From aheinecke at gnupg.org Mon Jul 15 07:24:43 2019 From: aheinecke at gnupg.org (Andre Heinecke) Date: Mon, 15 Jul 2019 07:24:43 +0200 Subject: [Gpg4win-users-en] Gpg4win 3.1.10 released Message-ID: <3811465.2aoXL7jEmz@esus> Hello, Gpg4win version 3.1.10 is released! https://www.gpg4win.org/download.html It is important to us that Gpg4win continues to be available as Free Software which can be downloaded anonymously without costs. Because we know that this is the only way for some people to get a software product which enables them to protect their communication. As Gpg4win maintenance needs to be funded nevertheless, we recommend that you set the price for yourself that shows the value of Gpg4win. Details about Gpg4win 3.1.10: https://files.gpg4win.org/README-3.1.10.en.txt Highlights in Gpg4win Version 3.1.10 (2019-07-14) ------------------------------------------- * GnuPG: Now ignores all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. See: https://wiki.gnupg.org/WKD for an alternative to the keyservers. * GpgOL: Important fixes, which include a fix for an issue that could cause the plaintext of E-Mails to be leaked to the server. More information: https://files.gpg4win.org/README-3.1.10.en.txt We like to thank the authors of the included packages and first of all, our supporters who made this release possible. With best regards your Gpg4win Development Team -- GnuPG.com - a brand of g10 Code, the GnuPG experts. g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459 GF Werner Koch, USt-Id DE215605608, www.g10code.com. GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board at gnupg.org Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: From aheinecke at gnupg.org Mon Jul 15 07:24:43 2019 From: aheinecke at gnupg.org (Andre Heinecke) Date: Mon, 15 Jul 2019 07:24:43 +0200 Subject: [Gpg4win-users-en] [Gpg4win-announce] Gpg4win 3.1.10 released Message-ID: <3811465.2aoXL7jEmz@esus> Hello, Gpg4win version 3.1.10 is released! https://www.gpg4win.org/download.html It is important to us that Gpg4win continues to be available as Free Software which can be downloaded anonymously without costs. Because we know that this is the only way for some people to get a software product which enables them to protect their communication. As Gpg4win maintenance needs to be funded nevertheless, we recommend that you set the price for yourself that shows the value of Gpg4win. Details about Gpg4win 3.1.10: https://files.gpg4win.org/README-3.1.10.en.txt Highlights in Gpg4win Version 3.1.10 (2019-07-14) ------------------------------------------- * GnuPG: Now ignores all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. See: https://wiki.gnupg.org/WKD for an alternative to the keyservers. * GpgOL: Important fixes, which include a fix for an issue that could cause the plaintext of E-Mails to be leaked to the server. More information: https://files.gpg4win.org/README-3.1.10.en.txt We like to thank the authors of the included packages and first of all, our supporters who made this release possible. With best regards your Gpg4win Development Team -- GnuPG.com - a brand of g10 Code, the GnuPG experts. g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459 GF Werner Koch, USt-Id DE215605608, www.g10code.com. GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board at gnupg.org Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: -------------- next part -------------- _______________________________________________ Gpg4win-announce mailing list Gpg4win-announce at wald.intevation.org https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-announce From dkg at fifthhorseman.net Wed Jul 31 03:28:10 2019 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 Jul 2019 21:28:10 -0400 Subject: [Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key " Message-ID: <87ftmnro0l.fsf@fifthhorseman.net> Hi gpg4win folks-- https://www.gpg4win.org/package-integrity.html suggests that there are two OpenPGP certificates that might be used to verify the integrity of gpg4win releases. Fetching those certificates and looking at them, i notice that the user ID on both certificates is: Intevation File Distribution Key When i tried to fetch them via WKD, though, only the older certificate is returned: 0 $ gpg --locate-key distribution-key at intevation.de gpg: key 7CBD620BEC70B1B8: public key "Intevation File Distribution Key " imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found pub dsa1024 2010-03-19 [SC] [expires: 2020-03-16] 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8 uid [ unknown] Intevation File Distribution Key 0 $ I think it would make more sense to publish both certificates in WKD, rather than just the older one. Could you make that change? Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: