- Update to 2.5.2:
* gpg: Add option 16 to --full-gen-key to create ECC+Kyber. [T6638]
* gpg: For composite algos add the algo string to the colons
listings. [T6638]
* gpg: Validate the trustdb after the import of a trusted key.
[T7200]
* gpg: Exclude expired trusted keys from the key validation process.
[T7200]
* gpg: Fix a wrong decryption failed status for signed and OCB
encrypted messages without a signature verification key. [T7042]
* gpg: Retain binary representation for import->export with Ed25519
key signatures. [T7426]
* gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo.
[T7425]
* gpg: Avoid a failure exit code for expired ultimately trusted
keys. [T7351]
* gpg: Emit status error for an invalid ADSK. [T7322]
* gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882]
* gpg: Fix --quick-set-expire for V5 subkey fingerprints. [T7298]
* gpg: Robust error handling for SCD READKEY. [T7309]
* gpg: Fix cv25519 v5 export regression. [T7316]
* gpgsm: Nearly fourfold speedup of validated certificate listings.
[T7308]
* gpgsm: Improvement for some rare P12 files. [rGf50dde6269]
* gpgsm: Terminate key listing on output write error. [T6185]
* agent: Add option --status to the LISTRUSTED command.
[rG4275d5fa7a]
* agent: Fix detection of the yet unused trustflag de-vs. [T5079]
* agent: Allow ssh to sign data larger than the Assuan line length.
[T7436]
OBS-URL: https://build.opensuse.org/request/show/1230099
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=309
* gpg: The support for composite Kyber+ECC public key algorithms
does now use the final FIPS-203 and LibrePGP specifications. The
experimental keys from 2.5.0 are no longer supported. [T6815]
* gpg: New commands --add-recipients and --change-recipients. [T1825]
* gpg: New option --proc-all-sigs. [T7261]
* gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195]
* gpg: Make --no-literal work again for -c and --store. [T5852]
* gpg: Improve detection of input data read errors. [T6528]
* gpg: Fix getting key by IPGP record (rfc-4398). [T7288]
* gpgsm: New option --assert-signer. [T7286]
* gpgsm: More improvements to PKCS#12 parsing to cope with latest
IVBB changes. [T7213]
* agent: Fix KEYTOCARD command when used with a loopback pinentry. [T7283]
* gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode. New option
--as-attach. [rG4511997e9e1b]
* Now uses the process spawn API from libgpg-error. [T7192,T7194]
* Removed the --enable-gpg-is-gpg2 configure time option.
[rG2125f228d36c]
* Rebase patches:
- gnupg-add_legacy_FIPS_mode_option.patch
- gnupg-revert-rfc4880bis.patch
- gnupg-nobetasuffix.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=306
- Update to 2.4.5:
* gpg,gpgv: New option --assert-pubkey-algo. [T6946]
* gpg: Emit status lines for errors in the compression layer. [T6977]
* gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
* gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
* gpgtar: Make --status-fd=2 work on Windows. [T6961]
* scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
* scd: Suport D-TRUST ECC cards. [T7000,T7001]
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards. [T6843]
* agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
* dirmngr: Trust system's root CAs for checking CRL issuers. [T6963]
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. [T6997]
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains. [rG37cc255e49]
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo". [rGa09157ccb2]
* Allow tilde expansion for the foo-program options. [T7017]
* Make the getswdb.sh tool usable outside the GnuPG tree.
* Release-info: https://dev.gnupg.org/T6960
* Update the required versions for the dependencies.
OBS-URL: https://build.opensuse.org/request/show/1156367
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=302
- Update to 2.4.4: [bsc#1219191]
* gpg: Do not keep an unprotected smartcard backup key on disk.
See https://gnupg.org/blog/20240125-smartcard-backup-key.html
for a security advisory. [T6944]
* gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
platforms. [T6736]
* gpg: Fix expiration time when Creation-Date is specified. [T5252]
* gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
* gpg: Add option --with-v5-fingerprint. [T6705]
* gpg: Add sub-option ignore-attributes to --import-options.
* gpg: Add --list-filter properties sig_expires/sig_expires_d.
* gpg: Fix validity of re-imported keys. [T6399]
* gpg: Report BEGIN_ status before examining the input. [T6481]
* gpg: Don't try to compress a read-only keybox. [T6811]
* gpg: Choose key from inserted card over a non-inserted card. [T6831]
* gpg: Allow to create revocations even with non-compliant algos. [T6929]
* gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
* gpg: Improve error message for expired default keys. [T4704]
* gpgsm: Add --always-trust feature. [T6559]
* gpgsm: Support ECC certificates in de-vs mode. [T6802]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
* keyboxd: Timeout on failure to get the database lock. [T6838]
* agent: Update the key stubs only if really modified. [T6829]
* scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
* scd: Add support for CardOS 5.4 cards. [rG812f988059]
* scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
* scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
* scd: Add a length check for a new PIN. [T6843]
* tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
OBS-URL: https://build.opensuse.org/request/show/1141611
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=300
- Install the internal executables in the /usr/libexec dir instead
of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
- Provide the systemd-user files since they have been removed
upstream since version 2.4.1. [bsc#1201564]
* Add gpg2-systemd-user.tar.xz
- Revert back to use the IBM TPM Software stack.
- Update to 2.4.3:
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors. [T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
OBS-URL: https://build.opensuse.org/request/show/1116649
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=292
- Install the systemd user units in the _userunitdir [bsc#1201564]
* Note that, there is no activation by default.
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313
* The original patch has been modified to expand the changes
also to the tests/gpgme/Makefile.in file.
* Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
OBS-URL: https://build.opensuse.org/request/show/1112814
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=289
- Update to 2.4.2:
* gpg: Print a warning if no more encryption subkeys are left over
after changing the expiration date. [rGef2c3d50fa]
* gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
* gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
* gpgsm: Reduce the number of "failed to open policy file"
diagnostics. [rG68613a6a9d]
* agent: Make updating of private key files more robust and track
display S/N. [T6135]
* keyboxd: Avoid longish delays on Windows when listing keys.
[rG6944aefa3c]
* gpgtar: Emit extra status lines to help GPGME. [T6497]
* w32: Avoid using the VirtualStore. [T6403]
* Rebase gnupg-add_legacy_FIPS_mode_option.patch
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled. [rGd9e7488b17]
* gpg: New option --add-desig-revoker. [rG3d094e2bcf]
* gpg: New option --assert-signer. [rGc9e95b8dee]
* gpg: New command --quick-add-adsk and other ADSK features.
[T6395, https://gnupg.org/blog/20230321-adsk.html]
* gpg: New list-option "show-unusable-sigs". Also show "[self-signature]"
instead of the user-id in key signature listings. [rG103acfe9ca]
* gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367]
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats. [T6332]
* gpg: New subcommand "openpgp" for --card-edit. [T6462]
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
OBS-URL: https://build.opensuse.org/request/show/1089861
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=287
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Enable the regression tests: Fix the regression test suite that
fails with the IBM TPM Software stack. Builds fine using the Intel
TPM; use the swtpm and tpm2-0-tss-devel packages instead of
ibmswtpm2 and ibmtss-devel.
OBS-URL: https://build.opensuse.org/request/show/1083635
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=285
- Rebased patches:
* gnupg-add_legacy_FIPS_mode_option.patch
- Removed patches (already upstream):
* gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Don't ship systemd examples, as they are removed from upstream
release tarball.
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled.
* gpg: New option --add-desig-revoker.
* gpg: New option --assert-signer.
* gpg: New command --quick-add-adsk and other ADSK features.
* gpg: New list-option "show-unusable-sigs". Also show
"[self-signature]" instead of the user-id in key signature
listings.
* gpg: For symmetric encryption the default S2K hash is now SHA256.
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats.
* gpg: New subcommand "openpgp" for --card-edit.
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used.
* gpgsm: Non-armored detached signature are now created without
using indefinite form length octets. This improves compatibility
with some PDF signature verification software.
* gpgtar: Emit progress status lines in create mode.
* dirmngr: The LDAP modifyTimestamp is now returned by some
keyserver commands.
* ssh: Allow specification of the order keys are presented to ssh.
See the man page entry for --enable-ssh-support.
* gpg: Make list-options "show-sig-subpackets" work again.
OBS-URL: https://build.opensuse.org/request/show/1083567
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=284
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
* agent: Allow arguments to "scd serialno" in restricted mode.
* scd:p15: Skip deleted records.
* build: Remove Windows CE support.
* wkd: Do not send/install/mirror expired user ids.
* gpgsm: Print the revocation time also with --verify.
* gpgsm: Fix "problem re-searching certificate" case.
* gpgsm: Print revocation date and reason in cert listings.
* gpgsm: Silence the "non-critical certificate policy not allowed".
* gpgsm: Always use the chain model if the root-CA requests this.
* gpg: New export option "mode1003".
* gpg: Remove a mostly duplicated function.
* tests: Simplify fake-pinentry to use the option only.
* tests: Fix fake-pinentry for Windows.
* tests: Fix make check-all.
* agent: Fix import of protected v5 keys.
* gpgsm: Change default algo to AES-256.
* tests: Put a workaround for semihosted environment.
* tests: More fix for semihosted environment.
* tests: Support semihosted environment.
* tests: Fix tests under cms.
OBS-URL: https://build.opensuse.org/request/show/1046530
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=282
- GnuPG 2.3.8:
* gpg: Do not consider unknown public keys as non-compliant while
decrypting.
* gpg: Avoid to emit a compliance mode line if Libgcrypt is
non-compliant.
* gpg: Improve --edit-key setpref command to ease c+p.
* gpg: Emit an ERROR status if --quick-set-primary-uid fails and
allow to pass the user ID by hash.
* gpg: Actually show symmetric+pubkey encrypted data as de-vs
compliant. Add extra compliance checks for symkey_enc packets.
* gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
preference.
* gpgsm: Fix reporting of bad passphrase error during PKCS#11
import.
* agent: Fix a regression in "READKEY --format=ssh".
* agent: New option --need-attr for KEYINFO.
* agent: New attribute "Remote-list" for use by KEYINFO.
* scd: Fix problem with Yubikey 5.4 firmware.
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
* dirmngr: New LDAP server flag "areconly" (A-record-only).
* dirmngr: Fix upload of multiple keys for an LDAP server specified
using the colon format.
* dirmngr: Use LDAP schema v2 when a Base DN is specified.
* dirmngr: Avoid caching expired certificates.
* wkd: Fix path traversal attack in gpg-wks-server. Add the mail
address to the pending request data.
* wkd: New command --mirror for gpg-wks-client.
* gpg-auth: New tool for authentication.
* New common.conf option no-autostart.
* Silence warnings from AllowSetForegroundWindow unless
OBS-URL: https://build.opensuse.org/request/show/1012076
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=280
