2.4.1 29 Apr 2023 12:05
If the /.gnupg directory does not exist, the keyboxd is now automagically enabled. rGd9e7488b17
Gpg: New option --add-desig-revoker. rG3d094e2bcf
Gpg: New option --assert-signer. rGc9e95b8dee
Gpg: New command --quick-add-adsk and other ADSK features. T6395, https://gnupg.org/blog/20230321-adsk.html
Gpg: New list-option "show-unusable-sigs". Also show "self-signature" instead of the user-id in key signature.
Gpg: For symmetric encryption the default S2K hash is now SHA256.
Gpg: Detect already compressed data also when using a pipe. Also detect JPEG and PNG file formats. T6332
Gpg: New subcommand "openpgp" for --card-edit. T6462
Gpgsm: Verification of detached signatures does now strip trailing zeroes from the input if --assume-binary is used. rG2a13f7f9dc
Gpgsm: Non-armored detached signatures are now created without using indefinite form length octets. This improves compatibility with some PDF signature verification software. rG8996b0b655
Gpgtar: Emit progress status lines in create mode. T6363
Dirmngr: The LDAP modifyTimestamp is now returned by some keyserver commands. rG56d309133f
Ssh: Allow specification of the order keys are presented to ssh. See the man page entry for --enable-ssh-support. T5996, T6212
Gpg: Make list-options "show-sig-subpackets" work again. Regression in 2.4.0. rG5a223303d7
Gpg: the keytocard command for Yubikeys. T6378
Gpg: Do not continue an export after a cancel for the primary key.
Gpg: Replace the --override-compliance-check hack by a real.
Gpgtar: decryption with input taken from stdin. T6355
2.4.0 17 Dec 2022 07:45
Gpg: New command --quick-update-pref. rGd40d23b233
Gpg: New list-options show-pref and show-pref-verbose.
Gpg: New option --list-filter to restrict key listings like gpg -k --list-filter 'select=revoked-f sub/algostr=ed25519'
Gpg: New --export-filter export-revocs. rGc985b52e71
Gpg: Also import stray revocation certificates. rG7aaedfb107
Gpg: Add a notation to encryption subkeys in de-vs mode. T6279
Gpg: Improve signature verification speed by a factor of more than four. Double detached signing speed. T5826
Gpg: Allow only OCB for AEAD encryption. rG5a2cef801d
Gpg: trusted introducer for mbox only user-ids. T6238
Gpg: Report an error via status-fd for receiving a key from the.
Gpg: Make --require-compliance work without the --status-fd.
Gpg: verification of cleartext signatures with overlong lines.
Agent: import of protected OpenPGP v5 keys. T6294
Gpgsm: Change the default cipher algorithm from AES128 to AES256. Also announce support for this in signatures. rG2d8ac55d26
Gpgsm: Always use the chain validation model if the root-CA requests this. rG7fa1d3cc82
Gpgsm: Print OCSP revocation date and reason in cert listings.
Agent: Support Win32-OpenSSH emulation by gpg-agent. T3883
Scd: Support the Telesec Signature Card v2.0. T6252
Scd: Redact --decardio output of a VERIFY APDU. T5085
Scd: Skip deleted pkcs#15 records in CARDOS 5. rG061efac03f
Dirmngr: build with no LDAP support. T6239
Dirmngr: verification of ECDSA signed CRLs. rG868dabb402
Wkd: New option --add-revocs for gpg-wks-client. rGc3f9f2d497
Wkd: Ignore expired user-ids in gpg-wks-client. T6292
Card: New commands "gpg" and "gpgsm". rG9c4691c73e
2.3.8 14 Oct 2022 03:17
Gpg: Do not consider unknown public keys as non-compliant while.
Gpg: Avoid to emit a compliance mode line if Libgcrypt is.
Gpg: Improve --edit-key setpref command to ease c+p. rG1908fa8b83
Gpg: Emit an ERROR status if --quick-set-primary-uid fails and allow to pass the user ID by hash. T6126
Gpg: Actually show symmetric+pubkey encrypted data as de-vs compliant. Add extra compliance checks for symkey_enc packets.
Gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit.
Gpgsm: reporting of bad passphrase error during PKCS#11.
Agent: a regression in "READKEY --format=ssh". T6012
Agent: New option --need-attr for KEYINFO. rG989eae648c
Agent: New attribute "Remote-list" for use by KEYINFO.
Scd: problem with Yubikey 5.4 firmware. T6070
Dirmngr: CRL Distribution Point fallback to other schemes.
Dirmngr: New LDAP server flag "areconly" (A-record-only).
Dirmngr: upload of multiple keys for an LDAP server specified using the colon format. rG536b5cd663
Dirmngr: Use LDAP schema v2 when a Base DN is specified. T6047
Dirmngr: Avoid caching expired certificates. T6142
Wkd: Fix path traversal attack in gpg-wks-server. Add the mail address to the pending request data. rG8a63a8c825, T6098
Wkd: New command --mirror for gpg-wks-client. T6224
Gpg-auth: New tool for authentication. T5862
New common.conf option no-autostart. rG203dcc19eb
Silence warnings from AllowSetForegroundWindow unless GNUPG_EXEC_DE_FLAGS is used. rG4ef8516a79
2.3.7 12 Jul 2022 03:17
Gpg: Fix possibly garbled status messages in NOTATION_DATA. This could trick GPGME and other parsers to accept faked status lines. T6027, CVE-2022-34903
Gpg: Look up user ID to revoke by UID hash. T5936
Gpg: Setup the 'usage' filter property for export. rG7aabd94b81
Gpg,w32: Allow Unicode filenames for iobuf_cancel. rG4ee2009083
Gpg: reading AEAD preference. T6019
Gpgsm: New option --compatibility-flags. rGf0b373cec9
Gpgsm: Rework the PKCS#12 parser to support DFN d keys.
Agent: New option --no-user-trustlist and --sys-trustlist-name.
Agent: Pop up dialog window for confirmation, when specified so.
Agent: Show "Label:" field of private key when prompt the.
Agent: Handle USAGE information in KEYINFO. rG295a6a7591
Agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.
Agent,ssh: Support "Use-for-ssh" flag in private key. T5985
Agent: New field "Prompt" to prevent asking card key insertion.
Agent: Support --format=ssh option for READKEY. T6012
Agent: Add KEYATTR command. T5988
Agent: Flush before calling ftruncate. T6035
Agent: Do not consider --min-passphrase-len for the magic wand.
Kbx: a race condition which results no status report. T5948
Scd:openpgp: a segv for cards supporting unknown curves.
Scd:p15: reading certificates without length info.
Scd:p15: Improve the displayed S/N for Technology Nexus cards.
Scd:openpgp: Add workaround for ECC attribute on Yubikey. T5963
Scd,piv: status report of KEYPAIRINFO. rG64c8786105
Scd:nks: Support the Telesec ESIGN application. T5219, T4938
Scd: use of SCardListReaders for PC/SC. T5979
Scd: Support automatic card selection for READCERT with keygrip.
Scd: Support specifying keygrip for learn command. T6002
Dirmngr: for Windows when build against GNUTLS. T5899
2.3.6 26 Apr 2022 03:17
Gpg: regression in 2.3.5 importing longer keys. T5941
Gpg: Emit an ERROR status as hint for a bad passphrase. T5943
Gpg: Avoid NULL-ptr access due to corrupted packets. T5940
Gpgsm: Improve the "Certificate not found" error message. T5821
Agent: Pass pattern directly to gpg-check-pattern. rGe529c54fe3
Scd: hard-coded constant for RSA authentication key OpenPGP.3.
2.3.5 22 Apr 2022 03:17
Gpg: Up to five times faster verification of detached signatures. Doubled detached signing speed. T5826, rG4e27b9defc, rGf8943ce098
Gpg: Threefold decryption speedup for large files.
Gpg: Nearly double the AES256.OCB encryption speed. rG99e2c178c7
Gpg: Removed EAX from the preference list. rG253fcb9777
Gpg: Allow --dearmor to decode all kinds of armor files.
Gpg: Remove restrictions for the name part of a user-id.
Gpg: Allow decryption of symmetric encrypted data even for non-compliant cipher. rG8631d4cfe2
Gpg,gpgsm: New option --require-compliance. rGee013c5350
Gpgsm: New option --ignore-cert-with-oid. rGe23dc755fa
Gpgtar: Create and handle extended headers to support long file.
Gpgtar: Support file names longer than MAX_PATH on Windows.
Gpgtar: Use a pipe for decryption and thus avoid memory.
Gpgtar: New option --with-log. rGed53d41b4c
Agent: New flag "qual" for the trustlist.txt. rG7c8c606061
Scdaemon: Add support for GeNUA cards. rG0dcc249852
Scdaemon: Add --challenge-response option to PK_AUTH for OpenPGP.
Dirmngr: Support the use of ECDSA for CRLs and OCSP.
Dirmngr: Map all gnupg.net addresses to the Ubuntu keyserver.
Ssh: Return a faked response for the new session-bind extension.
Gpgconf: Add command aliases -L -K -R. rGec4a1cffb8
Gpg: Request keygrip of key to add via command interface. T5771
Gpg: Print Yubikey version correctly. T5787
Gpg: Always use version = 4 to generate key signature. T5809
Gpg: generating AEAD packet. T5853
Gpg: version on symmetric encrypted AEAD files if the force option is used. T5856
Gpg: adding the list of ultimate trusted keys. T5742
Gpgsm: parsing of certain PKCS#12 files. T5793
Gpgsm: Print diagnostic about CRL pr
2.3.4 21 Dec 2021 22:45
Gpg: New option --min-rsa-length. rG5f39db70c0
Gpg: New option --forbid-gen-key. rGc397ba3ac0
Gpg: New option --override-compliance-check. T5655
Gpgconf: New command --show-configs. rGa0fb78ee0f
Agent,dirmngr,keyboxd: New option --steal-socket.
Gpg: printing of binary notations. T5667
Gpg: Remove stale ultimately trusted keys from the trustdb.
Gpg: indentation of --print-mds and --print-md sha512. T5679
Gpg: Emit gpg 2.2 compatible Ed25519 signature. T5331
Gpgsm: Detect circular chains in --list-chain. rG74c5b35062
Dirmngr: Make reading resolv.conf more robust. T5657
Dirmngr: Ask keyservers to provide the key fingerprints. T5741
Gpgconf: Allow changing gpg's deprecated keyserver option. T5462
Gpg-wks-server: created file permissions. rG60be00b033
Scd: Support longer data for ssh-agent authentication with openpgp.
Scd: Modify DEVINFO behavior to support looping forever. T5359
Support gpgconf.ctl for NetBSD and Solaris. T5656, T5671
Silence "Garbled console data" warning under Windows in most.
Silence warning about the rootdir under Unices w/o a mounted /proc file system. T5656
Possible build problems about missing include files. T5592
2.3.3 13 Oct 2021 21:45
Agent: segv in GET_PASSPHRASE (regression).
Dirmngr: Let's Encrypt certificate chain validation.
Gpg: Change default and maximum AEAD chunk size to 4 MiB.
Gpg: Print a warning when importing a bad cv25519 secret key.
Gpg: --list-packets for undecryptable AEAD packets.
Gpg: Verify backsigs for v5 keys correctly.
Keyboxd: checksum computation for no UBID entry on disk.
Keyboxd: "invalid object" error with cv448 keys.
Dirmngr: New option --ignore-cert. 4b3e9a44b5
Agent: calibrate_get_time use of clock_gettime.
Silence process spawning diagnostics on Windows. f2b01025c3
Support a gpgconf.ctl file under Unix and use this for the.
2.3.2 25 Aug 2021 14:05
Gpg: Allow fingerprint based lookup with --locate-external-key.
Gpg: Allow decryption w/o public key but with correct card.
Gpg: Auto import keys specified with --trusted-keys. 100037ac0f
Gpg: Do not use import-clean for LDAP keyserver imports.
Gpg: mailbox based search via AKL keyserver method. 4fcfac6feb
Gpg: memory corruption with --clearsign introduced with 2.3.1.
Gpg: Use a more descriptive prompt for symmetric decryption.
Gpg: Improve speed of secret key listing. 40da61b89b
Gpg: Support keygrip search with traditional keyring.
Gpg: Let --fetch-key return an exit code on failure.
Gpg: Emit the NO_SECKEY status again for decryption.
Gpgsm: Support decryption of password based encryption (pwri).
Gpgsm: Support AES-GCM decryption. 4980fb3c6d
Gpgsm: Let --dump-cert --show-cert also print an OpenPGP.
Gpgsm: finding of r in use-keyboxd mode. 6b76693ff5
Gpgsm: New option --ldapserver as an alias for --keyserver.
Agent: Use SHA-256 for SSH fingerprint by default.
Agent: calling handle_pincache_put.
Agent: importing protected secret key.
Agent: a regression in agent_get_shadow_info_type.
Agent: Add translatable text for Caps Lock hint.
Agent: New option --pinentry-formatted-passphrase.
Agent: Add checkpin inquiry for pinentry.
Agent: New option --check-sym-passphrase-pattern.
Agent: Use the sysconfdir for a pattern file.
Agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
Dirmngr: LDAP search by a mailbox now ignores revoked keys.
Dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
Dirmngr: Allow for non-URL specified ldap keyservers.
Dirmngr: New option --ldapserver. 52cf32ce2f
Dirmngr: regression in KS_GET for mail address pattern.
Card: New option --shadow for the list command. 2fce99d73a
Tests: Make sure
2.3.1 21 Apr 2021 09:45
The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more.
Gpg: Force version 5 key creation for ed448 and cv448 algorithms.
Gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver.
Gpg: Lookup a missing public key of the active card via LDAP.
Gpgsm: New command --show-certs. 51419d6341
Scd: CCID driver for SCM SPR332/SPR532.
Scd: Further improvements for PKCS#15 cards.
Build problems on Fedora.
Build problems on macOS.
New configure option --with-tss to allow the selection of the TSS.
2.3.0 08 Apr 2021 03:18
A new experimental key database daemon is provided. To enable it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored in a SQLite database and make key lookup much faster.
New tool gpg-card as a flexible frontend for all types of.
New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and.
The gpg-wks-client tool is now installed under bin; a wrapper for its old location at libexec is also installed.
Tpm2d: New daemon to physically bind keys to the local machine.
Gpg: Switch to ed25519/cv25519 as default public key algorithms.
Gpg: Verification results now depend on the --sender option and the signer's UID subpacket. T4735
Gpg: Do not use any 64-bit block size cipher algorithm for encryption. Use AES as last resort cipher preference instead of 3DES. This can be reverted using --allow-old-cipher-algos.
Gpg: Support AEAD encryption mode using OCB or EAX.
Gpg: Support v5 keys and signatures.
Gpg: Support curve X448 (ed448, cv448).
Gpg: Allow use of group names in key listings. e825aea2ba
Gpg: New option --full-timestrings to print date and time.
Gpg: New option --force-sign-key.
Gpg: New option --no-auto-trust-new-key.
Gpg: The legacy key discovery method PKA is no longer supported. The command --print-pka-records and the PKA related import and export options have been removed.
Gpg: Support export of Ed448 Secure Shell keys.
Gpgsm: Add basic ECC support.
Gpgsm: Support creation of EdDSA certificates.
Agent: Allow the use of "Label:" in a key file to customize the pinentry prompt. 5388537806
Agent: Support ssh-agent extensions for environment variables. With a patched version of OpenSSH this avoids the need for the "updatestartuptty" kludge. 224e26cf7b
Scd: Improve support for multiple card readers and tokens.
Scd: Support PIV cards.
Scd: Support for Rohde Schwarz Cybersecurity cards.
Scd: Support Telesec Signature Cards v2.0.
2.2.0 29 Aug 2017 03:15
This is the new long term stable branch. This branch will only see
And no new features.
Gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is again the default.
a few minor.
2.1.23 10 Aug 2017 11:05
Gpg: "gpg" is now installed as "gpg" and not anymore as "gpg2". If needed, the new configure option --enable-gpg-is-gpg2 can be used to revert this.
Gpg: Options --auto-key-retrieve and --auto-key-locate "local,wkd" are now used by default. Note: this enables keyserver and Web Key Directory operators to notice when a signature from a locally non-available key is being verified for the first time or when you intend to encrypt to a mail address without having the key locally. This new behaviour will eventually make key discovery much easier and mostly automatic. Disable this by adding
to your gpg.conf.
Agent: Option --no-grab is now the default. The new option --grab allows to revert this.
Gpg: New import option "show-only".
Gpg: New option --disable-dirmngr to entirely disable network access for gpg.
Gpg,gpgsm: Tweaked DE-VS compliance behaviour.
New configure flag --enable-all-tests to run more extensive tests during "make check".
Gpgsm: The keygrip is now always printed in colon mode as documented in the man page.
Connection timeout problem under Windows.
2.1.22 29 Jul 2017 03:15
Gpg: Extend command --quick-set-expire to allow for setting the expiration time of subkeys.
Gpg: By default try to repair keys during import. New sub-option no-repair-keys for --import-options.
Gpg,gpgsm: Improved checking and reporting of DE-VS compliance.
Gpg: New options --key-origin and --with-key-origin. Store the time of the last key update from keyservers, WKD, or DANE.
Agent: New option --ssh-fingerprint-digest.
Dirmngr: Lower timeouts on keyserver connection attempts and made
Dirmngr: Tor will now automatically be detected and used. The option --no-use-tor disables Tor detection.
Dirmngr: Now detects a changed /etc/resolv.conf.
Agent,dirmngr: Initiate shutdown on removal of the GnuPG home.
Gpg: Avoid caching passphrase for failed symmetric encryption.
Agent: Support for unprotected ssh keys.
Dirmngr: name resolving on systems using only v6.
Dirmngr: Allow the use of TLS over http proxies.
W32: Change directory of the daemons after startup.
Wks: New man pages for client and server.
2.1.21 16 May 2017 23:45
Gpg,gpgsm: corruption of old style keyring.gpg files. This was introduced with version 2.1.20. Note that the default pubring.kbx format was not affected.
Gpg,dirmngr: Removed the skeleton config file support. The system's standard methods for providing default configuration files should be used instead.
W32: The Windows installer now allows installation of GnuPG without
Gpg: import filter property match.
Scd: Removed Linux support for Cardman 4040 PCMCIA reader.
Scd: some corner case in resume/suspend handling.
Many minor and code cleanup.
2.1.20 04 Apr 2017 10:45
Gpg: New properties 'expired', 'revoked', and 'disabled' for the import and export filters.
Gpg: New command --quick-set-primary-uid.
Gpg: New compliance field for the --with-colon key listing.
Gpg: Changed the key parser to generalize the processing of local meta data packets.
Gpg: assertion failure in the TOFU trust model.
Gpg: exporting of zero length user ID packets.
Scd: Improved support for multiple readers.
Scd: timeout handling for key generation.
Agent: New option --enable-extended-key-format.
Dirmngr: Do not add a keyserver to a new dirmngr.conf. Dirmngr uses a default keyserver.
Dirmngr: Do not treat TLS warning alerts as severe error when building with GNUTLS.
Dirmngr: Actually take /etc/hosts in account.
Wks: client problems on Windows. Published keys are now set
Tests: creation of temporary directories.
A socket directory for a non standard GNUPGHOME is now created on the fly under /run/user. Thus "gpgconf --create-socketdir" is now optional. The use of "gpgconf --remove-socketdir" to clean up obsolete socket directories is however recommended to avoid cluttering /run/user with useless directories.
Build problems on some platforms.
2.1.19 02 Mar 2017 17:25
Gpg: Print a warning if Tor mode is requested but the Tor daemon is not running.
Gpg: New status code DECRYPTION_KEY to print the actual private key used for decryption.
Gpgv: New options --log-file and --de.
Gpg-agent: Revamp the prompts to ask for card PINs.
Scd: Support for multiple card readers.
Scd: Removed option --de-disable-ticker. Ticker is used only when it is required to watch removal of device/card.
Scd: Improved detection of card inserting and removal.
Dirmngr: New option --disable-ipv4.
Dirmngr: New option --no-use-tor to explicitly disable the use of
Dirmngr: The option --allow-version-check is now required even if the option --use-tor is also used.
Dirmngr: Handle a missing nsswitch.conf gracefully.
Dirmngr: Avoid PTR lookups for keyserver pools. They are only done for the decommand "keyserver --hosttable".
Dirmngr: Rework the internal certificate cache to support classes of certificates. Load system provided certificates on startup. Add options --tls, --no-crl, and --systrust to the "VALIDATE".
Dirmngr: Add support for the ntbtls library.
Wks: Create mails with a "WKS-Phase" header. detection of
The Windows installer is now built with limited TLS support.
Many other and new regression tests.
2.1.18 24 Jan 2017 07:25
Gpg: Remove bogus subkey signature while cleaning a key (with export-clean, import-clean, or --edit-key's sub-command clean)
Gpg: Allow freezing the clock with --faked-system-time.
Gpg: New --export-option flag "backup", new --import-option flag.
Gpg-agent: long delay due to a regression in the progress.
Scd: Lots of code cleanup and internal changes.
Scd: Improved the internal CCID driver.
Dirmngr: problem with the DNS glue code (removal of the trailing dot in domain names).
Dirmngr: Make sure that Tor is actually enabled after changing the conf file and sending SIGHUP or "gpgconf --reload dirmngr".
Dirmngr: Tor access to IPv6 addresses. Note that current versions of Tor may require that the flag "IPv6Traffic" is used with the option "SocksPort" in torrc to actually allow IPv6
Dirmngr: HKP for literally given IPv6 addresses.
Dirmngr: Enabled reverse DNS lookups via Tor.
Dirmngr: Added experimental SRV record lookup for WKD.
See commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 for details.
Dirmngr: For HKP use "pgpkey-hkps" and "pgpkey-hkp" in SRV record lookups. Avoid SRV record lookup when a port is explicitly specified. This a regression from the 1.4 and 2.0 behavior.
Dirmngr: Gracefully handle a missing /etc/nsswitch.conf. Ignore negation terms (e.g. "!UNAVAIL=return") instead of bailing out.
Dirmngr: Better deoutput for flags "dns" and "network".
Dirmngr: On reload mark all known HKP servers alive.
Gpgconf: Allow keyword "all" for --launch, --kill, and --reload.
Tools: gpg-wks-client now ignores a missing policy file on the.
Avoid unnecessary ambiguity error message in the option parsing.
Further improvements of the regression test suite.
Building with --disable-libdns configure option.
a crash running the tests on 32 bit architectures.
Spurious failures on BSD system in the spawn functions. This affected for example gpg-wks-client and gpgconf.
2.1.17 21 Dec 2016 07:25
Gpg: By default new keys expire after 2 years.
Gpg: New command --quick-set-expire to conveniently change the expiration date of keys.
Gpg: Option and command names have been changed for easier comprehension. The old names are still available as aliases.
Gpg: Improved the TOFU trust model.
Gpg: New option --default-new-key-algo.
Scd: Support OpenPGP card V3 for RSA.
Dirmngr: Support for the ADNS library has been removed. Instead William Ahern's Libdns is now source included and used on all platforms. This enables Tor support on all platforms. The new option --standard-resolver can be used to disable this code at runtime. In case of build problems the new configure option --disable-libdns can be used to build without Libdns.
Dirmngr: Lazily launch ldap reaper thread.
Tools: New options --check and --status-fd for gpg-wks-client.
The UTF-8 byte order mark is now skipped when reading conf files.
Many and regressions.
Major improvements to the test suite. For example it is possible to run the external test suite of GPGME.
2.1.16 19 Nov 2016 19:25
Gpg: New algorithm for selecting the best ranked public key when using a mail address with -r, -R, or --locate-key.
Gpg: New option --with-tofu-info to print a new "tfs" record in colon formatted key listings.
Gpg: New option --compliance as an alternative way to specify options like --rfc2440, --rfc4880, et al.
Gpg: Many changes to the TOFU implementation.
Gpg: Improve usability of --quick-gen-key.
Gpg: In --verbose mode print a diagnostic when a pinentry is.
Gpg: Remove code which warns for old versions of gnome-keyring.
Gpg: New option --override-session-key-fd.
Gpg: Option --output does now work with --verify.
Gpgv: New option --output to allow saving the verified data.
Gpgv: New option --enable-special-filenames.
Agent, dirmngr: New --supervised mode for use by systemd and alike.
Agent: By default listen on all available sockets using standard.
Agent: Invoke scdaemon with --homedir.
Dirmngr: On Linux now detects the removal of its own socket and.
Scd: Support ECC key generation.
Scd: Support more card readers.
Dirmngr: New option --allow-version-check to download a software version database in the background.
Dirmngr: Use system provided CAs if no --hkp-cacert is given.
Dirmngr: Use a default keyserver if none is explicitly set.
Gpgconf: New command --query-swdb to check software versions against a copy of an online database.
Gpgconf: Print the socket directory with --list-dirs.
Tools: The WKS tools now support draft version -02.
Tools: Always build gpg-wks-client and install under libexec.
Tools: New option --supported for gpg-wks-client.
The log-file option now accepts a value "socket://" to log to the socket named "S.log" in the standard socket directory.
Provide fake pinentries for use by tests cases of downstream.
Many and regressions.
Many changes and improvements for the test suite.
2.1.15 19 Aug 2016 03:45
Gpg: Remove the --tofu-db-format option and support for the split
Gpg: Add option --sender to prepare for coming features.
Gpg: Add option --input-size-hint to help progress indicators.
Gpg: Extend the PROGRESS status line with the counted unit.
Gpg: Avoid publishing the GnuPG version by default with --armor.
Gpg: Properly ignore legacy keys in the keyring cache.
Gpg: Always print fingerprint records in --with-colons mode.
Gpg: Make sure that keygrips are printed for each subkey in.
Gpg: New import filter "drop-sig".
Gpgsm: a in the machine-readable key listing.
Gpg,gpgsm: Block signals during keyring updates to limit the effects of a Ctrl-C at the wrong time.
G13: Add command --umount and other for dm-crypt.
Agent: regression in SIGTERM handling.
Agent: Cleanup of the ssh-agent code.
Agent: Allow import of overly long keys.
Scd: problems with card removal.
Dirmngr: Remove all code for running as a system service.
Tools: Make gpg-wks-client conforming to the specs.
Tests: Improve the output of the new regression test tool.
Tests: Distribute the standalone test runner.
Tests: Run each test in a clean environment.
Spelling and grammar.
2.1.14 15 Jul 2016 03:15
Gpg: Removed options --print-dane-records and --print-pka-records. The new export options "export-pka" and "export-dane" can instead be used with the export command.
Gpg: New options --import-filter and --export-filter.
Gpg: New import options "import-show" and "import-export".
Gpg: New option --no-keyring.
Gpg: New command --quick-revuid.
Gpg: New options -f/--recipient-file and -F/--hidden-recipient-file to directly specify encryption keys.
Gpg: New option --mimemode to indicate that the content is a MIME part. Does only enable --textmode right now.
Gpg: New option --rfc4880bis to allow experiments with proposed changes to the current OpenPGP specs.
Gpg: regression in the "fetch" sub-command of --card-edit.
Gpg: regression since 2.1 in option --try-all-secrets.
Gpgv: Change default options for extra security.
Gpgsm: No more root certificates are installed by default.
Agent: "updatestartuptty" does now affect more environment.
Scd: The option --homedir does now work with scdaemon.
Scd: Support some more GEMPlus card readers.
Gpgtar: handling of '-' as file name.
Gpgtar: New commands --create and --extract.
Gpgconf: Tweak for --list-dirs to better support shell scripts.
Tools: Add programs gpg-wks-client and gpg-wks-server to implement a Web Key Service. The configure option --enable-wks-tools is required to build them; they should be considered Beta software.
Tests: Complete rework of the openpgp part of the test suite. The test scripts have been changed from Bourne shell scripts to Scheme programs. A customized scheme interpreter (gpgscm) is included. This change was triggered by the need to run the test suite on.
The rendering of the man pages has been improved.
2.1.13 17 Jun 2016 11:25
Gpg: New command --quick-addkey. Extend the --quick-gen-key.
Gpg: New --keyid-format "none" which is now also the default.
Gpg: New option --with-subkey-fingerprint.
Gpg: Include Signer's UID subpacket in signatures if the secret key has been specified using a mail address and the new option --disable-signer-uid is not used.
Gpg: Allow unattended deletion of a secret key.
Gpg: Allow export of non-passphrase protected secret keys.
Gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS.
Gpg: Change status line TOFU_STATS_LONG to use ' ' as a non-breaking-space character.
Gpg: Speedup key listings in Tofu mode.
Gpg: Make sure that the current and total values of a PROGRESS status line are small enough.
Gpgsm: Allow the use of AES192 and SERPENT ciphers.
Dirmngr: Adjust WKD lookup to current specs.
Dirmngr: Fallback to LDAP v3 if v2 is not supported.
Gpgconf: New commands --create-socketdir and --remove-socketdir.
New option --homedir.
If a /run/user/ UID directory exists, that directory is now used for IPC sockets instead of the GNUPGHOME directory. This problems with NFS and too long socket names and thus avoids the need for redirection files.
The Speedo build systems now uses the new versions.gnupg.org server to retrieve the default package versions.
Detection of libusb on FreeBSD.
Speedup fd closing after a fork.
2.1.12 05 May 2016 21:25
Gpg: New --edit-key sub-command "change-usage" for testing.
Gpg: Out of order key-signatures are now systematically detected and by --edit-key.
Gpg: Improved detection of non-armored messages.
Gpg: Removed the extra prompt needed to create Curve25519 keys.
Gpg: Improved user ID selection for --quick-sign-key.
Gpg: Use the root CAs provided by the system with --fetch-key.
Gpg: Add support for the experimental Web Key Directory key.
Gpg: Improve formatting of Tofu messages and emit new Tofu specific.
Gpgsm: Add option --pinentry-mode to support a loopback pinentry.
Gpgsm: A new pubring.kbx is now created with the header blob so that gpg can detect that the keybox format needs to be used.
Agent: Add read support for the new private key protection format.
Agent: Add read support for the new extended private key format.
Agent: Default to --allow-loopback-pinentry and add option.
Scd: Changed to use the new libusb 1.0 API for the internal CCID.
Dirmngr: The dirmngr-client does now auto-detect the PEM format.
G13: Add experimental support for dm-crypt.
W32: Tofu support is now available with the Speedo build method.
W32: Removed the need for libiconv.dll.
The man pages for gpg and gpgv are now installed under the correct name (gpg2 or gpg - depending on a configure option).
Lots of internal cleanups and.
2.1.11 27 Jan 2016 10:45
Gpg: New command --export-ssh-key to replace the gpgkey2ssh tool.
Gpg: Allow to generate mail address only keys with --gen-key.
Gpg: "--list-options show-usage" is now the default.
Gpg: Make lookup of DNS CERT records holding an URL work.
Gpg: Emit PROGRESS status lines during key generation.
Gpg: Don't check for ambiguous or non-matching key specification in the config file or given to --encrypt-to. This feature will return
Gpg: Lock keybox files while updating them.
Gpg: Solve rare error on Windows during keyring and Keybox updates.
Gpg: possible keyring corruption.
Gpg: regression of "bkuptocard" sub-command in --edit-key and remove "checkbkupkey" sub-command introduced with 2.1.
Gpg: internal error in gpgv when using default keyid-format.
Gpg: --auto-key-retrieve to work with dirmngr.conf configured.
Agent: New option --pinentry-timeout.
Scd: Improve unplugging of USB readers under Windows.
Scd: regression for generating RSA keys on card.
Dirmngr: All configured keyservers are now searched.
Dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net. Use this certificate even if --hkp-cacert is not used.
Gpgtar: Add actual encryption code. gpgtar does now fully replace.
Gpgtar: filename encoding problem on Windows.
Print a warning if a GnuPG component is using an older version of gpg-agent, dirmngr, or scdaemon.
2.1.10 05 Dec 2015 07:05
Gpg: New trust models "tofu" and "tofu+pgp".
Gpg: New command --tofu-policy. New options --tofu-default-policy.
Gpg: New option --weak-digest to specify hash algorithms which should be considered weak.
Gpg: Allow the use of multiple --default-key options; take the last.
Gpg: New option --encrypt-to-default-key.
Gpg: New option --unwrap to only strip the encryption layer.
Gpg: New option --only-sign-text-ids to exclude photo IDs from key.
Gpg: Check for ambiguous or non-matching key specification in the config file or given to --encrypt-to.
Gpg: Show the used card reader with --card-status.
Gpg: Print export statistics and an EXPORTED status line.
Gpg: Allow selecting subkeys by keyid in --edit-key.
Gpg: Allow updating the expiration time of multiple subkeys at.
Dirmngr: New option --use-tor. For full support this requires Libassuan version 2.4.2 and a patched version of libadns (e.g. adns-1.4-g10-7 as used by the standard Windows installer).
Dirmngr: New option --nameserver to specify the nameserver used in
Dirmngr: Keyservers may again be specified by IP address.
Dirmngr: problems in resolving keyserver pools.
Dirmngr: handling of premature termination of TLS streams so that large numbers of keys can be refreshed via hkps.
Gpg: a regression in --locate-key since 2.1.9.
Gpg: another for keyrings with legacy keys.
Gpgsm: Allow combinations of usage flags in --gen-key.
Make tilde expansion work with most options.
Many other cleanups and.
2.1.9 11 Oct 2015 03:15
Gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate). New.
Gpg: for a problem with PGP-2 keys in a keyring.
Gpg: Fail with an error instead of a warning if a modern cipher algorithm is used without a MDC.
Agent: New option --pinentry-invisible-char.
Agent: Always do a RSA signature verification after creation.
Agent: a regression in ssh-add-ing Ed25519 keys.
Agent: ssh fingerprint computation for nistp384 and EdDSA.
Agent: crash during passphrase entry on some platforms.
Scd: Change timeout to problems with some 2.1 cards.
Dirmngr: Displayed name is now Key Acquirer.
Dirmngr: Add option --keyserver. Deprecate that option for gpg.
Install a dirmngr.conf file from a skeleton for new installations.
2.1.8 11 Sep 2015 03:15
Gpg: Sending very large keys to the keyservers works again.
Gpg: Validity strings in key listings are now again translatable.
Gpg: Emit FAILURE status lines to help GPGME.
Gpg: Does not anymore link to Libksba to reduce dependencies.
Gpgsm: Export of secret keys via Assuan is now possible.
Agent: Raise the maximum passphrase length from 100 to 255 bytes.
Agent: regression using EdDSA keys with ssh.
Does not anymore use a build timestamp by default.
The fallback encoding for broken locale settings changed from Latin-1 to UTF-8.
Many code cleanups and improved internal documentation.
2.1.7 12 Aug 2015 06:45
gpg: Support encryption with Curve25519 if Libgcrypt 1.7 is used.
gpg: In the --edit-key menu: Removed the need for "toggle", changed
how secret keys are indicated, new commands "fpr *" and "grip".
gpg: More fixes related to legacy keys in a keyring.
gpgv: Does now also work with a "trustedkeys.kbx" file.
scd: Support some feature from the OpenPGP card 3.0 specs.
scd: Improved ECC support.
agent: New option --force for the DELETE_KEY command.
w32: Look for the Pinentry at more places.
Dropped deprecated gpgsm-gencert.sh.
Various other bug fixes.
2.1.6 02 Jul 2015 06:05
agent: New option --verify for the PASSWD command.
gpgsm: Add command option "offline" as an alternative to.
gpg: Do not prompt multiple times for a password in pinentry
Allow the use of debug category names with --debug.
Using gpg-agent and gpg/gpgsm with different locales will now show
the correct translations in Pinentry.
gpg: Improve speed of --list-sigs and --check-sigs.
gpg: Make --list-options show-sig-subpackets work again.
gpg: Fix an export problem for old keyrings with PGP-2 keys.
scd: Support PIN-pads on more readers.
dirmngr: Properly cleanup zombie LDAP helper processes and avoid
hangs on dirmngr shutdown.
Various other bug fixes.
2.1.5 12 Jun 2015 06:45
Support for an external passphrase cache.
Support for the forthcoming version 3 OpenPGP smartcard.
Manuals now show the actual used file names.
Prepared for improved integration with Emacs.
Code cleanups and minor bug fixes.
2.1.4 14 May 2015 00:25
* gpg: Add command --quick-adduid to non-interactively add a new user
id to an existing key.
* gpg: Do not enable honor-keyserver-url by default. Make it work if
* gpg: Display the serial number in the --card-status output again.
* agent: Support for external password managers.
Add option --no-allow-external-cache.
* scdaemon: Improved handling of extended APDUs.
* Make HTTP proxies work again.
* All network access including DNS has been moved to Dirmngr.
* Allow building without LDAP support.
* Fixed lots of smaller bugs.
2.1.3 12 Apr 2015 18:25
LDAP keyservers are now supported by 2.1.
New option --with-icao-spelling.
New option --print-pka-records. Changed the PKA method to use
CERT records and hashed names.
New command --list-gcrypt-config. New parameter "curve"
Print a NEWSIG status line like gpgsm always did.
Print MPI values with --list-packets and --verbose.
Write correct MPI lengths with ECC keys.
Skip legacy PGP-2 keys while searching.
Improved searching for mail addresses when using a keybox.
gpgsm: Changed default algos to AES-128 and SHA-256.
gpgtar: Fixed extracting files with sizes of a multiple of 512.
dirmngr: Fixed SNI handling for hkps pools.
Extra-certs and trusted-certs are now always loaded from
the sysconfig dir instead of the homedir.
Fixed possible problems due to compiler optimization, two minor
regressions, and other bugs.
2.0.27 19 Feb 2015 12:26
Detect faulty use of --verify on detached signatures.
New import option "keep-ownertrust".
Uses SHA-256 for all signature types also on RSA keys.
Added support for algo names when generating keys using the
Unless --allow-weak-digest-algos is used the insecure MD5-based fingerprints are shown as all zeroe
Fixed DoS based on bogus and overlong key packets.
Better error reporting for keyserver problems.
Fixed several bugs related to bogus keyrings and improved some other code.
2.1.2 12 Feb 2015 20:45
gpg: The parameter 'Passphrase' for batch key generation works
gpg: Using a passphrase option in batch mode now has the expected
effect on --quick-gen-key.
gpg: Improved reporting of unsupported PGP-2 keys.
gpg: Added support for algo names when generating keys using
gpg: Fixed DoS based on bogus and overlong key packets.
agent: When setting --default-cache-ttl the value
for --max-cache-ttl is adjusted to be not lower than the former.
agent: Fixed problems with the new --extra-socket.
agent: Made --allow-loopback-pinentry changeable with gpgconf.
agent: Fixed importing of unprotected openpgp keys.
agent: Now tries to use a fallback pinentry if the standard
pinentry is not installed.
scd: Added support for ECDH.
Fixed several bugs related to bogus keyrings and improved some
2.1.1 17 Dec 2014 03:15
gpg: Detect faulty use of --verify on detached signatures.
gpg: New import option "keep-ownertrust".
gpg: New sub-command "factory-reset" for --card-edit.
gpg: A stub key for smartcards is now created by --card-status.
gpg: Fixed regression in --refresh-keys.
gpg: Fixed regression in g and p codes for --sig-notation.
gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
gpg: Improved perceived speed of secret key listings.
gpg: Print number of skipped PGP-2 keys on import.
gpg: Removed the option aliases --throw-keyid and --notation-data;
use --throw-keyids and --set-notation instead.
gpg: Skip too large keys during import.
gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or
gpg-agent: New option --extra-socket to provide a restricted
command set for use with remote clients.
gpgconf --kill does not anymore start a service only to kill it.
gpg-connect-agent: Add convenience option --uiserver.
Fixed keyserver access for Windows.
Fixed build problems on Mac OS X.
The Windows installer does now install development files.
More translations.
To support remotely mounted home directories, the IPC sockets may
now be redirected. This feature requires Libassuan 2.2.0.
Improved portability and the usual bunch of bug fixes.
2.1.0 07 Nov 2014 03:15
This release introduces a lot of changes. Most of them are internal
and thus not user visible. However, some long standing behavior has
slightly changed and it is strongly suggested that an existing
".gnupg" directory is backed up before this version is used.
A verbose description of the major new features and changes can be
found in the file doc/whats-new-in-2.1.txt.
gpg: All support for v3 keys has been dropped. All
signatures are now created as v4 signatures. v3 keys will be
removed from the keyring.
gpg: With pinentry-0.9.0 the passphrase "enter again" prompt shows
up in the same window as the "new passphrase" prompt.
gpg: Allow importing keys with duplicated long key ids.
dirmngr: May now be build without support for LDAP.
For a complete list of changes see the lists of changes for the
2.1.0 beta versions below. Note that all relevant fixes from
versions 2.0.14 to 2.0.26 are also applied to this version.
Noteworthy changes in version 2.1.0-beta864
gpg: Removed the GPG_AGENT_INFO related code. GnuPG does now
always use a fixed socket name in its home directory.
gpg: Renamed --gen-key to --full-gen-key and re-added a --gen-key
command with less choices.
gpg: Use SHA-256 for all signature types also on RSA keys.
gpg: Default keyring is now created with a .kbx suffix.
gpg: Add a shortcut to the key capabilities menu.
gpg: Fixed obsolete options parsing.
Further improvements for the alternative speedo build system.
Noteworthy changes in version 2.1.0-beta834
gpg: Improved passphrase caching.
gpg: Switched to algorithm number 22 for EdDSA.
gpg: Removed CAST5 from the default preferences.
gpg: Order SHA-1 last in the hash preferences.
gpg: Changed default cipher for --symmetric to AES-128.
gpg: Fixed export of ECC keys and import of EdDSA keys.
dirmngr: Fixed the KS_FETCH command.
The speedo build system now downloads related packages and works
for non-Windows platforms.
Noteworthy changes in version 2.1.0-beta783
gpg: Add command --quick-gen-key.
2.0.26 13 Aug 2014 20:12
Fixes another regression in 2.0.24 when a subkey id was given to --recv-keys et al.
Attribute packets are capped at 16MB now.
Auto-create the ".gnupg" home directory in the same way gpg does.
scdaemon now allows for certificates 1024 when using PC/SC.
2.0.25 02 Jul 2014 18:54
Fix a regression in 2.0.24 if more than one keyid is given to --recv-keys et al.
Cap RSA and Elgamal keysize at 4096 bit also for unattended key generation.
Fix a DISPLAY related problem with --export-secret-key-p12.
Support reader Gemalto IDBridge CT30.
1.4.18 02 Jul 2014 18:51
Fix a regression in 1.4.17 if more than one keyid is given to --recv-keys et al.
Cap RSA and Elgamal keysize at 4096 bit also for unattended key generation.