From chris at anthum.com Tue Dec 9 21:26:36 2025
From: chris at anthum.com (chris at anthum.com)
Date: Tue, 9 Dec 2025 13:26:36 -0700
Subject: macOS recommended build options

Can anyone recommend which ./configure options to enable/disable for general users on macOS? I'm creating a new v2.5.x macOS Homebrew formula (pre-built package) for macOS users, because Homebrew currently only provides 1.8/2.2:

    $ brew search gnupg
    gnupg@1.4
    gnupg@2.2

Proposed config:

    GnuPG v2.5.13 has been configured as follows:

            Revision:  b39a02981  (45978)
            Platform:  Darwin (x86_64-apple-darwin24.6.0)

            OpenPGP:   yes
            S/MIME:    yes
            Agent:     yes
            Smartcard: yes
            TPM:       no
            G13:       no
            Dirmngr:   no
            Keyboxd:   yes
            Gpgtar:    yes
            WKS tools: yes

            Protect tool:       (default)
            LDAP wrapper:       (default)
            Default agent:      (default)
            Default pinentry:   /usr/local/opt/pinentry/bin/pinentry
            Default scdaemon:   (default)
            Default keyboxd:    (default)
            Default tpm2daemon: (default)
            Default dirmngr:    (default)

            Dirmngr auto start: yes
            Readline support:   yes
            LDAP support:       n/a
            TLS support:        no
            TOFU support:       yes
            Tor support:        only .onion

Homebrew's v2.2 current formula:
https://github.com/Homebrew/homebrew-core/blob/c68118c10299278de2cc69ca19acae262127b375/Formula/g/gnupg.rb#L56-L61

From rjh at sixdemonbag.org Wed Dec 10 10:35:12 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 10 Dec 2025 04:35:12 -0500
Subject: macOS recommended build options

> Can anyone recommend which ./configure options to enable/disable for
> general users on macOS? I'm creating a new v2.5.x macOS Homebrew
> formula (pre-built package) for macOS users, because Homebrew currently
> only provides 1.8/2.2:

On the contrary:

    /opt/homebrew/bin/gpg --version
    gpg (GnuPG) 2.4.8
From chris at anthum.com Wed Dec 10 20:05:06 2025
From: chris at anthum.com (chris at anthum.com)
Date: Wed, 10 Dec 2025 12:05:06 -0700
Subject: macOS recommended build options

Thanks Robert, my mistake. I submitted a new v2.5 Homebrew formula that maintains feature parity with Homebrew's current release build (v2.4.8):
https://github.com/Homebrew/homebrew-core/pull/257998

From chris at anthum.com Sat Dec 13 06:24:07 2025
From: chris at anthum.com (chris at anthum.com)
Date: Fri, 12 Dec 2025 22:24:07 -0700
Subject: GnuPG dev account request

May I please have an account for https://dev.gnupg.org?

anthumchris

From noe at xn--no-cja.eu Sat Dec 13 22:19:39 2025
From: noe at xn--no-cja.eu (Noé Lopez)
Date: Sat, 13 Dec 2025 22:19:39 +0100
Subject: Where are the GPGME python bindings?
Message-ID: <87v7iayt90.fsf@xn--no-cja.eu>

Hi,

In the GPGME 2.0 release and documentation[1,2], it's mentioned that the Python bindings have been moved to a separate repository, as well as other bindings. I could find repositories for the QT and C++ bindings, but couldn't find the Python bindings. Could you provide me with a link?

Thanks in advance,
Noé Lopez

[1] NEWS in GPGME repository
[2] https://dev.gnupg.org/T7262

From chris at anthum.com Sun Dec 14 00:49:58 2025
From: chris at anthum.com (chris at anthum.com)
Date: Sat, 13 Dec 2025 16:49:58 -0700
Subject: Where are the GPGME python bindings?
In-Reply-To: <87v7iayt90.fsf@xn--no-cja.eu>
References: <87v7iayt90.fsf@xn--no-cja.eu>

> I could find repositories for the QT and C++ bindings, but couldn't find
> the Python bindings. Could you provide me with a link?
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgmepy.git
https://github.com/gpg/gpgmepy (mirror)

perhaps those?

From noe at xn--no-cja.eu Mon Dec 15 12:14:35 2025
From: noe at xn--no-cja.eu (Noé Lopez)
Date: Mon, 15 Dec 2025 12:14:35 +0100
Subject: Where are the GPGME python bindings?
References: <87v7iayt90.fsf@xn--no-cja.eu>
Message-ID: <87fr9cyp2c.fsf@xn--no-cja.eu>

chris at anthum.com writes:

>> I could find repositories for the QT and C++ bindings, but couldn't find
>> the Python bindings. Could you provide me with a link?
>
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgmepy.git
> https://github.com/gpg/gpgmepy (mirror)
>
> perhaps those?

That looks right, thanks! I was originally looking in .

From kloecker at kde.org Mon Dec 15 21:13:41 2025
From: kloecker at kde.org (Ingo Klöcker)
Date: Mon, 15 Dec 2025 21:13:41 +0100
Subject: Where are the GPGME python bindings?
In-Reply-To: <87fr9cyp2c.fsf@xn--no-cja.eu>
References: <87v7iayt90.fsf@xn--no-cja.eu> <87fr9cyp2c.fsf@xn--no-cja.eu>
Message-ID: <2201841.9o76ZdvQCi@daneel>

On Monday, 15 December 2025 12:14:35 Central European Standard Time Noé Lopez via Gnupg-users wrote:
> chris at anthum.com writes:
> >> I could find repositories for the QT and C++ bindings, but couldn't find
> >> the Python bindings. Could you provide me with a link?
> >
> > https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgmepy.git
> > https://github.com/gpg/gpgmepy (mirror)
> >
> > perhaps those?
>
> That looks right, thanks! I was originally looking in
> .

Then you seem to have overlooked it because it is listed at
https://dev.gnupg.org/diffusion/

There isn't much activity so that you have to scroll down a bit or simply search for Python.

Regards,
Ingo
From noe at xn--no-cja.eu Mon Dec 15 23:51:27 2025
From: noe at xn--no-cja.eu (Noé Lopez)
Date: Mon, 15 Dec 2025 23:51:27 +0100
Subject: Where are the GPGME python bindings?
In-Reply-To: <2201841.9o76ZdvQCi@daneel>
References: <87v7iayt90.fsf@xn--no-cja.eu> <87fr9cyp2c.fsf@xn--no-cja.eu> <2201841.9o76ZdvQCi@daneel>
Message-ID: <87bjjzz7dc.fsf@xn--no-cja.eu>

Ingo Klöcker writes:

> On Monday, 15 December 2025 12:14:35 Central European Standard Time Noé Lopez
> via Gnupg-users wrote:
>> chris at anthum.com writes:
>> >> I could find repositories for the QT and C++ bindings, but couldn't find
>> >> the Python bindings. Could you provide me with a link?
>> >
>> > https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgmepy.git
>> > https://github.com/gpg/gpgmepy (mirror)
>> >
>> > perhaps those?
>>
>> That looks right, thanks! I was originally looking in
>> .
>
> Then you seem to have overlooked it because it is listed at
> https://dev.gnupg.org/diffusion/
>
> There isn't much activity so that you have to scroll down a bit or simply
> search for Python.

Oh! I figured it out, it doesn't show when searching "gpgme". Looks like there's a typo and it's titled "Ggme Python bindings".

Have a nice day,
Noé

From ebo at gnupg.org Tue Dec 16 11:00:43 2025
From: ebo at gnupg.org (ebo at gnupg.org)
Date: Tue, 16 Dec 2025 11:00:43 +0100
Subject: Where are the GPGME python bindings?
In-Reply-To: <87bjjzz7dc.fsf@xn--no-cja.eu>
References: <87v7iayt90.fsf@xn--no-cja.eu> <2201841.9o76ZdvQCi@daneel> <87bjjzz7dc.fsf@xn--no-cja.eu>
Message-ID: <8577621.KF7fkY60pq@jackson>

Hi!

On Monday, 15 December 2025 23:51:27 CET Noé
Lopez via Gnupg-users wrote:
> I figured it out, it doesn't show when searching "gpgme". Looks like
> there's a typo and it's titled "Ggme Python bindings".

Thanks for pointing that out, the typo is fixed now.

Regards,
Eva

From igor.ageyev1 at gmail.com Tue Dec 23 20:48:57 2025
From: igor.ageyev1 at gmail.com (Igor Ageyev)
Date: Tue, 23 Dec 2025 12:48:57 -0700
Subject: gpg with Amazon CloudHSM
Message-ID: <34A8815A-06AB-4E55-B0E4-7F720304411D@gmail.com>

Hi everybody,

I am trying to help my coworker who is struggling with getting pgp working with AWS CloudHSM using the CloudHSM pkcs11 library and scdaemon. He created an RSA 2048 key within the HSM and is able to see it with pkcs-tool. When he connects with gpg-agent and issues SCD LEARN to get the keygrips, he gets

    S SERIALNO ...
    S APPTYPE PKCS11
    OK

No key information is printed. We've turned up verbosity and debug level but did not see any errors or warnings printed that would point to an error. This is on a Debian derivative if that matters.

Has anybody gotten gpg working with CloudHSM? Any pointers on troubleshooting?

Thank you in advance.
Igor

From suunj1331 at gmail.com Sat Dec 27 03:49:06 2025
From: suunj1331 at gmail.com (suunj)
Date: Sat, 27 Dec 2025 11:49:06 +0900
Subject: Request for dev.gnupg.org account

Hello, I would like to request an account on dev.gnupg.org to report bugs and contribute to the project.

Preferred username: suunj1331
Email: suunj1331 at gmail.com

Thank you.

From chris at anthum.com Sat Dec 27 19:34:17 2025
From: chris at anthum.com (chris at anthum.com)
Date: Sat, 27 Dec 2025 19:34:17 +0100
Subject: gpg with Amazon CloudHSM
In-Reply-To: <34A8815A-06AB-4E55-B0E4-7F720304411D@gmail.com>
References: <34A8815A-06AB-4E55-B0E4-7F720304411D@gmail.com>

> Has anybody gotten gpg working with CloudHSM? Any pointers on troubleshooting?
No experience, but they list known issues below, with a specific page for PKCS #11

https://docs.aws.amazon.com/cloudhsm/latest/userguide/KnownIssues.html
https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html

From igor.ageyev1 at gmail.com Sun Dec 28 04:51:49 2025
From: igor.ageyev1 at gmail.com (Igor Ageyev)
Date: Sat, 27 Dec 2025 20:51:49 -0700
Subject: gpg with Amazon CloudHSM
References: <34A8815A-06AB-4E55-B0E4-7F720304411D@gmail.com>

On Dec 27, 2025, at 11:34 AM, chris at anthum.com wrote:
>
>> Has anybody gotten gpg working with CloudHSM? Any pointers on troubleshooting?
>
> No experience, but they list known issues below, with a specific page
> for PKCS #11
>
> https://docs.aws.amazon.com/cloudhsm/latest/userguide/KnownIssues.html
> https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html

Thank you, I did see that. Nothing in the list of known issues explains the problem we are seeing, unfortunately.

Regards,
Igor Ageyev

From wk at gnupg.org Mon Dec 29 11:29:33 2025
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Dec 2025 11:29:33 +0100
Subject: gpg with Amazon CloudHSM
In-Reply-To: (chris@anthum.com's message of "Sat, 27 Dec 2025 19:34:17 +0100")
References: <34A8815A-06AB-4E55-B0E4-7F720304411D@gmail.com>
Message-ID: <87v7hppomq.fsf@jacob.g10code.de>

Hi!

> No experience, but they list known issues below, with a specific page
> for PKCS #11

GnuPG has no support for using a smartcard or HSM via PKCS#11. What we have is a pkcs#11 provider so that gpg-agent/scdaemon can be used by pkcs#11 aware applications. What we do instead is to implement the access to smartcards directly using the native APDU interface.
We have a feature request to use a pkcs#11 driver as backend: https://dev.gnupg.org/T6234 however the customer canceled the project and thus we have no use/business case for this.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From wk at gnupg.org Mon Dec 29 11:31:01 2025
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Dec 2025 11:31:01 +0100
Subject: Request for dev.gnupg.org account
In-Reply-To: (suunj via Gnupg-users's message of "Sat, 27 Dec 2025 11:49:06 +0900")
Message-ID: <87qzsdpoka.fsf@jacob.g10code.de>

On Sat, 27 Dec 2025 11:49, suunj said:

> Hello, I would like to request an account on dev.gnupg.org to report bugs
> and contribute to the project.

Confirmation mail is on the way.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From wk at gnupg.org Tue Dec 30 09:40:01 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Dec 2025 09:40:01 +0100
Subject: [Announce] GnuPG 2.5.16 released
Message-ID: <87qzscs6qm.fsf@jacob.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release: Version 2.5.16. This release adds new features and fixes a couple of bugs. Note that the 2.5 series is now declared the stable version of GnuPG. The oldstable 2.4 series will reach end-of-life in just 6 months.

The main features in the 2.5 series are improvements for 64 bit Windows and the introduction of Kyber (aka ML-KEM or FIPS-203) as PQC encryption algorithm.
Other than PQC support the 2.6 series will not differ a lot from 2.4 because the majority of changes are internal to make use of newer features from the supporting libraries.

What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation of the OpenPGP and S/MIME standards. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories.

GnuPG itself is a command line tool with features for easy integration with other applications. The separate library GPGME provides a uniform API to use the GnuPG engine by software written in common programming languages. A wealth of frontend applications and libraries making use of GnuPG are available. As a universal crypto engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Noteworthy changes in version 2.5.16 (2025-12-30)
=================================================

[compared to version 2.5.14]

  * gpg: Fix a validation bug when using keyboxd. [T7983]

  * gpg: Deprecate the option --not-dash-escaped and ignore the
    NotDashEscaped armor header. [T7901]

  * keyboxd: Fix migration to new schema. [T7892,rG81bb949755]

  * dirmngr: New compatibility flag "ocsp-sha256-certid" to support
    forthcoming libksba versions. [rG674aa54242]

  * Use a synchronous spawning method for the daemon processes under
    Windows. [T7716]

  * Avoid the function name thread_init to fix building on AIX. [T7958]

  * New translation to Georgian.

Release-info: https://dev.gnupg.org/T7995

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct from its primary file server. The list of mirrors can be found at .
Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.5.16.tar.bz2 (8109k)
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.5.16.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.5.16_20251230.exe (5571k)
  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.5.16_20251230.exe.sig

The source used to build this installer for 64-bit Windows is available as

  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.5.16_20251230.tar.xz (15M)
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.5.16_20251230.tar.xz.sig

This source tarball may also be used to download all required libraries at once to build a Unix version on any modern system. See the included README.

Debian Packages
===============

We also provide Debian style packages for a couple of Debian variants. See https://repos.gnupg.org/deb/gnupg/trixie/ or use the menu to switch to other distros/releases. If you encounter packaging problems please report them to the gnupg-devel mailing list. Due to the holidays it may take a few days until the packages are available.

Windows Installer
=================

A new beta version of Gpg4win is this time not available. Please wait for the upcoming Gpg4win 5.0 release.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.5.16.tar.bz2 you would use this command:

     gpg --verify gnupg-2.5.16.tar.bz2.sig gnupg-2.5.16.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.5.16.tar.bz2, you run the command like this:

     sha1sum gnupg-2.5.16.tar.bz2

   and check that the output matches the next line:

     3acefeef08c82a4d4a8ba36f95c2986fb925d359  gnupg-2.5.16.tar.bz2
     94cd33c1fb6ca8191f582afbdba8fcc7c1b04b5b  gnupg-w32-2.5.16_20251230.tar.xz
     250e1d3c3b4924188e6457a4c1f0d33ff2b2fe9e  gnupg-w32-2.5.16_20251230.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech, Dutch, French, Georgian, German, Italian, Japanese, Norwegian, Polish, Portuguese, Russian, Turkish, and Ukrainian being almost completely translated.

Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.
If you are using cleartext signatures in your application please read https://gnupg.org/blog/20251226-cleartext-signatures.html .

In case of build problems specific to this release please first check https://dev.gnupg.org/T7995 for updated information. We are sorry that due to ongoing DoS on this service, you may end up at a "is under maintenance page".

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest to send bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org.

If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html. If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and has mostly been financed by donations. A team of full-time employed developers and contractors are working exclusively on GnuPG and related software like Libgcrypt, GPGME, Kleopatra, Okular, and Gpg4win.

Fortunately, and this is still not common with free software, we have established a way of financing the development while keeping all our software free and freely available for everyone. Our model is similar to the way RedHat manages RHEL and Fedora: Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses. Thus customers may even build and distribute their own version of the software as long as they do not use our trademarks GnuPG Desktop® or GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, or helped with donations.
*Thank you all*

  Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list.

* List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  ed25519 2020-08-24 [SC] [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [SC] [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  rsa3072 2025-05-09 [SC] [expires: 2033-03-03]
  3B76 1AE4 E63B F351 9CE7 D63B ECB6 64CB E133 2EEF
  Alexander Kulbartsch (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

* Debian Package Signing Key:

The new Debian style packages are signed using this key:

  ed25519 2025-07-08 [SC] [expires: 2035-07-14]
  3209 7B71 9B37 45D6 E61D DA1B 85C4 5AE3 E1A2 B355
  GnuPG.org Package Signing Key

See the package website (https://repos.gnupg.org/deb/gnupg) for a list of supported distributions and a download link for the key.

--
Arguing that you don't care about the right to privacy because you have
nothing to hide is no different from saying you don't care about free
speech because you have nothing to say.           - Edward Snowden
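As an added example (not part of the announcement and not GnuPG's own code), the script below performs both integrity checks the announcement describes and adds the fingerprint comparison it asks for: a signature only counts if it was made by one of the four release keys listed above. It assumes gpg and either sha1sum or shasum are installed; the checksums and fingerprints are copied from this announcement, and the function names are the example's own.

```shell
# Verify a GnuPG 2.5.16 download: SHA-1 against the published list, and the
# detached OpenPGP signature against the published release signing keys.

# Release signing key fingerprints from the announcement (spaces removed).
RELEASE_FPRS="6DAA6E64A76D2840571B4902528897B826403ADA
AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
3B761AE4E63BF3519CE7D63BECB664CBE1332EEF
02F38DFF731FF97CB039A1DA549E695E905BA208"

# Published SHA-1 checksums for 2.5.16, copied from the announcement.
SHA1_LIST="3acefeef08c82a4d4a8ba36f95c2986fb925d359 gnupg-2.5.16.tar.bz2
94cd33c1fb6ca8191f582afbdba8fcc7c1b04b5b gnupg-w32-2.5.16_20251230.tar.xz
250e1d3c3b4924188e6457a4c1f0d33ff2b2fe9e gnupg-w32-2.5.16_20251230.exe"

# Print the SHA-1 of a file using whichever tool the platform provides
# (GNU coreutils sha1sum, or Perl shasum on macOS/BSD).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if the file's SHA-1 equals the expected value, 1 otherwise.
check_sha1() {
  file=$1
  expected=$2
  actual=$(sha1_of "$file")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Look the file name up in a "<sha1> <name>" list and verify the checksum.
# Returns 2 when the list has no entry for the file, so that a silently
# unverified download cannot pass as a good one.
check_against_list() {
  file=$1
  list=$2
  name=$(basename "$file")
  expected=$(printf '%s\n' "$list" | awk -v n="$name" '$2 == n { print $1 }')
  if [ -z "$expected" ]; then
    echo "no published checksum for $name" >&2
    return 2
  fi
  check_sha1 "$file" "$expected"
}

# Verify a detached signature and require that the signing key is one of the
# release keys. gpg reports a good signature on the status fd as
#   [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
# so both the signing and the primary fingerprint are compared to the list.
check_release_sig() {
  file=$1
  sig=$2
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  fprs=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; print $NF }')
  for f in $fprs; do
    printf '%s\n' "$RELEASE_FPRS" | grep -qx "$f" && return 0
  done
  echo "signature is good but not from a listed release key" >&2
  return 1
}

# Usage from the download directory (both checks must succeed):
#   check_against_list gnupg-2.5.16.tar.bz2 "$SHA1_LIST" &&
#   check_release_sig gnupg-2.5.16.tar.bz2 gnupg-2.5.16.tar.bz2.sig
```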
From chris at anthum.com Tue Dec 30 12:19:58 2025
From: chris at anthum.com (chris at anthum.com)
Date: Tue, 30 Dec 2025 12:19:58 +0100
Subject: macOS recommended build options

I published a Homebrew tap for gnupg@2.5
https://github.com/anthumchris/homebrew-tap

The Homebrew team recommended that until 2.6-stable is officially released:
https://github.com/Homebrew/homebrew-core/pull/257998#discussion_r2617113389

From wk at gnupg.org Tue Dec 30 14:55:00 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Dec 2025 14:55:00 +0100
Subject: macOS recommended build options
In-Reply-To: (chris@anthum.com's message of "Tue, 30 Dec 2025 12:19:58 +0100")
Message-ID: <87a4z0rs5n.fsf@jacob.g10code.de>

On Tue, 30 Dec 2025 12:19, chris at anthum.com said:

> The Homebrew team recommended that until 2.6-stable is officially released:
> https://github.com/Homebrew/homebrew-core/pull/257998#discussion_r2617113389

Because 2.4 will soon reach end-of-life, the 2.5 series is now declared the stable version. We don't bump up the version number to 2.6.0 but for some time keep major and minor at 2.5 - this is because 2.6.0 will be an LTS version and we plan to do some more feature updates on stable before declaring it LTS. The webpage has already been adjusted.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
From marius.spix at web.de Tue Dec 30 14:55:00 2025
From: marius.spix at web.de (Marius Spix)
Date: Tue, 30 Dec 2025 14:55:00 +0100
Subject: Unsafe configuration of the pinentry program
Message-ID: <20251230145500.15121588@rockhopper>

Dear GnuPG devs,

I wanted to point out a potential security concern about gpg-agent. I noted that an application with write access to a user's home directory can easily compromise gpg-agent by overriding the key pinentry-program in ~/.gnupg/gpg-agent.conf

This is a potential security risk, as it allows to switch the pinentry plugin with a malicious version, which can be used to steal passwords. I am not aware whether this vulnerability has ever been exploited, but it would be trivial to do so. Therefore, I wonder why no hardening mechanisms are used here.

In my opinion there should be additional checks, e. g. a restriction of allowed pinentry paths (e. g. only /usr/bin and /usr/local/bin), ownership checks (e. g. only allow binaries owned by root) or warnings, when a non-standard pinentry-program setting is used. What do you think?

Thank you very much for your time and for maintaining GnuPG.

Best regards

Marius Spix

From wk at gnupg.org Tue Dec 30 15:49:37 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Dec 2025 15:49:37 +0100
Subject: Unsafe configuration of the pinentry program
In-Reply-To: <20251230145500.15121588@rockhopper> (Marius Spix via Gnupg-users's message of "Tue, 30 Dec 2025 14:55:00 +0100")
References: <20251230145500.15121588@rockhopper>
Message-ID: <87v7hoqb26.fsf@jacob.g10code.de>

On Tue, 30 Dec 2025 14:55, Marius Spix said:

> directory can easily compromise gpg-agent by overriding the key
> pinentry-program in ~/.gnupg/gpg-agent.conf

This is anyway TILT - GAME OVER. There are hundreds of ways to compromise a system if you have write access to the configuration files.

Thanks for asking.
Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From rjh at sixdemonbag.org Tue Dec 30 17:00:53 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 30 Dec 2025 11:00:53 -0500
Subject: Unsafe configuration of the pinentry program
In-Reply-To: <20251230145500.15121588@rockhopper>
References: <20251230145500.15121588@rockhopper>
Message-ID: <24550C70-8859-4143-9DA2-84865FEBF614@sixdemonbag.org>

> Dear GnuPG devs,

I'm not a GnuPG dev but I'll take a stab:

> I wanted to point out a potential security concern about gpg-agent.

NOTABUG / WONTFIX. The instant you execute compromised code, you enter a catastrophic and unrecoverable game over state.

> In my opinion there should be additional checks, e. g. a restriction of
> allowed pinentry paths (e. g. only /usr/bin and /usr/local/bin),
> ownership checks (e. g. only allow binaries owned by root) or
> warnings, when a non-standard pinentry-program setting is used. What do
> you think?

Werner has already explained why your proposed fix won't work. I think it's significantly worse than "it won't work". I think it's, "it won't work even against the toy attacker it's designed for."

If I were a toy attacker, my malware would deploy its own gpg-agent which lacked these checks, edit your .profile to add "alias gpg-agent=$HOME/.hidden/gpg-agent", kill the existing gpg-agent, and start the new one. Wham, your "fix" is completely bypassed in a persistent way. As Werner says, game over.

I'm actually lying through my teeth there, because if I'm the malware author I would not be a toy threat. I wouldn't deploy on your machine without a local privilege escalation, at which point I can replace system binaries.
The GnuPG suite gets subverted, as does AppArmor/selinux, your syslog gets compromised, my own malicious SSL cert goes into your system cache, multipath persistence gets enabled, beacons set, the whole nine yards.

Yes, there's a lot of mayhem you can do from an unprivileged account. But the real mayhem starts with an LPE. This is why among CNO professionals the overwhelming opinion is to not even attempt for unprivileged access unless you have an LPE and a tailored exploitation plan that completely specifies actions on target: initial access -> LPE -> counterforensics -> persistence -> beaconing and future access -> forensics -> data exfiltration -> lateral exploration and network discovery -> reconnaissance reporting -> counterforensics -> exit.

Different shops may order exploitation events differently, but that basic progression would be recognized as being a pretty standard exploitation plan. Please read either the Lockheed killchain paper or the Pols killchain paper:

https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf

Let that motivate your future thinking on how best to defend from attacks.

From rjh at sixdemonbag.org Tue Dec 30 18:05:41 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 30 Dec 2025 12:05:41 -0500
Subject: https://gpg.fail

A friend pointed me to the site https://gpg.fail and asked me what I thought of it. At first I didn't think much of it, but on closer inspection it seems there may be some legitimate issues in need of addressing.

See, e.g., https://gpg.fail/detached . I've been able to verify the bottom line claim here, although I haven't verified their diagnosis.

Others, such as https://gpg.fail/noverify, do not seem to be of particular concern.
(Point blank: if in 2025 you're using GnuPG at the command line for anything except certificate management, please stop. Parsing GnuPG's command line output is notoriously difficult. Use GPGME with language bindings of your choice.)

From chris at anthum.com Tue Dec 30 18:36:35 2025
From: chris at anthum.com (chris at anthum.com)
Date: Tue, 30 Dec 2025 18:36:35 +0100
Subject: macOS recommended build options
In-Reply-To: <87a4z0rs5n.fsf@jacob.g10code.de>
References: <87a4z0rs5n.fsf@jacob.g10code.de>

> Because 2.4 will soon reach end-of-life, the 2.5 series is now declared
> the stable version [...] The webpage has already been adjusted.

Thanks, I'll re-open the PR with Homebrew and ask the team to re-consider formally publishing 2.5, pointing them to your email and relevant links.

From wk at gnupg.org Tue Dec 30 19:10:24 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Dec 2025 19:10:24 +0100
Subject: T7903 - detached (was: https://gpg.fail)
In-Reply-To: (Robert J. Hansen via Gnupg-users's message of "Tue, 30 Dec 2025 12:05:41 -0500")
Message-ID: <87h5t7rgbz.fsf@jacob.g10code.de>

On Tue, 30 Dec 2025 12:05, Robert J. Hansen said:

> See, e.g., https://gpg.fail/detached . I've been able to verify the
> bottom line claim here, although I haven't verified their diagnosis.

This is our ticket: https://dev.gnupg.org/T7903

When we fixed the bug in early November, I had put this into the commit log:

  But note: Using the output of the verify command for detached
  signatures is useless because with a non-manipulated signature
  nothing would have been written. In fact, you should always know
  whether you expect a detached signature or a binary or cleartext
  signature.
After the publication of those claimed bugs, we made the ticket public and I commented: Note using the output of --decrypt directly on the tty is a Bad Idea(tm). You won't cat arbitrary files to your tty for the same reason. BTW, if you watched CitizenFour please don't follow the example given in the first scene where someone types gpg -d on the tty. > particular concern. (Point blank: if in 2025 you're using GnuPG at the > command line for anything except certificate management, please > stop. Parsing GnuPG's command line output is notoriously Well you need to know what you do. As always when making use of tools. > difficult. Use GPGME with language bindings of your choice.) Indeed, that makes it easier to get things right. BTW, gpgme even comes with a JSON frontend which can for example be used for Native Messaging with browsers. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 284 bytes Desc: not available URL: From albrecht.dress at posteo.de Tue Dec 30 18:48:52 2025 From: albrecht.dress at posteo.de (Albrecht =?iso-8859-1?b?RHJl3w==?=) Date: Tue, 30 Dec 2025 17:48:52 +0000 Subject: https://gpg.fail In-Reply-To: References: Message-ID: Am 30.12.25 18:05 schrieb(en) Robert J. Hansen via Gnupg-users: > A friend pointed me to the site https://gpg.fail and asked me what I > thought of it. At first I didn't think much of it, but on closer > inspection it seems there may be some legitimate issues in need of > addressing. Side note: The EU protective DNS server () thinks that the site /might/ be malicious (see attached screenshot). Didn't look into details, though? Best, Albrecht. -------------- next part -------------- A non-text attachment was scrubbed... 
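An added example, not from the thread and not GnuPG project code, of the point Werner and Robert make above: when verifying a detached signature, decide on GnuPG's machine-readable --status-fd lines rather than on whatever the human-readable output shows, and treat the absence of a good signature status as a failure. The status keywords are GnuPG's own; the sample transcripts, key ID, fingerprint and timestamp are constructed, and verify_detached assumes gpg is on PATH with the signer's key already imported.

```shell
#!/bin/sh
# Decide whether a --status-fd transcript describes exactly one good,
# valid signature. Returns 0 (accept) or 1 (reject). Any failure keyword,
# or no signature at all (NODATA, or no GOODSIG/VALIDSIG pair), rejects:
# output that merely looks like a verification does not count.
status_ok() {
    status="$1"; good=0; valid=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)  good=$((good + 1)) ;;
            "[GNUPG:] VALIDSIG "*) valid=$((valid + 1)) ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*)
                bad=1 ;;
        esac
    done <<EOF
$status
EOF
    # exactly one signature, and it must be reported both GOODSIG and VALIDSIG
    [ "$bad" -eq 0 ] && [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# Verify data file $2 against detached signature file $1. The human-readable
# output on stderr is discarded; only the status lines sent to fd 1 decide.
verify_detached() {
    out=$(gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    status_ok "$out"
}

# Constructed sample transcripts (no real keys or signatures behind them).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-12-30 1767085200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>'
SAMPLE_NOSIG='[GNUPG:] NODATA 1'

# Usage: ./verify.sh file.sig file
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2" && echo "signature OK" || { echo "REJECT"; exit 1; }
fi
```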
From klaus at vink-slott.dk Wed Dec 31 10:38:01 2025
From: klaus at vink-slott.dk (Klaus Vink Slott)
Date: Wed, 31 Dec 2025 10:38:01 +0100
Subject: pinentryQT timeout
Message-ID: <9941ad91-3182-4f2c-8fd2-5e19a47cc2de@vink-slott.dk>

This might be slightly off-topic, but I hope someone has an idea:

When opening a KDE session, I've always liked to let KDE relaunch every program that was running in the previous session. However, as more and more programs rely on KDE Wallet, this has caused me a problem.

I have my gpg setup using kdewallet + gnupg + yubiKey setup as described by DrDuh(1).

Everything is fine when it's up and running, but as KDE Wallet is required by many of the programs I use, it's essential that I enter the PIN quite early in the login sequence. Perhaps even before the login splash screen times out. If I don't manage to enter the PIN for opening GPG/KDE Wallet before the next program launches in front of Pinentry, there is no chance of accessing Pinentry before it or the program that calls it times out. I could try using something like Alt+Tab to bring Pinentry back to the front, but then the next program launches in front and the process repeats, ultimately leaving me with a pile of pop-ups complaining that GPG has not been opened.

I've searched through the options in the PIN entry program for a "stay on top" option, not finding any - also tried to add an extended time to the gpg-agent.conf file, but it didn't help.

Do you have any ideas, or should I give up on the KDE relaunch feature?

--
Regards
Klaus

1: https://github.com/drduh/YubiKey-Guide

From kloecker at kde.org Wed Dec 31 19:22:59 2025
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 31 Dec 2025 19:22:59 +0100
Subject: pinentryQT timeout
In-Reply-To: <9941ad91-3182-4f2c-8fd2-5e19a47cc2de@vink-slott.dk>
References: <9941ad91-3182-4f2c-8fd2-5e19a47cc2de@vink-slott.dk>
Message-ID: <2580878.XAFRqVoOGU@daneel>

On Wednesday, 31 December 2025 10:38:01 Central European Time Klaus Vink Slott via Gnupg-users wrote:
> This might be slightly off-topic, but I hope someone has an idea:
>
> When opening a KDE session, I've always liked to let KDE relaunch every
> program that was running in the previous session. However, as more and
> more programs rely on KDE Wallet, this has caused me a problem.
>
> I have my gpg setup using kdewallet + gnupg + yubiKey setup as described
> by DrDuh(1).

I'm using a similar setup, but without a smartcard.

> Everything is fine when it's up and running, but as KDE Wallet is
> required by many of the programs I use, it's essential that I enter the
> PIN quite early in the login sequence. Perhaps even before the login
> splash screen times out. If I don't manage to enter the PIN for opening
> GPG/KDE Wallet before the next program launches in front of Pinentry,
> there is no chance of accessing Pinentry before it or the program that
> calls it times out.

I don't think that this has ever happened here, but I don't have that many visible programs on the first virtual desktop.

> I've searched through the options in the PIN entry program for a "stay
> on top" option, not finding any - also tried to add an extended time to
> the gpg-agent.conf file, but it didn't help.
>
> Do you have any ideas, or should I give up on the KDE relaunch feature?

Maybe you can set Special Window settings or Special Application settings for pinentry-qt to keep its window on top. Right-click on the title bar of pinentry, select More Actions... and then Configure Special Window Settings... Then add the "Keep above other windows" property (under Arrangement & Access).

Regards,
Ingo