[Announce] GnuPG 2.2.18 released
ilf at zeromail.org
Sat Nov 30 08:00:27 CET 2019
Thanks for the new release.
I run "gpg --check-trustdb --quiet" via cron, but now on every run it
> gpg: Note: third-party key signatures using the SHA1 algorithm
> are rejected
man gpg(1) sais:
> -q, --quiet
> Try to be as quiet as possible.
IMHO, gpg should not output that line when used with --quiet.
Werner Koch via Gnupg-devel:
> This release also retires the use of SHA-1 key signatures created
> since this year.
> * gpg: Prepare against chosen-prefix SHA-1 collisions in key
> signatures. This change removes all SHA-1 based key signature
> newer than 2019-01-19 from the web-of-trust. Note that this
> includes all key signature created with dsa1024 keys. The new
> option --allow-weak-key-signatues can be used to override the new
> and safer behaviour. [#4755,CVE-2019-14855]
If you upload your address book to "the cloud", I don't want to be in it.
More information about the Gnupg-devel