Mailing List Archive

2.3.1: compilation result without dirmngr (due to --disable-ldap?)
Hello.

I had a shallow memory of seeing this problem fly by, but from
looking over the archive headlines i saw nothing, and the
bugtracker also did not show up anything related for dirmngr
yesterday (from the headlines). On CRUX-Linux there is

# Depends on: libgcrypt libksba pinentry npth
..
name=gnupg
version=2.3.1
release=1
source=(https://gnupg.org/ftp/gcrypt/$name/$name-$version.tar.bz2)

build () {
    cd $name-$version

    ./configure --prefix=/usr \
        --libexecdir=/usr/lib \
        --disable-nls \
        --disable-ldap

    make
    make DESTDIR=$PKG install
    ...

and the compilation does not include dirmngr, making the entire
installation useless. (I personally still use gpg (GnuPG) 1.4.23,
but just had the idea of doing WKD for my key yesterday. P.S.:
i have not looked at the protocol, but sigh that not
a standardized checksum over the email address was chosen, like
sha256 or blake2, so that everybody could easily create the thing
by just hashing the address and exporting the key. But so it is.)

Ciao,

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: 2.3.1: compilation result without dirmngr (due to --disable-ldap?)
On Wed, 28 Jul 2021 17:04, Steffen Nurpmeso said:

> and the compilation does not include dirmngr, making the entire
> installation useless. (I personally still use gpg (GnuPG) 1.4.23,

I just tried with --disable-ldap and --disable-nls and can't see a
problem. It is the current master version though.

> i have not looked at the protocol, but sigh that not
> a standardized checksum over the email address was chosen, like

SHA-1 is a very standard algorithm and fully sufficient for the purpose
here; i.e. mapping a string to a fixed length identifier. SHA-1 is
anyway a required part of OpenPGP and there have been no security
weaknesses found in its use case as fingerprint algorithms.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: 2.3.1: compilation result without dirmngr (due to --disable-ldap?)
Werner Koch wrote in
<87v94p5zhk.fsf@wheatstone.g10code.de>:
|On Wed, 28 Jul 2021 17:04, Steffen Nurpmeso said:
|
|> and the compilation does not include dirmngr, making the entire
|> installation useless. (I personally still use gpg (GnuPG) 1.4.23,
|
|I just tried with --disable-ldap and --disable-nls and can't see a
|problem. It is the current master version though.

Fine, this is fixed.

|> i have not looked at the protocol, but sigh that not
|> a standardized checksum over the email address was chosen, like
|
|SHA-1 is a very standard algorithm and fully sufficient for the purpose
|here; i.e. mapping a string to a fixed length identifier. SHA-1 is
|anyway a required part of OpenPGP and there have been no security
|weaknesses found in its use case as fingerprint algorithms.

Yes, no, my problem is about the special z-base-32 step, for
which there is no tool around by default. But i personally still
struggle with the base64 that SSH now uses for fingerprinting,
i find this very hard. Yes i had seen discussion in the PGP IETF
list about such base'ing, but i _personally_ cannot grasp
z5fuz1m868tz5eeq3y86cnomqztbbyjd. Now that i have RFC 6189
i could of course take the algorithm of section 5.1.6 and
implement it. You know. It is more like .. i did not understand
why so complicated as that is nowhere human anyway, is it? Well,
unless you plan to use this way of hashing as a default in
a future GnuPG version of course. (I personally would very much
favour these nice groups of four hexadecimal bytes, as can be
produced with --fingerprint (in 1.4.*), even though it gets very
lengthy with SHA-256 or longer, but people only look at the tail
and the front, and maybe snippets in the middle, i think that was
talked about in the IETF group like this, no? .. i can confirm.
Ok, maybe if grouped by four it would work out anyway, looking at
it. But nonetheless. If grouped by four i would _assume_ that
lower/upper would even help differentiating, ie, base64 because it
is in use quite often, with OpenSSH even in user view. You know,
just doing echo BLA|sha1sum|base64 if you are on a Unix.
Whatever. Greetings to NRW!)

Ciao,

--steffen
Re: 2.3.1: compilation result without dirmngr (due to --disable-ldap?)
On Mon, 2 Aug 2021 15:47, Steffen Nurpmeso said:

> Yes, no, my problem is about the special z-base-32 step, for
> which there is no tool around by default. But i personally still

Right, same for the very new, silly, and one-usecase base-45.
(gnupg/common/t-zb32.c is not installed but might be helpful)

> struggle with the base64 that SSH now uses for fingerprinting,
> i find this very hard. Yes i had seen discussion in the PGP IETF

Me too. That has been the worst decision they ever made. Abbreviated
SHA256 would have been totally sufficient and gains better security due to
a better UX.


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
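
Added example, not part of the thread and not GnuPG's own code: the WKD identifier discussed above, computed as SHA-1 over the local part and encoded with z-base-32 (RFC 6189, section 5.1.6). The ASCII lowercasing of the local part, the two URL layouts and the sample address are assumptions taken from the WKD Internet-Draft, not from the messages above.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189, section 5.1.6); string index = 5-bit value.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, zero-padding the tail to a 5-bit boundary."""
    nbits = len(data) * 8
    pad = -nbits % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(
        ZB32_ALPHABET[(value >> shift) & 0x1F]
        for shift in range(nbits + pad - 5, -1, -5)
    )


def ascii_lower(text: str) -> str:
    """Lowercase only A-Z; non-ASCII characters are left untouched."""
    return "".join(c.lower() if "A" <= c <= "Z" else c for c in text)


def wkd_hash(address: str) -> str:
    """Return the 32-character WKD identifier for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    digest = hashlib.sha1(ascii_lower(local).encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Build the 'advanced' and 'direct' lookup URLs (layout assumed from the WKD draft)."""
    local, _, domain = address.rpartition("@")
    domain = ascii_lower(domain)
    ident, query = wkd_hash(address), "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{ident}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{ident}{query}",
    }


if __name__ == "__main__":
    # Constructed sample address (the one used in the WKD draft), not from the thread.
    sample = "Joe.Doe@Example.ORG"
    print(wkd_hash(sample))
    for method, url in wkd_urls(sample).items():
        print(method, url)
```

A 160-bit SHA-1 digest divides evenly into 5-bit groups, which is why the identifier is always exactly 32 characters with no padding.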