The GnuPG project has released version 2.5.19 of its privacy software, introducing post-quantum cryptography (PQC) support and critical updates for Windows users. According to an announcement from developer Werner Koch on lists.gnupg.org, the new release includes the Kyber algorithm, also known as ML-KEM or FIPS-203, to protect against quantum-based decryption attacks.
Beyond the introduction of Kyber, the 2.5 series focuses on improving 64-bit Windows performance. Koch noted that while the 2.5 series brings these significant cryptographic advancements, the upcoming 2.6 series will primarily focus on internal updates to leverage newer library features rather than widespread architectural changes.
Users of the older 2.4 series face a looming deadline for software maintenance. The announcement warns that the 2.4 series reaches end-of-life in just two months, urging developers and system administrators to update to 2.5.19 immediately. The project maintains that all new versions of GnuPG remain fully compatible with previous iterations.
Technical updates and bug fixes
The 2.5.19 release includes several functional improvements for the gpgsm and agent components. The gpgsm tool now allows the cipher mode to be included within the algorithm string for the --cipher-algo option, and it provides more detailed error reporting when failing to check a CRL distribution point.
Security patches in this version address specific vulnerabilities and edge cases. The update fixes RSA padding issues in SSH signature handling and prevents the software from calling certain functions when an empty passphrase is used. For users of smartcards, the agent component features improved pinentry behavior and text descriptions within the smartcard context.
Additional fixes address compatibility with German Telekom certificates by skipping optional parameters in PKCS#12. The release also resolves a bug in the gpgtar utility regarding directory checks and addresses a trustlist reading error that previously prevented the use of files missing a trailing newline character.
Developers can download the GnuPG 2.5.19 source code or Windows installers directly from the official GnuPG mirrors. The software remains free and open-source under the GNU General Public License.