I have seen an email on the GnuPG mailing list few days ago regarding the state of GnuPG 1.4 vs 2.x. I'm shocked to see that today GnuPG 1.4 has been simply removed from Core.
Here is the original answer from the main GnuPG maintainer in the mailing list:
We maintain two stable branches: 1.4. and 2.0. If you ask which one you should use, the answer depends on the environment:
1. For unattended servers, 1.4 is the easiest solution. In general you will only encrypt or verify signatures on such boxes. Thus there is no need for a passphrase.
2. For old Unix systems with 2.x build problems, you may resort to 1.4.
3. For all desktop systems, 2.0 is the suggested version. New development is only done on 2.0. The standard installer for Windows uses 2.x. All new ports are even using 2.1. In case you really really don't want the Pinentry, 2.1 will eventually offer you a way to use the passphrase in the same way as done in 1.4.
I don't understand that move as both versions are considered stable and maintained and, more importantly, can live together. GnuPG2 has many more dependencies than 1.4. Furthermore, in server-like installations you really don't want to deal with the GnuPG2 agent and so on; you want a standalone tool that works out of the box.
Can someone explain the motivation behind that move? Can we put it back?
PS: I also noticed that the new GnuPG package creates a symbolic link so /usr/bin/gpg points to gpg2. Again that is misleading considering they not necessarily share the same commands.
Thanks
Last edited by alphazo (2012-03-28 08:15:31)
http://mailman.archlinux.org/pipermail/ … 22690.html should explain everything. That mailing list is the proper place to 'see' developer announcements.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Just to give you an example, I did a quick test by just replacing the path to the gnupg executable in Enigmail (GnuPG plugin for Firefox) to point to gpg2. While I'm able to sign my outgoing messages with GnuPG2, all the incoming messages no longer show the special "Signed" icon on a message that has been digitally signed. You are going to tell me that is an Enigmail bug. Probably, but on the other hand this transition seems not to have been tested properly considering all possible use cases for GnuPG 1.4 (headless, scripts, different versions of OpenPGP cards, gnupg-agent mess with gnome-keyring taking over the default gpg-agent, upcoming new key storage location and so on).
[EDIT] The "Signed" icon came back after restarting Thunderbird.
Last edited by alphazo (2012-03-28 09:24:52)
Can someone explain the motivation behind that move?
GnuPG-2 provides all the features of GnuPG-1 and more, and is the most recent stable upstream release.
Can we put it back?
I see no need for GnuPG-1 in our repos, but don't let this prevent you from maintaining it in the AUR.
this transition seems not to have been tested properly considering all possible use cases
It has been tested properly considering all possible use cases that people who run [testing] care for; feel free to join the club. Besides, any incompatibility issue should be reported and fixed (either upstream or in our package); holding on to GnuPG-1 by fear of bugs is unreasonable.
holding on to GnuPG-1 by fear of bugs is unreasonable.
GPG2 doesn't accept the --no-use-agent switch and because of that Psi+ for instance asks for a passphrase for each incoming message, which is very annoying as you may consider.
There are two solutions for this: use keys without a passphrase (didn't try that though) and revert to gpg 1.4. Well, actually there is a third option - modify the Psi+ source, but I chose to just put gpg1 back for now. Anyway, imho deleting gpg1 is a bit early.
Thanks DeathDoom for pointing out one of the side effects. Today I found out another one. When gpg 1.4 is available, Thunderbird is able to cache the PIN code for my OpenPGP card so I don't have to enter that PIN code every time I sign an email. When only having gpg2, the PIN code has to go through gnome-keyring, which doesn't support caching the PIN code for the OpenPGP card, therefore I need to enter it every time and, even more strangely, I need to enter it twice the first time I use Enigmail+Thunderbird.
DeathDoom: The point of using gpg-agent is explicitly to avoid having to type your passphrase in multiple times. I'm not exactly sure how you/Psi+ configured it to get the opposite effect.
alphazo: So you are actually complaining about gnome-keyring, aren't you?
I've uploaded gpg1 to the AUR due to issues with pinentry-curses.
More info here: https://bbs.archlinux.org/viewtopic.php … 7#p1079227
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
alphazo: So you are actually complaining about gnome-keyring, aren't you?
Enigmail is able to cache the PIN code for my OpenPGP card while gnome-keyring doesn't support it. I tried in the past to get rid of gnome-keyring and use gpg-agent instead but I had other issues too.
DeathDoom: The point of using gpg-agent is explicitly to avoid having to type your passphrase in multiple times. I'm not exactly sure how you/Psi+ configured it to get the opposite effect.
Maybe Psi+ has its own caching functions, but it is a well-known behavior for such programs with gpg2, even for windoze Miranda as I remember.
http://forum.psi-plus.com/viewtopic.php?f=10&t=72
default-cache-ttl 10800 doesn't work though
Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg-encrypted keyfile for my root partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.
I switched to OlafLostViking to match the IRC alias.
Funny to see all those bad experiences for a move that has been "tested properly" (according to an earlier post). I'm not even mentioning the incompatibility with pacman that now uses signed packages. When you install Arch using the latest ISO and upgrade the system then you are stuck with gnupg2 not being able to automatically import some keys. Pretty bad out of the box experience.
Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg encrypted keyfile for my root-Partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.
I'm very glad to see this post before I reboot
Thanks!
Funny to see all those bad experiences for a move that has been "tested properly" (according to an earlier post). I'm not even mentioning the incompatibility with pacman that now uses signed packages. When you install Arch using the latest ISO and upgrade the system then you are stuck with gnupg2 not being able to automatically import some keys. Pretty bad out of the box experience.
What that hints to me is that somehow no one using [testing] has the setups mentioned as problematic.
olaf.the.lost.viking wrote: Well, since I did not really check while updating what versions are installed (ok, my bad!), my computer was no longer bootable. I am using a gpg encrypted keyfile for my root-Partition and after the update the initramdisk contained gpg2 (which didn't work, of course) instead of gpg1. Not nice :-(. So I am switching to an openssl-encrypted key for now.
I'm very glad to see this post before I reboot
Thanks!
Same situation here.
I also use a setup with a gpg-encrypted keyfile for LUKS.
https://bbs.archlinux.org/viewtopic.php?id=129885&p=3
Last edited by Fallback (2012-04-01 20:07:38)
Enigmail is able to cache the PIN code for my OpenPGP card while gnome-keyring doesn't support it. I tried in the past to get rid of gnome-keyring and use gpg-agent instead but I had other issues too.
This may come a bit late, but have you set up gpg-agent already? With a short configuration (taking you 4 steps!) you will have even more convenience with gnupg2!
1. create /etc/profile.d/gpg-agent.sh with the following lines:
#!/bin/sh
envfile="${HOME}/.gnupg/gpg-agent.env"
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
(taken from gnupg-Archwiki page)
2. add the following lines in .(ba|z|whatever-shell-you-use)shrc:
GPG_TTY=$(tty)
export GPG_TTY
(as recommended by gpg-agent man)
3. create ~/.gnupg/gpg-agent.conf with the following lines: (saves the password for 6 hours!)
default-cache-ttl 216000
default-cache-ttl-ssh 216000
4. logout and login again.
If you now open your email programme, view a signed or encrypted email, (i.e. have to type in your password) and restart Thunderbird, the password is still cached, which wasn’t the case before!
Best, Jakob
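As an added example (not from Jakob's post or the Arch wiki), here is a stricter version of the step-1 check above. The original script evals whatever ~/.gnupg/gpg-agent.env contains and only tests whether the recorded pid is alive; this variant also refuses to eval a file that is not a single well-formed GPG_AGENT_INFO line, so a stale or tampered env file leads to a fresh agent instead of arbitrary shell execution. The file paths and the sample env files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a stricter variant of the step-1 check.
# The forum script evals whatever ~/.gnupg/gpg-agent.env contains; here the file
# is accepted only if it holds a single GPG_AGENT_INFO=<socket>:<pid>:<proto> line
# made of safe characters, and is reused only while that pid is still alive.

# Print the GPG_AGENT_INFO value if the file is well-formed, else return 1.
read_agent_info() {
    envfile="$1"
    [ -f "$envfile" ] || return 1
    [ -z "$(sed -n '2p' "$envfile")" ] || return 1      # exactly one line
    line=$(head -n 1 "$envfile")
    # socket path, numeric pid, numeric protocol version; nothing eval could
    # misinterpret (no whitespace, quotes, $, backticks or metacharacters)
    case "$line" in
        *[!A-Za-z0-9_=/.:-]*) return 1 ;;
        GPG_AGENT_INFO=/*:[0-9]*:[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${line#GPG_AGENT_INFO=}"
}

# The second colon-separated field of the value is the agent's pid.
agent_pid() { printf '%s\n' "$1" | cut -d: -f2; }

# 0 if a process with this pid exists (the kill -0 test from the thread), else 1.
agent_alive() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$1" 2>/dev/null
}

# Print "reuse" when the env file is trustworthy and its agent is alive,
# "restart" otherwise (missing, malformed, tampered, or stale file).
agent_decision() {
    info=$(read_agent_info "$1") || { echo restart; return 0; }
    if agent_alive "$(agent_pid "$info")"; then echo reuse; else echo restart; fi
}

# Constructed sample files (not real agent state) covering the cases.
SAMPLE_DIR=$(mktemp -d)
sleep 0 & STALE_PID=$!; wait "$STALE_PID"              # a pid that has exited
printf 'GPG_AGENT_INFO=/tmp/gpg-demo/S.gpg-agent:%s:1\n' "$$" > "$SAMPLE_DIR/live.env"
printf 'GPG_AGENT_INFO=/tmp/gpg-demo/S.gpg-agent:%s:1\n' "$STALE_PID" > "$SAMPLE_DIR/stale.env"
printf 'GPG_AGENT_INFO=/tmp/x:%s:1; echo injected\n' "$$" > "$SAMPLE_DIR/tampered.env"
```

In the real profile script you would replace the `eval "$(cat "$envfile")"` branch with `agent_decision`, and eval only the value that `read_agent_info` returns.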
Thanks Jakob, works fine for me!
I was able to use gpg directly but there was some kind of strange problem when I tried to sign a tag with git. The pinentry-curses didn't show up and I got some errors. After killing it, the whole terminal was unusable and I had to logout and login again.
That was quite annoying, so thank you for your solution.