2004-01-29 21:16:59 +01:00
|
|
|
The GNU Privacy Guard 2
|
|
|
|
=========================
|
|
|
|
Version 1.9.x
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
2005-06-20 19:32:44 +02:00
|
|
|
GnuPG 1.9 is the future version of GnuPG; it is based on some gnupg-1.3
|
2004-01-29 21:16:59 +01:00
|
|
|
code and the previous newpg package. It will eventually lead to a
|
2005-06-20 19:32:44 +02:00
|
|
|
GnuPG 2.0 release. Note that GnuPG 1.4 and 1.9 are not always in sync
|
|
|
|
and thus features and bug fixes done in 1.4 are not necessary
|
2004-01-29 21:16:59 +01:00
|
|
|
available in 1.9.
|
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
You should use this GnuPG version if you want to use the gpg-agent or
|
|
|
|
gpgsm (the S/MIME variant of gpg). Note that the gpg-agent is also
|
2005-06-20 19:32:44 +02:00
|
|
|
helpful when using the standard gpg versions (1.4.x as well as some of
|
|
|
|
the old 1.2.x). There are no problems installing 1.4 and 1.9
|
2006-07-27 16:18:55 +02:00
|
|
|
alongside; in dact we suggest to do this.
|
2004-07-22 11:37:36 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
|
|
|
|
BUILD INSTRUCTIONS
|
|
|
|
==================
|
|
|
|
|
|
|
|
GnuPG 1.9 depends on the following packages:
|
|
|
|
|
2004-09-30 16:34:34 +02:00
|
|
|
libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
|
|
|
|
libgcrypt (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
|
2004-01-29 21:16:59 +01:00
|
|
|
libassuan (ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/)
|
|
|
|
libksba (ftp://ftp.gnupg.org/gcrypt/alpha/libksba/)
|
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
If you use the configure option --enable-agent-only, libksba is not
|
|
|
|
required.
|
|
|
|
|
|
|
|
You also need the pinentry package for most function of GnuPG; however
|
2004-01-29 21:16:59 +01:00
|
|
|
it is not a build requirement. pinentry is available at
|
|
|
|
ftp://ftp.gnupg.org/gcrypt/pinentry/ .
|
|
|
|
|
|
|
|
You should get the latest versions of course, the GnuPG configure
|
|
|
|
script complains if a version is not sufficient.
|
|
|
|
|
|
|
|
After building and installing the above packages in the order as given
|
2004-07-22 11:37:36 +02:00
|
|
|
above, you may now continue with GnuPG installation (you may also just
|
2004-01-29 21:16:59 +01:00
|
|
|
try to build GnuPG to see whether your already installed versions are
|
|
|
|
sufficient).
|
|
|
|
|
|
|
|
As with all packages, you just have to do
|
2003-12-23 12:05:19 +01:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
./configure
|
|
|
|
make
|
|
|
|
make install
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
(Before doing install you might need to become root.)
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
If everything succeeds, you have a working GnuPG with support for
|
|
|
|
S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
|
2006-07-29 02:22:16 +02:00
|
|
|
that this package won't conflict with a GnuPG 1.2 or 1.3
|
2004-07-22 11:37:36 +02:00
|
|
|
installation. gpg2 behaves just like gpg; it is however suggested to
|
2005-04-21 11:33:07 +02:00
|
|
|
keep using gpg 1.2.x or 1.3.x. gpg2 is not even build by default.
|
2004-01-29 21:16:59 +01:00
|
|
|
|
|
|
|
In case of problem please ask on gpa-dev@gnupg.org for advise. Note
|
|
|
|
that this release is only expected to build on GNU and *BSD systems.
|
|
|
|
|
|
|
|
A texinfo manual named `gnupg.info' will get installed. Some commands
|
|
|
|
and options given below. See also the section `SMARTCARD INTRO'.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
COMMANDS
|
|
|
|
========
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2005-06-20 19:32:44 +02:00
|
|
|
See the info documentation ("info gnupg") for a full list of commands
|
|
|
|
and options.
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpgsm:
|
|
|
|
------
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--learn-card
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2003-12-23 12:05:19 +01:00
|
|
|
Read information about the private keys from the smartcard and
|
2002-10-19 09:55:27 +02:00
|
|
|
import the certificates from there.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--export
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2003-12-23 12:05:19 +01:00
|
|
|
Export all certificates stored in the Keybox or those specified on
|
|
|
|
the command line. When using --armor a few informational lines are
|
|
|
|
prepended before each block.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
OPTIONS
|
|
|
|
=======
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpgsm:
|
|
|
|
------
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--include-certs <n>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Using N of -2 includes all certificate except for the Root cert,
|
|
|
|
-1 includes all certs, 0 does not include any certs, 1 includes only
|
|
|
|
the signers cert (this is the default) and all other positives
|
|
|
|
values include up to N certs starting with the signer cert.
|
|
|
|
|
|
|
|
--policy-file <filename>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2006-07-29 02:22:16 +02:00
|
|
|
Change the default name of the policy file
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--enable-policy-checks
|
|
|
|
--disable-policy-checks
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
By default policy checks are enabled. These options may be used to
|
|
|
|
change it.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--enable-crl-checks
|
|
|
|
--disable-crl-checks
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
By default the CRL checks are enabled and the DirMngr is used to
|
|
|
|
check for revoked certificates. The disable option is most useful
|
2006-07-29 02:22:16 +02:00
|
|
|
with an off-line connection to suppres this check.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--agent-program <path_to_agent_program>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Specify an agent program to be used for secret key operations. The
|
|
|
|
default value is "../agent/gpg-agent". This is only used as a
|
2006-07-29 02:22:16 +02:00
|
|
|
fallback when the envrionment variable GPG_AGENT_INFO is not set or
|
2002-10-19 09:55:27 +02:00
|
|
|
a running agent can't be connected.
|
|
|
|
|
|
|
|
--dirmngr-program <path_to_dirmgr_program>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Specify a dirmngr program to be used for CRL checks. The default
|
|
|
|
value is "/usr/sbin/dirmngr". This is only used as a fallback when
|
2006-07-29 02:22:16 +02:00
|
|
|
the environment variable DIRMNGR_INFO is not set or a running
|
2002-10-19 09:55:27 +02:00
|
|
|
dirmngr can't be connected.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--no-secmem-warning
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Don't print the warning "no secure memory"
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--armor
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2006-07-29 02:22:16 +02:00
|
|
|
Create PEM encoded output. Default is binary output.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--base64
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Create Base-64 encoded output; i.e. PEM without the header lines.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--assume-armor
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Assume the input data is PEM encoded. Default is to autodetect the
|
|
|
|
encoding but this is may fail.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--assume-base64
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Assume the input data is plain base-64 encoded.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--assume-binary
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Assume the input data is binary encoded.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--server
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Run in server mode. This is used by GPGME to control gpgsm. See
|
|
|
|
the assuan specification regarding gpgsm about the used protocol.
|
|
|
|
Some options are ignored in server mode.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--local-user <user_id>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Set the user to be used for signing. The default is the first
|
|
|
|
secret key found in the database.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--with-key-data
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-01-27 17:40:42 +01:00
|
|
|
Displays extra information with the --list-keys commands. Especially
|
|
|
|
a line tagged "grp" is printed which tells you the keygrip of a
|
2002-10-19 09:55:27 +02:00
|
|
|
key. This is string is for example used as the filename of the
|
|
|
|
secret key.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpg-agent:
|
|
|
|
---------
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--pinentry-program <path_to_pinentry_program>
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Specify the PINentry program. The default value is
|
2003-12-23 12:05:19 +01:00
|
|
|
"<prefix>/bin/pinentry" so you most likely want to specify it.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
--no-grab
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2006-07-29 02:22:16 +02:00
|
|
|
Tell the pinentry not to grab keyboard and mouse. You most likely
|
2002-10-19 09:55:27 +02:00
|
|
|
want to give this option during testing and development to avoid
|
|
|
|
lockups in case of bugs.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
scdaemon:
|
|
|
|
--------
|
|
|
|
|
|
|
|
--ctapi-driver <libraryname>
|
|
|
|
|
|
|
|
The default for Scdaemon is to use the PC/SC API currently provided
|
|
|
|
by libpcsclite.so. As an alternative the ctAPI can be used by
|
|
|
|
specify this option with the appropriate driver name
|
|
|
|
(e.g. libtowitoko.so).
|
|
|
|
|
|
|
|
--reader-port <portname>
|
|
|
|
|
|
|
|
This specifies the port of the chipcard reader. For PC/SC this is
|
|
|
|
currently ignored and the first PC/SC reader is used. For the
|
|
|
|
ctAPI, a number must be specified (the default is 32768 for the
|
|
|
|
first USB port).
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
--disable-ccid
|
|
|
|
|
|
|
|
Disable the integrated support for CCID compliant readers. This
|
|
|
|
allows to fall back to one of the other drivers even if the internal
|
|
|
|
CCID driver can handle the reader. Note, that CCID support is only
|
|
|
|
available if libusb was available at build time.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
FILES
|
|
|
|
=====
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
The default home directory is ~/.gnupg. It can be changed by
|
2006-07-29 02:22:16 +02:00
|
|
|
either the --homedir option or by setting the environment variable
|
2002-10-19 09:55:27 +02:00
|
|
|
GNUPGHOME. This is a list of files usually found in this directory:
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpgsm.conf
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Options for gpgsm. Options are the same as the command line
|
|
|
|
options but don't enter the leading dashes and give arguments
|
|
|
|
without an equal sign. Blank lines and lines starting with a
|
2006-07-29 02:22:16 +02:00
|
|
|
hash mark as the first non white space character are ignored.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpg-agent.conf
|
|
|
|
|
|
|
|
Options for gpg-agent
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
scdaemon.conf
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Options for scdaemon.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
dirmngr.conf
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Options for the DirMngr which is not part of this package and
|
2006-07-29 02:22:16 +02:00
|
|
|
the option file will most likely be moved to /etc
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
gpg.conf
|
|
|
|
|
|
|
|
Options for gpg. Note that old versions of gpg use the
|
|
|
|
filename `options' instead of `gpg.conf'.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
gpg.conf-1.9.x
|
|
|
|
|
|
|
|
Options for gpg; tried before gpg.conf
|
|
|
|
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
policies.txt
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
A list of allowed CA policies. This file should give the
|
2003-08-05 19:11:04 +02:00
|
|
|
object identifiers of the policies line by line. Empty lines
|
2006-07-29 02:22:16 +02:00
|
|
|
and lines starting with a hash mark are ignored.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
++++++++++
|
|
|
|
2.289.9.9
|
|
|
|
++++++++++
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
trustlist.txt
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
A list of trusted certificates. The file will be created
|
|
|
|
automagically with some explaining comments. By using
|
|
|
|
gpg-agent's option --allow-mark-trusted, gpg-agent may add new
|
|
|
|
entries after user confirmation.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
random_seed
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Used internally for keeping the state of the RNG over
|
|
|
|
invocations.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
pubring.kbx
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
The database file with the certificates.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
pubring.gpg
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
The database file with the OpenPGP public keys. This will
|
|
|
|
eventually be merged with pubring.kbx
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
secring.gpg
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
The database file with the OpenPGP secret keys. This will be
|
|
|
|
removed when gpg is changed to make use of the gpg-agent.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
private-keys-v1.d/
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Directory holding the private keys maintained by gpg-agent.
|
|
|
|
For detailed info see agent/keyformat.txt. Note that there is
|
|
|
|
a helper tool gpg-protect-tool which may be used to protect or
|
|
|
|
unprotect keys. This is however nothing a user should care
|
|
|
|
about.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
SOURCE FILES
|
|
|
|
============
|
|
|
|
|
|
|
|
Here is a list of directories with source files:
|
|
|
|
|
|
|
|
jnlib/ utility functions
|
|
|
|
kbx/ keybox library
|
|
|
|
g10/ the gpg program here called gpg2
|
|
|
|
sm/ the gpgsm program
|
|
|
|
agent/ the gpg-agent
|
|
|
|
scd/ the smartcard daemon
|
|
|
|
doc/ documentation
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
HOW TO SPECIFY A USER ID
|
2002-10-19 09:55:27 +02:00
|
|
|
========================
|
|
|
|
|
|
|
|
Due to the way X.509 certificates are made up we need a few new ways
|
|
|
|
to specify a certificate (aka key in OpenPGP). In addition to the
|
|
|
|
ways a user ID can be specified with gpg, I have implemented 3 new
|
|
|
|
modes for gpgsm, here is the entire list of ways to specify a key:
|
|
|
|
|
|
|
|
* By keyID.
|
|
|
|
|
2006-07-29 02:22:16 +02:00
|
|
|
This format is deducted from the length of the string and its
|
|
|
|
content or "0x" prefix. For use with OpenPGP an exclamation mark may
|
2002-10-19 09:55:27 +02:00
|
|
|
be appended to force use of the specified (sub)key.
|
|
|
|
|
|
|
|
As with v34 OpenPGP keys, the keyID of an X509 certificate are the
|
|
|
|
low 64 bits of the SHA-1 fingerprint. The use of keyIDs is just a
|
|
|
|
shortcut, for all automated processing the fingerprint should be
|
|
|
|
used.
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
|
|
|
234567C4
|
|
|
|
0F34E556E
|
|
|
|
01347A56A
|
|
|
|
0xAB123456
|
|
|
|
|
|
|
|
234AABBCC34567C4
|
|
|
|
0F323456784E56EAB
|
|
|
|
01AB3FED1347A5612
|
|
|
|
0x234AABBCC34567C4
|
|
|
|
|
|
|
|
* By fingerprint
|
|
|
|
|
|
|
|
This is format is deduced from the length of the string and its
|
|
|
|
content or "0x" prefix. Note, that only the 20 byte fingerprint is
|
|
|
|
used with GPGSM (SHA-1 hash of the certificate). For use with
|
2006-07-29 02:22:16 +02:00
|
|
|
OpenPGP an exclamation mark may be appended to force use of the
|
2002-10-19 09:55:27 +02:00
|
|
|
specified (sub)key.
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
|
|
|
1234343434343434C434343434343434
|
|
|
|
123434343434343C3434343434343734349A3434
|
|
|
|
0E12343434343434343434EAB3484343434343434
|
|
|
|
0xE12343434343434343434EAB3484343434343434
|
|
|
|
|
|
|
|
* Exact match on OpenPGP user ID
|
|
|
|
|
|
|
|
This is denoted by a leading equal sign. It does not make much
|
|
|
|
sense for X.509.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
=Heinrich Heine <heinrichh@uni-duesseldorf.de>
|
|
|
|
|
|
|
|
* Exact match on an email address.
|
|
|
|
|
|
|
|
This is indicated by enclosing the email address in the usual way
|
|
|
|
with left and right angles
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
<heinrichh@uni-duesseldorf.de>
|
|
|
|
|
|
|
|
* Word match
|
2002-07-04 15:35:42 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
All words must match exactly (not case sensitive) but can appear in
|
|
|
|
any order in the user ID or a subjects name. Words are any
|
|
|
|
sequences of letters, digits, the underscore and all characters
|
|
|
|
with bit 7 set.
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Example:
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
+Heinrich Heine duesseldorf
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
* Exact match by subject's DN
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
This is indicated by a leading slash, directly followed by the
|
2004-01-29 08:41:55 +01:00
|
|
|
rfc2253 encoded DN of the subject. Note that you can't use the
|
|
|
|
string printed by "gpgsm --list-keys" because that one as been
|
|
|
|
reordered and modified for better readability; use --with-colons to
|
|
|
|
print the raw (but standard escaped) rfc2253 string
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Example:
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2004-01-29 08:41:55 +01:00
|
|
|
/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2006-07-29 02:22:16 +02:00
|
|
|
* Exact match by issuer's DN
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
This is indicated by a leading hash mark, directly followed by a
|
|
|
|
slash and then directly followed by the rfc2253 encoded DN of the
|
2004-01-29 08:41:55 +01:00
|
|
|
issuer. This should return the Root cert of the issuer. See note
|
|
|
|
above.
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Example:
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
#/CN=Root Cert,O=Poets,L=Paris,C=FR
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
* Exact match by serial number and issuer's DN
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
This is indicated by a hash mark, followed by the hexadecmal
|
2005-04-18 12:44:46 +02:00
|
|
|
representation of the serial number, the followed by a slash and
|
2004-01-29 08:41:55 +01:00
|
|
|
the RFC2253 encoded DN of the issuer. See note above.
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Example:
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
|
2002-09-02 15:50:05 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
* Substring match
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
By case insensitive substring matching. This is the default mode
|
|
|
|
but applications may want to explicitly indicate this by putting
|
|
|
|
the asterisk in front.
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Example:
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Heine
|
|
|
|
*Heine
|
2002-07-01 11:44:56 +02:00
|
|
|
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
Please note that we have reused the hash mark identifier which was
|
2002-10-19 09:55:27 +02:00
|
|
|
used in old GnuPG versions to indicate the so called local-id. It is
|
|
|
|
not anymore used and there should be no conflict when used with X.509
|
|
|
|
stuff.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Using the rfc2253 format of DNs has the drawback that it is not
|
|
|
|
possible to map them back to the original encoding, however we don't
|
|
|
|
have to do this, because our key database stores this encoding as meta
|
|
|
|
data.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2002-10-19 09:55:27 +02:00
|
|
|
Some of the search modes are not yet implemented ;-)
|
2002-06-29 16:15:02 +02:00
|
|
|
|
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
HOW TO IMPORT A PRIVATE KEY
|
2002-10-19 09:55:27 +02:00
|
|
|
===========================
|
|
|
|
There is some limited support to import a private key from a PKCS-12
|
2004-02-13 13:40:54 +01:00
|
|
|
file.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
2004-02-13 13:40:54 +01:00
|
|
|
gpgsm --import foo.p12
|
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
This requires that the gpg-agent is running.
|
2002-06-29 16:15:02 +02:00
|
|
|
|
1999-09-18 09:18:02 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
HOW TO EXPORT A PRIVATE KEY
|
2002-10-19 09:55:27 +02:00
|
|
|
===========================
|
|
|
|
There is also limited support to export a private key in PKCS-12
|
2004-09-30 16:34:34 +02:00
|
|
|
format. However there is no MAC applied.
|
2001-07-04 11:42:04 +02:00
|
|
|
|
2004-10-20 10:54:45 +02:00
|
|
|
gpgsm --export-secret-key-p12 userID >foo.p12
|
2001-07-04 11:42:04 +02:00
|
|
|
|
1999-07-23 14:03:01 +02:00
|
|
|
|
2004-01-29 21:16:59 +01:00
|
|
|
SMARTCARD INTRO
|
|
|
|
===============
|
|
|
|
|
2004-02-13 13:40:54 +01:00
|
|
|
GPG, the OpenPGP part of GnuPG, supports the OpenPGP smartcard
|
2005-06-20 19:32:44 +02:00
|
|
|
(surprise!); see http://g10code.com/p-card.html and
|
|
|
|
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
|
2004-01-29 21:16:59 +01:00
|
|
|
|
2004-02-13 13:40:54 +01:00
|
|
|
GPGSM, the CMS (S/MIME) part of GnuPG, supports two kinds of
|
2004-01-29 21:16:59 +01:00
|
|
|
smartcards. The most flexible way is to use PKCS#15 compliant cards,
|
|
|
|
however you must have build GnuPG with support for the OpenSC library.
|
|
|
|
The build process automagically detects the presence of this library
|
|
|
|
and will include support for these cards.
|
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
The other cards we currently support are the Telesec NetKey card with
|
|
|
|
the NKS 2.0 card application and all generic DINSIG cards.
|
2004-01-29 21:16:59 +01:00
|
|
|
|
|
|
|
Before GPGSM can make use of a new card it must gather some
|
|
|
|
information, like the card's serial number, the public keys and the
|
|
|
|
certificates stored on the card. Thus for a new card you need to run
|
|
|
|
the command
|
|
|
|
|
|
|
|
gpgsm --learn-card
|
|
|
|
|
|
|
|
once. This is also a good test to see whether your card reader is
|
|
|
|
properly installed. See below in case of error. Once this has been
|
|
|
|
done you may use the keys stored on the card in the same way you use
|
|
|
|
keys stored on the disk. gpgsm automagically knows whether a card is
|
|
|
|
required and will pop up the pinentry to ask you to insert the
|
|
|
|
correct card.
|
|
|
|
|
|
|
|
For selecting the driver, see the options of scdaemon. A useful
|
|
|
|
debugging flag is "--debug 2048" showing the communication between
|
|
|
|
scdaemon and the reader.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|