
Mailing List Archive: GnuPG: devel

Re: blacklisting MD5 in gpg



wk at gnupg

May 7, 2009, 9:36 AM

Post #1 of 6
Re: blacklisting MD5 in gpg

On Thu, 7 May 2009 17:12, dshaw [at] jabberwocky said:

>> Should gpg --version somehow indicate algorithms which it knows about
>> but which are blacklisted in the current configuration?
>
> That's a good idea. Maybe putting it in brackets or something like
> "[MD5]" to indicate that it exists, but isn't being used.

Unfortunately this is hard to implement because --version is processed
by the option parser internally and I doubt that it makes sense to
change this to display more information. --version displays the built-in
algorithms; thus even the option --disable-cipher-algo has no effect.

The proper way to get the current configuration is to read gpg.conf or
to use gpgconf along with a GUI tool. There are just too many settings in
gpg to show them all. We would need to add extra code to show them and
we will for sure encounter bugs in that the option setting is not
displayed properly.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 7, 2009, 10:09 AM

Post #2 of 6
Re: blacklisting MD5 in gpg [In reply to]

On 05/07/2009 12:36 PM, Werner Koch wrote:
> Unfortunately this is hard to implement because --version is processed
> by the option parser internally and I doubt that it makes sense to
> change this to display more information. --version displays the built-in
> algorithms; thus even the option --disable-cipher-algo has no effect.


really? it works for me on a debian testing system:

>> 0 dkg [at] pi:~$ diff -u <(gpg --version) <(gpg --disable-cipher-algo CAST5 --version)
>> --- /dev/fd/63 2009-05-07 13:00:29.744655397 -0400
>> +++ /dev/fd/62 2009-05-07 13:00:29.752652274 -0400
>> @@ -7,6 +7,6 @@
>> Home: ~/.gnupg
>> Supported algorithms:
>> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
>> -Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
>> +Cipher: 3DES, BLOWFISH, AES, AES192, AES256, TWOFISH
>> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>> Compression: Uncompressed, ZIP, ZLIB, BZIP2
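Review bot: this hunk only exercises --disable-cipher-algo, so the Cipher line drops CAST5 while the Hash line still lists MD5; it shows that --version reflects a cipher blacklist, but it does not exercise the digest blacklisting that this thread is actually about, so it cannot tell us whether an MD5 blacklist would show up the same way.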
>> 1 dkg [at] pi:~$ diff -u <(gpg2 --version) <(gpg2 --disable-cipher-algo CAST5 --version)
>> --- /dev/fd/63 2009-05-07 13:01:00.184650141 -0400
>> +++ /dev/fd/62 2009-05-07 13:01:00.184650141 -0400
>> @@ -8,6 +8,6 @@
>> Home: ~/.gnupg
>> Supported algorithms:
>> Pubkey: RSA, ELG, DSA
>> -Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
>> +Cipher: 3DES, BLOWFISH, AES, AES192, AES256, TWOFISH
>> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>> 1 dkg [at] pi:~$
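Review bot: the gpg2 hunk's context line `Pubkey: RSA, ELG, DSA` differs from gpg's `Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA` although both binaries were run with identical options, so a script comparing or parsing --version output across the two would see spurious differences; that is a concrete reason for the later suggestion in this thread that tools read --with-colons output instead of --version.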

it seems to work if i set it in gpg.conf too.

> The proper way to get the current configuration is to read gpg.conf or
> to use gpgconf along with a GUI tool. There are just too many settings in
> gpg to show them all. We would need to add extra code to show them and
> we will for sure encounter bugs in that the option setting is not
> displayed properly.

what about including it in the output of --list-config? (personally,
i'd like to see it in both --list-config and --version)

--dkg
Attachments: signature.asc (0.87 KB)


wk at gnupg

May 7, 2009, 10:28 AM

Post #3 of 6
Re: blacklisting MD5 in gpg [In reply to]

On Thu, 7 May 2009 19:09, dkg [at] fifthhorseman said:

> really? it works for me on a debian testing system:

Oops. I don't know my own code anymore :-(. Before parsing --version
on the command line all the other options are processed as usual and
then the algorithm list building function can make use of them. I
thought that version would be processed by the first pass of the option
parser which looks for things like --option and --homedir before parsing
the option file. I missed that I once ...

Wed Jun 10 07:39:41 1998 Werner Koch,mobil,,, (wk [at] tobol)

* fileutil.c (compare_filenames): New.

* argparse.c (arg_parse): New flag bit 6 to ignore --version

... introduced a flag to suppress exactly that.

Please forget about my comment. We can for sure put brackets around
blacklisted algos.

> what about including it in the output of --list-config? (personally,
> i'd like to see it in both --list-config and --version)

Can be done. However, gpgconf is the modern tool to ask for
configuration settings. We have just not implemented the more exotic
options like --disable-algo and --personal-foo-prefs. The latter seems
to be important, though.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.




dshaw at jabberwocky

May 7, 2009, 10:29 AM

Post #4 of 6
Re: blacklisting MD5 in gpg [In reply to]

On May 7, 2009, at 1:09 PM, Daniel Kahn Gillmor wrote:
>
>> The proper way to get the current configuration is to read gpg.conf or
>> to use gpgconf along with a GUI tool. There are just too many settings in
>> gpg to show them all. We would need to add extra code to show them and
>> we will for sure encounter bugs in that the option setting is not
>> displayed properly.
>
> what about including it in the output of --list-config? (personally,
> i'd like to see it in both --list-config and --version)

That's what I was thinking. GUI tools should never be parsing
--version. That's for human beings.

David




rjh at sixdemonbag

May 7, 2009, 11:05 AM

Post #5 of 6
Re: blacklisting MD5 in gpg [In reply to]

David Shaw wrote:
> That's what I was thinking. GUI tools should never be parsing
> --version. That's for human beings.

Perhaps this should be added to the manpage and/or the hacking file,
then. It seems probable that many scripts do just this, and if it's a
"they should never...", then script authors should have some resource to
tell them so.




dshaw at jabberwocky

May 7, 2009, 11:19 AM

Post #6 of 6
Re: blacklisting MD5 in gpg [In reply to]

On May 7, 2009, at 2:05 PM, Robert J. Hansen wrote:

> David Shaw wrote:
>> That's what I was thinking. GUI tools should never be parsing
>> --version. That's for human beings.
>
> Perhaps this should be added to the manpage and/or the hacking file,
> then. It seems probable that many scripts do just this, and if it's a
> "they should never...", then script authors should have some resource to
> tell them so.

There are limits to this sort of thing. Each option that is intended
for tools is tagged as such (--list-options, --with-colons, etc).
Past a certain point, we're just making the manual hard(er) to read
with endless repetitions of don't-use-this-in-scripts.

Perhaps a single statement that says the only safe way to use GPG at
all for scripts is via --with-colons and friends.

David

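As an added example (not code from this thread or from GnuPG itself), here is the kind of check the last two posts point towards: a defender verifying that MD5 is absent from a deployment's digest list by reading the machine-readable `--with-colons --list-config` records instead of parsing `--version`. It assumes the `cfg:digest` / `cfg:digestname` record layout described in GnuPG's doc/DETAILS (a later addition than this 2009 thread) and that the running gpg omits blacklisted algorithms from those records, which is what dkg asks for above; the sample records are constructed, not captured from a real binary.

```python
import subprocess


def parse_list_config(text):
    """Parse `gpg --with-colons --list-config` output into {key: [values]}.

    Record layout assumed from GnuPG's doc/DETAILS: cfg:<key>:<v1>;<v2>;...
    `cfg:group:` records carry a group name in field 3 and are skipped here.
    """
    cfg = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or fields[0] != "cfg" or fields[1] == "group":
            continue
        cfg[fields[1]] = [v for v in fields[2].split(";") if v]
    return cfg


def forbidden_digests_enabled(cfg, forbidden=("md5",)):
    """Return, sorted, the forbidden digest names the configuration still advertises."""
    enabled = {name.lower() for name in cfg.get("digestname", [])}
    return sorted({n.lower() for n in forbidden} & enabled)


def live_check(forbidden=("md5",), gpg="gpg"):
    """Query the installed binary (assumed to be in PATH) and apply the policy."""
    proc = subprocess.run([gpg, "--with-colons", "--list-config"],
                          capture_output=True, text=True, check=True)
    return forbidden_digests_enabled(parse_list_config(proc.stdout), forbidden)


# Constructed sample records (not captured from a real gpg); the digest names
# mirror the Hash line dkg posted above. Numeric IDs are OpenPGP digest IDs.
SAMPLE_DEFAULT = """\
cfg:version:EXAMPLE-VERSION
cfg:digest:1;2;3;8;9;10;11
cfg:digestname:md5;sha1;ripemd160;sha256;sha384;sha512;sha224
cfg:group:mygroup:alice@example.org;bob@example.org
"""
SAMPLE_HARDENED = """\
cfg:version:EXAMPLE-VERSION
cfg:digest:2;3;8;9;10;11
cfg:digestname:sha1;ripemd160;sha256;sha384;sha512;sha224
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        bad = forbidden_digests_enabled(parse_list_config(sample))
        print(f"{label}: {'OK' if not bad else 'still enabled: ' + ', '.join(bad)}")
```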
