
Bug#844724: apt: Does not seem to support new GnuPG keybox keyring format
On Fri, Nov 18, 2016 at 01:58:18PM +0100, Guillem Jover wrote:
> [ Setting as important as this is GnuPG default, but if you think this
>   is a new feature or similar please just change it to wishlist. ]
[…]
> It seems like apt (and its gpgv method) do not support the new GnuPG
> keybox keyring format? Which is the one currently generated by default
> with newer GnuPG versions. A simple session to demonstrate:

The (non)support of keybox was a topic back when I worked on gpg2 last
year.  The problem is with the goals/limitations we have: We want to be
gpgv only (Debian maintainer approves), a single --keyring should be
passed to it (gpg has a hardcoded limit of 40 ATM and upstream talks
about dropping that to 1 some day) and we want to support 'classic'
(1.x) and 'modern' (2.x).

While talking with Daniel Kahn Gillmor about this he actually came up
with the suggestion that we 'cat' the 'simple' keyring files together as
those aren't going away, use that and ignore keybox. Also, back then
gpgv{,2} wasn't supporting keybox and it was unclear if it would
(manpage suggests now that it does – at least the modern variant).
I acknowledge that this binary format stuff is annoying and hence
I suggest something completely different: We try to abolish the binary
formats in the external interface. I thought that would be hard, but
I recently learned from Johannes Schauer/sbuild that it is
actually trivial to convert an armored key to the 'simple' keyring
format (= the binary format we accept) with another of Daniel's shell
tricks [0].

Beside the practical problems of implementing keybox support as an
archive admin you can't use it anyhow until all your users have an apt
version installed supporting it and even then you tend to wait for the
last version without support reaching end-of-life (in your support view)
to have an easier time, so effective usage is likely still years away…
– enough time to invent keystash (= the future/better keybox) to restart
the cycle… The *.asc usage will take just as long to reach critical
mass, but I have some hope for that format to not be changed and
text-based formats tend to be easier to work with for humans.

I have a patch for this mostly done which I am going to merge if I don't
hear people complain big time about it and would consider this report
+wontfix then. Any comments?
Best regards

David Kalnischkies

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831409#67
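
The conversion the mail describes (armored *.asc key to the 'simple' binary keyring, and several of them 'cat'ed together), as an added example that is not part of the bug report and is not the shell trick referenced at [0]: a Python dearmor that verifies the RFC 4880 CRC-24 before accepting a block and concatenates the results. It assumes the shell trick amounts to stripping the armor lines and base64-decoding the body; the sample bytes used below are constructed placeholders, not real OpenPGP key packets.

```python
# Added example; assumption: the referenced shell trick = strip armor, base64-decode.
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum carried by ASCII armor."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap binary OpenPGP packets in ASCII armor (used to build sample input)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def dearmor(text: str) -> list:
    """Binary payload of each armored block; ValueError on truncation, bad base64 or CRC mismatch."""
    blocks, body, crc_line, inside = [], [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP "):
            body, crc_line, inside = [], None, True
        elif not inside or not line or ":" in line:  # outside a block, blank, or armor header
            continue
        elif line.startswith("-----END PGP "):
            data = base64.b64decode("".join(body), validate=True)
            if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
                raise ValueError("armor checksum mismatch")
            blocks.append(data)
            inside = False
        elif line.startswith("="):  # "=xxxx": base64 of the CRC-24 over the decoded data
            crc_line = line[1:]
        else:
            body.append(line)
    if inside:
        raise ValueError("unterminated armor block")
    return blocks

def keyring(*armored: str) -> bytes:
    """Concatenate dearmored packets: the 'simple' keyring format apt accepts."""
    return b"".join(b for text in armored for b in dearmor(text))
```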
