How to upgrade to GnuPG >2.2.8?

Question

How to upgrade GnuPG with version >2.2.8 in Ubuntu 16.04.2 LTS? When I enter gpg --version, I get gpg (GnuPG) 1.4.20. When I enter gpg2--version, I get gpg (GnuPG) 2.1.11. I also have Thunderbird with version 52.2.1. What commands should I enter or what files should I install to upgrade GnuPG? Do I need to upgrade Thunderbird?

I have looked at some links like How do I install GnuPG 2.0? How do I install GnuPG 2.2?

But I am still confused of how to do this. I am just a normal user and worry that I would ruin something. I would be grateful if I could get some help like step by step ”How to” guide.

Answer 1

Using a package manager is easiest.

Looks like the apt package for GnuPG on xenial maxes out at 1.4.20. As of this writing, you can get 2.2.4 on bionic, or 2.2.19 on focal, which is the current LTS release.

Can you upgrade your Ubuntu to a more recent version? I know that xenial is arguably still supported, but if you can, it is then as simple as sudo apt-get install gnupg afterwards to get the newest version.

Otherwise it looks like you're stuck building from source (avaliable on gnupg.org here, you'd run ./configure, then make, then make install from within the source directory).

Answer 2

Well they certainly do not make it quick! At time of writing, 2.2.27 (released 2021-01-11) is the highest version available via apt, while the current version is 2.3.8 (released 2022-10-13). The tarball of the latest version can be found here: https://www.gnupg.org/download/index.html

The following is what I had to do to install version 2.3.8.

Requirements:

• system preparation
  $ sudo apt update
$ sudo apt install bzip2 (needed to unpack the archive)
  $ sudo apt install build-essential (needed to compile the source code)
• GPG dependencies

  • npth (new portable threads): https://gnupg.org/ftp/gcrypt/npth/
    $ wget https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
$ tar jxvf npth-1.6.tar.bz2
$ ./npth-1.6/configure && make && sudo make install

  • libgpg-error: https://gnupg.org/ftp/gcrypt/gpgrt/
    $ wget https://gnupg.org/ftp/gcrypt/gpgrt/libgpg-error-1.46.tar.bz2
$ tar jxvf libgpg-error-1.46.tar.bz2
$ ./libgpg-error-1.46/configure && make && sudo make install

  • libgcrypt: https://gnupg.org/ftp/gcrypt/libgcrypt/
    $ wget https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2
$ tar jxvf libgcrypt-1.10.1.tar.bz2
$ ./libgcrypt-1.10.1/configure && make && sudo make install

  • libassuan: https://gnupg.org/ftp/gcrypt/libassuan/
    $ wget https://gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.5.tar.bz2
$ tar jxvf libassuan-2.5.5.tar.bz2
$ ./libassuan-2.5.5/configure && make && sudo make install

  • libksba: https://gnupg.org/ftp/gcrypt/libksba/
    $ wget https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.2.tar.bz2
$ tar jxvf libksba-1.6.2.tar.bz2
$ ./libksba-1.6.2/configure && make && sudo make install

  • If you try to install GPG first, it will fail and tell you to install all the above. Naturally none are available via apt :)

GPG
$ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2

It is highly recommended to verify the integrity given the nature of the program. There are a couple ways to do this, somewhat loosely explained on their page: https://www.gnupg.org/download/integrity_check.html

1. Download the associated signature file & check with the existing gpg that came pre-installed on the distro.

   • $ wget https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2.sig
   • You probably don't have their distribution keys, so you'll have to download those as well:
     $ wget https://gnupg.org/signature_key.asc (.asc = ASCII)
   • $ gpg --import signature_key.asc # import the keys
   • $ gpg --verify gnupg-2.3.8.tar.bz2.sig gnupg-2.3.8.tar.bz2 # verify
   • If they validate ("Good signature from...") then we know the program hasn't been modified. Or if it was modified, the key was also modified as well to hide that fact. That's why it's good to also do the below.

2. Verify the file's SHA-1 checksum.

• $ sha1sum gnupg-2.3.8.tar.bz2
• Listed at the bottom of the integrity check page are checksums for all the files. 1f31b7b4c9c9adad97f94ea3acf1aa64c0424bcc gnupg-2.3.8.tar.bz2 is the one we want (and the output of the above command should match).
• Now as they mention, if someone modified the download they could have easily modified the site to display a false checksum. Therefore it is recommended to use the gnupg-announce mailing list release announcement as the canonical source for the checksum. You'll have to search for mirrors of this announcement, as you can't solely rely on the archive on the site itself (which could be compromised). However it is useful as another double-check.
• The easiest way to find mirrors is to search for "gnupg-announce 2.3.8". I found this and this, both of which have the same checksum. So I think it's safe to say this archive has not been modified and can be installed. Oh and by the way, the dependencies all have signature files that should be checked as well to really be thorough!

$ tar jxvf gnupg-2.3.8.tar.bz2 # uncompress the bzipped tarball
$ ./gnupg-2.3.8/configure && make && sudo make install # build the source code

Almost done! But you'll notice $ gpg --version shows the old version, while $ /usr/local/bin/gpg --version is the new one. Let's fix that.

$ vim ~/.bash_aliases -> Add the line alias gpg=/usr/local/bin/gpg, save, & exit.
$ source ~/.bash_aliases # activate the alias
$ gpg --version # 2.3.8

Voilà!