Skip to content


Compiling GnuPG 1.x on Linux for Windows

There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.

Bruce Schneier

Update: sorry, the download links are offline because they were stolen by the FBI.
Update 2: I finally re-uploaded the files to my own server. To make file management easier, only one archive now, containing both binaries and the source.
Update 3: new guide for GnuPG 2.x, but on Linux this time (using a VM works great though)

GnuPG: key size matters, and my key is much bigger than yours

In a previous tutorial a few days ago, I explained in details how to create your own OpenPGP key and use it to sign and receive encrypted e-mails. In this tutorial, I didn’t really go deep into the key length choice: I just suggested to pick the maximum choice offered by Kleopatra (3072 bits) or to go to command line to pick GnuPG’s maximum value (4096 bits) and voilĂ .
However, as SHA-1 is starting to show some weaknesses, key length might matter more than you think until SHA-3 is out. An RSA key larger than 4096 bits will definitely break an old programs or two, but as long as you’re communicating with no too outdated versions of GnuPG, a bigger key should be fine. The main problem is: to generate an RSA key longer than 4096 bits, you’ll need to compile your own GnuPG: GnuPG is perfectly capable to handle longer keys, but a limit of 4096 bits has been hard-coded into the key generation function.
So, here’s a quick guide to edit the maximum key length and then cross-compile GnuPG for Windows on Linux. Note that compiling for Linux should be quite trivial from the documentation. If you don’t want to compile you can just grab my builds (there’s one standard and one optimized for “recent” AMD CPUs such as Phenom 2), although trusting random builds from the internet probably isn’t what you’ll want to do if you’re here worrying about getting a key longer than 4096 bits… Another option is to download my modified source that I finally included into the archive where the binaries are. NB: it’s compressed in 7-zip, in order to uncompress it with Ark you’ll need to install the p7zip-full package.

My setup

I used Kubuntu 11.10 32 bits, up-to-date as of 29 October 2011. That notably includes MinGW-GCC version 4.4.x (I love how current that is, on Windows we have version 4.6.x already). It should be much the same on Ubuntu 11.10, and I guess close enough on Debian and possibly Fedora.

Grabbing the source code

The source can be downloaded from http://www.gnupg.org/download/. Note that we’ll grab version 1.4 and not version 2.0 (see a bit below for the reason why). It’s older but works just as well for key generation.

Getting dependencies

NB: those dependencies are for GnuPG 2.x, I’m not sure if all those are needed for GnuPG 1.x. That’s because I first I tried to compile GnuPG 2.x, but since I failed I fell back to version 1.x, keeping all the packages I had already installed in the process.
apt-get install gcc-mingw32
apt-get install libgpg-error-dev libgcrypt11-dev libassuan-dev libksba-dev libpth-dev
apt-get install zlib1g-dev

Increasing maximum key size

In g10/keygen.c, find (that’s on line 1580 as of version 1.4.11)
unsigned nbits, min, def=2048, max=4096;
and replace, for instance, with:
unsigned nbits, min, def=2048, max=1048576;
(NB: that’s a lot too large, but this way you can be sure you won’t need to edit that again in a big while ^^) (source 1, source 2)

Preparing to build and building

First, an optional step for those who want to optimize the binary to fit their architecture better (for me this would be “amdfam10“): you can customize the compilation flags.

  • in configure.ac find CFLAGS="$CFLAGS -Wall" and replace it with CFLAGS="-O3 -march=amdfam10" this one doesn’t seem to be useful
  • in configure, find CFLAGS="$CFLAGS -Wall" (in version 1.4.11 that’s on line 16170) and replace it with CFLAGS="-O3 -march=amdfam10" (NB: it might be a good idea to just comment the old code then add your own, instead of overwriting it)

Even with those optimizations, my “optimized” build is still like twice slower than the official builds… I can’t figure out why :/

Now all the commands to build (NB: I’m assuming you are in the gnupg root folder):
scripts/autogen.sh --build-w32
touch po/all
make
mkdir dist-w32
scripts/mk-w32-dist

Your built executables will then be available in the dist-w32 folder. Note that the last command seems a bit broken, because according to the source where I found it it should pack all those executables into a zip, which it doesn’t do, but for what we need this will be good enough, as we’ll only use gpg.exe. Before bringing it to Windows, you may want to strip it (to make it smaller, although normally it should be stripped already): strip gpg.exe. Now you can just use it as you would use your original gpg.exe. I’d recommend that you gave this new gpg a different name, and that you’d use it only for creating new keys, because it’s probably slower than official builds (at least for me it is).

Finally, a hint about key size: 10,240 bits sounds more than enough. It’s already a lot slower than 4,096 (I’m talking about a few minutes to generate your key, compared to a few seconds for 4096 bits). I tried 16,384: it took like 40 minutes and eventually gpg crashed while validating the key (cf picture below).
What happens when your key is really too fat

Bonus: cleaning in case you messed up

If you need to rebuild, make sure you run make clean, otherwise the compiler will just use the previously compiled objects, without recompiling them.

Update (2012-01-07): finally uploaded the modified sources.
Update (2012-01-28): uploaded everything back to my own server after the FBI took down the files when taking down MegaUpload.
Update (2012-07-10): here’s a nice blog post that I just found with additional commands such as how to add an encryption subkey and stuff.

Posted in privacy, programming.


2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. emozilla says

    You need to install the package tofrodos to make the script mk-w32-dist works

  2. patheticcockroach says

    Ah, I guess I already had this installed then: I didn’t need to install it in order to compile.



Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA