On Tue, Feb 02, 2016 at 01:23:05PM +0100, Miroslav Suchy wrote:
On 2.2.2016 at 12:00, Michael Schroeder wrote:
Well, the easiest way is to just use V3 if files_are_digests is used. I.e. force sig->version to 3 in gpg's write_signature_packets() function.
But the code is not there anymore. See "Removal of PGP-2 support": https://www.gnupg.org/faq/whats-new-in-2.1.html and the actual code of pgp2.
What code is no more? gnupg-2.1.10 still has a write_signature_packets function AFAICS. You just need to change the code from

    if (duration || opt.sig_policy_url || opt.sig_notations
        || opt.sig_keyserver_url)
      sig->version = 4;
    else
      sig->version = pk->version;

to

    if (duration || opt.sig_policy_url || opt.sig_notations
        || opt.sig_keyserver_url)
      sig->version = 4;
    else if (opt.files_are_digests)
      sig->version = 3;
    else
      sig->version = pk->version;

Untested, though. Maybe duration is set, in that case you need to move the opt.files_are_digests check.
I investigated it a little bit and RHEL5 (rpm-126.96.36.199) and older are unable to work with v4, while RHEL6+ (rpm-4.8.0) can work with v4 signs. IIRC SLES 12 uses rpm-4.11.2 and SLES 11 uses rpm-188.8.131.52. So until RHEL5 is outdated (31 March 2017) and SLES 11 is outdated (31 Mar 2019) we need to use v3 signs.
Yes, seems like there were some problems with 2048/4096 bits and v4 sigs (https://bugzilla.redhat.com/show_bug.cgi?id=436812). So yes, rpm-4.8 should be ok for v4 sigs.
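
Since the thread turns on whether a given signature is v3 or v4, here is an added example (not code from this thread or from GnuPG) that reads the version octet of the first signature packet in binary, non-armored OpenPGP data, following the packet framing in RFC 4880 section 4.2. The function name pgp_sig_version and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the version octet (3 or 4) of the first signature packet (tag 2)
 * in a binary OpenPGP stream, or -1 if none is found or the framing is
 * malformed. Packet headers are parsed per RFC 4880, section 4.2. */
int pgp_sig_version(const uint8_t *p, size_t n)
{
    size_t i = 0, len;
    while (i < n) {
        uint8_t c = p[i++];
        unsigned tag, nb;
        if (!(c & 0x80)) return -1;            /* bit 7 is always set */
        if (c & 0x40) {                        /* new-format header */
            tag = c & 0x3f;
            if (i >= n) return -1;
            len = p[i++];
            if (len >= 224 && len != 255) return -1; /* partial length */
            nb = len == 255 ? 4 : len >= 192 ? 1 : 0;
            if (n - i < nb) return -1;
            if (nb == 1) len = ((len - 192) << 8) + p[i++] + 192;
            else if (nb == 4) for (len = 0; nb--; ) len = (len << 8) | p[i++];
        } else {                               /* old-format header */
            tag = (c >> 2) & 0x0f;
            if ((c & 3) == 3) return -1;       /* indeterminate length */
            nb = 1u << (c & 3);                /* 1, 2 or 4 length octets */
            if (n - i < nb) return -1;
            for (len = 0; nb--; ) len = (len << 8) | p[i++];
        }
        if (len > n - i) return -1;            /* body runs past the buffer */
        if (tag == 2) return len ? p[i] : -1;  /* first body octet = version */
        i += len;
    }
    return -1;
}

/* Constructed samples: packet header plus the first body octets only. */
static const uint8_t SAMPLE_V3[] = { 0x89, 0x00, 0x02, 0x03, 0x05 };
static const uint8_t SAMPLE_V4[] = { 0xC2, 0x04, 0x04, 0x00, 0x01, 0x08 };
static const uint8_t SAMPLE_CUT[] = { 0x89, 0x01, 0x00, 0x03 };

int main(void)
{
    printf("v3 sample: %d\n", pgp_sig_version(SAMPLE_V3, sizeof SAMPLE_V3));
    printf("v4 sample: %d\n", pgp_sig_version(SAMPLE_V4, sizeof SAMPLE_V4));
    printf("truncated: %d\n", pgp_sig_version(SAMPLE_CUT, sizeof SAMPLE_CUT));
    return 0;
}
```
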