scd:nks: Return USAGE information for KEYINFO command.
scd:nks: Add support for signing plain SHA-2 digests.
scd:nks: Handle APP_READKEY_FLAG_INFO.
scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
scd:nks: Add support of KEYGRIP for do_readcert.
scd:nks: Factor out pubkey retrieval from keygrip handling.
scd:nks: Factor out iteration over filelist.
scd:nks: Fix caching keygrip (more).
scd:nks: Minor additions to the basic IDLM application support.
scd,nks: Fix caching keygrip.
scd:nks: Emit the algo string with KEYPAIRINFO
scd:nks: Fix certificate read problem with TCOS signature card v2.
scd:nks: Implement writecert for the Signature card v2.
scd:nks: Add framework to support IDKey cards.
scd:nks: Fix remaining tries warning in --reset mode.
scd:nks: Support decryption using ECDH.
scd:nks: Get the PIN prompts right for the Signature Card
scd:nks: Add do_with_keygrip and implement a cache.
scd:nks: Allow retrieving certificates from a Signature Card v.20
The latter. Detecting mail addresses with regexp is anyway a kludge and we have more stringent code to detect mail addresses in a user-id.
I am using this many years now without any problems. Also my colleagues and many other folks I know. Thus the question is how your system differs from commonly used systems.
We do not support OpenSSH certificates but ignore such requests. However, the keys from the certificates will be imported correctly. You should use the stable version of GnuPG (2.3.8) and not the LTS version 2.2.
web: Add download links for GnuPG Desktop 2.3.8
This is the first report we have on such a problem despite hundreds of thousands of users. "Triage" means that we need to look at a report to check its priority.
So, this is only for OAEP but not for ECDH? FWIW, GnuPG uses OAEP only for S/MIME.
FWIW: I am not anymore very convinced of our tofu code. It leaks too much information because it tracks and stores all signature verifications. The model is further way too complicated and the SQL used will eventually lead to a resource problem. Maybe doing Tofu stuff in the frontend is a better idea and get rid of all the history processing which works only for fresh mails and not for data verification.
We already detect mail addresses for different purposes and thus it will be easy to enclose them in angle brackets just for comparison. Almost all trust signatures out there are created by gpg and used to restrict the mail domain. No need for different regexp. See also the comments in the code related to the history.
web: Add security advisory
• werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2022q4/000476.html on T6106: Release GnuPG 2.3.8.
Add CVE to the security advisory
swdb: gpg4win 4.0.4 and gnupgdesk 2.3.8
• werner set External Link to https://gnupg.org/blog/20221017-pepe-left-the-ksba.html on T6230: Release Libksba 1.6.2 (CVE-2022-3515).
As usual see for links to the latest packages. For Gpg4win see
• werner renamed T6230: Release Libksba 1.6.2 (CVE-2022-3515) from Release Libksba 1.6.2 to Release Libksba 1.6.2 (CVE-2022-3515).
Merge remote-tracking branch 'origin'
Prepare NEWS for 4.0.4 and post release updates for 3.1.25
appimage: Fix signature checking of --version option.
appimage: Next try to get --keep-socket working
doc: Update build instructions in README
appimage: Fix last commit
appimage: Add trademark notices.
appimage: Add new start option --keep-socket
Fix build problems on systems with automake != 1.15 installed.
doc: Add a comment to the packages file.
Add support for dw2 exceptions
• werner updated the task description for T6106: Release GnuPG 2.3.8.
• werner updated the task description for T6181: Release GnuPG 2.2.40.
speedo: Fix location of gpg-wks-client
gpg: For de-vs use AES-128 instead of 3DES as implicit preference.
sm: Fix reporting of bad passphrase error
speedo: Fix for a libgpg-error-config regression.
• werner committed rG970b250d65fa: po: Update Turkish translation (authored by Emir SARI <emir_sari@icloud.com>).
po: Update Turkish translation
wkd: gpg-wks-client --send checks if build with sendmail support
po: Update Czech translation.
$ ping git.gnupg.org
PING git.gnupg.org (217.69.76.56) 56(84) bytes of data.
64 bytes from cvs.gnupg.org (217.69.76.56): icmp_seq=1 ttl=58 time=6.74 ms
64 bytes from cvs.gnupg.org (217.69.76.56): icmp_seq=2 ttl=58 time=6.87 ms
You need to assign a drive letter.
agent: Introduce attribute "Remote-list" to KEYINFO.
tools: Let ftp-indexer handle timestamp version numbers.
Allow the use of a remote connection.
My suggestion is to clearly state that there is a direct Key Signature with an expiration date. Another feature would be to add a separate command to modify Direct Key Signatures. However, the latter has the problem that it helps with proliferation of such signatures and other OpenPGP implementations will run into other problems. Thus for the whole ecosystem such an option might not be a good idea.
Direct key signatures are rarely used. IIRC, we implemented that the same way PGP did it.
• werner changed the status of T6224: Mirror internal LDAP to a WKD from Open to Testing.
wkd: New command --mirror for gpg-wks-client.
wkd: Restrict gpg-wks-client --mirror to the given domains.
wkd: Implement --blacklist option for gpg-wks-client
wkd: Silence gpg-wks-client diagnostics from gpg.
wkd: Restrict gpg-wks-client --mirror to the given domains.
wkd: Silence gpg-wks-client diagnostics from gpg.
common: Protect against a theoretical integer overflow in tlv.c
wkd: Implement --blacklist option for gpg-wks-client