Fedora and GPG 2.5

By Joe Brockmeier
January 26, 2026

The GNU Privacy Guard (GPG) project decided to break from the OpenPGP standard for email encryption in 2023, and instead adopted its own homegrown LibrePGP specification. The GPG 2.4 branch, the last one to adhere to OpenPGP, will be reaching the end of life in mid-2026. The Fedora project is currently having a discussion about how that affects the distribution, its users, and what to offer once 2.4 is no longer receiving updates.

gpg.fail

The Fedora discussion was prompted by the gpg.fail disclosures in late December. Christian Stadelmann learned about the GPG flaws reported by the gpg.fail researchers and noticed that Fedora's gnupg2 package had not received any updates to fix those flaws. In fact, the package had not been updated since July 2025. He asked about this on the Fedora devel mailing list and pointed to a bug that lists all the 2.5.x updates that have not been packaged for Fedora. "Is it possible that gnupg is unmaintained? This would pose a high security risk to the Fedora project."

The package was not unmaintained. Red Hat, which employs the GPG package's maintainer Jakub Jelen, has an annual shutdown at the end of the year during the holidays. Like many other Red Hat employees, Jelen was taking some time off. In addition, he explained on January 2, he was keeping the package on GPG's "oldstable" 2.4 branch deliberately. That was why the package had not seen updates in several months—its upstream had not pushed out any new 2.4 releases.

The 2.5 branch was originally an experimental branch that implemented LibrePGP. Jelen noted that LibrePGP is not compatible with anything else and would likely result in users shooting themselves in the feet. "Updating to 2.5 would result in new users generating incompatible LibrePGP keys, which I do not think is a good idea to do now for all Fedora users." Since that is undesirable, he had been staying on 2.4 and syncing with the FreePG repository that contains a set of patches that is maintained for downstream projects, such as Debian and Fedora. The gnupg2 package for Fedora 43 includes a number of patches from FreePG, though it does not include the patch for LibrePGP format support.

Jelen said that he hoped to have a better solution by the time that GPG 2.4 reaches the end of its life, "but I can not anticipate what it is going to be". Meanwhile, he also noted that he was pushing out a package with the 2.4 fixes from the GPG project.

Michael Gruber pointed out that some of the fixes were available since October on the 2.4 branch (but not yet in a release). Jelen said that he was unaware of that, because he tracked the CVE database and there had not been CVEs issued. He said it made him question, again, whether Fedora should invest time and resources into an upstream that is not disclosing vulnerabilities clearly.

The communication around 2.5 has been somewhat muddy in general. Until recently, the 2.5.x series was understood to be a development branch and the next stable version of GPG would be 2.6. In June 2025, Koch said in the announcement for GPG 2.5.8 that the release was "another one in a series of public testing releases leading to a new stable version 2.6". The 2.5.9 release in July had similar language. Versions 2.5.10 and 2.5.11 did not have release announcements sent to the GPG announcement list. In September, Koch announced 2.5.12 and said that the 2.5 series is fully supported and ready for production use. He also sent out an announcement for GPG 2.4.8 several months after it was actually released in August 2025; that announcement noted that 2.4 would reach end of life in June 2026. The news that 2.4's end of life was approaching was not quite in the bottom of a locked filing cabinet in a disused lavatory, but it would not be surprising if a number of users and packagers missed the message all the same.

Alternatives

In the discussion that followed, Clemens Lang pointed out that Red Hat was standardizing on the Sequoia project, and that Red Hat Enterprise Linux (RHEL) 10 had dropped GPG's libgcrypt as a core cryptography library. "RHEL 10 already contains RPM signing keys that cannot be understood by GnuPG." Gruber said that he was all for replacing GPG with something better, but complained that Red Hat was choosing key types that would force Sequoia adoption. He did not, however, offer a preferred replacement for GPG.

Neal Gompa said that Red Hat was not trying to drive Sequoia adoption with incompatible key types; it had chosen post-quantum cryptography (PQC) algorithms, and GPG simply does not support PQC. Jelen agreed and said that Red Hat was not forcing Sequoia adoption, and that any implementation of the OpenPGP standard should do. "We just want to stay on the 'standard' side".

Sequoia developer Neal H. Walfield said that there were two ways to replace GPG with Sequoia: convince application developers to switch, and finish the work-in-progress drop-in replacement (dubbed "Chameleon") for GPG that uses Sequoia.

The chameleon has the advantage that instead of forcing an application to switch to Sequoia, we give the user the freedom to choose what implementation they prefer. The disadvantage of the chameleon is that it has to be compatible with gpg, which means that we can't change the interface or the workflows. Further, since gpg's interface is quite complex with lots of subtle interactions, writing a perfect drop-in replacement will take a long time. So far we've implemented the functionality that some specific applications use. That has worked pretty well and I'd estimate that we have >90% coverage. But a lot more work is needed to cover the long tail of commands and their many options.

Petr Menšík brought up the %{gpgverify} macro used for Fedora RPM packaging. Fedora's packaging guidelines specify that packagers must use %{gpgverify} to perform verification of a source file's signature at the start of the build process for an RPM. Currently, that macro expands to an invocation of the gpgv signature tool. Gruber responded that the guidelines did not require that the macro call gpgv specifically, though; it could be changed to use Sequoia's sqv instead.

So far, no decision has been reached, though it would seem that the consensus is largely in favor of replacing GPG with Sequoia in instances where Fedora tooling requires signing and verification of OpenPGP signatures.

What to provide to users is still on the table. Arch Linux, Debian, Ubuntu, and other major distributions are still providing 2.4.x versions of GPG. Fedora tries to avoid deviating from upstream most of the time, but providing a version of GPG that does not implement the OpenPGP standard may not serve users well. The clock is ticking; the Fedora 44 release that is expected in April will likely ship with GPG 2.4.9, but a decision for Fedora 45 will need to be reached soon.

Index entries for this article
Security	GNU Privacy Guard (GPG)

to post comments

...

Posted Jan 26, 2026 19:19 UTC (Mon) by cen (subscriber, #170575) [Link] (3 responses)

I was looking into using Sequoia instead of gpg to use with my Yubikey or just hardware keys in general but couldn't find a single guide on how to do it (except a blog post from 2021) , google search is a complete wasteland. What I get from this article is that we're moving towards yet another hard collision when the old tool is being replaced with the new and it will be yet another clusterf* of a transition like Wayland or Python 2. Bonus points in that standards will no longer be compatible. Same old, same old.

...

Posted Jan 26, 2026 20:05 UTC (Mon) by neverpanic (subscriber, #99747) [Link]

Yeah, there can probably be better documentation around that, but for now you have two (maybe three) options on a scale from pretty simple to pretty complicated:

(a) Keep using the GnuPG agent `gpg-agent`. Sequoia knows how to talk to that and will by default. I.e., if you import your current public key into `sq`, you should immediately be able to decrypt and sign with it.

(b) Build sequoia-keystore (https://gitlab.com/sequoia-pgp/sequoia-keystore/-/tree/ma...) with its `openpgp-card` feature (https://gitlab.com/sequoia-pgp/sequoia-keystore/-/blob/ma...) using `cargo build --release --features openpgp-card`. I've seen this work on my machine, but it is at times a little rough around the edges. For example, it won't prompt you to insert your Yubikey if it isn't connected like gpg-agent does, but will just fail the operation. As far as I know, it also currently doesn't have pinentry integration and will ask for the Yubikey PIN on the command line only, which may not be what you want.

(c) Create a new key in a PIV-compatible PKCS#11 token and use that. Requires building sq with the `sequioa-keystore/cryptoki` feature (https://gitlab.com/sequoia-pgp/sequoia-keystore/-/blob/pq...) and using the `sequoia-cryptoki` tool (https://gitlab.com/sequoia-pgp/sequoia-cryptoki) to create that key. Pretty complicated, requires compiling a bunch of things from source, wouldn't recommend it now — but long term it allows you to get off specialized OpenPGP cards (which I guess also won't see further development to include, for example, PQC algorithms) and onto a card standard that is being developed. In fact, I've just finished a demo for a talk at FOSDEM where I show this particular approach, see https://github.com/neverpanic/fosdem-rpm-pqc-signing-demo/ and https://www.youtube.com/watch?v=svtu1yJpfEg.

Of course the entire situation is a shitshow, and the fork in PGP standards will mean an already crumbling ecosystem sees even more disarray. At the moment, I don't see a path out of that with GnuPG.

On a positive note, that's the first time I've made it to LWN, so yay, I guess? :D

...

Posted Jan 27, 2026 12:31 UTC (Tue) by kanru (subscriber, #63577) [Link] (1 responses)

Sequoia used to have experimental support for directly talking to hardware keys, but now it seems it has to rely on gpg-agent or a compatible agent.

If you need a standalone Rust tool, OpenPGP-card-tools (OCT) is a great alternative for YubiKeys and NitroKeys. You can also use the opensc-pkcs11 adapter to bridge these keys for SSH use. A key advantage of this stack is that it communicates via PCSC instead of scdaemon, meaning you won't run into the "resource busy" locking issues typical of GnuPG.

Sequoia supports OpenPGP Cards

Posted Jan 27, 2026 12:55 UTC (Tue) by neal (subscriber, #7439) [Link]

Sequoia has support for both gpg-agent and OpenPGP Cards.

Whereas gpg-agent support is enabled by default, OpenPGP card support is disabled. This is due to the aforementioned issue that gpg-agent locks cards by default, which results in problems when a process tries to access a card using both gpg-agent and the native OpenPGP card support. The reason that we decided to enabled gpg-agent by default is that it seems like this is the more usable configuration for most users: they can immediately use their existing keys with tools like sq; no manual configuration required.

We are slowly working to add support for reading gpg-agent's configuration files, but this is tricky and there are other things that we want to make progress on as well. For most people, the gpg-agent solution is good enough.

Why the heck?

Posted Jan 27, 2026 3:34 UTC (Tue) by smurf (subscriber, #17840) [Link] (5 responses)

I'd be (mildly) interested in knowing why the GPG maintainer(s?) thinks that further fragmenting of an already-small-ish standard is a good idea in the first place.

Why the heck?

Posted Jan 27, 2026 4:29 UTC (Tue) by Kluge (subscriber, #2881) [Link]

It's the third link in the article: https://lwn.net/Articles/953797/

Why the heck?

Posted Jan 27, 2026 4:34 UTC (Tue) by ebiederm (subscriber, #35028) [Link] (1 responses)

LWN covered that a while ago
https://lwn.net/Articles/953797/.

Why the heck?

Posted Jan 27, 2026 7:51 UTC (Tue) by smurf (subscriber, #17840) [Link]

Thanks. Seems that the discussion, if you even want to call it that, has stalled since then.

I have to admit that after reviewing this I'm all for switching to Sequoia — if only because I've been bitten by https://dev.gnupg.org/T4393 .

Why the heck?

Posted Jan 27, 2026 6:20 UTC (Tue) by draco (subscriber, #1792) [Link] (1 responses)

I didn't find the previous LWN coverage particularly illuminating, but after some digging online, these two links answered all my lingering questions:

https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia....

https://blog.pgpkeys.eu/critique-critique.html

Why the heck?

Posted Feb 4, 2026 13:55 UTC (Wed) by ondrej (subscriber, #27872) [Link]

Let me say that I know DKG personally and he is the most kind and most pleasant person to work with I ever met.

Neal Gompa said that Red Hat was not trying to drive Sequoia adoption with incompatible key types; it had chosen post-quantum cryptography (PQC) algorithms, and GPG simply does not support PQC.

Posted Jan 27, 2026 6:36 UTC (Tue) by sam_c (subscriber, #139836) [Link] (5 responses)

> Neal Gompa said that Red Hat was not trying to drive Sequoia adoption with incompatible key types; it had chosen post-quantum cryptography (PQC) algorithms, and GPG simply does not support PQC.

GnuPG does support PQC in the form of Kyber, as part of the LibrePGP spec. AIUI the LibrePGP and OpenPGP PQC provisions are incompatible though.

Post-Quantum Support

Posted Jan 27, 2026 8:07 UTC (Tue) by neal (subscriber, #7439) [Link] (1 responses)

You're both half right. LibrePGP (draft-koch-librepgp-04) does support post-quantum cryptography in the form of ML-KEM. But ML-KEM can only be used for encryption and decryption. OpenPGP supports ML-KEM for encryption and decryption, and ML-DSA and SLH-DSA for signing and verification. One of the drivers of this change in Fedora is the desire for post-quantum signing of packages, which LibrePGP does not currently support. Werner doesn't consider signing that important:

Signing is for now not an important topic.  The primary goal is to
secure data at rest (sniffed) to be prepared for the case that classical
encrypion algorithms are at risk due to QC.

Post-Quantum Support

Posted Jan 27, 2026 9:10 UTC (Tue) by sam_c (subscriber, #139836) [Link]

Thanks for explaining. It's not easy to find much of this :)

Neal Gompa said that Red Hat was not trying to drive Sequoia adoption with incompatible key types; it had chosen post-quantum cryptography (PQC) algorithms, and GPG simply does not support PQC.

Posted Jan 27, 2026 8:43 UTC (Tue) by neverpanic (subscriber, #99747) [Link] (2 responses)

Kyber is dead, only ML-KEM is relevant now. I don't know whether libgcrypt's implementation happens to be ML-KEM and only uses the Kyber name, or whether it really is Kyber (which would be another incompatibility).

That being said, RHEL uses Sequoia for signatures over RPMs, and while libgcrypt has code for that, GnuPG does not. Sequoia also has support for HSMs through PKCS#11 including PQC, which is critical for high-value targets like signing keys, another thing GnuPG lacks.

A message further down in the mailing list thread did explain that, too: https://lwn.net/ml/fedora-devel/5760EFDD-867C-47FB-A1FD-8...

So while Neal wasn't entirely correct, for the purposes that matter here, I feel like he was close enough.

Kyber is just another name ML-KEM aka FIPS-203.

Posted Jan 27, 2026 15:23 UTC (Tue) by dd9jn (✭ supporter ✭, #4459) [Link] (1 responses)

Kyber and ML-KEM are actually the same. Specification wise we changed to the final FIPS-203 (aka ML-KEM):

Noteworthy changes in version 2.5.1 (2024-09-12)

  * gpg: The support for composite Kyber+ECC public key algorithms
    does now use the final FIPS-203 and LibrePGP specifications.  The
    experimental keys from 2.5.0 are no longer supported.  [T6815]

From the Kyber site of things there is no visible change but protocol wise we changed the code point to the final one. Signatures are far more problematic because you can't simply have a subkey as you can do for encryption keys. Thus for easier migration it is better to first support encryption and after the signature problems have been sorted out allow to use Dilithium or whatever signature scheme is then (before 2030 in Germany) en-vogue.

BTW: for some real-world words on all pqc things see Peter Gutman's talk.

the talk

Posted Feb 6, 2026 21:47 UTC (Fri) by cbushey (guest, #142134) [Link]

Thank you for the reference to Peter Gutman's talk. Going off the title I thought it wouldn't be very convincing of anything but it turned out to be very interesting to me. It brings to light real issues with quantum computers that have been demonstrated so far.

CVEs

Posted Jan 27, 2026 6:38 UTC (Tue) by sam_c (subscriber, #139836) [Link] (2 responses)

> Michael Gruber pointed out that some of the fixes were available since October on the 2.4 branch (but not yet in a release). Jelen said that he was unaware of that, because he tracked the CVE database and there had not been CVEs issued. He said it made him question, again, whether Fedora should invest time and resources into an upstream that is not disclosing vulnerabilities clearly.

This part is vulnerable to some debate, I'd say. I think the GnuPG people were bound by the disclosure timeline negotiated between themselves and the 'gpg.fail' researchers. Some projects will still publish fixes, either with reference to a vulnerability but no details (especially if they don't think it's exploitable), or with no mention of it being a security fix until later in an advisory.

CVEs

Posted Jan 27, 2026 8:46 UTC (Tue) by neal (subscriber, #7439) [Link] (1 responses)

Some of the fixes include a POC, like the fix for possible memory corruption in the armor parser, which was committed in October.

CVEs

Posted Jan 27, 2026 9:09 UTC (Tue) by sam_c (subscriber, #139836) [Link]

Yes, and indeed:
> However memory corruption can never be tolerated as it always has the protential for remode code execution.
so a CVE should have been requested immediately. Thanks!

LibrePGP is not compatible to what?

Posted Jan 27, 2026 15:40 UTC (Tue) by dd9jn (✭ supporter ✭, #4459) [Link]

Sorry, I can't let this go without a comment:

> Jelen noted that LibrePGP is not compatible with anything else [...]

LibrePGP (aka rfc4880bis) is OpenPGP (rfc4880) plus SHA256 fingerprints for certain keys, OCB, PQC-resistant encryption, and AES as fallback instead of 3DES. Also a couple of other changes which are in active use by all implementations since 4880 was released in 2008 (ed25519 etc). It is fully compatible to all OpenPGP implementation actively in use all over the world.

In fact rfc9580, which claims to be OpenPGP now, dropped real world things from OpenPGP and is thus not backward compatible. Let me only name the dropping of Designated Revokers, which is a very useful feature to make OpenPGP useful for large organizations. It has been used since PGP5; and PGP installations are still used by many organizations.

Might be useful to hard-fork gnupg 1.x

Posted Jan 28, 2026 9:15 UTC (Wed) by mirabilos (subscriber, #84359) [Link]

Add gpg-agent from a workable gpg2 version, and voilà you have a not-so-sucking thing without all those new options that cause all that trouble.

I will not miss GnuPG

Posted Jan 30, 2026 21:29 UTC (Fri) by DemiMarie (subscriber, #164188) [Link]

Personally, I will not miss GnuPG at all.

I trivially found many missing end of file/packet/etc checks in the parsers. There is a known and unfixed denial of service vulnerability via compressed signatures. There are missing checks for I/O errors when writing data. This is before one even gets to https://gpg.fail.

I even sent patches to fix the denial of service vulnerability and they were rejected.