Release GnuPG 2.2.17
Closed, Resolved (Public)


Noteworthy changes in 2.2.17:

  • gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [T4607]
  • gpg: If an imported keyblock is too large to be stored in the keybox (pubring.kbx), do not error out but fall back to an import using the options "self-sigs-only,import-clean". [T4591]
  • gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate.
  • gpg: New import option "self-sigs-only".
  • gpg: In --auto-key-retrieve prefer WKD over keyservers. [T4595]
  • dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [T4590]
  • dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. [T4603]
  • dirmngr: Fix endless loop due to http errors 503 and 504. [T4600]
  • dirmngr: Fix TLS bug during redirection of HKP requests. [T4566]
  • gpgconf: Fix a race condition when killing components. [T4577]
werner created this task. Jul 3 2019, 6:00 PM
werner moved this task from Backlog to For next release on the gnupg (gpg22) board.
gniibe added a subscriber: gniibe. Jul 9 2019, 4:46 AM

Please consider backporting rG914fa3be22bf: dirmngr: Support the new WKD draft with the openpgpkey subdomain. from master. Cherry-pick mostly works; only dirmngr/server.c needs a manual edit (because of the resolve_dns_name change).
Allowing WKD service by subdomain (openpgpkey) is good, because it is easier to deploy by a separate admin in some situations.

werner added a comment. Jul 9 2019, 1:27 PM

I did this already on July 3 with commit 458973f502b9a43ecf29e804a2c0c86e78f5927a

werner updated the task description. Jul 9 2019, 3:21 PM
werner set External Link to
werner closed this task as Resolved. Jul 9 2019, 5:21 PM

Release done.

Err... my repo for 2.2 was a week old. Now, I updated, and confirmed it's there.
Thanks for having the support!