-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! We are pleased to announce the availability of a new stable release of GnuPG: Version 1.2.0 The GNU Privacy Guard (GnuPG) is GNU''s tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. This new release implements most of OpenPGP''s optional features, has somewhat better interoperabilty with non-conforming OpenPGP implementations and improved keyserver support. Getting the Software =================== GnuPG 1.2.0 can be downloaded from one of the *GnuPG mirror sites*. The list of mirrors can be found at http://www.gnupg.org/mirrors.html. See below for a list of mirrors already carrying this new released. On the mirrors you should find the follwing files in the *gnupg* directory: gnupg-1.2.0.tar.bz2 (1.8 MB) gnupg-1.2.0.tar.bz2.sig GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature. gnupg-1.2.0.tar.gz (2.5 MB) gnupg-1.2.0.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.0.7-1.2.0.diff.gz (1.0 MB) A patch file to upgrade a 1.0.7 GnuPG source. This file is signed; you have to use GnuPG > 0.9.5 to verify the signature. GnuPG has a feature to allow clear signed patch files which can still be processed by the patch utility. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.2.0.zip (1.0 MB) gnupg-w32cli-1.2.0.zip.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions. Checking the Integrity ===================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.0.tar.bz2 you would use this command: gpg --verify gnupg-1.2.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation. * If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. Assuming you downloaded the file gnupg-1.2.0.tar.bz2, you would run the md5sum command like this: md5sum gnupg-1.2.0.tar.bz2 and check that the output matches the first line from the following list: b22b10dacfeb5c2b0bc4ce9def2d1120 gnupg-1.2.0.tar.bz2 e93ceafc4395d1713d20044d523d18a7 gnupg-1.2.0.tar.gz c735a9a4400e3e3b0b78f88aadedfd3d gnupg-1.0.7-1.2.0.diff.gz af439e3ba82c8648041e8e9d902c3c01 gnupg-w32cli-1.2.0.zip Upgrade Information ================== The name of the default configuration file has changed from "options" to "gpg.conf". The old name will still be used as long as no "gpg.conf" exists. We recommend to rename your file after the installation. If you are upgrading from a version prior to 1.0.7, you may want to run the command "gpg --rebuild-keydb-caches" once to speed up the keyring access. Please note also that due to a bug in versions prior to 1.0.6 it won''t be possible to downgrade to such versions unless you use the GnuPG version which comes with Debian''s Woody release or you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt . If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list. What''s New ========== Here is a list of major user visible changes since 1.0.7: Configuration: * The default configuration file is now ~/.gnupg/gpg.conf. If an old ~/.gnupg/options is found it will still be used. This change is required to have a more consistent naming scheme with forthcoming tools. * The configure option --with-static-rnd=auto allows to build gpg with all available entropy gathering modules included. At runtime the best usable one will be selected from the list linux, egd, unix. This is also the default for systems lacking a /dev/random device. * All modules are now linked statically; the --load-extension option is in general not useful anymore. The only exception is to specify the deprecated IDEA cipher plugin. * There are now various ways to restrict the ability GnuPG has to exec external programs (for the keyserver helpers or photo ID viewers). Read the README file for the complete list. * The keyserver helper programs now live in /usr/[local/]libexec/gnupg by default. If you are upgrading from 1.0.7, you might want to delete your old copies in /usr/[local/]bin. If you use an OS that does not use libexec for whatever reason, use configure --libexecdir=/usr/local/lib to place the keyserver helpers there. New features: * New "group" command to refer to several keys with one name. * The option --interactive now has the desired effect when importing keys. * Full revocation key (aka "designated revoker") support. * When using --batch with one of the --delete-key commands, the key must be specified by fingerprint. See the man page for details. * New export option to leave off attribute packets (photo IDs) during export. This is useful when exporting to HKP keyservers which do not understand attribute packets. * New import option to repair during import the HKP keyserver mangling multiple subkeys bug. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. This is on by default for keyserver --recv-keys, and off by default for regular --import. * New commands: --personal-cipher-preferences, --personal-digest-preferences, and --personal-compress-preferences allow the user to specify which algorithms are to be preferred. Note that this does not permit using an algorithm that is not present in the recipient''s preferences (which would violate the OpenPGP standard). This just allows sorting the preferences differently. * New --attribute-fd command for frontends and scripts to get the contents of attribute packets (i.e. photos) Incompatible changes: * Options --emulate-checksum-bug and --emulate-3des-s2k-bug have been removed. * The IDEA plugin has changed. Previous versions of the IDEA plugin will no longer work with GnuPG. However, the current version of the plugin will work with earlier GnuPG versions. * ElGamal sign and encrypt is not anymore allowed in the key generation dialog unless in expert mode. RSA sign and encrypt has been added with the same restrictions. OpenPGP compatibility: * The use of MDCs have increased. A MDC will be used if the recipients directly request it, if the recipients have AES, AES192, AES256, or TWOFISH in their cipher preferences, or if the chosen cipher has a blocksize not equal to 64 bits (currently this is also AES, AES192, AES256, and TWOFISH). * GnuPG will no longer automatically disable compression when processing an already-compressed file unless a MDC is being used. This is to give the message a certain amount of resistance to the chosen-ciphertext attack while communicating with other programs (most commonly PGP earlier than version 7.x) that do not support MDCs. * The preferred hash algorithms on a key are consulted when encrypting a signed message to that key. Note that this is disabled by default by a SHA1 preference in --personal-digest-preferences. * --cert-digest-algo allows the user to specify the hash algorithm to use when signing a key rather than the default SHA1 (or MD5 for PGP2 keys). Do not use this feature unless you fully understand the implications of this. * --pgp7 mode automatically sets all necessary options to ensure that the resulting message will be usable by a user of PGP 7.x. Bug fixes: * The file permission and ownership checks on files have been clarified. Specifically, the homedir (usually ~/.gnupg) is checked to protect everything within it. If the user specifies keyrings outside this homedir, they are presumed to be shared keyrings and therefore *not* checked. Configuration files specified with the --options option and the IDEA cipher extension specified with --load-extension are checked, along with their enclosing directories. * The LDAP keyserver handler now works properly with very old (version 1) LDAP keyservers. * [W32] Keyserver access does work with Windows NT. Other changes: * A warning is issued if the user forces the use of an algorithm that is not listed in the recipient''s preferences. * In expert mode, the user can now re-sign a v3 key with a v4 self-signature. This does not change the v3 key into a v4 key, but it does allow the user to use preferences, primary ID flags, etc. * Significantly improved photo ID support on non-unixlike platforms. * The default character set is now taken from the current locale; it can still be overridden by the --charset option. Using the option -vvv shows the used character set. Internationalization ===================GnuPG comes with support for these langauges: American English Greek (el) Catalan (ca) Indonesian (id) Czech (cs) Italian (it) Danish (da)[*] Japanese (ja) Dutch (nl)[*] Polish (pl) Esperanto (eo)[*] Brazilian Portuguese (pt_BR)[*] Estonian (et)[*] Portuguese (pt) French (fr)[*] Spanish (es)[*] Galician (gl) Swedish (sv)[*] German (de) Turkish (tr) Languages marked with [*] were not updated for this releases and you may notice untranslated messages. We will probably release an update of the translations when we have received some translation updates. May thanks to the translators for their ongoing support of GnuPG. Happy Hacking, The GnuPG team (David, Stefan, Timo and Werner) p.s. The mirror sites below have been verified to already carry this new release. The full list of sites mirroring ftp.gnupg.org is available at http://www.gnupg.org/mirrors.html. Australia Australia ftp://ftp.planetmirror.com/pub/gnupg/ Asia Japan ftp://ftp.ayamura.org/pub/gnupg/ Europe Austria ftp://gd.tuwien.ac.at/privacy/gnupg/ http://gd.tuwien.ac.at/privacy/gnupg/ Denmark ftp://sunsite.dk/pub/security/gcrypt/ Finland ftp://ftp.jyu.fi/pub/crypt/gcrypt/ ftp://trumpetti.atm.tut.fi/gcrypt/ http://trumpetti.atm.tut.fi/gcrypt/ France ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/ Germany ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/ Greece ftp://igloo.linux.gr/pub/crypto/gnupg/ Italy ftp://ftp.linux.it/pub/mirrors/gnupg/ http://ftp.linux.it/pub/mirrors/gnupg/ Netherlands ftp://ftp.demon.nl/pub/mirrors/gnupg/ Switzerland ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/ United Kingdom ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/gcrypt/ http://www.mirror.ac.uk/sites/ftp.gnupg.org/gcrypt/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) iD8DBQE9jWkpbH7huGIcwBMRAn2zAJwMBV5wm63NCdoO8USSFxKz1VzLcACeIHxk 8z7znh4OKJFUdvF74ZO79Qs=PttW -----END PGP SIGNATURE-----