[Announce] GnuPG stable 1.4 released

Werner Koch wk at gnupg.org
Thu Dec 16 18:24:48 CET 2004

We are pleased to announce the availability of the new stable GnuPG
series.  This first release is version 1.4.0

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage.  It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures.  It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440.

1.4.x is very similar to 1.2.x although a lot of improvements have
been added over the course of the last 2 years.  There are some minor
incompatibilities when using very rare options but in almost all cases
it may just replace the 1.2.x versions (as well as 1.0.6).

Please note that the 1.2.x series will enter end of life status on
January 1, 2005, after which it will only be updated for security
critical bugs.

Before then, we expect one more 1.2.x release to address a few minor
outstanding issues (the fixes for which are already in 1.4.0), and to
update the translations.

Getting the Software

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 1.4.0 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt .  The list of mirrors can be
found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*

  gnupg-1.4.0.tar.bz2 (2658k)

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.0.tar.gz (3837k)

      GnuPG source compressed using GZIP and OpenPGP signature.

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file.  Please try another mirror if
exceptional your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.0.zip (1626k)

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and comes without a
      graphical installer tool.  You have to use an UNZIP utility to
      extract the files and install them manually.  The included file
      README.W32 has further instructions.  The source files are the
      same as given above.

Checking the Integrity

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-1.4.0.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.0.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key.  Note, that you can retrieve the signing key using "finger wk
   'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
   keyservers.  I recently prolonged the expiration date; thus you
   might need a fresh copy of that key.

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA1 checksum.  Assuming you downloaded the file
   gnupg-1.4.0.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-1.4.0.tar.bz2

   and check that the output matches the first line from the
   following list:

0054635a131b7af383e956fa9e1520ac44cad116  gnupg-1.4.0.tar.bz2
7078b8f14f21d04c7bc9d988a6a2f08d703fbc83  gnupg-1.4.0.tar.gz
6490a13bf98c919190e0f9bc115ab5af0b3059e0  gnupg-w32cli-1.4.0.zip

Upgrade Information

If you are upgrading from a version prior to 1.0.7, you should run the
script tools/convert-from-106 once.  Please note also that due to a
bug in versions prior to 1.0.6 it may not be possible to downgrade to
such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org.  Please direct questions to the
gnupg-users at gnupg.org mailing list.

What's New

There are too many changes to list them here.  Please check out the
NEWS file or read the summary at the end of this announcement.


GnuPG comes with support for 28 languages:

  American English         Indonesian (id)[*]
  Bela-Russian (be)[*]     Italian (it)[*]
  Catalan (ca)[*]          Japanese (ja)
  Czech (cs)               Polish (pl)[*]
  Danish (da)[*]           Brazilian Portuguese (pt_BR)[*]
  Dutch (nl)[*]            Portuguese (pt)[*]
  Esperanto (eo)[*]        Romanian (ro)[*]
  Estonian (et)[*]         Russian (ru)[*]
  Finnish (fi)[*]          Slovak (sk)[*]
  French (fr)              Spanish (es)[*]
  Galician (gl)[*]         Swedish (sv)[*]
  German (de) [*]          Traditional Chinese (zh_TW)[*] 
  Greek (el) [*]           Simplified Chinese (zh_CN)
  Hungarian (hu) [*]       Turkish (tr) [*]

Languages marked with [*] were not updated for this release and you
will most likely notice untranslated messages. Many thanks to the
translators for their ongoing support of GnuPG.

Due to a lot of stylistic changes to the strings and about 150 new
strings, most translations are not up to date. However we don't think
that this is reason enough to hold back the release.  Updated
translations will be added to the next releases.

[Note to our translators: please see the file doc/TRANSLATE]

Future Directions

GnuPG 1.4.x is the current stable branch and will be kept as the easy
to use and build single-executable versions.  We plan to backport new
features from the development series to 1.4.

GnuPG 1.9.x is the new development series of GnuPG.  This version
merged the code from the Aegypten project and thus it includes the
gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm.  The
design is different to the previous versions and we may not support
all ancient systems - thus POSIX compatibility will be an absolute
requirement for supported platforms.  1.9 is as of now based on an
somewhat older 1.3 code but will peacefully coexist with other GnuPG


Developing and maintaining GnuPG and related software is nothing one
can do in the evening or on weekends.  We all spend a lot of time and
money on it.  David is actually doing this in his spare time beside
his day job; g10 Code employs Timo and Werner to work on this software
and would appreciate to refinance it by entering into support
contracts or other contributions.


We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.  Kudos to David Shaw who did most of the new features in 1.4
and discussed various OpenPGP problems in lengths at several working

Happy Hacking,

  The GnuPG Team (David, Timo and Werner)

Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org


GnuPG 1.4 Highlights

This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series.  To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution.  This document is based on the NEWS file, and is thus
the highlights of the highlights.

When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised.  Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.

Algorithm Changes

OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.

The SHA256, SHA384, and SHA512 hashes are now supported for read and

The BZIP2 compression algorithm is now supported for read and write.

Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use.  It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.

The TIGER/192 hash is no longer available.  This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.

Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG.  Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption.  Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG.  Elgamal encryption was
and still is part of OpenPGP and GnuPG.

Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type.  While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.

At build time, it is possible to select which algorithms will be built
into GnuPG.  This can be used to build a smaller program binary for
embedded uses where space is tight.

Keyserver Changes

GnuPG 1.4 does all keyserver operations via plugin or helper
applications.  This allows the main GnuPG program to be smaller and
simpler.  People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as

Support for fetching keys via HTTP and finger has been added.  This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com".

The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.

The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.

If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well.  Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.

HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.

The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.

IPv6 is supported for HKP and HTTP keyserver access.

When using a HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds.  This
prevents a single down server in the rotation from stopping access.

DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports

Timeout support has been added to the keyserver plugins.  This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.

Preferred Keyserver URL

Preferred keyserver support has been added.  Users may set a preferred
keyserver via the --edit-key command "keyserver".  If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with

The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded.  When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.

Trust Signatures

GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.

Trust Models

GnuPG 1.4 supports several ways of looking at trust:

Classic - The classic PGP trust model, where people sign each others
	  keys and thus build up an assurance (called "validity") that
	  the key belongs to the right person.  This was the default
	  trust model in GnuPG 1.2.

Always - Bypass all trust checks, and make all keys fully valid.

Direct - Users may set key validity directly.

PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
      signatures overlaid on top.  This is the default trust model in
      GnuPG 1.4.

The OpenPGP Smartcard

GnuPG 1.4 supports the OpenPGP smartcard

Secret keys may be kept fully or partially on the smartcard.  The
smartcard may be used for primary keys or subkeys.

Other Interesting New Features

For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it).  This simplifies
writing ACLs for the SELinux kernel.

Readline support is now available at all prompts if the system
provides a readline library.

GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key.  These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.

--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.

The --primary-keyring option designates the keyring that the user
wants new keys imported into.

The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user.  This is the same functionality as
--throw-keyid, but can be used on a per-user basis.

Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.

The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays.  This lets users tune the
display to what they prefer.

While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition.  To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file.  For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20041216/5a276d39/attachment.pgp

More information about the Gnupg-announce mailing list