gnupg-2.4.4

[Douglas R. Reno]

New point version

[Xi Ruoyao]

make -C doc pdf ps fails complaining lacking some .eps files.

[Xi Ruoyao]

Noteworthy changes in version 2.4.4 (2024-01-25)

• gpg: Do not keep an unprotected smartcard backup key on disk. See ​https://gnupg.org/blog/20240125-smartcard-backup-key.html for a security advisory. [T6944]
• gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit platforms. [T6736]
• gpg: Fix expiration time when Creation-Date is specified. [T5252]
• gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]
• gpg: Add option --with-v5-fingerprint. [T6705]
• gpg: Add sub-option ignore-attributes to --import-options. [rGd4976e35d2]
• gpg: Add --list-filter properties sig_expires/sig_expires_d. [rGbf662d0f93af]
• gpg: Fix validity of re-imported keys. [T6399]
• gpg: Report BEGIN_ status before examining the input. [T6481]
• gpg: Don't try to compress a read-only keybox. [T6811]
• gpg: Choose key from inserted card over a non-inserted card. [T6831]
• gpg: Allow to create revocations even with non-compliant algos. [T6929]
• gpg: Fix regression in the Revoker keyword of the parameter file. [T6923]
• gpg: Improve error message for expired default keys. [T4704]
• gpgsm: Add --always-trust feature. [T6559]
• gpgsm: Support ECC certificates in de-vs mode. [T6802]
• gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
• gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654]
• keyboxd: Timeout on failure to get the database lock. [T6838]
• agent: Update the key stubs only if really modified. [T6829]
• scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]
• scd: Add support for CardOS 5.4 cards. [rG812f988059]
• scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]
• scd: Add support for Smartcafe Expert 7.0 cards. [T6919]
• scd: Add a length check for a new PIN. [T6843]
• tpm: Fix keytotpm handling in the agent. [rG9909f622f6]
• tpm: Fixes for the TPM test suite. [T6052]
• dirmngr: Avoid starting a second instance on Windows via GPGME based launching. [T6833]
• dirmngr: New option --ignore-crl-extensions. [T6545]
• dirmngr: Support config value "none" to disable the default keyserver. [T6708]
• dirmngr: Implement automatic proxy detection on Windows. [T5768]
• dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]
• dirmngr: Add code to support proxy authentication using the Negotiation method on Windows. [T6719]
• gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]
• gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]
• gpgconf: Adjust the -X command for the new VERSION file format. [T6918]
• wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a278c]
• wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68]
• Remove duplicated backslashes when setting the homedir. [T6833]
• Ignore attempts to remove the /dev/null device. [T6556]
• Improve advisory file lock retry strategy. [T3380]
• Improve the speedo build system for Unix. [T6710]

Release-info: ​https://dev.gnupg.org/T6578

[Douglas R. Reno]

The patch is no longer required

[Douglas R. Reno]

I'm going to file a security advisory due to ​https://gnupg.org/blog/20240125-smartcard-backup-key.html. It only impacts a small subset of users and I've put some information on how to address the problem if they are impacted. In short, when using the '--edit-key' switch to generate a Smartcard key, an unprotected backup copy of the key was saved to disk.

[Douglas R. Reno]

Fixed at d037c38c2938101a7fbedfee68c137942e2b167b

SA-12.0-082 issued