GNU Privacy Guard - US mirror of source code

THIS PAGE IS NOW FAR OUT OF DATE and the code is UNSAFE. It was just an effort to take advantage of the new export laws on the same day they came out.

See up-to-date stuff at the gnupg web page.


Thanks to the Bureau of Export Administration (BXA)'s new Encryption export controls, we in the US can finally publish "unrestricted source code" that does strong encryption, if we notify them first of the URL. This is allowed via the "Technology and Software, Unrestricted" exception ("License Exception TSU"), in 15 CFR Part 740.13 as published in the Federal Register today (2000-01-14). Yes, there are other problems with the regulations (as EFF points out, there are still unconstitutional restrictions, especially for executable programs, etc.), but let's take advantage of what we can!

See http://www.crypto.com/ for a partial list of what else has been published.

So here is my first publication:

gnupg-1.0.1-1.src.rpm

It is the RPM package of the source code for the GNU Privacy Guard, the highly-regarded patent-free general-purpose encryption program evolved from PGP as specified by the IETF's "openpgp" Proposed Standard, RFC2440. This is a copy of the original rpm from ftp://pgp.4net.it/pub/gpg/gnupg-1.0.1-1.src.rpm as described at the GNU Privacy Guard site.

The nice thing about using the RPM format is that it makes it nearly painless to install things from source code, so the export restrictions get in the way less.

Ahh - but surely you want to verify that this code can be trusted? If you have PGP 2, you can get gnupg-1.0.1-1.src.rpm.asc which is a detached signature file and verify it against my PGP keys.

Or, the MD5 fingerprint of the whole file is

84324e48819f9a04538e9de15ebaa9d0  gnupg-1.0.1-1.src.rpm
    
and the MD5 fingerprint of the internals of the RPM file (as reported by rpm's --checksig option) is 2b23b955e2b33995be33be21f1bfef30

Use this sequence of steps after downloading the rpm:

$ rpm --checksig -vv gnupg-1.0.1-1.src.rpm
$ rpm -i gnupg-1.0.1-1.src.rpm
$ rpm -bb /usr/src/redhat/SPECS/gnupg.spec > /tmp/nohup.out 2>&1 &
(wait for the build to finish, about 5 minutes on a 266 MHz machine)
$ rpm -i /usr/src/redhat/RPMS/i386/gnupg-1.0.1-1.i386.rpm
Yeah - it's odd - you have to first install the source package, then build a binary package, and then install that.
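
One way to make the checksum comparison above a hard gate before the install steps, as an added example that is not part of the original page. The helper name `verify_published_md5` and the sample file are constructed for illustration, and `md5sum` from GNU coreutils is assumed. A matching MD5 published beside the download only shows that the copy arrived intact; the detached signature is what ties the file to a key.

```shell
#!/bin/sh
# verify_published_md5 LINE [DIR]  (hypothetical helper, added for illustration)
# LINE uses md5sum's format: "<32 hex digits>  <file name>".
# Returns 0 on match, 1 on mismatch, 2 on malformed input or missing file.
verify_published_md5() {
    line=$1
    dir=${2:-.}
    want=${line%% *}    # digest: text before the first space
    name=${line##* }    # file name: text after the last space
    case $want in
        ''|*[!0-9a-fA-F]*) echo "bad digest field" >&2; return 2 ;;
    esac
    [ ${#want} -eq 32 ] || { echo "digest is not 32 hex digits" >&2; return 2; }
    # Refuse names with a path component or a leading dash.
    case $name in
        ''|*/*|-*) echo "unexpected file name: $name" >&2; return 2 ;;
    esac
    [ -f "$dir/$name" ] || { echo "missing: $dir/$name" >&2; return 2; }
    got=$(md5sum < "$dir/$name") || return 2
    got=${got%% *}
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, got $got)" >&2
    return 1
}

# Constructed sample, not the real package: a 5-byte file with a known MD5.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'hello' > "$tmp/sample.src.rpm"
    published="5d41402abc4b2a76b9719d911017c592  sample.src.rpm"
    verify_published_md5 "$published" "$tmp"; rc_good=$?
    printf 'x' >> "$tmp/sample.src.rpm"    # simulate a damaged download
    verify_published_md5 "$published" "$tmp"; rc_bad=$?
    rm -rf "$tmp"
    [ "$rc_good" -eq 0 ] && [ "$rc_bad" -eq 1 ]
}
demo

# With the real download in the current directory, the page's line becomes the gate:
#   verify_published_md5 "84324e48819f9a04538e9de15ebaa9d0  gnupg-1.0.1-1.src.rpm" \
#       && rpm --checksig -vv gnupg-1.0.1-1.src.rpm
```
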

See the documentation via `gpg --help`, at the gnupg web page, in /usr/doc/gnupg-1.0.1/*, and via `man gpg`.

I've asked the maintainers to provide an rpm pgp signature so the rpm --checksig actually does something verifiable, but there are some chicken-and-egg problems there the first time around at least, even if it is a signature that gpg can verify....


Neal McBurnett
Last modified: Sun Sep 30 00:25:58 MDT 2001