diff --git a/artwork/gpglogo.fig b/artwork/gpglogo.fig new file mode 100644 index 000000000..bed127833 --- /dev/null +++ b/artwork/gpglogo.fig @@ -0,0 +1,36 @@ +#FIG 3.2 +Landscape +Center +Metric +A4 +100.00 +Single +-2 +1200 2 +0 32 #414541 +0 33 #8e8e8e +0 34 #414541 +0 35 #8e8e8e +0 36 #8e8e8e +6 91 46 7785 7740 +1 3 0 2 0 7 100 0 -1 0.000 1 0.0000 3938 3893 3832 3832 3938 3893 7763 4118 +1 3 0 2 0 7 100 0 -1 0.000 1 0.0000 3938 3893 2959 2959 3938 3893 6863 4343 +2 5 0 1 0 -1 100 0 -1 0.000 0 0 -1 0 0 5 + 0 tmp/gnu1.jpg + 1628 2303 6248 2303 6248 5633 1628 5633 1628 2303 +4 0 0 100 0 30 40 0.0000 4 450 480 3713 743 N\001 +4 0 0 100 0 30 40 0.2618 4 450 465 2918 908 G\001 +4 0 0 100 0 30 40 6.0214 4 450 450 4527 791 U\001 +4 0 0 100 0 30 40 6.0214 4 330 330 3046 7398 c\001 +4 0 0 100 0 30 40 0.8727 4 330 285 6684 6299 r\001 +4 0 0 100 0 30 40 0.0000 4 465 390 3668 7493 y\001 +4 0 0 100 0 30 40 5.9341 4 330 345 2488 7193 a\001 +4 0 0 100 0 30 40 5.7596 4 330 390 1944 6889 v\001 +4 0 0 100 0 30 40 5.4978 4 465 195 1562 6609 i\001 +4 0 0 100 0 30 40 5.4105 4 330 285 1198 6206 r\001 +4 0 0 100 0 30 40 5.3233 4 450 375 826 5724 P\001 +4 0 0 100 0 30 40 0.5236 4 330 390 5681 7140 u\001 +4 0 0 100 0 30 40 0.6981 4 330 345 6247 6739 a\001 +4 0 0 100 0 30 40 1.0472 4 465 390 7039 5909 d\001 +4 0 0 100 0 30 40 0.3491 4 450 465 5031 7399 G\001 +-6 diff --git a/doc/Notes b/doc/Notes new file mode 100644 index 000000000..4a990776e --- /dev/null +++ b/doc/Notes @@ -0,0 +1,242 @@ +> * How to mark a CA certificate as trusted. + +There are two ways: + + 1. Let gpg-agent do this for you. Since version 1.9.9 you need to + add the option --allow-mark-trusted gpg-agent.conf or when + invoking gpg-agent. Everytime gpgsm notices an untrusted root + certificate gpg-agent will pop up a dialog to ask whether this + certificate should be trusted. This is similar to whatmost + browsers do. + + The disadvantage of this method and the reason why + --allow-mark-trusted is required is that the list of trusted root + certificates will grow, because almost all user will just hit + "yes, I trust" and "yes, I verified the fingerprint" without + understanding that this is a very serious decision. + + 2. Use your editor. Edit the file ~/.gnupg/trustlist.txt and add + the fingerprints of the trusted root certificates. There are + comments on the top explaining the simple format. The current + CVS version allows for colons in the fingerprint, so you can + easily cut and paste it from whereever you know that this is the + correct fingerprint. + +An example for an entry in the trustlist.txt is: + + # CN=PCA-1-Verwaltung,O=PKI-1-Verwaltung,C=de + 3EEE3D8BB7F0FE5C9F5804A3A7E51BCE98209DF9 S + +This is in fact one that probably made its way into the file using the +first method. As usual a # indicates a comment. The trailing S means +that this is to be used for (X.509). + +It is not possible to trust intermediate CA certificates; gpgsm always +checks the entire chain of certificates. + +> * How to import a key and bind it to some certificate already +> imported. Alternatively, import key and certificate together, from +> a pkcs12 blob, or pkcs8 + certificate blobs, or whatever. +> Alternatively, don't import the key at all, but specify location of +> key using a parameter when signing. + +You always need to import the key; there is something similar to a +keyring (here called a keybox: ~/.gnupg/pubring.kbx). + +Importing a key either from a binary or ascii armored (PEM) certificate +file or from a cert-only signature file is done using + + gpg --import FILE + +or + + gpg --import < FILE + +In general you should first import the root certificates and then down +to the end user certificate. You may put all into one file and gpgsm +will do the right thing in this case independend of the order. + +While verifying a signature, all included certificates are +automagically imported. + +To import from a pkcs#12 file you may use the same command; if a +private key is contained in that file, you will be asked for the +transport passphrases as well as for the new passphrase used to +protect it in gpg-agent's private key storage +(~/.gnupg/private-keys-v1.d/). Note that the pkcs#12 support is very +basic but sufficient for certificates exported from Mozilla, OpenSSL +and MS Outlook. + +Background info on private keys: + +If you want to look at the private key you first need to know the name +of the keyfile. Run the command "gpgsm -K --with-key-data [KEYID]" and +you get an output like: + + crs::1024:1:CF8[..]6D:20040105T184908:2006[...]:09::CN=ZS[....]::esES: + fpr:::::::::3B50BF2BDAF2[...]1AE6796D:::2812[...]508F21F065E65E44: + grp:::::::::C92DB9CFD588ADE846BE3AC4E7A2E1B11A4A2ADB: + uid:::::::::CN=Werner Koch,OU=test,O=g10 Code,C=de:: + uid::::::::::: + +This should be familar to advanced gpg-users; see doc/DETAILS in gpg +1.3 (CVS HEAD) for a description of the records. The value in the +"grp" tagged record is the so called keygrip and you should find a +file ~/.gnupg/private-keys-v1.d/C92DB9CFD588ADE846BE3AC4E7A2E1B11A4A2ADB.key +with the private and public key in an S-expression like format. The +gpg-protect-tool may be used to display it in a human readable format: + + $ gpgsm --call-protect-tool ~/.gnupg/private-keys-v1.d/C9[...]B.key + (protected-private-key + (rsa + (n #00C16B6E807C47BB[...]10487#) + (e #010001#) + (protected openpgp-s2k3-sha1-aes-cbc + ( + (sha1 "Hvü9Qt^Ç" "96") + #2B17DC766AEA2568EE0C688E18F9757E#) + #65A4FF9F30750A1300[...]7#) + ) + ) + +The current CVS version of gpgsm has a command --dump-keys which lists +more details of a key including the keygrip so you don't need to use +the colon format if you want to manually debug things. + + $ gpgsm --dump-keys + Serial number: 01 + Issuer: CN=Trust Anchor,O=Test Certificates,C=US + Subject: CN=Trust Anchor,O=Test Certificates,C=US + sha1_fpr: 66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF + md5_fpr: 03:01:3B:BB:EC:6C:5D:48:88:4C:95:63:99:84:ED:C0 + keygrip: 6A082B3063F6DA6D68B2994AB11B4328FD6206D2 + notBefore: 2001-04-19 14:57:20 + notAfter: 2011-04-19 14:57:20 + hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption) + keyType: 1024 bit RSA + authKeyId: [none] + keyUsage: certSign crlSign + extKeyUsage: [none] + policies: [none] + chainLength: unlimited + crlDP: [none] + authInfo: [none] + subjInfo: [none] + extn: 2.5.29.14 (subjectKeyIdentifier) [22 octets] + +> * How to import a CRL + +CRLs are managed by the dirmngr which is a separate package. The idea +is to eventaully turn it into a system daemon, so that on a multi-user +machine CRLs are handled more efficiently. As of now the dirmngr +needs service from gpgsm thus it is best to call it through gpgsm: + + gpgsm --call-dirmngr LOAD /absolute/filename/to/a/CRL/file + +See the dirmngr README and manual for further details. + +If you don't want to check CRLs, use the option --diable-crl-checks +with gpgsm. + +> I'm trying to replace the S/MIME support in OpenSSL with gpgsm for the +> MUA Gnus. + +Great; I'd love it. + +> Perhaps I shouldn't be using gpgsm directly? gpgme didn't seem to +> have a command line front end. + +For Gnus it makes sense to use gpgsm directly. Enhancing pgg to +support gpgsm should not be that hard. Things you need to take care +off are: Warn if GPG_AGENT_INFO has not been set, because this will +call gpg-agent for each operation and obviously does not cache the +passphrase them. If GPG_AGENT_INFO has been set, also disable the +passphrase code for gpg and pass --use-agent to gpg - this way gpg +benefits from the passphrase caching and the pinentry. + +You may want to look at gpgconf (tools/README.gpgconf) to provide a +customization interface for gpgsm, gpg-agent and dirmngr. + + +Module Overview +================ + +gpgsm + libgpg-error + libgcrypt + libksba + libassuan [statically linked] + [Standard system libraries] + +gpg-agent + libgpg-error + libgcrypt + libassuan [statically linked] + libpth [system library] + [Standard system libraries] + +scdaemon + libgpg-error + libgcrypt + libksba + libassuan [statically linked] + libusb [system library, optional] + libopensc [system library, optional] + [For reader access libpcsclite or a CT-API library may be + linked at runtime (controllable by scdaemon.conf)] + [Standard system libraries] + +gpg-protect-tool + libgpg-error + libgcrypt + [Standard system libraries] + +dirmngr + libgpg-error + libgcrypt + libksba + libassuan [statically linked] + libldap [system libary] + liblber [system libary] + libsasl [system libary, required by libldap] + libdb2 [system libary, required by libsasl] + libcrypt [system libary, required by libsasl - OOPS] + libpam [system libary, required by libsasl] + [Standard system libraries] + +pinentry-curses + libncurses + [Standard system libraries] + [Independent Assuan code is source included] + +pinentry-gtk + libncurses + [GTK+ and X libraries] + [Standard system libraries] + [Independent Assuan code is source included] + +pinentry-qt + libncurses + [QT and X libraries] + [Standard system libraries] + [Independent Assuan code is source included] + +gpgme + [Standard system libraries] + [gpgsm is required at runtime] + [Independent Assuan code is source included] + +libgpg-error + [none] + +libgcrypt + libgpg-error + +libksba + libgpg-error + +libassuan + [none] + + +