
Release GnuPG 2.2.17
Closed, Resolved, Public


Noteworthy changes in 2.2.17:

  • gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [T4607]
  • gpg: If an imported keyblock is too large to be stored in the keybox (pubring.kbx), do not error out but fall back to an import using the options "self-sigs-only,import-clean". [T4591]
  • gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate.
  • gpg: New import option "self-sigs-only".
  • gpg: In --auto-key-retrieve prefer WKD over keyservers. [T4595]
  • dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [T4590]
  • dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. [T4603]
  • dirmngr: Fix endless loop due to http errors 503 and 504. [T4600]
  • dirmngr: Fix TLS bug during redirection of HKP requests. [T4566]
  • gpgconf: Fix a race condition when killing components. [T4577]
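Added example for the first, second and fourth items above (written for this page, not GnuPG's own code): it parses the machine-readable output of `gpg --with-colons --list-sigs`, counts self-signatures against third-party certifications per keyblock, flags keys whose third-party signature count exceeds an assumed local threshold, and emulates what the `self-sigs-only` import option does to a listing. The sample listing is constructed inline; its key IDs, fingerprints and user IDs are invented, and the threshold value is this example's assumption rather than any gpg setting.

```python
"""Count third-party key-signatures per keyblock and emulate the
self-sigs-only import filter on `gpg --with-colons --list-sigs` output.
Added example, not GnuPG code; the listing below is constructed."""
from typing import Dict, List

# Constructed sample output (invented keys).  Field 1 is the record type,
# field 5 the key ID (for `sig` records: the issuing key), field 10 the
# user ID, field 11 the signature class (13x = positive certification,
# 10x = generic certification, 18x = subkey binding).
SAMPLE_COLON_OUTPUT = """\
pub:u:4096:1:AAAA000011112222:1500000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAA000011112222:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAA000011112222:1500000000::::Alice Example <alice@example.org>:13x::000000000000000000000000AAAA000011112222:::8:
sig:::1:BBBB000011112222:1510000000::::Bob Example <bob@example.org>:10x::000000000000000000000000BBBB000011112222:::8:
sig:::1:CCCC000011112222:1560000000::::[User ID not found]:10x:::::8:
sig:::1:CCCC000011113333:1560000001::::[User ID not found]:10x:::::8:
sig:::1:CCCC000011114444:1560000002::::[User ID not found]:10x:::::8:
sub:u:4096:1:AAAA000099998888:1500000000::::::e::::::23:
sig:::1:AAAA000011112222:1500000000::::Alice Example <alice@example.org>:18x::000000000000000000000000AAAA000011112222:::8:
pub:u:2048:1:DDDD000011112222:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Dave Example <dave@example.org>::::::::::0:
sig:::1:DDDD000011112222:1500000000::::Dave Example <dave@example.org>:13x::000000000000000000000000DDDD000011112222:::8:
"""


def parse_keyblocks(colon_output: str) -> List[dict]:
    """Group records into keyblocks: one dict per `pub` record holding its
    subkey IDs and the (issuer key ID, signature class) of every `sig`."""
    blocks: List[dict] = []
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"keyid": fields[4], "subkeys": set(), "sigs": []}
            blocks.append(current)
        elif current is None:
            continue                      # stray records before the first pub
        elif rtype == "sub":
            current["subkeys"].add(fields[4])
        elif rtype == "sig":
            current["sigs"].append((fields[4], fields[10]))
    return blocks


def classify_signatures(block: dict) -> Dict[str, int]:
    """Split a keyblock's signatures into self-signatures (issued by the
    key itself) and third-party certifications."""
    own = {block["keyid"]} | block["subkeys"]
    self_sigs = sum(1 for issuer, _ in block["sigs"] if issuer in own)
    return {"self": self_sigs, "third_party": len(block["sigs"]) - self_sigs}


def flooded_keys(blocks: List[dict], threshold: int) -> List[str]:
    """Key IDs carrying more than `threshold` third-party signatures.
    `threshold` is an assumed local policy value, not a gpg option."""
    return [b["keyid"] for b in blocks
            if classify_signatures(b)["third_party"] > threshold]


def self_sigs_only(colon_output: str) -> str:
    """Emulate the effect of the `self-sigs-only` import option on the
    listing: drop every `sig` record not issued by the keyblock's own
    primary key (subkey-binding signatures are issued by it, so they stay)."""
    kept = []
    primary = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            primary = fields[4]
        if fields[0] == "sig" and fields[4] != primary:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    blocks = parse_keyblocks(SAMPLE_COLON_OUTPUT)
    for b in blocks:
        print(b["keyid"], classify_signatures(b))
    print("over threshold:", flooded_keys(blocks, threshold=3))
```

With the sample, Alice's key carries four third-party certifications (three of them from keys gpg cannot resolve) and is the one reported; after the `self_sigs_only` pass only her own certification and subkey-binding signature remain, which is the shape of keyblock 2.2.17 now keeps by default for keyserver imports. A real listing is obtained with `gpg --with-colons --list-sigs` and piped into `parse_keyblocks`; the opt-out for the new default is the `keyserver-options no-self-sigs-only,no-import-clean` line quoted in the changelog.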

Event Timeline

Please consider backporting rG914fa3be22bf (dirmngr: Support the new WKD draft with the openpgpkey subdomain.) from master. Cherry-pick mostly works; only dirmngr/server.c needs a manual edit (because of the resolve_dns_name change).
Allowing WKD service by subdomain (openpgpkey) is good because, in some situations, it is easier for a separate admin to deploy.
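As an added illustration of the openpgpkey subdomain feature referred to in this comment and in the changelog (example code written for this page, not dirmngr's implementation), the following Python builds the two WKD lookup URLs for a mail address. It assumes the hashed local part is the z-base-32 encoding of the SHA-1 of the lowercased local part and that the un-hashed local part is passed as the `l` query parameter; lowercasing the domain is this example's own choice. The advanced method is what the subdomain feature serves: the `openpgpkey.<domain>` host carries the directory, so a different operator can run it without touching the main web host.

```python
"""Build Web Key Directory (WKD) lookup URLs for a mail address.
Added example for this page; not dirmngr's code."""
import base64
import hashlib
from urllib.parse import quote

# z-base-32 uses the same 5-bit grouping as RFC 4648 base32 but a different
# symbol table and no padding, so a per-symbol translation suffices for the
# 20-byte SHA-1 digest (160 bits = exactly 32 symbols, nothing to pad).
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648, _ZBASE32)


def zbase32(data: bytes) -> str:
    """z-base-32 encoding; exact for inputs whose length is a multiple of 5."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_TO_ZBASE32)


def wkd_hash(local_part: str) -> str:
    """Hashed local part: z-base-32(SHA-1(lowercased local part))."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced-method (openpgpkey subdomain) and direct-method
    key URLs, plus the policy-file URLs a client can probe to learn whether
    a domain serves WKD at all."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()        # DNS names are case-insensitive (example's choice)
    h = wkd_hash(local)
    l = quote(local, safe="")      # un-hashed local part, original case
    adv_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{adv_base}/hu/{h}?l={l}",
        "advanced_policy": f"{adv_base}/policy",
        "direct": f"{direct_base}/hu/{h}?l={l}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Because only the local part feeds the hash, `Joe.Doe@` and `joe.doe@` resolve to the same directory entry; the case-preserved `l=` parameter lets the server see the address as written. A client that wants to confirm a domain supports WKD fetches the policy URL first and only then the key URL.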


Err... my repo for 2.2 was a week old. Now I've updated and confirmed it's there.
Thanks for having the support!