[Announce]GnuPG 1.2 released

Werner Koch wk@gnupg.org
Sun Sep 22 09:38:01 2002

Hash: SHA1

We are pleased to announce the availability of a new stable release of
GnuPG: Version 1.2.0

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage.  It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures.  It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440.  This new
release implements most of OpenPGP's optional features, has somewhat
better interoperabilty with non-conforming OpenPGP implementations and
improved keyserver support.

Getting the Software

GnuPG 1.2.0 can be downloaded from one of the *GnuPG mirror sites*.
The list of mirrors can be found at http://www.gnupg.org/mirrors.html.
See below for a list of mirrors already carrying this new released.

On the mirrors you should find the follwing files in the *gnupg*

  gnupg-1.2.0.tar.bz2 (1.8 MB)

      GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.2.0.tar.gz (2.5 MB)

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.0.7-1.2.0.diff.gz (1.0 MB)

      A patch file to upgrade a 1.0.7 GnuPG source. This file is
      signed; you have to use GnuPG > 0.9.5 to verify the signature.
      GnuPG has a feature to allow clear signed patch files which can
      still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want
to get the BZIP2 compressed file.  Please try another mirror if
exceptional your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.2.0.zip (1.0 MB)

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and comes without a
      graphical installer tool.  You have to use an UNZIP utility to
      extract the files and install them manually.  The included file
      README.W32 has further instructions. 

Checking the Integrity

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-1.2.0.tar.bz2 you would use this command:

     gpg --verify gnupg-1.2.0.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation.

 * If you are not able to use an old version of GnuPG, you have to verify
   the MD5 checksum.  Assuming you downloaded the file
   gnupg-1.2.0.tar.bz2, you would run the md5sum command like this:

     md5sum gnupg-1.2.0.tar.bz2

   and check that the output matches the first line from the
   following list:

     b22b10dacfeb5c2b0bc4ce9def2d1120  gnupg-1.2.0.tar.bz2
     e93ceafc4395d1713d20044d523d18a7  gnupg-1.2.0.tar.gz
     c735a9a4400e3e3b0b78f88aadedfd3d  gnupg-1.0.7-1.2.0.diff.gz
     af439e3ba82c8648041e8e9d902c3c01  gnupg-w32cli-1.2.0.zip

Upgrade Information

The name of the default configuration file has changed from "options"
to "gpg.conf".  The old name will still be used as long as no
"gpg.conf" exists.  We recommend to rename your file after the

If you are upgrading from a version prior to 1.0.7, you may want to
run the command "gpg --rebuild-keydb-caches" once to speed up the
keyring access. Please note also that due to a bug in versions prior
to 1.0.6 it won't be possible to downgrade to such versions unless you
use the GnuPG version which comes with Debian's Woody release or you
apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org.  Please direct questions to the
gnupg-users@gnupg.org mailing list.

What's New

Here is a list of major user visible changes since 1.0.7:


    * The default configuration file is now ~/.gnupg/gpg.conf.  If an
      old ~/.gnupg/options is found it will still be used.  This
      change is required to have a more consistent naming scheme with
      forthcoming tools.

    * The configure option --with-static-rnd=auto allows to build gpg
      with all available entropy gathering modules included.  At
      runtime the best usable one will be selected from the list
      linux, egd, unix.  This is also the default for systems lacking
      a /dev/random device.

    * All modules are now linked statically; the --load-extension
      option is in general not useful anymore.  The only exception is
      to specify the deprecated IDEA cipher plugin.

    * There are now various ways to restrict the ability GnuPG has to
      exec external programs (for the keyserver helpers or photo ID
      viewers).  Read the README file for the complete list.

    * The keyserver helper programs now live in
      /usr/[local/]libexec/gnupg by default.  If you are upgrading
      from 1.0.7, you might want to delete your old copies in
      /usr/[local/]bin.  If you use an OS that does not use libexec
      for whatever reason, use configure --libexecdir=/usr/local/lib
      to place the keyserver helpers there.

  New features:

    * New "group" command to refer to several keys with one name.

    * The option --interactive now has the desired effect when
      importing keys.

    * Full revocation key (aka "designated revoker") support.

    * When using --batch with one of the --delete-key commands, the
      key must be specified by fingerprint.  See the man page for

    * New export option to leave off attribute packets (photo IDs)
      during export.  This is useful when exporting to HKP keyservers
      which do not understand attribute packets.

    * New import option to repair during import the HKP keyserver
      mangling multiple subkeys bug.  Note that this cannot completely
      repair the damaged key as some crucial data is removed by the
      keyserver, but it does at least give you back one subkey.  This
      is on by default for keyserver --recv-keys, and off by default
      for regular --import.

    * New commands: --personal-cipher-preferences,
      --personal-digest-preferences, and
      --personal-compress-preferences allow the user to specify which
      algorithms are to be preferred.  Note that this does not permit
      using an algorithm that is not present in the recipient's
      preferences (which would violate the OpenPGP standard).  This
      just allows sorting the preferences differently.

    * New --attribute-fd command for frontends and scripts to get the
      contents of attribute packets (i.e. photos)

  Incompatible changes:

    * Options --emulate-checksum-bug and --emulate-3des-s2k-bug have
      been removed.

    * The IDEA plugin has changed.  Previous versions of the IDEA
      plugin will no longer work with GnuPG.  However, the current
      version of the plugin will work with earlier GnuPG versions.

    * ElGamal sign and encrypt is not anymore allowed in the key
      generation dialog unless in expert mode.  RSA sign and encrypt
      has been added with the same restrictions.

  OpenPGP compatibility:

    * The use of MDCs have increased.  A MDC will be used if the
      recipients directly request it, if the recipients have AES,
      AES192, AES256, or TWOFISH in their cipher preferences, or if
      the chosen cipher has a blocksize not equal to 64 bits
      (currently this is also AES, AES192, AES256, and TWOFISH).

    * GnuPG will no longer automatically disable compression when
      processing an already-compressed file unless a MDC is being
      used.  This is to give the message a certain amount of
      resistance to the chosen-ciphertext attack while communicating
      with other programs (most commonly PGP earlier than version 7.x)
      that do not support MDCs.

    * The preferred hash algorithms on a key are consulted when
      encrypting a signed message to that key.  Note that this is
      disabled by default by a SHA1 preference in

    * --cert-digest-algo allows the user to specify the hash algorithm
      to use when signing a key rather than the default SHA1 (or MD5
      for PGP2 keys).  Do not use this feature unless you fully
      understand the implications of this.

    * --pgp7 mode automatically sets all necessary options to ensure
      that the resulting message will be usable by a user of PGP 7.x.

  Bug fixes:

    * The file permission and ownership checks on files have been
      clarified.  Specifically, the homedir (usually ~/.gnupg) is
      checked to protect everything within it.  If the user specifies
      keyrings outside this homedir, they are presumed to be shared
      keyrings and therefore *not* checked.  Configuration files
      specified with the --options option and the IDEA cipher
      extension specified with --load-extension are checked, along
      with their enclosing directories.

    * The LDAP keyserver handler now works properly with very old
      (version 1) LDAP keyservers.

    * [W32] Keyserver access does work with Windows NT.

  Other changes:

    * A warning is issued if the user forces the use of an algorithm
      that is not listed in the recipient's preferences.

    * In expert mode, the user can now re-sign a v3 key with a v4
      self-signature.  This does not change the v3 key into a v4 key,
      but it does allow the user to use preferences, primary ID flags,

    * Significantly improved photo ID support on non-unixlike

    * The default character set is now taken from the current locale;
      it can still be overridden by the --charset option.  Using the
      option -vvv shows the used character set.

GnuPG comes with support for these langauges:

  American English          Greek (el)                      
  Catalan (ca)              Indonesian (id)                 
  Czech (cs)                Italian (it)                    
  Danish (da)[*]            Japanese (ja)                   
  Dutch (nl)[*]             Polish (pl)                     
  Esperanto (eo)[*]         Brazilian Portuguese (pt_BR)[*]
  Estonian (et)[*]          Portuguese (pt)                 
  French (fr)[*]            Spanish (es)[*]                
  Galician (gl)             Swedish (sv)[*]                
  German (de)               Turkish (tr)                    
Languages marked with [*] were not updated for this releases and you
may notice untranslated messages.  We will probably release an update
of the translations when we have received some translation updates.
May thanks to the translators for their ongoing support of GnuPG.

Happy Hacking,

  The GnuPG team (David, Stefan, Timo and Werner)

The mirror sites below have been verified to already carry this new
release. The full list of sites mirroring ftp.gnupg.org is available
at http://www.gnupg.org/mirrors.html. 


























    United Kingdom

Version: GnuPG v1.2.0 (GNU/Linux)


Gnupg-announce mailing list