Version 4.4.1 released 2025-05-21$$$A security bug has been found and fixed in the freetype library which is used by the included PDF viewer Okular. An update to this version of Gpg4win is highly suggested to avoid attacks in PDF documents using rogue embedded fonts. (CVE-2025-27363)$$$Kleopatra: The setting whether to show tags has been removed. The Tags column in the certificate lists can be shown/hidden the same way as the other columns. [T7204]$$$GpgOL: New feature to handle encrypted mails processed by the Titus data classification software. This can be disabled by setting the GpgOL Registry key disableTitusHandling to the string value 1. [rOc1b81f8737]$$$GpgOL: New optional feature to disable the automatic verification or decryption in the mail preview window. This feature can be enabled by setting the GpgOL Registry key disableAutoPreview to the string value 1. If enabled the new Start Decryption context menu item may be used to decrypt or verify a mail. [rO26c2fc196b] Possible workaround for issues due to third party Outlook AddIns.$$$Kleopatra: Decrypting archives with long filenames has been improved. [T7532]$$$Kleopatra: Certificates with multiple user IDs that have already been certified not-exportable can now be certified exportable. [T7600]$$$Kleopatra: Ensure that the decryption result window is visible when decrypting a file from the Windows Explorer. [T5780]$$$Kleopatra: Make showing the details of a certificate selected under Encrypt for others work again. [T7435]$$$Kleopatra: A crash was resolved that occurred when trying to decrypt something that was encrypted for a single hidden recipient. [T7476]$$$Kleopatra: Respect the default expiration date for key generation also when generating certificates for smart cards. [T7481]$$$GpgOL: Certificate groups are resolved again. [T7484]$$$GpgOL: A crash was resolved that sometimes occurred in the security approval window and that resulted in a No recipients for encryption selected error in Outlook. [T7312]$$$GpgOL: Fixed a crash on certain mails. [rO34d53b4309]$$$GpgOL: Fix setting of the content-id when sending multipart/related. [T5982]$$$GpgOL: Show signature status in ribbon for mails stored in files (.eml or .msg). [T6646]$$$GpgOL: Better distinguish level 3 signature security level from level 2 by using a double check mark in the icon. [T7079]$$$GpgOL: Consider the Policy Registry entry for ReadAsPlain first. This fixes the known issue Group policy may not be taken into account from 3.3.0. [T5681]$$$GpgOL: Allow the Permanently decrypt feature only after a successful decryption operation to avoid having unreadable mail on canceling the decryption. [T7485]$$$GpgOL: Fix a crash when cancelling an encrypted draft in certain cases. [T7590]$$$GnuPG: For a full list of changes between GnuPG 2.4.7 in Gpg4win-4.4.0 and GnuPG 2.4.8 in Gpg4win-4.4.1 please see: https://dev.gnupg.org/T7428$$$GnuPG: 2.4.8$$$Kleopatra: 20250514$$$GpgOL: 2.6.1$$$GpgEX: 1.0.11$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0

Version 4.4.0 released 2024-11-27$$$File encryption/decryption and signing/verification:$$$Kleopatra: Encryption and decryption of large files is much faster. [T6351]$$$Kleopatra: It is now possible to change the name of a decrypted file if another file with the same name already exists. [T6851]$$$Kleopatra: Files can be signed with multiple signatures. [T6867; T7273]$$$Kleopatra: All valid user IDs are listed for signing and encryption. This simplifies using certificates with multiple user IDs. [T7183]$$$Kleopatra: An easier to understand message is shown if a file could not be decrypted because it wasnt encrypted for one of the users certificates. [T7295]$$$Kleopatra: An icon for folder encryption was added. [T6984]$$$Certificate management:$$$Kleopatra: Certificates can be updated directly from the certificate list. [T6739]$$$Kleopatra: Additional subkeys can be added to existing certificates. [T6877]$$$Kleopatra: ADSKs can be added to existing certificates. [T6879]$$$Kleopatra: Look and feel of the certificate details view has been improved. [T7019; T6924; T6959; T7128; T7227; T7229; T7237; T7250; T7258]$$$Kleopatra: Changing the validity of subkeys has been improved. [T6878; T7198]$$$Kleopatra: Algorithm and keygrip can be displayed in the certificate list. [T6957]$$$Kleopatra: Generating a new OpenPGP certificate has been simplified by removing some options. [T6998]$$$Kleopatra: The confirmation window that is shown when deleting a certificate was simplified. [T7043]$$$Kleopatra: The workflow for revoking a certificate has been improved. [T7076; T7078]$$$Kleopatra: Certificates can be disabled if one doesnt want to use them for encryption or signing but still wants to keep them available. [T7089; T7217; T7234; T7296]$$$Kleopatra: In the certificate details window the origin of user-IDs can be displayed. [T7096]$$$Kleopatra: The password protecting a subkey can be changed even if the primary secret key is not available (offline key). [T7104]$$$Kleopatra: The name of the column displaying the status of certificates (e.g. certified; not certified; expired; revoked; etc.) was changed to Status. [T7219]$$$Kleopatra: Descriptions (tooltips) clarify the filter criteria that can be applied to the listed certificates. [T7302]$$$Certificate lookup:$$$Kleopatra: Show message that certificate lookup is in progress. [T6493]$$$Kleopatra: Show the certificate details on double-click on search results. [T7027]$$$Kleopatra: Show origin in search results. [T7067]$$$Kleopatra: Show all search results if same certificate was found on multiple servers. [T7153]$$$Kleopatra: Show origin and protocol columns in search results. [T7155]$$$Kleopatra: Adapt widths of columns to search results. [T7252]$$$Kleopatra: Select a unique search result for easier import. [T6936]$$$Certificate groups:$$$Zertifikatsgruppen:$$$Kleopatra: The group configuration can be opened from the toolbar. [T6913]$$$Kleopatra: The configuration of groups has been simplified. [T6662; T6722; T6966; T7321]$$$Kleopatra: New groups can be created directly from the certificate list. [T6912]$$$Kleopatra: When a certificate is deleted then the groups containing the certificate are listed. [T6403]$$$Kleopatra: The group configuration file kleopatragroupsrc is now stored in the GNUPGHOME. [T6931]$$$Smartcard management:$$$Kleopatra: Look and feel of the smartcard management view has been unified. [T6420; T6847; T7018; T7082]$$$Kleopatra: Certificates are now imported automatically from smartcards. [T6846]$$$Kleopatra: The workflow for moving a key to a smartcard has been improved. [T6933]$$$Other features:$$$Kleopatra: Add option to disable OpenPGP keyserver lookup. Add option to enable automatic retrieval of signing certificates when verifying signatures. [T6950]$$$Kleopatra: Add possibility to show the GnuPG configuration to help customer support. [T6072; T7331]$$$Kleopatra: Automatically initiate the most likely operation (encryption; decryption or import) when a file is dropped on Kleopatra. [T6894]$$$Kleopatra: Auto

Version 4.3.1 released 2024-03-11$$$GnuPG: D-TRUST ECC smart cards are now supported. [T7000;T7001]$$$Kleopatra: The WKD lookup does now also work if the mail addresses are surrounded by spaces. [T6868]$$$Kleopatra: The WKD lookup now works even if no keyserver is configured. [T6868]$$$GnuPG: The Windows system root CAs are now trusted when checking CRL. [T6963]$$$GnuPG: For a full list of the backend changes between GnuPG 2.4.4 in Gpg4win-4.3.0 and GnuPG 2.4.5 in Gpg4win-4.3.1 please see: https://dev.gnupg.org/T6960$$$GnuPG: 2.4.5$$$Kleopatra: 3.2.2$$$GpgOL: 2.5.12$$$GpgEX: 1.0.10$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0$$$Explicit download of this version: gpg4win-4.3.1

Version 4.3.0 released 2024-01-25$$$Kleopatra: A new mail viewer mode has been added; allowing crypto mails received by mail clients without PGP/MIME or S/MIME support to be decrypted. This means that you can open an SMIME.p7m file or openpgp-encrypted-message.asc attachment with Kleopatra; and it will be displayed as a mail. [T6199]$$$Kleopatra: It is now possible to certify multiple certificates at once using the group interface. [T6469]$$$Okular (GnuPG Edition): This PDF reader has received a lot of updates and is now ready for everydays use.$$$GnuPG: Support for proxy authentication using the Negotiation method has been added. [T6719]$$$GnuPG: Keyserver can now be configured to the value none to avoid unnecessary queries to non-existing keyservers that would slow down the system. [T6708]$$$GnuPG: Es kann nun der Wert none als Schlüsselserver verwendet werden; um unnötige Abfragen gegen nicht existierende Server zu vermeiden; die das System verlangsamen würden. [T6708]$$$GnuPG: A new option has been added to ignore specific CRL extensions. This can help as a workaround for problems with specific CRLs. [T6545]$$$GnuPG: Automatic proxy detection has been improved. [T5768]$$$Kleopatra: The start time of Kleopatra has been drastically improved on throttled systems with third-party software installed; which manipulates system calls. The number of system calls to start Kleopatra has been roughly halved. [T6259]$$$Kleopatra: The advanced options in the certification view are now automatically visible if they were open in the last certification. [T6480]$$$Kleopatra: Windows dark mode is now fully supported. [T4066]$$$Kleopatra: Some invalid operations; such as signing with an expired certificate; which would have resulted in errors; can no longer be triggered. The reason for this is indicated; too. [T6742 T6788]$$$Kleopatra: The support for Telesec signature cards has been improved. [T6830]$$$Kleopatra: When exporting or publishing certificates; the user is now informed if there are uncertified certificates in the export. This is especially useful when exporting groups. [T6766]$$$Kleopatra: Expiry dates after 19.01.2038 (year 2038 bug) are now possible. [T6736]$$$Kleopatra: The dialog to extend OpenPGP certificates has been improved and redundant options removed. [T6621]$$$Kleopatra: When creating archives; they are now written out as a .part file to improve error handling and canceling the operation without leaving a broken archive in the file system. [T6584]$$$Kleopatra: Updating certificates now also looks for updates in a Web Key Directory if one exists for the domain. [T5951]$$$Kleopatra: Progress bars are now also properly shown for S/MIME file operations. [T6534]$$$GpgOL: Added support for RFC2231 encoded attachment filenames; which increases compatibility with Apple Mail. [T6604]$$$GpgOL: Draft encryption with S/MIME certificates now skips CRL checks and is much faster and reliable. [T6827]$$$GpgOL: The error handling was improved if a preference for S/MIME is set and signing selected but no signing certificate can be found. See: https://gnupg.com/vsd/registry-settings.html (smimeNoCertSigErr) on how to add a custom message to instruct users what to do in this case. [T6683]$$$GpgOL: It is now possible to encrypt to S/MIME certificates that are untrusted or cannot be validated because of CRL errors. In this case a warning dialog is shown; allowing the user to override the errors. This is not VS-NfD compliant but can be used for unrestricted encryption. [T6701]$$$GpgOL: Mails without the correct MIME type but which still look like crypto mails are now decrypted. This improves compatibility with Apple Mail and various mail gateways that modify the structure of crypto mails in transit. [T6701]$$$GpgOL: The internal attachments are now called GpgOL_MIME_structure.mime instead of GpgOL_MIME_structure.txt to make it easier to link them to Kleopatra. This is; for example; visible for users when using the Outlook web interface. [T6656]$$$Gp

Version 4.2.0 released 2023-07-14$$$$$$ Okular (GnuPG Edition): Gpg4win has been extended with the popular Okular PDF Viewer. Although our Okular version is currently considered experimental and therefore not installed by default; this provides the ability to legally sign and verify documents with the S/MIME certificates and smart cards GnuPG supports. The GnuPG Edition of Okular is optimized to be lightweight and to provide as little attack surface as possible. It does not support any active content like JavaScript or media files in PDF documents. It should therefore be more suitable in high security environments than other PDF readers. See: https://www.gpg4win.org/version4.2.html$$$ GnuPG: The new component keyboxd is now enabled by default for new users of Gpg4win. keyboxd stores certificates (public keys) in an sqlite database and keeps it in memory. The resulting performance improvement can be quite large especially for users with large keyrings. Adventuresome users can enable it manually: Select all certificates in Kleopatra and export them with a right click. Add a file %APPDATA%\gnupg\common.conf with the contents use-keyboxd (without the quote marks); then restart Kleopatra and import your certificates again. As usual we caution to make a backup of the %APPDATA%\gnupg directory before modifying files in there. To switch back to the old behavior; add a # character in front of the use-keyboxd and restart Kleopatra. Where applicable you have to export the certificate before and import them again after the restart.$$$ mkportable has been removed. Please see: https://wiki.gnupg.org/Gpg4win/PortableVersion on how to create a portable version of Gpg4win.$$$ Kleopatra: Folder encryption and decryption (gpgtar) has been completely reworked so that it now has roughly the same performance as on the command line. The new architecture also allows for further performance improvements in the future and is much more robust. And solves several issues. [T5478 T6488 T6499 et.al.]$$$ Kleopatra: The progress indicator now also works for very large data files. [T6534]$$$ Kleopatra: It is now possible to rename the output file; if a file with the same name already exists; instead of just overwriting or canceling. [T6372]$$$ Kleopatra: It is now offered to delete the secret key on the computer after it was successfully transferred to a smart card. [T5836]$$$ Kleopatra: Added warnings when your certificate or other certificates in your keyring are about to expire. The warnings are configurable and should allow a smoother switch to a new or extended certificate. [T6452]$$$ Kleopatra: The Notepad now also uses the last chosen certificates for signing and self-encryption as default. The values are shared with file encryption.[T6415]$$$ Kleopatra: The startup time of Kleopatra has been slightly improved. [T6259]$$$ Kleopatra: The certificate selection input and dropdown fields are now alphabetically sorted. [T6492; T6514]$$$ Kleopatra: Backed up subkeys can now be restored through the UI even when they were used from a smart card in between. [T3456; T3391]$$$ Kleopatra: For certifications of public keys it is now possible to configure a default validity period. [T6452]$$$ Kleopatra: When extending the validity period of a certificate; the default for new ones is now preset. [T6479]$$$ Kleopatra: The default validity of new certificates is now three years instead of two. This can be changed through configuration. [T2701]$$$ GpgOL: Now offers to create a OpenPGP certificate; if none with signing capability exists and only signing is requested. [T5869]$$$ GnuPG: The PKCS#12 (.p12 files) parser has been rewritten to increase compatibility with other PKCS#12 implementations. [T6536]$$$ GnuPG: S/MIME certificate listings have been sped up on Windows. [rG08ff55bd44]$$$ GnuPG: A new option ADSK has been added to signal the intention that messages should be encrypted to multiple subkeys. [T6395;

GPA: So long; and thanks for all the fish. To reduce maintenance and overall quality of Gpg4win we have decided to retire GPA. Over the last decade Kleopatra has made large improvements in quality and is very well maintained and the focus of our development. [rW3f7ed3834f]$$$GnuPG: Improve signature verification speed by a factor of more than four. Double detached signing speed. [T5826]$$$GnuPG: Import stray revocation certificates to improve WKD usability.$$$GnuPG: New option --add-revocs for gpg-wks-client. [rG2f4492f3be]$$$GnuPG: Ignore expired user-ids in gpg-wks-client. [T6292]$$$GnuPG: Support the Telesec Signature Card v2.0 in OpenPGP. [T6252]$$$GnuPG: For the new AEAD Format we now only allow the fast OCB mode. The EAX mode may still be used for decryption. [rG5a2cef801d]$$$Kleopatra: Support the import of non-standard conforming UTF-16 encoded text files with certificates. [T6298]$$$Kleopatra: New Option to delete the locally stored secret key after a transfer to a smart card. [T5836]$$$Kleopatra: Improve the display of keys in the group edit dialog. [T6295]$$$Kleopatra: Simplify changing the owner trust of keys. [T6148]$$$Kleopatra: Allow selecting ECC with supported curves when generating new keys for smart cards. [T4429]$$$GnuPG: Update the X.509/CMS library Libksba to version 1.6.3 to fix a security problem in the CRL signature parser. [T6230]$$$GnuPG: Fix trusted introducer for mbox only user-ids. [T6238]$$$GpgOL: IMAP access to encrypted mails works again. [T6203]$$$Kleopatra: Dont report success if the key signing job was canceled. [T6305]$$$Kleopatra: Report failed imports immediately when receiving the result. [T6302]$$$Kleopatra: Do not offer invalid S/MIME certificates for signing or encryption. [T6216]$$$Kleopatra: Dont ask user to certify an imported expired or revoked OpenPGP key. [T6155]$$$Kleopatra: Do not crash when closing details widget while certificate dump is shown. [T6180]$$$Kleopatra: Improve usability and accessibility of the notepad operations. [T6188]$$$GnuPG: 2.4.0$$$Kleopatra: 3.1.26$$$GpgOL: 2.5.6$$$GpgEX: 1.0.9$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0$$$Explicit download of this version: gpg4win-4.1.0$$$$$$Details in the README of this version: README-4.1.0.en.txt

GPA: So long; and thanks for all the fish. To reduce maintenance and overall quality of Gpg4win we have decided to retire GPA. Over the last decade Kleopatra has made large improvements in quality and is very well maintained and the focus of our development. [rW3f7ed3834f]$$$GnuPG: Improve signature verification speed by a factor of more than four. Double detached signing speed. [T5826]$$$GnuPG: Import stray revocation certificates to improve WKD usability.$$$GnuPG: New option --add-revocs for gpg-wks-client. [rG2f4492f3be]$$$GnuPG: Ignore expired user-ids in gpg-wks-client. [T6292]$$$GnuPG: Support the Telesec Signature Card v2.0 in OpenPGP. [T6252]$$$GnuPG: For the new AEAD Format we now only allow the fast OCB mode. The EAX mode may still be used for decryption. [rG5a2cef801d]$$$Kleopatra: Support the import of non-standard conforming UTF-16 encoded text files with certificates. [T6298]$$$Kleopatra: New Option to delete the locally stored secret key after a transfer to a smart card. [T5836]$$$Kleopatra: Improve the display of keys in the group edit dialog. [T6295]$$$Kleopatra: Simplify changing the owner trust of keys. [T6148]$$$Kleopatra: Allow selecting ECC with supported curves when generating new keys for smart cards. [T4429]$$$GnuPG: Update the X.509/CMS library Libksba to version 1.6.3 to fix a security problem in the CRL signature parser. [T6230]$$$GnuPG: Fix trusted introducer for mbox only user-ids. [T6238]$$$GpgOL: IMAP access to encrypted mails works again. [T6203]$$$Kleopatra: Dont report success if the key signing job was canceled. [T6305]$$$Kleopatra: Report failed imports immediately when receiving the result. [T6302]$$$Kleopatra: Do not offer invalid S/MIME certificates for signing or encryption. [T6216]$$$Kleopatra: Dont ask user to certify an imported expired or revoked OpenPGP key. [T6155]$$$Kleopatra: Do not crash when closing details widget while certificate dump is shown. [T6180]$$$Kleopatra: Improve usability and accessibility of the notepad operations. [T6188]$$$GnuPG: 2.4.0$$$Kleopatra: 3.1.26$$$GpgOL: 2.5.6$$$GpgEX: 1.0.9$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0$$$Explicit download of this version: gpg4win-4.1.0$$$$$$Details in the README of this version: README-4.1.0.en.txt

Version 4.0.4 released 2022-10-17$$$GnuPG: Avoids invalid hash method errors by using SHA-256 for certificates with implicit SHA-1 preferences in de-vs mode. (T6043)$$$GnuPG: In de-vs mode use AES-128 instead of 3-DES as implicit preference. This avoids problems with software considering 3-DES as non-compliant but does only announce 3-DES as supported algorithm. (T6063)$$$GnuPG: Add new LDAP server flag areconly (A-record-only) to help against long delays on some AD installations.$$$GnuPG: New feature to mirror an LDAP keyserver to a Web key Directory. (T6224)$$$GnuPG: Improve reporting of bad passphrase errors during PKCS#11 import. (T5713;T6037)$$$GnuPG: It is now possible to forbid users to trust additional root certificates. The option for this is no-user-trustlist. (T5990)$$$GnuPG: It is now possible to change the default filename (trustlist.txt) for the list of S/MIME root certificates. The option for this is sys-trustlist-name or on Windows it can be configured in the registry. This allows admins to change the S/MIME root certificates from the packaged default without having it overwritten with each update. (T5990)$$$GnuPG: The display serial number is now used for card insert prompts. This should match the serial number printed on smart cards. (T6135)$$$GnuPG: New common.conf option no-autostart. (rG203dcc19eb)$$$GpgOL: Groups configured in Kleopatra can now be used for mail encryption. Groups must contain only keys of one protocol (either S/MIME or OpenPGP) and be named like the mail address. (T5967)$$$GpgOL: An exclamation mark at the end of the GpgOL config registry values under Local machine now disallows the user to change that setting. (T5827)$$$Kleopatra: Any configuration settings in kleopatrarc are now configurable through the Windows Registry / Group Policies; too. (T5707)$$$Kleopatra: Automatic extraction of tar archives can now be disabled in the Kleopatra settings. (T6057)$$$Kleopatra: The original filename is now embedded in encrypted files. (T6056)$$$Kleopatra: In case the embedded filename does not match the filename of the encrypted file; the user is asked after decryption if the file should be renamed to the embedded name. This only works for files encrypted with GnuPG VS-Desktop 3.1.24 or later. (T6056)$$$Kleopatra: The user is now asked which file should be verified if the signed data for a detached signature (.sig) could not be found automatically. (T6062)$$$Kleopatra: Queries containing just a single character are now allowed when searching in remote directories. This should make it easier to list all certificates in a directory. (T6064)$$$Kleopatra: When a user specific trustlist.txt is created by Kleopatra it now adds the include-default keyword; so that the system wide trustlist.txt is still included. (T6096)$$$Kleopatra: The storage location is now displayed per subkey to better support offline keys and multiple smart cards. (T6108)$$$Kleopatra: The certificate details now have an explicit update button to refresh a key from the configured directory services. (T5903)$$$Kleopatra: The fingerprint with the suffix .rev is now used as suggested filename for revocation certificates. (T6121)$$$Kleopatra: Several more file dialogs now save the last used directory. (T6121)$$$Kleopatra: When withdrawing certifications; the own certifications on the certificate are now automatically determined. (T6115)$$$GnuPG: Update the X.509/CMS parsing library Libksba to version 1.6.2 to fix a severe security problem. (T6230)$$$GnuPG: Do not consider unknown public keys as non-compliant while decrypting. (T6205)$$$GnuPG: Fix CRL Distribution Point fallback to other schemes.$$$GnuPG: Fix upload of multiple keys for an LDAP server specified using the colon format.$$$GnuPG: Fix a key upload problem when a BaseDN is specified for an LDAP server. (T6047)$$$GnuPG: YubiKeys with firmware versions 5.4 and above are correctly detected again. (T6070)$$$GnuPG: Combined symmetric and asymmetric encryption / decryption is

Version 4.0.3 released 2022-07-12$$$Kleopatra: A crash that occured when exiting the Application has been fixed. (T5962)$$$GnuPG: Security update to 2.3.7 to fix CVE-2022-34903. (T6027)$$$GnuPG: Improved import of PKCS#12 containers. (T6037;T5793;T4921;T4757)$$$GnuPG: 2.3.7$$$Kleopatra: 3.1.22$$$GPA: 0.10.0$$$GpgOL: 2.5.3$$$GpgEX: 1.0.9$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0

Version 4.0.3 released 2022-07-12$$$Kleopatra: A crash that occured when exiting the Application has been fixed. (T5962)$$$GnuPG: Security update to 2.3.7 to fix CVE-2022-34903. (T6027)$$$GnuPG: Improved import of PKCS#12 containers. (T6037;T5793;T4921;T4757)$$$GnuPG: 2.3.7$$$Kleopatra: 3.1.22$$$GPA: 0.10.0$$$GpgOL: 2.5.3$$$GpgEX: 1.0.9$$$Kompendium DE: 4.0.1$$$Compendium EN: 3.0.0