Bump to 2.3.0

CHANGELOG.md

@@ -1,5 +1,18 @@
 ## V 2.x.x (NEXT)
 
+## V 2.3.0 Bugfix Release
+
+This releases fixes a security issue (#50) where encrypted, but not signed archives could be modified. 
+Some background on MDC and why it's important security-wise: https://gpgtools.tenderapp.com/kb/faq/modification-detection-code-mdc-errors
+
+* Fix: Do not expose logback as compile-time dependency (#41)
+* Fix: java.io.EOFException: Unexpected end of ZIP input stream using 2.2.0 version for PGP file (#46)
+* Fix: KeyFlag#extractPublicKeyFlags throws NullPointerException if called on an older public key with no hashed subpackets (#48)
+* Fix: Encrypting with keys that don't have a KeyFlags subpacket (#50)
+* Fix: MDC (integrity checksum) is not verified when decrypting (#45)
+* Enh: Bump Bouncy Castle to 1.67
+
+
 ## V 2.2.0 Key generation
 
 * new: Add key generation (initial version by Paul Schaub [@vanitasvitae])

README.md

@@ -215,10 +215,10 @@ dependencies {
     <dependency>
         <groupId>name.neuhalfen.projects.crypto.bouncycastle.openpgp</groupId>
         <artifactId>bouncy-gpg</artifactId>
-        <version>2.2.0</version>
-    </dependency>
+        <version>2.3.0</version>
+    </dependency>
 ```
-  
+
 ### Install Provider
 
 ```java

TODO.md

@@ -4,10 +4,9 @@ Open TODOs
 Version 3.0
 --------------
 
-Version 2.2
+Version 2.4
 -------------
 
-- [ ] Key generation
 - [ ] Key generation key expiration
 - [ ] Key generation documentation
 - [ ] Add decryptor.getResult() for decryption result
@@ -16,6 +15,15 @@ Version 2.2
 - [ ] Unit tests: iterate different DefaultPGPAlgorithmSuites.secureSuiteForGnuPG() (incl. compression & no signature!)
 - [ ] Extend documentation of key derivation
 
+Version 2.3
+-------------
+- [x] Bugfixes
+
+
+Version 2.2
+-------------
+- [x] Key generation
+
 
 Version 2.1
 -------------

build.gradle

@@ -87,7 +87,7 @@ sourceCompatibility = 8
 targetCompatibility = 8
 
 group = 'name.neuhalfen.projects.crypto.bouncycastle.openpgp'
-version = '2.2.0'
+version = '2.3.0'
 
 repositories {
     jcenter()
@@ -127,7 +127,6 @@ dependencies {
     compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
     compile 'org.slf4j:slf4j-api:1.7.30'
-    compile 'ch.qos.logback:logback-classic:1.2.3'
 
     // @Nullable and friends are not needed at runtime
     compile 'com.google.code.findbugs:jsr305:3.0.2'
@@ -136,6 +135,8 @@ dependencies {
     testCompile 'org.hamcrest:hamcrest-all:1.3'
     testCompile 'org.mockito:mockito-core:3.2.4'
     testCompile 'org.concordion:concordion-api-documentation-extension:0.0.4'
+    testCompile 'ch.qos.logback:logback-classic:1.2.3'
+
 }
 
 

examples/decrypt/build.gradle

@@ -27,7 +27,7 @@ dependencies {
     compile 'org.bouncycastle:bcprov-jdk15on:1.67'
     compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
-    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.2.0'
+    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.3.0'
 
     compile 'org.slf4j:slf4j-api:1.7.25'
     compile 'ch.qos.logback:logback-classic:1.2.3'

examples/maven/pom.xml

@@ -42,7 +42,7 @@
     <dependency>
       <groupId>name.neuhalfen.projects.crypto.bouncycastle.openpgp</groupId>
       <artifactId>bouncy-gpg</artifactId>
-      <version>2.2.0</version>
+      <version>2.3.0</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>

examples/reencrypt/build.gradle

@@ -27,7 +27,7 @@ dependencies {
     compile 'org.bouncycastle:bcprov-jdk15on:1.67'
     compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
-    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.2.0'
+    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.3.0'
 
     compile 'org.slf4j:slf4j-api:1.7.22'
     compile 'ch.qos.logback:logback-classic:1.2.1'