On Fri, Mar 10, 2017 at 11:00 AM, Bernhard E. Reiter <bernhard.reiter@xxxxxxxxxxxxx> wrote: > Dear Git-Devs, I haven't contributed to Git's GPG code, but I'm taking the liberty of CC-ing some people who have. > git uses an pipe-and-exec approach to running a GnuPG binary > as writen in the documentation [1]: > > gpg.program > Use this custom program instead of "gpg" found on $PATH when making > or verifying a PGP signature. The program must support the same > command-line interface as GPG > > please consider using libgpgme interfacing to GnuPG, because the gpg > command-line interface is not considered an official API to GnuPG by the > GnuPG-devs and thus potentially unstable. > > == Details > > I'm involved in GnuPG development. For most applications using libgpgme is the > way what GnuPG-devs would recommend, also see > > https://wiki.gnupg.org/APIs . > > GnuPG devs are making a good effort of trying to keep the command-line > interface stable, though it is not for sure. Git is only using a small part > of the interface, so the risk when keeping the current way is small. > Still I believe git's stability and usability would profit when moving to > libgpgme, especially with the coming move to GnuPG 2.2, better diagnosing > messages and for cross-plattform usage. > > == Usability problem with `gpg2` vs `gpg` > > My use case today was signing and git by default found the `gpg` binary by > default and the command failed. The reason is that I have `gpg2` installed > and most applications use it right away. So git failed signing because > the .gnupg configuration of the user was not ready for the old `gpg` which is > still installed on Debian GNU/Linux for purposes of the operating system. If > git would have used libgpgme, gpgme would have choosen the most uptodate > version of `gpg` available (or configured) without me intervening via > gpg.program. Now because of this problem you could adding a check for `gpg2` > and fallback to `gpg`, but even better would be to move to libgpgme. >:) I'm on Debian but haven't had these issues. What's your gpg & gpg2 --version & Debian release? And what in particular failed? And what git version was this? I see we've had a couple of workarounds for gpg2, in particular Linus's v2.8.4-1-gb624a3e67f, but if you have v2.10.0 or later that won't fix whatever issue you had. Using the library sounds good, but a shorter-term immediate fix would be to figure out what bug you encountered in our use of the command-line version, and see if we've fixed that already or not. Regardless of what we do with a gpg library in the future some distros might want to backport such a small patch if we can come up with it. > Best Regards and thanks for maintaining Git as Free Software, > Bernhard > > == how to respond > > ps: Please copy me on replies as I am not on git@xxxxxxxxxxxxxxx. > pps: I've copied gnupg-devel@ so they can see I've send this report, you don't > have to. > > > [1] > https://github.com/git/git/blob/3bc53220cb2dcf709f7a027a3f526befd021d858/Documentation/config.txt > search for 'gpg.program'. > > -- > www.intevation.de/~bernhard (CEO) +49 541 33 508 3-3 > Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998 > Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner