Well they certainly do not make it quick! At time of writing, 2.2.27
(released 2021-01-11) is the highest version available via apt
, while the current version is 2.3.8
(released 2022-10-13). The tarball of the latest version can be found here: https://www.gnupg.org/download/index.html
The following is what I had to do to install version 2.3.8.
Requirements:
- system preparation
$ sudo apt update
$ sudo apt install bzip2
(needed to unpack the archive)
$ sudo apt install build-essential
(needed to compile the source code)
- GPG dependencies
npth (new portable threads): https://gnupg.org/ftp/gcrypt/npth/
$ wget https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
$ tar jxvf npth-1.6.tar.bz2
$ ./npth-1.6/configure && make && sudo make install
libgpg-error: https://gnupg.org/ftp/gcrypt/gpgrt/
$ wget https://gnupg.org/ftp/gcrypt/gpgrt/libgpg-error-1.46.tar.bz2
$ tar jxvf libgpg-error-1.46.tar.bz2
$ ./libgpg-error-1.46/configure && make && sudo make install
libgcrypt: https://gnupg.org/ftp/gcrypt/libgcrypt/
$ wget https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2
$ tar jxvf libgcrypt-1.10.1.tar.bz2
$ ./libgcrypt-1.10.1/configure && make && sudo make install
libassuan: https://gnupg.org/ftp/gcrypt/libassuan/
$ wget https://gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.5.tar.bz2
$ tar jxvf libassuan-2.5.5.tar.bz2
$ ./libassuan-2.5.5/configure && make && sudo make install
libksba: https://gnupg.org/ftp/gcrypt/libksba/
$ wget https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.2.tar.bz2
$ tar jxvf libksba-1.6.2.tar.bz2
$ ./libksba-1.6.2/configure && make && sudo make install
If you try to install GPG first, it will fail and tell you to install all the above. Naturally none are available via apt
:)
GPG
$ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2
It is highly recommended to verify the integrity given the nature of the program. There are a couple ways to do this, somewhat loosely explained on their page: https://www.gnupg.org/download/integrity_check.html
Download the associated signature file & check with the existing gpg
that came pre-installed on the distro.
$ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2.sig
- You probably don't have their distribution keys, so you'll have to download those as well:
$ wget https://gnupg.org/signature_key.asc
(.asc = ASCII)
$ gpg --import signature_key.asc
# import the keys
$ gpg --verify gnupg-2.3.8.tar.bz2.sig gnupg-2.3.8.tar.bz2
# verify
- If they validate ("Good signature from...") then we know the program hasn't been modified. Or if it was modified, the key was also modified as well to hide that fact. That's why it's good to also do the below.
Verify the file's SHA-1 checksum.
$ sha1sum gnupg-2.3.8.tar.bz2
- Listed at the bottom of the integrity check page are checksums for all the files.
1f31b7b4c9c9adad97f94ea3acf1aa64c0424bcc gnupg-2.3.8.tar.bz2
is the one we want (and the output of the above command should match).
- Now as they mention, if someone modified the download they could have easily modified the site to display a false checksum. Therefore it is recommended to use the gnupg-announce mailing list release announcement as the canonical source for the checksum. You'll have to search for mirrors of this announcement, as you can't solely rely on the archive on the site itself (which could be compromised). However it is useful as another double-check.
- The easiest way to find mirrors is to search for "gnupg-announce 2.3.8". I found this and this, both of which have the same checksum. So I think it's safe to say this archive has not been modified and can be installed. Oh and by the way, the dependencies all have signature files that should be checked as well to really be thorough!
$ tar jxvf gnupg-2.3.8.tar.bz2
# uncompress the bzipped tarball
$ ./gnupg-2.3.8/configure && make && sudo make install
# build the source code
Almost done! But you'll notice $ gpg --version
shows the old version, while $ /usr/local/bin/gpg --version
is the new one. Let's fix that.
$ vim ~/.bash_aliases
-> Add the line alias gpg=/usr/local/bin/gpg
, save, & exit.
$ source ~/.bash_aliases
# activate the alias
$ gpg --version
# 2.3.8
Voilà!
sudo apt-get install gnupg
and it will update only gnupg. (source for difference between upgrade and install) – Michael Noguera May 23 '20 at 19:06gnupg2
is not used on 18.04, as it only existed to simplify the installation of gpg v2 when v1 was the default that came with the system. Because v2 is now the default, there is no need for agnupg2
package. (See the comments on this answer for more info.) – Michael Noguera May 23 '20 at 19:12