Happy 35th birthday to PGP!
*Open*PGP is a couple of years younger but to mark the occasion (and also the 0th birthday of the OpenPGP Organization!) there’s a fresh new theme on the https://openpgp.org website.
FreePG maintains a shared patchset for #GnuPG downstream packagers to track, maintain, and apply commonly-used patches. The project goals are:
* Minimise divergence from the IETF #OpenPGP specification
* Support reading of LibrePGP artifacts for compatibility
* Fix security issues that remain unresolved upstream
* Support the maintenance needs of downstream distributions
| Homepage | https://freepg.org |
| Mailing List | https://openpgp.simplelists.com/freepg |
#GnuPG 2.5.20-freepg has been released.
It contains all the latest bug fixes from upstream GnuPG, plus the usual FreePG patches.
Note that the FreePG project considers the 2.5.x branch to be experimental, and does not enable non-standard OpenPGP algorithms unless “--compliance=gnupg” is explicitly set.
Release notes
=============
Noteworthy changes in version 2.5.20-freepg (2026-05-15)
--------------------------------------------------------
* No FreePG-specific changes.
https://gitlab.com/freepg/gnupg/-/releases/gnupg-2.5.20-freepg
Upstream's release notes follow.
------
Noteworthy changes in version 2.5.20 (2026-05-13)
-------------------------------------------------
* New and extended features:
  - gpgsm: Implement GCM encryption. Note that decryption works
    since version 2.3.2. [T3979]
  - gpgsm: New option --attribute and server command SETATTR to
    include arbitrary signed or unsigned attributes into a signature.
    Enable only with libksba 1.7.0 or later. [T4537]
  - gpgsm: Introduce system attribute _signingCertificateV2.
    [rG0335a9cb04]
* Bug fixes:
  - gpg: Fix wrong assertion failure which could very rarely occur
    during key signature checking. [rG693f5642f6]
  - gpg: Consider certify-only keys for revocation signature check.
    [T8196]
  - gpgsm: Fix possible double free in the CMS parser. [T8240]
  - gpgsm: Fix possible too early removal of ephemeral keys. [T8236]
  - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
    is not used. [rG69c27fe377]
  - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
    data. [rG60a823c97b]
  - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f]
  - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e]
  - keyboxd: Mark keys searched but not imported via LDAP correctly
    as ephemeral. [T8048]
  - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
    keys > 2k. [T8244]
  - dirmngr: Fix uninitialized use of the dns_any union in
    dns_rr_cmp. [T8251]
Release-info: https://dev.gnupg.org/T7997
#GnuPG 2.5.19-freepg has been released.
It contains all the latest bug fixes from upstream GnuPG, plus the usual FreePG patches.
Note that the FreePG project considers the 2.5.x branch to be experimental, and does not enable non-standard OpenPGP algorithms unless “--compliance=gnupg” is explicitly set.
Release Notes
=============
Noteworthy changes in version 2.5.19-freepg (2026-04-30)
--------------------------------------------------------
* No FreePG-specific changes.
https://gitlab.com/freepg/gnupg/-/releases/gnupg-2.5.19-freepg
Upstream's release notes follow.
-----
Noteworthy changes in version 2.5.19 (2026-04-24)
-------------------------------------------------
* New and extended features:
  - gpg: New option --use-ocb-sym. [rGccdcdfbb37]
  - gpg: New options --show-[only-]session-hash. [rGecd0f7afa1]
  - gpgsm: Allow cipher mode to be part of the algo given to the
    --cipher-algo option. [T3979]
  - gpgsm: Emit more details when failing to check a crlDP. [T8221]
  - agent: Improve pinentry behavior and texts in smartcard context.
    [T6425]
  - dirmngr: New keyword "clear" for --keyserver. [rG2ab4cba36c]
* Bug fixes:
  - gpg: Fix edge case in --refresh-keys. [T8197]
  - gpg: Don't call gcry_kdf_derive with empty passphrase. [T7739]
  - gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to
    allow import of recently issued certificates by the German
    Telekom. [rGc8c9604bba]
  - gpgsm: Fix a bug so that a certificate can be signed using a
    different algo. [rG66fdafab3c]
  - gpgsm: Make GCM fully compliant in de-vs mode. [rG04fd775fce]
  - gpgsm: Add a certificate chain check for de-vs compliance.
    [T8188]
  - gpgsm: Show rsaPSS certificates as de-vs compliant in listings.
    [T8222]
  - agent: Rework the trustlist reading code to finally allow a
    trustlist.txt with a missing trailing LF. [T8078]
  - ssh: Fix RSA padding in signature handling. [T7882,T8202]
  - gpgtar: Fix -C (--directory) to check the output directory.
    [T8159]
* Other changes:
  - agent: Raise an error when p >= q for RSA keys to detect
    incorrect generated *PGP keys. [T8171]
Release-info: https://dev.gnupg.org/T7998
#GnuPG 2.2.54-freepg has been released.
It contains all the latest bug fixes from upstream GnuPG, plus the usual FreePG patches.
Release Notes
=============
## Noteworthy changes in version 2.2.54-freepg (2026-04-24)
* No FreePG-specific changes.
https://gitlab.com/freepg/gnupg/-/releases/gnupg-2.2.54-freepg
Upstream's release notes follow.
-------------
## Noteworthy changes in version 2.2.54 (2026-04-20)
* gpg: Fix an edge case in --refresh-keys. [T8197]
* gpgsm: Add a certificate chain check for de-vs compliance.
  [T8188]
* gpgsm: Show rsaPSS certificates as de-vs compliant in listings.
  [T8222]
* agent: Accept a trustlist with a missing LF at the end. [T8078]
Release-info: https://dev.gnupg.org/T8170
I'm getting quite annoyed with the state of #GnuPG as a packager.
Upstream silently keeps releasing 2.2 versions to this day(!) and at the same time claims 2.4 will soon be EOL (also refuses to backport security fixes for it).
Meanwhile, there are no good reasons to upgrade to 2.5, unless one wants incompatibility with the entire rest of the ecosystem (see https://wiki.archlinux.org/index.php?title=GnuPG&oldid=860217#OpenPGP_compatibility).
The move to #OpenPGP #RFC9580 compliant solutions can't happen early enough!
Also, I'm glad we have @freepg
#GnuPG 2.2.53-freepg has been released.
It contains all the latest bug fixes from upstream GnuPG, plus the usual FreePG patches.
In addition, a fix for the default filename path traversal issue identified by #gpgfail has been backported from upstream 2.5.16 (gpg.fail/filename)
https://gitlab.com/freepg/gnupg/-/releases/gnupg-2.2.53-freepg
I set up a containerized build environment to facilitate working on the GnuPG IETF PQC branch:
https://codeberg.org/freepg/freepg-draft-ietf-openpgp-pqc/src/branch/main/build
The goal of adding #IETF #PQC support to @freepg is still very many steps away. But it's nice to have a foundation to start from :)
FreePG now has a public mailing list for general discussion and formal decision-making.
Thanks to simplelists.com for their kind sponsorship!
The https://freepg.org/ project maintains patches against #GnuPG with the goal of closer adherence to the IETF #OpenPGP spec.
One currently open question is if/how draft-ietf-openpgp-pqc support could be realistically added to #FreePG
I've started https://codeberg.org/freepg/freepg-draft-ietf-openpgp-pqc first of all as a notes-to-self repo for a (presumably very slow and long-term) side quest to explore this problem.
Specifically, the goal would be adding support for v4 ML-KEM-768+X25519 subkeys.
https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-17.html#ecc-mlkem
#GnuPG 2.5.18-freepg has been released.
It contains all the latest bug fixes from upstream GnuPG, plus the usual FreePG patches.
This release also contains fixes for additional gpg.fail issues that remain unfixed upstream:
* skip trust packets during import-restore (https://gpg.fail/trust)
* compat ignore truncated line (https://gpg.fail/formfeed)
* fail on unprintable armor headers (https://gpg.fail/nullbyte https://gpg.fail/notdash)
Note that the FreePG project considers the 2.5.x branch to be experimental, and does not enable non-standard OpenPGP algorithms unless “--compliance=gnupg” is explicitly set.
https://gitlab.com/freepg/gnupg/-/releases/gnupg-2.5.18-freepg