summaryrefslogtreecommitdiff
path: root/website/news/modified-gnutls-2.4.x-available.mdwn
blob: 36cfbfc51c949dbbef14777c02644262e40baa94 (plain)

[[meta title="Modified GnuTLS 2.4.x available"]]


2008-10-25 UPDATE: GnuTLS 2.6 has been released, and it contains the functionality we needed. Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with passphrase-protected authentication subkeys. The information on this page is now of historical interest only.


The MonkeySphere project is now making available a patched version of GnuTLS version 2.4.x, which enhances the utility of the monkeysphere package by enabling it to read authentication subkeys emitted by GnuPG under certain circumstances.

You can track this package in debian lenny by adding the following lines to /etc/apt/sources.list:

deb http://archive.monkeysphere.info/debian experimental gnutls
deb-src http://archive.monkeysphere.info/debian experimental gnutls

Or you can patch and build the packages yourself with the patches and scripts provided in the MonkeySphere git repo.

The only modification needed simply enables the library to parse a GNU extension to the String-to-key (S2K) mechanism as laid out in RFC 4880.

The specific S2K extension supported is known as gnu-dummy, and it simply allows a "secret" key block to be written without storing any of the secret key material. This is used by GnuPG on the primary key when the --export-secret-subkeys argument is given.

GnuPG's DETAILS file describes this extension this way:

GNU extensions to the S2K algorithm
===================================
S2K mode 101 is used to identify these extensions.
After the hash algorithm the 3 bytes "GNU" are used to make
clear that these are extensions for GNU, the next bytes gives the
GNU protection mode - 1000.  Defined modes are:
  1001 - do not store the secret part at all
  1002 - a stub to access smartcards (not used in 1.2.x)

And gpg(1) says of --export-secret-subkeys:

[This] command has the special property to render the secret
part of the primary key useless; this is a GNU extension to
OpenPGP and other implementations can not be expected to
successfully import such a key.

A version of this patch was first proposed on gnutls-dev, and looks like it will be adopted upstream in the GnuTLS 2.6.x series, at which point these packages will be unnecessary.

Until that time, these packages are provided to tide over users of monkeysphere on debian lenny (or compatible systems) who want to be able to hand off the authentication-capable OpenPGP subkeys in their GnuPG keyring to their SSH agent.