Merge branch 'STABLE-BRANCH-2-2' into master

-- Resolved Conflicts: NEWS - removed configure.ac - removed Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2018-05-13 13:29:40 +02:00 · 2018-05-13 13:29:40 +02:00 · 7b7576637d
commit 7b7576637d
parent 1793f2c46a 1ced88edf4
73 changed files with 3270 additions and 3583 deletions
--- a/doc/DETAILS
+++ b/doc/DETAILS
@ -105,6 +105,19 @@ described here.
    certificate (i.e. for the trust anchor) and an 'f' for all other
    valid certificates.

+    In "sig" records, this field may have one of these values as first
+    character:
+
+    - ! :: Signature is good.
+    - - :: Signature is bad.
+    - ? :: No public key to verify signature or public key is not usable.
+    - % :: Other error verifying a signature
+
+    More values may be added later.  The field may also be empty if
+    gpg has been invoked in a non-checking mode (--list-sigs) or in a
+    fast checking mode.  Since 2.2.7 '?' will also be printed by the
+    command --list-sigs if the key is not in the local keyring.
+
 *** Field 3 - Key length

    The length of key in bits.
@ -195,9 +208,11 @@ described here.
    gpg's --edit-key menu does.

    For "sig" records, this is the fingerprint of the key that issued
-    the signature.  Note that this is only filled in if the signature
+    the signature.  Note that this may only be filled if the signature
    verified correctly.  Note also that for various technical reasons,
    this fingerprint is only available if --no-sig-cache is used.
+    Since 2.2.7 this field will also be set if the key is missing but
+    the signature carries an issuer fingerprint as meta data.

 *** Field 14 - Flag field

@ -437,14 +452,17 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
    available.  This is the case with CMS and might eventually also be
    available for OpenPGP.

-*** ERRSIG  <keyid>  <pkalgo> <hashalgo> <sig_class> <time> <rc>
+*** ERRSIG  <keyid>  <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr>
    It was not possible to check the signature.  This may be caused by
    a missing public key or an unsupported algorithm.  A RC of 4
    indicates unknown algorithm, a 9 indicates a missing public
    key. The other fields give more information about this signature.
    sig_class is a 2 byte hex-value.  The fingerprint may be used
-    instead of the keyid if it is available.  This is the case with
-    gpgsm and might eventually also be available for OpenPGP.
+    instead of the long_keyid_or_fpr if it is available.  This is the
+    case with gpgsm and might eventually also be available for
+    OpenPGP.  The ERRSIG line has FPR filed which is only available
+    since 2.2.7; that FPR may either be missing or - if the signature
+    has no fingerprint as meta data.

    Note, that TIME may either be the number of seconds since Epoch or
    an ISO 8601 string.  The latter can be detected by the presence of
@ -722,7 +740,9 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
    The used key has been revoked by its owner.  No arguments yet.

 *** NO_PUBKEY  <long keyid>
-    The public key is not available
+    The public key is not available.  Note the arg should in general
+    not be used because it is better to take it from the ERRSIG
+    status line which is printed right before this one.

 *** NO_SECKEY  <long keyid>
    The secret key is not available
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -49,7 +49,8 @@ EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem \
             gnupg-card-architecture.png gnupg-card-architecture.pdf \
             FAQ gnupg7.texi mkdefsinc.c defsincdate \
             opt-homedir.texi see-also-note.texi specify-user-id.texi \
-	     gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt
+	     gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt \
+             trust-values.texi

 BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \
                gnupg-card-architecture.png gnupg-card-architecture.pdf \
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@ -208,9 +208,10 @@ flag names.  To get a list of all supported flags the single word
@opindex debug-all
 Same as @code{--debug=0xffffffff}

-@item --gnutls-debug @var{level}
-@opindex gnutls-debug
-Enable debugging of GNUTLS at @var{level}.
+@item --tls-debug @var{level}
+@opindex tls-debug
+Enable debugging of the TLS layer at @var{level}.  The details of the
+debug level depend on the used TLS library and are not set in stone.

@item --debug-wait @var{n}
@opindex debug-wait
--- a/doc/examples/vsnfd.prf
+++ b/doc/examples/vsnfd.prf
@ -15,7 +15,7 @@ enable-crl-checks
 [gpg-agent]
 enable-extended-key-format
 default-cache-ttl 900
-max-cache-ttl [] 3600
+max-cache-ttl 3600
 no-allow-mark-trusted
 no-allow-external-cache
 enforce-passphrase-constraints
--- a/doc/gnupg.texi
+++ b/doc/gnupg.texi
@ -140,6 +140,7 @@ the administration and the architecture.
 * Invoking GPGSM::      Using the S/MIME protocol.
 * Invoking SCDAEMON::   How to handle Smartcards.
 * Specify a User ID::   How to Specify a User Id.
+* Trust Values::        How GnuPG displays trust values.

 * Helper Tools::        Description of small helper tools
 * Web Key Service::     Tools for the Web Key Service
@ -179,6 +180,11 @@ the administration and the architecture.
@anchor{how-to-specify-a-user-id}
@include specify-user-id.texi

+@node Trust Values
+@chapter Trust Values
+@anchor{trust-values}
+@cindex trust values
+@include trust-values.texi

@include tools.texi
@include wks.texi
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -214,7 +214,10 @@ symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
@option{--encrypt} (for a message that may be decrypted via a secret key
 or a passphrase), or @option{--sign} and @option{--encrypt} together
 (for a signed message that may be decrypted via a secret key or a
-passphrase).
+passphrase).  @command{@gpgname} caches the passphrase used for
+symmetric encryption so that a decrypt operation may not require that
+the user needs to enter the passphrase.  The option
+@option{--no-symkey-cache} can be used to disable this feature.

@item --store
@opindex store
@ -1037,38 +1040,13 @@ signing.

@c man:.RS
 The listing shows you the key with its secondary keys and all user
-ids.  The primary user id is indicated by a dot, and selected keys or
-user ids are indicated by an asterisk.  The trust
-value is displayed with the primary key: the first is the assigned owner
-trust and the second is the calculated trust value. Letters are used for
-the values:
+IDs.  The primary user ID is indicated by a dot, and selected keys or
+user IDs are indicated by an asterisk.  The trust
+value is displayed with the primary key: "trust" is the assigned owner
+trust and "validity" is the calculated validity of the key.  Validity
+values are also displayed for all user IDs.
+For possible values of trust, @pxref{trust-values}.
@c man:.RE
-
-@table @asis
-
-  @item -
-  No ownertrust assigned / not yet calculated.
-
-  @item e
-  Trust
-  calculation has failed; probably due to an expired key.
-
-  @item q
-  Not enough information for calculation.
-
-  @item n
-  Never trust this key.
-
-  @item m
-  Marginally trusted.
-
-  @item f
-  Fully trusted.
-
-  @item u
-  Ultimately trusted.
-
-@end table
@c ******** End Edit-key Options **********

@item --sign-key @var{name}
@ -3188,6 +3166,12 @@ are:
  Pinentry the user is not prompted again if he enters a bad password.
@end table

+@item --no-symkey-cache
+@opindex no-symkey-cache
+Disable the passphrase cache used for symmetrical en- and decryption.
+This cache is based on the message specific salt value
+(cf. @option{--s2k-mode}).
+
@item --request-origin @var{origin}
@opindex request-origin
 Tell gpg to assume that the operation ultimately originated at
@ -3302,8 +3286,14 @@ print the public key data.
 Same as @option{--list-keys}, but the signatures are listed too.  This
 command has the same effect as using @option{--list-keys} with
@option{--with-sig-list}.  Note that in contrast to
-@option{--check-signatures} the key signatures are not verified.
+@option{--check-signatures} the key signatures are not verified.  This
+command can be used to create a list of signing keys missing in the
+lcoal keyring; for example:

+@example
+      gpg --list-sigs --with-colons USERID | \
+        awk -F: '$1=="sig" && $2=="?" @{if($13)@{print $13@}else@{print $5@}@}'
+@end example

@item --fast-list-mode
@opindex fast-list-mode
@ -3831,6 +3821,10 @@ which is equivalent to
 imports only the user ids of a key containing the strings "Alfa"
 or "Alpha" but not the string "test".

+@mansect trust values
+@ifset isman
+@include trust-values.texi
+@end ifset

@mansect return value
@chapheading RETURN VALUE
--- a/doc/trust-values.texi
+++ b/doc/trust-values.texi
@ -0,0 +1,47 @@
+@c Copyright (C) 2018 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+Trust values are used to indicate ownertrust and validity of keys and
+user IDs.  They are displayed with letters or strings:
+
+@table @asis
+
+  @item -
+  @itemx unknown
+  No ownertrust assigned / not yet calculated.
+
+  @item e
+  @itemx expired
+
+  Trust calculation has failed; probably due to an expired key.
+
+  @item q
+  @itemx undefined, undef
+  Not enough information for calculation.
+
+  @item n
+  @itemx never
+  Never trust this key.
+
+  @item m
+  @itemx marginal
+  Marginally trusted.
+
+  @item f
+  @itemx full
+  Fully trusted.
+
+  @item u
+  @itemx ultimate
+  Ultimately trusted.
+
+  @item r
+  @itemx revoked
+  For validity only: the key or the user ID has been revoked.
+
+  @item ?
+  @itemx err
+  The program encountered an unknown trust value.
+
+@end table