Changelog for gpg2-2.3.8-3.5.x86_64.rpm:
* Mon Oct 17 2022 Pedro Monreal
- GnuPG 2.3.8:
* gpg: Do not consider unknown public keys as non-compliant while decrypting.
* gpg: Avoid emitting a compliance mode line if Libgcrypt is non-compliant.
* gpg: Improve --edit-key setpref command to ease c+p.
* gpg: Emit an ERROR status if --quick-set-primary-uid fails and allow passing the user ID by hash.
* gpg: Actually show symmetric+pubkey encrypted data as de-vs compliant. Add extra compliance checks for symkey_enc packets.
* gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit preference.
* gpgsm: Fix reporting of bad passphrase error during PKCS#11 import.
* agent: Fix a regression in "READKEY --format=ssh".
* agent: New option --need-attr for KEYINFO.
* agent: New attribute "Remote-list" for use by KEYINFO.
* scd: Fix problem with Yubikey 5.4 firmware.
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
* dirmngr: New LDAP server flag "areconly" (A-record-only).
* dirmngr: Fix upload of multiple keys for an LDAP server specified using the colon format.
* dirmngr: Use LDAP schema v2 when a Base DN is specified.
* dirmngr: Avoid caching expired certificates.
* wkd: Fix path traversal attack in gpg-wks-server. Add the mail address to the pending request data.
* wkd: New command --mirror for gpg-wks-client.
* gpg-auth: New tool for authentication.
* New common.conf option no-autostart.
* Silence warnings from AllowSetForegroundWindow unless GNUPG_EXEC_DEBUG_FLAGS is used.
* Rebase gnupg-detect_FIPS_mode.patch
* Remove patch upstream: gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
* Mon Aug 08 2022 Andreas Stieger
- Fix YubiKey 5 Nano support (boo#1202201), add gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
* Tue Jul 12 2022 Andreas Stieger
- GnuPG 2.3.7:
* CVE-2022-34903: garbled status messages could trick gpgme and other parsers to accept faked status lines [boo#1201225]
* A number of bug fixes to the gpg command line interface
* gpgsm gained a number of new options and got some rework on the PKCS#12 parser to support DFN issued keys
* The gpg agent got some added options and UI tweaks
* smart card support got a number of bug fixes, and improved support for Technology Nexus cards and Yubikey
* The Telesec ESIGN application is now supported
* Mon May 16 2022 Marcus Meissner
- added tpm support, added a new subpackage gpg2-tpm
* Mon Apr 25 2022 Andreas Stieger
- GnuPG 2.3.6:
* Up to five times faster verification of detached signatures, doubled detached signing speed, threefold decryption speedup for large files, nearly double the AES256.OCB encryption speed
* Add support for GeNUA cards
* Added and improved options for crypto options, and all-around bug fixes
* Wed Dec 22 2021 Andreas Stieger
- GnuPG 2.3.4:
* gpg: New option --min-rsa-length
* gpg: New option --forbid-gen-key
* gpg: New option --override-compliance-check
* gpgconf: New command --show-configs
* agent,dirmngr,keyboxd: New option --steal-socket
* gpg: Fix printing of binary notations
* gpg: Remove stale ultimately trusted keys from the trustdb
* gpg: Fix indentation of --print-mds and --print-md sha512
* gpg: Emit gpg 2.2 compatible Ed25519 signature
* gpgsm: Detect circular chains in --list-chain
* dirmngr: Make reading resolv.conf more robust
* dirmngr: Ask keyservers to provide the key fingerprints
* gpgconf: Allow changing gpg's deprecated keyserver option
* gpg-wks-server: Fix created file permissions
* scd: Support longer data for ssh-agent authentication with openpgp cards
* scd: Modify DEVINFO behavior to support looping forever
* Silence warning about the rootdir under Unices w/o a mounted /proc file system
* Fix possible build problems about missing include files
* Tue Oct 12 2021 Andreas Stieger
- GnuPG 2.3.3:
* agent: Fix segv in GET_PASSPHRASE (regression)
* dirmngr: Fix Let's Encrypt certificate chain validation
* gpg: Change default and maximum AEAD chunk size to 4 MiB
* gpg: Print a warning when importing a bad cv25519 secret key
* gpg: Fix --list-packets for undecryptable AEAD packets
* gpg: Verify backsigs for v5 keys correctly
* keyboxd: Fix checksum computation for no UBID entry on disk
* keyboxd: Fix "invalid object" error with cv448 keys
* dirmngr: New option --ignore-cert
* agent: Fix calibrate_get_time use of clock_gettime
* Support a gpgconf.ctl file under Unix and use this for the regression tests
* Wed Aug 25 2021 Pedro Monreal
- GnuPG 2.3.2:
* gpg: Allow fingerprint based lookup with --locate-external-key.
* gpg: Allow decryption w/o public key but with correct card inserted.
* gpg: Auto import keys specified with --trusted-keys.
* gpg: Do not use import-clean for LDAP keyserver imports.
* gpg: Fix mailbox based search via AKL keyserver method.
* gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
* gpg: Use a more descriptive prompt for symmetric decryption.
* gpg: Improve speed of secret key listing.
* gpg: Support keygrip search with traditional keyring.
* gpg: Let --fetch-key return an exit code on failure.
* gpg: Emit the NO_SECKEY status again for decryption.
* gpgsm: Support decryption of password based encryption (pwri).
* gpgsm: Support AES-GCM decryption.
* gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
* gpgsm: Fix finding of issuer in use-keyboxd mode.
* gpgsm: New option --ldapserver as an alias for --keyserver.
* agent: Use SHA-256 for SSH fingerprint by default.
* agent: Fix calling handle_pincache_put.
* agent: Fix importing protected secret key.
* agent: Fix a regression in agent_get_shadow_info_type.
* agent: Add translatable text for Caps Lock hint.
* agent: New option --pinentry-formatted-passphrase.
* agent: Add checkpin inquiry for pinentry.
* agent: New option --check-sym-passphrase-pattern.
* agent: Use the sysconfdir for a pattern file.
* agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
* dirmngr: LDAP search by a mailbox now ignores revoked keys.
* dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
* dirmngr: Allow for non-URL specified ldap keyservers.
* dirmngr: New option --ldapserver.
* dirmngr: Fix regression in KS_GET for mail address pattern.
* card: New option --shadow for the list command.
* tests: Make sure the built keyboxd is used.
* scd: Fix computing shared secrets for 512 bit curves.
* scd: Fix unblock PIN by a Reset Code with KDF.
* scd: Fix PC/SC removed card problem.
* scd: Recover the partial match for PORTSTR for PC/SC.
* scd: Make sure to release the PC/SC context.
* scd: Fix zero-byte handling in ECC.
* scd: Fix serial number detection for Yubikey 5.
* scd: Add basic support for AET JCOP cards.
* scd: Detect external interference when --pcsc-shared is in use.
* scd: Fix access to the list of cards.
* gpgconf: Do not list a disabled tpm2d.
* gpgconf: Make runtime changes with different homedir work.
* keyboxd: Fix searching for exact mail address.
* keyboxd: Fix searching with multiple patterns.
* tools: Extend gpg-check-pattern.
* wkd: Fix client issue with leading or trailing spaces in user-ids.
* Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
* Change the default keyserver to keyserver.ubuntu.com. This is a temporary change due to the shutdown of the SKS keyserver pools.
* Fri Jun 11 2021 Pedro Monreal
- GnuPG 2.3.1:
* The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more.
* gpg: Force version 5 key creation for ed448 and cv448 algorithms.
* gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver.
* gpg: Lookup a missing public key of the active card via LDAP.
* gpgsm: New command --show-certs.
* scd: Fix CCID driver for SCM SPR332/SPR532.
* scd: Further improvements for PKCS#15 cards.
* New configure option --with-tss to allow the selection of the TSS library.
- Rebase patches:
* gnupg-add_legacy_FIPS_mode_option.patch
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-dont-fail-with-seahorse-agent.patch
* gnupg-set_umask_before_open_outfile.patch
* Fri Jun 11 2021 Andreas Stieger
- GnuPG 2.3.0:
* A new experimental key database daemon is provided. To enable it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored in a SQLite database and make key lookup much faster.
* New tool gpg-card as a flexible frontend for all types of supported smartcards.
* New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent.
* The gpg-wks-client tool is now installed under bin; a wrapper for its old location at libexec is also installed.
* tpm2d: New daemon to physically bind keys to the local machine.
* gpg: Switch to ed25519/cv25519 as default public key algorithms.
* gpg: Verification results now depend on the --sender option and the signer's UID subpacket.
* gpg: Do not use any 64-bit block size cipher algorithm for encryption. Use AES as last resort cipher preference instead of 3DES. This can be reverted using --allow-old-cipher-algos.
* gpg: Support AEAD encryption mode using OCB or EAX.
* gpg: Support v5 keys and signatures.
* gpg: Support curve X448 (ed448, cv448).
* gpg: Allow use of group names in key listings.
* gpg: New option --full-timestrings to print date and time.
* gpg: New option --force-sign-key.
* gpg: New option --no-auto-trust-new-key.
* gpg: The legacy key discovery method PKA is no longer supported. The command --print-pka-records and the PKA related import and export options have been removed.
* gpg: Support export of Ed448 Secure Shell keys.
* gpgsm: Add basic ECC support.
* gpgsm: Support creation of EdDSA certificates. [#4888]
* agent: Allow the use of "Label:" in a key file to customize the pinentry prompt.
* agent: Support ssh-agent extensions for environment variables. With a patched version of OpenSSH this avoids the need for the "updatestartuptty" kludge.
* scd: Improve support for multiple card readers and tokens.
* scd: Support PIV cards.
* scd: Support for Rohde&Schwarz Cybersecurity cards.
* scd: Support Telesec Signature Cards v2.0
* scd: Support multiple applications on certain smartcards.
* scd: New option --application-priority.
* scd: New option --pcsc-shared; see man page for important notes.
* dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
* The symcryptrun tool, a wrapper for the now obsolete external Chiasmus tool, has been removed.
* Full Unicode support for the command line.
- dropped legacy commands: gpg-zip
* Wed Apr 07 2021 Andreas Stieger
- Remove the "files-are-digests" option from the openSUSE package. This feature was not upstream and only used in the OBS signing daemon. The recommended upstream feature for separating the data to be signed from the private keys is gpg agent forwarding, available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
* Tue Jan 12 2021 Andreas Stieger
- GnuPG 2.2.27:
* gpgconf: Fix case with neither local nor global gpg.conf
* gpgconf: Fix description of two new options
- includes changes from 2.2.26:
* gpg: New AKL method "ntds"
* gpg: Fix --trusted-key with fingerprint arg
* scd: Fix writing of ECC keys to an OpenPGP card
* scd: Make a USB error fix specific to SPR532 readers
* dirmngr: With new LDAP keyservers store the new attributes. Never store the useless pgpSignerID. Fix a long standing bug storing some keys on an ldap server.
* dirmngr: Support the new Active Directory LDAP schema for keyservers
* dirmngr: Allow LDAP OpenPGP searches via fingerprint
* dirmngr: Do not block other threads during keyserver LDAP calls
* Support global configuration files
* Fix the iconv fallback handling to UTF-8
* Mon Nov 23 2020 Andreas Stieger
- GnuPG 2.2.25:
* scd: Fix regression in 2.2.24 requiring gpg --card-status before signing or decrypting
* gpgsm: Using Libksba 1.5.0 signatures with a rarely used combination of attributes can now be verified
* Tue Nov 17 2020 Andreas Stieger
- GnuPG 2.2.24:
* gpg: New command --quick-revoke-sig
* gpg: Do not use weak digest algos if selected by recipient preference during sign+encrypt
* gpg: Switch to AES256 for symmetric encryption in de-vs mode
* gpg: Silence weak digest warnings with --quiet
* gpg: Print new status line CANCELED_BY_USER for a cancel during symmetric encryption
* gpg: Fix the encrypt+sign hash algo preference selection for ECDSA. This is in particular needed for keys created from existing smartcard based keys
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys
* agent: Keep some permissions of private-keys-v1.d
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and gnutls builds
* dirmngr: Fix the pool keyserver case for a single host in the pool
* scd: Fix the use case of verify_chv2 by CHECKPIN
* scd: Various improvements to the ccid-driver
* scd: Minor fixes for Yubikey
* gpgconf: New option --show-versions
* i18n: Complete overhaul and completion of the Italian translation
* Thu Sep 03 2020 Andreas Stieger
- GnuPG 2.2.23:
* gpg: fix AEAD preference list overflow boo#1176034 / CVE-2020-25125
* gpg: fix possible segv in the key cleaning code
* gpgsm: fix a minor RFC2253 parser bug
* scdaemon: Fix a PIN verify failure on certain OpenPGP card implementations
* Tue Sep 01 2020 Andreas Stieger
- GnuPG 2.2.22:
* gpg: Change the default key algorithm to rsa3072
* gpg: Add regular expression support for Trust Signatures on all platforms
* gpg: Ignore --personal-digest-prefs for ECDSA keys
* gpgsm: Make rsaPSS a de-vs compliant scheme
* gpgsm: Show also the SHA256 fingerprint in key listings
* gpgsm: Do not require a default keyring for --gpgconf-list
* gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format
* gpg-agent: Support the WAYLAND_DISPLAY envvar
* gpg-agent: Allow using --gpgconf-list even if HOME does not exist
* gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present
* dirmngr: Better handle systems with disabled IPv6
* gpgsplit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4
* gpgtar: Make --files-from and --null work as documented
- drop gnupg-gpgme-t-encrypt-sym.patch, upstream
* Tue Jul 14 2020 Pedro Monreal Gonzalez
- Fix regression in latest gpg2 that makes gpgme fail to build [bsc#1174007]
- Add gnupg-gpgme-t-encrypt-sym.patch
* Thu Jul 09 2020 Andreas Stieger
- GnuPG 2.2.21:
* gpg: Improve symmetric decryption speed by about 25%
* gpg: Support decryption of AEAD encrypted data packets
* gpg: Add option --no-include-key-block
* gpg: Allow for extra padding in ECDH
* gpg: Only a single pinentry is shown for symmetric encryption if the pinentry supports this
* gpg: Print a note if no keys are given to --delete-key
* gpg,gpgsm: The ridiculous passphrase quality bar is no longer shown
* gpgsm: Certificates without a CRL distribution point are now considered valid without looking up a CRL. The new option --enable-issuer-based-crl-check can be used to revert to the former behaviour
* gpgsm: Support rsaPSS signature verification
* gpgsm: Unless CRL checking is disabled lookup a missing issuer certificate using the certificate's authorityInfoAccess
* gpgsm: Print the certificate's serial number also in decimal notation
* gpgsm: Fix possible NULL-deref in messages of --gen-key
* scd: Support the CardOS 5 based D-Trust Card 3.1
* dirmngr: Allow http URLs with "LOOKUP --url"
* wkd: Take name of sendmail from configure. Fixes an OpenBSD specific bug
* Thu Apr 30 2020 Pedro Monreal Gonzalez
- Fix gpgme and gpgme-qt builds on gpg2 2.2.20 update [bsc#1170811]
- Refresh patches:
* gnupg-2.2.8-files-are-digests.patch
* gnupg-add_legacy_FIPS_mode_option.patch
* Fri Mar 20 2020 Andreas Stieger
- GnuPG 2.2.20:
* Protect the error counter against overflow to guarantee that the tools can't be tricked into returning success after an error
* gpg: Make really sure that --verify-files always returns an error
* gpg: Fix key listing --with-secret if a pattern is given
* gpg: Fix detection of certain keys used as default-key
* gpg: Fix default-key selection when a card is available
* gpg: Fix key expiration and key usage for keys created with a creation date of zero
* gpgsm: Fix import of some CR,LF terminated certificates
* gpg: New options --include-key-block and --auto-key-import to allow encrypted replies after an initial signed message
* gpg: Allow the use of a fingerprint with --trusted-key
* gpg: New property "fpr" for use by --export-filter
* scdaemon: Disable the pinpad if a KDF DO is used
* dirmngr: Improve finding OCSP certificates
- drop gpg2-gcc10-build-fno-common.patch, upstream
* Fri Mar 13 2020 Fabian Vogt
- Split dirmngr into a subpackage to avoid a hard dependency of gpg2 on libgnutls
* Wed Feb 19 2020 Pedro Monreal Gonzalez
- Fix build with GCC-10: [bsc#1160394]
* Always use EXTERN_UNLESS_MAIN_MODULE pattern
* In GCC-10, the default option -fcommon will change to -fno-common
- Add gpg2-gcc10-build-fno-common.patch
* Fri Jan 10 2020 Pedro Monreal Gonzalez
- Accept key updates even without UIDs [bsc#1143158]
- Add patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
* gnupg-add-test-cases-for-import-without-uid.patch