-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Explain what this means in plain English for users of Enigmail and what they need to do.
- -o coderman wrote: > ---------- Forwarded message ---------- From: Werner Koch > <[email protected]> Date: Thu, 06 Nov 2014 10:01:51 +0100 Subject: > [Announce] GnuPG 2.1.0 "modern" released > > Hello! > > The GnuPG Project is pleased to announce the availability of a new > release: Version 2.1.0. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation > of the OpenPGP standard as defined by RFC-4880 and better known as > PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well > as access modules for public key directories. GnuPG itself is a > command line tool with features for easy integration with other > applications. A wealth of frontend applications and libraries > making use of GnuPG are available. Since version 2 GnuPG provides > support for S/MIME and Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It > can be freely used, modified and distributed under the terms of the > GNU General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general > use. This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is > most suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along > with any of the other versions. > > > What's New in GnuPG-2.1 ======================= > > - The file "secring.gpg" is not anymore used to store the secret > keys. Merging of secret keys is now supported. > > - All support for PGP-2 keys has been removed for security > reasons. > > - The standard key generation interface is now much leaner. This > will help a new user to quickly generate a suitable key. > > - Support for Elliptic Curve Cryptography (ECC) is now available. > > - Commands to create and sign keys from the command line without > any extra prompts are now available. > > - The Pinentry may now show the new passphrase entry and the > passphrase confirmation entry in one dialog. > > - There is no more need to manually start the gpg-agent. It is > now started by any part of GnuPG as needed. > > - Problems with importing keys with the same long key id have been > addressed. > > - The Dirmngr is now part of GnuPG proper and also takes care of > accessing keyserver. > > - Keyserver pools are now handled in a smarter way. > > - A new format for locally storing the public keys is now used. > This considerable speeds up operations on large keyrings. > > - Revocation certificates are now created by default. > > - Card support has been updated, new readers and token types are > supported. > > - The format of the key listing has been changed to better > identify the properties of a key. > > - The gpg-agent may now be used on Windows as a Pageant > replacement for Putty in the same way it is used for years on Unix > as ssh-agent replacement. > > - Creation of X.509 certificates has been improved. It is now > also possible to export them directly in PKCS#8 and PEM format for > use on TLS servers. > > A detailed description of the changes can be found at > https://gnupg.org/faq/whats-new-in-2.1.html . > > > Getting the Software ==================== > > Please follow the instructions found at https://gnupg.org/download/ > or read on: > > GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites > or direct from its primary FTP server. The list of mirrors can be > found at https://gnupg.org/mirrors.html . Note that GnuPG is not > available at ftp.gnu.org. > > On ftp.gnupg.org you find these files: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2 (3039k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig > > This is the GnuPG 2.1 source code compressed using BZIP2 and its > OpenPGP signature. > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe > (6225k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe.sig > > This is an experimental installer for Windows including GPA as > graphical key manager and GpgEX as an Explorer extension. Please > de-install an already installed Gpg4win version before trying this > installer. This binary version has not been tested very well, thus > it is likely that you will run into problems. The complete source > code for the software included in this installer is in the same > directory; use the suffix ".tar.xz" instead of ".exe". > > Although several beta versions have been released over the course > of the last years, no extensive public field test has been done. > Thus it is likely that bugs will show up. Please check the mailing > list archives and the new wiki https://wiki.gnupg.org for latest > information on known problems and workaround. > > > Checking the Integrity ====================== > > In order to check that the version of GnuPG which you are going to > install is an original and unmodified one, you can do it in one of > the following ways: > > * If you already have a version of GnuPG installed, you can simply > verify the supplied signature. For example to verify the > signature of the file gnupg-2.1.0.tar.bz2 you would use this > command: > > gpg --verify gnupg-2.1.0.tar.bz2.sig > > This checks whether the signature file matches the source file. You > should see a message indicating that the signature is good and made > by one or more of the release signing keys. Make sure that this is > a valid key, either by matching the shown fingerprint against a > trustworthy list of valid release signing keys or by checking that > the key has been signed by trustworthy other keys. See below for > information on the signing keys. > > * If you are not able to use an existing version of GnuPG, you > have to verify the SHA-1 checksum. On Unix systems the command to > do this is either "sha1sum" or "shasum". Assuming you downloaded > the file gnupg-2.1.0.tar.bz2, you would run the command like this: > > sha1sum gnupg-2.1.0.tar.bz2 > > and check that the output matches the first line from the following > list: > > 2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33 gnupg-2.1.0.tar.bz2 > 9907cb6509a0e63331b27a92e25c1ef956caaf3b > gnupg-w32-2.1.0_20141105.exe > 28dc1365292c61fbb2bbae730d4158f425463c91 > gnupg-w32-2.1.0_20141105.tar.xz > > > Release Signing Keys ==================== > > To guarantee that a downloaded GnuPG version has not been tampered > by malicious entities we provide signature files for all tarballs > and binary versions. The keys are also signed by the long term > keys of their respective owners. Current releases are signed by > one or more of these four keys: > > 2048R/4F25E3B6 2011-01-12 Key fingerprint = D869 2123 C406 5DEA > 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) > > rsa2048/E0856959 2014-10-29 Key fingerprint = 46CC 7308 65BB 5C78 > EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing > Key) <dshaw 'at' jabberwocky.com> > > rsa2048/33BD3F06 2014-10-29 Key fingerprint = 031E C253 6E58 0D8E > A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) > <gniibe 'at' fsij.org> > > rsa2048/7EFD60D9 2014-10-19 Key fingerprint = D238 EA65 D64C 67ED > 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) > > You may retrieve these files from the keyservers using this > command > > gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ > 2071B08A33BD3F06 8A861B1C7EFD60D9 > > The keys are also available at > https://gnupg.org/signature_key.html and in the released GnuPG > tarball in the file g10/distsigkey.gpg . Note that this mail has > been signed using my standard PGP key. > > > Internationalization ==================== > > This new branch of GnuPG has support for 4 languages: French, > German, Japanese, and Ukrainian. More translations can be expected > with the next point releases. > > > Documentation ============= > > If you used GnuPG in the past you should read the description of > changes and new features at doc/whats-new-in-2.1.txt or online at > > https://gnupg.org/faq/whats-new-in-2.1.html > > The file gnupg.info has the complete user manual of the system. > Separate man pages are included as well but they have not all the > details available in the manual. It is also possible to read the > complete manual online in HTML format at > > https://gnupg.org/documentation/manuals/gnupg/ > > or in Portable Document Format at > > https://gnupg.org/documentation/manuals/gnupg.pdf . > > The chapters on gpg-agent, gpg and gpgsm include information on > how to set up the whole thing. You may also want search the GnuPG > mailing list archives or ask on the gnupg-users mailing lists for > advise on how to solve problems. Many of the new features are > around for several years and thus enough public knowledge is > already available. > > > Support ======= > > Please consult the archive of the gnupg-users mailing list before > reporting a bug > <https://gnupg.org/documentation/mailing-lists.html>. We suggest to > send bug reports for a new release to this list in favor of filing > a bug at <https://bugs.gnupg.org>. For commercial support requests > we keep a list of known service companies at: > > https://gnupg.org/service.html > > The driving force behind the development of GnuPG is the company > of its principal author, Werner Koch. Maintenance and improvement > of GnuPG and related software takes up most of their resources. To > allow him to continue this work he kindly asks to either purchase a > support contract, engage g10 Code for custom enhancements, or to > donate money: > > https://gnupg.org/donate/ > > > Thanks ====== > > We have to thank all the people who helped with this release, be > it testing, coding, translating, suggesting, auditing, > administering the servers, spreading the word, and answering > questions on the mailing lists. A final big Thank You goes to Hal > Finney, who too early passed away this year. Hal worked on PGP and > helped to make OpenPGP a great standard; it has been a pleasure > having worked with him. > - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJUW+rxAAoJEGxwq/inSG8CAecH/Rlgc3MdymDUV8uv5MrAVBLv 6/7Apl8ArBhv94d6BP0vs4cl/Qrfdb19sysDtDohTh2lt0FtBA/fAqoRhpWpRemb fqEtfi/tOCJyP46EBleshc/TZnwbfUIpfba8xXUitaRf7Xe4qFQeMpAwHtqLvFwt 6W/iwm1NPmX3JmqdIn6utpEvY+NLe0jiiv6yoNtFjKgn58qDk1HweBQzRDh3GZ1z bCM90U5ikKpkztJofgqvibkcNRRZYdMf5gElqdrp6r4Jz6QXZpPz8JeQ+dRIs58f i+N46JtylAFJ+p22GrxIJ4xhOZSYyuocveZcOrghaSIu/rGHEVhgsNeRrG0v3SQ= =DhWQ -----END PGP SIGNATURE-----
