From: Werner Koch <wk@gnupg.org> Subject: GnuPG 1.0.5 released
Hello!
The GNU Privacy Guard (GnuPG) is GNU’s tool for secure
communication and data storage. It is a complete and free
replacement of PGP and can be used to encrypt data and to create
digital signatures. It includes an advanced key management facility
and is compliant with the proposed OpenPGP Internet standard as
described in RFC2440.
Version 1.0.5 has just been released and should be available at
the mirrors (see below) really soon. If you can’t get it from a
mirror, use the primary location:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5.tar.gz
(1.9MB) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5.tar.gz.sig
A (quite large) diff against 1.0.4 is also available:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.4-1.0.5.diff.gz
(594k)
MD5 checksums of the above files are:
44c71c3f5a9edbf5738cafc37e8359e6 gnupg-1.0.5.tar.gz/ 8139c98c65186a14ac67e531409d1614 gnupg-1.0.4-1.0.5.diff.gz/
So what’s new in this version:
- WARNING: The semantics of –verify have changed to address a
problem with detached signature detection. –verify now ignores
signed material given on stdin unless this is requested by using a
“-” as the name for the file with the signed material. Please check
all your detached signature handling applications and make sure
that they don’t pipe the signed material to stdin without using a
filename together with “-” on the the command line. - WARNING: Corrected hash calculation for input data larger than
512M – it was just wrong, so you might notice bad signature in some
very big files. It may be wise to keep an old copy of GnuPG
around. - Secret keys are no longer imported unless you use the new
option –allow-secret-key-import. This is a kludge and future
versions will handle it in another way. - New command “showpref” in the –edit-key menu to show an easier
to understand preference listing. - There is now the notation of a primary user ID. For example, it
is printed with a signature verification as the first user ID;
revoked user IDs are not printed there anymore. In general the
primary user ID is the one with the latest self-signature. - New –charset=utf-8 to bypass all internal conversions.
- Large File Support (LFS) is now working.
- New options: –ignore-crc-error, –no-sig-create-check,
–no-sig-cache, –fixed_list_mode, –no-expensive-trust-checks,
–enable-special-filenames and –use-agent. See man page. - New command –pipemode, which can be used to run gpg as a
co-process. Currently only the verification of detached signatures
are working. See doc/DETAILS. - Keyserver support for the W32 version.
- Rewritten key selection code so that GnuPG can better cope with
multiple subkeys, expire dates and so. The drawback is that it is
slower. - A whole lot of bug fixes.
- The verification status of self-signatures are now cached. To
increase the speed of key list operations for existing keys you can
do the following in your GnuPG homedir (~/.gnupg):$ cp pubring.gpg pubring.gpg.save/ && $ gpg
–export-all >x && rm pubring.gpg && gpg
–import x Only v4 keys (i.e not the old RSA keys) benefit from
this caching. - New translations: Estonian, Turkish.
Furthermore, this version implements countermeasurements against
the recent Klima/Rosa attack on the secret keyring. But let me
stress again, that the security of the system relies on the
physical security of the machine where you use GnuPG for signing or
decrypting. And as a last warning: never ever send a secret key
over an insecure channel; the passphrase encryption of the secret
keyring is not as secure as the the regular OpenPGP encryption and
should be only considered as a last resort protection.
See http://www.gnupg.org/docs-mls.html
for a list of GnuPG related mailing lists. If you have any question
you should direct them to mailing list gnupg-users@gnupg.org .
Have fun,
Werner
p.s.
The FTP, CVS and Webserver has recently moved to a new location and
you should not anymore use the *.guug.de addresses.
Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day. This mirror list is also available at
http://www.gnupg.org/mirrors.html
Australia
ftp://orcus.progsoc.uts.edu.au/pub/gnupg/ http://orcus.progsoc.uts.edu.au/pub/gnupg/ rsync://orcus.progsoc.uts.edu.au/pub/gnupg/ ftp://mirror.aarnet.edu.au/pub/gnupg/ http://mirror.aarnet.edu.au/pub/gnupg/ Austria ftp://gd.tuwien.ac.at/privacy/gnupg/ Belgium ftp://openbsd.rug.ac.be/pub/gcrypt/ ftp://gnupg.x-zone.org/pub/gnupg Canada ftp://crypto.yashy.com/pub/cryptography/gnupg/ Czechia ftp://ftp.gnupg.cz/pub/gcrypt Denmark ftp://sunsite.dk/pub/security/gcrypt/ Finland ftp://ftp.jyu.fi/pub/crypt/gcrypt/ France ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/ Germany ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/ ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/ Greece ftp://ftp.linux.gr/pub/crypto/gnupg/ ftp://hal.csd.auth.gr/mirrors/gnupg/ Hungary ftp://ftp.kfki.hu/pub/packages/security/gnupg/ Iceland ftp://ftp.hi.is/pub/mirrors/gnupg/ Ireland ftp://ftp.compsoc.com/pub/gnupg/ Italy ftp://ftp.linux.it/pub/mirrors/gnupg/ ftp://ftp3.linux.it/pub/mirrors/gnupg/ Japan ftp://pgp.iijlab.net/pub/gnupg/ ftp://ftp.ring.gr.jp/pub/net/gnupg/ http://www.ring.gr.jp/pub/net/gnupg/ Korea ftp://ftp.snu.ac.kr/pub/security/gnupg/ Poland ftp://sunsite.icm.edu.pl/pub/security/gnupg/ Spain ftp://dimonieta.udg.es/mirror/gnupg Sweden ftp://ftp.stacken.kth.se/pub/crypto/gnupg/ ftp://ftp.sunet.se:/pub/security/gnupg/ Switzerland ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/ Taiwan ftp://coda.nctu.edu.tw/Security/gcrypt United Kingdom ftp://ftp.net.lut.ac.uk/gcrypt/ ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/ http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
-- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus