author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-18 21:17:17 +0000 |
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-18 21:17:17 +0000 |
commit | bd4005765c9524a0ba09ad004dbc68b87ca88d0f (patch) | |
tree | 7ba55cf98941c519d1e02a469f4bdc085a28de35 | |
parent | Updating vcs fields. (diff) | |
Setting default RSA key length to 4096 in gpgsm.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r-- | debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch | 97 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 98 insertions, 0 deletions
diff --git a/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
new file mode 100644
index 0000000..4187e6e
--- /dev/null
+++ b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
@@ -0,0 +1,97 @@
+Author: Daniel Baumann <daniel.baumann@progress-linux.org>
+Subject: gpgsm: default to 4096-bit keys.
+
+diff -Naurp gnupg2.orig/doc/gpgsm.texi gnupg2/doc/gpgsm.texi
+--- gnupg2.orig/doc/gpgsm.texi
++++ gnupg2/doc/gpgsm.texi
+@@ -1124,7 +1124,7 @@ key. The algorithm must be capable of si
+ parameter. The only supported value for @var{algo} is @samp{rsa}.
+
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits. Defaults to 3072.
++The requested length of a generated key in bits. Defaults to 4096.
+
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff -Naurp gnupg2.orig/doc/howto-create-a-server-cert.texi gnupg2/doc/howto-create-a-server-cert.texi
+--- gnupg2.orig/doc/howto-create-a-server-cert.texi
++++ gnupg2/doc/howto-create-a-server-cert.texi
+@@ -31,12 +31,12 @@ Let's continue:
+
+ @cartouche
+ @example
+- What keysize do you want? (3072)
+- Requested keysize is 3072 bits
++ What keysize do you want? (4096)
++ Requested keysize is 4096 bits
+ @end example
+ @end cartouche
+
+-Hitting enter chooses the default RSA key size of 3072 bits. Keys
++Hitting enter chooses the default RSA key size of 4096 bits. Keys
+ smaller than 2048 bits are too weak on the modern Internet. If you
+ choose a larger (stronger) key, your server will need to do more work.
+
+@@ -124,7 +124,7 @@ request:
+ @example
+ These parameters are used:
+ Key-Type: RSA
+- Key-Length: 3072
++ Key-Length: 4096
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate,
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+- key type: 3072 bit RSA
++ key type: 4096 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+diff -Naurp gnupg2.orig/sm/certreqgen.c gnupg2/sm/certreqgen.c
+--- gnupg2.orig/sm/certreqgen.c
++++ gnupg2/sm/certreqgen.c
+@@ -26,7 +26,7 @@
+ $ cat >foo <<EOF
+ %echo Generating a standard key
+ Key-Type: RSA
+- Key-Length: 3072
++ Key-Length: 4096
+ Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
+ Name-Email: joe@foo.bar
+ # Do a commit here, so that we can later print a "done"
+@@ -471,7 +471,7 @@ proc_parameters (ctrl_t ctrl, struct par
+ /* Check the keylength. NOTE: If you change this make sure that it
+ macthes the gpgconflist item in gpgsm.c */
+ if (!get_parameter (para, pKEYLENGTH, 0))
+- nbits = 3072;
++ nbits = 4096;
+ else
+ nbits = get_parameter_uint (para, pKEYLENGTH);
+ if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
+diff -Naurp gnupg2.orig/sm/certreqgen-ui.c gnupg2/sm/certreqgen-ui.c
+--- gnupg2.orig/sm/certreqgen-ui.c
++++ gnupg2/sm/certreqgen-ui.c
+@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estre
+ unsigned int nbits;
+ int minbits = 1024;
+ int maxbits = 4096;
+- int defbits = 3072;
++ int defbits = 4096;
+ const char *keyusage;
+ char *subject_name;
+ membuf_t mb_email, mb_dns, mb_uri, mb_result;
+diff -Naurp gnupg2.orig/sm/gpgsm.c gnupg2/sm/gpgsm.c
+--- gnupg2.orig/sm/gpgsm.c
++++ gnupg2/sm/gpgsm.c
+@@ -1737,7 +1737,7 @@ main ( int argc, char **argv)
+ /* The next one is an info only item and should match what
+ proc_parameters actually implements. */
+ es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+- "RSA-3072");
++ "RSA-4096");
+ }
+ break;
+ case aGPGConfTest:
diff --git a/debian/patches/series b/debian/patches/series
index edeee22..5b3442b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
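Review bot: The new patch pins `defbits = 4096` in sm/certreqgen-ui.c while `maxbits` stays 4096, and proc_parameters in sm/certreqgen.c still rejects `nbits > 4096`, so the default now sits exactly on the hard ceiling; that is coherent today, but the DEP-3 header should record it (and add `Forwarded: not-needed` with a one-line rationale) so a later bump of the default is not made without also raising the ceiling and the `default_pubkey_algo` gpgconf item in sm/gpgsm.c, which the in-code comment says must stay in sync. The same range check still admits 1024-bit keys while the patched howto text says keys below 2048 bits are too weak; that inconsistency predates this change and is out of scope, but is worth noting in the header if the intent is to harden gpgsm defaults. The enclosing proc_parameters and gpgsm_gencertreq_tty functions continue outside the quoted hunks, and whether any test fixtures still assume 3072 cannot be seen from this diff.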
@@ -24,3 +24,4 @@ from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch
 from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
 from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
 from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
+progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
|