Hi all,

I have been doing some research here and I have been able to determine that right now GPG represents (with the non-free RSA and IDEA modules) a functional replacement for PGP 2.x for both checking signatures and creating signatures.
It is remarkably easy to do, I am surprised that someone else has not mentioned it.. Put this in your .gnupg/options file:

    load-extension rsa
    load-extension idea
    keyring /usr/share/keyrings/debian-keyring.pgp
    keyring /usr/share/keyrings/debian-keyring.gpg
    keyring /home/jgg/.pgp/pubring.pgp
    secret-keyring /home/jgg/.pgp/secring.pgp

(for instance)

GPG will directly read your existing PGP 2 key rings, the distributed RSA ring and the DSS ring. It is also able to directly parse the encrypted secret key ring.

PGP 2.x compatible signatures can be generated using this command:

    gpg --rfc-1991 -a --clearsign foo.txt

Note: You cannot pipe input to gpg and get a PGP 2.x compatible sig. Werner says it enters a different mode when you use a pipe..

Sigs can be checked using

    cat foo.asc | gpgm

Much like PGP.. (gpgm is a version that does not need root privilege to lock memory)

You can also generate a DSS key and have both your RSA and DSS key available to GPG for signing, the -u option can select between them.

I am hoping that information like this will help us to adopt gpg and free algorithms more quickly. With any luck we should be able to eliminate the use of PGP in the archive checking scripts using instead GPG (which would finally allow DSS keys to be used for uploads).

As a final note, I have not yet found out the fate of RSA in a year's time, I would hope that it will be moved into the main GPG distribution and become a fully free algorithm. IDEA won't be, but IDEA is unnecessary for signatures and GPG can use other ciphers with RSA keys for encryption.

Jason
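Added example, not part of the original message: a Python check that an archive checking script could run on a clearsigned file to see whether its signature packet is in the form PGP 2.x can read (version 3 packet, RSA, MD5) or something else, such as a version 4 DSA/SHA1 signature. The function names are hypothetical, and the two sample signatures are constructed, with zeroed key IDs and dummy signature bytes.

```python
import base64

PUBKEY = {1: "RSA", 17: "DSA"}                # OpenPGP public-key algorithm IDs
DIGEST = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}  # OpenPGP hash algorithm IDs

def dearmor_signature(text):
    """Return the binary packet inside the PGP SIGNATURE armor of `text`."""
    lines = text.splitlines()
    i = lines.index("-----BEGIN PGP SIGNATURE-----") + 1
    while lines[i].strip():                   # skip armor headers up to the blank line
        i += 1
    data = []
    for line in lines[i + 1:]:
        if line.startswith(("=", "-----END")):  # CRC24 line or end of armor
            break
        data.append(line.strip())
    return base64.b64decode("".join(data))

def parse_signature(pkt):
    """Read version and algorithm IDs from a leading signature packet (tag 2)."""
    hdr = pkt[0]
    if hdr & 0x40:                            # new-format header; no partial lengths on signatures
        tag = hdr & 0x3F
        off = 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:                                     # old-format header, the only kind PGP 2.x writes
        tag = (hdr >> 2) & 0x0F
        off = 1 + (1, 2, 4)[hdr & 3]          # indeterminate length (3) raises IndexError
    if not hdr & 0x80 or tag != 2:
        raise ValueError("not a signature packet")
    ver = pkt[off]
    if ver not in (3, 4):
        raise ValueError("unsupported signature version %d" % ver)
    # v3: version, 5, type, time(4), key ID(8), pubkey, digest; v4: version, type, pubkey, digest
    pk, md = (pkt[off + 15], pkt[off + 16]) if ver == 3 else (pkt[off + 2], pkt[off + 3])
    return {"version": ver, "pubkey": PUBKEY.get(pk, pk), "digest": DIGEST.get(md, md)}

def pgp2_compatible(text):
    """True only for the combination PGP 2.x understands: v3 packet, RSA, MD5."""
    return parse_signature(dearmor_signature(text)) == {"version": 3, "pubkey": "RSA", "digest": "MD5"}

def armor_sample(body):
    """Constructed sample: old-format signature packet wrapped in clearsign armor."""
    pkt = bytes([0x89, len(body) >> 8, len(body) & 0xFF]) + body
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n\nfoo\n-----BEGIN PGP SIGNATURE-----\n"
            "Version: constructed\n\n" + base64.b64encode(pkt).decode() + "\n-----END PGP SIGNATURE-----\n")

# Constructed bodies: zeroed timestamp and key ID, one dummy 8-bit MPI as the signature value.
SAMPLE_V3 = armor_sample(bytes([3, 5, 1]) + bytes(12) + bytes([1, 1, 0, 0, 0, 8, 0xFF]))
SAMPLE_V4 = armor_sample(bytes([4, 1, 17, 2, 0, 0, 0, 0, 0, 0, 0, 8, 0xFF]))
```

This only inspects the packet header fields; it does not verify the signature, which still has to be done with gpg against the keyrings.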