mirror of
git://git.gnupg.org/gnupg.git
synced 2024-10-31 20:08:43 +01:00
070d7bf940
* dirmngr/certcache.c (cert_cache_init): Load certificates from sysconfig dir instead of the homeidr. * dirmngr/dirmngr.c (main): Removed parsing of obsolete homedir_data option. * dirmngr/dirmngr.h (opt): Removed homedir_data. * doc/dirmngr.texi: Update and clarify certs directory doc. -- Using the homedir for extra-certs and trusted-certs makes little sense when dirmngr is used with a caller that manages it's own store of certificates and can provide those through the SENDCERT command. You can use trusted-certs and extra-certs to provide users with a base of locally available certificates that are not already in store of the applications.
1140 lines
36 KiB
Plaintext
1140 lines
36 KiB
Plaintext
Noteworthy changes in version 2.1.3 (unreleased)
|
|
------------------------------------------------
|
|
|
|
* dirmngr: extra-certs and trusted-certs are now always loaded from
|
|
the sysconfig dir instead of the homedir.
|
|
|
|
|
|
Noteworthy changes in version 2.1.2 (2015-02-11)
|
|
------------------------------------------------
|
|
|
|
* gpg: The parameter 'Passphrase' for batch key generation works
|
|
again.
|
|
|
|
* gpg: Using a passphrase option in batch mode now has the expected
|
|
effect on --quick-gen-key.
|
|
|
|
* gpg: Improved reporting of unsupported PGP-2 keys.
|
|
|
|
* gpg: Added support for algo names when generating keys using
|
|
--command-fd.
|
|
|
|
* gpg: Fixed DoS based on bogus and overlong key packets.
|
|
|
|
* agent: When setting --default-cache-ttl the value
|
|
for --max-cache-ttl is adjusted to be not lower than the former.
|
|
|
|
* agent: Fixed problems with the new --extra-socket.
|
|
|
|
* agent: Made --allow-loopback-pinentry changeable with gpgconf.
|
|
|
|
* agent: Fixed importing of unprotected openpgp keys.
|
|
|
|
* agent: Now tries to use a fallback pinentry if the standard
|
|
pinentry is not installed.
|
|
|
|
* scd: Added support for ECDH.
|
|
|
|
* Fixed several bugs related to bogus keyrings and improved some
|
|
other code.
|
|
|
|
|
|
Noteworthy changes in version 2.1.1 (2014-12-16)
|
|
------------------------------------------------
|
|
|
|
* gpg: Detect faulty use of --verify on detached signatures.
|
|
|
|
* gpg: New import option "keep-ownertrust".
|
|
|
|
* gpg: New sub-command "factory-reset" for --card-edit.
|
|
|
|
* gpg: A stub key for smartcards is now created by --card-status.
|
|
|
|
* gpg: Fixed regression in --refresh-keys.
|
|
|
|
* gpg: Fixed regresion in %g and %p codes for --sig-notation.
|
|
|
|
* gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
|
|
|
|
* gpg: Improved perceived speed of secret key listisngs.
|
|
|
|
* gpg: Print number of skipped PGP-2 keys on import.
|
|
|
|
* gpg: Removed the option aliases --throw-keyid and --notation-data;
|
|
use --throw-keyids and --set-notation instead.
|
|
|
|
* gpg: New import option "keep-ownertrust".
|
|
|
|
* gpg: Skip too large keys during import.
|
|
|
|
* gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or
|
|
dirmngr.
|
|
|
|
* gpg-agent: New option --extra-socket to provide a restricted
|
|
command set for use with remote clients.
|
|
|
|
* gpgconf --kill does not anymore start a service only to kill it.
|
|
|
|
* gpg-pconnect-agent: Add convenience option --uiserver.
|
|
|
|
* Fixed keyserver access for Windows.
|
|
|
|
* Fixed build problems on Mac OS X
|
|
|
|
* The Windows installer does now install development files
|
|
|
|
* More translations (but most of them are not complete).
|
|
|
|
* To support remotely mounted home directories, the IPC sockets may
|
|
now be redirected. This feature requires Libassuan 2.2.0.
|
|
|
|
* Improved portability and the usual bunch of bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 2.1.0 (2014-11-06)
|
|
------------------------------------------------
|
|
|
|
This release introduces a lot of changes. Most of them are internal
|
|
and thus not user visible. However, some long standing behavior has
|
|
slightly changed and it is strongly suggested that an existing
|
|
"~/.gnupg" directory is backed up before this version is used.
|
|
|
|
A verbose description of the major new features and changes can be
|
|
found in the file doc/whats-new-in-2.1.txt.
|
|
|
|
* gpg: All support for v3 (PGP 2) keys has been dropped. All
|
|
signatures are now created as v4 signatures. v3 keys will be
|
|
removed from the keyring.
|
|
|
|
* gpg: With pinentry-0.9.0 the passphrase "enter again" prompt shows
|
|
up in the same window as the "new passphrase" prompt.
|
|
|
|
* gpg: Allow importing keys with duplicated long key ids.
|
|
|
|
* dirmngr: May now be build without support for LDAP.
|
|
|
|
* For a complete list of changes see the lists of changes for the
|
|
2.1.0 beta versions below. Note that all relevant fixes from
|
|
versions 2.0.14 to 2.0.26 are also applied to this version.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0-beta864 (2014-10-03)]
|
|
|
|
* gpg: Removed the GPG_AGENT_INFO related code. GnuPG does now
|
|
always use a fixed socket name in its home directory.
|
|
|
|
* gpg: Renamed --gen-key to --full-gen-key and re-added a --gen-key
|
|
command with less choices.
|
|
|
|
* gpg: Use SHA-256 for all signature types also on RSA keys.
|
|
|
|
* gpg: Default keyring is now created with a .kbx suffix.
|
|
|
|
* gpg: Add a shortcut to the key capabilies menu (e.g. "=e" sets the
|
|
encryption capabilities).
|
|
|
|
* gpg: Fixed obsolete options parsing.
|
|
|
|
* Further improvements for the alternative speedo build system.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0-beta834 (2014-09-18)]
|
|
|
|
* gpg: Improved passphrase caching.
|
|
|
|
* gpg: Switched to algorithm number 22 for EdDSA.
|
|
|
|
* gpg: Removed CAST5 from the default preferences.
|
|
|
|
* gpg: Order SHA-1 last in the hash preferences.
|
|
|
|
* gpg: Changed default cipher for --symmetric to AES-128.
|
|
|
|
* gpg: Fixed export of ECC keys and import of EdDSA keys.
|
|
|
|
* dirmngr: Fixed the KS_FETCH command.
|
|
|
|
* The speedo build system now downloads related packages and works
|
|
for non-Windows platforms.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0-beta783 (2014-08-14)]
|
|
|
|
* gpg: Add command --quick-gen-key.
|
|
|
|
* gpg: Make --quick-sign-key promote local key signatures.
|
|
|
|
* gpg: Added "show-usage" sub-option to --list-options.
|
|
|
|
* gpg: Screen keyserver responses to avoid importing unwanted keys
|
|
from rogue servers.
|
|
|
|
* gpg: Removed the option --pgp2 and --rfc1991 and the ability to
|
|
create PGP-2 compatible messages.
|
|
|
|
* gpg: Removed options --compress-keys and --compress-sigs.
|
|
|
|
* gpg: Cap attribute packets at 16MB.
|
|
|
|
* gpg: Improved output of --list-packets.
|
|
|
|
* gpg: Make with-colons output of --search-keys work again.
|
|
|
|
* gpgsm: Auto-create the ".gnupg" directory like gpg does.
|
|
|
|
* agent: Fold new passphrase warning prompts into one.
|
|
|
|
* scdaemon: Add support for the Smartcard-HSM card.
|
|
|
|
* scdaemon: Remove the use of the pcsc-wrapper.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0-beta751 (2014-07-03)]
|
|
|
|
* gpg: Create revocation certificates during key generation.
|
|
|
|
* gpg: Create exported secret keys and revocation certifciates with
|
|
mode 0700
|
|
|
|
* gpg: The validity of user ids is now shown by default. To revert
|
|
this add "list-options no-show-uid-validity" to gpg.conf.
|
|
|
|
* gpg: Make export of secret keys work again.
|
|
|
|
* gpg: The output of --list-packets does now print the offset of the
|
|
packet and information about the packet header.
|
|
|
|
* gpg: Avoid DoS due to garbled compressed data packets. [CVE-2014-4617]
|
|
|
|
* gpg: Print more specific reason codes with the INV_RECP status.
|
|
|
|
* gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended
|
|
key generation.
|
|
|
|
* scdaemon: Support reader Gemalto IDBridge CT30 and pinpad of SCT
|
|
cyberJack go.
|
|
|
|
* The speedo build system has been improved. It is now also possible
|
|
to build a partly working installer for Windows.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0-beta442 (2014-06-05)]
|
|
|
|
* gpg: Changed the format of key listings. To revert to the old
|
|
format the option --legacy-list-mode is available.
|
|
|
|
* gpg: Add experimental signature support using curve Ed25519 and
|
|
with a patched Libgcrypt also encryption support with Curve25519.
|
|
[Update: this encryption support has been removed from 2.1.0 until
|
|
we have agreed on a suitable format.]
|
|
|
|
* gpg: Allow use of Brainpool curves.
|
|
|
|
* gpg: Accepts a space separated fingerprint as user ID. This
|
|
allows to copy and paste the fingerprint from the key listing.
|
|
|
|
* gpg: The hash algorithm is now printed for signature records in key
|
|
listings.
|
|
|
|
* gpg: Reject signatures made using the MD5 hash algorithm unless the
|
|
new option --allow-weak-digest-algos or --pgp2 are given.
|
|
|
|
* gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
|
|
communication with the gpg-agent.
|
|
|
|
* gpg: New option --pinentry-mode.
|
|
|
|
* gpg: Fixed decryption using an OpenPGP card.
|
|
|
|
* gpg: Fixed bug with deeply nested compressed packets.
|
|
|
|
* gpg: Only the major version number is by default included in the
|
|
armored output.
|
|
|
|
* gpg: Do not create a trustdb file if --trust-model=always is used.
|
|
|
|
* gpg: Protect against rogue keyservers sending secret keys.
|
|
|
|
* gpg: The format of the fallback key listing ("gpg KEYFILE") is now
|
|
more aligned to the regular key listing ("gpg -k").
|
|
|
|
* gpg: The option--show-session-key prints its output now before the
|
|
decryption of the bulk message starts.
|
|
|
|
* gpg: New %U expando for the photo viewer.
|
|
|
|
* gpg,gpgsm: New option --with-secret.
|
|
|
|
* gpgsm: By default the users are now asked via the Pinentry whether
|
|
they trust an X.509 root key. To prohibit interactive marking of
|
|
such keys, the new option --no-allow-mark-trusted may be used.
|
|
|
|
* gpgsm: New commands to export a secret RSA key in PKCS#1 or PKCS#8
|
|
format.
|
|
|
|
* gpgsm: Improved handling of re-issued CA certificates.
|
|
|
|
* agent: The included ssh agent does now support ECDSA keys.
|
|
|
|
* agent: New option --enable-putty-support to allow gpg-agent on
|
|
Windows to act as a Pageant replacement with full smartcard support.
|
|
|
|
* scdaemon: New option --enable-pinpad-varlen.
|
|
|
|
* scdaemon: Various fixes for pinpad equipped card readers.
|
|
|
|
* scdaemon: Rename option --disable-pinpad (was --disable-keypad).
|
|
|
|
* scdaemon: Better support fo CCID readers. Now, internal CCID
|
|
driver supports readers with no auto configuration feature.
|
|
|
|
* dirmngr: Removed support for the original HKP keyserver which is
|
|
not anymore used by any site.
|
|
|
|
* dirmngr: Improved support for keyserver pools.
|
|
|
|
* tools: New option --dirmngr for gpg-connect-agent.
|
|
|
|
* The GNU Pth library has been replaced by the new nPth library.
|
|
|
|
* Support installation as portable application under Windows.
|
|
|
|
* All kind of other improvements - see the git log.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0beta3 (2011-12-20)]
|
|
|
|
* gpg: Fixed regression in the secret key export function.
|
|
|
|
* gpg: Allow generation of card keys up to 4096 bit.
|
|
|
|
* gpgsm: Preliminary support for the validation model "steed".
|
|
|
|
* gpgsm: Improved certificate creation.
|
|
|
|
* agent: Support the SSH confirm flag.
|
|
|
|
* agent: New option to select a passphrase mode. The loopback
|
|
mode may be used to bypass Pinentry.
|
|
|
|
* agent: The Assuan commands KILLAGENT and KILLSCD are working again.
|
|
|
|
* scdaemon: Does not anymore block after changing a card (regression
|
|
fix).
|
|
|
|
* tools: gpg-connect-agent does now proberly display the help output
|
|
for "SCD HELP" commands.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0beta2 (2011-03-08)]
|
|
|
|
* gpg: ECC support as described by draft-jivsov-openpgp-ecc-06.txt
|
|
[Update: now known as RFC-6637].
|
|
|
|
* gpg: Print "AES128" instead of "AES". This change introduces a
|
|
little incompatibility for tools using "gpg --list-config". We
|
|
hope that these tools are written robust enough to accept this new
|
|
algorithm name as well.
|
|
|
|
* gpgsm: New feature to create certificates from a parameter file.
|
|
Add prompt to the --gen-key UI to create self-signed certificates.
|
|
|
|
* agent: TMPDIR is now also honored when creating a socket using
|
|
the --no-standard-socket option and with symcryptrun's temp files.
|
|
|
|
* scdaemon: Fixed a bug where scdaemon sends a signal to gpg-agent
|
|
running in non-daemon mode.
|
|
|
|
* dirmngr: Fixed CRL loading under W32 (bug#1010).
|
|
|
|
* Dirmngr has taken over the function of the keyserver helpers. Thus
|
|
we now have a specified direct interface to keyservers via Dirmngr.
|
|
LDAP, DNS and mail backends are not yet implemented.
|
|
|
|
* Fixed TTY management for pinentries and session variable update
|
|
problem.
|
|
|
|
|
|
[Noteworthy changes in version 2.1.0beta1 (2010-10-26)]
|
|
|
|
* gpg: secring.gpg is not anymore used but all secret key operations
|
|
are delegated to gpg-agent. The import command moves secret keys
|
|
to the agent.
|
|
|
|
* gpg: The OpenPGP import command is now able to merge secret keys.
|
|
|
|
* gpg: Encrypted OpenPGP messages with trailing data (e.g. other
|
|
OpenPGP packets) are now correctly parsed.
|
|
|
|
* gpg: Given sufficient permissions Dirmngr is started automagically.
|
|
|
|
* gpg: Fixed output of "gpgconf --check-options".
|
|
|
|
* gpg: Removed options --export-options(export-secret-subkey-passwd)
|
|
and --simple-sk-checksum.
|
|
|
|
* gpg: New options --try-secret-key.
|
|
|
|
* gpg: Support DNS lookups for SRV, PKA and CERT on W32.
|
|
|
|
* gpgsm: The --audit-log feature is now more complete.
|
|
|
|
* gpgsm: The default for --include-cert is now to include all
|
|
certificates in the chain except for the root certificate.
|
|
|
|
* gpgsm: New option --ignore-cert-extension.
|
|
|
|
* g13: The G13 tool for disk encryption key management has been
|
|
added.
|
|
|
|
* agent: If the agent's --use-standard-socket option is active, all
|
|
tools try to start and daemonize the agent on the fly. In the past
|
|
this was only supported on W32; on non-W32 systems the new
|
|
configure option --disable-standard-socket may now be used to
|
|
disable this new default.
|
|
|
|
* agent: New and changed passphrases are now created with an
|
|
iteration count requiring about 100ms of CPU work.
|
|
|
|
* dirmngr: Dirmngr is now a part of this package. It is now also
|
|
expected to run as a system service and the configuration
|
|
directories are changed to the GnuPG name space. [Update: 2.1.0
|
|
starts dirmngr on demand as user daemon.]
|
|
|
|
* Support for Windows CE. [Update: This has not been tested for the
|
|
2.1.0 release]
|
|
|
|
* Numerical values may now be used as an alternative to the
|
|
debug-level keywords.
|
|
|
|
|
|
Noteworthy changes in version 2.0.13 (2009-09-04)
|
|
-------------------------------------------------
|
|
|
|
* GPG now generates 2048 bit RSA keys by default. The default hash
|
|
algorithm preferences has changed to prefer SHA-256 over SHA-1.
|
|
2048 bit DSA keys are now generated to use a 256 bit hash algorithm
|
|
|
|
* The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now
|
|
passed to the Pinentry to make SCIM work.
|
|
|
|
* The GPGSM command --gen-key features a --batch mode and implements
|
|
all features of gpgsm-gencert.sh in standard mode.
|
|
|
|
* New option --re-import for GPGSM's IMPORT server command.
|
|
|
|
* Enhanced writing of existing keys to OpenPGP v2 cards.
|
|
|
|
* Add hack to the internal CCID driver to allow the use of some
|
|
Omnikey based card readers with 2048 bit keys.
|
|
|
|
* GPG now repeatly asks the user to insert the requested OpenPGP
|
|
card. This can be disabled with --limit-card-insert-tries=1.
|
|
|
|
* Minor bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 2.0.12 (2009-06-17)
|
|
-------------------------------------------------
|
|
|
|
* GPGSM now always lists ephemeral certificates if specified by
|
|
fingerprint or keygrip.
|
|
|
|
* New command "KEYINFO" for GPG_AGENT. GPGSM now also returns
|
|
information about smartcards.
|
|
|
|
* Made sure not to leak file descriptors if running gpg-agent with a
|
|
command. Restore the signal mask to solve a problem in Mono.
|
|
|
|
* Changed order of the confirmation questions for root certificates
|
|
and store negative answers in trustlist.txt.
|
|
|
|
* Better synchronization of concurrent smartcard sessions.
|
|
|
|
* Support 2048 bit OpenPGP cards.
|
|
|
|
* Support Telesec Netkey 3 cards.
|
|
|
|
* The gpg-protect-tool now uses gpg-agent via libassuan. Under
|
|
Windows the Pinentry will now be put into the foreground.
|
|
|
|
* Changed code to avoid a possible Mac OS X system freeze.
|
|
|
|
|
|
Noteworthy changes in version 2.0.11 (2009-03-03)
|
|
-------------------------------------------------
|
|
|
|
* Fixed a problem in SCDAEMON which caused unexpected card resets.
|
|
|
|
* SCDAEMON is now aware of the Geldkarte.
|
|
|
|
* The SCDAEMON option --allow-admin is now used by default.
|
|
|
|
* GPGCONF now restarts SCdaemon if necessary.
|
|
|
|
* The default cipher algorithm in GPGSM is now again 3DES. This is
|
|
due to interoperability problems with Outlook 2003 which still
|
|
can't cope with AES.
|
|
|
|
|
|
Noteworthy changes in version 2.0.10 (2009-01-12)
|
|
-------------------------------------------------
|
|
|
|
* [gpg] New keyserver helper gpg2keys_kdns as generic DNS CERT
|
|
lookup. Run with --help for a short description. Requires the
|
|
ADNS library.
|
|
|
|
* [gpg] New mechanisms "local" and "nodefault" for --auto-key-locate.
|
|
Fixed a few problems with this option.
|
|
|
|
* [gpg] New command --locate-keys.
|
|
|
|
* [gpg] New options --with-sig-list and --with-sig-check.
|
|
|
|
* [gpg] The option "-sat" is no longer an alias for --clearsign.
|
|
|
|
* [gpg] The option --fixed-list-mode is now implicitly used and obsolete.
|
|
|
|
* [gpg] New control statement %ask-passphrase for the unattended key
|
|
generation.
|
|
|
|
* [gpg] The algorithm to compute the SIG_ID status has been changed.
|
|
|
|
* [gpgsm] Now uses AES by default.
|
|
|
|
* [gpgsm] Made --output option work with --export-secret-key-p12.
|
|
|
|
* [gpg-agent] Terminate process if the own listening socket is not
|
|
anymore served by ourself.
|
|
|
|
* [scdaemon] Made it more robust on W32.
|
|
|
|
* [gpg-connect-agent] Accept commands given as command line arguments.
|
|
|
|
* [w32] Initialized the socket subsystem for all keyserver helpers.
|
|
|
|
* [w32] The sysconf directory has been moved from a subdirectory of
|
|
the installation directory to %CSIDL_COMMON_APPDATA%/GNU/etc/gnupg.
|
|
|
|
* [w32] The gnupg2.nls directory is not anymore used. The standard
|
|
locale directory is now used.
|
|
|
|
* [w32] Fixed a race condition between gpg and gpgsm in the use of
|
|
temporary file names.
|
|
|
|
* The gpg-preset-passphrase mechanism works again. An arbitrary
|
|
string may now be used for a custom cache ID.
|
|
|
|
* Admin PINs are cached again (bug in 2.0.9).
|
|
|
|
* Support for version 2 OpenPGP cards.
|
|
|
|
* Libgcrypt 1.4 is now required.
|
|
|
|
|
|
Noteworthy changes in version 2.0.9 (2008-03-26)
|
|
------------------------------------------------
|
|
|
|
* Gpgsm always tries to locate missing certificates from a running
|
|
Dirmngr's cache.
|
|
|
|
* Tweaks for Windows.
|
|
|
|
* The Admin PIN for OpenPGP cards may now be entered with the pinpad.
|
|
|
|
* Improved certificate chain construction.
|
|
|
|
* Extended the PKITS framework.
|
|
|
|
* Fixed a bug in the ambigious name detection.
|
|
|
|
* Fixed possible memory corruption while importing OpenPGP keys (bug
|
|
introduced with 2.0.8). [CVE-2008-1530]
|
|
|
|
* Minor bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 2.0.8 (2007-12-20)
|
|
------------------------------------------------
|
|
|
|
* Enhanced gpg-connect-agent with a small scripting language.
|
|
|
|
* New option --list-config for gpgconf.
|
|
|
|
* Fixed a crash in gpgconf.
|
|
|
|
* Gpg-agent now supports the passphrase quality bar of the latest
|
|
Pinentry.
|
|
|
|
* The envvars XAUTHORITY and PINENTRY_USER_DATA are now passed to the
|
|
Pinentry.
|
|
|
|
* Fixed the auto creation of the key stub for smartcards.
|
|
|
|
* Fixed a rare bug in decryption using the OpenPGP card.
|
|
|
|
* Creating DSA2 keys is now possible.
|
|
|
|
* New option --extra-digest-algo for gpgsm to allow verification of
|
|
broken signatures.
|
|
|
|
* Allow encryption with legacy Elgamal sign+encrypt keys with option
|
|
--rfc2440.
|
|
|
|
* Windows is now a supported platform.
|
|
|
|
* Made sure that under Windows the file permissions of the socket are
|
|
taken into account. This required a change of our socket emulation
|
|
code and changed the IPC protocol under Windows.
|
|
|
|
|
|
Noteworthy changes in version 2.0.7 (2007-09-10)
|
|
------------------------------------------------
|
|
|
|
* Fixed encryption problem if duplicate certificates are in the
|
|
keybox.
|
|
|
|
* Made it work on Windows Vista. Note that the entire Windows port
|
|
is still considered Beta.
|
|
|
|
* Add new options min-passphrase-nonalpha, check-passphrase-pattern,
|
|
enforce-passphrase-constraints and max-passphrase-days to
|
|
gpg-agent.
|
|
|
|
* Add command --check-components to gpgconf. Gpgconf now uses the
|
|
installed versions of the programs and does not anymore search via
|
|
PATH for them.
|
|
|
|
|
|
Noteworthy changes in version 2.0.6 (2007-08-16)
|
|
------------------------------------------------
|
|
|
|
* GPGSM does now grok --default-key.
|
|
|
|
* GPGCONF is now aware of --default-key and --encrypt-to.
|
|
|
|
* GPGSM does again correctly print the serial number as well the the
|
|
various keyids. This was broken since 2.0.4.
|
|
|
|
* New option --validation-model and support for the chain-model.
|
|
|
|
* Improved Windows support.
|
|
|
|
|
|
Noteworthy changes in version 2.0.5 (2007-07-05)
|
|
------------------------------------------------
|
|
|
|
* Switched license to GPLv3.
|
|
|
|
* Basic support for Windows. Run "./autogen.sh --build-w32" to build
|
|
it. As usual the mingw cross compiling toolchain is required.
|
|
|
|
* Fixed bug when using the --p12-charset without --armor.
|
|
|
|
* The command --gen-key may now be used instead of the
|
|
gpgsm-gencert.sh script.
|
|
|
|
* Changed key generation to reveal less information about the
|
|
machine. Bug fixes for gpg2's card key generation.
|
|
|
|
|
|
Noteworthy changes in version 2.0.4 (2007-05-09)
|
|
------------------------------------------------
|
|
|
|
* The server mode key listing commands are now also working for
|
|
systems without the funopen/fopencookie API.
|
|
|
|
* PKCS#12 import now tries several encodings in case the passphrase
|
|
was not utf-8 encoded. New option --p12-charset for gpgsm.
|
|
|
|
* Improved the libgcrypt logging support in all modules.
|
|
|
|
|
|
Noteworthy changes in version 2.0.3 (2007-03-08)
|
|
------------------------------------------------
|
|
|
|
* By default, do not allow processing multiple plaintexts in a single
|
|
stream. Many programs that called GnuPG were assuming that GnuPG
|
|
did not permit this, and were thus not using the plaintext boundary
|
|
status tags that GnuPG provides. This change makes GnuPG reject
|
|
such messages by default which makes those programs safe again.
|
|
--allow-multiple-messages returns to the old behavior. [CVE-2007-1263].
|
|
|
|
* New --verify-option show-primary-uid-only.
|
|
|
|
* gpgconf may now reads a global configuration file to select which
|
|
options are changeable by a frontend. The new applygnupgdefaults
|
|
tool may be used by an admin to set default options for all users.
|
|
|
|
* The PIN pad of the Cherry XX44 keyboard is now supported. The
|
|
DINSIG and the NKS applications are now also aware of PIN pads.
|
|
|
|
|
|
Noteworthy changes in version 2.0.2 (2007-01-31)
|
|
------------------------------------------------
|
|
|
|
* Fixed a serious and exploitable bug in processing encrypted
|
|
packages. [CVE-2006-6235].
|
|
|
|
* Added --passphrase-repeat to set the number of times GPG will
|
|
prompt for a new passphrase to be repeated. This is useful to help
|
|
memorize a new passphrase. The default is 1 repetition.
|
|
|
|
* Using a PIN pad does now also work for the signing key.
|
|
|
|
* A warning is displayed by gpg-agent if a new passphrase is too
|
|
short. New option --min-passphrase-len defaults to 8.
|
|
|
|
* The status code BEGIN_SIGNING now shows the used hash algorithms.
|
|
|
|
|
|
Noteworthy changes in version 2.0.1 (2006-11-28)
|
|
------------------------------------------------
|
|
|
|
* Experimental support for the PIN pads of the SPR 532 and the Kaan
|
|
Advanced card readers. Add "disable-keypad" scdaemon.conf if you
|
|
don't want it. Does currently only work for the OpenPGP card and
|
|
its authentication and decrypt keys.
|
|
|
|
* Fixed build problems on some some platforms and crashes on amd64.
|
|
|
|
* Fixed a buffer overflow in gpg2. [bug#728,CVE-2006-6169]
|
|
|
|
|
|
Noteworthy changes in version 2.0.0 (2006-11-11)
|
|
------------------------------------------------
|
|
|
|
* First stable version of a GnuPG integrating OpenPGP and S/MIME.
|
|
|
|
|
|
Noteworthy changes in version 1.9.95 (2006-11-06)
|
|
-------------------------------------------------
|
|
|
|
* Minor bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.94 (2006-10-24)
|
|
-------------------------------------------------
|
|
|
|
* Keys for gpgsm may now be specified using a keygrip. A keygrip is
|
|
indicated by a prefixing it with an ampersand.
|
|
|
|
* gpgconf now supports switching the CMS cipher algo (e.g. to AES).
|
|
|
|
* New command --gpgconf-test for all major tools. This may be used to
|
|
check whether the configuration file is sane.
|
|
|
|
|
|
Noteworthy changes in version 1.9.93 (2006-10-18)
|
|
-------------------------------------------------
|
|
|
|
* In --with-validation mode gpgsm will now also ask whether a root
|
|
certificate should be trusted.
|
|
|
|
* Link to Pth only if really necessary.
|
|
|
|
* Fixed a pubring corruption bug in gpg2 occurring when importing
|
|
signatures or keys with insane lengths.
|
|
|
|
* Fixed v3 keyID calculation bug in gpg2.
|
|
|
|
* More tweaks for certificates without extensions.
|
|
|
|
|
|
Noteworthy changes in version 1.9.92 (2006-10-11)
|
|
-------------------------------------------------
|
|
|
|
* Bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.91 (2006-10-04)
|
|
-------------------------------------------------
|
|
|
|
* New "relax" flag for trustlist.txt to allow root CA certificates
|
|
without BasicContraints.
|
|
|
|
* [gpg2] Removed the -k PGP 2 compatibility hack. -k is now an
|
|
alias for --list-keys.
|
|
|
|
* [gpg2] Print a warning if "-sat" is used instead of "--clearsign".
|
|
|
|
|
|
Noteworthy changes in version 1.9.90 (2006-09-25)
|
|
-------------------------------------------------
|
|
|
|
* Made readline work for gpg.
|
|
|
|
* Cleanups und minor bug fixes.
|
|
|
|
* Included translations from gnupg 1.4.5.
|
|
|
|
|
|
Noteworthy changes in version 1.9.23 (2006-09-18)
|
|
-------------------------------------------------
|
|
|
|
* Regular man pages for most tools are now build directly from the
|
|
Texinfo source.
|
|
|
|
* The gpg code from 1.4.5 has been fully merged into this release.
|
|
The configure option --enable-gpg is still required to build this
|
|
gpg part. For production use of OpenPGP the gpg version 1.4.5 is
|
|
still recommended. Note, that gpg will be installed under the name
|
|
gpg2 to allow coexisting with an 1.4.x gpg.
|
|
|
|
* API change in gpg-agent's pkdecrypt command. Thus an older gpgsm
|
|
may not be used with the current gpg-agent.
|
|
|
|
* The scdaemon will now call a script on reader status changes.
|
|
|
|
* gpgsm now allows file descriptor passing for "INPUT", "OUTPUT" and
|
|
"MESSAGE".
|
|
|
|
* The gpgsm server may now output a key listing to the output file
|
|
handle. This needs to be enabled using "OPTION list-to-output=1".
|
|
|
|
* The --output option of gpgsm has now an effect on list-keys.
|
|
|
|
* New gpgsm commands --dump-chain and list-chain.
|
|
|
|
* gpg-connect-agent has new options to utilize descriptor passing.
|
|
|
|
* A global trustlist may now be used. See doc/examples/trustlist.txt.
|
|
|
|
* When creating a new pubring.kbx keybox common certificates are
|
|
imported.
|
|
|
|
|
|
Noteworthy changes in version 1.9.22 (2006-07-27)
|
|
-------------------------------------------------
|
|
|
|
* Enhanced pkcs#12 support to allow import from simple keyBags.
|
|
|
|
* Exporting to pkcs#12 now create bag attributes so that Mozilla is
|
|
able to import the files.
|
|
|
|
* Fixed uploading of certain keys to the smart card.
|
|
|
|
|
|
Noteworthy changes in version 1.9.21 (2006-06-20)
|
|
-------------------------------------------------
|
|
|
|
* New command APDU for scdaemon to allow using it for general card
|
|
access. Might be used through gpg-connect-agent by using the SCD
|
|
prefix command.
|
|
|
|
* Support for the CardMan 4040 PCMCIA reader (Linux 2.6.15 required).
|
|
|
|
* Scdaemon does not anymore reset cards at the end of a connection.
|
|
|
|
* Kludge to allow use of Bundesnetzagentur issued X.509 certificates.
|
|
|
|
* Added --hash=xxx option to scdaemon's PKSIGN command.
|
|
|
|
* Pkcs#12 files are now created with a MAC. This is for better
|
|
interoperability.
|
|
|
|
* Collected bug fixes and minor other changes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.20 (2005-12-20)
|
|
-------------------------------------------------
|
|
|
|
* Importing pkcs#12 files created be recent versions of Mozilla works
|
|
again.
|
|
|
|
* Basic support for qualified signatures.
|
|
|
|
* New debug tool gpgparsemail.
|
|
|
|
|
|
Noteworthy changes in version 1.9.19 (2005-09-12)
|
|
-------------------------------------------------
|
|
|
|
* The Belgian eID card is now supported for signatures and ssh.
|
|
Other pkcs#15 cards should work as well.
|
|
|
|
* Fixed bug in --export-secret-key-p12 so that certificates are again
|
|
included.
|
|
|
|
|
|
Noteworthy changes in version 1.9.18 (2005-08-01)
|
|
-------------------------------------------------
|
|
|
|
* [gpgsm] Now allows for more than one email address as well as URIs
|
|
and dnsNames in certificate request generation. A keygrip may be
|
|
given to create a request from an existing key.
|
|
|
|
* A couple of minor bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.17 (2005-06-20)
|
|
-------------------------------------------------
|
|
|
|
* gpg-connect-agent has now features to handle Assuan INQUIRE
|
|
commands.
|
|
|
|
* Internal changes for OpenPGP cards. New Assuan command WRITEKEY.
|
|
|
|
* GNU Pth is now a hard requirement.
|
|
|
|
* [scdaemon] Support for OpenSC has been removed. Instead a new and
|
|
straightforward pkcs#15 modules has been written. As of now it
|
|
does allows only signing using TCOS cards but we are going to
|
|
enhance it to match all the old capabilities.
|
|
|
|
* [gpg-agent] New option --write-env-file and Assuan command
|
|
UPDATESTARTUPTTY.
|
|
|
|
* [gpg-agent] New option --default-cache-ttl-ssh to set the TTL for
|
|
SSH passphrase caching independent from the other passphrases.
|
|
|
|
|
|
Noteworthy changes in version 1.9.16 (2005-04-21)
|
|
-------------------------------------------------
|
|
|
|
* gpg-agent does now support the ssh-agent protocol and thus allows
|
|
to use the pinentry as well as the OpenPGP smartcard with ssh.
|
|
|
|
* New tool gpg-connect-agent as a general client for the gpg-agent.
|
|
|
|
* New tool symcryptrun as a wrapper for certain encryption tools.
|
|
|
|
* The gpg tool is not anymore build by default because those gpg
|
|
versions available in the gnupg 1.4 series are far more matured.
|
|
|
|
|
|
Noteworthy changes in version 1.9.15 (2005-01-13)
|
|
-------------------------------------------------
|
|
|
|
* Fixed passphrase caching bug.
|
|
|
|
* Better support for CCID readers; the reader from Cherry RS 6700 USB
|
|
does now work.
|
|
|
|
|
|
Noteworthy changes in version 1.9.14 (2004-12-22)
|
|
-------------------------------------------------
|
|
|
|
* [gpg-agent] New option --use-standard-socket to allow the use of a
|
|
fixed socket. gpgsm falls back to this socket if GPG_AGENT_INFO
|
|
has not been set.
|
|
|
|
* Ported to MS Windows with some functional limitations.
|
|
|
|
* New tool gpg-preset-passphrase.
|
|
|
|
|
|
Noteworthy changes in version 1.9.13 (2004-12-03)
|
|
-------------------------------------------------
|
|
|
|
* [gpgsm] New option --prefer-system-dirmngr.
|
|
|
|
* Minor cleanups and debugging aids.
|
|
|
|
|
|
Noteworthy changes in version 1.9.12 (2004-10-22)
|
|
-------------------------------------------------
|
|
|
|
* [scdaemon] Partly rewrote the PC/SC code.
|
|
|
|
* Removed the sc-investigate tool. It is now in a separate package
|
|
available at ftp://ftp.g10code.com/g10code/gscutils/ .
|
|
|
|
* [gpg-agent] Fixed logging problem.
|
|
|
|
|
|
Noteworthy changes in version 1.9.11 (2004-10-01)
|
|
-------------------------------------------------
|
|
|
|
* When using --import along with --with-validation, the imported
|
|
certificates are validated and only imported if they are fully
|
|
valid.
|
|
|
|
* [gpg-agent] New option --max-cache-ttl.
|
|
|
|
* [gpg-agent] When used without --daemon or --server, gpg-agent now
|
|
check whether a agent is already running and usable.
|
|
|
|
* Fixed some i18n problems.
|
|
|
|
|
|
Noteworthy changes in version 1.9.10 (2004-07-22)
|
|
-------------------------------------------------
|
|
|
|
* Fixed a serious bug in the checking of trusted root certificates.
|
|
|
|
* New configure option --enable-agent-pnly allows to build and
|
|
install just the agent.
|
|
|
|
* Fixed a problem with the log file handling.
|
|
|
|
|
|
Noteworthy changes in version 1.9.9 (2004-06-08)
|
|
------------------------------------------------
|
|
|
|
* [gpg-agent] The new option --allow-mark-trusted is now required to
|
|
allow gpg-agent to add a key to the trustlist.txt after user
|
|
confirmation.
|
|
|
|
* Creating PKCS#10 requests does now honor the key usage.
|
|
|
|
|
|
Noteworthy changes in version 1.9.8 (2004-04-29)
|
|
------------------------------------------------
|
|
|
|
* [scdaemon] Overhauled the internal CCID driver.
|
|
|
|
* [scdaemon] Status files named ~/.gnupg/reader_<n>.status are now
|
|
written when using the internal CCID driver.
|
|
|
|
* [gpgsm] New commands --dump-{,secret,external}-keys to show a very
|
|
detailed view of the certificates.
|
|
|
|
* The keybox gets now compressed after 3 hours and ephemeral
|
|
stored certificates are deleted after about a day.
|
|
|
|
* [gpg] Usability fixes for --card-edit. Note, that this has already
|
|
been ported back to gnupg-1.3
|
|
|
|
|
|
Noteworthy changes in version 1.9.7 (2004-04-06)
|
|
------------------------------------------------
|
|
|
|
* Instrumented the modules for gpgconf.
|
|
|
|
* Added support for DINSIG card applications.
|
|
|
|
* Include the smimeCapabilities attribute with signed messages.
|
|
|
|
* Now uses the gettext domain "gnupg2" to avoid conflicts with gnupg
|
|
versions < 1.9.
|
|
|
|
|
|
Noteworthy changes in version 1.9.6 (2004-03-06)
|
|
------------------------------------------------
|
|
|
|
* Code cleanups and bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.5 (2004-02-21)
|
|
------------------------------------------------
|
|
|
|
* gpg-protect-tool gets now installed into libexec as it ought to be.
|
|
Cleaned up the build system to better comply with the coding
|
|
standards.
|
|
|
|
* [gpgsm] The --import command is now able to autodetect pkcs#12
|
|
files and import secret and private keys from this file format.
|
|
A new command --export-secret-key-p12 is provided to allow
|
|
exporting of secret keys in PKCS\#12 format.
|
|
|
|
* [gpgsm] The pinentry will now present a description of the key for
|
|
whom the passphrase is requested.
|
|
|
|
* [gpgsm] New option --with-validation to check the validity of key
|
|
while listing it.
|
|
|
|
* New option --debug-level={none,basic,advanced,expert,guru} to map
|
|
the debug flags to sensitive levels on a per program base.
|
|
|
|
|
|
Noteworthy changes in version 1.9.4 (2004-01-30)
|
|
------------------------------------------------
|
|
|
|
* Added support for the Telesec NKS 2.0 card application.
|
|
|
|
* Added simple tool addgnupghome to create .gnupg directories from
|
|
/etc/skel/.gnupg.
|
|
|
|
* Various minor bug fixes and cleanups; mainly gpgsm and gpg-agent
|
|
related.
|
|
|
|
|
|
Noteworthy changes in version 1.9.3 (2003-12-23)
|
|
------------------------------------------------
|
|
|
|
* New gpgsm options --{enable,disable}-ocsp to validate keys using
|
|
OCSP. This option requires a not yet released DirMngr version.
|
|
Default is disabled.
|
|
|
|
* The --log-file option may now be used to print logs to a socket.
|
|
Prefix the socket name with "socket://" to enable this. This does
|
|
not work on all systems and falls back to stderr if there is a
|
|
problem with the socket.
|
|
|
|
* The options --encrypt-to and --no-encrypt-to now work the same in
|
|
gpgsm as in gpg. Note, they are also used in server mode.
|
|
|
|
* Duplicated recipients are now silently removed in gpgsm.
|
|
|
|
|
|
Noteworthy changes in version 1.9.2 (2003-11-17)
|
|
------------------------------------------------
|
|
|
|
* On card key generation is no longer done using the --gen-key
|
|
command but from the menu provided by the new --card-edit command.
|
|
|
|
* PINs are now properly cached and there are only 2 PINs visible.
|
|
The 3rd PIN (CHV2) is internally syncronized with the regular PIN.
|
|
|
|
* All kind of other internal stuff.
|
|
|
|
|
|
Noteworthy changes in version 1.9.1 (2003-09-06)
|
|
------------------------------------------------
|
|
|
|
* Support for OpenSC is back. scdaemon supports a --disable-opensc to
|
|
disable OpenSC use at runtime, so that PC/SC or ct-API can still be
|
|
used directly.
|
|
|
|
* Rudimentary support for the SCR335 smartcard reader using an
|
|
internal driver. Requires current libusb from CVS.
|
|
|
|
* Bug fixes.
|
|
|
|
|
|
Noteworthy changes in version 1.9.0 (2003-08-05)
|
|
------------------------------------------------
|
|
|
|
====== PLEASE SEE README-alpha =======
|
|
|
|
* gpg has been renamed to gpg2 and gpgv to gpgv2. This is a
|
|
temporary change to allow co-existing with stable gpg versions.
|
|
|
|
* ~/.gnupg/gpg.conf-1.9.0 is fist tried as config file before the
|
|
usual gpg.conf.
|
|
|
|
* Removed the -k, -kv and -kvv commands. -k is now an alias to
|
|
--list-keys. New command -K as alias for --list-secret-keys.
|
|
|
|
* Removed --run-as-shm-coprocess feature.
|
|
|
|
* gpg does now also use libgcrypt, libgpg-error is required.
|
|
|
|
* New gpgsm commands --call-dirmngr and --call-protect-tool.
|
|
|
|
* Changing a passphrase is now possible using "gpgsm --passwd"
|
|
|
|
* The content-type attribute is now recognized and created.
|
|
|
|
* The agent does now reread certain options on receiving a HUP.
|
|
|
|
* The pinentry is now forked for each request so that clients with
|
|
different environments are supported. When running in daemon mode
|
|
and --keep-display is not used the DISPLAY variable is ignored.
|
|
|
|
* Merged stuff from the newpg branch and started this new
|
|
development branch.
|
|
|
|
|
|
Copyright 2002, 2003, 2004, 2005, 2006, 2007,
|
|
2008, 2009, 2010, 2011 Free Software Foundation, Inc.
|
|
|
|
This file is free software; as a special exception the author gives
|
|
unlimited permission to copy and/or distribute it, with or without
|
|
modifications, as long as this notice is preserved.
|
|
|
|
This file is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
|
|
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|