Page MenuHome GnuPG

Release GnuPG 2.5.0
Closed, ResolvedPublic

Description

Noteworthy changes in version 2.5.0 (2024-07-05)
First release of a version leading to the next stable series 2.6.

  • gpg: Support composite Kyber+ECC public key algorithms. This is experimental due to the yet outstanding FIPS-203 specification. [T6815]
  • gpg: Allow algo string "pqc" for --quick-gen-key. [rG12ac129a70]
  • gpg: New option --show-only-session-key. [rG1695cf267e]
  • gpg: Print designated revokers also in non-colon listing mode. [rG9d618d1273]
  • gpg: Make --with-sig-check work with --show-key in non-colon listing mode. [rG0c34edc443]
  • tpm: Rework error handling and fix key import [T7129, T7186]
  • Varous fixes to improve robustness on 64 bit Windows. [T7139]

Changes also found in 2.4.6:

  • gpg: New command --quick-set-ownertrust. [rG967678d972]
  • gpg: Indicate disabled keys in key listings and add list option "show-ownertrust". [rG2a0a706eb2]
  • gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag. [T7042]
  • gpg: Do not allow to accidently set the RENC usage. [T7072]
  • gpg: Accept armored files without CRC24 checksum. [T7071]
  • gpg: New --import-option "only-pubkeys". [T7146]
  • gpg: Repurpose the AKL mechanism "ldap" to work like the keyserver mechnism but only for LDAP keyservers. [rG068ebb6f1e]
  • gpg: ADSKs are now configurable for new keys. [T6882]
  • gpgsm: Emit user IDs with an empty Subject also in colon mode. [T7171]
  • agent: Consider an empty pattern file as valid. [rGc27534de95]
  • agent: Fix error handling of READKEY. [T6012]
  • agent: Avoid random errors when storing key in ephemeral mode. [T7129, rGfdc5003956]
  • agent: Make "SCD DEVINFO --watch" more robust. [T7151]
  • scd: Improve KDF data object handling for OpenPGP cards. [T7058]
  • scd: Avoid buffer overrun with more than 16 PC/SC readers. [T7129, rG4c1b007035]
  • scd: Fix how the scdaemon on its pipe connection finishes. [T7160]
  • gpgconf: Check readability of some files with -X and change its output format. [rG98e287ba6d]
  • gpg-mail-tube: New tool to apply PGP/MIME encryption to a mail. [rG28a080bc9f]
  • Fix some uninitialized variables and double frees in error code paths. [T7129]

Changes also found in 2.4.5:

  • gpg,gpgv: New option --assert-pubkey-algo. [T6946]
  • gpg: Emit status lines for errors in the compression layer. [T6977]
  • gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
  • gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
  • gpgtar: Make --status-fd=2 work on Windows. [T6961]
  • scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
  • scd: Suport D-TRUST ECC cards. [T7000,T7001]
  • scd: Allow auto detaching of kernel drivers; can be disabled with the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
  • scd: Allow setting a PIN length of 6 also with a reset code for openpgp cards. [T6843]
  • agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
  • dirmngr: Trust system's root CAs for checking CRL issuers. [T6963]
  • dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. [T6997]
  • gpg-wks-client: Make option --mirror work properly w/o specifying domains. [rG37cc255e49]
  • g13,gpg-wks-client: Allow command style options as in "g13 mount foo". [rGa09157ccb2]
  • Allow tilde expansion for the foo-program options. [T7017]
  • Make the getswdb.sh tool usable outside the GnuPG tree.

Changes also found in 2.4.4:

  • gpg: Do not keep an unprotected smartcard backup key on disk. See https://gnupg.org/blog/20240125-smartcard-backup-key.html for a security advisory. [T6944]
  • gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736]
  • gpg: Fix expiration time when Creation-Date is specified. [T5252]
  • gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
  • gpg: Add option --with-v5-fingerprint. [T6705]
  • gpg: Add sub-option ignore-attributes to --import-options. [rGd4976e35d2]
  • gpg: Add --list-filter properties sig_expires/sig_expires_d. [rGbf662d0f93af]
  • gpg: Fix validity of re-imported keys. [T6399]
  • gpg: Report BEGIN_ status before examining the input. [T6481]
  • gpg: Don't try to compress a read-only keybox. [T6811]
  • gpg: Choose key from inserted card over a non-inserted card. [T6831]
  • gpg: Allow to create revocations even with non-compliant algos. [T6929]
  • gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
  • gpg: Improve error message for expired default keys. [T4704]
  • gpgsm: Add --always-trust feature. [T6559]
  • gpgsm: Support ECC certificates in de-vs mode. [T6802]
  • gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
  • gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
  • keyboxd: Timeout on failure to get the database lock. [T6838]
  • agent: Update the key stubs only if really modified. [T6829]
  • scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
  • scd: Add support for CardOS 5.4 cards. [rG812f988059]
  • scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
  • scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
  • scd: Add a length check for a new PIN. [T6843]
  • tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
  • tpm: Fixes for the TPM test suite. [T6052]
  • dirmngr: Avoid starting a second instance on Windows via GPGME based launching. [T6833]
  • dirmngr: New option --ignore-crl-extensions. [T6545]
  • dirmngr: Support config value "none" to disable the default keyserver. [T6708]
  • dirmngr: Implement automatic proxy detection on Windows. [T5768]
  • dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
  • dirmngr: Add code to support proxy authentication using the Negotiation method on Windows. [T6719]
  • gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
  • gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
  • gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
  • wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a278c]
  • wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68]
  • Remove duplicated backslashes when setting the homedir. [T6833]
  • Ignore attempts to remove the /dev/null device. [T6556]
  • Improve advisory file lock retry strategy. [T3380]
  • Improve the speedo build system for Unix. [T6710]

Changes also found in 2.4.3:

  • gpg: Set default expiration date to 3 years. [T2701]
  • gpg: Add --list-filter properties "key_expires" and "key_expires_d". [T6529]
  • gpg: Emit status line and proper diagnostics for write errors. [T6528]
  • gpg: Make progress work for large files on Windows. [T6534]
  • gpg: New option --no-compress as alias for -z0.
  • gpg: Show better error messages for blocked PINs. [T6425]
  • gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
  • gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
  • gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
  • gpgtar: New option --no-compress.
  • dirmngr: Extend the AD_QUERY command. [rG207c99567c]
  • dirmngr: Disable the HTTP redirect rewriting. [T6477]
  • dirmngr: New option --compatibility-flags. [rGbf04b07327]
  • dirmngr: New option --ignore-crl-extensions. [T6545]
  • dirmngr: Support config value "none" to disable the default keyserver. [T6708]
  • wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a27]
  • wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68]
  • scd: Make signing work for Nexus cards. [rGb83d86b988]
  • scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce]
  • Fix garbled time output in non-English Windows. [T6741]

Changes also found in 2.4.2:

  • gpg: Print a warning if no more encryption subkeys are left over after changing the expiration date. [rGef2c3d50fa]
  • gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
  • gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
  • gpgsm: Reduce the number of "failed to open policy file" diagnostics. [rG68613a6a9d]
  • agent: Make updating of private key files more robust and track display S/N. [T6135]
  • keyboxd: Avoid longish delays on Windows when listing keys. [rG6944aefa3c]
  • gpgtar: Emit extra status lines to help GPGME. [T6497]
  • w32: Avoid using the VirtualStore. [T6403]

(prev: T6454 next: T7191)

Related Objects

Mentioned In
T7191: Release GnuPG 2.5.1
T6454: Release GnuPG 2.4.1
Mentioned Here
rGc333e9dad66e: speedo: Set PREFIX for bzip2 build also for Unix.
T7191: Release GnuPG 2.5.1
rG68613a6a9de4: gpgsm: Cache the non-existence of the policy file.
rG08ff55bd44ae: kbx: Use custom estream buffering
rGef2c3d50fa8c: gpg: Print a warning if no more encryption subkey was left over.
rG6944aefa3c2e: kbx,w32: Disable the fd-passing.
rG207c99567ced: dirmngr: Extend the AD_QUERY command.
rGbf04b07327a5: dirmngr: New option --compatibility-flags.
rG701a8b30f0be: gpgsm: Support SENDCERT_SKI for --call-dirmngr
rG2c7f7a5a278c: wks: Use export-clean for --mirror and --create.
rG10c937ee68cb: wks: Make --add-revocs the default.
rG25b59cf6ce86: scd:piv: Fix authentication with Administration Key.
rGb83d86b988bb: scd:p15: Make signing work for Nexus cards.
rG96b69c1866dd: gpg: Add support for Subkey-Expire-Date.
rGbf662d0f93af: gpg: Add --list-filter properties sig_expires/sig_expires_d
rGa5e33618f421: dirmngr: Fix handling of the HTTP Content-Length
rG9909f622f69e: agent: fix tpm2d keytotpm handling
rG5304c9b080b4: scd:p15: Basic support for Starcos 3.2.
rG93b5ba38dc3a: tools: Integrate the dotlock tool into gpgconf.
rG812f9880591e: scd:p15: Add support for CardOS 5.4
rG0b85a9ac09d1: scd:p15: Add support for D-Trust Card 4.1/4.4
rG239c1fdc28dc: common: Add keyword socketdir to gpgconf.ctl
rGd4976e35d2ca: gpg: Add sub-option ignore-attributes to --import-options.
rGa09157ccb2bd: wks: Allow command style args for gpg-wks-client.
rGadf4db6e2093: agent: Allow GET_PASSPHRASE in restricted mode.
rG37cc255e4942: wks: Make gpg-wks-client --mirror work w/o args.
rGa1ea3b13e0c7: scd: Let the CCID module auto detach the kernel driver.
rG1682ca9f012a: scd: Add support for ACR-122U
rGc27534de9553: gpg-check-pattern: Consider an empty pattern file as valid
rG98e287ba6d55: gpgconf: Change layout of the gpgconf -X output.
rG967678d9728c: gpg: New command --quick-set-ownertrust.
rG2a0a706eb213: gpg: Mark disabled keys and add show-ownertrust list option.
rGfdc500395640: agent: Make sure to return success in ephemeral store mode.
rG4c1b0070354d: scd: Avoid buffer overrun with more than 16 PC/SC readers.
rG068ebb6f1eee: gpg: Implement the LDAP AKL method.
rG9d618d127312: gpg: Print designated revokers also in a standard listing.
rG12ac129a709c: gpg: Allow shortcut algo string "pqc" for --quick-gen-key.
rG1695cf267edf: gpg: New option --show-only-session-key
rG28a080bc9f94: gpg-mail-tube: New utility.
rG0c34edc4435d: gpg: Make --with-sig-check with -with --show-key in non-colon mode.
T2701: Do not let users create keys without an expiration date
T3380: Use exponential backoff when spawning agent and dirmngr
T4704: Wrong error message when key is expired
T5252: bad expiration value when using --batch Creation-Date/Expire-Date
T5768: Dirmngr: Use windows proxy settings if system proxy settings should be used
T6012: gpg-agent: Add --format=ssh option for READKEY
T6052: gnupg2 tpm2d tests do not work
T6135: Agent, P15: Insert Smartcard query uses serial number instead of $DISPSERIALNO
T6399: Missing trustdb check on import of certificate
T6403: Kleopatra: Warn if a certificate in a group is deleted
T6425: improve pinentry behavior and texts in smart card context
T6454: Release GnuPG 2.4.1
T6477: WKD redirects and dirmngr redirect rewriting
T6481: BEGIN_ENCRYPTION status output happens later in 2.4.1 (breaks Emacs's EasyPG)
T6497: gpgtar does not return failure code to gpgme
T6504: Adding an ADSK to several keys may fail with Wrong Key Usage.
T6528: gpg: No error status when encrypting to full disk
T6529: Allow the expiration time in --list-filter expressions
T6534: gpg's progress_filter needs to use uint64_t
T6536: Extend P12 parser for ShroudedKeyBag inside a CertBag
T6545: Support CRL extension issuingDistributionPoint
T6556: gpgtar: Removes existing output file on error
T6559: GPGSM: "always trust like override" or "force" option
T6654: gpgsm: p12 passphrase visible in debug output
T6705: Provide strong v5 fingerprints also for v4 keys
T6708: Allow to inhibit the use of a default PGP keyserver
T6710: Improve Speedo for Linux to set DT_RUNPATH.
T6719: Support Proxy-Authorization: Negotiate on Windows
T6736: Year 2038 issue for key validity date
T6741: gpg 2.3+ may display garbled characters for date and time in non-English Windows
T6757: gpgsm 2.4 Fails to import P12 certificate/key
T6802: Trying to sign with a brainpool X509 key results in non-compliance error
T6811: gpgv: Read-only trustedkeys.kbx should not be compressed
T6815: PQC encryption for GnuPG
T6829: Kleopatra: Loop reading keys from smartcard
T6831: May chose a signing key from a not inserted card over an inserted one
T6833: Kleopatra: Multiple dirmngr started when searching for keys
T6838: keyboxd hangs on stale locks after changing hostname
T6843: after enable kdf-setup impossible change user/admin pin
T6882: Make ADSK configurable for new keys
T6918: gpgconf parsing of VERSION file broken
T6919: Add support for smartcafe cards
T6923: gpg fails to parse sensitive revokers from param files
T6929: Kleopatra: Allow revocation of RSA 2048 keys
T6944: The default card key generation keeps an unprotected backup of the encryption key on disk
T6946: gpgv: Help automatic reject too short keys
T6961: On Windows the gpgtar --status-fd 2 does not show the gpg status lines
T6963: Trust system's root CA for checking CRL issuers
T6977: gpgme_op_verify from libgpgme hang without returning anything when verifying corrupted file signature
T6997: gnupg-2.4.4 breaks dirmngr fetching keys via hkps:// from behind a proxy
T7000: Take derive usage into account for pkcs#15 cards.
T7001: Support D-TRUST ECC cards
T7017: allow pinentry-program to use and expand ~ in path
T7025: --trusted-key and --no-options mismatch
T7042: AEAD mode does not properly handle modified cipher text
T7058: KDF-DO is not properly implemented
T7071: gpg: Support of No CRC in ASCII armor
T7072: addkey "set your own capabilities" silently sets Restricted Encryption capability
T7129: Fix static reports by static analyser in gnugp
T7139: Windows: gnupg_exec_tool_stream with INEXTRA
T7146: gpg: Add import option "no-seckeys"
T7151: graceful shutdown: DEVINFO should be a gpg-agent command: also watching input close
T7160: scd: pipe server shutdown
T7171: Allow for empty Subject in X.509
T7186: Fix tpm2d key import after recent changes

Event Timeline

werner triaged this task as Normal priority.Fri, Jul 5, 2:42 PM
werner created this task.
werner created this object with edit policy "Administrators".
werner updated the task description. (Show Details)

In case you run into problems installing the bzip2 part w/o root rights, you need to apply rGc333e9dad66 to set the PREFIX make variable also for bzip2.

werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2024q3/000484.html.Mon, Jul 8, 1:16 PM