[Announce] GnuPG for OS X 2.3.7 released

2022-07-11 Thread Ralph Seichter via Gnupg-users
GnuPG for OS X / macOS release 2.3.7 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ .

The disk image signature key was uploaded to keyservers on 2022-07-07
and should now be widely available. It can also be downloaded using
https://www.seichter.de/pgp/gpgosx-signing.asc .

pub ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
Key fingerprint = EAB0 FE4F F793 D9E7 028E  C8E2 FD56 297D 9833 FF7F
uid [ultimate] Ralph Seichter (GnuPG for OS X signing key)

Important:

Starting with this release, GnuPG 2.3.x is installed in /usr/local/gnupg-2.3
instead of the previously hardcoded directory /usr/local/gnupg-2.2. This
enables installing both stable and LTS releases of GnuPG for OS X side by
side, for advanced users' needs.

The one caveat is that the latest installation will replace existing
soft links in /usr/local/{bin,lib}. Please use absolute paths like
/usr/local/gnupg-2.2/bin/gpg2 if necessary.

-Ralph

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
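
A fingerprint-pinning check for the signing key announced above, as an added example that is not part of the original announcement. The function names are hypothetical, the file names are supplied by the caller, and it assumes a gpg that supports `--show-keys`.

```shell
#!/bin/sh
# Added example (not from the announcement): pin the announced fingerprint
# before trusting a downloaded signing key.

# Fingerprint exactly as printed in the announcement.
ANNOUNCED_FPR='EAB0 FE4F F793 D9E7 028E  C8E2 FD56 297D 9833 FF7F'

# Remove whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read a `gpg --with-colons` key listing on stdin. Succeed only if it holds
# exactly one primary key and that key's fingerprint equals $1.
# In colon format the primary fingerprint is field 10 of the "fpr" record
# that directly follows a "pub" record; subkey fingerprints follow "sub".
check_key_listing() {
    expected=$(normalize_fpr "$1")
    awk -F: -v want="$expected" '
        $1 == "pub"            { primary = 1; next }
        $1 == "fpr" && primary { n++; if (toupper($10) == want) ok++ }
                               { primary = 0 }
        END                    { exit !(n + 0 == 1 && ok + 0 == 1) }
    '
}

# Hypothetical wrapper: inspect the key file without importing it, then verify
# a detached signature in a throwaway keyring that holds only that key.
# File names are supplied by the caller; none are taken from the announcement.
verify_with_pinned_key() {
    keyfile=$1; sigfile=$2; datafile=$3
    gpg --show-keys --with-colons "$keyfile" \
        | check_key_listing "$ANNOUNCED_FPR" || {
        echo "signing key does not match announced fingerprint" >&2
        return 1
    }
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --quiet --import "$keyfile" \
        && gpg --homedir "$home" --verify "$sigfile" "$datafile"
    rc=$?
    rm -rf "$home"
    return "$rc"
}
```

Requiring exactly one primary key means a key file that bundles an additional, unexpected key is rejected instead of being imported alongside the pinned one.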


[Announce] GnuPG 2.3.7 released

2022-07-11 Thread Andre Heinecke via Gnupg-users
Hello!

We are pleased to announce the availability of a new GnuPG release: 2.3.7.
This release fixes CVE-2022-34903 which could be used to inject wrong status 
information in signatures.  The status information could then be abused to 
display a wrong validity in Kleopatra and other users of GPGME.

What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine, GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different series of GnuPG are actively maintained:

- Version 2.3 is the current stable version with a lot of new features
  compared to 2.2.  This announcement is about the latest release of
  this series.

- Version 2.2 is our LTS (long term support) version and guaranteed to
  be maintained at least until the end of 2024.
  See https://gnupg.org/download/index.html#end-of-life

- Version 1.4 is only maintained to allow decryption of very old data
  which is, for security reasons, no longer possible with other GnuPG
  versions.

Noteworthy changes in version 2.3.7 (2022-07-11)
================================================

  * gpg: Fix possibly garbled status messages in NOTATION_DATA.  This
    bug could trick GPGME and other parsers into accepting faked status
    lines.  [T6027, CVE-2022-34903]

  * gpg: Look up user ID to revoke by UID hash.  [T5936]

  * gpg: Setup the 'usage' filter property for export.  [rG7aabd94b81]

  * gpg,w32: Allow Unicode filenames for iobuf_cancel.  [rG4ee2009083]

  * gpg: Fix reading AEAD preference.  [T6019]

  * gpgsm: New option --compatibility-flags.  [rGf0b373cec9]

  * gpgsm: Rework the PKCS#12 parser to support DFN issued keys.
    [T6037]

  * agent: New option --no-user-trustlist and --sys-trustlist-name.
    [T5990]

  * agent: Pop up dialog window for confirmation, when specified so.
    [T5099]

  * agent: Show "Label:" field of private key when prompting for
    insertion.  [T5986]

  * agent: Handle USAGE information in KEYINFO.  [rG295a6a7591]

  * agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.
    [T5996]

  * agent,ssh: Support "Use-for-ssh" flag in private key.  [T5985]

  * agent: New field "Prompt" to prevent asking for card key insertion.
    [T5987]

  * agent: Support --format=ssh option for READKEY.  [T6012]

  * agent: Add KEYATTR command.  [T5988]

  * agent: Flush before calling ftruncate.  [T6035]

  * agent: Do not consider --min-passphrase-len for the magic wand.
    [rGae2f1f0785]

  * kbx: Fix a race condition which results in no status report.  [T5948]

  * scd:openpgp: Fix a segv for cards supporting unknown curves.
    [T5963]

  * scd:p15: Fix reading certificates without length info.

  * scd:p15: Improve the displayed S/N for Technology Nexus cards.

  * scd:openpgp: Add workaround for ECC attribute on Yubikey.  [T5963]

  * scd,piv: Fix status report of KEYPAIRINFO.  [rG64c8786105]

  * scd:nks: Support the Telesec ESIGN application.  [T5219, T4938]

  * scd: Fix use of SCardListReaders for PC/SC.  [T5979]

  * scd: Support automatic card selection for READCERT with keygrip.
    [T6003]

  * scd: Support specifying keygrip for learn command.  [T6002]

  * dirmngr: Fix for Windows when built against GNUTLS.  [T5899]

  * gpg-connect-agent: Add --unbuffered option.

  * gpg-connect-agent: Add a way to cancel an INQUIRE.  [T6010]

  * gpgconf: New short options -V and -X

  Release-info: https://dev.gnupg.org/T5947

Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.7.tar.bz2 (7421k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.7.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.3.7_20220711.exe (4761k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.3.7_20220711.exe.sig

The source used to build the Windows 

Re: GnuPG 2.2.36 released

2022-07-11 Thread Konstantin Ryabitsev via Gnupg-users
On Fri, Jul 08, 2022 at 11:07:36PM +0200, Ingo Klöcker wrote:
> > That key doesn't appear to be provided via
> > https://gnupg.org/signature_key.asc.
> 
> Yes, it is.
> 
> ```
> $ curl https://gnupg.org/signature_key.asc | gpg --import
> [...]
> gpg: key 549E695E905BA208: 1 signature not checked due to a missing key
> gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)" imported
> gpg: Total number processed: 4
> gpg:   imported: 4
> 
> $ gpg -k 02F38DFF731FF97CB039A1DA549E695E905BA208
> pub   brainpoolP256r1/549E695E905BA208 2021-10-15 [SC] [expires: 2029-12-31]
>   02F38DFF731FF97CB039A1DA549E695E905BA208
> uid [ unknown] GnuPG.com (Release Signing Key 2021)
> ```
> 
> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.

Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
verify it without building gnupg from scratch (without verifying it first).

-K
