From kfitzner at excelcia.org Mon Jul 18 04:58:16 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Mon Jul 18 15:38:33 2005 Subject: [Announce] GPGee (GnuPG Explorer Extension) version 1.1.1 released Message-ID: <87mzok3b7c.fsf@wheatstone.g10code.de> Hello all, I have released version 1.1.1 of GPGee. This is a minor update to 1.1 to answer a couple user requests. Changes are: - Configuration entry added to set the way encryption Key IDs are displayed for subkeys. Encryption subkeys used to be displayed showing their subkey key ID. Now the default is to display the key ID of the parent key. This brings GPGee in line with most other GnuPG front ends. A configuration entry has been added so that (the very few) people who prefer the old behavior can still have it. - The length of time it takes for the sign/encrypt window to appear has been further reduced for people with very large keyrings. GPGee 1.1.1 installer and source are available from http://gpgee.excelcia.org For those that aren't familliar with GPGee, it is a GnuPG Explorer Extension for Windows. It adds GnuPG sign/encrypt/verify/decrypt support to the Windows explorer right-click context menu. See the web site above for a fuller list of features. Kurt Fitzner [reposted by moderator] From wk at gnupg.org Wed Jul 27 09:53:27 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jul 27 10:51:57 2005 Subject: [Announce] GnuPG 1.4.2 released Message-ID: <87sly0sn0o.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG release: Version 1.4.2 The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. Getting the Software ==================== Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 1.4.2 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.4.2.tar.bz2 (2.8M) gnupg-1.4.2.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-1.4.2.tar.gz (4.0M) gnupg-1.4.2.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.4.1-1.4.2.diff.bz2 (939k) A patch file to upgrade a 1.4.1 GnuPG source. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.4.2.exe (1.4M) gnupg-w32cli-1.4.2.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and now comes with a graphical installer tool. The source files are the same as given above. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.2.tar.bz2 you would use this command: gpg --verify gnupg-1.4.2.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using "finger wk 'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the keyservers. From time to time I prolong the expiration date; thus you might need a fresh copy of that key. Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.2.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.2.tar.bz2 and check that the output matches the first line from the following list: 6eda5b090f9f1ac0da5e8b545e2667220a0e89ca gnupg-1.4.2.tar.bz2 cc7e9a5268bf309ac652a7343b62dff8cfb68d38 gnupg-1.4.2.tar.gz ca0180b5e5d6ee78c68c701f6ded2d9008bf7608 gnupg-1.4.1-1.4.2.diff.bz2 8394920be8d2daa764e94d4bd5869853a3f293b8 gnupg-w32cli-1.4.2.exe Upgrade Information =================== If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt . If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list. What's New =========== * New command "verify" in the card-edit menu to display the Private-DO-3. The Admin command has been enhanced to take the optional arguments "on", "off" and "verify". The latter may be used to verify the Admin Pin without modifying data; this allows displaying the Private-DO-4 with the "list" command. * Rewrote large parts of the card code to optionally make use of a running gpg-agent. If --use-agent is being used and a gpg-agent with enabled scdaemon is active, gpg will now divert all card operations to that daemon. This is required because both, scdaemon and gpg require exclusive access to the card reader. By delegating the work to scdaemon, both can peacefully coexist and scdaemon is able to control the use of the reader. Note that this requires at least gnupg 1.9.17. * Fixed a couple of problems with the card reader. * Command completion is now available in the --edit-key and --card-edit menus. Filename completion is available at all filename prompts. Note that completion is only available if the system provides a readline library. * New experimental HKP keyserver helper that uses the cURL library. It is enabled via the configure option --with-libcurl like the other (also experimental) cURL helpers. Please make sure to also apply the attached patch. * New key cleaning options that can be used to remove unusable (expired, revoked) signatures from a key. This is available via the new "clean" command in --edit-key on a key by key basis, as well as via the import-clean-sigs/import-clean-uids and export-clean-sigs/export-clean-uids options for --import-options and --export-options. These are currently off by default, and replace the import-unusable-sigs/export-unusable-sigs options from version 1.4.1. * New export option export-reset-subkey-passwd. * New option --limit-card-insert-tries. Internationalization ==================== GnuPG comes with support for 28 languages: American English Indonesian (id)[*] Bela-Russian (be)[*] Italian (it)[*] Catalan (ca)[*] Japanese (ja)[*] Czech (cs) Polish (pl)[*] Danish (da)[*] Brazilian Portuguese (pt_BR)[*] Dutch (nl)[*] Portuguese (pt)[*] Esperanto (eo)[*] Romanian (ro) Estonian (et)[*] Russian (ru) Finnish (fi)[*] Slovak (sk)[*] French (fr) Spanish (es) Galician (gl)[*] Swedish (sv)[*] German (de) [*] Traditional Chinese (zh_TW) Greek (el) [*] Simplified Chinese (zh_CN) Hungarian (hu) [*] Turkish (tr) Languages marked with [*] have not been updated for this release and you will most likely notice untranslated messages. Many thanks to the translators who updated their work in time. Future Directions ================= GnuPG 1.4.x is the current stable branch and will be kept as the easy to use and build single-executable versions. We plan to backport new features from the development series to 1.4. GnuPG 1.9.x is the new development series of GnuPG. This version merged the code from the Aegypten project and thus it includes the gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The design is different to the previous versions and we may not support all ancient systems - thus POSIX compatibility will be an absolute requirement for supported platforms. 1.9 is as of now based on an somewhat older 1.3 code but will peacefully coexist with other GnuPG versions. Support ======= Developing and maintaining GnuPG and related software is nothing one can do in the evening or on weekends. We all spend a lot of time and money on it. David is actually doing this in his spare time beside his day job; g10 Code employs Timo and Werner to work on this software and would appreciate to refinance it by entering into support contracts or other contributions. Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team (David, Timo and Werner) p.s. A few hours too late we found a bug in the cURL based helper programs which makes cURL based LDAP support unusable. Given that --with-libcurl is not the default we did not offtake the release but ask you to apply the patch below. diff -u -p -r1.90 -r1.91 --- g10/keyserver.c 22 Jul 2005 16:28:40 -0000 1.90 +++ g10/keyserver.c 27 Jul 2005 01:24:57 -0000 1.91 @@ -860,7 +860,9 @@ curl_can_handle(const char *scheme) static const char * keyserver_typemap(const char *type) { - if(strcmp(type,"ldaps")==0) + if(strcmp(type,"ldap")==0) + return "ldap"; + else if(strcmp(type,"ldaps")==0) return "ldap"; else if(curl_can_handle(type)) return "curl"; -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 199 bytes Desc: not available Url : /pipermail/attachments/20050727/16e8a9c0/attachment.pgp From kfitzner at excelcia.org Sat Jul 30 00:29:18 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sat Jul 30 13:54:35 2005 Subject: [Announce] GPGee version 1.1.2 - Important Security Update Message-ID: <42EAADBE.901@excelcia.org> Version 1.1.2 of GPGee has been released. This release fixes a newly identified security issue. In previous versions of GPGee, the mechanism that was intended to overwrite passphrases after they were used had a flaw that prevented this from occuring. This makes is more likely (though still not very) that a passphrase could end up being written in the clear to the Windows swap file. In addition to fixing the above issue, version 1.1.2 has much more robust internal handling of passphrases all around. All memory used for passphrase handling is now locked to prevent it being swapped out. Also, a better caching mechanism is in place to cache all passphrases entered during a single verify/decrypt operation. You never have to enter a passphrase for a particular key more than once when multiple files are verified/decrypted in a single operation. For security reasons, passphrases are still not ever cached longer than a single operation. For those of you who are unfamilliar with the program, GPGee is the GnuPG Explorer Extension - a Windows shell extension front end for GnuPG that gives you access to GnuPG functionality directly through the Windows explorer right-click context menu. More information (including a full discussion of the new version, the security flaw, and its implications) and downloads are available from: http://gpgee.excelcia.org Kurt Fitzner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 546 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050729/09831eb0/signature.pgp From kfitzner at excelcia.org Tue Sep 6 16:09:57 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Sep 6 17:06:25 2005 Subject: [Announce] GnuPG Explorer Extension (GPGee) version 1.2.0 released Message-ID: <431DA335.6020304@excelcia.org> Version 1.2.0 of GPGee has been released - head to the homepage at http://gpgee.excelcia.org to download it. New features include: - Support for creating signatures with more than one key at once. - Support for verifying multi-signed documents. - Automated new version checking (this was actually added in 1.1.3 but that version was unannounced) - Can automatically change the status of source files to read-only after they are signed. Useful for cases where a certain type of file's reader (MS Excel with spreadsheets is one) changes the file when it is opened even if it isn't edited. Since this would invalidate a signature, you can now have GPGee set the file read-only. In addition to that, there are a few bug fixes incorporated for good measure. For those that aren't familliar with GPGee, it is a Windows shell extension that adds GnuPG support to explorer's right-click menu. You can sign, sign+encrypt, encrypt, verify, and decrypt files right from within the Windows explorer. From kfitzner at excelcia.org Thu Sep 8 14:41:58 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Fri Sep 9 13:48:59 2005 Subject: [Announce] GnuPG Explorer Extension (GPGee) Version 1.2.1 Released Message-ID: <43203196.8080806@excelcia.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Version 1.2.1 of GPGee has now been released and is available at http://gpgee.excelcia.org. This is mainly a bugfix release to correct a couple of functional bugs that appeared shortly after 1.2.0 was released. Bugs fixes include: - - Performing sign+encrypt no longer results in GPGee causing Explorer to hang. - - Change in the URL used for the automatic version check (the previous URL pointed at an ISP that cached its web pages, causing repeated notices to "upgrade" to an earlier version). - - Version now only occurs once per day as it was intended. Additionally, the version checking now compares build numbers rather than performing a simple string equality check. There should never again, regardless of ISP problems, be a notice to upgrade to an earlier version. There is one added feature for 1.2.1, designed to work with the multi-key signatures added in 1.2.0. It is now possible to append new signatures to an existing detached signature. In this way you can have one person sign a document, give the document and signature to another person at another maching and that person can add another signature. For those that aren't familliar with GPGee, it is a Windows shell extension that adds GnuPG support to explorer's right-click menu. You can sign, sign+encrypt, encrypt, verify, and decrypt files right from within the Windows explorer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQyAxlt366Kf2Ie2tAQMpqAf+LzFDQ+T30gUwQR1sOP7FmXx8rWZgWOWE 2yKh6BAnINyL8SUnojU1gClgdpeJ/JS87d0//WJaE9z96kv+VR5/qKlpTqbQtTSB 68NOnk1Iszc6NLpRGe2sHxssJSVxnEUKvAfevLGW3JEdeCkenJ1CVbY184eFu5JM Xxc9yrWy6M2gELM56+BIA2f2Zaj9smTybCwhcCnsqgGJvosXttnFeS1Vw2K3aTP1 wFpeWT7Posn0BrquF+5YBsOVJuFgEdJrxXM+546nti3FWiT+iG/Pp/aMaXGZyjFQ p8d+F+8F3Av44UXw2Nw4BxN3JaUQVaxq1i4cnz6mWvxPDF8b/UUmkQ== =/eNV -----END PGP SIGNATURE----- From wk at gnupg.org Mon Sep 12 15:29:20 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 12 15:31:04 2005 Subject: [Announce] GnuPG 1.9.19 (S/MIME and gpg-agent) released Message-ID: <87y862o1n3.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of GnuPG 1.9.19 - the branch of GnuPG featuring the S/MIME protocol. You should consider using GnuPG 1.9 if you want to use the GPG-AGENT or GPGSM. The GPG-AGENT is also helpful when using the stable GPG version 1.4 or if you want to check out its ssh-agent replacement feature. GnuPG 1.9 is the current development version of GnuPG. Despite of that, most parts (in particular GPG-AGENT and GPGSM) are considered ready for production use. Please keep on using GnuPG 1.4.x for OpenPGP; 1.9 and 1.4 may - and actually should - be installed simultaneously. This is basically a bug fix release with one new feature. * The Belgian eID card is now supported for signatures and ssh. Other pkcs#15 cards should work as well. * Fixed bug in --export-secret-key-p12 so that certificates are again included. You may download it from one of the mirrors as listed at http://www.gnupg.org/download/mirrors.html or direct from the master server ftp://ftp.gnupg.org: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.19.tar.bz2 (1719k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.19.tar.bz2.sig or as a patch against the previous release: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.18-1.9.19.diff.bz2 (22k) SHA-1 checksums for the above files are: aa37fbf9f25df52fcd1a957404e78efdf9c576cc gnupg-1.9.19.tar.bz2 2d0dbd0ca60ebc79fb49d99e47222c55784bb9b8 gnupg-1.9.18-1.9.19.diff.bz2 For help on installing or running GnuPG 1.9 you should send mail to the gnupg-users mailing list or to one of the country specific lists. See http://www.gnupg.org/documentation/mailing-lists.html . Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by gpg's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. Happy hacking, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 199 bytes Desc: not available Url : /pipermail/attachments/20050912/b74775be/attachment.pgp