[Announce] A New Future for GnuPG

Werner Koch wk at gnupg.org
Mon Jan 3 08:19:26 CET 2022


Hello and a Happy Gnu Year!

It has been quite some time since my last status report on GnuPG.  I
have been quite busy working on the project but unfortunately rarely
active on the usual channels.  So, here is a new report telling what we
did over the last two or three years.

Please read at least the last section.

A web version of this article is available at
https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html


Some background
===============

  In the beginning GnuPG was a fun project I did in my spare time.
  After a few years this turned out to be a full time job and it was
  possible to acquire paid projects to maintain and further develop
  GnuPG.

  When the BSI (Germany's Federal Office for Information Security)
  migrated back from Linux to Windows, a need to migrate their
  end-to-end encryption solution, based on GnuPG and KMail, was needed.
  A call for bids for an Open Source solution was issued and our
  company, g10 Code, along with our friends at Intevation and KDAB
  received the contract.  The outcome was Gpg4win, the meanwhile
  standard distribution of GnuPG for Windows.

  It turned out that the software used in Germany to protect restricted
  data at the VS-NfD level, called Chiasmus, showed its age.  For
  example, the block length of 64 bits (like IDEA or 3DES) is not
  anymore secure for data of more than 150 MiB.  Also the secret
  encryption algorithm has not anymore the confidence people used to
  have in it and due to lacking hardware support it is quite slow.  A
  new call to bid for a replacement of that software was issued and we
  also with Intevation were granted the contract.  Our solution was to
  update GnuPG and its frontends Kleopatra and GpgOL.  After some
  thorough evaluation of our software (working title /Gpg4VS-NfD/) and
  the usual bureaucratic we received a first approval in January 2019.


Meet GnuPG.com
==============

  I have been working with Andre Heinecke of Intevation GmbH since about
  2010 on Gpg4win and some other projects.  With the foreseeable
  approval of /Gpg4VS-NfD/ Andre then left Intevation and took over 40%
  of the g10 Code shares from my brother (I am holding the other 60%).

  We started to make a real product out of /Gpg4VS-NfD/.  Thus we rented
  a new office to work desk by desk on this and hired staff for sales
  and marketing.  We introduced the brand /GnuPG.com/ to have a better
  recognition of our product than by our legal name /g10 Code GmbH/.
  The software itself was re-branded as /GnuPG VS-Desktop®/ and
  distributed as an MSI packet for Windows and as an AppImage for Linux.
  Except for customer specific configuration files /GnuPG VS-Desktop/ is
  and will always be Open Source under the GNU General Public License.

  We also keep maintaining /Gpg4win/ as the community version.  This is
  based on the the same source code as /GnuPG VS-Desktop/ but comes with
  more features due to the use of the latest development branch.

  The benefits for the customer to pay for /GnuPG VS-Desktop/ are: a
  commercial support contract, the guarantee of a long term maintained
  and approved version, customization options, community tested new
  features, and the per-approval required vendor for security updates.

  Also technically published for longer, it became only last year widely
  known, that the legacy Chiasmus software may not anymore be used for
  restricted communication from this year on.  For the administration
  and also for the industry two option exist to migrate away from
  Chiasmus: the proprietary GreenBone software from /cryptovision GmbH/
  and our Open Source software /GnuPG VS-Desktop/.


The rush towards GnuPG VS-Desktop
=================================

  Since summer 2021 the phones of our sales team didn't stop ringing and
  we could bring in the fruits of our work.  We were not aware how many
  different governmental agencies exist and how many of them have a need
  to protect data at the VS-NfD (restricted) level.  And with those
  agencies also comes a huge private and corporate sector who also have
  to handle such communication.

  Although we support S/MIME, the majority of our customers decided in
  favor of the OpenPGP protocol, due to its higher flexibility and
  independence of a centralized public key infrastructure.  A minor
  drawback is that for a quick start and easy migration from Chiasmus,
  many sites will use symmetric-only encryption (i.e. based on
  "gpg -c").  However, the now deployed software provides the
  foundation to move on to a comfortable public-key solution.

  In particular, our now smooth integration into Active Directory makes
  working with OpenPGP under Windows really nice.  We were also able to
  partner with Rohde & Schwarz Cybersecurity GmbH for a smooth
  integration of GnuPG VS-Desktop with their smartcard administration
  system.

  We estimate that a quarter million workplaces will be equipped with
  GnuPG VS-Desktop and provide the users state of the art file and
  mail encryption.  Our longer term plan is to equip all public agency
  workplaces with end-to-end encryption software - not only those with
  an immediate need for an approved VS-NfD solution.  This should also
  fit well into the announced goal of the new German government to
  foster the development of Open Source.


Kudos to all supporters
=======================

  For many years our work was mainly financed by donations and smaller
  projects.  Now we have reached a point where we can benefit from a
  continuous revenue stream to maintain and extend the software without
  asking for donations or grants.  This is quite a new experience to us
  and I am actually a bit proud to lead one of the few self-sustaining
  free software projects who had not to sacrifice the goals of the
  movement.

  Those of you with SEPA donations, please cancel them and redirect your
  funds to other projects which are more in need of financial support.
  The Paypal and Stripe based recurring donations have already been
  canceled by us.

     All you supporters greatly helped us to keep GnuPG alive and to
              finally setup a sustainable development model.

                              *Thank you!*



Salam-Shalom,

   Werner



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users at gnupg.org mailing list.
p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039  A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
g10 Code GmbH        -=- GnuPG.com -=-      AmtsGer. Wuppertal HRB 14459
Bergstr. 3a                                 Geschäftsführung Werner Koch
D-40699 Erkrath      https://gnupg.com      USt-Id DE215605608
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-announce/attachments/20220103/3f515f42/attachment-0001.sig>


More information about the Gnupg-announce mailing list