This is an enhancement and security-fix release, and all users are strongly
encouraged to upgrade.
* Fixed #108: Changed how any return value from the on_data callable is
processed. In earlier versions, the return value was ignored. In this version,
if the return value is False, the data received from gpg is not
buffered. Otherwise (if the value is None or True, for example), the
data is buffered as normal. This functionality can be used to do your own
buffering, or to prevent buffering altogether.
The on_data callable is also called once with an empty byte-string to
signal the end of data from gpg.
* Fixed #97: Added an additional attribute check_fingerprint_collisions to
GPG instances, which defaults to False. It seems that gpg is happy
to have duplicate keys and fingerprints in a keyring, so we can't be too
strict. A user can set this attribute of an instance to True to trigger a
check for collisions.
* Fixed #111: With GnuPG 2.2.7 or later, provide the fingerprint of a signing
key for a failed signature verification, if available.
* Fixed #21: For verification where multiple signatures are involved, a
mapping of signature_ids to fingerprint, keyid, username, creation date,
creation timestamp and expiry timestamp is provided.
* Added a check to disallow certain control characters ('\r', '\n', NUL) in
passphrases. This fix mitigates against CVE-2019-6690.
This release  has been signed with my code signing key:
Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at yahoo.co.uk
Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86
Recent changes to PyPI don't show the GPG signature with the download links.
An alternative download source where the signatures are available is the project's
own downloads page .
As always, your feedback is most welcome (especially bug reports ,
patches and suggestions for improvement, or any other points via this group).
Red Dove Consultants Ltd.