Hi!
On Wed, 2024-05-01 at 19:12:10 +0200, Guillem Jover wrote:
> Package: devscripts
> Version: 2.23.7
> Severity: wishlist
> Tags: patch
> X-Debbugs-Cc: Daniel Kahn Gillmor <d...@fifthhorseman.net>
> GnuPG upstream has decided to get out of the standardizing process for
> OpenPGP, and instead is trying to push its own proprietary fork based on
> an old draft that did not have consensus within the IETF working group.
>
> This is going to be a source of interoperability problems, but we can
> mitigate them somewhat when creating signatures by requiring compliance
> with the OpenPGP RFC, even if it's going to be locked into an old version,
> as later ones are not planned to get implemented. More so, given that the
> latest releases of GnuPG have been switched to default to the proprietary
> draft.
>
> We need to set secure signing preferred algorithms as the current GnuPG
> defaults with --openpgp cater for heavy backwards compatibility at the
> cost of being insecure but potentially being compatible with very old
> programs.
>
> We care more about secure defaults than backwards compatibility with
> ancient programs, so we pass our preferences to gpg when signing. This
> should also cover the case for users that have created old keys with
> insecure key preferences which might end up producing insecure
> signatures.
>
> Equivalent changes were made to dpkg-buildpackage.
>
> Attached the patch implementing this.
I've rebased the patch against current git main, and re-tested it. It
would be nice to get this in, to palliate potential upcoming GnuPG
interoperability problems due to the schism.
> (Ideally debsign would also grow additional OpenPGP backends, like
> dpkg did, or perhaps it could be replaced entirely with the upcoming
> dpkg-sign program.)
Thanks,
Guillem
From eff020b9a97d80e591b280cebb9d62a6ac7cb88a Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Sat, 27 Apr 2024 20:33:05 +0200
Subject: [PATCH] debsign: Ensure future GnuPG interop by forcing OpenPGP
compliant behavior
GnuPG upstream has decided to get out of the standardizing process for
OpenPGP, and instead is trying to push its own proprietary fork based on
an old draft that did not have consensus within the IETF working group.
This is going to be a source of interoperability problems, but we can
mitigate them somewhat when creating signatures by requiring compliance
with the OpenPGP RFC, even if it's going to be locked into an old version,
as later ones are not planned to get implemented. More so, given that the
latest releases of GnuPG have been switched to default to the proprietary
draft.
We need to set secure signing preferred algorithms as the current GnuPG
defaults with --openpgp cater for heavy backwards compatibility at the
cost of being insecure but potentially being compatible with very old
programs.
We care more about secure defaults than backwards compatibility with
ancient programs, so we pass our preferences to gpg when signing. This
should also cover the case for users that have created old keys with
insecure key preferences which might end up producing insecure
signatures.
Equivalent changes were made to dpkg-buildpackage.
---
scripts/debsign.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 2ddb8b11..49648b09 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -172,6 +172,8 @@ signfile() {
$signcommand --no-auto-check-trustdb \
--local-user "$signas" --clearsign \
+ --openpgp \
+ --personal-digest-preferences 'SHA512 SHA384 SHA256 SHA224' \
--list-options no-show-policy-urls \
--armor --textmode --output "$ASCII_SIGNED_FILE"\
"$UNSIGNED_FILE" || \
--
2.45.2
