GnuPG versus PGP

George Sinclair gsinclair@nodc.noaa.gov
Wed Feb 7 19:46:01 2001


Okay,

After carefully reading the man pages for GnuPG (I'm currently
running version 1.0.4 fully patched on Solaris), and after seeing an
infinitude of messages regarding various compatibility problems
between sundry versions of PGP and GnuPG and supported or half
supported algorithms (IDEA, ElGamal, blah, blah, blah ...), I'm
confused and still *uncertain* how I should be creating detached
signatures and exporting keys that a user running PGP or GnuPG may
need to verify or import. Moreover, I have no idea who out there in
the world may need to import my GnuPG public key or verify my signed
files, and I can't very well control whether they're running GnuPG or
PGP and what versions respectively. If there are certain version
incompatibilities, I can live with that. I just need to know what I
should be doing on my end with GnuPG in order to best satisfy,
e.g. making two separate keys (one to sign files for PGP and one for
GPG, etc.).

Does anyone have the definitive answer on these two questions?

1. What is the correct syntax for creating a detached signature,
   suitable for e-mail, that a user running either PGP or GnuPG can
   later verify (here's what I've been using)?

      gpg --detach-sig --armor filename
 
2. How should I export a key that a user running PGP or GnuPG may need to
   import so as to verify the signed file(s) created in 1. above
   (here's what I've been using)?

      gpg --export --armor --output username.key username

Thanks.

George | gsinclair@nodc.noaa.gov

NOTE: I have tested the syntax in 1 and 2 above with a Solaris copy of
      PGP 5.0 (`pgpk --version` shows the following: PGP for Personal
      Privacy Version: unix50fcs5) since this is the only version of
      PGP I have, and I note the following:

         A. I export my key, using GnuPG, as:

               gpg --export --armor --output username.key username

         B. I then import the key into PGP as:

               pgpk -a username.key

         C. I can then verify files signed in GPG (as shown in item 2 above).

      My experience shows, however, that either or both of the
      additional options:  

          --force-v3-sigs
          --openpgp

      in any order will have no effect on the exported key. In each case, the
      exported key will have the same checksum. These options only have an
      appreciable effect when they're used to sign a file.

      The option: '--force-v3-sigs' can be included but appears to have no
      appreciable effects on my ability to later verify the signature using
      PGP 5.0. However, the option: '--openpgp' will create problems unless
      the option: '--force-v3-sigs' was also included.

      If the '--openpgp' option is used without the '--force-v3-sigs'
      option, then the resultant output signature file will be slightly 
      larger. Otherwise, the output size will always be the same as long
      as '--force-v3-sigs' is included or neither of the aforementioned
      options is included.
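The size difference George reports comes down to the signature packet version: `--force-v3-sigs` makes gpg emit a v3 signature packet (the only data-signature form PGP 5.x verifies), while the OpenPGP default is v4, which carries the creation time and issuer key ID in subpackets and is therefore a few bytes longer. The script below is an added example for this thread, not code from the original message or from GnuPG or PGP. It dearmors a detached signature, verifies the radix-64 CRC24, and reports the packet version plus the fields it can recover, following the RFC 2440 layouts. The two sample signatures it builds are constructed here: the key ID, timestamp and MPI values are placeholders, so they parse but would never verify against any key. It handles old-format packet headers only, which is the form GnuPG 1.0.x and PGP 5.x write for signatures.

```python
# Added example for this thread, not GnuPG or PGP code: parse an armoured OpenPGP
# detached signature (RFC 2440 layouts) and report whether it is a v3 or v4 packet.
import base64
import struct

PUBKEY_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
SUBPACKETS = {2: "creation time", 16: "issuer key ID"}
# Constructed placeholders: not a real key ID and not real signature values.
EXAMPLE_KEY_ID = bytes.fromhex("0123456789ABCDEF")
EXAMPLE_TIME = 981575161  # 2001-02-07, roughly this thread's date
PLACEHOLDER_MPIS = (struct.pack(">H", 160) + b"\x80" + b"\x11" * 19) * 2  # DSA r and s

def crc24(data: bytes) -> int:
    """Radix-64 checksum, RFC 2440 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """Wrap packet bytes in a PGP SIGNATURE armour block with a CRC24 trailer."""
    b64 = base64.b64encode(packet).decode()
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    lines = ["-----BEGIN PGP SIGNATURE-----", "Comment: constructed example", ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + ["=" + check, "-----END PGP SIGNATURE-----", ""])

def dearmor(armored: str) -> bytes:
    """Strip the armour and verify the CRC24 before parsing any packet."""
    lines = armored.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    data_lines = body[body.index("") + 1:]  # armour headers end at the blank line
    checks = [l for l in data_lines if l.startswith("=")]
    if len(checks) != 1:
        raise ValueError("missing or duplicated CRC24 line")
    data = base64.b64decode("".join(l for l in data_lines if not l.startswith("=")))
    if crc24(data) != int.from_bytes(base64.b64decode(checks[0][1:]), "big"):
        raise ValueError("CRC24 mismatch: armour is corrupt")
    return data

def parse_signature(armored: str) -> dict:
    """Decode the first packet: a signature (tag 2) with an old-format header."""
    data = dearmor(armored)
    if data[0] & 0xC0 != 0x80 or (data[0] >> 2) & 0x0F != 2 or data[0] & 3 == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    size = (1, 2, 4)[data[0] & 3]
    length = int.from_bytes(data[1:1 + size], "big")
    body = data[1 + size:1 + size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    info = {"version": body[0], "body_length": length, "subpackets": []}
    if body[0] == 3:  # fixed layout: five hashed octets, then key ID and algorithms
        if body[1] != 5:
            raise ValueError("v3 hashed-material length must be 5")
        info["sig_type"], info["created"] = body[2], struct.unpack(">I", body[3:7])[0]
        info["key_id"], algos = body[7:15].hex().upper(), body[15:17]
    elif body[0] == 4:  # creation time and issuer live in subpackets instead
        info["sig_type"], algos, pos = body[1], body[2:4], 4
        for _area in ("hashed", "unhashed"):
            end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
            pos += 2
            while pos < end:
                sp_len = body[pos]  # covers the type octet plus the subpacket body
                if sp_len >= 192:
                    raise ValueError("long subpacket lengths not handled")
                sp_type, sp_body = body[pos + 1] & 0x7F, body[pos + 2:pos + 1 + sp_len]
                info["subpackets"].append(SUBPACKETS.get(sp_type, sp_type))
                if sp_type == 2:
                    info["created"] = struct.unpack(">I", sp_body)[0]
                elif sp_type == 16:
                    info["key_id"] = sp_body.hex().upper()
                pos += 1 + sp_len
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    info["pubkey_algo"] = PUBKEY_ALGOS.get(algos[0], algos[0])
    info["hash_algo"] = HASH_ALGOS.get(algos[1], algos[1])
    return info

def build_v3_signature() -> bytes:
    """v3 packet (what --force-v3-sigs asks for) with an old-format one-octet length."""
    body = (bytes([3, 5, 0x00]) + struct.pack(">I", EXAMPLE_TIME) + EXAMPLE_KEY_ID
            + bytes([17, 2]) + b"\xAB\xCD" + PLACEHOLDER_MPIS)
    return bytes([0x88, len(body)]) + body

def build_v4_signature() -> bytes:
    """v4 packet carrying the same fields as subpackets, hence a few bytes larger."""
    hashed = bytes([5, 2]) + struct.pack(">I", EXAMPLE_TIME)   # creation time
    unhashed = bytes([9, 16]) + EXAMPLE_KEY_ID                 # issuer key ID
    body = (bytes([4, 0x00, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xAB\xCD" + PLACEHOLDER_MPIS)
    return bytes([0x88, len(body)]) + body

if __name__ == "__main__":
    for label, build in (("v3", build_v3_signature), ("v4", build_v4_signature)):
        print(label, parse_signature(armor(build())))
```

To inspect a signature produced with the commands in the message, pass the contents of the `.asc` file to `parse_signature`; a `version` of 3 is the form PGP 5.0 accepts on data, and a `version` of 4 with two subpackets is the seven-bytes-larger default output. The CRC24 check in `dearmor` runs first so that a signature mangled in transit is reported as corrupt rather than misparsed.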