Noteworthy changes in version 2.2.31 (2021-09-15)
-------------------------------------------------
* agent: Fix a regression in GET_PASSPHRASE.
* scd: Fix an assertion failure in close_pcsc_reader.
* scd: Add support for PC/SC in "GETINFO reader_list".
Noteworthy changes in version 2.2.30 (2021-08-26)
-------------------------------------------------
* gpg: Extended gpg-check-pattern to support accept rules,
conjunctions, and case-sensitive matching.
* agent: New option --pinentry-formatted-passphrase.
* agent: New option --check-sym-passphrase-pattern.
* agent: Use the sysconfdir for the pattern files.
* agent: Add "checkpin" inquiry for use by pinentry.
* wkd: Fix client issue with leading or trailing spaces in
user-ids.
* Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
* Under Windows use LOCAL_APPDATA for the socket directory.
Noteworthy changes in version 2.2.29 (2021-07-04)
-------------------------------------------------
* Fix regression in 2.2.28 for Yubikey NEO.
* Change the default keyserver to keyserver.ubuntu.com. This is a
temporary change due to the shutdown of the SKS keyserver pools.
* gpg: Let --fetch-key return an exit code on failure.
* dirmngr: Fix regression in KS_GET for mail address pattern.
* Add fallback in case the Windows console can't cope with Unicode.
* Improve initialization of SPR532 in the CCID driver and make the
driver more robust.
* Make test suite work in presence of a broken Libgcrypt
installation.
* Make configure option --disable-ldap work again.
Noteworthy changes in version 2.2.28 (2021-06-10)
-------------------------------------------------
* gpg: Auto import keys specified with --trusted-keys.
* gpg: Allow decryption w/o public key but with correct card
inserted.
* gpg: Allow fingerprint based lookup with --locate-external-key.
* gpg: Lookup a missing public key of the current card via LDAP.
* gpg: New option --force-sign-key.
* gpg: Use a more descriptive password prompt for symmetric
decryption.
* gpg: Do not use the self-sigs-only option for LDAP keyserver
imports.
* gpg: Keep temp files when opening images via xdg-open.
* gpg: Fix mailbox based search via AKL keyserver method.
* gpg: Fix sending an OpenPGP key with umlaut to an LDAP keyserver.
* gpg: Allow ECDH with a smartcard returning only the x-coordinate.
* gpgsm: New option --ldapserver as an alias for --keyserver. Note
that configuring servers in gpgsm and gpg is deprecated; please
use the dirmngr configuration options.
* gpgsm: Support AES-GCM decryption.
* gpgsm: Support decryption of password protected files.
* gpgsm: Lock keyboxes also during a search to fix lockups on
Windows.
* agent: Skip unknown unknown ssh curves seen on
cards.
* scdaemon: New option --pcsc-shared.
* scdaemon: Backport PKCS#15 card support from GnuPG 2.3
* scdaemon: Fix CCID driver for SCM SPR332/SPR532.
* scdaemon: Fix possible PC/SC removed card problem.
* scdaemon: Fix unblock PIN by a Reset Code with KDF.
* scdaemon: Support compressed points.
* scdaemon: Prettify S/N for Yubikeys and fix reading for early
Yubikey 5 tokens.
* dirmngr: New option --ldapserver to avoid the need for the
separate dirmngr_ldapservers.conf file.
* dirmngr: The dirmngr_ldap wrapper has been rewritten to properly
support ldap-over-tls and starttls for X.509 certificates and
CRLs.
* dirmngr: OpenPGP LDAP keyservers may now also be configured using
the same syntax as used for X.509 and CRL LDAP servers. This
avoids the former cumbersome quoting rules and adds a flexible set
of flags to control the connection.
* dirmngr: The "ldaps" scheme of an OpenPGP keyserver URL is now
interpreted as ldap-with-starttls on port 389. To use the
non-standardized ldap-over-tls the new LDAP configuration method
of the new attribute "gpgNtds" needs to be used.
* dirmngr: Return the fingerprint as search result also for LDAP
OpenPGP keyservers. This requires the modernized LDAP schema.
* dirmngr: An OpenPGP LDAP search by a mailbox now ignores revoked
keys.
* gpgconf: Make runtime changes with non-default homedir work.
* gpgconf: Do not translate an empty string to the PO file's meta
data.
* gpgconf: Fix argv overflow if --homedir is used.
* gpgconf: Return a new pseudo option "compliance_de_vs".
* gpgtar: Fix file size computation under Windows.
* Full Unicode support for the Windows command line.
* Fix problem with Windows Job objects and auto start of our
daemons.
* i18n: In German always use "Passwort" instead of "Passphrase" in
prompts.
Noteworthy changes in version 2.2.24
------------------------------------
* Allow Unicode file names on Windows almost everywhere. Note that
it is still not possible to use Unicode strings on the command
line. This change also fixes a regression in 2.2.22 related to
non-ascii file names.
* Fix localized time printing on Windows.
* gpg: New command --quick-revoke-sig.
* gpg: Do not use weak digest algos if selected by recipient
preference during sign+encrypt.
* gpg: Switch to AES256 for symmetric encryption in de-vs mode.
* gpg: Silence weak digest warnings with --quiet.
* gpg: Print new status line CANCELED_BY_USER for a cancel during
symmetric encryption.
* gpg: Fix the encrypt+sign hash algo preference selection for
ECDSA. This is in particular needed for keys created from
existing smartcard based keys.
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys.
* agent: Keep some permissions of private-keys-v1.d.
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and
gnutls builds.
* dirmngr: Fix the pool keyserver case for a single host in the
pool.
* scd: Fix the use case of verify_chv2 by CHECKPIN.
* scd: Various improvements to the ccid-driver.
* scd: Minor fixes for Yubikey
* gpgconf: New option --show-versions.
* w32: Install gpg-check-pattern and example profiles. Install
Windows subsystem variant of gpgconf (gpgconf-w32).
* i18n: Complete overhaul and completion of the Italian translation.
Thanks to Denis Renzi.
* Require Libgcrypt 1.8 because 1.7 has long reached end-of-life.
Fixes a criticial vulnerability: https://dev.gnupg.org/T5050
Noteworthy changes in version 2.2.22
====================================
* gpg: Change the default key algorithm to rsa3072.
* gpg: Add regular expression support for Trust Signatures on all
platforms. [#4843]
* gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat
option. [#4991]
* gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]
* gpgsm: Make rsaPSS a de-vs compliant scheme.
* gpgsm: Show also the SHA256 fingerprint in key listings.
* gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]
* gpg-agent: Default to extended key format and record the creation
time of keys. Add new option --disable-extended-key-format.
* gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]
* gpg-agent: Allow using --gpgconf-list even if HOME does not
exist. [#4866]
* gpg-agent: Make the Pinentry work even if the envvar TERM is set
to the empty string. [#4137]
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly
incremented the error counter when using the "verify" command of
"gpg --edit-key" with only the signature key being present.
* dirmngr: Better handle systems with disabled IPv6. [#4977]
* gpgpslit: Install tool. It was not installed in the past to avoid
conflicts with the version installed by GnuPG 1.4. [#5023]
* gpgtar: Handle Unicode file names on Windows correctly (requires
libgpg-error 1.39). [#4083]
* gpgtar: Make --files-from and --null work as documented. [#5027]
* Build the Windows installer with the new Ntbtls 0.2.0 so that TLS
connections succeed for servers demanding GCM.
Release-info: https://dev.gnupg.org/T5030
Noteworthy changes in version 2.2.23
====================================
* gpg: Fix AEAD preference list overflow. [#5050]
* gpg: Fix a possible segv in the key cleaning code.
* gpgsm: Fix a minor RFC2253 parser bug. [#5037]
* scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations. Regression in 2.2.22. [#5039]
* po: Fix bug in the Hungarian translation. Updates for the Czech,
Polish, and Ukrainian translations.
Release-info: https://dev.gnupg.org/T5045
Noteworthy changes in version 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet
trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced
with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver
query.
* gpg: Do not store the TOFU trust model in the trustdb. This
allows to enable or disable a TOFO model without triggering a
trustdb rebuild.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request. See
commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server. Always build the
server on Unix systems.
* wks: Add option --with-colons to the client. Support sites which
use the policy file instead of the submission-address file.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
changes in version 2.2.3:
* gpgsm: Fix initial keybox creation on Windows.
* dirmngr: Fix crash in case of a CRL loading error.
* Fix the name of the Windows registry key.
* gpgtar: Fix wrong behaviour of --set-filename.
* gpg: Silence AKL retrieval messages.
* agent: Use clock or clock_gettime for calibration.
* agent: Improve robustness of the shutdown pending state.
Noteworthy changes in version 2.2.0 (2017-08-28)
------------------------------------------------
This is the new long term stable branch. This branch will only see
bug fixes and no new features.
* gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is
again the default.
* Fixed a few minor bugs.
Noteworthy changes in version 2.0.27 (2015-02-18)
-------------------------------------------------
* gpg: Detect faulty use of --verify on detached signatures.
* gpg: New import option "keep-ownertrust".
* gpg: Uses SHA-256 for all signature types also on RSA keys.
* gpg: Added support for algo names when generating keys using the
--command-fd method.
* gpg: Unless --allow-weak-digest-algos is used the insecure MD5
based fingerprints are shown as all zeroe
* gpg: Fixed DoS based on bogus and overlong key packets.
* gpg: Better error reporting for keyserver problems.
* Fixed several bugs related to bogus keyrings and improved some
other code.
changes: many fixes and improvements
reviewed by John R. Shannon
pkgsrc notes:
-since S/MIME support is the biggest difference in functionality over
gnupg1, enable it per default -- my tests (with the s/mime plugin
of claws-mail) worked
-left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
GnuPG-2 provides several utilities that are used by mail clients,
such as Kmail and Balsa, including OpenPGP and S/MIME support.
GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time.
