From wk at gnupg.org Thu Aug 7 14:44:51 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Aug 2014 14:44:51 +0200
Subject: [gnupg-ru] [Announce] GnuPG is NOT vulnerable to -Get Your Hands Off My Laptop-
Message-ID: <87bnrwzcxo.fsf@vigenere.g10code.de>

Hello!

This is a note about an improved side-channel attack on old versions of GnuPG.

Daniel Genkin, Itamar Pipman, and Eran Tromer's latest research on side channel attacks is described in the paper

  Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs

They target an older version of GnuPG and come up with awesome results:

  We demonstrate physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels, based on the observation that the "ground" electric potential, in many computers, fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).

See http://www.cs.tau.ac.il/~tromer/handsoff for more.

If your GnuPG version is up-to-date there is nothing you need to do!

As noted in the paper GnuPG 1.4.16 and later are not vulnerable to the attack. GnuPG 2.x and Gpg4win 2.x are not vulnerable, either. However, if you are still using a GnuPG version older than 1.4.16 you should update to at least 1.4.16 but better to 1.4.18.
Note that those version numbers are for the generic GnuPG versions from gnupg.org. Some Linux distributions may have an older version but all major distributions have applied respective security fixes back in December or January.

Watching out for possible security problems and working with researchers to fix them takes a lot of time. g10 Code GmbH, a German company owned and headed by me, is bearing these costs. To help us carry on this work, we need your support; please see https://gnupg.org/donate/ .

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Thu Aug 7 17:08:49 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Aug 2014 17:08:49 +0200
Subject: [gnupg-ru] [Announce] [security] GPGME 1.5.1 and 1.4.4 released
Message-ID: <87bnrwxrpa.fsf@vigenere.g10code.de>

Hello!

I am pleased to announce version 1.5.1 of GPGME.

GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification, and key management.

This is a security fix release and it is suggested to update to this version. Given that the 1.5 versions are quite new and implement features which may raise problems with some software, I also released version 1.4.4 with backported fixes.

* Noteworthy changes in version 1.5.1 (2014-07-30)

 - Fixed possible overflow in gpgsm and uiserver engines.
   [CVE-2014-3564]

 - Added support for GnuPG 2.1's --with-secret option.

 - Interface changes relative to the 1.5.0 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPGME_KEYLIST_MODE_WITH_SECRET NEW.

* Noteworthy changes in version 1.4.4 (2014-07-30)

 - Fixed possible overflow in gpgsm and uiserver engines.
   [CVE-2014-3564]

 - Fixed possible segv in gpgme_op_card_edit.

 - Fixed minor memleaks and possible zombie processes.

 - Fixed prototype inconsistencies and void pointer arithmetic.

* Download

You may download version 1.5.1 from:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.5.1.tar.bz2 (943k)
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.5.1.tar.bz2.sig

You may download version 1.4.4 from:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.4.tar.bz2 (936k)
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.4.tar.bz2.sig

SHA-1 checksums are:

  a91c258e79acf30ec86a667e07f835e5e79342d8 gpgme-1.5.1.tar.bz2
  1f9f668886c25467987a11c0d37c45e1ffe66b8e gpgme-1.4.4.tar.bz2

* Support

Please send questions regarding the use of GPGME to the gnupg-devel mailing list:

  https://lists.gnupg.org/mailman/listinfo/gnupg-devel/

If you need commercial support, you may want to consult this listing:

  https://www.gnupg.org/service.html

The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Aug 7 20:48:49 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Aug 2014 20:48:49 +0200
Subject: [gnupg-ru] [Announce] Libgcrypt 1.5.4 released
Message-ID: <87mwbgw2y6.fsf@vigenere.g10code.de>

Hello!

The GNU project is pleased to announce an update of the Libgcrypt 1.5 series: version 1.5.4. This is a maintenance release with backports of fixes from the current stable 1.6 series. In general it is preferable to use the latest stable version. However, the 1.6 series introduced an ABI break and thus some older software may not build or work correctly with 1.6.

Libgcrypt is a general purpose library of cryptographic building blocks. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required for proper use of Libgcrypt.

Noteworthy changes in version 1.5.4 (2014-08-07)
================================================

 * Declare 2016-12-31 as end-of-life for 1.5.

 Backported from 1.6:

 * Improved performance of RSA, DSA, and Elgamal by using a new exponentiation algorithm.

 * Fixed a subtle bug in mpi_set_bit which could set spurious bits.

 * Fixed a bug in an internal division function.

Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source tarball and its digital signature are:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig

That file is bzip2 compressed.
A gzip compressed version is here:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig

Alternatively you may upgrade using this patch file:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k)

In order to check that the version of Libgcrypt you are going to build is an original and unmodified one, you can do it in one of the following ways:

 * Check the supplied OpenPGP signature. For example to check the signature of the file libgcrypt-1.5.4.tar.bz2 you would use this command:

     gpg --verify libgcrypt-1.5.4.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by the release signing key 4F25E3B6 which is certified by my well known key 1E42B367. To retrieve the keys you may use the command "gpg --fetch-key finger:wk at g10code.com".

 * If you are not able to use GnuPG, you have to verify the SHA-1 checksum:

     sha1sum libgcrypt-1.5.4.tar.bz2

   and check that the output matches the first line from the following list:

     bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a libgcrypt-1.5.4.tar.bz2
     71e432e0ae8792076a40c6059667997250abbb9d libgcrypt-1.5.4.tar.gz
     8876ae002751e6ec26c76e510d17fc3e0eccb3ed libgcrypt-1.5.3-1.5.4.diff.bz2

Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General Public License (LGPLv2.1+). The helper programs as well as the documentation are distributed under the terms of the GNU General Public License (GPLv2+). The file LICENSES has notices about contributions that require that these additional notices are distributed.

Support
=======

For help on developing with Libgcrypt you should read the included manual and optionally ask on the gcrypt-devel mailing list [1]. A listing with commercial support offers for Libgcrypt and related software is available at the GnuPG web site [2].

The driving force behind the development of Libgcrypt is my company g10 Code.
Maintenance and improvement of Libgcrypt and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money:

  http://gnupg.org/donate/

Thanks
======

Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users.

Happy hacking,

   Werner

[1] https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
[2] https://gnupg.org/service.html

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Aug 8 12:17:06 2014
From: wk at gnupg.org (Werner Koch)
Date: Fri, 08 Aug 2014 12:17:06 +0200
Subject: [gnupg-ru] [Announce] [security fix] Libgcrypt and GnuPG
Message-ID: <87egwruvz1.fsf@vigenere.g10code.de>

Hi!

While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed to describe [2] a software combination which has not been fixed and is thus vulnerable to the attack described by the paper.

If you are using a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to mount the described side-channel attack on Elgamal encryption subkeys. To check whether you are using a vulnerable Libgcrypt version, enter

  gpg2 --version

on the command line; the second line of the output gives the Libgcrypt version:

  gpg (GnuPG) 2.0.25
  libgcrypt 1.5.3

In this example Libgcrypt is vulnerable. If you see 1.6.0 or 1.6.1 you are fine. GnuPG versions since 1.4.16 are not affected because they do not use Libgcrypt.
The recommendation is to update any Libgcrypt version below 1.6.0 to at least the latest version from the 1.5 series which is 1.5.4. Updating to 1.6.1 is also possible but that requires to rebuild GnuPG. Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I include the download instructions below. A CVE-id has not yet been assigned.

Many thanks to Daniel Genkin for pointing out this problem.

Shalom-Salam,

   Werner

[1] http://www.cs.tau.ac.il/~tromer/handsoff
[2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html
[3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html

Download
========

Libgcrypt source code is hosted at the GnuPG FTP server and its mirrors as listed at https://www.gnupg.org/download/mirrors.html . On the primary server the source tarball and its digital signature are:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig

That file is bzip2 compressed. A gzip compressed version is here:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig

Alternatively you may upgrade using this patch file:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k)

In order to check that the version of Libgcrypt you are going to build is an original and unmodified one, you can do it in one of the following ways:

 * Check the supplied OpenPGP signature. For example to check the signature of the file libgcrypt-1.5.4.tar.bz2 you would use this command:

     gpg --verify libgcrypt-1.5.4.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by the release signing key 4F25E3B6 which is certified by my well known key 1E42B367. To retrieve the keys you may use the command "gpg --fetch-key finger:wk at g10code.com".
 * If you are not able to use GnuPG, you have to verify the SHA-1 checksum:

     sha1sum libgcrypt-1.5.4.tar.bz2

   and check that the output matches the first line from the following list:

     bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a libgcrypt-1.5.4.tar.bz2
     71e432e0ae8792076a40c6059667997250abbb9d libgcrypt-1.5.4.tar.gz
     8876ae002751e6ec26c76e510d17fc3e0eccb3ed libgcrypt-1.5.3-1.5.4.diff.bz2

Watching out for possible security problems and working with researchers to fix them takes a lot of time. g10 Code GmbH, a German company owned and headed by me, is bearing these costs. To help us carry on this work, we need your support; please see https://gnupg.org/donate/ .

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Tue Aug 12 20:51:03 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Aug 2014 20:51:03 +0200
Subject: [gnupg-ru] [Announce] GnuPG 2.0.26 released
Message-ID: <87iolxo82w.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.26. This is a maintenance release to fix a regression introduced with the 2.0.24 release.

The GNU Privacy Guard (GnuPG) is the most commonly used tool for OpenPGP mail and data encryption. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.18) in that it splits up functionality into several modules.
However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We keep maintaining GnuPG-1 versions because they are useful on very old platforms and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also available for other Unices, Microsoft Windows, VMS, and Mac OS X.

What's New in 2.0.26
====================

 * gpg: Fix a regression in 2.0.24 if a subkey id is given to --recv-keys et al.

 * gpg: Cap attribute packets at 16MB.

 * gpgsm: Auto-create the ".gnupg" home directory in the same way gpg does.

 * scdaemon: Allow for certificates > 1024 when using PC/SC.

Getting the Software
====================

Please follow the instructions found at https://www.gnupg.org/download/ or read on:

GnuPG 2.0.26 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org and on its mirrors you should find the following new files in the gnupg/ directory:

 - The GnuPG-2 source code compressed using BZIP2 and its OpenPGP signature:

     gnupg-2.0.26.tar.bz2 (4203k)
     gnupg-2.0.26.tar.bz2.sig

 - A patch file to upgrade a 2.0.25 GnuPG source tree. This patch does not include updates of the language files.

     gnupg-2.0.25-2.0.26.diff.bz2 (10k)

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.

A Windows version will soon be released at https://gpg4win.org .

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.26.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.26.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.26.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.26.tar.bz2

   and check that the output matches the first line from the following list:

     3ff5b38152c919724fd09cf2f17df704272ba192 gnupg-2.0.26.tar.bz2
     9e5727384b163722b05a8bb5f0e4c7987a5cbbb6 gnupg-2.0.25-2.0.26.diff.bz2

Documentation
=============

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

  https://www.gnupg.org/documentation/manuals/gnupg.pdf .
The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . We also have a dedicated service directory at:

  https://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Aug 14 17:57:06 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Aug 2014 17:57:06 +0200
Subject: [gnupg-ru] [Announce] The sixth Beta for GnuPG 2.1 is now available for testing
Message-ID: <871tsjdpyl.fsf@vigenere.g10code.de>

Hello!

I just released the sixth *beta* version of GnuPG *2.1*.
It has been released to give you the opportunity to check out new features and to help fixing bugs.

If you need a stable and fully maintained version of GnuPG, you should use version 2.0.26 or 1.4.18.

This version is marked as BETA and as such it should in general not be used for real work. However, the core functionality is solid enough for a long time and I am using this code base for a couple of years now.

What's new in 2.1.0-beta783 since beta751
=========================================

 * gpg: Add command --quick-gen-key.

 * gpg: Make --quick-sign-key promote local key signatures.

 * gpg: Added "show-usage" sub-option to --list-options.

 * gpg: Screen keyserver responses to avoid importing unwanted keys from rogue servers.

 * gpg: Removed the option --pgp2 and --rfc1991 and the ability to create PGP-2 compatible messages.

 * gpg: Removed options --compress-keys and --compress-sigs.

 * gpg: Cap attribute packets at 16MB.

 * gpg: Improved output of --list-packets.

 * gpg: Make with-colons output of --search-keys work again.

 * gpgsm: Auto-create the ".gnupg" directory like gpg does.

 * agent: Fold new passphrase warning prompts into one.

 * scdaemon: Add support for the Smartcard-HSM card.

 * scdaemon: Remove the use of the pcsc-wrapper.

Getting the Software
====================

GnuPG 2.1.0-beta783 is available at

  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta783.tar.bz2
  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta783.tar.bz2.sig

and soon on all mirrors .

Please read the README file !

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature.
   For example to check the signature of the file gnupg-2.1.0-beta783.tar.bz2 you would use this command:

     gpg --verify gnupg-2.1.0-beta783.tar.bz2.sig

   Depending on your installation you may use "gpg2" instead of "gpg".

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

Documentation
=============

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg-devel/

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Almost all mail clients support GnuPG-2. Mutt users may want to use the configure option "--enable-gpgme" during build time and put a "set use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the reworked OpenPGP support.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at .
We also have a dedicated service directory at:

  https://www.gnupg.org/service.html

Maintaining and improving GnuPG is costly. For more than a decade, g10 Code GmbH, a German company owned and headed by GnuPG's principal author Werner Koch, is bearing the majority of these costs. To help them carry on this work, they need your support. See

  https://gnupg.org/donate/

For reasons why donating to free software projects is beneficial for everyone, please read Poul-Henning Kamp's "Quality Software Costs Money - Heartbleed Was Free" at https://queue.acm.org/detail.cfm?id=2636165 .

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Aug 21 15:39:26 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Aug 2014 15:39:26 +0200
Subject: [gnupg-ru] [Announce] Libgcrypt 1.6.2 released
Message-ID: <87oave3qsx.fsf@vigenere.g10code.de>

Hello!

The GNU project is pleased to announce the availability of Libgcrypt version 1.6.2. This is a maintenance release to fix problems found in the recently released versions.

Libgcrypt is a general purpose library of cryptographic building blocks. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required for proper use of Libgcrypt.

Noteworthy changes in version 1.6.2 (2014-08-21)
================================================

 * Map deprecated RSA algo number to the RSA algo number for better backward compatibility.

 * Support a 0x40 compression prefix for EdDSA.

 * Improve ARM hardware feature detection and building.

 * Fix powerpc-apple-darwin detection

 * Fix building for the x32 ABI platform.

 * Support building using the latest mingw-w64 toolchain.

 * Fix some possible NULL deref bugs.

Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source tarball and its digital signature are:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2 (2418k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2.sig

That file is bzip2 compressed. A gzip compressed version is here:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.gz (2874k)
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.gz.sig

Alternatively you may upgrade using this patch file:

  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.1-1.6.2.diff.bz2 (17k)

In order to check that the version of Libgcrypt you are going to build is an original and unmodified one, you can do it in one of the following ways:

 * Check the supplied OpenPGP signature. For example to check the signature of the file libgcrypt-1.6.3.tar.bz2 you would use this command:

     gpg --verify libgcrypt-1.6.3.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by the release signing key 4F25E3B6 which is certified by my well known key 1E42B367. To retrieve the keys you may use the command "gpg --fetch-key finger:wk at g10code.com".
 * If you are not able to use GnuPG, you have to verify the SHA-1 checksum:

     sha1sum libgcrypt-1.6.3.tar.bz2

   and check that the output matches the first line from the following list:

     cc31aca87e4a3769cb86884a3f5982b2cc8eb7ec libgcrypt-1.6.2.tar.bz2
     cdaf2bdd5f34b20f4f9d926536673c15b857d2e6 libgcrypt-1.6.2.tar.gz
     302592ec4183b727ad07bdd47fc4d50d717f42e2 libgcrypt-1.6.1-1.6.2.diff.bz2

Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General Public License (LGPLv2.1+). The helper programs as well as the documentation are distributed under the terms of the GNU General Public License (GPLv2+). The file LICENSES has notices about contributions that require that these additional notices are distributed.

Support
=======

For help on developing with Libgcrypt you should read the included manual and optionally ask on the gcrypt-devel mailing list [1]. A listing with commercial support offers for Libgcrypt and related software is available at the GnuPG web site [2].

The driving force behind the development of Libgcrypt is my company g10 Code. Maintenance and improvement of Libgcrypt and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Thanks
======

Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users.

Happy hacking,

   Werner

[1] http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
[2] https://www.gnupg.org/service.html

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
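
The version check described in the 8 August "[security fix] Libgcrypt and GnuPG" message above, as an added shell example that is not part of the archived messages. The function names are hypothetical, the thresholds (Libgcrypt 1.5.4, GnuPG 1.4.16) are the ones stated in the announcements, and it assumes any later 1.5.x release keeps the 1.5.4 fix; the sample outputs are constructed, except the 2.0.25 / 1.5.3 pair quoted in the advisory.

```shell
#!/bin/sh
# Added example, not from the archived messages. Function names are
# hypothetical; thresholds are the ones stated in the announcements.

# ver_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as numbers, so 1.5.10 is not lower than 1.5.4.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# classify_gpg_version: read `gpg --version` or `gpg2 --version` output on
# stdin and print one line: "VULNERABLE ...", "OK ..." or "UNKNOWN ...".
classify_gpg_version() {
    cgv_out=$(cat)
    # First line: "gpg (GnuPG) 2.0.25" (vendor builds may add text after GnuPG).
    cgv_gnupg=$(printf '%s\n' "$cgv_out" |
        sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p')
    # Second line on GnuPG-2: "libgcrypt 1.5.3".
    cgv_gcrypt=$(printf '%s\n' "$cgv_out" |
        sed -n 's/^libgcrypt \([0-9][0-9.]*\).*/\1/p' | head -n 1)

    if [ -n "$cgv_gcrypt" ]; then
        # Libgcrypt in use: 1.5.4 is the updated 1.5 release, 1.6.0 and
        # later are fine. Assumption: later 1.5.x releases keep the fix.
        if ver_lt "$cgv_gcrypt" 1.5.4; then
            echo "VULNERABLE libgcrypt $cgv_gcrypt"
        else
            echo "OK libgcrypt $cgv_gcrypt"
        fi
        return 0
    fi

    case "$cgv_gnupg" in
        1.*)
            # GnuPG-1 does not use Libgcrypt; 1.4.16 is the first version
            # the announcements name as not vulnerable.
            if ver_lt "$cgv_gnupg" 1.4.16; then
                echo "VULNERABLE gnupg $cgv_gnupg"
            else
                echo "OK gnupg $cgv_gnupg"
            fi ;;
        *)
            echo "UNKNOWN no libgcrypt line found" ;;
    esac
}

# Constructed sample outputs ('|' stands for a newline); the first pair is
# the one quoted in the advisory.
for cgv_sample in \
    'gpg (GnuPG) 2.0.25|libgcrypt 1.5.3' \
    'gpg (GnuPG) 2.0.26|libgcrypt 1.5.4' \
    'gpg (GnuPG) 1.4.15'
do
    printf '%s\n' "$cgv_sample" | tr '|' '\n' | classify_gpg_version
done
```

On a real system the function is fed from the installed binary, for example `gpg2 --version | classify_gpg_version`.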