Modular GnuPG packaging
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Currently GnuPG is packaged in a way that puts almost all tools and services into a single, monolithic RPM package. However, only few tools from the gnupg2 package are actually used by other tools and users. With this change, core tools and optional utilities are split off into separate packages.
Owner
- Name: Fabio Valentini
- Email: <decathorpe AT gmail DOT com>
- Name: Jakub Jelen
- Email: <jjelen AT redhat DOT com>
Current status
- Targeted release: Fedora Linux 43
- Last updated: 2025-05-06
- Announcement
- Discussion thread
- FESCo issue: #3405
- Tracker bug:
- Release notes tracker:
Detailed Description
Currently GnuPG is packaged as a monolithic RPM that contains all tools and services (except the S/MIME support, which is in gnupg2-smime, but which is also pulled in by default).
This Change proposes to split the tools provided by the monolithic gnupg2 package into different subpackages, in part based on in how GnuPG 2.4 is packaged in debian:
- gnupg2: gpg executable
- gnupg2-dirmngr: certificate management service
- gnupg2-g13: encrypted file system containers
- gnupg2-gpgconf: core configuration utilities
- gnupg2-gpg-agent: cryptographic agent
- gnupg2-keyboxd: public key material service
- gnupg2-scdaemon: SmartCard daemon
- gnupg2-smime: S/MIME support
- gnupg2-wks: Web Key Service (WKS) client and server
- gnupg2-utils: non-essential utilities
- gnupg2-verify: gpgv executable
Only mandatory subpackages will get installed by default on new systems, but upgrades from existing installs will pull in all components that were split off, to avoid breaking existing users and workflows.
This results in fewer unused programs and / or services being installed and running, and would allow a more minimal install for scenarios where only gpg or gpgv are needed, for example, for signature verification during package builds.
Additionally, it allows swapping out the actual GnuPG implementation with the one based on Sequoia-PGP, which only depends on gpgconf and gpg-agent being present, but can otherwise function as a drop-in replacement for gpg and gpgv (even via the GPGME library).
The implementation of this change is available for review in a pull request, and test builds are available in COPR.
Feedback
Based on feedback, the subcomponents that were split off into subpackages will get installed on upgrade, but not in fresh installs, to avoid breaking existing users and use cases. The pull request linked above has been updated accordingly.
Benefit to Fedora
This change results in fewer unused executables and running services being installed by default, making more components optional. It also allows users to swap the gpg implementation on the system based on their needs.
Scope
- Proposal owners:
Packaging changes to the gnupg2 package to introduce new subpackages.
Adapt packages that require utilities that have moved to other subpackages of gnupg2 (TBD), file pull requests.
- Other developers:
Review and merge pull requests.
- Release engineering:
N/A (not a System-Wide Change)
- Policies and guidelines:
N/A (not a System-Wide Change)
- Trademark approval:
N/A
- Alignment with the Fedora Strategy:
N/A
Upgrade/compatibility impact
On upgrade to Fedora 43, some non-essential GnuPG utilities will no longer be available by default, and instead moved to the optional gnupg2-g13, gnupg2-utils, and gnupg2-wks packages.
Alternatively, these optional packages could get pulled in on upgrade, but not for "fresh" installs.
How To Test
Upgrading to a Fedora version that has this Change implemented should cause no disruption, since the new optional subpackages should get installed. On fresh installs of Fedora 43+, some optional components should not get installed by default.
In either case, OpenPGP related functionality of the system should continue working as expected (note that this does *not* impact package management, which no longer uses GnuPG in any way).
User Experience
This Change should not affect most users. On a default install, some non-essential GnuPG tools will no longer be included by default.
Dependencies
N/A
Contingency Plan
- Contingency mechanism:
The Change Owners will revert the changes to the gnupg2 package and ensure an upgrade path for users who have already have the new subpackages installed on their systems.
- Contingency deadline:
N/A (not a System Wide Change)
- Blocks release?
N/A (not a System Wide Change)
Documentation
N/A (not a System Wide Change)
Release Notes
The previously monolithic GnuPG package (gnupg2) was modularized, with several tools and non-essential utilities having been split into separate subpackages. The non-essential utilities (in gnupg2-utils) and some services that are unused on most systems are no longer installed by default.
