Linux Today: Linux News On Internet Time.

Release Digest: GNU, August 24, 2003

Aug 25, 2003, 05:00 (0 Talkback[s])

GnuPG 1.2.3


We are pleased to announce the availability of a new stable GnuPG release: Version 1.2.3

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

This release solves a performance problem introduced with 1.2.2 and make building on less common platforms easier.

Getting the Software

GnuPG 1.2.3 can be downloaded from one of the GnuPG mirror sites or >From direct from ftp://ftp.gnupg.org/gcrypt .

The list of mirrors can be found at http://www.gnupg.org/mirrors.html.

Note, that GnuPG is not available at ftp.gnu.org.

On the mirrors you should find the follwing files in the gnupg directory:

gnupg-1.2.3.tar.bz2 (2240k)

GnuPG source compressed using BZIP2 and OpenPGP signature.

gnupg-1.2.3.tar.gz (3228k)

GnuPG source compressed using GZIP and OpenPGP signature.

gnupg-1.2.2-1.2.3.diff.gz (915k)

A patch file to upgrade a 1.2.2 GnuPG source. This file is signed; you have to use GnuPG > 0.9.5 to verify the signature. GnuPG has a feature to allow clear signed patch files which can still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date.

In the binary directory, you should find these files:

gnupg-w32cli-1.2.3.zip (1309k)

GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions.

Checking the Integrity

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

  • If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.3.tar.bz2 you would use this command:

gpg --verify gnupg-1.2.3.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key by finger wk 'at' g10code.com .

Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation.

  • If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. Assuming you downloaded the file gnupg-1.2.3.tar.bz2, you would run the md5sum command like this:

md5sum gnupg-1.2.3.tar.bz2

and check that the output matches the first line from the following list:

cdca1282d7901f9ddb52f9725b001af2 gnupg-1.2.3.tar.bz2
46b990908019422535a08ce91b370ae7 gnupg-1.2.3.tar.gz
64c305371e658764006439b73ecbd8c3 gnupg-1.2.2-1.2.3.diff.gz
208f98809a6e533fed08846723795477 gnupg-w32cli-1.2.3.zip

Upgrade Information

If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list.

What's New

Here is a list of major user visible changes since 1.2.2:

  • New "--gnupg" option (set by default) that disables --openpgp, and the various --pgpX emulation options. This replaces --no-openpgp, and --no-pgpX, and also means that GnuPG has finally grown a --gnupg option to make GnuPG act like GnuPG.
  • A number of portability changes to make building GnuPG on less-common platforms easier.
  • Romanian translation.
  • Two new %-expandos for use in notation and policy URLs. "%g" expands to the fingerprint of the key making the signature (which might be a subkey), and "%p" expands to the fingerprint of the primary key that owns the key making the signature.
  • New "tru" record in --with-colons --list-keys listings. It shows the status of the trust database that was used to calculate the key validity in the listings. See doc/DETAILS for the specifics of this.
  • New REVKEYSIG status tag for --status-fd. It indicates a valid signature that was issued by a revoked key. See doc/DETAILS for the specifics of this.


GnuPG comes with support for these langauges:
American English Indonesian (id)
Catalan (ca) Italian (it)
Czech (cs) Japanese (ja)
Danish (da)[*] Polish (pl)
Dutch (nl)[*] Brazilian Portuguese (pt_BR)[*]
Esperanto (eo)[*] Portuguese (pt)
Estonian (et) Romanian (ro)
Finnish (fi) Slovak (sk)
French (fr) Spanish (es)
Galician (gl) Swedish (sv)
German (de) Traditional Chinese (zh_TW)
Greek (el) Turkish (tr)
Hungarian (hu)  

Languages marked with [*] were not updated for this releases and you may notice untranslated messages. Many thanks to the translators for their ongoing support of GnuPG.

Future Directions

GnuPG 1.2.x is the current stable branch and won't undergo any serious changes. We will just fix bugs and add compatibility fixes as required.

GnuPG 1.3.x is the version were we do most new stuff and it will lead to the next stable version 1.4 not too far away.

GnuPG 1.9.x is brand new and flagged as experimental. This version merged the code from the Aegypten project and thus it includes the gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The design is different to the previous versions and we won't support any ancient systems - thus POSIX compatibility will be an absolute requirement for supported platforms. 1.9 is based on the current 1.3 code and has been released to have software ready to play with the forthcoming OpenPGP smartcard.

The OpenPGP smartcard is a soon to be released specification of an ISO 7816 based application to generate or import keys into a smartcard and provide all functionality to use this card with OpenPGP. The specification features 3 1024 bit RSA keys (signing, decryption and authentication) as well as utility data objects to make integration easy. We will be able to give about 50 test cards to selected developers and soon after distribute real cards.

For other developments you may want to consult the task list at http://g10code.com/en/tasklist.html .

Happy Hacking,

The GnuPG team (David, Stefan, Timo and Werner)

Let's not forget about all the other contributors; here is list of them (from the THANKS file):

The GNU Privacy Guard has been created by the GnuPG team: David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch. Birger Langkjer, Daniel Resare, Dokianakis Theofanis, Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann, Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki IIDA did the official translations. Mike Ashley wrote and maintains the GNU Privacy Handbook. David Scribner is the current FAQ editor. Lorenzo Cappelletti maintains the web site.

The following people helped greatly by suggesting improvements, testing, fixing bugs, providing resources and doing other important tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews, Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere, Christian Kurz, Christian von Roques, Christopher Oliver, Christian Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra, David C Niemi, David Champion, David Ellement, David Hallinan, David Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri, Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas, Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor, Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin, Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust, Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett, John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel, Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman, M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala, Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels, Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F. Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong, Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner, Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann, Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts, Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller, Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner, Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P. Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki and Gerlinde Klaes.

This software has been made possible by the previous work of Chris Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellmann Paul Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher ElGamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA mathematicians and all the folks who have worked hard to create complete and free operating systems.

Werner Koch