mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-21 14:47:03 +01:00
* Broken links resulting from revised web site filesystem structure
  corrected:
  Intro - available *here* link corrected. Was <http://www.gnupg.org/faq.html>, corrected to be: <http://www.gnupg.org/documentation/faqs.html>
  1.1 - RFC 2440 link corrected. Was <http://www.gnupg.org/rfc2440.html>, now linked to: <http://www.rfc-editor.org/>
  2.1 - <http://www.gnupg.org/docs.html> corrected to be: <http://www.gnupg.org/documentation/>
        <http://lists.gnupg.org> corrected to be: <http://www.gnupg.org/documentation/mailing-lists.html>
  2.2 - <http://www.gnupg.org/mirrors.html> corrected to be: <http://www.gnupg.org/download/mirrors.html>
  3.1 - <http://gnupg.org/backend.html#supsys> corrected to be: <http://gnupg.org/download/supported_systems.html>
  3.2 - <http://www.gnupg.org/download.html> corrected to be: <http://www.gnupg.org/download/>
* Corrected typo in question 4.12 - Changed "How can a get list of key IDs..." to "How can I get list of key IDs..."
* Modified URL listed in question 6.19 to become an actual hyperlink.
* Removed line continuation character ("\") at the end of command-strings that were split into two lines (to lessen confusion for those using Windows or OSes that don't support line continuation).
* Removed paragraph on line continuation, replacing it with a paragraph to remind the reader that although some command lines may be split into two lines to allow for proper web page display of the FAQ file in some browsers, the entire command-string is to be entered all on one line.
* Corrected command-line entries that lacked a "$" character at the beginning of the command-string to signify a shell prompt in order to apply consistency throughout the FAQ.
* Replaced <pre> tags with <samp> for code entries to improve display for those browsers with limited window widths (does not apply to tables).
* Trimmed whitespace in tables to narrow width to improve display for those browsers with limited window widths.
This commit is contained in:
parent
78d250a82c
commit
f6e2cb4032
460
doc/faq.raw
@ -12,18 +12,18 @@ The most recent version of the FAQ is available from
|
||||
[$hVERSION=1.2.1]
|
||||
|
||||
[H body bgcolor=#ffffff text=#000000 link=#1f00ff alink=#ff0000 vlink=#9900dd]
|
||||
[H H1]GnuPG Frequently Asked Questions[H /H1]
|
||||
[H h1]GnuPG Frequently Asked Questions[H /h1]
|
||||
|
||||
|
||||
[H p]
|
||||
Version: 1.6.0[H br]
|
||||
Last-Modified: Dec 1, 2002[H br]
|
||||
Version: 1.6.1[H br]
|
||||
Last-Modified: Dec 28, 2002[H br]
|
||||
Maintained-by: [$maintainer]
|
||||
[H /p]
|
||||
|
||||
|
||||
This is the GnuPG FAQ. The latest HTML version is available
|
||||
[H a href=[$hGPGHTTP]/faq.html]here[H/a].
|
||||
[H a href=[$hGPGHTTP]/documentation/faqs.html]here[H/a].
|
||||
|
||||
The index is generated automatically, so there may be errors. Not all
|
||||
questions may be in the section they belong to. Suggestions about how
|
||||
@ -37,9 +37,9 @@ Please, don't send message like "This should be a FAQ - what's the
|
||||
answer?". If it hasn't been asked before, it isn't a FAQ. In that case
|
||||
you could search in the mailing list archive.
|
||||
|
||||
[H HR]
|
||||
[H hr]
|
||||
<C>
|
||||
[H HR]
|
||||
[H hr]
|
||||
|
||||
|
||||
<S> GENERAL
|
||||
@ -50,7 +50,7 @@ you could search in the mailing list archive.
|
||||
is GNU's tool for secure communication and data storage. It can be
|
||||
used to encrypt data and to create digital signatures. It includes
|
||||
an advanced key management facility and is compliant with the
|
||||
proposed OpenPGP Internet standard as described in [H a href=http://www.gnupg.org/rfc2440.html]RFC 2440[H/a].
|
||||
proposed OpenPGP Internet standard as described in [H a href=http://www.rfc-editor.org/]RFC 2440[H/a].
|
||||
As such, it is aimed to be compatible with PGP from NAI, Inc.
|
||||
|
||||
<Q> Is GnuPG compatible with PGP?
|
||||
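Review bot: the replacement href on the "RFC 2440" anchor, `http://www.rfc-editor.org/`, is the RFC Editor front page rather than the document the link text names, so a reader following it still has to search for the specification. Point the href at the RFC 2440 document itself on that site, or change the link text so it no longer promises the RFC.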
@ -78,14 +78,11 @@ you could search in the mailing list archive.
|
||||
converted to a back slash (`\'), and a tilde (`~') represents a
|
||||
user's "home" directory (reference question <Rhomedir> for an example).
|
||||
|
||||
Also, the indicator used to inform the shell that a continuation
|
||||
of the command will follow on the next line (the `\' character
|
||||
seen at the end of some command strings in this FAQ, and represents
|
||||
a "\<newline>" pair) should be noted. If your shell or command
|
||||
interpreter does not support this convention, the command should be
|
||||
typed in its entirety as a single entry after removing the trailing
|
||||
backslash and continuing with the second line before pressing Enter
|
||||
or the return key.
|
||||
Some command-lines presented in this FAQ are too long to properly
|
||||
display in some browsers for the web page version of this file, and
|
||||
have been split into two or more lines. For these commands please
|
||||
remember to enter the entire command-string on one line or the
|
||||
command will error, or at minimum not give the desired results.
|
||||
|
||||
Please keep in mind that this FAQ contains information that may not
|
||||
apply to your particular version, as new features and bug fixes are
|
||||
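Review bot: the new paragraph ("Some command-lines presented in this FAQ are too long ...") tells the reader to join split commands but, with the `\` marker gone, no longer says how a split command can be recognised. Add one sentence describing how a continuation is shown (for example, that a continuation line does not start with the `$` prompt), otherwise a second line can be mistaken for a separate command or for output.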
@ -104,45 +101,45 @@ you could search in the mailing list archive.
|
||||
|
||||
On-line resources:
|
||||
|
||||
[H UL]
|
||||
[H LI]The documentation page is located at [H a href=[$hGPGHTTP]/docs.html]<[$hGPGHTTP]/docs.html>[H/a].
|
||||
[H ul]
|
||||
[H li]The documentation page is located at [H a href=[$hGPGHTTP]/documentation/]<[$hGPGHTTP]/documentation/>[H/a].
|
||||
Also, have a look at the HOWTOs and the GNU Privacy Handbook (GPH,
|
||||
available in English, Spanish and Russian). The latter provides a
|
||||
detailed user's guide to GnuPG. You'll also find a document about
|
||||
how to convert from PGP 2.x to GnuPG.
|
||||
detailed user's guide to GnuPG. You'll also find a document about how
|
||||
to convert from PGP 2.x to GnuPG.
|
||||
|
||||
[H LI]At [H a href=http://lists.gnupg.org]<http://lists.gnupg.org>[H/a] you'll find an online archive of the
|
||||
GnuPG mailing lists. Most interesting should be gnupg-users for all
|
||||
user-related issues and gnupg-devel if you want to get in touch with
|
||||
the developers.
|
||||
[H li]At [H a href=[$hGPGHTTP]/documentation/mailing-lists.html]<[$hGPGHTTP]/documentation/mailing-lists.html>[H/a] you'll find
|
||||
an online archive of the GnuPG mailing lists. Most interesting should
|
||||
be gnupg-users for all user-related issues and gnupg-devel if you want
|
||||
to get in touch with the developers.
|
||||
|
||||
In addition, searchable archives can be found on MARC, e.g.: [H br]
|
||||
gnupg-users: [H a href=http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2>[H/a][H br]
|
||||
gnupg-devel: [H a href=http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2]<http://marc.theaimsgroup.com/?l=gnupg-devel&r=1&w=2>[H/a][H br]
|
||||
|
||||
[H B]PLEASE:[H/B]
|
||||
Before posting to a list, read this FAQ and the available
|
||||
documentation. In addition, search the list archive - maybe your
|
||||
question has already been discussed. This way you help people focus
|
||||
on topics that have not yet been resolved.
|
||||
[H b]PLEASE:[H /b]
|
||||
Before posting to a list, read this FAQ and the available documentation.
|
||||
In addition, search the list archive - maybe your question has already
|
||||
been discussed. This way you help people focus on topics that have not
|
||||
yet been resolved.
|
||||
|
||||
[H LI]The GnuPG source distribution contains a subdirectory:
|
||||
[H li]The GnuPG source distribution contains a subdirectory:
|
||||
|
||||
[H PRE]
|
||||
[H samp]
|
||||
./doc
|
||||
[H /PRE]
|
||||
[H /samp]
|
||||
|
||||
where some additional documentation is located (mainly interesting
|
||||
for hackers, not the casual user).
|
||||
[H /UL]
|
||||
[H /ul]
|
||||
|
||||
<Q> Where do I get GnuPG?
|
||||
|
||||
You can download the GNU Privacy Guard from its primary FTP server
|
||||
[H a href=[$hGPGFTP]/gcrypt/]<[$hGPGFTP]/gcrypt/>[H /a] or from one of the mirrors:
|
||||
|
||||
[H a href=[$hGPGHTTP]/mirrors.html]
|
||||
<[$hGPGHTTP]/mirrors.html>
|
||||
[H a href=[$hGPGHTTP]/download/mirrors.html]
|
||||
<[$hGPGHTTP]/download/mirrors.html>
|
||||
[H /a]
|
||||
|
||||
The current stable version is [$hVERSION]. Please upgrade to this version as
|
||||
@ -158,8 +155,8 @@ you could search in the mailing list archive.
|
||||
Windows NT/2000) and Macintosh OS/X. A list of OSes reported to be OK
|
||||
is presented at:
|
||||
|
||||
[H a href=[$hGPGHTTP]/backend.html#supsys]
|
||||
<[$hGPGHTTP]/backend.html#supsys>
|
||||
[H a href=[$hGPGHTTP]/download/supported_systems.html]
|
||||
<[$hGPGHTTP]/download/supported_systems.html>
|
||||
[H /a]
|
||||
|
||||
<Q> Which random data gatherer should I use?
|
||||
@ -171,9 +168,9 @@ you could search in the mailing list archive.
|
||||
systems. Also Solaris users with the SUNWski package installed have
|
||||
a /dev/random. In these cases, use the configure option:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
--enable-static-rnd=linux
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
In addition, there's also the kernel random device by Andi Maier
|
||||
[H a href= http://www.cosy.sbg.ac.at/~andi/]<http://www.cosy.sbg.ac.at/~andi/>[H /a], but it's still beta. Use at your
|
||||
@ -181,12 +178,12 @@ you could search in the mailing list archive.
|
||||
|
||||
On other systems, the Entropy Gathering Daemon (EGD) is a good choice.
|
||||
It is a perl-daemon that monitors system activity and hashes it into
|
||||
random data. See the download page [H a href=[$hGPGHTTP]/download.html]<[$hGPGHTTP]/download.html>[H /a]
|
||||
random data. See the download page [H a href=[$hGPGHTTP]/download/]<[$hGPGHTTP]/download/>[H /a]
|
||||
to obtain EGD. Use:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
--enable-static-rnd=egd
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
here.
|
||||
|
||||
@ -208,22 +205,22 @@ you could search in the mailing list archive.
|
||||
[H a href=ftp://ftp.gnupg.dk/pub/contrib-dk/]<ftp://ftp.gnupg.dk/pub/contrib-dk/>[H /a]. Look for:
|
||||
|
||||
[H pre]
|
||||
idea.c.gz (c module)
|
||||
idea.c.gz.sig (signature file)
|
||||
idea.c.gz (c module)
|
||||
idea.c.gz.sig (signature file)
|
||||
[H /pre]
|
||||
|
||||
[H pre]
|
||||
ideadll.zip (c module and win32 dll)
|
||||
ideadll.zip.sig (signature file)
|
||||
ideadll.zip (c module and win32 dll)
|
||||
ideadll.zip.sig (signature file)
|
||||
[H /pre]
|
||||
|
||||
Compilation directives are in the headers of these files. You will
|
||||
then need to add the following line to your ~/.gnupg/gpg.conf or
|
||||
~/.gnupg/options file:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
load-extension idea
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
|
||||
<S> USAGE
|
||||
@ -236,9 +233,9 @@ you could search in the mailing list archive.
|
||||
have greater sizes, but you should then check the fingerprint of
|
||||
this key:
|
||||
|
||||
[H pre]
|
||||
gpg --fingerprint <user ID>
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --fingerprint <user ID>
|
||||
[H /samp]
|
||||
|
||||
As for the key algorithms, you should stick with the default (i.e.,
|
||||
DSA signature and ElGamal encryption). An ElGamal signing key has
|
||||
@ -285,15 +282,15 @@ you could search in the mailing list archive.
|
||||
|
||||
If you do a 'gpg --help', you will get two separate lists. The first
|
||||
is a list of commands. The second is a list of options. Whenever you
|
||||
run GPG, you [H B]must[H /B] pick exactly one command (with one exception,
|
||||
see below). You [H B]may[H /B] pick one or more options. The command should,
|
||||
run GPG, you [H b]must[H /b] pick exactly one command (with one exception,
|
||||
see below). You [H b]may[H /b] pick one or more options. The command should,
|
||||
just by convention, come at the end of the argument list, after all
|
||||
the options. If the command takes a file (all the basic ones do),
|
||||
the filename comes at the very end. So the basic way to run gpg is:
|
||||
|
||||
[H pre]
|
||||
gpg [--option something] [--option2] [--option3 something] --command file
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg [--option something] [--option2] [--option3 something] --command file
|
||||
[H /samp]
|
||||
|
||||
Some options take arguments. For example, the --output option (which
|
||||
can be abbreviated as -o) is an option that takes a filename. The
|
||||
@ -306,37 +303,37 @@ you could search in the mailing list archive.
|
||||
followed by the file you wish to encrypt. Therefore in this example
|
||||
the command-line issued would be:
|
||||
|
||||
[H pre]
|
||||
gpg -r alice -o secret.txt -e test.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg -r alice -o secret.txt -e test.txt
|
||||
[H /samp]
|
||||
|
||||
If you write the options out in full, it is easier to read:
|
||||
|
||||
[H pre]
|
||||
gpg --recipient alice --output secret.txt --encrypt test.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --recipient alice --output secret.txt --encrypt test.txt
|
||||
[H /samp]
|
||||
|
||||
If you're encrypting to a file with the extension ".txt", then you'd
|
||||
probably expect to see ASCII-armored text in the file (not binary),
|
||||
so you need to add the --armor (-a) option, which doesn't take any
|
||||
arguments:
|
||||
|
||||
[H pre]
|
||||
gpg --armor --recipient alice --output secret.txt --encrypt test.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --armor --recipient alice --output secret.txt --encrypt test.txt
|
||||
[H /samp]
|
||||
|
||||
If you imagine square brackets around the optional parts, it becomes
|
||||
a bit clearer:
|
||||
|
||||
[H pre]
|
||||
gpg [--armor] [--recipient alice] [--output secret.txt] --encrypt test.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg [--armor] [--recipient alice] [--output secret.txt] --encrypt test.txt
|
||||
[H /samp]
|
||||
|
||||
The optional parts can be rearranged any way you want:
|
||||
|
||||
[H pre]
|
||||
gpg --output secret.txt --recipient alice --armor --encrypt test.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --output secret.txt --recipient alice --armor --encrypt test.txt
|
||||
[H /samp]
|
||||
|
||||
If your filename begins with a hyphen (e.g. "-a.txt"), GnuPG assumes
|
||||
this is an option and may complain. To avoid this you have to either
|
||||
@ -346,9 +343,9 @@ you could search in the mailing list archive.
|
||||
[H B]The exception to using only one command:[H /B] signing and encrypting
|
||||
at the same time. For this you can combine both commands, such as in:
|
||||
|
||||
[H pre]
|
||||
gpg [--options] --sign --encrypt foo.txt
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg [--options] --sign --encrypt foo.txt
|
||||
[H /samp]
|
||||
|
||||
<Q> I can't delete a user ID on my secret keyring because it has
|
||||
already been deleted on my public keyring. What can I do?
|
||||
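Review bot: the context line `[H B]The exception to using only one command:[H /B]` at the top of this hunk keeps the upper-case tag while the rest of the patch lower-cases `[H B]`/`[H /B]` to `[H b]`/`[H /b]`. Lower-case it here as well so the tag style is uniform across the file.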
@ -423,12 +420,12 @@ you could search in the mailing list archive.
|
||||
the one displayed - if not, restrict yourself to plain 7 bit ASCII
|
||||
and no mapping has to be done.
|
||||
|
||||
<Q> How can a get list of key IDs used to encrypt a message?
|
||||
<Q> How can I get list of key IDs used to encrypt a message?
|
||||
|
||||
[H pre]
|
||||
gpg --batch --decrypt --list-only --status-fd 1 2>/dev/null | \
|
||||
[H samp]
|
||||
$ gpg --batch --decrypt --list-only --status-fd 1 2>/dev/null |
|
||||
awk '/^\[GNUPG:\] ENC_TO / { print $3 }'
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
<Q> I can't decrypt my symmetrical-only (-c) encrypted messages with
|
||||
a new version of GnuPG.
|
||||
@ -450,31 +447,31 @@ you could search in the mailing list archive.
|
||||
automated environment is:
|
||||
|
||||
On a secure machine:
|
||||
[H OL]
|
||||
[H LI] If you want to do automatic signing, create a signing subkey
|
||||
[H ol]
|
||||
[H li] If you want to do automatic signing, create a signing subkey
|
||||
for your key (use the interactive key editing menu by issueing
|
||||
the command 'gpg --edit-key keyID', enter "addkey" and select
|
||||
the DSA key type).
|
||||
[H LI] Make sure that you use a passphrase (needed by the current
|
||||
[H li] Make sure that you use a passphrase (needed by the current
|
||||
implementation).
|
||||
[H LI] gpg --export-secret-subkeys --no-comment foo >secring.auto
|
||||
[H LI] Copy secring.auto and the public keyring to a test directory.
|
||||
[H LI] Change to this directory.
|
||||
[H LI] gpg --homedir . --edit foo and use "passwd" to remove the
|
||||
[H li] gpg --export-secret-subkeys --no-comment foo >secring.auto
|
||||
[H li] Copy secring.auto and the public keyring to a test directory.
|
||||
[H li] Change to this directory.
|
||||
[H li] gpg --homedir . --edit foo and use "passwd" to remove the
|
||||
passphrase from the subkeys. You may also want to remove all
|
||||
unused subkeys.
|
||||
[H LI] Copy secring.auto to a floppy and carry it to the target box.
|
||||
[H /OL]
|
||||
[H li] Copy secring.auto to a floppy and carry it to the target box.
|
||||
[H /ol]
|
||||
|
||||
On the target machine:
|
||||
[H OL]
|
||||
[H LI] Install secring.auto as the secret keyring.
|
||||
[H LI] Now you can start your new service. It's also a good idea to
|
||||
[H ol]
|
||||
[H li] Install secring.auto as the secret keyring.
|
||||
[H li] Now you can start your new service. It's also a good idea to
|
||||
install an intrusion detection system so that you hopefully
|
||||
get a notice of an successful intrusion, so that you in turn
|
||||
can revoke all the subkeys installed on that machine and
|
||||
install new subkeys.
|
||||
[H /OL]
|
||||
[H /ol]
|
||||
|
||||
<Q> Which email-client can I use with GnuPG?
|
||||
|
||||
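Review bot: the list items `gpg --export-secret-subkeys --no-comment foo >secring.auto` and `gpg --homedir . --edit foo` are only touched for tag case here, so they remain the one place in this part of the FAQ where commands appear without the `$` prompt and `[H samp]` wrapping that the commit message says is being applied for consistency. Mark them up like the other commands. The context lines also still carry "issueing" and "an successful intrusion", which could be fixed in the same pass.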
@ -491,30 +488,30 @@ you could search in the mailing list archive.
|
||||
The following list is not exhaustive:
|
||||
|
||||
[H pre]
|
||||
MUA OpenPGP ASCII How? (N,P,T)
|
||||
---------------------------------------------------------------
|
||||
Calypso N Y P (Unixmail)
|
||||
Elm N Y T (mailpgp,morepgp)
|
||||
Elm ME+ N Y N
|
||||
Emacs/Gnus Y Y T (Mailcrypt,gpg.el)
|
||||
Emacs/Mew Y Y N
|
||||
Emacs/VM N Y T (Mailcrypt)
|
||||
Evolution Y Y N
|
||||
Exmh Y Y N
|
||||
GNUMail.app Y Y P (PGPBundle)
|
||||
GPGMail Y Y N
|
||||
KMail (<=1.4.x) N Y N
|
||||
KMail (1.5.x) Y(P) Y(N) P/N
|
||||
Mozilla Y Y P (Enigmail)
|
||||
Mulberry Y Y P
|
||||
Mutt Y Y N
|
||||
Sylpheed Y Y N
|
||||
Sylpheed-claws Y Y N
|
||||
TkRat Y Y N
|
||||
XEmacs/Gnus Y Y T (Mailcrypt)
|
||||
XEmacs/Mew Y Y N
|
||||
XEmacs/VM N Y T (Mailcrypt)
|
||||
XFmail Y Y N
|
||||
MUA OpenPGP ASCII How? (N,P,T)
|
||||
-------------------------------------------------------------
|
||||
Calypso N Y P (Unixmail)
|
||||
Elm N Y T (mailpgp,morepgp)
|
||||
Elm ME+ N Y N
|
||||
Emacs/Gnus Y Y T (Mailcrypt,gpg.el)
|
||||
Emacs/Mew Y Y N
|
||||
Emacs/VM N Y T (Mailcrypt)
|
||||
Evolution Y Y N
|
||||
Exmh Y Y N
|
||||
GNUMail.app Y Y P (PGPBundle)
|
||||
GPGMail Y Y N
|
||||
KMail (<=1.4.x) N Y N
|
||||
KMail (1.5.x) Y(P) Y(N) P/N
|
||||
Mozilla Y Y P (Enigmail)
|
||||
Mulberry Y Y P
|
||||
Mutt Y Y N
|
||||
Sylpheed Y Y N
|
||||
Sylpheed-claws Y Y N
|
||||
TkRat Y Y N
|
||||
XEmacs/Gnus Y Y T (Mailcrypt)
|
||||
XEmacs/Mew Y Y N
|
||||
XEmacs/VM N Y T (Mailcrypt)
|
||||
XFmail Y Y N
|
||||
|
||||
N - Native, P - Plug-in, T - External Tool
|
||||
[H /pre]
|
||||
@ -524,22 +521,22 @@ you could search in the mailing list archive.
|
||||
for interoperability reasons for your convenience.
|
||||
|
||||
[H pre]
|
||||
MUA OpenPGP ASCII How? (N,P,T)
|
||||
---------------------------------------------------------------
|
||||
Apple Mail Y Y P (GPGMail)
|
||||
Becky2 Y Y P (BkGnuPG)
|
||||
Eudora Y Y P (EuroraGPG)
|
||||
Eudora Pro Y Y P (EudoraGPG)
|
||||
Lotus Notes N Y P
|
||||
Netscape 4.x N Y P
|
||||
Netscape 7.x Y Y P (Enigmail)
|
||||
Novell Groupwise N Y P
|
||||
Outlook N Y P (G-Data)
|
||||
Outlook Express N Y P (GPGOE)
|
||||
Pegasus N Y P (QDPGP,PM-PGP)
|
||||
Pine N Y T (pgpenvelope,(gpg|pgp)4pine)
|
||||
Postme N Y P (GPGPPL)
|
||||
The Bat! N Y P (Ritlabs)
|
||||
MUA OpenPGP ASCII How? (N,P,T)
|
||||
-------------------------------------------------------------
|
||||
Apple Mail Y Y P (GPGMail)
|
||||
Becky2 Y Y P (BkGnuPG)
|
||||
Eudora Y Y P (EuroraGPG)
|
||||
Eudora Pro Y Y P (EudoraGPG)
|
||||
Lotus Notes N Y P
|
||||
Netscape 4.x N Y P
|
||||
Netscape 7.x Y Y P (Enigmail)
|
||||
Novell Groupwise N Y P
|
||||
Outlook N Y P (G-Data)
|
||||
Outlook Express N Y P (GPGOE)
|
||||
Pegasus N Y P (QDPGP,PM-PGP)
|
||||
Pine N Y T (pgpenvelope,(gpg|pgp)4pine)
|
||||
Postme N Y P (GPGPPL)
|
||||
The Bat! N Y P (Ritlabs)
|
||||
[H /pre]
|
||||
|
||||
Good overviews of OpenPGP-support can be found at:[H br]
|
||||
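Review bot: the Eudora row is re-emitted with the plug-in name still spelled `EuroraGPG`, while the Eudora Pro row directly below reads `EudoraGPG`. Since the row is being rewritten anyway for the whitespace trim, correct the spelling in the added line.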
@ -566,15 +563,15 @@ you could search in the mailing list archive.
|
||||
Most keyservers don't accept a 'bare' revocation certificate. You
|
||||
have to import the certificate into gpg first:
|
||||
|
||||
[H pre]
|
||||
gpg --import my-revocation.asc
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --import my-revocation.asc
|
||||
[H /samp]
|
||||
|
||||
then send the revoked key to the keyservers:
|
||||
|
||||
[H pre]
|
||||
gpg --keyserver certserver.pgp.com --send-keys mykeyid
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --keyserver certserver.pgp.com --send-keys mykeyid
|
||||
[H /samp]
|
||||
|
||||
(or use a keyserver web interface for this).
|
||||
|
||||
@ -586,11 +583,11 @@ you could search in the mailing list archive.
|
||||
and others. GnuPG will always create and use these files. On unices,
|
||||
the homedir is usually ~/.gnupg; on Windows "C:\gnupg\".
|
||||
|
||||
If you want to put your keyrings somewhere else, use:
|
||||
If you want to put your keyrings somewhere else, use the option:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
--homedir /my/path/
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
to make GnuPG create all its files in that directory. Your keyring
|
||||
will be "/my/path/pubring.gpg". This way you can store your secrets
|
||||
@ -612,9 +609,9 @@ you could search in the mailing list archive.
|
||||
Once their key has been imported, and the package and accompanying
|
||||
signature files have been downloaded, use:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ gpg --verify sigfile signed-file
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
If the signature file has the same base name as the package file,
|
||||
the package can also be verified by specifying just the signature
|
||||
@ -623,9 +620,9 @@ you could search in the mailing list archive.
|
||||
package named foobar.tar.gz against its detached binary signature
|
||||
file, use:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ gpg --verify foobar.tar.gz.sig
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
<Q> How do I export a keyring with only selected signatures?
|
||||
|
||||
@ -633,9 +630,9 @@ you could search in the mailing list archive.
|
||||
selected from a master keyring (for a club, user group, or company
|
||||
department for example), simply specify the keys you want to export:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ gpg --armor --export key1 key2 key3 key4 > keys1-4.asc
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
<Dgpgsplit>
|
||||
<Q> I still have my secret key, but lost my public key. What can I do?
|
||||
@ -648,9 +645,9 @@ you could search in the mailing list archive.
|
||||
(it's actually a new option for gpgsplit) and is available with GnuPG
|
||||
versions 1.2.1 or later (or can be found in CVS). It works like this:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ gpgsplit --no-split --secret-to-public secret.gpg >publickey.gpg
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
One should first try to export the secret key and convert just this
|
||||
one. Using the entire secret keyring should work too. After this has
|
||||
@ -675,34 +672,34 @@ you could search in the mailing list archive.
|
||||
|
||||
It depends on the PGP version.
|
||||
|
||||
[H UL]
|
||||
[H LI]PGP 2.x[H br]
|
||||
[H ul]
|
||||
[H li]PGP 2.x[H br]
|
||||
You can't do that because PGP 2.x normally uses IDEA which is not
|
||||
supported by GnuPG as it is patented (see <Ridea>), but if you have a
|
||||
modified version of PGP you can try this:
|
||||
|
||||
[H pre]
|
||||
gpg --rfc1991 --cipher-algo 3des ...
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --rfc1991 --cipher-algo 3des ...
|
||||
[H /samp]
|
||||
|
||||
Please don't pipe the data to encrypt to gpg but provide it using a
|
||||
filename; otherwise, PGP 2 will not be able to handle it.
|
||||
|
||||
As for conventional encryption, you can't do this for PGP 2.
|
||||
|
||||
[H LI]PGP 5.x and higher[H br]
|
||||
[H li]PGP 5.x and higher[H br]
|
||||
You need to provide two additional options:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
--compress-algo 1 --cipher-algo cast5
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
You may also use "3des" instead of "cast5", and "blowfish" does not
|
||||
work with all versions of PGP 5. You may also want to put:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
compress-algo 1
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
into your ~/.gnupg/options file - this does not affect normal GnuPG
|
||||
operation.
|
||||
@ -745,9 +742,9 @@ you could search in the mailing list archive.
|
||||
There is a script in the tools directory to help you. After you have
|
||||
imported the PGP keyring you can give this command:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ lspgpot pgpkeyring | gpg --import-ownertrust
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
where pgpkeyring is the original keyring and not the GnuPG keyring
|
||||
you might have created in the first step.
|
||||
@ -759,9 +756,9 @@ you could search in the mailing list archive.
|
||||
PGP is not really OpenPGP aware. A workaround is to export the
|
||||
secret keys with this command:
|
||||
|
||||
[H pre]
|
||||
$ gpg --export-secret-keys --no-comment -a your-key-id
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --export-secret-keys --no-comment -a your-KeyID
|
||||
[H /samp]
|
||||
|
||||
Another possibility is this: by default, GnuPG encrypts your secret
|
||||
key using the Blowfish symmetric algorithm. Older PGPs will only
|
||||
@ -769,10 +766,10 @@ you could search in the mailing list archive.
|
||||
following method you can re-encrypt your secret gpg key with a
|
||||
different algo:
|
||||
|
||||
[H pre]
|
||||
$ gpg --s2k-cipher-algo=CAST5 --s2k-digest-algo=SHA1 \
|
||||
--compress-algo=1 --edit-key <username>
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --s2k-cipher-algo=CAST5 --s2k-digest-algo=SHA1
|
||||
--compress-algo=1 --edit-key <username>
|
||||
[H /samp]
|
||||
|
||||
Then use passwd to change the password (just change it to the same
|
||||
thing, but it will encrypt the key with CAST5 this time).
|
||||
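Review bot: dropping the trailing `\` after `--s2k-digest-algo=SHA1` means the two lines inside `[H samp]` are no longer one command when pasted into a POSIX shell; the shell runs the first line on its own and then tries to execute `--compress-algo=1 --edit-key <username>` as a separate command. Either keep the whole command on one source line, or keep the `\` and explain the joined form for Windows users in the conventions paragraph, since readers on Unix are the ones most likely to paste this.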
@ -781,10 +778,10 @@ you could search in the mailing list archive.
|
||||
|
||||
For PGP 6.x the following options work to export a key:
|
||||
|
||||
[H pre]
|
||||
$ gpg --s2k-cipher-algo 3des --compress-algo 1 --rfc1991 \
|
||||
--export-secret-keys <key-ID>
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --s2k-cipher-algo 3des --compress-algo 1 --rfc1991
|
||||
--export-secret-keys <KeyID>
|
||||
[H /samp]
|
||||
|
||||
<Doptions>
|
||||
<Q> GnuPG no longer installs a ~/.gnupg/options file. Is it missing?
|
||||
@ -817,25 +814,25 @@ you could search in the mailing list archive.
|
||||
values, as this will override them in case you have something else set
|
||||
in your options file.
|
||||
|
||||
[H pre]
|
||||
$ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3 \
|
||||
--simple-sk-checksum --edit KeyID
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3
|
||||
--simple-sk-checksum --edit KeyID
|
||||
[H /samp]
|
||||
|
||||
Turn off some features. Set the list of preferred ciphers, hashes,
|
||||
and compression algorithms to things that PGP can handle. (Yes, I
|
||||
know this is an odd list of ciphers, but this is what PGP itself uses,
|
||||
minus IDEA).
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
> setpref S9 S8 S7 S3 S2 S10 H2 H3 Z1 Z0
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
Now put the list of preferences onto the key.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
> updpref
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
Finally we must decrypt and re-encrypt the key, making sure that we
|
||||
encrypt with a cipher that PGP likes. We set this up in the --edit
|
||||
@ -843,22 +840,22 @@ you could search in the mailing list archive.
|
||||
take effect. You can use the same passphrase if you like, or take
|
||||
this opportunity to actually change it.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
> passwd
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
Save our work.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
> save
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
Now we can do the usual export:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
$ gpg --export KeyID > mypublickey.pgp
|
||||
$ gpg --export-secret-key KeyID > mysecretkey.pgp
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
Thanks to David Shaw for this information!
|
||||
|
||||
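Review bot: the last block in this hunk puts two commands, `$ gpg --export KeyID > mypublickey.pgp` and `$ gpg --export-secret-key KeyID > mysecretkey.pgp`, inside a single `[H samp]`. Unlike `<pre>`, `<samp>` is an inline element and does not preserve line breaks, so the two commands can render run together on one line. Separate them with `[H br]`, which the file already uses elsewhere, or give each command its own `[H samp]` block.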
@ -876,15 +873,15 @@ you could search in the mailing list archive.
|
||||
|
||||
To setuid(root) permissions on the gpg binary you can either use:
|
||||
|
||||
[H pre]
|
||||
chmod u+s /path/to/gpg
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ chmod u+s /path/to/gpg
|
||||
[H /samp]
|
||||
|
||||
or
|
||||
|
||||
[H pre]
|
||||
chmod 4755 /path/to/gpg
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ chmod 4755 /path/to/gpg
|
||||
[H /samp]
|
||||
|
||||
Some refrain from using setuid(root) unless absolutely required for
|
||||
security reasons. Please check with your system administrator if you
|
||||
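Review bot: the `$` prompt added to `chmod u+s /path/to/gpg` and `chmod 4755 /path/to/gpg` reads as an ordinary user's shell, but making the gpg binary setuid(root) has to be done as root on a root-owned binary. Show these two commands with a `#` prompt, or state in the sentence above them that they are run as root, so the prompt convention introduced by this patch does not mislead.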
@ -893,25 +890,26 @@ you could search in the mailing list archive.
|
||||
On UnixWare 2.x and 7.x you should install GnuPG with the 'plock'
|
||||
privilege to get the same effect:
|
||||
|
||||
[H pre]
|
||||
filepriv -f plock /path/to/gpg
|
||||
[H /pre]
|
||||
[H samp]
|
||||
$ filepriv -f plock /path/to/gpg
|
||||
[H /samp]
|
||||
|
||||
If you can't or don't want to install GnuPG setuid(root), you can
|
||||
use the option "--no-secmem-warning" or put:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
no-secmem-warning
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
in your ~/.gnupg/options file (this disables the warning).
|
||||
in your ~/.gnupg/options or ~/.gnupg/gpg.conf file (this disables
|
||||
the warning).
|
||||
|
||||
On some systems (e.g., Windows) GnuPG does not lock memory pages
|
||||
and older GnuPG versions (<=1.0.4) issue the warning:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
gpg: Please note that you don't have secure memory
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
This warning can't be switched off by the above option because it
|
||||
was thought to be too serious an issue. However, it confused users
|
||||
@ -999,9 +997,9 @@ you could search in the mailing list archive.
|
||||
GnuPG installation in a recent state anyway. As a workaround, you can
|
||||
force gpg to use a previous default cipher algo by putting:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
cipher-algo cast5
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
into your options file.
|
||||
|
||||
@ -1051,11 +1049,11 @@ you could search in the mailing list archive.
|
||||
|
||||
This will be fixed after GnuPG has been upgraded to autoconf-2.50.
|
||||
Until then, find the line setting CDPATH in the configure script
|
||||
and place a:
|
||||
and place an:
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
unset CDPATH
|
||||
[H /pre]
|
||||
[H /samp]
|
||||
|
||||
statement below it.
|
||||
|
||||
@ -1064,9 +1062,7 @@ you could search in the mailing list archive.
|
||||
There is a small bug in 1.0.6 which didn't parse trust packets
|
||||
correctly. You may want to apply this patch if you can't upgrade:
|
||||
|
||||
[H pre]
|
||||
http://www.gnupg.org/developer/gpg-woody-fix.txt
|
||||
[H /pre]
|
||||
[H a href=http://www.gnupg.org/developer/gpg-woody-fix.txt]<http://www.gnupg.org/developer/gpg-woody-fix.txt>[H /a]
|
||||
|
||||
<Q> I upgraded to GnuPG version 1.0.7 and now it takes longer to load my
|
||||
keyrings. What can I do?
|
||||
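Review bot: The new anchor leaves the href value unquoted ("a href=http://www.gnupg.org/developer/gpg-woody-fix.txt") and sends the reader to a patch for gpg itself over plain http, with nothing in the answer about checking the file before applying it. Quote the attribute value, and if a detached signature or checksum for gpg-woody-fix.txt is published, name it next to the link.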
@ -1083,9 +1079,9 @@ you could search in the mailing list archive.
|
||||
|
||||
To generate a secret/public keypair, run:
|
||||
|
||||
[H pre]
|
||||
gpg --gen-key
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --gen-key
|
||||
[H /samp]
|
||||
|
||||
and choose the default values.
|
||||
|
||||
@ -1132,16 +1128,16 @@ you could search in the mailing list archive.
|
||||
person it says it comes from. You should be very sure that is really
|
||||
that person: You should verify the key fingerprint with:
|
||||
|
||||
[H pre]
|
||||
gpg --fingerprint user-id
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --fingerprint KeyID
|
||||
[H /samp]
|
||||
|
||||
over the phone (if you really know the voice of the other person), at
|
||||
a key signing party (which are often held at computer conferences),
|
||||
or at a meeting of your local GNU/Linux User Group.
|
||||
|
||||
Hmm, what else. You may use the option "-o filename" to force output
|
||||
to this filename (use "-" to force output to stdout). "-r" just lets
|
||||
Hmm, what else. You may use the option '-o filename' to force output
|
||||
to this filename (use '-' to force output to stdout). '-r' just lets
|
||||
you specify the recipient (which public key you encrypt with) on the
|
||||
command line instead of typing it interactively.
|
||||
|
||||
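Review bot: The fingerprint sample changes its placeholder from "user-id" to "KeyID" while the sentence above it is unchanged, and the commit message lists no such change. If it is intentional, say in the text that either a key ID or a user ID can be given; otherwise keep "user-id". The switch from double to single quotes around -o filename, - and -r in the last paragraph also differs from the double-quoted options elsewhere in the file, for example "--no-secmem-warning".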
@ -1175,9 +1171,9 @@ you could search in the mailing list archive.
|
||||
You can see the validity (calculated trust value) using this
|
||||
command.
|
||||
|
||||
[H pre]
|
||||
gpg --list-keys --with-colons
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --list-keys --with-colons
|
||||
[H /samp]
|
||||
|
||||
If the first field is "pub" or "uid", the second field shows you the
|
||||
trust:
|
||||
@ -1193,15 +1189,15 @@ you could search in the mailing list archive.
|
||||
for keys for which the secret key is also available.
|
||||
r = The key has been revoked
|
||||
d = The key has been disabled
|
||||
[H/pre]
|
||||
[H /pre]
|
||||
|
||||
The value in the "pub" record is the best one of all "uid" records.
|
||||
You can get a list of the assigned trust values (how much you trust
|
||||
the owner to correctly sign another person's key) with:
|
||||
|
||||
[H pre]
|
||||
gpg --list-ownertrust
|
||||
[H/pre]
|
||||
[H samp]
|
||||
$ gpg --list-ownertrust
|
||||
[H /samp]
|
||||
|
||||
The first field is the fingerprint of the primary key, the second
|
||||
field is the assigned value:
|
||||
@ -1213,7 +1209,7 @@ you could search in the mailing list archive.
|
||||
keys.
|
||||
f = Assume that the key holder really knows how to sign keys.
|
||||
u = No need to trust ourself because we have the secret key.
|
||||
[H/pre]
|
||||
[H /pre]
|
||||
|
||||
Keep these values confidential because they express your opinions
|
||||
about others. PGP stores this information with the keyring thus it
|
||||
@ -1234,24 +1230,24 @@ you could search in the mailing list archive.
|
||||
information which is prefixed with information about the checked
|
||||
item.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
"key 12345678.3456"
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
This is about the key with key ID 12345678 and the internal number
|
||||
3456, which is the record number of the so called directory record
|
||||
in the trustdb.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
"uid 12345678.3456/ACDE"
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
This is about the user ID for the same key. To identify the user ID
|
||||
the last two bytes of a ripe-md-160 over the user ID ring is printed.
|
||||
|
||||
[H pre]
|
||||
[H samp]
|
||||
"sig 12345678.3456/ACDE/9A8B7C6D"
|
||||
[H/pre]
|
||||
[H /samp]
|
||||
|
||||
This is about the signature with key ID 9A8B7C6D for the above key
|
||||
and user ID, if it is a signature which is direct on a key, the user
|
||||
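Review bot: The context line "the last two bytes of a ripe-md-160 over the user ID ring is printed." under the uid sample is left as is while the tags around it change. "ring" reads like a typo for "string", and "is printed" should agree with "bytes" ("are printed"). This is worth fixing in the same pass as the other typo corrections in this commit.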
@ -1290,14 +1286,14 @@ you could search in the mailing list archive.
|
||||
<S> ACKNOWLEDGEMENTS
|
||||
|
||||
Many thanks to Nils Ellmenreich for maintaining this FAQ file for
|
||||
a long time, Werner Koch for the original FAQ file, and to all
|
||||
posters to gnupg-users and gnupg-devel. They all provided most
|
||||
of the answers.
|
||||
such a long time, Werner Koch for the original FAQ file, and to all
|
||||
posters to gnupg-users and gnupg-devel. They all provided most of
|
||||
the answers.
|
||||
|
||||
Also thanks to Casper Dik for providing us with a script to generate
|
||||
this FAQ (he uses it for the excellent Solaris2 FAQ).
|
||||
|
||||
[H HR]
|
||||
[H hr]
|
||||
|
||||
Copyright (C) 2000-2002 Free Software Foundation, Inc.,
|
||||
59 Temple Place - Suite 330, Boston, MA 02111, USA
|
||||
|