GnuPG VS-Desktop 3.3.3

GnuPG VS-Desktop® version 3.3.3 is available since 2025-11-06. It fixes a couple of bugs and introduces a few minor features. The previous version was 3.3.2. The next version is 3.3.4.

Notes to Admins

An update to this version is strongly recommended due to these security fixes:

  • The GnuPG component has been updated to address a security issue related to third-party key signatures.
  • The libgcrypt component has been updated to fix a security issue.
  • The optional Okular component has been updated with security fixes for its Poppler backend.

New Features

Engine (GnuPG)

  • gpg: Try to retrieve a key from LDAP before sending it. This can be disabled using keyserver-options no-update-before-send (T7730)
  • scdaemon: Make signing work with Nexus cards. (rGe1576eee04)
  • dirmngr: Implement command KS_DEL for LDAP. (T5447)
  • dirmngr: Support Unix LDAP servers using a schema similar to the one used on Windows LDS servers. (T7742)
  • gpgsm: Make use of the de-vs flag in trustlist.txt. (rG14383ff052)

Solved Bugs

GUI (Kleopatra)

  • Always show version information. (T7639)
  • Restore the behavior of the configuration options RSAKeySizes and PGPKeyType. (T7674)
  • Do not offer revoked UIDs for sign/encrypt operations. (T7678)
  • Add a workaround for a locking issue during key generation. (T7827)

GUI (Pinentry)

  • The Show/Hide button is now accessible via keyboard. (T7736)
  • Fix an issue with pinentry icons in high-contrast mode. (T7737)

Engine (GnuPG)

  • gpg: Prevent a potential downgrade to SHA1 when handling third-party key signatures. (rG4329e47463)
  • gpg: Correctly report VS-NfD compliance when using OCB together with an additional password. (T7804)
  • gpg: Prevent possible memory violations in the ASCII armor parser. (rG1e929abd20)
  • Restore the additional check for a VS-NfD-compliant RNG on Windows. (rGbad0e15d87)
  • gpgsm: Fix locking issues when deleting or storing certificates that could lead to deadlocks. (T2196)
  • gpgsm: Correct caching of trustlist.txt flags. (T7738)
  • gpg-agent, dirmngr: Fix a startup issue on Windows that could lead to blocking conditions. (T7829)
  • On Windows, use the nPth-friendly gnupg_usleep instead of the standard Sleep API. (rG8491117f09)
  • dirmngr: Fix an assertion failure caused by an incorrect buffer length for certain public keys. (rGafb0aa2674)
  • scdaemon: Accept P15 cards with an empty label. (rG84229829b5)
  • libgcrypt: Global configuration files on Windows are now located under CSIDL_COMMON_APPDATA instead of /etc on the current drive. (rC33413bf3dd)

Outlook Add-In (GgpOL)

  • Fix handling of the BRING_TO_FRONT event. (rOaaf7bedef8)
  • Newly received encrypted emails can again be moved to folders via the context menu. (T7712)
  • Ensure that the name of a temporary file does not become too long and has a proper suffix. (T7722)
  • Also show attachments with long suffixes. (T7813)
  • Fix high CPU load for unsigned mails that are not selected. (T7771)
  • Fix incorrect UI status display for non-mail items. (T7646)
  • Fix incorrect UI status display when the disabledAutoPreview setting is used. (T7803)
  • Fix a possible plaintext leak when opening the very first PGP message in Outlook if Outlook is operating in read-as-plain mode. (T7858, rO88ab93687c)

Known Issues

Crashes in the gpg backend may cause various errors:

  • No OpenPGP certificates listed in Kleopatra.
  • Error messages when trying to decrypt OpenPGP encrypted data.

Versions of the Components

Component Version Remarks
GnuPG 2.2.51  
Kleopatra 3.3.3  
GpgOL 2.6.9  
GpgEX 1.0.11  
Libgcrypt 1.8.12 T7887
Libksba 1.6.7 T7173

This page as PDF.

Unless otherwise noted, these web pages are: Copyright 2025 g10 Code GmbH. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See the Legal Notice & Privacy Policy for details. This page was last changed on 2025-12-01.