mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-25 15:27:03 +01:00
* Changed variable for default gnupg.org http location from $hGPG
  to $hGPGHTTP and update instances of variable throughout FAQ in
  introduction area and sections 1.1, 2.1 and 2.2
* Added section 1.4 - What conventions are used in this FAQ?
  + unices vs. win32 (with hyperlink (<Rhomedir>) to section 4.18 for example
  + gpg.conf vs. options (with hyperlink (<Roptions>) to section 5.8 to note name change
* Corrected section 2.2 - Changed ftp URL (both display and link URLs)
  from "ftp://ftp.gnupg.org/pub/gcrypt" to ftp://ftp.gnupg.org/gcrypt/,
  and the display URL (not the actual link URL, it's correct) of the
  http URL from "http://www.gnupg.org/mirror.html" to
  "http://www.gnupg.org/mirrors.html"
* Included variable ($hVERSION) for easier updating of latest gpg
  version when referenced (as in section 2.2)
* Included variable ($hGPGFTP) for default gnupg.org ftp location
  (ftp://ftp.gnupg.org) for use in sections 2.2 and 4.16
* Corrected section 3.1 visual display of link from
  "http://www.gnupg.org/gnupg.html#supsys" to
  "http://www.gnupg.org/backend.html#supsys"
* Edited sections 3.1, 3.2, 5.2 to include $hGPGHTTP variable
* Corrected section 3.2 - Word typo ("avoided" was "avoiced").
* Corrected / edited section 3.3 -
  + corrected link: ftp://ftp.gnupg.dk/pub/contrib-dk/ for idea.c.gz,
    idea.c.gz.sig, ideadll.zip, ideadll.zip.sig
  + edited section to include all files and added ~/.gnupg/gpg.conf info
* Edited section 4.6 - As this section deals with losing a public key,
  I added a paragraph containing a hyperlink to the end of section 4.21
  ("I still have my secret key, but lost my public key..."). The
  paragraph reads: "If you've lost your public key and need to recreate
  it instead for continued use with your secret key, you may be able to
  use gpgsplit as detailed in question <Rgpgsplit>."
* Edited section 4.15 - Added paragraph below table on GPGrelay, an
  application for MUAs that lack OpenPGP (rfc2015) support to.
  "Users of Win32 MUAs that lack OpenPGP support may look into using
  GPGrelay <http://http://gpgrelay.sourceforge.net>, a small
  email-relaying server that uses GnuPG to enable many email clients to
  send and receive emails that conform to PGP-MIME (RFC 2015)."
  suggested by: Andreas John <aj@tesla.inka.de>
* Corrected section 4.16 - Incorporated Werner's URL fix for gpgme FTP
  location to synchronize local CVS with released FAQ version 1.5.8.
* Added section 4.19 - "How do I verify signed packages?"
  suggested by: Christian Reis <kiko@async.com.br>
* Added section 4.20 - "How do I export a keyring with only selected
  signatures?" by: David Shaw <dshaw@jabberwocky.com>
* Added section 4.21 - "I still have my secret key, but lost my public
  key. What can I do?" by: Werner Koch <wk@gnupg.org>
* Added section 4.22 - "Clearsigned messages sent from my web-mail
  account have an invalid signature. Why?"
  by: David Scribner <dscribner@bigfoot.com>
* Edited / Corrected section 5.8 - Changed question from "I just
  installed the most recent version of GnuPG and don't have a
  ~/.gnupg/options file. Is this missing from the installation?" to
  "GnuPG no longer installs a ~/.gnupg/options file. Is it missing?"
  + Added "An existing options file can be renamed to gpg.conf for users
    upgrading, or receiving the message that the "old default options
    file" is ignored (occurs if both a gpg.conf and an options file are
    found)." to the end of the paragraph.
  + Corrected ~/.gnupg/gpg.conf (was ~/.gnupg/conf)
* Added section 5.9 - "How do you export GnuPG keys for use with PGP?"
  by: David Shaw <dshaw@jabberwocky.com>
parent
77f99fd667
commit
5c504ac5c5
238
doc/faq.raw
@ -7,21 +7,23 @@ The most recent version of the FAQ is available from
|
||||
[$usenetheader=
|
||||
]
|
||||
[$maintainer=David D. Scribner, <faq 'at' gnupg.org>]
|
||||
[$hGPG=http://www.gnupg.org]
|
||||
[$hGPGHTTP=http://www.gnupg.org]
|
||||
[$hGPGFTP=ftp://ftp.gnupg.org]
|
||||
[$hVERSION=1.2.1]
|
||||
|
||||
[H body bgcolor=#ffffff text=#000000 link=#1f00ff alink=#ff0000 vlink=#9900dd]
|
||||
[H H1]GnuPG Frequently Asked Questions[H /H1]
|
||||
|
||||
|
||||
[H p]
|
||||
Version: 1.5.8[H br]
|
||||
Last-Modified: Oct 8, 2002[H br]
|
||||
Version: 1.6.0[H br]
|
||||
Last-Modified: Dec 1, 2002[H br]
|
||||
Maintained-by: [$maintainer]
|
||||
[H /p]
|
||||
|
||||
|
||||
This is the GnuPG FAQ. The latest HTML version is available
|
||||
[H a href=[$hGPG]/faq.html]here[H/a].
|
||||
[H a href=[$hGPGHTTP]/faq.html]here[H/a].
|
||||
|
||||
The index is generated automatically, so there may be errors. Not all
|
||||
questions may be in the section they belong to. Suggestions about how
|
||||
@ -44,7 +46,7 @@ you could search in the mailing list archive.
|
||||
|
||||
<Q> What is GnuPG?
|
||||
|
||||
[H a href=[$hGPG]]GnuPG[H /a] stands for GNU Privacy Guard and
|
||||
[H a href=[$hGPGHTTP]]GnuPG[H /a] stands for GNU Privacy Guard and
|
||||
is GNU's tool for secure communication and data storage. It can be
|
||||
used to encrypt data and to create digital signatures. It includes
|
||||
an advanced key management facility and is compliant with the
|
||||
@ -66,6 +68,35 @@ you could search in the mailing list archive.
|
||||
read the file titled COPYING that accompanies the application for
|
||||
more information.
|
||||
|
||||
<Q> What conventions are used in this FAQ?
|
||||
|
||||
Although GnuPG is being developed for several operating systems
|
||||
(often in parallel), the conventions used in this FAQ reflect a
|
||||
UNIX shell environment. For Win32 users, references to a shell
|
||||
prompt (`$') should be interpreted as a command prompt (`>'),
|
||||
directory names separated by a forward slash (`/') may need to be
|
||||
converted to a back slash (`\'), and a tilde (`~') represents a
|
||||
user's "home" directory (reference question <Rhomedir> for an example).
|
||||
|
||||
Also, the indicator used to inform the shell that a continuation
|
||||
of the command will follow on the next line (the `\' character
|
||||
seen at the end of some command strings in this FAQ, and represents
|
||||
a "\<newline>" pair) should be noted. If your shell or command
|
||||
interpreter does not support this convention, the command should be
|
||||
typed in its entirety as a single entry after removing the trailing
|
||||
backslash and continuing with the second line before pressing Enter
|
||||
or the return key.
|
||||
|
||||
Please keep in mind that this FAQ contains information that may not
|
||||
apply to your particular version, as new features and bug fixes are
|
||||
added on a continuing basis (reference the NEWS file included with
|
||||
the source or package for noteworthy changes between versions). One
|
||||
item to note is that starting with GnuPG version 1.1.92 the file
|
||||
containing user options and settings has been renamed from "options"
|
||||
to "gpg.conf". Information in the FAQ that relates to the options
|
||||
file may be interchangable with the newer gpg.conf file in many
|
||||
instances. See question <Roptions> for details.
|
||||
|
||||
|
||||
<S> SOURCES of INFORMATION
|
||||
|
||||
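Review bot: the new paragraph about the renamed options file spells "interchangable"; it should read "interchangeable". In the same added section, the continuation-character sentence ("the `\' character seen at the end of some command strings in this FAQ, and represents a "\<newline>" pair) should be noted") loses its grammatical thread inside the parenthesis. Consider opening with "Note that a trailing `\' at the end of a command line means the command continues on the next line" and then keeping the instruction for shells that do not support it.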
@ -74,7 +105,7 @@ you could search in the mailing list archive.
|
||||
On-line resources:
|
||||
|
||||
[H UL]
|
||||
[H LI]The documentation page is located at [H a href=[$hGPG]/docs.html]<[$hGPG]/docs.html>[H/a].
|
||||
[H LI]The documentation page is located at [H a href=[$hGPGHTTP]/docs.html]<[$hGPGHTTP]/docs.html>[H/a].
|
||||
Also, have a look at the HOWTOs and the GNU Privacy Handbook (GPH,
|
||||
available in English, Spanish and Russian). The latter provides a
|
||||
detailed user's guide to GnuPG. You'll also find a document about
|
||||
@ -86,8 +117,8 @@ you could search in the mailing list archive.
|
||||
the developers.
|
||||
|
||||
In addition, searchable archives can be found on MARC, e.g.: [H br]
|
||||
gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2>[H/a],[H br]
|
||||
gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2>[H/a].[H br]
|
||||
gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2>[H/a][H br]
|
||||
gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2>[H/a][H br]
|
||||
|
||||
[H B]PLEASE:[H/B]
|
||||
Before posting to a list, read this FAQ and the available
|
||||
@ -108,13 +139,13 @@ you could search in the mailing list archive.
|
||||
<Q> Where do I get GnuPG?
|
||||
|
||||
You can download the GNU Privacy Guard from its primary FTP server
|
||||
[H a href=ftp://ftp.gnupg.org/pub/gcrypt]<ftp.gnupg.org>[H /a] or from one of the mirrors:
|
||||
[H a href=[$hGPGFTP]/gcrypt/]<[$hGPGFTP]/gcrypt/>[H /a] or from one of the mirrors:
|
||||
|
||||
[H a href=[$hGPG]/mirrors.html]
|
||||
<[$hGPG]/mirror.html>
|
||||
[H a href=[$hGPGHTTP]/mirrors.html]
|
||||
<[$hGPGHTTP]/mirrors.html>
|
||||
[H /a]
|
||||
|
||||
The current stable version is 1.2.x. Please upgrade to this version as
|
||||
The current stable version is [$hVERSION]. Please upgrade to this version as
|
||||
it includes additional features, functions and security fixes that may
|
||||
not have existed in prior versions.
|
||||
|
||||
@ -127,8 +158,8 @@ you could search in the mailing list archive.
|
||||
Windows NT/2000) and Macintosh OS/X. A list of OSes reported to be OK
|
||||
is presented at:
|
||||
|
||||
[H a href=http://www.gnupg.org/backend.html#supsys]
|
||||
<http://www.gnupg.org/gnupg.html#supsys>
|
||||
[H a href=[$hGPGHTTP]/backend.html#supsys]
|
||||
<[$hGPGHTTP]/backend.html#supsys>
|
||||
[H /a]
|
||||
|
||||
<Q> Which random data gatherer should I use?
|
||||
@ -150,7 +181,7 @@ you could search in the mailing list archive.
|
||||
|
||||
On other systems, the Entropy Gathering Daemon (EGD) is a good choice.
|
||||
It is a perl-daemon that monitors system activity and hashes it into
|
||||
random data. See the download page [H a href=http://www.gnupg.org/download.html]<http://www.gnupg.org/download.html>[H /a]
|
||||
random data. See the download page [H a href=[$hGPGHTTP]/download.html]<[$hGPGHTTP]/download.html>[H /a]
|
||||
to obtain EGD. Use:
|
||||
|
||||
[H pre]
|
||||
@ -174,14 +205,21 @@ you could search in the mailing list archive.
|
||||
|
||||
However, there is an unofficial module to include it even in earlier
|
||||
versions of GnuPG. It's available from
|
||||
[H a href=ftp://ftp.gnupg.org/pub/gcrypt/contrib/]<ftp://ftp.gnupg.org/pub/gcrypt/contrib/>[H /a]. Look for:
|
||||
[H a href=ftp://ftp.gnupg.dk/pub/contrib-dk/]<ftp://ftp.gnupg.dk/pub/contrib-dk/>[H /a]. Look for:
|
||||
|
||||
[H pre]
|
||||
idea.c
|
||||
idea.c.gz (c module)
|
||||
idea.c.gz.sig (signature file)
|
||||
[H /pre]
|
||||
|
||||
[H pre]
|
||||
ideadll.zip (c module and win32 dll)
|
||||
ideadll.zip.sig (signature file)
|
||||
[H /pre]
|
||||
|
||||
Compilation directives are in the headers of these files. You will
|
||||
then need to add the following line to your ~/.gnupg/options file:
|
||||
then need to add the following line to your ~/.gnupg/gpg.conf or
|
||||
~/.gnupg/options file:
|
||||
|
||||
[H pre]
|
||||
load-extension idea
|
||||
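Review bot: the "Look for:" list now names idea.c.gz.sig and ideadll.zip.sig, but the visible text moves straight on to "Compilation directives are in the headers of these files" without telling the reader to check the download against its signature file first. This is described as an unofficial module, it is fetched over FTP from a host other than ftp.gnupg.org, and it ends up loaded into gpg via "load-extension idea", so a sentence pointing to the new "How do I verify signed packages?" question belongs before the compilation step.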
@ -334,6 +372,10 @@ you could search in the mailing list archive.
|
||||
which can be obtained by using the --with-colons options (it is
|
||||
the fifth field in the lines beginning with "sec").
|
||||
|
||||
If you've lost your public key and need to recreate it instead
|
||||
for continued use with your secret key, you may be able to use
|
||||
gpgsplit as detailed in question <Rgpgsplit>.
|
||||
|
||||
<Q> What are trust, validity and ownertrust?
|
||||
|
||||
With GnuPG, the term "ownertrust" is used instead of "trust" to
|
||||
@ -502,16 +544,21 @@ you could search in the mailing list archive.
|
||||
|
||||
Good overviews of OpenPGP-support can be found at:[H br]
|
||||
[H a href=http://cryptorights.org/pgp-users/resources/pgp-mail-clients.html]<http://cryptorights.org/pgp-users/resources/pgp-mail-clients.html>[H /a],[H br]
|
||||
[H a href=http://www.geocities.com/openpgp/courrier_en.html]<http://www.geocities.com/openpgp/courrier_en.html>[H /a] and[H br]
|
||||
[H a href=http://www.geocities.com/openpgp/courrier_en.html]<http://www.geocities.com/openpgp/courrier_en.html>[H /a], and[H br]
|
||||
[H a href=http://www.bretschneidernet.de/tips/secmua.html]<http://www.bretschneidernet.de/tips/secmua.html>[H /a].
|
||||
|
||||
Users of Win32 MUAs that lack OpenPGP support may look into
|
||||
using GPGrelay [H a href=http://http://gpgrelay.sourceforge.net]<http://gpgrelay.sourceforge.net>[H /a], a small
|
||||
email-relaying server that uses GnuPG to enable many email clients
|
||||
to send and receive emails that conform to PGP-MIME (RFC 2015).
|
||||
|
||||
<Q> Can't we have a gpg library?
|
||||
|
||||
This has been frequently requested. However, the current viewpoint
|
||||
of the GnuPG maintainers is that this would lead to several security
|
||||
issues and will therefore not be implemented in the foreseeable
|
||||
future. However, for some areas of application gpgme could do the
|
||||
trick. You'll find it at [H a href=ftp://ftp.gnupg.org/gcrypt/alpha/gpgme]<ftp://ftp.gnupg.org/gcrypt/alpha/gpgme>[H /a].
|
||||
trick. You'll find it at [H a href=[$hGPGFTP]/gcrypt/alpha/gpgme]<[$hGPGFTP]/gcrypt/alpha/gpgme>[H /a].
|
||||
|
||||
<Q> I have successfully generated a revocation certificate, but I don't
|
||||
understand how to send it to the key servers.
|
||||
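Review bot: the href in the new GPGrelay paragraph has a doubled scheme, "[H a href=http://http://gpgrelay.sourceforge.net]", so the rendered link will not resolve even though the display text next to it is correct. Change the href to http://gpgrelay.sourceforge.net. The commit message quotes the same doubled URL, so the typo appears to have been copied from one to the other.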
@ -531,6 +578,7 @@ you could search in the mailing list archive.
|
||||
|
||||
(or use a keyserver web interface for this).
|
||||
|
||||
<Dhomedir>
|
||||
<Q> How do I put my keyring in a different directory?
|
||||
|
||||
GnuPG keeps several files in a special homedir directory. These
|
||||
@ -549,6 +597,76 @@ you could search in the mailing list archive.
|
||||
on a floppy disk. Don't use "--keyring" as its purpose is to specify
|
||||
additional keyring files.
|
||||
|
||||
<Q> How do I verify signed packages?
|
||||
|
||||
Before you can verify the signature that accompanies a package,
|
||||
you must first have the vendor, organisation, or issueing person's
|
||||
key imported into your public keyring. To prevent GnuPG warning
|
||||
messages the key should also be validated (or locally signed).
|
||||
|
||||
You will also need to download the detached signature file along
|
||||
with the package. These files will usually have the same name as
|
||||
the package, with either a binary (.sig) or ASCII armor (.asc)
|
||||
extension.
|
||||
|
||||
Once their key has been imported, and the package and accompanying
|
||||
signature files have been downloaded, use:
|
||||
|
||||
[H pre]
|
||||
$ gpg --verify sigfile signed-file
|
||||
[H /pre]
|
||||
|
||||
If the signature file has the same base name as the package file,
|
||||
the package can also be verified by specifying just the signature
|
||||
file, as GnuPG will derive the package's file name from the name
|
||||
given (less the .sig or .asc extension). For example, to verify a
|
||||
package named foobar.tar.gz against its detached binary signature
|
||||
file, use:
|
||||
|
||||
[H pre]
|
||||
$ gpg --verify foobar.tar.gz.sig
|
||||
[H /pre]
|
||||
|
||||
<Q> How do I export a keyring with only selected signatures?
|
||||
|
||||
If you're wanting to create a keyring with only a subset of signatures
|
||||
selected from a master keyring (for a club, user group, or company
|
||||
department for example), simply specify the keys you want to export:
|
||||
|
||||
[H pre]
|
||||
$ gpg --armor --export key1 key2 key3 key4 > keys1-4.asc
|
||||
[H /pre]
|
||||
|
||||
<Dgpgsplit>
|
||||
<Q> I still have my secret key, but lost my public key. What can I do?
|
||||
|
||||
All OpenPGP secret keys have a copy of the public key inside them,
|
||||
and in a worst-case scenario, you can create yourself a new public
|
||||
key using the secret key.
|
||||
|
||||
A tool to convert a secret key into a public one has been included
|
||||
(it's actually a new option for gpgsplit) and is available with GnuPG
|
||||
versions 1.2.1 or later (or can be found in CVS). It works like this:
|
||||
|
||||
[H pre]
|
||||
$ gpgsplit --no-split --secret-to-public secret.gpg >publickey.gpg
|
||||
[H /pre]
|
||||
|
||||
One should first try to export the secret key and convert just this
|
||||
one. Using the entire secret keyring should work too. After this has
|
||||
been done, the publickey.gpg file can be imported into GnuPG as usual.
|
||||
|
||||
<Q> Clearsigned messages sent from my web-mail account have an invalid
|
||||
signature. Why?
|
||||
|
||||
Check to make sure the settings for your web-based email account
|
||||
do not use HTML formatting for the pasted clearsigned message. This can
|
||||
alter the message with embedded HTML markup tags or spaces, resulting
|
||||
in an invalid signature. The recipient may be able to copy the signed
|
||||
message block to a text file for verification, or the web email
|
||||
service may allow you to attach the clearsigned message as a file
|
||||
if plaintext messages are not an option.
|
||||
|
||||
|
||||
<S> COMPATIBILITY ISSUES
|
||||
|
||||
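Review bot: in the new "How do I verify signed packages?" answer, the sentence "To prevent GnuPG warning messages the key should also be validated (or locally signed)" presents validation as a way to silence warnings. Validation is what makes the result of --verify meaningful: a good signature from a key whose fingerprint was never checked against a trusted source only shows that someone signed the file. Please reword so the reader is told to confirm the key's fingerprint before signing it locally, and fix "issueing" to "issuing" in the sentence before it. Separately, the next question is titled "export a keyring with only selected signatures" but the command shown selects keys (key1 key2 key3 key4), not signatures; the title or the first sentence should say "selected keys".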
@ -599,7 +717,7 @@ you could search in the mailing list archive.
|
||||
algorithm is still patented until 2007. Under certain conditions you
|
||||
may use IDEA even today. In that case, you may refer to Question
|
||||
<Ridea> about how to add IDEA support to GnuPG and read
|
||||
[H a href=http://www.gnupg.org/gph/en/pgp2x.html]<http://www.gnupg.org/gph/en/pgp2x.html>[H /a] to perform the migration.
|
||||
[H a href=[$hGPGHTTP]/gph/en/pgp2x.html]<[$hGPGHTTP]/gph/en/pgp2x.html>[H /a] to perform the migration.
|
||||
|
||||
<Q> (removed)
|
||||
|
||||
@ -668,13 +786,81 @@ you could search in the mailing list archive.
|
||||
--export-secret-keys <key-ID>
|
||||
[H /pre]
|
||||
|
||||
<Q> I just installed the most recent version of GnuPG and don't have a
|
||||
~/.gnupg/options file. Is this missing from the installation?
|
||||
<Doptions>
|
||||
<Q> GnuPG no longer installs a ~/.gnupg/options file. Is it missing?
|
||||
|
||||
No. The ~/.gnupg/options file has been renamed to ~/.gnupg/conf for
|
||||
No. The ~/.gnupg/options file has been renamed to ~/.gnupg/gpg.conf for
|
||||
new installs as of version 1.1.92. If an existing ~/.gnupg/options file
|
||||
is found during an upgrade it will still be used, but this change was
|
||||
required to have a more consistent naming scheme with forthcoming tools.
|
||||
An existing options file can be renamed to gpg.conf for users upgrading,
|
||||
or receiving the message that the "old default options file" is ignored
|
||||
(occurs if both a gpg.conf and an options file are found).
|
||||
|
||||
<Q> How do you export GnuPG keys for use with PGP?
|
||||
|
||||
This has come up fairly often, so here's the HOWTO:
|
||||
|
||||
PGP can (for most key types) use secret keys generated by GnuPG. The
|
||||
problems that come up occasionally are generally because GnuPG
|
||||
supports a few more features from the OpenPGP standard than PGP does.
|
||||
If your secret key has any of those features in use, then PGP will
|
||||
reject the key or you will have problems communicating later. Note
|
||||
that PGP doesn't do ElGamal signing keys at all, so they are not
|
||||
usable with any version.
|
||||
|
||||
These instructions should work for GnuPG 1.0.7 and later, and PGP
|
||||
7.0.3 and later.
|
||||
|
||||
Start by editing the key. Most of this line is not really necessary
|
||||
as the default values are correct, but it does not hurt to repeat the
|
||||
values, as this will override them in case you have something else set
|
||||
in your options file.
|
||||
|
||||
[H pre]
|
||||
$ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3 \
|
||||
--simple-sk-checksum --edit KeyID
|
||||
[H /pre]
|
||||
|
||||
Turn off some features. Set the list of preferred ciphers, hashes,
|
||||
and compression algorithms to things that PGP can handle. (Yes, I
|
||||
know this is an odd list of ciphers, but this is what PGP itself uses,
|
||||
minus IDEA).
|
||||
|
||||
[H pre]
|
||||
> setpref S9 S8 S7 S3 S2 S10 H2 H3 Z1 Z0
|
||||
[H /pre]
|
||||
|
||||
Now put the list of preferences onto the key.
|
||||
|
||||
[H pre]
|
||||
> updpref
|
||||
[H /pre]
|
||||
|
||||
Finally we must decrypt and re-encrypt the key, making sure that we
|
||||
encrypt with a cipher that PGP likes. We set this up in the --edit
|
||||
line above, so now we just need to change the passphrase to make it
|
||||
take effect. You can use the same passphrase if you like, or take
|
||||
this opportunity to actually change it.
|
||||
|
||||
[H pre]
|
||||
> passwd
|
||||
[H /pre]
|
||||
|
||||
Save our work.
|
||||
|
||||
[H pre]
|
||||
> save
|
||||
[H /pre]
|
||||
|
||||
Now we can do the usual export:
|
||||
|
||||
[H pre]
|
||||
$ gpg --export KeyID > mypublickey.pgp
|
||||
$ gpg --export-secret-key KeyID > mysecretkey.pgp
|
||||
[H /pre]
|
||||
|
||||
Thanks to David Shaw for this information!
|
||||
|
||||
|
||||
<S> PROBLEMS and ERROR MESSAGES
|
||||
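Review bot: in the new PGP export HOWTO, the lead-in to the --edit command says "Most of this line is not really necessary as the default values are correct, but it does not hurt to repeat the values", yet the command includes --simple-sk-checksum, which is not a default and replaces the SHA-1 integrity protection of the secret key with the older simple checksum. The gpg documentation states that using this option bears a security risk. The answer should name this option as the exception, say that it is a deliberate downgrade needed for PGP compatibility, and advise using it only on the copy of the key being exported. It would also help to note that "gpg --export-secret-key KeyID > mysecretkey.pgp" writes the secret key to a plain file that should be protected and removed after import.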
@ -882,8 +1068,8 @@ you could search in the mailing list archive.
|
||||
http://www.gnupg.org/developer/gpg-woody-fix.txt
|
||||
[H /pre]
|
||||
|
||||
<Q> I've upgraded to GnuPG version 1.0.7 and now it takes longer to load
|
||||
my keyrings. What can I do?
|
||||
<Q> I upgraded to GnuPG version 1.0.7 and now it takes longer to load my
|
||||
keyrings. What can I do?
|
||||
|
||||
The way signature states are stored has changed so that v3 signatures
|
||||
can be supported. You can use the new --rebuild-keydb-caches migration
|
||||
|