From 929e3b949abcdcc6e05a82919a66c0958fad0306 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 18:14:43 +0200
Subject: Setting default RSA key length to 4096 in gpg.
Signed-off-by: Daniel Baumann
---
 .../0002-gpg-default-to-4096-bit-keys.patch | 82 ++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 83 insertions(+)
 create mode 100644 debian/patches/progress-linux/0002-gpg-default-to-4096-bit-keys.patch
diff --git a/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-keys.patch b/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-keys.patch
new file mode 100644
index 0000000..695056c
--- /dev/null
+++ b/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-keys.patch
@@ -0,0 +1,82 @@
+Author: Daniel Baumann
+Subject: gpg: default to 4096-bit RSA keys.
+
+diff -Naurp gnupg2.orig/agent/command.c gnupg2/agent/command.c
+--- gnupg2.orig/agent/command.c
++++ gnupg2/agent/command.c
+@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
+ "\n"
+ " C: GENKEY\n"
+ " S: INQUIRE KEYPARAM\n"
+- " C: D (genkey (rsa (nbits 3072)))\n"
++ " C: D (genkey (rsa (nbits 4096)))\n"
+ " C: END\n"
+ " S: D (public-key\n"
+ " S: D (rsa (n 326487324683264) (e 10001)))\n"
+diff -Naurp gnupg2.orig/doc/wks.texi gnupg2/doc/wks.texi
+--- gnupg2.orig/doc/wks.texi
++++ gnupg2/doc/wks.texi
+@@ -412,10 +412,10 @@ the submission address:
+ The output of the last command looks similar to this:
+ 
+ @example
+- sec rsa3072 2016-08-30 [SC]
++ sec rsa4096 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@@example.net
+- ssb rsa3072 2016-08-30 [E]
++ ssb rsa4096 2016-08-30 [E]
+ @end example
+ 
+ Take the fingerprint from that output and manually publish the key:
+diff -Naurp gnupg2.orig/g10/keygen.c gnupg2/g10/keygen.c
+--- gnupg2.orig/g10/keygen.c
++++ gnupg2/g10/keygen.c
+@@ -49,7 +49,7 @@
+ /* The default algorithms. You should also check that the value
+ is inside the bounds enforced by ask_keysize and gen_xxx. See also
+ get_keysize_range which encodes the allowed ranges. */
+-#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
++#define DEFAULT_STD_KEY_PARAM "rsa4096/cert,sign+rsa4096/encr"
+ #define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
+ 
+ /* When generating keys using the streamlined key generation dialog,
+@@ -1652,7 +1652,7 @@ gen_rsa (int algo, unsigned int nbits, K
+ 
+ if (nbits < 1024)
+ {
+- nbits = 3072;
++ nbits = 4096;
+ log_info (_("keysize invalid; using %u bits\n"), nbits );
+ }
+ else if (nbits > maxsize)
+@@ -2267,7 +2267,7 @@ get_keysize_range (int algo, unsigned in
+ default:
+ *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+ *max = 4096;
+- def = 3072;
++ def = 4096;
+ break;
+ }
+ 
+diff -Naurp gnupg2.orig/g10/keyid.c gnupg2/g10/keyid.c
+--- gnupg2.orig/g10/keyid.c
++++ gnupg2/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+ is copied to the supplied buffer up a length of BUFSIZE-1.
+ Examples for the output are:
+ 
+- "rsa3072" - RSA with 3072 bit
++ "rsa4096" - RSA with 4096 bit
+ "elg1024" - Elgamal with 1024 bit
+ "ed25519" - ECC using the curve Ed25519.
+ "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+ If the option --legacy-list-mode is active, the output use the
+ legacy format:
+ 
+- "3072R" - RSA with 3072 bit
++ "4096R" - RSA with 4096 bit
+ "1024g" - Elgamal with 1024 bit
+ "256E" - ECDSA using a curve with 256 bit
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 5b3442b..ea7ef45 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
 from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
 from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
 progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
+progress-linux/0002-gpg-default-to-4096-bit-keys.patch
-- 
cgit v1.2.3
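Review bot: The new patch file's header (the `+Author:` / `+Subject:` lines at the top of the hunk) carries none of the DEP-3 fields a deliberate downstream divergence should record; adding `Forwarded: not-needed` and a `Last-Update:` date would tell later maintainers this is an intentional distro default rather than an unforwarded fix. Of the inner hunks only the three in `g10/keygen.c` change behaviour — the `agent/command.c`, `doc/wks.texi` and `g10/keyid.c` hunks touch help text, manual examples and comments — and other documentation in the tree may still quote rsa3072, so a search for remaining 3072 references before shipping seems prudent. In the `get_keysize_range` hunk the new `def = 4096` now equals the visible `*max = 4096`, and the `gen_rsa` fallback `nbits = 4096` sits in the `if` arm of an `if`/`else if`, so it is never re-checked against `maxsize`; both functions continue outside their hunks, so whether `maxsize` can ever be tightened below 4096 is not visible here — a comment beside the new default such as `/* Downstream default: pinned to the RSA upper bound; keep in step with *max.  */` would make that coupling explicit.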