A postmortem on Efail

Ben McGinnes ben at adversary.org
Wed May 23 03:57:53 CEST 2018


On Wed, May 23, 2018 at 12:15:58AM +0200, Steffen Nurpmeso wrote:
> 
> I only use v1.4, and i will never never never never use anything
> newer because that is very large and consists of an immense amount
> of components that i really do not need.  I receive keys via hkps://
> and sign, verify, encrypt and decrypt.  Having no pinentry is a bit
> of a problem, also because ~/ expansion is not possible in gpg.conf;
> but i have a small mkfifo program that feeds in the passphrase as
> appropriate, so this works for me.

Which is fine as long as no one you correspond with uses an elliptic
curve key when corresponding with you.  1.4 has no support for any of
the curves and they're not being backported to it.  In fact, the last
time I tried doing anything at all with a key containing a curve, even
just what was supposed to be optional subkeys, 1.4 had significant
problems doing anything with those keys.

That sort of thing is part of the reason for maintaining a separate
~/.gnupg1 directory, which was my original, pre-migration directory
(combined with some shell scripts as wrappers which invoke the right
version with the right configuration) and enabling this:

bash-4.4$ gpg1 --version
gpg (GnuPG) 1.4.22
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/ben/.gnupg1
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
bash-4.4$ gpg --version
gpg (GnuPG) 2.2.7
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/ben/.gnupg2
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
bash-4.4$

Though I believe 1.4 may have been slightly modified and/or using
whatever was last added to its branch rather than actually being
1.4.22's stable release.

Anyway, even though my current key doesn't yet include any of the
curves, I do still need more than a few components of the current
branches.  There are people I correspond with who use keys with
curves; I also definitely need GPGME and its Python bindings (not
having them would make my work very tricky indeed).  Plus the boss is
a huge proponent of the modern branch and arguably its greatest
advocate.  😉


Regards,
Ben