Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-22 Thread Branko Majic
On Mon, 11 Aug 2014 10:21:55 +0200
Werner Koch  wrote:

> On Sat,  9 Aug 2014 22:52, bra...@majic.rs said:
> 
> > Skimming through the description, does it mean that users with OpenPGP
> > cards should be impervious to this attack? Can the attack be used to
> > leak symmetric keys during the GnuPG operation?
> 
> It is unlikely that this particular attack can be used against smart
> cards.  They are quite different from a general purpose PC.  Modern
> cards are designed to mitigate many classes of side-channel attacks
> since cards started to be targeted more than 25 years ago.
> 
> The private keys are only on the card and not accessible from the PC.
> 

I should've been more specific with my question (or perhaps I
misunderstood the answer a bit :)

If I understand correctly (please do correct me if not), when
encrypting/decrypting a file with GnuPG using an OpenPGP card, a
symmetric key is created that will encrypt the file, and subsequently
this symmetric key will be encrypted using the OpenPGP card, with the
encrypted symmetric key becoming part of the encrypted file.

This symmetric key is generated outside of the OpenPGP card (if I got
it right), and encryption/decryption of a file itself is performed
outside of the OpenPGP card (i.e. on host computer).

Can the attack be used to obtain this symmetric key for encrypting the
file during encryption/decryption operations performed by GnuPG?

Best regards

P.S.
Sorry for the original lost quote, I'll try to keep 'em shorter :)

-- 
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Werner Koch
On Tue, 12 Aug 2014 22:42, r...@sixdemonbag.org said:

> I would also add the Qt pinentry plugin to this.  The native Win32 one
> looks completely awful.  If someone could point me at an API, I'd give

Actually this was a hack to use GnuPG on WindowsCE while we are waiting
for the Qt guys to finish their migration of the Qt pinentry.  It
allowed us to enter the PIN on that HTC Touch Pro2 to test and milestone
the crypto engine.

> serious thought to doing a modern one with WPF to replace the existing
> native Win32.

That would be nice.  We need to be able to cross-compile it, though.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Robert J. Hansen

> FWIW, I never use anything other than gnupg out of the installer. The
> file system tools have never worked for me, and some of them don't
> even work on 64 bit systems. That's not a criticism, I know how open
> source works. :)  My point is simply that if you have limited
> resources in my opinion the highest value target is gnupg itself.


I would also add the Qt pinentry plugin to this.  The native Win32 one
looks completely awful.  If someone could point me at an API, I'd give
serious thought to doing a modern one with WPF to replace the existing
native Win32.



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Doug Barton

On 08/09/2014 01:49 AM, Werner Koch wrote:
> On Sat,  9 Aug 2014 01:24, p...@heypete.com said:
>
>>> The GPG4Win folks are gearing up for a new release this August.
>>
>> Excellent. I look forward to it.
>
> The problem with gpg4win is that it is hard to build in particular the
> KDE stuff can't be easily cross compiled.


Werner,

FWIW, I never use anything other than gnupg out of the installer. The 
file system tools have never worked for me, and some of them don't even 
work on 64 bit systems. That's not a criticism, I know how open source 
works. :)  My point is simply that if you have limited resources in my 
opinion the highest value target is gnupg itself.


hth,

Doug




Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Jerry
On Mon, 11 Aug 2014 11:21:32 +, KA IT User stated:

> please remove us from the mailing list. We are no longer using GnuPG in
> our company.

Please try and follow the directions.

List-Unsubscribe: ,
 

-- 
Jerry



Re: AW: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Werner Koch
On Mon, 11 Aug 2014 13:21, e...@kommunalkredit.at said:

> please remove us from the mailing list. We are no longer using GnuPG in our 
> company.

What about visiting the URL shown as last line of each mail sent through
this mailing list?  Or looking into the list mail headers?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




AW: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread KA IT User
Hi,

please remove us from the mailing list. We are no longer using GnuPG in our 
company.

Kind regards
__
Ing. Roman Höller, MSc
Information Technology
Kommunalkredit Austria AG
1092 Wien, Türkenstraße 9
Tel.: +43 (0) 1/31631 519, Fax: -99519
Mobil: +43 (0) 664/80 31631 519
r.hoel...@kommunalkredit.at
www.kommunalkredit.at


-----Original Message-----
From: Gnupg-announce [mailto:gnupg-announce-boun...@gnupg.org] On Behalf Of 
Werner Koch
Sent: Friday, 08 August 2014 12:28
To: gnupg-annou...@gnupg.org; info-...@gnu.org
Subject: [Announce] [security fix] Libgcrypt and GnuPG

Hi!

While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed to 
describe [2] a software combination which has not been fixed and is thus 
vulnerable to the attack described by the paper.  If you are using a GnuPG 
version with a *Libgcrypt version < 1.6.0*, it is possible to mount the 
described side-channel attack on Elgamal encryption subkeys.
To check whether you are using a vulnerable Libgcrypt version, enter

  gpg2 --version

on the command line; the second line of the output gives the Libgcrypt
version:

  gpg (GnuPG) 2.0.25
  libgcrypt 1.5.3

In this example Libgcrypt is vulnerable.  If you see 1.6.0 or 1.6.1 you are 
fine.  GnuPG versions since 1.4.16 are not affected because they do not use 
Libgcrypt.

The recommendation is to update any Libgcrypt version below 1.6.0 to at least 
the latest version from the 1.5 series which is 1.5.4.  Updating to 1.6.1 is 
also possible but that requires to rebuild GnuPG.

Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I include the 
download instructions below.  A CVE-id has not yet been assigned.

Many thanks to Daniel Genkin for pointing out this problem.


Shalom-Salam,

   Werner


[1] http://www.cs.tau.ac.il/~tromer/handsoff
[2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html
[3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html

Download


Libgcrypt source code is hosted at the GnuPG FTP server and its mirrors as 
listed at https://www.gnupg.org/download/mirrors.html .  On the primary server 
the source tarball and its digital signature are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig

That file is bzip2 compressed.  A gzip compressed version is here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig

Alternatively you may upgrade using this patch file:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k)

In order to check that the version of Libgcrypt you are going to build is an 
original and unmodified one, you can do it in one of the following
ways:

 * Check the supplied OpenPGP signature.  For example to check the
   signature of the file libgcrypt-1.5.4.tar.bz2 you would use this
   command:

 gpg --verify libgcrypt-1.5.4.tar.bz2.sig

   This checks whether the signature file matches the source file.  You
   should see a message indicating that the signature is good and made
   by the release signing key 4F25E3B6 which is certified by my well
   known key 1E42B367.  To retrieve the keys you may use the command
   "gpg --fetch-key finger:w...@g10code.com".

 * If you are not able to use GnuPG, you have to verify the SHA-1
   checksum:

 sha1sum libgcrypt-1.5.4.tar.bz2

   and check that the output matches the first line from the
   following list:

bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a  libgcrypt-1.5.4.tar.bz2 
71e432e0ae8792076a40c6059667997250abbb9d  libgcrypt-1.5.4.tar.gz 
8876ae002751e6ec26c76e510d17fc3e0eccb3ed  libgcrypt-1.5.3-1.5.4.diff.bz2


Watching out for possible security problems and working with researchers to fix 
them takes a lot of time.  g10 Code GmbH, a German company owned and headed by 
me, is bearing these costs.  To help us carry on this work, we need your 
support; please see https://gnupg.org/donate/ .


--
Thoughts are free.  Exceptions are regulated by a federal law.



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Werner Koch
Hi,

[94 lines of full quote deleted - pretty please strip quote to what is
 needed.  I nearly missed your question]

On Sat,  9 Aug 2014 22:52, bra...@majic.rs said:

> Skimming through the description, does it mean that users with OpenPGP
> cards should be impervious to this attack? Can the attack be used to
> leak symmetric keys during the GnuPG operation?

It is unlikely that this particular attack can be used against smart
cards.  They are quite different from a general purpose PC.  Modern
cards are designed to mitigate many classes of side-channel attacks
since cards started to be targeted more than 25 years ago.

The private keys are only on the card and not accessible from the PC.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Branko Majic
On Fri, 08 Aug 2014 12:17:06 +0200
Werner Koch  wrote:

> Hi!
> 
> While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed
> to describe [2] a software combination which has not been fixed and is
> thus vulnerable to the attack described by the paper.  If you are using
> a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
> mount the described side-channel attack on Elgamal encryption subkeys.
> To check whether you are using a vulnerable Libgcrypt version, enter
> 
>   gpg2 --version
> 
> on the command line; the second line of the output gives the Libgcrypt
> version:
> 
>   gpg (GnuPG) 2.0.25
>   libgcrypt 1.5.3
> 
> In this example Libgcrypt is vulnerable.  If you see 1.6.0 or 1.6.1 you
> are fine.  GnuPG versions since 1.4.16 are not affected because they do
> not use Libgcrypt.
> 
> The recommendation is to update any Libgcrypt version below 1.6.0 to at
> least the latest version from the 1.5 series which is 1.5.4.  Updating
> to 1.6.1 is also possible but that requires to rebuild GnuPG.
> 
> Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I
> include the download instructions below.  A CVE-id has not yet been
> assigned.
> 
> Many thanks to Daniel Genkin for pointing out this problem.
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> 
> [1] http://www.cs.tau.ac.il/~tromer/handsoff
> [2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html
> [3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html
> 
> Download
> 
> 
> Libgcrypt source code is hosted at the GnuPG FTP server and its mirrors
> as listed at https://www.gnupg.org/download/mirrors.html .  On the
> primary server the source tarball and its digital signature are:
> 
>  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k)
>  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig
> 
> That file is bzip2 compressed.  A gzip compressed version is here:
> 
>  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k)
>  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig
> 
> Alternatively you may upgrade using this patch file:
> 
>  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k)
> 
> In order to check that the version of Libgcrypt you are going to build
> is an original and unmodified one, you can do it in one of the following
> ways:
> 
>  * Check the supplied OpenPGP signature.  For example to check the
>    signature of the file libgcrypt-1.5.4.tar.bz2 you would use this
>    command:
> 
>  gpg --verify libgcrypt-1.5.4.tar.bz2.sig
> 
>    This checks whether the signature file matches the source file.  You
>    should see a message indicating that the signature is good and made
>    by the release signing key 4F25E3B6 which is certified by my well
>    known key 1E42B367.  To retrieve the keys you may use the command
>    "gpg --fetch-key finger:w...@g10code.com".
> 
>  * If you are not able to use GnuPG, you have to verify the SHA-1
>    checksum:
> 
>  sha1sum libgcrypt-1.5.4.tar.bz2
> 
>    and check that the output matches the first line from the
>    following list:
> 
> bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a  libgcrypt-1.5.4.tar.bz2
> 71e432e0ae8792076a40c6059667997250abbb9d  libgcrypt-1.5.4.tar.gz
> 8876ae002751e6ec26c76e510d17fc3e0eccb3ed  libgcrypt-1.5.3-1.5.4.diff.bz2
> 
> 
> Watching out for possible security problems and working with researchers
> to fix them takes a lot of time.  g10 Code GmbH, a German company owned
> and headed by me, is bearing these costs.  To help us carry on this
> work, we need your support; please see https://gnupg.org/donate/ .
> 

Skimming through the description, does it mean that users with OpenPGP
cards should be impervious to this attack? Can the attack be used to
leak symmetric keys during the GnuPG operation?

Best regards

-- 
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Pete Stephenson
On Sat, Aug 9, 2014 at 10:49 AM, Werner Koch  wrote:
> On Sat,  9 Aug 2014 01:24, p...@heypete.com said:
>
>>> The GPG4Win folks are gearing up for a new release this August.
>>
>> Excellent. I look forward to it.
>
> The problem with gpg4win is that it is hard to build in particular the
> KDE stuff can't be easily cross compiled.  It is quite some work to
> maintain this software and donations are very low.  My tentative plan is
> now to separate GnuPG proper from the other stuff and provide it as a
> separate installer (for gnupg 2.1)

I'll bet. Fortunately, there are decent Windows front-ends for
mail-related tasks like Enigmail. Not much for file-related tasks,
though.

I would definitely be happy if the GPG binary was packaged separately:
I almost never use GPA or other GUI tools that come with the package.

Thanks for the reminder regarding donations: I really should chip in a
bit more this year.

Cheers!
-Pete

-- 
Pete Stephenson



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Werner Koch
On Sat,  9 Aug 2014 01:24, p...@heypete.com said:

>> The GPG4Win folks are gearing up for a new release this August.
>
> Excellent. I look forward to it.

The problem with gpg4win is that it is hard to build in particular the
KDE stuff can't be easily cross compiled.  It is quite some work to
maintain this software and donations are very low.  My tentative plan is
now to separate GnuPG proper from the other stuff and provide it as a
separate installer (for gnupg 2.1)


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Pete Stephenson
On Fri, Aug 8, 2014 at 11:44 PM, Samir Nassar  wrote:
> On Friday, 2014-08-08 23:34:30 Pete Stephenson  wrote:
>> Does this vulnerability apply to gpg4win users?
>
> It should, since the issues the GnuPG update addresses come after the latest
> release of GPG4Win.

I assumed as such, but it's good to be certain. I'm not sure if
there'd be some OS-specific details that would affect the issue.

>> There's been no gpg4win updates since October of 2013 and there have
>> been several updates of GnuPG since then. I am somewhat concerned.
>
>> Is there any information about when an update for Windows users might
>> be released?
>
> The GPG4Win folks are gearing up for a new release this August.

Excellent. I look forward to it.

-- 
Pete Stephenson



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Samir Nassar
On Friday, 2014-08-08 23:34:30 Pete Stephenson  wrote:
> Does this vulnerability apply to gpg4win users?

It should, since the issues the GnuPG update addresses come after the latest 
release of GPG4Win.

> There's been no gpg4win updates since October of 2013 and there have
> been several updates of GnuPG since then. I am somewhat concerned.

> Is there any information about when an update for Windows users might
> be released?

The GPG4Win folks are gearing up for a new release this August.

Samir

-- 
Samir Nassar
sa...@samirnassar.com
https://samirnassar.com
PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2
Public Key: https://samirnassar.com/files/key.asc



Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Pete Stephenson
On Fri, Aug 8, 2014 at 12:17 PM, Werner Koch  wrote:
> Hi!
>
> While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed
> to describe [2] a software combination which has not been fixed and is
> thus vulnerable to the attack described by the paper.  If you are using
> a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
> mount the described side-channel attack on Elgamal encryption subkeys.
> To check whether you are using a vulnerable Libgcrypt version, enter
>
>   gpg2 --version
>
> on the command line; the second line of the output gives the Libgcrypt
> version:
>
>   gpg (GnuPG) 2.0.25
>   libgcrypt 1.5.3
>
> In this example Libgcrypt is vulnerable.  If you see 1.6.0 or 1.6.1 you
> are fine.  GnuPG versions since 1.4.16 are not affected because they do
> not use Libgcrypt.

Does this vulnerability apply to gpg4win users?

There's been no gpg4win updates since October of 2013 and there have
been several updates of GnuPG since then. I am somewhat concerned.

Is there any information about when an update for Windows users might
be released?

Cheers!
-Pete

-- 
Pete Stephenson



[Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Werner Koch
Hi!

While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed
to describe [2] a software combination which has not been fixed and is
thus vulnerable to the attack described by the paper.  If you are using
a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
mount the described side-channel attack on Elgamal encryption subkeys.
To check whether you are using a vulnerable Libgcrypt version, enter

  gpg2 --version

on the command line; the second line of the output gives the Libgcrypt
version:

  gpg (GnuPG) 2.0.25
  libgcrypt 1.5.3

In this example Libgcrypt is vulnerable.  If you see 1.6.0 or 1.6.1 you
are fine.  GnuPG versions since 1.4.16 are not affected because they do
not use Libgcrypt.

The recommendation is to update any Libgcrypt version below 1.6.0 to at
least the latest version from the 1.5 series which is 1.5.4.  Updating
to 1.6.1 is also possible but that requires to rebuild GnuPG.

Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I
include the download instructions below.  A CVE-id has not yet been
assigned.

Many thanks to Daniel Genkin for pointing out this problem.


Shalom-Salam,

   Werner


[1] http://www.cs.tau.ac.il/~tromer/handsoff
[2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html
[3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html

Download


Libgcrypt source code is hosted at the GnuPG FTP server and its mirrors
as listed at https://www.gnupg.org/download/mirrors.html .  On the
primary server the source tarball and its digital signature are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig

That file is bzip2 compressed.  A gzip compressed version is here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig

Alternatively you may upgrade using this patch file:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k)

In order to check that the version of Libgcrypt you are going to build
is an original and unmodified one, you can do it in one of the following
ways:

 * Check the supplied OpenPGP signature.  For example to check the
   signature of the file libgcrypt-1.5.4.tar.bz2 you would use this
   command:

 gpg --verify libgcrypt-1.5.4.tar.bz2.sig

   This checks whether the signature file matches the source file.  You
   should see a message indicating that the signature is good and made
   by the release signing key 4F25E3B6 which is certified by my well
   known key 1E42B367.  To retrieve the keys you may use the command
   "gpg --fetch-key finger:w...@g10code.com".

 * If you are not able to use GnuPG, you have to verify the SHA-1
   checksum:

 sha1sum libgcrypt-1.5.4.tar.bz2

   and check that the output matches the first line from the
   following list:

bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a  libgcrypt-1.5.4.tar.bz2
71e432e0ae8792076a40c6059667997250abbb9d  libgcrypt-1.5.4.tar.gz
8876ae002751e6ec26c76e510d17fc3e0eccb3ed  libgcrypt-1.5.3-1.5.4.diff.bz2


Watching out for possible security problems and working with researchers
to fix them takes a lot of time.  g10 Code GmbH, a German company owned
and headed by me, is bearing these costs.  To help us carry on this
work, we need your support; please see https://gnupg.org/donate/ .


-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
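
The version check described in the announcement above, written out as a script. This is an added example, not part of Werner Koch's post or of GnuPG. The function names `ver_lt` and `classify_gpg_version` and the verdict strings are assumptions made for the example; the thresholds 1.5.4 and 1.4.16 are the ones the announcement states.

```sh
#!/bin/sh
# Added example: apply the announcement's rules to `gpg2 --version` output.
#   libgcrypt line present, version <  1.5.4  -> vulnerable
#   libgcrypt line present, version >= 1.5.4  -> fixed (1.5.4, 1.6.0, 1.6.1, ...)
#   no libgcrypt line, GnuPG 1.x >= 1.4.16    -> not-affected (no Libgcrypt used)
#   anything else                             -> unknown (advisory gives no verdict)

# ver_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as numbers, so 1.5.10 is higher than 1.5.4.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "lower than"
    }'
}

# classify_gpg_version TEXT: TEXT is the full output of `gpg2 --version`.
# Prints one verdict word on stdout.
classify_gpg_version() {
    out=$1
    # First line looks like "gpg (GnuPG) 2.0.25".
    gnupg=$(printf '%s\n' "$out" |
        sed -n 's/^gpg.* (GnuPG) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    # Second line looks like "libgcrypt 1.5.3"; GnuPG 1.4 prints no such line.
    gcrypt=$(printf '%s\n' "$out" |
        sed -n 's/^libgcrypt \([0-9][0-9.]*\).*/\1/p' | head -n 1)

    if [ -n "$gcrypt" ]; then
        if ver_lt "$gcrypt" 1.5.4; then
            echo vulnerable
        else
            echo fixed
        fi
    elif [ -n "$gnupg" ] && ver_lt "$gnupg" 2.0 && ! ver_lt "$gnupg" 1.4.16; then
        echo not-affected
    else
        echo unknown
    fi
}

# Constructed sample: the two lines quoted in the announcement.
sample='gpg (GnuPG) 2.0.25
libgcrypt 1.5.3'
echo "announcement sample: $(classify_gpg_version "$sample")"

# Live check, only when a gpg2 binary is installed on this host.
if command -v gpg2 >/dev/null 2>&1; then
    echo "this host: $(classify_gpg_version "$(gpg2 --version)")"
fi
```

A "fixed" verdict only covers the issue in this announcement; it says nothing about later Libgcrypt advisories.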