I have a user who is interested in deploying Passbolt. As far as I understand, Passbolt depends on the PHP GnuPG extension. PHP GnuPG states in their Github repository that:
“The extension supports only gnupg version 1 and the version 2 is not currently supported. It should be fixed in the extension version 1.5.”
GnuPG 1.X however seems to be deprecated a long time ago, and the GnuPG 2.X major version seems to be the one that should be used.
So, does Passbolt depend on GnuPG 1.X which is essentially deprecated, or have I come to the wrong conclusion?
Gnupg 1.x is old but not deprecated. The last release 1.4 was made in July 2017 and gnupg.org states: “it lacks many modern features and will receive only important updates”. But maybe I missed something, did you see an article saying it is deprecated you could share here?
To my knowledge php-gnupg relies on libgpgme and not the gpg executable (this is why we choose to use php-gnupg in the first place, instead of using a lib calling the executable directly or a pure php implementation). The libgpgme API works fine disregard off the backend. You can see it in the dependencies for the ubuntu packages for example: https://packages.ubuntu.com/xenial/php-gnupg https://packages.ubuntu.com/xenial/libgpgme11
I’m not sure why php-gnupg repositories says only version 1 is supported as it seems to work fine on system with only gpg v2 installed. There are probably some new features of the gnugp2 API that are not supported.
You can ask the maintainer of php-gnupg for more information, that would be interesting to know the bottom of this.