Post-quantum defaults and GnuPG

@andrewg's email is a very insightful overview of where the standards, implementations, and openness of the community stand.

After years of using OpenPGP, the PQC discussions are a good opportunity to rethink what we should prepare for next and especially which community we should work with.

#pgp #librepgp #openpgp #opensource
#community #cybersecurity

🔗 https://lists.gnupg.org/pipermail/gnupg-users/2026-April/068280.html

Post-quantum defaults

@ber @GnuPG @rob Thanks! I'll point the lurkers to the mailing list for my full response, which I agree is better in long form: https://lists.gnupg.org/pipermail/gnupg-users/2026-April/068288.html

The tl;dr though is simple: the burning issue is a power struggle between a collective governance model (#OpenPGP) and a BDFL governance model (#LibrePGP). There isn't room for both. And while we can all try to be more civil, calling out bad behaviour will always have the appearance of incivility.

Discussion style differences between OpenPGP design groups (Re: Post-quantum defaults)

You want to read up on #E2EE for #eMail, and right away you discover the new tech drama between #OpenPGP and #LibrePGP.

Regardless of the substance of the discussion: user-friendly looks different.

Fragmented standards, opinionated and overly technical documentation, lots of deep-tech talk, ...

That E2EE has not yet become widely established is, in my opinion, primarily due to this unpleasant #UX - and unfortunately the same applies to many other #OpenSource projects. A pity.

If you use one of the new #GnuPG 2.5 #LibrePGP PQC Keys, which one?

* Kyber 768 (brainpool256): 0%
* Kyber 1024 (brainpool384): 0%
* Kyber 768 (X25519): 100%
* Kyber 1024 (X448): 0%

Poll ended.

#GnuPG has been working on a forked #LibrePGP standard with support for #PQC now for a while. GnuPG 2.5 supports the new LibrePGP keys and diverges from the #OpenPGP RFC in the works for PQC.

Do you use 2.5 with a new PQC key? Stick with 2.4 and/or wait for the updated OpenPGP standard?

Please boost.

#crypto #cryptography #standard

* I use GnuPG 2.5 with a LibrePGP PQC hybrid key: 33.3%
* I use GnuPG 2.4 with a traditional OpenPGP key: 16.7%
* I wait for the updated OpenPGP standard with PQC: 50%

Poll ended.

When looking at the changes towards the new 2.5.19 version of #GnuPG, there are many small things: a way to use OCB for symmetric-only encryption, a few defect fixes and improvements.

Not that exciting, but maintenance of the well-known #LibrePGP, OpenPGPv4 and CMS capable crypto engine ... you may want to know anyhow. ;)

https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html
https://dev.gnupg.org/T7998

#GnuPG #EndtoEndCrypto #FreeSoftware

[Announce] GnuPG 2.5.19 released

Dear GnuPG packagers and builders, please upgrade libgcrypt to v1.12.2 to remove a denial of service vulnerability (estimated CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H -- 7.5 (HIGH)) Releases of other stable versions of libgcrypt are available as well.

(GnuPG versions >= 2.5.7 are not affected due to the use of a different encryption API.)

See https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html for details.

#GnuPG #EndtoEndCrypto #FreeSoftware #LibrePGP

[Announce] [Security fixes] Libgcrypt 1.12.2, 1.11.3, 1.10.x released

Details about the (ongoing) response to https://gpg.fail/ from GnuPG's side:

* https://www.gnupg.org/blog/20251226-cleartext-signatures.html
* https://dev.gnupg.org/T7906 Memory Corruption in ASCII-Armor Parsing
* https://dev.gnupg.org/T7900 (overview)

Please upgrade to GnuPG 2.5.16, 2.4.9 or #Gpg4win 5.0.0-beta479 which already have the fix for what (currently) is seen to be the only major defect: T7906.

(Researchers - Thanks! - found defects in GnuPG, Sequoia-PGP, Minisign and age.)

#EndtoEndCrypto #LibrePGP #GnuPG #Security

gpg.fail

#GnuPG v2.5.14 is here to try.

A no-brainer upgrade for those who use the 2.5 series already. You'd get some defects fixed and a new secret key export/import for the post-quantum cryptography (#PQC) algorithm "Kyber". RFC 8332 for ssh is now supported.

For others: the 2.5 series is good for Windows 64 and PQC. #LibrePGP #OpenPGPv4 #EndtoEndCrypto

https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000499.html

[Announce] GnuPG 2.5.14 released

@Velocifyer @andrewg That's the reason for my plans to switch from #GnuPG to #sequoiapgp, not the #LibrePGP vs #RFC9580 mess. If an RTFM doesn't suffice and it comes down to RTFC (...Code), I am out.

See GnuPG manpage:

❯ gpg --version | head -n 1
gpg (GnuPG) 2.5.13
❯ man gpg | sed -n '/^[[:space:]]*dane/,/^$/p'
dane Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt.

... and:

The lookup result MUST pass DNSSEC validation; if validation reaches any state other than "Secure", the verification MUST be treated as a failure.

Source: https://datatracker.ietf.org/doc/html/draft-ietf-dane-openpgpkey-05#section-5

Using DANE to Associate OpenPGP public keys with email addresses

OpenPGP is a message format for email (and file) encryption that lacks a standardized lookup mechanism to securely obtain OpenPGP public keys. This document specifies a method for publishing and locating OpenPGP public keys in DNS for a specific email address using a new OPENPGPKEY DNS Resource Record. Security is provided via DNSSEC.

IETF Datatracker
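As an added example (not code from the post, from GnuPG or from the IETF draft), the following Python models the two defender-relevant steps of the DANE key lookup described above: deriving the OPENPGPKEY owner name for an address, and refusing any answer whose DNSSEC validation state is not "Secure". The owner-name derivation follows RFC 7929 section 2.1, the published successor of the draft-ietf-dane-openpgpkey draft the post cites (SHA-256 of the local-part, truncated to 28 octets, hex-encoded, under `_openpgpkey`). The `LookupResult` class, the `validation_state` strings and the sample address and key blob are constructed stand-ins for a validating resolver's answer, not a real DNS API.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LookupResult:
    """Constructed stand-in for what a validating resolver hands back.

    validation_state uses the RFC 4035 names: "Secure", "Insecure",
    "Bogus" or "Indeterminate". rdata holds raw OPENPGPKEY RDATA blobs,
    i.e. binary (not ASCII-armored) transferable public keys.
    """
    validation_state: str
    rdata: List[bytes] = field(default_factory=list)


def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an address (RFC 7929 s2.1).

    The local-part is hashed as given (it is case-sensitive); the domain
    is case-insensitive and is lowercased here for a canonical name.
    """
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError("expected an address of the form local-part@domain")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def looks_like_transferable_public_key(blob: bytes) -> bool:
    """Cheap sanity check: the RDATA must start with an OpenPGP packet
    header whose tag is 6 (Public-Key Packet), in old or new format
    (RFC 4880 s4.2). A full parser would validate the rest of the key."""
    if not blob:
        return False
    first = blob[0]
    if first & 0x80 == 0:          # bit 7 must be set in every packet header
        return False
    if first & 0x40:               # new-format header: tag in bits 0-5
        tag = first & 0x3F
    else:                          # old-format header: tag in bits 2-5
        tag = (first >> 2) & 0x0F
    return tag == 6


def select_dane_key(result: LookupResult) -> Optional[bytes]:
    """Return a usable key blob, or None if the lookup must be treated as
    a failure. Per the draft, anything other than "Secure" (including an
    unsigned zone, i.e. "Insecure") is a failure: a key found via DANE
    is only as trustworthy as the DNSSEC chain that delivered it."""
    if result.validation_state != "Secure":
        return None
    for blob in result.rdata:
        if looks_like_transferable_public_key(blob):
            return blob
    return None


# Constructed sample data: an old-format Public-Key Packet header (0x99 =
# tag 6, two-octet length) followed by filler, and a junk blob.
SAMPLE_KEY_BLOB = b"\x99\x01\x0c\x04" + b"\x00" * 8
SAMPLE_JUNK_BLOB = b"not a key"


def demo() -> dict:
    """Run the lookup logic over constructed answers; returns the outcomes."""
    name = openpgpkey_owner_name("hugh@example.com")
    return {
        "owner_name": name,
        "secure_ok": select_dane_key(
            LookupResult("Secure", [SAMPLE_JUNK_BLOB, SAMPLE_KEY_BLOB])),
        "insecure_rejected": select_dane_key(
            LookupResult("Insecure", [SAMPLE_KEY_BLOB])),
        "bogus_rejected": select_dane_key(
            LookupResult("Bogus", [SAMPLE_KEY_BLOB])),
        "secure_but_garbage": select_dane_key(
            LookupResult("Secure", [SAMPLE_JUNK_BLOB])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With a stub resolver, the "Secure" state usually arrives as the AD bit from a validating resolver you trust over an authenticated path; an AD bit from an arbitrary upstream is not a substitute for local validation, which is why the check above is written against a validation state rather than against the mere presence of a record.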