authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:01:35 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:01:35 +0000
commitaad0b01708e48e57ab4960b2b86a356009ab7217 (patch)
treec52aff8d3c0bd8f2be7c7041a44db36f808d39be /debian
parentUpdating vcs fields. (diff)
Setting default RSA key length to 4096 in gpgsm.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r--debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch97
-rw-r--r--debian/patches/series1
2 files changed, 98 insertions, 0 deletions
diff --git a/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
new file mode 100644
index 0000000..c9cf83c
--- /dev/null
+++ b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
@@ -0,0 +1,97 @@
+Author: Daniel Baumann <daniel.baumann@progress-linux.org>
+Subject: gpgsm: default to 4096-bit keys.
+
+diff -Naurp gnupg2.orig/doc/gpgsm.texi gnupg2/doc/gpgsm.texi
+--- gnupg2.orig/doc/gpgsm.texi
++++ gnupg2/doc/gpgsm.texi
+@@ -1082,7 +1082,7 @@ key. The algorithm must be capable of si
+ parameter. The only supported value for @var{algo} is @samp{rsa}.
+
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits. Defaults to 3072.
++The requested length of a generated key in bits. Defaults to 4096.
+
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff -Naurp gnupg2.orig/doc/howto-create-a-server-cert.texi gnupg2/doc/howto-create-a-server-cert.texi
+--- gnupg2.orig/doc/howto-create-a-server-cert.texi
++++ gnupg2/doc/howto-create-a-server-cert.texi
+@@ -31,12 +31,12 @@ Let's continue:
+
+ @cartouche
+ @example
+- What keysize do you want? (3072)
+- Requested keysize is 3072 bits
++ What keysize do you want? (4096)
++ Requested keysize is 4096 bits
+ @end example
+ @end cartouche
+
+-Hitting enter chooses the default RSA key size of 3072 bits. Keys
++Hitting enter chooses the default RSA key size of 4096 bits. Keys
+ smaller than 2048 bits are too weak on the modern Internet. If you
+ choose a larger (stronger) key, your server will need to do more work.
+
+@@ -124,7 +124,7 @@ request:
+ @example
+ These parameters are used:
+ Key-Type: RSA
+- Key-Length: 3072
++ Key-Length: 4096
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate,
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+- key type: 3072 bit RSA
++ key type: 4096 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+diff -Naurp gnupg2.orig/sm/certreqgen.c gnupg2/sm/certreqgen.c
+--- gnupg2.orig/sm/certreqgen.c
++++ gnupg2/sm/certreqgen.c
+@@ -26,7 +26,7 @@
+ $ cat >foo <<EOF
+ %echo Generating a standard key
+ Key-Type: RSA
+- Key-Length: 3072
++ Key-Length: 4096
+ Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
+ Name-Email: joe@foo.bar
+ # Do a commit here, so that we can later print a "done"
+@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct par
+ /* Check the keylength. NOTE: If you change this make sure that it
+ macthes the gpgconflist item in gpgsm.c */
+ if (!get_parameter (para, pKEYLENGTH, 0))
+- nbits = 3072;
++ nbits = 4096;
+ else
+ nbits = get_parameter_uint (para, pKEYLENGTH);
+ if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
+diff -Naurp gnupg2.orig/sm/certreqgen-ui.c gnupg2/sm/certreqgen-ui.c
+--- gnupg2.orig/sm/certreqgen-ui.c
++++ gnupg2/sm/certreqgen-ui.c
+@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estre
+ unsigned int nbits;
+ int minbits = 1024;
+ int maxbits = 4096;
+- int defbits = 3072;
++ int defbits = 4096;
+ const char *keyusage;
+ char *subject_name;
+ membuf_t mb_email, mb_dns, mb_uri, mb_result;
+diff -Naurp gnupg2.orig/sm/gpgsm.c gnupg2/sm/gpgsm.c
+--- gnupg2.orig/sm/gpgsm.c
++++ gnupg2/sm/gpgsm.c
+@@ -1800,7 +1800,7 @@ main ( int argc, char **argv)
+ /* The next one is an info only item and should match what
+ proc_parameters actually implements. */
+ es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+- "RSA-3072");
++ "RSA-4096");
+ es_printf ("compliance:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, "gnupg");
+
+ }
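Review bot: The accepted range stays at 1024–4096 in both places this patch touches (`if ((nbits < 1024 || nbits > 4096) && !cardkeyid)` in sm/certreqgen.c and `int minbits = 1024;` in sm/certreqgen-ui.c), so only the default is hardened: an explicit `Key-Length: 1024` in a parameter file is still inside the bounds, although the howto text carried in this same patch calls keys under 2048 bits too weak. If the goal is a stronger baseline rather than only a different default, consider `int minbits = 2048;` and `nbits < 2048` in the range check; otherwise state in the patch header that the floor is deliberately left alone. The new default now equals the upper bound, and it is repeated as a literal in three files (`nbits = 4096`, `defbits = 4096`, `"RSA-4096"`) that the existing comments require to match, so a later change has to touch all three together. How an out-of-range value is handled is not visible here, since the bodies of proc_parameters and gpgsm_gencertreq_tty continue outside the embedded hunks.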
diff --git a/debian/patches/series b/debian/patches/series
index 3d8fed9..b2c19c2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ gpg-drop-import-clean-from-default-keyserver-import-optio.patch
from-master/gpg-change-agent-spawn-2019-07-24-v2.patch
cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
+progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch