-
Notifications
You must be signed in to change notification settings - Fork 157
/
NEWS
5620 lines (3460 loc) · 184 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Noteworthy changes in version 2.5.2 (unreleased)
------------------------------------------------
* dirmngr: A list of used URLs for loaded CRLs is printed first in
the output of the LISTCRL command. [T7337]
See-also: gnupg-announce/2024q4/000xxx.html
Release-info: https://dev.gnupg.org/T7289
Noteworthy changes in version 2.5.1 (2024-09-12)
------------------------------------------------
* gpg: The support for composite Kyber+ECC public key algorithms
does now use the final FIPS-203 and LibrePGP specifications. The
experimental keys from 2.5.0 are no longer supported. [T6815]
* gpg: New commands --add-recipients and --change-recipients.
[T1825]
* gpg: New option --proc-all-sigs. [T7261]
* gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195]
* gpg: Make --no-literal work again for -c and --store. [T5852]
* gpg: Improve detection of input data read errors. [T6528]
* gpg: Fix getting key by IPGP record (rfc-4398). [T7288]
* gpgsm: New option --assert-signer. [T7286]
* gpgsm: More improvements to PKCS#12 parsing to cope with latest
IVBB changes. [T7213]
* agent: Fix KEYTOCARD command when used with a loopback pinentry.
[T7283]
* gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode. New option
--as-attach. [rG4511997e9e1b]
* Now uses the process spawn API from libgpg-error. [T7192,T7194]
* Removed the --enable-gpg-is-gpg2 configure time option.
[rG2125f228d36c]
* Die Windows version will now be build for 64-Bit Windows and with
the corresponding changes to the installation directory and
Registry keys.
See-also: gnupg-announce/2024q3/000485.html
Release-info: https://dev.gnupg.org/T7191
Noteworthy changes in version 2.5.0 (2024-07-05)
------------------------------------------------
* gpg: Support composite Kyber+ECC public key algorithms. This is
experimental due to the yet outstanding FIPS-203 specification.
[T6815]
* gpg: Allow algo string "pqc" for --quick-gen-key. [rG12ac129a70]
* gpg: New option --show-only-session-key. [rG1695cf267e]
* gpg: Print designated revokers also in non-colon listing mode.
[rG9d618d1273]
* gpg: Make --with-sig-check work with --show-key in non-colon
listing mode. [rG0c34edc443]
* tpm: Rework error handling and fix key import [T7129, T7186]
* Varous fixes to improve robustness on 64 bit Windows. [T7139]
Changes also found in 2.4.6:
* gpg: New command --quick-set-ownertrust. [rG967678d972]
* gpg: Indicate disabled keys in key listings and add list option
"show-ownertrust". [rG2a0a706eb2]
* gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB
tag. [T7042]
* gpg: Do not allow to accidently set the RENC usage. [T7072]
* gpg: Accept armored files without CRC24 checksum. [T7071]
* gpg: New --import-option "only-pubkeys". [T7146]
* gpg: Repurpose the AKL mechanism "ldap" to work like the keyserver
mechnism but only for LDAP keyservers. [rG068ebb6f1e]
* gpg: ADSKs are now configurable for new keys. [T6882]
* gpgsm: Emit user IDs with an empty Subject also in colon mode.
[T7171]
* agent: Consider an empty pattern file as valid. [rGc27534de95]
* agent: Fix error handling of READKEY. [T6012]
* agent: Avoid random errors when storing key in ephemeral mode.
[T7129, rGfdc5003956]
* agent: Make "SCD DEVINFO --watch" more robust. [T7151]
* scd: Improve KDF data object handling for OpenPGP cards. [T7058]
* scd: Avoid buffer overrun with more than 16 PC/SC readers.
[T7129, rG4c1b007035]
* scd: Fix how the scdaemon on its pipe connection finishes.
[T7160]
* gpgconf: Check readability of some files with -X and change its
output format. [rG98e287ba6d]
* gpg-mail-tube: New tool to apply PGP/MIME encryption to a mail.
[rG28a080bc9f]
* Fix some uninitialized variables and double frees in error code
paths. [T7129]
Changes also found in 2.4.5:
* gpg,gpgv: New option --assert-pubkey-algo. [T6946]
* gpg: Emit status lines for errors in the compression layer.
[T6977]
* gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
* gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
* gpgtar: Make --status-fd=2 work on Windows. [T6961]
* scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
* scd: Suport D-TRUST ECC cards. [T7000,T7001]
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards. [T6843]
* agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
* dirmngr: Trust system's root CAs for checking CRL issuers.
[T6963]
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
[T6997]
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains. [rG37cc255e49]
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo". [rGa09157ccb2]
* Allow tilde expansion for the foo-program options. [T7017]
* Make the getswdb.sh tool usable outside the GnuPG tree.
Changes also found in 2.4.4:
* gpg: Do not keep an unprotected smartcard backup key on disk. See
https://gnupg.org/blog/20240125-smartcard-backup-key.html for a
security advisory. [T6944]
* gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
platforms. [T6736]
* gpg: Fix expiration time when Creation-Date is specified. [T5252]
* gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
* gpg: Add option --with-v5-fingerprint. [T6705]
* gpg: Add sub-option ignore-attributes to --import-options.
[rGd4976e35d2]
* gpg: Add --list-filter properties sig_expires/sig_expires_d.
[rGbf662d0f93af]
* gpg: Fix validity of re-imported keys. [T6399]
* gpg: Report BEGIN_ status before examining the input. [T6481]
* gpg: Don't try to compress a read-only keybox. [T6811]
* gpg: Choose key from inserted card over a non-inserted
card. [T6831]
* gpg: Allow to create revocations even with non-compliant algos.
[T6929]
* gpg: Fix regression in the Revoker keyword of the parameter file.
[T6923]
* gpg: Improve error message for expired default keys. [T4704]
* gpgsm: Add --always-trust feature. [T6559]
* gpgsm: Support ECC certificates in de-vs mode. [T6802]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
* keyboxd: Timeout on failure to get the database lock. [T6838]
* agent: Update the key stubs only if really modified. [T6829]
* scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
* scd: Add support for CardOS 5.4 cards. [rG812f988059]
* scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
* scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
* scd: Add a length check for a new PIN. [T6843]
* tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
* tpm: Fixes for the TPM test suite. [T6052]
* dirmngr: Avoid starting a second instance on Windows via GPGME
based launching. [T6833]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* dirmngr: Support config value "none" to disable the default
keyserver. [T6708]
* dirmngr: Implement automatic proxy detection on Windows. [T5768]
* dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
* dirmngr: Add code to support proxy authentication using the
Negotiation method on Windows. [T6719]
* gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
* gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
* gpgconf: Adjust the -X command for the new VERSION file format.
[T6918]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a278c]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
* Remove duplicated backslashes when setting the homedir. [T6833]
* Ignore attempts to remove the /dev/null device. [T6556]
* Improve advisory file lock retry strategy. [T3380]
* Improve the speedo build system for Unix. [T6710]
Changes also found in 2.4.3:
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors.
[T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpg: Show better error messages for blocked PINs. [T6425]
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint.
[T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* dirmngr: Support config value "none" to disable the default
keyserver. [T6708]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
* scd: Make signing work for Nexus cards. [rGb83d86b988]
* scd: Fix authentication with Administration Key for PIV.
[rG25b59cf6ce]
* Fix garbled time output in non-English Windows. [T6741]
Changes also found in 2.4.2:
* gpg: Print a warning if no more encryption subkeys are left over
after changing the expiration date. [rGef2c3d50fa]
* gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
* gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
* gpgsm: Reduce the number of "failed to open policy file"
diagnostics. [rG68613a6a9d]
* agent: Make updating of private key files more robust and track
display S/N. [T6135]
* keyboxd: Avoid longish delays on Windows when listing keys.
[rG6944aefa3c]
* gpgtar: Emit extra status lines to help GPGME. [T6497]
* w32: Avoid using the VirtualStore. [T6403]
Release-info: https://dev.gnupg.org/T7189
Release dates of 2.4 versions
-----------------------------
Version 2.4.6 (unreleased) https://dev.gnupg.org/T7030
Version 2.4.5 (2024-03-07) https://dev.gnupg.org/T6960
Version 2.4.4 (2024-01-25) https://dev.gnupg.org/T6578
Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509
Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506
Version 2.4.1 (2023-04-28) https://dev.gnupg.org/T6454
Version 2.4.0 (2022-12-16) https://dev.gnupg.org/T6302
Noteworthy changes in version 2.4.1 (2023-04-28)
------------------------------------------------
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled. [rGd9e7488b17]
* gpg: New option --add-desig-revoker. [rG3d094e2bcf]
* gpg: New option --assert-signer. [rGc9e95b8dee]
* gpg: New command --quick-add-adsk and other ADSK features.
[T6395, https://gnupg.org/blog/20230321-adsk.html]
* gpg: New list-option "show-unusable-sigs". Also show
"[self-signature]" instead of the user-id in key signature
listings. [rG103acfe9ca]
* gpg: For symmetric encryption the default S2K hash is now SHA256.
[T6367]
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats. [T6332]
* gpg: New subcommand "openpgp" for --card-edit. [T6462]
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
* gpgsm: Non-armored detached signature are now created without
using indefinite form length octets. This improves compatibility
with some PDF signature verification software. [rG8996b0b655]
* gpgtar: Emit progress status lines in create mode. [T6363]
* dirmngr: The LDAP modifyTimestamp is now returned by some
keyserver commands. [rG56d309133f]
* ssh: Allow specification of the order keys are presented to ssh.
See the man page entry for --enable-ssh-support. [T5996, T6212]
* gpg: Make list-options "show-sig-subpackets" work again.
Fixes regression in 2.4.0. [rG5a223303d7]
* gpg: Fix the keytocard command for Yubikeys. [T6378]
* gpg: Do not continue an export after a cancel for the primary key.
[T6093]
* gpg: Replace the --override-compliance-check hack by a real fix.
[T5655]
* gpgtar: Fix decryption with input taken from stdin. [T6355]
See-also: gnupg-announce/2023q2/000478.html
Release-info: https://dev.gnupg.org/T6454
Noteworthy changes in version 2.4.0 (2022-12-16)
------------------------------------------------
* gpg: New command --quick-update-pref. [rGd40d23b233]
* gpg: New list-options show-pref and show-pref-verbose.
[rG811cfa34cb]
* gpg: New option --list-filter to restrict key listings like
gpg -k --list-filter 'select=revoked-f && sub/algostr=ed25519'
[rG1324dc3490]
* gpg: New --export-filter export-revocs. [rGc985b52e71]
* gpg: Also import stray revocation certificates. [rG7aaedfb107]
* gpg: Add a notation to encryption subkeys in de-vs mode. [T6279]
* gpg: Improve signature verification speed by a factor of more than
four. Double detached signing speed. [T5826]
* gpg: Allow only OCB for AEAD encryption. [rG5a2cef801d]
* gpg: Fix trusted introducer for mbox only user-ids. [T6238]
* gpg: Report an error via status-fd for receiving a key from the
agent. [T5151]
* gpg: Make --require-compliance work without the --status-fd
option. [rG2aacd843ad]
* gpg: Fix verification of cleartext signatures with overlong lines.
[T6272]
* agent: Fix import of protected OpenPGP v5 keys. [T6294]
* gpgsm: Change the default cipher algorithm from AES128 to AES256.
Also announce support for this in signatures. [rG2d8ac55d26]
* gpgsm: Always use the chain validation model if the root-CA
requests this. [rG7fa1d3cc82]
* gpgsm: Print OCSP revocation date and reason in cert listings.
[rGb6abaed2b5]
* agent: Support Win32-OpenSSH emulation by gpg-agent. [T3883]
* scd: Support the Telesec Signature Card v2.0. [T6252]
* scd: Redact --debug cardio output of a VERIFY APDU. [T5085]
* scd: Skip deleted pkcs#15 records in CARDOS 5. [rG061efac03f]
* dirmngr: Fix build with no LDAP support. [T6239]
* dirmngr: Fix verification of ECDSA signed CRLs. [rG868dabb402]
* wkd: New option --add-revocs for gpg-wks-client. [rGc3f9f2d497]
* wkd: Ignore expired user-ids in gpg-wks-client. [T6292]
* card: New commands "gpg" and "gpgsm". [rG9c4691c73e]
See-also: gnupg-announce/2022q4/000477.html
Release-info: https://dev.gnupg.org/T6303
Noteworthy changes in version 2.3.8 (2022-10-13)
------------------------------------------------
* gpg: Do not consider unknown public keys as non-compliant while
decrypting. [T6205]
* gpg: Avoid to emit a compliance mode line if Libgcrypt is
non-compliant. [T6221]
* gpg: Improve --edit-key setpref command to ease c+p. [rG1908fa8b83]
* gpg: Emit an ERROR status if --quick-set-primary-uid fails and
allow to pass the user ID by hash. [T6126]
* gpg: Actually show symmetric+pubkey encrypted data as de-vs
compliant. Add extra compliance checks for symkey_enc packets.
[T6119]
* gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
preference. [T6043]
* gpgsm: Fix reporting of bad passphrase error during PKCS#11
import. [T5713,T6037]
* agent: Fix a regression in "READKEY --format=ssh". [T6012]
* agent: New option --need-attr for KEYINFO. [rG989eae648c]
* agent: New attribute "Remote-list" for use by KEYINFO.
[r1383aa4750]
* scd: Fix problem with Yubikey 5.4 firmware. [T6070]
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
[rG0c8299e2b5]
* dirmngr: New LDAP server flag "areconly" (A-record-only).
[rGd65a0335e5]
* dirmngr: Fix upload of multiple keys for an LDAP server specified
using the colon format. [rG536b5cd663]
* dirmngr: Use LDAP schema v2 when a Base DN is specified. [T6047]
* dirmngr: Avoid caching expired certificates. [T6142]
* wkd: Fix path traversal attack in gpg-wks-server. Add the mail
address to the pending request data. [rG8a63a8c825,T6098]
* wkd: New command --mirror for gpg-wks-client. [T6224]
* gpg-auth: New tool for authentication. [T5862]
* New common.conf option no-autostart. [rG203dcc19eb]
* Silence warnings from AllowSetForegroundWindow unless
GNUPG_EXEC_DEBUG_FLAGS is used. [rG4ef8516a79]
Release-info: https://dev.gnupg.org/T6106
See-also: gnupg-announce/2022q4/000476.html
Noteworthy changes in version 2.3.7 (2022-07-11)
------------------------------------------------
* gpg: Fix possibly garbled status messages in NOTATION_DATA. This
bug could trick GPGME and other parsers to accept faked status
lines. [T6027, CVE-2022-34903]
* gpg: Look up user ID to revoke by UID hash. [T5936]
* gpg: Setup the 'usage' filter property for export. [rG7aabd94b81]
* gpg,w32: Allow Unicode filenames for iobuf_cancel. [rG4ee2009083]
* gpg: Fix reading AEAD preference. [T6019]
* gpgsm: New option --compatibility-flags. [rGf0b373cec9]
* gpgsm: Rework the PKCS#12 parser to support DFN issued keys.
[T6037]
* agent: New option --no-user-trustlist and --sys-trustlist-name.
[T5990]
* agent: Pop up dialog window for confirmation, when specified so.
[T5099]
* agent: Show "Label:" field of private key when prompt the
insertion. [T5986]
* agent: Handle USAGE information in KEYINFO. [rG295a6a7591]
* agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.
[T5996]
* agent,ssh: Support "Use-for-ssh" flag in private key. [T5985]
* agent: New field "Prompt" to prevent asking card key insertion.
[T5987]
* agent: Support --format=ssh option for READKEY. [T6012]
* agent: Add KEYATTR command. [T5988]
* agent: Flush before calling ftruncate. [T6035]
* agent: Do not consider --min-passphrase-len for the magic wand.
[rGae2f1f0785]
* kbx: Fix a race condition which results no status report. [T5948]
* scd:openpgp: Fix a segv for cards supporting unknown curves.
[T5963]
* scd:p15: Fix reading certificates without length info.
* scd:p15: Improve the displayed S/N for Technology Nexus cards.
* scd:openpgp: Add workaround for ECC attribute on Yubikey. [T5963]
* scd,piv: Fix status report of KEYPAIRINFO. [rG64c8786105]
* scd:nks: Support the Telesec ESIGN application. [T5219, T4938]
* scd: Fix use of SCardListReaders for PC/SC. [T5979]
* scd: Support automatic card selection for READCERT with keygrip.
[T6003]
* scd: Support specifying keygrip for learn command. [T6002]
* dirmngr: Fix for Windows when build against GNUTLS. [T5899]
* gpg-connect-agent: Add --unbuffered option.
* gpg-connect-agent: Add a way to cancel an INQUIRE. [T6010]
* gpgconf: New short options -V and -X
Release-info: https://dev.gnupg.org/T5947
See-also: gnupg-announce/2022q3/000474.html
Noteworthy changes in version 2.3.6 (2022-04-25)
------------------------------------------------
* gpg: Fix regression in 2.3.5 importing longer keys. [T5941]
* gpg: Emit an ERROR status as hint for a bad passphrase. [T5943]
* gpg: Avoid NULL-ptr access due to corrupted packets. [T5940]
* gpgsm: Improve the "Certificate not found" error message. [T5821]
* agent: Pass pattern directly to gpg-check-pattern. [rGe529c54fe3]
* scd: Fix hard-coded constant for RSA authentication key OpenPGP.3.
[rG2848fe4c84]
Release-info: https://dev.gnupg.org/T5937
See-also: gnupg-announce/2022q2/000473.html
Noteworthy changes in version 2.3.5 (2022-04-21)
------------------------------------------------
* gpg: Up to five times faster verification of detached signatures.
Doubled detached signing speed. [T5826,rG4e27b9defc,rGf8943ce098]
* gpg: Threefold decryption speedup for large files.
[T5820,rGab177eed51]
* gpg: Nearly double the AES256.OCB encryption speed. [rG99e2c178c7]
* gpg: Removed EAX from the preference list. [rG253fcb9777]
* gpg: Allow --dearmor to decode all kinds of armor files.
[rG34ea19aff9]
* gpg: Remove restrictions for the name part of a user-id.
[rG8945f1aedf]
* gpg: Allow decryption of symmetric encrypted data even for
non-compliant cipher. [rG8631d4cfe2]
* gpg,gpgsm: New option --require-compliance. [rGee013c5350]
* gpgsm: New option --ignore-cert-with-oid. [rGe23dc755fa]
* gpgtar: Create and handle extended headers to support long file
names. [T5754]
* gpgtar: Support file names longer than MAX_PATH on Windows.
[rG70b738f93f]
* gpgtar: Use a pipe for decryption and thus avoid memory
exhaustion. [rGe5ef5e3b91]
* gpgtar: New option --with-log. [rGed53d41b4c]
* agent: New flag "qual" for the trustlist.txt. [rG7c8c606061]
* scdaemon: Add support for GeNUA cards. [rG0dcc249852]
* scdaemon: Add --challenge-response option to PK_AUTH for OpenPGP
cards. [T5862]
* dirmngr: Support the use of ECDSA for CRLs and OCSP.
[rGde87c8e1ea,rG890e9849b5]
* dirmngr: Map all gnupg.net addresses to the Ubuntu keyserver.
[T5751]
* ssh: Return a faked response for the new session-bind extension.
[T5931]
* gpgconf: Add command aliases -L -K -R. [rGec4a1cffb8]
* gpg: Request keygrip of key to add via command interface. [T5771]
* gpg: Print Yubikey version correctly. [T5787]
* gpg: Always use version >= 4 to generate key signature. [T5809]
* gpg: Fix generating AEAD packet. [T5853]
* gpg: Fix version on symmetric encrypted AEAD files if the force
option is used. [T5856]
* gpg: Fix adding the list of ultimate trusted keys. [T5742]
* gpgsm: Fix parsing of certain PKCS#12 files. [T5793]
* gpgsm: Print diagnostic about CRL problems due to Tor mode.
[rG137e59a6a5]
* agent: Use "Created:" field for creation time. [T5538]
* scdaemon Fix error handling for a PC/SC reader selected with
reader-port. [T5758]
* scdaemon: Fix DEVINFO with no --watch. [rGc6dd9ff929]
* scdaemon: Fix socket resource leak on Windwos. [T5029]
* scdaemon: Use extended mode for pkcs#15 already for rsa2048.
[rG597253ca17]
* scdaemon: Enhance PASSWD command to accept KEYGRIP optionally.
[T5862]
* scdaemon: Fix memory leak in ccid-driver. [rG8ac92f0e80]
* tpm: Always use hexgrip when storing a key password.
[rGaf2fbd9b01]
* dirmngr: Make WKD lookups work for resolvers not handling SRV
records. [T4729]
* dirmngr: Avoid initial delay on the first keyserver access in
presence of --no-use-tor. [rG57d546674d]
* dirmngr: Workaround for a certain broken LDAP URL. [rG90caa7ad59]
* dirmngr: Escape more characters in WKD requests. [T5902]
* dirmngr: Suppress error message on trial reading as PEM format.
[T5531]
* gpgconf: Fix component table when not building without TPM
support. [T5701]
* gpgconf: Silence warnings from parsing the option files. [T5874]
* gpgconf: Do not list ignored options and mark forced options as
read-only. [rG42785d7c8a]
* gpgconf: Tweak the use of the ldapserver option. [T5801]
* ssh: Fix adding an ed25519 key with a zero length comment. [T5794]
* kbx: Fix searching for FPR20 in version 2 blob. [T5888]
* Fix early homedir creation. [T5895]
* Improve removing of stale lockfiles under Unix. [T5884]
Release-info: https://dev.gnupg.org/T5743
See-also: gnupg-announce/2022q2/000472.html
Noteworthy changes in version 2.3.4 (2021-12-20)
------------------------------------------------
* gpg: New option --min-rsa-length. [rG5f39db70c0]
* gpg: New option --forbid-gen-key. [rGc397ba3ac0]
* gpg: New option --override-compliance-check. [T5655]
* gpgconf: New command --show-configs. [rGa0fb78ee0f]
* agent,dirmngr,keyboxd: New option --steal-socket.
[rGb0079ab39d,rGdd708f60d5]
* gpg: Fix printing of binary notations. [T5667]
* gpg: Remove stale ultimately trusted keys from the trustdb.
[T5685,T5742]
* gpg: Fix indentation of --print-mds and --print-md sha512. [T5679]
* gpg: Emit gpg 2.2 compatible Ed25519 signature. [T5331]
* gpgsm: Detect circular chains in --list-chain. [rG74c5b35062]
* dirmngr: Make reading resolv.conf more robust. [T5657]
* dirmngr: Ask keyservers to provide the key fingerprints. [T5741]
* gpgconf: Allow changing gpg's deprecated keyserver option. [T5462]
* gpg-wks-server: Fix created file permissions. [rG60be00b033]
* scd: Support longer data for ssh-agent authentication with openpgp
cards. [T5682]
* scd: Modify DEVINFO behavior to support looping forever. [T5359]
* Support gpgconf.ctl for NetBSD and Solaris. [T5656,T5671]
* Silence "Garbled console data" warning under Windows in most
cases. [rGe293da3b21]
* Silence warning about the rootdir under Unices w/o a mounted /proc
file system. [T5656]
* Fix possible build problems about missing include files. [T5592]
Release-info: https://dev.gnupg.org/T5654
See-also: gnupg-announce/2021q4/000468.html
Noteworthy changes in version 2.3.3 (2021-10-12)
------------------------------------------------
* agent: Fix segv in GET_PASSPHRASE (regression). [#5577]
* dirmngr: Fix Let's Encrypt certificate chain validation. [#5639]
* gpg: Change default and maximum AEAD chunk size to 4 MiB.
[ad3dabc9fb]
* gpg: Print a warning when importing a bad cv25519 secret key.
[#5464]
* gpg: Fix --list-packets for undecryptable AEAD packets. [#5584]
* gpg: Verify backsigs for v5 keys correctly. [#5628]
* keyboxd: Fix checksum computation for no UBID entry on disk.
[#5573]
* keyboxd: Fix "invalid object" error with cv448 keys. [#5609]
* dirmngr: New option --ignore-cert. [4b3e9a44b5]
* agent: Fix calibrate_get_time use of clock_gettime. [#5623]
* Silence process spawning diagnostics on Windows. [f2b01025c3]
* Support a gpgconf.ctl file under Unix and use this for the
regression tests. [#5999]
Release-info: https://dev.gnupg.org/T5565
See-also: gnupg-announce/2021q4/000466.html
Noteworthy changes in version 2.3.2 (2021-08-24)
------------------------------------------------
* gpg: Allow fingerprint based lookup with --locate-external-key.
[ec36eca08c]
* gpg: Allow decryption w/o public key but with correct card
inserted. [50293ec2eb]
* gpg: Auto import keys specified with --trusted-keys. [100037ac0f]
* gpg: Do not use import-clean for LDAP keyserver imports. [#5387]
* gpg: Fix mailbox based search via AKL keyserver method. [4fcfac6feb]
* gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
[#5430]
* gpg: Use a more descriptive prompt for symmetric decryption.
[6dfae2f402]
* gpg: Improve speed of secret key listing. [40da61b89b]
* gpg: Support keygrip search with traditional keyring. [#5469]
* gpg: Let --fetch-key return an exit code on failure. [#5376]
* gpg: Emit the NO_SECKEY status again for decryption. [#5562]
* gpgsm: Support decryption of password based encryption (pwri).
[eeb65d3bbd]
* gpgsm: Support AES-GCM decryption. [4980fb3c6d]
* gpgsm: Let --dump-cert --show-cert also print an OpenPGP
fingerprint. [52bbdc731f]
* gpgsm: Fix finding of issuer in use-keyboxd mode. [6b76693ff5]
* gpgsm: New option --ldapserver as an alias for --keyserver.
[89df86157e]
* agent: Use SHA-256 for SSH fingerprint by default. [#5434]
* agent: Fix calling handle_pincache_put. [#5436]
* agent: Fix importing protected secret key. [#5122]
* agent: Fix a regression in agent_get_shadow_info_type. [#5393]
* agent: Add translatable text for Caps Lock hint. [#4950]
* agent: New option --pinentry-formatted-passphrase. [#5517]
* agent: Add checkpin inquiry for pinentry. [#5517,#5532]
* agent: New option --check-sym-passphrase-pattern. [#5517]
* agent: Use the sysconfdir for a pattern file.
* agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
[1305baf099]
* dirmngr: LDAP search by a mailbox now ignores revoked keys.
[1406f551f1]
* dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
[#5441]
* dirmngr: Allow for non-URL specified ldap keyservers. [#5405,#5452]
* dirmngr: New option --ldapserver. [52cf32ce2f]
* dirmngr: Fix regression in KS_GET for mail address pattern.
[#5497]
* card: New option --shadow for the list command. [2fce99d73a]
* tests: Make sure the built keyboxd is used. [#5406]
* scd: Fix computing shared secrets for 512 bit curves.
[9e24f2a45c]
* scd: Fix unblock PIN by a Reset Code with KDF. [#5413]
* scd: Fix PC/SC removed card problem. [8d81fd7c01]
* scd: Recover the partial match for PORTSTR for PC/SC.
[53bdc6288f]
* scd: Make sure to release the PC/SC context. [#5416]
* scd: Fix zero-byte handling in ECC. [#5163]
* scd: Fix serial number detection for Yubikey 5. [#5442]
* scd: Add basic support for AET JCOP cards. [544ec7872a]
* scd: Detect external interference when --pcsc-shared is in use.
[#5484]
* scd: Fix access to the list of cards. [#5524]
* gpgconf: Do not list a disabled tpm2d. [#5408]
* gpgconf: Make runtime changes with different homedir work.
[31c0aa2ff3]
* keyboxd: Fix searching for exact mail adddress. [f79e9540ca]
* keyboxd: Fix searching with multiple patterns. [101ba4f18a]
* gpgtar: Fix file size computation under Windows. [14e36bdbe1]
* tools: Extend gpg-check-pattern. [73c03e0232]
* wkd: Fix client issue with leading or trailing spaces in
user-ids. [b4345f7521]
* Under Windows add a fallback in case the console can't cope with
Unicode. [#5491]
* Under Windows use LOCAL_APPDATA for the socket directory. [#5537]
* Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
[#3659]
* Change the default keyserver to keyserver.ubuntu.com. This is a
temporary change due to the shutdown of the SKS keyserver pools.
[55b5928099]
Release-info: https://dev.gnupg.org/T5405
See-also: gnupg-announce/2021q3/000462.html
Noteworthy changes in version 2.3.1 (2021-04-20)
------------------------------------------------