[prev in list] [next in list] [prev in thread] [next in thread]
List: gcrypt-devel
Subject: Re: [Announce] Libgcrypt 1.8.4 released
From: "sgarlick () gmail ! com" <sgarlick () gmail ! com>
Date: 2018-10-29 12:23:59
Message-ID: CAKKxzKfuJPJvOLUh2B51jf=P+ps4PT_XvNBH6zHhNXPjZB24Zw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
unsubscribe
On Sat, Oct 27, 2018 at 4:55 AM Werner Koch <wk@gnupg.org> wrote:
> Hi!
>
> The GnuPG Project is pleased to announce the availability of Libgcrypt
> versions 1.8.4. This is a maintenance release to fix a few minor bugs.
>
> Libgcrypt is a general purpose library of cryptographic building blocks.
> It is originally based on code used by GnuPG. It does not provide any
> implementation of OpenPGP or other protocols. Thorough understanding of
> applied cryptography is required to use Libgcrypt.
>
>
> Noteworthy changes in version 1.8.4
> ===================================
>
> * Bug fixes:
>
> - Fix infinite loop due to applications using fork the wrong
> way. [#3491]
>
> - Fix possible leak of a few bits of secret primes to pageable
> memory. [#3848]
>
> - Fix possible hang in the RNG (1.8.3 only). [#4034]
>
> - Several minor fixes. [#4102,#4208,#4209,#4210,#4211,#4212]
>
> * Performance:
>
> - On Linux always make use of getrandom if possible and then use
> its /dev/urandom behaviour. [#3894]
>
>
> Download
> ========
>
> Source code is hosted at the GnuPG FTP server and its mirrors as listed
> at <https://gnupg.org/download/mirrors.html>. On the primary server
> the source tarball and its digital signature are:
>
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2.sig
>
> or gzip compressed:
>
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz.sig
>
> In order to check that the version of Libgcrypt you downloaded is an
> original and unmodified file please follow the instructions found at
> <https://gnupg.org/download/integrity_check.html>. In short, you may
> use one of the following methods:
>
> - Check the supplied OpenPGP signature. For example to check the
> signature of the file libgcrypt-1.8.4.tar.bz2 you would use this
> command:
>
> gpg --verify libgcrypt-1.8.4.tar.bz2.sig libgcrypt-1.8.4.tar.bz2
>
> This checks whether the signature file matches the source file.
> You should see a message indicating that the signature is good and
> made by one or more of the release signing keys. Make sure that
> this is a valid key, either by matching the shown fingerprint
> against a trustworthy list of valid release signing keys or by
> checking that the key has been signed by trustworthy other keys.
> See the end of this mail for information on the signing keys.
>
> - If you are not able to use an existing version of GnuPG, you have
> to verify the SHA-1 checksum. On Unix systems the command to do
> this is either "sha1sum" or "shasum". Assuming you downloaded the
> file libgcrypt-1.8.4.tar.bz2, you run the command like this:
>
> sha1sum libgcrypt-1.8.4.tar.bz2
>
> and check that the output matches the first line from the
> this list:
>
> 4a8ef9db6922f3a31992aca5640b4198a69b58fc libgcrypt-1.8.4.tar.bz2
> 211855f39f3bc3c4a4f444d4c09d743dfc5cb427 libgcrypt-1.8.4.tar.gz
>
> You should also verify that the checksums above are authentic by
> matching them with copies of this announcement. Those copies can be
> found at other mailing lists, web sites, and search engines.
>
>
> Copying
> =======
>
> Libgcrypt is distributed under the terms of the GNU Lesser General
> Public License (LGPLv2.1+). The helper programs as well as the
> documentation are distributed under the terms of the GNU General Public
> License (GPLv2+). The file LICENSES has notices about contributions
> that require that these additional notices are distributed.
>
>
> Support
> =======
>
> In case of build problems specific to this release please first check
> https://dev.gnupg.org/T4234 for updated information.
>
> For help on developing with Libgcrypt you should read the included
> manual and optional ask on the gcrypt-devel mailing list [1]. A
> listing with commercial support offers for Libgcrypt and related
> software is available at the GnuPG web site [2].
>
> If you are a developer and you may need a certain feature for your
> project, please do not hesitate to bring it to the gcrypt-devel
> mailing list for discussion.
>
>
> Thanks
> ======
>
> Maintenance and development of GnuPG is mostly financed by donations.
> The GnuPG project currently employs one full-time developer and two
> contractors. They all work exclusively on GnuPG and closely related
> software like Libgcrypt, GPGME, and GPA.
>
> We have to thank all the people who helped the GnuPG project, be it
> testing, coding, translating, suggesting, auditing, administering the
> servers, spreading the word, and answering questions on the mailing
> lists. Thanks to Tomas Mraz for pointing out several smaller flaws.
>
> Many thanks to our numerous financial supporters, both corporate and
> individuals. Without you it would not be possible to keep GnuPG in a
> good shape and address all the small and larger requests made by our
> users. Thanks.
>
>
> Happy hacking,
>
> Your GnuPG hackers
>
>
>
> p.s.
> This is an announcement only mailing list. Please send replies only to
> the gnupg-users'at'gnupg.org mailing list.
>
> p.p.s
> List of Release Signing Keys:
>
> To guarantee that a downloaded GnuPG version has not been tampered by
> malicious entities we provide signature files for all tarballs and
> binary versions. The keys are also signed by the long term keys of
> their respective owners. Current releases are signed by one or more
> of these four keys:
>
> rsa2048 2011-01-12 [expires: 2019-12-31]
> Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> Werner Koch (dist sig)
>
> rsa2048 2014-10-29 [expires: 2019-12-31]
> Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
> David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>
>
> rsa2048 2014-10-29 [expires: 2020-10-30]
> Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
> NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>
>
> rsa3072 2017-03-17 [expires: 2027-03-15]
> Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
> Andre Heinecke (Release Signing Key)
>
> The keys are available at <https://gnupg.org/signature_key.html> and
> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
> Note that this mail has been signed by a different key.
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
> _______________________________________________
> Gnupg-announce mailing list
> Gnupg-announce@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
[Attachment #5 (text/html)]
<div dir="ltr">unsubscribe</div><br><div class="gmail_quote"><div dir="ltr">On Sat, \
Oct 27, 2018 at 4:55 AM Werner Koch <<a \
href="mailto:wk@gnupg.org">wk@gnupg.org</a>> wrote:<br></div><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hi!<br> <br>
The GnuPG Project is pleased to announce the availability of Libgcrypt<br>
versions 1.8.4. This is a maintenance release to fix a few minor bugs.<br>
<br>
Libgcrypt is a general purpose library of cryptographic building blocks.<br>
It is originally based on code used by GnuPG. It does not provide any<br>
implementation of OpenPGP or other protocols. Thorough understanding of<br>
applied cryptography is required to use Libgcrypt.<br>
<br>
<br>
Noteworthy changes in version 1.8.4<br>
===================================<br>
<br>
* Bug fixes:<br>
<br>
- Fix infinite loop due to applications using fork the wrong<br>
way. [#3491]<br>
<br>
- Fix possible leak of a few bits of secret primes to pageable<br>
memory. [#3848]<br>
<br>
- Fix possible hang in the RNG (1.8.3 only). [#4034]<br>
<br>
- Several minor fixes. [#4102,#4208,#4209,#4210,#4211,#4212]<br>
<br>
* Performance:<br>
<br>
- On Linux always make use of getrandom if possible and then use<br>
its /dev/urandom behaviour. [#3894]<br>
<br>
<br>
Download<br>
========<br>
<br>
Source code is hosted at the GnuPG FTP server and its mirrors as listed<br>
at <<a href="https://gnupg.org/download/mirrors.html" rel="noreferrer" \
target="_blank">https://gnupg.org/download/mirrors.html</a>>. On the primary \
server<br> the source tarball and its digital signature are:<br>
<br>
<a href="https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2" \
rel="noreferrer" target="_blank">https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2</a><br>
<a href="https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2.sig" \
rel="noreferrer" target="_blank">https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2.sig</a><br>
<br>
or gzip compressed:<br>
<br>
<a href="https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz" \
rel="noreferrer" target="_blank">https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz</a><br>
<a href="https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz.sig" \
rel="noreferrer" target="_blank">https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz.sig</a><br>
<br>
In order to check that the version of Libgcrypt you downloaded is an<br>
original and unmodified file please follow the instructions found at<br>
<<a href="https://gnupg.org/download/integrity_check.html" rel="noreferrer" \
target="_blank">https://gnupg.org/download/integrity_check.html</a>>. In short, \
you may<br> use one of the following methods:<br>
<br>
- Check the supplied OpenPGP signature. For example to check the<br>
signature of the file libgcrypt-1.8.4.tar.bz2 you would use this<br>
command:<br>
<br>
gpg --verify libgcrypt-1.8.4.tar.bz2.sig libgcrypt-1.8.4.tar.bz2<br>
<br>
This checks whether the signature file matches the source file.<br>
You should see a message indicating that the signature is good and<br>
made by one or more of the release signing keys. Make sure that<br>
this is a valid key, either by matching the shown fingerprint<br>
against a trustworthy list of valid release signing keys or by<br>
checking that the key has been signed by trustworthy other keys.<br>
See the end of this mail for information on the signing keys.<br>
<br>
- If you are not able to use an existing version of GnuPG, you have<br>
to verify the SHA-1 checksum. On Unix systems the command to do<br>
this is either "sha1sum" or "shasum". Assuming you \
downloaded the<br> file libgcrypt-1.8.4.tar.bz2, you run the command like this:<br>
<br>
sha1sum libgcrypt-1.8.4.tar.bz2<br>
<br>
and check that the output matches the first line from the<br>
this list:<br>
<br>
4a8ef9db6922f3a31992aca5640b4198a69b58fc libgcrypt-1.8.4.tar.bz2<br>
211855f39f3bc3c4a4f444d4c09d743dfc5cb427 libgcrypt-1.8.4.tar.gz<br>
<br>
You should also verify that the checksums above are authentic by<br>
matching them with copies of this announcement. Those copies can be<br>
found at other mailing lists, web sites, and search engines.<br>
<br>
<br>
Copying<br>
=======<br>
<br>
Libgcrypt is distributed under the terms of the GNU Lesser General<br>
Public License (LGPLv2.1+). The helper programs as well as the<br>
documentation are distributed under the terms of the GNU General Public<br>
License (GPLv2+). The file LICENSES has notices about contributions<br>
that require that these additional notices are distributed.<br>
<br>
<br>
Support<br>
=======<br>
<br>
In case of build problems specific to this release please first check<br>
<a href="https://dev.gnupg.org/T4234" rel="noreferrer" \
target="_blank">https://dev.gnupg.org/T4234</a> for updated information.<br> <br>
For help on developing with Libgcrypt you should read the included<br>
manual and optional ask on the gcrypt-devel mailing list [1]. A<br>
listing with commercial support offers for Libgcrypt and related<br>
software is available at the GnuPG web site [2].<br>
<br>
If you are a developer and you may need a certain feature for your<br>
project, please do not hesitate to bring it to the gcrypt-devel<br>
mailing list for discussion.<br>
<br>
<br>
Thanks<br>
======<br>
<br>
Maintenance and development of GnuPG is mostly financed by donations.<br>
The GnuPG project currently employs one full-time developer and two<br>
contractors. They all work exclusively on GnuPG and closely related<br>
software like Libgcrypt, GPGME, and GPA.<br>
<br>
We have to thank all the people who helped the GnuPG project, be it<br>
testing, coding, translating, suggesting, auditing, administering the<br>
servers, spreading the word, and answering questions on the mailing<br>
lists. Thanks to Tomas Mraz for pointing out several smaller flaws.<br>
<br>
Many thanks to our numerous financial supporters, both corporate and<br>
individuals. Without you it would not be possible to keep GnuPG in a<br>
good shape and address all the small and larger requests made by our<br>
users. Thanks.<br>
<br>
<br>
Happy hacking,<br>
<br>
Your GnuPG hackers<br>
<br>
<br>
<br>
p.s.<br>
This is an announcement only mailing list. Please send replies only to<br>
the gnupg-users'at'<a href="http://gnupg.org" rel="noreferrer" \
target="_blank">gnupg.org</a> mailing list.<br> <br>
p.p.s<br>
List of Release Signing Keys:<br>
<br>
To guarantee that a downloaded GnuPG version has not been tampered by<br>
malicious entities we provide signature files for all tarballs and<br>
binary versions. The keys are also signed by the long term keys of<br>
their respective owners. Current releases are signed by one or more<br>
of these four keys:<br>
<br>
rsa2048 2011-01-12 [expires: 2019-12-31]<br>
Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6<br>
Werner Koch (dist sig)<br>
<br>
rsa2048 2014-10-29 [expires: 2019-12-31]<br>
Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959<br>
David Shaw (GnuPG Release Signing Key) <dshaw 'at' <a \
href="http://jabberwocky.com" rel="noreferrer" \
target="_blank">jabberwocky.com</a>><br> <br>
rsa2048 2014-10-29 [expires: 2020-10-30]<br>
Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06<br>
NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' <a href="http://fsij.org" \
rel="noreferrer" target="_blank">fsij.org</a>><br> <br>
rsa3072 2017-03-17 [expires: 2027-03-15]<br>
Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28<br>
Andre Heinecke (Release Signing Key)<br>
<br>
The keys are available at <<a href="https://gnupg.org/signature_key.html" \
rel="noreferrer" target="_blank">https://gnupg.org/signature_key.html</a>> and<br> \
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .<br> Note that \
this mail has been signed by a different key.<br> <br>
-- <br>
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.<br>
_______________________________________________<br>
Gnupg-announce mailing list<br>
<a href="mailto:Gnupg-announce@gnupg.org" \
target="_blank">Gnupg-announce@gnupg.org</a><br> <a \
href="http://lists.gnupg.org/mailman/listinfo/gnupg-announce" rel="noreferrer" \
target="_blank">http://lists.gnupg.org/mailman/listinfo/gnupg-announce</a>_______________________________________________<br>
Gnupg-users mailing list<br>
<a href="mailto:Gnupg-users@gnupg.org" target="_blank">Gnupg-users@gnupg.org</a><br>
<a href="http://lists.gnupg.org/mailman/listinfo/gnupg-users" rel="noreferrer" \
target="_blank">http://lists.gnupg.org/mailman/listinfo/gnupg-users</a><br> \
</blockquote></div>
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic