[Announce] GnuPG 2.2.18 released

ilf ilf at zeromail.org
Sat Nov 30 08:00:27 CET 2019

Thanks for the new release.

I run "gpg --check-trustdb --quiet" via cron, but now on every run it 

> gpg: Note: third-party key signatures using the SHA1 algorithm 
> are rejected

man gpg(1) sais:

>      -q, --quiet
>                    Try to be as quiet as possible.

IMHO, gpg should not output that line when used with --quiet.


Werner Koch via Gnupg-devel:
> This release also retires the use of SHA-1 key signatures created 
> since this year.

>  * gpg: Prepare against chosen-prefix SHA-1 collisions in key 
>    signatures.  This change removes all SHA-1 based key signature 
>    newer than 2019-01-19 from the web-of-trust.  Note that this 
>    includes all key signature created with dsa1024 keys.  The new 
>    option --allow-weak-key-signatues can be used to override the new 
>    and safer behaviour.  [#4755,CVE-2019-14855]


If you upload your address book to "the cloud", I don't want to be in it.

More information about the Gnupg-devel mailing list