Gpg4win version 5.0.2 has been available since 2026-03-16.
Notes to Admins
An update to this version is recommended due to the following security fixes:
- A security bug in GpgOL has been fixed that could result in no warning being shown to the user when a signed mail contained an unsigned attachment after a signed one. (T8110)
- The libpng component has been updated to version 1.6.55 to fix a security issue (CVE-2026-25646). This is only exploitable in our software if a mail is opened via Kleopatra.
Changes
GUI (Kleopatra)
- Kleopatra in Gpg4win and GnuPG Desktop now uses a blue icon (T8083)
- New Registry key to allow saving CSR as PEM (T8115)
- Removed "Forced Decryption" button in notepad (T8124)
- Omit question about own key when importing a secret team key (T8098)
- Add expired/revoked information to LDAP search results (T8042)
- Extract single folder archive without creating subfolder (T8022)
- New filter for valid certificates (T7950)
- Make the initial status of the check boxes of the sign/encrypt dialog configurable (T7831)
- Add config option to only allow upload of own certificates to LDAP (T7772)
- Changed dialog on import of secret key (T7637, T7502)
- Improvement of clipboard actions (T7455)
- Improved lookup of gpgconf executable (T8082)
- Improvements for "Save Secret Team Key" (T8027, T8030)
- Fix order of filters in settings dialog (T8079)
- QES signatures are no longer formatted in a bold font (T8077)
- Re-added support for config options RSAKeySizes and PGPKeyType (T8056)
- Fix tab navigation in smart card table (T8051)
- Some improvements in the representation of signature verification (T8035)
- Notepad now hides "signed" text if the signature is bad (T8020)
- Make filesystem watcher notice new trustdb (T8015)
- Fix handling of unset keyserver in configuration dialog (T8014)
- Fix tab order in notepad (T8125, T7784)
- Completed accessibility improvements of table column headings (T6568)
- Don't show duplicate LDAP servers in Kleopatra configuration (T7828)
Outlook Classic Add-In (GpgOL)
- Make sure to check all attachments. (T8110)
- Avoid warning pop-up in Outlook in certain configurations when listing other Add-Ins. (T8036)
- Fix confusing message in dialog window "Conflicting crypto settings". (T7989)
Outlook-New Add-In (GpgOL/Web)
Several improvements to this still EXPERIMENTAL component.
Engine (GnuPG)
- gpg: Support deleting a composite secret key in gpg-agent. (T7875)
- gpg: Fix armor parsing when no CRC is found. (T7071)
- gpgsm: New option --assert-validsig. (rG9500b2c776)
- agent: Fix the recent regression in pkdecrypt with TPM RSA. (T8045)
- scdaemon: Add support for D-Trust Card 6.1/6.4. (rG987c6a398a)
- dirmngr: Let KS_SEARCH print all uid records for a key. Fixes regression since 2015. (rG2dde9ddf56)
- gpg-authcode-sign.sh: Keep the log file even on success. (rGc0f9ca47f0)
Other
- libgpg-error: Fix for empty first key listing. (T8052)
- A security bug in the supporting library libpng has been fixed. Now libpng 1.6.55 is included. This is only exploitable in our software if a mail is opened via Kleopatra. (CVE-2026-25646)
Versions of the Components
| Component | Version | Remarks |
|-----------|---------|---------|
| GnuPG | 2.5.18 | T7999 |
| Kleopatra | gpg4win-5.0.2 | |
| GpgOL | 2.7.2 | |
| GpgEX | 1.1.0 | |
| Libgcrypt | 1.12.1 | rC7e91b2a334 |
| Libksba | 1.6.8 | T7174 |