Do not use GnuPG under Mac OS RNG

[Sebastian Hagedorn]

-- Werner Koch <wk@gnupg.org> is rumored to have mumbled on Freitag, 22.=20
Juni 2001 15:22 Uhr +0200 regarding Do not use GnuPG under Mac OS RNG:

>  || On Fri, 22 Jun 2001 08:08:50 -0400
>  || Gordon Worley <redbird@rbisland.cx> wrote:
>
>  gw> rndunix doesn't yield anything reasonably random (it's so unrandom
>  gw> that just the casual observer can see the patterns), which is why =
egd
>  gw> is being used.  egd passes it's self test on OS X and I've had no
>
> rndunix and egd are both using the same methods to collect entropy.
> So there is no difference.  It just looks like EGD is better because
> its output has gone through SHA-1 hashing.  It is hard to analyze a
> RNG and if its output is processed by a hash function (like EGD or
> /dev/[u]random) it is impossible to check it just by analyzing the
> output.
>
> STOP USING GNUPG UNDER MAC OS X AND REVOKE ALL THE KEYS YOU HAVE
> CREATED WITH THIS VERSION.  YOU SHOULD ALSO REVOKE ALL DSA SIGNING
> KEYS YOU HAVE USED TO CREATE SIGNATURE WITH THIS VERSION.

Werner, thanks for letting us know. I want to make sure that I understand=20
the issue correctly. This concerns only the generation of keys, right?=20
Using keys generated on a different platform is therefore safe(r)?

Also, what can be done to fix this? Are there libraries the end user could=20
install that gnupg would then use, or is Apple the only party that can do=20
anything about this?

Thanks, Sebastian
--
Sebastian Hagedorn
Ehrenfeldg=FCrtel 156, 50823 K=F6ln, Germany
http://www.spinfo.uni-koeln.de/~hgd/