GnuPG

GnuPG (also known as GPG or GNU Privacy Guard) is an open source, free and complete replacement for PGP (Pretty Good Privacy) developed because it does not use the patented IDEA algorithm that is used in PGP, and because it can be used without any restrictions.

An RFC2440 (OpenPGP) compliant application

Being written from scratch, GnuPG is a RFC2440 (OpenPGP) compliant application. It can be used as a filter program and provides far better functionality than Pretty Good Privacy, as well as some security enhancements over PGP 2.

Supports decryption of PGP 5/6/7 messages and numerous encryption algorithms

GnuPG is capable of decrypting and verifying PGP 5, 6 and 7 messages. It supports the DSA, RSA, AES, 3DES, Blowfish, Twofish, ElGamal, CAST5, SHA-1, MD5, TIGER and RIPE-MD-160 encryption algorithms, as well as S/MIME.

The project supports key and signature expiration dates, optional anonymous message receivers and HKP keyservers (wwwkeys.pgp.net). In addition, it allows users to encrypt and sign both their communication and data.

Among other notable features, we can mention a versatile key management system, access modules for all sorts of public key directories, as well as easy integration with other projects. A plethora of front-end applications for GnuPG are available for download on Softoware.

Under the hood and availability

GnuPG is a GNU project, a command-line application written entirely in the C programming language. It is distributed in two separate branches, version 1.4 and 2.0, available for download as a source archive, but installable from the default software repos of your favorite Linux OS.

Bottom line

Summing up, GnuPG is Linux’s best free and complete implementation of the OpenPGP standard as explained on the RFC4880 document located at http://www.ietf.org/rfc/rfc4880.txt.

With the GnuPG installed and configured on your GNU/Linux system, you will be able to send and view encrypted email messages, using any open source email client that supports the GnuPG standard.

What is new in this release:

• dirmngr: Fix recursive resolver mode and other bugs in the libdns code. [#3374,#3803,#3610]
• dirmngr: When using libgpg-error 1.32 or later a GnuPG build with NTBTLS support (e.g. the standard Windows installer) does not anymore block for dozens of seconds before returning data. If you still have problems on Windows, please consider to use one of the options disable-ipv4 or disable-ipv6.
• gpg: Fix bug in --show-keys which actually imported revocation certificates. [#4017]
• gpg: Ignore too long user-ID and comment packets. [#4022]
• gpg: Fix crash due to bad German translation. Improved printf format compile time check.
• gpg: Handle missing ISSUER sub packet gracefully in the presence of the new ISSUER_FPR. [#4046]
• gpg: Allow decryption using several passphrases in most cases. [#3795,#4050]
• gpg: Command --show-keys now enables the list options show-unusable-uids, show-unusable-subkeys, show-notations and show-policy-urls by default.
• gpg: Command --show-keys now prints revocation certificates. [#4018]
• gpg: Add revocation reason to the "rev" and "rvs" records of the option --with-colons. [#1173]
• gpg: Export option export-clean does now remove certain expired subkeys; export-minimal removes all expired subkeys. [#3622]
• gpg: New "usage" property for the drop-subkey filters. [#4019]

What is new in version 2.2.8:

• gpg: Decryption of messages not using the MDC mode will now lead to a hard failure even if a legacy cipher algorithm was used. The option --ignore-mdc-error can be used to turn this failure into a warning. Take care: Never use that option unconditionally or without a prior warning.
• gpg: The MDC encryption mode is now always used regardless of the cipher algorithm or any preferences. For testing --rfc2440 can be used to create a message without an MDC.
• gpg: Sanitize the diagnostic output of the original file name in verbose mode. [#4012,CVE-2018-12020]
• gpg: Detect suspicious multiple plaintext packets in a more reliable way. [#4000]
• gpg: Fix the duplicate key signature detection code. [#3994]
• gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, --disable-mdc and --no-disable-mdc have no more effect.
• agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the list of startup environment variables. [#3947]

What is new in version :

• gpg: Avoid duplicate key imports by concurrently running gpg processes. [#3446]
• gpg: Fix creating on-disk subkey with on-card primary key. [#3280]
• gpg: Fix validity retrieval for multiple keyrings. [Debian#878812]
• gpg: Fix --dry-run and import option show-only for secret keys.
• gpg: Print "sec" or "sbb" for secret keys with import option import-show. [#3431]
• gpg: Make import less verbose. [#3397]
• gpg: Add alias "Key-Grip" for parameter "Keygrip" and new parameter "Subkey-Grip" to unattended key generation. [#3478]
• gpg: Improve "factory-reset" command for OpenPGP cards. [#3286]
• gpg: Ease switching Gnuk tokens into ECC mode by using the magic keysize value 25519.
• gpgsm: Fix --with-colon listing in crt records for fields > 12.
• gpgsm: Do not expect X.509 keyids to be unique. [#1644]
• agent: Fix stucked Pinentry when using --max-passphrase-days. [#3190]
• agent: New option --s2k-count. [#3276 (workaround)]
• dirmngr: Do not follow https-to-http redirects. [#3436]
• dirmngr: Reduce default LDAP timeout from 100 to 15 seconds. [#3487]
• gpgconf: Ignore non-installed components for commands --apply-profile and --apply-defaults. [#3313]
• Add configure option --enable-werror. [#2423]

What is new in version 2.2.3:

• gpg: Avoid duplicate key imports by concurrently running gpg processes. [#3446]
• gpg: Fix creating on-disk subkey with on-card primary key. [#3280]
• gpg: Fix validity retrieval for multiple keyrings. [Debian#878812]
• gpg: Fix --dry-run and import option show-only for secret keys.
• gpg: Print "sec" or "sbb" for secret keys with import option import-show. [#3431]
• gpg: Make import less verbose. [#3397]
• gpg: Add alias "Key-Grip" for parameter "Keygrip" and new parameter "Subkey-Grip" to unattended key generation. [#3478]
• gpg: Improve "factory-reset" command for OpenPGP cards. [#3286]
• gpg: Ease switching Gnuk tokens into ECC mode by using the magic keysize value 25519.
• gpgsm: Fix --with-colon listing in crt records for fields > 12.
• gpgsm: Do not expect X.509 keyids to be unique. [#1644]
• agent: Fix stucked Pinentry when using --max-passphrase-days. [#3190]
• agent: New option --s2k-count. [#3276 (workaround)]
• dirmngr: Do not follow https-to-http redirects. [#3436]
• dirmngr: Reduce default LDAP timeout from 100 to 15 seconds. [#3487]
• gpgconf: Ignore non-installed components for commands --apply-profile and --apply-defaults. [#3313]
• Add configure option --enable-werror. [#2423]

What is new in version 2.2.0:

• This is the new long term stable branch. This branch will only see bug fixes and no new features.
• gpg: Reverted change done in 2.1.23 so that --no-auto-key-retrieve is again the default.
• Fixed a few minor bugs.
• This release incorporates all changes from the 2.1 series including these from the release candidate 2.1.23:
• gpg: "gpg" is now installed as "gpg" and not anymore as "gpg2". If needed, the new configure option --enable-gpg-is-gpg2 can be used to revert this.
• gpg: Option --auto-key-locate "local,wkd" is now used by default. Note: this enables keyserver and Web Key Directory operators to notice when you intend to encrypt to a mail address without having the key locally. This new behaviour will eventually make key discovery much easier and mostly automatic. Disable this by adding auto-key-locate local to your gpg.conf. [This description has been adjusted to include the above mentioned change in 2.2.0]
• agent: Option --no-grab is now the default. The new option --grab allows to revert this.
• gpg: New import option "show-only".
• gpg: New option --disable-dirmngr to entirely disable network access for gpg.
• gpg,gpgsm: Tweaked DE-VS compliance behaviour.
• New configure flag --enable-all-tests to run more extensive tests during "make check".
• gpgsm: The keygrip is now always printed in colon mode as documented in the man page.
• Fixed connection timeout problem under Windows.

What is new in version 2.1.8:

• gpg: Sending very large keys to the keyservers works again.
• gpg: Validity strings in key listings are now again translatable.
• gpg: Emit FAILURE status lines to help GPGME.
• gpg: Does not anymore link to Libksba to reduce dependencies.
• gpgsm: Export of secret keys via Assuan is now possible.
• agent: Raise the maximum passphrase length from 100 to 255 bytes.
• agent: Fix regression using EdDSA keys with ssh.
• Does not anymore use a build timestamp by default.
• The fallback encoding for broken locale settings changed from Latin-1 to UTF-8.
• Many code cleanups and improved internal documentation.
• Various minor bug fixes.

What is new in version 2.1.6:

• agent: New option --verify for the PASSWD command.
• gpgsm: Add command option "offline" as an alternative to --disable-dirmngr.
• gpg: Do not prompt multiple times for a password in pinentry loopback mode.
• Allow the use of debug category names with --debug.
• Using gpg-agent and gpg/gpgsm with different locales will now show the correct translations in Pinentry.
• gpg: Improve speed of --list-sigs and --check-sigs.
• gpg: Make --list-options show-sig-subpackets work again.
• gpg: Fix an export problem for old keyrings with PGP-2 keys.
• scd: Support PIN-pads on more readers.
• dirmngr: Properly cleanup zombie LDAP helper processes and avoid hangs on dirmngr shutdown.
• Various other bug fixes.

What is new in version 2.1.4:

• gpg: Add command --quick-adduid to non-interactively add a new user id to an existing key.
• gpg: Do no enable honor-keyserver-url by default. Make it work if enabled.
• gpg: Display the serial number in the --card-status output again.
• agent: Support for external password managers. Add option --no-allow-external-cache.
• scdaemon: Improved handling of extended APDUs.
• Make HTTP proxies work again.
• All network access including DNS as been moved to Dirmngr.
• Allow building without LDAP support.

What is new in version 2.1.2:

• gpg: The parameter 'Passphrase' for batch key generation works again.
• gpg: Using a passphrase option in batch mode now has the expected effect on --quick-gen-key.
• gpg: Improved reporting of unsupported PGP-2 keys.
• gpg: Added support for algo names when generating keys using --command-fd.
• gpg: Fixed DoS based on bogus and overlong key packets.
• agent: When setting --default-cache-ttl the value for --max-cache-ttl is adjusted to be not lower than the former.
• agent: Fixed problems with the new --extra-socket.
• agent: Made --allow-loopback-pinentry changeable with gpgconf.
• agent: Fixed importing of unprotected openpgp keys.
• agent: Now tries to use a fallback pinentry if the standard pinentry is not installed.
• scd: Added support for ECDH.
• Fixed several bugs related to bogus keyrings and improved some other code.

What is new in version 2.1.1:

• gpg: Detect faulty use of --verify on detached signatures.
• gpg: New import option "keep-ownertrust".
• gpg: New sub-command "factory-reset" for --card-edit.
• gpg: A stub key for smartcards is now created by --card-status.
• gpg: Fixed regression in --refresh-keys.
• gpg: Fixed regresion in %g and %p codes for --sig-notation.
• gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
• gpg: Improved perceived speed of secret key listisngs.
• gpg: Print number of skipped PGP-2 keys on import.
• gpg: Removed the option aliases --throw-keyid and --notation-data; use --throw-keyids and --set-notation instead.
• gpg: New import option "keep-ownertrust".
• gpg: Skip too large keys during import.
• gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or dirmngr.
• gpg-agent: New option --extra-socket to provide a restricted command set for use with remote clients.
• gpgconf --kill does not anymore start a service only to kill it.
• gpg-pconnect-agent: Add convenience option --uiserver.
• Fixed keyserver access for Windows.
• Fixed build problems on Mac OS X
• The Windows installer does now install development files
• More translations (but most of them are not complete).
• To support remotely mounted home directories, the IPC sockets may now be redirected. This feature requires Libassuan 2.2.0.
• Improved portability and the usual bunch of bug fixes.

What is new in version 2.1.0:

• The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported.
• All support for PGP-2 keys has been removed for security reasons.
• The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key.
• Support for Elliptic Curve Cryptography (ECC) is now available.
• Commands to create and sign keys from the command line without any extra prompts are now available.
• The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog.
• There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed.
• Problems with importing keys with the same long key id have been addressed.
• The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way.
• A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings.
• Revocation certificates are now created by default.
• Card support has been updated, new readers and token types are supported.
• The format of the key listing has been changed to better identify the properties of a key.
• The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement.
• Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use on TLS servers.

What is new in version 2.0.26:

• gpg: Fix a regression in 2.0.24 if a subkey id is given to --recv-keys et al.
• gpg: Cap attribute packets at 16MB.
• gpgsm: Auto-create the ".gnupg" home directory in the same way gpg does.
• scdaemon: Allow for certificates > 1024 when using PC/SC.

What is new in version 2.0.24:

• gpg: Avoid DoS due to garbled compressed data packets.
• gpg: Screen keyserver responses to avoid importing unwanted keys from rogue servers.
• gpg: The validity of user ids is now shown by default. To revert this add "list-options no-show-uid-validity" to gpg.conf.
• gpg: Print more specific reason codes with the INV_RECP status.
• gpg: Allow loading of a cert only key to an OpenPGP card.
• gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt 1.6.
• Minor bug fixes.

What is new in version 2.0.22:

• Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402]
• Improved support for some card readers.
• Prepared building with the forthcoming Libgcrypt 1.6.
• Protect against rogue keyservers sending secret keys.

What is new in version 2.0.18:

• Bug fix for newer versions of Libgcrypt.
• Support the SSH confirm flag and show SSH fingerprints in ssh related pinentries.
• Improved dirmngr/gpgsm interaction for OCSP.
• Allow generation of card keys up to 4096 bit.

What is new in version 2.0.17:

• Allow more hash algorithms with the OpenPGP v2 card.
• The gpg-agent now tests for a new gpg-agent.conf on a HUP.
• Fixed output of "gpgconf --check-options".
• Fixed a bug where Scdaemon sends a signal to Gpg-agent running in non-daemon mode.
• Fixed TTY management for pinentries and session variable update problem.
• Minor bug fixes.