Support for a global gpgconf configuration file.

doc/ChangeLog

@@ -1,3 +1,7 @@
+2007-03-06  Werner Koch  <wk@g10code.com>
+
+	* examples/gpgconf.conf: New.
+
 2007-03-04  David Shaw  <dshaw@jabberwocky.com>
 
 	* gpg.texi (GPG Esoteric Options): Document

doc/Makefile.am

@@ -19,7 +19,8 @@
 
 ## Process this file with automake to produce Makefile.in
 
-examples = examples/README examples/scd-event examples/trustlist.txt
+examples = examples/README examples/scd-event examples/trustlist.txt \
+	   examples/gpgconf.conf
 
 EXTRA_DIST = DETAILS HACKING TRANSLATE OpenPGP KEYSERVER samplekeys.asc \
 	     gnupg-badge-openpgp.eps gnupg-badge-openpgp.jpg \

doc/examples/gpgconf.conf

@@ -0,0 +1,59 @@
+# gpgconf.conf - configuration for gpgconf
+#----------------------------------------------------------------------
+# This file is read by gpgconf(1) to setup defaults for all or
+# specified users and groups.  It may be used to change the hardwired
+# defaults in gpgconf and to enforce certain values for the various
+# GnuPG related configuration files.
+#
+# Empty lines and comment lines, indicated by a hash mark as first non
+# white space character, are ignored.  The line is separated by white
+# space into fields. The first field is used to match the user or
+# group and must start at the first column, the file is processes
+# sequential until a matching rle is found.  A rule may contain
+# several lines, continuation lines are indicated by a indenting them.
+#
+# Syntax of a line:
+# <key>|WS  <component> <option> ["["<flag>"]"] [<value>]
+#
+# Examples for the <key> field:
+#   foo         - Matches the user "foo".
+#   foo:        - Matches the user "foo".
+#   foo:staff   - Matches the user "foo" or the group "staff".
+#   :staff      - Matches the group "staff".
+#   *           - Matches any user.
+# All other variants are not defined and reserved for future use.
+#
+# <component> and <option> are as specified by gpgconf. 
+# <flag> may be one of:
+#   default     - Delete the option so that the default is used.
+#   no-change   - Mark the field as non changeable by gpgconf.
+#   change      - Mark the field as changeable by gpgconf.
+#
+# Example file:
+#==========
+# :staff  gpg-agent allow-mark-trusted [change]
+#         gpg-agent min-passphrase-len 6
+#
+# *       gpg-agent min-passphrase-len [no-change] 12
+#         gpg-agent allow-mark-trusted [default]
+#         gpg-agent allow-mark-trusted [no-change]
+#         gpgsm     enable-ocsp           
+#===========
+# All users in the group "staff" are allowed to change the value for
+# --allow-mark-trusted; gpgconf's default is not to allow a change
+# through its interface.  When "gpgconf --apply-defaults" is used,
+# "allow-mark-trusted" will get enabled and "min-passphrase-len" set
+# to 6.  All other users are not allowed to change
+# "min-passphrase-len" and "allow-mark-trusted".  When "gpgconf
+# --apply-defaults" is used for them, "min-passphrase-len" is set to
+# 12, "allow-mark-trusted" deleted from the config file and
+# "enable-ocsp" is put into the config file of gpgsm.  The latter may
+# be changed by any user.
+#-------------------------------------------------------------------
+
+
+# Allow all users to change the allow-mark-trusted option.
+# (This was the default prior to gnupg 2.0.3)
+* gpg-agent allow-mark-trusted [change]
+
+

doc/gpg-agent.texi

@@ -336,7 +336,7 @@ been accessed recently.  The default are 2 hours (7200 seconds).
 
 @item --min-passphrase-len @var{n}
 @opindex min-passphrase-len
-Set the minimal length of a passphrase.  When entereing a new passphrase
+Set the minimal length of a passphrase.  When entering a new passphrase
 shorter than this value a warning will be displayed.  Defaults to 8.
 
 @item --pinentry-program @var{filename}

doc/tools.texi

@@ -199,6 +199,7 @@ throughout this section.
 * Listing components::    List all gpgconf components.
 * Listing options::       List all options of a component.
 * Changing options::      Changing options of a component.
+* Files used by gpgconf:: What files are used by gpgconf.
 @end menu
 
 @manpause
@@ -219,8 +220,18 @@ List all options of the component @var{component}.
 
 @item --change-options @var{component}
 Change the options of the component @var{component}.
+
+@item --apply-defaults
+Update all configuration files with values taken from the global
+configuration file (usually @file{/etc/gnupg/gpgconf.conf}).
+
+@item --check-config [@var{filename}]
+Run a syntax check ion the global configuration file.  If @var{filename}
+is given, check that file instead.
+
 @end table
 
+
 @mansect options
 
 The following options may be used:
@@ -486,6 +497,11 @@ If this flag is set, a (runtime) default is available.  This and the
 @item no arg desc (64)
 If this flag is set, and the @code{optional arg} flag is set, then the
 option has a special meaning if no argument is given.
+
+@item no change (128)
+If this flag is set, gpgconf ignores requests to change the value.  GUI
+frontends should grey out this option.  Note, that manual changes of the
+configuration files are still possible.
 @end table
 
 @item level
@@ -658,6 +674,20 @@ $ echo 'force:16:' | gpgconf --change-options dirmngr
 The @code{--runtime} option can influence when the changes take
 effect.
 
+@mansect files
+@node Files used by gpgconf
+@subsection Files used by gpgconf
+
+@table @file
+
+@item /etc/gnupg/gpg-agent.conf
+@cindex gpgconf.conf
+  If this file exists, it is processed as a global configuration file.
+  A commented example can be found in the @file{examples} directory of
+  the distribution.
+@end table
+
+
 @mansect see also
 @command{gpg}(1), 
 @command{gpgsm}(1), 

doc/vuln-announce-2007-multiple-message.txt

@@ -0,0 +1,145 @@
+             Multiple Messages Problem in GnuPG and GPGME
+            ==============================================
+                              2007-03-05
+
+
+Summary
+=======
+
+Gerardo Richarte from Core Security Technologies identified a problem
+when using GnuPG in streaming mode.
+
+The problem is actually a variant of a well known problem in the way
+signed material is presented in a MUA.  It is possible to insert
+additional text before or after a signed (or signed and encrypted)
+OpenPGP message and make the user believe that this additional text is
+also covered by the signature.  The Core Security advisory describes
+several variants of the attack; they all boil down to the fact that it
+might not be possible to identify which part of a message is actually
+signed if gpg is not used correctly.
+
+[ Please do not send private mail in response to this message.  The
+  mailing list gnupg-devel is the best place to discuss this problem
+  (please subscribe first so you don't need moderator approval [1]). ]
+
+
+Impact
+======
+
+All applications using GnuPG without properly using the status
+interface to verify signed or signed and encrypted messages.
+
+All GPGME versions up to and including 1.1.3.
+
+Starting with version 1.4.7 and 2.0.3, GnuPG implements an additional
+and sufficient protection against this common usage problem.
+
+Detached signatures are in no way affected by this problem.
+
+
+Description
+===========
+
+When using gpg (or gpg2) in a pipeline or with redirected input and
+output additional data may be inserted into a message.  This allows to
+forge a signed message by prefixing it with arbitrary material.  A way
+to create such a message is:
+
+  echo "This is my sneaky plaintext message" > foobar.txt
+  gpg -z0 --output prefix.gpg --store foobar.txt
+  cat prefix.gpg original-signed-message.gpg > forged.gpg
+
+Using gpg naively this results in:
+
+  $ gpg <forged.gpg
+  This is my sneaky plaintext message
+  Either I'm dead or my watch has stopped.
+                  -- Groucho Marx's last words
+  gpg: Signature made Mon Feb 26 09:57:04 2007 CET using DSA key ID 68697734
+  gpg: Good signature from "Alfa Test (demo key) <alfa@example.net>"
+  [...]
+
+and thus gives the impression that the sneaky message is part of the
+signed Groucho quote.  The correct way to use gpg with redirection is
+by taking care of the status interface:
+
+  $ gpg --status-fd 1 <forged.gpg
+  [GNUPG:] PLAINTEXT 62 1172479053 foobar.txt
+  [GNUPG:] PLAINTEXT_LENGTH 36
+  This is my sneaky plaintext message
+  [GNUPG:] PLAINTEXT 62 1172480224 original-signed-message
+  [GNUPG:] PLAINTEXT_LENGTH 86
+  Either I'm dead or my watch has stopped.
+                  -- Groucho Marx's last words
+  gpg: Signature made Mon Feb 26 09:57:04 2007 CET using DSA key ID 68697734
+  [GNUPG:] SIG_ID UncMPBJYgbG/uszJVNKoCAz+hvY 2007-02-26 1172480224
+  [GNUPG:] GOODSIG 2D727CC768697734 Alfa Test (demo key) <alfa@example.net>
+  gpg: Good signature from "Alfa Test (demo key) <alfa@example.net>"
+  [...]
+
+Here the PLAINTEXT status lines clearly identify the start of a new
+message.
+
+Note, that using gpg on the command line is in almost all cases not
+done with redirection but by letting gpg save the the signed message.
+In this case gpg will save the message to different files or in case
+the file names are identical, prompt the over to overwrite the first
+one again.
+
+Because the problem of identifying the actual signed content when
+mixing the signed data and the signature is very common, the long
+standing suggestion for all digital signatures is to use a detached
+signature.  A detached signature allows to clearly identify what is
+signed and what is the signature.  This is also the reason why
+PGP/MIME signed messages are in general to be preferred over the old
+style clear signed messages.
+
+
+Solution
+========
+
+Given that there are many applications in use which are subject to the
+described problem, we have decided to change GnuPG so that such forged
+OpenPGP messages are detected and the signature verification will
+fail.  GnuPG 1.4.7 has been released today and is available from the
+usual places [2].  If you don't want to update, a minimal patch
+against GnuPG 1.4.6 is available at
+
+ ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
+
+Many applications are using the library GPGME which implements an easy
+way to process OpenPGP messages using gpg.  We have updated GPGME to
+make it immune against this problem even if an old version of gpg is
+being used.  GPGME 1.1.4 is available from the usual places [2].  A
+patch (against version 1.1.3 or 1.1.2) is available at
+
+ ftp://ftp.gnupg.org/gcrypt/gpgme/patches/gpgme-1.1.3-multiple-message.patch
+
+Please note that - after applying one of these patches - some
+vulnerable applications (mainly MUAs) may fail to handle certain
+messages which are composed of several OpenPGP messages.  To continue
+the support of such messages fixing the application is required as
+there is no way for GnuPG to do it.
+
+
+Support 
+=======
+
+g10 Code GmbH [3], a Duesseldorf based company owned and headed by
+GnuPG's principal author, is currently funding GnuPG development.
+Support contracts or other financial backing will greatly help us to
+improve the quality of GnuPG.
+
+
+Thanks
+======
+
+Gerardo Richarte found this problem.  David Shaw greatly helped to
+analyse and describe the core of the problem.
+
+
+
+
+[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel
+[2] See http://www.gnupg.org/download/ 
+[3] See http://www.gnupg.org/service.html