HOWTO on interfacing with gnupg/pgp?

Marc Mutz
Tue Jun 19 09:32:01 2001

On Monday 18 June 2001 10:15, Werner Koch wrote:

> || On Sun, 17 Jun 2001 23:56:26 +0200
> || Marc Mutz <> wrote:
> mm> Is it ready for production yet?
> Use it. It is probably better debugged than other tools invoking gpg
> and well, I amthe manin author of both and so I take care that both
> are working.
I'll have a look at gpgme's interfacing with gpg, but I am currently more interested in design _principles_ than in details.
> mm> Will it be binary compatible within minor revision numbers?
> I don't undertstand this. The standard library conventions are of
> course honoured and I once stated that I see no reason to change an
> existing API.
It's just that the KDE team just had a bad experience with the OpenSSL 0.9.5->0.9.6{,a} transition, which broke BC, IIRC. One developer went and started his own crypto lib because of that (no, I'm not advocating that. In fact, I'm extremely opposed to that idea and hope that it will never be adopted. The world doesn't need yet another crypto lib).
> mm> Does it support PGP?
> Of course not! The GNU project[1] does not support proprietary
> software or advocates its use.
> Why do you want to use PGP? Aren't you still not upset enough about
> their policies and deliberately introduced incomptibilities? Tssss.
<snip> We happen to support PGP up to v6.x. If we were to start from scratch _now_, we'd probably restrict ourselves to supporting gnupg via gpgme. I certainly don't want to write _new_ interface classes for these programs, but we should keep the possibility to interface with old pgp implementations. In the light of the critical passphrase handling issues in KMail's pgp/gpg interface, I just wanted to extend my auditing of the (passphrase storing) high-level class to the low-level interface classes. In this framework I'm currently working. Thus cometh my question on how to best interface with _this kind of_ programs securely. And probably a little bit on how to best handle passphrases in the frontend. So switching to gpgme isn't an option ATM, since we are in feature freeze for the upcoming KDE 2.2beta and final releases. Marc -- Marc Mutz <>