#1 2012-03-28 08:10:50

alphazo
Member
Registered: 2009-10-20
Posts: 163

Why has GnuPG 1.4 been removed from Core?

I have seen an email on the GnuPG mailing list a few days ago regarding the state of GnuPG 1.4 vs 2.x. I'm shocked to see that today GnuPG 1.4 has been simply removed from Core.
Here is the original answer from the main GnuPG maintainer in the mailing list:

We maintain two stable branches:  1.4. and 2.0.  If you ask which one you should use, the answer depends on the environment:

1. For unattended servers, 1.4 is the easiest solution.  In general you will only encrypt or verify signatures on such boxes.  Thus there is no need for a passphrase.

2. For old Unix systems with 2.x build problems, you may resort to 1.4.

3. For all desktop systems, 2.0 is the suggested version.  New development is only done on 2.0.  The standard installer for Windows uses 2.x.  All new ports are even using 2.1.  In case you really really don't want the Pinentry, 2.1 will eventually offer you a way to use the passphrase in the same way as done in 1.4.

I don't understand that move as both versions are considered stable and maintained and more importantly can live together. GnuPG2 has many more dependencies than 1.4. Furthermore in server-like installations you really don't want to deal with GnuPG2 agent and so on, you want a standalone tool that works out of the box.

Can someone explain the motivation behind that move?  Can we put it back?

PS: I also noticed that the new GnuPG package creates a symbolic link so /usr/bin/gpg points to gpg2. Again that is misleading considering they do not necessarily share the same commands.

Thanks

Last edited by alphazo (2012-03-28 08:15:31)

Offline

#2 2012-03-28 08:21:23

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Why has GnuPG 1.4 been removed from Core?

http://mailman.archlinux.org/pipermail/ … 22690.html should explain everything. That mailing list is the proper place to 'see' developer announcements.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#3 2012-03-28 09:05:38

alphazo
Member
Registered: 2009-10-20
Posts: 163

Re: Why has GnuPG 1.4 been removed from Core?

Just to give you an example I did a quick test by just replacing the path to the gnupg executable in Enigmail (GnuPG plugin for Firefox) to point to gpg2. While I'm able to sign my outgoing messages with GnuPG2, all the incoming messages no longer show the special "Signed" icon on a message that has been digitally signed. You are going to tell me that is an Enigmail bug. Probably, but on the other hand this transition seems not to have been tested properly considering all possible use cases for GnuPG 1.4 (headless, scripts, different versions of OpenPGP cards, gnupg-agent mess with gnome-keyring taking over default gpg-agent, upcoming new key storage location and so on).

[EDIT] The "Signed" icon came back after restarting Thunderbird.

Last edited by alphazo (2012-03-28 09:24:52)

Offline

#4 2012-03-28 17:10:18

vesath
Developer
Registered: 2009-04-14
Posts: 18
Website

Re: Why has GnuPG 1.4 been removed from Core?

alphazo wrote:

Can someone explain the motivation behind that move?

GnuPG-2 provides all the features of GnuPG-1 and more, and is the most recent stable upstream release.

alphazo wrote:

Can we put it back?

I see no need for GnuPG-1 in our repos, but don't let this prevent you from maintaining it in the AUR.

alphazo wrote:

this transition seems not to have been tested properly considering all possible use cases

It has been tested properly considering all possible use cases that people who run [testing] care for; feel free to join the club. Besides, any incompatibility issue should be reported and fixed (either upstream or in our package); holding on to GnuPG-1 by fear of bugs is unreasonable.

Offline

#5 2012-03-28 20:20:46

DeathDoom
Member
Registered: 2011-12-12
Posts: 4

Re: Why has GnuPG 1.4 been removed from Core?

holding on to GnuPG-1 by fear of bugs is unreasonable.

GPG2 doesn't accept the --no-use-agent switch and because of that Psi+ for instance asks for a passphrase for each incoming message, which is very annoying as you may consider.

There are two solutions for this: use keys without a passphrase (didn't try that though) and revert to gpg 1.4. Well, actually there is a third option - modify the Psi+ source, but I choose to just put gpg1 back for now :) Anyway, imho deleting gpg1 is a bit early.

Offline

#6 2012-03-28 21:12:32

alphazo
Member
Registered: 2009-10-20
Posts: 163

Re: Why has GnuPG 1.4 been removed from Core?

Thanks DeathDoom for pointing out one of the side effects. Today I found out another one. When gpg 1.4 is available, Thunderbird is able to cache the PIN code for my OpenPGP card so I don't have to enter that PIN code every time I sign an email. When only having gpg2, the PIN code has to go through gnome-keyring which doesn't support caching the PIN code for the OpenPGP card, therefore I need to enter it every time and even more strangely I need to enter it twice the first time I use Enigmail+Thunderbird.

Offline

#7 2012-03-28 23:33:58

vesath
Developer
Registered: 2009-04-14
Posts: 18
Website

Re: Why has GnuPG 1.4 been removed from Core?

DeathDoom: The point of using gpg-agent is explicitly to avoid having to type your passphrase in multiple times. I'm not exactly sure how you/Psi+ configured it to get the opposite effect.

alphazo: So you are actually complaining about gnome-keyring, aren't you?

Offline

#8 2012-03-29 00:11:57

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: Why has GnuPG 1.4 been removed from Core?

I've uploaded gpg1 to the AUR due to issues with pinentry-curses.
More info here: https://bbs.archlinux.org/viewtopic.php … 7#p1079227


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#9 2012-03-29 07:16:15

alphazo
Member
Registered: 2009-10-20
Posts: 163

Re: Why has GnuPG 1.4 been removed from Core?

vesath wrote:

alphazo: So you are actually complaining about gnome-keyring, aren't you?

Enigmail is able to cache the PIN code for my OpenPGP card while gnome-keyring doesn't support it. I tried in the past to get rid of gnome-keyring and use gpg-agent instead but I had other issues too.

Offline

#10 2012-03-29 10:40:11

DeathDoom
Member
Registered: 2011-12-12
Posts: 4

Re: Why has GnuPG 1.4 been removed from Core?

vesath wrote:

DeathDoom: The point of using gpg-agent is explicitly to avoid having to type your passphrase in multiple times. I'm not exactly sure how you/Psi+ configured it to get the opposite effect.

Maybe Psi+ has its own caching functions, but it is a well-known behavior for such programs with gpg2, even for windoze Miranda as I remember

http://forum.psi-plus.com/viewtopic.php?f=10&t=72
default-cache-ttl 10800 doesn't work though

Offline

#11 2012-03-30 14:59:38

olaf.the.lost.viking
Member
Registered: 2011-07-19
Posts: 21

Re: Why has GnuPG 1.4 been removed from Core?

Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg encrypted keyfile for my root-Partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.


I switched to OlafLostViking to match the IRC alias.

Offline

#12 2012-03-31 12:08:21

alphazo
Member
Registered: 2009-10-20
Posts: 163

Re: Why has GnuPG 1.4 been removed from Core?

Funny to see all those bad experiences for a move that has been "tested properly" (according to an earlier post). I'm not even mentioning the incompatibility with pacman that now uses signed packages. When you install Arch using the latest ISO and upgrade the system then you are stuck with gnupg2 not being able to automatically import some keys. Pretty bad out of the box experience.

Offline

#13 2012-04-01 05:25:04

DeathDoom
Member
Registered: 2011-12-12
Posts: 4

Re: Why has GnuPG 1.4 been removed from Core?

olaf.the.lost.viking wrote:

Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg encrypted keyfile for my root-Partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.

I'm very glad to see this post before I reboot :D
Thanks!

Offline

#14 2012-04-01 09:53:56

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Why has GnuPG 1.4 been removed from Core?

alphazo wrote:

Funny to see all those bad experiences for a move that has been "tested properly" (according to an earlier post). I'm not even mentioning the incompatibility with pacman that now uses signed packages. When you install Arch using the latest ISO and upgrade the system then you are stuck with gnupg2 not being able to automatically import some keys. Pretty bad out of the box experience.

What that hints to me is that somehow no one using [testing] has the setups mentioned as problematic.



Offline

#15 2012-04-01 20:07:12

Fallback
Member
From: Austria
Registered: 2009-12-26
Posts: 25

Re: Why has GnuPG 1.4 been removed from Core?

DeathDoom wrote:
olaf.the.lost.viking wrote:

Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg encrypted keyfile for my root-Partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.

I'm very glad to see this post before I reboot :D
Thanks!


same situation here

I also use a setup with a gpg encrypted keyfile for luks

https://bbs.archlinux.org/viewtopic.php?id=129885&p=3

Last edited by Fallback (2012-04-01 20:07:38)

Offline

#16 2012-04-13 18:55:13

jakob
Member
From: Berlin
Registered: 2005-10-27
Posts: 419

Re: Why has GnuPG 1.4 been removed from Core?

alphazo wrote:

Enigmail is able to cache the PIN code for my OpenPGP card while gnome-keyring doesn't support it. I tried in the past to get rid of gnome-keyring and use gpg-agent instead but I had other issues too.

This may come a bit late, but have you set up gpg-agent already? With a short configuration (taking you 4 steps!) you will have even more convenience with gnupg2!

1. create /etc/profile.d/gpg-agent.sh with the following lines:

#!/bin/sh

envfile="${HOME}/.gnupg/gpg-agent.env"
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO  # the env file does not contain the export statement

(taken from gnupg-Archwiki page)

2. add the following lines in .(ba|z|whatever-shell-you-use)shrc:

GPG_TTY=$(tty)
export GPG_TTY

(as recommended by gpg-agent man)

3. create ~/.gnupg/gpg-agent.conf with the following lines: (saves the password for 6 hours!)

default-cache-ttl 216000
default-cache-ttl-ssh 216000

4. logout and login again.

If you now open your email programme, view a signed or encrypted email, (i.e. have to type in your password) and restart Thunderbird, the password is still cached, which wasn’t the case before!

Best, Jakob

Offline
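
Added example, not part of Jakob's post or of GnuPG: a small shell check of what the step 3 settings yield once gpg-agent's `max-cache-ttl` ceiling is applied. The function names and the sample file are constructed here; the fallback values are gpg-agent's documented defaults (600 s, 1800 s for SSH, 7200 s maximum).

```shell
#!/bin/sh
# Added example, not from the thread: effective passphrase cache lifetime
# for a given gpg-agent.conf.

# Constructed sample input: the two lines from step 3 of the post.
sample_conf() {
    printf '%s\n' 'default-cache-ttl 216000' 'default-cache-ttl-ssh 216000'
}

# get_opt FILE NAME FALLBACK: print the last numeric value set for NAME,
# or FALLBACK when the option is absent or commented out.
get_opt() {
    awk -v name="$2" -v fallback="$3" '
        $1 == name && $2 ~ /^[0-9]+$/ { val = $2 }
        END { print (val == "" ? fallback : val) }
    ' "$1"
}

# effective_ttl FILE [SUFFIX]: seconds until a cached entry expires.
# SUFFIX is "" for OpenPGP keys or "-ssh" for SSH keys.
effective_ttl() {
    suffix=${2:-}
    if [ "$suffix" = "-ssh" ]; then fallback=1800; else fallback=600; fi
    def=$(get_opt "$1" "default-cache-ttl$suffix" "$fallback")
    max=$(get_opt "$1" "max-cache-ttl$suffix" 7200)
    # default-cache-ttl restarts on every use, max-cache-ttl never does,
    # so the maximum is a hard ceiling on the configured value.
    if [ "$def" -gt "$max" ]; then echo "$max"; else echo "$def"; fi
}

# report FILE: print the effective lifetime for both key types.
report() {
    for suffix in "" "-ssh"; do
        eff=$(effective_ttl "$1" "$suffix")
        echo "default-cache-ttl$suffix: effective $eff s ($((eff / 3600)) h $((eff % 3600 / 60)) min)"
    done
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp) && sample_conf > "$tmp" && report "$tmp"
    rm -f "$tmp"
fi
```

Pass the path of a real gpg-agent.conf as the first argument to audit that file instead of the sample.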

#17 2012-04-15 05:52:54

Geoffroy
Member
From: Strasbourg, France
Registered: 2011-11-01
Posts: 7

Re: Why has GnuPG 1.4 been removed from Core?

Thanks Jakob, works fine for me!

I was able to use gpg directly but there was some kind of strange problem when I tried to sign a tag with git. The pinentry-curses didn't show up and I got some errors. After killing it, the whole terminal was unusable and I had to logout and login again.

That was quite annoying, so thank you for your solution.

Offline
