From wk at gnupg.org Sat May 3 21:50:03 2003
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 23 12:43:34 2005
Subject: [Announce] GnuPG 1.2.2 released
Message-ID: <87wuh7n6w5.fsf@alberti.g10code.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

We are pleased to announce the availability of a new stable GnuPG
release: Version 1.2.2

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility and is compliant with
the proposed OpenPGP Internet standard as described in RFC2440. This
new release implements most of OpenPGP's optional features, has
somewhat better interoperability with non-conforming OpenPGP
implementations and improved keyserver support.

   ***************************************************************
   * Due to a bug found in the key validation code, we strongly  *
   * suggest to update to this release if you are relying on the *
   * Web-Of-Trust semantics.                                     *
   ***************************************************************

Getting the Software
====================

GnuPG 1.2.2 can be downloaded from one of the *GnuPG mirror sites*.
The list of mirrors can be found at http://www.gnupg.org/mirrors.html.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.2.2.tar.bz2 (2.1 MB)
  gnupg-1.2.2.tar.bz2.sig

      GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.2.2.tar.gz (3.1 MB)
  gnupg-1.2.2.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.2.1-1.2.2.diff.gz (1.1 MB)

      A patch file to upgrade a 1.2.1 GnuPG source. This file is
      signed; you have to use GnuPG > 0.9.5 to verify the signature.
      GnuPG has a feature to allow clear signed patch files which can
      still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want
to get the BZIP2 compressed file.
Please try another mirror if exceptionally your mirror is not yet up
to date. We have uploaded the .gz tarball on May 1, so at least this
one should be available at the mirrors.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.2.2.zip (1.3 MB)
  gnupg-w32cli-1.2.2.zip.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and comes without a
      graphical installer tool. You have to use an UNZIP utility to
      extract the files and install them manually. The included file
      README.W32 has further instructions.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-1.2.2.tar.bz2 you would use this
   command:

     gpg --verify gnupg-1.2.2.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key by
   finger wk 'at' g10code.com .

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation.

 * If you are not able to use an old version of GnuPG, you have to
   verify the MD5 checksum.
   Assuming you downloaded the file gnupg-1.2.2.tar.bz2, you would
   run the md5sum command like this:

     md5sum gnupg-1.2.2.tar.bz2

   and check that the output matches the first line from the
   following list:

     4e1b357b22e1d45d14d340ce03d39b63  gnupg-1.2.2.tar.bz2
     01cf9c6b949603d0511f6fc07bc758d2  gnupg-1.2.2.tar.gz
     bbb2691b0322f570c7e683049ba3c777  gnupg-1.2.1-1.2.2.diff.gz
     7f7f4b5312f3ebddc67eba0b6a8661a4  gnupg-w32cli-1.2.2.zip

Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run
the script tools/convert-from-106 once. Please note also that due to
a bug in versions prior to 1.0.6 it may not be possible to downgrade
to such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org. Please direct questions to the
gnupg-users@gnupg.org mailing list.

What's New
===========

Here is a list of major user visible changes since 1.2.1:

Configuration:

    * A "convert-from-106" script has been added. This is a simple
      script that automates the conversion from a 1.0.6 or earlier
      version of GnuPG to a 1.0.7 or later version.

New features:

    * A "--trust-model always" option has been added to smooth the
      transition to a future GnuPG that has multiple trust models.
      This is identical to the current "--always-trust" option.
    * Care is taken to prevent compiler optimization from removing
      memory wiping code.
    * New option --no-mangle-dos-filenames so that filenames are not
      truncated in the W32 version.
    * New command "revuid" in the --edit-key menu to revoke a user ID.
      This is a simpler interface to the old method (which still
      works) of revoking the user ID self-signature.
    * Status VALIDSIG now also contains the primary key fingerprint,
      as well as the signature version, public key algorithm, hash
      algorithm, and signature class.
    * Add read-only support for the SHA-256 hash, and optional
      read-only support for the SHA-384 and SHA-512 hashes.
    * New option --enable-progress-filter for use with frontends.

Incompatible changes:

    * Notation names that do not contain a '@' are no longer allowed
      unless --expert is set. This is to help prevent pollution of
      the (as yet unused) IETF notation namespace.
    * Disabled keys are now skipped when selecting keys for
      encryption. If you are using the --with-colons key listings to
      detect disabled keys, please see doc/DETAILS for a minor format
      change in this release.

OpenPGP compatibility:

    * Fixed a compatibility problem with CryptoEx by increasing the
      window size of the uncompressor.
    * Note that the TIGER/192 digest algorithm is in the process of
      being dropped from the OpenPGP standard. While this release of
      GnuPG still contains it, it is disabled by default. To ensure
      you will still be able to use your messages with future
      versions of GnuPG and other OpenPGP programs, please do not use
      this algorithm.

Bug fixes:

    * A bug in key validation has been fixed. This bug only affects
      keys with more than one user ID (photo IDs do not count here),
      and results in all user IDs on a given key being treated with
      the validity of the most-valid user ID on that key.

Other changes:

    * Minor trustdb changes to make the trust calculations match
      common usage.
    * New translations: Finnish, Hungarian, Slovak, and Traditional
      Chinese.

Internationalization
====================

GnuPG comes with support for these languages:

  American English           Hungarian (hu)
  Catalan (ca)               Indonesian (id)
  Czech (cs)                 Italian (it)
  Danish (da)[*]             Japanese (ja)
  Dutch (nl)[*]              Polish (pl)
  Esperanto (eo)[*]          Brazilian Portuguese (pt_BR)[*]
  Estonian (et)              Portuguese (pt)
  Finnish (fi)               Slovak (sk)
  French (fr)                Spanish (es)
  Galician (gl)              Swedish (sv)
  German (de)                Traditional Chinese (zh_TW)
  Greek (el)                 Turkish (tr)

Languages marked with [*] were not updated for this release and you
may notice untranslated messages.
We may release an update of the translations when we have received
some translation updates.

Many thanks to the translators for their ongoing support of GnuPG.

Happy Hacking,

  The GnuPG team (David, Stefan, Timo and Werner)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+tB1KbH7huGIcwBMRArYTAJ0deLOyUMDFQwy3+nj/VFgUHIrPGACggUFV
uPS86Mf9N/pjVNNNfNXWen4=
=HX8r
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sun May 4 03:35:02 2003
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 23 12:43:34 2005
Subject: [Announce] Key validity bug in GnuPG 1.2.1 and earlier
Message-ID: <20030504013525.GA10689@jabberwocky.com>

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 244 bytes
Desc: not available
Url : /pipermail/attachments/20030504/7662ee76/attachment.pgp

From dshaw at jabberwocky.com Tue May 27 17:46:02 2003
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 23 12:43:34 2005
Subject: [Announce] GnuPG 1.3.2 released (development)
Message-ID: <20030527154715.GA1417@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

The latest release from the development branch of GnuPG is ready for
public consumption. This is a branch to create what will be GnuPG 1.4
someday. It will change much more frequently than the 1.2.x "stable"
branch, which will mainly be updated for bug fix reasons.

The more GnuPG-familiar user is encouraged to try this release (and
the ones that will follow in the 1.3.x branch), and report back any
problems to gnupg-devel@gnupg.org. In return, you get the latest code
with the latest features.

Note that while this code is stable enough for many uses, it is still
the development branch. Mission-critical applications should always
use the 1.2.x stable branch.
The files are available from:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.2.tar.gz (1617k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.2.tar.gz.sig

MD5 checksums for the files are:

  c984bfeb35fbc7bdc591bffb0d690d22  gnupg-1.3.2.tar.gz
  8d6c476a9d972ee7c3436d5ba2029130  gnupg-1.3.2.tar.gz.sig

Noteworthy changes in version 1.3.2 (2003-05-27)
------------------------------------------------

    * New "--gnupg" option (set by default) that disables --openpgp,
      and the various --pgpX emulation options. This replaces
      --no-openpgp, and --no-pgpX, and also means that GnuPG has now
      grown a --gnupg option to make GnuPG act like GnuPG.
    * A bug in key validation has been fixed. This bug only affects
      keys with more than one user ID (photo IDs do not count here),
      and results in all user IDs on a given key being treated with
      the validity of the most-valid user ID on that key.
    * Notation names that do not contain a '@' are no longer allowed
      unless --expert is set. This is to help prevent pollution of
      the (as yet unused) IETF notation namespace.
    * Multiple trust models are now supported via the --trust-model
      option. The options are "pgp" (web-of-trust plus trust
      signatures), "classic" (web-of-trust only), and "always"
      (identical to the --always-trust option).
    * The --personal-{cipher|digest|compression}-preferences are now
      consulted to get default algorithms before resorting to the
      last-ditch defaults of --s2k-cipher-algo, SHA1, and ZIP
      respectively. This allows a user to set algorithms to use in a
      safe manner so they are used when legal to do so, without
      forcing them on for all messages.
    * New --primary-keyring option to designate the keyring that the
      user wants new keys imported into.
    * --s2k-digest-algo is now used for all password mangling.
      Earlier versions used both --s2k-digest-algo and --digest-algo
      for passphrase mangling.
    * Handling of --hidden-recipient or --throw-keyid messages is now
      easier - the user only needs to give their passphrase once, and
      GnuPG will try it against all of the available secret keys.
    * Care is taken to prevent compiler optimization from removing
      memory wiping code.
    * New option --no-mangle-dos-filenames so that filenames are not
      truncated in the W32 version.
    * A "convert-from-106" script has been added. This is a simple
      script that automates the conversion from a 1.0.6 or earlier
      version of GnuPG to a 1.0.7 or later version.
    * Disabled keys are now skipped when selecting keys for
      encryption. If you are using the --with-colons key listings to
      detect disabled keys, please see doc/DETAILS for a minor format
      change in this release.
    * Minor trustdb changes to make the trust calculations match
      common usage.
    * New command "revuid" in the --edit-key menu to revoke a user ID.
      This is a simpler interface to the old method (which still
      works) of revoking the user ID self-signature.
    * Status VALIDSIG does now also print the primary key's
      fingerprint, as well as the signature version, pubkey
      algorithm, hash algorithm, and signature class.
    * Add read-only support for the SHA-256 hash, and optional
      read-only support for the SHA-384 and SHA-512 hashes.
    * New option --enable-progress-filter for use with frontends.
    * DNS SRV records are used in HKP keyserver lookups to allow
      administrators to load balance and select keyserver port
      automatically. This is as specified in
      draft-shaw-openpgp-hkp-00.txt.
    * When using the "keyid!" syntax during a key export, only that
      specified key is exported. If the key in question is a subkey,
      the primary key plus only that subkey is exported.
    * configure --disable-xxx options to disable individual
      algorithms at build time. This can be used to build a smaller
      gpg binary for embedded uses where space is tight.
      See the README file for the algorithms that can be used with
      this option, or use --enable-minimal to build the smallest gpg
      possible (disables all optional algorithms, disables keyserver
      access, and disables photo IDs).
    * The keyserver no-modify flag on a key can now be displayed and
      modified.
    * Note that the TIGER/192 digest algorithm is in the process of
      being dropped from the OpenPGP standard. While this release of
      GnuPG still contains it, it is disabled by default. To ensure
      you will still be able to use your messages with future
      versions of GnuPG and other OpenPGP programs, please do not use
      this algorithm.

Happy Hacking,

  The GnuPG team (David, Stefan, Timo and Werner)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+04iD4mZch0nhy8kRAo7gAJ0Z0L+WfHl58A5M1rVELZD3mkhZ4QCgojp/
nf69QY8WAh2CjpYaXhzPKH0=
=uQgK
-----END PGP SIGNATURE-----
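
The signature check from the 1.2.2 announcement, combined with the extended VALIDSIG status line that both changelogs mention, as an added example that is not part of the announcements and is not GnuPG project code: it pins the signer by primary key fingerprint using gpg's --status-fd output instead of the human-readable message. The function names are hypothetical, the VALIDSIG field order and the BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG keywords are assumed from current GnuPG doc/DETAILS, and the sample status lines and fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example, not GnuPG code. Assumed status-line layout (doc/DETAILS):
#   [GNUPG:] VALIDSIG <fpr> <date> <sig-ts> <expire-ts> <sig-version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>

# Read --status-fd lines on stdin and print the primary key fingerprint of
# the one valid signature. Fails closed on any bad, expired or revoked
# signature status, on zero or several VALIDSIG lines, and on a VALIDSIG
# line that lacks the trailing primary fingerprint.
validsig_primary_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : "" }
        END {
            if (bad || n != 1 || length(fpr) < 32) { exit 1 }
            if (fpr !~ /^[0-9A-Fa-f]+$/) { exit 1 }
            print toupper(fpr)
        }'
}

# verify_pinned <pinned-primary-fpr> <sigfile> <datafile>
# True only if gpg reports exactly one valid signature and its primary key
# fingerprint equals the pin, which must come from a source other than the
# download site. Spaces and letter case in the pin are ignored.
verify_pinned() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null |
          validsig_primary_fpr) || return 1
    [ "$got" = "$want" ]
}

# Constructed status output for a signature made by a subkey; both
# fingerprints are placeholders, not real keys.
sample_status() {
    cat <<'EOF'
[GNUPG:] SIG_ID constructedSigId 2003-05-01 1051790410
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2003-05-01 1051790410 0 3 0 17 2 00 2222222222222222222222222222222222222222
EOF
}

sample_status | validsig_primary_fpr   # prints the placeholder primary fingerprint
```

Run verify_pinned with an already installed, trusted gpg, passing the fingerprint obtained out of band, the .sig file and the downloaded archive; a non-zero exit means the download should not be used.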