    I dunno about you, but changing the default algorithm in a SEMVER patch release seems very un-cool. This project is famously mismanaged and nothing ever changes to fix it.

      It’s the same algorithm, RSA; it’s a different bit-size: 2048 changed to 3072. Every implementation of the OpenPGP specs should handle it just fine, even GnuPG v1. Time changes, and the minimum reasonable key-size for a long-term key changes. If GnuPG changes with reasonable tweaks, they get recriminations. If they don’t change, they get recriminations.

      Nothing changes with existing keys. The patch-number release bump does not change any minimums to operate. It changes what key would be generated by default with a fresh install.

      The only implementations which wouldn’t handle this are those which skip RSA entirely, for whatever reason, so no change there. The problems creep in for RSA once you try to cross 4096 bits, because of various sanity caps on how much CPU person A should spend because of the paranoia of some random person F somewhere out on the Internet, whose key has made it into A’s keyring.

      Honestly, the bigger issue for me with GnuPG 2.2.22 was that the release signing key changed to a new Ed25519 key, and one of the systems I build GnuPG for, Xenial, is still supported and ships by default with GnuPG v1 (truly ancient), which doesn’t handle the newer Ed25519 keys. I had to plumb some more bits together to get the verification to work for the build process. It’s all working again now.