[Gpg4win-announce] Install GnuPG-2.2.32 to fix WKD and keyserver access

Bernhard Reiter bernhard at intevation.de
Tue Oct 19 15:35:33 CEST 2021


Hello Users and Supporters of Gpg4win,

If you currently have problems accessing keyservers,
or if you fetch public keys via WKD (web key directory),
you should install the GnuPG update on top of Gpg4win-3.1.16
to fix a problem with Let's Encrypt TLS certificates for those connections.

The easiest way is to download and run the installer:

    https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.32_20211006.exe

When in doubt, do the install.
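If you are unsure whether your installed GnuPG already carries the fix, the following added example (not part of Gpg4win or GnuPG) parses the first line of `gpg --version` and compares it against the fixed releases named in this mail, 2.2.32 for the 2.2 series and 2.3.3 for the 2.3 series. The sample output embedded in the script is constructed; the function names and the rule that later series count as fixed are this example's own assumptions.

```python
"""Check whether the installed GnuPG already carries the Let's Encrypt fix.

Added example for this announcement; it is not part of Gpg4win or GnuPG.
It parses the first line of `gpg --version` and compares the version with
the fixed releases named in the announcement: 2.2.32 for the 2.2 series and
2.3.3 for the 2.3 series.
"""
import re
import shutil
import subprocess

# Earliest release with the fix, per series, as given in the announcement.
FIXED_VERSIONS = {(2, 2): (2, 2, 32), (2, 3): (2, 3, 3)}

# Constructed sample of `gpg --version` output from a build that predates the fix.
SAMPLE_OUTPUT = """gpg (GnuPG) 2.2.28
libgcrypt 1.9.3
Copyright (C) 2021 Free Software Foundation, Inc.
"""


def parse_gpg_version(output):
    """Return (major, minor, patch) from the first line of `gpg --version` output."""
    match = re.match(r"gpg \(GnuPG\) (\d+)\.(\d+)\.(\d+)", output.lstrip())
    if not match:
        raise ValueError("unrecognised gpg --version output")
    return tuple(int(part) for part in match.groups())


def has_keyserver_tls_fix(version):
    """True if this version is at or past the fixed release of its series.

    Series newer than 2.3 were released after the fix and are treated as
    fixed; older series (2.1, 2.0, 1.4) are treated as not fixed by this
    check (assumption of this example).
    """
    series = version[:2]
    if series in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[series]
    return series > (2, 3)


def installed_gpg_version():
    """Run the gpg found on PATH and parse its version; None if there is no gpg."""
    if shutil.which("gpg") is None:
        return None
    result = subprocess.run(["gpg", "--version"], capture_output=True,
                            text=True, check=True)
    return parse_gpg_version(result.stdout)


if __name__ == "__main__":
    version = installed_gpg_version()
    if version is None:
        print("gpg not found on PATH")
    else:
        state = "has" if has_keyserver_tls_fix(version) else "lacks"
        print("GnuPG %d.%d.%d %s the keyserver/WKD TLS fix" % (version + (state,)))
```

Run it from the same shell in which you use gpg, so that the gpg on PATH is the one Gpg4win installed; if it reports "lacks", install the update above.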


== Details
Corresponding OpenPGP signature 
(usually not needed, see https://www.gpg4win.org/package-integrity.html)
    https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.32_20211006.exe.sig

If you want to try the new GnuPG 2.3 series, you can. Version 2.3.3
has the fix as well.

=== What is the problem being fixed?
Let's Encrypt (LE) issues TLS certificates which are widely used to secure
connections to servers. This includes many keyservers (an area where
development is going on for other reasons; for example
https://spider.pgpkeys.eu/ shows some new decentralised public keyservers),
and it includes some sites offering public keys via a web key directory (WKD).

Let's Encrypt used a bit of a trick to still support old Android
devices, where - in my understanding - it is impossible to update the root
certificate store, but some expiration dates are ignored. So LE got an
intermediate certificate issued by a root certificate that has now expired.
Simply put, there are now two validation paths for this LE certificate, one
being invalid and one being valid. The logic in GnuPG needed adjustment
to pick the valid one. The other potential solution, removing the outdated
root certificate from your certificate software's trust store, does not work
in situations where the operating system or the webserver still delivers
the expired root certificate.
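
To make the two validation paths concrete, here is an added, deliberately simplified model. It is not GnuPG's or dirmngr's code: signatures are not checked, a certificate is just a record of subject, issuer and expiry date, the leaf name and the dates are constructed, and only the issuer names follow the Let's Encrypt chain (ISRG Root X1, cross-signed by the expired DST Root CA X3, issuing the R3 intermediate). It contrasts a validator that walks the chain exactly as the server sent it with one that builds its own path and prefers a root from the local trust store over a server-supplied cross-signed certificate, and it also shows why deleting the expired root from the local store does not rescue the naive validator when the server still delivers that root.

```python
"""Simplified model of the two Let's Encrypt validation paths.

Added illustration, not code from GnuPG or Gpg4win. A certificate is a
record with subject, issuer and expiry date; signatures are not modelled.
Names follow the Let's Encrypt chain (ISRG Root X1, cross-signed by the
expired DST Root CA X3, issuing the R3 intermediate); the dates and the
leaf name are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    def valid_on(self, day):
        return day <= self.not_after


# Self-signed roots in the client's trust store. The DST root has expired
# but is still present, as on systems where it cannot be removed.
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
TRUST_STORE = {c.subject: c for c in (ISRG_ROOT, DST_ROOT)}

# Chain as a keyserver or WKD host delivers it: leaf, R3, and ISRG Root X1
# cross-signed by DST Root CA X3 (the "trick" for old Android devices).
SERVER_CHAIN = [
    Cert("keys.example", "R3", date(2022, 1, 1)),
    Cert("R3", "ISRG Root X1", date(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),
]

ANNOUNCEMENT_DAY = date(2021, 10, 19)  # after the DST root expired
BEFORE_DST_EXPIRY = date(2021, 6, 1)   # while both paths still validated


def follow_server_chain(chain, store, day):
    """Naive validator: take the chain in the order the server sent it."""
    for cert in chain:
        if not cert.valid_on(day):
            return False, f"{cert.subject} (issued by {cert.issuer}) has expired"
    top = chain[-1]
    anchor = store.get(top.issuer)
    if anchor is None:
        return False, f"no trust anchor for {top.issuer}"
    if not anchor.valid_on(day):
        return False, f"trust anchor {anchor.subject} has expired"
    path = chain if top == anchor else chain + [anchor]
    return True, " -> ".join(c.subject for c in path)


def find_valid_path(leaf, extras, store, day):
    """Path-building validator: try every certificate whose subject matches
    the issuer name, trust-store entries first, and return the first chain
    that ends at an unexpired trust anchor (None if there is none). The
    server-supplied cross-signed ISRG Root X1 is therefore only used if the
    trust store has no usable ISRG Root X1 of its own."""
    def search(cert, path):
        path = path + [cert]
        if not cert.valid_on(day):
            return None
        if cert.subject == cert.issuer:  # self-signed: must be a trust anchor
            return path if store.get(cert.subject) == cert else None
        candidates = [c for c in list(store.values()) + extras
                      if c.subject == cert.issuer and c not in path]
        for candidate in candidates:
            found = search(candidate, path)
            if found:
                return found
        return None
    return search(leaf, [])


if __name__ == "__main__":
    print("server chain as sent:",
          follow_server_chain(SERVER_CHAIN, TRUST_STORE, ANNOUNCEMENT_DAY))
    path = find_valid_path(SERVER_CHAIN[0], SERVER_CHAIN[1:],
                           TRUST_STORE, ANNOUNCEMENT_DAY)
    print("path built by client: ", " -> ".join(c.subject for c in path))
```

On the announcement date the naive walk ends at the expired DST root and fails, while the path builder stops at the store's own ISRG Root X1 and succeeds; before the expiry both accept the connection, which is why the problem appeared suddenly. Appending the expired DST root to the server chain and removing it from the store still leaves the naive walk failing, which is the situation described in the paragraph above.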

References:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

=== Why not with a full Gpg4win release?
We are preparing the Gpg4win 4.0 release, but it needs a few
more days. Upgrading GnuPG separately is the quickest and most robust way
of offering this fix to those who depend on the functionality. We are aware
that this extra install is a bit of an inconvenience for you and we apologise
for it. We have done it to get you both the fix and Gpg4win 4.0 sooner.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner