[Announce] Libgcrypt 1.6.4 released

Werner Koch wk at gnupg.org
Tue Sep 8 09:06:38 CEST 2015


The GNU project is pleased to announce the availability of Libgcrypt
version 1.6.4.  This is a maintenance release with a minor security fix.

Libgcrypt is a general purpose library of cryptographic building blocks.
It does not provide any implementation of OpenPGP or other protocols.
Thorough understanding of applied cryptography is required for proper
use of Libgcrypt.

Noteworthy changes in version 1.6.4

 * Speed up the random number generator by requiring less extra

 * New flag "no-keytest" for ECC key generation.  Due to a bug in the
   parser that flag will also be accepted but ignored by older version
   of Libgcrypt.

 * Always verify a created RSA signature to avoid private key leaks
   due to hardware failures.

 * Fix alignment bug in the AESNI code on Windows > 7.

 * Support FreeBSD 10 and later.

 * Other minor bug fixes.


Source code is hosted at the GnuPG FTP server and its mirrors as listed
at https://gnupg.org/download/mirrors.html .  On the primary server
the source tarball and its digital signature are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.4.tar.bz2 (2490k)

That file is bzip2 compressed.  A gzip compressed version is here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.4.tar.gz (2901k)

The same files are also available via HTTP:


In order to check that the version of Libgcrypt you are going to build
is an original and unmodified one, you can do it in one of the following

 * Check the supplied OpenPGP signature.  For example to check the
   signature of the file libgcrypt-1.6.4.tar.bz2 you would use this

     gpg --verify libgcrypt-1.6.4.tar.bz2.sig libgcrypt-1.6.4.tar.bz2

   This checks whether the signature file matches the source file.  You
   should see a message indicating that the signature is good and made
   by one of the release signing keys. 
   See https://gnupg.org/signature_key.html .

 * If you are not able to use GnuPG, you have to verify the SHA-1

     sha1sum libgcrypt-1.6.4.tar.bz2

   and check that the output matches the first line from the
   following list:

ed52add1ce635deeb2f5c6650e52667debd4ec70  libgcrypt-1.6.4.tar.bz2
da6507d7ba902d7482cc09e1114ccaf3ab495c76  libgcrypt-1.6.4.tar.gz


Libgcrypt is distributed under the terms of the GNU Lesser General
Public License (LGPLv2.1+).  The helper programs as well as the
documentation are distributed under the terms of the GNU General Public
License (GPLv2+).  The file LICENSES has notices about contributions
that require these additional notices are distributed.


For help on developing with Libgcrypt you should read the included
manual and optional ask on the gcrypt-devel mailing list [1].  A
listing with commercial support offers for Libgcrypt and related
software is available at the GnuPG web site [2].

If you are a developer and you may need a certain feature for your
project, please do not hesitate to bring it to the gcrypt-devel mailing
list for discussion.


We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.  Maintenance and development of GnuPG is possible due to many
individual and corporate donations; for a list of non-anonymous donors
see <https://gnupg.org/donate/kudos.html>.

For the GnuPG hackers,


This is an announcement only mailing list.  Please send replies only to
the gcrypt-devel 'at' gnupg.org mailing lists.

[1] https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
[2] https://www.gnupg.org/service.html

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 180 bytes
Desc: not available
URL: </pipermail/attachments/20150908/11a82c60/attachment-0001.sig>

More information about the Gnupg-announce mailing list