Mailing List Archive

Changes in GnuPG
I was a user of GPG4Win years ago and when I reinstalled it I noticed quite a bit has changed. If there is no existing pubring.gpg it creates a new keyring with the new format. Is there anything that really details the changes in this new format and why it changed? Also no more secring.gpg. Those files got moved in that "private -keys" directory. What I'm also trying to understand is now their file names don't really correspond to the key details itself, (real name, email, Key ID, etc). Why the change in that as well? Thanks
Re: Changes in GnuPG [ In reply to ]
> Is there anything that really details the changes in this new format
> and why it changed?

https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox

> Also no more secring.gpg. Those files got moved in that "private
> -keys" directory. What I'm also trying to understand is now their
> files names don't really correspond to the key details itself, (real
> name, email, Key ID, etc). Why the change in that as well?

https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changes in GnuPG [ In reply to ]
Thanks for the links listed below. I did see them before but re-read them and picked up a bit more information. It seems like the pubring is more of an indexed database to allow for faster lookups and maybe. I'm not sure if that also added other features as well. I'm still a bit confused on the changes in secring. How does it come up with the names for those "new" keys as it doesn't seem to correlate with anything I can see on the keys. For them to go away from the OpenPGP standard it obviously had to make sense to them, I'm just trying to understand (actually learn more about) the reasons for the changes.

Sent: Sunday, January 05, 2020 at 5:16 PM
From: "Robert J. Hansen" <rjh@sixdemonbag.org>
To: gnupg-users@gnupg.org
Subject: Re: Changes in GnuPG

> Is there anything that really details the changes in this new format
> and why it changed?

https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox

> Also no more secring.gpg. Those files got moved in that "private
> -keys" directory. What I'm also trying to understand is now their
> files names don't really correspond to the key details itself, (real
> name, email, Key ID, etc). Why the change in that as well?

https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring

Re: Changes in GnuPG [ In reply to ]
On Mon, Jan 06, 2020 at 04:42:40PM +0100, azbigdogs@gmx.com wrote:
>I'm still a bit confused on the changes in secring. How does it come up
>with the names for those "new" keys as it doesn't seem to correlate
>with anything I can see on the keys.

Files under the $GNUPGHOME/private-keys-v1.d directory are named after
the *keygrips* of the keys.

A keygrip is similar in principle to an OpenPGP fingerprint, but is
computed on a data structure that is independent of any protocol
(contrary to an OpenPGP fingerprint, which is computed over an OpenPGP
packet).

GnuPG, which since its version 2.0 implements both OpenPGP and S/MIME,
uses keygrips internally to refer to a key independently of the protocol
with which the key is to be used.

You can use the --with-keygrip option when listing keys to have GnuPG
display the keygrips, and check that they match the filenames you see in
the $GNUPGHOME/private-keys-v1.d directory.


>For them to go away from the OpenPGP standard it obviously had to make
>sense to them

The OpenPGP standard dictates how compliant implementations
interoperate. It says nothing about what the implementations shall do
internally.

Keygrips are strictly an internal implementation detail of GnuPG. When
it interacts with the outside world (e.g. when exporting a key), GnuPG
still follows the OpenPGP standard.


Cheers,

- Damien
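The check Damien describes (compare the keygrips gpg reports against the file names in private-keys-v1.d), as an added example that is not part of the thread. It parses a constructed `--with-keygrip --with-colons` listing embedded below; on a real system you would feed it the actual gpg output and your own GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every secret key's keygrip
# in a gpg listing has a matching <KEYGRIP>.key file in private-keys-v1.d.
# check_keygrips <listing-file> <private-keys-dir>
# Prints each missing keygrip; returns 0 if all are present, 1 otherwise.
check_keygrips() {
  listing=$1
  dir=$2
  rc=0
  # In --with-colons output the keygrip is field 10 of each "grp" record.
  for grip in $(awk -F: '$1 == "grp" { print $10 }' "$listing"); do
    if [ ! -f "$dir/$grip.key" ]; then
      echo "missing: $grip"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample so the script runs offline. On a real system use:
#   gpg --with-keygrip --with-colons --list-secret-keys > listing.txt
# and pass "${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d" as the directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/listing.txt" <<'EOF'
sec:u:3072:1:0123456789ABCDEF:1578000000::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1578000000::0123456789ABCDEF::Constructed User <user@example.com>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1578000000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
mkdir -p "$SAMPLE_DIR/private-keys-v1.d"
# Only the primary key's file exists in the sample; the subkey's is absent.
touch "$SAMPLE_DIR/private-keys-v1.d/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key"

check_keygrips "$SAMPLE_DIR/listing.txt" "$SAMPLE_DIR/private-keys-v1.d" \
  || echo "some secret keys have no file in private-keys-v1.d"
```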
Re: Changes in GnuPG [ In reply to ]
> I'm still a bit confused on the changes in secring. How does it come up
> with the names for those "new" keys as it doesn't seem to correlate with
> anything I can see on the keys.

The names are actually keygrips, not fingerprints.

> For them to go away from the OpenPGP standard it obviously had to make
> sense to them…

They didn't. RFC4880 doesn't define how to store certificates.

Way back when, PGP Corporation stored its two keyrings as "pubring.pkr"
and "secring.skr". These two files were incredibly simple: each was
effectively an OpenPGP message containing nothing but a long sequence of
certificates. When PGP started it read each file into RAM, populated a
master keyring, and that was that.

When GnuPG came along they decided to use the exact same format so that
people could migrate just by renaming their .pkr and .skr files to have
.gpg extensions. And this was likely a good decision, in that it made
it easy for people to switch from PGP.

PGP is no longer a serious player in the OpenPGP space. Symantec bought
PGP years ago and seem to have been neglecting it ever since.
Consequently, we no longer *need* to use old PGP formats to encourage
people to cross over. And at the same time, keyrings are getting a lot
bigger -- back in 2000 few people had more than a couple of dozen
certificates; twenty years later it's easy to have a few *hundred*
certificates. And the old, inefficient PGP keyring format doesn't work
very well any more.

We don't need the PGP compatibility any more and it's holding us back.
That's the root reason for the changes.

Re: Changes in GnuPG [ In reply to ]
Damien,

Thanks for the explanation on the keygrips. That explains why it is
some "random" set of characters. I understand (I think) it is acting
like a place marker but still trying to understand the why part.


I guess I need to export my keys to make them accessible to other apps
that use PGP (LibreOffice, PowerArchiver, etc).

On 1/6/2020 3:43 PM, Damien Goutte-Gattat wrote:

Re: Changes in GnuPG [ In reply to ]
Robert,

Thanks for the explanation of the new public key format. If I understand
it correctly, the old system was like a flat file and this new one is
more like an indexed database that allows faster lookups.

On 1/7/2020 12:37 AM, Robert J. Hansen wrote:

Re: Changes in GnuPG [ In reply to ]
On Thu, 9 Jan 2020 13:01, Mark said:

> Thanks for the explanation of the new public key format. If I understand
> it correctly, the old system was like a flat file and this new one is
> more like an indexed database that allows faster lookups.

Right. The keybox format includes meta data so that there is no
requirement to parse each and every key in the keyring to compute the
fingerprint while gpg is searching for a key with a specific
fingerprint.

Actually there is no index although the format is prepared for this. I
don't think that we will ever add an index, though. The next major
version instead will come with an option to store the keys in an SQLite
database file. Thus, as has always been said, please use the
--import and --export options to convey OpenPGP or X.509 keys. Only if
you want to keep two GnuPG installations of the same version in sync may
you copy the entire GNUPGHOME (e.g. ~/.gnupg) - even between different
platforms.


Salam-Shalom,

Werner


@rjh: I guess you will now remark about random_seed, but I don't think
that this is an issue anymore with modern versions. The entropy
gathering changed quite a bit in 2.2 and we may eventually remove
that file. (Due to the new JitterRNG which is sufficient on Windows and
the faster getrandom call on Linux).

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Changes in GnuPG [ In reply to ]
> @rjh: I guess you will now remark about random_seed, but I don't think
> that this is an issue anymore with modern versions. The entropy
> gathering changed quite a bit in 2.2 and we may eventually remove
> that file. (Due to the new JitterRNG which is sufficient on Windows and
> the faster getrandom call on Linux).

Growing up in a family of hunters, I learned at an early age that even
if someone tells you a firearm is unloaded you should still clear the
chamber and store it pointed in a safe direction... especially if
someone tells you "no, really, it's perfectly safe, I just checked it".

I apply the same to any file claiming to be a random seed. No matter
who tells me it's safe to copy it I'm not going to copy it, and I think
other people would be best served to adopt the same rule. :)