ANN: A new version (0.4.4) of python-gnupg has been released. It contains a security-related change - please update to this version


Vinay Sajip

Jan 24, 2019, 4:55:17 AM1/24/19
to python-gnupg
What Changed?
This is an enhancement and security-fix release, and all users are strongly
encouraged to upgrade.

Brief summary:

* Fixed #108: Changed how any return value from the on_data callable is
  processed. In earlier versions, the return value was ignored. In this version,
  if the return value is False, the data received from gpg is not
  buffered. Otherwise (if the value is None or True, for example), the
  data is buffered as normal. This functionality can be used to do your own
  buffering, or to prevent buffering altogether.

  The on_data callable is also called once with an empty byte-string to
  signal the end of data from gpg.

* Fixed #97: Added an additional attribute check_fingerprint_collisions to
  GPG instances, which defaults to False. It seems that gpg is happy
  to have duplicate keys and fingerprints in a keyring, so we can't be too
  strict. A user can set this attribute of an instance to True to trigger a
  check for collisions.

* Fixed #111: With GnuPG 2.2.7 or later, provide the fingerprint of a signing
  key for a failed signature verification, if available.

* Fixed #21: For verification where multiple signatures are involved, a
  mapping of signature_ids to fingerprint, keyid, username, creation date,
  creation timestamp and expiry timestamp is provided.

* Added a check to disallow certain control characters ('\r', '\n', NUL) in
  passphrases. This fix mitigates CVE-2019-6690.
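As an added illustration of two of the behaviours described above (not part of the announcement or of python-gnupg's own code): a pre-flight passphrase check that rejects the same control characters the release now refuses, and an on_data callable that streams chunks to a sink and returns False so nothing is buffered. The gpg read loop is emulated here so the code runs without a gpg binary; the attribute name gpg.on_data in the comments is assumed from the release notes.

```python
import io

# Control characters the 0.4.4 release rejects in passphrases (CVE-2019-6690).
FORBIDDEN_PASSPHRASE_CHARS = ("\r", "\n", "\x00")


def check_passphrase(passphrase: str) -> str:
    """Return the passphrase unchanged, or raise ValueError if it contains a
    character the library now refuses to hand to gpg."""
    bad = [c for c in FORBIDDEN_PASSPHRASE_CHARS if c in passphrase]
    if bad:
        raise ValueError("passphrase contains control characters: %r" % bad)
    return passphrase


class StreamingHandler:
    """on_data callable: write each chunk to a sink and return False so
    python-gnupg does not also keep a copy in the result object.
    Real use (assumed): gpg.on_data = StreamingHandler(open(path, 'wb'))."""

    def __init__(self, sink):
        self.sink = sink
        self.chunks = 0
        self.finished = False

    def __call__(self, data: bytes):
        if data == b"":            # empty byte-string signals end of gpg output
            self.finished = True
            return False
        self.sink.write(data)
        self.chunks += 1
        return False               # False: do not buffer this chunk


def stream_to_bytes(chunks):
    """Constructed stand-in for the library's read loop: feed the chunks, then
    the empty terminator. Returns (bytes written, finished, chunk count,
    whether any call asked for buffering)."""
    sink = io.BytesIO()
    handler = StreamingHandler(sink)
    buffered = False
    for chunk in list(chunks) + [b""]:
        if handler(chunk) is not False:   # None or True would mean "buffer"
            buffered = True
    return sink.getvalue(), handler.finished, handler.chunks, buffered
```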

This release [2] has been signed with my code signing key:

Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at>
Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86

Recent changes to PyPI don't show the GPG signature with the download links.
An alternative download source where the signatures are available is the project's
own downloads page [4].

As always, your feedback is most welcome (especially bug reports [3],
patches and suggestions for improvement, or any other points via this group).

Vinay Sajip
Red Dove Consultants Ltd.
