Release Digest: GNU, September 25, 2002
Sep 26, 2002, 05:00
We are pleased to announce the availability of a new stable release of
GnuPG: Version 1.2.0
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility and is compliant with the
proposed OpenPGP Internet standard as described in RFC2440. This new
release implements most of OpenPGP's optional features, has somewhat
better interoperability with non-conforming OpenPGP implementations and
improved keyserver support.
Getting the Software
GnuPG 1.2.0 can be downloaded from one of the GnuPG mirror sites.
The list of mirrors can be found at http://www.gnupg.org/mirrors.html.
See below for a list of mirrors already carrying this new release.
On the mirrors you should find the following files in the gnupg
gnupg-1.2.0.tar.bz2 (1.8 MB)
GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.
gnupg-1.2.0.tar.gz (2.5 MB)
GnuPG source compressed using GZIP and OpenPGP signature.
gnupg-1.0.7-1.2.0.diff.gz (1.0 MB)
A patch file to upgrade a 1.0.7 GnuPG source. This file is
signed; you have to use GnuPG > 0.9.5 to verify the signature.
GnuPG has a feature to allow clear signed patch files which can
still be processed by the patch utility.
Select one of them. To shorten the download time, you probably want
to get the BZIP2 compressed file. Please try another mirror if,
exceptionally, your mirror is not yet up to date.
In the binary directory, you should find these files:
gnupg-w32cli-1.2.0.zip (1.0 MB)
GnuPG compiled for Microsoft Windows and OpenPGP signature.
Note that this is a command line version and comes without a
graphical installer tool. You have to use an UNZIP utility to
extract the files and install them manually. The included file
README.W32 has further instructions.
Checking the Integrity
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a trusted version of GnuPG installed, you
can simply check the supplied signature. For example, to check the
signature of the file gnupg-1.2.0.tar.bz2 you would use this command:
gpg --verify gnupg-1.2.0.tar.bz2.sig
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by that signing key. Make sure that you have the right key,
either by checking the fingerprint of that key with other sources
or by checking that the key has been signed by a trustworthy other
Never use a GnuPG version you just downloaded to check the
integrity of the source - use an existing GnuPG installation.
* If you are not able to use an old version of GnuPG, you have to verify
the MD5 checksum. Assuming you downloaded the file
gnupg-1.2.0.tar.bz2, you would run the md5sum command like this:
and check that the output matches the first line from the
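The signature check in the first item above, as an added shell example that is not part of the original announcement: it runs an already-installed gpg with --status-fd and accepts the file only when the valid signature comes from the fingerprint you confirmed through another source. EXPECTED_FPR is a constructed placeholder (not the real release key), and the helper names check_status and verify_release are hypothetical; it assumes a gpg whose status output includes VALIDSIG lines.

```shell
#!/bin/sh
# Added example: pin a release signature to a fingerprint you obtained
# from an independent source, using an already-installed gpg.

# Constructed placeholder, NOT the real GnuPG release key fingerprint.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR  (hypothetical helper)
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names FPR (as signing key or as primary key) and no failure was reported.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=no
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                echo "rejected: gpg reported $keyword" >&2
                return 1 ;;
            VALIDSIG)
                # Last field is the primary key fingerprint when the
                # signature was made by a subkey.
                primary=${rest##* }
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    matched=yes
                fi ;;
        esac
    done
    if [ "$matched" = yes ]; then
        return 0
    fi
    echo "rejected: no valid signature from $want" >&2
    return 1
}

# verify_release SIGFILE [DATAFILE]  (hypothetical helper)
# GOODSIG alone is not enough: it only says the signature matches *some*
# key in the keyring, so the fingerprint is compared explicitly.
verify_release() {
    gpg --batch --status-fd 1 --verify "$@" | check_status "$EXPECTED_FPR"
}

# Usage: verify_release gnupg-1.2.0.tar.bz2.sig && echo "signature OK"
```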
The name of the default configuration file has changed from "options"
to "gpg.conf". The old name will still be used as long as no
"gpg.conf" exists. We recommend to rename your file after the
If you are upgrading from a version prior to 1.0.7, you may want to
run the command "gpg --rebuild-keydb-caches" once to speed up the
keyring access. Please note also that due to a bug in versions prior
to 1.0.6 it won't be possible to downgrade to such versions unless you
use the GnuPG version which comes with Debian's Woody release or you
apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .
If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org. Please direct questions to the
email@example.com mailing list.
Here is a list of major user visible changes since 1.0.7:
* The default configuration file is now ~/.gnupg/gpg.conf. If an
old ~/.gnupg/options is found it will still be used. This
change is required to have a more consistent naming scheme with
* The configure option --with-static-rnd=auto allows building gpg
with all available entropy gathering modules included. At
runtime the best usable one will be selected from the list
linux, egd, unix. This is also the default for systems lacking
a /dev/random device.
* All modules are now linked statically; the --load-extension
option is in general not useful anymore. The only exception is
to specify the deprecated IDEA cipher plugin.
* There are now various ways to restrict the ability GnuPG has to
exec external programs (for the keyserver helpers or photo ID
viewers). Read the README file for the complete list.
* The keyserver helper programs now live in
/usr/[local/]libexec/gnupg by default. If you are upgrading
from 1.0.7, you might want to delete your old copies in
/usr/[local/]bin. If you use an OS that does not use libexec
for whatever reason, use configure --libexecdir=/usr/local/lib
to place the keyserver helpers there.
* New "group" command to refer to several keys with one name.
* The option --interactive now has the desired effect when
* Full revocation key (aka "designated revoker") support.
* When using --batch with one of the --delete-key commands, the
key must be specified by fingerprint. See the man page for
* New export option to leave off attribute packets (photo IDs)
during export. This is useful when exporting to HKP keyservers
which do not understand attribute packets.
* New import option to repair during import the HKP keyserver
mangling multiple subkeys bug. Note that this cannot completely
repair the damaged key as some crucial data is removed by the
keyserver, but it does at least give you back one subkey. This
is on by default for keyserver --recv-keys, and off by default
for regular --import.
* New commands: --personal-cipher-preferences,
--personal-compress-preferences allow the user to specify which
algorithms are to be preferred. Note that this does not permit
using an algorithm that is not present in the recipient's
preferences (which would violate the OpenPGP standard). This
just allows sorting the preferences differently.
* New --attribute-fd command for frontends and scripts to get the
contents of attribute packets (i.e. photos)
* Options --emulate-checksum-bug and --emulate-3des-s2k-bug have
* The IDEA plugin has changed. Previous versions of the IDEA
plugin will no longer work with GnuPG. However, the current
version of the plugin will work with earlier GnuPG versions.
* ElGamal sign and encrypt is no longer allowed in the key
generation dialog unless in expert mode. RSA sign and encrypt
has been added with the same restrictions.
* The use of MDCs has increased. An MDC will be used if the
recipients directly request it, if the recipients have AES,
AES192, AES256, or TWOFISH in their cipher preferences, or if
the chosen cipher has a blocksize not equal to 64 bits
(currently this is also AES, AES192, AES256, and TWOFISH).
* GnuPG will no longer automatically disable compression when
processing an already-compressed file unless an MDC is being
used. This is to give the message a certain amount of
resistance to the chosen-ciphertext attack while communicating
with other programs (most commonly PGP earlier than version 7.x)
that do not support MDCs.
* The preferred hash algorithms on a key are consulted when
encrypting a signed message to that key. Note that this is
disabled by default by a SHA1 preference in
* --cert-digest-algo allows the user to specify the hash algorithm
to use when signing a key rather than the default SHA1 (or MD5
for PGP2 keys). Do not use this feature unless you fully
understand the implications of this.
* --pgp7 mode automatically sets all necessary options to ensure
that the resulting message will be usable by a user of PGP 7.x.
* The file permission and ownership checks on files have been
clarified. Specifically, the homedir (usually ~/.gnupg) is
checked to protect everything within it. If the user specifies
keyrings outside this homedir, they are presumed to be shared
keyrings and therefore not checked. Configuration files
specified with the --options option and the IDEA cipher
extension specified with --load-extension are checked, along
with their enclosing directories.
* The LDAP keyserver handler now works properly with very old
(version 1) LDAP keyservers.
* [W32] Keyserver access does work with Windows NT.
* A warning is issued if the user forces the use of an algorithm
that is not listed in the recipient's preferences.
* In expert mode, the user can now re-sign a v3 key with a v4
self-signature. This does not change the v3 key into a v4 key,
but it does allow the user to use preferences, primary ID flags,
* Significantly improved photo ID support on non-unixlike
* The default character set is now taken from the current locale;
it can still be overridden by the --charset option. Using the
option -vvv shows the used character set.
GnuPG comes with support for these languages:
American English        Greek (el)
Catalan (ca)            Indonesian (id)
Czech (cs)              Italian (it)
Danish (da)[*]          Japanese (ja)
Dutch (nl)[*]           Polish (pl)
Esperanto (eo)[*]       Brazilian Portuguese (pt_BR)[*]
Estonian (et)[*]        Portuguese (pt)
French (fr)[*]          Spanish (es)[*]
Galician (gl)           Swedish (sv)[*]
German (de)             Turkish (tr)
Languages marked with [*] were not updated for this release and you
may notice untranslated messages. We will probably release an update
of the translations when we have received some translation updates.
Many thanks to the translators for their ongoing support of GnuPG.
The GnuPG team (David, Stefan, Timo and Werner)
The mirror sites below have been verified to already carry this new
release. The full list of sites mirroring ftp ftp.gnupg.org is available