security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

Finished preparations for 2.0.17

Browse source
This commit is contained in:
Werner Koch 2011-01-13 16:01:21 +01:00
parent eb3d99a716
commit 1f874f860c
22 changed files with 1104 additions and 346 deletions
Download patch file Download diff file Expand all files Collapse all files

6
doc/ChangeLog
View file

@ -1,3 +1,9 @@
2011-01-13 Werner Koch <wk@g10code.com>
* FAQ: Make it a static file with a pointer to the online location.
* Makefile.am (EXTRA_DIST): Remove faq.raw and faq.html.
(FAQ, faq.html): Remove these targets
2010-03-05 Werner Koch <wk@g10code.com>
* gpg.texi (GPG Configuration Options): Mention that

52
doc/DETAILS
View file

@ -34,7 +34,7 @@ record; gpg2 does this by default and the option is a dummy.
rev = revocation signature
fpr = fingerprint: (fingerprint is in field 10)
pkd = public key data (special field format, see below)
grp = reserved for gpgsm
grp = keygrip
rvk = revocation key
tru = trust database information
spk = signature subpacket
@ -221,12 +221,13 @@ more arguments in future versions.
GOODSIG <long_keyid_or_fpr> <username>
The signature with the keyid is good. For each signature only
one of the three codes GOODSIG, BADSIG or ERRSIG will be
emitted and they may be used as a marker for a new signature.
The username is the primary one encoded in UTF-8 and %XX
escaped. The fingerprint may be used instead of the long keyid
if it is available. This is the case with CMS and might
eventually also be available for OpenPGP.
one of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG
or ERRSIG will be emitted. In the past they were used as a
marker for a new signature; new code should use the NEWSIG
status instead. The username is the primary one encoded in
UTF-8 and %XX escaped. The fingerprint may be used instead of
the long keyid if it is available. This is the case with CMS
and might eventually also be available for OpenPGP.
EXPSIG <long_keyid_or_fpr> <username>
The signature with the keyid is good, but the signature is
@ -464,7 +465,8 @@ more arguments in future versions.
4 := "Error storing certificate".
IMPORT_RES <count> <no_user_id> <imported> <imported_rsa> <unchanged>
<n_uids> <n_subk> <n_sigs> <n_revoc> <sec_read> <sec_imported> <sec_dups> <not_imported>
<n_uids> <n_subk> <n_sigs> <n_revoc> <sec_read> <sec_imported>
<sec_dups> <skipped_new_keys> <not_imported>
Final statistics on import process (this is one long line)
FILE_START <what> <filename>
@ -585,7 +587,8 @@ more arguments in future versions.
8 := "Policy mismatch"
9 := "Not a secret key"
10 := "Key not trusted"
11 := "Missing certificate" (e.g. intermediate or root cert.)
11 := "Missing certificate"
12 := "Missing issuer certificate"
Note that for historical reasons the INV_RECP status is also
used for gpgsm's SIGNER command where it relates to signer's
@ -616,6 +619,12 @@ more arguments in future versions.
prefixed with a numerical error code and an underscore; e.g.:
"151011327_EOF".
SUCCESS [<location>]
Postive confirimation that an operation succeeded. <location>
is optional but if given should not contain spaces.
Used only with a few commands.
ATTRIBUTE <fpr> <octets> <type> <index> <count>
<timestamp> <expiredate> <flags>
This is one long line issued for each attribute subpacket when
@ -680,6 +689,11 @@ more arguments in future versions.
A backup key named FNAME has been created for the key with
KEYID.
MOUNTPOINT <name>
NAME is a percent-plus escaped filename describing the
mountpoint for the current operation (e.g. g13 --mount). This
may either be the specified mountpoint or one randomly choosen
by g13.
Format of the "--attribute-fd" output
@ -724,7 +738,9 @@ version: the third field contains the version of GnuPG.
pubkey: the third field contains the public key algorithmdcaiphers
this version of GnuPG supports, separated by semicolons. The
algorithm numbers are as specified in RFC-4880.
algorithm numbers are as specified in RFC-4880. Note that in
contrast to the --status-fd interface these are _not_ the
Libgcrypt identifiers.
cfg:pubkey:1;2;3;16;17
@ -801,7 +817,8 @@ The format of this file is as follows:
The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one).
Both control statements must be given.
GnuPG < 2.1: Both control statements must be given.
GnuPG >= 2.1: "%secring" is now a no-op.
%ask-passphrase
Enable a mode where the command "passphrase" is ignored and
instead the usual passphrase dialog is used. This does not
@ -811,6 +828,19 @@ The format of this file is as follows:
entry code. This is a global option.
%no-ask-passphrase
Disable the ask-passphrase mode.
%no-protection
With GnuPG 2.1 it is not anymore possible to specify a
passphrase for unattended key generation. The passphrase
command is simply ignored and %ask-passpharse is thus
implicitly enabled. Using this option allows to the creation
of keys without any passphrases. This option is mainly
intended for regression tests.
%transient-key
If given the keys are created using a faster and a somewhat
less secure random number generator. This option may be used
for keys which are only used for a short time and do not
require full cryptographic strength. It takes only effect if
used together with the option no-protection.
o The order of the parameters does not matter except for "Key-Type"
which must be the first parameter. The parameters are only for the

13
doc/FAQ Normal file
View file

@ -0,0 +1,13 @@
GnuPG Frequently Asked Questions
A FAQ is a fast moving target and thus we don't distribute it anymore
with GnuPG. You may retrieve the current FAQ in HTML format at
http://www.gnupg.org/faq/GnuPG-FAQ.html
or in plain text format at the FTP server:
ftp://ftp.gnupg.org/gcrypt/gnupg/GnuPG-FAQ.txt

32
doc/Makefile.am
View file

@ -32,12 +32,12 @@ EXTRA_DIST = samplekeys.asc \
gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png \
gnupg-card-architecture.eps gnupg-card-architecture.png \
gnupg-card-architecture.pdf \
faq.raw FAQ faq.html gnupg7.texi \
FAQ gnupg7.texi \
opt-homedir.texi see-also-note.texi specify-user-id.texi \
gpgv.texi texi.css yat2m.c
BUILT_SOURCES = gnupg-card-architecture.eps gnupg-card-architecture.png \
gnupg-card-architecture.pdf FAQ faq.html
gnupg-card-architecture.pdf
info_TEXINFOS = gnupg.texi
@ -46,8 +46,6 @@ dist_pkgdata_DATA = qualified.txt com-certs.pem $(helpfiles)
nobase_dist_doc_DATA = FAQ DETAILS HACKING TRANSLATE OpenPGP KEYSERVER \
$(examples)
dist_html_DATA = faq.html
gnupg_TEXINFOS = \
gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \
@ -75,7 +73,7 @@ noinst_MANS = gnupg.7
watchgnupg_SOURCE = gnupg.texi
CLEANFILES = faq.raw.xref yat2m
CLEANFILES = yat2m faq.txt
DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
$(myman_pages) gnupg.7
@ -83,7 +81,6 @@ DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
yat2m: yat2m.c
$(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c
.fig.png:
fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@
@ -96,32 +93,15 @@ yat2m: yat2m.c
.fig.pdf:
fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@
FAQ : faq.raw
if WORKING_FAQPROG
$(FAQPROG) -f $< $@ || $(FAQPROG) -f $< $@
else
: Warning: missing faqprog.pl, cannot make $@
echo "No $@ due to missing faqprog.pl" > $@
echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@
endif
faq.html : faq.raw
if WORKING_FAQPROG
$(FAQPROG) -h -f $< $@ 2>&1 || $(FAQPROG) -h -f $< $@
else
: Warning: missing faqprog.pl, cannot make $@
echo "No $@ due to missing faqprog.pl" > $@
echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@
endif
# Note that yatm --store has a bug in that the @ifset gpgtwoone still
# creates a dirmngr-client page from tools.texi.
yat2m-stamp: $(myman_sources)
@rm -f yat2m-stamp.tmp
@touch yat2m-stamp.tmp
for file in $(myman_sources) ; do \
./yat2m $(YAT2M_OPTIONS) --store \
`test -f '$$file' || echo '$(srcdir)/'`$$file ; done
@test -f dirmngr-client.1 && rm dirmngr-client.1
@mv -f yat2m-stamp.tmp $@
yat2m-stamp: yat2m

2
doc/contrib.texi
View file

@ -97,7 +97,7 @@ IIDA, Yoshihiro Kajiki and Gerlinde Klaes.
This software has been made possible by the previous work of Chris
Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellmann
Paul Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson,
Taher ElGamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
Taher Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
mathematicians and all the folks who have worked hard to create
complete and free operating systems.

13
doc/debugging.texi
View file

@ -103,6 +103,17 @@ used. Using the keyserver debug option as in
is thus often helpful. Note that the actual output depends on the
backend and may change from release to release.
@ifset gpgtwoone
@item Logging on WindowsCE
For development, the best logging method on WindowsCE is the use of
remote debugging using a log file name of @file{tcp://<ip-addr>:<port>}.
The command @command{watchgnupg} may be used on the remote host to listen
on the given port. (@pxref{option watchgnupg --tcp}). For in the field
tests it is better to make use of the logging facility provided by the
@command{gpgcedev} driver (part of libassuan); this is enabled by using
a log file name of @file{GPG2:}. (@pxref{option --log-file}).
@end ifset
@end itemize
@ -194,7 +205,7 @@ or other purposes and don't have a corresponding certificate.
@item A root certificate does not verify
A common problem is that the root certificate misses the required
basicConstrains attribute and thus @command{gpgsm} rejects this
basicConstraints attribute and thus @command{gpgsm} rejects this
certificate. An error message indicating ``no value'' is a sign for
such a certificate. You may use the @code{relax} flag in
@file{trustlist.txt} to accept the certificate anyway. Note that the

25
doc/gnupg.texi
View file

@ -34,7 +34,7 @@ Published by the Free Software Foundation@*
Boston, MA 02110-1301 USA
@end iftex
Copyright @copyright{} 2002, 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
Copyright @copyright{} 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
@quotation
Permission is granted to copy, distribute and/or modify this document
@ -50,6 +50,11 @@ section entitled ``Copying''.
@direntry
* gpg2: (gnupg). OpenPGP encryption and signing tool.
* gpgsm: (gnupg). S/MIME encryption and signing tool.
* gpg-agent: (gnupg). The secret key daemon.
@ifset gpgtwoone
* dirmngr: (gnupg). X.509 CRL and OCSP server.
* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
@end ifset
@end direntry
@ -121,6 +126,9 @@ the administration and the architecture.
* Installation:: A short installation guide.
* Invoking GPG-AGENT:: How to launch the secret key daemon.
@ifset gpgtwoone
* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
@end ifset
* Invoking GPG:: Using the OpenPGP protocol.
* Invoking GPGSM:: Using the S/MIME protocol.
* Invoking SCDAEMON:: How to handle Smartcards.
@ -152,6 +160,9 @@ the administration and the architecture.
@include instguide.texi
@include gpg-agent.texi
@ifset gpgtwoone
@include dirmngr.texi
@end ifset
@include gpg.texi
@include gpgsm.texi
@include scdaemon.texi
@ -194,6 +205,18 @@ the administration and the architecture.
@c Epilogue
@c ---------------------------------------------------------------------
@c @node History
@c @unnumbered History
@c
@c Here are the notices from the old dirmngr manual:
@c
@c @itemize
@c @item Using DirMngr, 2002, Steffen Hansen, Klar"alvdalens Datakonsult AB.
@c @item Using DirMngr, 2004, 2005, 2006, 2008 Werner Koch, g10 Code GmbH.
@c @end itemize
@c
@bye

1
doc/gnupg7.texi
View file

@ -23,6 +23,7 @@ daemon which may also emulate the @command{ssh-agent}.
@command{gpgv}(1),
@command{gpgsm}(1),
@command{gpg-agent}(1),
@command{dirmngr}(8),
@command{scdaemon}(1)
@include see-also-note.texi
@end ifset

94
doc/gpg-agent.texi
View file

@ -2,6 +2,11 @@
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@c Note that we use this texinfo file for all versions of GnuPG:
@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only
@c valid for GnuPG 2.1 and later.
@node Invoking GPG-AGENT
@chapter Invoking GPG-AGENT
@cindex GPG-AGENT command options
@ -47,13 +52,24 @@ independently from any protocol. It is used as a backend for
@command{gpg} and @command{gpgsm} as well as for a couple of other
utilities.
@ifset gpgtwoone
The agent is usualy started on demand by @command{gpg}, @command{gpgsm},
@command{gpgconf} or @command{gpg-connect-agent}. Thus there is no
reason to start it manually. In case you want to use the included
Secure Shell Agent you may start the agent using:
@example
gpg-connect-agent /bye
@end example
@end ifset
@ifclear gpgtwoone
@noindent
The usual way to run the agent is from the @code{~/.xsession} file:
@example
eval $(gpg-agent --daemon)
@end example
@noindent
If you don't use an X server, you can also put this into your regular
startup file @code{~/.profile} or @code{.bash_profile}. It is best not
@ -83,13 +99,13 @@ if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
. "$@{HOME@}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
export SSH_AGENT_PID
fi
@end smallexample
@noindent
It reads the data out of the file and exports the variables. If you
don't use Secure Shell, you don't need the last two export statements.
@end ifclear
@noindent
You should always add the following lines to your @code{.bashrc} or
@ -136,18 +152,18 @@ only one command is allowed.
@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information. Not that you can
Print the program version and licensing information. Note that you cannot
abbreviate this command.
@item --help
@itemx -h
@opindex help
Print a usage message summarizing the most useful command-line options.
Not that you can abbreviate this command.
Note that you cannot abbreviate this command.
@item --dump-options
@opindex dump-options
Print a list of all available options and commands. Not that you can
Print a list of all available options and commands. Note that you cannot
abbreviate this command.
@item --server
@ -315,10 +331,15 @@ eval $(cut -d= -f 1 < @var{file} | xargs echo export)
Tell the pinentry not to grab the keyboard and mouse. This option
should in general not be used to avoid X-sniffing attacks.
@anchor{option --log-file}
@item --log-file @var{file}
@opindex log-file
Append all logging output to @var{file}. This is very helpful in
seeing what the agent actually does.
Append all logging output to @var{file}. This is very helpful in seeing
what the agent actually does. If neither a log file nor a log file
descriptor has been set on a Windows platform, the Registry entry
@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
the logging output.
@anchor{option --allow-mark-trusted}
@item --allow-mark-trusted
@ -399,7 +420,7 @@ This option does nothing yet.
@item --pinentry-program @var{filename}
@opindex pinentry-program
Use program @var{filename} as the PIN entry. The default is installation
dependent and can be shown with the @code{--version} command.
dependent.
@item --pinentry-touch-file @var{filename}
@opindex pinentry-touch-file
@ -415,7 +436,7 @@ modification and access time.
@item --scdaemon-program @var{filename}
@opindex scdaemon-program
Use program @var{filename} as the Smartcard daemon. The default is
installation dependent and can be shown with the @code{--version}
installation dependent and can be shown with the @command{gpgconf}
command.
@item --disable-scdaemon
@ -435,13 +456,20 @@ a random socket below a temporary directory. Tools connecting to
environment variable @var{GPG_AGENT_INFO} and then fall back to this
socket. This option may not be used if the home directory is mounted on
a remote file system which does not support special files like fifos or
sockets. Note, that @option{--use-standard-socket} is the
default on Windows systems. The default may be changed at build time.
It is possible to test at runtime whether the agent has been configured
for use with the standard socket by issuing the command
@command{gpg-agent --use-standard-socket-p} which returns success if the
standard socket option has been enabled.
sockets.
@ifset gpgtwoone
Note, that @option{--use-standard-socket} is the default on all
systems since GnuPG 2.1.
@end ifset
@ifclear gpgtwoone
Note, that @option{--use-standard-socket} is the default on
Windows systems.
@end ifclear
The default may be changed at build time. It is
possible to test at runtime whether the agent has been configured for
use with the standard socket by issuing the command @command{gpg-agent
--use-standard-socket-p} which returns success if the standard socket
option has been enabled.
@item --display @var{string}
@itemx --ttyname @var{string}
@ -470,7 +498,7 @@ pinentry to pop up at the @code{tty} or display you started the agent.
@item --enable-ssh-support
@opindex enable-ssh-support
Enable emulation of the OpenSSH Agent protocol.
Enable the OpenSSH Agent protocol.
In this mode of operation, the agent does not only implement the
gpg-agent protocol, but also the agent protocol used by OpenSSH
@ -497,10 +525,20 @@ has been started. To switch this display to the current one, the
following command may be used:
@smallexample
echo UPDATESTARTUPTTY | gpg-connect-agent
gpg-connect-agent updatestartuptty /bye
@end smallexample
Although all GnuPG components try to start the gpg-agent as needed, this
is not possible for the ssh support because ssh does not know about it.
Thus if no GnuPG tool which accesses the agent has been run, there is no
guarantee that ssh is abale to use gpg-agent for authentication. To fix
this you may start gpg-agent if needed using this simple command:
@smallexample
gpg-connect-agent /bye
@end smallexample
Adding the @option{--verbose} shows the progress of starting the agent.
@end table
@ -573,10 +611,13 @@ It is possible to add further flags after the @code{S} for use by the
caller:
@table @code
@item relax
Relax checking of some root certificate requirements. This is for
example required if the certificate is missing the basicConstraints
attribute (despite that it is a MUST for CA certificates).
@cindex relax
Relax checking of some root certificate requirements. As of now this
flag allows the use of root certificates with a missing basicConstraints
attribute (despite that it is a MUST for CA certificates) and disables
CRL checking for the root certificate.
@item cm
If validation of a certificate finally issued by a CA with this flag set
@ -586,7 +627,7 @@ fails, try again using the chain validation model.
@item sshcontrol
@cindex sshcontrol
This file is used when support for the secure shell agent protocol has
been enabled (@pxref{option --enable-ssh-support}). Only keys present in
this file are used in the SSH protocol. You should backup this file.
@ -709,7 +750,6 @@ and add something like (for Bourne shells)
. "$@{HOME@}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
export SSH_AGENT_PID
fi
@end example
@end cartouche
@ -1149,11 +1189,13 @@ This can be used to see whether a secret key is available. It does
not return any information on whether the key is somehow protected.
@example
HAVEKEY @var{keygrip}
HAVEKEY @var{keygrips}
@end example
The Agent answers either with OK or @code{No_Secret_Key} (208). The
caller may want to check for other error codes as well.
The agent answers either with OK or @code{No_Secret_Key} (208). The
caller may want to check for other error codes as well. More than one
keygrip may be given. In this case the command returns success if at
least one of the keygrips corresponds to an available secret key.
@node Agent LEARN

59
doc/gpg.texi
View file

@ -3,6 +3,11 @@
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@c Note that we use this texinfo file for all versions of GnuPG: 1.4.x,
@c 2.0 and 2.1. The macro "gpgone" controls parts which are only valid
@c for GnuPG 1.4, the macro "gpgtwoone" controls parts which are only
@c valid for GnupG 2.1 and later.
@node Invoking GPG
@chapter Invoking GPG
@cindex GPG command options
@ -68,18 +73,19 @@ implementation.
@ifset gpgone
This is the standalone version of @command{gpg}. For desktop use you
should consider using @command{gpg2}.
should consider using @command{gpg2} @footnote{On some platforms gpg2 is
installed under the name @command{gpg}}.
@end ifset
@ifclear gpgone
In contrast to the standalone version @command{gpg}, which is more
suited for server and embedded platforms, this version is installed
under the name @command{gpg2} and more targeted to the desktop as it
requires several other modules to be installed. The standalone version
will be kept maintained and it is possible to install both versions on
the same system. If you need to use different configuration files, you
should make use of something like @file{gpg.conf-2} instead of just
@file{gpg.conf}.
suited for server and embedded platforms, this version is commonly
installed under the name @command{gpg2} and more targeted to the desktop
as it requires several other modules to be installed. The standalone
version will be kept maintained and it is possible to install both
versions on the same system. If you need to use different configuration
files, you should make use of something like @file{gpg.conf-2} instead
of just @file{gpg.conf}.
@end ifclear
@manpause
@ -1023,9 +1029,11 @@ give the opposite meaning. The options are:
@item show-photos
@opindex list-options:show-photos
Causes @option{--list-keys}, @option{--list-sigs},
@option{--list-public-keys}, and @option{--list-secret-keys} to display
any photo IDs attached to the key. Defaults to no. See also
@option{--photo-viewer}.
@option{--list-public-keys}, and @option{--list-secret-keys} to
display any photo IDs attached to the key. Defaults to no. See also
@option{--photo-viewer}. Does not work with @option{--with-colons}:
see @option{--attribute-fd} for the appropriate way to get photo data
for scripts and other frontends.
@item show-policy-urls
@opindex list-options:show-policy-urls
@ -1135,6 +1143,9 @@ same, except the file will not be deleted once the viewer exits.
Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
for the key fingerprint, "%t" for the extension of the image type
(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
"%v" for the single-character calculated validity of the image being
viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g.
"full"),
and "%%" for an actual percent sign. If neither %i or %I are present,
then the photo will be supplied to the viewer on standard input.
@ -1773,13 +1784,27 @@ Remove all entries from the @option{--group} list.
Use @var{name} as the key to sign with. Note that this option overrides
@option{--default-key}.
@ifset gpgtwoone
@item --try-secret-key @var{name}
@opindex try-secret-key
For hidden recipients GPG needs to know the keys to use for trial
decryption. The key set with @option{--default-key} is always tried
first, but this is often not sufficient. This option allows to set more
keys to be used for trial decryption. Although any valid user-id
specification may be used for @var{name} it makes sense to use at least
the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
pinentry for a lot keys to do the trial decryption. If you want to stop
all further trial decryption you may use close-window button instead of
the cancel button.
@end ifset
@item --try-all-secrets
@opindex try-all-secrets
Don't look at the key ID as stored in the message but try all secret
keys in turn to find the right decryption key. This option forces the
behaviour as used by anonymous recipients (created by using
@option{--throw-keyids}) and might come handy in case where an encrypted
message contains a bogus key ID.
@option{--throw-keyids} or @option{--hidden-recipient}) and might come
handy in case where an encrypted message contains a bogus key ID.
@item --skip-hidden-recipients
@itemx --no-skip-hidden-recipients
@ -1939,6 +1964,11 @@ obsolete; it does not harm to use it though.
Same as the command @option{--fingerprint} but changes only the format
of the output and may be used together with another command.
@ifset gpgtwoone
@item --with-keygrip
@opindex with-keygrip
Include the keygrip in the key listings.
@end ifset
@end table
@ -2014,8 +2044,7 @@ to safely override the algorithm chosen by the recipient key
preferences, as GPG will only select an algorithm that is usable by
all recipients. The most highly ranked digest algorithm in this list
is also used when signing without encryption
(e.g. @option{--clearsign} or @option{--sign}). The default value is
SHA-1.
(e.g. @option{--clearsign} or @option{--sign}).
@item --personal-compress-preferences @code{string}
Set the list of personal compression preferences to @code{string}.

6
doc/gpgsm.texi
View file

@ -450,7 +450,7 @@ However the standard model (shell) is in that case always tried first.
@opindex ignore-cert-extension
Add @var{oid} to the list of ignored certificate extensions. The
@var{oid} is expected to be in dotted decimal form, like
@code{2.5.29.3}. This option may used more than once. Critical
@code{2.5.29.3}. This option may be used more than once. Critical
flagged certificate extensions matching one of the OIDs in the list
are treated as if they are actually handled and thus the certificate
won't be rejected due to an unknown critical extension. Use this
@ -554,6 +554,10 @@ This option is therefore useful to simply verify a certificate.
For standard key listings, also print the MD5 fingerprint of the
certificate.
@item --with-keygrip
Include the keygrip in standard key listings. Note that the keygrip is
always listed in --with-colons mode.
@end table
@c *******************************************

26
doc/instguide.texi
View file

@ -6,7 +6,6 @@
@node Installation
@chapter A short installation guide.
Unfortunately the installation guide has not been finished in time.
Instead of delaying the release of GnuPG 2.0 even further, I decided to
release without that guide. The chapter on gpg-agent and gpgsm do
@ -16,6 +15,31 @@ meantime you may search the GnuPG mailing list archives or ask on the
gnupg-users mailing listsfor advise on how to solve problems or how to
get that whole thing up and running.
** Building the software
Building the software is decribed in the file @file{INSTALL}. Given
that you are already reading this documentation we can only give some
extra hints
To comply with the rules on GNU systems you should have build time
configured @command{dirmngr} using:
@example
./configure --sysconfdir=/etc --localstatedir=/var
@end example
This is to make sure that system wide configuration files are searched
in the directory @file{/etc/gnupg} and variable data below @file{/var};
the default would be to also install them below @file{/usr/local} where
the binaries get installed. If you selected to use the
@option{--prefix=/} you obviously don't need those option as they are
the default then.
** Explain how to setup a root CA key as trusted
Such questions may also help to write a proper installation guide.
[to be written]

227
doc/tools.texi
View file

@ -16,6 +16,9 @@ GnuPG comes with a couple of smaller tools:
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent:: Communicate with a running agent.
@ifset gpgtwoone
* dirmngr-client:: How to use the Dirmngr client tool.
@end ifset
* gpgparsemail:: Parse a mail message into an annotated format
* symcryptrun:: Call a simple symmetric encryption tool.
* gpg-zip:: Encrypt or sign files into an archive.
@ -41,11 +44,12 @@ GnuPG comes with a couple of smaller tools:
@end ifset
@mansect description
Most of the main utilities are able to write their log files to a
Unix Domain socket if configured that way. @command{watchgnupg} is a simple
listener for such a socket. It ameliorates the output with a time
stamp and makes sure that long lines are not interspersed with log
output from other utilities.
Most of the main utilities are able to write their log files to a Unix
Domain socket if configured that way. @command{watchgnupg} is a simple
listener for such a socket. It ameliorates the output with a time stamp
and makes sure that long lines are not interspersed with log output from
other utilities. This tool is not available for Windows.
@noindent
@command{watchgnupg} is commonly invoked as
@ -69,6 +73,11 @@ This starts it on the current terminal for listening on the socket
@opindex force
Delete an already existing socket file.
@anchor{option watchgnupg --tcp}
@item --tcp @var{n}
Instead of reading from a local socket, listen for connects on TCP port
@var{n}.
@item --verbose
@opindex verbose
Enable extra informational output.
@ -83,6 +92,41 @@ Display a brief help page and exit.
@end table
@noindent
@mansect examples
@chapheading Examples
@example
$ watchgnupg --force /home/foo/.gnupg/S.log
@end example
This waits for connections on the local socket
@file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
work the option @option{log-file} needs to be used with all modules
which logs are to be shown. The value for that option must be given
with a special prefix (e.g. in the conf file):
@example
log-file socket:///home/foo/.gnupg/S.log
@end example
For debugging purposes it is also possible to do remote logging. Take
care if you use this feature because the information is send in the
clear over the network. Use this syntax in the conf files:
@example
log-file tcp://192.168.1.1:4711
@end example
You may use any port and not just 4711 as shown above; only IP addresses
are supported (v4 and v6) and no host names. You need to start
@command{watchgnupg} with the @option{tcp} option. Note that under
Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
can be used to change the default log output from @code{stderr} to
whatever is given by that entry. However the only useful entry is a TCP
name for remote debugging.
@mansect see also
@ifset isman
@command{gpg}(1),
@ -255,6 +299,12 @@ List the global configuration file in a colon separated format. If
Run a syntax check on the global configuration file. If @var{filename}
is given, check that file instead.
@item --reload [@var{component}]
@opindex reload
Reload all or the given component. This is basically the sam as sending
a SIGHUP to the component. Components which don't support reloading are
ignored.
@end table
@ -1129,6 +1179,11 @@ Try to be as quiet as possible.
@include opt-homedir.texi
@item --agent-program @var{file}
@opindex agent-program
Specify the agent program to be started if none is running.
@item -S
@itemx --raw-socket @var{name}
@opindex S
@ -1381,6 +1436,168 @@ Print a list of available control commands.
@include see-also-note.texi
@end ifset
@ifset gpgtwoone
@c
@c DIRMNGR-CLIENT
@c
@node dirmngr-client
@section The Dirmngr Client Tool
@manpage dirmngr-client.1
@ifset manverb
.B dirmngr-client
\- Tool to access the Dirmngr services
@end ifset
@mansect synopsis
@ifset manverb
.B dirmngr-client
.RI [ options ]
.RI [ certfile | pattern ]
@end ifset
@mansect description
The @command{dirmngr-client} is a simple tool to contact a running
dirmngr and test whether a certificate has been revoked --- either by
being listed in the corresponding CRL or by running the OCSP protocol.
If no dirmngr is running, a new instances will be started but this is
in general not a good idea due to the huge performance overhead.
@noindent
The usual way to run this tool is either:
@example
dirmngr-client @var{acert}
@end example
@noindent
or
@example
dirmngr-client <@var{acert}
@end example
Where @var{acert} is one DER encoded (binary) X.509 certificates to be
tested.
@ifclear isman
The return value of this command is
@end ifclear
@mansect return value
@ifset isman
@command{dirmngr-client} returns these values:
@end ifset
@table @code
@item 0
The certificate under question is valid; i.e. there is a valid CRL
available and it is not listed tehre or teh OCSP request returned that
that certificate is valid.
@item 1
The certificate has been revoked
@item 2 (and other values)
There was a problem checking the revocation state of the certificate.
A message to stderr has given more detailed information. Most likely
this is due to a missing or expired CRL or due to a network problem.
@end table
@mansect options
@noindent
@command{dirmngr-client} may be called with the following options:
@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information. Note that you cannot
abbreviate this command.
@item --help, -h
@opindex help
Print a usage message summarizing the most useful command-line options.
Note that you cannot abbreviate this command.
@item --quiet, -q
@opindex quiet
Make the output extra brief by suppressing any informational messages.
@item -v
@item --verbose
@opindex v
@opindex verbose
Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to @sc{dirmngr}, such as @samp{-vv}.
@item --pem
@opindex pem
Assume that the given certificate is in PEM (armored) format.
@item --ocsp
@opindex ocsp
Do the check using the OCSP protocol and ignore any CRLs.
@item --force-default-responder
@opindex force-default-responder
When checking using the OCSP protocl, force the use of the default OCSP
responder. That is not to use the Reponder as given by the certificate.
@item --ping
@opindex ping
Check whether the dirmngr daemon is up and running.
@item --cache-cert
@opindex cache-cert
Put the given certificate into the cache of a running dirmngr. This is
mainly useful for debugging.
@item --validate
@opindex validate
Validate the given certificate using dirmngr's internal validation code.
This is mainly useful for debugging.
@item --load-crl
@opindex load-crl
This command expects a list of filenames with DER encoded CRL files.
With the option @option{--url} URLs are expected in place of filenames
and they are loaded directly from the given location. All CRLs will be
validated and then loaded into dirmngr's cache.
@item --lookup
@opindex lookup
Take the remaining arguments and run a lookup command on each of them.
The results are Base-64 encoded outputs (without header lines). This
may be used to retrieve certificates from a server. However the output
format is not very well suited if more than one certificate is returned.
@item --url
@itemx -u
@opindex url
Modify the @command{lookup} and @command{load-crl} commands to take an URL.
@item --local
@itemx -l
@opindex url
Let the @command{lookup} command only search the local cache.
@item --squid-mode
@opindex squid-mode
Run @sc{dirmngr-client} in a mode suitable as a helper program for
Squid's @option{external_acl_type} option.
@end table
@ifset isman
@mansect see also
@command{dirmngr}(8),
@command{gpgsm}(1)
@include see-also-note.texi
@end ifset
@end ifset
@c
@c GPGPARSEMAIL