuse 13.3 is released. For now, I had to find out what was up and how to work around the problem.
The specific Tumbleweed change was an update of gpg from version 2.1.0 to 2.1.1. The major change was already there in 2.1.0, but I had not noticed it because everything that I was doing still worked. The 2.1.1 update broke that.
The specific change was to remove support for old pgp2 keys. These are the type of key introduced with pgp2 in the early 1990s. They use RSA (for the public key encryption) and the md5 digest algorithm for hashing. These days, the md5 hash is considered too weak.
I’m not sure what they changed or why for gpg 2.1.1, but it was surely a mistake. That release refused to read my keyring, because it contained some older pgp2 keys. This is reported as bug 914625.
I managed to get a working gpg with:

    mv .gnupg .gnupg.old    ## rename keyring directory
    gpg --import .gnupg.old/pubring.gpg
    gpg --import .gnupg.old/secring.gpg
That gave me a keyring that I could at least use. I now had to reset the trust of my keys. With that change, I could now open kdewallet once again.
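The same workaround as a small shell function, added here as an example and not part of the original post. It goes a step beyond the three commands above: it refuses to run if the old directory has no pubring.gpg or if the target directory already exists, it tries to save the ownertrust from the old trust database first so the trust settings can be restored instead of re-entered by hand, and it imports into a fresh home directory named by the caller. The function name, its arguments and the GPG variable are this example's own; the gpg options used (--homedir, --import, --export-ownertrust, --import-ownertrust) are standard GnuPG 2.1 options.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a GnuPG home directory
# by importing the old pubring/secring into a fresh one and restoring
# ownertrust. GPG can be overridden to point at a different gpg binary.

GPG="${GPG:-gpg}"

# migrate_gnupg_keyring OLD NEW
#   OLD: the directory you moved the broken ~/.gnupg to (must hold pubring.gpg)
#   NEW: the home directory to create and import into (must not exist yet)
migrate_gnupg_keyring() {
    old="$1"
    new="$2"

    # Preconditions: something to import, and nothing to clobber.
    [ -f "$old/pubring.gpg" ] || { echo "no pubring.gpg in $old" >&2; return 1; }
    [ ! -e "$new" ] || { echo "$new already exists, refusing to overwrite" >&2; return 1; }

    # Save the ownertrust before touching anything. If this gpg cannot open
    # the old keyring at all, the export may fail; in that case trust has to
    # be set again by hand later, so the failure is tolerated here.
    if [ -f "$old/trustdb.gpg" ]; then
        "$GPG" --homedir "$old" --export-ownertrust > "$old/ownertrust.txt" 2>/dev/null || true
    fi

    # Fresh home directory with the permissions gpg expects.
    mkdir -p "$new" && chmod 700 "$new"

    # Public keys first (local signatures come along with them), then secret keys.
    "$GPG" --homedir "$new" --import "$old/pubring.gpg"
    if [ -f "$old/secring.gpg" ]; then
        "$GPG" --homedir "$new" --import "$old/secring.gpg"
    fi

    # Restore ownertrust if the export above produced anything.
    if [ -s "$old/ownertrust.txt" ]; then
        "$GPG" --homedir "$new" --import-ownertrust "$old/ownertrust.txt"
    fi
}
```

To reproduce the sequence from the post, move the directory aside and then import back into the default location: `mv ~/.gnupg ~/.gnupg.old && migrate_gnupg_keyring ~/.gnupg.old ~/.gnupg`. If the ownertrust export was skipped or failed, the trust values still have to be set again with `gpg --edit-key`, as the post describes.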
I’m not sure that I like this change. While I was not actively using any pgp2 keys, my web of trust did depend on some of those older keys and on signatures made with those keys.
Fortunately, I can still access the old keys on my opensuse 13.2 system. So I will probably have to spend some time reviewing my web of trust, and perhaps signing some keys to validate them, where they were previously validated by signatures from trusted pgp2 keys.
While reviewing my web of trust, I have noticed that the options “--export-local-sigs” and “--import-local-sigs” are no longer supported. Fortunately, local-sigs were imported without that option, when I used the workaround that I described above.
I see that the gpg developers are recommending that people use “gpg1.4” if they need to access older pgp2 keys. Unfortunately, “opensuse” does not provide “gpg-1.4”, though Mint (and probably Ubuntu) does. So maybe I’ll need to keep a copy of Mint around for a while. I have made a feature request (at the OpenFATE site) for providing gpg-1.4, but that probably won’t go anywhere.