security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

Merged Top directory of NewPG with GnuPG.

This commit is contained in:
Werner Koch 2002-10-19 07:55:27 +00:00
parent 82a17c9fb3
commit 9214e1b282
10 changed files with 1235 additions and 4760 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
AUTHORS
View File

@ -1,117 +0,0 @@
Program: GnuPG
Maintainer: Werner Koch <wk@gnupg.org>
Bug reports: <bug-gnupg@gnu.org>
Security related bug reports: <security@gnupg.org>
Authors
=======
Birger Langkjer <birger.langkjer@image.dk> Translations [da]
Daniel Resare <daniel@resare.com> Translations [sv]
David Shaw <dshaw@jabberwocky.com> Assignment
(all in keyserver/,
a lot of changes in g10/ see the ChangeLog,
bug fixes here and there)
Dokianakis Theofanis <madf@hellug.gr> Translations [el]
Edmund GRIMLEY EVANS <edmundo@rano.org> Translations [eo]
Gaël Quéri <gael@lautre.net> Translations [fr]
(fixed a lot of typos)
Gregory Steuck <steuck@iname.com> Translations [ru]
Ivo Timmermans <itimmermans@bigfoot.com> Translations [nl]
Jacobo Tarri'o Barreiro <jtarrio@iname.com> Translations [gl]
Janusz Aleksander Urbanowicz <alex@bofh.torun.pl> Translations [po]
Magda Procha'zkova' <magda@math.muni.cz> Translations [cs]
Michael Roth <mroth@nessie.de> Assignment
(wrote cipher/des.c., changes and bug fixes all over the place)
Marco d'Itri <md@linux.it> Translations [it]
Matthew Skala <mskala@ansuz.sooke.bc.ca> Disclaimer
(wrote cipher/twofish.c)
Niklas Hernaeus <nh@df.lth.se> Disclaimer
(weak key patches)
Nilgun Belma Buguner <nilgun@technologist.com> Translations [tr]
Nils Ellmenreich <nils 'at' infosun.fmi.uni-passau.de> Assignment
(configure.in, cipher/rndlinux.c, FAQ)
Paul Eggert <eggert@twinsun.com>
(configuration macros for LFS)
Pedro Morais <morais@poli.org> Translations [pt_PT]
Rémi Guyomarch <rguyom@mail.dotcom.fr> Assignment
(g10/compress.c, g10/encr-data.c,
g10/free-packet.c, g10/mdfilter.c, g10/plaintext.c, util/iobuf.c)
Stefan Bellon <sbellon@sbellon.de> Assignment
(All patches to support RISC OS)
Timo Schulz <twoaday@freakmail.de> Assignment
(util/w32reg.c, g10/passphrase.c, g10/hkp.c)
Tedi Heriyanto <tedi_h@gmx.net> Translations [id]
Thiago Jung Bauermann <jungmann@cwb.matrix.com.br> Translations [pt_BR]
Rafael Caetano dos Santos <rcaetano@linux.ime.usp.br> Translations [pt_BR]
Toomas Soome <tsoome@ut.ee> Translations [et]
Urko Lusa <ulusa@euskalnet.net> Translations [es_ES]
Walter Koch <koch@u32.de> Translations [de]
Werner Koch <wk@gnupg.org> Assignment
(started the whole thing)
Yosiaki IIDA <iida@ring.gr.jp> Translations [ja]
Other legal information
=======================
This program uses the zlib compression library written by
Jean-loup Gailly and Mark Adler.
Most of the stuff in mpi has been taken from the GMP library by
Torbjorn Granlund <tege@noisy.tmg.se>.
The Rijndael implementation (cipher/rijndael.c) is based on the
public domain reference code provided for the AES selection process.
The Rijndael algorithm is due to Joan Daemen and Vincent Rijmen.
The files cipher/rndunix.c and cipher/rndw32.c are based on rndunix.c
and rndwin32.c from cryptlib.
Copyright Peter Gutmann, Paul Kendall, and Chris Wedgwood 1996-1999.
The files in debian/ are by James Troup who is the Debian maintainer
for GnuPG.
The RPM specs file scripts/gnupg.spec has been contributed by
several people.
Copyright 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

1136
ChangeLog
View File

File diff suppressed because it is too large Load Diff

51
Makefile.am
View File

@ -1,7 +1,8 @@
# Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
#
# Makefile.am - main makefile for NewPG/GnuPG
# Copyright (C) 2001 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
@ -18,37 +19,29 @@
## Process this file with automake to produce Makefile.in
if CROSS_COMPILING
checks =
EXTRA_DIST = autogen.sh
if BUILD_GPGSM
sm = sm
else
checks = checks
sm =
endif
if BUILD_AGENT
agent = agent
else
agent =
endif
if BUILD_SCDAEMON
scd = scd
else
scd =
endif
SUBDIRS = intl zlib util mpi cipher tools g10 keyserver po doc ${checks}
EXTRA_DIST = PROJECTS BUGS config.h.in
DISTCLEANFILES = g10defs.h
SUBDIRS = intl jnlib assuan common kbx ${sm} ${agent} ${scd} po doc tests
# Add all the files listed in "distfiles" files to the distribution,
# apply version numbers to some files and create a VERSION file which
# we need for the Prereq: patch file trick.
dist-hook:
@set -e; \
for file in `cd $(top_srcdir); \
find scripts mpi include -type f -name distfiles`; do \
dir=`dirname $$file` ; $(mkinstalldirs) $(distdir)/$$dir ; \
for i in distfiles `cat $(top_srcdir)/$$file` ; do \
ln $(top_srcdir)/$$dir/$$i $(distdir)/$$dir/$$i 2> /dev/null \
|| cp -p $(top_srcdir)/$$dir/$$i $(distdir)/$$dir/$$i; \
done ; \
done
@set -e; \
sed -e 's/@pkg_version@/$(VERSION)/g' \
$(top_srcdir)/scripts/gnupg.spec.in \
> $(distdir)/scripts/gnupg.spec
echo "$(VERSION)" > $(distdir)/VERSION
@set -e; echo "$(VERSION)" > $(distdir)/VERSION

1318
NEWS
View File

File diff suppressed because it is too large Load Diff

898
README
View File

@ -1,652 +1,372 @@
NewPG is a temporary protect to work on GnuPG extensions. It will be
merged into the regular GnuPG sources for a GnuPG 2.0 release.
GnuPG - The GNU Privacy Guard
-------------------------------
Version 1.3
jnlib/ utility functions
assuan/ assuan protocol library
kbx/ keybox library
sm/ the gpgsm program
agent/ the gpg-agent
scd/ the smartcard daemon
Copyright 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
Libksba and Libgcrypt are required to build it.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
Assuan and Keybox are both designed to be source include-able.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
A texinfo manual `gnupg.info' will get installed. Some commands and
options given below.
Intro
-----
COMMANDS
========
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the proposed OpenPGP Internet standard as described in RFC2440.
gpgsm:
------
GnuPG works best on GNU/Linux or *BSD systems. Most other Unices
are also supported but are not as well tested as the Free Unices.
See http://www.gnupg.org/gnupg.html#supsys for a list of systems
which are known to work.
--learn-card
See the file COPYING for copyright and warranty information.
Read tinformation about the private keys from the smartcard and
import the certificates from there.
Because GnuPG does not use use any patented algorithm it cannot be
compatible with PGP2 versions. PGP 2.x uses IDEA (which is patented
worldwide).
--export
The default algorithms are DSA and ElGamal, but RSA is also
supported. ElGamal for signing is available, but because of the
larger size of such signatures it is deprecated (Please note that
the GnuPG implementation of ElGamal signatures is *not* insecure).
Symmetric algorithms are: AES, 3DES, Blowfish, CAST5 and Twofish.
Digest algorithms available are MD5, RIPEMD160 and SHA1.
Export all certificates storein the Keybox or those specified on
the commandline. When using --armor a few informational lines are
prepended before each block.
Installation
------------
Please read the file INSTALL and the sections in this file
related to the installation. Here is a quick summary:
OPTIONS
=======
1) Check that you have unmodified sources. See below on how to do
this. Don't skip it - this is an important step!
gpgsm:
------
2) Unpack the TAR. With GNU tar you can do it this way:
"tar xzvf gnupg-x.y.z.tar.gz"
--include-certs <n>
3) "cd gnupg-x.y.z"
4) "./configure"
5) "make"
6) "make install"
7) You end up with a "gpg" binary in /usr/local/bin.
8) To avoid swapping out of sensitive data, you can install "gpg" as
suid root. If you don't do so, you may want to add the option
"no-secmem-warning" to ~/.gnupg/gpg.conf
How to Verify the Source
------------------------
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
a) If you already have a trusted Version of GnuPG installed, you
can simply check the supplied signature:
$ gpg --verify gnupg-x.y.z.tar.gz.asc
This checks that the detached signature gnupg-x.y.z.tar.gz.asc
is indeed a a signature of gnupg-x.y.z.tar.gz. The key used to
create this signature is:
"pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>"
If you do not have this key, you can get it from the source in
the file doc/samplekeys.asc (use "gpg --import doc/samplekeys.asc"
to add it to the keyring) or from any keyserver. You have to
make sure that this is really the key and not a faked one. You
can do this by comparing the output of:
$ gpg --fingerprint 0x57548DCD
with the fingerprint published elsewhere.
Please note, that you have to use an old version of GnuPG to
do all this stuff. *Never* use the version which you are going
to check!
b) If you don't have any of the above programs, you have to verify
the MD5 checksum:
$ md5sum gnupg-x.y.z.tar.gz
This should yield an output _similar_ to this:
fd9351b26b3189c1d577f0970f9dcadc gnupg-x.y.z.tar.gz
Now check that this checksum is _exactly_ the same as the one
published via the announcement list and probably via Usenet.
Documentation
-------------
The manual will be distributed separate under the name "gph".
An online version of the latest manual draft is available at the
GnuPG web pages:
http://www.gnupg.org/gph/
A list of frequently asked questions is available in GnuPG's
distibution in the file doc/FAQ and online as:
http://www.gnupg.org/faq.html
A couple of HOWTO documents are available online; for a listing see:
http://www.gnupg.org/docs.html#howtos
A man page with a description of all commands and options gets installed
along with the program.
Introduction
------------
Here is a brief overview on how to use GnuPG - it is strongly suggested
that you read the manual and other information about the use of
cryptography. GnuPG is only a tool, secure usage requires that
YOU KNOW WHAT YOU ARE DOING.
If you already have a DSA key from PGP 5 (they call them DH/ElGamal)
you can simply copy the pgp keyrings over the GnuPG keyrings after
running gpg once to create the correct directory.
The normal way to create a key is
gpg --gen-key
This asks some questions and then starts key generation. To create
good random numbers for the key parameters, GnuPG needs to gather
enough noise (entropy) from your system. If you see no progress
during key generation you should start some other activities such
as mouse moves or hitting on the CTRL and SHIFT keys.
Generate a key ONLY on a machine where you have direct physical
access - don't do it over the network or on a machine used also
by others - especially if you have no access to the root account.
When you are asked for a passphrase use a good one which you can
easy remember. Don't make the passphrase too long because you have
to type it for every decryption or signing; but, - AND THIS IS VERY
IMPORTANT - use a good one that is not easily to guess because the
security of the whole system relies on your secret key and the
passphrase that protects it when someone gains access to your secret
keyring. A good way to select a passphrase is to figure out a short
nonsense sentence which makes some sense for you and modify it by
inserting extra spaces, non-letters and changing the case of some
characters - this is really easy to remember especially if you
associate some pictures with it.
Next, you should create a revocation certificate in case someone
gets knowledge of your secret key or you forgot your passphrase
gpg --gen-revoke your_user_id
Run this command and store the revocation certificate away. The output
is always ASCII armored, so that you can print it and (hopefully
never) re-create it if your electronic media fails.
Now you can use your key to create digital signatures
gpg -s file
This creates a file "file.gpg" which is compressed and has a
signature attached.
gpg -sa file
Same as above, but creates a file "file.asc" which is ASCII armored
and and ready for sending by mail. It is better to use your
mailers features to create signatures (The mailer uses GnuPG to do
this) because the mailer has the ability to MIME encode such
signatures - but this is not a security issue.
gpg -s -o out file
Creates a signature of "file", but writes the output to the file
"out".
Everyone who knows your public key (you can and should publish
your key by putting it on a key server, a web page or in your .plan
file) is now able to check whether you really signed this text
gpg --verify file
GnuPG now checks whether the signature is valid and prints an
appropriate message. If the signature is good, you know at least
that the person (or machine) has access to the secret key which
corresponds to the published public key.
If you run gpg without an option it will verify the signature and
create a new file that is identical to the original. gpg can also
run as a filter, so that you can pipe data to verify trough it
cat signed-file | gpg | wc -l
which will check the signature of signed-file and then display the
number of lines in the original file.
To send a message encrypted to someone you can use
gpg -e -r heine file
This encrypts "file" with the public key of the user "heine" and
writes it to "file.gpg"
echo "hello" | gpg -ea -r heine | mail heine
Ditto, but encrypts "hello\n" and mails it as ASCII armored message
to the user with the mail address heine.
gpg -se -r heine file
This encrypts "file" with the public key of "heine" and writes it
to "file.gpg" after signing it with your user id.
gpg -se -r heine -u Suttner file
Ditto, but sign the file with your alternative user id "Suttner"
GnuPG has some options to help you publish public keys. This is
called "exporting" a key, thus
gpg --export >all-my-keys
exports all the keys in the keyring and writes them (in a binary
format) to "all-my-keys". You may then mail "all-my-keys" as an
MIME attachment to someone else or put it on an FTP server. To
export only some user IDs, you give them as arguments on the command
line.
To mail a public key or put it on a web page you have to create
the key in ASCII armored format
gpg --export --armor | mail panther@tiger.int
This will send all your public keys to your friend panther.
If you have received a key from someone else you can put it
into your public keyring. This is called "importing"
gpg --import [filenames]
New keys are appended to your keyring and already existing
keys are updated. Note that GnuPG does not import keys that
are not self-signed.
Because anyone can claim that a public key belongs to her
we must have some way to check that a public key really belongs
to the owner. This can be achieved by comparing the key during
a phone call. Sure, it is not very easy to compare a binary file
by reading the complete hex dump of the file - GnuPG (and nearly
every other program used for management of cryptographic keys)
provides other solutions.
gpg --fingerprint <username>
prints the so called "fingerprint" of the given username which
is a sequence of hex bytes (which you may have noticed in mail
sigs or on business cards) that uniquely identifies the public
key - different keys will always have different fingerprints.
It is easy to compare fingerprints by phone and I suggest
that you print your fingerprint on the back of your business
card. To see the fingerprints of the secondary keys, you can
give the command twice; but this is normally not needed.
If you don't know the owner of the public key you are in trouble.
Suppose however that friend of yours knows someone who knows someone
who has met the owner of the public key at some computer conference.
Suppose that all the people between you and the public key holder
may now act as introducers to you. Introducers signing keys thereby
certify that they know the owner of the keys they sign. If you then
trust all the introducers to have correctly signed other keys, you
can be be sure that the other key really belongs to the one who
claims to own it..
There are 2 steps to validate a key:
1. First check that there is a complete chain
of signed keys from the public key you want to use
and your key and verify each signature.
2. Make sure that you have full trust in the certificates
of all the introduces between the public key holder and
you.
Step 2 is the more complicated part because there is no easy way
for a computer to decide who is trustworthy and who is not. GnuPG
leaves this decision to you and will ask you for a trust value
(here also referenced as the owner-trust of a key) for every key
needed to check the chain of certificates. You may choose from:
a) "I don't know" - then it is not possible to use any
of the chains of certificates, in which this key is used
as an introducer, to validate the target key. Use this if
you don't know the introducer.
b) "I do not trust" - Use this if you know that the introducer
does not do a good job in certifying other keys. The effect
is the same as with a) but for a) you may later want to
change the value because you got new information about this
introducer.
c) "I trust marginally" - Use this if you assume that the
introducer knows what he is doing. Together with some
other marginally trusted keys, GnuPG validates the target
key then as good.
d) "I fully trust" - Use this if you really know that this
introducer does a good job when certifying other keys.
If all the introducer are of this trust value, GnuPG
normally needs only one chain of signatures to validate
a target key okay. (But this may be adjusted with the help
of some options).
This information is confidential because it gives your personal
opinion on the trustworthiness of someone else. Therefore this data
is not stored in the keyring but in the "trustdb"
(~/.gnupg/trustdb.gpg). Do not assign a high trust value just
because the introducer is a friend of yours - decide how well she
understands the implications of key signatures and you may want to
tell her more about public key cryptography so you can later change
the trust value you assigned.
Okay, here is how GnuPG helps you with key management. Most stuff
is done with the --edit-key command
gpg --edit-key <keyid or username>
GnuPG displays some information about the key and then prompts
for a command (enter "help" to see a list of commands and see
the man page for a more detailed explanation). To sign a key
you select the user ID you want to sign by entering the number
that is displayed in the leftmost column (or do nothing if the
key has only one user ID) and then enter the command "sign" and
follow all the prompts. When you are ready, give the command
"save" (or use "quit" to cancel your actions).
If you want to sign the key with another of your user IDs, you
must give an "-u" option on the command line together with the
"--edit-key".
Normally you want to sign only one user ID because GnuPG
uses only one and this keeps the public key certificate
small. Because such key signatures are very important you
should make sure that the signatories of your key sign a user ID
which is very likely to stay for a long time - choose one with an
email address you have full control of or do not enter an email
address at all. In future GnuPG will have a way to tell which
user ID is the one with an email address you prefer - because
you have no signatures on this email address it is easy to change
this address. Remember, your signatories sign your public key (the
primary one) together with one of your user IDs - so it is not possible
to change the user ID later without voiding all the signatures.
Tip: If you hear about a key signing party on a computer conference
join it because this is a very convenient way to get your key
certified (But remember that signatures have nothing to to with the
trust you assign to a key).
8 Ways to Specify a User ID
--------------------------
There are several ways to specify a user ID, here are some examples.
* Only by the short keyid (prepend a zero if it begins with A..F):
"234567C4"
"0F34E556E"
"01347A56A"
"0xAB123456
* By a complete keyid:
"234AABBCC34567C4"
"0F323456784E56EAB"
"01AB3FED1347A5612"
"0x234AABBCC34567C4"
* By a fingerprint:
"1234343434343434C434343434343434"
"123434343434343C3434343434343734349A3434"
"0E12343434343434343434EAB3484343434343434"
The first one is MD5 the others are ripemd160 or sha1.
* By an exact string:
"=Heinrich Heine <heinrichh@uni-duesseldorf.de>"
* By an email address:
"<heinrichh@uni-duesseldorf.de>"
* By word match
"+Heinrich Heine duesseldorf"
All words must match exactly (not case sensitive) and appear in
any order in the user ID. Words are any sequences of letters,
digits, the underscore and characters with bit 7 set.
* Or by the usual substring:
"Heine"
"*Heine"
The '*' indicates substring search explicitly.
Batch mode
----------
If you use the option "--batch", GnuPG runs in non-interactive mode and
never prompts for input data. This does not even allow entering the
passphrase. Until we have a better solution (something like ssh-agent),
you can use the option "--passphrase-fd n", which works like PGP's
PGPPASSFD.
Batch mode also causes GnuPG to terminate as soon as a BAD signature is
detected.
Exit status
-----------
GnuPG returns with an exit status of 1 if in batch mode and a bad signature
has been detected or 2 or higher for all other errors. You should parse
stderr or, better, the output of the fd specified with --status-fd to get
detailed information about the errors.
Configure options
-----------------
Here is a list of configure options which are sometime useful
for installation.
--enable-static-rnd=<name>
Force the use of the random byte gathering
module <name>. Default is either to use /dev/random
or the auto mode. Value for name:
egd - Use the module which accesses the
Entropy Gathering Daemon. See the webpages
for more information about it.
unix - Use the standard Unix module which does not
have a very good performance.
linux - Use the module which accesses /dev/random.
This is the first choice and the default one
for GNU/Linux or *BSD.
auto - Compile linux, egd and unix in and
automagically select at runtime.
Using N of -2 includes all certificate except for the Root cert,
-1 includes all certs, 0 does not include any certs, 1 includes only
the signers cert (this is the default) and all other positives
values include up to N certs starting with the signer cert.
--with-egd-socket=<name>
This is only used when EGD is used as random
gatherer. GnuPG uses by default "~/.gnupg/entropy"
as the socket to connect EGD. Using this option the
socket name can be changed. You may use any filename
here with 2 exceptions: a filename starting with
"~/" uses the socket in the homedirectory of the user
and one starting with a "=" uses a socket in the
GnuPG homedirectory which is bye default "~/.gnupg".
--with-included-zlib
Forces usage of the local zlib sources. Default is
to use the (shared) library of the system.
--policy-file <filename>
--with-included-gettext
Forces usage of the local gettext sources instead of
the one provided by your system.
Chnage the deault name of the policy file
--disable-nls
Disable NLS support (See the file ABOUT-NLS)
--enable-policy-checks
--disable-policy-checks
--enable-m-guard
Enable the integrated malloc checking code. Please
note that this feature does not work on all CPUs
(e.g. SunOS 5.7 on UltraSparc-2) and might give
you a bus error.
By default policy checks are enabled. These options may be used to
change it.
--disable-dynload
If you have problems with dynamic loading, this
option disables all dynamic loading stuff. Note
that the use of dynamic linking is very limited.
--enable-crl-checks
--disable-crl-checks
--disable-asm
Do not use assembler modules. It is not possible
to use this on some CPU types.
--disable-exec
Disable all remote program execution. This
disables photo ID viewing as well as all keyserver
types aside from HKP.
By default the CRL checks are enabled and the DirMngr is used to
check for revoked certificates. The disable option is most useful
with a off-line connection to suppres this check.
--disable-photo-viewers
Disable only photo ID viewing.
--agent-program <path_to_agent_program>
--disable-keyserver-helpers
Disable only keyserver helpers (not including
HKP).
Specify an agent program to be used for secret key operations. The
default value is "../agent/gpg-agent". This is only used as a
fallback when the envrionment varaibale GPG_AGENT_INFO is not set or
a running agent can't be connected.
--dirmngr-program <path_to_dirmgr_program>
--disable-keyserver-path
Disables the user's ability to use the exec-path
feature to add additional search directories when
executing a keyserver helper.
Specify a dirmngr program to be used for CRL checks. The default
value is "/usr/sbin/dirmngr". This is only used as a fallback when
the envrionment varaibale DIRMNGR_INFO is not set or a running
dirmngr can't be connected.
--with-photo-viewer=FIXED_VIEWER
Force the photo viewer to be FIXED_VIEWER and
disable any ability for the user to change it in
their options file.
--no-secmem-warning
Don't print the warning "no secure memory"
Installation Problems
---------------------
If you get unresolved externals "gettext" you should run configure
again with the option "--with-included-gettext"; this is version
0.10.35 which is available at alpha.gnu.org.
--armor
If you have other compile problems, try the configure options
"--with-included-zlib" or "--disable-nls" (See ABOUT-NLS) or
--disable-dynload.
Create PEM ecoded output. Default is binary output.
We can't check all assembler files, so if you have problems
assembling them (or the program crashes) use --disable-asm with
./configure. The configure scripts may consider several
subdirectories to get all available assembler files; be sure to
delete the correct ones. The assembler replacements are in C and
in mpi/generic; never delete udiv-qrnnd.S in any CPU directory,
because there may be no C substitute. Don't forget to delete
"config.cache" and run "./config.status --recheck".
--base64
Some make tools are broken - the best solution is to use GNU's
make. Try gmake or grab the sources from a GNU archive and
install them.
Create Base-64 encoded output; i.e. PEM without the header lines.
On some OSF systems you may get unresolved externals. This is a
libtool problem and the workaround is to manually remove all the
"-lc -lz" but the last one from the linker line and execute them
manually.
--assume-armor
On some architectures you see warnings like:
longlong.h:175: warning: function declaration isn't a prototype
or
http.c:647: warning: cast increases required alignment of target type
This doesn't matter and we know about it (actually it is due to
some warning options which we have enabled for gcc)
Assume the input data is PEM encoded. Default is to autodetect the
encoding but this is may fail.
--assume-base64
Specific problems on some machines
----------------------------------
Assume the input data is plain base-64 encoded.
* IBM RS/6000 running AIX:
--assume-binary
Due to a change in gcc (since version 2.8) the MPI stuff may
not build. In this case try to run configure using:
CFLAGS="-g -O2 -mcpu=powerpc" ./configure
Assume the input data is binary encoded.
* Compaq C V6.2 for alpha:
--server
You may want to use the option "-msg-disable ptrmismatch1"
to get rid of the sign/unsigned char mismatch warnings.
Run in server mode. This is used by GPGME to control gpgsm. See
the assuan specification regarding gpgsm about the used protocol.
Some options are ignored in server mode.
* SVR4.2 (ESIX V4.2 cc)
--local-user <user_id>
Due to problems with the ESIX as, you probably want to do
CFLAGS="-O -K pentium" ./configure --disable-asm
Reported by Reinhard Wobst.
Set the user to be used for signing. The default is the first
secret key found in the database.
--with-key-data
Displays extra information with the --list-keys commands. Especiall
a line tagged "grp" si printed which tells you the keygrip of a
key. This is string is for example used as the filename of the
secret key.
The Random Device
-----------------
gpg-agent:
---------
Random devices are available in Linux, FreeBSD and OpenBSD.
Operating systems without a random devices must use another
entropy collector.
--pinentry-program <path_to_pinentry_program>
This collector works by running a lot of commands that yield more
or less unpredictable output and feds this as entropy into the
random generator - It should work reliably but you should check
whether it produces good output for your version of Unix. There
are some debug options to help you (see cipher/rndunix.c).
Specify the PINentry program. The default value is
"../../pinentry/kpinentry/kpinentry" so you most likely want to
specify it.
--no-grab
Tel the pinentry not to grab keybourd and mouse. You most likely
want to give this option during testing and development to avoid
lockups in case of bugs.
Creating an RPM package
-----------------------
The file scripts/gnupg.spec is used to build a RPM package (both
binary and src):
1. copy the spec file into /usr/src/redhat/SPECS
2. copy the tar file into /usr/src/redhat/SOURCES
3. type: rpm -ba SPECS/gnupg.spec
Or use the -t (--tarbuild) option of rpm:
1. rpm -ta gnupg-x.x.x.tar.gz
FILES
=====
The binary rpm file can now be found in /usr/src/redhat/RPMS, source
rpm in /usr/src/redhat/SRPMS
The default home directory is ~/.gnupg. It can be changed by
either the --homedir option or by seting the environment variable
GNUPGHOME. This is a list of files usually found in this directory:
gpgsm.conf
Options for gpgsm. Options are the same as the command line
options but don't enter the leading dashes and give arguments
without an equal sign. Blank lines and lines starting with a
hash mark as the first non whitye space character are ignored.
gpg-agent.conf
Options for gpg-agent
scdaemon.conf
Options for scdaemon.
dirmngr.conf
Options for the DirMngr which is not part of this package and
the option file wilol most likely be moved to /etc
gpg.conf
Options for gpg. Note that old versions of gpg use the
filename `options' instead of `gpg.conf'.
policies.txt
A list of allowed CA policies. This file should give the
object identifiers of the policies line by line. emptry lines
and lines startung with a hash mark are ignored.
++++++++++
2.289.9.9
++++++++++
trustlist.txt
A list of trusted certificates usually maintained by
gpg-agent. It can however be edited manually. The file will
be created automagically with some explaining comments.
random_seed
Used internally for keeping the state of the RNG over
invocations.
pubring.kbx
The database file with the certificates.
pubring.gpg
The database file with the OpenPGP public keys. This will
eventually be merged with pubring.kbx
secring.gpg
The database file with the OpenPGP secret keys. This will be
removed when gpg is changed to make use of the gpg-agent.
How to Get More Information
---------------------------
private-keys-v1.d/
The primary WWW page is "http://www.gnupg.org"
The primary FTP site is "ftp://ftp.gnupg.org/gcrypt/"
Directory holding the private keys maintained by gpg-agent.
For detailed info see agent/keyformat.txt. Note that there is
a helper tool gpg-protect-tool which may be used to protect or
unprotect keys. This is however nothing a user should care
about.
See http://www.gnupg.org/mirrors.html for a list of mirrors
and use them if possible. You may also find GnuPG mirrored on
some of the regular GNU mirrors.
We have some mailing lists dedicated to GnuPG:
How to specify a user ID
========================
gnupg-announce@gnupg.org For important announcements like
new versions and such stuff.
This is a moderated list and has
very low traffic.
Due to the way X.509 certificates are made up we need a few new ways
to specify a certificate (aka key in OpenPGP). In addition to the
ways a user ID can be specified with gpg, I have implemented 3 new
modes for gpgsm, here is the entire list of ways to specify a key:
gnupg-users@gnupg.org For general user discussion and
help.
* By keyID.
gnupg-devel@gnupg.org GnuPG developers main forum.
This format is deducded from the length of the string and its
content or "0x" prefix. For use with OpenPGP a exclamation mark may
be appended to force use of the specified (sub)key.
You subscribe to one of the list by sending mail with a subject
of "subscribe" to x-request@gnupg.org, where x is the name of the
mailing list (gnupg-announce, gnupg-users, etc.). An archive of
the mailing lists is available at http://lists.gnupg.org .
As with v34 OpenPGP keys, the keyID of an X509 certificate are the
low 64 bits of the SHA-1 fingerprint. The use of keyIDs is just a
shortcut, for all automated processing the fingerprint should be
used.
Please direct bug reports to <bug-gnupg@gnu.org> or post
them direct to the mailing list <gnupg-devel@gnupg.org>.
Examples:
Please direct questions about GnuPG to the users mailing list or
one of the pgp newsgroups; please do not direct questions to one
of the authors directly as we are busy working on improvements
and bug fixes. Both mailing lists are watched by the authors
and we try to answer questions when time allows us to do so.
234567C4
0F34E556E
01347A56A
0xAB123456
234AABBCC34567C4
0F323456784E56EAB
01AB3FED1347A5612
0x234AABBCC34567C4
* By fingerprint
This is format is deduced from the length of the string and its
content or "0x" prefix. Note, that only the 20 byte fingerprint is
used with GPGSM (SHA-1 hash of the certificate). For use with
OpenPGP a exclamation mark may be appended to force use of the
specified (sub)key.
Examples:
1234343434343434C434343434343434
123434343434343C3434343434343734349A3434
0E12343434343434343434EAB3484343434343434
0xE12343434343434343434EAB3484343434343434
* Exact match on OpenPGP user ID
This is denoted by a leading equal sign. It does not make much
sense for X.509.
Example:
=Heinrich Heine <heinrichh@uni-duesseldorf.de>
* Exact match on an email address.
This is indicated by enclosing the email address in the usual way
with left and right angles
Example:
<heinrichh@uni-duesseldorf.de>
* Word match
All words must match exactly (not case sensitive) but can appear in
any order in the user ID or a subjects name. Words are any
sequences of letters, digits, the underscore and all characters
with bit 7 set.
Example:
+Heinrich Heine duesseldorf
* [NEW] Exact match by subject's DN
This is indicated by a leading slash, directly followed by the
rfc2253 encoded DN of the subject.
Example:
/CN=Henrich Heine,O=Poets,L=Paris,C=FR
* [NEW] Excact match by issuer's DN
This is indicated by a leading hash mark, directly followed by a
slash and then directly followed by the rfc2253 encoded DN of the
issuer. This should return the Root cert of the issuer
Example:
#/CN=Root Cert,O=Poets,L=Paris,C=FR
* [NEW] Exact match by serial number and subject's DN
This is indicated by a hash mark, followed by the hexadecmal
representation of the serial number, the followed by a slahs and
the RFC2253 encoded DN of the issuer.
Example:
#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
* Substring match
By case insensitive substring matching. This is the default mode
but applications may want to explicitly indicate this by putting
the asterisk in front.
Example:
Heine
*Heine
Please note that we have reused the hash mark indentifier which was
used in old GnuPG versions to indicate the so called local-id. It is
not anymore used and there should be no conflict when used with X.509
stuff.
Using the rfc2253 format of DNs has the drawback that it is not
possible to map them back to the original encoding, however we don't
have to do this, because our key database stores this encoding as meta
data.
Some of the search modes are not yet implemented ;-)
How to import a private key
===========================
There is some limited support to import a private key from a PKCS-12
file. Note, that this does only import the private key and not any
certificates available in that file.
gpg-protect-tool --p12-import --store foo.p12
This require that the gpg-agent is running, alternative you may give
the passphrase on the commandline using the option "-P <passphrase>" -
however this is in general not a good idea. If that key already
exists, the protect-tool refuses to store it unless you use the option
"--force".
How to export a private key
===========================
There is also limited support to export a private key in PKCS-12
format. However the certificate is not stored and there is no MAC applied.
gpg-protect-tool --p12-export foo.key >foo.p12
Commercial grade support for GnuPG is available; please see
the GNU service directory or search other resources.

231
THANKS
View File

@ -1,232 +1,3 @@
GnuPG was originally written by Werner Koch. Other people contributed by
reporting problems, suggesting various improvements or submitting actual
code. Here is a list of those people. Help me keep it complete and free of
errors.
Adam Mitchell adam@cafe21.org
Albert Chin china@thewrittenword.com
Alec Habig habig@budoe2.bu.edu
Allan Clark allanc@sco.com
Anand Kumria wildfire@progsoc.uts.edu.au
Andreas Haumer andreas@xss.co.at
Anthony Mulcahy anthony@kcn.ne.jp
Ariel T Glenn ariel@columbia.edu
Bob Mathews bobmathews@mindspring.com
Bodo Moeller Bodo_Moeller@public.uni-hamburg.de
Brendan O'Dea bod@debian.org
Brenno de Winter brenno@dewinter.com
Brian M. Carlson karlsson@hal-pc.org
Brian Moore bem@cmc.net
Brian Warner warner@lothar.com
Bryan Fullerton bryanf@samurai.com
Caskey L. Dickson caskey@technocage.com
Cees van de Griend cees-list@griend.xs4all.nl
Charles Levert charles@comm.polymtl.ca
Chip Salzenberg chip@valinux.com
Chris Adams cmadams@hiwaay.net
Christian Biere christianbiere@gmx.de
Christian Kurz shorty@debian.org
Christian von Roques roques@pond.sub.org
Christopher Oliver oliver@fritz.traverse.net
Christian Recktenwald chris@citecs.de
Dan Winship danw@helixcode.com
Daniel Eisenbud eisenbud@cs.swarthmore.edu
Daniel Koening dan@mail.isis.de
Daniel Resare daniel@resare.com
Dave Dykstra dwd@bell-labs.com
David C Niemi niemi@tuxers.net
David Champion dgc@uchicago.edu
David D. Scribner dscribner@bigfoot.com
David Ellement ellement@sdd.hp.com
David Hallinan hallinan@rtd.com
David Hollenberg dhollen@ISI.EDU
David Mathog MATHOG@seqaxp.bio.caltech.edu
David R. Bergstein dbergstein@home.com
David Shaw dshaw@jabberwocky.com
Detlef Lannert lannert@lannert.rz.uni-duesseldorf.de
Dimitri dmitri@advantrix.com
Dirk Lattermann dlatt@t-online.de
Dirk Meyer dirk.meyer@dinoex.sub.org
Disastry Disastry@saiknes.lv
Douglas Calvert dfc@anize.org
Ed Boraas ecxjo@esperanto.org
Edmund GRIMLEY EVANS edmundo@rano.org
Edwin Woudt edwin@woudt.nl
Enzo Michelangeli em@MailAndNews.com
Ernst Molitor ernst.molitor@uni-bonn.de
Fabio Coatti cova@ferrara.linux.it
Felix von Leitner leitner@amdiv.de
fish stiqz fish@analog.org
Florian Weimer Florian.Weimer@rus.uni-stuttgart.de
Francesco Potorti pot@gnu.org
Frank Donahoe fdonahoe@wilkes1.wilkes.edu
Frank Heckenbach heckenb@mi.uni-erlangen.de
Frank Stajano frank.stajano@cl.cam.ac.uk
Frank Tobin ftobin@uiuc.edu
Gabriel Rosenkoetter gr@eclipsed.net
Gaël Quéri gael@lautre.net
Gene Carter gcarter@lanier.com
Georg Schwarz georg.schwarz@iname.com
Giampaolo Tomassoni g.tomassoni@libero.it
Gilbert Fernandes gilbert_fernandes@hotmail.com
Greg Louis glouis@dynamicro.on.ca
Greg Troxel gdt@ir.bbn.com
Gregory Steuck steuck@iname.com
Geoff Keating geoffk@ozemail.com.au
Harald Denker harry@hal.westfalen.de
Holger Baust Holger.Baust@freenet-ag.de
Hendrik Buschkamp buschkamp@rheumanet.org
Holger Schurig holger@d.om.org
Holger Smolinski smolinsk@de.ibm.com
Holger Trapp Holger.Trapp@informatik.tu-chemnitz.de
Hugh Daniel hugh@toad.com
Huy Le huyle@ugcs.caltech.edu
Ian McKellar imckellar@harvestroad.com.au
Ingo Klöcker kloecker@kde.org
Ivo Timmermans itimmermans@bigfoot.com
Jan Krueger max@physics.otago.ac.nz
Jan Niehusmann jan@gondor.com
Janusz A. Urbanowicz alex@bofh.torun.pl
James Troup james@nocrew.org
Jean-loup Gailly gzip@prep.ai.mit.edu
Jeff Long long@kestrel.cc.ukans.edu
Jeffery Von Ronne jronne@ics.uci.edu
Jens Bachem bachem@rrz.uni-koeln.de
Jeroen C. van Gelderen jeroen@vangelderen.org
J Horacio MG homega@ciberia.es
J. Michael Ashley jashley@acm.org
Jim Bauer jfbauer@home.com
Jim Small cavenewt@my-deja.com
Joachim Backes backes@rhrk.uni-kl.de
Joe Rhett jrhett@isite.net
John A. Martin jam@jamux.com
Johnny Teveßen j.tevessen@gmx.de
Jörg Schilling schilling@fokus.gmd.de
Jos Backus Jos.Backus@nl.origin-it.com
Jun Kuriyama kuriyama@sky.rim.or.jp
Kahil D. Jallad kdj4@cs.columbia.edu
Karl Fogel kfogel@guanabana.onshore.com
Karsten Thygesen karthy@kom.auc.dk
Katsuhiro Kondou kondou@nec.co.jp
Kazu Yamamoto kazu@iijlab.net
Keith Clayton keith@claytons.org
Kevin Ryde user42@zip.com.au
Klaus Singvogel ks@caldera.de
Kurt Garloff garloff@suse.de
Lars Kellogg-Stedman lars@bu.edu
L. Sassaman rabbi@quickie.net
M Taylor mctaylor@privacy.nb.ca
Marcel Waldvogel mwa@arl.wustl.edu
Marco d'Itri md@linux.it
Marco Parrone marc0@autistici.org
Marcus Brinkmann Marcus.Brinkmann@ruhr-uni-bochum.de
Mark Adler madler@alumni.caltech.edu
Mark Elbrecht snowball3@bigfoot.com
Mark Pettit pettit@yahoo-inc.com
Markus Friedl Markus.Friedl@informatik.uni-erlangen.de
Martin Kahlert martin.kahlert@provi.de
Martin Hamilton
Martin Schulte schulte@thp.uni-koeln.de
Matt Kraai kraai@alumni.carnegiemellon.edu
Matthew Skala mskala@ansuz.sooke.bc.ca
Matthew Wilcox matthew@wil.cx
Matthias Urlichs smurf@noris.de
Max Valianskiy maxcom@maxcom.ml.org
Michael Engels michael.engels@uni-duesseldorf.de
Michael Fischer v. Mollard mfvm@gmx.de
Michael Roth mroth@nessie.de
Michael Sobolev mss@despair.transas.com
Michael Tokarev mjt@tls.msk.ru
Nicolas Graner Nicolas.Graner@cri.u-psud.fr
Mike McEwan mike@lotusland.demon.co.uk
Neal H Walfield neal@cs.uml.edu
NIIBE Yutaka gniibe@chroot.org
Niklas Hernaeus
Nimrod Zimerman zimerman@forfree.at
N J Doye nic@niss.ac.uk
Oliver Haakert haakert@hsp.de
Oskari Jääskeläinen f33003a@cc.hut.fi
Pascal Scheffers Pascal@scheffers.net
Paul D. Smith psmith@baynetworks.com
Per Cederqvist ceder@lysator.liu.se
Phil Blundell pb@debian.org
Philippe Laliberte arsphl@oeil.qc.ca
Peter Fales psfales@lucent.com
Peter Gutmann pgut001@cs.auckland.ac.nz
Peter Marschall Peter.Marschall@gedos.de
Peter Valchev pvalchev@openbsd.org
Piotr Krukowiecki piotr@pingu.ii.uj.edu.pl
QingLong qinglong@bolizm.ihep.su
Ralph Gillen gillen@theochem.uni-duesseldorf.de
Rat ratinox@peorth.gweep.net
Reinhard Wobst R.Wobst@ifw-dresden.de
Rémi Guyomarch rguyom@mail.dotcom.fr
Reuben Sumner rasumner@wisdom.weizmann.ac.il
Richard Outerbridge outer@interlog.com
Robert Joop rj@rainbow.in-berlin.de
Roddy Strachan roddy@satlink.com.au
Roger Sondermann r.so@bigfoot.com
Roland Rosenfeld roland@spinnaker.rhein.de
Roman Pavlik rp@tns.cz
Ross Golder rossigee@bigfoot.com
Ryan Malayter rmalayter@bai.org
Sam Roberts sam@cogent.ca
Sami Tolvanen sami@tolvanen.com
Sean MacLennan seanm@netwinder.org
Sebastian Klemke packet@convergence.de
Serge Munhoven munhoven@mema.ucl.ac.be
SL Baur steve@xemacs.org
Stefan Bellon sbellon@sbellon.de
Stefan Karrmann S.Karrmann@gmx.net
Stefan Keller dres@cs.tu-berlin.de
Steffen Ullrich ccrlphr@xensei.com
Steffen Zahn zahn@berlin.snafu.de
Steven Bakker steven@icoe.att.com
Steven Murdoch sjmurdoch@bigfoot.com
Susanne Schultz schultz@hsp.de
Ted Cabeen secabeen@pobox.com
Thiago Jung Bauermann jungmann@cwb.matrix.com.br
Thomas Roessler roessler@guug.de
Tim Mooney mooney@dogbert.cc.ndsu.nodak.edu
Timo Schulz towaday@freakmail.de
TOGAWA Satoshi Satoshi.Togawa@jp.yokogawa.com
Tom Spindler dogcow@home.merit.edu
Tom Zerucha tzeruch@ceddec.com
Tomas Fasth tomas.fasth@twinspot.net
Tommi Komulainen Tommi.Komulainen@iki.fi
Thomas Klausner wiz@danbala.ifoer.tuwien.ac.at
Tomasz Kozlowski tomek@rentec.com
Thomas Mikkelsen tbm@image.dk
Ulf Möller 3umoelle@informatik.uni-hamburg.de
Urko Lusa ulusa@euskalnet.net
Vincent P. Broman broman@spawar.navy.mil
W Lewis wiml@hhhh.org
Walter Hofmann Walter.Hofmann@physik.stud.uni-erlangen.de
Walter Koch koch@hsp.de
Wayne Chapeskie waynec@spinnaker.com
Werner Koch wk@gnupg.org
Wim Vandeputte bunbun@reptile.rug.ac.be
Winona Brown win@huh.org
Yosiaki IIDA iida@ring.gr.jp
Yoshihiro Kajiki kajiki@ylug.org
nbecker@hns.com
Thanks to the German Unix User Group for sponsoring this project,
Martin Hamilton for hosting the first mailing list and OpenIT for
cheap hosting conditions.
The development of this software has partly been funded by the German
Ministry for Economics and Technology under grant VIB3-68553.168-001/1999.
Many thanks to my wife Gerlinde for having so much patience with
me while hacking late in the evening.
Copyright 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Richard Lefebvre rick@CERCA.UMontreal.CA

141
TODO
View File

@ -1,104 +1,61 @@
* Reword the "Not enough entropy" messages.
-*- outline -*-
* Do we need a configure test for putenv?
* src/base64
** Make parsing more robust
Currently we don't cope with overlong lines in the best way.
* Check for consistent spelling of user ID, key ID etc.
Replace "user id not found" in getkey.c by "no valid user ID found".
* Describe some pitfalls when using EGD. Check that ~/.gnupg/entropy
really is the default. What about needed permission?
* sm/call-agent.c
** The protocol uses an incomplete S-expression
We should always use valid S-Exp and not just parts.
** Some code should go into import.c
** When we allow concurrent service request in gpgsm, we
might want to have an agent context for each service request
(i.e. Assuan context).
* Using an expired key for signing should give an error message
"expired key" and not "unusable key'. Furthermore the error should
also be thrown when the default key has expired. Reported by
Eric.VanBuggenhaut add AdValvas.be.
* sm/certreqgen.c
** Improve error reporting
** Do some basic checks on the supplied DNs
* pause scrolling help in --edit-key and elsewhere.
* sm/certchain.c
** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent.
** figure out how to auto retrieve a key by serialno+issuer.
Dirmngr is currently not able to parse more than the CN.
* getkey does not return revoked/expired keys - therefore it is not
possible to override it.
* sm/decrypt.c
** replace leading zero in integer hack by a cleaner solution
* Selection using +wordlist does not work.
What about adding a feature -word to the +wordlist search mode.
* sm/sign.c
** Don't hardcode the use of RSA.
* Check the changes to the gpg random gatherer on all W32 platforms.
* sm/gpgsm.c
** Support --output
** mark all unimplemented commands and options.
* Show more info does not work from edit->trust
* Check that no secret temporary results are stored in the result parameter
of the mpi functions. We have already done this for mpi-mul.c
* We need another special packet at the end of a clearsign message to mark
it's end and allow for multiple signature for one message. And
add a real grammar to the code in mainproc.c
* If there is no secure memory, allocate more memory for the secure
memory block or do it in all cases.
* add some minor things vor VMS.
* Use DSA keys with the test suite (partly done)
* Fix the bug in the mips assembler code
* Add a way to show the fingerprint of an key signator's keys
* Add an is_valid flag to each user ID.
* Replace the printing of the user name by [self-signature] when
appropriate so that a key listing does not get clobbered.
* Concatenated encryption messages don't work corectly - only the
first one is processed.
* Add option to put the list of recipients (from the encryption
layer) into the signatures notation data.
* --disable-asm should still assemble _udiv_qrnnd when needed
* Get new assembler stuff from gmp 3.1
* use DEL and ^H for erasing the previous character (util/ttyio.c).
or better readline.
* add test cases for invalid data (scrambled armor or other random data)
* add checking of armor trailers. Try to detect garbled header
lines. Often one dash is missing due to sloppy cut+paste; so add
a warning note like the one for QP.
* the pubkey encrypt functions should do some sanity checks.
* "gpg filename.tar.gz.asc" should work like --verify (-sab).
* for messages created with "-t", it might make sense to append the
verification status of the message to the output (i.e. write something to
the --output file and not only to stderr. However the problem is
that we consider the message transpatrent and don't have any
indication of the used character set. To implement this feature
we need to make sure that all output is plain 7 bit ascii but
given that we need to print a user name, this does not make sense
at all. The only way this can be implemented is by assuming that
the message is encoded in utf8 and hope tht everyone starts to use
utf8 instead of latin-1 or whatever RSN. Hmmm, I myself should
start with this.
* keyflags don't distinguish between {certify,signature}-only.
* Instead of issuing a "signature packet without keyid" gpg should
try to get the keyID from a corresponding one-pass signature
packet (See bug report 817). This is not easy to do as we don't
store the one-pass packets.
* cat foo | gpg --sign | gpg --list-packets
Does not list the signature packet.
* When presenting the result of a verification show the user ID with
the highest trust level first instead of the primary one.
* sm/keydb.c
** Check file permissions
** Write a keybox header and check for that magic value.
** Check that all error code mapping is done.
** Remove the inter-module dependencies between gpgsm and keybox
* agent/command.c
** Make sure that secure memory is used where appropriate
** Implement option passing per connection (DISPLAY and TTY)
* agent/pkdecrypt.c, agent/pksign.c
** Don't use stdio to return results.
* agent/protect-tool.c
** Export and import certificates along with the secret key.
** Make it more comfortable; i.e. copy files to the correct place.
* Move pkcs-1 encoding into libgcrypt.
* Use a MAC to protect some files.
* sm/export.c
** Return an error code or a status info per user ID.
Things we won't do
------------------
* New option --file-remove path-to-wipe-program ?

841
acinclude.m4
View File

@ -17,14 +17,6 @@ dnl You should have received a copy of the GNU General Public License
dnl along with this program; if not, write to the Free Software
dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
dnl GNUPG_MSG_PRINT(STRING)
dnl print a message
dnl
define(GNUPG_MSG_PRINT,
[ echo $ac_n "$1"" $ac_c" 1>&AC_FD_MSG
])
dnl GNUPG_CHECK_TYPEDEF(TYPE, HAVE_NAME)
dnl Check whether a typedef exists and create a #define $2 if it exists
dnl
@ -44,315 +36,95 @@ AC_DEFUN(GNUPG_CHECK_TYPEDEF,
])
dnl GNUPG_CHECK_GNUMAKE
dnl
AC_DEFUN(GNUPG_CHECK_GNUMAKE,
[
if ${MAKE-make} --version 2>/dev/null | grep '^GNU ' >/dev/null 2>&1; then
:
else
AC_MSG_WARN([[
***
*** It seems that you are not using GNU make. Some make tools have serious
*** flaws and you may not be able to build this software at all. Before you
*** complain, please try GNU make: GNU make is easy to build and available
*** at all GNU archives. It is always available from ftp.gnu.org:/gnu/make.
***]])
fi
])
dnl GNUPG_CHECK_FAQPROG
dnl
AC_DEFUN(GNUPG_CHECK_FAQPROG,
[ AC_MSG_CHECKING(for faqprog.pl)
if faqprog.pl -V 2>/dev/null | grep '^faqprog.pl ' >/dev/null 2>&1; then
working_faqprog=yes
FAQPROG="faqprog.pl"
else
working_faqprog=no
FAQPROG=": "
fi
AC_MSG_RESULT($working_faqprog)
AC_SUBST(FAQPROG)
AM_CONDITIONAL(WORKING_FAQPROG, test "$working_faqprog" = "yes" )
dnl if test $working_faqprog = no; then
dnl AC_MSG_WARN([[
dnl ***
dnl *** It seems that the faqprog.pl program is not installed;
dnl *** however it is only needed if you want to change the FAQ.
dnl *** (faqprog.pl should be available at:
dnl *** ftp://ftp.gnupg.org/pub/gcrypt/contrib/faqprog.pl )
dnl *** No need to worry about this warning.
dnl ***]])
dnl fi
])
dnl GNUPG_CHECK_DOCBOOK_TO_TEXI
dnl
AC_DEFUN(GNUPG_CHECK_DOCBOOK_TO_TEXI,
[
AC_CHECK_PROG(DOCBOOK_TO_TEXI, docbook2texi, yes, no)
AC_MSG_CHECKING(for sgml to texi tools)
working_sgmltotexi=no
if test "$ac_cv_prog_DOCBOOK_TO_TEXI" = yes; then
if sgml2xml -v /dev/null 2>&1 | grep 'SP version' >/dev/null 2>&1 ; then
working_sgmltotexi=yes
fi
fi
AC_MSG_RESULT($working_sgmltotexi)
AM_CONDITIONAL(HAVE_DOCBOOK_TO_TEXI, test "$working_sgmltotexi" = "yes" )
])
dnl GNUPG_CHECK_ENDIAN
dnl define either LITTLE_ENDIAN_HOST or BIG_ENDIAN_HOST
dnl
define(GNUPG_CHECK_ENDIAN,
[ if test "$cross_compiling" = yes; then
AC_MSG_WARN(cross compiling; assuming little endianess)
fi
AC_MSG_CHECKING(endianess)
AC_CACHE_VAL(gnupg_cv_c_endian,
[ gnupg_cv_c_endian=unknown
# See if sys/param.h defines the BYTE_ORDER macro.
AC_TRY_COMPILE([#include <sys/types.h>
#include <sys/param.h>], [
#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
bogus endian macros
#endif], [# It does; now see whether it defined to BIG_ENDIAN or not.
AC_TRY_COMPILE([#include <sys/types.h>
#include <sys/param.h>], [
#if BYTE_ORDER != BIG_ENDIAN
not big endian
#endif], gnupg_cv_c_endian=big, gnupg_cv_c_endian=little)])
if test "$gnupg_cv_c_endian" = unknown; then
AC_TRY_RUN([main () {
/* Are we little or big endian? From Harbison&Steele. */
union
{
long l;
char c[sizeof (long)];
} u;
u.l = 1;
exit (u.c[sizeof (long) - 1] == 1);
}],
gnupg_cv_c_endian=little,
gnupg_cv_c_endian=big,
gnupg_cv_c_endian=little
)
fi
# Check for the getsockopt SO_PEERCRED
AC_DEFUN(GNUPG_SYS_SO_PEERCRED,
[ AC_MSG_CHECKING(for SO_PEERCRED)
AC_CACHE_VAL(gnupg_cv_sys_so_peercred,
[AC_TRY_COMPILE([#include <sys/socket.h>],
[struct ucred cr;
int cl = sizeof cr;
getsockopt (1, SOL_SOCKET, SO_PEERCRED, &cr, &cl);],
gnupg_cv_sys_so_peercred=yes,
gnupg_cv_sys_so_peercred=no)
])
AC_MSG_RESULT([$gnupg_cv_c_endian])
if test "$gnupg_cv_c_endian" = little; then
AC_DEFINE(LITTLE_ENDIAN_HOST,1,
[Defined if the host has little endian byte ordering])
else
AC_DEFINE(BIG_ENDIAN_HOST,1,
[Defined if the host has big endian byte ordering])
fi
])
dnl GNUPG_CHECK_CACHE
dnl
define(GNUPG_CHECK_CACHE,
[ AC_MSG_CHECKING(cached information)
gnupg_hostcheck="$target"
AC_CACHE_VAL(gnupg_cv_hostcheck, [ gnupg_cv_hostcheck="$gnupg_hostcheck" ])
if test "$gnupg_cv_hostcheck" != "$gnupg_hostcheck"; then
AC_MSG_RESULT(changed)
AC_MSG_WARN(config.cache exists!)
AC_MSG_ERROR(you must do 'make distclean' first to compile for
different target or different parameters.)
else
AC_MSG_RESULT(ok)
AC_MSG_RESULT($gnupg_cv_sys_so_peercred)
if test $gnupg_cv_sys_so_peercred = yes; then
AC_DEFINE(HAVE_SO_PEERCRED, 1,
[Defined if SO_PEERCRED is supported (Linux)])
fi
])
######################################################################
# Check for -fPIC etc (taken from libtool)
# This sets CFLAGS_PIC to the required flags
# NO_PIC to yes if it is not possible to
# generate PIC
######################################################################
dnl GNUPG_CHECK_PIC
dnl
define(GNUPG_CHECK_PIC,
[ AC_MSG_CHECKING(for option to create PIC)
CFLAGS_PIC=
NO_PIC=no
if test "$cross_compiling" = yes; then
AC_MSG_RESULT(assume none)
else
if test "$GCC" = yes; then
CFLAGS_PIC="-fPIC"
else
case "$host_os" in
aix3* | aix4*)
# All rs/6000 code is PIC
# but is there any non-rs/6000 AIX platform?
;;
hpux9* | hpux10*)
CFLAGS_PIC="+Z"
;;
# GNUPG_BUILD_PROGRAM(NAME,DEFAULT)
# Add a --enable-NAME option to configure an set the
# shell variable build_NAME either to "yes" or "no". DEFAULT must
# either be "yes" or "no" and decided on the default value for
# build_NAME and whether --enable-NAME or --disable-NAME is shown with
# ./configure --help
AC_DEFUN(GNUPG_BUILD_PROGRAM,
[build_$1=$2
m4_if([$2],[yes],[
AC_ARG_ENABLE([$1], AC_HELP_STRING([--disable-$1],
[do not build the $1 program]),
build_$1=$enableval, build_$1=$2)
],[
AC_ARG_ENABLE([$1], AC_HELP_STRING([--enable-$1],
[build the $1 program]),
build_$1=$enableval, build_$1=$2)
])
case "$build_$1" in
no|yes)
;;
*)
AC_MSG_ERROR([only yes or no allowed for feature --enable-$1])
;;
esac
])
irix5* | irix6*)
# PIC (with -KPIC) is the default.
;;
osf3* | osf4*)
# FIXME - pic_flag is probably required for
# hppa*-osf* and i860-osf*
;;
sco3.2v5*)
CFLAGS_PIC='-Kpic'
;;
solaris2* | solaris7* )
CFLAGS_PIC='-KPIC'
;;
sunos4*)
CFLAGS_PIC='-PIC'
;;
*)
NO_PIC=yes
;;
esac
fi
case "$host_cpu" in
rs6000 | powerpc | powerpcle)
# Yippee! All RS/6000 and PowerPC code is position-independent.
CFLAGS_PIC=""
;;
# GNUPG_PTH_VERSION_CHECK(REQUIRED)
#
# If the version is sufficient, HAVE_PTH will be set to yes.
#
# Taken form the m4 macros which come with Pth
AC_DEFUN(GNUPG_PTH_VERSION_CHECK,
[
_pth_version=`$PTH_CONFIG --version | awk 'NR==1 {print [$]3}'`
_req_version="ifelse([$1],,1.2.0,$1)"
for _var in _pth_version _req_version; do
eval "_val=\"\$${_var}\""
_major=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\1/'`
_minor=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\2/'`
_rtype=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\3/'`
_micro=`echo $_val | sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\([[ab.]]\)\([[0-9]]*\)/\4/'`
case $_rtype in
"a" ) _rtype=0 ;;
"b" ) _rtype=1 ;;
"." ) _rtype=2 ;;
esac
if test "$NO_PIC" = yes; then
AC_MSG_RESULT(not possible)
else
if test -z "$CFLAGS_PIC"; then
AC_MSG_RESULT(none)
else
AC_MSG_RESULT($CFLAGS_PIC)
_hex=`echo dummy | awk '{ printf("%d%02d%1d%02d", major, minor, rtype, micro); }' \
"major=$_major" "minor=$_minor" "rtype=$_rtype" "micro=$_micro"`
eval "${_var}_hex=\"\$_hex\""
done
have_pth=no
if test ".$_pth_version_hex" != .; then
if test ".$_req_version_hex" != .; then
if test $_pth_version_hex -ge $_req_version_hex; then
have_pth=yes
fi
fi
fi
if test $have_pth = no; then
AC_MSG_WARN([[
***
*** Found Pth version $_pth_version, but require at least
*** version $_req_version. Please upgrade Pth first.
***]])
fi
])
######################################################################
# Check for export-dynamic flag
# This sets CFLAGS_EXPORTDYNAMIC to the required flags
######################################################################
dnl GNUPG_CHECK_EXPORTDYNAMIC
dnl
define(GNUPG_CHECK_EXPORTDYNAMIC,
[ AC_MSG_CHECKING(how to specify -export-dynamic)
if test "$cross_compiling" = yes; then
AC_MSG_RESULT(assume none)
CFLAGS_EXPORTDYNAMIC=""
else
AC_CACHE_VAL(gnupg_cv_export_dynamic,[
if AC_TRY_COMMAND([${CC-cc} $CFLAGS -Wl,--version 2>&1 |
grep "GNU ld" >/dev/null]); then
# using gnu's linker
gnupg_cv_export_dynamic="-Wl,-export-dynamic"
else
case "$host_os" in
hpux* )
gnupg_cv_export_dynamic="-Wl,-E"
;;
* )
gnupg_cv_export_dynamic=""
;;
esac
fi
])
AC_MSG_RESULT($gnupg_cv_export_dynamic)
CFLAGS_EXPORTDYNAMIC="$gnupg_cv_export_dynamic"
fi
])
#####################################################################
# Check for SysV IPC (from GIMP)
# And see whether we have a SHM_LOCK (FreeBSD does not have it).
#####################################################################
dnl GNUPG_CHECK_IPC
dnl
define(GNUPG_CHECK_IPC,
[ AC_CHECK_HEADERS(sys/ipc.h sys/shm.h)
if test "$ac_cv_header_sys_shm_h" = "yes"; then
AC_MSG_CHECKING(whether IPC_RMID allowes subsequent attaches)
AC_CACHE_VAL(gnupg_cv_ipc_rmid_deferred_release,
AC_TRY_RUN([
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
int main()
{
int id;
char *shmaddr;
id = shmget (IPC_PRIVATE, 4, IPC_CREAT | 0777);
if (id == -1)
exit (2);
shmaddr = shmat (id, 0, 0);
shmctl (id, IPC_RMID, 0);
if ((char*) shmat (id, 0, 0) == (char*) -1)
{
shmdt (shmaddr);
exit (1);
}
shmdt (shmaddr);
shmdt (shmaddr);
exit (0);
}
],
gnupg_cv_ipc_rmid_deferred_release="yes",
gnupg_cv_ipc_rmid_deferred_release="no",
gnupg_cv_ipc_rmid_deferred_release="assume-no")
)
if test "$gnupg_cv_ipc_rmid_deferred_release" = "yes"; then
AC_DEFINE(IPC_RMID_DEFERRED_RELEASE,1,
[Defined if we can do a deferred shm release])
AC_MSG_RESULT(yes)
else
if test "$gnupg_cv_ipc_rmid_deferred_release" = "no"; then
AC_MSG_RESULT(no)
else
AC_MSG_RESULT([assuming no])
fi
fi
AC_MSG_CHECKING(whether SHM_LOCK is available)
AC_CACHE_VAL(gnupg_cv_ipc_have_shm_lock,
AC_TRY_COMPILE([#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>],[
int shm_id;
shmctl(shm_id, SHM_LOCK, 0);
],
gnupg_cv_ipc_have_shm_lock="yes",
gnupg_cv_ipc_have_shm_lock="no"
)
)
if test "$gnupg_cv_ipc_have_shm_lock" = "yes"; then
AC_DEFINE(IPC_HAVE_SHM_LOCK,1,
[Defined if a SysV shared memory supports the LOCK flag])
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
fi
])
######################################################################
# Check whether mlock is broken (hpux 10.20 raises a SIGBUS if mlock
# is not called from uid 0 (not tested whether uid 0 works)
@ -448,295 +220,206 @@ define(GNUPG_CHECK_MLOCK,
])
################################################################
# GNUPG_PROG_NM - find the path to a BSD-compatible name lister
AC_DEFUN(GNUPG_PROG_NM,
[AC_MSG_CHECKING([for BSD-compatible nm])
AC_CACHE_VAL(ac_cv_path_NM,
[if test -n "$NM"; then
# Let the user override the test.
ac_cv_path_NM="$NM"
else
IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:"
for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
test -z "$ac_dir" && ac_dir=.
if test -f $ac_dir/nm; then
# Check to see if the nm accepts a BSD-compat flag.
# Adding the `sed 1q' prevents false positives on HP-UX, which says:
# nm: unknown option "B" ignored
if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
ac_cv_path_NM="$ac_dir/nm -B"
elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
ac_cv_path_NM="$ac_dir/nm -p"
else
ac_cv_path_NM="$ac_dir/nm"
fi
break
fi
done
IFS="$ac_save_ifs"
test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
fi])
NM="$ac_cv_path_NM"
AC_MSG_RESULT([$NM])
AC_SUBST(NM)
])
# GNUPG_SYS_NM_PARSE - Check for command ro grab the raw symbol name followed
# by C symbol name from nm.
AC_DEFUN(GNUPG_SYS_NM_PARSE,
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
AC_REQUIRE([GNUPG_PROG_NM])dnl
# Check for command to grab the raw symbol name followed by C symbol from nm.
AC_MSG_CHECKING([command to parse $NM output])
AC_CACHE_VAL(ac_cv_sys_global_symbol_pipe,
[# These are sane defaults that work on at least a few old systems.
# {They come from Ultrix. What could be older than Ultrix?!! ;)}
dnl [copied from libgcrypt]
dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
dnl Test for liblibgcrypt and define LIBGCRYPT_CFLAGS and LIBGCRYPT_LIBS
dnl
AC_DEFUN(AM_PATH_LIBGCRYPT,
[ AC_ARG_WITH(libgcrypt-prefix,
AC_HELP_STRING([--with-libgcrypt-prefix=PFX],
[prefix where LIBGCRYPT is installed (optional)]),
libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
if test x$libgcrypt_config_prefix != x ; then
libgcrypt_config_args="$libgcrypt_config_args --prefix=$libgcrypt_config_prefix"
if test x${LIBGCRYPT_CONFIG+set} != xset ; then
LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
fi
fi
changequote(,)dnl
# Character class describing NM global symbol codes.
ac_symcode='[BCDEGRSTU]'
# Regexp to match symbols that can be accessed directly from C.
ac_sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
# Transform the above into a raw symbol and a C symbol.
ac_symxfrm='\1 \1'
# Define system-specific variables.
case "$host_os" in
aix*)
ac_symcode='[BCDTU]'
;;
freebsd* | netbsd* | openbsd* | bsdi* | sunos* | cygwin32* | mingw32*)
ac_sympat='_\([_A-Za-z][_A-Za-z0-9]*\)'
ac_symxfrm='_\1 \1'
;;
irix*)
# Cannot use undefined symbols on IRIX because inlined functions mess us up.
ac_symcode='[BCDEGRST]'
;;
solaris*)
ac_symcode='[BDTU]'
;;
esac
# If we're using GNU nm, then use its standard symbol codes.
if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then
ac_symcode='[ABCDGISTUW]'
fi
case "$host_os" in
cygwin32* | mingw32*)
# We do not want undefined symbols on cygwin32. The user must
# arrange to define them via -l arguments.
ac_symcode='[ABCDGISTW]'
;;
esac
changequote([,])dnl
# Write the raw and C identifiers.
ac_cv_sys_global_symbol_pipe="sed -n -e 's/^.* $ac_symcode $ac_sympat$/$ac_symxfrm/p'"
# Check to see that the pipe works correctly.
ac_pipe_works=no
cat > conftest.$ac_ext <<EOF
#ifdef __cplusplus
extern "C" {
#endif
char nm_test_var;
void nm_test_func(){}
#ifdef __cplusplus
}
#endif
int main(){nm_test_var='a';nm_test_func;return 0;}
EOF
if AC_TRY_EVAL(ac_compile); then
# Now try to grab the symbols.
ac_nlist=conftest.nm
if AC_TRY_EVAL(NM conftest.$ac_objext \| $ac_cv_sys_global_symbol_pipe \> $ac_nlist) && test -s "$ac_nlist"; then
# Try sorting and uniquifying the output.
if sort "$ac_nlist" | uniq > "$ac_nlist"T; then
mv -f "$ac_nlist"T "$ac_nlist"
ac_wcout=`wc "$ac_nlist" 2>/dev/null`
changequote(,)dnl
ac_count=`echo "X$ac_wcout" | sed -e 's,^X,,' -e 's/^[ ]*\([0-9][0-9]*\).*$/\1/'`
changequote([,])dnl
(test "$ac_count" -ge 0) 2>/dev/null || ac_count=-1
else
rm -f "$ac_nlist"T
ac_count=-1
fi
# Make sure that we snagged all the symbols we need.
if egrep ' nm_test_var$' "$ac_nlist" >/dev/null; then
if egrep ' nm_test_func$' "$ac_nlist" >/dev/null; then
cat <<EOF > conftest.c
#ifdef __cplusplus
extern "C" {
#endif
EOF
# Now generate the symbol file.
sed 's/^.* \(.*\)$/extern char \1;/' < "$ac_nlist" >> conftest.c
cat <<EOF >> conftest.c
#if defined (__STDC__) && __STDC__
# define __ptr_t void *
#else
# define __ptr_t char *
#endif
/* The number of symbols in dld_preloaded_symbols, -1 if unsorted. */
int dld_preloaded_symbol_count = $ac_count;
/* The mapping between symbol names and symbols. */
struct {
char *name;
__ptr_t address;
}
changequote(,)dnl
dld_preloaded_symbols[] =
changequote([,])dnl
{
EOF
sed 's/^\(.*\) \(.*\)$/ {"\1", (__ptr_t) \&\2},/' < "$ac_nlist" >> conftest.c
cat <<\EOF >> conftest.c
{0, (__ptr_t) 0}
};
#ifdef __cplusplus
}
#endif
EOF
# Now try linking the two files.
mv conftest.$ac_objext conftestm.$ac_objext
ac_save_LIBS="$LIBS"
ac_save_CFLAGS="$CFLAGS"
LIBS="conftestm.$ac_objext"
CFLAGS="$CFLAGS$no_builtin_flag"
if AC_TRY_EVAL(ac_link) && test -s conftest; then
ac_pipe_works=yes
else
echo "configure: failed program was:" >&AC_FD_CC
cat conftest.c >&AC_FD_CC
AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no)
min_libgcrypt_version=ifelse([$1], ,0.4.4,$1)
AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version)
ok=no
if test "$LIBGCRYPT_CONFIG" != "no" ; then
req_major=`echo $min_libgcrypt_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
req_minor=`echo $min_libgcrypt_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
req_micro=`echo $min_libgcrypt_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
libgcrypt_config_version=`$LIBGCRYPT_CONFIG $libgcrypt_config_args --version`
major=`echo $libgcrypt_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
minor=`echo $libgcrypt_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
micro=`echo $libgcrypt_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
if test "$major" -gt "$req_major"; then
ok=yes
else
if test "$major" -eq "$req_major"; then
if test "$minor" -gt "$req_minor"; then
ok=yes
else
if test "$minor" -eq "$req_minor"; then
if test "$micro" -ge "$req_micro"; then
ok=yes
fi
fi
fi
fi
LIBS="$ac_save_LIBS"
CFLAGS="$ac_save_CFLAGS"
else
echo "cannot find nm_test_func in $ac_nlist" >&AC_FD_CC
fi
else
echo "cannot find nm_test_var in $ac_nlist" >&AC_FD_CC
fi
else
echo "cannot run $ac_cv_sys_global_symbol_pipe" >&AC_FD_CC
fi
else
echo "$progname: failed program was:" >&AC_FD_CC
cat conftest.c >&AC_FD_CC
fi
rm -rf conftest*
# Do not use the global_symbol_pipe unless it works.
test "$ac_pipe_works" = yes || ac_cv_sys_global_symbol_pipe=
if test $ok = yes; then
LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG $libgcrypt_config_args --cflags`
LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG $libgcrypt_config_args --libs`
AC_MSG_RESULT(yes)
ifelse([$2], , :, [$2])
else
LIBGCRYPT_CFLAGS=""
LIBGCRYPT_LIBS=""
AC_MSG_RESULT(no)
ifelse([$3], , :, [$3])
fi
AC_SUBST(LIBGCRYPT_CFLAGS)
AC_SUBST(LIBGCRYPT_LIBS)
])
ac_result=yes
if test -z "$ac_cv_sys_global_symbol_pipe"; then
ac_result=no
fi
AC_MSG_RESULT($ac_result)
])
# GNUPG_SYS_LIBTOOL_CYGWIN32 - find tools needed on cygwin32
AC_DEFUN(GNUPG_SYS_LIBTOOL_CYGWIN32,
[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(AS, as, false)
])
dnl [Copied from libksba]
dnl AM_PATH_KSBA([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
dnl Test for libksba and define KSBA_CFLAGS and KSBA_LIBS
dnl
AC_DEFUN(AM_PATH_KSBA,
[ AC_ARG_WITH(ksba-prefix,
AC_HELP_STRING([--with-ksba-prefix=PFX],
[prefix where KSBA is installed (optional)]),
ksba_config_prefix="$withval", ksba_config_prefix="")
if test x$ksba_config_prefix != x ; then
ksba_config_args="$ksba_config_args --prefix=$ksba_config_prefix"
if test x${KSBA_CONFIG+set} != xset ; then
KSBA_CONFIG=$ksba_config_prefix/bin/ksba-config
fi
fi
# GNUPG_SYS_SYMBOL_UNDERSCORE - does the compiler prefix global symbols
# with an underscore?
AC_DEFUN(GNUPG_SYS_SYMBOL_UNDERSCORE,
[tmp_do_check="no"
case "${target}" in
i386-emx-os2 | i[3456]86-pc-os2*emx | i386-pc-msdosdjgpp | *-*-cygwin)
ac_cv_sys_symbol_underscore=yes
;;
*)
if test "$cross_compiling" = yes; then
ac_cv_sys_symbol_underscore=yes
else
tmp_do_check="yes"
fi
;;
esac
if test "$tmp_do_check" = "yes"; then
AC_REQUIRE([GNUPG_PROG_NM])dnl
AC_REQUIRE([GNUPG_SYS_NM_PARSE])dnl
AC_MSG_CHECKING([for _ prefix in compiled symbols])
AC_CACHE_VAL(ac_cv_sys_symbol_underscore,
[ac_cv_sys_symbol_underscore=no
cat > conftest.$ac_ext <<EOF
void nm_test_func(){}
int main(){nm_test_func;return 0;}
EOF
if AC_TRY_EVAL(ac_compile); then
# Now try to grab the symbols.
ac_nlist=conftest.nm
if AC_TRY_EVAL(NM conftest.$ac_objext \| $ac_cv_sys_global_symbol_pipe \> $ac_nlist) && test -s "$ac_nlist"; then
# See whether the symbols have a leading underscore.
if egrep '^_nm_test_func' "$ac_nlist" >/dev/null; then
ac_cv_sys_symbol_underscore=yes
else
if egrep '^nm_test_func ' "$ac_nlist" >/dev/null; then
:
else
echo "configure: cannot find nm_test_func in $ac_nlist" >&AC_FD_CC
fi
AC_PATH_PROG(KSBA_CONFIG, ksba-config, no)
min_ksba_version=ifelse([$1], ,0.4.4,$1)
AC_MSG_CHECKING(for KSBA - version >= $min_ksba_version)
ok=no
if test "$KSBA_CONFIG" != "no" ; then
req_major=`echo $min_ksba_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
req_minor=`echo $min_ksba_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
req_micro=`echo $min_ksba_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
ksba_config_version=`$KSBA_CONFIG $ksba_config_args --version`
major=`echo $ksba_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
minor=`echo $ksba_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
micro=`echo $ksba_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
if test "$major" -gt "$req_major"; then
ok=yes
else
if test "$major" -eq "$req_major"; then
if test "$minor" -gt "$req_minor"; then
ok=yes
else
if test "$minor" -eq "$req_minor"; then
if test "$micro" -ge "$req_micro"; then
ok=yes
fi
fi
fi
fi
fi
else
echo "configure: cannot run $ac_cv_sys_global_symbol_pipe" >&AC_FD_CC
fi
else
echo "configure: failed program was:" >&AC_FD_CC
cat conftest.c >&AC_FD_CC
fi
rm -rf conftest*
])
else
AC_MSG_CHECKING([for _ prefix in compiled symbols])
fi
AC_MSG_RESULT($ac_cv_sys_symbol_underscore)
if test x$ac_cv_sys_symbol_underscore = xyes; then
AC_DEFINE(WITH_SYMBOL_UNDERSCORE,1,
[Defined if compiled symbols have a leading underscore])
fi
if test $ok = yes; then
KSBA_CFLAGS=`$KSBA_CONFIG $ksba_config_args --cflags`
KSBA_LIBS=`$KSBA_CONFIG $ksba_config_args --libs`
AC_MSG_RESULT(yes)
ifelse([$2], , :, [$2])
else
KSBA_CFLAGS=""
KSBA_LIBS=""
AC_MSG_RESULT(no)
ifelse([$3], , :, [$3])
fi
AC_SUBST(KSBA_CFLAGS)
AC_SUBST(KSBA_LIBS)
])
dnl Stolen from gcc
dnl Define MKDIR_TAKES_ONE_ARG if mkdir accepts only one argument instead
dnl of the usual 2.
AC_DEFUN(GNUPG_FUNC_MKDIR_TAKES_ONE_ARG,
[AC_CHECK_HEADERS(sys/stat.h unistd.h direct.h)
AC_CACHE_CHECK([if mkdir takes one argument], gnupg_cv_mkdir_takes_one_arg,
[AC_TRY_COMPILE([
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
#ifdef HAVE_DIRECT_H
# include <direct.h>
#endif], [mkdir ("foo", 0);],
gnupg_cv_mkdir_takes_one_arg=no, gnupg_cv_mkdir_takes_one_arg=yes)])
if test $gnupg_cv_mkdir_takes_one_arg = yes ; then
AC_DEFINE(MKDIR_TAKES_ONE_ARG,1,
[Defined if mkdir() does not take permission flags])
fi
dnl AM_PATH_OPENSC([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
dnl Test for OpenSC and define OPENSC_CFLAGS and OPENSC_LIBS
dnl
AC_DEFUN(AM_PATH_OPENSC,
[ AC_ARG_WITH(opensc-prefix,
AC_HELP_STRING([--with-opensc-prefix=PFX],
[prefix where OpenSC is installed (optional)]),
opensc_config_prefix="$withval", opensc_config_prefix="")
if test x$opensc_config_prefix != x ; then
opensc_config_args="$opensc_config_args --prefix=$opensc_config_prefix"
if test x${OPENSC_CONFIG+set} != xset ; then
OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
fi
fi
AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
min_opensc_version=ifelse([$1], ,0.7.0,$1)
AC_MSG_CHECKING(for OpenSC - version >= $min_opensc_version)
ok=no
if test "$OPENSC_CONFIG" != "no" ; then
req_major=`echo $min_opensc_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
req_minor=`echo $min_opensc_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
req_micro=`echo $min_opensc_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
opensc_config_version=`$OPENSC_CONFIG $opensc_config_args --version`
major=`echo $opensc_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
minor=`echo $opensc_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
micro=`echo $opensc_config_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
if test "$major" -gt "$req_major"; then
ok=yes
else
if test "$major" -eq "$req_major"; then
if test "$minor" -gt "$req_minor"; then
ok=yes
else
if test "$minor" -eq "$req_minor"; then
if test "$micro" -ge "$req_micro"; then
ok=yes
fi
fi
fi
fi
fi
fi
if test $ok = yes; then
OPENSC_CFLAGS=`$OPENSC_CONFIG $opensc_config_args --cflags`
OPENSC_LIBS=`$OPENSC_CONFIG $opensc_config_args --libs`
OPENSC_LIBS="$OPENSC_LIBS -lpcsclite -lpthread"
AC_MSG_RESULT(yes)
ifelse([$2], , :, [$2])
else
OPENSC_CFLAGS=""
OPENSC_LIBS=""
AC_MSG_RESULT(no)
ifelse([$3], , :, [$3])
fi
AC_SUBST(OPENSC_CFLAGS)
AC_SUBST(OPENSC_LIBS)
])

162
autogen.sh
View File

@ -1,5 +1,163 @@
#!/bin/sh
# Run this to generate all the initial makefiles, etc.
# It is only needed for the CVS version.
autogen_sh="`dirname $0`/scripts/autogen.sh"
exec $autogen_sh $*
# have_version(prog, list of executables, required version)
#
# Returns true and sets $prog to the first executable with the
# required minimum major.minor.
have_version ()
{
found=0
for prog in $2 :
do
ver=$($prog --version \
| gawk '{ if (match($0, /[0-9]+\.[0-9]+/))
{
print substr($0, RSTART, RLENGTH); ok=1; exit 0;
}
}
END {
if (! ok)
exit 1;
}')
if test $? = 0
then
if expr 0$ver '>=' 0$3 >/dev/null 2>&1
then
echo Using $prog
found=1
export $1="$prog"
break
fi
fi
done
if test 0$found = 01
then
true
else
echo "*** Error. Could not find an appropriate executable for $1 with "
echo "at least version $3."
false
fi
}
PGM=NEWPG
lib_config_files=""
autoconf_vers=2.52
automake_vers=1.5
aclocal_vers=1.5
#libtool_vers=1.3
DIE=no
if test "$1" = "--build-w32"; then
shift
target=i386--mingw32
if [ ! -f ./config.guess ]; then
echo "./config.guess not found" >&2
exit 1
fi
host=`./config.guess`
if ! mingw32 --version >/dev/null; then
echo "We need at least version 0.3 of MingW32/CPD" >&2
exit 1
fi
if [ -f config.h ]; then
if grep HAVE_DOSISH_SYSTEM config.h | grep undef >/dev/null; then
echo "Pease run a 'make distclean' first" >&2
exit 1
fi
fi
crossinstalldir=`mingw32 --install-dir`
crossbindir=`mingw32 --get-bindir 2>/dev/null` \
|| crossbindir="$crossinstalldir/bin"
crossdatadir=`mingw32 --get-datadir 2>/dev/null` \
|| crossdatadir="$crossinstalldir/share"
crosslibdir=`mingw32 --get-libdir 2>/dev/null` \
|| crosslibdir="$crossinstalldir/i386--mingw32/lib"
crossincdir=`mingw32 --get-includedir 2>/dev/null` \
|| crossincdir="$crossinstalldir/i386--mingw32/include"
CC=`mingw32 --get-path gcc`
CPP=`mingw32 --get-path cpp`
AR=`mingw32 --get-path ar`
RANLIB=`mingw32 --get-path ranlib`
export CC CPP AR RANLIB
disable_foo_tests=""
if [ -n "$lib_config_files" ]; then
for i in $lib_config_files; do
j=`echo $i | tr '[a-z-]' '[A-Z_]'`
eval "$j=${crossbindir}/$i"
export $j
disable_foo_tests="$disable_foo_tests --disable-`echo $i| \
sed 's,-config$,,'`-test"
if [ ! -f "${crossbindir}/$i" ]; then
echo "$i not installed for MingW32" >&2
DIE=yes
fi
done
fi
[ $DIE = yes ] && exit 1
./configure --host=${host} --target=${target} ${disable_foo_tests} \
--bindir=${crossbindir} --libdir=${crosslibdir} \
--datadir=${crossdatadir} --includedir=${crossincdir} \
--enable-maintainer-mode $*
exit $?
fi
if ! have_version autoconf "$autoconf autoconf" $autoconf_vers
then
DIE="yes"
fi
if have_version automake "$automake automake automake-1.6" $automake_vers
then
if ! have_version aclocal "$aclocal aclocal aclocal-1.6" $aclocal_vers
then
DIE='yes'
fi
else
DIE='yes'
fi
#if (libtool --version) < /dev/null > /dev/null 2>&1 ; then
# if (libtool --version | awk 'NR==1 { if( $4 >= '$libtool_vers') \
# exit 1; exit 0; }');
# then
# echo "**Error**: "\`libtool\'" is too old."
# echo ' (version ' $libtool_vers ' or newer is required)'
# DIE="yes"
# fi
#else
# echo
# echo "**Error**: You must have "\`libtool\'" installed to compile $PGM."
# echo ' (version ' $libtool_vers ' or newer is required)'
# DIE="yes"
#fi
if test "$DIE" = "yes"; then
exit 1
fi
#echo "Running libtoolize... Ignore non-fatal messages."
#echo "no" | libtoolize
echo "Running gettextize... Ignore non-fatal messages."
echo "no" | gettextize
echo "Running $aclocal"
$aclocal
echo "Running autoheader..."
autoheader
echo "Running $automake --gnu -a"
$automake --gnu -a
echo "Running $autoconf"
$autoconf

1100
configure.ac
View File

File diff suppressed because it is too large Load Diff