GnuPG 2.4.0 release

After five years of development, GnuPG 2.4.0 (GNU Privacy Guard) has been released. The toolkit implements the OpenPGP (RFC 4880) and S/MIME standards and provides utilities for data encryption, digital signatures, key management and access to public key servers.

GnuPG 2.4.0 is positioned as the first release of a new stable branch and incorporates the changes accumulated during the 2.3.x series. The 2.2 branch is now the old stable branch and will be supported until the end of 2024. The GnuPG 1.4 branch continues to be maintained as a classic series that needs minimal resources, suits embedded systems, and remains compatible with legacy encryption algorithms.

Key changes in GnuPG 2.4 compared to the previous 2.2 stable branch:

  • Added the keyboxd background process, which keeps the key database in an SQLite database and gives much faster key lookups. The new storage is opt-in: set the "use-keyboxd" option in common.conf to enable it.
  • Added the tpm2d background process, which lets TPM 2.0 chips protect private keys and perform the private-key operations (decryption and signing) inside the TPM.
  • A new gpg-card utility has been added that can be used as a flexible interface for all supported smartcard types.
  • Added the new gpg-auth utility for authentication.
  • Added a new common configuration file, common.conf, which is used to enable the keyboxd daemon without adding settings separately to gpg.conf and gpgsm.conf.
  • Support for version 5 keys and signatures, whose fingerprints are computed with SHA-256 instead of SHA-1.
  • The default public-key algorithms for new keys are ed25519 (signing) and cv25519 (encryption).
  • Added support for the AEAD modes OCB and EAX.
  • Added support for the 448-bit curves ed448 (signatures) and cv448 (X448, encryption).
  • Group names may be used in key listings.
  • Added the "--chuid" option to gpg, gpgsm, gpgconf, gpg-card and gpg-connect-agent to run as a different user ID.
  • On Windows, the command line is fully Unicode-aware.
  • Added the "--with-tss" build option to select the TSS library used by tpm2d.
  • gpgsm gained basic ECC support and can generate EdDSA certificates. Added support for decrypting password-encrypted data and for AES-GCM decryption. Added the new options "--ldapserver" and "--show-certs".
  • gpg-agent can use a "Label:" entry in the private-key file to customize the PIN prompt. Implemented the ssh-agent extension for environment variables. Added Win32-OpenSSH emulation via gpg-agent. SSH key fingerprints are shown with SHA-256 by default. Added the "--pinentry-formatted-passphrase" and "--check-sym-passphrase-pattern" options.
  • scd's support for multiple card readers and tokens has been improved, and multiple applications can be used on one smart card. Added support for PIV cards, Telesec Signature Card v2.0 and Rohde & Schwarz Cybersecurity cards. Added the new options "--application-priority" and "--pcsc-shared".
  • Added the "--show-configs" option to gpgconf.
  • gpg changes:
    • Added the "--list-filter" option for selective key listings, for example "gpg -k --list-filter 'select=revoked-f && sub/algostr=ed25519'".
    • Added new commands and options: "--quick-update-pref", the list options "show-pref" and "show-pref-verbose", the export filter "export-revocs", "--full-timestrings", "--min-rsa-length", "--forbid-gen-key", "--override-compliance-check", "--force-sign-key", and "--no-auto-trust-new-key".
    • Added support for importing custom revocation certificates.
    • Signature verification is 10 or more times faster.
    • Signature validity now takes the "--sender" option and the signer's user ID into account.
    • Ed448 keys can be exported for use with SSH.
    • Only OCB mode is allowed when creating AEAD-encrypted data.
    • Decryption is allowed even when the public key is not available, provided the private key is on an inserted smart card.
    • Using ed448 or cv448 now forces generation of version 5 keys.
    • When importing from an LDAP server, the "self-sigs-only" import option is disabled by default.
  • gpg no longer uses ciphers with a 64-bit block size for encryption: 3DES is refused and AES is the minimum supported algorithm. The "--allow-old-cipher-algos" option lifts this restriction.
  • The symcryptrun utility (a deprecated wrapper around the external Chiasmus program) has been removed.
  • The deprecated PKA key discovery method and its associated options have been removed.
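As an added example (not GnuPG's own code and not part of the original announcement), the following Python script audits a 2.2-era gpg.conf and common.conf against the changes listed above: cipher settings that name 64-bit block ciphers (refused by 2.4 unless "allow-old-cipher-algos" is set), the removed PKA auto-key-locate mechanism and its verify-options, and whether keyboxd has been opted into. The option and algorithm names are real gpg identifiers; the function names, the severity scheme and the sample configuration are assumptions of this example.

```python
# Added example (not GnuPG's own code): audit a GnuPG 2.2 configuration for
# settings that the 2.4 changes will reject or change.  The rules come from
# the release notes: encryption with 64-bit block ciphers is refused unless
# allow-old-cipher-algos is set, PKA and its options are gone, and keyboxd
# is opt-in via "use-keyboxd" in common.conf.  Function names are mine.
from typing import Dict, List, Tuple

# gpg cipher names with a 64-bit block; AES*, TWOFISH and CAMELLIA* are 128-bit.
OLD_CIPHERS = {"3DES", "CAST5", "BLOWFISH", "IDEA"}
# gpg.conf options whose value names one or more symmetric ciphers.
CIPHER_OPTIONS = {"cipher-algo", "s2k-cipher-algo",
                  "personal-cipher-preferences", "default-preference-list"}
# verify-options values tied to PKA that no longer exist in 2.4.
PKA_VERIFY_OPTIONS = {"pka-lookups", "pka-trust-increase"}


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Split gpg.conf-style text into (option, value) pairs.

    Options are written one per line without leading dashes; lines starting
    with '#' are comments and blank lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lstrip("-"), value))
    return entries


def audit_gpg_conf(gpg_conf: str, common_conf: str = "") -> Dict[str, List[str]]:
    """Return findings keyed by severity for a gpg.conf and optional common.conf."""
    findings: Dict[str, List[str]] = {"errors": [], "warnings": [], "info": []}
    entries = parse_conf(gpg_conf)
    options = {opt for opt, _ in entries}
    old_ciphers_used = False

    for opt, val in entries:
        if opt in CIPHER_OPTIONS:
            # Preference lists may also name hashes and compressors; the
            # intersection keeps only the 64-bit ciphers.
            old = sorted({a.upper() for a in val.split()} & OLD_CIPHERS)
            if old:
                old_ciphers_used = True
                msg = f"{opt}: {', '.join(old)} have a 64-bit block size"
                if "allow-old-cipher-algos" in options:
                    findings["warnings"].append(
                        msg + "; only accepted because allow-old-cipher-algos is set")
                else:
                    findings["errors"].append(
                        msg + "; 2.4 refuses them without allow-old-cipher-algos")
        elif opt == "auto-key-locate":
            if "pka" in {m.strip().lower() for m in val.split(",")}:
                findings["errors"].append(
                    "auto-key-locate: the pka mechanism was removed in 2.4")
        elif opt == "verify-options":
            gone = sorted({v.strip().lower() for v in val.split(",")} & PKA_VERIFY_OPTIONS)
            if gone:
                findings["errors"].append(
                    f"verify-options: {', '.join(gone)} were removed with PKA")

    if "allow-old-cipher-algos" in options and not old_ciphers_used:
        findings["warnings"].append(
            "allow-old-cipher-algos is set but no 64-bit cipher is configured; "
            "drop it to keep AES as the minimum")

    if any(opt == "use-keyboxd" for opt, _ in parse_conf(common_conf)):
        findings["info"].append("keyboxd enabled via common.conf")
    else:
        findings["info"].append(
            "keyboxd not enabled; add use-keyboxd to common.conf to opt in")
    return findings


# Constructed sample of a 2.2-era gpg.conf, not taken from any real system.
SAMPLE_GPG_CONF = """\
# legacy preferences kept for an old correspondent
personal-cipher-preferences AES256 AES CAST5 3DES
s2k-cipher-algo AES256
auto-key-locate local,pka,wkd
verify-options show-uid-validity,pka-lookups
"""

if __name__ == "__main__":
    for severity, items in audit_gpg_conf(SAMPLE_GPG_CONF).items():
        for item in items:
            print(f"[{severity}] {item}")
```

Run it against your own files before upgrading by passing the contents of gpg.conf and common.conf to audit_gpg_conf(); an "errors" entry is a setting the release notes say 2.4 no longer accepts, and a "warnings" entry is one that only keeps working because the legacy escape hatch is enabled.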

Source: opennet.ru
