- Install the internal executables in the /usr/libexec dir instead
of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
- Provide the systemd-user files since they have been removed
upstream since version 2.4.1. [bsc#1201564]
* Add gpg2-systemd-user.tar.xz
- Revert back to use the IBM TPM Software stack.
- Update to 2.4.3:
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors. [T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
OBS-URL: https://build.opensuse.org/request/show/1116649
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=292
- Install the systemd user units in the _userunitdir [bsc#1201564]
* Note that, there is no activation by default.
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313
* The original patch has been modified to expand the changes
also to the tests/gpgme/Makefile.in file.
* Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
OBS-URL: https://build.opensuse.org/request/show/1112814
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=289
- Update to 2.4.2:
* gpg: Print a warning if no more encryption subkeys are left over
after changing the expiration date. [rGef2c3d50fa]
* gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
* gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
* gpgsm: Reduce the number of "failed to open policy file"
diagnostics. [rG68613a6a9d]
* agent: Make updating of private key files more robust and track
display S/N. [T6135]
* keyboxd: Avoid longish delays on Windows when listing keys.
[rG6944aefa3c]
* gpgtar: Emit extra status lines to help GPGME. [T6497]
* w32: Avoid using the VirtualStore. [T6403]
* Rebase gnupg-add_legacy_FIPS_mode_option.patch
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled. [rGd9e7488b17]
* gpg: New option --add-desig-revoker. [rG3d094e2bcf]
* gpg: New option --assert-signer. [rGc9e95b8dee]
* gpg: New command --quick-add-adsk and other ADSK features.
[T6395, https://gnupg.org/blog/20230321-adsk.html]
* gpg: New list-option "show-unusable-sigs". Also show "[self-signature]"
instead of the user-id in key signature listings. [rG103acfe9ca]
* gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367]
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats. [T6332]
* gpg: New subcommand "openpgp" for --card-edit. [T6462]
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
OBS-URL: https://build.opensuse.org/request/show/1089861
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=287
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Enable the regression tests: Fix the regression test suite that
fails with the IBM TPM Software stack. Builds fine using the Intel
TPM; use the swtpm and tpm2-0-tss-devel packages instead of
ibmswtpm2 and ibmtss-devel.
OBS-URL: https://build.opensuse.org/request/show/1083635
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=285
- Rebased patches:
* gnupg-add_legacy_FIPS_mode_option.patch
- Removed patches (already upstream):
* gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Don't ship systemd examples, as they are removed from upstream
release tarball.
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled.
* gpg: New option --add-desig-revoker.
* gpg: New option --assert-signer.
* gpg: New command --quick-add-adsk and other ADSK features.
* gpg: New list-option "show-unusable-sigs". Also show
"[self-signature]" instead of the user-id in key signature
listings.
* gpg: For symmetric encryption the default S2K hash is now SHA256.
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats.
* gpg: New subcommand "openpgp" for --card-edit.
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used.
* gpgsm: Non-armored detached signature are now created without
using indefinite form length octets. This improves compatibility
with some PDF signature verification software.
* gpgtar: Emit progress status lines in create mode.
* dirmngr: The LDAP modifyTimestamp is now returned by some
keyserver commands.
* ssh: Allow specification of the order keys are presented to ssh.
See the man page entry for --enable-ssh-support.
* gpg: Make list-options "show-sig-subpackets" work again.
OBS-URL: https://build.opensuse.org/request/show/1083567
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=284
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
* agent: Allow arguments to "scd serialno" in restricted mode.
* scd:p15: Skip deleted records.
* build: Remove Windows CE support.
* wkd: Do not send/install/mirror expired user ids.
* gpgsm: Print the revocation time also with --verify.
* gpgsm: Fix "problem re-searching certificate" case.
* gpgsm: Print revocation date and reason in cert listings.
* gpgsm: Silence the "non-critical certificate policy not allowed".
* gpgsm: Always use the chain model if the root-CA requests this.
* gpg: New export option "mode1003".
* gpg: Remove a mostly duplicated function.
* tests: Simplify fake-pinentry to use the option only.
* tests: Fix fake-pinentry for Windows.
* tests: Fix make check-all.
* agent: Fix import of protected v5 keys.
* gpgsm: Change default algo to AES-256.
* tests: Put a workaround for semihosted environment.
* tests: More fix for semihosted environment.
* tests: Support semihosted environment.
* tests: Fix tests under cms.
OBS-URL: https://build.opensuse.org/request/show/1046530
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=282
- GnuPG 2.3.8:
* gpg: Do not consider unknown public keys as non-compliant while
decrypting.
* gpg: Avoid to emit a compliance mode line if Libgcrypt is
non-compliant.
* gpg: Improve --edit-key setpref command to ease c+p.
* gpg: Emit an ERROR status if --quick-set-primary-uid fails and
allow to pass the user ID by hash.
* gpg: Actually show symmetric+pubkey encrypted data as de-vs
compliant. Add extra compliance checks for symkey_enc packets.
* gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
preference.
* gpgsm: Fix reporting of bad passphrase error during PKCS#11
import.
* agent: Fix a regression in "READKEY --format=ssh".
* agent: New option --need-attr for KEYINFO.
* agent: New attribute "Remote-list" for use by KEYINFO.
* scd: Fix problem with Yubikey 5.4 firmware.
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
* dirmngr: New LDAP server flag "areconly" (A-record-only).
* dirmngr: Fix upload of multiple keys for an LDAP server specified
using the colon format.
* dirmngr: Use LDAP schema v2 when a Base DN is specified.
* dirmngr: Avoid caching expired certificates.
* wkd: Fix path traversal attack in gpg-wks-server. Add the mail
address to the pending request data.
* wkd: New command --mirror for gpg-wks-client.
* gpg-auth: New tool for authentication.
* New common.conf option no-autostart.
* Silence warnings from AllowSetForegroundWindow unless
OBS-URL: https://build.opensuse.org/request/show/1012076
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=280
- GnuPG 2.3.2:
* gpg: Allow fingerprint based lookup with --locate-external-key.
* gpg: Allow decryption w/o public key but with correct card inserted.
* gpg: Auto import keys specified with --trusted-keys.
* gpg: Do not use import-clean for LDAP keyserver imports.
* gpg: Fix mailbox based search via AKL keyserver method.
* gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
* gpg: Use a more descriptive prompt for symmetric decryption.
* gpg: Improve speed of secret key listing.
* gpg: Support keygrip search with traditional keyring.
* gpg: Let --fetch-key return an exit code on failure.
* gpg: Emit the NO_SECKEY status again for decryption.
* gpgsm: Support decryption of password based encryption (pwri).
* gpgsm: Support AES-GCM decryption.
* gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
* gpgsm: Fix finding of issuer in use-keyboxd mode.
* gpgsm: New option --ldapserver as an alias for --keyserver.
* agent: Use SHA-256 for SSH fingerprint by default.
* agent: Fix calling handle_pincache_put.
* agent: Fix importing protected secret key.
* agent: Fix a regression in agent_get_shadow_info_type.
* agent: Add translatable text for Caps Lock hint.
* agent: New option --pinentry-formatted-passphrase.
* agent: Add checkpin inquiry for pinentry.
* agent: New option --check-sym-passphrase-pattern.
* agent: Use the sysconfdir for a pattern file.
* agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
* dirmngr: LDAP search by a mailbox now ignores revoked keys.
* dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
* dirmngr: Allow for non-URL specified ldap keyservers.
OBS-URL: https://build.opensuse.org/request/show/914200
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=268
- GnuPG 2.3.1:
* The new configuration file common.conf is now used to enable
the use of the key database daemon with "use-keyboxd". Using
this option in gpg.conf and gpgsm.conf is supported for a
transitional period. See doc/example/common.conf for more.
* gpg: Force version 5 key creation for ed448 and cv448 algorithms.
* gpg: By default do not use the self-sigs-only option when
importing from an LDAP keyserver.
* gpg: Lookup a missing public key of the active card via LDAP.
* gpgsm: New command --show-certs.
* scd: Fix CCID driver for SCM SPR332/SPR532.
* scd: Further improvements for PKCS#15 cards.
* New configure option --with-tss to allow the selection of the
TSS library.
- Rebase patches:
* gnupg-add_legacy_FIPS_mode_option.patch
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-dont-fail-with-seahorse-agent.patch
* gnupg-set_umask_before_open_outfile.patch
- GnuPG 2.3.0:
* A new experimental key database daemon is provided. To enable
it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored
in a SQLite database and make key lookup much faster.
* New tool gpg-card as a flexible frontend for all types of
supported smartcards.
* New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
gpg-connect-agent.
* The gpg-wks-client tool is now installed under bin; a wrapper for
its old location at libexec is also installed.
OBS-URL: https://build.opensuse.org/request/show/899451
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=267
- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
* gpg: Changed the way keys are detected on a smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signature
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signature created with dsa1024 keys. The new
option --allow-weak-key-signatues can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deletring a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key sigantures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during in key listsing even with
OBS-URL: https://build.opensuse.org/request/show/751408
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=237
- Update to 2.2.17 [bsc#1141093]
* gpg: Do not try the import fallback if the options are already used.
* gpg: Fix regression in option "self-sigs-only".
* gpg: With --auto-key-retrieve prefer WKD over keyservers.
* gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
* gpg: Avoid printing false AKL error message.
* gpg: New command --locate-external-key.
* gpg: Make the get_pubkey_byname interface easier to understand.
* gpg: Fallback to import with self-sigs-only on too large keyblocks.
* gpg: New import and keyserver option "self-sigs-only"
* gpg: Make read_block in import.c more flexible.
* dirmngr: fix handling of HTTPS redirections during HKP.
* dirmngr: Avoid endless loop in case of HTTP error 503.
* dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.
* dirmngr: Support the new WKD draft with the openpgpkey subdomain.
* wkd: Change client/server limit back to 64 KiB.
* tools: gpgconf: Killing order is children-first.
* Return better error code for some getinfo IPC commands.
* po: Update Russian translation.
OBS-URL: https://build.opensuse.org/request/show/714630
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=233
- Update to 2.2.16
* gpg: Fixed i18n markup of some strings.
* gpg: Allow deletion of subkeys with --delete-[secret-]key.
* gpg: Do not bail on an invalid packet in the local keyring.
* gpg: Do not allow creation of user ids larger than our parser allows.
* gpg: Do not delete any keys if --dry-run is passed.
* gpg: Fix using --decrypt along with --use-embedded-filename.
* gpg: Improve the photo image viewer selection.
* gpg: enable OpenPGP export of cleartext keys with comments.
* gpg: Do not print a hint to use the deprecated --keyserver option.
* gpg: Change update_keysig_packet to replace SHA-1 by SHA-256.
* gpg: Use just the addrspec from the Signer's UID.
* gpg: Accept also armored data from the WKD.
* gpg: Set a limit of 5 to the number of keys imported from the WKD.
* gpg: Don't use EdDSA algo ID for ECDSA curves.
* agent: Stop scdaemon after reload when disable_scdaemon.
* agent: For SSH key, don't put NUL-byte at the end.
* agent: correct length for uri and comment on 64-bit big-endian platforms
* dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.
* dirmngr: Improve domaininfo cache update algorithm.
* dirmngr: Better error code for http status 413.
* g10: Fix possible null dereference.
* g10: Fix double free when locating by mbox.
* g10: Fix symmetric cipher algo constant for ECDH.
* sm: Avoid confusing diagnostic for the default key.
* sm: Fix a warning in an es_fopencooie function.
* gpgconf: Before --launch check that the config file is fine.
* gpgconf: Support --homedir for --launch.
* build: Update m4/iconv.m4.
* doc: correct documentation for gpgconf --kill.
OBS-URL: https://build.opensuse.org/request/show/706483
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=229
- Update to 2.2.14:
* gpg: Allow import of PGP desktop exported secret keys. Also avoid
importing secret keys if the secret keyblock is not valid.
* gpg: Do not error out on version 5 keys in the local keyring.
* gpg: Make invalid primary key algo obvious in key listings.
* sm: Do not mark a certificate in a key listing as de-vs compliant
if its use for a signature will not be possible.
* sm: Fix certificate creation with key on card.
* sm: Create rsa3072 bit certificates by default.
* sm: Print Yubikey attestation extensions with --dump-cert.
* agent: Fix cancellation handling for scdaemon.
* agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
* scd: Fix flushing of the CA-FPR DOs in app-openpgp.
* scd: Avoid a conflict error with the "undefined" app.
* dirmngr: Add CSRF protection exception for protonmail.
* dirmngr: Fix build problems with gcc 9 in libdns.
* gpgconf: New option --show-socket for use wity --launch.
* gpgtar: Make option -C work for archive creation.
- Removed patches that are included upstream by now:
- 0001-libdns-Avoid-using-compound-literals.patch
- 0002-libdns-Avoid-using-compound-literals-2.patch
- 0003-libdns-Avoid-using-compound-literals-3.patch
- 0004-libdns-Avoid-using-compound-literals-4.patch
- 0005-libdns-Avoid-using-compound-literals-5.patch
- 0006-libdns-Avoid-using-compound-literals-6.patch
- 0007-libdns-Avoid-using-compound-literals-7.patch
- 0008-libdns-Avoid-using-compound-literals-8.patch
OBS-URL: https://build.opensuse.org/request/show/686406
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=224
- Update to 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and response.
Release-info: https://dev.gnupg.org/T4290
See-also: gnupg-announce/2019q1/000434.html
- Update to 2.2.12:
OBS-URL: https://build.opensuse.org/request/show/674396
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=219
-Update to 2.2.12:
* tools: New commands --install-key and --remove-key for
gpg-wks-client. This allows to prepare a Web Key Directory on a
local file system for later upload to a web server.
* gpg: New --list-option "show-only-fpr-mbox". This makes the use
of the new gpg-wks-client --install-key command easier on Windows.
* gpg: Improve processing speed when --skip-verify is used.
* gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
option --with-agent-s2k-calibration=MSEC. [#3399]
* dirmngr: Try another keyserver from the pool on receiving a 502,
503, or 504 error. [#4175]
* dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP
query will not anymore follow a 3xx redirect unless the Location
header gives the same host. If the host is different only the
host and port is taken from the Location header and the original
path and query parts are kept.
* dirmngr: New command FLUSHCRL to flush all CRLS from disk and
memory. [#3967]
OBS-URL: https://build.opensuse.org/request/show/658084
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=217
- Update to 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver query.
* gpg: Do not store the TOFU trust model in the trustdb.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server.
* wks: Add option --with-colons to the client.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
OBS-URL: https://build.opensuse.org/request/show/646642
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=213
