Minimal requirement for GPG?

Mikkel Kirkgaard Nielsen miki at mikini.dk
Tue Dec 4 01:22:22 CET 2018


Hi Cedric.

On 2018-12-03 14:38, Cedric Girard wrote:
> on one laptop, with GPG 1.4.16, the gpg file is crypted only with the
> first key in .gpg-id. Is there a limitation on this old version of
> GPG? I did not find any information about pass requirement.

Well, the README says pass depends on "GnuPG2", but the actual code
assumes "gpg" and steps up to using "gpg2" if it is available[0].

[0] https://git.zx2c4.com/password-store/tree/src/password-store.sh#n10

What is the pass version, operating system and OS release of the machine
in question? Has pass been installed using the system's package management?
I'm thinking that if the distribution ships a ~5-year-old gnupg (1.4.16
was released on 2013-12-18[1]), chances are you won't get a pass
version that supports teams (multiple recipients in .gpg-id) either. The
team feature was committed on 2014-03-19[2] and released in v1.5 on
2014-04-12[3].

[1] https://www.gnupg.org/download/release_notes.html#gnupg-1.4.16
[2] https://git.zx2c4.com/password-store/commit/?id=b1314982194c99361c2b81b3359a21d5a289fdb5
[3] https://git.zx2c4.com/password-store/tag/?h=1.5

The team feature feeds all keys mentioned in .gpg-id to gnupg using
multiple --recipient/-r arguments[4] when encrypting. A pre-1.5 pass
would use only the first key, exactly as you describe, as they all do
"head -n 1" on the file[5].

[4] https://git.zx2c4.com/password-store/tree/src/password-store.sh#n102
[5] https://git.zx2c4.com/password-store/tree/src/password-store.sh?h=1.4#n190

I doubt that any gnupg exists that doesn't support multiple recipients,
as the hybrid cipher approach[6] making this feasible (data=symmetric,
session key=asymmetric per recipient) is an OpenPGP[7] requirement.
AFAIK it has been supported for ages, maybe even for the entire gnupg
lifespan (the obsolete rfc2440 from 1998-11[8] talks about it, and gnupg v0.0.0
was released 1997-12-20[9]).

[6] https://www.gnupg.org/gph/en/manual.html#AEN210
[7] https://tools.ietf.org/html/rfc4880#section-2.1
[8] https://tools.ietf.org/html/rfc2440#section-2.1
[9] https://www.gnupg.org/download/release_notes.html#sec-2-70

Looking specifically into the source of gnupg 1.4.16, it seems to me that
it would be able to parse multiple -r flags[10] as the team feature
expects. A checkout, compilation and test of the 1.4.16 tag from git on
an Ubuntu 16.04 system confirms this.
You could do something like the below to assure yourself that it is
indeed the case on the system in question (the example encrypts for your
and my pubkeys; they need to be available, of course):
$ echo test | gpg -r B369349A -r 24895E49 -e | gpg --list-packets

[10] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/gpg.c;h=dbf2f40c5b1c5f36f4e0c2e91b8dbfaea7577ea4;hb=7cdb86e0ad7a3f452c2f7358e3e830785281addc#l93

Hope this helps.

Regards,
-- 
Mikkel
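As an added illustration of the two points in the mail above (this is example code, not pass's own source nor anything from the thread): the first function builds the recipient list the way the team feature does, one -r per line of .gpg-id, the second mimics the pre-1.5 "head -n 1" behaviour, and the remaining ones check a `gpg --list-packets` listing for one ":pubkey enc packet:" per recipient. The .gpg-id contents reuse the two short key IDs from the mail, and the packet listing is a constructed sample with made-up 16-digit key IDs, so no real keys or gpg binary are needed to run it.

```shell
# Constructed .gpg-id with the two recipients named in the mail; written
# to a temp file so every function below can be run as-is.
GPG_ID_FILE="$(mktemp)"
trap 'rm -f "$GPG_ID_FILE"' EXIT
printf 'B369349A\n24895E49\n' > "$GPG_ID_FILE"

# Team feature (pass >= 1.5): every non-empty line becomes "-r <keyid>".
build_recipient_args() {
    args=""
    while IFS= read -r gpg_id || [ -n "$gpg_id" ]; do
        if [ -n "$gpg_id" ]; then args="$args -r $gpg_id"; fi
    done < "$1"
    printf '%s\n' "${args# }"
}

# Pre-1.5 behaviour: only the first line of .gpg-id is ever used, so any
# further recipients are silently dropped.
legacy_recipient_args() {
    printf '%s %s\n' -r "$(head -n 1 "$1")"
}

# gpg emits one ":pubkey enc packet:" (the session key encrypted to one
# recipient) per recipient; counting them shows who can decrypt. Reads
# the --list-packets output on stdin.
count_pubkey_enc_packets() {
    grep -c '^:pubkey enc packet:' || true
}

# Extract the key IDs the session key was encrypted to.
list_pubkey_enc_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Succeeds only if the listing has exactly as many recipients as .gpg-id
# has non-empty lines, i.e. nobody in the team was left out.
all_recipients_present() {
    expected=$(grep -c . "$1" || true)
    actual=$(count_pubkey_enc_packets)
    [ "$expected" -eq "$actual" ]
}

# Constructed sample of what `gpg -e ... | gpg --list-packets` prints for
# two recipients (long key IDs are made up, ending in the short IDs above).
SAMPLE_LIST_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 01234567B369349A
	data: [2048 bits]
:pubkey enc packet: version 3, algo 1, keyid 89ABCDEF24895E49
	data: [2048 bits]
:encrypted data packet:
	length: 68
	mdc_method: 2'

echo "team:   gpg $(build_recipient_args "$GPG_ID_FILE") -e"
echo "legacy: gpg $(legacy_recipient_args "$GPG_ID_FILE") -e"
echo "recipients in sample listing: $(printf '%s\n' "$SAMPLE_LIST_PACKETS" | count_pubkey_enc_packets)"
```

On a real system, replace the sample listing with the live output of the `gpg ... | gpg --list-packets` pipeline from the mail and compare the count against the number of lines in your .gpg-id.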
