From 113a8288b85725f7726bb2952431deea745997d8 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 10 Feb 2020 17:11:53 +0100 Subject: [PATCH] doc: Improve the warning section of the gpg man page. * doc/gpg.texi: Update return value and warning sections. Signed-off-by: Werner Koch --- doc/gpg.texi | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index 29ac8f4e9..ad6e46f1f 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi
@@ -3933,20 +3933,26 @@ or "Alpha" but not the string "test". @mansect return value @chapheading RETURN VALUE -The program returns 0 if everything was fine, 1 if at least -a signature was bad, and other error codes for fatal errors. +The program returns 0 if there are no severe errors, 1 if at least a +signature was bad, and other error codes for fatal errors. + +Note that signature verification requires exact knowledge of what has +been signed and by whom it has beensigned. Using only the return code +is thus not an appropriate way to verify a signature by a script. +Either make proper use or the status codes or use the @command{gpgv} +tool which has been designed to make signature verification easy for +scripts. @mansect warnings @chapheading WARNINGS -Use a *good* password for your user account and a *good* passphrase -to protect your secret key. This passphrase is the weakest part of the -whole system. Programs to do dictionary attacks on your secret keyring -are very easy to write and so you should protect your "~/.gnupg/" -directory very well. - -Keep in mind that, if this program is used over a network (telnet), it -is *very* easy to spy out your passphrase! +Use a good password for your user account and make sure that all +security issues are always fixed on your machine. Also employ +diligent physical protection to your machine. Consider to use a good +passphrase as a last resort protection to your secret key in the case +your machine gets stolen. It is important that your secret key is +never leaked. Using an easy to carry around token or smartcard with +the secret key is often a advisable. If you are going to verify detached signatures, make sure that the program knows about it; either give both filenames on the command line
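Review bot: the added text carries several typos that will ship verbatim in the man page. In the RETURN VALUE paragraph, "by whom it has beensigned" should read "been signed" and "Either make proper use or the status codes" should read "use of the status codes"; in the WARNINGS paragraph, "is often a advisable" should read "is often advisable", "Consider to use a good passphrase" reads better as "Consider using a good passphrase", and "physical protection to your machine" should be "of your machine". Since the new RETURN VALUE text tells script authors to rely on the status codes rather than the exit code, it should name the mechanism the way the rest of gpg.texi does, for example "make proper use of the status codes (see @option{--status-fd})", so a reader of the man page knows which option produces them.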