mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00

Document no-allow-mark-trusted option

doc: Document no-allow-mark-trusted for gpg-agent

    * doc/gpg-agent.texi: Change allow-mark-trusted doc to
    no-allow-mark-trusted.

    --
    Since rev. 78a56b14 allow-mark-trusted is the default option
    and was replaced by no-allow-mark-trusted to disable the
    interactive prompt.

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
Andre Heinecke 2014-12-05 11:16:14 +01:00 committed by Werner Koch
parent 8720125f5a
commit f4ed04fca8


@ -350,12 +350,12 @@ descriptor has been set on a Windows platform, the Registry entry
the logging output. the logging output.
@anchor{option --allow-mark-trusted} @anchor{option --no-allow-mark-trusted}
@item --allow-mark-trusted @item --no-allow-mark-trusted
@opindex allow-mark-trusted @opindex no-allow-mark-trusted
Allow clients to mark keys as trusted, i.e. put them into the Do not allow clients to mark keys as trusted, i.e. put them into the
@file{trustlist.txt} file. This is by default not allowed to make it @file{trustlist.txt} file. This makes it harder for users to inadvertently
harder for users to inadvertently accept Root-CA keys. accept Root-CA keys.
@anchor{option --allow-preset-passphrase} @anchor{option --allow-preset-passphrase}
@item --allow-preset-passphrase @item --allow-preset-passphrase
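Review bot: The new description of --no-allow-mark-trusted never states what the default is. The removed text carried that information ("This is by default not allowed"), and the commit message says marking is now allowed by default, so a reader of the new @item cannot tell whether the option is needed. Suggest adding a sentence such as "By default clients are allowed to mark keys as trusted." Because the @anchor is renamed as well, any other reference in the manual to "option --allow-mark-trusted" needs the same update.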
@ -650,11 +650,10 @@ administrator might have already entered those keys which are deemed
trustworthy enough into this file. Places where to look for the trustworthy enough into this file. Places where to look for the
fingerprint of a root certificate are letters received from the CA or fingerprint of a root certificate are letters received from the CA or
the website of the CA (after making 100% sure that this is indeed the the website of the CA (after making 100% sure that this is indeed the
website of that CA). You may want to consider allowing interactive website of that CA). You may want to consider disallowing interactive
updates of this file by using the @xref{option --allow-mark-trusted}. updates of this file by using the @xref{option --no-allow-mark-trusted}.
This is however not as secure as maintaining this file manually. It is It might even be advisable to change the permissions to read-only so
even advisable to change the permissions to read-only so that this file that this file can't be changed inadvertently.
can't be changed inadvertently.
As a special feature a line @code{include-default} will include a global As a special feature a line @code{include-default} will include a global
list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}). list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}).
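Review bot: The rewritten paragraph drops "This is however not as secure as maintaining this file manually" without a replacement, so the text no longer says that interactive updates of trustlist.txt, which the commit message describes as the new default, are the weaker choice. Suggest keeping that comparison, for example by saying that disallowing interactive updates and maintaining the file manually is more secure. Changing "It is even advisable" to "It might even be advisable" also softens the read-only advice; the original wording seems worth keeping. Separately, @xref in mid-sentence ("by using the @xref{...}") produces a stray "See"; @ref fits this position.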
@ -751,7 +750,7 @@ again. Only certain options are honored: @code{quiet},
@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level}, @code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level},
@code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl}, @code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl},
@code{max-cache-ttl}, @code{ignore-cache-for-signing}, @code{max-cache-ttl}, @code{ignore-cache-for-signing},
@code{allow-mark-trusted}, @code{disable-scdaemon}, and @code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
@code{disable-check-own-socket}. @code{scdaemon-program} is also @code{disable-check-own-socket}. @code{scdaemon-program} is also
supported but due to the current implementation, which calls the supported but due to the current implementation, which calls the
scdaemon only once, it is not of much use unless you manually kill the scdaemon only once, it is not of much use unless you manually kill the
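Review bot: In the list of honored options, @code{allow-mark-trusted} is replaced outright by @code{no-allow-mark-trusted}, which leaves nothing said about configuration files that still contain the old option. Suggest stating, here or at the option's @item, whether allow-mark-trusted is still accepted, so users with existing gpg-agent configurations know what to expect.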