gnupg: Update to version 2.5.20
- Update from version 2.4.9 to 2.5.20
- Update of rootfile
- I missed that the stable branch had been changed from 2.4.x to 2.5.x so there have
been a lot of versions from 2.5.0 to 2.5.20
- Branch 2.4.x (oldstable) becomes EOL on 30th July 2026.
- Changelog
2.5.20
* New and extended features:
- gpgsm: Implement GCM encryption. Note that decryption works
since version 2.3.2. [T3979]
- gpgsm: New option --attribute and server command SETATTR to
include arbitrary signed or unsigned attributes into a signature.
Enable only with libksba 1.7.0 or later. [T4537]
- gpgsm: Introduce system attribute _signingCertificateV2.
[rG0335a9cb04]
* Bug fixes:
- gpg: Fix wrong assertion failure which could very rarely occur
during key signature checking. [rG693f5642f6]
- gpg: Consider certify-only keys for revocation signature check.
[T8196]
- gpgsm: Fix possible double free in the CMS parser. [T8240]
- gpgsm: Fix possible too early removal of ephemeral keys. [T8236]
- gpgsm: Avoid emitting a final FAILURE status line if --status-fd
is not used. [rG69c27fe377]
- gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
data. [rG60a823c97b]
- agent: Fix not using cache for pinentry loopback. [rGd4b608a31f]
- agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e]
- keyboxd: Mark keys searched but not imported via LDAP correctly
as ephemeral. [T8048]
- scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
keys > 2k. [T8244]
- dirmngr: Fix uninitialized use of the dns_any union in
dns_rr_cmp. [T8251]
2.5.19
* New and extended features:
- gpg: New option --use-ocb-sym. [rGccdcdfbb37]
- gpg: New options --show-[only-]session-hash. [rGecd0f7afa1]
- gpgsm: Allow cipher mode to be part of the algo given to the
--cipher-algo option. [T3979]
- gpgsm: Emit more details when failing to check a crlDP. [T8221]
- agent: Improve pinentry behavior and texts in smartcard context.
[T6425]
- dirmngr: New keyword "clear" for --keyserver. [rG2ab4cba36c]
* Bug fixes:
- gpg: Fix edge case in --refresh-keys. [T8197]
- gpg: Don't call gcry_kdf_derive with empty passphrase. [T7739]
- gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to
allow import of recently issued certificates by the German
Telekom. [rGc8c9604bba]
- gpgsm: Fix a bug so that a certificate can be signed using a
different algo. [rG66fdafab3c]
- gpgsm: Make GCM fully compliant in de-vs mode. [rG04fd775fce]
- gpgsm: Add a certificate chain check for de-vs compliance.
[T8188]
- gpgsm: Show rsaPSS certificates as de-vs compliant in listings.
[T8222]
- agent: Rework the trustlist reading code to finally allow a
trustlist.txt with a missing trailing LF. [T8078]
- ssh: Fix RSA padding in signature handling. [T7882,T8202]
- gpgtar: Fix -C (--directory) to check the output directory.
[T8159]
* Other changes:
- agent: Raise an error when p >= q for RSA keys to detect
incorrect generated *PGP keys. [T8171]
2.5.18
* gpg: Support deleting a composite secret key in gpg-agent. [T7875]
* gpg: Fix armor parsing when no CRC is found. [T7071]
* gpgsm: New option --assert-validsig. [rG9500b2c776]
* agent: Fix the recent regression in pkdecrypt with TPM RSA.
[T8045]
* scdaemon: Add support for D-Trust Card 6.1/6.4. [rG987c6a398a]
* dirmngr: Let KS_SEARCH print all uid records for a key.
Fixes regression since 2015. [rG2dde9ddf56]
* gpg-authcode-sign.sh: Keep the log file even on success.
[rGc0f9ca47f0]
2.5.17
* agent: Fix stack buffer overflow when using gpgsm and KEM. This
was introduced with 2.5.13; see the advisory. [T8044]
* tpm: Fix possible buffer overflow in PKDECRYPT. [T8045]
* gpg: Fix possible NULL-deref with overlong signature packets.
[T8049]
* gpg: New export-option "keep-expired-subkeys". [T7990]
* gpgsm: Make multiple search patterns work with keyboxd. [T8026]
* agent: Add accelerator keys for "Wrong" and "Correct". [T8055]
* dirmngr: Help detection of bad keyserver configurations. [T7730]
2.5.16
* gpg: Fix a regression in 2.5.15 which created new keys with just
the fallback preferences. [T7909]
2.5.15
* gpg: Fix a validation bug when using keyboxd. [T7983]
* gpg: Deprecate the option --not-dash-escaped and ignore the
NotDashEscaped armor header. [T7901]
* keyboxd: Fix migration to new schema. [T7892,rG81bb949755]
* dirmngr: New compatibility flag "ocsp-sha256-certid" to support
forthcoming libksba versions. [rG674aa54242]
* Use a synchronous spawning method for the daemon processes under
Windows. [T7716]
* Avoid the function name thread_init to fix building on AIX.
[T7958]
* New translation to Georgian.
2.5.14
* gpg: Fix possible memory corruption in the armor parser. [T7906]
* gpgsm: Fix output of card serial number in colon listing. [T7914]
* agent:ssh: Fix RSA signature handling for newer spec. [T7882]
* gpg: Improve/relax the checking of preference options.
[rG6570700fdd]
* gpg: Fix the check for the END armor line. [rG62b8bf2f39]
* gpg: Do not present a default when asking for another output
filename. [T7908]
* gpg: Include ADSK keys in key listings specified by fingerprints.
[T7892]
* agent: Fix a decryption failures if the pinentry dialog for the
first tried recipient is canceled. Regression since 2.5.7.
[T7893, T7649]
* keyboxd: Fix schema of the fingerprint table. [T7892]
* dirmngr: Fix OCSP next-update check. [rG9ef87bcdb0]
* gpg: New "pfc" record in colons key listings. [T7897]
* gpg: Allow import and export of Kyber secret keys. [T7315]
* gpg: Escape characters with the high bit set in NOTATION status
lines. [T7896]
* gpg: New import option "force-update". [T7892,rGf6237ccd31]
* agent: Accept a trustlist with a missing LF at the end.
[rG1b4ac98de7]
* agent: Support protection for Kyber keys. [T6638,rGaea62817f3]
* scd:nks: Make newer TCOS signature cards work. [rG17596e830f]
2.5.13
* gpg: Fix de-vs compliance with OCB and additional password.
[T7804]
* gpg: Detect duplicate keys with --add-recipients. [T1825]
* gpg: Take care about the prefix for cv25519 encryption. [T7649]
* gpg: Avoid potential downgrade to SHA1 in 3rd party key
signatures. [T7904,rGdb9705ef59]
* gpg: Error out on unverified output for non-detached signatures.
[T7903,rG8abc320f2a]
* gpgsm: Use KEM interface for en- and decryption. [T7811,T7845]
* gpgsm: Fix delete and store certificate locking glitches. [T7855]
* gpg,gpgsm: Run keybox compression only when there are no other
users. [T7855]
* gpg,gpgsm: Improve keybox closing and locking order on read and
write. [T7855]
* gpg,gpgsm: Always use share mode read-write for the keybox file
access. [T7829]
* scd:openpgp: Fix an oddity in changing the PIN. [T7840]
* dirmngr: New LDAP keyserver flag "upload". [T7866]
* agent: Retry private key deletion in case of sharing violations
for up to 400ms. [T7863]
* Take care of a possible race on daemon startup under Windows.
[T7829]
* Improve file renaming on Windows in case of a sharing violation
error. [T7829]
2.5.12
* gpg: New options --[no-]auto-key-upload. [T7333]
* gpg: Keys send to an LDAP server are now first updated from that
server. New keyserver option "no-update-before-send" to disable
this feature. [T7730]
* gpg: Disable default compression for 7z compressed input.
[rG53252628de]
* gpg: Fix a regression with composite PQC and ECC algos. [T7649]
* gpg: Fix the list of possible algos for --edit-key:addkey.
[T7788]
* gpg: Allow to select the Kyber variants with --edit-key:addkey.
[T7792]
* gpg: Avoid a second Pinentry pop-up for a configured ADSK during
key generation. [T7491]
* gpg: Change the ADSK key binding time to use the current time.
[T6882]
* gpgsm: Add option --no-qes-note and new trustlist flag
"noconsent". [T7713]
* agent: Enable "relax" in the trustlist by default and add flag
"norelax". [rG7b133027ae]
* agent: Fix a crash on Windows in the Putty support. [T7799]
* dirmgr: Support LDAP servers using a schema like the Windows LDS
servers. [T7742]
* scd:openpgp: Support Yubikey attestation generation.
[rG5ddfedf24a]
* gpgtar: Fix regression in end-of-archive detection. [T7757]
2.5.11
* gpg: Fix a segv in key signing with notations introduced in
2.5.10. [T7754]
* agent: Fix for smartcard decryption with Brainpool keys. [T7709]
2.5.10
* gpg: Add a notation with version information to signatures. See
doc/DETAILS for, well, details. [rG11d3a83b04]
* gpgv: New option --print-notation. [rGe3cc410003]
* gpgsm: Fix caching of the trustlist's flags. [T7738]
* agent: Fix for smartcard decryption returning x-coordinate only.
[T7709]
* agent: Another fix for a regression with unknown curves and ssh.
See also 2.5.4. [rG55db12472f]
* dirmngr: Implement command KS_DEL for ldap servers. [T5447]
2.5.9
* gpg: Add the revocation reason to the sigclass of a "rev" line.
Regression in 2.5.7. [T7073]
* gpg: Do not show the non-standard secp256k1 curve in the menu to
select the curve. It can however be specified using its name.
[rG49a9171f63]
* gpg: Fix regression in using the secp256k1 curve. [T7698]
* dirmngr: New option --user-agent and send a default User-Agent of
"GnuPG/2.6" for all HTTP requests. [T7715]
2.5.8
* gpg: Show revocation reason with a standard -k listing. [T7083]
* gpg: Emit a revocation reason as comment in a "pub" record.
[T7083]
* agent: Fix regression in 2.5.7 decrypting with a card based
cv25519 key. [T7676]
* scd:openpgp: Fix a regression in exporting card based
ed25519 ssh
keys. [T7589]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
[T7693]
See-also: gnupg-announce/2025q2/000494.html
2.5.7
* gpg: Allow updating a SHA-1 key certification w/o using
the --force-sign-key option. [T7663]
* gpg: The group key flag has now been fully implemented.
[rG8833a34bf0]
* gpg: Make combination of show-only-fpr-mbox and show-unusable-uid
work. [rGd5a4a2dc89]
* gpg: Do not allow compressed key packets on import. [T7014]
* gpgsm: Allow an empty subject DN also during import. [T7171]
* agent: Recover the old behavior with max-cache-ttl=0. [T6681]
* agent: Fix ECC key on smartcard for composite KEM with PQC.
[T7648]
* scd: Fix a harmless read buffer over-read in a function used by
PKCS#15 cards. [T7662]
* gpg-mail-tube,wks: Support templates for mail content. [T7381]
* Use the KEM interface of Libgcrypt for encryption/decryption.
[T7649]
* Fix a glitch in socket handling in Windows in case of a nonce
mismatch. [rG645cf7d8fc]
See-also: gnupg-announce/2025q2/000493.html
2.5.6
* gpg: Add a flag to the filter expressions for left anchored
substring match. [rGc12b7d047e]
* gpg: New list option "show-trustsig" to avoid resorting to colon
mode for this info. [rG41d6ae8f41]
* gpg: New command --quick-tsign-key to create a trust signature.
[rGd90b290f97]
* gpg: New keygen parameter "User-Id". [rGcfd597c603]
* gpg: New list options "show-trustsig". [rGrG41d6ae8f41]
* gpg: Fix double free of internal data in no-sig-cache mode [T7547]
* gpg: Signatures from revoked or expired keys do not anymore show
up as missing keys. Fixes regression in 2.5.5. [T7583]
* gpgsm: Extend --learn-card by an optional s/n argument. [T7379]
* gpgsm: Skip expired certificates when selection a certificate by
subject. [rG4cf83273e8]
* card: New command "ll" as alias for "list --cards". [rGd6ee7adebe]
* scd: Fix posssible lockup on Windows due to a lost select
result. [rGa7ec3792c5]
* scd:p15: Accept P15 cards with a zero-length label. [rGdb25aa9887]
* keyboxd: Use case-insensitive search for mail addresses. [T7576]
* dirmngr: Fix a problem in libdns related to an address change from
127.0.0.1. [T4021]
* gpgconf: Fix reload and kill of keyboxd. [T7569]
* Fix logic for certain recsel conditions. [rG8968e84903]
* Add Solaris support to get_signal_name. [T7638]
* Fix build error of the test shell on AIX. [T7632]
See-also: gnupg-announce/2025q2/000492.html
2.5.5
* gpg: Fix a verification DoS due to a malicious subkey in the
keyring. [T7527]
* dirmngr: Fix possible hangs due to blocking connection requests.
[T6606, T7434]
* w32: On socket nonce mismatch close the socket. [T7434]
* w32: Print more detailed diagnostics for IPC errors.
* GPGME is not any more distributed with the Windows installer.
Please install gpg4win to get gpgme version.
See-also: gnupg-announce/2025q1/000491.html
2.5.4
* gpg: New option --disable-pqc-encryption. [rG00c31f8b04]
* gpg: Fix --quick-add-key for Weierstrass ECC with usage given.
[T7506]
* gpg: Fix handling with no CRC armor. [T7071]
* gpg: New private Kyber keys are now cross-referenced using a new
Link attribute. [T6638]
* gpg: Fix an import problem with keys having another primary key as
a subkey. [T7527]
* gpgsm: Allow unattended PKCS#12 export without passphrase.
[rG159e801043]
* gpgsm: Allow CSR generation with an unprotected key.
[rG89055f24f4]
* agent: New option --change-std-env-name. [T7522]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG2469dc5aae]
* Do not package zlib and bzip2 object files in a speedo release
build. [T7442]
See-also: gnupg-announce/2025q1/000490.html
2.5.3
* gpg: Allow for signature subpackets of up to 30000 octets.
[rG36dbca3e69]
* gpg: Silence expired trusted-key diagnostics in quiet mode. [T7351]
* gpg: Allow smaller session keys with Kyber and enforce the use of
AES-256 if useful. [T7472]
* gpg: Fix regression in key generation from existing card key.
[T7309,T7457]
* gpg: Print a warning if the card backup key could not be written.
[T2169]
* The --supervised options of gpg-agent and dirmngr have been
renamed to --deprecated-supervised as preparation for their
removal. [rGa019a0fcd8]
* There is no more default for a keyserver.
See-also: gnupg-announce/2025q1/000489.html
2.5.2
* gpg: Add option 16 to --full-gen-key to create ECC+Kyber. [T6638]
* gpg: For composite algos add the algo string to the colons
listings. [T6638]
* gpg: Validate the trustdb after the import of a trusted key.
[T7200]
* gpg: Exclude expired trusted keys from the key validation process.
[T7200]
* gpg: Fix a wrong decryption failed status for signed and OCB
encrypted messages without a signature verification key. [T7042]
* gpg: Retain binary representation for import->export with
Ed25519
key signatures. [T7426]
* gpg: Fix comparing ed448 to
ed25519 with --assert-pubkey-algo.
[T7425]
* gpg: Avoid a failure exit code for expired ultimately trusted
keys. [T7351]
* gpg: Emit status error for an invalid ADSK. [T7322]
* gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882]
* gpg: Fix --quick-set-expire for V5 subkey fingerprints. [T7298]
* gpg: Robust error handling for SCD READKEY. [T7309]
* gpg: Fix cv25519 v5 export regression. [T7316]
* gpgsm: Nearly fourfold speedup of validated certificate listings.
[T7308]
* gpgsm: Improvement for some rare P12 files. [rGf50dde6269]
* gpgsm: Terminate key listing on output write error. [T6185]
* agent: Add option --status to the LISTRUSTED command.
[rG4275d5fa7a]
* agent: Fix detection of the yet unused trustflag de-vs. [T5079]
* agent: Allow ssh to sign data larger than the Assuan line length.
[T7436]
* keyboxd: Fix a race condition on the database handle. [T7294]
* dirmngr: A list of used URLs for loaded CRLs is printed first in
the output of the LISTCRL command. [T7337]
* scd: More mitigations against lock ups with multiple cards or
apps. [T7323, T7402]
* gpgtar: Use log-file from common.conf only in --batch mode.
[rGb389e04ef5]
* gpgtar: Fix directory creation during extraction. [T7380]
* gpg-mail-tube: Minor fixes.
* gpgconf: Add list flag to trusted-key et al. [T7313]
* Implement GNUPG_ASSUME_COMPLIANCE envvar and registry key for
testing de-vs compliance mode. [rGb287fb5775,rG7b0be541a9]
* Enable additional runtime protections in speedo builds for
Windows. [rG39aa206dc5]
* Fix a race condition in creating the socket directory. [T7332]
* Fix a build problem on macOS (missing unistd.h). [T7193]
See-also: gnupg-announce/2024q4/000488.html
2.5.1
* gpg: The support for composite Kyber+ECC public key algorithms
does now use the final FIPS-203 and LibrePGP specifications. The
experimental keys from 2.5.0 are no longer supported. [T6815]
* gpg: New commands --add-recipients and --change-recipients.
[T1825]
* gpg: New option --proc-all-sigs. [T7261]
* gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195]
* gpg: Make --no-literal work again for -c and --store. [T5852]
* gpg: Improve detection of input data read errors. [T6528]
* gpg: Fix getting key by IPGP record (rfc-4398). [T7288]
* gpgsm: New option --assert-signer. [T7286]
* gpgsm: More improvements to PKCS#12 parsing to cope with latest
IVBB changes. [T7213]
* agent: Fix KEYTOCARD command when used with a loopback pinentry.
[T7283]
* gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode. New option
--as-attach. [rG4511997e9e1b]
* Now uses the process spawn API from libgpg-error. [T7192,T7194]
* Removed the --enable-gpg-is-gpg2 configure time option.
[rG2125f228d36c]
* Die Windows version will now be build for 64-Bit Windows and with
the corresponding changes to the installation directory and
Registry keys.
See-also: gnupg-announce/2024q3/000485.html
2.5.0
* gpg: Support composite Kyber+ECC public key algorithms. This is
experimental due to the yet outstanding FIPS-203 specification.
[T6815]
* gpg: Allow algo string "pqc" for --quick-gen-key. [rG12ac129a70]
* gpg: New option --show-only-session-key. [rG1695cf267e]
* gpg: Print designated revokers also in non-colon listing mode.
[rG9d618d1273]
* gpg: Make --with-sig-check work with --show-key in non-colon
listing mode. [rG0c34edc443]
* tpm: Rework error handling and fix key import [T7129, T7186]
* Varous fixes to improve robustness on 64 bit Windows. [T7139]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
