| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Noteworthy changes in version 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet
trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced
with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver
query.
* gpg: Do not store the TOFU trust model in the trustdb. This
allows to enable or disable a TOFO model without triggering a
trustdb rebuild.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request. See
commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server. Always build the
server on Unix systems.
* wks: Add option --with-colons to the client. Support sites which
use the policy file instead of the submission-address file.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
|
|
Changelog:
Noteworthy changes in version 2.2.10 (2018-08-30)
-------------------------------------------------
gpg: Refresh expired keys originating from the WKD. [#2917]
gpg: Use a 256 KiB limit for a WKD imported key.
gpg: New option --known-notation. [#4060]
scd: Add support for the Trustica Cryptoucan reader.
agent: Speed up starting during on-demand launching. [#3490]
dirmngr: Validate SRV records in WKD queries.
|
|
|
|
Changelog:
Noteworthy changes in version 2.2.9 (2018-07-12)
------------------------------------------------
* dirmngr: Fix recursive resolver mode and other bugs in the libdns
code. [#3374,#3803,#3610]
* dirmngr: When using libgpg-error 1.32 or later a GnuPG build with
NTBTLS support (e.g. the standard Windows installer) does not
anymore block for dozens of seconds before returning data.
* gpg: Fix bug in --show-keys which actually imported revocation
certificates. [#4017]
* gpg: Ignore too long user-ID and comment packets. [#4022]
* gpg: Fix crash due to bad German translation. Improved printf
format compile time check.
* gpg: Handle missing ISSUER sub packet gracefully in the presence of
the new ISSUER_FPR. [#4046]
* gpg: Allow decryption using several passphrases in most cases.
[#3795,#4050]
* gpg: Command --show-keys now enables the list options
show-unusable-uids, show-unusable-subkeys, show-notations and
show-policy-urls by default.
* gpg: Command --show-keys now prints revocation certificates. [#4018]
* gpg: Add revocation reason to the "rev" and "rvs" records of the
option --with-colons. [#1173]
* gpg: Export option export-clean does now remove certain expired
subkeys; export-minimal removes all expired subkeys. [#3622]
* gpg: New "usage" property for the drop-subkey filters. [#4019]
Release-info: https://dev.gnupg.org/T4036
See-also: gnupg-announce/2018q3/000427.html
|
|
Reported by Oskar on pkgsrc-users.
|
|
Changes:
Noteworthy changes in version 2.2.8 (2018-06-08)
------------------------------------------------
* gpg: Decryption of messages not using the MDC mode will now lead
to a hard failure even if a legacy cipher algorithm was used. The
option --ignore-mdc-error can be used to turn this failure into a
warning. Take care: Never use that option unconditionally or
without a prior warning.
* gpg: The MDC encryption mode is now always used regardless of the
cipher algorithm or any preferences. For testing --rfc2440 can be
used to create a message without an MDC.
* gpg: Sanitize the diagnostic output of the original file name in
verbose mode. [#4012, CVE-2018-12020]
* gpg: Detect suspicious multiple plaintext packets in a more
reliable way. [#4000]
* gpg: Fix the duplicate key signature detection code. [#3994]
* gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
--disable-mdc and --no-disable-mdc have no more effect.
* agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
list of startup environment variables. [#3947]
|
|
|
|
Helps binary package managers to resolve the conflict, PLIST conflicts
cannot be detected early enough.
|
|
Based on the previous default behave on NetBSD add bzip2 and zlib to the
suggested options. In the past gnupg2 automatically detected bzip2 and
zlib from the system and enabled these options also if no buildlink file
was present.
bzip2 and zlib still stay as options because if gnupg2 remote agent
forwarding is used both gnupg2 versions (local and remote) need to provide
the same compression options. This allow the user to build gnupg2 with or
without compression options if needed.
PKGREVISION bump because new suggested options might require an rebuild on
different operating systems if bzip2 and zlib was not accidentally detected
and enabled.
Reviewed by wiedi
|
|
|
|
changes in version 2.2.7:
* gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile.
* ssh: Return an error for unknown ssh-agent flags.
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows.
* dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
mapping of keys.gnupg.net to sks-keyservers.net.
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https. Here a redirection to
http is explictly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
This stopped working with 2.1.
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
debugging.
|
|
|
|
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
|
|
version 2.2.5:
* gpg: Allow the use of the "cv25519" and "ed25519" short names in
addition to the canonical curve names in --batch --gen-key.
* gpg: Make sure to print all secret keys with option --list-only
and --decrypt.
* gpg: Fix the use of future-default with --quick-add-key for
signing keys.
* gpg: Select a secret key by checking availability under gpg-agent.
* gpg: Fix reversed prompt texts for --only-sign-text-ids.
* gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit systems.
* gpgsm: Fix regression since 2.1 in --export-secret-key-raw which
got $d mod (q-1)$ wrong. Note that most tools automatically fixup
that parameter anyway.
* ssh: Fix a regression in getting the client'd PID on *BSD and
macOS.
* scd: Support the KDF Data Object of the OpenPGP card 3.3.
* scd: Fix a regression in the internal CCID driver for certain card
readers.
* scd: Fix a problem on NetBSD killing scdaemon on gpg-agent
shutdown.
* dirmngr: Improve returned error description on failure of DNS
resolving.
* wks: Implement command --install-key for gpg-wks-server.
* Add option STATIC=1 to the Speedo build system to allow a build
with statically linked versions of the core GnuPG libraries. Also
use --enable-wks-tools by default by Speedo builds for Unix.
|
|
|
|
Noteworthy changes in version 2.2.4:
* gpg: Change default preferences to prefer SHA512.
* gpg: Print a warning when more than 150 MiB are encrypted using a
cipher with 64 bit block size.
* gpg: Print a warning if the MDC feature has not been used for a
message.
* gpg: Fix regular expression of domain addresses in trust
signatures.
* agent: New option --auto-expand-secmem to help with high numbers
of concurrent connections. Requires libgcrypt 1.8.2 for having
an effect.
* dirmngr: Cache responses of WKD queries.
* gpgconf: Add option --status-fd.
* wks: Add commands --check and --remove-key to gpg-wks-server.
* Increase the backlog parameter of the daemons to 64 and add
option --listen-backlog.
* New configure option --enable-run-gnupg-user-socket to first try a
socket directory which is not removed by systemd at session end.
|
|
|
|
|
|
changes in version 2.2.3:
* gpgsm: Fix initial keybox creation on Windows.
* dirmngr: Fix crash in case of a CRL loading error.
* Fix the name of the Windows registry key.
* gpgtar: Fix wrong behaviour of --set-filename.
* gpg: Silence AKL retrieval messages.
* agent: Use clock or clock_gettime for calibration.
* agent: Improve robustness of the shutdown pending state.
|
|
changes in version 2.2.2:
* gpg: Avoid duplicate key imports by concurrently running gpg
processes.
* gpg: Fix creating on-disk subkey with on-card primary key.
* gpg: Fix validity retrieval for multiple keyrings.
* gpg: Fix --dry-run and import option show-only for secret keys.
* gpg: Print "sec" or "sbb" for secret keys with import option
import-show.
* gpg: Make import less verbose.
* gpg: Add alias "Key-Grip" for parameter "Keygrip" and new
parameter "Subkey-Grip" to unattended key generation.
* gpg: Improve "factory-reset" command for OpenPGP cards.
* gpg: Ease switching Gnuk tokens into ECC mode by using the magic
keysize value 25519.
* gpgsm: Fix --with-colon listing in crt records for fields > 12.
* gpgsm: Do not expect X.509 keyids to be unique.
* agent: Fix stucked Pinentry when using --max-passphrase-days.
* agent: New option --s2k-count.
* dirmngr: Do not follow https-to-http redirects.
* dirmngr: Reduce default LDAP timeout from 100 to 15 seconds.
* gpgconf: Ignore non-installed components for commands
--apply-profile and --apply-defaults.
* Add configure option --enable-werror.
|
|
version 2.2.1:
* gpg: Fix formatting of the user id in batch mode key generation
if only "name-email" is given.
* gpgv: Fix annoying "not suitable for" warnings.
* wks: Convey only the newest user id to the provider. This is the
case if different names are used with the same addr-spec.
* wks: Create a complying user id for provider policy mailbox-only.
* wks: Add workaround for posteo.de.
* scd: Fix the use of large ECC keys with an OpenPGP card.
* dirmngr: Use system provided root certificates if no specific HKP
certificates are configured. If build with GNUTLS, this was
already the case.
|
|
|
|
|
|
|
|
|
|
|
|
Noteworthy changes in version 2.2.0 (2017-08-28)
------------------------------------------------
This is the new long term stable branch. This branch will only see
bug fixes and no new features.
* gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is
again the default.
* Fixed a few minor bugs.
|
|
|
|
|
|
|
|
|
|
Noteworthy changes in version 2.0.30 (2016-03-31)
-------------------------------------------------
* gpg: Avoid too early timeout during key generation with 2.1 cards.
* agent: Fixed printing of ssh fingerprints for 384 bit ECDSA keys.
* agent: Fixed an alignment bug related to the passphrase
confirmation.
* scdaemon: Fixed a "conflicting usage" bug.
* scdaemon: Fixed usb card reader removal problem on Windows 8 and
later.
* Fixed a problem on AIX due to peculiarity with RLIMIT_NOFILE.
* Updated the Japanese and Dutch translations.
* Fixed a few other bugs.
|
|
Found by coypu.
|
|
|
|
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
And this package does not have header/library files.
|
|
While here, clean up patches. They looked pretty cargo-culty to me and
were not commented.
File a bug report for one of the remaining ones and link to it from comment.
Changes in 2.0.29:
Noteworthy changes in version 2.0.29 (2015-09-08)
-------------------------------------------------
* gpg: Print a PGP-2 fingerprint again instead of a row of "0".
* gpg: Fixed a race condition from multiple several "gpg --verify".
* gpg: Print FAILURE status lines to help GPGME.
* gpgsm: Fixed a regression in CSR generation.
* scdaemon: Fixed problems with some pinpads.
* Fixed a few other bugs.
|
|
|
|
|
|
|
|
Noteworthy changes in version 2.0.28 (2015-06-02)
-------------------------------------------------
* agent: Added support for an external password manager.
* gpg: New command --list-gcrypt-config.
* gpg: Issue NEWSIG status lines during signature verification.
* gpgsm: The default hash algo for a CSR is now SHA-256 and the
default encryption algo is AES-128.
* scdaemon: Allow PC/SC reader selection by partial name match.
* gpgtar: Fix extracting files with a size of a multiple of 512.
* Fixed several other bugs.
* Libgcrypt 1.5 is now required.
|
|
|
|
If you enable this, scdaemon can use some USB Tokens without another
pcsc daemon.
From Yasushi Oshima in PR 49760.
|
|
Noteworthy changes in version 2.0.27 (2015-02-18)
-------------------------------------------------
* gpg: Detect faulty use of --verify on detached signatures.
* gpg: New import option "keep-ownertrust".
* gpg: Uses SHA-256 for all signature types also on RSA keys.
* gpg: Added support for algo names when generating keys using the
--command-fd method.
* gpg: Unless --allow-weak-digest-algos is used the insecure MD5
based fingerprints are shown as all zeroe
* gpg: Fixed DoS based on bogus and overlong key packets.
* gpg: Better error reporting for keyserver problems.
* Fixed several bugs related to bogus keyrings and improved some
other code.
|
|
From ISIHARA Takanori in PR 49576.
Bump PKGREVISION.
|
|
|
|
Noteworthy changes in version 2.0.26 (2014-08-12)
-------------------------------------------------
* gpg: Fix a regression in 2.0.24 if a subkey id is given
to --recv-keys et al.
* gpg: Cap attribute packets at 16MB.
* gpgsm: Auto-create the ".gnupg" home directory in the same
way gpg does.
* scdaemon: Allow for certificates > 1024 when using PC/SC.
|
|
Found by jperkin.
|
|
Noteworthy changes in version 2.0.25 (2014-06-30)
-------------------------------------------------
* gpg: Fix a regression in 2.0.24 if more than one keyid is given
to --recv-keys et al.
* gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended
key generation.
* gpgsm: Fix a DISPLAY related problem with --export-secret-key-p12.
* scdaemon: Support reader Gemalto IDBridge CT30.
|
|
Noteworthy changes in version 2.0.24 (2014-06-24)
-------------------------------------------------
* gpg: Avoid DoS due to garbled compressed data packets.
* gpg: Screen keyserver responses to avoid importing unwanted keys
from rogue servers.
* gpg: The validity of user ids is now shown by default. To revert
this add "list-options no-show-uid-validity" to gpg.conf.
* gpg: Print more specific reason codes with the INV_RECP status.
* gpg: Allow loading of a cert only key to an OpenPGP card.
* gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt 1.6.
Noteworthy changes in version 2.0.23 (2014-06-03)
-------------------------------------------------
* gpg: Reject signatures made using the MD5 hash algorithm unless the
new option --allow-weak-digest-algos or --pgp2 are given.
* gpg: Do not create a trustdb file if --trust-model=always is used.
* gpg: Only the major version number is by default included in the
armored output.
* gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
communication with the gpg-agent.
* gpg: The format of the fallback key listing ("gpg KEYFILE") is now more
aligned to the regular key listing ("gpg -k").
* gpg: The option--show-session-key prints its output now before the
decryption of the bulk message starts.
* gpg: New %U expando for the photo viewer.
* gpgsm: Improved handling of re-issued CA certificates.
* scdaemon: Various fixes for pinpad equipped card readers.
* Minor bug fixes.
|
