Revision as of 10:53, 2 May 2014 editMauls (talk | contribs)Autopatrolled, Extended confirmed users134,386 edits →See also← Previous edit | Latest revision as of 18:15, 1 January 2025 edit undo1.55.81.0 (talk) →Overview | ||
(402 intermediate revisions by more than 100 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Complete implementation of the OpenPGP and S/MIME standards}} | |||
{{distinguish|Pretty Good Privacy{{!}}Pretty Good Privacy (PGP)}} | |||
{{Infobox software | {{Infobox software | ||
| |
| name = GNU Privacy Guard | ||
| |
| title = | ||
| |
| logo = Gnupg logo.svg | ||
| |
| logo caption = | ||
| |
| logo size = 250px | ||
| |
| logo alt = The GNU Privacy Guard logo | ||
| |
| screenshot = GPG keys generation.png | ||
| caption = Key pair generation process in ] ] | |||
| screenshot size = | |||
| screenshot alt = | |||
| collapsible = | |||
| author = ] | |||
| developer = ] | |||
| released = {{Start date and age|1999|09|07|df=yes}} | |||
| discontinued = | |||
| ver layout = stacked | |||
| latest release version = {{Multiple releases | |||
| branch1 = Stable | |||
| version1 = {{wikidata|property|preferred|reference|edit|Q223204|P348|P548=Q2804309}} | |||
| date1 = {{wikidata|qualifier|preferred|single|Q223204|P348|P548=Q2804309|P577}} | |||
| branch2 = LTS | |||
| version2 = {{wikidata|property|preferred|reference|edit|Q223204|P348|P548=Q15726348}} | |||
| date2 = {{wikidata|qualifier|preferred|single|Q223204|P348|P548=Q15726348|P577}} | |||
| branch3 = Legacy | |||
| version3 = {{wikidata|property|preferred|reference|edit|Q223204|P348|P548=Q6736813}} | |||
| date3 = {{wikidata|qualifier|preferred|single|Q223204|P348|P548=Q6736813|P577}} | |||
}} | }} | ||
| latest preview version = {{wikidata|property|preferred|reference|edit|Q223204|P348|P548=Q51930650}} | |||
'''GNU Privacy Guard''' ('''GnuPG''' or '''GPG''') is a ] alternative to the ] suite of ] software. GnuPG is compliant with RFC 4880, which is the current ] standards track specification of ]. Current versions of PGP (and Veridis' Filecrypt) are ] with GnuPG and other OpenPGP-compliant systems. | |||
| latest preview date = {{wikidata|qualifier|preferred|single|Q223204|P348|P548=Q51930650|P577}} | |||
| programming language = ] | |||
| operating system = ], ], ], ], ] | |||
| platform = | |||
| size = | |||
| repo = {{URL|https://dev.gnupg.org/source/gnupg/}} | |||
| language = | |||
| language count = <!-- Number only --> | |||
| language footnote = | |||
| genre = ] | |||
| license = 2007: ]{{efn|GPL-3.0-or-later since 2007-07-04 for 2.x and 2007-10-23 for 1.x.}}<br />1997: ]{{efn|GPL-2.0-or-later from 1997-11-18 until 2007-07-04 for 2.x and 2007-10-23 for 1.x.}} | |||
| alexa = | |||
| website = {{URL|https://gnupg.org/}} | |||
| standard = | |||
}} | |||
'''GNU Privacy Guard''' ('''GnuPG''' or '''GPG''') is a ] replacement for ]'s ] software suite ]. The software is compliant with the now obsoleted<ref>{{cite web |url= https://www.rfc-editor.org/rfc/rfc9580.html |title= RFC 9580 OpenPGP |date= July 2024 |publisher= IETF |access-date= 2024-12-19 |last1= Wouters |first1= Paul |last2= Huigens |first2= Daniel |last3= Winter |first3= Justus |last4= Yutaka |first4= Niibe }}</ref> {{IETF RFC|4880}}, the ] standards-track specification of ]. Modern versions of PGP are ] with GnuPG and other OpenPGP v4-compliant systems.<ref>{{cite web |url= https://www.gnupg.org/faq/gnupg-faq.html#compatible |title= Gnu Privacy Guard |publisher= GnuPG.org |access-date= 2015-05-26 |archive-url= https://web.archive.org/web/20150429192132/https://www.gnupg.org/faq/gnupg-faq.html#compatible |archive-date= 2015-04-29 |url-status= live }}</ref> | |||
November 2023 saw two drafts aiming to update the 2007 OpenPGP v4 specification (RFC4880), ultimately resulting in the standard in July 2024. The proposal from the GnuPG developers, which is called LibrePGP, was not taken up by the OpenPGP Working Group and future versions of GnuPG will not support the current version of OpenPGP. <ref>{{cite web |url= https://lwn.net/Articles/953797/ |title= A schism in the OpenPGP world |publisher= Linux Weekly News |access-date= 2023-12-09 }}</ref> | |||
GnuPG is part of the ] and received major funding from the ] in 1999.<ref>{{cite web |url= http://www.heise.de/newsticker/meldung/Bundesregierung-foerdert-Open-Source-24110.html |title= Bundesregierung fördert Open Source |publisher= Heise Online |language= de |date= 1999-11-15 |access-date= July 24, 2013 |archive-url= https://web.archive.org/web/20131012024601/http://www.heise.de/newsticker/meldung/Bundesregierung-foerdert-Open-Source-24110.html |archive-date= October 12, 2013 |url-status= live }}</ref> | |||
== Overview == | |||
GnuPG is a ] software program because it uses a combination of conventional ] for speed, and ] for ease of secure key exchange, typically by using the recipient's public key to encrypt a ] which is used only once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version. | |||
The GnuPG 1.x series uses an integrated cryptographic library, while the GnuPG 2.x series replaces this with ]. | |||
GnuPG encrypts messages using ] individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet ]. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic ] to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted. | |||
GnuPG also supports ] algorithms. By default, GnuPG uses the ] symmetrical algorithm since version 2.1,<ref name="2.1.0-beta864-announcement">{{cite web |url=https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000357.html |title=<nowiki> The maybe final Beta for GnuPG 2.1</nowiki> |access-date=2019-03-28 |archive-url=https://web.archive.org/web/20190502211129/https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000357.html |archive-date=2019-05-02 |url-status=live }}</ref> ] was used in earlier versions. GnuPG does not use patented or otherwise restricted software or algorithms. Instead, GnuPG uses a variety of other, non-patented algorithms.<ref>{{cite web|url=https://www.gnupg.org/features.en.html|title=GnuPG Features|access-date=October 1, 2009|archive-url=https://web.archive.org/web/20091004174134/http://www.gnupg.org/features.en.html|archive-date=October 4, 2009|url-status=live}}</ref> | |||
For a long time, it did not support the ] encryption algorithm used in PGP. It was in fact possible to use IDEA in GnuPG by downloading a plugin for it, however, this might require a license for some uses in countries in which IDEA was patented. Starting with versions 1.4.13 and 2.0.20, GnuPG supports IDEA because the last patent of IDEA expired in 2012. Support of IDEA is intended "to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG",<ref>{{cite mailing list |last=Koch |first=Werner |title=GnuPG 1.4.13 released |publisher=gnupg-users |date=2012-12-21 |url=http://lists.gnupg.org/pipermail/gnupg-users/2012-December/045844.html |access-date=2013-05-19 |archive-url=https://web.archive.org/web/20130212065951/http://lists.gnupg.org/pipermail/gnupg-users/2012-December/045844.html |archive-date=2013-02-12 |url-status=live }}</ref> and hence is not recommended for regular use. | |||
More recent releases of GnuPG 2.x ("modern" and the now deprecated "stable" series) expose most cryptographic functions and algorithms ] (its cryptography library) provides, including support for ] (ECDH, ECDSA and EdDSA)<ref name="gnupg-2.1.0-announcement" /> in the "modern" series (i.e. since GnuPG 2.1). | |||
=== Algorithms === | |||
GnuPG is a part of the ]'s ] software project, and has received major funding from the ].<ref>{{cite web|url=http://www.heise.de/newsticker/meldung/Bundesregierung-foerdert-Open-Source-24110.html |title=Bundesregierung fördert Open Source |publisher=Heise Online | language=German |date= |accessdate=July 24, 2013}}</ref> | |||
As of 2.3 or 2.2 versions, GnuPG supports the following algorithms: | |||
; ]: ], ], ], ] (], ],{{efn|name=only2.3|only available in 2.3}} ], ], secp256k1), ] (nistp256, nistp384, nistp521, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp256k1), ] (ed25519, ed448{{efn|name=only2.3}}) | |||
; ]: ], ] (for backward compatibility), ], ], ], ], ] | |||
; ]: ], ], ], ] | |||
; ]: Uncompressed, ], ], ] | |||
== History == | == History == | ||
GnuPG was initially developed by ]. |
GnuPG was initially developed by ].<ref name="angwin-propublica">{{cite web | url = https://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke | date = 5 February 2015 | access-date = 6 February 2015 | first = Julia | last = Angwin | author-link=Julia Angwin | publisher = ] | title = The World's Email Encryption Software Relies on One Guy, Who is Going Broke | archive-url = https://web.archive.org/web/20150206005618/http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke | archive-date = 6 February 2015 | url-status = live }}</ref><ref name="wayner-new-york-times">{{cite news | url = http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html | date = 19 November 1999 | access-date = 2014-08-08 | first = Peter | last = Wayner | newspaper = ] | title = Germany Awards Grant for Encryption | archive-url = https://web.archive.org/web/20140825204940/http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html | archive-date = 25 August 2014 | url-status = live }}</ref> The first production version, version 1.0.0, was released on September 7, 1999, almost two years after the first GnuPG release (version 0.0.0).<ref name="gnupg-1.0.0-announcement">{{cite web |url=https://gnupg.org/download/release_notes.html#sec-2-41 |title=Release Notes |publisher=GnuPG |access-date=2014-01-30 |archive-url=https://web.archive.org/web/20140209040746/http://gnupg.org/download/release_notes.html#sec-2-41 |archive-date=2014-02-09 |url-status=live }}</ref><ref name="angwin-propublica" /> The ] funded the documentation and the port to ] in 2000.<ref name="wayner-new-york-times" /> | ||
GnuPG is a system compliant to the OpenPGP standard, thus the history of OpenPGP is of importance; it was designed to interoperate with ], |
GnuPG is a system compliant to the OpenPGP standard, thus the history of OpenPGP is of importance; it was designed to interoperate with ], an email encryption program initially designed and developed by ].<ref>{{cite web |url=http://www.openpgp.org/members/gnupg.shtml |title=Gnu Privacy Guard |publisher=OpenPGP.org |access-date=2014-02-26 |url-status=dead |archive-url=https://web.archive.org/web/20140227185009/http://openpgp.org/members/gnupg.shtml |archive-date=2014-02-27 }}</ref><ref>{{cite web |url=https://philzimmermann.com/EN/findpgp/ |title=Where to Get PGP |publisher=Philzimmermann.com |access-date=2014-02-26 |archive-url=https://web.archive.org/web/20140226011248/http://philzimmermann.com/EN/findpgp/ |archive-date=2014-02-26 |url-status=live }}</ref> | ||
On February 7, 2014, a GnuPG ] effort closed, raising ]36,732 for a new website and infrastructure improvements.<ref>{{cite web |url=http://goteo.org/project/gnupg-new-website-and-infrastructure/home |title=GnuPG: New web site and infrastructure |access-date=2014-03-09 |publisher=goteo.org |archive-url=https://web.archive.org/web/20140330103240/http://goteo.org/project/gnupg-new-website-and-infrastructure/home |archive-date=2014-03-30 |url-status=live }}</ref> | |||
Stable 2.0 branch was initially released on 13 November 2006.<ref name="gnupg-2.0-announcement">{{cite web |date=2006-11-13 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000239.html |title=<nowiki> GnuPG 2.0 released</nowiki> |author=Werner Koch |publisher=gnupg.org |accessdate=2014-01-30}}</ref> {{as of|2014|1}}, latest version of 2.0 branch is 2.0.22, released in October 2013.<ref name="gnupg-2.0.22-announcement" /> The older stable 1.x branch, whose latest version 1.4.16 was released in December 2013,<ref name="gnupg-1.4.16-announcement" /> will be continued in parallel with the new GnuPG 2 series because there were significant changes in the architecture of the program which will not fit every purpose.<ref name="gnupg-2.0-announcement" /> | |||
=== Branches === | |||
On February 7, 2014, a GnuPG ] effort closed, raising 36,732 euros for a new web site and infrastructure improvements.<ref>{{cite web |url=http://goteo.org/project/gnupg-new-website-and-infrastructure/home |title=GnuPG: New web site and infrastructure |accessdate=2014-03-09 |publisher=goteo.org}}</ref> | |||
Since the release of a stable GnuPG 2.3, starting with version 2.3.3 in October 2021, three stable branches of GnuPG are actively maintained:<ref>{{cite web|url=https://lists.gnupg.org/pipermail/gnupg-announce/2021q4/000466.html|title=GnuPG 2.3.3 released}}</ref> | |||
* A "] branch", which currently is (as of 2021) the 2.3 branch. | |||
* A "] branch", which currently is (as of 2021) the 2.2 branch (which was formerly called "modern branch", in comparison to the 2.0 branch). | |||
* The old "] branch" (formerly called "classic branch"), which is and will stay the 1.4 branch. | |||
Before GnuPG 2.3, two stable branches of GnuPG were actively maintained: | |||
== Usage == | |||
* "Modern" (2.2), with numerous new features, such as ], compared to the former "stable" (2.0) branch, which it replaced with the release of GnuPG 2.2.0 on August 28, 2017.<ref name="gnupg-2.2.0-announcement">{{Cite mailing list |url = https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000413.html |title = GnuPG 2.2.0 released |date = 2017-08-28 |access-date = 2017-09-21 |mailing-list = gnupg-announce |last = Koch |first = Werner |author-link = Werner Koch |archive-url = https://web.archive.org/web/20170829040530/https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000413.html |archive-date = 2017-08-29 |url-status = live }}</ref> It was initially released on November 6, 2014.<ref name="gnupg-2.1.0-announcement">{{cite web |date=2014-11-06 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html |title=<nowiki> GnuPG 2.1.0 "modern" released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2014-11-06 |archive-url=https://web.archive.org/web/20141106154709/http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html |archive-date=2014-11-06 |url-status=live }}</ref> | |||
* "Classic" (1.4), the very old, but still maintained stand-alone version, most suitable for outdated or embedded platforms. Initially released on December 16, 2004.<ref name="gnupg-1.4.0-announcement">{{cite web |date=2004-12-16 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000186.html |title=<nowiki> GnuPG stable 1.4 released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2004-12-16 |archive-url=https://web.archive.org/web/20050103172907/http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000186.html |archive-date=2005-01-03 |url-status=live }}</ref> | |||
Different GnuPG 2.x versions (e.g. from the 2.2 and 2.0 branches) cannot be installed at the same time. However, it is possible to install a "classic" GnuPG version (i.e. from the 1.4 branch) along with any GnuPG 2.x version.<ref name="gnupg-2.1.0-announcement"/> | |||
Although the basic GnuPG program has a ], there exist various ] that provide it with a ]. For example, GnuPG encryption support has been integrated into ] and ], the graphical ]s found in ] and ], the most popular ] desktops. There are also graphical GnuPG front-ends (] for GNOME, ] for KDE). For ], the Mac GPG project provides a number of ] front-ends for OS integration of encryption and ] as well as GnuPG installations via ] ].<ref>{{cite web|title=Mac GNU Privacy Guard|url=http://macgpg.sourceforge.net/|publisher='']''|accessdate=2008-04-29}}</ref> | |||
Before the release of GnuPG 2.2 ("modern"), the now deprecated "stable" branch (2.0) was recommended for general use, initially released on November 13, 2006.<ref name="gnupg-2.0.0-announcement">{{cite web |date=2006-11-13 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000239.html |title=<nowiki> GnuPG 2.0 released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2014-01-30 |archive-url=https://web.archive.org/web/20140214124626/http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000239.html |archive-date=2014-02-14 |url-status=live }}</ref> This branch reached its ] on December 31, 2017;<ref>{{Cite web|url=https://lists.gnupg.org/pipermail/gnupg-announce/2017q1/000401.html|title=<nowiki> GnuPG 2.1.18 released</nowiki>|last=Koch|first=Werner|author-link=Werner Koch|date=2017-01-23|publisher=gnupg.org|language=en|access-date=2017-02-04|archive-url=https://web.archive.org/web/20170211080210/https://lists.gnupg.org/pipermail/gnupg-announce/2017q1/000401.html|archive-date=2017-02-11|url-status=live}}</ref> Its last version is 2.0.31, released on December 29, 2017.<ref name="gnupg-2.0.31-tagged">{{Cite web|url = https://dev.gnupg.org/rGe6dae418c260592c0860519481b5eb92d14329db|title = GnuPG 2.0.31|date = 2017-12-29|access-date = 2017-12-30}}</ref> | |||
Furthermore, the ] Installer<ref>{{cite web|title=GPGTools Installer|url=http://www.gpgtools.org/|publisher='']''|accessdate=2011-03-22}}</ref> installs all related OpenPGP applications (GPG Keychain Access), plugins (]) and dependencies (]) to use GnuPG based encryption. ] applications such as ] and ] can automatically secure messages when GnuPG is installed and configured. Web-based software such as ] also makes use of it. The cross-platform ] ] provides GnuPG support for ] and ]. Similarly, ] provides GnuPG support for ]. FireGPG was discontinued June 7, 2010.<ref>{{cite web|url=http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/|title=FireGPG’s developers blog|accessdate=July 24, 2013}}</ref> | |||
Before the release of GnuPG 2.0, all stable releases originated from a single branch; i.e., before November 13, 2006, no multiple release branches were maintained in parallel. These former, sequentially succeeding (up to 1.4) release branches were: | |||
In 2005, G10 Code and ] released ], a software suite that includes GnuPG for Windows, ], and GnuPG plug-ins for ] and ]. These tools are wrapped in a standard Windows installer, making it easier for GnuPG to be installed and used on Windows systems. | |||
* 1.2 branch, initially released on September 22, 2002,<ref name="gnupg-1.2.0-announcement">{{cite web |date=2002-09-06 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2002q3/000136.html |title=<nowiki>GnuPG 1.2 released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2014-11-06 |archive-url=https://web.archive.org/web/20140617075459/http://lists.gnupg.org/pipermail/gnupg-announce/2002q3/000136.html |archive-date=2014-06-17 |url-status=live }}</ref> with 1.2.6 as the last version, released on October 26, 2004.<ref name="gnupg-1.2.6-announcement">{{cite web |date=2004-08-26 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2004q3/000176.html |title=<nowiki> GnuPG 1.2.6 released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2014-11-06 |archive-url=https://web.archive.org/web/20140617075605/http://lists.gnupg.org/pipermail/gnupg-announce/2004q3/000176.html |archive-date=2014-06-17 |url-status=live }}</ref> | |||
* 1.0 branch, initially released on September 7, 1999,<ref name="gnupg-1.0.0-announcement"/> with 1.0.7 as the last version, released on April 30, 2002.<ref name="gnupg-1.0.7-announcement">{{cite web |date=2002-04-30 |url=http://lists.gnupg.org/pipermail/gnupg-announce/2002q2/000135.html |title=<nowiki> GnuPG 1.0.7 released</nowiki> |last=Koch |first=Werner |author-link=Werner Koch |publisher=gnupg.org |access-date=2014-11-06 |archive-url=https://web.archive.org/web/20140617075617/http://lists.gnupg.org/pipermail/gnupg-announce/2002q2/000135.html |archive-date=2014-06-17 |url-status=live }}</ref> | |||
(Note that before the release of GnuPG 2.3.0, branches with an odd minor release number (e.g. 2.1, 1.9, 1.3) were development branches leading to a stable release branch with a "+ 0.1" higher version number (e.g. 2.2, 2.0, 1.4); hence branches 2.2 and 2.1 both belong to the "modern" series, 2.0 and 1.9 both to the "stable" series, while the branches 1.4 and 1.3 both belong to the "classic" series. | |||
Other software wraps the command line in a ] script (e.g. ]) that is menu based. | |||
With the release of GnuPG 2.3.0, this nomenclature was altered to be composed of a "stable" and "LTS" branch from the "modern" series, plus 1.4 as the last maintained "classic" branch. Also note that even or odd minor release numbers do not indicate a stable or development release branch, anymore.) | |||
== Process == | |||
<!-- Deleted image removed: ] and GnuPG-generated ]]] --> | |||
== Platforms == | |||
GnuPG is a hybrid encryption software program in that it uses a combination of conventional ] for speed, and ] for ease of secure key exchange, typically by using the recipient's public key to encrypt a ] which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version. | |||
] signing key for ] (with ])]] | |||
Although the basic GnuPG program has a ], there exists various ] that provide it with a ]. For example, GnuPG encryption support has been integrated into ] and ], the graphical ]s found in ] and ], the most popular ] desktops. There are also graphical GnuPG front-ends, for example ] for GNOME and ] and ] for KDE. | |||
GPGTools provides a number of front-ends for OS integration of encryption and ] as well as GnuPG installations via ] ]<ref name=":0">{{cite web|title=GPG Suite|url=https://gpgtools.org/|publisher=GPGTools|access-date=2017-12-24}}</ref> for ]. GPG Suite<ref name=":0" /> installs all related OpenPGP applications (GPG Keychain), plugins (]) and dependencies (MacGPG), along with GPG Services (integration into macOS Services menu) to use GnuPG based encryption. | |||
GnuPG encrypts messages using ] individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet ]s. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic ] to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted. | |||
] applications such as ] and Fire can automatically secure messages when GnuPG is installed and configured. Web-based software such as ] also makes use of it. The cross-platform ] ] provides GnuPG support for ] and ]. Similarly, Enigform provides GnuPG support for ]. FireGPG was discontinued June 7, 2010.<ref>{{cite web|url=http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/|title=FireGPG's developers blog|date=7 June 2010 |access-date=July 24, 2013|archive-url=https://web.archive.org/web/20130727112311/http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/|archive-date=July 27, 2013|url-status=live}}</ref> | |||
GnuPG also supports ] algorithms. By default GnuPG uses the ] symmetrical algorithm. | |||
In 2005, g10 Code GmbH and Intevation GmbH released ], a software suite that includes GnuPG for Windows, GNU Privacy Assistant, and GnuPG plug-ins for ] and ]. These tools are wrapped in a standard Windows installer, making it easier for GnuPG to be installed and used on Windows systems.<ref>{{Cite web|title=Gpg4win – About Gpg4win|url=https://www.gpg4win.org/about.html|access-date=2021-03-23|website=gpg4win.org}}</ref> | |||
GnuPG does not use patented or otherwise restricted software or algorithms. Instead, GnuPG uses a variety of other, non-patented algorithms.<ref>{{cite web|url=http://www.gnupg.org/features.en.html|title=GnuPG Features|accessdate=October 1, 2009}}</ref> | |||
== Vulnerabilities == | |||
For a long time it did not support the ] encryption algorithm used in PGP. It was in fact possible to use IDEA in GnuPG by downloading a plugin for it, however this might require a license for some uses in countries in which IDEA was patented. Starting with version 1.4.13/2.0.20, GnuPG supports IDEA because the last patent of IDEA expired in 2012 (Support of IDEA is "to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG",<ref>{{cite mailing list |last=Koch |first=Werner |title=GnuPG 1.4.13 released |publisher=gnupg-users |date=2012-12-21 |url=http://lists.gnupg.org/pipermail/gnupg-users/2012-December/045844.html |accessdate=2013-05-19}}</ref> and is not recommended for normal use). | |||
The OpenPGP standard specifies several methods of ] messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced.<ref>{{cite web|url=https://www.di.ens.fr/~pnguyen/pub_Ng04.htm|title=Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3.|last=Nguyen|first=Phong Q.|publisher=EUROCRYPT 2004: 555–570|access-date=2019-08-23|archive-url=https://web.archive.org/web/20171204133110/http://www.di.ens.fr/~pnguyen/pub_Ng04.htm|archive-date=2017-12-04|url-status=live}}</ref> It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers.<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html|title=GnuPG's ElGamal signing keys compromised|last=Koch|first=Werner|author-link=Werner Koch|date=November 27, 2003|access-date=May 14, 2004|archive-url=https://web.archive.org/web/20040318174334/http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html|archive-date=March 18, 2004|url-status=live}}</ref> Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, since none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later). | |||
Two further vulnerabilities were discovered in early 2006; the first being that scripted uses of GnuPG for signature verification may result in ],<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html|title=False positive signature verification in GnuPG|last=Koch|first=Werner|author-link=Werner Koch|date=February 15, 2006|access-date=May 23, 2006|archive-url=https://web.archive.org/web/20060617192634/http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html|archive-date=June 17, 2006|url-status=live}}</ref> the second that non-MIME messages were vulnerable to the injection of data which while not covered by the digital signature, would be reported as being part of the signed message.<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html|title=GnuPG does not detect injection of unsigned data|last=Koch|first=Werner|author-link=Werner Koch|date=March 9, 2006|access-date=May 23, 2006|archive-url=https://web.archive.org/web/20060505205727/http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html|archive-date=May 5, 2006|url-status=live}}</ref> In both cases updated versions of GnuPG were made available at the time of the announcement. | |||
GnuPG currently supports the following algorithms: | |||
* ]: ], ], ] | |||
* ]: ] (from 1.4.13/2.0.20), ], ], ], ], ], ] (from 1.4.10/2.0.12) | |||
* ]: ], ], ], ] | |||
* ]: Uncompressed, ], ], ] | |||
In June 2017, a vulnerability (CVE-2017-7526) was discovered within ] by Bernstein, Breitner and others: a library used by GnuPG, which enabled a full key recovery for RSA-1024 and about more than 1/8th of RSA-2048 keys. This ] exploits the fact that ] used a ] which leads to the leakage of exponent bits and to full key recovery.<ref>{{Cite web|url=https://lwn.net/Articles/727179/|title=Breaking Libgcrypt RSA via a side channel|last=Edge|first=Jake|date=5 July 2017|website=LWN.net|access-date=28 July 2017|archive-url=https://web.archive.org/web/20170728155905/https://lwn.net/Articles/727179/|archive-date=28 July 2017|url-status=live}}</ref><ref>{{cite web|url=https://eprint.iacr.org/2017/627.pdf|title=Sliding right into disaster: Left-to-right sliding windows leak|access-date=2017-06-30|archive-url=https://web.archive.org/web/20170630170347/https://eprint.iacr.org/2017/627.pdf|archive-date=2017-06-30|url-status=live}}</ref> Again, an updated version of GnuPG was made available at the time of the announcement. | |||
==Limitations== | |||
GnuPG is a command-line based system, that is not written as an ] which may be incorporated into other software. ] is an API wrapper around GnuPG which ] the output of GnuPG, and various graphical front-ends based on GPGME have been created. This currently requires an out-of-process call to the GnuPG executable for many GPGME API calls. Because GPGME makes use of a special GnuPG interface designed for machine use, a stable and maintainable API between the components is given. Possible security problems in an application do not propagate to the actual crypto code due to the process barrier. | |||
In October 2017, the ] was announced that affects RSA keys generated by ] 4 tokens, which often are used with PGP/GPG. Many published PGP keys were found to be susceptible.<ref name=nemecsys> {{Webarchive|url=https://web.archive.org/web/20171112012916/https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf |date=2017-11-12 }}, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas, November 2017</ref> | |||
== Problems == | |||
The OpenPGP standard specifies several methods of ] messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced.<ref> </ref> It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers.<ref> Werner Koch, November 27, 2003</ref> Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, and none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later). | |||
Around June 2018, the ] attacks were announced. These allowed an attacker to convincingly spoof digital signatures.<ref>{{Cite web |url=https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/ |title=Decades-old PGP bug allowed hackers to spoof just about anyone's signature |date=14 June 2018 |access-date=2018-09-07 |archive-url=https://web.archive.org/web/20180907110403/https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/ |archive-date=2018-09-07 |url-status=live }}</ref><ref>{{Cite web |url=https://www.theregister.co.uk/2018/06/19/gnupg_popped_again_in_pass/ |title=Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug |website=] |access-date=2018-09-07 |archive-url=https://web.archive.org/web/20180630114100/https://www.theregister.co.uk/2018/06/19/gnupg_popped_again_in_pass/ |archive-date=2018-06-30 |url-status=live }}</ref> | |||
Two further vulnerabilities were discovered in early 2006; the first being that scripted uses of GnuPG for signature verification may result in ],<ref> Werner Koch, February 15, 2006</ref> the second that non-MIME messages were vulnerable to the injection of data which while not covered by the digital signature, would be reported as being part of the signed message.<ref>, Werner Koch, March 9, 2006</ref> In both cases updated versions of GnuPG were made available at the time of the announcement. | |||
In January 2021, Libgcrypt 1.9.0 was released, which was found to contain a severe bug that was simple to exploit. A fix was released 10 days later in Libgcrypt 1.9.1.<ref>{{Cite web|url=https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/|archive-url = https://web.archive.org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/|archive-date = 2021-02-21|title = Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble}}</ref> | |||
== See also == | == See also == | ||
{{Portal|Free software |
{{Portal|Free and open-source software}} | ||
{{Div col| |
{{Div col|colwidth=30em}} | ||
* ] | * ] | ||
* ] - GPG for Android | |||
* ] – email client with GPG plugin | |||
* ] | |||
* ] | |||
* ] – Firefox extension | |||
* ] – ] plug-in | |||
* ]<ref></ref> – Firefox extension (discontinued) | |||
* ] – a Windows package with tools and manuals for email and file encryption | |||
* ] - a simplified package for Windows and Linux for portable devices (e.g., a USB drive) | |||
* ] – OS X Mail.app plug-in | |||
* ] – OS X Services Menu plug-in | |||
* ] – an OS X package with tools for email and file encryption (incl. GPGMail, GPG Keychain Access, MacGPG2, GPG Services, ...) | |||
* ] | * ] | ||
* ] – also known as OTR | |||
* ] – KDE graphical frontend for GnuPG, | |||
* ] – a smartcard with many GnuPG functions | |||
* ] – Google Chrome Extension w/ GPG encryption/decryption | |||
* ] | |||
* ] – Jabber client | |||
* ] – a friend-to-friend network based on PGP authentication | |||
* ] – email client with PGP/GPG support built-in | |||
* ] – also known as OTR. | |||
* ] – a smartcard with many GnuPG functions | |||
* ] | |||
* ] - A friend-to-friend network based on PGP authentication. | |||
* ] | * ] | ||
{{div col end}} | |||
* ] – A free, open source suite of tools to bring GnuPG/PGP to the browser | |||
* ] – a graphical frontend to GPG for Windows | |||
{{Div col end}} | |||
== |
== Notes == | ||
{{notelist}} | |||
== References == | |||
{{Reflist|30em}} | {{Reflist|30em}} | ||
==External links== | == External links == | ||
* |
* {{Official website|https://gnupg.org/}} | ||
* , written by Werner Koch, published on GnuPG's 10th birthday | * , written by Werner Koch, published on GnuPG's 10th birthday | ||
{{GNU}} | {{GNU}} | ||
{{Cryptographic software}} | {{Cryptographic software}} | ||
<!-- Interlang --> | |||
{{DEFAULTSORT:Gnu Privacy Guard}} | {{DEFAULTSORT:Gnu Privacy Guard}} | ||
] | ] | ||
] | |||
] | |||
] | |||
] | |||
] | ] | ||
] | |||
] | |||
] | |||
] | ] | ||
] | |||
] |
Latest revision as of 18:15, 1 January 2025
Complete implementation of the OpenPGP and S/MIME standards Not to be confused with Pretty Good Privacy (PGP).Key pair generation process in Unix terminal emulator | |||||
Original author(s) | Werner Koch | ||||
---|---|---|---|---|---|
Developer(s) | GNU Project | ||||
Initial release | 7 September 1999; 25 years ago (1999-09-07) | ||||
Stable release(s) | |||||
| |||||
Preview release(s) | |||||
2.5.2 / 6 December 2024 | |||||
Repository | dev | ||||
Written in | C | ||||
Operating system | Microsoft Windows, macOS, RISC OS, Android, Linux | ||||
Type | OpenPGP | ||||
License | 2007: GPL-3.0-or-later 1997: GPL-2.0-or-later | ||||
Website | gnupg |
GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec's cryptographic software suite PGP. The software is compliant with the now obsoleted RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP v4-compliant systems.
November 2023 saw two drafts aiming to update the 2007 OpenPGP v4 specification (RFC4880), ultimately resulting in the RFC 9580 standard in July 2024. The proposal from the GnuPG developers, which is called LibrePGP, was not taken up by the OpenPGP Working Group and future versions of GnuPG will not support the current version of OpenPGP.
GnuPG is part of the GNU Project and received major funding from the German government in 1999.
Overview
GnuPG is a hybrid-encryption software program because it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is used only once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.
The GnuPG 1.x series uses an integrated cryptographic library, while the GnuPG 2.x series replaces this with Libgcrypt.
GnuPG encrypts messages using asymmetric key pairs individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.
GnuPG also supports symmetric encryption algorithms. By default, GnuPG uses the AES symmetrical algorithm since version 2.1, CAST5 was used in earlier versions. GnuPG does not use patented or otherwise restricted software or algorithms. Instead, GnuPG uses a variety of other, non-patented algorithms. For a long time, it did not support the IDEA encryption algorithm used in PGP. It was in fact possible to use IDEA in GnuPG by downloading a plugin for it, however, this might require a license for some uses in countries in which IDEA was patented. Starting with versions 1.4.13 and 2.0.20, GnuPG supports IDEA because the last patent of IDEA expired in 2012. Support of IDEA is intended "to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG", and hence is not recommended for regular use.
More recent releases of GnuPG 2.x ("modern" and the now deprecated "stable" series) expose most cryptographic functions and algorithms Libgcrypt (its cryptography library) provides, including support for elliptic-curve cryptography (ECDH, ECDSA and EdDSA) in the "modern" series (i.e. since GnuPG 2.1).
Algorithms
As of 2.3 or 2.2 versions, GnuPG supports the following algorithms:
- Public key
- RSA, ElGamal, DSA, ECDH (cv25519, cv448, nistp256, nistp384, nistp521, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp256k1), ECDSA (nistp256, nistp384, nistp521, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp256k1), EdDSA (ed25519, ed448)
- Cipher
- 3DES, IDEA (for backward compatibility), CAST5, Blowfish, Twofish, AES-128, AES-192, AES-256, Camellia-128, -192 and -256
- Hash
- MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224
- Compression
- Uncompressed, ZIP, ZLIB, BZIP2
History
GnuPG was initially developed by Werner Koch. The first production version, version 1.0.0, was released on September 7, 1999, almost two years after the first GnuPG release (version 0.0.0). The German Federal Ministry of Economics and Technology funded the documentation and the port to Microsoft Windows in 2000.
GnuPG is a system compliant to the OpenPGP standard, thus the history of OpenPGP is of importance; it was designed to interoperate with PGP, an email encryption program initially designed and developed by Phil Zimmermann.
On February 7, 2014, a GnuPG crowdfunding effort closed, raising €36,732 for a new website and infrastructure improvements.
Branches
Since the release of a stable GnuPG 2.3, starting with version 2.3.3 in October 2021, three stable branches of GnuPG are actively maintained:
- A "stable branch", which currently is (as of 2021) the 2.3 branch.
- A "LTS (long-term support) branch", which currently is (as of 2021) the 2.2 branch (which was formerly called "modern branch", in comparison to the 2.0 branch).
- The old "legacy branch" (formerly called "classic branch"), which is and will stay the 1.4 branch.
Before GnuPG 2.3, two stable branches of GnuPG were actively maintained:
- "Modern" (2.2), with numerous new features, such as elliptic curve cryptography, compared to the former "stable" (2.0) branch, which it replaced with the release of GnuPG 2.2.0 on August 28, 2017. It was initially released on November 6, 2014.
- "Classic" (1.4), the very old, but still maintained stand-alone version, most suitable for outdated or embedded platforms. Initially released on December 16, 2004.
Different GnuPG 2.x versions (e.g. from the 2.2 and 2.0 branches) cannot be installed at the same time. However, it is possible to install a "classic" GnuPG version (i.e. from the 1.4 branch) along with any GnuPG 2.x version.
Before the release of GnuPG 2.2 ("modern"), the now deprecated "stable" branch (2.0) was recommended for general use, initially released on November 13, 2006. This branch reached its end-of-life on December 31, 2017; Its last version is 2.0.31, released on December 29, 2017.
Before the release of GnuPG 2.0, all stable releases originated from a single branch; i.e., before November 13, 2006, no multiple release branches were maintained in parallel. These former, sequentially succeeding (up to 1.4) release branches were:
- 1.2 branch, initially released on September 22, 2002, with 1.2.6 as the last version, released on October 26, 2004.
- 1.0 branch, initially released on September 7, 1999, with 1.0.7 as the last version, released on April 30, 2002.
(Note that before the release of GnuPG 2.3.0, branches with an odd minor release number (e.g. 2.1, 1.9, 1.3) were development branches leading to a stable release branch with a "+ 0.1" higher version number (e.g. 2.2, 2.0, 1.4); hence branches 2.2 and 2.1 both belong to the "modern" series, 2.0 and 1.9 both to the "stable" series, while the branches 1.4 and 1.3 both belong to the "classic" series.
With the release of GnuPG 2.3.0, this nomenclature was altered to be composed of a "stable" and "LTS" branch from the "modern" series, plus 1.4 as the last maintained "classic" branch. Also note that even or odd minor release numbers do not indicate a stable or development release branch, anymore.)
Platforms
Although the basic GnuPG program has a command-line interface, there exists various front-ends that provide it with a graphical user interface. For example, GnuPG encryption support has been integrated into KMail and Evolution, the graphical email clients found in KDE and GNOME, the most popular Linux desktops. There are also graphical GnuPG front-ends, for example Seahorse for GNOME and KGPG and Kleopatra for KDE.
GPGTools provides a number of front-ends for OS integration of encryption and key management as well as GnuPG installations via Installer packages for macOS. GPG Suite installs all related OpenPGP applications (GPG Keychain), plugins (GPG Mail) and dependencies (MacGPG), along with GPG Services (integration into macOS Services menu) to use GnuPG based encryption.
Instant messaging applications such as Psi and Fire can automatically secure messages when GnuPG is installed and configured. Web-based software such as Horde also makes use of it. The cross-platform extension Enigmail provides GnuPG support for Mozilla Thunderbird and SeaMonkey. Similarly, Enigform provides GnuPG support for Mozilla Firefox. FireGPG was discontinued June 7, 2010.
In 2005, g10 Code GmbH and Intevation GmbH released Gpg4win, a software suite that includes GnuPG for Windows, GNU Privacy Assistant, and GnuPG plug-ins for Windows Explorer and Outlook. These tools are wrapped in a standard Windows installer, making it easier for GnuPG to be installed and used on Windows systems.
Vulnerabilities
The OpenPGP standard specifies several methods of digitally signing messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced. It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers. Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, since none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later).
Two further vulnerabilities were discovered in early 2006; the first being that scripted uses of GnuPG for signature verification may result in false positives, the second that non-MIME messages were vulnerable to the injection of data which while not covered by the digital signature, would be reported as being part of the signed message. In both cases updated versions of GnuPG were made available at the time of the announcement.
In June 2017, a vulnerability (CVE-2017-7526) was discovered within Libgcrypt by Bernstein, Breitner and others: a library used by GnuPG, which enabled a full key recovery for RSA-1024 and about more than 1/8th of RSA-2048 keys. This side-channel attack exploits the fact that Libgcrypt used a sliding windows method for exponentiation which leads to the leakage of exponent bits and to full key recovery. Again, an updated version of GnuPG was made available at the time of the announcement.
In October 2017, the ROCA vulnerability was announced that affects RSA keys generated by YubiKey 4 tokens, which often are used with PGP/GPG. Many published PGP keys were found to be susceptible.
Around June 2018, the SigSpoof attacks were announced. These allowed an attacker to convincingly spoof digital signatures.
In January 2021, Libgcrypt 1.9.0 was released, which was found to contain a severe bug that was simple to exploit. A fix was released 10 days later in Libgcrypt 1.9.1.
See also
- Acoustic cryptanalysis
- Key signing party
- Off-the-Record Messaging – also known as OTR
- OpenPGP card – a smartcard with many GnuPG functions
- Package manager
- Retroshare – a friend-to-friend network based on PGP authentication
- Web of trust
Notes
- GPL-3.0-or-later since 2007-07-04 for 2.x and 2007-10-23 for 1.x.
- GPL-2.0-or-later from 1997-11-18 until 2007-07-04 for 2.x and 2007-10-23 for 1.x.
- ^ only available in 2.3
References
- Werner Koch (28 November 2024). "GnuPG 2.4.7 and Gpg4win 4.4.0 released". Retrieved 28 November 2024.
- "Noteworthy changes in version 2.2.43". 16 April 2024. Retrieved 27 May 2024.
- Werner Koch (6 December 2024). "GnuPG 2.5.2 released". Retrieved 10 December 2024.
- Wouters, Paul; Huigens, Daniel; Winter, Justus; Yutaka, Niibe (July 2024). "RFC 9580 OpenPGP". IETF. Retrieved 2024-12-19.
- "Gnu Privacy Guard". GnuPG.org. Archived from the original on 2015-04-29. Retrieved 2015-05-26.
- "A schism in the OpenPGP world". Linux Weekly News. Retrieved 2023-12-09.
- "Bundesregierung fördert Open Source" (in German). Heise Online. 1999-11-15. Archived from the original on October 12, 2013. Retrieved July 24, 2013.
- " The maybe final Beta for GnuPG 2.1". Archived from the original on 2019-05-02. Retrieved 2019-03-28.
- "GnuPG Features". Archived from the original on October 4, 2009. Retrieved October 1, 2009.
- Koch, Werner (2012-12-21). "GnuPG 1.4.13 released" (Mailing list). gnupg-users. Archived from the original on 2013-02-12. Retrieved 2013-05-19.
- ^ Koch, Werner (2014-11-06). " GnuPG 2.1.0 "modern" released". gnupg.org. Archived from the original on 2014-11-06. Retrieved 2014-11-06.
- ^ Angwin, Julia (5 February 2015). "The World's Email Encryption Software Relies on One Guy, Who is Going Broke". ProPublica. Archived from the original on 6 February 2015. Retrieved 6 February 2015.
- ^ Wayner, Peter (19 November 1999). "Germany Awards Grant for Encryption". The New York Times. Archived from the original on 25 August 2014. Retrieved 2014-08-08.
- ^ "Release Notes". GnuPG. Archived from the original on 2014-02-09. Retrieved 2014-01-30.
- "Gnu Privacy Guard". OpenPGP.org. Archived from the original on 2014-02-27. Retrieved 2014-02-26.
- "Where to Get PGP". Philzimmermann.com. Archived from the original on 2014-02-26. Retrieved 2014-02-26.
- "GnuPG: New web site and infrastructure". goteo.org. Archived from the original on 2014-03-30. Retrieved 2014-03-09.
- "GnuPG 2.3.3 released".
- Koch, Werner (2017-08-28). "[Announce] GnuPG 2.2.0 released". gnupg-announce (Mailing list). Archived from the original on 2017-08-29. Retrieved 2017-09-21.
- Koch, Werner (2004-12-16). " GnuPG stable 1.4 released". gnupg.org. Archived from the original on 2005-01-03. Retrieved 2004-12-16.
- Koch, Werner (2006-11-13). " GnuPG 2.0 released". gnupg.org. Archived from the original on 2014-02-14. Retrieved 2014-01-30.
- Koch, Werner (2017-01-23). " GnuPG 2.1.18 released". gnupg.org. Archived from the original on 2017-02-11. Retrieved 2017-02-04.
- "GnuPG 2.0.31". 2017-12-29. Retrieved 2017-12-30.
- Koch, Werner (2002-09-06). "GnuPG 1.2 released". gnupg.org. Archived from the original on 2014-06-17. Retrieved 2014-11-06.
- Koch, Werner (2004-08-26). " GnuPG 1.2.6 released". gnupg.org. Archived from the original on 2014-06-17. Retrieved 2014-11-06.
- Koch, Werner (2002-04-30). " GnuPG 1.0.7 released". gnupg.org. Archived from the original on 2014-06-17. Retrieved 2014-11-06.
- ^ "GPG Suite". GPGTools. Retrieved 2017-12-24.
- "FireGPG's developers blog". 7 June 2010. Archived from the original on July 27, 2013. Retrieved July 24, 2013.
- "Gpg4win – About Gpg4win". gpg4win.org. Retrieved 2021-03-23.
- Nguyen, Phong Q. "Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3". EUROCRYPT 2004: 555–570. Archived from the original on 2017-12-04. Retrieved 2019-08-23.
- Koch, Werner (November 27, 2003). "GnuPG's ElGamal signing keys compromised". Archived from the original on March 18, 2004. Retrieved May 14, 2004.
- Koch, Werner (February 15, 2006). "False positive signature verification in GnuPG". Archived from the original on June 17, 2006. Retrieved May 23, 2006.
- Koch, Werner (March 9, 2006). "GnuPG does not detect injection of unsigned data". Archived from the original on May 5, 2006. Retrieved May 23, 2006.
- Edge, Jake (5 July 2017). "Breaking Libgcrypt RSA via a side channel". LWN.net. Archived from the original on 28 July 2017. Retrieved 28 July 2017.
- "Sliding right into disaster: Left-to-right sliding windows leak" (PDF). Archived (PDF) from the original on 2017-06-30. Retrieved 2017-06-30.
- The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli Archived 2017-11-12 at the Wayback Machine, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas, November 2017
- "Decades-old PGP bug allowed hackers to spoof just about anyone's signature". 14 June 2018. Archived from the original on 2018-09-07. Retrieved 2018-09-07.
- "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug". The Register. Archived from the original on 2018-06-30. Retrieved 2018-09-07.
- "Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble". Archived from the original on 2021-02-21.
External links
- Official website
- A Short History of the GNU Privacy Guard, written by Werner Koch, published on GnuPG's 10th birthday
GNU Project | |
---|---|
History | |
Licenses | |
Software |
|
Contributors | |
Other topics |
Cryptographic software | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Email clients | |||||||||||||||
Secure communication |
| ||||||||||||||
Disk encryption (Comparison) | |||||||||||||||
Anonymity | |||||||||||||||
File systems (List) | |||||||||||||||
Security-focused operating system | |||||||||||||||
Service providers | |||||||||||||||
Educational | |||||||||||||||
Anti–computer forensics | |||||||||||||||
Related topics | |||||||||||||||