From dshaw at jabberwocky.com Sat Oct 2 15:47:23 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 23 12:43:35 2005
Subject: [Announce] GnuPG 1.3.90 released (development)
Message-ID: <20041002134723.GB15332@jabberwocky.com>

Hello!

The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will very soon become GnuPG 1.4. As the version jump from 1.3.6 to 1.3.90 indicates, the 1.4 release is expected soon.

We encourage people to try this development release and report any feedback or problems to gnupg-devel@gnupg.org.

As always, note that while this code is stable enough for many uses, it is still the development branch. Mission-critical applications should use the 1.2.x stable branch.

The files are available from:

Gzipped:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.90.tar.gz (3.6M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.90.tar.gz.sig

Bzip2ed:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.90.tar.bz2 (2.5M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.90.tar.bz2.sig

MD5 checksums for the files are:

  c3f1a4b5134ad15aae5f93897c8294fa  gnupg-1.3.90.tar.bz2
  767cf77145ea4ce0df3b2ca6e86ce0a9  gnupg-1.3.90.tar.bz2.sig
  e3f8d36309bd63f05bae3b7371bcb994  gnupg-1.3.90.tar.gz
  32a4376ae5a7a5b548bacd4d3a14816a  gnupg-1.3.90.tar.gz.sig

Noteworthy changes in version 1.3.90 (2004-10-01)
-------------------------------------------------

  * Readline support at all prompts is now available if the system provides a readline library. The build time option --without-readline may be used to disable this feature.

  * Support for the OpenPGP smartcard is now enabled by default. Use the option --disable-card-support to build without support for smartcards.

  * New command "addcardkey" in the key edit menu to add subkeys to a smartcard. New command "keytocard" to transfer a key to a smartcard. The serial number of the card is shown in secret key listings.

  * -K may now be used as an alias for --list-secret-keys.

  * HTTP Basic authentication is now supported for all HKP and HTTP keyserver functions, either through a proxy or via direct access.

Enjoy!

The GnuPG team (David, Stefan, Timo and Werner)

From dshaw at jabberwocky.com Sat Oct 16 14:46:21 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 23 12:43:35 2005
Subject: [Announce] GnuPG 1.3.91 released (development)
Message-ID: <20041016124621.GA19126@jabberwocky.com>

Hello!

The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will extremely soon become the new stable release of GnuPG 1.4.

We strongly encourage people to try this development release and report any feedback or problems to gnupg-devel@gnupg.org. If you have been waiting until the 1.4 release is imminent before trying the code, that time is now.

The files are available from:

Gzipped:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.91.tar.gz (3.7M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.91.tar.gz.sig

Bzip2ed:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.91.tar.bz2 (2.5M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.91.tar.bz2.sig

or as a patch against the 1.3.90 source:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.90-1.3.91.diff.gz (1.9M)

MD5 checksums for the files are:

  839e1404fa7b59fb815f44527da2b821  gnupg-1.3.90-1.3.91.diff.gz
  bc03e5651387e996f122ecfdb970211b  gnupg-1.3.91.tar.gz
  fb0f58ff5392c6c20759cd9de190c659  gnupg-1.3.91.tar.bz2

SHA1 checksums for the files are:

  eabf07abc4ca2deddfc917d55f340440331e2a0d  gnupg-1.3.90-1.3.91.diff.gz
  d67a2d0fd640b1d38e3e34efa9430698c54e7a55  gnupg-1.3.91.tar.gz
  f1e9a9c00bd48165f7da0824504f2ee4551a5bf0  gnupg-1.3.91.tar.bz2

Noteworthy changes in version 1.3.91 (2004-10-15)
-------------------------------------------------

  * A new configure option --enable-selinux-support disallows processing of confidential files used by gpg (e.g. secring.gpg). This helps writing ACLs for the SELinux kernel.

  * Support for fetching keys via finger has been added. This is useful for setting a preferred keyserver URL like "finger:wk@g10code.com".

  * Timeout support has been added to the keyserver helpers. This allows users to set an upper limit on how long to wait for the keyserver before giving up.

  * New "direct" trust model where users can set key validity directly if they do not want to participate in the web of trust.

  * Minor bug fixes, code and string cleanups.

Enjoy!

The GnuPG team (David, Stefan, Timo and Werner)

From marcus.brinkmann at ruhr-uni-bochum.de Fri Oct 22 21:17:47 2004
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed Feb 23 12:43:35 2005
Subject: [Announce] GPGME 1.0.1 released
References: <87d603agf9.wl@ulysses.g10code.de>
Message-ID: <87pt3a4l5w.wl@ulysses.g10code.de>

We are pleased to announce version 1.0.1 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 795 KB compressed)

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.0.1.tar.gz

The following files are also available:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.0.1.tar.gz.sig
  ftp://ftp.gnupg.org/gcrypt/alpha/gpgme/gpgme-1.0.0-1.0.1.diff.gz

It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to: gnupg-devel@gnupg.org

The md5sum checksums for this distribution are

  f9acf829e1d2821e62da8832e0bebf44  gpgme-1.0.0-1.0.1.diff.gz
  915045809b729998e4b7cb58856550a4  gpgme-1.0.1.tar.gz
  f5d4961abc805d8f393893d86482b576  gpgme-1.0.1.tar.gz.sig

Noteworthy changes in version 1.0.1 (2004-10-22)
------------------------------------------------

  * Only bug fixes.

Marcus Brinkmann
mb@g10code.de

From wk at gnupg.org Thu Oct 28 12:42:14 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:35 2005
Subject: [Announce] GnuPG 1.3.92 released (development)
Message-ID: <873bzzdszd.fsf@wheatstone.g10code.de>

Hello!

The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will extremely soon become the new stable release of GnuPG 1.4.

We strongly encourage people to try this development release and report any feedback or problems to gnupg-devel@gnupg.org. If you have been waiting until the 1.4 release is imminent before trying the code, that time is now.

The files are available from:

Gzipped:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92.tar.gz (3.8M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92.tar.gz.sig

Bzip2ed:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92.tar.bz2 (2.6M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92.tar.bz2.sig

or as a patch against the 1.3.91 source:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92-1.3.92.diff.gz (602k)

MD5 checksums for the files are:

  285789af00856a12354fd3d967cf61b4  gnupg-1.3.92.tar.gz
  bc9ee1f97d22dc727a00dfbfe2ebbf5e  gnupg-1.3.92.tar.bz2
  4ea581339dcf46cd8c21d928d4f9b759  gnupg-1.3.91-1.3.92.diff.gz

SHA1 checksums for the files are:

  e03bb8d584fcf6c2a4567027012ce8012d6f85ec  gnupg-1.3.92.tar.gz
  e208f9db3fcab4b0c9afc089b6eff49a739289dc  gnupg-1.3.92.tar.bz2
  620f045f49d02f210edb95e3f2c6f9a42b72632c  gnupg-1.3.91-1.3.92.diff.gz

A compiled version for MS Windows is available:

  ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.3.92.zip (1.5M)
  ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.3.92.zip.sig

For proper internationalization you should have the GNU iconv.dll installed. For convenience we make this DLL available at:

  ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip (644k)
  ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip.sig

MD5 checksums for the files are:

  a5967c5b466e7fb3cf176a30623f55bd  gnupg-w32cli-1.3.92.zip
  f3582d28862c539d2f655ade5e141f2f  libiconv-1.9.1.dll.zip

Noteworthy changes in version 1.3.92 (2004-10-28)
-------------------------------------------------

  * Added Russian man page. Thanks to Pawel I. Shajdo.

  * libiconv is now used to support character sets other than UTF-8, Latin-1,-2 and KOI8-2. The W32 version will only work correctly when iconv.dll is installed on the system. A binary version is available at all GNU mirror sites under libiconv.

  * gettext for Windows has been simplified. The MO files are now distributed UTF-8 encoded and gpg translates on the fly.

Enjoy!

The GnuPG team (David, Stefan, Timo and Werner)

From wk at gnupg.org Thu Oct 28 14:30:58 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:35 2005
Subject: [Announce] GnuPG 1.3.92 released (development)
Message-ID: <87d5z3c9dp.fsf@wheatstone.g10code.de>

[Obviously Mailman broke the PGP/MIME signature again. Therefore I see no other way than to repost it using the plain old clear sign format]

From wk at gnupg.org Thu Dec 9 17:16:22 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:36 2005
Subject: [Announce] sha1sum for MS Windows released
Message-ID: <871xdz8n1l.fsf@wheatstone.g10code.de>

Hi!

In the light of the recently found weaknesses in the MD5 hash function we won't anymore accompany software announcements with MD5 checksums. Instead SHA-1 checksums will be given.

All modern GNU/Linux systems are featuring a sha1sum tool, similar to the md5sum tool, so there should be no problem checking the checksums on these platforms. For MS Windows no such tool is available. To solve this problem, I wrote a simple sha1sum tool and uploaded it along with a MS Windows binary (sha1sum.exe) to the GnuPG ftp servers. The source is also available and may be used to check the correctness or to build own binaries. It should build on all platforms.

There is of course a catch-22 in that you won't be able to check the integrity of that tool without using it. So you need to rely on other ways of checking this tool; one possibility is to send it to a friend and ask the friend to check the gpg signature for you.

Get it from ftp.gnupg.org at:

  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe (20k)
  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe.sig

  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c (9k)
  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c.sig

Usage is:

  sha1sum

This version of sha1sum does not feature the -c (--check) option so that you have to compare the printed checksums using our own eyes.

Please note that if you already have a working GnuPG installation it is better to check the integrity of a package using the GnuPG generated signature which is usually in files suffixed with ".sig", ".sign", or ".asc". Using the checksum is only a way to bootstrap an installation. The sha1sum utility might also be useful to verify software which does does come with a gpg signature.

Happy hacking,

  Werner

--
Werner Koch                        The GnuPG Experts http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org

From wk at gnupg.org Tue Dec 14 11:06:45 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:36 2005
Subject: [Announce] GnuPG 1.3.93 released
Message-ID: <87brcxfb2i.fsf@wheatstone.g10code.de>

Hello!

The latest and hopefully last release candidate for GnuPG 1.4 is ready for public consumption.

We strongly encourage people to try this release candidate and report any feedback or problems to gnupg-devel@gnupg.org. If you have been waiting until the 1.4 release is imminent before trying the code, that time is now.

The files are available from:

Gzipped:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.93.tar.gz (3.8M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.93.tar.gz.sig

Bzip2ed:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.93.tar.bz2 (2.6M)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.93.tar.bz2.sig

or as a patch against the 1.3.91 source:
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.92-1.3.93.diff.gz (1060k)

SHA1 checksums for the files are:

  2aa674ac7877c3b87423779cb11c6629b9dc9dac  gnupg-1.3.93.tar.gz
  c09fb504c2054ffa62826eab8c10091784f64dc4  gnupg-1.3.93.tar.bz2
  5bf59e2dc820f1d9a93f8c9537468fff4deb76e1  gnupg-1.3.92-1.3.93.diff.gz

A compiled version for MS Windows is not available.

Noteworthy changes in version 1.3.93 (2004-12-14)
-------------------------------------------------

  * Ask the user to repeat a changed PIN.

  * Switched to automake 1.9. Minor bug fixes.

Enjoy!

The GnuPG team (David, Stefan, Timo and Werner)

From wk at gnupg.org Thu Dec 16 18:24:48 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:36 2005
Subject: [Announce] GnuPG stable 1.4 released
Message-ID: <87zn0egnq7.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of the new stable GnuPG series. This first release is version 1.4.0

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

1.4.x is very similar to 1.2.x although a lot of improvements have been added over the course of the last 2 years. There are some minor incompatibilities when using very rare options but in almost all cases it may just replace the 1.2.x versions (as well as 1.0.6).

Please note that the 1.2.x series will enter end of life status on January 1, 2005, after which it will only be updated for security critical bugs. Before then, we expect one more 1.2.x release to address a few minor outstanding issues (the fixes for which are already in 1.4.0), and to update the translations.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 1.4.0 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg* directory:

  gnupg-1.4.0.tar.bz2 (2658k)
  gnupg-1.4.0.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.0.tar.gz (3837k)
  gnupg-1.4.0.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptionally your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.0.zip (1626k)
  gnupg-w32cli-1.4.0.zip.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions. The source files are the same as given above.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

  * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.0.tar.bz2 you would use this command:

      gpg --verify gnupg-1.4.0.tar.bz2.sig

    This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using "finger wk 'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the keyservers. I recently prolonged the expiration date; thus you might need a fresh copy of that key.

    Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation!

  * If you are not able to use an old version of GnuPG, you have to verify the SHA1 checksum. Assuming you downloaded the file gnupg-1.4.0.tar.bz2, you would run the sha1sum command like this:

      sha1sum gnupg-1.4.0.tar.bz2

    and check that the output matches the first line from the following list:

      0054635a131b7af383e956fa9e1520ac44cad116  gnupg-1.4.0.tar.bz2
      7078b8f14f21d04c7bc9d988a6a2f08d703fbc83  gnupg-1.4.0.tar.gz
      6490a13bf98c919190e0f9bc115ab5af0b3059e0  gnupg-w32cli-1.4.0.zip

Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list.

What's New
===========

There are too many changes to list them here. Please check out the NEWS file or read the summary at the end of this announcement.

Internationalization
====================

GnuPG comes with support for 28 languages:

  American English           Indonesian (id)[*]
  Bela-Russian (be)[*]       Italian (it)[*]
  Catalan (ca)[*]            Japanese (ja)
  Czech (cs)                 Polish (pl)[*]
  Danish (da)[*]             Brazilian Portuguese (pt_BR)[*]
  Dutch (nl)[*]              Portuguese (pt)[*]
  Esperanto (eo)[*]          Romanian (ro)[*]
  Estonian (et)[*]           Russian (ru)[*]
  Finnish (fi)[*]            Slovak (sk)[*]
  French (fr)                Spanish (es)[*]
  Galician (gl)[*]           Swedish (sv)[*]
  German (de) [*]            Traditional Chinese (zh_TW)[*]
  Greek (el) [*]             Simplified Chinese (zh_CN)
  Hungarian (hu) [*]         Turkish (tr) [*]

Languages marked with [*] were not updated for this release and you will most likely notice untranslated messages. Many thanks to the translators for their ongoing support of GnuPG.

Due to a lot of stylistic changes to the strings and about 150 new strings, most translations are not up to date. However we don't think that this is reason enough to hold back the release. Updated translations will be added to the next releases. [Note to our translators: please see the file doc/TRANSLATE]

Future Directions
=================

GnuPG 1.4.x is the current stable branch and will be kept as the easy to use and build single-executable versions. We plan to backport new features from the development series to 1.4.

GnuPG 1.9.x is the new development series of GnuPG. This version merged the code from the Aegypten project and thus it includes the gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The design is different to the previous versions and we may not support all ancient systems - thus POSIX compatibility will be an absolute requirement for supported platforms. 1.9 is as of now based on a somewhat older 1.3 code but will peacefully coexist with other GnuPG versions.

Support
=======

Developing and maintaining GnuPG and related software is nothing one can do in the evening or on weekends. We all spend a lot of time and money on it. David is actually doing this in his spare time beside his day job; g10 Code employs Timo and Werner to work on this software and would appreciate to refinance it by entering into support contracts or other contributions.

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Kudos to David Shaw who did most of the new features in 1.4 and discussed various OpenPGP problems at length at several working groups.

Happy Hacking,

  The GnuPG Team (David, Timo and Werner)

--
Werner Koch                        The GnuPG Experts http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org

GnuPG 1.4 Highlights
====================

This is a brief overview of the changes between the GnuPG 1.2 series and the new GnuPG 1.4 series. To read the full list of highlights for each revision that led up to 1.4, see the NEWS file in the GnuPG distribution. This document is based on the NEWS file, and is thus the highlights of the highlights.

When upgrading, note that RFC-2440, the OpenPGP standard, is currently being revised. Most of the revisions in the latest draft (2440bis-12) have already been incorporated into GnuPG 1.4.

Algorithm Changes
-----------------

OpenPGP supports many different algorithms for encryption, hashing, and compression, and taking into account the OpenPGP revisions, GnuPG 1.4 supports a slightly different algorithm set than 1.2 did.

The SHA256, SHA384, and SHA512 hashes are now supported for read and write.

The BZIP2 compression algorithm is now supported for read and write.

Due to the recent successful attack on the MD5 hash algorithm (discussed in , among other places), MD5 is deprecated for OpenPGP use. It is still allowed in GnuPG 1.4 for backwards compatibility, but a warning is given when it is used.

The TIGER/192 hash is no longer available. This should not be interpreted as a statement as to the quality of TIGER/192 - rather, the revised OpenPGP standard removes support for several unused or mostly unused hashes, and TIGER/192 was one of them.

Similarly, Elgamal signatures and the Elgamal signing key type have been removed from the OpenPGP standard, and thus from GnuPG. Please do not confuse Elgamal signatures with DSA or DSS signatures or with Elgamal encryption. Elgamal signatures were very rarely used and were not supported in any product other than GnuPG. Elgamal encryption was and still is part of OpenPGP and GnuPG.

Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary to OpenPGP) Elgamal key type. While no recent version of GnuPG permitted the generation of such keys, GnuPG 1.2 could still use them. GnuPG 1.4 no longer allows the use of these keys or the (also nonstandard) messages generated using them.

At build time, it is possible to select which algorithms will be built into GnuPG. This can be used to build a smaller program binary for embedded uses where space is tight.

Keyserver Changes
-----------------

GnuPG 1.4 does all keyserver operations via plugin or helper applications. This allows the main GnuPG program to be smaller and simpler. People who package GnuPG for various reasons have the flexibility to include or leave out support for any keyserver type as desired.

Support for fetching keys via HTTP and finger has been added. This is mainly useful for setting a preferred keyserver URL like "http://www.jabberwocky.com/key.asc" or "finger:wk@g10code.com".

The LDAP keyserver helper now supports storing, retrieving, and searching for keys in both the old NAI "LDAP keyserver" as well as the more recent method to store OpenPGP keys in standard LDAP servers. This is compatible with the storage schema that PGP uses, so both products can interoperate with the same LDAP server.

The LDAP keyserver helper is compatible with the PGP company's new "Global Directory" service.

If the LDAP library you use supports LDAP-over-TLS and LDAPS, then GnuPG detects this and supports them as well. Note that using TLS or LDAPS does not improve the security of GnuPG itself, but may be useful in certain key distribution scenarios.

HTTP Basic authentication is now supported for all HKP and HTTP keyserver functions, either through a proxy or via direct access.

The HKP keyserver plugin supports the new machine-readable key listing format for those keyservers that provide it.

IPv6 is supported for HKP and HTTP keyserver access.

When using a HKP keyserver with multiple DNS records (such as subkeys.pgp.net which has the addresses of multiple servers around the world), all DNS address records are tried until one succeeds. This prevents a single down server in the rotation from stopping access.

DNS SRV records are used in HKP keyserver lookups to allow administrators to load balance and select keyserver ports automatically.

Timeout support has been added to the keyserver plugins. This allows users to set an upper limit on how long to wait for the keyserver before giving up.

Preferred Keyserver URL
-----------------------

Preferred keyserver support has been added. Users may set a preferred keyserver via the --edit-key command "keyserver". If the --keyserver-option honor-keyserver-url is set (and it is by default), then the preferred keyserver is used when refreshing that key with --refresh-keys.

The --sig-keyserver-url option can be used to inform signature recipients where the signing key can be downloaded. When verifying the signature, if the signing key is not present, and the keyserver options honor-keyserver-url and auto-key-retrieve are set, this URL will be used to retrieve the key.

Trust Signatures
----------------

GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to specify the trust level and distance from the user along with the signature so users can delegate different levels of certification ability to other users, possibly restricted by a regular expression on the user ID.

Trust Models
------------

GnuPG 1.4 supports several ways of looking at trust:

  Classic - The classic PGP trust model, where people sign each other's keys and thus build up an assurance (called "validity") that the key belongs to the right person. This was the default trust model in GnuPG 1.2.

  Always - Bypass all trust checks, and make all keys fully valid.

  Direct - Users may set key validity directly.

  PGP - The PGP 7 and 8 behavior which combines Classic trust with trust signatures overlaid on top. This is the default trust model in GnuPG 1.4.

The OpenPGP Smartcard
---------------------

GnuPG 1.4 supports the OpenPGP smartcard ()

Secret keys may be kept fully or partially on the smartcard. The smartcard may be used for primary keys or subkeys.
Other Interesting New Features
------------------------------

For those using Security-Enhanced Linux , the configure option --enable-selinux-support prevents GnuPG from processing its own files (i.e. reading the secret keyring for something other than getting a secret key from it). This simplifies writing ACLs for the SELinux kernel.

Readline support is now available at all prompts if the system provides a readline library.

GnuPG can now create messages that can be decrypted with either a passphrase or a secret key. These messages may be generated with --symmetric --encrypt or --symmetric --sign --encrypt.

--list-options and --verify-options allow the user to customize exactly what key listings or signature verifications look like, enabling or disabling things such as photo display, preferred keyserver URL, calculated validity for each user ID, etc.

The --primary-keyring option designates the keyring that the user wants new keys imported into.

The --hidden-recipient (or -R) command encrypts to a user, but hides the identity of that user. This is the same functionality as --throw-keyid, but can be used on a per-user basis.

Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1") anywhere algorithm names are used in GnuPG.

The --keyid-format option selects short (99242560), long (DB698D7199242560), 0xshort (0x99242560), or 0xlong (0xDB698D7199242560) key ID displays. This lets users tune the display to what they prefer.

While it is not recommended for extended periods, it is possible to run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in this, GnuPG 1.4 tries to load a config file suffixed with its version before it loads the default config file. For example, 1.4 will try for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular gpg.conf file.

From wk at gnupg.org Thu Dec 16 22:17:10 2004
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:36 2005
Subject: [Announce] Updated GnuPG 1.4.0 Windows binary
In-Reply-To: <87zn0egnq7.fsf@wheatstone.g10code.de> (Werner Koch's message of "Thu, 16 Dec 2004 18:24:48 +0100")
References: <87zn0egnq7.fsf@wheatstone.g10code.de>
Message-ID: <87u0qmdju1.fsf@wheatstone.g10code.de>

Hello!

a couple of hours ago we announced GnuPG 1.4.0, claiming that a compiled version for MS Windows is also available. Unfortunately that Windows version has a severe bug which makes it pretty unusable.

To fix this a new binary version has been released. The old file has been removed from the server and the new one has been given the version number 1.4.0a. If you already downloaded gnupg-w32cli-1.4.0.zip, you should replace that with the new one:

  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip (1627k)
  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip.sig

The SHA1 checksum of the zip file is:

  28be01b7f8eaa29db73d11bf8b9504e823c07c2b  gnupg-w32cli-1.4.0a.zip

I apologize for my silliness of not properly testing the Windows version.

Salam-Shalom,

  Werner

--
Werner Koch                        The GnuPG Experts http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org

The change to the 1.4.0 code is:

diff -u -r1.71 iobuf.c --- util/iobuf.c 6 Dec 2004 10:32:20 -0000 1.71 +++ util/iobuf.c 16 Dec 2004 19:30:27 -0000
@@ -146,7 +146,7 @@ || (*a == '\' && *b == '/')) ) break; } - return *(const unsigned *)a - *(const unsigned *)b; + return *(const unsigned char *)a - *(const unsigned char *)b; #else return strcmp (a, b); #endif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20041216/43ecc9ec/attachment.pgp From wk at gnupg.org Tue Dec 28 11:54:32 2004 
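Review bot: the corrected `return` line should carry a short comment saying why the cast must be `const unsigned char *`. The removed line dereferenced `const unsigned *`, so it subtracted two whole `unsigned` values read through the string pointers rather than the single byte at which the loop stopped; the result then depended on the bytes that follow and the read could run past the terminating NUL. A one-line comment such as "compare the differing byte as unsigned char, like strcmp" and a regression test comparing two file names that differ only in their last character would keep this from coming back. It is also worth confirming that the `'\'` literal in the context line is `'\\'` in the actual source, since as shown it is not a valid character constant.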
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:36 2005
Subject: [Announce] GnuPG 1.2.7 released
Message-ID: <87wtv2g0bb.fsf@wheatstone.g10code.de>

Hello!

As promised in the announcement of GnuPG 1.4.0 [1], we are now pleased
to announce the availability of GnuPG 1.2.7.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440.

This release merely fixes a few minor bugs and updates a few
translations. It will be the last regular release of the 1.2.x series
as this series will enter *end of life status on January 1, 2005*,
after which it will only be updated for security critical bugs.
Please use the stable 1.4.x series of GnuPG unless you have good
reasons to keep on using 1.2.x.

Getting the Software
====================

GnuPG 1.2.7 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.2.7.tar.bz2 (2.5M)
  gnupg-1.2.7.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.2.7.tar.gz (3.6M)
  gnupg-1.2.7.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.2.6-1.2.7.diff.gz (296k)

      A patch file to upgrade a 1.2.6 GnuPG source.

Select one of them. To shorten the download time, you probably want
to get the BZIP2 compressed file. Please try another mirror if
exceptionally your mirror is not yet up to date.

Note that there is no binary version for Windows because it is
suggested to switch over to 1.4. On public demand we would provide a
Windows version, though.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-1.2.7.tar.bz2 you would use this
   command:

     gpg --verify gnupg-1.2.7.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note that you can retrieve the signing key using "finger wk
   'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
   keyservers. I recently prolonged the expiration date; thus you
   might need a fresh copy of that key.

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation!

 * If you are not able to use an old version of GnuPG, you have to
   verify the SHA1 checksum. Assuming you downloaded the file
   gnupg-1.2.7.tar.bz2, you would run the md5sum command like this:

     sha1sum gnupg-1.2.7.tar.bz2

   and check that the output matches the first line from the
   following list:

c8e47066e5bb61d74f4001b51117bf3a56a7dd3b  gnupg-1.2.7.tar.bz2
010f8b48bccea11831be316fe802eb0e43f4fcc3  gnupg-1.2.7.tar.gz
e2bf91f93b7292cb6aac5eb5acccceb623bc1652  gnupg-1.2.6-1.2.7.diff.gz

Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run
the script tools/convert-from-106 once. Please note also that due to
a bug in versions prior to 1.0.6 it may not be possible to downgrade
to such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org. Please direct questions to the
gnupg-users@gnupg.org mailing list.

What's New
===========

Here is a list of major user visible changes since 1.2.6:

 * New "pgpgroup-to-gpggroup" script (in the tools directory) to
   convert from PGP 6 group syntax to GnuPG group syntax.

 * Translation update and minor bug fixes.

Internationalization
====================

GnuPG comes with support for 28 languages:

  American English              Indonesian (id)
  Bela-Russian (be)[*]          Italian (it)
  Catalan (ca)                  Japanese (ja)[*]
  Czech (cs)                    Polish (pl)
  Danish (da)[*]                Brazilian Portuguese (pt_BR)[*]
  Dutch (nl)                    Portuguese (pt)[*]
  Esperanto (eo)[*]             Romanian (ro)
  Estonian (et)                 Russian (ru)
  Finnish (fi)                  Slovak (sk)
  French (fr)                   Spanish (es)
  Galician (gl)[*]              Swedish (sv)
  German (de)                   Traditional Chinese (zh_TW)[*]
  Greek (el)                    Simplified Chinese (zh_CN)
  Hungarian (hu)                Turkish (tr)

Languages marked with [*] were not updated for this release and you
may notice untranslated messages. Many thanks to the translators for
their ongoing support of GnuPG.

A happy New Year,

  The GnuPG Team (David, Timo and Werner)

[1] http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000186.html

--
Werner Koch
The GnuPG Experts                  http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org
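
The checksum path described under "Checking the Integrity" above, as an added shell example that is not part of the original announcement: it looks up the entry for the downloaded file by name in a saved copy of the announced SHA-1 list and fails closed when the file is not listed. The list file, the function names and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the announcement): check a download against a
# saved copy of the announced SHA-1 list, "<40 hex digits> <file name>"
# per line. Function names and exit codes are assumptions of this example.

# Print the lowercase SHA-1 digest of a file with whichever tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    else
        openssl dgst -sha1 "$1" | awk '{print tolower($NF)}'
    fi
}

# check_announced FILE LIST
# Returns 0 on match, 1 on mismatch, 2 if FILE or LIST is unreadable or
# FILE has no entry in LIST (fail closed rather than guess).
check_announced() {
    file=$1
    list=$2
    [ -r "$file" ] && [ -r "$list" ] || return 2
    name=$(basename "$file")
    # Select the entry by exact file name, not by its position in the list.
    want=$(awk -v n="$name" \
        '$2 == n && $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 40 {
             print tolower($1); exit }' "$list")
    [ -n "$want" ] || return 2
    have=$(sha1_of "$file") || return 2
    [ "$have" = "$want" ]
}

# Stand-alone use: sh check.sh gnupg-1.2.7.tar.bz2 announced-sha1.txt
if [ "$#" -eq 2 ]; then
    check_announced "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK: $1 matches the announced SHA-1" ;;
        1) echo "MISMATCH: $1 differs from the announced SHA-1" >&2 ;;
        *) echo "UNVERIFIED: $1 is unreadable or not in the list" >&2 ;;
    esac
    exit "$rc"
fi
```

A matching checksum only shows that the file is the one the list describes; the list itself has to come from an announcement whose signature was checked.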