Preparing for a release candidate
parent
00310b1aa8
commit
1e1b57a294
@ -9,6 +9,7 @@ for ciph in `all_cipher_algos`; do
|
|||||||
# *BSD's dd can't cope with a count of 0
|
# *BSD's dd can't cope with a count of 0
|
||||||
if test "$i" = "0"; then
|
if test "$i" = "0"; then
|
||||||
: >z
|
: >z
|
||||||
|
my_chtag z
|
||||||
else
|
else
|
||||||
dd if=data-80000 of=z bs=1 count=$i 2>/dev/null
|
dd if=data-80000 of=z bs=1 count=$i 2>/dev/null
|
||||||
fi
|
fi
|
||||||
|
@ -112,6 +112,17 @@ echo_n () {
|
|||||||
# cleanup_files="$cleanup_files $*"
|
# cleanup_files="$cleanup_files $*"
|
||||||
#}
|
#}
|
||||||
|
|
||||||
|
|
||||||
|
# Special function for zOS.
|
||||||
|
my_chtag () {
|
||||||
|
#FIXME: Is there an envvar to test for the OS or do we
|
||||||
|
# need to resort to a configure test
|
||||||
|
#if test "$FOO" = "bar"; then
|
||||||
|
# chtag -tc ISO8859-1 $1
|
||||||
|
#fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
have_pubkey_algo () {
|
have_pubkey_algo () {
|
||||||
if ../g10/gpg --homedir . --version | grep "Pubkey:.*$1" >/dev/null
|
if ../g10/gpg --homedir . --version | grep "Pubkey:.*$1" >/dev/null
|
||||||
then
|
then
|
||||||
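Review bot: `my_chtag` is added as a no-op placeholder — its body is just `:`, with the intended `chtag -tc ISO8859-1 $1` call and the surrounding OS test commented out — so the `my_chtag z` call added in the `count=0` branch of the cipher loop currently has no effect on any platform. A header comment would make that explicit, e.g. `# Placeholder for z/OS file tagging; a no-op until an OS check exists (see FIXME below).` When the `chtag` line is enabled, the argument should be quoted as `"$1"` so a filename with spaces is passed intact. Note also that only the `: >z` branch tags the file while the `dd` branch does not; if that is intentional because `dd` copies from an already prepared `data-80000`, a one-line comment there would save the next reader the question.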
|
@ -1,3 +1,7 @@
|
|||||||
|
2009-08-13 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpgv.texi, gpg.texi: Udpate from GnuPG-2.
|
||||||
|
|
||||||
2008-04-30 David Shaw <dshaw@jabberwocky.com>
|
2008-04-30 David Shaw <dshaw@jabberwocky.com>
|
||||||
|
|
||||||
* gpg-zip.1: Add man page thanks to Colin Tuckley and Daniel
|
* gpg-zip.1: Add man page thanks to Colin Tuckley and Daniel
|
||||||
|
274
doc/gpg.texi
274
doc/gpg.texi
@ -1,5 +1,5 @@
|
|||||||
@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
|
@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
|
||||||
@c 2007 Free Software Foundation, Inc.
|
@c 2008, 2009 Free Software Foundation, Inc.
|
||||||
@c This is part of the GnuPG manual.
|
@c This is part of the GnuPG manual.
|
||||||
@c For copying conditions, see the file gnupg.texi.
|
@c For copying conditions, see the file gnupg.texi.
|
||||||
|
|
||||||
@ -149,7 +149,7 @@ cannot abbreviate this command.
|
|||||||
@itemx -h
|
@itemx -h
|
||||||
@opindex help
|
@opindex help
|
||||||
Print a usage message summarizing the most useful command line options.
|
Print a usage message summarizing the most useful command line options.
|
||||||
Not that you cannot abbreviate this command.
|
Note that you cannot abbreviate this command.
|
||||||
|
|
||||||
@item --warranty
|
@item --warranty
|
||||||
@opindex warranty
|
@opindex warranty
|
||||||
@ -175,18 +175,23 @@ abbreviate this command.
|
|||||||
@itemx -s
|
@itemx -s
|
||||||
@opindex sign
|
@opindex sign
|
||||||
Make a signature. This command may be combined with @option{--encrypt}
|
Make a signature. This command may be combined with @option{--encrypt}
|
||||||
(for a signed and encrypted message), @option{--symmetric} (for a signed
|
(for a signed and encrypted message), @option{--symmetric} (for a
|
||||||
and symmetrically encrypted message), or @option{--encrypt} and
|
signed and symmetrically encrypted message), or @option{--encrypt} and
|
||||||
@option{--symmetric} together (for a signed message that may be
|
@option{--symmetric} together (for a signed message that may be
|
||||||
decrypted via a secret key or a passphrase).
|
decrypted via a secret key or a passphrase). The key to be used for
|
||||||
|
signing is chosen by default or can be set with the
|
||||||
|
@option{--local-user} and @option{--default-key} options.
|
||||||
|
|
||||||
@item --clearsign
|
@item --clearsign
|
||||||
@opindex clearsign
|
@opindex clearsign
|
||||||
Make a clear text signature. The content in a clear text signature is
|
Make a clear text signature. The content in a clear text signature is
|
||||||
readable without any special software. OpenPGP software is only
|
readable without any special software. OpenPGP software is only needed
|
||||||
needed to verify the signature. Clear text signatures may modify
|
to verify the signature. Clear text signatures may modify end-of-line
|
||||||
end-of-line whitespace for platform independence and are not intended
|
whitespace for platform independence and are not intended to be
|
||||||
to be reversible.
|
reversible. The key to be used for signing is chosen by default or
|
||||||
|
can be set with the @option{--local-user} and @option{--default-key}
|
||||||
|
options.
|
||||||
|
|
||||||
|
|
||||||
@item --detach-sign
|
@item --detach-sign
|
||||||
@itemx -b
|
@itemx -b
|
||||||
@ -221,8 +226,8 @@ Store only (make a simple RFC1991 literal data packet).
|
|||||||
@item --decrypt
|
@item --decrypt
|
||||||
@itemx -d
|
@itemx -d
|
||||||
@opindex decrypt
|
@opindex decrypt
|
||||||
Decrypt the file given on the command line (or @code{stdin} if no file
|
Decrypt the file given on the command line (or STDIN if no file
|
||||||
is specified) and write it to stdout (or the file specified with
|
is specified) and write it to STDOUT (or the file specified with
|
||||||
@option{--output}). If the decrypted file is signed, the signature is also
|
@option{--output}). If the decrypted file is signed, the signature is also
|
||||||
verified. This command differs from the default operation, as it never
|
verified. This command differs from the default operation, as it never
|
||||||
writes to the filename which is included in the file and it rejects
|
writes to the filename which is included in the file and it rejects
|
||||||
@ -232,19 +237,19 @@ files which don't begin with an encrypted message.
|
|||||||
@opindex verify
|
@opindex verify
|
||||||
Assume that the first argument is a signed file or a detached signature
|
Assume that the first argument is a signed file or a detached signature
|
||||||
and verify it without generating any output. With no arguments, the
|
and verify it without generating any output. With no arguments, the
|
||||||
signature packet is read from stdin. If only a sigfile is given, it may
|
signature packet is read from STDIN. If only a sigfile is given, it may
|
||||||
be a complete signature or a detached signature, in which case the
|
be a complete signature or a detached signature, in which case the
|
||||||
signed stuff is expected in a file without the ".sig" or ".asc"
|
signed stuff is expected in a file without the ".sig" or ".asc"
|
||||||
extension. With more than 1 argument, the first should be a detached
|
extension. With more than 1 argument, the first should be a detached
|
||||||
signature and the remaining files are the signed stuff. To read the
|
signature and the remaining files are the signed stuff. To read the
|
||||||
signed stuff from stdin, use @samp{-} as the second filename. For
|
signed stuff from STDIN, use @samp{-} as the second filename. For
|
||||||
security reasons a detached signature cannot read the signed material
|
security reasons a detached signature cannot read the signed material
|
||||||
from stdin without denoting it in the above way.
|
from STDIN without denoting it in the above way.
|
||||||
|
|
||||||
@item --multifile
|
@item --multifile
|
||||||
@opindex multifile
|
@opindex multifile
|
||||||
This modifies certain other commands to accept multiple files for
|
This modifies certain other commands to accept multiple files for
|
||||||
processing on the command line or read from stdin with each filename on
|
processing on the command line or read from STDIN with each filename on
|
||||||
a separate line. This allows for many files to be processed at
|
a separate line. This allows for many files to be processed at
|
||||||
once. @option{--multifile} may currently be used along with
|
once. @option{--multifile} may currently be used along with
|
||||||
@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
|
@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
|
||||||
@ -291,6 +296,10 @@ secret key is not usable (for example, if it was created via
|
|||||||
@item --list-sigs
|
@item --list-sigs
|
||||||
@opindex list-sigs
|
@opindex list-sigs
|
||||||
Same as @option{--list-keys}, but the signatures are listed too.
|
Same as @option{--list-keys}, but the signatures are listed too.
|
||||||
|
@ifclear gpgone
|
||||||
|
This command has the same effect as
|
||||||
|
using @option{--list-keys} with @option{--with-sig-list}.
|
||||||
|
@end ifclear
|
||||||
|
|
||||||
For each signature listed, there are several flags in between the "sig"
|
For each signature listed, there are several flags in between the "sig"
|
||||||
tag and keyid. These flags give additional information about each
|
tag and keyid. These flags give additional information about each
|
||||||
@ -307,15 +316,31 @@ command "tsign").
|
|||||||
|
|
||||||
@item --check-sigs
|
@item --check-sigs
|
||||||
@opindex check-sigs
|
@opindex check-sigs
|
||||||
Same as @option{--list-sigs}, but the signatures are verified.
|
Same as @option{--list-sigs}, but the signatures are verified. Note
|
||||||
|
that for performance reasons the revocation status of a signing key is
|
||||||
|
not shown.
|
||||||
|
@ifclear gpgone
|
||||||
|
This command has the same effect as
|
||||||
|
using @option{--list-keys} with @option{--with-sig-check}.
|
||||||
|
@end ifclear
|
||||||
|
|
||||||
The status of the verification is indicated by a flag directly following
|
The status of the verification is indicated by a flag directly following
|
||||||
the "sig" tag (and thus before the flags described above for
|
the "sig" tag (and thus before the flags described above for
|
||||||
@option{--list-sigs}). A "!" indicates that the signature has been
|
@option{--list-sigs}). A "!" indicates that the signature has been
|
||||||
successfully verified, a "-" denotes a bad signature and a "%" is used
|
successfully verified, a "-" denotes a bad signature and a "%" is used
|
||||||
if an error occured while checking the signature (e.g. a non supported
|
if an error occurred while checking the signature (e.g. a non supported
|
||||||
algorithm).
|
algorithm).
|
||||||
|
|
||||||
|
@ifclear gpgone
|
||||||
|
@item --locate-keys
|
||||||
|
@opindex locate-keys
|
||||||
|
Locate the keys given as arguments. This command basically uses the
|
||||||
|
same algorithm as used when locating keys for encryption or signing and
|
||||||
|
may thus be used to see what keys @command{@gpgname} might use. In
|
||||||
|
particular external methods as defined by @option{--auto-key-locate} may
|
||||||
|
be used to locate a key. Only public keys are listed.
|
||||||
|
@end ifclear
|
||||||
|
|
||||||
|
|
||||||
@item --fingerprint
|
@item --fingerprint
|
||||||
@opindex fingerprint
|
@opindex fingerprint
|
||||||
@ -369,7 +394,7 @@ removed first. In batch mode the key must be specified by fingerprint.
|
|||||||
@opindex export
|
@opindex export
|
||||||
Either export all keys from all keyrings (default keyrings and those
|
Either export all keys from all keyrings (default keyrings and those
|
||||||
registered via option @option{--keyring}), or if at least one name is given,
|
registered via option @option{--keyring}), or if at least one name is given,
|
||||||
those of the given name. The new keyring is written to stdout or to the
|
those of the given name. The new keyring is written to STDOUT or to the
|
||||||
file given with option @option{--output}. Use together with
|
file given with option @option{--output}. Use together with
|
||||||
@option{--armor} to mail those keys.
|
@option{--armor} to mail those keys.
|
||||||
|
|
||||||
@ -379,7 +404,7 @@ Similar to @option{--export} but sends the keys to a keyserver.
|
|||||||
Fingerprints may be used instead of key IDs. Option @option{--keyserver}
|
Fingerprints may be used instead of key IDs. Option @option{--keyserver}
|
||||||
must be used to give the name of this keyserver. Don't send your
|
must be used to give the name of this keyserver. Don't send your
|
||||||
complete keyring to a keyserver --- select only those keys which are new
|
complete keyring to a keyserver --- select only those keys which are new
|
||||||
or changed by you.
|
or changed by you. If no key IDs are given, @command{gpg} does nothing.
|
||||||
|
|
||||||
@item --export-secret-keys
|
@item --export-secret-keys
|
||||||
@itemx --export-secret-subkeys
|
@itemx --export-secret-subkeys
|
||||||
@ -400,7 +425,7 @@ Import/merge keys. This adds the given keys to the
|
|||||||
keyring. The fast version is currently just a synonym.
|
keyring. The fast version is currently just a synonym.
|
||||||
|
|
||||||
There are a few other options which control how this command works.
|
There are a few other options which control how this command works.
|
||||||
Most notable here is the @option{--keyserver-options merge-only} option
|
Most notable here is the @option{--import-options merge-only} option
|
||||||
which does not insert new keys but does only the merging of new
|
which does not insert new keys but does only the merging of new
|
||||||
signatures, user-IDs and subkeys.
|
signatures, user-IDs and subkeys.
|
||||||
|
|
||||||
@ -460,16 +485,34 @@ For use with cron jobs, this command can be used together with
|
|||||||
a check is needed. To force a run even in batch mode add the option
|
a check is needed. To force a run even in batch mode add the option
|
||||||
@option{--yes}.
|
@option{--yes}.
|
||||||
|
|
||||||
|
@anchor{option --export-ownertrust}
|
||||||
@item --export-ownertrust
|
@item --export-ownertrust
|
||||||
@opindex export-ownertrust
|
@opindex export-ownertrust
|
||||||
Send the ownertrust values to stdout. This is useful for backup purposes
|
Send the ownertrust values to STDOUT. This is useful for backup purposes
|
||||||
as these values are the only ones which can't be re-created from a
|
as these values are the only ones which can't be re-created from a
|
||||||
corrupted trust DB.
|
corrupted trustdb. Example:
|
||||||
|
@c man:.RS
|
||||||
|
@example
|
||||||
|
@gpgname{} --export-ownertrust > otrust.txt
|
||||||
|
@end example
|
||||||
|
@c man:.RE
|
||||||
|
|
||||||
|
|
||||||
@item --import-ownertrust
|
@item --import-ownertrust
|
||||||
@opindex import-ownertrust
|
@opindex import-ownertrust
|
||||||
Update the trustdb with the ownertrust values stored in @code{files} (or
|
Update the trustdb with the ownertrust values stored in @code{files} (or
|
||||||
stdin if not given); existing values will be overwritten.
|
STDIN if not given); existing values will be overwritten. In case of a
|
||||||
|
severely damaged trustdb and if you have a recent backup of the
|
||||||
|
ownertrust values (e.g. in the file @file{otrust.txt}, you may re-create
|
||||||
|
the trustdb using these commands:
|
||||||
|
@c man:.RS
|
||||||
|
@example
|
||||||
|
cd ~/.gnupg
|
||||||
|
rm trustdb.gpg
|
||||||
|
@gpgname{} --import-ownertrust < otrust.txt
|
||||||
|
@end example
|
||||||
|
@c man:.RE
|
||||||
|
|
||||||
|
|
||||||
@item --rebuild-keydb-caches
|
@item --rebuild-keydb-caches
|
||||||
@opindex rebuild-keydb-caches
|
@opindex rebuild-keydb-caches
|
||||||
@ -480,7 +523,7 @@ situations too.
|
|||||||
@item --print-md @code{algo}
|
@item --print-md @code{algo}
|
||||||
@itemx --print-mds
|
@itemx --print-mds
|
||||||
@opindex print-md
|
@opindex print-md
|
||||||
Print message digest of algorithm ALGO for all given files or stdin.
|
Print message digest of algorithm ALGO for all given files or STDIN.
|
||||||
With the second form (or a deprecated "*" as algo) digests for all
|
With the second form (or a deprecated "*" as algo) digests for all
|
||||||
available algorithms are printed.
|
available algorithms are printed.
|
||||||
|
|
||||||
@ -729,13 +772,24 @@ preferred keyserver and signature notations (if any) are shown.
|
|||||||
Set the list of user ID preferences to @code{string} for all (or just
|
Set the list of user ID preferences to @code{string} for all (or just
|
||||||
the selected) user IDs. Calling setpref with no arguments sets the
|
the selected) user IDs. Calling setpref with no arguments sets the
|
||||||
preference list to the default (either built-in or set via
|
preference list to the default (either built-in or set via
|
||||||
@option{--default-preference-list}), and calling setpref with "none" as
|
@option{--default-preference-list}), and calling setpref with "none"
|
||||||
the argument sets an empty preference list. Use @command{@gpgname
|
as the argument sets an empty preference list. Use @command{@gpgname
|
||||||
--version} to get a list of available algorithms. Note that while you
|
--version} to get a list of available algorithms. Note that while you
|
||||||
can change the preferences on an attribute user ID (aka "photo ID"),
|
can change the preferences on an attribute user ID (aka "photo ID"),
|
||||||
GnuPG does not select keys via attribute user IDs so these preferences
|
GnuPG does not select keys via attribute user IDs so these preferences
|
||||||
will not be used by GnuPG.
|
will not be used by GnuPG.
|
||||||
|
|
||||||
|
When setting preferences, you should list the algorithms in the order
|
||||||
|
which you'd like to see them used by someone else when encrypting a
|
||||||
|
message to your key. If you don't include 3DES, it will be
|
||||||
|
automatically added at the end. Note that there are many factors that
|
||||||
|
go into choosing an algorithm (for example, your key may not be the
|
||||||
|
only recipient), and so the remote OpenPGP application being used to
|
||||||
|
send to you may or may not follow your exact chosen order for a given
|
||||||
|
message. It will, however, only choose an algorithm that is present
|
||||||
|
on the preference list of every recipient key. See also the
|
||||||
|
INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
|
||||||
|
|
||||||
@item keyserver
|
@item keyserver
|
||||||
@opindex keyedit:keyserver
|
@opindex keyedit:keyserver
|
||||||
Set a preferred keyserver for the specified user ID(s). This allows
|
Set a preferred keyserver for the specified user ID(s). This allows
|
||||||
@ -921,7 +975,12 @@ Try to be as quiet as possible.
|
|||||||
@opindex batch
|
@opindex batch
|
||||||
@opindex no-batch
|
@opindex no-batch
|
||||||
Use batch mode. Never ask, do not allow interactive commands.
|
Use batch mode. Never ask, do not allow interactive commands.
|
||||||
@option{--no-batch} disables this option.
|
@option{--no-batch} disables this option. Note that even with a
|
||||||
|
filename given on the command line, gpg might still need to read from
|
||||||
|
STDIN (in particular if gpg figures that the input is a
|
||||||
|
detached signature and no data file has been specified). Thus if you
|
||||||
|
do not want to feed data via STDIN, you should connect STDIN to
|
||||||
|
@file{/dev/null}.
|
||||||
|
|
||||||
@item --no-tty
|
@item --no-tty
|
||||||
@opindex no-tty
|
@opindex no-tty
|
||||||
@ -1052,10 +1111,10 @@ validation. This option is only meaningful if pka-lookups is set.
|
|||||||
|
|
||||||
@item --enable-dsa2
|
@item --enable-dsa2
|
||||||
@itemx --disable-dsa2
|
@itemx --disable-dsa2
|
||||||
Enables new-style DSA keys which (unlike the old style) may be larger
|
Enable hash truncation for all DSA keys even for old DSA Keys up to
|
||||||
than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note
|
1024 bit. This is also the default with @option{--openpgp}. Note
|
||||||
that very few programs currently support these keys and signatures
|
that older versions of GnuPG also required this flag to allow the
|
||||||
from them.
|
generation of DSA larger than 1024 bit.
|
||||||
|
|
||||||
@item --photo-viewer @code{string}
|
@item --photo-viewer @code{string}
|
||||||
This is the command line that should be run to view a photo ID. "%i"
|
This is the command line that should be run to view a photo ID. "%i"
|
||||||
@ -1068,7 +1127,7 @@ and "%%" for an actual percent sign. If neither %i or %I are present,
|
|||||||
then the photo will be supplied to the viewer on standard input.
|
then the photo will be supplied to the viewer on standard input.
|
||||||
|
|
||||||
The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
|
The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
|
||||||
stdin". Note that if your image viewer program is not secure, then
|
STDIN". Note that if your image viewer program is not secure, then
|
||||||
executing it from GnuPG does not make it secure.
|
executing it from GnuPG does not make it secure.
|
||||||
|
|
||||||
@item --exec-path @code{string}
|
@item --exec-path @code{string}
|
||||||
@ -1305,29 +1364,42 @@ exists.
|
|||||||
GnuPG can automatically locate and retrieve keys as needed using this
|
GnuPG can automatically locate and retrieve keys as needed using this
|
||||||
option. This happens when encrypting to an email address (in the
|
option. This happens when encrypting to an email address (in the
|
||||||
"user@@example.com" form), and there are no user@@example.com keys on
|
"user@@example.com" form), and there are no user@@example.com keys on
|
||||||
the local keyring. This option takes any number of the following
|
the local keyring. This option takes any number of the following
|
||||||
arguments, in the order they are to be tried:
|
mechanisms, in the order they are to be tried:
|
||||||
|
|
||||||
@table @asis
|
@table @asis
|
||||||
|
|
||||||
@item cert
|
@item cert
|
||||||
locate a key using DNS CERT, as specified in 2538bis (currently in
|
Locate a key using DNS CERT, as specified in rfc4398.
|
||||||
draft): http://www.josefsson.org/rfc2538bis/
|
|
||||||
|
|
||||||
@item pka
|
@item pka
|
||||||
locate a key using DNS PKA.
|
Locate a key using DNS PKA.
|
||||||
|
|
||||||
@item ldap
|
@item ldap
|
||||||
locate a key using the PGP Universal method of checking
|
Using DNS Service Discovery, check the domain in question for any LDAP
|
||||||
"ldap://keys.(thedomain)".
|
keyservers to use. If this fails, attempt to locate the key using the
|
||||||
|
PGP Universal method of checking @samp{ldap://keys.(thedomain)}.
|
||||||
|
|
||||||
@item keyserver
|
@item keyserver
|
||||||
locate a key using whatever keyserver is defined using the
|
Locate a key using whatever keyserver is defined using the
|
||||||
@option{--keyserver} option.
|
@option{--keyserver} option.
|
||||||
|
|
||||||
@item (keyserver URL)
|
@item keyserver-URL
|
||||||
In addition, a keyserver URL as used in the @option{--keyserver} option may be
|
In addition, a keyserver URL as used in the @option{--keyserver} option
|
||||||
used here to query that particular keyserver.
|
may be used here to query that particular keyserver.
|
||||||
|
|
||||||
|
@item local
|
||||||
|
Locate the key using the local keyrings. This mechanism allows to
|
||||||
|
select the order a local key lookup is done. Thus using
|
||||||
|
@samp{--auto-key-locate local} is identical to
|
||||||
|
@option{--no-auto-key-locate}.
|
||||||
|
|
||||||
|
@item nodefault
|
||||||
|
This flag disables the standard local key lookup, done before any of the
|
||||||
|
mechanisms defined by the @option{--auto-key-locate} are tried. The
|
||||||
|
position of this mechanism in the list does not matter. It is not
|
||||||
|
required if @code{local} is also used.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@item --keyid-format @code{short|0xshort|long|0xlong}
|
@item --keyid-format @code{short|0xshort|long|0xlong}
|
||||||
@ -1352,7 +1424,7 @@ from below, but apply only to this particular keyserver.
|
|||||||
|
|
||||||
Most keyservers synchronize with each other, so there is generally no
|
Most keyservers synchronize with each other, so there is generally no
|
||||||
need to send keys to more than one server. The keyserver
|
need to send keys to more than one server. The keyserver
|
||||||
@code{hkp://subkeys.pgp.net} uses round robin DNS to give a different
|
@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
|
||||||
keyserver each time you use it.
|
keyserver each time you use it.
|
||||||
|
|
||||||
@item --keyserver-options @code{name=value1 }
|
@item --keyserver-options @code{name=value1 }
|
||||||
@ -1437,6 +1509,12 @@ Set the proxy to use for HTTP and HKP keyservers. This overrides the
|
|||||||
@item max-cert-size
|
@item max-cert-size
|
||||||
When retrieving a key via DNS CERT, only accept keys up to this size.
|
When retrieving a key via DNS CERT, only accept keys up to this size.
|
||||||
Defaults to 16384 bytes.
|
Defaults to 16384 bytes.
|
||||||
|
|
||||||
|
@item debug
|
||||||
|
Turn on debug output in the keyserver helper program. Note that the
|
||||||
|
details of debug output depends on which keyserver helper program is
|
||||||
|
being used, and in turn, on any libraries that the keyserver helper
|
||||||
|
program uses internally (libcurl, openldap, etc).
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@item --completes-needed @code{n}
|
@item --completes-needed @code{n}
|
||||||
@ -1809,6 +1887,10 @@ source distribution.
|
|||||||
@opindex fixed-list-mode
|
@opindex fixed-list-mode
|
||||||
Do not merge primary user ID and primary key in @option{--with-colon}
|
Do not merge primary user ID and primary key in @option{--with-colon}
|
||||||
listing mode and print all timestamps as seconds since 1970-01-01.
|
listing mode and print all timestamps as seconds since 1970-01-01.
|
||||||
|
@ifclear gpgone
|
||||||
|
Since GnuPG 2.0.10, this mode is always used and thus this option is
|
||||||
|
obsolete; it does not harm to use it though.
|
||||||
|
@end ifclear
|
||||||
|
|
||||||
@item --with-fingerprint
|
@item --with-fingerprint
|
||||||
@opindex with-fingerprint
|
@opindex with-fingerprint
|
||||||
@ -1886,7 +1968,7 @@ Set the list of personal digest preferences to @code{string}. Use
|
|||||||
and use @code{none} to set no preference at all. This allows the user
|
and use @code{none} to set no preference at all. This allows the user
|
||||||
to factor in their own preferred algorithms when algorithms are chosen
|
to factor in their own preferred algorithms when algorithms are chosen
|
||||||
via recipient key preferences. The most highly ranked digest
|
via recipient key preferences. The most highly ranked digest
|
||||||
algorithm in this list is algo used when signing without encryption
|
algorithm in this list is also used when signing without encryption
|
||||||
(e.g. @option{--clearsign} or @option{--sign}). The default value is
|
(e.g. @option{--clearsign} or @option{--sign}). The default value is
|
||||||
SHA-1.
|
SHA-1.
|
||||||
|
|
||||||
@ -1896,7 +1978,7 @@ Use @command{@gpgname --version} to get a list of available
|
|||||||
algorithms, and use @code{none} to set no preference at all. This
|
algorithms, and use @code{none} to set no preference at all. This
|
||||||
allows the user to factor in their own preferred algorithms when
|
allows the user to factor in their own preferred algorithms when
|
||||||
algorithms are chosen via recipient key preferences. The most highly
|
algorithms are chosen via recipient key preferences. The most highly
|
||||||
ranked compression algorithm in this list is algo used when there are
|
ranked compression algorithm in this list is also used when there are
|
||||||
no recipient keys to consider (e.g. @option{--symmetric}).
|
no recipient keys to consider (e.g. @option{--symmetric}).
|
||||||
|
|
||||||
@item --s2k-cipher-algo @code{name}
|
@item --s2k-cipher-algo @code{name}
|
||||||
@ -1980,9 +2062,9 @@ a message that PGP 2.x will not be able to handle. Note that `PGP
|
|||||||
available, but the MIT release is a good common baseline.
|
available, but the MIT release is a good common baseline.
|
||||||
|
|
||||||
This option implies @option{--rfc1991 --disable-mdc
|
This option implies @option{--rfc1991 --disable-mdc
|
||||||
--no-force-v4-certs --no-sk-comment --escape-from-lines
|
--no-force-v4-certs --escape-from-lines --force-v3-sigs --cipher-algo
|
||||||
--force-v3-sigs --cipher-algo IDEA --digest-algo MD5 --compress-algo
|
IDEA --digest-algo MD5 --compress-algo ZIP}. It also disables
|
||||||
ZIP}. It also disables @option{--textmode} when encrypting.
|
@option{--textmode} when encrypting.
|
||||||
|
|
||||||
@item --pgp6
|
@item --pgp6
|
||||||
@opindex pgp6
|
@opindex pgp6
|
||||||
@ -1993,8 +2075,8 @@ compression algorithms none and ZIP. This also disables
|
|||||||
--throw-keyids, and making signatures with signing subkeys as PGP 6
|
--throw-keyids, and making signatures with signing subkeys as PGP 6
|
||||||
does not understand signatures made by signing subkeys.
|
does not understand signatures made by signing subkeys.
|
||||||
|
|
||||||
This option implies @option{--disable-mdc --no-sk-comment
|
This option implies @option{--disable-mdc --escape-from-lines
|
||||||
--escape-from-lines --force-v3-sigs}.
|
--force-v3-sigs}.
|
||||||
|
|
||||||
@item --pgp7
|
@item --pgp7
|
||||||
@opindex pgp7
|
@opindex pgp7
|
||||||
@ -2066,11 +2148,13 @@ Same as @option{--status-fd}, except the status data is written to file
|
|||||||
@code{file}.
|
@code{file}.
|
||||||
|
|
||||||
@item --logger-fd @code{n}
|
@item --logger-fd @code{n}
|
||||||
Write log output to file descriptor @code{n} and not to stderr.
|
Write log output to file descriptor @code{n} and not to STDERR.
|
||||||
|
|
||||||
@item --logger-file @code{file}
|
@item --log-file @code{file}
|
||||||
|
@itemx --logger-file @code{file}
|
||||||
Same as @option{--logger-fd}, except the logger data is written to file
|
Same as @option{--logger-fd}, except the logger data is written to file
|
||||||
@code{file}.
|
@code{file}. Note that @option{--log-file} is only implemented for
|
||||||
|
GnuPG-2.
|
||||||
|
|
||||||
@item --attribute-fd @code{n}
|
@item --attribute-fd @code{n}
|
||||||
Write attribute subpackets to the file descriptor @code{n}. This is most
|
Write attribute subpackets to the file descriptor @code{n}. This is most
|
||||||
@ -2152,10 +2236,10 @@ file being encrypted.
|
|||||||
|
|
||||||
@item --for-your-eyes-only
|
@item --for-your-eyes-only
|
||||||
@itemx --no-for-your-eyes-only
|
@itemx --no-for-your-eyes-only
|
||||||
Set the `for your eyes only' flag in the message. This causes GnuPG
|
Set the `for your eyes only' flag in the message. This causes GnuPG to
|
||||||
to refuse to save the file unless the @option{--output} option is given, and
|
refuse to save the file unless the @option{--output} option is given,
|
||||||
PGP to use the "secure viewer" with a Tempest-resistant font to
|
and PGP to use a "secure viewer" with a claimed Tempest-resistant font
|
||||||
display the message. This option overrides @option{--set-filename}.
|
to display the message. This option overrides @option{--set-filename}.
|
||||||
@option{--no-for-your-eyes-only} disables this option.
|
@option{--no-for-your-eyes-only} disables this option.
|
||||||
|
|
||||||
@item --use-embedded-filename
|
@item --use-embedded-filename
|
||||||
@ -2221,12 +2305,15 @@ will still get disabled.
|
|||||||
|
|
||||||
@item --throw-keyids
|
@item --throw-keyids
|
||||||
@itemx --no-throw-keyids
|
@itemx --no-throw-keyids
|
||||||
Do not put the recipient key IDs into encrypted messages. This helps
|
Do not put the recipient key IDs into encrypted messages. This helps to
|
||||||
to hide the receivers of the message and is a limited countermeasure
|
hide the receivers of the message and is a limited countermeasure
|
||||||
against traffic analysis. On the receiving side, it may slow down the
|
against traffic analysis.@footnote{Using a little social engineering
|
||||||
decryption process because all available secret keys must be tried.
|
anyone who is able to decrypt the message can check whether one of the
|
||||||
@option{--no-throw-keyids} disables this option. This option is essentially
|
other recipients is the one he suspects.} On the receiving side, it may
|
||||||
the same as using @option{--hidden-recipient} for all recipients.
|
slow down the decryption process because all available secret keys must
|
||||||
|
be tried. @option{--no-throw-keyids} disables this option. This option
|
||||||
|
is essentially the same as using @option{--hidden-recipient} for all
|
||||||
|
recipients.
|
||||||
|
|
||||||
@item --not-dash-escaped
|
@item --not-dash-escaped
|
||||||
This option changes the behavior of cleartext signatures
|
This option changes the behavior of cleartext signatures
|
||||||
@ -2253,7 +2340,7 @@ passphrase. Defaults to 1 repetition.
|
|||||||
@item --passphrase-fd @code{n}
|
@item --passphrase-fd @code{n}
|
||||||
Read the passphrase from file descriptor @code{n}. Only the first line
|
Read the passphrase from file descriptor @code{n}. Only the first line
|
||||||
will be read from file descriptor @code{n}. If you use 0 for @code{n},
|
will be read from file descriptor @code{n}. If you use 0 for @code{n},
|
||||||
the passphrase will be read from stdin. This can only be used if only
|
the passphrase will be read from STDIN. This can only be used if only
|
||||||
one passphrase is supplied.
|
one passphrase is supplied.
|
||||||
@ifclear gpgone
|
@ifclear gpgone
|
||||||
Note that this passphrase is only used if the option @option{--batch}
|
Note that this passphrase is only used if the option @option{--batch}
|
||||||
@ -2415,11 +2502,15 @@ This is an obsolete option and is not used anywhere.
|
|||||||
|
|
||||||
@item --allow-multiple-messages
|
@item --allow-multiple-messages
|
||||||
@item --no-allow-multiple-messages
|
@item --no-allow-multiple-messages
|
||||||
Allow processing of multiple OpenPGP messages contained in a single
|
Allow processing of multiple OpenPGP messages contained in a single file
|
||||||
file or stream. Some programs that call GPG are not prepared to deal
|
or stream. Some programs that call GPG are not prepared to deal with
|
||||||
with multiple messages being processed together, so this option
|
multiple messages being processed together, so this option defaults to
|
||||||
defaults to no. Note that versions of GPG prior to 1.4.7 always
|
no. Note that versions of GPG prior to 1.4.7 always allowed multiple
|
||||||
allowed multiple messages.
|
messages.
|
||||||
|
|
||||||
|
Warning: Do not use this option unless you need it as a temporary
|
||||||
|
workaround!
|
||||||
|
|
||||||
|
|
||||||
@item --enable-special-filenames
|
@item --enable-special-filenames
|
||||||
This options enables a mode in which filenames of the form
|
This options enables a mode in which filenames of the form
|
||||||
@ -2542,12 +2633,12 @@ current home directory (@pxref{option --homedir}).
|
|||||||
@table @file
|
@table @file
|
||||||
|
|
||||||
@item gpg.conf
|
@item gpg.conf
|
||||||
@cindex gpgsm.conf
|
@cindex gpg.conf
|
||||||
This is the standard configuration file read by @command{@gpgname} on
|
This is the standard configuration file read by @command{@gpgname} on
|
||||||
startup. It may contain any valid long option; the leading two dashes
|
startup. It may contain any valid long option; the leading two dashes
|
||||||
may not be entered and the option may not be abbreviated. This default
|
may not be entered and the option may not be abbreviated. This default
|
||||||
name may be changed on the command line (@pxref{option
|
name may be changed on the command line (@pxref{option --options}).
|
||||||
--options}).
|
You should backup this file.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -2567,31 +2658,32 @@ files; They all live in in the current home directory (@pxref{option
|
|||||||
|
|
||||||
@table @file
|
@table @file
|
||||||
@item ~/.gnupg/secring.gpg
|
@item ~/.gnupg/secring.gpg
|
||||||
The secret keyring.
|
The secret keyring. You should backup this file.
|
||||||
|
|
||||||
@item ~/.gnupg/secring.gpg.lock
|
@item ~/.gnupg/secring.gpg.lock
|
||||||
and the lock file
|
The lock file for the secret keyring.
|
||||||
|
|
||||||
@item ~/.gnupg/pubring.gpg
|
@item ~/.gnupg/pubring.gpg
|
||||||
The public keyring
|
The public keyring. You should backup this file.
|
||||||
|
|
||||||
@item ~/.gnupg/pubring.gpg.lock
|
@item ~/.gnupg/pubring.gpg.lock
|
||||||
and the lock file
|
The lock file for the public keyring.
|
||||||
|
|
||||||
@item ~/.gnupg/trustdb.gpg
|
@item ~/.gnupg/trustdb.gpg
|
||||||
The trust database
|
The trust database. There is no need to backup this file; it is better
|
||||||
|
to backup the ownertrust values (@pxref{option --export-ownertrust}).
|
||||||
|
|
||||||
@item ~/.gnupg/trustdb.gpg.lock
|
@item ~/.gnupg/trustdb.gpg.lock
|
||||||
and the lock file
|
The lock file for the trust database.
|
||||||
|
|
||||||
@item ~/.gnupg/random_seed
|
@item ~/.gnupg/random_seed
|
||||||
used to preserve the internal random pool
|
A file used to preserve the state of the internal random pool.
|
||||||
|
|
||||||
@item /usr[/local]/share/gnupg/options.skel
|
@item /usr[/local]/share/gnupg/options.skel
|
||||||
Skeleton options file
|
The skeleton options file.
|
||||||
|
|
||||||
@item /usr[/local]/lib/gnupg/
|
@item /usr[/local]/lib/gnupg/
|
||||||
Default location for extensions
|
Default location for extensions.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -2619,7 +2711,7 @@ value. The option @option{--gpg-agent-info} can be used to override it.
|
|||||||
|
|
||||||
@item PINENTRY_USER_DATA
|
@item PINENTRY_USER_DATA
|
||||||
This value is passed via gpg-agent to pinentry. It is useful to convey
|
This value is passed via gpg-agent to pinentry. It is useful to convey
|
||||||
extra information to a custom pinentry
|
extra information to a custom pinentry.
|
||||||
|
|
||||||
@item COLUMNS
|
@item COLUMNS
|
||||||
@itemx LINES
|
@itemx LINES
|
||||||
@ -2628,12 +2720,13 @@ Used to size some displays to the full size of the screen.
|
|||||||
|
|
||||||
@item LANGUAGE
|
@item LANGUAGE
|
||||||
Apart from its use by GNU, it is used in the W32 version to override the
|
Apart from its use by GNU, it is used in the W32 version to override the
|
||||||
language selection done through the Registry. If used and set to a a
|
language selection done through the Registry. If used and set to a
|
||||||
valid and available language name (@var{langid}), the file with the
|
valid and available language name (@var{langid}), the file with the
|
||||||
translation is loaded from
|
translation is loaded from
|
||||||
@code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the
|
@code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the
|
||||||
directory out of which the gpg binary has been laoded. If it can't be
|
directory out of which the gpg binary has been loaded. If it can't be
|
||||||
loaded the Registry is tried as a fallback.
|
loaded the Registry is tried and as last resort the native Windows
|
||||||
|
locale system is used.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -2658,6 +2751,9 @@ make a clear text signature
|
|||||||
@item gpg -sb @code{file}
|
@item gpg -sb @code{file}
|
||||||
make a detached signature
|
make a detached signature
|
||||||
|
|
||||||
|
@item gpg -u 0x12345678 -sb @code{file}
|
||||||
|
make a detached signature with the key 0x12345678
|
||||||
|
|
||||||
@item gpg --list-keys @code{user_ID}
|
@item gpg --list-keys @code{user_ID}
|
||||||
show keys
|
show keys
|
||||||
|
|
||||||
@ -2706,7 +2802,7 @@ is *very* easy to spy out your passphrase!
|
|||||||
|
|
||||||
If you are going to verify detached signatures, make sure that the
|
If you are going to verify detached signatures, make sure that the
|
||||||
program knows about it; either give both filenames on the command line
|
program knows about it; either give both filenames on the command line
|
||||||
or use @samp{-} to specify stdin.
|
or use @samp{-} to specify STDIN.
|
||||||
|
|
||||||
@mansect interoperability
|
@mansect interoperability
|
||||||
@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
|
@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
|
||||||
|
@ -123,13 +123,14 @@ one signature was bad, and other error codes for fatal errors.
|
|||||||
@table @asis
|
@table @asis
|
||||||
|
|
||||||
@item @gpgvname @code{pgpfile}
|
@item @gpgvname @code{pgpfile}
|
||||||
@itemx @gpgvname @code{sigfile}
|
@itemx @gpgvname @code{sigfile} [@code{datafile}]
|
||||||
Verify the signature of the file. The second form
|
Verify the signature of the file. The second form is used for detached
|
||||||
is used for detached signatures, where @code{sigfile} is the detached
|
signatures, where @code{sigfile} is the detached signature (either
|
||||||
signature (either ASCII-armored or binary) and are the signed
|
ASCII-armored or binary) and @code{datafile} contains the signed data;
|
||||||
data; if this is not given the name of the file holding the signed data is
|
if @code{datafile} is "-" the signed data is expected on
|
||||||
constructed by cutting off the extension (".asc", ".sig" or ".sign") from
|
@code{stdin}; if @code{datafile} is not given the name of the file
|
||||||
@code{sigfile}.
|
holding the signed data is constructed by cutting off the extension
|
||||||
|
(".asc", ".sig" or ".sign") from @code{sigfile}.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
@ -1,3 +1,19 @@
|
|||||||
|
2009-08-13 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* cardglue.h: Add new error code mappings.
|
||||||
|
|
||||||
|
From GnuPG-2:
|
||||||
|
* app-openpgp.c (change_keyattr_from_string): New.
|
||||||
|
(do_setattr): Support KEY-ATTR.
|
||||||
|
* ccid-driver.c (print_pr_data): Fix 64 bit compat problem.
|
||||||
|
* ccid-driver.c (parse_ccid_descriptor): Enable hack for SCR 3320.
|
||||||
|
* card-util.c (generate_card_keys): Remove special case for
|
||||||
|
GnuPG-2. Ask for the keysize and change it.
|
||||||
|
(card_generate_subkey): Ask for the keysize and change it.
|
||||||
|
(get_info_for_key_operation): Read KEY-ATTR.
|
||||||
|
(show_keysize_warning, ask_card_keysize): New.
|
||||||
|
(do_change_keysize): New.
|
||||||
|
|
||||||
2009-08-11 David Shaw <dshaw@jabberwocky.com>
|
2009-08-11 David Shaw <dshaw@jabberwocky.com>
|
||||||
|
|
||||||
* keyserver.c (keyserver_spawn): Try and detect mis-coded Latin1
|
* keyserver.c (keyserver_spawn): Try and detect mis-coded Latin1
|
||||||
|
@ -214,6 +214,11 @@ static gpg_error_t do_auth (app_t app, const char *keyidstr,
|
|||||||
const void *indata, size_t indatalen,
|
const void *indata, size_t indatalen,
|
||||||
unsigned char **outdata, size_t *outdatalen);
|
unsigned char **outdata, size_t *outdatalen);
|
||||||
static void parse_algorithm_attribute (app_t app, int keyno);
|
static void parse_algorithm_attribute (app_t app, int keyno);
|
||||||
|
static gpg_error_t change_keyattr_from_string
|
||||||
|
(app_t app,
|
||||||
|
gpg_error_t (*pincb)(void*, const char *, char **),
|
||||||
|
void *pincb_arg,
|
||||||
|
const void *value, size_t valuelen);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -1793,6 +1798,7 @@ do_setattr (app_t app, const char *name,
|
|||||||
{ "CERT-3", 0x7F21, 3, 0, 1 },
|
{ "CERT-3", 0x7F21, 3, 0, 1 },
|
||||||
{ "SM-KEY-ENC", 0x00D1, 3, 0, 1 },
|
{ "SM-KEY-ENC", 0x00D1, 3, 0, 1 },
|
||||||
{ "SM-KEY-MAC", 0x00D2, 3, 0, 1 },
|
{ "SM-KEY-MAC", 0x00D2, 3, 0, 1 },
|
||||||
|
{ "KEY-ATTR", 0, 0, 3, 1 },
|
||||||
{ NULL, 0 }
|
{ NULL, 0 }
|
||||||
};
|
};
|
||||||
int exmode;
|
int exmode;
|
||||||
@ -1804,6 +1810,9 @@ do_setattr (app_t app, const char *name,
|
|||||||
if (table[idx].need_v2 && !app->app_local->extcap.is_v2)
|
if (table[idx].need_v2 && !app->app_local->extcap.is_v2)
|
||||||
return gpg_error (GPG_ERR_NOT_SUPPORTED); /* Not yet supported. */
|
return gpg_error (GPG_ERR_NOT_SUPPORTED); /* Not yet supported. */
|
||||||
|
|
||||||
|
if (table[idx].special == 3)
|
||||||
|
return change_keyattr_from_string (app, pincb, pincb_arg, value, valuelen);
|
||||||
|
|
||||||
switch (table[idx].need_chv)
|
switch (table[idx].need_chv)
|
||||||
{
|
{
|
||||||
case 2:
|
case 2:
|
||||||
@ -2404,6 +2413,45 @@ change_keyattr (app_t app, int keyno, unsigned int nbits,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Helper to process an setattr command for name KEY-ATTR. It expects
|
||||||
|
a string "--force <keyno> <algo> <nbits>" in (VALUE,VALUELEN). */
|
||||||
|
static gpg_error_t
|
||||||
|
change_keyattr_from_string (app_t app,
|
||||||
|
gpg_error_t (*pincb)(void*, const char *, char **),
|
||||||
|
void *pincb_arg,
|
||||||
|
const void *value, size_t valuelen)
|
||||||
|
{
|
||||||
|
gpg_error_t err;
|
||||||
|
char *string;
|
||||||
|
int keyno, algo;
|
||||||
|
unsigned int nbits;
|
||||||
|
|
||||||
|
/* VALUE is expected to be a string but not guaranteed to be
|
||||||
|
terminated. Thus copy it to an allocated buffer first. */
|
||||||
|
string = xtrymalloc (valuelen+1);
|
||||||
|
if (!string)
|
||||||
|
return gpg_error_from_syserror ();
|
||||||
|
memcpy (string, value, valuelen);
|
||||||
|
string[valuelen] = 0;
|
||||||
|
|
||||||
|
/* Because this function deletes the key we require the string
|
||||||
|
"--force" in the data to make clear that something serious might
|
||||||
|
happen. */
|
||||||
|
if (sscanf (string, " --force %d %d %u", &keyno, &algo, &nbits) != 3)
|
||||||
|
err = gpg_error (GPG_ERR_INV_DATA);
|
||||||
|
else if (keyno < 1 || keyno > 3)
|
||||||
|
err = gpg_error (GPG_ERR_INV_ID);
|
||||||
|
else if (algo != 1)
|
||||||
|
err = gpg_error (GPG_ERR_PUBKEY_ALGO); /* Not RSA. */
|
||||||
|
else if (nbits < 1024)
|
||||||
|
err = gpg_error (GPG_ERR_TOO_SHORT);
|
||||||
|
else
|
||||||
|
err = change_keyattr (app, keyno-1, nbits, pincb, pincb_arg);
|
||||||
|
|
||||||
|
xfree (string);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Handle the WRITEKEY command for OpenPGP. This function expects a
|
/* Handle the WRITEKEY command for OpenPGP. This function expects a
|
||||||
canonical encoded S-expression with the secret key in KEYDATA and
|
canonical encoded S-expression with the secret key in KEYDATA and
|
||||||
|
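Review bot: The early `return change_keyattr_from_string (app, pincb, pincb_arg, value, valuelen);` added to do_setattr runs before the `switch (table[idx].need_chv)` that handles PIN verification for the other attributes, so KEY-ATTR never passes through that path; change_keyattr receives `pincb` and presumably verifies the admin PIN itself (its body is outside the hunk), but that assumption should be stated at the call site, e.g. `/* KEY-ATTR: PIN verification is done inside change_keyattr.  */`. In change_keyattr_from_string the parsed `nbits` is only bounded from below (`nbits < 1024`), while the gpg side in card-util.c caps requests at 3072; unless change_keyattr rejects oversize values, an upper bound here would stop a malformed setattr string from asking the card for a size it cannot handle. `sscanf` also accepts trailing characters after the three fields, which is harmless today but worth an explicit `%n` length check if the "--force <keyno> <algo> <nbits>" format is meant to be strict.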
182
g10/card-util.c
182
g10/card-util.c
@ -23,6 +23,10 @@
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
|
#ifdef HAVE_LIBREADLINE
|
||||||
|
# define GNUPG_LIBREADLINE_H_INCLUDED
|
||||||
|
# include <readline/readline.h>
|
||||||
|
#endif /*HAVE_LIBREADLINE*/
|
||||||
|
|
||||||
#if GNUPG_MAJOR_VERSION != 1
|
#if GNUPG_MAJOR_VERSION != 1
|
||||||
# include "gpg.h"
|
# include "gpg.h"
|
||||||
@ -34,12 +38,8 @@
|
|||||||
#include "options.h"
|
#include "options.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "keyserver-internal.h"
|
#include "keyserver-internal.h"
|
||||||
|
|
||||||
#if GNUPG_MAJOR_VERSION == 1
|
#if GNUPG_MAJOR_VERSION == 1
|
||||||
# ifdef HAVE_LIBREADLINE
|
|
||||||
# define GNUPG_LIBREADLINE_H_INCLUDED
|
|
||||||
# include <stdio.h>
|
|
||||||
# include <readline/readline.h>
|
|
||||||
# endif /*HAVE_LIBREADLINE*/
|
|
||||||
# include "cardglue.h"
|
# include "cardglue.h"
|
||||||
#else /*GNUPG_MAJOR_VERSION!=1*/
|
#else /*GNUPG_MAJOR_VERSION!=1*/
|
||||||
# include "call-agent.h"
|
# include "call-agent.h"
|
||||||
@ -1158,6 +1158,8 @@ get_info_for_key_operation (struct agent_card_info_s *info)
|
|||||||
rc = agent_scd_getattr ("DISP-NAME", info);
|
rc = agent_scd_getattr ("DISP-NAME", info);
|
||||||
if (!rc)
|
if (!rc)
|
||||||
rc = agent_scd_getattr ("EXTCAP", info);
|
rc = agent_scd_getattr ("EXTCAP", info);
|
||||||
|
if (!rc)
|
||||||
|
rc = agent_scd_getattr ("KEY-ATTR", info);
|
||||||
if (rc)
|
if (rc)
|
||||||
log_error (_("error getting current key info: %s\n"), gpg_strerror (rc));
|
log_error (_("error getting current key info: %s\n"), gpg_strerror (rc));
|
||||||
return rc;
|
return rc;
|
||||||
@ -1253,34 +1255,114 @@ replace_existing_key_p (struct agent_card_info_s *info, int keyno)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void
|
||||||
|
show_keysize_warning (void)
|
||||||
|
{
|
||||||
|
static int shown;
|
||||||
|
|
||||||
|
if (shown)
|
||||||
|
return;
|
||||||
|
shown = 1;
|
||||||
|
tty_printf
|
||||||
|
(_("NOTE: There is no guarantee that the card "
|
||||||
|
"supports the requested size.\n"
|
||||||
|
" If the key generation does not succeed, "
|
||||||
|
"please check the\n"
|
||||||
|
" documentation of your card to see what "
|
||||||
|
"sizes are allowed.\n"));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Ask for the size of a card key. NBITS is the current size
|
||||||
|
configured for the card. KEYNO is the number of the key used to
|
||||||
|
select the prompt. Returns 0 to use the default size (i.e. NBITS)
|
||||||
|
or the selected size. */
|
||||||
|
static unsigned int
|
||||||
|
ask_card_keysize (int keyno, unsigned int nbits)
|
||||||
|
{
|
||||||
|
unsigned int min_nbits = 1024;
|
||||||
|
unsigned int max_nbits = 3072; /* GnuPG limit due to Assuan. */
|
||||||
|
char *prompt, *answer;
|
||||||
|
unsigned int req_nbits;
|
||||||
|
|
||||||
|
for (;;)
|
||||||
|
{
|
||||||
|
prompt = xasprintf
|
||||||
|
(keyno == 0?
|
||||||
|
_("What keysize do you want for the Signature key? (%u) "):
|
||||||
|
keyno == 1?
|
||||||
|
_("What keysize do you want for the Encryption key? (%u) "):
|
||||||
|
_("What keysize do you want for the Authentication key? (%u) "),
|
||||||
|
nbits);
|
||||||
|
answer = cpr_get ("cardedit.genkeys.size", prompt);
|
||||||
|
cpr_kill_prompt ();
|
||||||
|
req_nbits = *answer? atoi (answer): nbits;
|
||||||
|
xfree (prompt);
|
||||||
|
xfree (answer);
|
||||||
|
|
||||||
|
if (req_nbits != nbits && (req_nbits % 32) )
|
||||||
|
{
|
||||||
|
req_nbits = ((req_nbits + 31) / 32) * 32;
|
||||||
|
tty_printf (_("rounded up to %u bits\n"), req_nbits);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (req_nbits == nbits)
|
||||||
|
return 0; /* Use default. */
|
||||||
|
|
||||||
|
if (req_nbits < min_nbits || req_nbits > max_nbits)
|
||||||
|
{
|
||||||
|
tty_printf (_("%s keysizes must be in the range %u-%u\n"),
|
||||||
|
"RSA", min_nbits, max_nbits);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
tty_printf (_("The card will now be re-configured "
|
||||||
|
"to generate a key of %u bits\n"), req_nbits);
|
||||||
|
show_keysize_warning ();
|
||||||
|
return req_nbits;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Change the size of key KEYNO (0..2) to NBITS and show an error
|
||||||
|
message if that fails. */
|
||||||
|
static gpg_error_t
|
||||||
|
do_change_keysize (int keyno, unsigned int nbits)
|
||||||
|
{
|
||||||
|
gpg_error_t err;
|
||||||
|
char args[100];
|
||||||
|
|
||||||
|
snprintf (args, sizeof args, "--force %d 1 %u", keyno+1, nbits);
|
||||||
|
err = agent_scd_setattr ("KEY-ATTR", args, strlen (args), NULL);
|
||||||
|
if (err)
|
||||||
|
log_error (_("error changing size of key %d to %u bits: %s\n"),
|
||||||
|
keyno+1, nbits, gpg_strerror (err));
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
generate_card_keys (void)
|
generate_card_keys (void)
|
||||||
{
|
{
|
||||||
struct agent_card_info_s info;
|
struct agent_card_info_s info;
|
||||||
int forced_chv1;
|
int forced_chv1;
|
||||||
int want_backup;
|
int want_backup;
|
||||||
|
int keyno;
|
||||||
|
|
||||||
if (get_info_for_key_operation (&info))
|
if (get_info_for_key_operation (&info))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (info.extcap.ki)
|
if (info.extcap.ki)
|
||||||
{
|
{
|
||||||
#if GNUPG_MAJOR_VERSION == 1
|
|
||||||
char *answer;
|
char *answer;
|
||||||
|
|
||||||
|
|
||||||
answer = cpr_get ("cardedit.genkeys.backup_enc",
|
answer = cpr_get ("cardedit.genkeys.backup_enc",
|
||||||
_("Make off-card backup of encryption key? (Y/n) "));
|
_("Make off-card backup of encryption key? (Y/n) "));
|
||||||
|
|
||||||
want_backup=answer_is_yes_no_default(answer,1);
|
want_backup = answer_is_yes_no_default (answer, 1/*(default to Yes)*/);
|
||||||
cpr_kill_prompt();
|
cpr_kill_prompt ();
|
||||||
xfree(answer);
|
xfree (answer);
|
||||||
#else
|
|
||||||
want_backup = cpr_get_answer_is_yes
|
|
||||||
( "cardedit.genkeys.backup_enc",
|
|
||||||
_("Make off-card backup of encryption key? (Y/n) "));
|
|
||||||
/*FIXME: we need answer_is_yes_no_default()*/
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
want_backup = 0;
|
want_backup = 0;
|
||||||
@ -1290,16 +1372,19 @@ generate_card_keys (void)
|
|||||||
|| (info.fpr3valid && !fpr_is_zero (info.fpr3)))
|
|| (info.fpr3valid && !fpr_is_zero (info.fpr3)))
|
||||||
{
|
{
|
||||||
tty_printf ("\n");
|
tty_printf ("\n");
|
||||||
log_info ("NOTE: keys are already stored on the card!\n");
|
log_info (_("NOTE: keys are already stored on the card!\n"));
|
||||||
tty_printf ("\n");
|
tty_printf ("\n");
|
||||||
if ( !cpr_get_answer_is_yes( "cardedit.genkeys.replace_keys",
|
if ( !cpr_get_answer_is_yes ("cardedit.genkeys.replace_keys",
|
||||||
_("Replace existing keys? (y/N) ")))
|
_("Replace existing keys? (y/N) ")))
|
||||||
{
|
{
|
||||||
agent_release_card_info (&info);
|
agent_release_card_info (&info);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (!info.disp_name || !*info.disp_name)
|
|
||||||
|
/* If no displayed name has been set, we assume that this is a fresh
|
||||||
|
card and print a hint about the default PINs. */
|
||||||
|
if (!info.disp_name || !*info.disp_name)
|
||||||
{
|
{
|
||||||
tty_printf ("\n");
|
tty_printf ("\n");
|
||||||
tty_printf (_("Please note that the factory settings of the PINs are\n"
|
tty_printf (_("Please note that the factory settings of the PINs are\n"
|
||||||
@ -1312,8 +1397,30 @@ generate_card_keys (void)
|
|||||||
if (check_pin_for_key_operation (&info, &forced_chv1))
|
if (check_pin_for_key_operation (&info, &forced_chv1))
|
||||||
goto leave;
|
goto leave;
|
||||||
|
|
||||||
generate_keypair (NULL, info.serialno,
|
/* If the cards features changeable key attributes, we ask for the
|
||||||
want_backup? opt.homedir:NULL);
|
key size. */
|
||||||
|
if (info.is_v2 && info.extcap.aac)
|
||||||
|
{
|
||||||
|
unsigned int nbits;
|
||||||
|
|
||||||
|
for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
|
||||||
|
{
|
||||||
|
nbits = ask_card_keysize (keyno, info.key_attr[keyno].nbits);
|
||||||
|
if (nbits && do_change_keysize (keyno, nbits))
|
||||||
|
{
|
||||||
|
/* Error: Better read the default key size again. */
|
||||||
|
agent_release_card_info (&info);
|
||||||
|
if (get_info_for_key_operation (&info))
|
||||||
|
goto leave;
|
||||||
|
/* Ask again for this key size. */
|
||||||
|
keyno--;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* Note that INFO has not be synced. However we will only use
|
||||||
|
the serialnumber and thus it won't harm. */
|
||||||
|
}
|
||||||
|
|
||||||
|
generate_keypair (NULL, info.serialno, want_backup? opt.homedir:NULL);
|
||||||
|
|
||||||
leave:
|
leave:
|
||||||
agent_release_card_info (&info);
|
agent_release_card_info (&info);
|
||||||
@ -1365,6 +1472,26 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
|||||||
if (check_pin_for_key_operation (&info, &forced_chv1))
|
if (check_pin_for_key_operation (&info, &forced_chv1))
|
||||||
goto leave;
|
goto leave;
|
||||||
|
|
||||||
|
/* If the cards features changeable key attributes, we ask for the
|
||||||
|
key size. */
|
||||||
|
if (info.is_v2 && info.extcap.aac)
|
||||||
|
{
|
||||||
|
unsigned int nbits;
|
||||||
|
|
||||||
|
ask_again:
|
||||||
|
nbits = ask_card_keysize (keyno-1, info.key_attr[keyno-1].nbits);
|
||||||
|
if (nbits && do_change_keysize (keyno-1, nbits))
|
||||||
|
{
|
||||||
|
/* Error: Better read the default key size again. */
|
||||||
|
agent_release_card_info (&info);
|
||||||
|
if (get_info_for_key_operation (&info))
|
||||||
|
goto leave;
|
||||||
|
goto ask_again;
|
||||||
|
}
|
||||||
|
/* Note that INFO has not be synced. However we will only use
|
||||||
|
the serialnumber and thus it won't harm. */
|
||||||
|
}
|
||||||
|
|
||||||
okay = generate_card_subkeypair (pub_keyblock, sec_keyblock,
|
okay = generate_card_subkeypair (pub_keyblock, sec_keyblock,
|
||||||
keyno, info.serialno);
|
keyno, info.serialno);
|
||||||
|
|
||||||
@ -1577,7 +1704,7 @@ static struct
|
|||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
#if GNUPG_MAJOR_VERSION == 1 && defined (HAVE_LIBREADLINE)
|
#ifdef HAVE_LIBREADLINE
|
||||||
|
|
||||||
/* These two functions are used by readline for command completion. */
|
/* These two functions are used by readline for command completion. */
|
||||||
|
|
||||||
@ -1610,6 +1737,7 @@ command_generator(const char *text,int state)
|
|||||||
static char **
|
static char **
|
||||||
card_edit_completion(const char *text, int start, int end)
|
card_edit_completion(const char *text, int start, int end)
|
||||||
{
|
{
|
||||||
|
(void)end;
|
||||||
/* If we are at the start of a line, we try and command-complete.
|
/* If we are at the start of a line, we try and command-complete.
|
||||||
If not, just do nothing for now. */
|
If not, just do nothing for now. */
|
||||||
|
|
||||||
@ -1620,7 +1748,7 @@ card_edit_completion(const char *text, int start, int end)
|
|||||||
|
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
#endif /* GNUPG_MAJOR_VERSION == 1 && HAVE_LIBREADLINE */
|
#endif /*HAVE_LIBREADLINE*/
|
||||||
|
|
||||||
/* Menu to edit all user changeable values on an OpenPGP card. Only
|
/* Menu to edit all user changeable values on an OpenPGP card. Only
|
||||||
Key creation is not handled here. */
|
Key creation is not handled here. */
|
||||||
@ -1688,15 +1816,11 @@ card_edit (strlist_t commands)
|
|||||||
|
|
||||||
if (!have_commands)
|
if (!have_commands)
|
||||||
{
|
{
|
||||||
#if GNUPG_MAJOR_VERSION == 1
|
|
||||||
tty_enable_completion (card_edit_completion);
|
tty_enable_completion (card_edit_completion);
|
||||||
#endif
|
|
||||||
answer = cpr_get_no_help("cardedit.prompt", _("Command> "));
|
answer = cpr_get_no_help("cardedit.prompt", _("Command> "));
|
||||||
cpr_kill_prompt();
|
cpr_kill_prompt();
|
||||||
#if GNUPG_MAJOR_VERSION == 1
|
|
||||||
tty_disable_completion ();
|
tty_disable_completion ();
|
||||||
#endif
|
}
|
||||||
}
|
|
||||||
trim_spaces(answer);
|
trim_spaces(answer);
|
||||||
}
|
}
|
||||||
while ( *answer == '#' );
|
while ( *answer == '#' );
|
||||||
|
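Review bot: On the retry path in generate_card_keys (after `do_change_keysize` fails) the code calls `agent_release_card_info (&info)` and then, if `get_info_for_key_operation (&info)` fails, jumps to `leave:`, which releases `info` a second time; the function's entry path returns without releasing on the same failure, so the two paths disagree and the double release is only safe if agent_release_card_info resets the struct's pointers, which is not visible here — confirm, or handle the failure the same way in both places. The same ask/change/re-read block is duplicated in card_generate_subkey (with `goto ask_again` instead of `keyno--`); both functions begin before their hunks, and a small helper would keep the two copies in step. In ask_card_keysize, `atoi (answer)` has undefined behaviour on out-of-range input and silently accepts trailing characters, so `strtoul` with an end-pointer check would reject input such as `2048abc` instead of rounding it. do_change_keysize also hard-codes the algorithm field to `1`, which only reads as RSA if one knows change_keyattr_from_string's format; a comment such as `/* algo 1 = RSA, the only value the scd side accepts.  */` would help.
```c
/* Ask for a new size for key KEYNO (0..2) and apply it.  Returns 0 if
   the default was kept or the change succeeded, an error code if the
   card rejected the new size.  */
static gpg_error_t
ask_and_change_keysize (struct agent_card_info_s *info, int keyno)
{
  unsigned int nbits;

  nbits = ask_card_keysize (keyno, info->key_attr[keyno].nbits);
  if (!nbits)
    return 0;
  return do_change_keysize (keyno, nbits);
}

/* … unchanged: generate_card_keys up to the key-attribute block … */
      for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
        {
          if (ask_and_change_keysize (&info, keyno))
            {
              /* … unchanged: re-read card info, goto leave on failure … */
              keyno--;
            }
        }
```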
@ -134,6 +134,11 @@ typedef struct ctrl_ctx_s *ctrl_t;
|
|||||||
#define GPG_ERR_ENODEV G10ERR_GENERAL
|
#define GPG_ERR_ENODEV G10ERR_GENERAL
|
||||||
#define GPG_ERR_CANCELED G10ERR_CANCELED
|
#define GPG_ERR_CANCELED G10ERR_CANCELED
|
||||||
|
|
||||||
|
#define GPG_ERR_INV_DATA G10ERR_GENERAL
|
||||||
|
#define GPG_ERR_PUBKEY_ALGO G10ERR_PUBKEY_ALGO
|
||||||
|
#define GPG_ERR_TOO_SHORT G10ERR_INV_ARG
|
||||||
|
|
||||||
|
|
||||||
typedef int gpg_error_t;
|
typedef int gpg_error_t;
|
||||||
typedef int gpg_err_code_t;
|
typedef int gpg_err_code_t;
|
||||||
|
|
||||||
|
@ -413,7 +413,7 @@ print_pr_data (const unsigned char *data, size_t datalen, size_t off)
|
|||||||
{
|
{
|
||||||
if (any)
|
if (any)
|
||||||
DEBUGOUT_LF ();
|
DEBUGOUT_LF ();
|
||||||
DEBUGOUT_1 (" [%04d] ", off);
|
DEBUGOUT_1 (" [%04lu] ", (unsigned long) off);
|
||||||
}
|
}
|
||||||
DEBUGOUT_CONT_1 (" %02X", data[off]);
|
DEBUGOUT_CONT_1 (" %02X", data[off]);
|
||||||
any = 1;
|
any = 1;
|
||||||
@ -944,6 +944,11 @@ parse_ccid_descriptor (ccid_driver_t handle,
|
|||||||
0x5111 - SCR 331-DI
|
0x5111 - SCR 331-DI
|
||||||
0x5115 - SCR 335
|
0x5115 - SCR 335
|
||||||
0xe003 - SPR 532
|
0xe003 - SPR 532
|
||||||
|
The
|
||||||
|
0x5117 - SCR 3320 USB ID-000 reader
|
||||||
|
seems to be very slow but enabling this workaround boosts the
|
||||||
|
performance to a a more or less acceptable level (tested by David).
|
||||||
|
|
||||||
*/
|
*/
|
||||||
if (handle->id_vendor == VENDOR_SCM
|
if (handle->id_vendor == VENDOR_SCM
|
||||||
&& handle->max_ifsd > 48
|
&& handle->max_ifsd > 48
|
||||||
@ -951,6 +956,7 @@ parse_ccid_descriptor (ccid_driver_t handle,
|
|||||||
||(handle->id_product == 0x5111 && handle->bcd_device < 0x0620)
|
||(handle->id_product == 0x5111 && handle->bcd_device < 0x0620)
|
||||||
||(handle->id_product == 0x5115 && handle->bcd_device < 0x0514)
|
||(handle->id_product == 0x5115 && handle->bcd_device < 0x0514)
|
||||||
||(handle->id_product == 0xe003 && handle->bcd_device < 0x0504)
|
||(handle->id_product == 0xe003 && handle->bcd_device < 0x0504)
|
||||||
|
||(handle->id_product == 0x5117 && handle->bcd_device < 0x0522)
|
||||||
))
|
))
|
||||||
{
|
{
|
||||||
DEBUGOUT ("enabling workaround for buggy SCM readers\n");
|
DEBUGOUT ("enabling workaround for buggy SCM readers\n");
|
||||||
|
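Review bot: The new comment in parse_ccid_descriptor says enabling the workaround for the SCR 3320 (0x5117) boosts performance, but the condition only applies it for `bcd_device < 0x0522`, and nothing records where that firmware cutoff comes from or whether later firmware is known to be fixed or merely untested. The other SCM entries are cut off at specific revisions in the same way, so a line such as `0x5117 - SCR 3320 (workaround needed below firmware 0x0522)` — adjusted to what was actually observed — would spare the next reader from guessing. The same comment also reads "a a more or less acceptable level" (doubled article).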
@ -1,3 +1,8 @@
|
|||||||
|
2009-07-14 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* de.po: s/nicht-exportfähig/unwiderrufbar/. Reported by Simon
|
||||||
|
Richter.
|
||||||
|
|
||||||
2009-07-13 Werner Koch <wk@g10code.com>
|
2009-07-13 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* nl.po: Applied a small fix by Jeroen Leeuwestein. Fixes bug#1085.
|
* nl.po: Applied a small fix by Jeroen Leeuwestein. Fixes bug#1085.
|
||||||
|
1688
po/pt_BR.po
1688
po/pt_BR.po
1659
po/zh_CN.po
1659
po/zh_CN.po
2215
po/zh_TW.po
2215
po/zh_TW.po