Will gpg 1.x remain supported for the foreseeable future?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 17 05:36:56 CET 2018


On Tue 2018-01-16 16:26:49 -0800, Dan Kegel wrote:
> I worked hard to jump through hoops to use version 2 in such
> an environment, but then I ran into the fact that even the latest apt
> from debian does not support version 2's keybox format, so I had
> to drop back to gpg version 1 anyway.

apt always uses the "transferable public key" form for its OpenPGP
dependencies, which is specified in RFC 4880.  a simple linear
concatenation of these transferable public keys is a "keyring", which
apt knows how to ingest.

The "keybox" format is not used by any tool outside of the GnuPG suite,
and it doesn't have nearly as much documentation or history as the
transferable public key format.

i tend to treat *.kbx the same way i treat private-keys-v1.d -- as part
of GnuPG internals, not as part of its public interface.

If you want to generate a clean "keyring" it should be straightforward
to do so with any version of GnuPG just by using --export.  You can
import a keyring into any version of GnuPG with --import.

if you're in the habit of using GnuPG in order to create some file
within its internal "home directory" and then extract that for some
other use (like handing some internal file from there to apt) --
please don't do that.  The internals of the GnuPG homedir have never
explicitly been part of the publicly-exposed API.

     --dkg
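
An added example, not part of the original message and not code from GnuPG or apt: a Python check that tells a GnuPG keybox file apart from an RFC 4880 keyring (concatenated transferable public keys) by walking the packet headers. The sample bytes are constructed placeholders rather than real keys, and the `KBXf` magic at offset 8 is assumed from GnuPG's keybox header blob layout.

```python
import struct

ALLOWED = {6, 2, 13, 14, 17}  # public key, signature, user ID, subkey, user attribute

def packets(data):
    """Yield (tag, body_length) for each packet header (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body length is not expected in key material")
        else:                                   # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length is not expected in key material")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        i += length

def classify(data):
    """Return ('keybox'|'keyring'|'unknown', number of primary keys found)."""
    if data[8:12] == b"KBXf":                   # magic in the keybox header blob
        return "keybox", 0
    try:
        tags = [tag for tag, _ in packets(data)]
    except (ValueError, IndexError, struct.error):
        return "unknown", 0
    if not tags or tags[0] != 6 or not set(tags) <= ALLOWED:
        return "unknown", 0
    return "keyring", tags.count(6)

# Constructed sample input (not real keys): old-format packets, 2-octet lengths.
def sample_packet(tag, body):
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
SAMPLE_KEY = sample_packet(6, b"\x04" * 12) + sample_packet(13, b"Constructed <k@example.invalid>") + sample_packet(2, b"\x04" * 10)
SAMPLE_KEYRING = SAMPLE_KEY * 2                 # linear concatenation of two keys
SAMPLE_KEYBOX = struct.pack(">IBBH", 32, 1, 1, 0) + b"KBXf" + bytes(20)
```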