Noteworthy changes in version 2.4.1 ===================================
* If the ~/.gnupg directory does not exist, the keyboxd is now automagically enabled. [rGd9e7488b17] * gpg: New option --add-desig-revoker. [rG3d094e2bcf] * gpg: New option --assert-signer. [rGc9e95b8dee] * gpg: New command --quick-add-adsk and other ADSK features. [T6395, https://gnupg.org/blog/20230321-adsk.html] * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" instead of the user-id in key signature listings. [rG103acfe9ca] * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] * gpg: Detect already compressed data also when using a pipe. Also detect JPEG and PNG file formats. [T6332] * gpg: New subcommand "openpgp" for --card-edit. [T6462] * gpgsm: Verification of detached signatures does now strip trailing zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] * gpgsm: Non-armored detached signature are now created without using indefinite form length octets. This improves compatibility with some PDF signature verification software. [rG8996b0b655] * gpgtar: Emit progress status lines in create mode. [T6363] * dirmngr: The LDAP modifyTimestamp is now returned by some keyserver commands. [rG56d309133f] * ssh: Allow specification of the order keys are presented to ssh. See the man page entry for --enable-ssh-support. [T5996, T6212] * gpg: Make list-options "show-sig-subpackets" work again. Fixes regression in 2.4.0. [rG5a223303d7] * gpg: Fix the keytocard command for Yubikeys. [T6378] * gpg: Do not continue an export after a cancel for the primary key. [T6093] * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] * gpgtar: Fix decryption with input taken from stdin. [T6355]
Noteworthy changes in version 2.4.2 ===================================
* gpg: Print a warning if no more encryption subkeys are left over after changing the expiration date. [rGef2c3d50fa] * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] * gpgsm: Reduce the number of "failed to open policy file" diagnostics. [rG68613a6a9d] * agent: Make updating of private key files more robust and track display S/N. [T6135] * keyboxd: Avoid longish delays on Windows when listing keys. [rG6944aefa3c] * gpgtar: Emit extra status lines to help GPGME. [T6497] * w32: Avoid using the VirtualStore. [T6403]
Noteworthy changes in version 2.4.3 ===================================
* gpg: Set default expiration date to 3 years. [T2701] * gpg: Add --list-filter properties "key_expires" and "key_expires_d". [T6529] * gpg: Emit status line and proper diagnostics for write errors. [T6528] * gpg: Make progress work for large files on Windows. [T6534] * gpg: New option --no-compress as alias for -z0. * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0] * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] * gpgtar: New option --no-compress. * dirmngr: Extend the AD_QUERY command. [rG207c99567c] * dirmngr: Disable the HTTP redirect rewriting. [T6477] * dirmngr: New option --compatibility-flags. [rGbf04b07327] * dirmngr: New option --ignore-crl-extensions. [T6545] * wkd: Use export-clean for gpg-wks-client's --mirror and --create commands. [rG2c7f7a5a27] * wkd: Make --add-revocs the default in gpg-wks-client. New option --no-add-revocs. [rG10c937ee68] * scd: Make signing work for Nexus cards. [rGb83d86b988] * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce]
Noteworthy changes in version 2.4.5 ===================================
* gpg,gpgv: New option --assert-pubkey-algo. [T6946] * gpg: Emit status lines for errors in the compression layer. [T6977] * gpg: Fix invocation with --trusted-keys and --no-options. [T7025] * gpgsm: Allow for a longer salt in PKCS#12 files. [T6757] * gpgtar: Make --status-fd=2 work on Windows. [T6961] * scd: Support for the ACR-122U NFC reader. [rG1682ca9f01] * scd: Suport D-TRUST ECC cards. [T7000,T7001] * scd: Allow auto detaching of kernel drivers; can be disabled with the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0] * scd: Allow setting a PIN length of 6 also with a reset code for openpgp cards. [T6843] * agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20] * dirmngr: Trust system's root CAs for checking CRL issuers. [T6963] * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. [T6997] * gpg-wks-client: Make option --mirror work properly w/o specifying domains. [rG37cc255e49] * g13,gpg-wks-client: Allow command style options as in "g13 mount foo". [rGa09157ccb2] * Allow tilde expansion for the foo-program options. [T7017] * Make the getswdb.sh tool usable outside the GnuPG tree.
Noteworthy changes in version 2.5.0 (2024-07-05) ================================================ [compared to version 2.4.5] * gpg: Support composite Kyber+ECC public key algorithms. This is experimental due to the yet outstanding FIPS-203 specification. [T6815] * gpg: Allow algo string "pqc" for --quick-gen-key. [rG12ac129a70] * gpg: New option --show-only-session-key. [rG1695cf267e] * gpg: Print designated revokers also in non-colon listing mode. [rG9d618d1273] * gpg: Make --with-sig-check work with --show-key in non-colon listing mode. [rG0c34edc443] * tpm: Rework error handling and fix key import [T7129, T7186] * Varous fixes to improve robustness on 64 bit Windows. [T7139]
Changes which will also show up in the firthcoming 2.4.6:
* gpg: New command --quick-set-ownertrust. [rG967678d972] * gpg: Indicate disabled keys in key listings and add list option "show-ownertrust". [rG2a0a706eb2] * gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag. [T7042] * gpg: Do not allow to accidently set the RENC usage. [T7072] * gpg: Accept armored files without CRC24 checksum. [T7071] * gpg: New --import-option "only-pubkeys". [T7146] * gpg: Repurpose the AKL mechanism "ldap" to work like the keyserver mechnism but only for LDAP keyservers. [rG068ebb6f1e] * gpg: ADSKs are now configurable for new keys. [T6882] * gpgsm: Emit user IDs with an empty Subject also in colon mode. [T7171] * agent: Consider an empty pattern file as valid. [rGc27534de95] * agent: Fix error handling of READKEY. [T6012] * agent: Avoid random errors when storing key in ephemeral mode. [T7129, rGfdc5003956] * agent: Make "SCD DEVINFO --watch" more robust. [T7151] * scd: Improve KDF data object handling for OpenPGP cards. [T7058] * scd: Avoid buffer overrun with more than 16 PC/SC readers. [T7129, rG4c1b007035] * scd: Fix how the scdaemon on its pipe connection finishes. [T7160] * gpgconf: Check readability of some files with -X and change its output format. [rG98e287ba6d] * gpg-mail-tube: New tool to apply PGP/MIME encryption to a mail. [rG28a080bc9f] * Fix some uninitialized variables and double frees in error code paths. [T7129]
Noteworthy changes in version 2.5.1 (2024-09-12) ================================================ [compared to version 2.5.0] * gpg: The support for composite Kyber+ECC public key algorithms does now use the final FIPS-203 and LibrePGP specifications. The experimental keys from 2.5.0 are no longer supported. [T6815] * gpg: New commands --add-recipients and --change-recipients. [T1825] * gpg: New option --proc-all-sigs. [T7261] * gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195] * gpg: Make --no-literal work again for -c and --store. [T5852] * gpg: Improve detection of input data read errors. [T6528] * gpg: Fix getting key by IPGP record (rfc-4398). [T7288] * gpgsm: New option --assert-signer. [T7286] * gpgsm: More improvements to PKCS#12 parsing to cope with latest IVBB changes. [T7213] * agent: Fix KEYTOCARD command when used with a loopback pinentry. [T7283] * gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode. New option --as-attach. [rG4511997e9e1b] * Now uses the process spawn API from libgpg-error. [T7192,T7194] * Removed the --enable-gpg-is-gpg2 configure time option. [rG2125f228d36c] * Die Windows version will now be build for 64-Bit Windows and with the corresponding changes to the installation directory and Registry keys.
Noteworthy changes in version 2.4.6 =================================== * gpg: New command --quick-set-ownertrust. [rG967678d972] * gpg: Indicate disabled keys in key listings and add list option "show-ownertrust". [rG2a0a706eb2] * gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag. [T7042] * gpg: Do not allow to accidently set the RENC usage. [T7072] * gpg: Accept armored files without CRC24 checksum. [T7071] * gpg: New --import-option "only-pubkeys". [T7146] * gpg: Repurpose the AKL mechanism "ldap" to work like the keyserver mechnism but only for LDAP keyservers. [rG6551281ca3] * gpg: ADSKs are now configurable for new keys. [T6882] * gpg: New option --proc-all-sigs. [T7261] * gpg: Fix a wrong decryption failed status for signed and OCB encrypted messages without a signature verification key. [T7042] * gpg: Make --no-literal work again for -c and --store. [T5852] * gpg: Fix getting key by IPGP. [T7288] * gpg: Validate the trustdb after the import of a trusted key. [T7200] * gpg: Exclude expired trusted keys from the key validation process. [T7200] * gpgsm: New option --assert-signer. [T7286] * gpgsm: Emit user IDs with an empty Subject also in colon mode. [T7171] * keyboxd: Fix a race condition on the database handle. [T7294] * agent: Consider an empty pattern file as valid. [rGc27534de95] * agent: Fix error handling of READKEY. [T6012] * agent: Avoid random errors when storing key in ephemeral mode. [T7129, rG19d93a239d] * agent: Make "SCD DEVINFO --watch" more robust. [T7151] * agent: Fix detection of the yet unused trustflag de-vs. [T5079] * scd: Improve KDF data object handling for OpenPGP cards. [T7058] * scd: Avoid buffer overrun with more than 16 PC/SC readers. [T7129, rG524e3a9345] * scd: Fix how the scdaemon on its pipe connection finishes. [T7160] * gpgconf: Check readability of some files with -X and change its output format. [rG759adb2493] * gpg-mail-tube: New tool to apply PGP/MIME encryption to a mail. [rGa564a9f66c] * Fix a race condition in creating the socket directory. [T7332] * Fix some uninitialized variables and double frees in error code paths. [T7129]
Noteworthy changes in version 2.4.7 ===================================
* gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882] * gpg: Avoid a failure exit code for expired ultimately trusted keys. [T7351] * gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo. [T7425] * gpg: Retain binary representation for import->export with Ed25519 key signatures. [T7426] * gpgsm: Improvement for some rare P12 files. [rG5f9975abf5] * scd: More mitigations against lock ups with multiple cards or apps. [T7323, T7402] * gpgtar: Fix directory creation during extraction. [T7380] * gpg-mail-tube: Minor fixes. * gpgconf: Add list flag to trusted-key et al. [T7313] * Fix a build problem on macOS (missing unistd.h). [T7193]
Noteworthy changes in version 2.5.2 (2024-12-05) ================================================ [compared to version 2.5.1]
* gpg: Add option 16 to --full-gen-key to create ECC+Kyber. [T6638] * gpg: For composite algos add the algo string to the colons listings. [T6638] * gpg: Validate the trustdb after the import of a trusted key. [T7200] * gpg: Exclude expired trusted keys from the key validation process. [T7200] * gpg: Fix a wrong decryption failed status for signed and OCB encrypted messages without a signature verification key. [T7042] * gpg: Retain binary representation for import->export with Ed25519 key signatures. [T7426] * gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo. [T7425] * gpg: Avoid a failure exit code for expired ultimately trusted keys. [T7351] * gpg: Emit status error for an invalid ADSK. [T7322] * gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882] * gpg: Fix --quick-set-expire for V5 subkey fingerprints. [T7298] * gpg: Robust error handling for SCD READKEY. [T7309] * gpg: Fix cv25519 v5 export regression. [T7316] * gpgsm: Nearly fourfold speedup of validated certificate listings. [T7308] * gpgsm: Improvement for some rare P12 files. [rGf50dde6269] * gpgsm: Terminate key listing on output write error. [T6185] * agent: Add option --status to the LISTRUSTED command. [rG4275d5fa7a] * agent: Fix detection of the yet unused trustflag de-vs. [T5079] * agent: Allow ssh to sign data larger than the Assuan line length. [T7436] * keyboxd: Fix a race condition on the database handle. [T7294] * dirmngr: A list of used URLs for loaded CRLs is printed first in the output of the LISTCRL command. [T7337]
* scd: More mitigations against lock ups with multiple cards or apps. [T7323, T7402] * gpgtar: Use log-file from common.conf only in --batch mode. [rGb389e04ef5] * gpgtar: Fix directory creation during extraction. [T7380] * gpg-mail-tube: Minor fixes. * gpgconf: Add list flag to trusted-key et al. [T7313] * Implement GNUPG_ASSUME_COMPLIANCE envvar and registry key for testing de-vs compliance mode. [rGb287fb5775,rG7b0be541a9] * Enable additional runtime protections in speedo builds for Windows. [rG39aa206dc5] * Fix a race condition in creating the socket directory. [T7332] * Fix a build problem on macOS (missing unistd.h). [T7193]
Noteworthy changes in version 2.5.3 (2025-01-09) ================================================ [compared to version 2.5.2]
* gpg: Allow for signature subpackets of up to 30000 octets. [rG36dbca3e69] * gpg: Silence expired trusted-key diagnostics in quiet mode. [T7351] * gpg: Allow smaller session keys with Kyber and enforce the use of AES-256 if useful. [T7472] * gpg: Fix regression in key generation from existing card key. [T7309,T7457] * gpg: Print a warning if the card backup key could not be written. [T2169] * The --supervised options of gpg-agent and dirmngr have been renamed to --deprecated-supervised as preparation for their removal. [rGa019a0fcd8] * There is no more default for a keyserver.
Noteworthy changes in version 2.5.4 (2025-02-12) ================================================ [compared to version 2.5.3]
* gpg: New option --disable-pqc-encryption. [rG00c31f8b04] * gpg: Fix --quick-add-key for Weierstrass ECC with usage given. [T7506] * gpg: Fix handling with no CRC armor. [T7071] * gpg: New private Kyber keys are now cross-referenced using a new Link attribute. [T6638] * gpg: Fix an import problem with keys having another primary key as a subkey. [T7527] * gpgsm: Allow unattended PKCS#12 export without passphrase. [rG159e801043] * gpgsm: Allow CSR generation with an unprotected key. [rG89055f24f4] * agent: New option --change-std-env-name. [T7522] * agent: Fix ssh-agent's request_identities for skipped Brainpool keys. [rG2469dc5aae] * Do not package zlib and bzip2 object files in a Speedo release build. [T7442]
Noteworthy changes in version 2.5.5 (2025-03-07) ================================================ [compared to version 2.5.4]
* gpg: Fix a verification DoS due to a malicious subkey in the keyring. [T7527] * dirmngr: Fix possible hangs due to blocking connection requests. [T6606, T7434] * w32: On socket nonce mismatch close the socket. [T7434] * w32: Print more detailed diagnostics for IPC errors. * GPGME is not any more distributed with the Windows installer. Please install gpg4win to get gpgme version.
Noteworthy changes in version 2.5.6 (2025-05-08) ================================================ [compared to version 2.5.5]
* gpg: Add a flag to the filter expressions for left anchored substring match. [rGc12b7d047e] * gpg: New list option "show-trustsig" to avoid resorting to colon mode for this info. [rG41d6ae8f41] * gpg: New command --quick-tsign-key to create a trust signature. [rGd90b290f97] * gpg: New keygen parameter "User-Id". [rGcfd597c603] * gpg: New list options "show-trustsig". [rGrG41d6ae8f41] * gpg: Fix double free of internal data in no-sig-cache mode [T7547] * gpg: Signatures from revoked or expired keys do not anymore show up as missing keys. Fixes regression in 2.5.5. [T7583] * gpgsm: Extend --learn-card by an optional s/n argument. [T7379] * gpgsm: Skip expired certificates when selection a certificate by subject. [rG4cf83273e8] * card: New command "ll" as alias for "list --cards". [rGd6ee7adebe] * scd: Fix posssible lockup on Windows due to a lost select result. [rGa7ec3792c5] * scd:p15: Accept P15 cards with a zero-length label. [rGdb25aa9887] * keyboxd: Use case-insensitive search for mail addresses. [T7576] * dirmngr: Fix a problem in libdns related to an address change from 127.0.0.1. [T4021] * gpgconf: Fix reload and kill of keyboxd. [T7569] * Fix logic for certain recsel conditions. [rG8968e84903] * Add Solaris support to get_signal_name. [T7638] * Fix build error of the test shell on AIX. [T7632]
About the vulnerability: Embedded malicious fonts in a PDF file may lead to code execution in Okular. CVSS Base Score: 8.1 (v3.1) Details https://euvd.enisa.europa.eu/enisa/EUVD-2025-6367 (alternative ids: CVE-2025-27363, GHSA-g8qj-jv5h-78cp)
There are other good things in Gpg4win 4.4.1, for example * improvements in the Outlook Add-in (GpgOL) * a better Kleopatra * GnuPG upgraded to v2.4.8
Check out the https://www.gpg4win.org/change-history.html
Noteworthy changes in version 2.5.7 (2025-06-02) ================================================ [compared to version 2.5.6]
* gpg: Allow updating a SHA-1 key certification w/o using the --force-sign-key option. [T7663] * gpg: The group key flag has now been fully implemented. [rG8833a34bf0] * gpg: Make combination of show-only-fpr-mbox and show-unusable-uid work. [rGd5a4a2dc89] * gpg: Do not allow compressed key packets on import. [T7014] * gpgsm: Allow an empty subject DN also during import. [T7171] * agent: Recover the old behavior with max-cache-ttl=0. [T6681] * agent: Fix ECC key on smartcard for composite KEM with PQC. [T7648] * scd: Fix a harmless read buffer over-read in a function used by PKCS#15 cards. [T7662] * gpg-mail-tube,wks: Support templates for mail content. [T7381] * Use the KEM interface of Libgcrypt for encryption/decryption. [T7649] * Fix a glitch in socket handling in Windows in case of a nonce mismatch. [rG645cf7d8fc]
Noteworthy changes in version 2.5.8 (2025-06-20) ================================================ [compared to version 2.5.7]
* gpg: Show revocation reason with a standard -k listing. [T7083] * gpg: Emit a revocation reason as comment in a "pub" record. [T7083] * agent: Fix regression in 2.5.7 decrypting with a card based cv25519 key. [T7676] * scd:openpgp: Fix a regression in exporting card based ed25519 ssh keys. [T7589] * dirmngr: Do not require a keyserver for "gpg --fetch-key". [T7693]
Noteworthy changes in version 2.5.9 (2025-07-10) ================================================ [compared to version 2.5.8]
* gpg: Add the revocation reason to the sigclass of a "rev" line. Regression in 2.5.7. [T7073] * gpg: Do not show the non-standard secp256k1 curve in the menu to select the curve. It can however be specified using its name. [rG49a9171f63] * gpg: Fix regression in using the secp256k1 curve. [T7698] * dirmngr: New option --user-agent and send a default User-Agent of "GnuPG/2.6" for all HTTP requests. [T7715]
GnuPG 2.5.12 (テスト版だけど "fully supported and thus ready for production use" と謳ってる) Gpg4winの新しいベータ版はまだ出てない
Noteworthy changes in version 2.5.12 (2025-09-02) ================================================= [compared to version 2.5.11]
* gpg: New options --[no-]auto-key-upload. [T7333] * gpg: Keys send to an LDAP server are now first updated from that server. New keyserver option "no-update-before-send" to disable this feature. [T7730] * gpg: Disable default compression for 7z compressed input. [rG53252628de] * gpg: Fix a regression with composite PQC and ECC algos. [T7649] * gpg: Fix the list of possible algos for --edit-key:addkey. [T7788] * gpg: Allow to select the Kyber variants with --edit-key:addkey. [T7792] * gpg: Avoid a second Pinentry pop-up for a configured ADSK during key generation. [T7491] * gpg: Change the ADSK key binding time to use the current time. [T6882] * gpgsm: Add option --no-qes-note and new trustlist flag "noconsent". [T7713] * agent: Enable "relax" in the trustlist by default and add flag "norelax". [rG7b133027ae] * agent: Fix a crash on Windows in the Putty support. [T7799] * dirmgr: Support LDAP servers using a schema like the Windows LDS servers. [T7742] * scd:openpgp: Support Yubikey attestation generation. [rG5ddfedf24a] * gpgtar: Fix regression in end-of-archive detection. [T7757]
Noteworthy changes in version 2.5.13 (2025-10-22) ================================================= [compared to version 2.5.12]
* gpg: Fix de-vs compliance with OCB and additional password. [T7804] * gpg: Detect duplicate keys with --add-recipients. [T1825] * gpg: Take care about the prefix for cv25519 encryption. [T7649] * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures. [rGdb9705ef59] * gpg: Error out on unverified output for non-detached signatures. [rG8abc320f2a] * gpgsm: Use KEM interface for en- and decryption. [T7811,T7845] * gpgsm: Fix delete and store certificate locking glitches. [T7855] * gpg,gpgsm: Run keybox compression only when there are no other users. [T7855] * gpg,gpgsm: Improve keybox closing and locking order on read and write. [T7855] * gpg,gpgsm: Always use share mode read-write for the keybox file access. [T7829] * scd:openpgp: Fix an oddity in changing the PIN. [T7840] * dirmngr: New LDAP keyserver flag "upload". [T7866] * agent: Retry private key deletion in case of sharing violations for up to 400ms. [T7863] * Take care of a possible race on daemon startup under Windows. [T7829] * Improve file renaming on Windows in case of a sharing violation error. [T7829]
