On Fri, Nov 18, 2016 at 01:58:18PM +0100, Guillem Jover wrote:
> [ Setting as important as this is GnuPG default, but if you think this
> is a new feature or similar please just change it to wishlist. ]
[…]
> It seems like apt (and its gpgv method) do not support the new GnuPG
> keybox keyring format? Which is the one currently generated by default
> with newer GnuPG versions. A simple session to demonstrate:

The (non)support of keybox was a topic back when I worked on gpg2 last year. The problem is with the goals/limitations we have: we want to be gpgv only (Debian maintainer approves), a single --keyring should be passed to it (gpg has a hardcoded limit of 40 ATM and upstream talks about dropping that to 1 some day) and we want to support 'classic' (1.x) and 'modern' (2.x). While talking with Daniel Kahn Gillmor about this he actually came up with the suggestion that we 'cat' the 'simple' keyring files together as those aren't going away, use that and ignore keybox. Also, back then gpgv{,2} wasn't supporting keybox and it was unclear if it would (the manpage suggests now that it does – at least the modern variant).

I acknowledge that this binary format stuff is annoying and hence I suggest something completely different: we try to abolish the binary formats in the external interface. I thought that would be hard, but I recently learned from Johannes Schauer/sbuild that it is actually trivial to convert an armored key to the 'simple' keyring format (= the binary format we accept) with another of Daniel's shell tricks [0].

Besides the practical problems of implementing keybox support, as an archive admin you can't use it anyhow until all your users have an apt version installed supporting it, and even then you tend to wait for the last version without support reaching end-of-life (in your support view) to have an easier time, so effective usage is likely still years away… – enough time to invent keystash (= the future/better keybox) to restart the cycle… The *.asc usage will take just as long to reach critical mass, but I have some hope for that format to not be changed, and text-based formats tend to be easier to work with for humans.

I have a patch for this mostly done which I am going to merge if I don't hear people complain bigtime about it and would consider this report +wontfix then.

Any comments?

Best regards

David Kalnischkies

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831409#67
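The armor-to-'simple'-keyring conversion the mail refers to, as an added example that is not apt's code and not the shell trick from bug #831409: it strips the ASCII armor, verifies the RFC 4880 CRC24 trailer, checks that the decoded bytes really are a sequence of OpenPGP packets starting with a public-key packet (tag 6), and concatenates several keys the way cat'ing dearmored keyrings together would. It is written in Python rather than shell so the checks a blind `base64 -d` skips can be shown. The sample key material is constructed and meaningless (a v4 public-key packet with no key material plus a user-ID packet), and names such as `dearmor`, `packet_tags` and `to_keyring` are this example's own.

```python
"""Dearmor OpenPGP public keys into the binary 'simple' keyring format
and concatenate them, without calling gpg. Added example, not apt's code."""
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Return the binary packets of one PUBLIC KEY BLOCK.
    Raises ValueError on missing/malformed armor or a CRC mismatch."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("no armored public key block found")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    # Armor headers (Version:, Comment:, ...) end at the first blank line;
    # GnuPG 2.x emits no headers but still the blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    try:
        data = base64.b64decode("".join(body), validate=True)
        if crc_line is not None:  # optional since RFC 9580, verify when present
            got = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
            if got != crc24(data):
                raise ValueError("CRC24 mismatch: armor body corrupted or edited")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad armor: %s" % exc) from exc
    return data


def packet_tags(data: bytes) -> list:
    """Walk the packet sequence and return each packet's tag. Indeterminate
    and partial body lengths never occur in keyrings and are rejected."""
    tags, pos = [], 0
    try:
        while pos < len(data):
            hdr = data[pos]
            if not hdr & 0x80:
                raise ValueError("byte %d is not a packet header" % pos)
            if hdr & 0x40:  # new-format header
                tag, b1 = hdr & 0x3F, data[pos + 1]
                if b1 < 192:
                    length, hlen = b1, 2
                elif b1 < 224:
                    length, hlen = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
                elif b1 == 255:
                    length, hlen = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
                else:
                    raise ValueError("partial body length at %d" % pos)
            else:  # old-format header: 2 low bits give the length size
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
                if ltype == 3:
                    raise ValueError("indeterminate length at %d" % pos)
                hlen = 1 + (1 << ltype)  # 2, 3 or 5 header bytes
                length = int.from_bytes(data[pos + 1:pos + hlen], "big")
            pos += hlen + length
            if pos > len(data):
                raise ValueError("packet runs past end of data")
            tags.append(tag)
    except IndexError as exc:
        raise ValueError("truncated packet header") from exc
    return tags


def to_keyring(armored_keys) -> bytes:
    """The 'simple' keyring is just the dearmored keys concatenated; each
    block must start with a public-key packet (tag 6) to be accepted."""
    out = b""
    for text in armored_keys:
        data = dearmor(text)
        tags = packet_tags(data)
        if not tags or tags[0] != 6:
            raise ValueError("block does not start with a public-key packet")
        out += data
    return out


def armor(data: bytes) -> str:
    """Armor without headers, as GnuPG 2.x writes it; used to build the sample."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "%s\n\n%s\n=%s\n%s\n" % (BEGIN, body, crc, END)


# Constructed sample: tag-6 v4 RSA public-key packet with no MPIs, then a
# user-ID packet "alice". Structurally valid, cryptographically meaningless.
SAMPLE_PACKETS = bytes.fromhex("990006040000000001b405616c696365")
SAMPLE_ASC = armor(SAMPLE_PACKETS)

if __name__ == "__main__":
    ring = to_keyring([SAMPLE_ASC, SAMPLE_ASC])
    print(len(ring), packet_tags(ring))  # 32 [6, 13, 6, 13]
```

The two checks that a plain `sed | base64 -d` pipeline lacks are the CRC verification (a transmission error or a stray edit to the .asc is caught before the bytes reach a keyring) and the packet walk (random base64 that happens to decode is refused instead of being shipped as a keyring that gpgv would choke on).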