diff --git a/NEWS b/NEWS index 7de62d936..9b84c1708 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,15 @@ -Noteworthy changes in version 1.4.21 (unreleased) +Noteworthy changes in version 1.4.21 (2016-08-17) ------------------------------------------------- + * Fix critical security bug in the RNG [CVE-2016-6313]. An attacker + who obtains 580 bytes from the standard RNG can trivially predict + the next 20 bytes of output. Problem detected by Felix Dörre and + Vladimir Klebanov, KIT. + + * Tweak default options for gpgv. + + * By default do not anymore emit the GnuPG version with --armor. + Noteworthy changes in version 1.4.20 (2015-12-20) ------------------------------------------------- diff --git a/README b/README index 1a331fbea..55b2f0358 100644 --- a/README +++ b/README @@ -307,6 +307,12 @@ card. To see the fingerprints of the secondary keys, you can give the command twice; but this is normally not needed. + NEVER use the keyid to verify a key - always use the complete + fingerprint. The keyid is just a convenience handle to identify a + key by a short semi-unique name which is trivial to spoof. You + may want to put the line "keyid-format long" into your gpg.conf to + tell gpg to print the long keyid (which is still spoof-able). + If you don't know the owner of the public key you are in trouble. Suppose however that friend of yours knows someone who knows someone who has met the owner of the public key at some computer conference. @@ -403,20 +409,6 @@ There are several ways to specify a user ID, here are some examples. - * Only by the short keyid (prepend a zero if it begins with A..F): - - "234567C4" - "0F34E556E" - "01347A56A" - "0xAB123456 - - * By a complete keyid: - - "234AABBCC34567C4" - "0F323456784E56EAB" - "01AB3FED1347A5612" - "0x234AABBCC34567C4" - * By a fingerprint: "1234343434343434C434343434343434" @@ -426,6 +418,20 @@ The first one is a short fingerprint for PGP 2.x style keys. The others are long fingerprints for OpenPGP keys. + * By a complete keyid (prepend a zero if it begins with A..F): + + "234AABBCC34567C4" + "0F323456784E56EAB" + "01AB3FED1347A5612" + "0x234AABBCC34567C4" + + * By the short keyid: + + "234567C4" + "0F34E556E" + "01347A56A" + "0xAB123456 + * By an exact string: "=Heinrich Heine "