diff --git a/ChangeLog b/ChangeLog index 12a177276..477d68bf7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2010-10-04 Werner Koch + + * configure.ac (GNUPG_CHECK_FAQPROG): Remove. + 2010-08-19 Werner Koch * configure.ac (AH_BOTTOM): Define GPG_ERR_ENABLE_ERRNO_MACROS. diff --git a/common/ChangeLog b/common/ChangeLog index b7e33baf1..3b95f2d86 100644 --- a/common/ChangeLog +++ b/common/ChangeLog @@ -1,3 +1,7 @@ +2010-10-04 Werner Koch + + * gettime.c (asctimestamp) [W32CE]: Do not print the timezone. + 2010-09-30 Werner Koch * util.h (GPG_ERR_FULLY_CANCELED): Add replacement. diff --git a/common/gettime.c b/common/gettime.c index 658433d18..e54c3a628 100644 --- a/common/gettime.c +++ b/common/gettime.c @@ -330,41 +330,46 @@ isotimestamp (u32 stamp) * Note: this function returns local time */ const char * -asctimestamp( u32 stamp ) +asctimestamp (u32 stamp) { - static char buffer[50]; + static char buffer[50]; #if defined (HAVE_STRFTIME) && defined (HAVE_NL_LANGINFO) - static char fmt[50]; + static char fmt[50]; #endif - struct tm *tp; - time_t atime = stamp; + struct tm *tp; + time_t atime = stamp; - if (atime < 0) { - strcpy (buffer, "????" "-??" "-??"); - return buffer; + if (atime < 0) + { + strcpy (buffer, "????" "-??" "-??"); + return buffer; } - tp = localtime( &atime ); + tp = localtime( &atime ); #ifdef HAVE_STRFTIME -#if defined(HAVE_NL_LANGINFO) - mem2str( fmt, nl_langinfo(D_T_FMT), DIM(fmt)-3 ); - if( strstr( fmt, "%Z" ) == NULL ) - strcat( fmt, " %Z"); - /* NOTE: gcc -Wformat-noliteral will complain here. I have - found no way to suppress this warning .*/ - strftime (buffer, DIM(buffer)-1, fmt, tp); +# if defined(HAVE_NL_LANGINFO) + mem2str( fmt, nl_langinfo(D_T_FMT), DIM(fmt)-3 ); + if (!strstr( fmt, "%Z" )) + strcat( fmt, " %Z"); + /* NOTE: gcc -Wformat-noliteral will complain here. I have found no + way to suppress this warning. */ + strftime (buffer, DIM(buffer)-1, fmt, tp); +# elif defined(HAVE_W32CE_SYSTEM) + /* tzset is not available but %Z nevertheless prints a default + nonsense timezone ("WILDABBR"). Thus we don't print the time + zone at all. */ + strftime (buffer, DIM(buffer)-1, "%c", tp); +# else + /* FIXME: we should check whether the locale appends a " %Z" These + * locales from glibc don't put the " %Z": fi_FI hr_HR ja_JP lt_LT + * lv_LV POSIX ru_RU ru_SU sv_FI sv_SE zh_CN. */ + strftime (buffer, DIM(buffer)-1, "%c %Z", tp); +# endif + buffer[DIM(buffer)-1] = 0; #else - /* FIXME: we should check whether the locale appends a " %Z" - * These locales from glibc don't put the " %Z": - * fi_FI hr_HR ja_JP lt_LT lv_LV POSIX ru_RU ru_SU sv_FI sv_SE zh_CN - */ - strftime( buffer, DIM(buffer)-1, "%c %Z", tp ); + mem2str( buffer, asctime(tp), DIM(buffer) ); #endif - buffer[DIM(buffer)-1] = 0; -#else - mem2str( buffer, asctime(tp), DIM(buffer) ); -#endif - return buffer; + return buffer; } diff --git a/configure.ac b/configure.ac index 5e2d7ca4d..009f399cd 100644 --- a/configure.ac +++ b/configure.ac @@ -518,7 +518,6 @@ AC_CHECK_TOOL(WINDRES, windres, :) AC_ISC_POSIX gl_EARLY AC_SYS_LARGEFILE -GNUPG_CHECK_FAQPROG GNUPG_CHECK_USTAR # We need to compile and run a program on the build machine. A diff --git a/doc/ChangeLog b/doc/ChangeLog index efa1939e2..03105edd6 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,10 @@ +2010-10-04 Werner Koch + + * faq.org: New. + * FAQ: Make it a static file with a pointer to the online location. + * Makefile.am (EXTRA_DIST): Remove faq.raw and faq.html. + (FAQ, faq.html): Remove these targets + 2010-09-28 Werner Koch * Makefile.am (AM_MAKEINFOFLAGS): Add define gpgtwoone. diff --git a/doc/Makefile.am b/doc/Makefile.am index 26c6e9e5e..73f714c85 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -32,12 +32,12 @@ EXTRA_DIST = samplekeys.asc \ gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png \ gnupg-card-architecture.eps gnupg-card-architecture.png \ gnupg-card-architecture.pdf \ - faq.raw FAQ faq.html gnupg7.texi \ + FAQ gnupg7.texi \ opt-homedir.texi see-also-note.texi specify-user-id.texi \ gpgv.texi texi.css yat2m.c BUILT_SOURCES = gnupg-card-architecture.eps gnupg-card-architecture.png \ - gnupg-card-architecture.pdf FAQ faq.html + gnupg-card-architecture.pdf info_TEXINFOS = gnupg.texi @@ -46,7 +46,7 @@ dist_pkgdata_DATA = qualified.txt com-certs.pem $(helpfiles) nobase_dist_doc_DATA = FAQ DETAILS HACKING TRANSLATE OpenPGP KEYSERVER \ $(examples) -dist_html_DATA = faq.html +#dist_html_DATA = gnupg_TEXINFOS = \ @@ -75,7 +75,7 @@ man_MANS = $(myman_pages) gnupg.7 watchgnupg_SOURCE = gnupg.texi -CLEANFILES = faq.raw.xref yat2m +CLEANFILES = yat2m DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \ $(myman_pages) gnupg.7 @@ -97,25 +97,6 @@ yat2m: yat2m.c fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@ -FAQ : faq.raw -if WORKING_FAQPROG - $(FAQPROG) -f $< $@ || $(FAQPROG) -f $< $@ -else - : Warning: missing faqprog.pl, cannot make $@ - echo "No $@ due to missing faqprog.pl" > $@ - echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@ -endif - -faq.html : faq.raw -if WORKING_FAQPROG - $(FAQPROG) -h -f $< $@ 2>&1 || $(FAQPROG) -h -f $< $@ -else - : Warning: missing faqprog.pl, cannot make $@ - echo "No $@ due to missing faqprog.pl" > $@ - echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@ -endif - - yat2m-stamp: $(myman_sources) @rm -f yat2m-stamp.tmp @touch yat2m-stamp.tmp diff --git a/doc/faq.raw b/doc/faq.org similarity index 77% rename from doc/faq.raw rename to doc/faq.org index 0e4502773..05b927b3c 100644 --- a/doc/faq.raw +++ b/doc/faq.org @@ -1,76 +1,47 @@ -[$htmltitle=GnuPG FAQ] -[$htmlcharset=] -[$sfaqheader=The GnuPG FAQ says:] -[$sfaqfooter= -The most recent version of the FAQ is available from - -] -[$usenetheader= -] -[$maintainer=David D. Scribner, ] -[$hGPGHTTP=http://www.gnupg.org] -[$hGPGFTP=ftp://ftp.gnupg.org] -[$hVERSION=1.2.2] +#+STARTUP: overview +#+OPTIONS: H:2 num:t toc:t \n:nil @:t ::t |:t ^:t *:t TeX:t +#+EMAIL: wk@gnupg.org +#+AUTHOR: GnuPG users +#+LANGUAGE: en +#+TITLE: GnuPG Frequently Asked Questions +#+OPTIONS: H:3 num:nil toc:t \n:nil @:t ::t |:t ^:{} -:t f:t *:t TeX:t LaTeX:t skip:nil d:(HIDE) tags:not-in-toc +#+LINK: gnupgweb http://www.gnupg.org/ +#+LINK gnupgftp ftp://ftp.gnupg.org/gcrypt/ +#+LINK: roundup https://bugs.g10code.com/gnupg/issue +#+STYLE: -[H body bgcolor=#ffffff text=#000000 link=#1f00ff alink=#ff0000 vlink=#9900dd] -[H h1]GnuPG Frequently Asked Questions[H /h1] +# FIXME: This FAQ needs a heavy cleanup. For now I only switched to +# org-mode format for easier maintenance. + +#+begin_html + +#+end_html -[H p] -Version: 1.6.3[H br] -Last-Modified: Jul 30, 2003[H br] -Maintained-by: [$maintainer] -[H /p] +* Welcome + :PROPERTIES: + :CUSTOM_ID: welcome + :END: + Welcome to the GnuPG FAQ. The latest HTML version is available + [[gnupgweb:faq.html][here]]. -This is the GnuPG FAQ. The latest HTML version is available -[H a href=[$hGPGHTTP]/documentation/faqs.html]here[H/a]. + The index is generated automatically, so there may be errors. Not + all questions may be in the section they belong to. Suggestions + about how to improve the structure of this FAQ are welcome. -The index is generated automatically, so there may be errors. Not all -questions may be in the section they belong to. Suggestions about how -to improve the structure of this FAQ are welcome. + Please send additions and corrections to the gnupg users mailing + list. It would be most convenient if you could provide the answer to + be included here as well. Your help is very much appreciated! -Please send additions and corrections to the maintainer. It would be -most convenient if you could provide the answer to be included here -as well. Your help is very much appreciated! + Please, don't send message like "This should be a FAQ - what's the + answer?". If it hasn't been asked before, it isn't a FAQ. In that case + you could search in the mailing list archive. -Please, don't send message like "This should be a FAQ - what's the -answer?". If it hasn't been asked before, it isn't a FAQ. In that case -you could search in the mailing list archive. - -[H hr] - -[H hr] - - - GENERAL - - What is GnuPG? - - [H a href=[$hGPGHTTP]]GnuPG[H /a] stands for GNU Privacy Guard and - is GNU's tool for secure communication and data storage. It can be - used to encrypt data and to create digital signatures. It includes - an advanced key management facility and is compliant with the - proposed OpenPGP Internet standard as described in [H a href=http://www.rfc-editor.org/]RFC 2440[H/a]. - As such, it is aimed to be compatible with PGP from PGP Corp. and - other OpenPGP tools - - Is GnuPG compatible with PGP? - - In general, yes. GnuPG and newer PGP releases should be implementing - the OpenPGP standard. But there are some interoperability problems. - See question for details. - - Is GnuPG free to use for personal or commercial use? - - Yes. GnuPG is part of the GNU family of tools and applications built - and provided in accordance with the Free Software Foundation (FSF) - General Public License (GPL). Therefore the software is free to copy, - use, modify and distribute in accordance with that license. Please - read the file titled COPYING that accompanies the application for - more information. - - What conventions are used in this FAQ? +** What conventions are used in this FAQ? + :PROPERTIES: + :CUSTOM_ID: what-conventions-are-used-in-this-faq + :END: Although GnuPG is being developed for several operating systems (often in parallel), the conventions used in this FAQ reflect a @@ -78,7 +49,7 @@ you could search in the mailing list archive. prompt (`$') should be interpreted as a command prompt (`>'), directory names separated by a forward slash (`/') may need to be converted to a back slash (`\'), and a tilde (`~') represents a - user's "home" directory (reference question for an example). + user's "home" directory (reference question [[id:how-do-i-put-my-keyring-in-a-different-directory][How do I put my keyring in a different directory?]] for an example). Some command-lines presented in this FAQ are too long to properly display in some browsers for the web page version of this file, and @@ -96,10 +67,48 @@ you could search in the mailing list archive. file may be interchangable with the newer gpg.conf file in many instances. See question for details. +* General Questions - SOURCES of INFORMATION +** What is GnuPG? + :PROPERTIES: + :CUSTOM_ID: what-is-gnupg + :END: - Where can I find more information on GnuPG? + [[gnupgweb][GnuPG]] stands for GNU Privacy Guard and is GNU's tool for secure + communication and data storage. It can be used to encrypt data and + to create digital signatures. It includes an advanced key + management facility and is compliant with the proposed OpenPGP + Internet standard as described in [[http://www.rfc-editor.org/rfc/rfc4880.txt][RFC-4880]]. As such, it is aimed + to be compatible with PGP from PGP Corp. and other OpenPGP tools + +** Is GnuPG compatible with PGP? + :PROPERTIES: + :CUSTOM_ID: is-gnupg-compatible-with-pgp + :END: + + In general, yes. GnuPG and newer PGP releases should be implementing + the OpenPGP standard. But there are some interoperability problems. + See question for details. + +** Is GnuPG free to use for personal or commercial use? + :PROPERTIES: + :CUSTOM_ID: is-gnupg-free-to-use + :END: + + Yes. GnuPG is part of the GNU family of tools and applications built + and provided in accordance with the Free Software Foundation (FSF) + General Public License (GPL). Therefore the software is free to copy, + use, modify and distribute in accordance with that license. Please + read the file titled COPYING that accompanies the application for + more information. + + +* Sources of Information + +** Where can I find more information on GnuPG? + :PROPERTIES: + :CUSTOM_ID: more-information-on-gnupg + :END: On-line resources: @@ -135,23 +144,24 @@ you could search in the mailing list archive. for hackers, not the casual user). [H /ul] - Where do I get GnuPG? +** Where do I get GnuPG? + :PROPERTIES: + :CUSTOM_ID: where-do-i-get-gnupg + :END: You can download the GNU Privacy Guard from its primary FTP server - [H a href=[$hGPGFTP]/gcrypt/]<[$hGPGFTP]/gcrypt/>[H /a] or from one of the mirrors: + [[gnupgftp:gnupg/][ftp.gnupg.org]] or from one of its [[gnupgweb:download/mirrors.html][mirrors]]. - [H a href=[$hGPGHTTP]/download/mirrors.html] - <[$hGPGHTTP]/download/mirrors.html> - [H /a] + The current stable version is FIXME. Please upgrade to this + version as it includes additional features, functions and security + fixes that may not have existed in prior versions. - The current stable version is [$hVERSION]. Please upgrade to this version as - it includes additional features, functions and security fixes that may - not have existed in prior versions. +* Installation - - INSTALLATION - - Which OSes does GnuPG run on? +** Which OSes does GnuPG run on? + :PROPERTIES: + :CUSTOM_ID: which-oses-does-gnupg-run-on + :END: It should run on most Unices as well as Windows versions (including Windows NT/2000) and Macintosh OS/X. A list of OSes reported to be OK @@ -161,7 +171,10 @@ you could search in the mailing list archive. <[$hGPGHTTP]/download/supported_systems.html> [H /a] - Which random data gatherer should I use? +** Which random data gatherer should I use? + :PROPERTIES: + :CUSTOM_ID: which-random-data-gatherer-should-i-use + :END: "Good" random numbers are crucial for the security of your encryption. Different operating systems provide a variety of more or less quality @@ -194,7 +207,10 @@ you could search in the mailing list archive. random quality isn't very good so don't use it on sensitive data. - How do I include support for RSA and IDEA? +** How do I include support for RSA and IDEA? + :PROPERTIES: + :CUSTOM_ID: how-do-i-include-support-for-rsa-and-idea + :END: RSA is included as of GnuPG version 1.0.3. @@ -225,9 +241,12 @@ you could search in the mailing list archive. [H /samp] - USAGE +* Usage - What is the recommended key size? +** What is the recommended key size? + :PROPERTIES: + :CUSTOM_ID: what-is-the-recommended-key-size + :END: 1024 bit for DSA signatures; even for plain Elgamal signatures. This is sufficient as the size of the hash is probably the weakest @@ -248,7 +267,10 @@ you could search in the mailing list archive. versions. It has only been introduced because at the time it was not clear whether there was a patent on DSA. - Why does it sometimes take so long to create keys? +** Why does it sometimes take so long to create keys? + :PROPERTIES: + :CUSTOM_ID: why-does-it-sometimes-take-so-long-to-create-keys + :END: The problem here is that we need a lot of random bytes and for that we (on Linux the /dev/random device) must collect some random data. @@ -263,7 +285,10 @@ you could search in the mailing list archive. Another problem might be another program which eats up your random bytes (a program (look at your daemons) that reads from /dev/random). - And it really takes long when I work on a remote system. Why? +** And it really takes long when I work on a remote system. Why? + :PROPERTIES: + :CUSTOM_ID: it-really-takes-long-when-i-work-on-a-remote-system + :END: Don't do this at all! You should never create keys or even use GnuPG on a remote system because you normally have no physical control @@ -280,7 +305,10 @@ you could search in the mailing list archive. the keys, so I use a special option, --quick-random, to generate insecure keys which are only good for some tests. - What is the difference between options and commands? +** What is the difference between options and commands? + :PROPERTIES: + :CUSTOM_ID: difference-between-options-and-commands + :END: If you do a 'gpg --help', you will get two separate lists. The first is a list of commands. The second is a list of options. Whenever you @@ -349,8 +377,10 @@ you could search in the mailing list archive. $ gpg [--options] --sign --encrypt foo.txt [H /samp] - I can't delete a user ID on my secret keyring because it has - already been deleted on my public keyring. What can I do? +** I can't delete a user ID on my secret keyring because it has already been deleted on my public keyring. What can I do? + :PROPERTIES: + :CUSTOM_ID: delete-user-id-from-secring-if-already-deleted-from-pubring + :END: Because you can only select from the public key ring, there is no direct way to do this. However it is not very complicated to do @@ -359,8 +389,10 @@ you could search in the mailing list archive. ring. Now select this user ID and delete it. Both user IDs will be removed from the secret ring. - I can't delete my secret key because the public key disappeared. - What can I do? +** I can't delete my secret key because the public key disappeared. What can I do? + :PROPERTIES: + :CUSTOM_ID: delete-my-secret-key-because-the-public-key-disappeared + :END: To select a key a search is always done on the public keyring, therefore it is not possible to select a secret key without @@ -375,7 +407,12 @@ you could search in the mailing list archive. for continued use with your secret key, you may be able to use gpgsplit as detailed in question . - What are trust, validity and ownertrust? + + +** What are trust, validity and ownertrust? + :PROPERTIES: + :CUSTOM_ID: what-are-trust-validity-and-ownertrust + :END: With GnuPG, the term "ownertrust" is used instead of "trust" to help clarify that this is the value you have assigned to a key @@ -387,7 +424,10 @@ you could search in the mailing list archive. on trust values see the chapter "The Web of Trust" in The GNU Privacy Handbook. - How do I sign a patch file? +** How do I sign a patch file? + :PROPERTIES: + :CUSTOM_ID: how-do-i-sign-a-patch-file + :END: Use "gpg --clearsign --not-dash-escaped ...". The problem with --clearsign is that all lines starting with a dash are quoted with @@ -400,19 +440,27 @@ you could search in the mailing list archive. mailer may not preserve these. If you want to mail a file you can simply sign it using your MUA (Mail User Agent). - Where is the "encrypt-to-self" option? +** Where is the "encrypt-to-self" option? + :PROPERTIES: + :CUSTOM_ID: where-is-the-encrypt-to-self-option + :END: Use "--encrypt-to your_keyID". You can use more than one of these options. To temporarily override the use of this additional key, you can use the option "--no-encrypt-to". - How can I get rid of the Version and Comment headers in armored - messages? +** How can I get rid of the Version and Comment headers in armored messages? + :PROPERTIES: + :CUSTOM_ID: get-rid-of-the-version-and-comment-headers-in-armored-messages + :END: Use "--no-version --comment ''". Note that the left over blank line is required by the protocol. - What does the "You are using the xxxx character set." mean? +** What does the "You are using the xxxx character set." mean? + :PROPERTIES: + :CUSTOM_ID: what-does-the-you-are-using-the-xxx-character-set-mean + :END: This note is printed when UTF-8 mapping has to be done. Make sure that the displayed character set is the one you have activated on @@ -421,16 +469,21 @@ you could search in the mailing list archive. "--charset". It is important that your active character set matches the one displayed - if not, restrict yourself to plain 7 bit ASCII and no mapping has to be done. - - How can I get list of key IDs used to encrypt a message? + +** How can I get list of key IDs used to encrypt a message? + :PROPERTIES: + :CUSTOM_ID: how-can-i-get-list-of-key-ids-used-to-encrypt-a-message + :END: [H samp] $ gpg --batch --decrypt --list-only --status-fd 1 2>/dev/null | awk '/^\[GNUPG:\] ENC_TO / { print $3 }' [H /samp] - Why can't I decrypt files encrypted as symmetrical-only (-c) with - a version of GnuPG prior to 1.0.1. +** Why can't I decrypt files encrypted as symmetrical-only (-c) with a version of GnuPG prior to 1.0.1. + :PROPERTIES: + :CUSTOM_ID: why-cant-i-decrypt-symmetrical-only-with-gnupg-prior-to-1.0.1 + :END: There was a bug in GnuPG versions prior to 1.0.1 which affected files only if 3DES or Twofish was used for symmetric-only encryption (this has @@ -442,7 +495,10 @@ you could search in the mailing list archive. updates, so you will need to use a version between 1.0.1 and 1.0.7 to re-encrypt any affected files. - How can I use GnuPG in an automated environment? +** How can I use GnuPG in an automated environment? + :PROPERTIES: + :CUSTOM_ID: how-can-i-use-gnupg-in-an-automated-environment + :END: You should use the option --batch and don't use passphrases as there is usually no way to store it more securely than on the @@ -476,7 +532,10 @@ you could search in the mailing list archive. install new subkeys. [H /ol] - Which email-client can I use with GnuPG? +** Which email-client can I use with GnuPG? + :PROPERTIES: + :CUSTOM_ID: which-email-client-can-i-use-with-gnupg + :END: Using GnuPG to encrypt email is one of the most popular uses. Several mail clients or mail user agents (MUAs) support GnuPG to @@ -551,7 +610,10 @@ you could search in the mailing list archive. email-relaying server that uses GnuPG to enable many email clients to send and receive emails that conform to PGP-MIME (RFC 2015). - Can't we have a gpg library? +** Can't we have a gpg library? + :PROPERTIES: + :CUSTOM_ID: cant-we-have-a-gpg-library + :END: This has been frequently requested. However, the current viewpoint of the GnuPG maintainers is that this would lead to several security @@ -559,8 +621,10 @@ you could search in the mailing list archive. future. However, for some areas of application gpgme could do the trick. You'll find it at [H a href=[$hGPGFTP]/gcrypt/alpha/gpgme]<[$hGPGFTP]/gcrypt/alpha/gpgme>[H /a]. - I have successfully generated a revocation certificate, but I don't - understand how to send it to the key servers. +** I have successfully generated a revocation certificate, but I don't understand how to send it to the key servers. + :PROPERTIES: + :CUSTOM_ID: how-to-send-a-revocation-to-the-keyservers + :END: Most keyservers don't accept a 'bare' revocation certificate. You have to import the certificate into gpg first: @@ -577,8 +641,10 @@ you could search in the mailing list archive. (or use a keyserver web interface for this). - - How do I put my keyring in a different directory? +** How do I put my keyring in a different directory? + :PROPERTIES: + :CUSTOM_ID: how-do-i-put-my-keyring-in-a-different-directory + :END: GnuPG keeps several files in a special homedir directory. These include the options file, pubring.gpg, secring.gpg, trustdb.gpg, @@ -598,7 +664,10 @@ you could search in the mailing list archive. on a floppy disk. Don't use "--keyring" as its purpose is to specify additional keyring files. - How do I verify signed packages? +** How do I verify signed packages? + :PROPERTIES: + :CUSTOM_ID: how-do-i-verify-signed-packages + :END: Before you can verify the signature that accompanies a package, you must first have the vendor, organisation, or issueing person's @@ -628,7 +697,10 @@ you could search in the mailing list archive. $ gpg --verify foobar.tar.gz.sig [H /samp] - How do I export a keyring with only selected signatures (keys)? +** How do I export a keyring with only selected signatures (keys)? + :PROPERTIES: + :CUSTOM_ID: how-do-i-export-a-keyring-with-only-selected-signatures + :END: If you're wanting to create a keyring with only a subset of keys selected from a master keyring (for a club, user group, or company @@ -639,7 +711,10 @@ you could search in the mailing list archive. [H /samp] - I still have my secret key, but lost my public key. What can I do? +** I still have my secret key, but lost my public key. What can I do? + :PROPERTIES: + :CUSTOM_ID: i-still-have-my-secret-key-but-lost-my-public-key + :END: All OpenPGP secret keys have a copy of the public key inside them, and in a worst-case scenario, you can create yourself a new public @@ -657,8 +732,10 @@ you could search in the mailing list archive. one. Using the entire secret keyring should work too. After this has been done, the publickey.gpg file can be imported into GnuPG as usual. - Clearsigned messages sent from my web-mail account have an invalid - signature. Why? +** Clearsigned messages sent from my web-mail account have an invalid signature. Why? + :PROPERTIES: + :CUSTOM_ID: clearsig-sent-from-webmail-have-an-invalid-signature + :END: Check to make sure the settings for your web-based email account do not use HTML formatting for the pasted clearsigned message. This can @@ -669,10 +746,13 @@ you could search in the mailing list archive. if plaintext messages are not an option. - COMPATIBILITY ISSUES +* Compatibility Issues - How can I encrypt a message with GnuPG so that PGP is able to decrypt it? +** How can I encrypt a message with GnuPG so that PGP is able to decrypt it? + :PROPERTIES: + :CUSTOM_ID: how-can-i-encrypt-a-message-so-that-pgp-is-able-to-decrypt-it + :END: It depends on the PGP version. @@ -711,7 +791,10 @@ you could search in the mailing list archive. This applies to conventional encryption as well. [H /UL] - How do I migrate from PGP 2.x to GnuPG? +** How do I migrate from PGP 2.x to GnuPG? + :PROPERTIES: + :CUSTOM_ID: how-do-i-migrate-from-pgp2-to-gnupg + :END: PGP 2 uses the RSA and IDEA encryption algorithms. Whereas the RSA patent has expired and RSA is included as of GnuPG 1.0.3, the IDEA @@ -720,11 +803,10 @@ you could search in the mailing list archive. about how to add IDEA support to GnuPG and read [H a href=[$hGPGHTTP]/gph/en/pgp2x.html]<[$hGPGHTTP]/gph/en/pgp2x.html>[H /a] to perform the migration. - (removed) - - (empty) - - Why is PGP 5.x not able to encrypt messages with some keys? +** Why is PGP 5.x not able to encrypt messages with some keys? + :PROPERTIES: + :CUSTOM_ID: why-is-pgp5-not-able-to-encrypt-messages-with-some-keys + :END: PGP, Inc. refuses to accept Elgamal keys of type 20 even for encryption. They only support type 16 (which is identical at least @@ -734,14 +816,20 @@ you could search in the mailing list archive. 16 Elgamal key to your public key, which is easy as your key signatures are still valid. - Why is PGP 5.x not able to verify my messages? +** Why is PGP 5.x not able to verify my messages? + :PROPERTIES: + :CUSTOM_ID: why-is-pgp5-not-able-to-verify-my-messages + :END: PGP 5.x does not accept v4 signatures for data material but OpenPGP requests generation of v4 signatures for all kind of data, that's why GnuPG defaults to them. Use the option "--force-v3-sigs" to generate v3 signatures for data. - How do I transfer owner trust values from PGP to GnuPG? +** How do I transfer owner trust values from PGP to GnuPG? + :PROPERTIES: + :CUSTOM_ID: how-do-i-transfer-owner-trust-values-from-pgp-to-gnupg + :END: There is a script in the tools directory to help you. After you have imported the PGP keyring you can give this command: @@ -753,7 +841,10 @@ you could search in the mailing list archive. where pgpkeyring is the original keyring and not the GnuPG keyring you might have created in the first step. - PGP does not like my secret key. +** PGP does not like my secret key. + :PROPERTIES: + :CUSTOM_ID: pgp-does-not-like-my-secret-key + :END: Older PGPs probably bail out on some private comment packets used by GnuPG. These packets are fully in compliance with OpenPGP; however @@ -788,7 +879,10 @@ you could search in the mailing list archive. [H /samp] - GnuPG no longer installs a ~/.gnupg/options file. Is it missing? +** GnuPG no longer installs a ~/.gnupg/options file. Is it missing? + :PROPERTIES: + :CUSTOM_ID: gnupg-no-longer-installs-a-options-file-is-it-missing + :END: No. The ~/.gnupg/options file has been renamed to ~/.gnupg/gpg.conf for new installs as of version 1.1.92. If an existing ~/.gnupg/options file @@ -798,7 +892,10 @@ you could search in the mailing list archive. or receiving the message that the "old default options file" is ignored (occurs if both a gpg.conf and an options file are found). - How do you export GnuPG keys for use with PGP? +** How do you export GnuPG keys for use with PGP? + :PROPERTIES: + :CUSTOM_ID: how-do-you-export-gnupg-keys-for-use-with-pgp + :END: This has come up fairly often, so here's the HOWTO: @@ -864,9 +961,12 @@ you could search in the mailing list archive. Thanks to David Shaw for this information! - PROBLEMS and ERROR MESSAGES +* Problems and Error Messages - Why do I get "gpg: Warning: using insecure memory!" +** Why do I get "gpg: Warning: using insecure memory!" + :PROPERTIES: + :CUSTOM_ID: why-do-i-get-gpg_warning_using_insecure_memory + :END: On many systems this program should be installed as setuid(root). This is necessary to lock memory pages. Locking memory pages prevents @@ -919,7 +1019,10 @@ you could search in the mailing list archive. was thought to be too serious an issue. However, it confused users too much, so the warning was eventually removed. - Large File Support doesn't work ... +** Large File Support doesn't work + :PROPERTIES: + :CUSTOM_ID: large-file-support-does-not-work + :END: LFS works correctly in post-1.0.4 versions. If configure doesn't detect it, try a different (i.e., better) compiler. egcs 1.1.2 works @@ -927,34 +1030,50 @@ you could search in the mailing list archive. of GnuPG 1.0.3 and 1.0.4 on HP-UX and Solaris were due to broken LFS support. - In the edit menu the trust values are not displayed correctly after - signing uids. Why? +** In the edit menu the trust values are not displayed correctly after signing uids. Why? + :PROPERTIES: + :CUSTOM_ID: edit-menu-trust-not-show-correctly-after-signing-uids + :END: This happens because some information is stored immediately in the trustdb, but the actual trust calculation can be done after the save command. This is a "not easy to fix" design bug which will be addressed in some future release. - What does "skipping pubkey 1: already loaded" mean? +** What does "skipping pubkey 1: already loaded" mean? + :PROPERTIES: + :CUSTOM_ID: what-does-skipping_pubkey_1_already_loaded-mean + :END: As of GnuPG 1.0.3, the RSA algorithm is included. If you still have a "load-extension rsa" in your options file, the above message occurs. Just remove the load command from the options file. - GnuPG 1.0.4 doesn't create ~/.gnupg ... +** GnuPG 1.0.4 doesn't create ~/.gnupg ... + :PROPERTIES: + :CUSTOM_ID: gnupg-1.0.4-does-not-create-.gnupg + :END: That's a known bug, already fixed in newer versions. - An Elgamal signature does not verify anymore since version 1.0.2 ... +** An Elgamal signature does not verify anymore since version 1.0.2 + :PROPERTIES: + :CUSTOM_ID: an-elgamal-signature-does-not-verify-anymore-since-version-1.0.2 + :END: Use the option --emulate-md-encode-bug. - Old versions of GnuPG can't verify Elgamal signatures +** Old versions of GnuPG can't verify Elgamal signatures + :PROPERTIES: + :CUSTOM_ID: old-versions-of-gnupg-cant-verify-elgamal-signatures + :END: Update to GnuPG 1.0.2 or newer. - When I use --clearsign, the plain text has sometimes extra dashes - in it - why? +** When I use --clearsign, the plain text has sometimes extra dashes in it - why? + :PROPERTIES: + :CUSTOM_ID: extra-dashes-in-clearsign-messages + :END: This is called dash-escaped text and is required by OpenPGP. It always happens when a line starts with a dash ("-") and is @@ -966,7 +1085,10 @@ you could search in the mailing list archive. are removed. Good mail clients remove those extra dashes when displaying such a message. - What is the thing with "can't handle multiple signatures"? +** What is the thing with "can't handle multiple signatures"? + :PROPERTIES: + :CUSTOM_ID: what-is-the-thing-with-cant_handle_multiple_signatures + :END: Due to different message formats GnuPG is not always able to split a file with multiple signatures unambiguously into its parts. This @@ -976,19 +1098,27 @@ you could search in the mailing list archive. OpenPGP format with one-pass-signature packets (which is GnuPG's default) or the cleartext signed format. - If I submit a key to a keyserver, nothing happens ... +** If I submit a key to a keyserver, nothing happens + :PROPERTIES: + :CUSTOM_ID: if-i-submit-a-key-to-a-keyserver-nothing-happens + :END: You are most likely using GnuPG 1.0.2 or older on Windows. That's feature isn't yet implemented, but it's a bug not to say it. Newer versions issue a warning. Upgrade to 1.4.5 or newer. - I get "gpg: waiting for lock ..." +** I get "gpg: waiting for lock ..." + :PROPERTIES: + :CUSTOM_ID: i-get-gpg_waiting_for_lock + :END: A previous instance of gpg has most likely exited abnormally and left a lock file. Go to ~/.gnupg and look for .*.lock files and remove them. - Older gpg binaries (e.g., 1.0) have problems with keys from newer - gpg binaries ... +** Older gpg binaries (e.g., 1.0) have problems with keys from newer gpg binaries + :PROPERTIES: + :CUSTOM_ID: gpg-1.0-has-problems-with-keys-from-newer-gpg-versions + :END: As of 1.0.3, keys generated with gpg are created with preferences to TWOFISH (and AES since 1.0.4) and that also means that they have the @@ -1007,14 +1137,20 @@ you could search in the mailing list archive. into your options file. - With 1.0.4, I get "this cipher algorithm is deprecated ..." +** With 1.0.4, I get "this cipher algorithm is deprecated ..." + :PROPERTIES: + :CUSTOM_ID: with-1.0.4-i-get-this_cipher_algorithm_is_deprecated + :END: If you just generated a new key and get this message while encrypting, you've witnessed a bug in 1.0.4. It uses the new AES cipher Rijndael that is incorrectly being referred as "deprecated". Ignore this warning, more recent versions of gpg are corrected. - Some dates are displayed as ????-??-??. Why? +** Some dates are displayed as ????-??-??. Why? + :PROPERTIES: + :CUSTOM_ID: some-dates-are-displayed-as-question-marks + :END: Due to constraints in most libc implementations, dates beyond 2038-01-19 can't be displayed correctly. 64-bit OSes are not @@ -1022,21 +1158,30 @@ you could search in the mailing list archive. instead prints some question marks. To see the correct value, you can use the options --with-colons and --fixed-list-mode. - I still have a problem. How do I report a bug? +** I still have a problem. How do I report a bug? + :PROPERTIES: + :CUSTOM_ID: i-still-have-a-problem-how-do-i-report-a-bug + :END: Are you sure that it's not been mentioned somewhere on the mailing lists? Did you have a look at the bug list (you'll find a link to - the list of reported bugs on the documentation page). If you're not - sure about it being a bug, you can send mail to the gnupg-devel - list. Otherwise, use the bug tracking system - [H a href=http://bugs.gnupg.org][H /a]. + the list of reported bugs on the documentation page). If you're + not sure about it being a bug, you can send mail to the + gnupg-devel list. Otherwise, use the bug tracking system + [[http://busg.gnupg.org][bugs.gnupg.org]]. - Why doesn't GnuPG support X.509 certificates? +** Why doesn't GnuPG support X.509 certificates? + :PROPERTIES: + :CUSTOM_ID: why-doesnt-gnupg-support-x509-certificates + :END: That is only the case for GnuPG version 1.x. GnuPG 2.x fully supports X.509 and S/MIME using the gpgsm tool. - Why do national characters in my user ID look funny? +** Why do national characters in my user ID look funny? + :PROPERTIES: + :CUSTOM_ID: why-do-national-characters-in-my-user-id-look-funny + :END: According to OpenPGP, GnuPG encodes user ID strings (and other things) using UTF-8. In this encoding of Unicode, most national @@ -1045,7 +1190,10 @@ you could search in the mailing list archive. 0xA5). This might also be the reason why keyservers can't find your key. - I get 'sed' errors when running ./configure on Mac OS X ... +** I get 'sed' errors when running ./configure on Mac OS X ... + :PROPERTIES: + :CUSTOM_ID: i-get-sed-errors-when-running-configure-on-mac-os-x + :END: This will be fixed after GnuPG has been upgraded to autoconf-2.50. Until then, find the line setting CDPATH in the configure script @@ -1057,23 +1205,29 @@ you could search in the mailing list archive. statement below it. - Why does GnuPG 1.0.6 bail out on keyrings used with 1.0.7? +** Why does GnuPG 1.0.6 bail out on keyrings used with 1.0.7? + :PROPERTIES: + :CUSTOM_ID: why-does-gnupg-1.0.6-bail-out-on-keyrings-used-with-1.0.7 + :END: There is a small bug in 1.0.6 which didn't parse trust packets correctly. You may want to apply this patch if you can't upgrade: + [[http://www.gnupg.org/developer/gpg-woody-fix.txt]]. - [H a href=http://www.gnupg.org/developer/gpg-woody-fix.txt][H /a] - - I upgraded to GnuPG version 1.0.7 and now it takes longer to load my - keyrings. What can I do? +** I upgraded to GnuPG version 1.0.7 and now it takes longer to load my keyrings. What can I do? + :PROPERTIES: + :CUSTOM_ID: with-gpg-1.0.7-it-takes-longer-to-load-my-keyrings + :END: The way signature states are stored has changed so that v3 signatures can be supported. You can use the new --rebuild-keydb-caches migration command, which was built into this release and increases the speed of many operations for existing keyrings. - Doesn't a fully trusted user ID on a key prevent warning messages - when encrypting to other IDs on the key? +** Doesn't a fully trusted user ID on a key prevent warning messages when encrypting to other IDs on the key? + :PROPERTIES: + :CUSTOM_ID: key-validation-bug-in-gpg-1.2.1 + :END: No. That was actually a key validity bug in GnuPG 1.2.1 and earlier versions. As part of the development of GnuPG 1.2.2, a bug was @@ -1084,10 +1238,12 @@ you could search in the mailing list archive. More information and a patch for a some pre-1.2.2 versions of GnuPG can be found at: - [H a href=http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html][H /a] + [[http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html]]. - I just compiled GnuPG from source on my GNU/Linux RPM-based system - and it's not working. Why? +** I just compiled GnuPG from source on my GNU/Linux RPM-based system and it's not working. Why? + :PROPERTIES: + :CUSTOM_ID: compiled-on-gnu-linux-rpm-based-system-and-not-working + :END: Many GNU/Linux distributions that are RPM-based will install a version of GnuPG as part of its standard installation, placing the @@ -1113,9 +1269,12 @@ you could search in the mailing list archive. located in /usr/local/bin. - ADVANCED TOPICS +* Advanced Topics - How does this whole thing work? +** How does this whole thing work? + :PROPERTIES: + :CUSTOM_ID: how-does-this-whole-thing-work + :END: To generate a secret/public keypair, run: @@ -1190,7 +1349,10 @@ you could search in the mailing list archive. system; to avoid this you should always sign and encrypt a message instead of only encrypting it. - Why are some signatures with an ELG-E key valid? +** Why are some signatures with an ELG-E key valid? + :PROPERTIES: + :CUSTOM_ID: why-are-some-signatures-with-an-elg-e-key-valid + :END: These are Elgamal keys generated by GnuPG in v3 (RFC 1991) packets. The OpenPGP draft later changed the algorithm identifier for Elgamal @@ -1200,7 +1362,10 @@ you could search in the mailing list archive. key is in a v3 packet. GnuPG is the only program which had used these v3 Elgamal keys - so this assumption is quite safe. - How does the whole trust thing work? +** How does the whole trust thing work? + :PROPERTIES: + :CUSTOM_ID: how-does-the-whole-trust-thing-work + :END: It works more or less like PGP. The difference is that the trust is computed at the time it is needed. This is one of the reasons for @@ -1257,14 +1422,20 @@ you could search in the mailing list archive. keyring. GnuPG stores the trust in the trustdb.gpg file so it is okay to give a gpg keyring away (but we have a --export command too). - What kind of output is this: "key C26EE891.298, uid 09FB: ...."? +** What kind of output is this: "key C26EE891.298, uid 09FB: ...."? + :PROPERTIES: + :CUSTOM_ID: trustb-diagnostics-output-key-uid + :END: This is the internal representation of a user ID in the trustdb. "C26EE891" is the keyid, "298" is the local ID (a record number in the trustdb) and "09FB" is the last two bytes of a ripe-md-160 hash of the user ID for this key. - How do I interpret some of the informational outputs? +** How do I interpret some of the informational outputs? + :PROPERTIES: + :CUSTOM_ID: how-do-i-interpret-some-of-the-informational-outputs + :END: While checking the validity of a key, GnuPG sometimes prints some information which is prefixed with information about the checked @@ -1293,15 +1464,20 @@ you could search in the mailing list archive. and user ID, if it is a signature which is direct on a key, the user ID part is empty (..//..). - Are the header lines of a cleartext signature part of the signed - material? +** Are the header lines of a cleartext signature part of the signed material? + :PROPERTIES: + :CUSTOM_ID: are-header-lines-of-cleartext-sigs-part-of-the-signed-material + :END: No. For example you can add or remove "Comment:" lines. They have a purpose like the mail header lines. However a "Hash:" line is needed for OpenPGP signatures to tell the parser which hash algorithm to use. - What is the list of preferred algorithms? +** What is the list of preferred algorithms? + :PROPERTIES: + :CUSTOM_ID: what-is-the-list-of-preferred-algorithms + :END: The list of preferred algorithms is a list of cipher, hash and compression algorithms stored in the self-signature of a key during @@ -1310,7 +1486,10 @@ you could search in the mailing list archive. to use. Basically it tells other people what algorithms the recipient is able to handle and provides an order of preference. - How do I change the list of preferred algorithms? +** How do I change the list of preferred algorithms? + :PROPERTIES: + :CUSTOM_ID: how-do-i-change-the-list-of-preferred-algorithms + :END: In version 1.0.7 or later, you can use the edit menu and set the new list of preference using the command "setpref"; the format of @@ -1322,7 +1501,10 @@ you could search in the mailing list archive. timestamp of the self-signature is increased by one second when running this command. - How can I import all the missing signer keys? +** How can I import all the missing signer keys? + :PROPERTIES: + :CUSTOM_ID: how-can-i-import-all-the-missing-signer-keys + :END: If you imported a key and you want to also import all the signer's keys, you can do this with this command: @@ -1335,20 +1517,44 @@ you could search in the mailing list archive. of the listing before before starting the import. - ACKNOWLEDGEMENTS +* Acknowledgements + :PROPERTIES: + :CUSTOM_ID: acknowledgements + :END: Many thanks to Nils Ellmenreich for maintaining this FAQ file for - such a long time, Werner Koch for the original FAQ file, and to all - posters to gnupg-users and gnupg-devel. They all provided most of - the answers. + such a long time, Werner Koch for the original FAQ file, David + D. Scribner as another maintainer and to all posters to + gnupg-users and gnupg-devel. They all provided most of the + answers. - Also thanks to Casper Dik for providing us with a script to generate - this FAQ (he uses it for the excellent Solaris2 FAQ). + Copyright (C) 2000, 2001, 2002, 2003, 2010 Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02111, USA -[H hr] + Verbatim copying and distribution of this entire article is + permitted in any medium, provided this notice is preserved. -Copyright (C) 2000, 2001, 2002, 2003 Free Software Foundation, Inc., -51 Franklin Street, Fifth Floor, Boston, MA 02111, USA +* COMMENT HTML style specifications -Verbatim copying and distribution of this entire article is permitted in -any medium, provided this notice is preserved. +#+begin_src emacs-lisp + (defun org-faq-make-target () + "Make hard target for current headline." + (interactive) + (if (not (org-on-heading-p)) + (error "Not on a headline")) + (let ((h (org-trim (org-get-heading 'no-tags)))) + (if (string-match "[ \t]*\\?\\'" h) + (setq h (replace-match "" t t h))) + (while (string-match "[ \t]+" h) + (setq h (replace-match "-" t t h))) + (setq h (downcase h)) + (org-entry-put nil "CUSTOM_ID" h))) +#+end_src + + + +# Local Variables: +# org-export-html-style-include-default: nil +# org-export-html-style-include-scripts: nil +# End: