GnuPG 2.1 beta 2 released
Werner Koch
wk at gnupg.org
Tue Mar 8 14:16:04 CET 2011
Hello!
We just released the second *beta version* of GnuPG 2.1. It has been
released to give you the opportunity to check out the new features.
It is marked as a beta versions and the plan is to release a couple more
betas in the next months before we can declare 2.1.0 stable enough for
general use. In any case the 2.1 series won't replace the 2.0 series.
If you need stable and fully maintained version of GnuPG, you should in
general use 2.0.x or even 1.4.x. Eventually we will release 2.2 as the
new stable version but that may take some time.
Noteworthy changes in version 2.1.0beta2 (2011-03-08)
-----------------------------------------------------
* ECC support for GPG as described by draft-jivsov-openpgp-ecc-06.txt.
* New GPGSM feature to create certificates from a parameter file.
Add prompt to the --gen-key UI to create self-signed certificates.
* Dirmngr has taken over the function of the keyserver helpers. Thus
we now have a specified direct interface to keyservers via Dirmngr.
LDAP, DNS and mail backends are not yet implemented.
* TMPDIR is now also honored when creating a socket using
--no-standard-socket and with symcryptrun's temp files.
* Fixed a bug where SCdaemon sends a signal to Gpg-agent running in
non-daemon mode.
* Print "AES128" instead of "AES". This change introduces a little
incompatibility for tools using "gpg --list-config". We hope that
these tools are written robust enough to accept this new algorithm
name as well.
* Fixed CRL loading under W32 (bug#1010).
* Fixed TTY management for pinentries and session variable update
problem.
Noteworthy changes already found in beta1:
* GPG does not anymore use secring.gpg but delegates all secret key
operations to gpg-agent. The import command moves secret keys to
the agent.
* The OpenPGP import command is now able to merge secret keys.
* The G13 tool for disk encryption key management has been added.
* If the agent's --use-standard-socket option is active, all tools
try to start and daemonize the agent on the fly. In the past this
was only supported on W32; on non-W32 systems the new configure
option --disable-standard-socket may now be used to disable this
new default.
* Dirmngr is now a part of this package. Dirmngr is now also
expected to run as a system service and the configuration
directories are changed to the GnuPG name space.
* Removed GPG options:
--export-options: export-secret-subkey-passwd
--simple-sk-checksum
* New GPG options:
--try-secret-key
* Support DNS lookups for SRV, PKA and CERT on W32.
* The default for --include-cert is now to include all certificates
in the chain except for the root certificate.
* Numerical values may now be used as an alternative to the
debug-level keywords.
* New GPGSM option --ignore-cert-extension.
* Support for Windows CE.
* Given sufficient permissions Dirmngr is started automagically.
* Bug fixes.
Migration from 1.4 or 2.0
=========================
The major change in 2.1 is that gpg-agent now takes care of the
OpenPGP secret keys (those managed by GPG). The former secring.gpg
will not be used anymore. Newly generated keys are generated and
stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To
migrate your existing keys to the agent you should run this command
gpg2 --import ~/.gnupg/secring.gpg
The agent will you ask for the passphrase of each key. You may use
the Cancel button of the Pinentry to skip importing this key. If you
want to stop the import process and you use one of the latest
pinentries, you should close the pinentry window instead of hitting
the cancel button. Secret keys already imported are skipped by the
import command. It is advisable to keep the secring.gpg for use with
older versions of GPG.
Note that gpg-agent now uses a fixed socket by default. All tools
will start the gpg-agent as needed. In general there is no more need
to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK
environment variable should be set to a fixed value.
GPG's smartcard commands --card-edit and --card-status as well as the
card related sub-commands of --edit-key are not yet supported.
However, signing and decryption with a smartcard does work.
The Dirmngr is now part of GnuPG proper. Thus there is no more need
to install the separate dirmngr package. The directroy layout of
Dirmngr changed to make use of the GnuPG directories; for example you
use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr
needs to be started as a system daemon.
Getting the Software
====================
GnuPG 2.1 is available at
ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2.sig
and soon on all mirrors <http://www.gnupg.org/mirrors.html>.
Note that libgcrypt 1.5.0 is now required; it is available at
ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.5.0-beta1.tar.bz2
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* You are expected to have a trusted version of GnuPG installed, thus
you may simply check the supplied signature. For example to check
the signature of the file gnupg-2.1.0beta2.tar.bz2 you would use this
command:
gpg --verify gnupg-2.1.0beta2.tar.bz2.sig
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by that signing key. Make sure that you have the right key,
either by checking the fingerprint of that key with other sources
or by checking that the key has been signed by a trustworthy other
key. Note, that you can retrieve the signing key using the command
finger wk ,at' g10code.com
or using a key server like
gpg --recv-key 4F25E3B6
The distribution key 4F25E3B6 is signed by the well known key
5B0358A2. If you get an key expired message, you should retrieve a
fresh copy as the expiration date might have been prolonged.
NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
Internationalization
====================
This version comes only with support for English and German. More
languages will be added for the real release.
Documentation
=============
We are currently working on an installation guide to explain in more
detail how to configure the new features. As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing. Please watch the GnuPG website for updates of the
documentation. In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advise on how to
solve problems. Many of the new features are around for several years
and thus enough public knowledge is already available.
Future Plans
============
Some tasks we would like to do before a 2.1 release:
* Replace the pubring.gpg public key store with the keybox format.
* Re-enable importing keys to a smartcard
* Re-enable LDAP, kDNS and mail keyserver methods
Support
=======
Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back. You
can contribute by reporting bugs, improve the software, or by donating
money.
Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.
A service directory is available at:
http://www.gnupg.org/service.html
Thanks
======
We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.
Happy Hacking,
The GnuPG Team
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list