Software Update: GnuPG 2.2.18

GnuPG stands for GNU Privacy Guard and is often shortened to GPG. It is a collection of tools for securing communications and data. It can be used to encrypt data and create digital signatures, and it provides a framework for public-key cryptography. It supports both the OpenPGP and S/MIME standards. For more information, we refer to this page. The developers have released GnuPG 2.2.18 with the following announcement:

GnuPG 2.2.18 released


We are pleased to announce the availability of a new GnuPG release: version 2.2.18. This is a maintenance release to fix a couple of minor bugs and provide a few feature updates. This release also retires the use of SHA-1 key signatures created since this year. See below for a list of changes.

Noteworthy changes in version 2.2.18

  • gpg: Changed the way keys are detected on smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681]
  • gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681]
  • gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behavior. [#4755,CVE-2019-14855]
  • gpg: Improve performance for import of large keyblocks. [#4592]
  • gpg: Implement a keybox compression run. [#4644]
  • gpg: Show warnings from dirmngr about redirect and certificate problems (details require --verbose as usual).
  • gpg: Allow to pass the empty string for the passphrase if the '--passphrase=' syntax is used. [#4633]
  • gpg: Fix printing of the KDF object attributes.
  • gpg: Avoid surprises with --locate-external-key and certain --auto-key-locate settings. [#4662]
  • gpg: Improve selection of best matching key. [#4713]
  • gpg: Delete key binding signature when deleting a subkey. [#4665,#4457]
  • gpg: Fix a potential loss of key signatures during import with self-sigs-only active. [#4628]
  • gpg: Silence “marked as ultimately trusted” diagnostics if option --quiet is used. [#4634]
  • gpg: Silence some diagnostics during key listing even with option --verbose. [#4627]
  • gpg, gpgsm: Change parsing of agent’s pkdecrypt results. [#4652]
  • gpgsm: Support AES-256 keys.
  • gpgsm: Fix a bug in triggering a keybox compression run if --faked-system-time is used.
  • dirmngr: System CA certificates are no longer used for the SKS pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
  • dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces to avoid long timeouts. [#4165]
  • scd: Fix BWI value for APDU level transfers to make Gemalto Ezio Shield and Trustica Cryptoucan work. [#4654,#4566]
  • wkd: gpg-wks-client --install-key now installs the required policy file.

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs two full-time developers and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,
Your GnuPG hackers

Thoughts are free. Exceptions are regulated by a federal law.
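
To see which key signatures on a keyring fall under the SHA-1 change described in the announcement, the colon listing from gpg can be scanned for SHA-1 signatures dated after 2019-01-19. The script below is an added example, not code from the GnuPG project; it only inspects the listing and does not reproduce gpg's own validity logic, and the function names, sample records and the midnight-UTC cutoff are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timezone

SHA1 = "2"  # OpenPGP hash algorithm ID for SHA-1 (field 16 of a sig record)
# Assumption: "newer than 2019-01-19" is read as after 00:00:00 UTC on that day.
CUTOFF = int(datetime(2019, 1, 19, tzinfo=timezone.utc).timestamp())

# Constructed sample in gpg's colon format; key IDs and names are made up.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000::Alice <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice <alice@example.org>:13x:::::8:
sig:::17:BBBBBBBBBBBBBBBB:1560000000::::Bob <bob@example.org>:10x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1400000000::::Carol <carol@example.org>:10x:::::2:
"""


def weak_key_signatures(listing):
    """Return (signer_keyid, creation_day_utc, sig_class) for every SHA-1
    key signature in a `gpg --with-colons --list-sigs` listing that was
    created after CUTOFF."""
    hits = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sig", "rev") or len(f) < 16:
            continue  # not a signature record, or too short to carry field 16
        created, hash_algo = f[5], f[15]
        if hash_algo != SHA1 or not created.isdigit():
            continue  # other digest, or timestamp not in epoch seconds
        if int(created) > CUTOFF:
            day = datetime.fromtimestamp(int(created), timezone.utc)
            hits.append((f[4], day.strftime("%Y-%m-%d"), f[10]))
    return hits


def list_sigs(key_args):
    """Run gpg and return the colon listing for the given keys."""
    cmd = ["gpg", "--with-colons", "--fixed-list-mode", "--list-sigs", *key_args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # With arguments: inspect those keys in the local keyring; without: the sample.
    text = list_sigs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for keyid, day, sig_class in weak_key_signatures(text):
        print(f"SHA-1 key signature by {keyid} dated {day} (class {sig_class})")
```

Signatures reported here are the ones that need to be reissued with a stronger digest by their signers.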

Version number: 2.2.18
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Solaris, UNIX, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016
Website: GnuPG
License type: GPL