Re: [Announce] GnuPG 2.4.1 released

2023-05-02 Thread Werner Koch via Gnupg-users
On Mon,  1 May 2023 13:10, Todd Zullinger said:

> Sorry it interrupted your weekend.  Thanks for the new

Actually it was Friday evening and I left the office a bit earlier than
usual.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [Announce] GnuPG 2.4.1 released

2023-05-01 Thread Todd Zullinger via Gnupg-users
Werner Koch via Gnupg-users wrote:
> On Fri, 28 Apr 2023 11:21, Todd Zullinger said:
> 
>> It seems neither of these files has made it to the
>> server yet:
> 
> Sorry for that.  I have used a new build machine and obviously forgot
> one of the last steps. Most of the release process is scripted but the
> final upload needs to be done manually (after signing, copying to the
> internal archive, updating the repo, writing announcement and updating
> the web page).
> 
> Fixed after Bernhard called me at home.

Sorry it interrupted your weekend.  Thanks for the new
release and all of your work on GnuPG and OpenPGP. :)

-- 
Todd




Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-30 Thread Johan Wevers via Gnupg-users
On 2023-04-30 13:22, Andrew Gallagher via Gnupg-users wrote:

> Just curious, what’s the threat scenario here?

The HR department of the receiver.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



Re: [Announce] GnuPG 2.4.1 released

2023-04-30 Thread Werner Koch via Gnupg-users
On Fri, 28 Apr 2023 11:21, Todd Zullinger said:

> It seems neither of these files has made it to the
> server yet:

Sorry for that.  I have used a new build machine and obviously forgot
one of the last steps. Most of the release process is scripted but the
final upload needs to be done manually (after signing, copying to the
internal archive, updating the repo, writing announcement and updating
the web page).

Fixed after Bernhard called me at home.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-30 Thread Andrew Gallagher via Gnupg-users
On 30 Apr 2023, at 11:30, Johan Wevers via Gnupg-users wrote:
> 
> On 2023-04-30 1:15, ckeader via Gnupg-users wrote:
> 
>> Can't call it that as long as it's under user control (every long option of 
>> the software has an equivalent config file option. You don't add such a key 
>> via config or command line, no adsk will happen as it's not configured).
> 
> On my key, yes, I can choose to add an adk or not of course. But suppose
> I want to encrypt to a key that has an adk added, but I only want to
> encrypt to that key and not to the added adk? How do I do that?

Just curious, what’s the threat scenario here? If you suspect that your 
correspondent’s key preferences have been tampered with by a third party then 
surely the entire key is suspect and shouldn’t be used at all? If on the other 
hand you believe that it has not been tampered with, but your correspondent has 
been negligent in configuring it, then maybe you shouldn’t trust your 
correspondent?

A





Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-30 Thread Johan Wevers via Gnupg-users
On 2023-04-30 1:15, ckeader via Gnupg-users wrote:

> Can't call it that as long as it's under user control (every long option of 
> the software has an equivalent config file option. You don't add such a key 
> via config or command line, no adsk will happen as it's not configured).

On my key, yes, I can choose to add an adk or not of course. But suppose
I want to encrypt to a key that has an adk added, but I only want to
encrypt to that key and not to the added adk? How do I do that?

> If you're using gpg built by your org, you have no trustworthy environment 
> anyway.

Probably, but when I answer a mail from home with my own GnuPG I want to
be able to ignore adk's.

> And the feature needs to be supported by the client.

You, currently I run gpg 2.2 so it's not of immediate concern. But when
I eventually upgrade I want to be able to ignore adk's.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
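
Added example (not part of the original post, and not GnuPG project code): the thread names no option for skipping an ADSK, but a sender can check which subkeys a finished ciphertext was actually encrypted to. The function below reads the output of `gpg --list-only --list-packets` and reports recipient key IDs outside an expected list; the function name and every key ID in the sample are constructed for illustration.

```shell
#!/bin/sh
# Audit which (sub)keys an OpenPGP message was encrypted to.
# Input is the text printed by:  gpg --list-only --list-packets msg.gpg
# Each recipient shows up as one line of the form
#   :pubkey enc packet: version 3, algo 18, keyid 1111AAAA2222BBBB
# The key IDs are those of encryption subkeys, not of primary keys.

# unexpected_recipients EXPECTED_KEYID...   (packet listing on stdin)
# Prints every recipient key ID that is not in the expected list.
# An all-zero key ID (hidden recipient) cannot be matched to any key,
# so it is always reported.
unexpected_recipients() {
    expected=" $(printf '%s ' "$@" | tr 'a-f' 'A-F')"
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
    tr 'a-f' 'A-F' |
    while read -r keyid; do
        case "$keyid" in
            0000000000000000) echo "$keyid"; continue ;;
        esac
        case "$expected" in
            *" $keyid "*) ;;        # intended recipient
            *) echo "$keyid" ;;     # extra recipient, e.g. an ADSK
        esac
    done
}

# Constructed sample listing: the intended subkey plus one additional key.
SAMPLE_LISTING=':pubkey enc packet: version 3, algo 18, keyid 1111AAAA2222BBBB
	data: [263 bits]
	data: [392 bits]
:pubkey enc packet: version 3, algo 18, keyid 3333CCCC4444DDDD
	data: [263 bits]
	data: [392 bits]
:encrypted data packet:
	length: unknown'

# Only 1111AAAA2222BBBB was intended, so this prints 3333CCCC4444DDDD.
printf '%s\n' "$SAMPLE_LISTING" | unexpected_recipients 1111AAAA2222BBBB
```
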



Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-29 Thread ckeader via Gnupg-users
Johan Wevers via Gnupg-users writes:
> On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote:
> 
> >   * gpg: New command --quick-add-adsk and other ADSK features.
> > [T6395, https://gnupg.org/blog/20230321-adsk.html]
> 
> So you finally caved in to the backdoor demands.
> 
> What I'm missing (maybe I just didn't find it?) is an option in my
> config file to ignore adk requests and just don't encrypt to those keys
> as well when I send or reply a message.

Can't call it that as long as it's under user control (every long option of the 
software has an equivalent config file option. You don't add such a key via 
config or command line, no adsk will happen as it's not configured). If you're 
using gpg built by your org, you have no trustworthy environment anyway.

And the feature needs to be supported by the client.

In the face of email having been hijacked by the corporates/Micros~t+Exchange 
and intrinsically broken S/MIME, practical relevance: close to zero.




Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-28 Thread Steffen Nurpmeso
gnupg-users@gnupg.org wrote in
 <20230428230349.429d3d3a@localhost>:
 |Johan Wevers via Gnupg-users  wrote:
 |>On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote:
 |>
 |>>   * gpg: New command --quick-add-adsk and other ADSK features.
 |>> [T6395, https://gnupg.org/blog/20230321-adsk.html]  
 |>
 |>So you finally caved in to the backdoor demands.
 |
 |If there is no option as you say, i would say yes.
 |
 |>What I'm missing (maybe I just didn't find it?) is an option in my
 |>config file to ignore adk requests and just don't encrypt to those keys
 |>as well when I send or reply a message.
 |
 |ACK, absolutely necessary. Otherwise GnuPG would no longer be a
 |trustworthy encryption solution.

And Patrice Lumumba was thrown into a pit of slaked lime.
(After being beaten to death with rifle butts on the flight from
western to eastern Congo, as far as i know.  But wild times still
under colonial money mighty.  (Afaik.))

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|~~
|..and in spring, hear David Leonard sing..
|
|The black bear,  The black bear,
|blithely holds his own   holds himself at leisure
|beating it, up and down  tossing over his ups and downs with pleasure
|~~
|Farewell, dear collar bear



Re: ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-28 Thread mlnl via Gnupg-users
Hi Johan,

Johan Wevers via Gnupg-users  wrote:

>On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote:
>
>>   * gpg: New command --quick-add-adsk and other ADSK features.
>> [T6395, https://gnupg.org/blog/20230321-adsk.html]  
>
>So you finally caved in to the backdoor demands.

If there is no option as you say, i would say yes.

>What I'm missing (maybe I just didn't find it?) is an option in my
>config file to ignore adk requests and just don't encrypt to those keys
>as well when I send or reply a message.

ACK, absolutely necessary. Otherwise GnuPG would no longer be a
trustworthy encryption solution.

-- 
mlnl

GPG:1FC05426F87FA623



files are there now (Re: [Announce] GnuPG 2.4.1 released)

2023-04-28 Thread Bernhard Reiter
On Friday, 28 April 2023 17:21:54, Todd Zullinger via Gnupg-users wrote:
> >  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
> >  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig
>
> It seems neither of these files has made it to the
> server yet:

They are now.

(Though not visible on https://gnupg.org/ftp/gcrypt/gnupg/ yet:
 curl --silent https://gnupg.org/ftp/gcrypt/gnupg/ | grep '2\.4\.1' | wc -l
 0
)

Best Regards
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; District Court (Amtsgericht) Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter




Re: [Announce] GnuPG 2.4.1 released

2023-04-28 Thread Bernhard Reiter
On Friday, 28 April 2023 15:47:52, Werner Koch via Gnupg-devel wrote:
> We are pleased to announce the availability of a new stable GnuPG
> release: version 2.4.1.  

Congrats!

> - Version 2.4 is the current stable version with a lot of new features
>   compared to 2.2.  This announcement is about the latest release of
>   this series; the previous release was 2.3.8.

This reads like "2.3.8" was a typo, maybe something to check for the next 
announcement.

Best Regards
Bernhard




Re: [Announce] GnuPG 2.4.1 released

2023-04-28 Thread Johan Wevers via Gnupg-users
I get a 404 not found, the last version present on the server is 2.4.0.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



Re: [Announce] GnuPG 2.4.1 released

2023-04-28 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> Getting the Software
> 
> 
> Please follow the instructions found at  or
> read on:
> 
> GnuPG may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server.  The list of mirrors can be found at
> .  Note that GnuPG is not
> available at ftp.gnu.org.
> 
> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
> are available here:
> 
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig

It seems neither of these files has made it to the
server yet:

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

-- 
Todd




ADK's (was: [Announce] GnuPG 2.4.1 released)

2023-04-28 Thread Johan Wevers via Gnupg-users
On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote:

>   * gpg: New command --quick-add-adsk and other ADSK features.
> [T6395, https://gnupg.org/blog/20230321-adsk.html]

So you finally caved in to the backdoor demands.

What I'm missing (maybe I just didn't find it?) is an option in my
config file to ignore adk requests and just don't encrypt to those keys
as well when I send or reply a message.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



[Announce] GnuPG 2.4.1 released

2023-04-28 Thread Werner Koch via Gnupg-users
Hello!

We are pleased to announce the availability of a new stable GnuPG
release: version 2.4.1.  This version fixes some minor regressions
introduced with 2.4.0 and also adds a couple of new features.  See
below for details.


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows encrypting and signing data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different series of GnuPG are actively maintained:

- Version 2.4 is the current stable version with a lot of new features
  compared to 2.2.  This announcement is about the latest release of
  this series; the previous release was 2.3.8.

- Version 2.2 is our LTS (long term support) version and guaranteed to
  be maintained at least until the end of 2024. Only a small subset of
  features from 2.4 has been back-ported to this series.  See
  https://gnupg.org/download/index.html#end-of-life

- Version 1.4 is only maintained to allow decryption of very old data
  which is, for security reasons, not anymore possible with other GnuPG
  versions.  Please use 1.4 only for this purpose.


Noteworthy changes in version 2.4.1
===================================

  * If the ~/.gnupg directory does not exist, the keyboxd is now
    automagically enabled.  [rGd9e7488b17]

  * gpg: New option --add-desig-revoker.  [rG3d094e2bcf]

  * gpg: New option --assert-signer.  [rGc9e95b8dee]

  * gpg: New command --quick-add-adsk and other ADSK features.
    [T6395, https://gnupg.org/blog/20230321-adsk.html]

  * gpg: New list-option "show-unusable-sigs".  Also show
    "[self-signature]" instead of the user-id in key signature
    listings.  [rG103acfe9ca]

  * gpg: For symmetric encryption the default S2K hash is now SHA256.
    [T6367]

  * gpg: Detect already compressed data also when using a pipe.  Also
    detect JPEG and PNG file formats.  [T6332]

  * gpg: New subcommand "openpgp" for --card-edit.  [T6462]

  * gpgsm: Verification of detached signatures does now strip trailing
    zeroes from the input if --assume-binary is used.  [rG2a13f7f9dc]

  * gpgsm: Non-armored detached signature are now created without
    using indefinite form length octets.  This improves compatibility
    with some PDF signature verification software.  [rG8996b0b655]

  * gpgtar: Emit progress status lines in create mode.  [T6363]

  * dirmngr: The LDAP modifyTimestamp is now returned by some
    keyserver commands.  [rG56d309133f]

  * ssh: Allow specification of the order keys are presented to ssh.
    See the man page entry for --enable-ssh-support.  [T5996, T6212]

  * gpg: Make list-options "show-sig-subpackets" work again.
    Fixes regression in 2.4.0.  [rG5a223303d7]

  * gpg: Fix the keytocard command for Yubikeys.  [T6378]

  * gpg: Do not continue an export after a cancel for the primary key.
    [T6093]

  * gpg: Replace the --override-compliance-check hack by a real fix.
    [T5655]

  * gpgtar: Fix decryption with input taken from stdin.  [T6355]

  Release-info: https://dev.gnupg.org/T6454


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.1_20230428.exe (5305k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.1_20230428.exe.sig

The source used to build this Windows installer can be found in the same
directory with a ".tar.xz" suffix.

A new release of Gpg4win including this version of GnuPG will soon be
announced.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG