ANN: A new version (0.4.3) of python-gnupg has been released. It contains a security-related change - please update to this version

[Vinay Sajip]

A new version of the Python module which wraps GnuPG has been released.

What Changed?

=============

This is a security-fix release, and all users are strongly encouraged to upgrade.

This fix mitigates against CVE-2018-12020. See the discoverer's blog post [6] for

more information.

Brief summary:

* Added --no-verbose to the gpg command line, in case verbose is specified in

  gpg.conf - we don't need verbose output.

This release [2] has been signed with my code signing key:

Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at yahoo.co.uk>

Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86

Recent changes to PyPI don't show the GPG signature with the download links.

An alternative download source where the signatures are available is the project's

own downloads page [5].

As always, your feedback is most welcome (especially bug reports [3],

patches and suggestions for improvement, or any other points via the

mailing list/discussion group [4]).

Enjoy!

Cheers

Vinay Sajip

Red Dove Consultants Ltd.

[1] https://bitbucket.org/vinay.sajip/python-gnupg

[2] https://pypi.python.org/pypi/python-gnupg/0.4.3

[3] https://bitbucket.org/vinay.sajip/python-gnupg/issues

[4] https://groups.google.com/forum/#!forum/python-gnupg

[5] https://bitbucket.org/vinay.sajip/python-gnupg/downloads/

[6] https://neopg.io/blog/gpg-signature-spoof/