Maniphest T7998

Release GnuPG 2.5.19
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• werner
	Dec 29 2025, 11:44 PM

Tags

Subscribers

Description

Noteworthy changes in version 2.5.19 (2026-04-24)

New and extended features:
- gpg: New option --use-ocb-sym. [rGccdcdfbb37]
- gpg: New options --show-[only-]session-hash. [rGecd0f7afa1]
- gpgsm: Allow cipher mode to be part of the algo given to the --cipher-algo option. [T3979]
- gpgsm: Emit more details when failing to check a crlDP. [T8221]
- agent: Improve pinentry behavior and texts in smartcard context. [T6425]
- dirmngr: New keyword "clear" for --keyserver. [rG2ab4cba36c]
Bug fixes:
- gpg: Fix edge case in --refresh-keys. [T8197]
- gpg: Don't call gcry_kdf_derive with empty passphrase. [T7739]
- gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to allow import of recently issued certificates by the German Telekom. [rGc8c9604bba]
- gpgsm: Fix a bug so that a certificate can be signed using a different algo. [rG66fdafab3c]
- gpgsm: Make GCM fully compliant in de-vs mode. [rG04fd775fce]
- gpgsm: Add a certificate chain check for de-vs compliance. [T8188]
- gpgsm: Show rsaPSS certificates as de-vs compliant in listings. [T8222]
- agent: Rework the trustlist reading code to finally allow a trustlist.txt with a missing trailing LF. [T8078]
- ssh: Fix RSA padding in signature handling. [T7882,T8202]
- gpgtar: Fix -C (--directory) to check the output directory. [T8159] (bug reported by Oleh Konko, 1seal.org)

Other changes:
- agent: Raise an error when p >= q for RSA keys to detect incorrect generated *PGP keys. [T8171]

(prev: T7999 next: T7997)

Related Objects

Mentioned In: T7997: Release GnuPG 2.5.20
T7999: Release GnuPG 2.5.18
Mentioned Here: rGc8c9604bba0c: gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter
rGccdcdfbb37ab: gpg: Add option --use-ocb-sym
rG66fdafab3c6d: gpgsm: Fix bug so that a cert can be signed by a different algo.
rG04fd775fce59: gpgsm: Make GCM fully compliant for de-vs
rG2ab4cba36ccd: dirmngr: New keyword "clear" for --keyserver.
rGecd0f7afa1cf: gpg: New options --show-session-hash and --show-only-session-hash.
T3979: GPGSM: Authenticated encryption
T6425: improve pinentry behavior and texts in smart card context
T7739: pinentry/kleopatra: NVDA reads text multiple times
T7882: `rsa-sha2` signature values are improperly truncated
T8078: GpgAgent: trustlist.txt still requires LF on the last line
T8171: interoperability of PGP RSA keys
T8188: gpgsm: No error/warning on verification or decryption in case of trusted but not VS-compliant certificate
T8197: "gpg --refresh-keys" aborts with "gpg: keyserver refresh failed: No data" if too many keys are missing on keyserver
T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x
T8221: gpgsm: emit more details when failing to check a crl from a crlDP
T8222: Show RSA-PSS certificates as de-vs compliant in X.509 key listings
T8159: gpgtar write outside --directory via symlink traversal
T7997: Release GnuPG 2.5.20
T7999: Release GnuPG 2.5.18

Event Timeline

• werner triaged this task as Low priority.Dec 29 2025, 11:44 PM

• werner created this task.

• werner created this object with edit policy "Administrators".

• werner mentioned this in T7999: Release GnuPG 2.5.18.Dec 29 2025, 11:49 PM

• werner updated the task description. (Show Details)

thesamesam added a subscriber: thesamesam.Dec 30 2025, 12:19 AM

• gniibe updated the task description. (Show Details)Fri, Apr 17, 9:29 AM

• werner updated the task description. (Show Details)Fri, Apr 24, 1:21 PM

• werner closed this task as Resolved.Wed, May 13, 3:11 PM

• werner claimed this task.

• werner mentioned this in T7997: Release GnuPG 2.5.20.