mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Move parameter file description to the manual.
parent
28c157b55c
commit
00f8b68505
@ -1,3 +1,8 @@
|
|||||||
|
2011-03-01 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpgsm.texi (CSR and certificate creation): New.
|
||||||
|
* gpg.texi (Unattended GPG key generation): New.
|
||||||
|
|
||||||
2010-10-29 David Shaw <dshaw@jabberwocky.com>
|
2010-10-29 David Shaw <dshaw@jabberwocky.com>
|
||||||
|
|
||||||
* gpg.texi (GPG Configuration Options): Clarify that show-photos
|
* gpg.texi (GPG Configuration Options): Clarify that show-photos
|
||||||
|
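Review bot: the ChangeLog entry records only the two texi additions and does not mention doc/DETAILS, although this commit also replaces the whole "Unattended key generation" section there with a one-line pointer. Add a line such as `* DETAILS (Unattended key generation): Move to gpg.texi.` next to the two texi entries so the removal stays traceable from the ChangeLog.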
191
doc/DETAILS
191
doc/DETAILS
@ -785,199 +785,12 @@ would result in:
|
|||||||
|
|
||||||
Key generation
|
Key generation
|
||||||
==============
|
==============
|
||||||
See the Libcrypt manual.
|
See the Libcrypt manual.
|
||||||
|
|
||||||
|
|
||||||
Unattended key generation
|
Unattended key generation
|
||||||
=========================
|
=========================
|
||||||
This feature allows unattended generation of keys controlled by a
|
The the manual for a description.
|
||||||
parameter file. To use this feature, you use --gen-key together with
|
|
||||||
--batch and feed the parameters either from stdin or from a file given
|
|
||||||
on the commandline. The description below is only for GPG; GPGSM has
|
|
||||||
a similar feature, see the file sm/certreqgen.c for a description.
|
|
||||||
|
|
||||||
The format of this file is as follows:
|
|
||||||
o Text only, line length is limited to about 1000 chars.
|
|
||||||
o You must use UTF-8 encoding to specify non-ascii characters.
|
|
||||||
o Empty lines are ignored.
|
|
||||||
o Leading and trailing spaces are ignored.
|
|
||||||
o A hash sign as the first non white space character indicates a comment line.
|
|
||||||
o Control statements are indicated by a leading percent sign, the
|
|
||||||
arguments are separated by white space from the keyword.
|
|
||||||
o Parameters are specified by a keyword, followed by a colon. Arguments
|
|
||||||
are separated by white space.
|
|
||||||
o The first parameter must be "Key-Type", control statements
|
|
||||||
may be placed anywhere.
|
|
||||||
o Key generation takes place when either the end of the parameter file
|
|
||||||
is reached, the next "Key-Type" parameter is encountered or at the
|
|
||||||
control statement "%commit"
|
|
||||||
o Control statements:
|
|
||||||
%echo <text>
|
|
||||||
Print <text>.
|
|
||||||
%dry-run
|
|
||||||
Suppress actual key generation (useful for syntax checking).
|
|
||||||
%commit
|
|
||||||
Perform the key generation. An implicit commit is done
|
|
||||||
at the next "Key-Type" parameter.
|
|
||||||
%pubring <filename>
|
|
||||||
%secring <filename>
|
|
||||||
Do not write the key to the default or commandline given
|
|
||||||
keyring but to <filename>. This must be given before the first
|
|
||||||
commit to take place, duplicate specification of the same filename
|
|
||||||
is ignored, the last filename before a commit is used.
|
|
||||||
The filename is used until a new filename is used (at commit points)
|
|
||||||
and all keys are written to that file. If a new filename is given,
|
|
||||||
this file is created (and overwrites an existing one).
|
|
||||||
GnuPG < 2.1: Both control statements must be given.
|
|
||||||
GnuPG >= 2.1: "%secring" is now a no-op.
|
|
||||||
%ask-passphrase
|
|
||||||
Enable a mode where the command "passphrase" is ignored and
|
|
||||||
instead the usual passphrase dialog is used. This does not
|
|
||||||
make sense for batch key generation; however the unattended
|
|
||||||
key generation feature is also used by GUIs and this feature
|
|
||||||
relinquishes the GUI from implementing its own passphrase
|
|
||||||
entry code. This is a global option.
|
|
||||||
%no-ask-passphrase
|
|
||||||
Disable the ask-passphrase mode.
|
|
||||||
%no-protection
|
|
||||||
With GnuPG 2.1 it is not anymore possible to specify a
|
|
||||||
passphrase for unattended key generation. The passphrase
|
|
||||||
command is simply ignored and %ask-passpharse is thus
|
|
||||||
implicitly enabled. Using this option allows to the creation
|
|
||||||
of keys without any passphrases. This option is mainly
|
|
||||||
intended for regression tests.
|
|
||||||
%transient-key
|
|
||||||
If given the keys are created using a faster and a somewhat
|
|
||||||
less secure random number generator. This option may be used
|
|
||||||
for keys which are only used for a short time and do not
|
|
||||||
require full cryptographic strength. It takes only effect if
|
|
||||||
used together with the option no-protection.
|
|
||||||
|
|
||||||
o The order of the parameters does not matter except for "Key-Type"
|
|
||||||
which must be the first parameter. The parameters are only for the
|
|
||||||
generated keyblock and parameters from previous key generations are not
|
|
||||||
used. Some syntactically checks may be performed.
|
|
||||||
The currently defined parameters are:
|
|
||||||
Key-Type: <algo-number>|<algo-string>
|
|
||||||
Starts a new parameter block by giving the type of the primary
|
|
||||||
key. The algorithm must be capable of signing. This is a
|
|
||||||
required parameter. It may be "default" to use the default
|
|
||||||
one; in this case don't give a Key-Usage and use "default" for
|
|
||||||
the Subkey-Type.
|
|
||||||
Key-Length: <length-in-bits>
|
|
||||||
Length of the key in bits. The default is returned by running
|
|
||||||
the command "gpg --gpgconf-list".
|
|
||||||
Key-Usage: <usage-list>
|
|
||||||
Space or comma delimited list of key usage, allowed values are
|
|
||||||
"encrypt", "sign", and "auth". This is used to generate the
|
|
||||||
key flags. Please make sure that the algorithm is capable of
|
|
||||||
this usage. Note that OpenPGP requires that all primary keys
|
|
||||||
are capable of certification, so no matter what usage is given
|
|
||||||
here, the "cert" flag will be on. If no Key-Usage is
|
|
||||||
specified and the key-type is not "default", all allowed
|
|
||||||
usages for that particular algorithm are used; if it is not
|
|
||||||
given but "default" is used the usage will be "sign".
|
|
||||||
Subkey-Type: <algo-number>|<algo-string>
|
|
||||||
This generates a secondary key. Currently only one subkey
|
|
||||||
can be handled. "default" is also supported.
|
|
||||||
Subkey-Length: <length-in-bits>
|
|
||||||
Length of the subkey in bits. The default is returned by running
|
|
||||||
the command "gpg --gpgconf-list".
|
|
||||||
Subkey-Usage: <usage-list>
|
|
||||||
Similar to Key-Usage.
|
|
||||||
Passphrase: <string>
|
|
||||||
If you want to specify a passphrase for the secret key,
|
|
||||||
enter it here. Default is not to use any passphrase.
|
|
||||||
Name-Real: <string>
|
|
||||||
Name-Comment: <string>
|
|
||||||
Name-Email: <string>
|
|
||||||
The 3 parts of a key. Remember to use UTF-8 here.
|
|
||||||
If you don't give any of them, no user ID is created.
|
|
||||||
Expire-Date: <iso-date>|(<number>[d|w|m|y])
|
|
||||||
Set the expiration date for the key (and the subkey). It may
|
|
||||||
either be entered in ISO date format (2000-08-15) or as number
|
|
||||||
of days, weeks, month or years. The special notation
|
|
||||||
"seconds=N" is also allowed to directly give an Epoch
|
|
||||||
value. Without a letter days are assumed. Note that there is
|
|
||||||
no check done on the overflow of the type used by OpenPGP for
|
|
||||||
timestamps. Thus you better make sure that the given value
|
|
||||||
make sense. Although OpenPGP works with time intervals, GnuPG
|
|
||||||
uses an absolute value internally and thus the last year we
|
|
||||||
can represent is 2105.
|
|
||||||
Creation-Date: <iso-date>
|
|
||||||
Set the creation date of the key as stored in the key
|
|
||||||
information and which is also part of the fingerprint
|
|
||||||
calculation. Either a date like "1986-04-26" or a full
|
|
||||||
timestamp like "19860426T042640" may be used. The time is
|
|
||||||
considered to be UTC. If it is not given the current time
|
|
||||||
is used.
|
|
||||||
Preferences: <string>
|
|
||||||
Set the cipher, hash, and compression preference values for
|
|
||||||
this key. This expects the same type of string as "setpref"
|
|
||||||
in the --edit menu.
|
|
||||||
Revoker: <algo>:<fpr> [sensitive]
|
|
||||||
Add a designated revoker to the generated key. Algo is the
|
|
||||||
public key algorithm of the designated revoker (i.e. RSA=1,
|
|
||||||
DSA=17, etc.) Fpr is the fingerprint of the designated
|
|
||||||
revoker. The optional "sensitive" flag marks the designated
|
|
||||||
revoker as sensitive information. Only v4 keys may be
|
|
||||||
designated revokers.
|
|
||||||
Handle: <string>
|
|
||||||
This is an optional parameter only used with the status lines
|
|
||||||
KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100
|
|
||||||
characters and should not contain spaces. It is useful for
|
|
||||||
batch key generation to associate a key parameter block with a
|
|
||||||
status line.
|
|
||||||
Keyserver: <string>
|
|
||||||
This is an optional parameter that specifies the preferred
|
|
||||||
keyserver URL for the key.
|
|
||||||
|
|
||||||
|
|
||||||
Here is an example on how to create a key:
|
|
||||||
$ cat >foo <<EOF
|
|
||||||
%echo Generating a basic OpenPGP key
|
|
||||||
Key-Type: DSA
|
|
||||||
Key-Length: 1024
|
|
||||||
Subkey-Type: ELG-E
|
|
||||||
Subkey-Length: 1024
|
|
||||||
Name-Real: Joe Tester
|
|
||||||
Name-Comment: with stupid passphrase
|
|
||||||
Name-Email: joe@foo.bar
|
|
||||||
Expire-Date: 0
|
|
||||||
Passphrase: abc
|
|
||||||
%pubring foo.pub
|
|
||||||
%secring foo.sec
|
|
||||||
# Do a commit here, so that we can later print "done" :-)
|
|
||||||
%commit
|
|
||||||
%echo done
|
|
||||||
EOF
|
|
||||||
$ gpg --batch --gen-key foo
|
|
||||||
[...]
|
|
||||||
$ gpg --no-default-keyring --secret-keyring ./foo.sec \
|
|
||||||
--keyring ./foo.pub --list-secret-keys
|
|
||||||
/home/wk/work/gnupg-stable/scratch/foo.sec
|
|
||||||
------------------------------------------
|
|
||||||
sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@foo.bar>
|
|
||||||
ssb 1024g/8F70E2C0 2000-03-09
|
|
||||||
|
|
||||||
If you want to create a key with the default algorithms you would
|
|
||||||
use these parameters:
|
|
||||||
|
|
||||||
%echo Generating a default key
|
|
||||||
Key-Type: default
|
|
||||||
Subkey-Type: default
|
|
||||||
Name-Real: Joe Tester
|
|
||||||
Name-Comment: with stupid passphrase
|
|
||||||
Name-Email: joe@foo.bar
|
|
||||||
Expire-Date: 0
|
|
||||||
Passphrase: abc
|
|
||||||
%pubring foo.pub
|
|
||||||
%secring foo.sec
|
|
||||||
# Do a commit here, so that we can later print "done" :-)
|
|
||||||
%commit
|
|
||||||
%echo done
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Layout of the TrustDB
|
Layout of the TrustDB
|
||||||
|
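Review bot: the replacement line `The the manual for a description.` has a typo and should read `See the manual for a description.` The removed text also pointed GPGSM users at sm/certreqgen.c, and that pointer disappears without a substitute; since DETAILS is the file people grep before opening the manual, name both target nodes explicitly (the "Unattended key generation" node in gpg.texi and "CSR and certificate creation" in gpgsm.texi). The untouched context line `See the Libcrypt manual.` refers to Libgcrypt; worth fixing if this region is edited again.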
265
doc/gpg.texi
265
doc/gpg.texi
@ -98,16 +98,16 @@ page and at @inforef{Top,GnuPG 1,gpg}.
|
|||||||
@mancont
|
@mancont
|
||||||
|
|
||||||
@menu
|
@menu
|
||||||
* GPG Commands:: List of all commands.
|
* GPG Commands:: List of all commands.
|
||||||
* GPG Options:: List of all options.
|
* GPG Options:: List of all options.
|
||||||
* GPG Configuration:: Configuration files.
|
* GPG Configuration:: Configuration files.
|
||||||
* GPG Examples:: Some usage examples.
|
* GPG Examples:: Some usage examples.
|
||||||
|
|
||||||
Developer information:
|
Developer information:
|
||||||
@c * Unattended Usage:: Using @command{gpg} from other programs.
|
* Unattended Usage of GPG:: Using @command{gpg} from other programs.
|
||||||
@c * GPG Protocol:: The protocol the server mode uses.
|
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
|
@c * GPG Protocol:: The protocol the server mode uses.
|
||||||
|
|
||||||
|
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
@ -2964,6 +2964,259 @@ Before you report a bug you should first search the mailing list
|
|||||||
archives for similar problems and second check whether such a bug has
|
archives for similar problems and second check whether such a bug has
|
||||||
already been reported to our bug tracker at http://bugs.gnupg.org .
|
already been reported to our bug tracker at http://bugs.gnupg.org .
|
||||||
|
|
||||||
|
@c *******************************************
|
||||||
|
@c *************** **************
|
||||||
|
@c *************** UNATTENDED **************
|
||||||
|
@c *************** **************
|
||||||
|
@c *******************************************
|
||||||
|
@manpause
|
||||||
|
@node Unattended Usage of GPG
|
||||||
|
@section Unattended Usage
|
||||||
|
|
||||||
|
@command{gpg} is often used as a backend engine by other software. To help
|
||||||
|
with this a machine interface has been defined to have an unambiguous
|
||||||
|
way to do this. The options @option{--status-fd} and @option{--batch}
|
||||||
|
are almost always required for this.
|
||||||
|
|
||||||
|
@menu
|
||||||
|
* Unattended GPG key generation:: Unattended key generation
|
||||||
|
@end menu
|
||||||
|
|
||||||
|
|
||||||
|
@node Unattended GPG key generation,,,Unattended Usage of GPG
|
||||||
|
@section Unattended key generation
|
||||||
|
|
||||||
|
The command @option{--gen-key} may be used along with the option
|
||||||
|
@option{--batch} for unattended key generation. The parameters are
|
||||||
|
either read from stdin or given as a file on the command line.
|
||||||
|
The format of the parameter file is as follows:
|
||||||
|
|
||||||
|
@itemize @bullet
|
||||||
|
@item Text only, line length is limited to about 1000 characters.
|
||||||
|
@item UTF-8 encoding must be used to specify non-ASCII characters.
|
||||||
|
@item Empty lines are ignored.
|
||||||
|
@item Leading and trailing while space is ignored.
|
||||||
|
@item A hash sign as the first non white space character indicates
|
||||||
|
a comment line.
|
||||||
|
@item Control statements are indicated by a leading percent sign, the
|
||||||
|
arguments are separated by white space from the keyword.
|
||||||
|
@item Parameters are specified by a keyword, followed by a colon. Arguments
|
||||||
|
are separated by white space.
|
||||||
|
@item
|
||||||
|
The first parameter must be @samp{Key-Type}; control statements may be
|
||||||
|
placed anywhere.
|
||||||
|
@item
|
||||||
|
The order of the parameters does not matter except for @samp{Key-Type}
|
||||||
|
which must be the first parameter. The parameters are only used for
|
||||||
|
the generated keyblock (primary and subkeys); parameters from previous
|
||||||
|
sets are not used. Some syntactically checks may be performed.
|
||||||
|
@item
|
||||||
|
Key generation takes place when either the end of the parameter file
|
||||||
|
is reached, the next @samp{Key-Type} parameter is encountered or at the
|
||||||
|
control statement @samp{%commit} is encountered.
|
||||||
|
@end itemize
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
Control statements:
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
|
||||||
|
@item %echo @var{text}
|
||||||
|
Print @var{text} as diagnostic.
|
||||||
|
|
||||||
|
@item %dry-run
|
||||||
|
Suppress actual key generation (useful for syntax checking).
|
||||||
|
|
||||||
|
@item %commit
|
||||||
|
Perform the key generation. Note that an implicit commit is done at
|
||||||
|
the next @asis{Key-Type} parameter.
|
||||||
|
|
||||||
|
@item %pubring @var(unknown)
|
||||||
|
@itemx %secring @var(unknown)
|
||||||
|
Do not write the key to the default or commandline given keyring but
|
||||||
|
to @var(unknown). This must be given before the first commit to take
|
||||||
|
place, duplicate specification of the same filename is ignored, the
|
||||||
|
last filename before a commit is used. The filename is used until a
|
||||||
|
new filename is used (at commit points) and all keys are written to
|
||||||
|
that file. If a new filename is given, this file is created (and
|
||||||
|
overwrites an existing one). For gnuPG versions prior to 2.1, both
|
||||||
|
control statements must be given. For GnuPG 2.1 and later
|
||||||
|
@samp{%secring} is a no-op.
|
||||||
|
|
||||||
|
@item %ask-passphrase
|
||||||
|
@itemx %no-ask-passphrase
|
||||||
|
Enable (or disable) a mode where the command @option{passphrase} is
|
||||||
|
ignored and instead the usual passphrase dialog is used. This does
|
||||||
|
not make sense for batch key generation; however the unattended key
|
||||||
|
generation feature is also used by GUIs and this feature relinquishes
|
||||||
|
the GUI from implementing its own passphrase entry code. These are
|
||||||
|
global control statements and affect all future key genrations.
|
||||||
|
|
||||||
|
@item %no-protection
|
||||||
|
Since GnuPG version 2.1 it is not anymore possible to specify a
|
||||||
|
passphrase for unattended key generation. The passphrase command is
|
||||||
|
simply ignored and @samp{%ask-passpharse} is thus implicitly enabled.
|
||||||
|
Using this option allows the creation of keys without any passphrase
|
||||||
|
protection. This option is mainly intended for regression tests.
|
||||||
|
|
||||||
|
@item %transient-key
|
||||||
|
If given the keys are created using a faster and a somewhat less
|
||||||
|
secure random number generator. This option may be used for keys
|
||||||
|
which are only used for a short time and do not require full
|
||||||
|
cryptographic strength. It takes only effect if used together with
|
||||||
|
the control statement @samp{%no-protection}.
|
||||||
|
|
||||||
|
@end table
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
General Parameters:
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
|
||||||
|
@item Key-Type: @var{algo}
|
||||||
|
Starts a new parameter block by giving the type of the primary
|
||||||
|
key. The algorithm must be capable of signing. This is a required
|
||||||
|
parameter. @var{algo} may either be an OpenPGP algorithm number or a
|
||||||
|
string with the algorithm name. The special value @samp{default} may
|
||||||
|
be used for @var{algo} to create the default key type; in this case a
|
||||||
|
@samp{Key-Usage} shall not be given and @samp{default} also be used
|
||||||
|
for @samp{Subkey-Type}.
|
||||||
|
|
||||||
|
@item Key-Length: @var{nbits}
|
||||||
|
The requested length of the generated key in bits. The default is
|
||||||
|
returned by running the command @samp{gpg2 --gpgconf-list}.
|
||||||
|
|
||||||
|
@item Key-Grip: @var{hexstring}
|
||||||
|
This is optional and used to generate a CSR or certificatet for an
|
||||||
|
already existing key. Key-Length will be ignored when given.
|
||||||
|
|
||||||
|
@item Key-Usage: @var{usage-list}
|
||||||
|
Space or comma delimited list of key usages. Allowed values are
|
||||||
|
@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
|
||||||
|
generate the key flags. Please make sure that the algorithm is
|
||||||
|
capable of this usage. Note that OpenPGP requires that all primary
|
||||||
|
keys are capable of certification, so no matter what usage is given
|
||||||
|
here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
|
||||||
|
specified and the @samp{Key-Type} is not @samp{default}, all allowed
|
||||||
|
usages for that particular algorithm are used; if it is not given but
|
||||||
|
@samp{default} is used the usage will be @samp{sign}.
|
||||||
|
|
||||||
|
@item Subkey-Type: @var{algo}
|
||||||
|
This generates a secondary key (subkey). Currently only one subkey
|
||||||
|
can be handled. See also @samp{Key-Type} above.
|
||||||
|
|
||||||
|
@item Subkey-Length: @var{nbits}
|
||||||
|
Length of the secondary key (subkey) in bits. The default is returned
|
||||||
|
by running the command @samp{gpg2 --gpgconf-list}".
|
||||||
|
|
||||||
|
@item Subkey-Usage: @var{usage-list}
|
||||||
|
Key usage lists for a subkey; similar to @samp{Key-Usage}.
|
||||||
|
|
||||||
|
@item Passphrase: @var{string}
|
||||||
|
If you want to specify a passphrase for the secret key,
|
||||||
|
enter it here. Default is not to use any passphrase.
|
||||||
|
|
||||||
|
@item Name-Real: @var{name}
|
||||||
|
@itemx Name-Comment: @var{comment}
|
||||||
|
@itemx Name-Email: @var{email}
|
||||||
|
The three parts of a user name. Remember to use UTF-8 encoding here.
|
||||||
|
If you don't give any of them, no user ID is created.
|
||||||
|
|
||||||
|
@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
|
||||||
|
Set the expiration date for the key (and the subkey). It may either
|
||||||
|
be entered in ISO date format (2000-08-15) or as number of days,
|
||||||
|
weeks, month or years. The special notation "seconds=N" is also
|
||||||
|
allowed to directly give an Epoch value. Without a letter days are
|
||||||
|
assumed. Note that there is no check done on the overflow of the type
|
||||||
|
used by OpenPGP for timestamps. Thus you better make sure that the
|
||||||
|
given value make sense. Although OpenPGP works with time intervals,
|
||||||
|
GnuPG uses an absolute value internally and thus the last year we can
|
||||||
|
represent is 2105.
|
||||||
|
|
||||||
|
@item Ceation-Date: @var{iso-date}
|
||||||
|
Set the creation date of the key as stored in the key information and
|
||||||
|
which is also part of the fingerprint calculation. Either a date like
|
||||||
|
"1986-04-26" or a full timestamp like "19860426T042640" may be used.
|
||||||
|
The time is considered to be UTC. If it is not given the current time
|
||||||
|
is used.
|
||||||
|
|
||||||
|
@item Preferences: @var{string}
|
||||||
|
Set the cipher, hash, and compression preference values for this key.
|
||||||
|
This expects the same type of string as the sub-command @samp{setpref}
|
||||||
|
in the @option{--edit-key} menu.
|
||||||
|
|
||||||
|
@item Revoker: @var{algo}:@var{fpr} [sensitive]
|
||||||
|
Add a designated revoker to the generated key. Algo is the public key
|
||||||
|
algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
|
||||||
|
@var{fpr} is the fingerprint of the designated revoker. The optional
|
||||||
|
@samp{sensitive} flag marks the designated revoker as sensitive
|
||||||
|
information. Only v4 keys may be designated revokers.
|
||||||
|
|
||||||
|
@item Keyserver: @var{string}
|
||||||
|
This is an optional parameter that specifies the preferred keyserver
|
||||||
|
URL for the key.
|
||||||
|
|
||||||
|
@item Handle: @var{string}
|
||||||
|
This is an optional parameter only used with the status lines
|
||||||
|
KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
|
||||||
|
characters and should not contain spaces. It is useful for batch key
|
||||||
|
generation to associate a key parameter block with a status line.
|
||||||
|
|
||||||
|
@end table
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
Here is an example on how to create a key:
|
||||||
|
@smallexample
|
||||||
|
$ cat >foo <<EOF
|
||||||
|
%echo Generating a basic OpenPGP key
|
||||||
|
Key-Type: DSA
|
||||||
|
Key-Length: 1024
|
||||||
|
Subkey-Type: ELG-E
|
||||||
|
Subkey-Length: 1024
|
||||||
|
Name-Real: Joe Tester
|
||||||
|
Name-Comment: with stupid passphrase
|
||||||
|
Name-Email: joe@@foo.bar
|
||||||
|
Expire-Date: 0
|
||||||
|
Passphrase: abc
|
||||||
|
%pubring foo.pub
|
||||||
|
%secring foo.sec
|
||||||
|
# Do a commit here, so that we can later print "done" :-)
|
||||||
|
%commit
|
||||||
|
%echo done
|
||||||
|
EOF
|
||||||
|
$ gpg2 --batch --gen-key foo
|
||||||
|
[...]
|
||||||
|
$ gpg2 --no-default-keyring --secret-keyring ./foo.sec \
|
||||||
|
--keyring ./foo.pub --list-secret-keys
|
||||||
|
/home/wk/work/gnupg-stable/scratch/foo.sec
|
||||||
|
------------------------------------------
|
||||||
|
sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@@foo.bar>
|
||||||
|
ssb 1024g/8F70E2C0 2000-03-09
|
||||||
|
@end smallexample
|
||||||
|
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
If you want to create a key with the default algorithms you would use
|
||||||
|
these parameters:
|
||||||
|
@smallexample
|
||||||
|
%echo Generating a default key
|
||||||
|
Key-Type: default
|
||||||
|
Subkey-Type: default
|
||||||
|
Name-Real: Joe Tester
|
||||||
|
Name-Comment: with stupid passphrase
|
||||||
|
Name-Email: joe@@foo.bar
|
||||||
|
Expire-Date: 0
|
||||||
|
Passphrase: abc
|
||||||
|
%pubring foo.pub
|
||||||
|
%secring foo.sec
|
||||||
|
# Do a commit here, so that we can later print "done" :-)
|
||||||
|
%commit
|
||||||
|
%echo done
|
||||||
|
@end smallexample
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@mansect see also
|
@mansect see also
|
||||||
@ifset isman
|
@ifset isman
|
||||||
@command{gpgv}(1),
|
@command{gpgv}(1),
|
||||||
|
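Review bot: the `Passphrase: @var{string}` entry ("If you want to specify a passphrase for the secret key, enter it here. Default is not to use any passphrase.") contradicts the `%no-protection` entry a few lines above, which states that since GnuPG 2.1 the passphrase command is simply ignored and the usual dialog is used instead; both examples at the end of the section also set `Passphrase: abc`. A reader of the 2.1 manual will assume the key is protected by the given string when it is not, so give the `Passphrase` entry the same version split already used for `%secring`, and state plainly that on 2.1 an unprotected key results only when `%no-protection` is given. Markup problems in the same hunk: `@item %pubring @var(unknown)`, `@itemx %secring @var(unknown)` and `to @var(unknown)` use parentheses instead of braces and have lost the placeholder; the DETAILS text being replaced had `%pubring <filename>`, so `@var{filename}` is what is meant. `@asis{Key-Type}` under `%commit` should be `@samp{Key-Type}` like every other reference in the section. `@section Unattended key generation` follows `@node Unattended GPG key generation,,,Unattended Usage of GPG`, i.e. it is a child of the section declared just above and listed in its submenu, so it should be `@subsection`. The `Key-Grip` entry ("used to generate a CSR or certificatet for an already existing key") was copied from the gpgsm text; for gpg it should describe creating an OpenPGP key from an existing key. Smaller fixes: "while space" -> "white space", "Some syntactically checks" -> "Some syntactic checks", "gnuPG" -> "GnuPG", "genrations" -> "generations", "%ask-passpharse" -> "%ask-passphrase", "Ceation-Date" -> "Creation-Date", "weeks, month or years" -> "weeks, months or years", and a stray `"` after `@samp{gpg2 --gpgconf-list}` in the `Subkey-Length` entry.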
160
doc/gpgsm.texi
160
doc/gpgsm.texi
@ -165,10 +165,12 @@ use @samp{--help} to get a list of supported operations.
|
|||||||
@table @gnupgtabopt
|
@table @gnupgtabopt
|
||||||
@item --gen-key
|
@item --gen-key
|
||||||
@opindex gen-key
|
@opindex gen-key
|
||||||
This command allows the creation of a certificate signing request. It
|
This command allows the creation of a certificate signing request or a
|
||||||
is commonly used along with the @option{--output} option to save the
|
self-signed certificate. It is commonly used along with the
|
||||||
created CSR into a file. If used with the @option{--batch} a parameter
|
@option{--output} option to save the created CSR or certificate into a
|
||||||
file is used to create the CSR.
|
file. If used with the @option{--batch} a parameter file is used to
|
||||||
|
create the CSR or certificate and it is further possible to create
|
||||||
|
non-self-signed certificates.
|
||||||
|
|
||||||
@item --list-keys
|
@item --list-keys
|
||||||
@itemx -k
|
@itemx -k
|
||||||
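Review bot: `If used with the @option{--batch} a parameter file is used to create the CSR or certificate` is missing the noun after the option; write `If used with the @option{--batch} option, a parameter file ...`. Since this paragraph now advertises certificate creation and non-self-signed certificates, an `@xref` to the new `CSR and certificate creation` node would save readers a search for the parameter file format.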
@ -886,14 +888,12 @@ $ gpgsm -er goo@@bar.net <plaintext >ciphertext
|
|||||||
@end example
|
@end example
|
||||||
|
|
||||||
|
|
||||||
@c man end
|
|
||||||
|
|
||||||
|
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
@c *************** **************
|
@c *************** **************
|
||||||
@c *************** UNATTENDED **************
|
@c *************** UNATTENDED **************
|
||||||
@c *************** **************
|
@c *************** **************
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
|
@manpause
|
||||||
@node Unattended Usage
|
@node Unattended Usage
|
||||||
@section Unattended Usage
|
@section Unattended Usage
|
||||||
|
|
||||||
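Review bot: this hunk deletes the `@c man end` marker and inserts `@manpause` before the node, so the yat2m man-page extraction no longer stops where it used to. Please confirm that a matching `@mancont` (or a remaining `@c man end`) exists further down in gpgsm.texi, as in gpg.texi where `@mansect see also` follows the new section; otherwise the text after the paused region is not handled by the man-page extractor as intended.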
@ -905,6 +905,7 @@ but may also be used in the standard operation mode by using the
|
|||||||
|
|
||||||
@menu
|
@menu
|
||||||
* Automated signature checking:: Automated signature checking.
|
* Automated signature checking:: Automated signature checking.
|
||||||
|
* CSR and certificate creation:: CSR and certificate creation.
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
@node Automated signature checking,,,Unattended Usage
|
@node Automated signature checking,,,Unattended Usage
|
||||||
@ -951,13 +952,156 @@ this is a missing certificate.
|
|||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
@node CSR and certificate creation,,,Unattended Usage
|
||||||
|
@section CSR and certificate creation
|
||||||
|
|
||||||
|
The command @option{--gen-key} may be used along with the option
|
||||||
|
@option{--batch} to either create a certificate signing request (CSR) or an
|
||||||
|
X.509 certificate. The is controlled by a parameter file; the format
|
||||||
|
of this file is as follows:
|
||||||
|
|
||||||
|
@itemize @bullet
|
||||||
|
@item Text only, line length is limited to about 1000 characters.
|
||||||
|
@item UTF-8 encoding must be used to specify non-ASCII characters.
|
||||||
|
@item Empty lines are ignored.
|
||||||
|
@item Leading and trailing while space is ignored.
|
||||||
|
@item A hash sign as the first non white space character indicates
|
||||||
|
a comment line.
|
||||||
|
@item Control statements are indicated by a leading percent sign, the
|
||||||
|
arguments are separated by white space from the keyword.
|
||||||
|
@item Parameters are specified by a keyword, followed by a colon. Arguments
|
||||||
|
are separated by white space.
|
||||||
|
@item The first parameter must be @samp{Key-Type}, control statements
|
||||||
|
may be placed anywhere.
|
||||||
|
@item
|
||||||
|
The order of the parameters does not matter except for @samp{Key-Type}
|
||||||
|
which must be the first parameter. The parameters are only used for
|
||||||
|
the generated CSR/certificate; parameters from previous sets are not
|
||||||
|
used. Some syntactically checks may be performed.
|
||||||
|
@item
|
||||||
|
Key generation takes place when either the end of the parameter file
|
||||||
|
is reached, the next @samp{Key-Type} parameter is encountered or at the
|
||||||
|
control statement @samp{%commit} is encountered.
|
||||||
|
@end itemize
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
Control statements:
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
|
||||||
|
@item %echo @var{text}
|
||||||
|
Print @var{text} as diagnostic.
|
||||||
|
|
||||||
|
@item %dry-run
|
||||||
|
Suppress actual key generation (useful for syntax checking).
|
||||||
|
|
||||||
|
@item %commit
|
||||||
|
Perform the key generation. Note that an implicit commit is done at
|
||||||
|
the next @asis{Key-Type} parameter.
|
||||||
|
|
||||||
|
@c %certfile <filename>
|
||||||
|
@c [Not yet implemented!]
|
||||||
|
@c Do not write the certificate to the keyDB but to <filename>.
|
||||||
|
@c This must be given before the first
|
||||||
|
@c commit to take place, duplicate specification of the same filename
|
||||||
|
@c is ignored, the last filename before a commit is used.
|
||||||
|
@c The filename is used until a new filename is used (at commit points)
|
||||||
|
@c and all keys are written to that file. If a new filename is given,
|
||||||
|
@c this file is created (and overwrites an existing one).
|
||||||
|
@c Both control statements must be given.
|
||||||
|
@end table
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
General Parameters:
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
|
||||||
|
@item Key-Type: @var{algo}
|
||||||
|
Starts a new parameter block by giving the type of the primary
|
||||||
|
key. The algorithm must be capable of signing. This is a required
|
||||||
|
parameter. The only supported value for @var{algo} is @samp{rsa}.
|
||||||
|
|
||||||
|
@item Key-Length: @var{nbits}
|
||||||
|
The requested length of a generated key in bits. Defaults to 2048.
|
||||||
|
|
||||||
|
@item Key-Grip: @var{hexstring}
|
||||||
|
This is optional and used to generate a CSR or certificatet for an
|
||||||
|
already existing key. Key-Length will be ignored when given.
|
||||||
|
|
||||||
|
@item Key-Usage: @var{usage-list}
|
||||||
|
Space or comma delimited list of key usage, allowed values are
|
||||||
|
@samp{encrypt} and @samp{sign}. This is used to generate the keyUsage
|
||||||
|
extension. Please make sure that the algorithm is capable of this
|
||||||
|
usage. Default is to allow encrypt and sign.
|
||||||
|
|
||||||
|
@item Name-DN: @var{subject-name}
|
||||||
|
This is the Distinguished Name (DN) of the subject in RFC-2253 format.
|
||||||
|
|
||||||
|
@item Name-Email: @var{string}
|
||||||
|
This is an email address for the altSubjectName. This parameter is
|
||||||
|
optional but may occur several times to add several email addresses to
|
||||||
|
a certificate.
|
||||||
|
|
||||||
|
@item Name-DNS: @var{string}
|
||||||
|
The is an DNS name for the altSubjectName. This parameter is optional
|
||||||
|
but may occur several times to add several DNS names to a certificate.
|
||||||
|
|
||||||
|
@item Name-URI: @var{string}
|
||||||
|
This is an URI for the altSubjectName. This parameter is optional but
|
||||||
|
may occur several times to add several URIs to a certificate.
|
||||||
|
@end table
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
Additional parameters used to create a certificate (in contrast to a
|
||||||
|
certificate signing request):
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
|
||||||
|
@item Serial: @var{sn}
|
||||||
|
If this parameter is given an X.509 certificate will be generated.
|
||||||
|
@var{sn} is expected to be a hex string representing an unsigned
|
||||||
|
integer of arbitary length. The special value @samp{random} can be
|
||||||
|
used to create a 64 bit random serial number.
|
||||||
|
|
||||||
|
@item Issuer-DN: @var{issuer-name}
|
||||||
|
This is the DN name of the issuer in rfc2253 format. If it is not set
|
||||||
|
it will default to the subject DN and a special GnuPG extension will
|
||||||
|
be included in the certificate to mark it as a standalone certificate.
|
||||||
|
|
||||||
|
@item Creation-Date: @var{iso-date}
|
||||||
|
@itemx Not-Before: @var{iso-date}
|
||||||
|
Set the notBefore date of the certificate. Either a date like
|
||||||
|
@samp{1986-04-26} or @samp{1986-04-26 12:00} or a standard ISO
|
||||||
|
timestamp like @samp{19860426T042640} may be used. The time is
|
||||||
|
considered to be UTC. If it is not given the current date is used.
|
||||||
|
|
||||||
|
@item Expire-Date: @var{iso-date}
|
||||||
|
@itemx Not-After: @var{iso-date}
|
||||||
|
Set the notAfter date of the certificate. Either a date like
|
||||||
|
@samp{2063-04-05} or @samp{2063-04-05 17:00} or a standard ISO
|
||||||
|
timestamp like @samp{20630405T170000} may be used. The time is
|
||||||
|
considered to be UTC. If it is not given a default value in the not
|
||||||
|
too far future is used.
|
||||||
|
|
||||||
|
@item Signing-Key: @var{keygrip}
|
||||||
|
This gives the keygrip of the key used to sign the certificate. If it
|
||||||
|
is not given a self-signed certificate will be created. For
|
||||||
|
compatibility with future versions, it is suggested to prefix the
|
||||||
|
keygrip with a @samp{&}.
|
||||||
|
|
||||||
|
@item Hash-Algo: @var{hash-algo}
|
||||||
|
Use @var{hash-algo} for this CSR or certificate. The supported hash
|
||||||
|
algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and
|
||||||
|
@samp{sha512}; they may also be specified with uppercase letters. The
|
||||||
|
default is @samp{sha1}.
|
||||||
|
|
||||||
|
@end table
|
||||||
|
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
@c *************** *****************
|
@c *************** *****************
|
||||||
@c *************** ASSSUAN *****************
|
@c *************** ASSSUAN *****************
|
||||||
@c *************** *****************
|
@c *************** *****************
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
@manpause
|
|
||||||
@node GPGSM Protocol
|
@node GPGSM Protocol
|
||||||
@section The Protocol the Server Mode Uses.
|
@section The Protocol the Server Mode Uses.
|
||||||
|
|
||||||
|
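Review bot: the new manual text presents @samp{sha1} as the default for Hash-Algo; for a page that tells people how to issue fresh CSRs and certificates, SHA-1 should not be offered as the plain default without a recommendation to set @samp{sha256} (or stronger) for signatures, and the spelling needs reconciling with the removed C comment, which listed the algorithms as "sha-1", "sha-256", "sha-384" and "sha-512": state which spellings the parser accepts. Smaller points in the same hunk: "certificatet" under Key-Grip and "arbitary" under Serial are typos; "The is an DNS name" under Name-DNS should read "This is a DNS name"; the X.509 extension the Name-Email, Name-DNS and Name-URI items populate is subjectAltName, not altSubjectName; and the two stray lines at the top, "@c this file is created (and overwrites an existing one)." and "@c Both control statements must be given.", are the tail of the old %certfile text turned into texinfo comments, so the manual now never mentions %certfile at all. Either drop those comment lines or document %certfile together with its not-yet-implemented status, as the old C comment did.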
133
sm/certreqgen.c
@ -19,127 +19,20 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
The format of the native parameter file is follows:
|
The format of the parameter file is described in the manual under
|
||||||
o Text only, line length is limited to about 1000 chars.
|
"Unattended Usage".
|
||||||
o You must use UTF-8 encoding to specify non-ascii characters.
|
|
||||||
o Empty lines are ignored.
|
|
||||||
o Leading and trailing spaces are ignored.
|
|
||||||
o A hash sign as the first non white space character is a comment line.
|
|
||||||
o Control statements are indicated by a leading percent sign, the
|
|
||||||
arguments are separated by white space from the keyword.
|
|
||||||
o Parameters are specified by a keyword, followed by a colon. Arguments
|
|
||||||
are separated by white space.
|
|
||||||
o The first parameter must be "Key-Type", control statements
|
|
||||||
may be placed anywhere.
|
|
||||||
o Key generation takes place when either the end of the parameter file
|
|
||||||
is reached, the next "Key-Type" parameter is encountered or at the
|
|
||||||
controlstatement "%commit"
|
|
||||||
o Control statements:
|
|
||||||
%echo <text>
|
|
||||||
Print <text>.
|
|
||||||
%dry-run
|
|
||||||
Suppress actual key generation (useful for syntax checking).
|
|
||||||
%commit
|
|
||||||
Perform the key generation. Note that an implicit commit is done
|
|
||||||
at the next "Key-Type" parameter.
|
|
||||||
%certfile <filename>
|
|
||||||
[Not yet implemented!]
|
|
||||||
Do not write the certificate to the keyDB but to <filename>.
|
|
||||||
This must be given before the first
|
|
||||||
commit to take place, duplicate specification of the same filename
|
|
||||||
is ignored, the last filename before a commit is used.
|
|
||||||
The filename is used until a new filename is used (at commit points)
|
|
||||||
and all keys are written to that file. If a new filename is given,
|
|
||||||
this file is created (and overwrites an existing one).
|
|
||||||
Both control statements must be given.
|
|
||||||
|
|
||||||
o The order of the parameters does not matter except for "Key-Type"
|
Here is an example:
|
||||||
which must be the first parameter. The parameters are only for the
|
$ cat >foo <<EOF
|
||||||
generated keyblock and parameters from previous key generations are not
|
%echo Generating a standard key
|
||||||
used. Some syntactically checks may be performed.
|
Key-Type: RSA
|
||||||
|
Key-Length: 2048
|
||||||
The currently defined parameters are:
|
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
|
||||||
|
Name-Email: joe@foo.bar
|
||||||
Key-Type: <algo>
|
# Do a commit here, so that we can later print a "done"
|
||||||
Starts a new parameter block by giving the type of the
|
%commit
|
||||||
primary key. The algorithm must be capable of signing.
|
%echo done
|
||||||
This is a required parameter. For now the only supported
|
EOF
|
||||||
algorithm is "rsa".
|
|
||||||
|
|
||||||
Key-Length: <length-in-bits>
|
|
||||||
Length of the key in bits. Default is 2048.
|
|
||||||
|
|
||||||
Key-Grip: <hexstring>
|
|
||||||
This is optional and used to generate a request for an already
|
|
||||||
existing key. Key-Length will be ignored when given,
|
|
||||||
|
|
||||||
Key-Usage: <usage-list>
|
|
||||||
Space or comma delimited list of key usage, allowed values are
|
|
||||||
"encrypt" and "sign". This is used to generate the KeyUsage extension.
|
|
||||||
Please make sure that the algorithm is capable of this usage. Default
|
|
||||||
is to allow encrypt and sign.
|
|
||||||
|
|
||||||
Name-DN: <subject_name>
|
|
||||||
This is the DN name of the subject in rfc2253 format.
|
|
||||||
|
|
||||||
Name-Email: <string>
|
|
||||||
The is an email address for the altSubjectName
|
|
||||||
|
|
||||||
Name-DNS: <string>
|
|
||||||
The is an DNS name for the altSubjectName
|
|
||||||
|
|
||||||
Name-URI: <string>
|
|
||||||
The is an URI for the altSubjectName
|
|
||||||
|
|
||||||
The following parameters are only used if a certificate (and not
|
|
||||||
a certificate signing request) is requested:
|
|
||||||
|
|
||||||
Serial: <sn>
|
|
||||||
If this parameter is given an X.509 certificate will be
|
|
||||||
generated. SN is expected to be a hex string representing an
|
|
||||||
unsigned integer of arbitary length. The special value
|
|
||||||
"random" can be used to crete a 64 bit random serial number.
|
|
||||||
|
|
||||||
Issuer-DN: <issuer_name>
|
|
||||||
This is the DN name of the issuer in rfc2253 format. If it is
|
|
||||||
not set the subject DN will be used instead. This creates a
|
|
||||||
self-signed certificate. Only in this case a special GnuPG
|
|
||||||
extension will then be included in the certificate to mark it
|
|
||||||
as a standalone certificate.
|
|
||||||
|
|
||||||
Creation-Date: <iso-date>
|
|
||||||
Set the notBefore date of the certificate. Either a date like
|
|
||||||
"1986-04-26" or a full timestamp like "19860426T042640" may be
|
|
||||||
used. The time is considered to be UTC. If it is not given
|
|
||||||
the current date is used.
|
|
||||||
|
|
||||||
Expire-Date: <iso-date>
|
|
||||||
Set the notBefore date of the certificate. Either a date like
|
|
||||||
"1986-04-26" or a full timestamp like "19860426T042640" may be
|
|
||||||
used. The time is considered to be UTC. If it is not given a
|
|
||||||
default value is used.
|
|
||||||
|
|
||||||
Signing-Key: <keygrip>
|
|
||||||
This gives the keygrip of the key used to sign the
|
|
||||||
certificate. If it is not given a self-signed certificate
|
|
||||||
will be created.
|
|
||||||
|
|
||||||
Hash-Algo: <hash-algo>
|
|
||||||
Use HASH-ALGO for this certificate. The supported hash
|
|
||||||
algorithms are: "sha-1", "sha-256", "sha-384" and "sha-512".
|
|
||||||
"sha-1" is the default.
|
|
||||||
|
|
||||||
Here is an example:
|
|
||||||
$ cat >foo <<EOF
|
|
||||||
%echo Generating a standard key
|
|
||||||
Key-Type: RSA
|
|
||||||
Key-Length: 2048
|
|
||||||
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE
|
|
||||||
Name-Email: joe@foo.bar
|
|
||||||
# Do a commit here, so that we can later print "done" :-)
|
|
||||||
%commit
|
|
||||||
%echo done
|
|
||||||
EOF
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
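Review bot: the replacement comment sends readers to the manual section "Unattended Usage", but nothing in this change shows a section of that name in gpgsm.texi; cite the exact @node title of the new section so the pointer does not rot. Also, the example kept in the comment uses Key-Type: RSA while the manual text in this commit lists only the lowercase value rsa; either document that the value is matched case-insensitively or make the example agree with the manual. Removing the duplicated description is otherwise the right call: the old comment described Expire-Date as setting "the notBefore date", a copy-paste error that the manual version corrects to notAfter.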