mirror of git://git.gnupg.org/gnupg.git synced 2025-01-10 13:04:23 +01:00

* Changed variable for default gnupg.org http location from $hGPG
  to $hGPGHTTP and update instances of variable throughout FAQ in
  introduction area and sections 1.1, 2.1 and 2.2

* Added section 1.4 - What conventions are used in this FAQ?
  + unices vs. win32 (with hyperlink (<Rhomedir>) to section 4.18 for
    example
  + gpg.conf vs. options (with hyperlink (<Roptions>) to section 5.8
    to note name change

* Corrected section 2.2 - Changed ftp URL (both display and link URLs)
  from "ftp://ftp.gnupg.org/pub/gcrypt" to ftp://ftp.gnupg.org/gcrypt/,
  and the display URL (not the actual link URL, it's correct) of the http
  URL from "http://www.gnupg.org/mirror.html" to
 "http://www.gnupg.org/mirrors.html"

* Included variable ($hVERSION) for easier updating of latest gpg
  version when referenced (as in section 2.2)

* Included variable ($hGPGFTP) for default gnupg.org ftp location
  (ftp://ftp.gnupg.org) for use in sections 2.2 and 4.16

* Corrected section 3.1 visual display of link from
  "http://www.gnupg.org/gnupg.html#supsys" to
  "http://www.gnupg.org/backend.html#supsys"

* Edited sections 3.1, 3.2, 5.2 to include $hGPGHTTP variable

* Corrected section 3.2 - Word typo ("avoided" was "avoiced").

* Corrected / edited section 3.3 -
  + corrected link: ftp://ftp.gnupg.dk/pub/contrib-dk/
    for idea.c.gz, idea.c.gz.sig, ideadll.zip, ideadll.zip.sig
  + edited section to include all files and added
    ~/.gnupg/gpg.conf info

* Edited section 4.6 - As this section deals with losing a public key,
  I added a paragraph containing a hyperlink to the end of section 4.21
  ("I still have my secret key, but lost my public key..."). The
  paragraph reads: "If you've lost your public key and need to recreate
  it instead for continued use with your secret key, you may be able to
  use gpgsplit as detailed in question <Rgpgsplit>."

* Edited section 4.15 - Added paragraph below table on GPGrelay, an
  application for MUAs that lack OpenPGP (rfc2015) support to. "Users of
  Win32 MUAs that lack OpenPGP support may look into using GPGrelay
  <http://http://gpgrelay.sourceforge.net>, a small email-relaying
  server that uses GnuPG to enable many email clients to send and
  receive emails that conform to PGP-MIME (RFC 2015)."
  suggested by: Andreas John <aj@tesla.inka.de>

* Corrected section 4.16 - Incorporated Werner's URL fix for gpgme FTP
  location to synchronize local CVS with released FAQ version 1.5.8.

* Added section 4.19 - "How do I verify signed packages?"
  suggested by: Christian Reis <kiko@async.com.br>

* Added section 4.20 - "How do I export a keyring with only selected
  signatures?"
  by: David Shaw <dshaw@jabberwocky.com>

* Added section 4.21 - "I still have my secret key, but lost my public
  key. What can I do?"
  by: Werner Koch <wk@gnupg.org>

* Added section 4.22 - "Clearsigned messages sent from my web-mail
  account have an invalid signature. Why?"
  by: David Scribner <dscribner@bigfoot.com>

* Edited / Corrected section 5.8 - Changed question from "I just
  installed the most recent version of GnuPG and don't have a
  ~/.gnupg/options file. Is this missing from the installation?" to
  "GnuPG no longer installs a ~/.gnupg/options file. Is it missing?"
  + Added "An existing options file can be renamed to gpg.conf for
    users upgrading, or receiving the message that the "old default
    options file" is ignored (occurs if both a gpg.conf and an
    options file are found)." to the end of the paragraph.
  + Corrected ~/.gnupg/gpg.conf (was ~/.gnupg/conf)

* Added section 5.9 - "How do you export GnuPG keys for use with PGP?"
  by: David Shaw <dshaw@jabberwocky.com>
Werner Koch 2002-12-05 18:47:58 +00:00
parent 77f99fd667
commit 5c504ac5c5

@ -7,21 +7,23 @@ The most recent version of the FAQ is available from
[$usenetheader=
]
[$maintainer=David D. Scribner, <faq 'at' gnupg.org>]
[$hGPG=http://www.gnupg.org]
[$hGPGHTTP=http://www.gnupg.org]
[$hGPGFTP=ftp://ftp.gnupg.org]
[$hVERSION=1.2.1]
[H body bgcolor=#ffffff text=#000000 link=#1f00ff alink=#ff0000 vlink=#9900dd]
[H H1]GnuPG Frequently Asked Questions[H /H1]
[H p]
Version: 1.5.8[H br]
Last-Modified: Oct 8, 2002[H br]
Version: 1.6.0[H br]
Last-Modified: Dec 1, 2002[H br]
Maintained-by: [$maintainer]
[H /p]
This is the GnuPG FAQ. The latest HTML version is available
[H a href=[$hGPG]/faq.html]here[H/a].
[H a href=[$hGPGHTTP]/faq.html]here[H/a].
The index is generated automatically, so there may be errors. Not all
questions may be in the section they belong to. Suggestions about how
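Review bot: the `[$hGPG=...]` definition goes away at the top of this hunk, so any `[$hGPG]` reference that is not converted elsewhere in the FAQ source will stop expanding. The commit message lists the introduction and sections 1.1, 2.1 and 2.2 as converted; please search the whole file for remaining `[$hGPG]` uses before this goes in.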
@ -44,7 +46,7 @@ you could search in the mailing list archive.
<Q> What is GnuPG?
[H a href=[$hGPG]]GnuPG[H /a] stands for GNU Privacy Guard and
[H a href=[$hGPGHTTP]]GnuPG[H /a] stands for GNU Privacy Guard and
is GNU's tool for secure communication and data storage. It can be
used to encrypt data and to create digital signatures. It includes
an advanced key management facility and is compliant with the
@ -66,6 +68,35 @@ you could search in the mailing list archive.
read the file titled COPYING that accompanies the application for
more information.
<Q> What conventions are used in this FAQ?
Although GnuPG is being developed for several operating systems
(often in parallel), the conventions used in this FAQ reflect a
UNIX shell environment. For Win32 users, references to a shell
prompt (`$') should be interpreted as a command prompt (`>'),
directory names separated by a forward slash (`/') may need to be
converted to a back slash (`\'), and a tilde (`~') represents a
user's "home" directory (reference question <Rhomedir> for an example).
Also, the indicator used to inform the shell that a continuation
of the command will follow on the next line (the `\' character
seen at the end of some command strings in this FAQ, and represents
a "\<newline>" pair) should be noted. If your shell or command
interpreter does not support this convention, the command should be
typed in its entirety as a single entry after removing the trailing
backslash and continuing with the second line before pressing Enter
or the return key.
Please keep in mind that this FAQ contains information that may not
apply to your particular version, as new features and bug fixes are
added on a continuing basis (reference the NEWS file included with
the source or package for noteworthy changes between versions). One
item to note is that starting with GnuPG version 1.1.92 the file
containing user options and settings has been renamed from "options"
to "gpg.conf". Information in the FAQ that relates to the options
file may be interchangable with the newer gpg.conf file in many
instances. See question <Roptions> for details.
<S> SOURCES of INFORMATION
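Review bot: in the new conventions answer, "interchangable" should be "interchangeable", and the parenthetical about line continuation ("the `\' character seen at the end of some command strings in this FAQ, and represents a "\<newline>" pair") has no subject for "represents". Suggest splitting it into two sentences: one saying that a trailing backslash marks a command continued on the next line, and one saying what to do when the shell does not support it.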
@ -74,7 +105,7 @@ you could search in the mailing list archive.
On-line resources:
[H UL]
[H LI]The documentation page is located at [H a href=[$hGPG]/docs.html]<[$hGPG]/docs.html>[H/a].
[H LI]The documentation page is located at [H a href=[$hGPGHTTP]/docs.html]<[$hGPGHTTP]/docs.html>[H/a].
Also, have a look at the HOWTOs and the GNU Privacy Handbook (GPH,
available in English, Spanish and Russian). The latter provides a
detailed user's guide to GnuPG. You'll also find a document about
@ -86,8 +117,8 @@ you could search in the mailing list archive.
the developers.
In addition, searchable archives can be found on MARC, e.g.: [H br]
gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2>[H/a],[H br]
gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2>[H/a].[H br]
gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2>[H/a][H br]
gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2>[H/a][H br]
[H B]PLEASE:[H/B]
Before posting to a list, read this FAQ and the available
@ -108,13 +139,13 @@ you could search in the mailing list archive.
<Q> Where do I get GnuPG?
You can download the GNU Privacy Guard from its primary FTP server
[H a href=ftp://ftp.gnupg.org/pub/gcrypt]<ftp.gnupg.org>[H /a] or from one of the mirrors:
[H a href=[$hGPGFTP]/gcrypt/]<[$hGPGFTP]/gcrypt/>[H /a] or from one of the mirrors:
[H a href=[$hGPG]/mirrors.html]
<[$hGPG]/mirror.html>
[H a href=[$hGPGHTTP]/mirrors.html]
<[$hGPGHTTP]/mirrors.html>
[H /a]
The current stable version is 1.2.x. Please upgrade to this version as
The current stable version is [$hVERSION]. Please upgrade to this version as
it includes additional features, functions and security fixes that may
not have existed in prior versions.
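Review bot: "The current stable version is [$hVERSION]" replaces the open-ended "1.2.x" with a fixed 1.2.1, so the sentence that urges readers to upgrade for security fixes will name a stale release unless the variable is bumped with every release. Either add that step to the release checklist or keep the wording generic here and use [$hVERSION] only where an exact version is needed.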
@ -127,8 +158,8 @@ you could search in the mailing list archive.
Windows NT/2000) and Macintosh OS/X. A list of OSes reported to be OK
is presented at:
[H a href=http://www.gnupg.org/backend.html#supsys]
<http://www.gnupg.org/gnupg.html#supsys>
[H a href=[$hGPGHTTP]/backend.html#supsys]
<[$hGPGHTTP]/backend.html#supsys>
[H /a]
<Q> Which random data gatherer should I use?
@ -150,7 +181,7 @@ you could search in the mailing list archive.
On other systems, the Entropy Gathering Daemon (EGD) is a good choice.
It is a perl-daemon that monitors system activity and hashes it into
random data. See the download page [H a href=http://www.gnupg.org/download.html]<http://www.gnupg.org/download.html>[H /a]
random data. See the download page [H a href=[$hGPGHTTP]/download.html]<[$hGPGHTTP]/download.html>[H /a]
to obtain EGD. Use:
[H pre]
@ -174,14 +205,21 @@ you could search in the mailing list archive.
However, there is an unofficial module to include it even in earlier
versions of GnuPG. It's available from
[H a href=ftp://ftp.gnupg.org/pub/gcrypt/contrib/]<ftp://ftp.gnupg.org/pub/gcrypt/contrib/>[H /a]. Look for:
[H a href=ftp://ftp.gnupg.dk/pub/contrib-dk/]<ftp://ftp.gnupg.dk/pub/contrib-dk/>[H /a]. Look for:
[H pre]
idea.c
idea.c.gz (c module)
idea.c.gz.sig (signature file)
[H /pre]
[H pre]
ideadll.zip (c module and win32 dll)
ideadll.zip.sig (signature file)
[H /pre]
Compilation directives are in the headers of these files. You will
then need to add the following line to your ~/.gnupg/options file:
then need to add the following line to your ~/.gnupg/gpg.conf or
~/.gnupg/options file:
[H pre]
load-extension idea
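Review bot: the IDEA answer now lists idea.c.gz.sig and ideadll.zip.sig, but the text goes straight from the file list to "Compilation directives are in the headers" and `load-extension idea` without telling the reader to check those signatures. This is an unofficial module from a contrib server that ends up loaded into gpg, so add a sentence asking the reader to verify the download first, with a reference to the new "How do I verify signed packages?" question. The two adjacent [H pre] blocks could also be merged into one.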
@ -334,6 +372,10 @@ you could search in the mailing list archive.
which can be obtained by using the --with-colons options (it is
the fifth field in the lines beginning with "sec").
If you've lost your public key and need to recreate it instead
for continued use with your secret key, you may be able to use
gpgsplit as detailed in question <Rgpgsplit>.
<Q> What are trust, validity and ownertrust?
With GnuPG, the term "ownertrust" is used instead of "trust" to
@ -502,16 +544,21 @@ you could search in the mailing list archive.
Good overviews of OpenPGP-support can be found at:[H br]
[H a href=http://cryptorights.org/pgp-users/resources/pgp-mail-clients.html]<http://cryptorights.org/pgp-users/resources/pgp-mail-clients.html>[H /a],[H br]
[H a href=http://www.geocities.com/openpgp/courrier_en.html]<http://www.geocities.com/openpgp/courrier_en.html>[H /a] and[H br]
[H a href=http://www.geocities.com/openpgp/courrier_en.html]<http://www.geocities.com/openpgp/courrier_en.html>[H /a], and[H br]
[H a href=http://www.bretschneidernet.de/tips/secmua.html]<http://www.bretschneidernet.de/tips/secmua.html>[H /a].
Users of Win32 MUAs that lack OpenPGP support may look into
using GPGrelay [H a href=http://http://gpgrelay.sourceforge.net]<http://gpgrelay.sourceforge.net>[H /a], a small
email-relaying server that uses GnuPG to enable many email clients
to send and receive emails that conform to PGP-MIME (RFC 2015).
<Q> Can't we have a gpg library?
This has been frequently requested. However, the current viewpoint
of the GnuPG maintainers is that this would lead to several security
issues and will therefore not be implemented in the foreseeable
future. However, for some areas of application gpgme could do the
trick. You'll find it at [H a href=ftp://ftp.gnupg.org/gcrypt/alpha/gpgme]<ftp://ftp.gnupg.org/gcrypt/alpha/gpgme>[H /a].
trick. You'll find it at [H a href=[$hGPGFTP]/gcrypt/alpha/gpgme]<[$hGPGFTP]/gcrypt/alpha/gpgme>[H /a].
<Q> I have successfully generated a revocation certificate, but I don't
understand how to send it to the key servers.
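Review bot: the GPGrelay link in the new paragraph has a doubled scheme in its href, `href=http://http://gpgrelay.sourceforge.net`, while the display text is correct, so the rendered link will not resolve to the project site. Change the href to `http://gpgrelay.sourceforge.net`.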
@ -531,6 +578,7 @@ you could search in the mailing list archive.
(or use a keyserver web interface for this).
<Dhomedir>
<Q> How do I put my keyring in a different directory?
GnuPG keeps several files in a special homedir directory. These
@ -549,6 +597,76 @@ you could search in the mailing list archive.
on a floppy disk. Don't use "--keyring" as its purpose is to specify
additional keyring files.
<Q> How do I verify signed packages?
Before you can verify the signature that accompanies a package,
you must first have the vendor, organisation, or issueing person's
key imported into your public keyring. To prevent GnuPG warning
messages the key should also be validated (or locally signed).
You will also need to download the detached signature file along
with the package. These files will usually have the same name as
the package, with either a binary (.sig) or ASCII armor (.asc)
extension.
Once their key has been imported, and the package and accompanying
signature files have been downloaded, use:
[H pre]
$ gpg --verify sigfile signed-file
[H /pre]
If the signature file has the same base name as the package file,
the package can also be verified by specifying just the signature
file, as GnuPG will derive the package's file name from the name
given (less the .sig or .asc extension). For example, to verify a
package named foobar.tar.gz against its detached binary signature
file, use:
[H pre]
$ gpg --verify foobar.tar.gz.sig
[H /pre]
<Q> How do I export a keyring with only selected signatures?
If you're wanting to create a keyring with only a subset of signatures
selected from a master keyring (for a club, user group, or company
department for example), simply specify the keys you want to export:
[H pre]
$ gpg --armor --export key1 key2 key3 key4 > keys1-4.asc
[H /pre]
<Dgpgsplit>
<Q> I still have my secret key, but lost my public key. What can I do?
All OpenPGP secret keys have a copy of the public key inside them,
and in a worst-case scenario, you can create yourself a new public
key using the secret key.
A tool to convert a secret key into a public one has been included
(it's actually a new option for gpgsplit) and is available with GnuPG
versions 1.2.1 or later (or can be found in CVS). It works like this:
[H pre]
$ gpgsplit --no-split --secret-to-public secret.gpg >publickey.gpg
[H /pre]
One should first try to export the secret key and convert just this
one. Using the entire secret keyring should work too. After this has
been done, the publickey.gpg file can be imported into GnuPG as usual.
<Q> Clearsigned messages sent from my web-mail account have an invalid
signature. Why?
Check to make sure the settings for your web-based email account
do not use HTML formatting for the pasted clearsigned message. This can
alter the message with embedded HTML markup tags or spaces, resulting
in an invalid signature. The recipient may be able to copy the signed
message block to a text file for verification, or the web email
service may allow you to attach the clearsigned message as a file
if plaintext messages are not an option.
<S> COMPATIBILITY ISSUES
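Review bot: in "How do I verify signed packages?", key validation is presented only as a way "to prevent GnuPG warning messages", which invites readers to locally sign whatever key they just imported. Suggest saying that the key's fingerprint should be checked against a source independent of the download site before it is signed locally, because a good signature from an unchecked key says nothing about who made the package. Two smaller points in the same hunk: "issueing" should be "issuing", and the question "How do I export a keyring with only selected signatures?" is answered with a command that exports selected keys, so the title or the answer should be adjusted to match.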
@ -599,7 +717,7 @@ you could search in the mailing list archive.
algorithm is still patented until 2007. Under certain conditions you
may use IDEA even today. In that case, you may refer to Question
<Ridea> about how to add IDEA support to GnuPG and read
[H a href=http://www.gnupg.org/gph/en/pgp2x.html]<http://www.gnupg.org/gph/en/pgp2x.html>[H /a] to perform the migration.
[H a href=[$hGPGHTTP]/gph/en/pgp2x.html]<[$hGPGHTTP]/gph/en/pgp2x.html>[H /a] to perform the migration.
<Q> (removed)
@ -668,13 +786,81 @@ you could search in the mailing list archive.
--export-secret-keys <key-ID>
[H /pre]
<Q> I just installed the most recent version of GnuPG and don't have a
~/.gnupg/options file. Is this missing from the installation?
<Doptions>
<Q> GnuPG no longer installs a ~/.gnupg/options file. Is it missing?
No. The ~/.gnupg/options file has been renamed to ~/.gnupg/conf for
No. The ~/.gnupg/options file has been renamed to ~/.gnupg/gpg.conf for
new installs as of version 1.1.92. If an existing ~/.gnupg/options file
is found during an upgrade it will still be used, but this change was
required to have a more consistent naming scheme with forthcoming tools.
An existing options file can be renamed to gpg.conf for users upgrading,
or receiving the message that the "old default options file" is ignored
(occurs if both a gpg.conf and an options file are found).
<Q> How do you export GnuPG keys for use with PGP?
This has come up fairly often, so here's the HOWTO:
PGP can (for most key types) use secret keys generated by GnuPG. The
problems that come up occasionally are generally because GnuPG
supports a few more features from the OpenPGP standard than PGP does.
If your secret key has any of those features in use, then PGP will
reject the key or you will have problems communicating later. Note
that PGP doesn't do ElGamal signing keys at all, so they are not
usable with any version.
These instructions should work for GnuPG 1.0.7 and later, and PGP
7.0.3 and later.
Start by editing the key. Most of this line is not really necessary
as the default values are correct, but it does not hurt to repeat the
values, as this will override them in case you have something else set
in your options file.
[H pre]
$ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3 \
--simple-sk-checksum --edit KeyID
[H /pre]
Turn off some features. Set the list of preferred ciphers, hashes,
and compression algorithms to things that PGP can handle. (Yes, I
know this is an odd list of ciphers, but this is what PGP itself uses,
minus IDEA).
[H pre]
> setpref S9 S8 S7 S3 S2 S10 H2 H3 Z1 Z0
[H /pre]
Now put the list of preferences onto the key.
[H pre]
> updpref
[H /pre]
Finally we must decrypt and re-encrypt the key, making sure that we
encrypt with a cipher that PGP likes. We set this up in the --edit
line above, so now we just need to change the passphrase to make it
take effect. You can use the same passphrase if you like, or take
this opportunity to actually change it.
[H pre]
> passwd
[H /pre]
Save our work.
[H pre]
> save
[H /pre]
Now we can do the usual export:
[H pre]
$ gpg --export KeyID > mypublickey.pgp
$ gpg --export-secret-key KeyID > mysecretkey.pgp
[H /pre]
Thanks to David Shaw for this information!
<S> PROBLEMS and ERROR MESSAGES
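Review bot: the last step of the PGP export HOWTO writes the secret key to mysecretkey.pgp in the current directory, and the text ends there without saying what to do with that file. Add a line telling the reader to keep the file out of shared locations and to remove it once PGP has imported it. Also, the --edit step says "most of this line is not really necessary as the default values are correct" without naming which options differ from the defaults; listing them would let readers see what they are changing on their key.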
@ -882,8 +1068,8 @@ you could search in the mailing list archive.
http://www.gnupg.org/developer/gpg-woody-fix.txt
[H /pre]
<Q> I've upgraded to GnuPG version 1.0.7 and now it takes longer to load
my keyrings. What can I do?
<Q> I upgraded to GnuPG version 1.0.7 and now it takes longer to load my
keyrings. What can I do?
The way signature states are stored has changed so that v3 signatures
can be supported. You can use the new --rebuild-keydb-caches migration