[PATCH] avoid publishing the GnuPG version by default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 4 22:58:13 CEST 2016

* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version


The version of GnuPG in use is not particularly helpful.  It is not
cryptographically verifiable, and it doesn't distinguish between
significant version differences like 2.0.x and 2.1.x.

Additionally, it leaks metadata that can be used to distinguish users
from one another, and can potentially be used to target specific
attacks if there are known behaviors that differ between major

It's probably better to take the more parsimonious approach to
metadata production by default.

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 doc/gpg.texi | 4 ++--
 g10/gpg.c    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
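The commit message argues that the armor `Version:` header is low-value metadata that distinguishes users. As an added check (not part of the patch or of GnuPG's own code), the following Python models the five `--emit-version` levels the documentation describes and scans ASCII-armored output for the headers that leak an implementation fingerprint. The header format (`GnuPG v2`, `GnuPG v2.1.14 (GNU/Linux)`) and the sample armored blocks are constructed for illustration; the version numbers and OS string are assumptions, not output captured from a real run.

```python
import re

# Matches the opening line of an ASCII-armored block (RFC 4880 style).
ARMOR_BEGIN_RE = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")


def version_header(level, name="GnuPG", major=2, minor=1, micro=14, os_name="GNU/Linux"):
    """Illustrative model of the --emit-version levels from gpg.texi.

    0: no header, 1: program name + major, 2: + minor, 3: + micro,
    4: + operating system identification.  The exact string layout and the
    sample numbers are assumptions for this example.
    """
    if level <= 0:
        return None
    parts = [str(major)]
    if level >= 2:
        parts.append(str(minor))
    if level >= 3:
        parts.append(str(micro))
    header = f"{name} v{'.'.join(parts)}"
    if level >= 4:
        header += f" ({os_name})"
    return header


def parse_armor_headers(text):
    """Return the (key, value) armor headers of the first armored block in text.

    Headers sit between the BEGIN line and the first blank line; a block that
    emits no version information simply has an empty header section.
    """
    headers = []
    in_block = False
    for line in text.splitlines():
        if not in_block:
            if ARMOR_BEGIN_RE.match(line.strip()):
                in_block = True
            continue
        if line.strip() == "":
            break  # blank line terminates the header section
        if ":" not in line:
            break  # not a header line; treat as end of the header section
        key, value = line.split(":", 1)
        headers.append((key.strip(), value.strip()))
    return headers


def metadata_findings(text):
    """List the armor headers that fingerprint the sender's software."""
    findings = []
    for key, value in parse_armor_headers(text):
        if key == "Version":
            findings.append(f"Version header reveals implementation: {value}")
        elif key == "Comment":
            findings.append(f"Comment header present: {value}")
    return findings


# Constructed samples: the body is placeholder text, not real OpenPGP data.
LEAKY_ARMOR = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA0NvbnN0cnVjdGVkIHNhbXBsZSBib2R5
=abcd
-----END PGP MESSAGE-----
"""

QUIET_ARMOR = """-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkIHNhbXBsZSBib2R5
=abcd
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for level in range(5):
        print(f"emit-version given {level} time(s): {version_header(level)!r}")
    for label, armor in (("leaky", LEAKY_ARMOR), ("quiet", QUIET_ARMOR)):
        print(label, metadata_findings(armor) or "no fingerprinting headers")
```

Running the scanner over your own exported keys or signed messages is a quick way to confirm that the `no-emit-version` default (or an explicit `no-emit-version` line in `gpg.conf`) is actually in effect for the gpg build you use.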

diff --git a/doc/gpg.texi b/doc/gpg.texi
index c544967..ffbc269 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2713,9 +2713,9 @@ protected by the signature.
 @opindex emit-version
 Force inclusion of the version string in ASCII armored output.  If
 given once only the name of the program and the major number is
-emitted (default), given twice the minor is also emitted, given triple
+emitted, given twice the minor is also emitted, given triple
 the micro is added, and given quad an operating system identification
-is also emitted.  @option{--no-emit-version} disables the version
+is also emitted.  @option{--no-emit-version} (default) disables the version
 @item --sig-notation @code{name=value}
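Review bot: the option text still opens with "Force inclusion of the version string in ASCII armored output", and the only signal that the default changed is the "(default)" moved onto @option{--no-emit-version}; state the new behaviour directly, e.g. "By default no version string is emitted. @option{--emit-version} forces inclusion of the version string in ASCII armored output", so readers do not have to infer it from the parenthetical. A NEWS entry for the changed default would also be worth adding, since anything that parses the Version header in armored output will see it disappear.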
diff --git a/g10/gpg.c b/g10/gpg.c
index 35d350e..b33b61b 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2269,7 +2269,7 @@ main (int argc, char **argv)
     opt.def_cert_expire = "0";
     gnupg_set_homedir (NULL);
     opt.passphrase_repeat = 1;
-    opt.emit_version = 1; /* Limit to the major number.  */
+    opt.emit_version = 0;
     opt.weak_digests = NULL;
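Review bot: the replaced line drops the only comment explaining this default, leaving a bare `opt.emit_version = 0;` that a later reader could take for an oversight; keep a short comment on why the version is omitted by default, e.g. `opt.emit_version = 0; /* Do not leak the version by default; see --emit-version.  */`. It is also worth checking whether any tests or expected-output fixtures compare armored output and still expect the Version header the old default of 1 produced.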

More information about the Gnupg-devel mailing list