Hello Users and Supporters of Gpg4win,
if you currently have problems accessing keyservers
or fetching public keys via WKD,
you should install a GnuPG update on top of Gpg4win-3.1.16
to fix a problem with Let's Encrypt TLS certificates for those connections.
The easiest way is to download and run the installer:
When in doubt, do the install.
Corresponding OpenPGP signature
(usually not needed, see https://www.gpg4win.org/package-integrity.html)
If you want to try the new GnuPG 2.3 series, you can. Version 2.3.3
has the fix as well.
=== What is the problem being fixed?
Let's Encrypt (LE) issues TLS certificates which are widely used to secure
connections to servers. This includes many keyservers (an area where
development is going on for other reasons; for example,
https://spider.pgpkeys.eu/ shows some new decentralised public keyservers).
It also includes some sites offering public keys via a web key directory.
Let's Encrypt used a bit of a trick to still support old Android
devices, where - in my understanding - it is impossible to update the root
certificate store, but some expiration dates are ignored. So LE got an
intermediate certificate from an expired root certificate.
Simply put, there are now two validation paths for this LE certificate, one
being invalid and one being valid. The logic in GnuPG needed adjustment
to pick the valid one. The other potential solution, removing the outdated
root certificate from your certificate software's trust store, does not work in
situations where the operating system or the webserver still deliver the expired root
=== Why not with a full Gpg4win release?
We are preparing the Gpg4win 4.0 release, but this needs a few
more days. Upgrading GnuPG separately is the quickest and most robust way
of offering this fix to those who depend on the functionality. We are aware
that this extra install is a bit of an inconvenience for you and we apologise
for this. We have done it to get you both the fix and Gpg4win 4.0 sooner.