-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! We are pleased to announce the availability of a new stable GnuPG release: Version 1.2.2 The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. This new release implements most of OpenPGP's optional features, has somewhat better interoperabilty with non-conforming OpenPGP implementations and improved keyserver support. *************************************************************** * Due to a bug found in the key validdation code, we strongly * * suggest to update to this release if you are relying on the * * Web-Of-Trust semantics. * *************************************************************** Getting the Software =================== GnuPG 1.2.2 can be downloaded from one of the *GnuPG mirror sites*. The list of mirrors can be found at http://www.gnupg.org/mirrors.html. On the mirrors you should find the follwing files in the *gnupg* directory: gnupg-1.2.2.tar.bz2 (2.1 MB) gnupg-1.2.2.tar.bz2.sig GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature. gnupg-1.2.2.tar.gz (3.1 MB) gnupg-1.2.2.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.2.1-1.2.2.diff.gz (1.1 MB) A patch file to upgrade a 1.2.1 GnuPG source. This file is signed; you have to use GnuPG > 0.9.5 to verify the signature. GnuPG has a feature to allow clear signed patch files which can still be processed by the patch utility. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. We have uploaded the .gz tarbvall on May 1, so at least this one should be available at the mirrors. In the *binary* directory, you should find these files: gnupg-w32cli-1.2.2.zip (1.3 MB) gnupg-w32cli-1.2.2.zip.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions. Checking the Integrity ===================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.2.tar.bz2 you would use this command: gpg --verify gnupg-1.2.2.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key by finger wk 'at' g10code.com . Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation. * If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. Assuming you downloaded the file gnupg-1.2.2.tar.bz2, you would run the md5sum command like this: md5sum gnupg-1.2.2.tar.bz2 and check that the output matches the first line from the following list: 4e1b357b22e1d45d14d340ce03d39b63 gnupg-1.2.2.tar.bz2 01cf9c6b949603d0511f6fc07bc758d2 gnupg-1.2.2.tar.gz bbb2691b0322f570c7e683049ba3c777 gnupg-1.2.1-1.2.2.diff.gz 7f7f4b5312f3ebddc67eba0b6a8661a4 gnupg-w32cli-1.2.2.zip Upgrade Information ================== If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt . If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list. What's New ========== Here is a list of major user visible changes since 1.2.1: Configuration: * A "convert-from-106" script has been added. This is a simple script that automates the conversion from a 1.0.6 or earlier version of GnuPG to a 1.0.7 or later version. New features: * A "--trust-model always" option has been added to smooth the transition to a future GnuPG that has multiple trust models. This is identical to the current "--always-trust" option. * Care is taken to prevent compiler optimization from removing memory wiping code. * New option --no-mangle-dos-filenames so that filenames are not truncated in the W32 version. * New command "revuid" in the --edit-key menu to revoke a user ID. This is a simpler interface to the old method (which still works) of revoking the user ID self-signature. * Status VALIDSIG now also contains the primary key fingerprint, as well as the signature version, public key algorithm, hash algorithm, and signature class. * Add read-only support for the SHA-256 hash, and optional read-only support for the SHA-384 and SHA-512 hashes. * New option --enable-progress-filter for use with frontends. Incompatible changes: * Notation names that do not contain a '@' are no longer allowed unless --expert is set. This is to help prevent pollution of the (as yet unused) IETF notation namespace. * Disabled keys are now skipped when selecting keys for encryption. If you are using the --with-colons key listings to detect disabled keys, please see doc/DETAILS for a minor format change in this release. OpenPGP compatibility: * Fixed a compatibility problem with CryptoEx by increasing the window size of the uncompressor. * Note that the TIGER/192 digest algorithm is in the process of being dropped from the OpenPGP standard. While this release of GnuPG still contains it, it is disabled by default. To ensure you will still be able to use your messages with future versions of GnuPG and other OpenPGP programs, please do not use this algorithm. Bug fixes: * A bug in key validation has been fixed. This bug only affects keys with more than one user ID (photo IDs do not count here), and results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key. Other changes: * Minor trustdb changes to make the trust calculations match common usage. * New translations: Finnish, Hungarian, Slovak, and Traditional Chinese. Internationalization ===================GnuPG comes with support for these langauges: American English Hungarian (hu) Catalan (ca) Indonesian (id) Czech (cs) Italian (it) Danish (da)[*] Japanese (ja) Dutch (nl)[*] Polish (pl) Esperanto (eo)[*] Brazilian Portuguese (pt_BR)[*] Estonian (et) Portuguese (pt) Finnish (fi) Slovak (sk) French (fr) Spanish (es) Galician (gl) Swedish (sv) German (de) Traditional Chinese (zh_TW) Greek (el) Turkish (tr) Languages marked with [*] were not updated for this releases and you may notice untranslated messages. We may release an update of the translations when we have received some translation updates. Many thanks to the translators for their ongoing support of GnuPG. Happy Hacking, The GnuPG team (David, Stefan, Timo and Werner) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+tB1KbH7huGIcwBMRArYTAJ0deLOyUMDFQwy3+nj/VFgUHIrPGACggUFV uPS86Mf9N/pjVNNNfNXWen4=HX8r -----END PGP SIGNATURE-----