- Update to 2.5.8:
* gpg: Show revocation reason with a standard -k listing. [T7083]
* gpg: Emit a revocation reason as comment in a "pub" record.
[T7083]
* agent: Fix regression in 2.5.7 decrypting with a card based
cv25519 key. [T7676]
* scd:openpgp: Fix a regression in exporting card based ed25519 ssh
keys. [T7589]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
[T7693]
- Remove patch:
* gnupg-agent-fix-for-prefix-0x40-in-the-point-representation.patch
OBS-URL: https://build.opensuse.org/request/show/1287470
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=330
* gpg: Allow updating a SHA-1 key certification w/o using
the --force-sign-key option. [T7663]
* gpg: The group key flag has now been fully implemented.
[rG8833a34bf0]
* gpg: Make combination of show-only-fpr-mbox and show-unusable-uid
work. [rGd5a4a2dc89]
* gpg: Do not allow compressed key packets on import. [T7014]
* gpgsm: Allow an empty subject DN also during import. [T7171]
* agent: Recover the old behavior with max-cache-ttl=0. [T6681]
* agent: Fix ECC key on smartcard for composite KEM with PQC.
[T7648]
* scd: Fix a harmless read buffer over-read in a function used by
PKCS#15 cards. [T7662]
* gpg-mail-tube,wks: Support templates for mail content. [T7381]
* Use the KEM interface of Libgcrypt for encryption/decryption.
[T7649]
- Remove patches:
* gnupg-agent-Recover-the-old-behavior-with-max-cache-ttl-0.patch
* gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch
- Update gpg2.keyring
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=326
* gpg: Add a flag to the filter expressions for left anchored
substring match. [rGc12b7d047e]
* gpg: New list option "show-trustsig" to avoid resorting to colon
mode for this info. [rG41d6ae8f41]
* gpg: New command --quick-tsign-key to create a trust signature.
[rGd90b290f97]
* gpg: New keygen parameter "User-Id". [rGcfd597c603]
* gpg: New list options "show-trustsig". [rGrG41d6ae8f41]
* gpg: Fix double free of internal data in no-sig-cache mode [T7547]
* gpg: Signatures from revoked or expired keys do not anymore show
up as missing keys. Fixes regression in 2.5.5. [T7583]
* gpgsm: Extend --learn-card by an optional s/n argument. [T7379]
* gpgsm: Skip expired certificates when selection a certificate by
subject. [rG4cf83273e8]
* card: New command "ll" as alias for "list --cards". [rGd6ee7adebe]
* scd:p15: Accept P15 cards with a zero-length label. [rGdb25aa9887]
* keyboxd: Use case-insensitive search for mail addresses. [T7576]
* dirmngr: Fix a problem in libdns related to an address change from
127.0.0.1. [T4021]
* gpgconf: Fix reload and kill of keyboxd. [T7569]
* Fix logic for certain recsel conditions. [rG8968e84903]
* Add Solaris support to get_signal_name. [T7638]
* Fix build error of the test shell on AIX. [T7632]
- Release-info: https://dev.gnupg.org/T7586
- Rebase patch gnupg-nobetasuffix.patch
- Remove patch gnupg-CVE-2025-30258-fix.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=322
* gpg: New option --disable-pqc-encryption. [rG00c31f8b04]
* gpg: Fix --quick-add-key for Weierstrass ECC with usage given. [T7506]
* gpg: Fix handling with no CRC armor. [T7071]
* gpg: New private Kyber keys are now cross-referenced using a new
Link attribute. [T6638]
* gpg: Fix an import problem with keys having another primary key as
a subkey. [T7527]
* gpgsm: Allow unattended PKCS#12 export without passphrase. [rG159e801043]
* gpgsm: Allow CSR generation with an unprotected key. [rG89055f24f4]
* agent: New option --change-std-env-name. [T7522]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG2469dc5aae]
* Do not package zlib and bzip2 object files in a speedo release build. [T7442]
* Rebase patches:
- gnupg-add_legacy_FIPS_mode_option.patch
- gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
- gnupg-revert-rfc4880bis.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=315
* gpg: Allow for signature subpackets of up to 30000 octets.
[rG36dbca3e69]
* gpg: Silence expired trusted-key diagnostics in quiet mode. [T7351]
* gpg: Allow smaller session keys with Kyber and enforce the use of
AES-256 if useful. [T7472]
* gpg: Fix regression in key generation from existing card key.
[T7309,T7457]
* gpg: Print a warning if the card backup key could not be written.
[T2169]
* The --supervised options of gpg-agent and dirmngr have been
renamed to --deprecated-supervised as preparation for their removal.
[rGa019a0fcd8]
* There is no more default for a keyserver.
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=313
- Update to 2.5.2:
* gpg: Add option 16 to --full-gen-key to create ECC+Kyber. [T6638]
* gpg: For composite algos add the algo string to the colons
listings. [T6638]
* gpg: Validate the trustdb after the import of a trusted key.
[T7200]
* gpg: Exclude expired trusted keys from the key validation process.
[T7200]
* gpg: Fix a wrong decryption failed status for signed and OCB
encrypted messages without a signature verification key. [T7042]
* gpg: Retain binary representation for import->export with Ed25519
key signatures. [T7426]
* gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo.
[T7425]
* gpg: Avoid a failure exit code for expired ultimately trusted
keys. [T7351]
* gpg: Emit status error for an invalid ADSK. [T7322]
* gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882]
* gpg: Fix --quick-set-expire for V5 subkey fingerprints. [T7298]
* gpg: Robust error handling for SCD READKEY. [T7309]
* gpg: Fix cv25519 v5 export regression. [T7316]
* gpgsm: Nearly fourfold speedup of validated certificate listings.
[T7308]
* gpgsm: Improvement for some rare P12 files. [rGf50dde6269]
* gpgsm: Terminate key listing on output write error. [T6185]
* agent: Add option --status to the LISTRUSTED command.
[rG4275d5fa7a]
* agent: Fix detection of the yet unused trustflag de-vs. [T5079]
* agent: Allow ssh to sign data larger than the Assuan line length.
[T7436]
OBS-URL: https://build.opensuse.org/request/show/1230099
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=309
* gpg: The support for composite Kyber+ECC public key algorithms
does now use the final FIPS-203 and LibrePGP specifications. The
experimental keys from 2.5.0 are no longer supported. [T6815]
* gpg: New commands --add-recipients and --change-recipients. [T1825]
* gpg: New option --proc-all-sigs. [T7261]
* gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195]
* gpg: Make --no-literal work again for -c and --store. [T5852]
* gpg: Improve detection of input data read errors. [T6528]
* gpg: Fix getting key by IPGP record (rfc-4398). [T7288]
* gpgsm: New option --assert-signer. [T7286]
* gpgsm: More improvements to PKCS#12 parsing to cope with latest
IVBB changes. [T7213]
* agent: Fix KEYTOCARD command when used with a loopback pinentry. [T7283]
* gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode. New option
--as-attach. [rG4511997e9e1b]
* Now uses the process spawn API from libgpg-error. [T7192,T7194]
* Removed the --enable-gpg-is-gpg2 configure time option.
[rG2125f228d36c]
* Rebase patches:
- gnupg-add_legacy_FIPS_mode_option.patch
- gnupg-revert-rfc4880bis.patch
- gnupg-nobetasuffix.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=306
- Update to 2.4.5:
* gpg,gpgv: New option --assert-pubkey-algo. [T6946]
* gpg: Emit status lines for errors in the compression layer. [T6977]
* gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
* gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
* gpgtar: Make --status-fd=2 work on Windows. [T6961]
* scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
* scd: Suport D-TRUST ECC cards. [T7000,T7001]
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards. [T6843]
* agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
* dirmngr: Trust system's root CAs for checking CRL issuers. [T6963]
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. [T6997]
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains. [rG37cc255e49]
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo". [rGa09157ccb2]
* Allow tilde expansion for the foo-program options. [T7017]
* Make the getswdb.sh tool usable outside the GnuPG tree.
* Release-info: https://dev.gnupg.org/T6960
* Update the required versions for the dependencies.
OBS-URL: https://build.opensuse.org/request/show/1156367
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=302
- Update to 2.4.4: [bsc#1219191]
* gpg: Do not keep an unprotected smartcard backup key on disk.
See https://gnupg.org/blog/20240125-smartcard-backup-key.html
for a security advisory. [T6944]
* gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
platforms. [T6736]
* gpg: Fix expiration time when Creation-Date is specified. [T5252]
* gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
* gpg: Add option --with-v5-fingerprint. [T6705]
* gpg: Add sub-option ignore-attributes to --import-options.
* gpg: Add --list-filter properties sig_expires/sig_expires_d.
* gpg: Fix validity of re-imported keys. [T6399]
* gpg: Report BEGIN_ status before examining the input. [T6481]
* gpg: Don't try to compress a read-only keybox. [T6811]
* gpg: Choose key from inserted card over a non-inserted card. [T6831]
* gpg: Allow to create revocations even with non-compliant algos. [T6929]
* gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
* gpg: Improve error message for expired default keys. [T4704]
* gpgsm: Add --always-trust feature. [T6559]
* gpgsm: Support ECC certificates in de-vs mode. [T6802]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
* keyboxd: Timeout on failure to get the database lock. [T6838]
* agent: Update the key stubs only if really modified. [T6829]
* scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
* scd: Add support for CardOS 5.4 cards. [rG812f988059]
* scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
* scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
* scd: Add a length check for a new PIN. [T6843]
* tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
OBS-URL: https://build.opensuse.org/request/show/1141611
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=300
- Install the internal executables in the /usr/libexec dir instead
of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
- Provide the systemd-user files since they have been removed
upstream since version 2.4.1. [bsc#1201564]
* Add gpg2-systemd-user.tar.xz
- Revert back to use the IBM TPM Software stack.
- Update to 2.4.3:
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors. [T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
OBS-URL: https://build.opensuse.org/request/show/1116649
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=292
- Install the systemd user units in the _userunitdir [bsc#1201564]
* Note that, there is no activation by default.
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313
* The original patch has been modified to expand the changes
also to the tests/gpgme/Makefile.in file.
* Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
OBS-URL: https://build.opensuse.org/request/show/1112814
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=289
- Update to 2.4.2:
* gpg: Print a warning if no more encryption subkeys are left over
after changing the expiration date. [rGef2c3d50fa]
* gpg: Fix searching for the ADSK key when adding an ADSK. [T6504]
* gpgsm: Speed up key listings on Windows. [rG08ff55bd44]
* gpgsm: Reduce the number of "failed to open policy file"
diagnostics. [rG68613a6a9d]
* agent: Make updating of private key files more robust and track
display S/N. [T6135]
* keyboxd: Avoid longish delays on Windows when listing keys.
[rG6944aefa3c]
* gpgtar: Emit extra status lines to help GPGME. [T6497]
* w32: Avoid using the VirtualStore. [T6403]
* Rebase gnupg-add_legacy_FIPS_mode_option.patch
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled. [rGd9e7488b17]
* gpg: New option --add-desig-revoker. [rG3d094e2bcf]
* gpg: New option --assert-signer. [rGc9e95b8dee]
* gpg: New command --quick-add-adsk and other ADSK features.
[T6395, https://gnupg.org/blog/20230321-adsk.html]
* gpg: New list-option "show-unusable-sigs". Also show "[self-signature]"
instead of the user-id in key signature listings. [rG103acfe9ca]
* gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367]
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats. [T6332]
* gpg: New subcommand "openpgp" for --card-edit. [T6462]
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used. [rG2a13f7f9dc]
OBS-URL: https://build.opensuse.org/request/show/1089861
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=287
- Temporarily revert back to the pre-2.4 default for key generation.
The new rfc4880bis has been set as the default in 2.4 version and
might create incompatible keys. Note that, rfc4880bis can still
be used with the option flag --rfc4880bis as in previous versions.
* More info in the gnupg-devel ML:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
* Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
* Add gnupg-revert-rfc4880bis.patch
- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
* Add gnupg-allow-large-rsa.patch
- Enable the regression tests: Fix the regression test suite that
fails with the IBM TPM Software stack. Builds fine using the Intel
TPM; use the swtpm and tpm2-0-tss-devel packages instead of
ibmswtpm2 and ibmtss-devel.
OBS-URL: https://build.opensuse.org/request/show/1083635
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=285
- Rebased patches:
* gnupg-add_legacy_FIPS_mode_option.patch
- Removed patches (already upstream):
* gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch
- Don't ship systemd examples, as they are removed from upstream
release tarball.
- Update to 2.4.1:
* If the ~/.gnupg directory does not exist, the keyboxd is now
automagically enabled.
* gpg: New option --add-desig-revoker.
* gpg: New option --assert-signer.
* gpg: New command --quick-add-adsk and other ADSK features.
* gpg: New list-option "show-unusable-sigs". Also show
"[self-signature]" instead of the user-id in key signature
listings.
* gpg: For symmetric encryption the default S2K hash is now SHA256.
* gpg: Detect already compressed data also when using a pipe. Also
detect JPEG and PNG file formats.
* gpg: New subcommand "openpgp" for --card-edit.
* gpgsm: Verification of detached signatures does now strip trailing
zeroes from the input if --assume-binary is used.
* gpgsm: Non-armored detached signature are now created without
using indefinite form length octets. This improves compatibility
with some PDF signature verification software.
* gpgtar: Emit progress status lines in create mode.
* dirmngr: The LDAP modifyTimestamp is now returned by some
keyserver commands.
* ssh: Allow specification of the order keys are presented to ssh.
See the man page entry for --enable-ssh-support.
* gpg: Make list-options "show-sig-subpackets" work again.
OBS-URL: https://build.opensuse.org/request/show/1083567
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=284
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
* common: Fix translations in --help for gpgrt < 1.47.
* gpg: Do not continue the export after a cancel for the primary key.
* gpg: Replace use of PRIu64 in log_debug.
* Update NEWS for 2.4.0.
* tests: Fix make check with GPGME.
* agent: Allow arguments to "scd serialno" in restricted mode.
* scd:p15: Skip deleted records.
* build: Remove Windows CE support.
* wkd: Do not send/install/mirror expired user ids.
* gpgsm: Print the revocation time also with --verify.
* gpgsm: Fix "problem re-searching certificate" case.
* gpgsm: Print revocation date and reason in cert listings.
* gpgsm: Silence the "non-critical certificate policy not allowed".
* gpgsm: Always use the chain model if the root-CA requests this.
* gpg: New export option "mode1003".
* gpg: Remove a mostly duplicated function.
* tests: Simplify fake-pinentry to use the option only.
* tests: Fix fake-pinentry for Windows.
* tests: Fix make check-all.
* agent: Fix import of protected v5 keys.
* gpgsm: Change default algo to AES-256.
* tests: Put a workaround for semihosted environment.
* tests: More fix for semihosted environment.
* tests: Support semihosted environment.
* tests: Fix tests under cms.
OBS-URL: https://build.opensuse.org/request/show/1046530
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=282
- GnuPG 2.3.8:
* gpg: Do not consider unknown public keys as non-compliant while
decrypting.
* gpg: Avoid to emit a compliance mode line if Libgcrypt is
non-compliant.
* gpg: Improve --edit-key setpref command to ease c+p.
* gpg: Emit an ERROR status if --quick-set-primary-uid fails and
allow to pass the user ID by hash.
* gpg: Actually show symmetric+pubkey encrypted data as de-vs
compliant. Add extra compliance checks for symkey_enc packets.
* gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
preference.
* gpgsm: Fix reporting of bad passphrase error during PKCS#11
import.
* agent: Fix a regression in "READKEY --format=ssh".
* agent: New option --need-attr for KEYINFO.
* agent: New attribute "Remote-list" for use by KEYINFO.
* scd: Fix problem with Yubikey 5.4 firmware.
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
* dirmngr: New LDAP server flag "areconly" (A-record-only).
* dirmngr: Fix upload of multiple keys for an LDAP server specified
using the colon format.
* dirmngr: Use LDAP schema v2 when a Base DN is specified.
* dirmngr: Avoid caching expired certificates.
* wkd: Fix path traversal attack in gpg-wks-server. Add the mail
address to the pending request data.
* wkd: New command --mirror for gpg-wks-client.
* gpg-auth: New tool for authentication.
* New common.conf option no-autostart.
* Silence warnings from AllowSetForegroundWindow unless
OBS-URL: https://build.opensuse.org/request/show/1012076
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=280
- GnuPG 2.3.2:
* gpg: Allow fingerprint based lookup with --locate-external-key.
* gpg: Allow decryption w/o public key but with correct card inserted.
* gpg: Auto import keys specified with --trusted-keys.
* gpg: Do not use import-clean for LDAP keyserver imports.
* gpg: Fix mailbox based search via AKL keyserver method.
* gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
* gpg: Use a more descriptive prompt for symmetric decryption.
* gpg: Improve speed of secret key listing.
* gpg: Support keygrip search with traditional keyring.
* gpg: Let --fetch-key return an exit code on failure.
* gpg: Emit the NO_SECKEY status again for decryption.
* gpgsm: Support decryption of password based encryption (pwri).
* gpgsm: Support AES-GCM decryption.
* gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
* gpgsm: Fix finding of issuer in use-keyboxd mode.
* gpgsm: New option --ldapserver as an alias for --keyserver.
* agent: Use SHA-256 for SSH fingerprint by default.
* agent: Fix calling handle_pincache_put.
* agent: Fix importing protected secret key.
* agent: Fix a regression in agent_get_shadow_info_type.
* agent: Add translatable text for Caps Lock hint.
* agent: New option --pinentry-formatted-passphrase.
* agent: Add checkpin inquiry for pinentry.
* agent: New option --check-sym-passphrase-pattern.
* agent: Use the sysconfdir for a pattern file.
* agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
* dirmngr: LDAP search by a mailbox now ignores revoked keys.
* dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
* dirmngr: Allow for non-URL specified ldap keyservers.
OBS-URL: https://build.opensuse.org/request/show/914200
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=268
- GnuPG 2.3.1:
* The new configuration file common.conf is now used to enable
the use of the key database daemon with "use-keyboxd". Using
this option in gpg.conf and gpgsm.conf is supported for a
transitional period. See doc/example/common.conf for more.
* gpg: Force version 5 key creation for ed448 and cv448 algorithms.
* gpg: By default do not use the self-sigs-only option when
importing from an LDAP keyserver.
* gpg: Lookup a missing public key of the active card via LDAP.
* gpgsm: New command --show-certs.
* scd: Fix CCID driver for SCM SPR332/SPR532.
* scd: Further improvements for PKCS#15 cards.
* New configure option --with-tss to allow the selection of the
TSS library.
- Rebase patches:
* gnupg-add_legacy_FIPS_mode_option.patch
* gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
* gnupg-dont-fail-with-seahorse-agent.patch
* gnupg-set_umask_before_open_outfile.patch
- GnuPG 2.3.0:
* A new experimental key database daemon is provided. To enable
it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored
in a SQLite database and make key lookup much faster.
* New tool gpg-card as a flexible frontend for all types of
supported smartcards.
* New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
gpg-connect-agent.
* The gpg-wks-client tool is now installed under bin; a wrapper for
its old location at libexec is also installed.
OBS-URL: https://build.opensuse.org/request/show/899451
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=267
- GnuPG 2.2.23:
* gpg: fix AHEAD preference list overflow boo#1176034 / CVE-2020-25125
* gpg: fix possible segv in the key cleaning code
* gpgsm: fix a minor RFC2253 parser gub
* scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations
- GnuPG 2.2.22:
* gpg: Change the default key algorithm to rsa3072
* gpg: Add regular expression support for Trust Signatures on
all platforms
* gpg: Ignore --personal-digest-prefs for ECDSA keys
* gpgsm: Make rsaPSS a de-vs compliant scheme
* gpgsm: Show also the SHA256 fingerprint in key listings
* gpgsm: Do not require a default keyring for --gpgconf-list
* gpg-agent: Default to extended key format and record the
creation time of keys
Add new option --disable-extended-key-format
* gpg-agent: Support the WAYLAND_DISPLAY envvar
* gpg-agent: Allow using --gpgconf-list even if HOME does not
exist
* gpg-agent: Make the Pinentry work even if the envvar TERM is
set to the empty string
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which
wrongly incremented the error counter when using the
"verify" command of "gpg --edit-key" with only the signature
key being present
* dirmngr: Better handle systems with disabled IPv6
* gpgpslit: Install tool. It was not installed in the past to
avoid conflicts with the version installed by GnuPG 1.4
OBS-URL: https://build.opensuse.org/request/show/831939
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=150
- GnuPG 2.2.23:
* gpg: fix AHEAD preference list overflow boo#1176034 / CVE-2020-25125
* gpg: fix possible segv in the key cleaning code
* gpgsm: fix a minor RFC2253 parser gub
* scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations
- GnuPG 2.2.22:
* gpg: Change the default key algorithm to rsa3072
* gpg: Add regular expression support for Trust Signatures on
all platforms
* gpg: Ignore --personal-digest-prefs for ECDSA keys
* gpgsm: Make rsaPSS a de-vs compliant scheme
* gpgsm: Show also the SHA256 fingerprint in key listings
* gpgsm: Do not require a default keyring for --gpgconf-list
* gpg-agent: Default to extended key format and record the
creation time of keys
Add new option --disable-extended-key-format
* gpg-agent: Support the WAYLAND_DISPLAY envvar
* gpg-agent: Allow using --gpgconf-list even if HOME does not
exist
* gpg-agent: Make the Pinentry work even if the envvar TERM is
set to the empty string
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which
wrongly incremented the error counter when using the
"verify" command of "gpg --edit-key" with only the signature
key being present
* dirmngr: Better handle systems with disabled IPv6
* gpgpslit: Install tool. It was not installed in the past to
avoid conflicts with the version installed by GnuPG 1.4
OBS-URL: https://build.opensuse.org/request/show/831939
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=150
- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
* gpg: Changed the way keys are detected on a smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signature
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signature created with dsa1024 keys. The new
option --allow-weak-key-signatues can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deletring a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key sigantures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during in key listsing even with
OBS-URL: https://build.opensuse.org/request/show/751408
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=237
- Update to 2.2.17 [bsc#1141093]
* gpg: Do not try the import fallback if the options are already used.
* gpg: Fix regression in option "self-sigs-only".
* gpg: With --auto-key-retrieve prefer WKD over keyservers.
* gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
* gpg: Avoid printing false AKL error message.
* gpg: New command --locate-external-key.
* gpg: Make the get_pubkey_byname interface easier to understand.
* gpg: Fallback to import with self-sigs-only on too large keyblocks.
* gpg: New import and keyserver option "self-sigs-only"
* gpg: Make read_block in import.c more flexible.
* dirmngr: fix handling of HTTPS redirections during HKP.
* dirmngr: Avoid endless loop in case of HTTP error 503.
* dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.
* dirmngr: Support the new WKD draft with the openpgpkey subdomain.
* wkd: Change client/server limit back to 64 KiB.
* tools: gpgconf: Killing order is children-first.
* Return better error code for some getinfo IPC commands.
* po: Update Russian translation.
OBS-URL: https://build.opensuse.org/request/show/714630
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=233
- Update to 2.2.16
* gpg: Fixed i18n markup of some strings.
* gpg: Allow deletion of subkeys with --delete-[secret-]key.
* gpg: Do not bail on an invalid packet in the local keyring.
* gpg: Do not allow creation of user ids larger than our parser allows.
* gpg: Do not delete any keys if --dry-run is passed.
* gpg: Fix using --decrypt along with --use-embedded-filename.
* gpg: Improve the photo image viewer selection.
* gpg: enable OpenPGP export of cleartext keys with comments.
* gpg: Do not print a hint to use the deprecated --keyserver option.
* gpg: Change update_keysig_packet to replace SHA-1 by SHA-256.
* gpg: Use just the addrspec from the Signer's UID.
* gpg: Accept also armored data from the WKD.
* gpg: Set a limit of 5 to the number of keys imported from the WKD.
* gpg: Don't use EdDSA algo ID for ECDSA curves.
* agent: Stop scdaemon after reload when disable_scdaemon.
* agent: For SSH key, don't put NUL-byte at the end.
* agent: correct length for uri and comment on 64-bit big-endian platforms
* dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.
* dirmngr: Improve domaininfo cache update algorithm.
* dirmngr: Better error code for http status 413.
* g10: Fix possible null dereference.
* g10: Fix double free when locating by mbox.
* g10: Fix symmetric cipher algo constant for ECDH.
* sm: Avoid confusing diagnostic for the default key.
* sm: Fix a warning in an es_fopencooie function.
* gpgconf: Before --launch check that the config file is fine.
* gpgconf: Support --homedir for --launch.
* build: Update m4/iconv.m4.
* doc: correct documentation for gpgconf --kill.
OBS-URL: https://build.opensuse.org/request/show/706483
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=229
- Update to 2.2.14:
* gpg: Allow import of PGP desktop exported secret keys. Also avoid
importing secret keys if the secret keyblock is not valid.
* gpg: Do not error out on version 5 keys in the local keyring.
* gpg: Make invalid primary key algo obvious in key listings.
* sm: Do not mark a certificate in a key listing as de-vs compliant
if its use for a signature will not be possible.
* sm: Fix certificate creation with key on card.
* sm: Create rsa3072 bit certificates by default.
* sm: Print Yubikey attestation extensions with --dump-cert.
* agent: Fix cancellation handling for scdaemon.
* agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
* scd: Fix flushing of the CA-FPR DOs in app-openpgp.
* scd: Avoid a conflict error with the "undefined" app.
* dirmngr: Add CSRF protection exception for protonmail.
* dirmngr: Fix build problems with gcc 9 in libdns.
* gpgconf: New option --show-socket for use wity --launch.
* gpgtar: Make option -C work for archive creation.
- Removed patches that are included upstream by now:
- 0001-libdns-Avoid-using-compound-literals.patch
- 0002-libdns-Avoid-using-compound-literals-2.patch
- 0003-libdns-Avoid-using-compound-literals-3.patch
- 0004-libdns-Avoid-using-compound-literals-4.patch
- 0005-libdns-Avoid-using-compound-literals-5.patch
- 0006-libdns-Avoid-using-compound-literals-6.patch
- 0007-libdns-Avoid-using-compound-literals-7.patch
- 0008-libdns-Avoid-using-compound-literals-8.patch
OBS-URL: https://build.opensuse.org/request/show/686406
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=224
- Update to 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and response.
Release-info: https://dev.gnupg.org/T4290
See-also: gnupg-announce/2019q1/000434.html
- Update to 2.2.12: (forwarded request 674396 from kbabioch)
OBS-URL: https://build.opensuse.org/request/show/674400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=135
- Update to 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and response.
Release-info: https://dev.gnupg.org/T4290
See-also: gnupg-announce/2019q1/000434.html
- Update to 2.2.12: (forwarded request 674396 from kbabioch)
OBS-URL: https://build.opensuse.org/request/show/674400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=135
- Update to 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and response.
Release-info: https://dev.gnupg.org/T4290
See-also: gnupg-announce/2019q1/000434.html
- Update to 2.2.12:
OBS-URL: https://build.opensuse.org/request/show/674396
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=219
-Update to 2.2.12:
* tools: New commands --install-key and --remove-key for
gpg-wks-client. This allows to prepare a Web Key Directory on a
local file system for later upload to a web server.
* gpg: New --list-option "show-only-fpr-mbox". This makes the use
of the new gpg-wks-client --install-key command easier on Windows.
* gpg: Improve processing speed when --skip-verify is used.
* gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
option --with-agent-s2k-calibration=MSEC. [#3399]
* dirmngr: Try another keyserver from the pool on receiving a 502,
503, or 504 error. [#4175]
* dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP
query will not anymore follow a 3xx redirect unless the Location
header gives the same host. If the host is different only the
host and port is taken from the Location header and the original
path and query parts are kept.
* dirmngr: New command FLUSHCRL to flush all CRLS from disk and
memory. [#3967]
OBS-URL: https://build.opensuse.org/request/show/658084
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=217
- Code no longer uses libcurl, remove from buildrequires.
- Update to 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver query.
* gpg: Do not store the TOFU trust model in the trustdb.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server.
* wks: Add option --with-colons to the client.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
OBS-URL: https://build.opensuse.org/request/show/648382
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=133
- Code no longer uses libcurl, remove from buildrequires.
- Update to 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver query.
* gpg: Do not store the TOFU trust model in the trustdb.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server.
* wks: Add option --with-colons to the client.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
OBS-URL: https://build.opensuse.org/request/show/648382
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=133
- Update to 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver query.
* gpg: Do not store the TOFU trust model in the trustdb.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server.
* wks: Add option --with-colons to the client.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
OBS-URL: https://build.opensuse.org/request/show/646642
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=213
- Applied spec-cleaner
- Refreshed patches
- Update to version 2.2.8:
* gpg: Decryption of messages not using the MDC mode will now lead to a
hard failure even if a legacy cipher algorithm was used. The option
--ignore-mdc-error can be used to turn this failure into a warning. Take
care: Never use that option unconditionally or without a prior warning.
* gpg: The MDC encryption mode is now always used regardless of the
cipher algorithm or any preferences. For testing --rfc2440 can be
used to create a message without an MDC.
* gpg: Sanitize the diagnostic output of the original file name in
verbose mode.
* gpg: Detect suspicious multiple plaintext packets in a more reliable way.
* gpg: Fix the duplicate key signature detection code.
* gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
--disable-mdc and --no-disable-mdc have no more effect.
* agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
list of startup environment variables.
OBS-URL: https://build.opensuse.org/request/show/615233
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=198
- upgrade to 2.1.0 (modern)
- The file "secring.gpg" is not anymore used to store the secret
keys. Merging of secret keys is now supported.
- All support for PGP-2 keys has been removed for security reasons.
- The standard key generation interface is now much leaner. This
will help a new user to quickly generate a suitable key.
- Support for Elliptic Curve Cryptography (ECC) is now available.
- Commands to create and sign keys from the command line without any
extra prompts are now available.
- The Pinentry may now show the new passphrase entry and the
passphrase confirmation entry in one dialog.
- There is no more need to manually start the gpg-agent. It is now
started by any part of GnuPG as needed.
- Problems with importing keys with the same long key id have been
addressed.
- The Dirmngr is now part of GnuPG proper and also takes care of
accessing keyserver.
- Keyserver pools are now handled in a smarter way.
- A new format for locally storing the public keys is now used.
This considerable speeds up operations on large keyrings.
- Revocation certificates are now created by default.
- Card support has been updated, new readers and token types are
supported.
- The format of the key listing has been changed to better identify
the properties of a key.
- The gpg-agent may now be used on Windows as a Pageant replacement
for Putty in the same way it is used for years on Unix as
ssh-agent replacement.
- Creation of X.509 certificates has been improved. It is now also
possible to export them directly in PKCS#8 and PEM format for use
OBS-URL: https://build.opensuse.org/request/show/260826
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79
- Mention some of the changes in Greg's version update
* GPG now accepts a space separated fingerprint as a user ID. This
allows to copy and paste the fingerprint from the key listing.
* GPG now uses the longest key ID available. Removed support for the
original HKP keyserver which is not anymore used by any site.
* Rebuild the trustdb after changing the option --min-cert-level.
* Ukrainian translation.
* Honor option --cert-digest-algo when creating a cert.
* Emit a DECRYPTION_INFO status line.
* Improved detection of JPEG files. (forwarded request 114352 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/114364
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=62
- Mention some of the changes in Greg's version update
* GPG now accepts a space separated fingerprint as a user ID. This
allows to copy and paste the fingerprint from the key listing.
* GPG now uses the longest key ID available. Removed support for the
original HKP keyserver which is not anymore used by any site.
* Rebuild the trustdb after changing the option --min-cert-level.
* Ukrainian translation.
* Honor option --cert-digest-algo when creating a cert.
* Emit a DECRYPTION_INFO status line.
* Improved detection of JPEG files. (forwarded request 114352 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/114364
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=62
- Mention some of the changes in Greg's version update
* GPG now accepts a space separated fingerprint as a user ID. This
allows to copy and paste the fingerprint from the key listing.
* GPG now uses the longest key ID available. Removed support for the
original HKP keyserver which is not anymore used by any site.
* Rebuild the trustdb after changing the option --min-cert-level.
* Ukrainian translation.
* Honor option --cert-digest-algo when creating a cert.
* Emit a DECRYPTION_INFO status line.
* Improved detection of JPEG files.
OBS-URL: https://build.opensuse.org/request/show/114352
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=48
#PATCH-FIX-UPSTREAM: bsc#1257395 CVE-2026-24883: denial of service due to long signature packet length causing parse_signature to return success with sig->data[] set to a NULL value
Patch21:gnupg-CVE-2026-24883.patch
#PATCH-FIX-UPSTREAM: bsc#1257396 CVE-2026-24882: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.