gnupg: Update to version 2.5.20

Message ID: 20260522195325.3592446-2-adolf.belka@ipfire.org
State: Staged
Commit: 04e74686e433ee170d526353a919b8bb41574d86
Series: gnupg: Update to version 2.5.20

Commit Message

Adolf Belka 22 May 2026, 7:53 p.m. UTC
- Update from version 2.4.9 to 2.5.20
- Update of rootfile
- I missed that the stable branch had been changed from 2.4.x to 2.5.x so there have
   been a lot of versions from 2.5.0 to 2.5.20
- Branch 2.4.x (oldstable) becomes EOL on 30th July 2026.
- Changelog
2.5.20
 * New and extended features:
   - gpgsm: Implement GCM encryption.  Note that decryption works
     since version 2.3.2.  [T3979]
   - gpgsm: New option --attribute and server command SETATTR to
     include arbitrary signed or unsigned attributes into a signature.
     Enable only with libksba 1.7.0 or later.  [T4537]
   - gpgsm: Introduce system attribute _signingCertificateV2.
     [rG0335a9cb04]
 * Bug fixes:
   - gpg: Fix wrong assertion failure which could very rarely occur
     during key signature checking.  [rG693f5642f6]
   - gpg: Consider certify-only keys for revocation signature check.
     [T8196]
   - gpgsm: Fix possible double free in the CMS parser.  [T8240]
   - gpgsm: Fix possible too early removal of ephemeral keys.  [T8236]
   - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
     is not used.  [rG69c27fe377]
   - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
     data.  [rG60a823c97b]
   - agent: Fix not using cache for pinentry loopback.  [rGd4b608a31f]
   - agent: Fix command PUT_SECRET by saving input line.  [rG1875bc185e]
   - keyboxd: Mark keys searched but not imported via LDAP correctly
     as ephemeral.  [T8048]
   - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
     keys > 2k.  [T8244]
   - dirmngr: Fix uninitialized use of the dns_any union in
     dns_rr_cmp.  [T8251]
2.5.19
 * New and extended features:
   - gpg: New option --use-ocb-sym.  [rGccdcdfbb37]
   - gpg: New options --show-[only-]session-hash.  [rGecd0f7afa1]
   - gpgsm: Allow cipher mode to be part of the algo given to the
     --cipher-algo option.  [T3979]
   - gpgsm: Emit more details when failing to check a crlDP.  [T8221]
   - agent: Improve pinentry behavior and texts in smartcard context.
     [T6425]
   - dirmngr: New keyword "clear" for --keyserver.  [rG2ab4cba36c]
 * Bug fixes:
   - gpg: Fix edge case in --refresh-keys.  [T8197]
   - gpg: Don't call gcry_kdf_derive with empty passphrase.  [T7739]
   - gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to
     allow import of recently issued certificates by the German
     Telekom.  [rGc8c9604bba]
   - gpgsm: Fix a bug so that a certificate can be signed using a
     different algo.  [rG66fdafab3c]
   - gpgsm: Make GCM fully compliant in de-vs mode.  [rG04fd775fce]
   - gpgsm: Add a certificate chain check for de-vs compliance.
     [T8188]
   - gpgsm: Show rsaPSS certificates as de-vs compliant in listings.
     [T8222]
   - agent: Rework the trustlist reading code to finally allow a
     trustlist.txt with a missing trailing LF.  [T8078]
   - ssh: Fix RSA padding in signature handling.  [T7882,T8202]
   - gpgtar: Fix -C (--directory) to check the output directory.
     [T8159]
 * Other changes:
   - agent: Raise an error when p >= q for RSA keys to detect
     incorrectly generated *PGP keys.  [T8171]
2.5.18
  * gpg: Support deleting a composite secret key in gpg-agent.  [T7875]
  * gpg: Fix armor parsing when no CRC is found.  [T7071]
  * gpgsm: New option --assert-validsig.  [rG9500b2c776]
  * agent: Fix the recent regression in pkdecrypt with TPM RSA.
    [T8045]
  * scdaemon: Add support for D-Trust Card 6.1/6.4.  [rG987c6a398a]
  * dirmngr: Let KS_SEARCH print all uid records for a key.
    Fixes regression since 2015.  [rG2dde9ddf56]
  * gpg-authcode-sign.sh: Keep the log file even on success.
    [rGc0f9ca47f0]
2.5.17
  * agent: Fix stack buffer overflow when using gpgsm and KEM.  This
    was introduced with 2.5.13; see the advisory.  [T8044]
  * tpm: Fix possible buffer overflow in PKDECRYPT.  [T8045]
  * gpg: Fix possible NULL-deref with overlong signature packets.
    [T8049]
  * gpg: New export-option "keep-expired-subkeys".  [T7990]
  * gpgsm: Make multiple search patterns work with keyboxd.  [T8026]
  * agent: Add accelerator keys for "Wrong" and "Correct".  [T8055]
  * dirmngr: Help detection of bad keyserver configurations.  [T7730]
2.5.16
  * gpg: Fix a regression in 2.5.15 which created new keys with just
    the fallback preferences.  [T7909]
2.5.15
  * gpg: Fix a validation bug when using keyboxd.  [T7983]
  * gpg: Deprecate the option --not-dash-escaped and ignore the
    NotDashEscaped armor header.  [T7901]
  * keyboxd: Fix migration to new schema.  [T7892,rG81bb949755]
  * dirmngr: New compatibility flag "ocsp-sha256-certid" to support
    forthcoming libksba versions.  [rG674aa54242]
  * Use a synchronous spawning method for the daemon processes under
    Windows.  [T7716]
  * Avoid the function name thread_init to fix building on AIX.
    [T7958]
  * New translation to Georgian.
2.5.14
  * gpg: Fix possible memory corruption in the armor parser.  [T7906]
  * gpgsm: Fix output of card serial number in colon listing.  [T7914]
  * agent:ssh: Fix RSA signature handling for newer spec.  [T7882]
  * gpg: Improve/relax the checking of preference options.
    [rG6570700fdd]
  * gpg: Fix the check for the END armor line.  [rG62b8bf2f39]
  * gpg: Do not present a default when asking for another output
    filename.  [T7908]
  * gpg: Include ADSK keys in key listings specified by fingerprints.
    [T7892]
  * agent: Fix decryption failures if the pinentry dialog for the
    first tried recipient is canceled.  Regression since 2.5.7.
    [T7893, T7649]
  * keyboxd: Fix schema of the fingerprint table.  [T7892]
  * dirmngr: Fix OCSP next-update check.  [rG9ef87bcdb0]
  * gpg: New "pfc" record in colons key listings.  [T7897]
  * gpg: Allow import and export of Kyber secret keys.  [T7315]
  * gpg: Escape characters with the high bit set in NOTATION status
    lines.  [T7896]
  * gpg: New import option "force-update".  [T7892,rGf6237ccd31]
  * agent: Accept a trustlist with a missing LF at the end.
    [rG1b4ac98de7]
  * agent: Support protection for Kyber keys.  [T6638,rGaea62817f3]
  * scd:nks: Make newer TCOS signature cards work.  [rG17596e830f]
2.5.13
  * gpg: Fix de-vs compliance with OCB and additional password.
    [T7804]
  * gpg: Detect duplicate keys with --add-recipients.  [T1825]
  * gpg: Take care about the prefix for cv25519 encryption.  [T7649]
  * gpg: Avoid potential downgrade to SHA1 in 3rd party key
    signatures.  [T7904,rGdb9705ef59]
  * gpg: Error out on unverified output for non-detached signatures.
    [T7903,rG8abc320f2a]
  * gpgsm: Use KEM interface for en- and decryption.  [T7811,T7845]
  * gpgsm: Fix delete and store certificate locking glitches.  [T7855]
  * gpg,gpgsm: Run keybox compression only when there are no other
    users.  [T7855]
  * gpg,gpgsm: Improve keybox closing and locking order on read and
    write.  [T7855]
  * gpg,gpgsm: Always use share mode read-write for the keybox file
    access.  [T7829]
  * scd:openpgp: Fix an oddity in changing the PIN.  [T7840]
  * dirmngr: New LDAP keyserver flag "upload".  [T7866]
  * agent: Retry private key deletion in case of sharing violations
    for up to 400ms.  [T7863]
  * Take care of a possible race on daemon startup under Windows.
    [T7829]
  * Improve file renaming on Windows in case of a sharing violation
    error.  [T7829]
2.5.12
  * gpg: New options --[no-]auto-key-upload.  [T7333]
  * gpg: Keys sent to an LDAP server are now first updated from that
    server.  New keyserver option "no-update-before-send" to disable
    this feature.  [T7730]
  * gpg: Disable default compression for 7z compressed input.
    [rG53252628de]
  * gpg: Fix a regression with composite PQC and ECC algos.  [T7649]
  * gpg: Fix the list of possible algos for --edit-key:addkey.
    [T7788]
  * gpg: Allow to select the Kyber variants with --edit-key:addkey.
    [T7792]
  * gpg: Avoid a second Pinentry pop-up for a configured ADSK during
    key generation.  [T7491]
  * gpg: Change the ADSK key binding time to use the current time.
    [T6882]
  * gpgsm: Add option --no-qes-note and new trustlist flag
    "noconsent".  [T7713]
  * agent: Enable "relax" in the trustlist by default and add flag
    "norelax".  [rG7b133027ae]
  * agent: Fix a crash on Windows in the Putty support.  [T7799]
  * dirmngr: Support LDAP servers using a schema like the Windows LDS
    servers.  [T7742]
  * scd:openpgp: Support Yubikey attestation generation.
    [rG5ddfedf24a]
  * gpgtar: Fix regression in end-of-archive detection.  [T7757]
2.5.11
  * gpg: Fix a segv in key signing with notations introduced in
    2.5.10.  [T7754]
  * agent: Fix for smartcard decryption with Brainpool keys.  [T7709]
2.5.10
  * gpg: Add a notation with version information to signatures.  See
    doc/DETAILS for, well, details.  [rG11d3a83b04]
  * gpgv: New option --print-notation.  [rGe3cc410003]
  * gpgsm: Fix caching of the trustlist's flags.  [T7738]
  * agent: Fix for smartcard decryption returning x-coordinate only.
    [T7709]
  * agent: Another fix for a regression with unknown curves and ssh.
    See also 2.5.4.  [rG55db12472f]
  * dirmngr: Implement command KS_DEL for ldap servers.  [T5447]
2.5.9
  * gpg: Add the revocation reason to the sigclass of a "rev" line.
    Regression in 2.5.7.  [T7073]
  * gpg: Do not show the non-standard secp256k1 curve in the menu to
    select the curve.  It can however be specified using its name.
    [rG49a9171f63]
  * gpg: Fix regression in using the secp256k1 curve.  [T7698]
  * dirmngr: New option --user-agent and send a default User-Agent of
    "GnuPG/2.6" for all HTTP requests.  [T7715]
2.5.8
  * gpg: Show revocation reason with a standard -k listing.  [T7083]
  * gpg: Emit a revocation reason as comment in a "pub" record.
    [T7083]
  * agent: Fix regression in 2.5.7 decrypting with a card based
    cv25519 key.  [T7676]
  * scd:openpgp: Fix a regression in exporting card based ed25519 ssh
    keys.  [T7589]
  * dirmngr: Do not require a keyserver for "gpg --fetch-key".
    [T7693]
  See-also: gnupg-announce/2025q2/000494.html
2.5.7
  * gpg: Allow updating a SHA-1 key certification w/o using
    the --force-sign-key option.  [T7663]
  * gpg: The group key flag has now been fully implemented.
    [rG8833a34bf0]
  * gpg: Make combination of show-only-fpr-mbox and show-unusable-uid
    work.  [rGd5a4a2dc89]
  * gpg: Do not allow compressed key packets on import.  [T7014]
  * gpgsm: Allow an empty subject DN also during import.  [T7171]
  * agent: Recover the old behavior with max-cache-ttl=0.  [T6681]
  * agent: Fix ECC key on smartcard for composite KEM with PQC.
    [T7648]
  * scd: Fix a harmless read buffer over-read in a function used by
    PKCS#15 cards.  [T7662]
  * gpg-mail-tube,wks: Support templates for mail content.  [T7381]
  * Use the KEM interface of Libgcrypt for encryption/decryption.
    [T7649]
  * Fix a glitch in socket handling in Windows in case of a nonce
    mismatch.  [rG645cf7d8fc]
  See-also: gnupg-announce/2025q2/000493.html
2.5.6
  * gpg: Add a flag to the filter expressions for left anchored
    substring match.  [rGc12b7d047e]
  * gpg: New list option "show-trustsig" to avoid resorting to colon
    mode for this info.  [rG41d6ae8f41]
  * gpg: New command --quick-tsign-key to create a trust signature.
    [rGd90b290f97]
  * gpg: New keygen parameter "User-Id".  [rGcfd597c603]
  * gpg: New list options "show-trustsig".  [rG41d6ae8f41]
  * gpg: Fix double free of internal data in no-sig-cache mode [T7547]
  * gpg: Signatures from revoked or expired keys do not anymore show
    up as missing keys.  Fixes regression in 2.5.5.  [T7583]
  * gpgsm: Extend --learn-card by an optional s/n argument.  [T7379]
  * gpgsm: Skip expired certificates when selecting a certificate by
    subject.  [rG4cf83273e8]
  * card: New command "ll" as alias for "list --cards".  [rGd6ee7adebe]
  * scd: Fix possible lockup on Windows due to a lost select
    result.  [rGa7ec3792c5]
  * scd:p15: Accept P15 cards with a zero-length label.  [rGdb25aa9887]
  * keyboxd: Use case-insensitive search for mail addresses.  [T7576]
  * dirmngr: Fix a problem in libdns related to an address change from
    127.0.0.1.  [T4021]
  * gpgconf: Fix reload and kill of keyboxd.  [T7569]
  * Fix logic for certain recsel conditions.  [rG8968e84903]
  * Add Solaris support to get_signal_name.  [T7638]
  * Fix build error of the test shell on AIX.  [T7632]
  See-also: gnupg-announce/2025q2/000492.html
2.5.5
  * gpg: Fix a verification DoS due to a malicious subkey in the
    keyring.  [T7527]
  * dirmngr: Fix possible hangs due to blocking connection requests.
    [T6606, T7434]
  * w32: On socket nonce mismatch close the socket.  [T7434]
  * w32: Print more detailed diagnostics for IPC errors.
  * GPGME is not any more distributed with the Windows installer.
    Please install gpg4win to get gpgme version.
  See-also: gnupg-announce/2025q1/000491.html
2.5.4
  * gpg: New option --disable-pqc-encryption.  [rG00c31f8b04]
  * gpg: Fix --quick-add-key for Weierstrass ECC with usage given.
    [T7506]
  * gpg: Fix handling with no CRC armor.  [T7071]
  * gpg: New private Kyber keys are now cross-referenced using a new
    Link attribute.  [T6638]
  * gpg: Fix an import problem with keys having another primary key as
    a subkey.  [T7527]
  * gpgsm: Allow unattended PKCS#12 export without passphrase.
    [rG159e801043]
  * gpgsm: Allow CSR generation with an unprotected key.
    [rG89055f24f4]
  * agent: New option --change-std-env-name.  [T7522]
  * agent: Fix ssh-agent's request_identities for skipped Brainpool
    keys.  [rG2469dc5aae]
  * Do not package zlib and bzip2 object files in a speedo release
    build.  [T7442]
  See-also: gnupg-announce/2025q1/000490.html
2.5.3
  * gpg: Allow for signature subpackets of up to 30000 octets.
    [rG36dbca3e69]
  * gpg: Silence expired trusted-key diagnostics in quiet mode.  [T7351]
  * gpg: Allow smaller session keys with Kyber and enforce the use of
    AES-256 if useful.  [T7472]
  * gpg: Fix regression in key generation from existing card key.
    [T7309,T7457]
  * gpg: Print a warning if the card backup key could not be written.
    [T2169]
  * The --supervised options of gpg-agent and dirmngr have been
    renamed to --deprecated-supervised as preparation for their
    removal.  [rGa019a0fcd8]
  * There is no more default for a keyserver.
  See-also: gnupg-announce/2025q1/000489.html
2.5.2
  * gpg: Add option 16 to --full-gen-key to create ECC+Kyber.  [T6638]
  * gpg: For composite algos add the algo string to the colons
    listings.  [T6638]
  * gpg: Validate the trustdb after the import of a trusted key.
    [T7200]
  * gpg: Exclude expired trusted keys from the key validation process.
    [T7200]
  * gpg: Fix a wrong decryption failed status for signed and OCB
    encrypted messages without a signature verification key.  [T7042]
  * gpg: Retain binary representation for import->export with Ed25519
    key signatures.  [T7426]
  * gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo.
    [T7425]
  * gpg: Avoid a failure exit code for expired ultimately trusted
    keys.  [T7351]
  * gpg: Emit status error for an invalid ADSK.  [T7322]
  * gpg: Allow the use of an ADSK subkey as ADSK subkey.  [T6882]
  * gpg: Fix --quick-set-expire for V5 subkey fingerprints.  [T7298]
  * gpg: Robust error handling for SCD READKEY.  [T7309]
  * gpg: Fix cv25519 v5 export regression.  [T7316]
  * gpgsm: Nearly fourfold speedup of validated certificate listings.
    [T7308]
  * gpgsm: Improvement for some rare P12 files.  [rGf50dde6269]
  * gpgsm: Terminate key listing on output write error.  [T6185]
  * agent: Add option --status to the LISTRUSTED command.
    [rG4275d5fa7a]
  * agent: Fix detection of the yet unused trustflag de-vs.  [T5079]
  * agent: Allow ssh to sign data larger than the Assuan line length.
    [T7436]
  * keyboxd: Fix a race condition on the database handle.  [T7294]
  * dirmngr: A list of used URLs for loaded CRLs is printed first in
    the output of the LISTCRL command.  [T7337]
  * scd: More mitigations against lock ups with multiple cards or
    apps.  [T7323, T7402]
  * gpgtar: Use log-file from common.conf only in --batch mode.
    [rGb389e04ef5]
  * gpgtar: Fix directory creation during extraction.  [T7380]
  * gpg-mail-tube: Minor fixes.
  * gpgconf: Add list flag to trusted-key et al.  [T7313]
  * Implement GNUPG_ASSUME_COMPLIANCE envvar and registry key for
    testing de-vs compliance mode.  [rGb287fb5775,rG7b0be541a9]
  * Enable additional runtime protections in speedo builds for
    Windows.  [rG39aa206dc5]
  * Fix a race condition in creating the socket directory.  [T7332]
  * Fix a build problem on macOS (missing unistd.h).  [T7193]
  See-also: gnupg-announce/2024q4/000488.html
2.5.1
  * gpg: The support for composite Kyber+ECC public key algorithms
    does now use the final FIPS-203 and LibrePGP specifications.  The
    experimental keys from 2.5.0 are no longer supported.  [T6815]
  * gpg: New commands --add-recipients and --change-recipients.
    [T1825]
  * gpg: New option --proc-all-sigs.  [T7261]
  * gpg: Fix a regression in 2.5.0 in gpgme's tests.  [T7195]
  * gpg: Make --no-literal work again for -c and --store.  [T5852]
  * gpg: Improve detection of input data read errors.  [T6528]
  * gpg: Fix getting key by IPGP record (rfc-4398).  [T7288]
  * gpgsm: New option --assert-signer.  [T7286]
  * gpgsm: More improvements to PKCS#12 parsing to cope with latest
    IVBB changes.  [T7213]
  * agent: Fix KEYTOCARD command when used with a loopback pinentry.
    [T7283]
  * gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode.  New option
    --as-attach.  [rG4511997e9e1b]
  * Now uses the process spawn API from libgpg-error.  [T7192,T7194]
  * Removed the --enable-gpg-is-gpg2 configure time option.
    [rG2125f228d36c]
  * The Windows version will now be built for 64-bit Windows and with
    the corresponding changes to the installation directory and
    Registry keys.
  See-also: gnupg-announce/2024q3/000485.html
2.5.0
  * gpg: Support composite Kyber+ECC public key algorithms.  This is
    experimental due to the yet outstanding FIPS-203 specification.
    [T6815]
  * gpg: Allow algo string "pqc" for --quick-gen-key.  [rG12ac129a70]
  * gpg: New option --show-only-session-key.  [rG1695cf267e]
  * gpg: Print designated revokers also in non-colon listing mode.
    [rG9d618d1273]
  * gpg: Make --with-sig-check work with --show-key in non-colon
    listing mode.  [rG0c34edc443]
  * tpm: Rework error handling and fix key import [T7129, T7186]
  * Various fixes to improve robustness on 64 bit Windows.  [T7139]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/gnupg | 6 +++++-
 lfs/gnupg                     | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/gnupg b/config/rootfiles/common/gnupg
index e05714fad..e29582304 100644
--- a/config/rootfiles/common/gnupg
+++ b/config/rootfiles/common/gnupg
@@ -2,6 +2,7 @@  usr/bin/dirmngr
 usr/bin/dirmngr-client
 usr/bin/gpg
 usr/bin/gpg-agent
+usr/bin/gpg-authcode-sign.sh
 usr/bin/gpg-card
 usr/bin/gpg-connect-agent
 usr/bin/gpg-mail-tube
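Review bot: the new usr/bin/gpg-authcode-sign.sh entry installs a shell script that, going by its name and the 2.5.18 changelog line ("gpg-authcode-sign.sh: Keep the log file even on success"), is a signing helper for upstream's own release builds rather than anything a firewall image invokes; decide whether it should be shipped at all or commented out like the help and info files later in this rootfile, and if it stays, confirm it has no dependency on tools IPFire does not package.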
@@ -75,7 +76,10 @@  usr/sbin/applygnupgdefaults
 #usr/share/gnupg/help.txt
 #usr/share/gnupg/help.zh_CN.txt
 #usr/share/gnupg/help.zh_TW.txt
-#usr/share/gnupg/sks-keyservers.netCA.pem
+#usr/share/gnupg/mail-tube.de.txt
+#usr/share/gnupg/mail-tube.txt
+#usr/share/gnupg/wks-utils.de.txt
+#usr/share/gnupg/wks-utils.txt
 #usr/share/info/gnupg.info
 #usr/share/info/gnupg.info-1
 #usr/share/info/gnupg.info-2
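Review bot: dropping #usr/share/gnupg/sks-keyservers.netCA.pem is consistent with the 2.5.3 changelog line "There is no more default for a keyserver", but the rootfile only mirrors what upstream installs; grep the rest of the tree for any dirmngr.conf or hkp-cacert reference to that file name before the CA bundle disappears, and confirm the four new mail-tube/wks-utils text files are deliberately excluded (commented) rather than accidentally left out of the image.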
diff --git a/lfs/gnupg b/lfs/gnupg
index 80b4c513f..23a995c5c 100644
--- a/lfs/gnupg
+++ b/lfs/gnupg
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 2.4.9
+VER        = 2.5.20
 
 THISAPP    = gnupg-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
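Review bot: VER jumps from 2.4.9 to 2.5.20 in one step, across every behavioural change in the quoted changelog; the ones most likely to affect callers on a firewall are "There is no more default for a keyserver" (2.5.3), "Error out on unverified output for non-detached signatures" (2.5.13) and the deprecation of --not-dash-escaped (2.5.15). Record in the commit message that the scripts which invoke gpg on IPFire were exercised against 2.5.20, or at least which of these changes were checked.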
@@ -42,7 +42,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 5bbd278c570d3e389ab26dd37e1adac6c1b19f9bd369ebf30d75f48d0ab901c6f5fe4e4713b763f57b9e74efab654186ebff1a968348b0b9f70c82618b4b3b62
+$(DL_FILE)_BLAKE2 = 5a2890203cf4ac52d86897ffb104896c5cbc8ab6f088336f423cb539ae0d917e6df0dcb99b8d51d2d6cdc4068e5570e63982e78c14631a332b4fa87ba0ae16bb
 
 install : $(TARGET)
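Review bot: the $(DL_FILE)_BLAKE2 line replaces the pinned digest, but nothing in the patch records how the new tarball was authenticated before its digest was taken; since the build trusts only this hash, state in the commit message that gnupg-2.5.20.tar.bz2 was checked against the upstream detached signature (and with which signing key) before the BLAKE2 was computed, otherwise a tampered download would be pinned as-is.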