Dear GnuPG ebuild maintainers,

the current stable GnuPG version sets a disputed OCB (AEAD) cipher by default for newly created keys that is apparently GnuPG-specific, non-standardized and apparently highly disputed, cf. the mailing list thread to be found at https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066962.html and especially a message from OpenKeychain maintainer Vincent Breitmoser: https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066972.html

This leads to interoperability problems. Other PGP implementations simply can't decrypt data encrypted using such a key.

Vincent writes that other distributions, including Debian, Arch, Fedora and more have decided to patch this away (for now), so that users won't run into what I experienced. Arch e.g. includes instructions how to manually disable this block cipher for existing keys in their wiki: https://wiki.archlinux.org/title/GnuPG#Disable_unsupported_AEAD_mechanism

I think we either also should patch this away for now, hide it behind some "expert" flag, or at least display a big fat warning that newly created keys will be GnuPG-only if not tweaked manually after creation.

From an end-user's perspective, this is awkward. I personally don't want to participate in religious wars about which block cipher is the right one or join some "faction". I just want working and first of all interoperable encryption ...

What do you think about this?

Cheers, Tobias
I was meaning to look into this before and it completely slipped my mind, unfortunately. I'll look today or tomorrow. Thanks.
Thanks for the instant reply! Just to also leave this here: https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys
Any news on how Gentoo will handle this?
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc2b8743fef9c5bd8cd79a0a0f92f083e246cd00

commit fc2b8743fef9c5bd8cd79a0a0f92f083e246cd00
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-06-24 03:56:52 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-06-24 03:58:04 +0000

    app-crypt/gnupg: revert rfc4880bis default for now

    Revert a new default which creates keys incompatible with other OpenPGP implementations.

    This is what other distros such as Fedora and Arch. See https://lwn.net/Articles/953797/.

    Closes: https://bugs.gentoo.org/926186
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/gnupg-2.4.5-revert-rfc4880bis.patch | 196 +++++++++++++++++++++
 app-crypt/gnupg/gnupg-2.4.5-r2.ebuild | 193 ++++++++++++++++++++
 2 files changed, 389 insertions(+)
Sorry for the wait. I kept coming back to it and wanting to research more and that ended up being me procrastinating. I'm not sure if we want to keep the revert forever, but I think it makes sense to be more conservative (in that it's not harmful to just not-default to it), as we're not actually removing a feature or anything. Bleh. Thank you again.
Thanks for fixing this -- or better said making a decision here. I think it's completely the right way to be conservative in this case and change the default. Anyone who still wants this will know what he does and can still activate it. So no harm done to anyone for now, and a lot of headaches saved for "normal" users.
Hey, I just created a new PGP key using app-crypt/gnupg-2.4.5-r2, using the default parameters. Still, AEAD (OCB) is enabled:

    $ gpg --expert --edit-key ...
    gpg> showpref
    [ultimate] (1). ...
         Cipher: AES256, AES192, AES, 3DES
         AEAD: OCB
         Digest: SHA512, SHA384, SHA256, SHA224, SHA1
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, AEAD, Keyserver no-modify

Wasn't the point of this to not enable this by default to keep compatibility with other implementations?
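A check for the situation reported in the comment above, as an added example that is not part of the original thread or of GnuPG: it parses text in the `showpref` layout quoted there and reports every user ID whose preferences still advertise AEAD. The function names and the second sample (a key without AEAD preferences) are constructed for illustration.

```python
import re

# Constructed sample: the showpref output quoted in the comment above.
SAMPLE_SHOWPREF = """\
[ultimate] (1). ...
     Cipher: AES256, AES192, AES, 3DES
     AEAD: OCB
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, AEAD, Keyserver no-modify
"""

# Constructed sample: assumed layout for a key that advertises no AEAD support.
SAMPLE_CLEAN = """\
[ultimate] (1). ...
     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
"""

PREF_LINE = re.compile(r"^\s*(Cipher|AEAD|Digest|Compression|Features):\s*(.*)$")

def parse_showpref(text):
    """Return {user_id_header: {category: [values]}} for each user ID block."""
    prefs, current = {}, None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and current is not None:
            values = [v.strip() for v in m.group(2).split(",") if v.strip()]
            prefs[current][m.group(1)] = values
        elif line.lstrip().startswith("["):  # "[validity] (n). user ID" header
            current = line.strip()
            prefs[current] = {}
    return prefs

def aead_findings(text):
    """List (user_id, reason) pairs for user IDs that advertise AEAD."""
    findings = []
    for uid, cats in parse_showpref(text).items():
        if cats.get("AEAD"):  # explicit AEAD algorithm preference list
            findings.append((uid, "AEAD algorithms listed: " + ", ".join(cats["AEAD"])))
        if "AEAD" in cats.get("Features", []):  # feature flag seen by senders
            findings.append((uid, "AEAD feature flag set"))
    return findings

if __name__ == "__main__":
    for uid, reason in aead_findings(SAMPLE_SHOWPREF):
        print(f"{uid}: {reason}")
```
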
(In reply to Tobias Leupold from comment #7)
> Hey, I just created a new PGP key using app-crypt/gnupg-2.4.5-r2, using the
> default parameters.

I _think_ this is the issue mentioned at https://wiki.archlinux.org/title/GnuPG#Disable_unsupported_AEAD_mechanism -- i.e. the patch we, Arch, Fedora are using doesn't change it everywhere?
As far as I can grasp it, this addresses the very issue that enabling AEAD (OCB) causes the incompatibilities this is all about, and how they can be eliminated by disabling this block cipher again. I _thought_ the patch would disable this setting by default, so that we get universally usable keys again ... this is not the case, and thus I wondered if this is what you intended, and also what the patch changes if not the defaults ...
I'll compare with other distros later. I agree it's bizarre.
Thanks a lot for still messing with this ;-)