[Announce] GnuPG 1.2.2 released

Werner Koch wk@gnupg.org
Sat May 3 23:28:04 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!
    
We are pleased to announce the availability of a new stable GnuPG
release: Version 1.2.2

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage.  It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures.  It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440.  This new
release implements most of OpenPGP's optional features, has somewhat
better interoperability with non-conforming OpenPGP implementations and
improved keyserver support.

  ***************************************************************
  * Due to a bug found in the key validation code, we strongly  *
  * suggest updating to this release if you are relying on the  *
  * Web-Of-Trust semantics.                                     *
  ***************************************************************

Getting the Software
====================

GnuPG 1.2.2 can be downloaded from one of the *GnuPG mirror sites*.
The list of mirrors can be found at http://www.gnupg.org/mirrors.html.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.2.2.tar.bz2 (2.1 MB)
  gnupg-1.2.2.tar.bz2.sig

      GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.2.2.tar.gz (3.1 MB)
  gnupg-1.2.2.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.2.1-1.2.2.diff.gz (1.1 MB)

      A patch file to upgrade a 1.2.1 GnuPG source. This file is
      signed; you have to use GnuPG > 0.9.5 to verify the signature.
      GnuPG has a feature to allow clear signed patch files which can
      still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file.  Please try another mirror if,
exceptionally, your mirror is not yet up to date.  We uploaded the
.gz tarball on May 1, so at least this one should be available at
the mirrors.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.2.2.zip (1.3 MB)
  gnupg-w32cli-1.2.2.zip.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and comes without a
      graphical installer tool.  You have to use an UNZIP utility to
      extract the files and install them manually.  The included file
      README.W32 has further instructions. 


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-1.2.2.tar.bz2 you would use this command:

     gpg --verify gnupg-1.2.2.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key.  Note that you can retrieve the signing key with
   finger wk 'at' g10code.com .

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation.

 * If you are not able to use an old version of GnuPG, you have to verify
   the MD5 checksum.  Assuming you downloaded the file
   gnupg-1.2.2.tar.bz2, you would run the md5sum command like this:

     md5sum gnupg-1.2.2.tar.bz2

   and check that the output matches the first line from the
   following list:

     4e1b357b22e1d45d14d340ce03d39b63  gnupg-1.2.2.tar.bz2
     01cf9c6b949603d0511f6fc07bc758d2  gnupg-1.2.2.tar.gz
     bbb2691b0322f570c7e683049ba3c777  gnupg-1.2.1-1.2.2.diff.gz
     7f7f4b5312f3ebddc67eba0b6a8661a4  gnupg-w32cli-1.2.2.zip


Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run the
script tools/convert-from-106 once.  Please note also that due to a
bug in versions prior to 1.0.6 it may not be possible to downgrade to
such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org.  Please direct questions to the
gnupg-users@gnupg.org mailing list.



What's New
==========

Here is a list of major user visible changes since 1.2.1:

  Configuration:

    * A "convert-from-106" script has been added.  This is a simple
      script that automates the conversion from a 1.0.6 or earlier
      version of GnuPG to a 1.0.7 or later version.

  New features:

    * A "--trust-model always" option has been added to smooth the
      transition to a future GnuPG that has multiple trust models.
      This is identical to the current "--always-trust" option.

    * Care is taken to prevent compiler optimization from removing
      memory wiping code.

    * New option --no-mangle-dos-filenames so that filenames are not
      truncated in the W32 version.

    * New command "revuid" in the --edit-key menu to revoke a user ID.
      This is a simpler interface to the old method (which still
      works) of revoking the user ID self-signature.

    * Status VALIDSIG now also contains the primary key fingerprint,
      as well as the signature version, public key algorithm, hash
      algorithm, and signature class.

    * Add read-only support for the SHA-256 hash, and optional
      read-only support for the SHA-384 and SHA-512 hashes.

    * New option --enable-progress-filter for use with frontends.

  Incompatible changes:

    * Notation names that do not contain a '@' are no longer allowed
      unless --expert is set.  This is to help prevent pollution of
      the (as yet unused) IETF notation namespace.

    * Disabled keys are now skipped when selecting keys for
      encryption.  If you are using the --with-colons key listings to
      detect disabled keys, please see doc/DETAILS for a minor format
      change in this release.

  OpenPGP compatibility:

    * Fixed a compatibility problem with CryptoEx by increasing the
      window size of the uncompressor.

    * Note that the TIGER/192 digest algorithm is in the process of
      being dropped from the OpenPGP standard.  While this release of
      GnuPG still contains it, it is disabled by default.  To ensure
      you will still be able to use your messages with future versions
      of GnuPG and other OpenPGP programs, please do not use this
      algorithm.

  Bug fixes:

    * A bug in key validation has been fixed.  This bug only affects
      keys with more than one user ID (photo IDs do not count here),
      and results in all user IDs on a given key being treated with
      the validity of the most-valid user ID on that key.

  Other changes:

    * Minor trustdb changes to make the trust calculations match
      common usage.

    * New translations: Finnish, Hungarian, Slovak, and Traditional
      Chinese.


Internationalization
====================
GnuPG comes with support for these languages:

  American English            Hungarian (hu)                  
  Catalan (ca)                Indonesian (id)                 
  Czech (cs)                  Italian (it)                    
  Danish (da)[*]              Japanese (ja)                      
  Dutch (nl)[*]               Polish (pl)                        
  Esperanto (eo)[*]           Brazilian Portuguese (pt_BR)[*]    
  Estonian (et)               Portuguese (pt)                 
  Finnish (fi)                Slovak (sk)                     
  French (fr)                 Spanish (es)                    
  Galician (gl)               Swedish (sv)                    
  German (de)                 Traditional Chinese (zh_TW)     
  Greek (el)                  Turkish (tr)                    
                    
Languages marked with [*] were not updated for this release and you
may notice untranslated messages.  We may release an update of the
translations when we have received some translation updates.  Many
thanks to the translators for their ongoing support of GnuPG.


Happy Hacking,

  The GnuPG team (David, Stefan, Timo and Werner)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+tB1KbH7huGIcwBMRArYTAJ0deLOyUMDFQwy3+nj/VFgUHIrPGACggUFV
uPS86Mf9N/pjVNNNfNXWen4=
=HX8r
-----END PGP SIGNATURE-----
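
Added example (not part of the announcement and not GnuPG's own code): the "make sure that you have the right key" step from "Checking the Integrity", automated with the primary key fingerprint that the VALIDSIG status line carries. The function names, sample status lines and placeholder fingerprints are constructed; the field order is assumed from GnuPG's doc/DETAILS, so check the copy shipped with your version.

```shell
#!/bin/sh
# Pin the primary key fingerprint reported by gpg's VALIDSIG status line.
# Assumed field order (from doc/DETAILS):
#   [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expire> <sig-version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>

# check_status EXPECTED_PRIMARY_FPR   (reads gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line names the expected primary key and
# no BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG status was seen.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG"       { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Versions that omit the trailing fields report only the
            # signing key fingerprint; compare that one instead.
            got = (NF >= 12) ? $12 : $3
            if (toupper(got) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit((ok && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE EXPECTED_PRIMARY_FPR
# Uses an already installed, trusted gpg; status lines are sent to fd 1.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$2"
}

# Constructed sample status output (placeholder fingerprints, not real keys):
# a signature made by a signing subkey that belongs to the pinned primary key.
SIGNER=1111111111111111111111111111111111111111
PRIMARY=2222222222222222222222222222222222222222
SAMPLE="[GNUPG:] SIG_ID constructedSigId 2003-05-03 1051990084
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SIGNER 2003-05-03 1051990084 0 3 0 17 2 00 $PRIMARY"

if printf '%s\n' "$SAMPLE" | check_status "$PRIMARY"; then
    echo "signature was made under the pinned primary key"
fi
```

For a real download, call verify_release with the .sig file and a fingerprint obtained from a source other than the mirror that served the tarball.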

