From 5c504ac5c5514ec22aa83ec3be174a10a86b441f Mon Sep 17 00:00:00 2001 
From: Werner Koch
Date: Thu, 5 Dec 2002 18:47:58 +0000
Subject: [PATCH] * Changed variable for default gnupg.org http location from $hGPG to $hGPGHTTP and update instances of variable throughout FAQ in introduction area and sections 1.1, 2.1 and 2.2

* Added section 1.4 - What conventions are used in this FAQ?
  + unices vs. win32 (with hyperlink () to section 4.18 for example
  + gpg.conf vs. options (with hyperlink () to section 5.8 to note name change
* Corrected section 2.2 - Changed ftp URL (both display and link URLs) from "ftp://ftp.gnupg.org/pub/gcrypt" to ftp://ftp.gnupg.org/gcrypt/, and the display URL (not the actual link URL, it's correct) of the http URL from "http://www.gnupg.org/mirror.html" to "http://www.gnupg.org/mirrors.html"
* Included variable ($hVERSION) for easier updating of latest gpg version when referenced (as in section 2.2)
* Included variable ($hGPGFTP) for default gnupg.org ftp location (ftp://ftp.gnupg.org) for use in sections 2.2 and 4.16
* Corrected section 3.1 visual display of link from "http://www.gnupg.org/gnupg.html#supsys" to "http://www.gnupg.org/backend.html#supsys"
* Edited sections 3.1, 3.2, 5.2 to include $hGPGHTTP variable
* Corrected section 3.2 - Word typo ("avoided" was "avoiced").
* Corrected / edited section 3.3 -
  + corrected link: ftp://ftp.gnupg.dk/pub/contrib-dk/ for idea.c.gz, idea.c.gz.sig, ideadll.zip, ideadll.zip.sig
  + edited section to include all files and added ~/.gnupg/gpg.conf info
* Edited section 4.6 - As this section deals with losing a public key, I added a paragraph containing a hyperlink to the end of section 4.21 ("I still have my secret key, but lost my public key..."). The paragraph reads: "If you've lost your public key and need to recreate it instead for continued use with your secret key, you may be able to use gpgsplit as detailed in question ."
* Edited section 4.15 - Added paragraph below table on GPGrelay, an application for MUAs that lack OpenPGP (rfc2015) support.
  "Users of Win32 MUAs that lack OpenPGP support may look into using GPGrelay, a small email-relaying server that uses GnuPG to enable many email clients to send and receive emails that conform to PGP-MIME (RFC 2015)." suggested by: Andreas John
* Corrected section 4.16 - Incorporated Werner's URL fix for gpgme FTP location to synchronize local CVS with released FAQ version 1.5.8.
* Added section 4.19 - "How do I verify signed packages?" suggested by: Christian Reis
* Added section 4.20 - "How do I export a keyring with only selected signatures?" by: David Shaw
* Added section 4.21 - "I still have my secret key, but lost my public key. What can I do?" by: Werner Koch
* Added section 4.22 - "Clearsigned messages sent from my web-mail account have an invalid signature. Why?" by: David Scribner
* Edited / Corrected section 5.8 - Changed question from "I just installed the most recent version of GnuPG and don't have a ~/.gnupg/options file. Is this missing from the installation?" to "GnuPG no longer installs a ~/.gnupg/options file. Is it missing?"
  + Added "An existing options file can be renamed to gpg.conf for users upgrading, or receiving the message that the "old default options file" is ignored (occurs if both a gpg.conf and an options file are found)." to the end of the paragraph.
  + Corrected ~/.gnupg/gpg.conf (was ~/.gnupg/conf)
* Added section 5.9 - "How do you export GnuPG keys for use with PGP?" by: David Shaw
---
 doc/faq.raw | 238 ++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 212 insertions(+), 26 deletions(-)

diff --git a/doc/faq.raw b/doc/faq.raw
index 170c76d7f..f17c527e7 100644
--- a/doc/faq.raw
+++ b/doc/faq.raw
@@ -7,21 +7,23 @@ The most recent version of the FAQ is available from [$usenetheader= ] [$maintainer=David D. Scribner, ] -[$hGPG=http://www.gnupg.org] +[$hGPGHTTP=http://www.gnupg.org] +[$hGPGFTP=ftp://ftp.gnupg.org] +[$hVERSION=1.2.1] [H body bgcolor=#ffffff text=#000000 link=#1f00ff alink=#ff0000 vlink=#9900dd] [H H1]GnuPG Frequently Asked Questions[H /H1] [H p] -Version: 1.5.8[H br] -Last-Modified: Oct 8, 2002[H br] +Version: 1.6.0[H br] +Last-Modified: Dec 1, 2002[H br] Maintained-by: [$maintainer] [H /p] This is the GnuPG FAQ. The latest HTML version is available -[H a href=[$hGPG]/faq.html]here[H/a]. +[H a href=[$hGPGHTTP]/faq.html]here[H/a]. The index is generated automatically, so there may be errors. Not all questions may be in the section they belong to. Suggestions about how @@ -44,7 +46,7 @@ you could search in the mailing list archive. What is GnuPG? - [H a href=[$hGPG]]GnuPG[H /a] stands for GNU Privacy Guard and + [H a href=[$hGPGHTTP]]GnuPG[H /a] stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the 
@@ -66,6 +68,35 @@ you could search in the mailing list archive. read the file titled COPYING that accompanies the application for more information. + What conventions are used in this FAQ? + + Although GnuPG is being developed for several operating systems + (often in parallel), the conventions used in this FAQ reflect a + UNIX shell environment. For Win32 users, references to a shell + prompt (`$') should be interpreted as a command prompt (`>'), + directory names separated by a forward slash (`/') may need to be + converted to a back slash (`\'), and a tilde (`~') represents a + user's "home" directory (reference question for an example). + + Also, the indicator used to inform the shell that a continuation + of the command will follow on the next line (the `\' character + seen at the end of some command strings in this FAQ, and represents + a "\" pair) should be noted. If your shell or command + interpreter does not support this convention, the command should be + typed in its entirety as a single entry after removing the trailing + backslash and continuing with the second line before pressing Enter + or the return key. + + Please keep in mind that this FAQ contains information that may not + apply to your particular version, as new features and bug fixes are + added on a continuing basis (reference the NEWS file included with + the source or package for noteworthy changes between versions). One + item to note is that starting with GnuPG version 1.1.92 the file + containing user options and settings has been renamed from "options" + to "gpg.conf". Information in the FAQ that relates to the options + file may be interchangable with the newer gpg.conf file in many + instances. See question for details. + SOURCES of INFORMATION 
@@ -74,7 +105,7 @@ you could search in the mailing list archive. On-line resources: [H UL] - [H LI]The documentation page is located at [H a href=[$hGPG]/docs.html]<[$hGPG]/docs.html>[H/a]. + [H LI]The documentation page is located at [H a href=[$hGPGHTTP]/docs.html]<[$hGPGHTTP]/docs.html>[H/a]. Also, have a look at the HOWTOs and the GNU Privacy Handbook (GPH, available in English, Spanish and Russian). The latter provides a detailed user's guide to GnuPG. You'll also find a document about @@ -86,8 +117,8 @@ you could search in the mailing list archive. the developers. In addition, searchable archives can be found on MARC, e.g.: [H br] - gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2][H/a],[H br] - gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2][H/a].[H br] + gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2][H/a][H br] + gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2][H/a][H br] [H B]PLEASE:[H/B] Before posting to a list, read this FAQ and the available @@ -108,13 +139,13 @@ you could search in the mailing list archive. Where do I get GnuPG? You can download the GNU Privacy Guard from its primary FTP server - [H a href=ftp://ftp.gnupg.org/pub/gcrypt][H /a] or from one of the mirrors: + [H a href=[$hGPGFTP]/gcrypt/]<[$hGPGFTP]/gcrypt/>[H /a] or from one of the mirrors: - [H a href=[$hGPG]/mirrors.html] - <[$hGPG]/mirror.html> + [H a href=[$hGPGHTTP]/mirrors.html] + <[$hGPGHTTP]/mirrors.html> [H /a] - The current stable version is 1.2.x. Please upgrade to this version as + The current stable version is [$hVERSION]. Please upgrade to this version as it includes additional features, functions and security fixes that may not have existed in prior versions. 
@@ -127,8 +158,8 @@ you could search in the mailing list archive. Windows NT/2000) and Macintosh OS/X. A list of OSes reported to be OK is presented at: - [H a href=http://www.gnupg.org/backend.html#supsys] - + [H a href=[$hGPGHTTP]/backend.html#supsys] + <[$hGPGHTTP]/backend.html#supsys> [H /a] Which random data gatherer should I use? @@ -150,7 +181,7 @@ you could search in the mailing list archive. On other systems, the Entropy Gathering Daemon (EGD) is a good choice. It is a perl-daemon that monitors system activity and hashes it into - random data. See the download page [H a href=http://www.gnupg.org/download.html][H /a] + random data. See the download page [H a href=[$hGPGHTTP]/download.html]<[$hGPGHTTP]/download.html>[H /a] to obtain EGD. Use: [H pre] @@ -174,14 +205,21 @@ you could search in the mailing list archive. However, there is an unofficial module to include it even in earlier versions of GnuPG. It's available from - [H a href=ftp://ftp.gnupg.org/pub/gcrypt/contrib/][H /a]. Look for: + [H a href=ftp://ftp.gnupg.dk/pub/contrib-dk/][H /a]. Look for: [H pre] - idea.c + idea.c.gz (c module) + idea.c.gz.sig (signature file) + [H /pre] + + [H pre] + ideadll.zip (c module and win32 dll) + ideadll.zip.sig (signature file) [H /pre] Compilation directives are in the headers of these files. You will - then need to add the following line to your ~/.gnupg/options file: + then need to add the following line to your ~/.gnupg/gpg.conf or + ~/.gnupg/options file: [H pre] load-extension idea @@ -334,6 +372,10 @@ you could search in the mailing list archive. which can be obtained by using the --with-colons options (it is the fifth field in the lines beginning with "sec"). + If you've lost your public key and need to recreate it instead + for continued use with your secret key, you may be able to use + gpgsplit as detailed in question . + What are trust, validity and ownertrust? With GnuPG, the term "ownertrust" is used instead of "trust" to 
@@ -502,16 +544,21 @@ you could search in the mailing list archive. Good overviews of OpenPGP-support can be found at:[H br] [H a href=http://cryptorights.org/pgp-users/resources/pgp-mail-clients.html][H /a],[H br] - [H a href=http://www.geocities.com/openpgp/courrier_en.html][H /a] and[H br] + [H a href=http://www.geocities.com/openpgp/courrier_en.html][H /a], and[H br] [H a href=http://www.bretschneidernet.de/tips/secmua.html][H /a]. + Users of Win32 MUAs that lack OpenPGP support may look into + using GPGrelay [H a href=http://http://gpgrelay.sourceforge.net][H /a], a small + email-relaying server that uses GnuPG to enable many email clients + to send and receive emails that conform to PGP-MIME (RFC 2015). + Can't we have a gpg library? This has been frequently requested. However, the current viewpoint of the GnuPG maintainers is that this would lead to several security issues and will therefore not be implemented in the foreseeable future. However, for some areas of application gpgme could do the - trick. You'll find it at [H a href=ftp://ftp.gnupg.org/gcrypt/alpha/gpgme][H /a]. + trick. You'll find it at [H a href=[$hGPGFTP]/gcrypt/alpha/gpgme]<[$hGPGFTP]/gcrypt/alpha/gpgme>[H /a]. I have successfully generated a revocation certificate, but I don't understand how to send it to the key servers. @@ -531,6 +578,7 @@ you could search in the mailing list archive. (or use a keyserver web interface for this). + How do I put my keyring in a different directory? GnuPG keeps several files in a special homedir directory. These 
@@ -549,6 +597,76 @@ you could search in the mailing list archive. on a floppy disk. Don't use "--keyring" as its purpose is to specify additional keyring files. + How do I verify signed packages? + + Before you can verify the signature that accompanies a package, + you must first have the vendor, organisation, or issueing person's + key imported into your public keyring. To prevent GnuPG warning + messages the key should also be validated (or locally signed). + + You will also need to download the detached signature file along + with the package. These files will usually have the same name as + the package, with either a binary (.sig) or ASCII armor (.asc) + extension. + + Once their key has been imported, and the package and accompanying + signature files have been downloaded, use: + + [H pre] + $ gpg --verify sigfile signed-file + [H /pre] + + If the signature file has the same base name as the package file, + the package can also be verified by specifying just the signature + file, as GnuPG will derive the package's file name from the name + given (less the .sig or .asc extension). For example, to verify a + package named foobar.tar.gz against its detached binary signature + file, use: + + [H pre] + $ gpg --verify foobar.tar.gz.sig + [H /pre] + + How do I export a keyring with only selected signatures? + + If you're wanting to create a keyring with only a subset of signatures + selected from a master keyring (for a club, user group, or company + department for example), simply specify the keys you want to export: + + [H pre] + $ gpg --armor --export key1 key2 key3 key4 > keys1-4.asc + [H /pre] + + + I still have my secret key, but lost my public key. What can I do? + + All OpenPGP secret keys have a copy of the public key inside them, + and in a worst-case scenario, you can create yourself a new public + key using the secret key. 
+ + A tool to convert a secret key into a public one has been included + (it's actually a new option for gpgsplit) and is available with GnuPG + versions 1.2.1 or later (or can be found in CVS). It works like this: + + [H pre] + $ gpgsplit --no-split --secret-to-public secret.gpg >publickey.gpg + [H /pre] + + One should first try to export the secret key and convert just this + one. Using the entire secret keyring should work too. After this has + been done, the publickey.gpg file can be imported into GnuPG as usual. + + Clearsigned messages sent from my web-mail account have an invalid + signature. Why? + + Check to make sure the settings for your web-based email account + do not use HTML formatting for the pasted clearsigned message. This can + alter the message with embedded HTML markup tags or spaces, resulting + in an invalid signature. The recipient may be able to copy the signed + message block to a text file for verification, or the web email + service may allow you to attach the clearsigned message as a file + if plaintext messages are not an option. + COMPATIBILITY ISSUES @@ -599,7 +717,7 @@ you could search in the mailing list archive. algorithm is still patented until 2007. Under certain conditions you may use IDEA even today. In that case, you may refer to Question about how to add IDEA support to GnuPG and read - [H a href=http://www.gnupg.org/gph/en/pgp2x.html][H /a] to perform the migration. + [H a href=[$hGPGHTTP]/gph/en/pgp2x.html]<[$hGPGHTTP]/gph/en/pgp2x.html>[H /a] to perform the migration. (removed) 
@@ -668,13 +786,81 @@ you could search in the mailing list archive. --export-secret-keys [H /pre] - I just installed the most recent version of GnuPG and don't have a - ~/.gnupg/options file. Is this missing from the installation? + + GnuPG no longer installs a ~/.gnupg/options file. Is it missing? - No. The ~/.gnupg/options file has been renamed to ~/.gnupg/conf for + No. The ~/.gnupg/options file has been renamed to ~/.gnupg/gpg.conf for new installs as of version 1.1.92. If an existing ~/.gnupg/options file is found during an upgrade it will still be used, but this change was required to have a more consistent naming scheme with forthcoming tools. + An existing options file can be renamed to gpg.conf for users upgrading, + or receiving the message that the "old default options file" is ignored + (occurs if both a gpg.conf and an options file are found). + + How do you export GnuPG keys for use with PGP? + + This has come up fairly often, so here's the HOWTO: + + PGP can (for most key types) use secret keys generated by GnuPG. The + problems that come up occasionally are generally because GnuPG + supports a few more features from the OpenPGP standard than PGP does. + If your secret key has any of those features in use, then PGP will + reject the key or you will have problems communicating later. Note + that PGP doesn't do ElGamal signing keys at all, so they are not + usable with any version. + + These instructions should work for GnuPG 1.0.7 and later, and PGP + 7.0.3 and later. + + Start by editing the key. Most of this line is not really necessary + as the default values are correct, but it does not hurt to repeat the + values, as this will override them in case you have something else set + in your options file. + + [H pre] + $ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3 \ + --simple-sk-checksum --edit KeyID + [H /pre] + + Turn off some features. 
Set the list of preferred ciphers, hashes, + and compression algorithms to things that PGP can handle. (Yes, I + know this is an odd list of ciphers, but this is what PGP itself uses, + minus IDEA). + + [H pre] + > setpref S9 S8 S7 S3 S2 S10 H2 H3 Z1 Z0 + [H /pre] + + Now put the list of preferences onto the key. + + [H pre] + > updpref + [H /pre] + + Finally we must decrypt and re-encrypt the key, making sure that we + encrypt with a cipher that PGP likes. We set this up in the --edit + line above, so now we just need to change the passphrase to make it + take effect. You can use the same passphrase if you like, or take + this opportunity to actually change it. + + [H pre] + > passwd + [H /pre] + + Save our work. + + [H pre] + > save + [H /pre] + + Now we can do the usual export: + + [H pre] + $ gpg --export KeyID > mypublickey.pgp + $ gpg --export-secret-key KeyID > mysecretkey.pgp + [H /pre] + + Thanks to David Shaw for this information! PROBLEMS and ERROR MESSAGES @@ -882,8 +1068,8 @@ you could search in the mailing list archive. http://www.gnupg.org/developer/gpg-woody-fix.txt [H /pre] - I've upgraded to GnuPG version 1.0.7 and now it takes longer to load - my keyrings. What can I do? + I upgraded to GnuPG version 1.0.7 and now it takes longer to load my + keyrings. What can I do? The way signature states are stored has changed so that v3 signatures can be supported. You can use the new --rebuild-keydb-caches migration
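Review bot: the rename in the header hunk (`-[$hGPG=http://www.gnupg.org]` / `+[$hGPGHTTP=http://www.gnupg.org]`) removes the old definition outright, so any `[$hGPG]` reference left anywhere in faq.raw will stop expanding and render as literal text or an empty link target. The later hunks update the instances in sections 1.1, 2.1, 2.2, 3.1, 3.2, 4.16 and 5.2, but please confirm none remain, for example with `grep -n '\$hGPG\]' doc/faq.raw`. Minor: the new `Last-Modified: Dec 1, 2002` predates the commit date (Dec 5); they should agree when the FAQ is published.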
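Review bot: spelling in the new "What conventions are used in this FAQ?" section: `interchangable` should be `interchangeable`. The line-continuation paragraph is hard to follow as one sentence ("Also, the indicator used to inform the shell ... and represents a "\" pair) should be noted."); suggest two sentences: first that a trailing backslash means the command continues on the next line, then the instruction for shells that do not support it. Content point: the paragraph says options-file information "may be interchangable with the newer gpg.conf file in many instances", but section 5.8 in this same patch states the old options file is ignored when both files are present; one sentence here saying that gpg.conf takes precedence would keep the two sections consistent.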
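Review bot: naming in the "Where do I get GnuPG?" hunk: `$hVERSION` is introduced to hold the current stable GnuPG release (`[$hVERSION=1.2.1]`), while the FAQ header in the first hunk carries its own `Version: 1.6.0`; a name such as `$hGPGVERSION` would keep the next maintainer from confusing the two when bumping either.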
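Review bot: the IDEA hunk (`@@ -174,14 +205,21`) now lists `idea.c.gz.sig` and `ideadll.zip.sig` next to the module files but never tells the reader to check them. Since `load-extension idea` loads native code into the gpg process, the text should say to verify the download against a key the reader has already validated before compiling or loading anything, e.g. `$ gpg --verify idea.c.gz.sig idea.c.gz`, which is the same form the new "How do I verify signed packages?" section teaches and could be cross-referenced. The same hunk also moves the download from ftp.gnupg.org to the third-party host ftp.gnupg.dk, which makes the signature check the thing to rely on rather than the host; worth a sentence. Minor: `~/.gnupg/gpg.conf or ~/.gnupg/options file` would be clearer as `~/.gnupg/gpg.conf (or ~/.gnupg/options on versions before 1.1.92)`, matching section 5.8.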
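Review bot: broken URL in the new GPGrelay paragraph (`@@ -502,16 +544,21`): `[H a href=http://http://gpgrelay.sourceforge.net]` repeats the scheme and should read `http://gpgrelay.sourceforge.net`.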
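Review bot: the hunk `@@ -531,6 +578,7` consists of a single added blank line before "How do I put my keyring in a different directory?"; if it is not deliberate spacing it is stray whitespace and can be dropped.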
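Review bot: in the large new hunk (`@@ -549,6 +597,76`), the advice in "How do I verify signed packages?" that the signer's key "should also be validated (or locally signed)" "to prevent GnuPG warning messages" puts the emphasis in the wrong place: the warning is the point, and a key validated only to silence it proves nothing. Suggest stating that the key's fingerprint must be checked against a trusted source (the vendor's documentation or a known contact) before it is signed, because a good signature from an unverified key only shows the package matches some key. Spelling: `issueing` should be `issuing`. The heading "How do I export a keyring with only selected signatures?" does not match its answer: `gpg --armor --export key1 key2 key3 key4` exports whole keys with all their signatures, so either the heading should say "selected keys" or the answer needs to address signature selection. In the gpgsplit section, "One should first try to export the secret key and convert just this one" would be clearer with the command that produces `secret.gpg` shown, e.g. `$ gpg --export-secret-keys KeyID > secret.gpg`; also `>publickey.gpg` should be spaced as `> publickey.gpg` like the other examples, and there is a doubled blank line before "I still have my secret key".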
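Review bot: in the PGP export HOWTO (`@@ -668,13 +786,81`), the final pre uses `gpg --export-secret-key KeyID` while the hunk's own leading context shows the option as `--export-secret-keys`; GnuPG accepts unambiguous abbreviations, but the FAQ should use the full spelling consistently. The sentence "in case you have something else set in your options file" should say gpg.conf, since the paragraph immediately above it documents the rename. The added sentence "An existing options file can be renamed to gpg.conf for users upgrading, or receiving the message that ..." reads awkwardly; suggest "Users who are upgrading, or who see the message that the 'old default options file' is ignored (shown when both gpg.conf and options exist), can rename their options file to gpg.conf." Minor: the hunk adds an empty `+` line before the new section heading.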