Yesterday

werner committed rW83608d53f6e5: Update GnuPG to 2.5.17 (authored by werner).
Update GnuPG to 2.5.17
Wed, Jan 28, 4:21 PM
werner closed T8028: Release Gpg4win 5.0.0 as Resolved.
Wed, Jan 28, 4:14 PM · gpg4win, Release Info
werner closed T8060: Release Gpg4win 5.0.1 as Resolved.
Wed, Jan 28, 4:14 PM · gpg4win, Release Info
werner added projects to T8065: gnupg self test hang: clean migration: gnupg26, NetBSD.

Do you remember whether you had the same problem also with 2.5.14 or 2.5.16? Or can you test with these versions? Which version of libgpg-error are you using?

Wed, Jan 28, 4:13 PM · NetBSD, gnupg26, Bug Report
werner committed rG81760cc931d6: Fix stub functions to avoid LTO linking bugs. (authored by werner).
Fix stub functions to avoid LTO linking bugs.
Wed, Jan 28, 1:41 PM
werner added a comment to T8029: IPC error on batch import of secret kyber cert.

My actual plan is to rework the import/export of secret keys to gpg-agent. Right now gpg-agent has knowledge of OpenPGP for import/export. This is not good and the required conversion should be moved to a helper tool for easier testing and to have this out of the gpg-agent process. For Kyber we right now don't use any conversion but store the secret keys in gpg-agent's native format. Thus the passphrase is not necessary. We need to figure out why we have this problem here.

Wed, Jan 28, 11:47 AM · gnupg26, Bug Report, gpd5x, kleopatra

Tue, Jan 27

werner committed rG3fdd959d8994: Post release updates (authored by werner).
Post release updates
Tue, Jan 27, 6:51 PM
werner committed rGf2f89dc82538: po: msgmerge (authored by werner).
po: msgmerge
Tue, Jan 27, 6:51 PM
werner committed rG17b514596f60: Release 2.5.17 (authored by werner).
Release 2.5.17
Tue, Jan 27, 6:51 PM
werner committed rG11b7e4139e82: gpg: Fix possible NULL-deref with overlong signature packets. (authored by werner).
gpg: Fix possible NULL-deref with overlong signature packets.
Tue, Jan 27, 6:51 PM
werner committed rG93fa34d9a346: tpm: Fix possible buffer overflow in PKDECRYPT (authored by werner).
tpm: Fix possible buffer overflow in PKDECRYPT
Tue, Jan 27, 6:51 PM
werner committed rGc3e387427977: po: Update Swedish translation (authored by Daniel Nylander <github@danielnylander.se>).
po: Update Swedish translation
Tue, Jan 27, 6:51 PM
werner committed rGeba28eeaa1b1: agent: Add accelerator keys for "Wrong" and "Correct". (authored by werner).
agent: Add accelerator keys for "Wrong" and "Correct".
Tue, Jan 27, 6:51 PM
werner committed rG2438271ab601: agent: Fix stack buffer overflow when using gpgsm and KEM (authored by werner).
agent: Fix stack buffer overflow when using gpgsm and KEM
Tue, Jan 27, 6:51 PM
werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html on T7996: Release GnuPG 2.5.17 (security).
Tue, Jan 27, 5:52 PM · CVE, gnupg, Release Info
werner committed rD400df30db64e: Security announcement (authored by werner).
Security announcement
Tue, Jan 27, 5:34 PM
werner updated the task description for T8060: Release Gpg4win 5.0.1.
Tue, Jan 27, 5:28 PM · gpg4win, Release Info
werner committed rDc5bbc42c40a6: swdb: GnuPg 2.5.17 and Gpg4win 5.0.1 (authored by werner).
swdb: GnuPg 2.5.17 and Gpg4win 5.0.1
Tue, Jan 27, 5:26 PM
werner closed T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` as Resolved.
Tue, Jan 27, 5:18 PM · gnupg26, CVE, TPM, Bug Report
werner closed T8049: Null pointer dereference with overlong signature packet as Resolved.
Tue, Jan 27, 5:17 PM · segv, gnupg26, Bug Report
werner closed T8055: pinentry-tty: Correct/Cancel/Wrong - what does "C" select? as Resolved.
Tue, Jan 27, 5:17 PM · gnupg, pinentry, Bug Report
werner renamed T8049: Null pointer dereference with overlong signature packet from Security (internal) - Aisle Research report: Null pointer dereference with overlong signature packet to Null pointer dereference with overlong signature packet.
Tue, Jan 27, 5:16 PM · segv, gnupg26, Bug Report
werner changed the visibility for T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT`.
Tue, Jan 27, 5:12 PM · gnupg26, CVE, TPM, Bug Report
werner closed T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM as Resolved.
Tue, Jan 27, 5:12 PM · CVE, gnupg26, gpgagent, Bug Report
werner changed the visibility for T7996: Release GnuPG 2.5.17 (security).
Tue, Jan 27, 5:11 PM · CVE, gnupg, Release Info
werner added a comment to T7996: Release GnuPG 2.5.17 (security).

This is a security update

Tue, Jan 27, 3:47 PM · CVE, gnupg, Release Info
werner renamed T7996: Release GnuPG 2.5.17 (security) from Release GnuPG 2.5.17 to Release GnuPG 2.5.17 (security).
Tue, Jan 27, 3:44 PM · CVE, gnupg, Release Info
werner added a comment to T8028: Release Gpg4win 5.0.0.

Gpg4win 5.0.0 (2026-01-14)

Tue, Jan 27, 11:45 AM · gpg4win, Release Info
werner triaged T8060: Release Gpg4win 5.0.1 as High priority.
Tue, Jan 27, 11:45 AM · gpg4win, Release Info

Sun, Jan 25

werner committed rE9b7c3438a3c9: po: Update Swedish translation. (authored by Daniel Nylander <github@danielnylander.se>).
po: Update Swedish translation.
Sun, Jan 25, 6:30 PM
werner added a comment to T8049: Null pointer dereference with overlong signature packet.

Reconsidering this all I don't think it makes any sense to distinguish between (-1) and GPG_ERR_INV_PACKET. We use (-1) for a too short read of the hashed or unhashed area (premature eof). INV_PACKET is for unknown versions, too much data (arbitrary limit), bad parameters, and underflow. Let's forget my previous comment and always use INV_PACKET.

Sun, Jan 25, 5:23 PM · segv, gnupg26, Bug Report
werner changed the status of T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from Open to Testing.
Sun, Jan 25, 5:02 PM · gnupg26, CVE, TPM, Bug Report
werner triaged T8055: pinentry-tty: Correct/Cancel/Wrong - what does "C" select? as Low priority.
Sun, Jan 25, 4:38 PM · gnupg, pinentry, Bug Report
werner added a comment to T8055: pinentry-tty: Correct/Cancel/Wrong - what does "C" select?.

I think "O" is a better key:

Sun, Jan 25, 4:37 PM · gnupg, pinentry, Bug Report
werner added a comment to T8055: pinentry-tty: Correct/Cancel/Wrong - what does "C" select?.

We need to change the accelerator. Right now gpg-agent uses

Sun, Jan 25, 4:14 PM · gnupg, pinentry, Bug Report

Fri, Jan 23

werner triaged T8047: Support secure memory on Windows as Low priority.

I don't think that we will implement that any time soon. Today we too often require more mlock-able memory than available and in this case Libgcrypt resorts to allocating new memory arenas which are not locked. This is not as bad as one might think: the major advantage with secmem is that a free() on secmem allocated memory will also wipe that memory. A better solution has always been to use an encrypted swap/paging file. 25 years ago, it was not easy to configure but today there should be no problem and hopefully already the default.

Fri, Jan 23, 9:25 PM · Windows, gnupg, Feature Request
werner lowered the priority of T8049: Null pointer dereference with overlong signature packet from Unbreak Now! to Normal.
Fri, Jan 23, 9:18 PM · segv, gnupg26, Bug Report
werner added a comment to T8053: GpgSM: `log-file` is ignored.

Please run with --debug 0 which should show you which configuration files are read in which order. Is there anything in a common.conf file? A log-file statement there would overwrite the command line option.

Fri, Jan 23, 9:16 PM · gpd5x, Bug Report, S/MIME, gnupg26
werner added a comment to T8049: Null pointer dereference with overlong signature packet.

We should keep in mind that we set an arbitrary limit for the [un]hashed areas. They are actually allowed to be larger. At some point in the future we might want to lift that limit again or add another algorithm. We need to take care that we don't drop the signature packet but merely don't use it. The packet needs to be storable in our keyring even if we cannot parse it now correctly. This is different from a broken packet, which is better dropped.

Fri, Jan 23, 11:37 AM · segv, gnupg26, Bug Report
werner committed rDef5f6100cc35: Add short update to recent blog post (authored by werner).
Add short update to recent blog post
Fri, Jan 23, 11:24 AM

Thu, Jan 22

werner removed a project from T8049: Null pointer dereference with overlong signature packet: Bug Report.

I definitely prefer 0004. I am not so sure on the use of -1 as return code. I know that we use it for legacy reasons but it does not feel correct. Maybe add an arg int *skipme to the function so that we can selectively skip this packet. Note that I have not fully evaluated the patch; the -1 might just be right.

Thu, Jan 22, 1:02 PM · segv, gnupg26, Bug Report

Wed, Jan 21

werner shifted T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from the Restricted Space space to the S1 Public space.
Wed, Jan 21, 12:40 PM · gnupg26, CVE, TPM, Bug Report
werner shifted T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from the Restricted Space space to the S1 Public space.
Wed, Jan 21, 12:23 PM · CVE, gnupg26, gpgagent, Bug Report
werner closed T8032: libksba: Input validation for DER encoded INTEGER as Wontfix.
Wed, Jan 21, 10:39 AM · S/MIME, libksba, Bug Report
werner changed the status of T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from Open to Testing.
Wed, Jan 21, 10:20 AM · CVE, gnupg26, gpgagent, Bug Report

Tue, Jan 20

werner claimed T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM.
Tue, Jan 20, 2:44 PM · CVE, gnupg26, gpgagent, Bug Report
werner added a comment to T8048: Keyboxd: S/MIME certificate is imported on ldap search.

I have not checked but I guess that the certificate is marked as ephemeral and kleopatra either lists ephemeral certificates or the ephemeral flag got removed due to a validation process.

Tue, Jan 20, 2:43 PM · keyboxd, Bug Report, gnupg26, S/MIME, LDAP, gpd5x
werner added a comment to T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM.

I have this fix committed to my working directory:

Tue, Jan 20, 12:54 PM · CVE, gnupg26, gpgagent, Bug Report
werner added a project to T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM: CVE.

We have no CVE yet. However, CVE is also a good tag for security bugs.

Tue, Jan 20, 12:18 PM · CVE, gnupg26, gpgagent, Bug Report
werner renamed T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from Security (internal) - gpg-agent stack buffer overflow to gpg-agent stack buffer overflow in pkdecrypt using KEM.
Tue, Jan 20, 12:10 PM · CVE, gnupg26, gpgagent, Bug Report

Fri, Jan 16

werner triaged T8032: libksba: Input validation for DER encoded INTEGER as Low priority.

See the gnupg-devel mailing list for more discussions. Subject: "libgcrypt P256 signature malleability via weak DER enforcement"

Fri, Jan 16, 11:01 AM · S/MIME, libksba, Bug Report
werner closed T8037: Kernel32.dll GetCurrentPackageFullName Windows 7 error as Resolved.

Windows 7 has long reached end-of-life. Do not use it unless you have a fully air-gapped system. In this case, continue to use gpg4win 4.4.1 or resort to the command line of 5.0.0 which should still work.

Fri, Jan 16, 10:57 AM · End Of Life, Windows, Support, gpg4win

Thu, Jan 15

werner set External Link to https://gnupg.org/blog/20251226-cleartext-signatures.html on T7900: Cleartext Signature Forgery in GnuPG.
Thu, Jan 15, 4:05 PM · Not A Bug, OpenBSD, gnupg

Wed, Jan 14

werner committed rD44923a4ad318: swdb: gpg4win 5.0.0 (authored by werner).
swdb: gpg4win 5.0.0
Wed, Jan 14, 7:20 PM
werner committed rW808e47ecc009: Post release updates (authored by werner).
Post release updates
Wed, Jan 14, 5:52 PM
werner committed rW494fe73653ab: Release gpg4win 5.0.0 (authored by werner).
Release gpg4win 5.0.0
Wed, Jan 14, 5:52 PM
werner added a comment to T8032: libksba: Input validation for DER encoded INTEGER.

Two historic integer encoding glitches from Peter Gutmann's style guide:

Wed, Jan 14, 10:08 AM · S/MIME, libksba, Bug Report

Tue, Jan 13

werner added a comment to T5707: Kleopatra: Use windows registry additionally to config files.

Am I right that for VSD we use:

Tue, Jan 13, 5:23 PM · gpd5x, gpg4win, kleopatra
werner triaged T8028: Release Gpg4win 5.0.0 as Normal priority.
Tue, Jan 13, 12:43 PM · gpg4win, Release Info
werner renamed FK_gpg4win from GPG4win to FK_gpg4win.
Tue, Jan 13, 12:42 PM

Mon, Jan 12

werner changed the status of T8026: Kleopatra: Export of multiple S/MIME certificates only exports one from Open to Testing.
Mon, Jan 12, 4:51 PM · gpd5x (gpd-5.0.1), gnupg26, Bug Report
werner committed rGc7770b0a7068: gpgsm: Make multiple search patterns work with keyboxd. (authored by werner).
gpgsm: Make multiple search patterns work with keyboxd.
Mon, Jan 12, 4:38 PM
werner committed rG71570012ed51: gpg: Remove a dead statement. (authored by werner).
gpg: Remove a dead statement.
Mon, Jan 12, 4:38 PM
werner added a comment to T8026: Kleopatra: Export of multiple S/MIME certificates only exports one.

Thanks Ingo. It seems 2.5.17 is not too far away.

Mon, Jan 12, 4:28 PM · gpd5x (gpd-5.0.1), gnupg26, Bug Report

Fri, Jan 9

werner moved T7866: Allow separate LDAP keyserver for uploading from QA to WIP on the gnupg26 board.
Fri, Jan 9, 3:50 PM · gnupg22, vsd34, LDAP, Feature Request, gnupg26
werner changed the status of T7990: export-minimal unexpectedly omits expired key from Open to Testing.
Fri, Jan 9, 3:43 PM · gnupg26, Feature Request, Gentoo
werner committed rG0bcd9be9a068: gpg: New export-option "keep-expired-subkeys" (authored by werner).
gpg: New export-option "keep-expired-subkeys"
Fri, Jan 9, 3:35 PM
werner added a comment to T7990: export-minimal unexpectedly omits expired key.

So w/o the new option we have:

Fri, Jan 9, 3:11 PM · gnupg26, Feature Request, Gentoo
werner triaged T7990: export-minimal unexpectedly omits expired key as High priority.
Fri, Jan 9, 2:47 PM · gnupg26, Feature Request, Gentoo
werner added a comment to T7993: Documentation: make clear that detached signatures are preferred.

I updated the rendered form of the English GPH with a warning and a link to the blog.

Fri, Jan 9, 2:45 PM · Documentation
werner closed T7993: Documentation: make clear that detached signatures are preferred as Resolved.

Thanks for the hint.

Fri, Jan 9, 2:30 PM · Documentation
werner committed rD124678b1cf19: faq: Mention the cleartext signed blog and fix the keyserver entry (authored by werner).
faq: Mention the cleartext signed blog and fix the keyserver entry
Fri, Jan 9, 2:25 PM
werner committed rG0e37a6779e56: doc: Improve the "Programmatic use of GnuPG" section. (authored by werner).
doc: Improve the "Programmatic use of GnuPG" section.
Fri, Jan 9, 2:17 PM
werner closed T7994: Documentation: mention `status-fd` in "Programmatic use of GnuPG" as Resolved.

Will be in the next release.

Fri, Jan 9, 2:02 PM · gnupg, Documentation
werner closed T7663: Certificated signed using SHA-1 isn't trusted, but needs --force-sign-key to re-sign. as Resolved.
Fri, Jan 9, 1:42 PM · gnupg26, Feature Request
werner removed a project from T6815: PQC encryption for GnuPG: gnupg26.

It does not make sense to have a workboard item for this parent ticket.

Fri, Jan 9, 1:40 PM · OpenPGP, PQC, gnupg
werner closed T7298: gpg --quick-set-expire fails for V5 subkeys as Resolved.
Fri, Jan 9, 1:39 PM · gnupg24, gnupg26, Bug Report
werner moved T7298: gpg --quick-set-expire fails for V5 subkeys from QA to done on the gnupg24 board.
Fri, Jan 9, 1:38 PM · gnupg24, gnupg26, Bug Report
werner added a comment to T7866: Allow separate LDAP keyserver for uploading.

Independent of keyserver order in dirmngr.conf, --search-keys still offers keys from the upload server, but the download fails:

Fri, Jan 9, 1:35 PM · gnupg22, vsd34, LDAP, Feature Request, gnupg26
werner added a comment to T7866: Allow separate LDAP keyserver for uploading.

For "Although the upload server is used for upload, the gpg message still displays the first keyserver" see T8025

Fri, Jan 9, 1:28 PM · gnupg22, vsd34, LDAP, Feature Request, gnupg26
werner triaged T8025: Display the correct LDAP server in gpg if the upload flag is in use. as Normal priority.
Fri, Jan 9, 1:28 PM · Bug Report, LDAP, gnupg26
werner closed T7676: Cannot decrypt a message encrypted to a Cv25519 key on a token as Resolved.

I am using that version and key daily. No problems seen.

Fri, Jan 9, 1:25 PM · gnupg26, Bug Report
werner closed T7649: gnupg: Use KEM interface for encryption/decryption as Resolved.
Fri, Jan 9, 1:24 PM · gnupg26
werner edited projects for T6421: Improve error message if no reset code (PUK) is set, added: gnupg26; removed gnupg22, gnupg24.

I think we won't fix that for 2.2

Fri, Jan 9, 11:32 AM · gnupg26, Feature Request, gpgrt
werner edited projects for T6436: Double pinentry on change password, added: gnupg26; removed gnupg24.
Fri, Jan 9, 11:28 AM · gpd5x, gnupg26, Feature Request
werner changed the status of T7840: Oddity with 7816 change_reference_data from Testing to Open.
Fri, Jan 9, 11:27 AM · Bug Report, gnupg22, gnupg26, scd
werner moved T7840: Oddity with 7816 change_reference_data from QA to Done on the gnupg26 board.
Fri, Jan 9, 11:27 AM · Bug Report, gnupg22, gnupg26, scd
werner moved T7332: Kleopatra: Initial keylisting sometimes fails or hangs for some seconds from Backlog to gnupg-2.2.52 on the gnupg22 board.
Fri, Jan 9, 11:25 AM · gpd5x (gpd-5.0.0), gnupg22 (gnupg-2.2.52), gnupg24, kleopatra, Bug Report
werner closed T7730: gpg: retrieve a certificate from an LDAP server before sending it to the LDAP server as Resolved.
Fri, Jan 9, 11:22 AM · gpd5x (gpd-5.0.0), gnupg22 (gnupg-2.2.52), gnupg26, Feature Request
werner moved T7730: gpg: retrieve a certificate from an LDAP server before sending it to the LDAP server from WiP to gnupg-2.2.52 on the gnupg22 board.
Fri, Jan 9, 11:22 AM · gpd5x (gpd-5.0.0), gnupg22 (gnupg-2.2.52), gnupg26, Feature Request
werner closed T7829: w32: daemon (gpg-agent/keyboxd/dirmngr) startup and connection race when there is a socket file already, a subtask of T7658: Okular: Dirmngr startup timeout on signature validation, as Resolved.
Fri, Jan 9, 11:21 AM · gpd5x (gpd-5.0.0), Bug Report, okular
werner closed T7829: w32: daemon (gpg-agent/keyboxd/dirmngr) startup and connection race when there is a socket file already as Resolved.

That was also fixed in gnupg 2.2.50 and thus vsd 3.3.3

Fri, Jan 9, 11:21 AM · gpd5x (gpd-5.0.0), gnupg22 (gnupg-2.2.52), Bug Report, okular
werner moved T7829: w32: daemon (gpg-agent/keyboxd/dirmngr) startup and connection race when there is a socket file already from QA to gnupg-2.2.52 on the gnupg22 board.
Fri, Jan 9, 11:19 AM · gpd5x (gpd-5.0.0), gnupg22 (gnupg-2.2.52), Bug Report, okular
werner moved T7914: Card s/n number missing in gpgsm from WiP to gnupg-2.2.52 on the gnupg22 board.
Fri, Jan 9, 11:17 AM · gnupg22 (gnupg-2.2.52), scd, S/MIME, Feature Request, gnupg26
werner moved T2196: keydb locking can result in deadlock in 2.2 from Backlog to gnupg-2.2.52 on the gnupg22 board.
Fri, Jan 9, 11:15 AM · gnupg22 (gnupg-2.2.52), Bug Report
werner closed T2196: keydb locking can result in deadlock in 2.2 as Resolved.

That was fixed with 2.2.52 which fixed a bug in the fix done in 2.2.50 (see rG31fef13df1). Note that 2.2.48 to 2.2.50 had only internal releases.

Fri, Jan 9, 11:15 AM · gnupg22 (gnupg-2.2.52), Bug Report
werner created gnupg22 (gnupg-2.2.52).
Fri, Jan 9, 11:11 AM
werner closed T7805: Permission denied on batch deletion of mixed (openpgp+smime) certs as Resolved.

Given that the 2.2 fix has been tested and resolved and we don't have another ticket for 2.6, we can close this one.

Fri, Jan 9, 11:07 AM · gnupg, vsd, kleopatra
werner closed T7805: Permission denied on batch deletion of mixed (openpgp+smime) certs, a subtask of T7855: keybox/keydb locking issue in 2.6 , as Resolved.
Fri, Jan 9, 11:07 AM · gpd5x (gpd-5.0.0), gnupg26
werner lowered the priority of T7889: libgcrypt: HAVE_BROKEN_MLOCK from High to Normal.

Okay, let's backport this.

Fri, Jan 9, 11:04 AM · backport, libgcrypt, Bug Report