diff --git a/doc/Makefile.am b/doc/Makefile.am index 240bcf38b..6d66679f3 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -57,9 +57,9 @@ gnupg_TEXINFOS = \ DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips -AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css -D gpgtwoone +AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css -YAT2M_OPTIONS = -I $(srcdir) -D gpgtwoone \ +YAT2M_OPTIONS = -I $(srcdir) \ --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.1" myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \ diff --git a/doc/debugging.texi b/doc/debugging.texi index f26d1aac9..35cb699f0 100644 --- a/doc/debugging.texi +++ b/doc/debugging.texi @@ -103,7 +103,6 @@ used. Using the keyserver debug option as in is thus often helpful. Note that the actual output depends on the backend and may change from release to release. -@ifset gpgtwoone @item Logging on WindowsCE For development, the best logging method on WindowsCE is the use of @@ -113,7 +112,6 @@ on the given port. (@pxref{option watchgnupg --tcp}). For in the field tests it is better to make use of the logging facility provided by the @command{gpgcedev} driver (part of libassuan); this is enabled by using a log file name of @file{GPG2:}. (@pxref{option --log-file}). -@end ifset @end itemize diff --git a/doc/gnupg.texi b/doc/gnupg.texi index b0952309d..2517a50ec 100644 --- a/doc/gnupg.texi +++ b/doc/gnupg.texi @@ -52,10 +52,8 @@ section entitled ``Copying''. * gpg2: (gnupg). OpenPGP encryption and signing tool. * gpgsm: (gnupg). S/MIME encryption and signing tool. * gpg-agent: (gnupg). The secret key daemon. -@ifset gpgtwoone * dirmngr: (gnupg). X.509 CRL and OCSP server. * dirmngr-client: (gnupg). X.509 CRL and OCSP client. -@end ifset @end direntry 
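Review bot: Any `@ifset gpgtwoone` block still left in a doc source will silently drop out of the built manual and man pages once `-D gpgtwoone` is gone from `AM_MAKEINFOFLAGS` and `YAT2M_OPTIONS`, and any leftover `@ifclear gpgtwoone` block will silently reappear; neither case produces a build error. The commit strips the conditionals from the .texi files shown here, but the page is cut off at doc/tools.texi, so it cannot be confirmed from this view that every file listed in `gnupg_TEXINFOS` and `myman_sources` was cleaned. A leftover would matter most for security-relevant text, for example bringing back the obsolete 2.0 `GPG_AGENT_INFO` / `--write-env-file` startup guidance or hiding the description of `--no-allow-external-cache`. Before merging I would run `grep -rn 'gpgtwoone' doc/` and expect no hits, or add a small check to the doc build that fails while the flag name is still referenced.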
@@ -127,9 +125,7 @@ the administration and the architecture. * Installation:: A short installation guide. * Invoking GPG-AGENT:: How to launch the secret key daemon. -@ifset gpgtwoone * Invoking DIRMNGR:: How to launch the CRL and OCSP daemon. -@end ifset * Invoking GPG:: Using the OpenPGP protocol. * Invoking GPGSM:: Using the S/MIME protocol. * Invoking SCDAEMON:: How to handle Smartcards. @@ -161,9 +157,7 @@ the administration and the architecture. @include instguide.texi @include gpg-agent.texi -@ifset gpgtwoone @include dirmngr.texi -@end ifset @include gpg.texi @include gpgsm.texi @include scdaemon.texi diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index eb02c9c75..307839275 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -2,10 +2,6 @@ @c This is part of the GnuPG manual. @c For copying conditions, see the file gnupg.texi. -@c Note that we use this texinfo file for all versions of GnuPG: -@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only -@c valid for GnuPG 2.1 and later. - @node Invoking GPG-AGENT @chapter Invoking GPG-AGENT @@ -52,7 +48,6 @@ independently from any protocol. It is used as a backend for @command{gpg} and @command{gpgsm} as well as for a couple of other utilities. -@ifset gpgtwoone The agent is automatically started on demand by @command{gpg}, @command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}. Thus there is no reason to start it manually. In case you want to use 
@@ -61,51 +56,6 @@ the included Secure Shell Agent you may start the agent using: @example gpg-connect-agent /bye @end example -@end ifset - -@ifclear gpgtwoone -@noindent -The usual way to run the agent is from the @code{~/.xsession} file: - -@example -eval $(gpg-agent --daemon) -@end example -@noindent -If you don't use an X server, you can also put this into your regular -startup file @code{~/.profile} or @code{.bash_profile}. It is best not -to run multiple instance of the @command{gpg-agent}, so you should make -sure that only one is running: @command{gpg-agent} uses an environment -variable to inform clients about the communication parameters. You can -write the content of this environment variable to a file so that you can -test for a running agent. Here is an example using Bourne shell syntax: - -@smallexample -gpg-agent --daemon --enable-ssh-support \ - --write-env-file "$@{HOME@}/.gpg-agent-info" -@end smallexample - -This code should only be run once per user session to initially fire up -the agent. In the example the optional support for the included Secure -Shell agent is enabled and the information about the agent is written to -a file in the HOME directory. Note that by running gpg-agent without -arguments you may test whether an agent is already running; however such -a test may lead to a race condition, thus it is not suggested. - -@noindent -The second script needs to be run for each interactive session: - -@smallexample -if [ -f "$@{HOME@}/.gpg-agent-info" ]; then - . "$@{HOME@}/.gpg-agent-info" - export GPG_AGENT_INFO - export SSH_AUTH_SOCK -fi -@end smallexample - -@noindent -It reads the data out of the file and exports the variables. If you -don't use Secure Shell, you don't need the last two export statements. -@end ifclear @noindent You should always add the following lines to your @code{.bashrc} or 
@@ -175,17 +125,11 @@ default mode is to create a socket and listen for commands there. @opindex daemon Start the gpg-agent as a daemon; that is, detach it from the console and run it in the background. -@ifclear gpgtwoone -Because @command{gpg-agent} prints out -important information required for further use, a common way of -invoking gpg-agent is: @code{eval $(gpg-agent --daemon)} to setup the -environment variables. The option @option{--write-env-file} is -another way commonly used to do this. -@end ifclear -Yet another way is creating -a new process as a child of gpg-agent: @code{gpg-agent --daemon -/bin/sh}. This way you get a new shell with the environment setup -properly; if you exit from this shell, gpg-agent terminates as well. + +As an alternative you may create a new process as a child of +gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new +shell with the environment setup properly; after you exit from this +shell, gpg-agent terminates within a few seconds. @end table @mansect options @@ -323,23 +267,6 @@ shell or the C-shell respectively. The default is to guess it based on the environment variable @code{SHELL} which is correct in almost all cases. -@ifclear gpgtwoone -@item --write-env-file @var{file} -@opindex write-env-file -Often it is required to connect to the agent from a process not being an -inferior of @command{gpg-agent} and thus the environment variable with -the socket name is not available. To help setting up those variables in -other sessions, this option may be used to write the information into -@var{file}. If @var{file} is not specified the default name -@file{$@{HOME@}/.gpg-agent-info} will be used. The format is suitable -to be evaluated by a Bourne shell like in this simple example: - -@example -eval $(cat @var{file}) -eval $(cut -d= -f 1 < @var{file} | xargs echo export) -@end example -@end ifclear - @item --no-grab @opindex no-grab 
@@ -369,15 +296,12 @@ accept Root-CA keys. This option allows the use of @command{gpg-preset-passphrase} to seed the internal cache of @command{gpg-agent} with passphrases. -@ifset gpgtwoone @anchor{option --allow-loopback-pinentry} @item --allow-loopback-pinentry @opindex allow-loopback-pinentry Allow clients to use the loopback pinentry features; see the option @option{pinentry-mode} for details. -@end ifset -@ifset gpgtwoone @item --no-allow-external-cache @opindex no-allow-external-cache Tell Pinentry not to enable features which use an external cache for @@ -388,7 +312,6 @@ credentials with one master password and may have installed a Pinentry which employs an additional external cache to implement such a policy. By using this option the Pinentry is advised not to make use of such a cache and instead always ask the user for the requested passphrase. -@end ifset @item --ignore-cache-for-signing @opindex ignore-cache-for-signing @@ -492,7 +415,6 @@ Do not make use of the scdaemon tool. This option has the effect of disabling the ability to do smartcard operations. Note, that enabling this option at runtime does not kill an already forked scdaemon. -@ifset gpgtwoone @item --disable-check-own-socket @opindex disable-check-own-socket @command{gpg-agent} employs a periodic self-test to detect a stolen @@ -500,7 +422,6 @@ socket. This usually means a second instance of @command{gpg-agent} has taken over the socket and @command{gpg-agent} will then terminate itself. This option may be used to disable this self-test for debugging purposes. -@end ifset @item --use-standard-socket @itemx --no-use-standard-socket 
@@ -508,30 +429,9 @@ debugging purposes. @opindex use-standard-socket @opindex no-use-standard-socket @opindex use-standard-socket-p -@ifset gpgtwoone Since GnuPG 2.1 the standard socket is always used. These options have no more effect. The command @code{gpg-agent --use-standard-socket-p} will thus always return success. -@end ifset -@ifclear gpgtwoone -By enabling this option @command{gpg-agent} will listen on the socket -named @file{S.gpg-agent}, located in the home directory, and not create -a random socket below a temporary directory. Tools connecting to -@command{gpg-agent} should first try to connect to the socket given in -environment variable @var{GPG_AGENT_INFO} and then fall back to this -socket. This option may not be used if the home directory is mounted on -a remote file system which does not support special files like fifos or -sockets. - -Note, that @option{--use-standard-socket} is the default on -Windows systems. - -The default may be changed at build time. It is -possible to test at runtime whether the agent has been configured for -use with the standard socket by issuing the command @command{gpg-agent ---use-standard-socket-p} which returns success if the standard socket -option has been enabled. -@end ifclear @item --display @var{string} @itemx --ttyname @var{string} @@ -810,7 +710,6 @@ This signal is used for internal purposes. @node Agent Examples @section Examples -@ifset gpgtwoone It is important to set the GPG_TTY environment variable in your login shell, for example in the @file{~/.bashrc} init script: 
@@ -831,45 +730,7 @@ if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then fi @end example @end cartouche -@end ifset -@ifclear gpgtwoone -The usual way to invoke @command{gpg-agent} is - -@example -$ eval $(gpg-agent --daemon) -@end example - -An alternative way is by replacing @command{ssh-agent} with -@command{gpg-agent}. If for example @command{ssh-agent} is started as -part of the Xsession initialization, you may simply replace -@command{ssh-agent} by a script like: - -@cartouche -@example -#!/bin/sh - -exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \ - --write-env-file $@{HOME@}/.gpg-agent-info "$@@" -@end example -@end cartouche - -@noindent -and add something like (for Bourne shells) - -@cartouche -@example - if [ -f "$@{HOME@}/.gpg-agent-info" ]; then - . "$@{HOME@}/.gpg-agent-info" - export GPG_AGENT_INFO - export SSH_AUTH_SOCK - fi -@end example -@end cartouche - -@noindent -to your shell initialization file (e.g. @file{~/.bashrc}). -@end ifclear @c @c Assuan Protocol 
@@ -881,21 +742,8 @@ to your shell initialization file (e.g. @file{~/.bashrc}). Note: this section does only document the protocol, which is used by GnuPG components; it does not deal with the ssh-agent protocol. -@ifset gpgtwoone The @command{gpg-agent} daemon is started on demand by the GnuPG components. -@end ifset -@ifclear gpgtwoone -The @command{gpg-agent} should be started by the login shell and set an -environment variable to tell clients about the socket to be used. -Clients should deny to access an agent with a socket name which does -not match its own configuration. An application may choose to start -an instance of the gpg-agent if it does not figure that any has been -started; it should not do this if a gpg-agent is running but not -usable. Because @command{gpg-agent} can only be used in background mode, no -special command line option is required to activate the use of the -protocol. -@end ifclear To identify a key we use a thing called keygrip which is the SHA-1 hash of an canonical encoded S-Expression of the public key as used in @@ -905,13 +753,11 @@ certificate is that it will be possible to use the same keypair for different protocols, thereby saving space on the token used to keep the secret keys. -@ifset gpgtwoone The @command{gpg-agent} may send status messages during a command or when returning from a command to inform a client about the progress or result of an operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent during a server inquire to inform the client of the maximum usable length of the inquired data (which should not be exceeded). -@end ifset @menu * Agent PKDECRYPT:: Decrypting a session key 
@@ -922,9 +768,7 @@ the inquired data (which should not be exceeded). * Agent ISTRUSTED:: Importing a Root Certificate * Agent GET_PASSPHRASE:: Ask for a passphrase * Agent CLEAR_PASSPHRASE:: Expire a cached passphrase -@ifset gpgtwoone * Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip -@end ifset * Agent GET_CONFIRMATION:: Ask for confirmation * Agent HAVEKEY:: Check whether a key is available * Agent LEARN:: Register a smartcard @@ -1104,12 +948,7 @@ option allows to choose the storage location. To get the secret key out of the PSE, a special export tool has to be used. @example -@ifset gpgtwoone GENKEY [--no-protection] [--preset] [] -@end ifset -@ifclear gpgtwoone - GENKEY -@end ifclear @end example Invokes the key generation process and the server will then inquire @@ -1155,7 +994,6 @@ Here is an example session: @end smallexample @end cartouche -@ifset gpgtwoone The @option{--no-protection} option may be used to prevent prompting for a passphrase to protect the secret key while leaving the secret key unprotected. The @option{--preset} option may be used to add the passphrase to the cache @@ -1167,7 +1005,6 @@ keyword @code{NEWPASSWD} to retrieve that passphrase. This option takes precedence over @option{--no-protection}; however if the client sends a empty (zero-length) passphrase, this is identical to @option{--no-protection}. -@end ifset @node Agent IMPORT @subsection Importing a Secret Key @@ -1334,22 +1171,13 @@ function returns with OK even when there is no cached passphrase. Use this command to remove a cached passphrase. @example -@ifset gpgtwoone CLEAR_PASSPHRASE [--mode=normal] -@end ifset -@ifclear gpgtwoone - CLEAR_PASSPHRASE -@end ifclear @end example -@ifset gpgtwoone The @option{--mode=normal} option can be used to clear a @var{cache_id} that was set by gpg-agent. -@end ifset - -@ifset gpgtwoone @node Agent PRESET_PASSPHRASE @subsection Set a passphrase for a keygrip 
@@ -1368,9 +1196,6 @@ The @var{timeout} parameter keeps the passphrase cached for the specified number of seconds. A value of @code{-1} means infinate while @code{0} means the default (currently only a timeout of -1 is allowed, which means to never expire it). -@end ifset - - @node Agent GET_CONFIRMATION @@ -1425,21 +1250,13 @@ option given the certificates are send back. @subsection Change a Passphrase @example -@ifset gpgtwoone PASSWD [--cache-nonce=] [--passwd-nonce=] [--preset] @var{keygrip} -@end ifset -@ifclear gpgtwoone - PASSWD @var{keygrip} -@end ifclear @end example This command is used to interactively change the passphrase of the key -identified by the hex string @var{keygrip}. - -@ifset gpgtwoone -The @option{--preset} option may be used to add the new passphrase to the -cache using the default cache parameters. -@end ifset +identified by the hex string @var{keygrip}. The @option{--preset} +option may be used to add the new passphrase to the cache using the +default cache parameters. @node Agent UPDATESTARTUPTTY @@ -1540,7 +1357,6 @@ See Assuan command @code{PKSIGN}. This does not need any value. It is used to enable the PINENTRY_LAUNCHED inquiry. -@ifset gpgtwoone @item pinentry-mode This option is used to change the operation mode of the pinentry. The following values are defined: @@ -1564,16 +1380,12 @@ following values are defined: Use the @xref{option --allow-loopback-pinentry}. @end table -@end ifset -@ifset gpgtwoone @item cache-ttl-opt-preset This option sets the cache TTL for new entries created by GENKEY and PASSWD commands when using the @option{--preset} option. It it is not used a default value is used. -@end ifset -@ifset gpgtwoone @item s2k-count Instead of using the standard S2K count (which is computed on the fly), the given S2K count is used for new keys or when changing the 
@@ -1581,7 +1393,6 @@ passphrase of a key. Values below 65536 are considered to be 0. This option is valid for the entire session or until reset to 0. This option is useful if the key is later used on boxes which are either much slower or faster than the actual box. -@end ifset @end table diff --git a/doc/gpg.texi b/doc/gpg.texi index 0d855c9ea..77072bd90 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -3,10 +3,6 @@ @c This is part of the GnuPG manual. @c For copying conditions, see the file gnupg.texi. -@c Note that we use this texinfo file for all GnuPG-2 branches. -@c The macro "gpgtwoone" controls parts which are only -@c valid for GnuPG 2.1 and later. - @node Invoking GPG @chapter Invoking GPG @cindex GPG command options @@ -15,13 +11,7 @@ @c Begin algorithm defaults -@ifclear gpgtwoone -@set DEFSYMENCALGO CAST5 -@end ifclear - -@ifset gpgtwoone @set DEFSYMENCALGO AES128 -@end ifset @c End algorithm defaults @@ -407,15 +397,9 @@ an additional signing subkey on a dedicated machine and then using this command to export the key without the primary key to the main machine. -@ifset gpgtwoone GnuPG may ask you to enter the passphrase for the key. This is required because the internal protection method of the secret key is different from the one specified by the OpenPGP protocol. -@end ifset -@ifclear gpgtwoone -See the option @option{--simple-sk-checksum} if you want to import an -exported secret key into ancient OpenPGP implementations. -@end ifclear @item --import @itemx --fast-import @@ -565,7 +549,6 @@ This section explains the main commands for key management @table @gnupgtabopt -@ifset gpgtwoone @item --quick-gen-key @code{user-id} @opindex quick-gen-key This is a simple command to generate a standard key with one user id. 
@@ -586,20 +569,17 @@ the passphrase options (@option{--passphrase}, supplied passphrase is used for the new key and the agent does not ask for it. To create a key without any protection @code{--passphrase ''} may be used. -@end ifset @item --gen-key @opindex gen-key Generate a new key pair using teh current default parameters. This is the standard command to create a new key. -@ifset gpgtwoone @item --full-gen-key @opindex gen-key Generate a new key pair with dialogs for all options. This is an extended version of @option{--gen-key}. -@end ifset There is also a feature which allows you to create keys in batch mode. See the the manual section ``Unattended key generation'' on how to use this. @@ -925,7 +905,6 @@ Signs a public key with your secret key but marks it as non-exportable. This is a shortcut version of the subcommand "lsign" from @option{--edit-key}. -@ifset gpgtwoone @item --quick-sign-key @code{fpr} [@code{names}] @itemx --quick-lsign-key @code{fpr} [@code{names}] @opindex quick-sign-key @@ -943,9 +922,7 @@ This command uses reasonable defaults and thus does not provide the full flexibility of the "sign" subcommand from @option{--edit-key}. Its intended use is to help unattended key signing by utilizing a list of verified fingerprints. -@end ifset -@ifset gpgtwoone @item --quick-adduid @var{user-id} @var{new-user-id} @opindex quick-adduid This command adds a new user id to an existing key. In contrast to @@ -953,7 +930,6 @@ the interactive sub-command @code{adduid} of @option{--edit-key} the @var{new-user-id} is added verbatim with only leading and trailing white space removed, it is expected to be UTF-8 encoded, and no checks on its form are applied. -@end ifset @item --passwd @var{user_id} @opindex passwd 
@@ -1271,13 +1247,8 @@ use the specified keyring alone, use @option{--keyring} along with @item --secret-keyring @code{file} @opindex secret-keyring -@ifset gpgtwoone This is an obsolete option and ignored. All secret keys are stored in the @file{private-keys-v1.d} directory below the GnuPG home directory. -@end ifset -@ifclear gpgtwoone -Same as @option{--keyring} but for the secret keyrings. -@end ifclear @item --primary-keyring @code{file} @opindex primary-keyring @@ -1610,21 +1581,6 @@ are available for all keyserver types, some common options are: this option is not used with HKP keyservers, as they do not support retrieving keys by subkey id. -@ifclear gpgtwoone - @item use-temp-files - On most Unix-like platforms, GnuPG communicates with the keyserver - helper program via pipes, which is the most efficient method. This - option forces GnuPG to use temporary files to communicate. On some - platforms (such as Win32 and RISC OS), this option is always enabled. -@end ifclear - -@ifclear gpgtwoone - @item keep-temp-files - If using `use-temp-files', do not delete the temp files after using - them. This option is useful to learn the keyserver communication - protocol by reading the temporary files. -@end ifclear - @item timeout Tell the keyserver helper program how long (in seconds) to try and perform a keyserver action before giving up. Note that performing 
@@ -1635,64 +1591,23 @@ are available for all keyserver types, some common options are: @item http-proxy=@code{value} Set the proxy to use for HTTP and HKP keyservers. -@ifset gpgtwoone -This overrides any proxy defined in @file{dirmngr.conf}. -@end ifset -@ifclear gpgtwoone -This overrides the "http_proxy" environment variable, if any. -@end ifclear - -@ifclear gpgtwoone - @item max-cert-size - When retrieving a key via DNS CERT, only accept keys up to this size. - Defaults to 16384 bytes. -@end ifclear + This overrides any proxy defined in @file{dirmngr.conf}. @item verbose -@ifset gpgtwoone -This option has no more function since GnuPG 2.1. Use the -@code{dirmngr} configuration options instead. -@end ifset -@ifclear gpgtwoone -Tell the keyserver helper program to be more verbose. This option can -be repeated multiple times to increase the verbosity level. -@end ifclear + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. @item debug -@ifset gpgtwoone -This option has no more function since GnuPG 2.1. Use the -@code{dirmngr} configuration options instead. -@end ifset -@ifclear gpgtwoone -Turn on debug output in the keyserver helper program. Note that the -details of debug output depends on which keyserver helper program is -being used, and in turn, on any libraries that the keyserver helper -program uses internally (libcurl, openldap, etc). -@end ifclear + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. @item check-cert -@ifset gpgtwoone -This option has no more function since GnuPG 2.1. Use the -@code{dirmngr} configuration options instead. -@end ifset -@ifclear gpgtwoone -Enable certificate checking if the keyserver presents one (for hkps or -ldaps). Defaults to on. -@end ifclear + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. 
@item ca-cert-file -@ifset gpgtwoone -This option has no more function since GnuPG 2.1. Use the -@code{dirmngr} configuration options instead. -@end ifset -@ifclear gpgtwoone - Provide a certificate store to override the system default. Only - necessary if check-cert is enabled, and the keyserver is using a - certificate that is not present in a system default certificate list. - - Note that depending on the SSL library that the keyserver helper is - built with, this may actually be a directory or a file. -@end ifclear + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. @end table @@ -1710,20 +1625,6 @@ key signer (defaults to 3) @opindex max-cert-depth Maximum depth of a certification chain (default is 5). -@ifclear gpgtwoone -@item --simple-sk-checksum -@opindex simple-sk-checksum -Secret keys are integrity protected by using a SHA-1 checksum. This -method is part of the upcoming enhanced OpenPGP specification but -GnuPG already uses it as a countermeasure against certain attacks. -Old applications don't understand this new format, so this option may -be used to switch back to the old behaviour. Using this option bears -a security risk. Note that using this option only takes effect when -the secret key is encrypted - the simplest way to make this happen is -to change the passphrase on the key (even changing it to the same -value is acceptable). -@end ifclear - @item --no-sig-cache @opindex no-sig-cache Do not cache the verification status of key signatures. 
@@ -1767,20 +1668,13 @@ default value is determined by running @command{gpgconf} with the option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is used for a regression test suite hack and may thus not be used in the file name. -@ifclear gpgtwoone -This is only used -as a fallback when the environment variable @code{GPG_AGENT_INFO} is not -set or a running agent cannot be connected. -@end ifclear -@ifset gpgtwoone @item --dirmngr-program @var{file} @opindex dirmngr-program Specify a dirmngr program to be used for keyserver access. The default value is @file{/usr/sbin/dirmngr}. This is only used as a fallback when the environment variable @code{DIRMNGR_INFO} is not set or a running dirmngr cannot be connected. -@end ifset @item --no-autostart @opindex no-autostart @@ -1969,7 +1863,6 @@ Remove all entries from the @option{--group} list. Use @var{name} as the key to sign with. Note that this option overrides @option{--default-key}. -@ifset gpgtwoone @item --try-secret-key @var{name} @opindex try-secret-key For hidden recipients GPG needs to know the keys to use for trial @@ -1981,7 +1874,6 @@ the long keyid to avoid ambiguities. Note that gpg-agent might pop up a pinentry for a lot keys to do the trial decryption. If you want to stop all further trial decryption you may use close-window button instead of the cancel button. -@end ifset @item --try-all-secrets @opindex try-all-secrets 
@@ -2112,15 +2004,13 @@ opposite meaning. The options are: @c Since GnuPG 2.1 gpg-agent manages the secret key and thus the @c export-reset-subkey-passwd hack is not anymore justified. Such use - @c cases need to be implemented using a specialized secret key export + @c cases may be implemented using a specialized secret key export @c tool. -@ifclear gpgtwoone - @item export-reset-subkey-passwd - When using the @option{--export-secret-subkeys} command, this option resets - the passphrases for all exported subkeys to empty. This is useful - when the exported subkey is to be used on an unattended machine where - a passphrase doesn't necessarily make sense. Defaults to no. -@end ifclear + @c @item export-reset-subkey-passwd + @c When using the @option{--export-secret-subkeys} command, this option resets + @c the passphrases for all exported subkeys to empty. This is useful + @c when the exported subkey is to be used on an unattended machine where + @c a passphrase doesn't necessarily make sense. Defaults to no. @item export-clean Compact (remove all signatures from) user IDs on the key being @@ -2161,22 +2051,18 @@ listing mode and print all timestamps as seconds since 1970-01-01. Since GnuPG 2.0.10, this mode is always used and thus this option is obsolete; it does not harm to use it though. -@ifset gpgtwoone @item --legacy-list-mode @opindex legacy-list-mode Revert to the pre-2.1 public key list mode. This only affects the human readable output and not the machine interface (i.e. @code{--with-colons}). Note that the legacy format does not allow to convey suitable information for elliptic curves. -@end ifset @item --with-fingerprint @opindex with-fingerprint Same as the command @option{--fingerprint} but changes only the format of the output and may be used together with another command. -@ifset gpgtwoone - @item --with-icao-spelling @opindex with-icao-spelling Print the ICAO spelling of the fingerprint in addition to the hex digits. 
@@ -2190,8 +2076,6 @@ Include the keygrip in the key listings. Include info about the presence of a secret key in public key listings done with @code{--with-colons}. -@end ifset - @end table @c ******************************************* @@ -2214,34 +2098,11 @@ platforms that have different line ending conventions (UNIX-like to Mac, Mac to Windows, etc). @option{--no-textmode} disables this option, and is the default. -@ifclear gpgtwoone -@item --force-v3-sigs -@itemx --no-force-v3-sigs -@opindex force-v3-sigs -OpenPGP states that an implementation should generate v4 signatures -but PGP versions 5 through 7 only recognize v4 signatures on key -material. This option forces v3 signatures for signatures on data. -Note that this option implies @option{--no-ask-sig-expire}, and unsets -@option{--sig-policy-url}, @option{--sig-notation}, and -@option{--sig-keyserver-url}, as these features cannot be used with v3 -signatures. @option{--no-force-v3-sigs} disables this option. -Defaults to no. - -@item --force-v4-certs -@itemx --no-force-v4-certs -@opindex force-v4-certs -Always use v4 key signatures even on v3 keys. This option also -changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. -@option{--no-force-v4-certs} disables this option. -@end ifclear - -@ifset gpgtwoone @item --force-v3-sigs @itemx --no-force-v3-sigs @item --force-v4-certs @itemx --no-force-v4-certs These options are obsolete and have no effect since GnuPG 2.1. -@end ifset @item --force-mdc @opindex force-mdc @@ -2397,12 +2258,7 @@ compression algorithms none and ZIP. This also disables --throw-keyids, and making signatures with signing subkeys as PGP 6 does not understand signatures made by signing subkeys. -@ifclear gpgtwoone -This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}. -@end ifclear -@ifset gpgtwoone This option implies @option{--disable-mdc --escape-from-lines}. -@end ifset @item --pgp7 @opindex pgp7 
@@ -2761,7 +2617,6 @@ avoid it. Note that this passphrase is only used if the option @option{--batch} has also been given. This is different from GnuPG version 1.x. -@ifset gpgtwoone @item --pinentry-mode @code{mode} @opindex pinentry-mode Set the pinentry mode to @code{mode}. Allowed values for @code{mode} @@ -2779,7 +2634,6 @@ are: Redirect Pinentry queries to the caller. Note that in contrast to Pinentry the user is not prompted again if he enters a bad password. @end table -@end ifset @item --command-fd @code{n} @opindex command-fd @@ -3102,26 +2956,19 @@ files; They all live in in the current home directory (@pxref{option @item ~/.gnupg/pubring.gpg.lock The lock file for the public keyring. -@ifset gpgtwoone @item ~/.gnupg/pubring.kbx The public keyring using a different format. This file is sharred with @command{gpgsm}. You should backup this file. @item ~/.gnupg/pubring.kbx.lock The lock file for @file{pubring.kbx}. -@end ifset @item ~/.gnupg/secring.gpg -@ifclear gpgtwoone - The secret keyring. You should backup this file. -@end ifclear -@ifset gpgtwoone A secret keyring as used by GnuPG versions before 2.1. It is not used by GnuPG 2.1 and later. @item ~/.gnupg/.gpg-v21-migrated - File indicating that a migration to GnuPG 2.1 has taken place. -@end ifset + File indicating that a migration to GnuPG 2.1 has been done. @item ~/.gnupg/trustdb.gpg The trust database. There is no need to backup this file; it is better 
@@ -3166,18 +3013,7 @@ Operation is further controlled by a few environment variables: If set directory used instead of "~/.gnupg". @item GPG_AGENT_INFO -@ifset gpgtwoone This variable was used by GnuPG versions before 2.1 -@end ifset -@ifclear gpgtwoone - Used to locate the gpg-agent. - - The value consists of 3 colon delimited fields: The first is the path - to the Unix Domain Socket, the second the PID of the gpg-agent and the - protocol version which should be set to 1. When starting the gpg-agent - as described in its documentation, this variable is set to the correct - value. The option @option{--gpg-agent-info} can be used to override it. -@end ifclear @item PINENTRY_USER_DATA This value is passed via gpg-agent to pinentry. It is useful to convey @@ -3409,17 +3245,7 @@ control statements must be given. For GnuPG 2.1 and later @item %ask-passphrase @itemx %no-ask-passphrase -@ifclear gpgtwoone -Enable (or disable) a mode where the command @option{passphrase} is -ignored and instead the usual passphrase dialog is used. This does -not make sense for batch key generation; however the unattended key -generation feature is also used by GUIs and this feature relinquishes -the GUI from implementing its own passphrase entry code. These are -global control statements and affect all future key generations. -@end ifclear -@ifset gpgtwoone This option is a no-op for GnuPG 2.1 and later. -@end ifset @item %no-protection Using this option allows the creation of keys without any passphrase diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 9f16f8264..1b57d1a2c 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi 
@@ -165,20 +165,12 @@ use @samp{--help} to get a list of supported operations. @table @gnupgtabopt @item --gen-key @opindex gen-key
-@ifclear gpgtwoone
--This command allows the creation of a certificate signing request. It
--is commonly used along with the @option{--output} option to save the
--created CSR into a file. If used with the @option{--batch} a parameter
--file is used to create the CSR.
-@end ifclear
-@ifset gpgtwoone
 This command allows the creation of a certificate signing request or a self-signed certificate. It is commonly used along with the @option{--output} option to save the created CSR or certificate into a file. If used with the @option{--batch} a parameter file is used to create the CSR or certificate and it is further possible to create non-self-signed certificates.
-@end ifset
 @item --list-keys @itemx -k
@@ -266,7 +258,6 @@ informational lines are prepended to the output. Note, that the PKCS#12 format is not very secure and this command is only provided if there is no other way to exchange the private key. (@pxref{option --p12-charset})
-@ifset gpgtwoone
 @item --export-secret-key-p8 @var{key-id} @itemx --export-secret-key-raw @var{key-id} @opindex export-secret-key-p8
@@ -277,7 +268,6 @@ PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format. When used with the @code{--armor} option a few informational lines are prepended to the output. These commands are useful to prepare a key for use on a TLS server.
-@end ifset
 @item --import [@var{files}] @opindex import
@@ -361,11 +351,6 @@ Specify an agent program to be used for secret key operations. The default value is determined by running the command @command{gpgconf}. Note that the pipe symbol (@code{|}) is used for a regression test suite hack and may thus not be used in the file name.
-@ifclear gpgtwoone
-This is only used
-as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
-set or a running agent cannot be connected.
-@end ifclear
 @item --dirmngr-program @var{file} @opindex dirmngr-program
@@ -594,12 +579,10 @@ certificate. Include the keygrip in standard key listings. Note that the keygrip is always listed in --with-colons mode.
-@ifset gpgtwoone
 @item --with-secret @opindex with-secret Include info about the presence of a secret key in public key listings done with @code{--with-colons}.
-@end ifset
 @end table
@@ -906,10 +889,6 @@ other programs of this software too. @item S.gpg-agent @cindex S.gpg-agent If this file exists
-@ifclear gpgtwoone
-and the environment variable @env{GPG_AGENT_INFO} is
-not set,
-@end ifclear
 @command{gpgsm} will first try to connect to this socket for accessing @command{gpg-agent} before starting a new @command{gpg-agent} instance. Under Windows this socket (which in reality be a plain file
@@ -1000,12 +979,6 @@ this is a missing certificate. @node CSR and certificate creation @subsection CSR and certificate creation
-@ifclear gpgtwoone
-@strong{Please notice}: The immediate creation of certificates is only
-supported by GnuPG version 2.1 or later. With a 2.0 version you may
-only create a CSR.
-@end ifclear
-
 The command @option{--gen-key} may be used along with the option @option{--batch} to either create a certificate signing request (CSR) or an X.509 certificate. This is controlled by a parameter file; the
diff --git a/doc/tools.texi b/doc/tools.texi
index fadbcb13b..7bf5066bf 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -16,9 +16,7 @@ GnuPG comes with a couple of smaller tools: * gpgsm-gencert.sh:: Generate an X.509 certificate request. * gpg-preset-passphrase:: Put a passphrase into the cache. * gpg-connect-agent:: Communicate with a running agent.
-@ifset gpgtwoone
 * dirmngr-client:: How to use the Dirmngr client tool.
-@end ifset
 * gpgparsemail:: Parse a mail message into an annotated format * symcryptrun:: Call a simple symmetric encryption tool. * gpg-zip:: Encrypt or sign files into an archive.
@@ -305,7 +303,6 @@ Reload all or the given component. This is basically the same as sending a SIGHUP to the component. Components which don't support reloading are ignored.
-@ifset gpgtwoone
 @item --launch [@var{component}] @opindex launch If the @var{component} is not already running, start it.
@@ -320,7 +317,6 @@ Kill the given component. Components which support killing are gpg-agent and scdaemon. Components which don't support reloading are ignored. Note that as of now reload and kill have the same effect for scdaemon.
-@end ifset
 @end table
@@ -1210,7 +1206,6 @@ option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is used for a regression test suite hack and may thus not be used in the file name.
-@ifset gpgtwoone
 @item --dirmngr-program @var{file} @opindex dirmngr-program Specify the directory manager (keyserver client) program to be started
@@ -1221,7 +1216,6 @@ option @option{--dirmngr}. @opindex dirmngr Connect to a running directory manager (keyserver client) instead of to the gpg-agent. If a dirmngr is not running, start it.
-@end ifset
 @item -S @itemx --raw-socket @var{name}
@@ -1487,7 +1481,6 @@ Print a list of available control commands. @include see-also-note.texi @end ifset
-@ifset gpgtwoone
 @c @c DIRMNGR-CLIENT @c
@@ -1648,7 +1641,7 @@ Squid's @option{external_acl_type} option. @command{gpgsm}(1) @include see-also-note.texi @end ifset
-@end ifset
+
 @c @c GPGPARSEMAIL