dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


GnuPG 1.0.5 released

May 02, 2001, 14:45 (0 Talkback[s])
From: Werner Koch <wk@gnupg.org>
Subject: GnuPG 1.0.5 released

Hello!

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

Version 1.0.5 has just been released and should be available at the mirrors (see below) really soon. If you can't get it from a mirror, use the primary location:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5.tar.gz (1.9MB) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5.tar.gz.sig

A (quite large) diff against 1.0.4 is also available:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.4-1.0.5.diff.gz (594k)

MD5 checksums of the above files are:


44c71c3f5a9edbf5738cafc37e8359e6 gnupg-1.0.5.tar.gz/ 8139c98c65186a14ac67e531409d1614 gnupg-1.0.4-1.0.5.diff.gz/

So what's new in this version:

  • WARNING: The semantics of --verify have changed to address a problem with detached signature detection. --verify now ignores signed material given on stdin unless this is requested by using a "-" as the name for the file with the signed material. Please check all your detached signature handling applications and make sure that they don't pipe the signed material to stdin without using a filename together with "-" on the the command line.
  • WARNING: Corrected hash calculation for input data larger than 512M - it was just wrong, so you might notice bad signature in some very big files. It may be wise to keep an old copy of GnuPG around.
  • Secret keys are no longer imported unless you use the new option --allow-secret-key-import. This is a kludge and future versions will handle it in another way.
  • New command "showpref" in the --edit-key menu to show an easier to understand preference listing.
  • There is now the notation of a primary user ID. For example, it is printed with a signature verification as the first user ID; revoked user IDs are not printed there anymore. In general the primary user ID is the one with the latest self-signature.
  • New --charset=utf-8 to bypass all internal conversions.
  • Large File Support (LFS) is now working.
  • New options: --ignore-crc-error, --no-sig-create-check, --no-sig-cache, --fixed_list_mode, --no-expensive-trust-checks, --enable-special-filenames and --use-agent. See man page.
  • New command --pipemode, which can be used to run gpg as a co-process. Currently only the verification of detached signatures are working. See doc/DETAILS.
  • Keyserver support for the W32 version.
  • Rewritten key selection code so that GnuPG can better cope with multiple subkeys, expire dates and so. The drawback is that it is slower.
  • A whole lot of bug fixes.
  • The verification status of self-signatures are now cached. To increase the speed of key list operations for existing keys you can do the following in your GnuPG homedir (~/.gnupg):

    $ cp pubring.gpg pubring.gpg.save/ && $ gpg --export-all >x && \ rm pubring.gpg && gpg --import x Only v4 keys (i.e not the old RSA keys) benefit from this caching.

  • New translations: Estonian, Turkish.

Furthermore, this version implements countermeasurements against the recent Klima/Rosa attack on the secret keyring. But let me stress again, that the security of the system relies on the physical security of the machine where you use GnuPG for signing or decrypting. And as a last warning: never ever send a secret key over an insecure channel; the passphrase encryption of the secret keyring is not as secure as the the regular OpenPGP encryption and should be only considered as a last resort protection.

See http://www.gnupg.org/docs-mls.html for a list of GnuPG related mailing lists. If you have any question you should direct them to mailing list gnupg-users@gnupg.org .

Have fun,

Werner

p.s.
The FTP, CVS and Webserver has recently moved to a new location and you should not anymore use the *.guug.de addresses.

Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/ Please use them if you can; new releases should show up on these servers within a day. This mirror list is also available at http://www.gnupg.org/mirrors.html

Australia

        ftp://orcus.progsoc.uts.edu.au/pub/gnupg/
        http://orcus.progsoc.uts.edu.au/pub/gnupg/
        rsync://orcus.progsoc.uts.edu.au/pub/gnupg/
        ftp://mirror.aarnet.edu.au/pub/gnupg/
        http://mirror.aarnet.edu.au/pub/gnupg/

    Austria

        ftp://gd.tuwien.ac.at/privacy/gnupg/

    Belgium

        ftp://openbsd.rug.ac.be/pub/gcrypt/
        ftp://gnupg.x-zone.org/pub/gnupg

    Canada

        ftp://crypto.yashy.com/pub/cryptography/gnupg/

    Czechia

        ftp://ftp.gnupg.cz/pub/gcrypt

    Denmark

        ftp://sunsite.dk/pub/security/gcrypt/

    Finland

        ftp://ftp.jyu.fi/pub/crypt/gcrypt/

    France

        ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/

    Germany

        ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
        ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/

    Greece

        ftp://ftp.linux.gr/pub/crypto/gnupg/
        ftp://hal.csd.auth.gr/mirrors/gnupg/

    Hungary

        ftp://ftp.kfki.hu/pub/packages/security/gnupg/

    Iceland

        ftp://ftp.hi.is/pub/mirrors/gnupg/

    Ireland

        ftp://ftp.compsoc.com/pub/gnupg/

    Italy

        ftp://ftp.linux.it/pub/mirrors/gnupg/
        ftp://ftp3.linux.it/pub/mirrors/gnupg/

    Japan

        ftp://pgp.iijlab.net/pub/gnupg/
        ftp://ftp.ring.gr.jp/pub/net/gnupg/
        http://www.ring.gr.jp/pub/net/gnupg/

    Korea

        ftp://ftp.snu.ac.kr/pub/security/gnupg/

    Poland

        ftp://sunsite.icm.edu.pl/pub/security/gnupg/

    Spain

        ftp://dimonieta.udg.es/mirror/gnupg

    Sweden

        ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
        ftp://ftp.sunet.se:/pub/security/gnupg/

    Switzerland

        ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/

    Taiwan

        ftp://coda.nctu.edu.tw/Security/gcrypt

    United Kingdom

        ftp://ftp.net.lut.ac.uk/gcrypt/
        ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
        http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus