GnuPG 2.1 beta 2 released

Werner Koch wk at
Tue Mar 8 14:16:04 CET 2011

We just released the second *beta version* of GnuPG 2.1.  It has been
released to give you the opportunity to check out the new features.

It is marked as a beta versions and the plan is to release a couple more
betas in the next months before we can declare 2.1.0 stable enough for
general use.  In any case the 2.1 series won't replace the 2.0 series.
If you need stable and fully maintained version of GnuPG, you should in
general use 2.0.x or even 1.4.x.  Eventually we will release 2.2 as the
new stable version but that may take some time.

Noteworthy changes in version 2.1.0beta2 (2011-03-08)

 * ECC support for GPG as described by draft-jivsov-openpgp-ecc-06.txt.

 * New GPGSM feature to create certificates from a parameter file.
   Add prompt to the --gen-key UI to create self-signed certificates.

 * Dirmngr has taken over the function of the keyserver helpers.  Thus
   we now have a specified direct interface to keyservers via Dirmngr.
   LDAP, DNS and mail backends are not yet implemented.

 * TMPDIR is now also honored when creating a socket using
   --no-standard-socket and with symcryptrun's temp files.

 * Fixed a bug where SCdaemon sends a signal to Gpg-agent running in
   non-daemon mode.

 * Print "AES128" instead of "AES".  This change introduces a little
   incompatibility for tools using "gpg --list-config".  We hope that
   these tools are written robust enough to accept this new algorithm
   name as well.

 * Fixed CRL loading under W32 (bug#1010).

 * Fixed TTY management for pinentries and session variable update

Noteworthy changes already found in beta1:

 * GPG does not anymore use secring.gpg but delegates all secret key
   operations to gpg-agent.  The import command moves secret keys to
   the agent.

 * The OpenPGP import command is now able to merge secret keys.

 * The G13 tool for disk encryption key management has been added.

 * If the agent's --use-standard-socket option is active, all tools
   try to start and daemonize the agent on the fly.  In the past this
   was only supported on W32; on non-W32 systems the new configure
   option --disable-standard-socket may now be used to disable this
   new default.

 * Dirmngr is now a part of this package.  Dirmngr is now also
   expected to run as a system service and the configuration
   directories are changed to the GnuPG name space.

 * Removed GPG options:
    --export-options: export-secret-subkey-passwd

 * New GPG options:

 * Support DNS lookups for SRV, PKA and CERT on W32.

 * The default for --include-cert is now to include all certificates
   in the chain except for the root certificate.

 * Numerical values may now be used as an alternative to the
   debug-level keywords.

 * New GPGSM option --ignore-cert-extension.

 * Support for Windows CE.

 * Given sufficient permissions Dirmngr is started automagically.

 * Bug fixes.

Migration from 1.4 or 2.0

The major change in 2.1 is that gpg-agent now takes care of the
OpenPGP secret keys (those managed by GPG).  The former secring.gpg
will not be used anymore.  Newly generated keys are generated and
stored in the agent's key store (~/.gnupg/private-keys-v1.d/).  To
migrate your existing keys to the agent you should run this command

  gpg2 --import ~/.gnupg/secring.gpg

The agent will you ask for the passphrase of each key.  You may use
the Cancel button of the Pinentry to skip importing this key.  If you
want to stop the import process and you use one of the latest
pinentries, you should close the pinentry window instead of hitting
the cancel button.  Secret keys already imported are skipped by the
import command.  It is advisable to keep the secring.gpg for use with
older versions of GPG.

Note that gpg-agent now uses a fixed socket by default.  All tools
will start the gpg-agent as needed.  In general there is no more need
to set the GPG_AGENT_INFO environment variable.  The SSH_AUTH_SOCK
environment variable should be set to a fixed value.

GPG's smartcard commands --card-edit and --card-status as well as the
card related sub-commands of --edit-key are not yet supported.
However, signing and decryption with a smartcard does work.

The Dirmngr is now part of GnuPG proper.  Thus there is no more need
to install the separate dirmngr package.  The directroy layout of
Dirmngr changed to make use of the GnuPG directories; for example you
use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs.  Dirmngr
needs to be started as a system daemon.

Getting the Software

GnuPG 2.1 is available at

and soon on all mirrors <>.

Note that libgcrypt 1.5.0 is now required; it is available at

Checking the Integrity

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * You are expected to have a trusted version of GnuPG installed, thus
   you may simply check the supplied signature.  For example to check
   the signature of the file gnupg-2.1.0beta2.tar.bz2 you would use this

     gpg --verify gnupg-2.1.0beta2.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key.  Note, that you can retrieve the signing key using the command

     finger wk ,at'

   or using a key server like

     gpg --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   5B0358A2.  If you get an key expired message, you should retrieve a
   fresh copy as the expiration date might have been prolonged.



This version comes only with support for English and German.  More
languages will be added for the real release.


We are currently working on an installation guide to explain in more
detail how to configure the new features.  As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing.  Please watch the GnuPG website for updates of the
documentation.  In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advise on how to
solve problems.  Many of the new features are around for several years
and thus enough public knowledge is already available.

Future Plans

Some tasks we would like to do before a 2.1 release:

* Replace the pubring.gpg public key store with the keybox format.

* Re-enable importing keys to a smartcard

* Re-enable LDAP, kDNS and mail keyserver methods


Improving GnuPG is costly, but you can help!  We are looking for
organizations that find GnuPG useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or by donating

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance.  g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development.  We are always looking for interesting
development projects.

A service directory is available at:


We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing

Happy Hacking,

  The GnuPG Team

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list