[Announce] GnuPG 1.2.2 released
Werner Koch
wk@gnupg.org
Sat May 3 23:28:04 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello!
We are pleased to announce the availability of a new stable GnuPG
release: Version 1.2.2
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440. This new
release implements most of OpenPGP's optional features, has somewhat
better interoperabilty with non-conforming OpenPGP implementations and
improved keyserver support.
***************************************************************
* Due to a bug found in the key validdation code, we strongly *
* suggest to update to this release if you are relying on the *
* Web-Of-Trust semantics. *
***************************************************************
Getting the Software
====================
GnuPG 1.2.2 can be downloaded from one of the *GnuPG mirror sites*.
The list of mirrors can be found at http://www.gnupg.org/mirrors.html.
On the mirrors you should find the follwing files in the *gnupg*
directory:
gnupg-1.2.2.tar.bz2 (2.1 MB)
gnupg-1.2.2.tar.bz2.sig
GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.
gnupg-1.2.2.tar.gz (3.1 MB)
gnupg-1.2.2.tar.gz.sig
GnuPG source compressed using GZIP and OpenPGP signature.
gnupg-1.2.1-1.2.2.diff.gz (1.1 MB)
A patch file to upgrade a 1.2.1 GnuPG source. This file is
signed; you have to use GnuPG > 0.9.5 to verify the signature.
GnuPG has a feature to allow clear signed patch files which can
still be processed by the patch utility.
Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file. Please try another mirror if
exceptional your mirror is not yet up to date. We have uploaded the
.gz tarbvall on May 1, so at least this one should be available at
the mirrors.
In the *binary* directory, you should find these files:
gnupg-w32cli-1.2.2.zip (1.3 MB)
gnupg-w32cli-1.2.2.zip.sig
GnuPG compiled for Microsoft Windows and OpenPGP signature.
Note that this is a command line version and comes without a
graphical installer tool. You have to use an UNZIP utility to
extract the files and install them manually. The included file
README.W32 has further instructions.
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a trusted version of GnuPG installed, you
can simply check the supplied signature. For example to check the
signature of the file gnupg-1.2.2.tar.bz2 you would use this command:
gpg --verify gnupg-1.2.2.tar.bz2.sig
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by that signing key. Make sure that you have the right key,
either by checking the fingerprint of that key with other sources
or by checking that the key has been signed by a trustworthy other
key. Note, that you can retrieve the signing key by
finger wk 'at' g10code.com .
Never use a GnuPG version you just downloaded to check the
integrity of the source - use an existing GnuPG installation.
* If you are not able to use an old version of GnuPG, you have to verify
the MD5 checksum. Assuming you downloaded the file
gnupg-1.2.2.tar.bz2, you would run the md5sum command like this:
md5sum gnupg-1.2.2.tar.bz2
and check that the output matches the first line from the
following list:
4e1b357b22e1d45d14d340ce03d39b63 gnupg-1.2.2.tar.bz2
01cf9c6b949603d0511f6fc07bc758d2 gnupg-1.2.2.tar.gz
bbb2691b0322f570c7e683049ba3c777 gnupg-1.2.1-1.2.2.diff.gz
7f7f4b5312f3ebddc67eba0b6a8661a4 gnupg-w32cli-1.2.2.zip
Upgrade Information
===================
If you are upgrading from a version prior to 1.0.7, you should run the
script tools/convert-from-106 once. Please note also that due to a
bug in versions prior to 1.0.6 it may not be possible to downgrade to
such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .
If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org. Please direct questions to the
gnupg-users@gnupg.org mailing list.
What's New
===========
Here is a list of major user visible changes since 1.2.1:
Configuration:
* A "convert-from-106" script has been added. This is a simple
script that automates the conversion from a 1.0.6 or earlier
version of GnuPG to a 1.0.7 or later version.
New features:
* A "--trust-model always" option has been added to smooth the
transition to a future GnuPG that has multiple trust models.
This is identical to the current "--always-trust" option.
* Care is taken to prevent compiler optimization from removing
memory wiping code.
* New option --no-mangle-dos-filenames so that filenames are not
truncated in the W32 version.
* New command "revuid" in the --edit-key menu to revoke a user ID.
This is a simpler interface to the old method (which still
works) of revoking the user ID self-signature.
* Status VALIDSIG now also contains the primary key fingerprint,
as well as the signature version, public key algorithm, hash
algorithm, and signature class.
* Add read-only support for the SHA-256 hash, and optional
read-only support for the SHA-384 and SHA-512 hashes.
* New option --enable-progress-filter for use with frontends.
Incompatible changes:
* Notation names that do not contain a '@' are no longer allowed
unless --expert is set. This is to help prevent pollution of
the (as yet unused) IETF notation namespace.
* Disabled keys are now skipped when selecting keys for
encryption. If you are using the --with-colons key listings to
detect disabled keys, please see doc/DETAILS for a minor format
change in this release.
OpenPGP compatibility:
* Fixed a compatibility problem with CryptoEx by increasing the
window size of the uncompressor.
* Note that the TIGER/192 digest algorithm is in the process of
being dropped from the OpenPGP standard. While this release of
GnuPG still contains it, it is disabled by default. To ensure
you will still be able to use your messages with future versions
of GnuPG and other OpenPGP programs, please do not use this
algorithm.
Bug fixes:
* A bug in key validation has been fixed. This bug only affects
keys with more than one user ID (photo IDs do not count here),
and results in all user IDs on a given key being treated with
the validity of the most-valid user ID on that key.
Other changes:
* Minor trustdb changes to make the trust calculations match
common usage.
* New translations: Finnish, Hungarian, Slovak, and Traditional
Chinese.
Internationalization
====================
GnuPG comes with support for these langauges:
American English Hungarian (hu)
Catalan (ca) Indonesian (id)
Czech (cs) Italian (it)
Danish (da)[*] Japanese (ja)
Dutch (nl)[*] Polish (pl)
Esperanto (eo)[*] Brazilian Portuguese (pt_BR)[*]
Estonian (et) Portuguese (pt)
Finnish (fi) Slovak (sk)
French (fr) Spanish (es)
Galician (gl) Swedish (sv)
German (de) Traditional Chinese (zh_TW)
Greek (el) Turkish (tr)
Languages marked with [*] were not updated for this releases and you
may notice untranslated messages. We may release an update of the
translations when we have received some translation updates. Many
thanks to the translators for their ongoing support of GnuPG.
Happy Hacking,
The GnuPG team (David, Stefan, Timo and Werner)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+tB1KbH7huGIcwBMRArYTAJ0deLOyUMDFQwy3+nj/VFgUHIrPGACggUFV
uPS86Mf9N/pjVNNNfNXWen4=
=HX8r
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce