Package: devscripts
Version: 2.23.7
Severity: wishlist
Tags: patch
X-Debbugs-Cc: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Hi!
GnuPG upstream has decided to get out of the standardizing process for
OpenPGP, and instead is trying to push its own proprietary fork based on
an old draft that did not have consensus within the IETF working group.
This is going to be a source of interoperability problems, but we can
mitigate them somewhat when creating signatures by requiring compliance
with the OpenPGP RFC, even if it's going to be locked into an old version,
as later ones are not planned to get implemented. More so, given that the
latest releases of GnuPG have been switched to default to the proprietary
draft.
We need to set secure signing preferred algorithms as the current GnuPG
defaults with --openpgp cater for heavy backwards compatibility at the
cost of being insecure but potentially being compatible with very old
programs.
We care more about secure defaults than backwards compatibility with
ancient programs, so we pass our preferences to gpg when signing. This
should also cover the case for users that have created old keys with
insecure key preferences which might end up producing insecure
signatures.
Equivalent changes were made to dpkg-buildpackage.
Attached the patch implementing this.
(Ideally debsign would also grow additional OpenPGP backends, like
dpkg did, or perhaps it could be replaced entirely with the upcoming
dpkg-sign program.)
Thanks,
Guillem
From 14fd5d300f4cf9188d09aed356cc348d3d5c49fa Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Sat, 27 Apr 2024 20:33:05 +0200
Subject: [PATCH] debsign: Ensure future GnuPG interop by forcing OpenPGP
compliant behavior
GnuPG upstream has decided to get out of the standardizing process for
OpenPGP, and instead is trying to push its own proprietary fork based on
an old draft that did not have consensus within the IETF working group.
This is going to be a source of interoperability problems, but we can
mitigate them somewhat when creating signatures by requiring compliance
with the OpenPGP RFC, even if it's going to be locked into an old version,
as later ones are not planned to get implemented. More so, given that the
latest releases of GnuPG have been switched to default to the proprietary
draft.
We need to set secure signing preferred algorithms as the current GnuPG
defaults with --openpgp cater for heavy backwards compatibility at the
cost of being insecure but potentially being compatible with very old
programs.
We care more about secure defaults than backwards compatibility with
ancient programs, so we pass our preferences to gpg when signing. This
should also cover the case for users that have created old keys with
insecure key preferences which might end up producing insecure
signatures.
Equivalent changes were made to dpkg-buildpackage.
---
scripts/debsign.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..bc894b18 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -178,6 +178,8 @@ signfile() {
then
$signcommand --no-auto-check-trustdb \
--local-user "$signas" --clearsign \
+ --openpgp \
+ --personal-digest-preferences 'SHA512 SHA384 SHA256 SHA224' \
--list-options no-show-policy-urls \
--armor --textmode --output "$ASCII_SIGNED_FILE"\
"$UNSIGNED_FILE" || \
@@ -188,6 +190,8 @@ signfile() {
}
else
$signcommand --local-user "$signas" --clearsign \
+ --openpgp \
+ --personal-digest-preferences 'SHA512 SHA384 SHA256 SHA224' \
--no-show-policy-url \
--armor --textmode --output "$ASCII_SIGNED_FILE" \
"$UNSIGNED_FILE" || \
--
2.43.0
