diff --git a/web/download/index.org b/web/download/index.org
index a48043a..ec0d627 100644
--- a/web/download/index.org
+++ b/web/download/index.org
@@ -1,149 +1,149 @@
#+TITLE: GnuPG - Download
#+STARTUP: showall align
#+SETUPFILE: "../share/setup.inc"
#+GPGWEB-NEED-SWDB
#+OPTIONS: ^:{}
#+macro: check_sig_note GnuPG distributions are signed. It is wise and more secure to check out for their [[integrity_check.org][@@html:@@integrity@@html:@@]].
#+macro: ftpopen @@html:download@@
#+macro: ftpcloseS @@html:">sig@@
* Download
#+index: GnuPG!download
Note that you may also download the GNU Privacy Guard from a mirror
site close to you. See our [[file:mirrors.org][list of mirrors]]. The table below
provides links to the location of the files on the primary server
only.
** Source code releases
These are the canonical release forms of GnuPG. To use them you
need to build the binary version from the provided source code.
For Unix systems this is the standard way of installing software.
For GNU/Linux distributions are commonly used (e.g. Debian, Fedora,
RedHat, or Ubuntu) which may already come with a directly
installable packages. However, these version may be older so that
building from the source is often also a good choice. Some
knowledge on how to compile and install software is required.
The table lists the different GnuPG packages, followed by required
libraries, required tools, optional software, and legacy versions
of GnuPG. For end-of-life dates see further down.
| Name | Version | Date | Size | Tarball | Signature |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| | | | | | |
| [[../software/index.org][GnuPG]] | {{{gnupg24_ver}}} | {{{gnupg24_date}}} | {{{gnupg24_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/index.org][GnuPG]] (LTS) | {{{gnupg22_ver}}} | {{{gnupg22_date}}} | {{{gnupg22_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg22_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg22_ver}}}.tar.bz2.sig{{{ftpclose}}} |
- | GnuPG Desktop | {{{gnupgdesk_ver}}} | {{{gnupgdesk_date}}} | {{{gnupgdesk_src_size}}} | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz.sig{{{ftpclose}}} |
+ | GnuPG Desktop | {{{gnupgdesk_ver}}} | {{{gnupgdesk_date}}} | {{{gnupgdesk_src_size}}} | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz{{{ftpclose}}} | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| [[../software/libgpg-error/index.org][Libgpg-error]] | {{{libgpg_error_ver}}} | {{{libgpg_error_date}}} | {{{libgpg_error_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgpg-error/libgpg-error-{{{libgpg_error_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgpg-error/libgpg-error-{{{libgpg_error_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libgcrypt/index.org][Libgcrypt]] | {{{libgcrypt_ver}}} | {{{libgcrypt_date}}} | {{{libgcrypt_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libgcrypt/index.org][Libgcrypt]] (LTS) | {{{libgcrypt18_ver}}} | {{{libgcrypt18_date}}} | {{{libgcrypt18_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt18_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt18_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libksba/index.org][Libksba]] | {{{libksba_ver}}} | {{{libksba_date}}} | {{{libksba_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libksba/libksba-{{{libksba_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libksba/libksba-{{{libksba_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libassuan/index.org][Libassuan]] | {{{libassuan_ver}}} | {{{libassuan_date}}} | {{{libassuan_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libassuan/libassuan-{{{libassuan_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libassuan/libassuan-{{{libassuan_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/ntbtls/index.org][ntbTLS]] | {{{ntbtls_ver}}} | {{{ntbtls_date}}} | {{{ntbtls_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/ntbtls/ntbtls-{{{ntbtls_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/ntbtls/ntbtls-{{{ntbtls_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/npth/index.org][nPth]] | {{{npth_ver}}} | {{{npth_date}}} | {{{npth_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/npth/npth-{{{npth_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/npth/npth-{{{npth_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| Pinentry | {{{pinentry_ver}}} | {{{pinentry_date}}} | {{{pinentry_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/pinentry/pinentry-{{{pinentry_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/pinentry/pinentry-{{{pinentry_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| [[../software/gpgme/index.org][GPGME]] | {{{gpgme_ver}}} | {{{gpgme_date}}} | {{{gpgme_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpgme/gpgme-{{{gpgme_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpgme/gpgme-{{{gpgme_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/scute/index.org][Scute]] | {{{scute_ver}}} | {{{scute_date}}} | {{{scute_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/scute/scute-{{{scute_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/scute/scute-{{{scute_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/gpa/index.org][GPA]] | {{{gpa_ver}}} | {{{gpa_date}}} | {{{gpa_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| GnuPG 1.4 | {{{gnupg1_ver}}} | {{{gnupg1_date}}} | {{{gnupg1_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg1_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg1_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
{{{check_sig_note}}}
Remarks:
- - /Pinentry/ is a collection of passphrase entry dialogs which is
- required for almost all usages of GnuPG.
-
- /GnuPG Desktop^{\reg}/ is an AppImage for Linux featuring the
current GnuPG version and Kleopatra, its advanced graphical user
interface. This is only the source code; for the actual AppImage
see below. This AppImage can be used on almost all 64bit x86
Linux versions.
+ - /Pinentry/ is a collection of passphrase entry dialogs which is
+ required for almost all usages of GnuPG.
+
- /GPGME/ is the standard library to access GnuPG functions from
programming languages.
- /Scute/ is a PKCS#11 provider on top of GnuPG.
- /GPA/ is a graphical frontend to GnuPG.
- /GnuPG 1.4/ is the old, single binary version which still support
the unsafe PGP-2 keys. This branch has no dependencies on the
above listed libraries or the Pinentry. However, it lacks many
modern features and will receive only important updates.
** GnuPG binary releases
:PROPERTIES:
:CUSTOM_ID: binary
:END:
#+index: Binaries!download
In general we do not distribute binary releases but leave that to
the common Linux distributions. However, for some operating
systems we list pointers to readily installable releases. We
cannot guarantee that the versions offered there are current. Note
also that some of them apply security patches on top of the
standard versions but keep the original version number.
| OS | Where | Description |
|---------+--------------------+----------------------------------------------------------|
| | <18> | |
- | Linux | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage{{{ftpclose}}} {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage.sig{{{ftpclose}}} | /GnuPG Desktop^{\reg}/ AppImage with the current /GnuPG/ |
+ | Linux | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage{{{ftpclose}}} {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage.sig{{{ftpcloseS}}} | /GnuPG Desktop^{\reg}/ AppImage with the current /GnuPG/ |
| Windows | [[https://gpg4win.org/download.html][Gpg4win]] | Full featured Windows version of /GnuPG/ |
| | {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32-{{{gnupg24_w32_ver}}}.exe{{{ftpclose}}} {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32-{{{gnupg24_w32_ver}}}.exe.sig{{{ftpcloseS}}} | Simple installer for the current /GnuPG/ |
| | {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32cli-{{{gnupg1_w32cli_ver}}}.exe{{{ftpclose}}} {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32cli-{{{gnupg1_w32cli_ver}}}.exe.sig{{{ftpcloseS}}} | Simple installer for /GnuPG 1.4/ |
| OS X | [[https://gpgtools.org][Mac GPG]] | Installer from the gpgtools project |
| | [[https://sourceforge.net/p/gpgosx/docu/Download/][GnuPG for OS X]] | Installer for /GnuPG/ |
| Debian | [[https://www.debian.org][Debian site]] | GnuPG is part of Debian |
| RPM | [[http://rpmfind.net/][rpmfind]] | RPM packages for different OS |
| Android | [[https://guardianproject.info/code/gnupg/][Guardian project]] | Provides a GnuPG framework |
| VMS | [[http://www.antinode.info/dec/sw/gnupg.html][antinode.info]] | A port of GnuPG 1.4 to OpenVMS |
| RISC OS | [[http://www.sbellon.de/gnupg.html][home page]] | A port of GnuPG to RISC OS |
|---------+--------------------+----------------------------------------------------------|
** End-of-life announcements
:PROPERTIES:
:CUSTOM_ID: end-of-life
:END:
We announce the end-of-life date for a current stable version at
the time a new stable version is released. We maintain old
branches for at least two years. For GnuPG 2.2 we consider 2.1.0
as the birth of this new stable branch. For most other packages we
don't maintain branches and thus there is no end-of-life; always
use the latest version.
| Package | Ver. | End-of-life | Birth |
|-----------+-------+----------------+------------|
| | | | |
| GnuPG | +1.0+ | 2002-09-07 | 1999-09-07 |
| | +1.2+ | 2005-01-01 | 2002-09-21 |
| | 1.4 | none (2) | 2004-12-16 |
| | +2.0+ | 2017-12-31 | 2006-11-11 |
| | 2.2 | 2024-12-31 (1) | 2014-11-06 |
| | 2.3 | tba | 2021-04-07 |
| Libgcrypt | +1.5+ | 2016-12-31 | 2011-06-29 |
| | +1.6+ | 2017-06-30 | 2013-12-16 |
| | +1.7+ | 2019-06-30 | 2016-04-15 |
| | 1.8 | 2024-12-31 (1) | 2017-07-18 |
| | 1.9 | 2024-03-31 | 2021-01-19 |
| | 1.10 | tba | 2022-02-01 |
- /(1)/: Long Term Support; eol date likely to be prolonged
- /(2)/: Legacy version; see remarks above.
- /tba/: To be announced.
# eof #
diff --git a/web/download/integrity_check.org b/web/download/integrity_check.org
index 990896e..b1d5166 100644
--- a/web/download/integrity_check.org
+++ b/web/download/integrity_check.org
@@ -1,132 +1,132 @@
#+TITLE: GnuPG - Integrity Check
#+STARTUP: showall
#+SETUPFILE: "../share/setup.inc"
#+GPGWEB-NEED-SWDB
#+OPTIONS: ^:{}
* Integrity Check
#+index: integrity check
You can check that the version of GnuPG that you want to install is
original and unmodified by either verifying the file's signature or
comparing the checksum with the one published in the release
announcement.
** Verifying the File's Signature
If you already have a trusted version of GnuPG installed, you can
check the supplied signature. For example, to check the signature
of the file gnupg-{{{gnupg22_ver}}}.tar.bz2, you can use this command:
{{{begin_example}}}
$ gpg {{{twodashes}}}verify gnupg-{{{gnupg22_ver}}}.tar.bz2.sig gnupg-{{{gnupg22_ver}}}.tar.bz2
{{{end_example}}}
*Note: you should never use a GnuPG version you just downloaded to
check the integrity of the source* --- use an existing, trusted GnuPG
installation, e.g., the one provided by your distribution.
If the output of the above command is similar to the following, then
either you don't have our distribution keys (our [[../signature_key.org][signing keys are
here]]) or the signature was generated by someone else and the file
should be treated suspiciously.
{{{begin_example}}}
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key
{{{end_example}}}
If you instead see:
{{{begin_example}}}
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
{{{end_example}}}
then you have a copy of our keys and the signatures are valid, but
either you have not marked the keys as trusted or the keys are a
forgery. In this case, at the very least, you should compare the
fingerprints that are shown to those on the [[../signature_key.org][signing keys page]]. Even
better is to compare the fingerprints with those shown on our
business cards, which we handout at events that we attend.
Ideally, you'll see something like:
{{{begin_example}}}
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) " [full]
{{{end_example}}}
This means that the signature is valid and that you trust this key
(either you signed it or someone you trusted did).
** Comparing Checksums
If you are not able to use an old version of GnuPG, you can still
verify the file's SHA-1 checksum. This is less secure, because if
someone modified the files as they were transferred to you, it
would not be much more effort to modify the checksums that you see
on this webpage. As such, if you use this method, you should
compare the checksums with those in release announcement. This is
sent to the gnupg-announce mailing list (among others), which is
widely mirrored. Don't use the mailing list archive on this
website, but find the announcement on several other websites and
make sure the checksum is consistent. This makes it more difficult
for an attacker to trick you into installing a modified version of
the software.
Assuming you downloaded the file gnupg-{{{gnupg22_ver}}}.tar.bz2, you
can run the =sha1sum= command like this:
{{{begin_chksum}}}
sha1sum gnupg-{{{gnupg22_ver}}}.tar.bz2
{{{end_chksum}}}
and check that the output matches the SHA-1 checksum reported on
this site. An example of a =sha1sum= output is:
{{{begin_chksum}}}
{{{gnupg22_sha1}}} gnupg-{{{gnupg22_ver}}}.tar.bz2
{{{end_chksum}}}
** List of SHA-1 check-sums
For your convenience, all SHA-1 check-sums available for software
that can be downloaded from [[https://gnupg.org/ftp/][our site]], have been gathered below.
{{{begin_chksum}}}
{{{gnupg24_sha1}}} gnupg-{{{gnupg24_ver}}}.tar.bz2
{{{gnupg24_w32_sha1}}} gnupg-w32-{{{gnupg24_w32_ver}}}.exe
{{{gnupg22_sha1}}} gnupg-{{{gnupg22_ver}}}.tar.bz2
{{{gnupg22_w32_sha1}}} gnupg-w32-{{{gnupg22_w32_ver}}}.exe
- {{{gnupgdesk_src_sha1}}} gnupg-desktop-{{{gnupgdesk_src_ver}}}.tar.xz
- {{{gnupgdesk_ai_sha1}}} gnupg-desktop-{{{gnupgdesk_ai_ver}}}-x86_64.AppImage
+ {{{gnupgdesk_src_sha1}}} gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz
+ {{{gnupgdesk_ai_sha1}}} gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage
{{{libgpg_error_sha1}}} libgpg-error-{{{libgpg_error_ver}}}.tar.bz2
{{{libgcrypt_sha1}}} libgcrypt-{{{libgcrypt_ver}}}.tar.bz2
{{{libksba_sha1}}} libksba-{{{libksba_ver}}}.tar.bz2
{{{libassuan_sha1}}} libassuan-{{{libassuan_ver}}}.tar.bz2
{{{ntbtls_sha1}}} ntbtls-{{{ntbtls_ver}}}.tar.bz2
{{{npth_sha1}}} npth-{{{npth_ver}}}.tar.bz2
{{{pinentry_sha1}}} pinentry-{{{pinentry_ver}}}.tar.bz2
{{{gpgme_sha1}}} gpgme-{{{gpgme_ver}}}.tar.bz2
{{{scute_sha1}}} scute-{{{scute_ver}}}.tar.bz2
{{{gpa_sha1}}} gpa-{{{gpa_ver}}}.tar.bz2
{{{dirmngr_sha1}}} dirmngr-{{{dirmngr_ver}}}.tar.bz2
{{{gnupg20_sha1}}} gnupg-{{{gnupg20_ver}}}.tar.bz2
{{{gnupg1_sha1}}} gnupg-{{{gnupg1_ver}}}.tar.bz2
{{{gnupg1_w32cli_sha1}}} gnupg-w32cli-{{{gnupg1_w32cli_ver}}}.exe
{{{end_chksum}}}
# eof #