Noteworthy changes in version 2.5.0 (2024-07-05)
First release of a version leading to the next stable series 2.6.

• gpg: Support composite Kyber+ECC public key algorithms. This is experimental due to the yet outstanding FIPS-203 specification. [T6815]
• gpg: Allow algo string "pqc" for --quick-gen-key. [rG12ac129a70]
• gpg: New option --show-only-session-key. [rG1695cf267e]
• gpg: Print designated revokers also in non-colon listing mode. [rG9d618d1273]
• gpg: Make --with-sig-check work with --show-key in non-colon listing mode. [rG0c34edc443]
• tpm: Rework error handling and fix key import [T7129, T7186]
• Varous fixes to improve robustness on 64 bit Windows. [T7139]

Changes also found in 2.4.6:

• gpg: New command --quick-set-ownertrust. [rG967678d972]
• gpg: Indicate disabled keys in key listings and add list option "show-ownertrust". [rG2a0a706eb2]
• gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag. [T7042]
• gpg: Do not allow to accidently set the RENC usage. [T7072]
• gpg: Accept armored files without CRC24 checksum. [T7071]
• gpg: New --import-option "only-pubkeys". [T7146]
• gpg: Repurpose the AKL mechanism "ldap" to work like the keyserver mechnism but only for LDAP keyservers. [rG068ebb6f1e]
• gpg: ADSKs are now configurable for new keys. [T6882]
• gpgsm: Emit user IDs with an empty Subject also in colon mode. [T7171]
• agent: Consider an empty pattern file as valid. [rGc27534de95]
• agent: Fix error handling of READKEY. [T6012]
• agent: Avoid random errors when storing key in ephemeral mode. [T7129, rGfdc5003956]
• agent: Make "SCD DEVINFO --watch" more robust. [T7151]
• scd: Improve KDF data object handling for OpenPGP cards. [T7058]
• scd: Avoid buffer overrun with more than 16 PC/SC readers. [T7129, rG4c1b007035]
• scd: Fix how the scdaemon on its pipe connection finishes. [T7160]
• gpgconf: Check readability of some files with -X and change its output format. [rG98e287ba6d]
• gpg-mail-tube: New tool to apply PGP/MIME encryption to a mail. [rG28a080bc9f]
• Fix some uninitialized variables and double frees in error code paths. [T7129]

Changes also found in 2.4.5:

• gpg,gpgv: New option --assert-pubkey-algo. [T6946]
• gpg: Emit status lines for errors in the compression layer. [T6977]
• gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
• gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
• gpgtar: Make --status-fd=2 work on Windows. [T6961]
• scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
• scd: Suport D-TRUST ECC cards. [T7000,T7001]
• scd: Allow auto detaching of kernel drivers; can be disabled with the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
• scd: Allow setting a PIN length of 6 also with a reset code for openpgp cards. [T6843]
• agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
• dirmngr: Trust system's root CAs for checking CRL issuers. [T6963]
• dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. [T6997]
• gpg-wks-client: Make option --mirror work properly w/o specifying domains. [rG37cc255e49]
• g13,gpg-wks-client: Allow command style options as in "g13 mount foo". [rGa09157ccb2]
• Allow tilde expansion for the foo-program options. [T7017]
• Make the getswdb.sh tool usable outside the GnuPG tree.

Changes also found in 2.4.4:

• gpg: Do not keep an unprotected smartcard backup key on disk. See https://gnupg.org/blog/20240125-smartcard-backup-key.html for a security advisory. [T6944]
• gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736]
• gpg: Fix expiration time when Creation-Date is specified. [T5252]
• gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
• gpg: Add option --with-v5-fingerprint. [T6705]
• gpg: Add sub-option ignore-attributes to --import-options. [rGd4976e35d2]
• gpg: Add --list-filter properties sig_expires/sig_expires_d. [rGbf662d0f93af]
• gpg: Fix validity of re-imported keys. [T6399]
• gpg: Report BEGIN_ status before examining the input. [T6481]
• gpg: Don't try to compress a read-only keybox. [T6811]
• gpg: Choose key from inserted card over a non-inserted card. [T6831]
• gpg: Allow to create revocations even with non-compliant algos. [T6929]
• gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
• gpg: Improve error message for expired default keys. [T4704]
• gpgsm: Add --always-trust feature. [T6559]
• gpgsm: Support ECC certificates in de-vs mode. [T6802]
• gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
• gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
• keyboxd: Timeout on failure to get the database lock. [T6838]
• agent: Update the key stubs only if really modified. [T6829]
• scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
• scd: Add support for CardOS 5.4 cards. [rG812f988059]
• scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
• scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
• scd: Add a length check for a new PIN. [T6843]
• tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
• tpm: Fixes for the TPM test suite. [T6052]
• dirmngr: Avoid starting a second instance on Windows via GPGME based launching. [T6833]
• dirmngr: New option --ignore-crl-extensions. [T6545]
• dirmngr: Support config value "none" to disable the default keyserver. [T6708]
• dirmngr: Implement automatic proxy detection on Windows. [T5768]
• dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
• dirmngr: Add code to support proxy authentication using the Negotiation method on Windows. [T6719]
• gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
• gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
• gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
• wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a278c]
• wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68]
• Remove duplicated backslashes when setting the homedir. [T6833]
• Ignore attempts to remove the /dev/null device. [T6556]
• Improve advisory file lock retry strategy. [T3380]
• Improve the speedo build system for Unix. [T6710]

Changes also found in 2.4.3:

• gpg: Set default expiration date to 3 years. [T2701]
• gpg: Add --list-filter properties "key_expires" and "key_expires_d". [T6529]
• gpg: Emit status line and proper diagnostics for write errors. [T6528]
• gpg: Make progress work for large files on Windows. [T6534]
• gpg: New option --no-compress as alias for -z0.
• gpg: Show better error messages for blocked PINs. [T6425]
• gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
• gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
• gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
• gpgtar: New option --no-compress.
• dirmngr: Extend the AD_QUERY command. [rG207c99567c]
• dirmngr: Disable the HTTP redirect rewriting. [T6477]
• dirmngr: New option --compatibility-flags. [rGbf04b07327]
• dirmngr: New option --ignore-crl-extensions. [T6545]
• dirmngr: Support config value "none" to disable the default keyserver. [T6708]
• wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a27]
• wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68]
• scd: Make signing work for Nexus cards. [rGb83d86b988]
• scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce]
• Fix garbled time output in non-English Windows. [T6741]

Changes also found in 2.4.2:

• gpg: Print a warning if no more encryption subkeys are left over after changing the expiration date. [rGef2c3d50fa]
• gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
• gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
• gpgsm: Reduce the number of "failed to open policy file" diagnostics. [rG68613a6a9d]
• agent: Make updating of private key files more robust and track display S/N. [T6135]
• keyboxd: Avoid longish delays on Windows when listing keys. [rG6944aefa3c]
• gpgtar: Emit extra status lines to help GPGME. [T6497]
• w32: Avoid using the VirtualStore. [T6403]

(prev: T6454 next: T7191)