From f3959f14b6c496c726bbca5230becb7b6844a234 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 5 Oct 2015 19:48:47 +0200 Subject: [PATCH] gpg: Install a dirmngr.conf file. * g10/dirmngr-conf.skel: New. * g10/Makefile.am (EXTRA_DIST): Add file. (install-data-local, uninstall-local): Install that file. * g10/openfile.c (copy_options_file): Add arg "name", return a value, simplify with xstrconcat, and factor warning message out to: (try_make_homedir): here. Also install dirmngr.conf. * g10/options.skel: Remove --keyserver entry. -- The option --keyserver in gpg has been deprecated in favor of --keyserver in dirmngr.conf. Thus we need to install a skeleton file for dirmngr to set a default keyserver. Signed-off-by: Werner Koch --- g10/Makefile.am | 6 ++++- g10/dirmngr-conf.skel | 61 +++++++++++++++++++++++++++++++++++++++++++ g10/openfile.c | 34 ++++++++++++++---------- g10/options.skel | 32 +---------------------- 4 files changed, 87 insertions(+), 46 deletions(-) create mode 100644 g10/dirmngr-conf.skel diff --git a/g10/Makefile.am b/g10/Makefile.am index 2fd52b3f7..cd121833a 100644 --- a/g10/Makefile.am +++ b/g10/Makefile.am @@ -18,7 +18,8 @@ ## Process this file with automake to produce Makefile.in -EXTRA_DIST = options.skel distsigkey.gpg ChangeLog-2011 gpg-w32info.rc \ +EXTRA_DIST = options.skel dirmngr-conf.skel distsigkey.gpg \ + ChangeLog-2011 gpg-w32info.rc \ gpg.w32-manifest.in test.c t-keydb-keyring.kbx AM_CPPFLAGS = -I$(top_srcdir)/common @@ -164,11 +165,14 @@ install-data-local: $(mkinstalldirs) $(DESTDIR)$(pkgdatadir) $(INSTALL_DATA) $(srcdir)/options.skel \ $(DESTDIR)$(pkgdatadir)/gpg-conf.skel + $(INSTALL_DATA) $(srcdir)/dirmngr-conf.skel \ + $(DESTDIR)$(pkgdatadir)/dirmngr-conf.skel $(INSTALL_DATA) $(srcdir)/distsigkey.gpg \ $(DESTDIR)$(pkgdatadir)/distsigkey.gpg uninstall-local: -@rm $(DESTDIR)$(pkgdatadir)/gpg-conf.skel + -@rm $(DESTDIR)$(pkgdatadir)/dirmngr-conf.skel -@rm $(DESTDIR)$(pkgdatadir)/distsigkey.gpg 
diff --git a/g10/dirmngr-conf.skel b/g10/dirmngr-conf.skel
new file mode 100644
index 000000000..0888fb7f4
--- /dev/null
+++ b/g10/dirmngr-conf.skel
@@ -0,0 +1,61 @@
+# dirmngr-conf.skel - Skeleton to create dirmngr.conf.
+# (Note that the first three lines are not copied.)
+#
+# dirmngr.conf - Options for Dirmngr
+# Written in 2015 by The GnuPG Project
+#
+# To the extent possible under law, the authors have dedicated all
+# copyright and related and neighboring rights to this file to the
+# public domain worldwide. This file is distributed without any
+# warranty. You should have received a copy of the CC0 Public Domain
+# Dedication along with this file. If not, see
+# .
+#
+#
+# Unless you specify which option file to use (with the command line
+# option "--options filename"), the file ~/.gnupg/dirmngr.conf is used
+# by dirmngr. The file can contain any long options which are valid
+# for Dirmngr. If the first non white space character of a line is a
+# '#', the line is ignored. Empty lines are also ignored. See the
+# dirmngr man page or the manual for a list of options.
+#
+
+# --keyserver URI
+#
+# GPG can send and receive keys to and from a keyserver. These
+# servers can be HKP, Email, or LDAP (if GnuPG is built with LDAP
+# support).
+#
+# Example HKP keyservers:
+# hkp://keys.gnupg.net
+#
+# Example HKPS keyservers (see --hkp-cacert below):
+# hkps://hkps.pool.sks-keyservers.net
+#
+# Example LDAP keyservers:
+# ldap://pgp.surfnet.nl:11370
+#
+# Regular URL syntax applies, and you can set an alternate port
+# through the usual method:
+# hkp://keyserver.example.net:22742
+#
+# Most users just set the name and type of their preferred keyserver.
+# Note that most servers (with the notable exception of
+# ldap://keyserver.pgp.com) synchronize changes with each other. Note
+# also that a single server name may actually point to multiple
+# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
+# such a "server", which spreads the load over a number of physical
+# servers.
+
+keyserver hkp://keys.gnupg.net
+
+# --hkp-cacert FILENAME
+#
+# For the "hkps" scheme (keyserver access over TLS), Dirmngr needs to
+# know the root certificates for verification of the TLS certificates
+# used for the connection. Enter the full name of a file with the
+# root certificates here. If that file is in PEM format a ".pem"
+# suffix is expected. This option may be given multiple times to add
+# more root certificates.
+
+#hkp-cacert /path/to/CA/sks-keyservers.netCA.pem
diff --git a/g10/openfile.c b/g10/openfile.c
index 76961e5f6..859090e8f 100644
--- a/g10/openfile.c
+++ b/g10/openfile.c
@@ -375,10 +375,11 @@ open_sigfile (const char *sigfilename, progress_filter_context_t *pfx) /**************** - * Copy the option file skeleton to the given directory. + * Copy the option file skeleton for NAME to the given directory. + * Returns true if the new option file has any option. */ -static void -copy_options_file (const char *destdir) +static int +copy_options_file (const char *destdir, const char *name) { const char *datadir = gnupg_datadir (); char *fname;
@@ -390,10 +391,9 @@ copy_options_file (const char *destdir) int any_option = 0; if (opt.dry_run) - return; + return 0; - fname = xmalloc (strlen(datadir) + strlen(destdir) + 15); - strcpy (stpcpy(fname, datadir), DIRSEP_S "gpg-conf" SKELEXT); + fname = xstrconcat (datadir, DIRSEP_S, name, "-conf", SKELEXT, NULL); src = fopen (fname, "r"); if (src && is_secured_file (fileno (src))) {
@@ -405,9 +405,10 @@ copy_options_file (const char *destdir) { log_info (_("can't open '%s': %s\n"), fname, strerror(errno)); xfree(fname); - return; + return 0; } - strcpy (stpcpy (fname, destdir), DIRSEP_S GPGEXT_GPG EXTSEP_S "conf"); + xfree (fname); + fname = xstrconcat (destdir, DIRSEP_S, name, EXTSEP_S, "conf", NULL); oldmask = umask (077); if (is_secured_filename (fname))
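Review bot: The installed default `keyserver hkp://keys.gnupg.net` is a plain-HKP entry, and the surrounding comments present the hkps scheme and --hkp-cacert only as an alternative without saying what the default gives up. Since this line is what every freshly created ~/.gnupg/dirmngr.conf will carry, a one-line comment directly above it would make the trade-off visible: `# Plain hkp:// access is neither authenticated nor encrypted; use an hkps:// URI together with hkp-cacert for a TLS-protected connection.` The example `hkps://hkps.pool.sks-keyservers.net` given a few lines earlier is the natural thing to point the reader to.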
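Review bot: The new header comment `Returns true if the new option file has any option.` understates the contract: the function also returns 0 when opt.dry_run is set and on every failure path (the `can't open` and `can't create` branches), so a 0 result does not mean a file was created without options. Suggest ` * Returns true if a new option file was created and contains at least` followed by ` * one option; 0 on dry-run or when the skeleton could not be copied.` The new NAME argument also deserves a line, since the skeleton is looked up as NAME-conf.skel under the data directory and must agree with the file names g10/Makefile.am installs (gpg-conf.skel, dirmngr-conf.skel). The return paths in question are in the following hunks at -390, -405 and -424, and copy_options_file's body continues past this hunk.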
@@ -424,7 +425,7 @@ copy_options_file (const char *destdir) log_info (_("can't create '%s': %s\n"), fname, strerror(errno) ); fclose (src); xfree (fname); - return; + return 0; } while ((c = getc (src)) != EOF) @@ -455,11 +456,8 @@ copy_options_file (const char *destdir) fclose (src); log_info (_("new configuration file '%s' created\n"), fname); - if (any_option) - log_info (_("WARNING: options in '%s'" - " are not yet active during this run\n"), - fname); xfree (fname); + return any_option; } @@ -492,7 +490,15 @@ try_make_homedir (const char *fname) fname, strerror(errno) ); else if (!opt.quiet ) log_info ( _("directory '%s' created\n"), fname ); - copy_options_file( fname ); + + /* Note that we also copy a dirmngr.conf file here. This is + because gpg is likely the first invoked tool and thus creates + the directory. */ + copy_options_file (fname, DIRMNGR_NAME); + if (copy_options_file (fname, GPG_NAME)) + log_info (_("WARNING: options in '%s'" + " are not yet active during this run\n"), + fname); } } diff --git a/g10/options.skel b/g10/options.skel index 20b571118..e8f188231 100644 --- a/g10/options.skel +++ b/g10/options.skel 
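Review bot: The result of `copy_options_file (fname, DIRMNGR_NAME);` is discarded while the gpg call's result drives the warning, and the new comment explains only why dirmngr.conf is copied here, not why its return value is ignored. Presumably the "not yet active" warning is meaningless for dirmngr.conf because that file is read by dirmngr rather than by this process; if so, a short comment on that line would keep a later reader from "fixing" the asymmetry: `/* No "not yet active" warning for dirmngr.conf: it is read by dirmngr, not by this process.  */`. try_make_homedir begins outside the hunk.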
@@ -95,39 +95,9 @@ require-cross-certification #lock-once -# GnuPG can send and receive keys to and from a keyserver. These -# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP -# support). -# -# Example HKP keyservers: -# hkp://keys.gnupg.net -# -# Example LDAP keyservers: -# ldap://pgp.surfnet.nl:11370 -# -# Regular URL syntax applies, and you can set an alternate port -# through the usual method: -# hkp://keyserver.example.net:22742 -# -# If you have problems connecting to a HKP server through a buggy http -# proxy, you can use keyserver option broken-http-proxy (see below), -# but first you should make sure that you have read the man page -# regarding proxies (keyserver option honor-http-proxy) -# -# Most users just set the name and type of their preferred keyserver. -# Note that most servers (with the notable exception of -# ldap://keyserver.pgp.com) synchronize changes with each other. Note -# also that a single server name may actually point to multiple -# servers via DNS round-robin. hkp://keys.gnupg.net is an example of -# such a "server", which spreads the load over a number of physical -# servers. To see the IP address of the server actually used, you may use -# the "--keyserver-options debug". - -keyserver hkp://keys.gnupg.net -#keyserver http://http-keys.gnupg.net -#keyserver mailto:pgp-public-keys@keys.nl.pgp.net # Common options for keyserver functions: +# (Note that the --keyserver option has been moved to dirmngr.conf) # # include-disabled = when searching, include keys marked as "disabled" # on the keyserver (not all keyservers support this).