changes in version 2.2.7:
* gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile.
* ssh: Return an error for unknown ssh-agent flags.
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows.
* dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
mapping of keys.gnupg.net to sks-keyservers.net.
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https. Here a redirection to
http is explictly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
This stopped working with 2.1.
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
debugging.
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
version 2.2.5:
* gpg: Allow the use of the "cv25519" and "ed25519" short names in
addition to the canonical curve names in --batch --gen-key.
* gpg: Make sure to print all secret keys with option --list-only
and --decrypt.
* gpg: Fix the use of future-default with --quick-add-key for
signing keys.
* gpg: Select a secret key by checking availability under gpg-agent.
* gpg: Fix reversed prompt texts for --only-sign-text-ids.
* gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit systems.
* gpgsm: Fix regression since 2.1 in --export-secret-key-raw which
got $d mod (q-1)$ wrong. Note that most tools automatically fixup
that parameter anyway.
* ssh: Fix a regression in getting the client'd PID on *BSD and
macOS.
* scd: Support the KDF Data Object of the OpenPGP card 3.3.
* scd: Fix a regression in the internal CCID driver for certain card
readers.
* scd: Fix a problem on NetBSD killing scdaemon on gpg-agent
shutdown.
* dirmngr: Improve returned error description on failure of DNS
resolving.
* wks: Implement command --install-key for gpg-wks-server.
* Add option STATIC=1 to the Speedo build system to allow a build
with statically linked versions of the core GnuPG libraries. Also
use --enable-wks-tools by default by Speedo builds for Unix.
Noteworthy changes in version 2.2.4:
* gpg: Change default preferences to prefer SHA512.
* gpg: Print a warning when more than 150 MiB are encrypted using a
cipher with 64 bit block size.
* gpg: Print a warning if the MDC feature has not been used for a
message.
* gpg: Fix regular expression of domain addresses in trust
signatures.
* agent: New option --auto-expand-secmem to help with high numbers
of concurrent connections. Requires libgcrypt 1.8.2 for having
an effect.
* dirmngr: Cache responses of WKD queries.
* gpgconf: Add option --status-fd.
* wks: Add commands --check and --remove-key to gpg-wks-server.
* Increase the backlog parameter of the daemons to 64 and add
option --listen-backlog.
* New configure option --enable-run-gnupg-user-socket to first try a
socket directory which is not removed by systemd at session end.
changes in version 2.2.3:
* gpgsm: Fix initial keybox creation on Windows.
* dirmngr: Fix crash in case of a CRL loading error.
* Fix the name of the Windows registry key.
* gpgtar: Fix wrong behaviour of --set-filename.
* gpg: Silence AKL retrieval messages.
* agent: Use clock or clock_gettime for calibration.
* agent: Improve robustness of the shutdown pending state.
changes in version 2.2.2:
* gpg: Avoid duplicate key imports by concurrently running gpg
processes.
* gpg: Fix creating on-disk subkey with on-card primary key.
* gpg: Fix validity retrieval for multiple keyrings.
* gpg: Fix --dry-run and import option show-only for secret keys.
* gpg: Print "sec" or "sbb" for secret keys with import option
import-show.
* gpg: Make import less verbose.
* gpg: Add alias "Key-Grip" for parameter "Keygrip" and new
parameter "Subkey-Grip" to unattended key generation.
* gpg: Improve "factory-reset" command for OpenPGP cards.
* gpg: Ease switching Gnuk tokens into ECC mode by using the magic
keysize value 25519.
* gpgsm: Fix --with-colon listing in crt records for fields > 12.
* gpgsm: Do not expect X.509 keyids to be unique.
* agent: Fix stucked Pinentry when using --max-passphrase-days.
* agent: New option --s2k-count.
* dirmngr: Do not follow https-to-http redirects.
* dirmngr: Reduce default LDAP timeout from 100 to 15 seconds.
* gpgconf: Ignore non-installed components for commands
--apply-profile and --apply-defaults.
* Add configure option --enable-werror.
version 2.2.1:
* gpg: Fix formatting of the user id in batch mode key generation
if only "name-email" is given.
* gpgv: Fix annoying "not suitable for" warnings.
* wks: Convey only the newest user id to the provider. This is the
case if different names are used with the same addr-spec.
* wks: Create a complying user id for provider policy mailbox-only.
* wks: Add workaround for posteo.de.
* scd: Fix the use of large ECC keys with an OpenPGP card.
* dirmngr: Use system provided root certificates if no specific HKP
certificates are configured. If build with GNUTLS, this was
already the case.
Noteworthy changes in version 2.2.0 (2017-08-28)
------------------------------------------------
This is the new long term stable branch. This branch will only see
bug fixes and no new features.
* gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is
again the default.
* Fixed a few minor bugs.
Noteworthy changes in version 2.0.30 (2016-03-31)
-------------------------------------------------
* gpg: Avoid too early timeout during key generation with 2.1 cards.
* agent: Fixed printing of ssh fingerprints for 384 bit ECDSA keys.
* agent: Fixed an alignment bug related to the passphrase
confirmation.
* scdaemon: Fixed a "conflicting usage" bug.
* scdaemon: Fixed usb card reader removal problem on Windows 8 and
later.
* Fixed a problem on AIX due to peculiarity with RLIMIT_NOFILE.
* Updated the Japanese and Dutch translations.
* Fixed a few other bugs.
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
While here, clean up patches. They looked pretty cargo-culty to me and
were not commented.
File a bug report for one of the remaining ones and link to it from comment.
Changes in 2.0.29:
Noteworthy changes in version 2.0.29 (2015-09-08)
-------------------------------------------------
* gpg: Print a PGP-2 fingerprint again instead of a row of "0".
* gpg: Fixed a race condition from multiple several "gpg --verify".
* gpg: Print FAILURE status lines to help GPGME.
* gpgsm: Fixed a regression in CSR generation.
* scdaemon: Fixed problems with some pinpads.
* Fixed a few other bugs.
Noteworthy changes in version 2.0.28 (2015-06-02)
-------------------------------------------------
* agent: Added support for an external password manager.
* gpg: New command --list-gcrypt-config.
* gpg: Issue NEWSIG status lines during signature verification.
* gpgsm: The default hash algo for a CSR is now SHA-256 and the
default encryption algo is AES-128.
* scdaemon: Allow PC/SC reader selection by partial name match.
* gpgtar: Fix extracting files with a size of a multiple of 512.
* Fixed several other bugs.
* Libgcrypt 1.5 is now required.
Noteworthy changes in version 2.0.27 (2015-02-18)
-------------------------------------------------
* gpg: Detect faulty use of --verify on detached signatures.
* gpg: New import option "keep-ownertrust".
* gpg: Uses SHA-256 for all signature types also on RSA keys.
* gpg: Added support for algo names when generating keys using the
--command-fd method.
* gpg: Unless --allow-weak-digest-algos is used the insecure MD5
based fingerprints are shown as all zeroe
* gpg: Fixed DoS based on bogus and overlong key packets.
* gpg: Better error reporting for keyserver problems.
* Fixed several bugs related to bogus keyrings and improved some
other code.
Noteworthy changes in version 2.0.26 (2014-08-12)
-------------------------------------------------
* gpg: Fix a regression in 2.0.24 if a subkey id is given
to --recv-keys et al.
* gpg: Cap attribute packets at 16MB.
* gpgsm: Auto-create the ".gnupg" home directory in the same
way gpg does.
* scdaemon: Allow for certificates > 1024 when using PC/SC.
Noteworthy changes in version 2.0.25 (2014-06-30)
-------------------------------------------------
* gpg: Fix a regression in 2.0.24 if more than one keyid is given
to --recv-keys et al.
* gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended
key generation.
* gpgsm: Fix a DISPLAY related problem with --export-secret-key-p12.
* scdaemon: Support reader Gemalto IDBridge CT30.
Noteworthy changes in version 2.0.24 (2014-06-24)
-------------------------------------------------
* gpg: Avoid DoS due to garbled compressed data packets.
* gpg: Screen keyserver responses to avoid importing unwanted keys
from rogue servers.
* gpg: The validity of user ids is now shown by default. To revert
this add "list-options no-show-uid-validity" to gpg.conf.
* gpg: Print more specific reason codes with the INV_RECP status.
* gpg: Allow loading of a cert only key to an OpenPGP card.
* gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt 1.6.
Noteworthy changes in version 2.0.23 (2014-06-03)
-------------------------------------------------
* gpg: Reject signatures made using the MD5 hash algorithm unless the
new option --allow-weak-digest-algos or --pgp2 are given.
* gpg: Do not create a trustdb file if --trust-model=always is used.
* gpg: Only the major version number is by default included in the
armored output.
* gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
communication with the gpg-agent.
* gpg: The format of the fallback key listing ("gpg KEYFILE") is now more
aligned to the regular key listing ("gpg -k").
* gpg: The option--show-session-key prints its output now before the
decryption of the bulk message starts.
* gpg: New %U expando for the photo viewer.
* gpgsm: Improved handling of re-issued CA certificates.
* scdaemon: Various fixes for pinpad equipped card readers.
* Minor bug fixes.
Noteworthy changes in version 2.0.22 (2013-10-04)
-------------------------------------------------
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Improved support for some card readers.
* Prepared building with the forthcoming Libgcrypt 1.6.
* Protect against rogue keyservers sending secret keys.
Noteworthy changes in version 2.0.21 (2013-08-19)
-------------------------------------------------
* gpg-agent: By default the users are now asked via the Pinentry
whether they trust an X.509 root key. To prohibit interactive
marking of such keys, the new option --no-allow-mark-trusted may
be used.
* gpg-agent: The command KEYINFO has options to add info from
sshcontrol.
* The included ssh agent does now support ECDSA keys.
* The new option --enable-putty-support allows gpg-agent to act on
Windows as a Pageant replacement with full smartcard support.
* Support installation as portable application under Windows.
Noteworthy changes in version 2.0.20 (2013-05-10)
-------------------------------------------------
* Decryption using smartcards keys > 3072 bit does now work.
* New meta option ignore-invalid-option to allow using the same
option file by other GnuPG versions.
* gpg: The hash algorithm is now printed for sig records in key listings.
* gpg: Skip invalid keyblock packets during import to avoid a DoS.
* gpg: Correctly handle ports from DNS SRV records.
* keyserver: Improve use of SRV records
* gpg-agent: Avoid tty corruption when killing pinentry.
* scdaemon: Improve detection of card insertion and removal.
* scdaemon: Rename option --disable-keypad to --disable-pinpad.
* scdaemon: Better support for CCID readers. Now, the internal CCID
driver supports readers without the auto configuration feature.
* scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and
it supports variable length PIN input, and you specify
--enable-pinpad-varlen option.
* scdaemon: New option --enable-pinpad-varlen.
* scdaemon: Install into libexecdir to avoid accidental execution
from the command line.
* Support building using w64-mingw32.
* Assorted bug fixes.
* Bug fix for newer versions of Libgcrypt.
* Support the SSH confirm flag and show SSH fingerprints in ssh
related pinentries.
* Improved dirmngr/gpgsm interaction for OCSP.
* Allow generation of card keys up to 4096 bit.
* Allow more hash algorithms with the OpenPGP v2 card.
* The gpg-agent now tests for a new gpg-agent.conf on a HUP.
* Fixed output of "gpgconf --check-options".
* Fixed a bug where Scdaemon sends a signal to Gpg-agent running in
non-daemon mode.
* Fixed TTY management for pinentries and session variable update
problem.
* not using autogen.sh anymore, so remove some tools from USE_TOOLS.
* patch-ak does not effect anymore for above reason, add patch-ao for it.
this patch is required to avoid conflict with security/gnupg.
Bump PKGREVISION.
changes:
-bugfixes
-New command --passwd for GPG
-Make use of libassuan 2.0 which is available as a DSO
-The gpg-agent commands KILLAGENT and RELOADAGENT are now available
on all platforms
changes:
* The default for --include-cert is now to include all certificates
in the chain except for the root certificate.
* Numerical values may now be used as an alternative to the
debug-level keywords.
* The GPGSM --audit-log feature is now more complete.
* GPG now supports DNS lookups for SRV, PKA and CERT on W32.
* New GPGSM option --ignore-cert-extension.
* New and changed passphrases are now created with an iteration count
requiring about 100ms of CPU work.
an "idea" option, but that was removed more than a year ago when it
got updated from 1.2 to 1.4
The patch was was used on gnupg2 in the "idea" case was just a four-line
memory initialization fix, there is no point in LICENSE restrictions
due to this, so I've pulled it in as regular patch so that it doesn't
get lost for the case someone fixes idea support in libgcrypt
(which isn't hard).
noticed by OBATA Akio per mail to pkgsrc-users.
This makes most sense to me since gnupg2 doesn't install a gpg-zip
intentionally. Since possible clients of gpg-zip should have a
dependency on gnupg1, we can't take over easily. Once we are sure
that gnupg2 can fully replace gnupg1, we might consider to install
eg symlinks gpg->gpg2 etc and make gnupg1 obsolete, but this needs
careful testing.
changes: many fixes and improvements
reviewed by John R. Shannon
pkgsrc notes:
-since S/MIME support is the biggest difference in functionality over
gnupg1, enable it per default -- my tests (with the s/mime plugin
of claws-mail) worked
-left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
* Enhanced gpg-connect-agent with a small scripting language.
* New option --list-config for gpgconf.
* Fixed a crash in gpgconf.
* The envvars XAUTHORITY and PINENTRY_USER_DATA are now passed to the
pinentry.
* Fixed the auto creation of the key stub for smartcards.
* Fixed a rare bug in decryption using the OpenPGP card.
* Creating DSA2 keys is now possible.
* New option --extra-digest-algo for gpgsm to allow verification of
broken signatures.
* Allow encryption with legacy Elgamal sign+encrypt keys with option
--rfc2440.
Changes:
* Fixed encryption problem if duplicate certificates are in the
keybox.
* Add new options min-passphrase-nonalpha, check-passphrase-pattern,
enforce-passphrase-constraints and max-passphrase-days to
gpg-agent.
* Add command --check-components to gpgconf. Gpgconf now uses the
installed versions of the programs and does not anymore search via
PATH for them.
on tech-pkg.
Noteworthy changes in version 2.0.6 (2007-08-16)
------------------------------------------------
* GPGSM does now grok --default-key.
* GPGCONF is now aware of --default-key and --encrypt-to.
* GPGSM does again correctly print the serial number as well the the
various keyids. This was broken since 2.0.4.
* New option --validation-model and support for the chain-model.
* Improved Windows support.
* Switched license to GPLv3.
* Fixed bug when using the --p12-charset without --armor.
* The command --gen-key may now be used instead of the
gpgsm-gencert.sh script.
* Changed key generation to reveal less information about the
machine. Bug fixes for gpg2's card key generation.
been identified in all released GnuPG versions. Exploiting this
overflow seems to be possible. Apply the following patch to GnuPG."
2006-11-27 Werner Koch <wk@g10code.com>
gnupg2 has been patched accordingly.
GnuPG-2 provides several utilities that are used by mail clients,
such as Kmail and Balsa, including OpenPGP and S/MIME support.
GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time.
