[Announce] A New Future for GnuPG
Hello and a Happy Gnu Year!

It has been quite some time since my last status report on GnuPG. I
have been quite busy working on the project but unfortunately rarely
active on the usual channels. So, here is a new report telling what we
did over the last two or three years.

Please read at least the last section.

A web version of this article is available at
https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html


Some background
===============

In the beginning GnuPG was a fun project I did in my spare time.
After a few years this turned out to be a full time job and it was
possible to acquire paid projects to maintain and further develop
GnuPG.

When the BSI (Germany's Federal Office for Information Security)
migrated back from Linux to Windows, their end-to-end encryption
solution, based on GnuPG and KMail, needed to be migrated as well.
A call for bids for an Open Source solution was issued and our
company, g10 Code, along with our friends at Intevation and KDAB,
received the contract. The outcome was Gpg4win, which is meanwhile
the standard distribution of GnuPG for Windows.

It turned out that the software used in Germany to protect restricted
data at the VS-NfD level, called Chiasmus, showed its age. For
example, the block length of 64 bits (like IDEA or 3DES) is no
longer secure for data of more than 150 MiB. Also, the secret
encryption algorithm no longer enjoys the confidence people used to
have in it, and due to lacking hardware support it is quite slow. A
new call for bids for a replacement of that software was issued and
we, again together with Intevation, were granted the contract. Our
solution was to update GnuPG and its frontends Kleopatra and GpgOL.
After some thorough evaluation of our software (working title
/Gpg4VS-NfD/) and the usual bureaucracy we received a first approval
in January 2019.


Meet GnuPG.com
==============

I have been working with Andre Heinecke of Intevation GmbH since about
2010 on Gpg4win and some other projects. With the foreseeable
approval of /Gpg4VS-NfD/ Andre then left Intevation and took over 40%
of the g10 Code shares from my brother (I am holding the other 60%).

We started to make a real product out of /Gpg4VS-NfD/. Thus we rented
a new office to work desk by desk on this and hired staff for sales
and marketing. We introduced the brand /GnuPG.com/ to have a better
recognition of our product than by our legal name /g10 Code GmbH/.
The software itself was re-branded as /GnuPG VS-Desktop®/ and
distributed as an MSI package for Windows and as an AppImage for Linux.
Except for customer specific configuration files /GnuPG VS-Desktop/ is
and will always be Open Source under the GNU General Public License.

We also keep maintaining /Gpg4win/ as the community version. This is
based on the same source code as /GnuPG VS-Desktop/ but comes with
more features due to the use of the latest development branch.

The benefits for the customer to pay for /GnuPG VS-Desktop/ are: a
commercial support contract, the guarantee of a long term maintained
and approved version, customization options, community tested new
features, and the vendor for security updates that the approval
requires.

Although technically published for longer, it became widely known
only last year that the legacy Chiasmus software may no longer be
used for restricted communication from this year on. For the
administration and also for the industry, two options exist to
migrate away from Chiasmus: the proprietary GreenBone software from
/cryptovision GmbH/ and our Open Source software /GnuPG VS-Desktop/.


The rush towards GnuPG VS-Desktop
=================================

Since summer 2021 the phones of our sales team didn't stop ringing and
we could reap the fruits of our work. We were not aware how many
different governmental agencies exist and how many of them have a need
to protect data at the VS-NfD (restricted) level. And with those
agencies also comes a huge private and corporate sector which also has
to handle such communication.

Although we support S/MIME, the majority of our customers decided in
favor of the OpenPGP protocol, due to its higher flexibility and
independence of a centralized public key infrastructure. A minor
drawback is that for a quick start and easy migration from Chiasmus,
many sites will use symmetric-only encryption (i.e. based on
"gpg -c"). However, the now deployed software provides the
foundation to move on to a comfortable public-key solution.

In particular, our now smooth integration into Active Directory makes
working with OpenPGP under Windows really nice. We were also able to
partner with Rohde & Schwarz Cybersecurity GmbH for a smooth
integration of GnuPG VS-Desktop with their smartcard administration
system.

We estimate that a quarter million workplaces will be equipped with
GnuPG VS-Desktop and provide the users state of the art file and
mail encryption. Our longer term plan is to equip all public agency
workplaces with end-to-end encryption software - not only those with
an immediate need for an approved VS-NfD solution. This should also
fit well into the announced goal of the new German government to
foster the development of Open Source.


Kudos to all supporters
=======================

For many years our work was mainly financed by donations and smaller
projects. Now we have reached a point where we can benefit from a
continuous revenue stream to maintain and extend the software without
asking for donations or grants. This is quite a new experience for us
and I am actually a bit proud to lead one of the few self-sustaining
free software projects that did not have to sacrifice the goals of the
movement.

Those of you with SEPA donations, please cancel them and redirect your
funds to other projects which are more in need of financial support.
The Paypal and Stripe based recurring donations have already been
canceled by us.

All you supporters greatly helped us to keep GnuPG alive and to
finally set up a sustainable development model.

*Thank you!*



Salam-Shalom,

Werner



p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.
p.p.s.
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered
with by malicious entities we provide signature files for all tarballs
and binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these four keys:

rsa3072 2017-03-17 [expires: 2027-03-15]
5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
Andre Heinecke (Release Signing Key)

ed25519 2020-08-24 [expires: 2030-06-30]
6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
Werner Koch (dist signing 2020)

ed25519 2021-05-19 [expires: 2027-04-04]
AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
Niibe Yutaka (GnuPG Release Key)

brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.
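As an added illustration of the verification step described above (not part of the announcement), the script below signs a constructed stand-in for a tarball with a throwaway key in a temporary GNUPGHOME, checks that the genuine file verifies, and checks that a copy altered by one byte is rejected. For a real release you would instead import g10/distsigkey.gpg and run the same verify call against the downloaded tarball and its .sig file.

```shell
#!/bin/sh
# Added example, not code from the GnuPG project. The key, user id and file
# contents are constructed for this demo; none of them is a real release key.
set -u

verify_detached() {
    # $1 = detached signature, $2 = data file.
    # Succeeds only if gpg reports a GOODSIG status line for the pair.
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG'
}

demo_release_verify() {
    # Returns 0 only if the genuine file verifies AND the tampered copy fails.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"

    # Throwaway signing-only ed25519 key with an empty passphrase (demo only).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Key <demo@example.invalid>' \
        ed25519 sign never >/dev/null 2>&1 || { rm -rf "$home"; return 1; }

    # Stand-in for a release tarball plus its detached signature.
    printf 'pretend this is gnupg-X.Y.Z.tar.bz2\n' > "$home/release.tar"
    gpg --batch --yes --detach-sign --output "$home/release.tar.sig" \
        "$home/release.tar" 2>/dev/null || { rm -rf "$home"; return 1; }

    # 1) The genuine file must verify.
    verify_detached "$home/release.tar.sig" "$home/release.tar" \
        || { rm -rf "$home"; return 1; }

    # 2) Appending a single byte must make verification fail.
    cp "$home/release.tar" "$home/tampered.tar"
    printf 'x' >> "$home/tampered.tar"
    if verify_detached "$home/release.tar.sig" "$home/tampered.tar"; then
        rm -rf "$home"; return 1
    fi

    rm -rf "$home"
    return 0
}
```

Run `demo_release_verify && echo ok` after sourcing the script; a non-zero exit means either gpg is unavailable or one of the two checks did not behave as expected.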

--
g10 Code GmbH -=- GnuPG.com -=- AmtsGer. Wuppertal HRB 14459
Bergstr. 3a Geschäftsführung Werner Koch
D-40699 Erkrath https://gnupg.com USt-Id DE215605608