commit: 20fe2475881d5e0a532223d59e24c6ad00202bde
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 25 16:11:35 2025 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sat Oct 25 16:11:35 2025 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=20fe2475
glep-0063: Clarify standards compliance to RFC 4880 (+ Ed25519)

Update GLEP 63 to clearly indicate that all OpenPGP messages must conform to RFC 4880, with the exception of ECC curve 25519 keys that we explicitly permit and that are reasonably widely supported. For completeness, link Ed25519 keys to the modern RFC 9580 standard, where they were specified as "EdDSALegacy".

Also clearly indicate that only the v4 message format is supported, for best interoperability. Unfortunately, the current tooling is split between v5 format / LibrePGP, and v6 format / RFC 9580. Given that GnuPG doesn't support the latter, and new tooling is unlikely to implement the former, it is best to stick with a portable superset of RFC 4880.

Closes: https://bugs.gentoo.org/963069
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

glep-0063.rst | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst index 80ca81d..eed7e11 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -7,10 +7,11 @@ Author: Robin H. Johnson <[email protected]>, Michał Górny <[email protected]> Type: Standards Track Status: Final -Version: 2.2 +Version: 2.3 Created: 2013-02-18 -Last-Modified: 2020-12-17 -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17 +Last-Modified: 2025-10-25 +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17, + 2025-10-25 Content-Type: text/x-rst --- @@ -28,6 +29,9 @@ OpenPGP key management policies for the Gentoo Linux distribution. Changes ======= +v2.3 + Clarified key compatibility with RFC 4880. + v2.2 Added information about the Gentoo keyserver. 
@@ -94,6 +98,10 @@ are used in the context of Gentoo developer actions. All developers are required to have at least one key conforming to those requirements. Keys that do not conform to them can not be used to commit. +0. All OpenPGP data must use the v4 message format, as specified + in RFC 4880 [#RFC4880]_. In addition to that, ECC curve 25519 + is permitted as specified as "EdDSALegacy" in RFC 9580 [#RFC9580]_. + 1. SHA-2 series output digest (SHA-1 digests internally permitted), at least 256-bit. All subkey self-signatures must use this digest. @@ -105,7 +113,7 @@ Keys that do not conform to them can not be used to commit. 3. Primary key and the signing subkey are both of type EITHER: - a. RSA, >=2048 bits (OpenPGP v4 key format or later only), + a. RSA, >=2048 bits, b. ECC curve 25519. @@ -128,8 +136,7 @@ their primary key). 1. Primary key has only ``certify`` capability enabled. -2. Primary key and the signing subkey are both of type RSA, 2048 bits - (OpenPGP v4 key format or later). +2. Primary key and the signing subkey are both of type RSA, 2048 bits. 3. Key expiration renewed annually to a fixed day of the year. @@ -191,6 +198,12 @@ References .. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096? (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) +.. [#RFC4880] RFC 4880: OpenPGP Message Format + (https://www.rfc-editor.org/rfc/rfc4880) + +.. [#RFC9580] RFC 9580: OpenPGP + (https://www.rfc-editor.org/rfc/rfc9580) + .. [#DEBIANGPG] Debian GPG documentation (https://wiki.debian.org/Keysigning)
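Review bot: the new changelog entry in the Changes hunk, `Clarified key compatibility with RFC 4880.`, understates what the later hunks do. The removed text in item 3a allowed `RSA, >=2048 bits (OpenPGP v4 key format or later only)`, while the new item 0 requires `the v4 message format` only, so a v5 key that was previously acceptable is now rejected. That is a tightening of the requirement rather than a clarification; suggest wording the entry so a developer skimming the changelog notices the new hard requirement, for example `Restricted keys to the OpenPGP v4 format (RFC 4880); permitted curve 25519 as specified in RFC 9580.`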
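Review bot: in the hunk adding item 0, "All OpenPGP data must use the v4 message format" is imprecise, because RFC 4880 assigns version numbers to individual packet types (public-key and signature packets in particular) rather than to a message as a whole, and the requirements that follow (items 1 to 3) constrain keys and signatures; suggest `0. All keys and signatures must use the v4 packet format, as specified` / `in RFC 4880 [#RFC4880]_.` The second sentence also doubles "as": `is permitted as specified as "EdDSALegacy"` reads better as "is permitted, as specified under the name "EdDSALegacy" in RFC 9580". Finally, EdDSALegacy is the RFC 9580 name of the Ed25519 signature algorithm only; if curve 25519 encryption subkeys are also meant to fall under this exception, the item should say so and cite the corresponding ECDH curve (RFC 9580 calls it "Curve25519Legacy"), otherwise the exception reads as signing-only and the preceding sentence forbids such subkeys since RFC 4880 itself defines no ECC algorithms.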
