1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-29 19:48:43 +01:00
Commit Graph

1163 Commits

Author SHA1 Message Date
Werner Koch
2f3eebf186
wkd: New command --print-wkd-url for gpg-wks-client.
* tools/gpg-wks-client.c (aPrintWKDURL): New.
(opts): Add option.
(main): Implement.
* tools/wks-util.c (wks_cmd_print_wkd_url): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-25 15:14:32 +01:00
Werner Koch
7a38af6a10
doc: Clarify option --no-keyring.
--
GnuPG-bug-id: 4424

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-25 14:48:28 +01:00
Werner Koch
64621f1f40
wkd: New command --print-wkd-hash for gpg-wks-client.
* tools/gpg-wks-client.c (aPrintWKDHash): New.
(opts) : Add "--print-wkd-hash".
(main): Implement that command.
(proc_userid_from_stdin): New.
* tools/wks-util.c (wks_fname_from_userid): Add option HASH_ONLY.
(wks_cmd_print_wkd_hash): New.
--

GnuPG-bug-id: 4418
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-25 14:41:44 +01:00
Daniel Kahn Gillmor
93782de23f doc: fix formatting error
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-03-22 23:49:03 +01:00
Werner Koch
5d73c231e4
gpgtar: Make option -C work for archive creation.
* tools/gpgtar-create.c (gpgtar_create): Switch to the -C directory.
--

The -C option is pretty useful given that pattern are always relative
to the current directory.  In contrast to GNU tar, the switching is
done only once.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b3a7a51407)
2019-03-07 10:56:18 +01:00
Daniel Kahn Gillmor
a7b2a87f94
gpgv: Improve documentation for keyring choices
* doc/gpgv.texi: Improve documentation for keyring choices

--

From the existing documentation, it's not clear whether the default
keyring will always be mixed into the set of keyrings, or whether it
will be skipped if a --keyring is present.  The updated text here
attempts to describe the keyring selection logic more completely.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-03-07 07:55:51 +01:00
Daniel Kahn Gillmor
121286d9d1
gpgsm: default to 3072-bit keys.
* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
default to 3072 bits.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
3072 bits.
* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
* sm/gpgsm.c (main): print correct default_pubkey_algo.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Gbp-Pq: Topic update-defaults
Gbp-Pq: Name 0014-gpgsm-default-to-3072-bit-keys.patch
(cherry picked from commit 7955262151)
2019-02-28 11:00:31 +01:00
Werner Koch
6651a0640d
scd: Allow standard keyref scheme for app-openpgp.
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--

The generic keyref allows for better error detection in case a keyref
is send to a wrong card.  This has been taken from master commit
3231ecdafd which has additional changed
for gpg-card-tool, which is only available there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 10:59:22 +01:00
Werner Koch
5e5f3ca0c2
gpg: Implement searching keys via keygrip.
* kbx/keybox-defs.h (struct _keybox_openpgp_key_info): Add field grip.
* kbx/keybox-openpgp.c (struct keyparm_s): New.
(keygrip_from_keyparm): New.
(parse_key): Compute keygrip.
* kbx/keybox-search.c (blob_openpgp_has_grip): New.
(has_keygrip): Call it.
--

This has been marked for too long as not yet working.  However, it is
a pretty useful feature and will come pretty handy when looking for
all keys matching one keygrip.

Can be optimized a lot by storing the keygrip in the meta data.  This
will be done along with the upgrade of KBX for v5 fingerprints.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c128667b3c)
2019-01-29 20:19:22 +01:00
Werner Koch
9fd6ba268f
doc: Mark keyserver-options timeout and http-proxy as obsolete.
--

(cherry picked from commit 6c000d4b78)
2019-01-22 10:15:36 +01:00
Werner Koch
de29a50e7c
agent: Make the S2K calibration time runtime configurable.
* agent/protect.c (s2k_calibration_time): New file global var.
(calibrate_s2k_count): Use it here.
(get_calibrated_s2k_count): Replace function static var by ...
(s2k_calibrated_count): new file global var.
(set_s2k_calibration_time): New function.
* agent/gpg-agent.c (oS2KCalibration): New const.
(opts): New option --s2k-calibration.
(parse_rereadable_options): Parse that option.
--

Note that using an unrelistic high value (like 60000) takes quite some
time for calibration.

GnuPG-bug-id: 3399
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit cbcc8c1954)
2018-12-11 18:14:38 +01:00
Werner Koch
9b53845168
gpg: New list-option "show-only-fpr-mbox".
* g10/gpg.c (parse_list_options): Add option "show-only-fpr-mbox".
* g10/options.h (LIST_SHOW_ONLY_FPR_MBOX): New.
* g10/keylist.c (list_keyblock_simple): New.
(list_keyblock): Call it.
(list_all): Do not print the keyring name in LIST_SHOW_ONLY_FPR_MBOX
mode.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 0e8bf20479)

* g10/keylist.c (list_keyblock_simple): Remove optional arg from
mailbox_from_userid
2018-12-05 08:48:14 +01:00
Werner Koch
b6fd60dfa1
wks: Allow reading of --install-key arguments from stdin.
* tools/wks-util.c (install_key_from_spec_file): New.
(wks_cmd_install_key): Call it.
* tools/gpg-wks-client.c (main): Allow --install-key w/o arguments.
* tools/gpg-wks-server.c (main): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ba46a359b9)
2018-12-05 08:47:09 +01:00
Werner Koch
5b4aa8c6d4
wks: Add new commands --install-key and --remove-key to the client.
* tools/gpg-wks-client.c (aInstallKey, aRemoveKey, oDirectory): New.
(opts): Add "--install-key", "--remove-key" and "-C".
(parse_arguments): Parse them.
(main): Check that the given directory exists.  Implement the new
commands.
--

These commands maybe useful to prepare a WKD directory on a non-Unix
box using the standard wks client.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 602b190963)
2018-12-05 08:41:50 +01:00
Werner Koch
6acca0e4d9
doc: Clarify use of clear and nodefault in the AKL.
--

(cherry picked from commit e5c3a6999a)
2018-11-21 09:22:00 +01:00
Werner Koch
66e0bd37ee
wks: New option --with-colons for gpg-wks-client.
* tools/gpg-wks.h (opt): Add field with_colons.
* tools/gpg-wks-client.c (oWithColons): New const.
(opts, parse_arguments): Add option --with-colons.
(main): Change aSupported to take several domains in --with-colons
mode.
(command_send): Factor policy getting code out to ...
(get_policy_and_sa): New function.
(command_supported): Make use of new function.
--

In addition to this the --create command now also supports a
submission address only in the policy file.  That means the
submission-address file is not anymore required and can be replaced by
the policy file.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e3a1e80d13)
2018-11-05 20:58:58 +01:00
Werner Koch
82cd7556fd
gpg: Don't take the a TOFU trust model from the trustdb,
* g10/tdbio.c (tdbio_update_version_record): Never store a TOFU model.
(create_version_record): Don't init as TOFU.
(tdbio_db_matches_options): Don't indicate a change in case TOFU is
stored in an old trustdb file.
--

This change allows to switch between a tofu and pgp or tofu+pgp trust
model without an auto rebuild of the trustdb.  This also requires that
the tofu trust model is requested on the command line.  If TOFU will
ever be the default we need to tweak the model detection via TM_AUTO
by also looking into the TOFU data base,

GnuPG-bug-id: 4134
(cherry picked from commit 150a33df41)
2018-11-05 09:17:03 +01:00
Werner Koch
839426104a
wkd: Add option --directory to the server.
* tools/gpg-wks-server.c (opts): Add '--directory',
(main): Explain how to set correct permissions.
(command_list_domains): Create an empty policy file and remove the
warning for an empty policy file.
--

Note that a policy file is meanwhile required and thus is is useful to
create it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f248416bc9)
2018-10-26 14:59:43 +02:00
Werner Koch
2d700f2c6c
doc: Minor additions to the gpg man page
--

Includes a fix for
GnuPG-bug-id: 3906

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 420dc2b49a)
2018-08-29 15:05:26 +02:00
Werner Koch
3169b5ae3f
doc: Show how to list envvars send to gpg-agent.
--

GnuPG-bug: 3353
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 53bbac0865)
2018-08-29 09:53:38 +02:00
Werner Koch
a59a9962f4
gpg: New option --known-notation.
* g10/gpg.c (oKnownNotation): New const.
(opts): Add option --known-notation.
(main): Set option.
* g10/parse-packet.c (known_notations_list): New local var.
(register_known_notation): New.
(can_handle_critical_notation): Rewrite to handle the new feature.
Also print the name of unknown notations in verbose mode.
--

GnuPG-bug-id: 4060
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 3da835713f)
2018-08-29 09:36:44 +02:00
Werner Koch
a8e24addcc
gpg: Print revocation reason for "rvs" records.
* g10/import.c (get_revocation_reason): New.
(list_standalone_revocation): Extend function.
--

Note that this function extends the "rvs" field signature-class (field
11) with the revocation reason.  GPGME does not yet parse this but it
can be expected that the comma delimiter does not break other parsers.

A new field is added to the "rvs" (and in future also the "rev")
record to carry a record specific comment.  Hopefully all parsers
meanwhile learned the lesson from other new fields and don't bail out
on more fields than they know about.

This is partial solution to
GnuPG-bug-id: 1173

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b7cd2c2093)
2018-07-03 11:56:04 +02:00
Werner Koch
5c67ee160d
gpg: Let --show-keys print revocation certificates.
* g10/import.c (list_standalone_revocation): New.
(import_revoke_cert): Call new function.
--

GnuPG-bug-id: 4018
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 386b9c4f25)
2018-07-03 11:55:41 +02:00
Daniel Kahn Gillmor
86b64876be
gpg: Add new usage option for drop-subkey filters.
* g10/import.c (impex_filter_getval): Add new "usage" property for
drop-subkey filter.
--

For example, this permits extraction of only encryption-capable
subkeys like so:

    gpg --export-filter 'drop-subkey=usage !~ e' --export $FPR

GnuPG-Bug-id: 4019
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 2ddfb5bef9)
2018-06-12 09:04:13 +02:00
Werner Koch
cbb84b3361
gpg: Set some list options with --show-keys
* g10/gpg.c (main): Set some list options.
--

The new command --show-keys is commonly used to check the content of a
file with keys.  In this case it can be expected that all included
subkeys and uids are of interested, even when they are already expired
or have been revoked.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d2bc66f241)
2018-06-11 08:49:32 +02:00
Werner Koch
8c0e1fac96
doc: Typo fixes
--

Reported-by: Claus Assmann <ca+gnupg-users@esmtp.org>
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 70f26e4263)
2018-06-06 17:26:20 +02:00
Werner Koch
dc87a3341f
gpg: New command --show-keys.
* g10/gpg.c (aShowKeys): New const.
(opts): New command --show-keys.
(main): Implement command.
* g10/import.c (import_keys_internal): Don't print stats in show-only
mode.
(import_one): Be silent in show-only mode.
--

Using

  --import --import-options show-only

to look at a key is too cumbersome.  Provide this shortcut and also
remove some diagnostic cruft in this case.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 257661d6ae)
2018-06-06 11:59:06 +02:00
Werner Koch
866667765f
gpg: Remove MDC options
* g10/gpg.c: Turn options --force-mdc, --no-force-mdc, --disable-mdc
and --no-disable-mdc into NOPs.
* g10/encrypt.c (use_mdc): Simplify.  MDC is now almost always used.
* g10/cipher.c (write_header): Include extra hint and make
translatable.
* g10/options.h (struct opt): Remove fields force_mdc and disable_mdc.

--

The MDC is now always used except with --rfc2440 which will lead to a
a big fat warning.

This is a stripped down version of commit
253e8bdd90 which could not directly be
applied due to the AEAD mechanisms there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-05-31 12:08:22 +02:00
Werner Koch
3db1b48a2d
gpg: Hard fail on a missing MDC even for legacy algorithms.
* g10/mainproc.c (proc_encrypted): Require an MDC or AEAD
* tests/openpgp/defs.scm (create-gpghome): Use --ignore-mdc-error to
allow testing with the current files.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d1431901f0)

Resolved Conflicts:
	g10/mainproc.c - Remove AEAD stuff.
2018-05-31 11:54:07 +02:00
Werner Koch
26c0d3a3fc
gpg: Turn --no-mdc-warn into a NOP.
* g10/gpg.c (oNoMDCWarn): Remove.
(opts): Make --no-mdc-warn a NOP.
(main): Don't set var.
* g10/options.h (struct opt): Remove 'no_mdc_var'.
* g10/cipher-cfb.c (write_header): Assume opt.no_mdc_warn is false.
* g10/mainproc.c (proc_encrypted): Ditto.
--

Users should not be allowed to suppress the warning that they are
shooting into their foot.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 96350c5d5a)
2018-05-31 11:47:07 +02:00
Ineiev
ed12a1daba
doc: Update description of displayed trust values.
* doc/trust-values.texi: New file.
* doc/Makefile.am (EXTRA_DIST): Add trust-values.texi.
* doc/gnupg.texi (Trust Values): New chapter.
* doc/gpg.texi (OpenPGP Key Management): Update the description
of how trust values are displayed, replace table with a reference
to Trust Values.
* doc/gpg.texi (GPG Examples): Add @mansect trust values.

--

Signed-off-by: Ineiev <ineiev@gnu.org>
2018-05-07 08:07:07 +02:00
Werner Koch
bb8894760f
dirmngr: Add the used TLS library to the debug output.
* dirmngr/http.c (send_request): Print the used TLS library in debug
mode.
--

We allow two different TLS libararies and thus it is useful to see
that in the debug output of bug reports.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-25 15:25:26 +02:00
Werner Koch
d2ad715441
doc: Update NEWS and add an example to gpg.texi.
--
2018-04-23 09:23:41 +02:00
Andre Heinecke
a44ed3d9a1
doc: Remove unneccesary empty flags in vsndf.prf
* doc/examples/vsnfd.prf (max-cache-ttl): Remove empty flags.

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2018-04-20 11:00:00 +02:00
Werner Koch
69c3e7acb7
gpg: Extend the "sig" record in --list-mode.
* g10/getkey.c (get_user_id_string): Add arg R_NOUID.  Change call
callers.
(get_user_id): Add arg R_NOUID.  Change call callers.
* g10/mainproc.c (issuer_fpr_string): Make global.
* g10/keylist.c (list_keyblock_colon): Print a '?' for a missing key
also in --list-mode.  Print the "issuer fpr" field also if there is an
issuer fingerprint subpacket.
--

Scripts used to rely on the "User ID not found" string even in the
--with-colons listing.  However, that is not a good idea because that
string is subject to translations etc.  Now we have an explicit way of
telling that a key is missing.  For example:

  gpg --list-sigs --with-colons | \
    awk -F: '$1=="sig" && $2=="?" {if($13){print $13}else{print $5}}'

Prints all keyids or fingerprint of signing keys for which we do not
have the key in our local keyring.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-12 17:53:17 +02:00
Werner Koch
23a714598c
gpg: Extend the ERRSIG status line with a fingerprint.
* g10/mainproc.c (issuer_fpr_raw): New.
(issuer_fpr_string): Re-implement using issuer_fpr_rtaw.
(check_sig_and_print): Don't free ISSUER_FPR.  Use ISSUER_FPR_RAW.
Use write_status_printf.  Extend ERRSIG status.
--

Modern OpenPGP implementations put the ISSUER_FPR into the signature
to make it easier to discover the, public needed to check the
signature.  This is also useful in error messages and thus we add it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-12 16:41:18 +02:00
Werner Koch
789d240cb4
gpg: New option --no-symkey-cache.
* g10/gpg.c (oNoSymkeyCache): New.
(opts): Add that option.
(main): Set var.
* g10/options.h (struct opt): New field no_symkey_cache.
* g10/passphrase.c (passphrase_to_dek): Implement that feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-11 20:35:40 +02:00
Werner Koch
7fa6f14814
doc: Typo fix in gpg.texi
--

Reported-by: Cody Brownstein
2018-04-09 19:46:54 +02:00
Werner Koch
519e4560e8
doc: Add an example for --default-new-key-algo
--
2018-04-09 10:51:28 +02:00
Werner Koch
a4e26f2ee8
doc: Document --key-edit:change-usage
* g10/keyedit.c (menu_changeusage): Make strings translatable.
--

GnuPG-bug-id: 3816
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-09 10:36:26 +02:00
Werner Koch
2cd35df5db
gpg,sm: New option --request-origin.
* g10/gpg.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* g10/options.h (struct opt): Add field request_origin.
* g10/call-agent.c (start_agent): Send option to the agent.
* sm/gpgsm.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* sm/gpgsm.h (struct opt): Add field request_origin.
* sm/call-agent.c (start_agent): Send option to the agent.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-03-23 09:06:20 +01:00
Werner Koch
05c55ee260
agent: New OPTION pretend-request-origin
* common/shareddefs.h (request_origin_t): New.
* common/agent-opt.c (parse_request_origin): New.
(str_request_origin): New.
* agent/command.c (option_handler): Implement new option.
--

This allows to pretend that a request originated from the extra or
browser socket.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-03-23 08:37:14 +01:00
NIIBE Yutaka
5400a5bb77 build: Fix the manual source field.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-03-23 15:16:16 +09:00
Werner Koch
165bc38cef
gpg: Implement --dry-run for --passwd.
* g10/keyedit.c (change_passphrase): Take care of --dry-run.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-03-22 10:23:35 +01:00
Ben McGinnes
7e40c5efbe
doc: man page grammar
--
Fixed two grammatical errors: their vs. there and oneself vs. one
(one's self would still be too stilted).
2018-03-07 10:00:28 +01:00
Werner Koch
f060cb5c63
agent: Also evict cached items via a timer.
* agent/cache.c (agent_cache_housekeeping): New func.
* agent/gpg-agent.c (handle_tick): Call it.
--

This change mitigates the risk of having cached items in a post mortem
dump.

GnuPG-bug-id: 3829
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-03-06 16:22:42 +01:00
Werner Koch
641aae783e
doc: Fix recently introduced typo in gpgsm.texi.
--
2018-02-22 16:39:52 +01:00
Werner Koch
cf006cbf73
doc: Clarify -export-secret-key-p12
--

GnuPG-bug-id: 3788
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-02-22 10:24:24 +01:00
Werner Koch
c4d8efb894
doc: Add extra hint on unattended use of gpg.
--
2018-02-21 10:17:20 +01:00
Werner Koch
685a5e1558
wks: Add special mode to --install-key.
* tools/gpg-wks-client.c (get_key_status_parm_s)
(get_key_status_cb, get_key): Move to ...
* tools/wks-util.c: ...here.
(get_key): Rename to wks_get_key.
* tools/gpg-wks-server.c: Include userids.h.
(command_install_key): Allow use of a fingerprint.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-02-20 15:23:19 +01:00
Werner Koch
ee474856ec
wks: Implement server command --install-key.
* tools/wks-util.c (wks_filter_uid): Add arg 'binary'.
* tools/gpg-wks-server.c (main): Expect 2 args for --install-key.
(write_to_file): New.
(check_and_publish): Factor some code out to ...
(compute_hu_fname): ... new.
(command_install_key): Implement.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-02-20 11:45:58 +01:00
Andre Heinecke
e0658b19d9
doc: Add compliance de-vs to gpgsm in vsnfd.prf
* doc/examples/vsnfd.prf: Set complaince mode for gpgsm.
2018-02-09 09:45:28 +01:00
Werner Koch
91a3d15cee
doc: Note --quick-gen-key as an alias for --quick-generate-key
--
2018-01-25 15:14:37 +01:00
Andre Heinecke
6fb5713f4a
doc: Note pinentry-mode for passphrase opts
* doc/gpg.texi (--passphrase, --passphrase-file, --passphrase-fd):
Note that pinentry-mode needs to be loopback.

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2018-01-09 08:48:54 +01:00
Werner Koch
7449063b1a
wks: New server options --check, --with-dir, with-file.
* tools/gpg-wks-server.c (aCheck, oWithDir, oWithFile): New const.
(opts): New options --check, --with-dir, and --with-file.
(main): Call command_check_key.
(command_list_domains): Implement option --with-dir.
(fname_from_userid): New.
(command_check_key): New.
(command_remove_key): Implement existsing command.
(command_revoke_key): Call command_remove_key as a simple
implementation.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-19 17:42:10 +01:00
Werner Koch
482e000b8a
conf: New option --status-fd.
* tools/gpgconf.c (oStatusFD): New const.
(opts): New option --status-fd.
(statusfp): New var.
(set_status_fd): New.
(gpgconf_write_status): New.
(gpgconf_failure): New.
(main): Set status fd and replace exit by gpgconf_failure.
* tools/gpgconf-comp.c: Repalce exit by gpgconf_failure.
(gc_process_gpgconf_conf): Print a few warning status messages.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-18 17:46:05 +01:00
Werner Koch
8c878ae4c9
sm: Allow explicit setting of the default --compliance=gnupg
* sm/gpgsm.c (main): Allow setting of the default compliance.
* tools/gpgconf-comp.c (gc_options_gpgsm): Add "compliance".
--

This is required so that we can use this option in in gpgconf.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-18 12:05:31 +01:00
Werner Koch
c81a447190
Change backlog from 5 to 64 and provide option --listen-backlog.
* agent/gpg-agent.c (oListenBacklog): New const.
(opts): New option --listen-backlog.
(listen_backlog): New var.
(main): Parse new options.
(create_server_socket): Use var instead of 5.
* dirmngr/dirmngr.c: Likewise.
* scd/scdaemon.c: Likewise.
--

GnuPG-bug-id: 3473
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-12 14:14:40 +01:00
Werner Koch
3e72143023
doc: Typo fix
--
2017-12-11 10:17:59 +01:00
Werner Koch
6391de3e62
doc: Fix Dijkstra
--

Edsger Wybe Dijkstra (1930 --2002)
  - Dutch computer scientist
2017-12-08 07:40:06 +01:00
Daniel Kahn Gillmor
8a2917345b doc: clarify that --encrypt refers to public key encryption
--

A simple read of gpg(1) is ambiguous about whether --encrypt could be
for either symmetric or pubkey encryption.  Closer inference suggests
that --encrypt is about pubkey encryption only.  Make that clearer on
a first read.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-11-30 10:21:58 -05:00
Werner Koch
18af15249d
agent: New option --auto-expand-secmem.
* agent/gpg-agent.c (oAutoExpandSecmem): New enum value.
(opts): New option --auto-expand-secmem.
(main): Implement that option.
--

Note that this option has an effect only if Libgcrypt >= 1.8.2 is
used.

GnuPG-bug-id: 3530
2017-11-24 10:30:25 +01:00
NIIBE Yutaka
e1984969ca build: BSD make support for yat2m.
* configure.ac (YAT2M): Only define when found.
* doc/Makefile.am: Portability fix.

--

This is not intended to apply to master, but 2.2 branch only.  When
new libgpg-error is required, installation of yat2m can be assumed.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-20 11:33:26 +09:00
Werner Koch
1b6d1ac976
doc: Add man page for gpgtar
--

This also removes the documentation for gpg-zip which is not
distributed anymore.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-15 10:17:17 +01:00
Will Thompson
1faf8187f9
doc: fix NEWSIG documentation
--
08c82b1 introduced one optional argument for this status message. Due to
an apparent editing error, the sentence fragment "arguments are
currently defined." was left in the documentation.

Signed-off-by: Will Thompson <wjt@endlessm.com>
2017-11-15 08:59:41 +01:00
Will Thompson
49635b454b
doc: expand documentation of PROGRESS message
--
This answers two questions that I was only able to answer by examining
each site where PROGRESS messages are emitted, and fixes a typo.

Signed-off-by: Will Thompson <wjt@endlessm.com>
2017-11-15 08:59:12 +01:00
Werner Koch
30f21f8b0f
dirmngr: Reduce default LDAP timeout to 15 seconds.
* dirmngr/dirmngr.c (DEFAULT_LDAP_TIMEOUT): Change to 15.
* dirmngr/dirmngr_ldap.c (DEFAULT_LDAP_TIMEOUT): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ab7ac82704)
GnuPG-bug-id: 3487
2017-11-07 10:05:18 +01:00
Werner Koch
3607ab2cf3
agent: New GETINFO sub-commands "s2k_count_cal" and "s2k_time".
* agent/command.c (cmd_getinfo): New sub-commands.
* agent/protect.c (get_standard_s2k_count): Factor some code out to ...
(get_calibrated_s2k_count): new.
(get_standard_s2k_time): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 52d41c8b0f)
2017-11-06 15:11:24 +01:00
Werner Koch
78a6d0ce88
agent: New option --s2k-count.
* agent/agent.h (opt): New field 's2k_count'.
* agent/gpg-agent.c (oS2KCount): New enum value.
(opts): New option --s2k-count.
(parse_rereadable_options): Set opt.s2k_count.
--

This option is useful to speed up the starting of gpg-agent and in
cases where the auto-calibration runs into problems due to a broken
time measurement facility.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f7212f1d11)
2017-11-06 15:11:13 +01:00
Werner Koch
9e3f2a7e0b
doc: Fix "SEE ALSO" section of gpgv.
--
2017-10-20 08:56:39 +02:00
Werner Koch
2c7dccca9b
gpg: Print sec/sbb with --import-option import-show or show-only.
* g10/import.c (import_one): Pass FROM_SK to list_keyblock_direct.
--

Note that this will likely add the suffix '#' top "sec" because the
secret key has not yet (or will not be) imported.  If the secret key
already exists locally another suffix might be printed.  The upshot is
that the suffix has no usefulness.

GnuPG-bug-id: 3431
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 17:12:36 +02:00
Werner Koch
e725c4d653
doc: Make --check-sigs more prominent.
--

It seems people are using --list-sigs instead of --check-sigs and do
not realize that the signatures are not checked at all.  We better
highlight the use of --check-sigs to avoid this UI problem.

Suggested-by: Andrew Gallagher
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-27 17:24:31 +02:00
Werner Koch
50c8b6c88f
wks: Create a new user id if provider wants mailbox-only.
* tools/gpg-wks-client.c (get_key): Add arg 'exact'.
(add_user_id): New.
(command_send): Create new user id.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-18 15:41:51 +02:00
Werner Koch
9d80fb8e00
Release 2.2.0 2017-08-28 11:18:26 +02:00
Daniel Kahn Gillmor
e6f84116ab gpg: default to --no-auto-key-retrieve.
* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
default keyserver options.
* doc/gpg.texi: document this change.
--

This is a partial reversion of
7e1fe791d1.  Werner and i discussed it
earlier today, and came to the conclusion that:

 * the risk of metadata leakage represented by a default
   --auto-key-retrieve, both in e-mail (as a "web bug") and in other
   contexts where GnuPG is used to verified signatures, is quite high.

 * the advantages of --auto-key-retrieve (in terms of signature
   verification) can sometimes be achieved in other ways, such as when
   a signed message includes a copy of its own key.

 * when those other ways are not useful, a graphical, user-facing
   application can still offer the user the opportunity to choose to
   fetch the key; or it can apply its own policy about when to set
   --auto-key-retrieve, without needing to affect the defaults.

Note that --auto-key-retrieve is specifically about signature
verification.  Decisions about how and whether to look up a key during
message encryption are governed by --auto-key-locate.  This change
does not touch the --auto-key-locate default of "local,wkd".  The user
deliberately asking gpg to encrypt to an e-mail address is a different
scenario than having an incoming e-mail trigger a potentially unique
network request.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-08-11 02:26:52 -04:00
Werner Koch
0a8e20c4c6
sm: Always print the keygrip in colon mode.
* sm/keylist.c (list_cert_colon): Always print the keygrip as
described in the manual.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-08 13:05:50 +02:00
Justus Winter
c4506f624e
gpg: Add option '--disable-dirmngr'.
* doc/gpg.texi: Document new option.
* g10/call-dirmngr.c (create_context): Fail if option is given.
* g10/gpg.c (cmd_and_opt_values): New value.
(opts): New option.
(gpgconf_list): Add new option.
(main): Handle new option.
* g10/options.h (struct opt): New field 'disable_dirmngr'.
* tools/gpgconf-comp.c (gc_options_gpg): New option.

GnuPG-bug-id: 3334
Signed-off-by: Justus Winter <justus@g10code.com>
2017-08-08 11:43:22 +02:00
Daniel Kahn Gillmor
81074c3b02 systemd-user: Drop redundant After=*.socket.
* doc/examples/systemd-user/*.service: Drop redundant After=*.socket
directive.

--

systemd.socket(5) says:

   Socket units will have a Before= dependency on the service which
   they trigger added implicitly.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-08-07 08:01:18 -04:00
Daniel Kahn Gillmor
407da18254 systemd-user: Drop RefuseManualStart=true.
* doc/examples/systemd-user/*.service: drop RefuseManualStart=true

--

These user services can be safely started manually as long as at least
their primary sockets are available.  They'll just start with nothing
to do, which should be fine.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-08-07 08:01:18 -04:00
Daniel Kahn Gillmor
a611cba142 Fix spelling.
* doc/gpg.texi: s/occured/occurred/

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-08-07 03:35:41 -04:00
Werner Koch
7e1fe791d1
gpg: Default to --auto-key-locate "local,wkd" and --auto-key-retrieve.
* g10/gpg.c (main): Add KEYSERVER_AUTO_KEY_RETRIEVE to the default
keyserver options.  Set the default for --auto-key-locate to
"local,wkd".  Reset that default iff --auto-key-locate has been given
in the option file or in the commandline.
* g10/getkey.c (parse_auto_key_locate): Work on a copy of the arg.
--

GnuPG-bug-id: 3324
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 22:06:18 +02:00
Werner Koch
3d78ae4d3d
agent: Make --no-grab the default.
* agent/gpg-agent.c (oGrab): New const.
(opts): New option --grab.  Remove description for --no-grab.
(parse_rereadable_options): Make --no-grab the default.
(finalize_rereadable_options): Allow --grab to override --no-grab.
(main) <gpgconflist>: Add "grab".
* tools/gpgconf-comp.c (gc_options_gpg_agent): Add "grab".

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 18:34:03 +02:00
Werner Koch
d9fabcc198
gpg: New import option show-only.
* g10/options.h (IMPORT_DRY_RUN): New.
* g10/import.c (parse_import_options): Add "show-only".
(import_one): use that as alternative to opt.dry_run.
--

This is just a convenience thing for

  --import-options import-show --dry-run

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 17:03:03 +02:00
Werner Koch
be636c3cfc
doc: Add man pages form gpg-wks-server and gpg-wks-client.
* doc/wks.texi: New.
* doc/gnupg.texi: Include wks.texi.
* doc/Makefile.am (gnupg_TEXINFOS): Add wks.texi.
(myman_pages): Add new man pages.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-26 17:53:00 +02:00
Andre Heinecke
4f569c6907
doc: Update vsnfd profile example
* doc/examples/vsnfd.prf: Use rsa3072

--
This brings it in line with the requested default for vsnfd.
2017-07-26 15:48:02 +02:00
Werner Koch
fd68bdb61e
dirmngr: Auto-enable Tor on startup or reload.
* dirmngr/dirmngr.c (dirmngr_use_tor): Test for Tor availibility.
--

GnuPG-bug-id: 2935
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-26 10:58:15 +02:00
Werner Koch
aa358ac78c
doc: Use @var for meta variables in gpg.texi
--

This results in more standrard man pages.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 21:29:51 +02:00
Werner Koch
87b5421ca8
gpg: Extend --key-origin to take an optional URL arg.
* g10/getkey.c (parse_key_origin): Parse appended URL.
* g10/options.h (struct opt): Add field 'key_origin_url'.
* g10/gpg.c (main) <aImport>: Pass that option to import_keys.
* g10/import.c (apply_meta_data): Extend for file and url.
* g10/keyserver.c (keyserver_fetch): Pass the url to
import_keys_es_stream.
--

Example:

  gpg --key-origin url,myscheme://bla --import FILE

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 21:10:58 +02:00
Werner Koch
5dac85fba7
doc: Revert the bug reporting address to bugs.gnupg.org
--

dev.gnupg org is the development platform but the canonical bug
address is and has always been bugs.gnupg.org.  We should keep on
using this address for the case that we switch the tracker again or
split it off the development system.

That is also the reason why we should keep on communicating a plain
bug number without the 'T' prefix.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 10:43:27 +02:00
Werner Koch
b55b72bb81
gpg: Extend --quick-set-expire to allow subkey expiration setting.
* g10/keyedit.c (keyedit_quick_set_expire): Add new arg subkeyfprs.
(menu_expire): Rename arg force_mainkey to unattended and allow
unattended changing of subkey expiration.
* g10/gpg.c (main): Extend --quick-set-expire.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-21 18:15:01 +02:00
Marcus Brinkmann
cea4313644 doc: Clarify wording of export-attributes.
* doc/gpg.texi: Clarify wording of export-attributes.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2228
2017-07-20 19:12:06 +02:00
Werner Koch
165cdd8121
gpg: New option --with-key-origin.
* g10/getkey.c (parse_key_origin): Factor list out as ...
(key_origin_list): new struct.
(key_origin_string): New.
* g10/gpg.c (oWithKeyOrigin): New const.
(opts): New option --with-key-origin.
(main): Implement option.
* g10/options.h (struct opt): New flag with_key_origin.
* g10/keylist.c (list_keyblock_print): Print key origin info.
(list_keyblock_colon): Ditto.
2017-07-20 18:13:40 +02:00
Werner Koch
33ecb541fc
doc: Comment fixes and one trailing comma fix.
--
2017-07-20 18:13:40 +02:00
Werner Koch
fa1155e89e
gpg: New option --key-origin.
* g10/keydb.h (KEYORG_): Rename to KEYORG_.
* g10/packet.h (PKT_user_id): Rename field keysrc to keyorg.  Adjust
users.
(PKT_public_key): Ditto.
(PKT_ring_trust): Ditto.
* g10/options.h (struct opt): Add field key_origin.
* g10/getkey.c (parse_key_origin): New.
* g10/gpg.c (oKeyOrigin): New.
(opts): Add "keys-origin".
(main): Set option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-13 18:29:01 +02:00
Marcus Brinkmann
877a321d01 doc: Document gnupg version requirement for gpg-preset-passphrase.
Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2331
2017-07-13 17:12:42 +02:00
Neal H. Walfield
243b2a570c doc: Improve TOFU documentation.
* doc/gpg.texi: Improve TOFU documentation.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
Suggested-by: Teemu Likonen <tlikonen@iki.fi>
2017-07-06 21:17:31 +02:00
Justus Winter
4c3a59e9c0
doc: Fix typo.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-06 12:56:42 +02:00
Daniel Shahaf
4538f3cf8d doc: minor clarification
---
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-07-05 16:55:53 -04:00
Werner Koch
139de02b93
doc: Update yat2m to take care of SOURCE_DATE_EPOCH.
* doc/yat2m.c (main): Set a default for OPT_DATE.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-05 11:01:36 +02:00
Werner Koch
f6faa05874
doc: Prefer an installed version of yat2m
* configure.ac (YAT2M): Check for tool.
* doc/Makefile.am (yat2m-stamp): Use installed tool if possible.
--
2017-07-05 11:01:36 +02:00
Marcus Brinkmann
7fb724c616 doc: Document obsolete option in gpgsm. Closes T2231.
* doc/gpgsm.texi: Mark --prefer-system-dirmngr as obsolete.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2231
2017-07-01 14:30:04 +02:00
Werner Koch
f31dc2540a
gpg,gpgsm: Emit status code ENCRYPTION_COMPLIANCE_MODE.
* common/status.h (STATUS_ENCRYPTION_COMPLIANCE_MODE): New.
* g10/encrypt.c (encrypt_crypt): Emit new status code.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
--

This status code allows to report whether an encryption operation was
compliant to de-vs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-23 12:01:20 +02:00
Justus Winter
9b12b45aa5
gpg: Check and fix keys on import.
* doc/gpg.texi: Document the new import option.
* g10/gpg.c (main): Make the new option default to yes.
* g10/import.c (parse_import_options): Parse the new option.
(import_one): Act on the new option.
* g10/options.h (IMPORT_REPAIR_KEYS): New macro.

GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-14 09:36:28 +02:00
Werner Koch
9b43220b8a
dirmngr: Implement HTTP connect timeouts of 15 or 2 seconds.
* dirmngr/dirmngr.c (oConnectTimeout, oConnectQuickTimeout): New
enums.
(opts): New options --connect-timeout and --connect-quick-timeout.
(DEFAULT_CONNECT_TIMEOUT): New.
(DEFAULT_CONNECT_QUICK_TIMEOUT): New.
(parse_rereadable_options): Handle new options.
(post_option_parsing): New.  Use instead of direct calls to
set_debug() and set_tor_mode ().
(main): Setup default timeouts.
(dirmngr_init_default_ctrl): Set standard connect timeout.
* dirmngr/dirmngr.h (opt): New fields connect_timeout and
connect_quick_timeout.
(server_control_s): New field timeout.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Pass timeout to
http_raw_connect.
* dirmngr/ks-engine-hkp.c (send_request): Call
http_session_set_timeout.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/server.c (cmd_wkd_get, cmd_ks_search, cmd_ks_get)
(cmd_ks_fetch): Implement --quick option.
--

The standard connect timeouts are way to long so we add a timeout to
the connect calls.  Also implement the --quick option which is already
used by gpg for non-important requests (e.g. looking up a key for
verification).

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-08 09:37:36 +02:00
Justus Winter
be8ca88526
gpg: Report compliance with CO_DE_VS.
* common/compliance.c (gnupg_pk_is_compliant): Add DSA with certain
parameters.
(gnupg_cipher_is_compliant): New function.
(gnupg_digest_is_compliant): Likewise.
* common/compliance.h (gnupg_cipher_is_compliant): New prototype.
(gnupg_digest_is_compliant): Likewise.
* common/status.h (STATUS_DECRYPTION_COMPLIANCE_MODE): New status.
(STATUS_VERIFICATION_COMPLIANCE_MODE): Likewise.
* doc/DETAILS: Document the new status lines.
* g10/mainproc.c (proc_encrypted): Compute compliance with CO_DE_VS
and report that using the new status line.
(check_sig_and_print): Likewise.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
* sm/verify.c (gpgsm_verify): Likewise.
--

When decrypting data and verifying signatures, report whether the
operations are in compliance with the criteria for data classified as
VS-NfD.  This information will be picked up by the frontend and
presented to the user.

GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-01 13:16:18 +02:00
Justus Winter
485b5a6e6d
doc: Improve documentation.
* doc/gpgsm.texi: Mention that '--with-key-data' implies
'--with-colons'.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-31 17:38:16 +02:00
Justus Winter
525f2c482a
agent: Make digest algorithms for ssh fingerprints configurable.
* agent/agent.h (opt): New field 'ssh_fingerprint_digest'.
* agent/command-ssh.c (data_sign, ssh_identity_register): Honor the
option for strings used to communicate with the user.
* agent/findkey.c (agent_modify_description): Likewise.
* agent/gpg-agent.c (cmd_and_opt_values): New value.
(opts): New option '--ssh-fingerprint-digest'.
(parse_rereadable_options): Set the default to MD5 for now.
(main): Handle the new option.
* doc/gpg-agent.texi: Document the new option.
--

OpenSSH has transitioned from using MD5 to compute key fingerprints to
SHA256.  This patch makes the digest used when communicating key
fingerprints to the user (e.g. in pinentry dialogs) configurable.
For now this patch conservatively defaults to MD5.

GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-24 18:09:07 +02:00
Daniel Kahn Gillmor
3713f67026 doc: Fix spellings.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-05-18 16:34:37 -04:00
Daniel Kahn Gillmor
705da1eb23 docs: Point to https://dev.gnupg.org/ .
Replace mentions of bugs.gnupg.org with https://dev.gnupg.org/.  Since
the project has transitioned to a better workflow for supporting
contributions, we should ensure that our documentation points to the
right place.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-05-18 15:05:57 -04:00
Justus Winter
3a8c94e522
doc: Fix name of program.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-11 17:41:00 +02:00
Justus Winter
6fdeef5b61
doc: Fix documentation.
--
Fixes-commit: da4db172f6
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-08 12:18:19 +02:00
Daniel Kahn Gillmor
201f868030 g10: Remove skeleton options files.
* build-aux/speed/w32/inst.nsi: stop installing skeleton files.
* doc/gpg.texi: stop documenting skeleton files.
* g10/Makefile.am: stop installing skeleton files.
* g10/openfile.c (copy_options_file): Remove.
(try_make_homedir): do not call copy_options_file.

--

The defaults for gpg and dirmngr are good.  Both programs should work
fine for the simple case without any config file.  The skeleton config
files were being copied at first use (when the defaults are fine).
But when the user needs to fiddle with them (after they've become
sophisticated users), they're likely out of date because gpg has been
upgraded since then.  So they're used for documentation, but they're
stale documentation, which is probably worse than a clean empty file.

GnuPG-bug-id: 3086
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-05-02 18:55:32 +09:00
NIIBE Yutaka
5c8fe54809 Spelling fixes in docs and comments.
--

In addition, fix trailing spaces in tests/inittests.

GnuPG-bug-id: 3121
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-28 10:06:33 +09:00
Werner Koch
9c9fde1495
doc: Explain the '>' in a key listing.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-07 10:26:55 +02:00
Werner Koch
3533b85440
dirmngr: New option --disable-ipv6
* dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
* dirmngr/dirmngr.c (oDisableIPv6): New const.
(opts): New option --disable-ipv6.
(parse_rereadable_options): Set that option.
* dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
(set_dns_disable_ipv6): New.
(resolve_name_standard): Make use of it.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
OPT.DISABLE_IPV6.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 20:56:12 +02:00
Werner Koch
608124af2c
doc: Add two example profiles.
--
2017-04-03 16:54:43 +02:00
Werner Koch
d24375271b
agent: Use OCB for key protection with --enable-extended-key-format.
* agent/protect.c (PROT_DEFAULT_TO_OCB): Remove macro.
(agent_protect): Make the default protection mode depend on the extend
key format option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-02 20:02:55 +02:00
Werner Koch
a8895c99a7
gpg: Revamp reading and writing of ring trust packets.
* g10/parse-packet.c (parse_trust): Rename to ...
(parse_ring_trust): this.  Change args and implement new ring trust
packet format.
(parse): Add special ring trust packet handling.
* g10/packet.h (PKT_user_id): New fields KEYUPDATE, UPDATEURL, and
KEYSRC.
(PKT_public_key): Ditto.
(RING_TRUST_SIG, RING_TRUST_KEY, RING_TRUST_UID): New consts.
(PKT_ring_trust): New.
(struct packet_struct): Remove member RING_TRUST.
(strcu parse_packet_ctx_s): Add field SKIP_META.
(init_parse_packet): Init SKIPT_META.
* g10/free-packet.c (release_public_key_parts): Free UDPATEURL.
(free_user_id): Ditto.
* g10/mainproc.c (list_node): Remove printing of non-documented "rtv"
lines.
* g10/build-packet.c (build_packet_and_meta): New.
(do_ring_trust): New.
* g10/export.c (write_keyblock_to_output): Use build_packet_and_meta
in backup mode.
(do_export_one_keyblock): Ditto.
* g10/import.c (read_block): Add arg WITH_META.  Skip ring trust
packets if that ism not set.
(import): Call read_block WITH_META in restore mode.
* g10/keydb.h (KEYSRC_UNKNOWN, KEYSRC_FILE, KEYSRC_KS, KEYSRC_PREF_KS)
(KEYSRC_WKD, KEYSRC_WKD_SD, KEYSRC_DANE): New constants.  They are not
yet used, though.
* g10/keydb.c (parse_keyblock_image): Allow ring trust packets.
(build_keyblock_image): Ditto.  Use build_packet_and_meta.
* g10/keyring.c (keyring_get_keyblock): Remove specila treatment of
ring trust packets.
(write_keyblock): Use build_packet_and_meta.  Remove special treatment
of ring trust packets and initialization of the signature caches.
--

This patch introduced the framework to store meta data for keys and
user ids in the keyrings/keyboxes.  Ring trust packets are
implementation defined and have always been used in gpg to cache the
signature verification status.

Ring trust packets are only exported with the export option "backup"
and only imported with the import option "restore".

The new code uses a cleaner way to handle the ring trust packets: When
the parser reads a ring trust packet and the previously read packet
matches the type of that ring trust packet, the information is stored
in that previously read packet (signature, user id, or primary key)
and the next packet is read immediately.  Thus only the parser sees
the ring trust packets.  Ring trust packets are written by using the
new function build_packet_and_meta instead of build_packet.  That
function writes a ring trust packet when the needed information is
available.

As a side-effect of this patch the signature status cache works again
and "gpg --check-sigs" is thus much faster.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-30 09:07:02 +02:00
Werner Koch
4af389c972
gpg: Prepare for listing last_update and key origin data.
* g10/keylist.c (list_keyblock_colon): Add empty fields 19 and 20.

--

We add them now to early catch error in parsers which arbitrary limit
the number of fields in --with-colon listings.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-28 12:32:05 +02:00
Werner Koch
2c237c1362
agent: New option --enable-extended-key-format.
* agent/gpg-agent.c (oEnableExtendedKeyFormat): New const.
(opts): New option --enable-extended-key-format.
(parse_rereadable_options): Set option
* agent/findkey.c (write_extended_private_key): Add arg 'update'.
(agent_write_private_key): Implement new option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-24 10:35:36 +01:00
Werner Koch
74c1f30ad6
gpg: New command --quick-set-primary-uid.
* g10/gpg.c (aQuickSetPrimaryUid): New const.
(opts): New command --quick-set-primary-uid.
(main): Implement it.
* g10/keyedit.c (keyedit_quick_adduid): Factor some code out to ...
(quick_find_keyblock): new func.
(keyedit_quick_revuid): Use quick_find_keyblock.
(keyedit_quick_set_primary): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-21 15:09:30 +01:00
Werner Koch
fe0b37e123
gpg: Add new field no 18 to the colon listing.
* g10/misc.c (gnupg_pk_is_compliant): New.
* g10/keylist.c (print_compliance_flags): New.
(list_keyblock_colon): Call it here.
* sm/keylist.c (print_compliance_flags): New.
(list_cert_colon): Call it here.
--

This patch is to convey information about DE_VS compliant keys to the
caller.  The double digit value is used so that parsers do the right
thing and don't just look for a single digit.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-20 10:09:40 +01:00
Werner Koch
e2c63a13e2
gpg: Remove unused stuff.
* g10/OPTIONS: Remove.
* g10/options.h (struct opt): Remove 'shm_coprocess'.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-20 08:40:21 +01:00
Werner Koch
f0257b4a86
doc: Add a note to the trust model direct.
* doc/gpg.texi (GPG Configuration Options): Add note.  Chnage Index
from trust-mode:foo to trust-model:foo.
2017-03-08 11:35:53 +01:00
Werner Koch
1813f3be23
gpg: Add new variables to the import and export filters.
* g10/import.c (impex_filter_getval): Add new variables "expired",
"revoked", and "disabled".

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-03 09:22:40 +01:00
Werner Koch
891ab23411
gpg: Make --export-options work with --export-secret-keys.
* g10/export.c (export_seckeys): Add arg OPTIONS and pass it to
do_export.
(export_secsubkeys): Ditto.
* g10/gpg.c (main): Pass opt.export_options to export_seckeys and
export_secsubkeys
--

Back in the old days we did not used the export options for secret
keys export because of a lot of duplicated code and that the old
secring.gpg was anyway smaller that the pubring.gpg.  With 2.1 it was
pretty easy to enable it.

Reported-by: Peter Lebbing
GnuPG-bug-id: 2973
2017-03-01 14:41:47 +01:00
Werner Koch
7af5d61c6e
gpgv: New options --log-file and --debug
* g10/gpgv.c (oLoggerFile, oDebug): New consts.
(opts): Add options --log-file and --debug.
(main): Implement options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-24 13:23:16 +01:00
Werner Koch
effa80e0b5
gpg: Emit new status DECRYPTION_KEY
* common/status.h (STATUS_DECRYPTION_KEY): New.
* g10/pubkey-enc.c (get_it): Emit that status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 19:59:21 +01:00
Yuri Chornoivan
24cf0606b4 Clean up word replication.
--

This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Justus Winter
90d383f1eb
tests: Test and document other ways to create keys.
* doc/gpg.texi: Clarify usage and expiration arguments for key
generation.
* tests/openpgp/quick-key-manipulation.scm: Test all variants.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-02-15 15:51:09 +01:00
Daniel Kahn Gillmor
f2b276dffb doc: Clarify abbreviation of --help.
* doc/gpg.texi: clarify abbreviation of --help.

Debian-bug-id: 852979
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-04 01:30:55 -05:00
Werner Koch
b0e8376e19
dirmngr: Require --allow-version-check even if --use-tor is used.
* dirmngr/dirmngr.c (housekeeping_thread): Load swdb only if the
option is set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-31 13:24:24 +01:00
Werner Koch
72736af86a
dirmngr: New option --disable-ipv4.
* dirmngr/dirmngr.c (oDisableIPv4): New const.
(opts): New option --disable-ipv4.
(parse_rereadable_options): Set that option.
* dirmngr/dirmngr.h (opt): New field 'disable_ipv4'.
* dirmngr/dns-stuff.c (opt_disable_ipv4): bew var.
(set_dns_disable_ipv4): New.
(resolve_name_standard): Skip v4 addresses when OPT_DISABLE_IPV4 is
set.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Pass HTTP_FLAG_IGNORE_IPv4 if opt.disable_v4 is set.
* dirmngr/crlfetch.c (crl_fetch): Ditto.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-24 20:52:24 +01:00
Werner Koch
953d4ec6af
gpg: New export and import options "backup" and "restore".
* g10/export.c (parse_export_options): Add "backup" and its alias
"export-backup".
(do_export_one_keyblock): Export ring trust packets in backup mode.
* g10/import.c (parse_import_options): Add "restore" and its alias
"import-restore".
(read_block): Import ring trust packets.
--

These options are intended to, well, backup and restore keys between
GnuPG implementations.  These options may eventually be enhanced to
backup and restore all public key related information.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 10:13:26 +01:00
Damien Goutte-Gattat
3daeef702b gpg: Allow to freeze faked system time.
* g10/gpg.c (main): If the parameter for --faked-system-time
ends with a '!', freeze time at the specified point.
* common/gettime.c (gnupg_set_time): Allow to freeze the time
at an arbitrary time instead of only the current time.
* doc/gpg.texi: Update documentation for --faked-system-time.
--

This patch allows the user to modify the behavior of the
--faked-system-time option: by appending a '!' to the parameter,
time in GnuPG will be frozen at the specified time, instead of
advancing normally from that time onward.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2017-01-19 10:39:06 +01:00
Werner Koch
2312248b2e
gpgconf: Allow "all" for --launch, --kill, and --reload.
* tools/gpgconf-comp.c (gc_component_launch): Allow -1 for COMPONENT.
(gc_component_kill): Ditto.
(gc_component_reload): For robustness change the condition to < 0.
* tools/gpgconf.c (main) <aLaunch, aKill, aReload>: Support argument
"all".

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-18 10:07:53 +01:00
NIIBE Yutaka
79cea89774 scd: Cleanup SERIALNO protocol.
* scd/app.c (app_get_serial_and_stamp): Remove.
(app_get_serialno): New.
(app_write_learn_status): Use send_status_direct.
(app_getattr): Use app_get_serialno for SERIALNO and
send with send_status_direct.
* scd/app-openpgp.c (do_getattr): Likewise.
* scd/command.c (cmd_serialno): Don't send TIMESTAMP of 0.
(cmd_learn): Likewise.  Don't inquire with TIMESTAMP of 0.

--

In the SERIALNO protocol, timestamp used to be considered, but had never
used at all.  In the new implementation, removed card/token is always
detected and connection becomes invalid, no timestamp is required any
more.  Examined scute and poldi as well for this protocol change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-01-18 16:03:47 +09:00
Werner Koch
da894c48ec
dirmngr: Implement debug option "network" for http.
* dirmngr/dirmngr.c (parse_rereadable_options): Set http debugging.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-11 10:42:44 +01:00
Daniel Kahn Gillmor
a20a450ac4 systemd-user: Enable "systemctl --user reload {dirmngr,gpg-agent}"
* doc/examples/systemd-user/*.service: Add ExecReload directives to
  indicate the canonical way to reload the services.

GnuPG recommends reloading the agent and dirmngr with "gpgconf
--reload".  if anyone is running them as systemd user services, they
might ask them to reload in the systemd way, so teach systemd the
right thing to do.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-01-10 17:16:38 -05:00
Werner Koch
7345c64b08
doc: Mention dirmngr.conf
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-10 16:26:38 +01:00
Werner Koch
2baba11fad
doc: Update man page for watchgnupg
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-09 08:54:45 +01:00
Andre Heinecke
e1f68337b9 doc: Document summary values of TOFU_STATS
--

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2017-01-06 12:45:36 +01:00
Werner Koch
353f6ff376
doc: Mention gpgv in the description of gpg --verify.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-05 20:43:40 +01:00
Werner Koch
293a55bacd
doc: Extend dirmngr's --allow-version-check description
--
2017-01-03 13:12:25 +01:00
Werner Koch
5a4a109354
doc: Remove warning that DNS is not routed via Tor
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-02 10:39:59 +01:00
Werner Koch
81c012787f
dirmngr: New option --resolver-timeout.
* dirmngr/dns-stuff.c (DEFAULT_TIMEOUT): New.
(opt_timeout): New var.
(set_dns_timeout): New.
(libdns_res_open): Set the default timeout.
(libdns_res_wait): Use configurable timeout.
(resolve_name_libdns): Ditto.

* dirmngr/dirmngr.c (oResolverTimeout): New const.
(opts): New option --resolver-timeout.
(parse_rereadable_options): Set that option.
(main) <aGPGConfList>: Add --nameserver and --resolver-timeout.
* tools/gpgconf-comp.c (gc_options_dirmngr): Add --resolver-timeout
and --nameserver.

* dirmngr/http.c (connect_server): Fix yesterday introduced bug in
error diagnostic.
--

This timeout is a pretty crude thing because libdns has a few other
internal timeouts as well.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-20 09:53:58 +01:00
Justus Winter
a76fe9e86d doc: Clarify that delkey deletes public keys.
--
GnuPG-bug-id: 2878
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-19 15:42:35 +01:00
Werner Koch
e384405b6e
Remove unused debug flags and add "dns" and "network".
* g10/options.h (DBG_CARD_IO_VALUE, DBG_CARD_IO): Remove.
* g10/gpg.c (debug_flags): Remove "cardio".
* agent/agent.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
* agent/gpg-agent.c (debug_flags): Remove "command".
* scd/scdaemon.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
* scd/scdaemon.c (debug_flags): Remove "command".
* dirmngr/dirmngr.h (DBG_DNS_VALUE, DBG_DNS): New.
(DBG_NETWORK_VALUE, DNG_NETWORK): New.
* dirmngr/dirmngr.c (debug_flags): Add "dns" and "network".
--

Note that "dns" and "network" are not yet used but will soon be added
to dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-19 09:41:15 +01:00
Werner Koch
41a426a1a0
doc: Wrap a too long line in DETAILS.
--
2016-12-16 19:03:43 +01:00
Werner Koch
76cd64a5ba
gpgconf: New command --apply-profile.
* tools/gpgconf.c (aApplyProfile): New.
(opts): New command --apply-profile.
(main): Implement that command.
* tools/gpgconf-comp.c (option_check_validity): Add arg VERBATIM.
(change_options_program): Ditto.
(change_one_value): Ditto.
(gc_component_change_options): Ditto.
(gc_apply_profile): New.

--

Here is an example for a profile

--8<---------------cut here---------------start------------->8---
# foo.prf - Sample profile

[gpg]
compliance de-vs
default-new-key-algo brainpoolP256r1+brainpoolP256r1

[gpgsm]
enable-crl-checks

[gpg-agent]
default-cache-ttl 900
max-cache-ttl [] 3600
no-allow-mark-trusted
no-allow-external-cache
enforce-passphrase-constraints
min-passphrase-len 9
min-passphrase-nonalpha 0

[dirmngr]
keyserver hkp://keys.gnupg.net
allow-ocsp
--8<---------------cut here---------------end--------------->8---

Note that flags inside of brackets are allowed after the option name.
The only defined flag for now is "[default]".  In case the value
starts with a bracket, it is possible to insert "[]" as a nop-flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-16 16:05:02 +01:00
Justus Winter
12a5265afa doc: Mention extra information in pinentry status lines.
* doc/DETAILS: Mention that 'PINENTRY_LAUNCHED may carry extra
information.

Fixes-commit: c1ea0b577a
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-16 16:01:26 +01:00
Neal H. Walfield
a165fa09be doc: Fix manual.
* doc/gpg.texi: Remove comment about options being parsed in-order.
They aren't.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
Fixes-commit: 7572d27
2016-12-16 14:55:54 +01:00
Neal H. Walfield
94f6b9010d g10: Extend TOFU_STATS to emit <sign-days> and <encyrption-days>
* doc/DETAILS: Add SIGN-DAYS and ENCRYPT-DAYS to the TOFU_STATS status
line.
* g10/tofu.c (write_stats_status): Take additional parameters
signature_days and encryption_days.  Update callers.  Include them in
the tfs record and TOFU status lines.
(show_statistics): Compute the number of days on which we saw a
message signed by FINGERPRINT, and the number of days on which we
encrypted a message to it.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-16 14:32:39 +01:00
Justus Winter
ca02a8b78f doc: Improve section on unattended key generation.
* doc/gpg.texi: Improve the subsection on unattended key generation by
suggesting the quick key manipulation interface as an alternative, and
by suggesting alternatives to '%pubring' and '%secring'.  Simplify
examples accordingly.

GnuPG-bug-id: 2400
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-16 14:30:10 +01:00
Justus Winter
116a78eb86 doc: Add documentation for programmatic use of GnuPG.
* doc/gpg.texi: New subsections on programmatic use of GnuPG,
ephemeral home directories, and the quick key manipulation interface.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-16 14:30:10 +01:00
Justus Winter
41ad04d403 g10: Rework the --quick-* interface.
* g10/gpg.c (opts): Rename options.
(main): Update errors.
* doc/gpg.texi: Update accordingly.
--
I decided not to keep the old versions as aliases in the documentation
because the interface is a fairly recent addition.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 15:32:51 +01:00
Justus Winter
6e4396723e g10: Rename 'card-edit' to 'edit-card'.
* g10/gpg.c (opts): Rename option.
* g10/call-agent.c (agent_scd_learn): Update comment.
* doc/gpg.texi: Update accordingly.
--
This change has a surprising side effect.  Previously, --edit was an
alias for --edit-key, because the argument parser actually accepts
unique prefixes of all options.  With this change, however, --edit is
ambiguous.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 14:50:10 +01:00
Justus Winter
3c691097ca g10: Spell out --desig-revoke.
* g10/gpg.c (opts): Rename option.
* doc/gpg.texi: Update accordingly.
--
This is a rather long name, but I believe that this command is rarely
used, and in places where it is used frequently, the process is likely
automated.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 13:59:48 +01:00
Justus Winter
c252627c6f g10: Shorten unreasonably long option.
* g10/gpg.c (opts): Rename 'generate-revocation-certificate' to
'generate-revocation'.
* doc/gpg.texi: Update accordingly.
* po: Update translations.

GnuPG-bug-id: 2700
Fixes-commit: ec1bd3ae68
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 13:01:03 +01:00
Justus Winter
bc6b76ef26 doc: Add aliases of all changed options.
* doc/gpg.texi: Add the old version of every option that was updated
with the last change set.
* doc/gpgsm.texi: Likewise.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 12:44:52 +01:00
Werner Koch
d34a2bb410
dirmngr: New configure option --disable-libdns.
* configure.ac: Add option --disable-libdns
(USE_LIBDNS): New ac_subst and am_conditional.
(USE_C99_CFLAGS): Set only if libdns is used.
* dirmngr/Makefile.am (dirmngr_SOURCES): Move dns.c and dns.h to ...
(dirmngr_SOURCES) [USE_LIBDNS0: here.
(t_common_src): Ditto.
* dirmngr/dirmngr.c (oRecursiveResolver): New constant.
(opts): New option "--recursive-resolver".
(parse_rereadable_options): Set option.
* dirmngr/t-dns-stuff.c (main): Add option --recursive-resolver.
* dirmngr/server.c (cmd_getinfo): Depend output of "dnsinfo" on the
new variables.
* dirmngr/dns-stuff.c: Include dns.h only if USE_DNSLIB is defined.
Also build and call dnslib functions only if USE_DNSLIB is defined.
(recursive_resolver): New var.
(enable_recursive_resolver): New func.
(recursive_resolver_p): New func.
--

In case users run into problems building GnuPG, the configure option
allows to disable that support and continue w/o Tor support using the
system resolver.

--recursive-resolver was easy enough to implement and may be useful in
some situation.  It does not fully work, though.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-14 15:57:17 +01:00
Justus Winter
2e734a3ce1
dirmngr,build: Remove support for ADNS.
* autogen.rc: Remove '--with-adns' argument.
* configure.ac: Remove check for ADNS.
* dirmngr/dns-stuff.c: Remove all code that uses ADNS.
* dirmngr/server.c (cmd_getinfo): Update status line.
* doc/dirmngr.texi: Do not mention ADNS.
--

We used ADNS to support queries over Tor.  However, our patch to ADNS
that adds Tor support was never accepted upstream.  Furthermore, there
are other shortcomings that let us to consider alternatives.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-14 15:52:01 +01:00
Justus Winter
c1c35fb887 g10,sm: Spell out --passwd.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.
* doc/gpgsm.texi: Likewise.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:49:47 +01:00
Justus Winter
ec1bd3ae68 g10: Spell out --gen-revoke.
* g10/gpg.c (opts): Spell out option.
* doc/gpg.texi: Update accordingly.
* po: Update translations.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:43:22 +01:00
Justus Winter
09163a6390 g10: Spell out --full-gen-key.
* g10/gpg.c (opts): Spell out option.
(main): Likewise.
* g10/keygen.c (generate_keypair): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
892c827e72 g10,sm: Spell out --gen-key.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
9147737f1c g10,sm: Spell out --check-sigs.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
a6d6e4afe4 g10,sm: Spell out --list-sigs.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
04754ce3a7 g10: Hyphenate --clearsign.
* g10/gpg.c (opts): Hyphenate option.
* doc/gpg.texi: Update accordingly.
* po: Update translations.
* tests/openpgp: Update tests.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
ca59815234 g10: Spell out --recv-keys.
* g10/gpg.c (opts): Spell out option.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
dd3dde07a9 g10: Create expiring keys in quick key generation mode.
* doc/gpg.texi: Document that fact.
* g10/keygen.c (quick_generate_keypair): Use a default value.
* tests/openpgp/quick-key-manipulation.scm: Test that fact.

GnuPG-bug-id: 2701
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 16:35:08 +01:00
Neal H. Walfield
7572d270fc doc: Improve the text in the gpg manual
* doc/gpg.texi: Improve the text.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-06 12:16:59 +01:00
Werner Koch
41b3d0975d
gpg: New option --quick-set-expire.
* g10/gpg.c (aQuickSetExpire): New.
(opts): New option --quick-set-expire.
(main): Implement option.
* g10/keyedit.c (menu_expire): Add args FORCE_MAINKEY and
NEWEXPIRATION.  Change semantics of the return value.  Change caller.
(keyedit_quick_set_expire): New.
--

This patch partly solves
GnuPG-bug-id: 2701
2016-12-05 11:00:11 +01:00
Werner Koch
ce29272e24
gpg: New option --default-new-key-algo.
* common/openpgp-oid.c (openpgp_is_curve_supported): Add optional arg
R_ALGO and change all callers.
* common/util.h (GPG_ERR_UNKNOWN_FLAG): New error code.
* g10/options.h (struct opt): Add field DEF_NEW_KEY_ALGO.
* g10/gpg.c (oDefaultNewKeyAlgo): New enum.
(opts): New option "--default-new-key-algo".
(main): Set the option.
* g10/keygen.c: Remove DEFAULT_STD_ FUTURE_STD_ constants and replace
them by ...
(DEFAULT_STD_KEY_PARAM, FUTURE_STD_KEY_PARAM): new string constants.
(get_keysize_range): Remove arg R_DEF and return that value instead.
Change all callers.
(gen_rsa): Use get_keysize_range instead of the removed
DEFAULT_STD_KEYSIZE.
(parse_key_parameter_part): New function.
(parse_key_parameter_string): New function.
(quick_generate_keypair): Refactor using parse_key_parameter_string.
(generate_keypair): Ditto.
(parse_algo_usage_expire): Ditto.
--

This new option is intended to be used in the forthcoming
--set-profile command of gpgconf.  It allows to provide a gpg
configuration with custom defaults for a new key using the simple
commands which use the default algorithm set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-02 19:47:40 +01:00
Werner Koch
304566d332
dirmngr: Add option --standard-resolver.
* dirmngr/dirmngr.c (oStandardResolver): New constant.
(opts): New option --standard-resolver.
(parse_rereadable_options): Set option.
* dirmngr/dns-stuff.c: Refactor all code to support the new option.
(standard_resolver): New var.
(enable_standard_resolver, standard_resolver_p): New func.
* dirmngr/http.c (connect_server): Remove USE_DNS_SRV build
conditional.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
* dirmngr/server.c (cmd_getinfo) <dnsinfo>: Take care of new option
* configure.ac (HAVE_ADNS_IF_TORMODE): Remove var ADNSLIB.  ac_define
USE_ADNS in the adns checking code.  Remove options --disable-dns-srv
and --disable-dns-cert.  Always look for the system resolver.  Print
warning if no system resolver was found.
(USE_DNS_CERT, USE_DNS_SRV): Remove ac_defines.
(HAVE_SYSTEM_RESOLVER): New ac_define.
(USE_DNS_SRV): Remove am_conditional; not used anyway.
--

This option allows for runtime switching to the system's standard
resolver.  This is mainly useful to work around possible bugs in the
optional resolver libraries (as of now ADNS).  Note that on Windows
there is no code to use systems's resolver and thus for full
functionality dirmngr must be build with a separate resolver.

This patch also does way with configure options to disable the use of
CERT and SRV records.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-01 16:40:32 +01:00
Neal H. Walfield
2f27cb12e3 g10: Extend TOFU_STATS to always show the validity
* doc/DETAILS (TOFU_STATS): Rename the VALIDITY field to SUMMARY.  Add
a new field called VALIDITY.
* g10/tofu.c (write_stats_status): Update output accordingly.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

Change TOFU_STATS as discussed offline with Werner, Justus and Andre.
2016-11-29 14:55:59 +01:00
Daniel Kahn Gillmor
2c97fa84c1 doc: Clarify dirmngr --homedir option.
--

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-21 17:33:31 +09:00
Daniel Kahn Gillmor
0540cfbee4 doc: Ship example gpg-agent-browser.socket in examples/systemd-user/.
* doc/Makefile.am: Ship gpg-agent-browser.socket alongside the other
systemd user service example files.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-21 16:37:24 +09:00
Daniel Kahn Gillmor
8fb4822524
dirmngr: Use a default keyserver if none is explicitly set
* configure.ac: Define DIRMNGR_DEFAULT_KEYSERVER.
* dirmngr/server.c (ensure_keyserver): Use it if no keyservers are set.
* doc/dirmngr.texi: Document this behavior.

--

A user who doesn't specify a keyserver, but asks gnupg to fetch a key
currently just gets a simple error messages "No keyserver available".

If the user is asking to contact a keyserver, we should have a
reasonable default, and not require them to fiddle with settings when
they might not know what settings to choose.  This patch makes the
default hkps://hkps.pool.sks-keyservers.net.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-17 15:29:35 +01:00
Daniel Kahn Gillmor
7c1613d415
dirmngr: Add system CAs if no hkp-cacert is given
* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
the HKPS pool, and they have not specified any hkp-cacert, then we
should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: Document choice of CAs.

--

Consider three possible classes of dirmngr configuration:

 a) no hkps:// keyserver URLs at all (communication with keyservers is
    entirely in the clear)

 b) hkps:// keyserver URLs, but no hkp-cacert directives

 c) hkps:// keyserver URLs, and at least one hkp-cacert directive

class (a) provides no confidentiality of requests.

class (b) currently will never work because the server certificate
cannot be validated.

class (c) is currently supported as intended.

This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

o minor indentation fix
  - wk
2016-11-17 15:29:35 +01:00
Werner Koch
5210ff70bc
doc: Typo fixes.
--

Reported-by: Nathan Musoke <nathan.musoke@gmail.com>
2016-11-17 15:29:35 +01:00
Werner Koch
bd91f92ace
dirmngr: Auto-sownload the swdb.lst
* dirmngr/dirmngr.h (struct opt): Add field allow_version_check.
* dirmngr/dirmngr.c (oAllowVersionCheck): New.
(opts): Add --allow-version-check.
(network_activity_seen): New variable.
(parse_rereadable_options): Set opt.allow_version_check.
(main) <aGPGConfList>: Do not anymore set the no change flag for
Windows.  Add allow-version-check.
(netactivity_action): Set network_activity_seen.
(housekeeping_thread): Call dirmngr_load_swdb.
* tools/gpgconf-comp.c (gc_options_dirmngr): Add allow-version-check.
Make "use-tor" available at Basic level.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-17 10:14:14 +01:00
Werner Koch
c45ca316a5
dirmngr: Improve downloading of swdb.lst.
* dirmngr/loadswdb.c (time_of_saved_swdb): Aslo return the "verified"
timestamp.
(dirmngr_load_swdb): Avoid unnecessary disk or network access witout
FORCE.  Do not update swdb.lst if it did not change.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-17 10:08:20 +01:00
Werner Koch
43bfaf2c54
gpg: New option --override-session-key-fd.
* g10/gpg.c (oOverrideSessionKeyFD): New.
(opts): Add option --override-session-key-fd.
(main): Handle that option.
(read_sessionkey_from_fd): New.
--

The override-session-key feature was designed to mitigate the effect
of the British RIP act by allowing to keep the private key private and
hand out only a session key.  For that use case the leaking of the
session key would not be a problem.  However there are other use
cases, for example fast re-decryption after an initial decryption,
which would benefit from concealing the session key from other users.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 09:03:03 +01:00
Werner Koch
500e594c2d
gpgv: New option --enable-special-filenames.
* g10/gpgv.c (oEnableSpecialFilenames): New.
(opts): Add option --enable-special-filenames.
(main): Implement that option.
--

This is the same option we have in gpg.  It allows to use commands
like

 gpgv --enable-special-filenames -- '-&3' - <msg 3<msg.sig

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 20:11:59 +01:00
Werner Koch
f86b1a15ad
gpg: New option --compliance.
* g10/gpg.c (oCompliance): New.
(opts): Add "--compliance".
(parse_tofu_policy): Use a generic description string for "help".
(parse_compliance_option): New.
(main): Add option oCompliance.  Factor out code for compliance
setting to ...
(set_compliance_option): new.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 13:06:49 +01:00
Daniel Kahn Gillmor
57e95f5413
doc: Include config examples for socket-activated user services.
--

These configuration files and instructions enable clean and simple
daemon supervision on machines that run systemd.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

- Removed the detailed ChangeLog entry because that is not needed for
  doc changes.
- Added an entry to doc/examples/README.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-11 08:44:51 +01:00
Werner Koch
1854f0f611
doc: Clarify dirmngr option --daemon.
--

With commit d83ba4897b all system daemon
features have been removed and thus this should be reflected in the
man page.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-11 08:25:04 +01:00
Werner Koch
4d7dc432b5
Change all http://www.gnu.org in license notices to https://
--
2016-11-05 12:02:19 +01:00
Werner Koch
d10b67b9bc
gpgconf: Add a new field to the --query-swdb output.
* tools/gpgconf.c (query_swdb): Insert new field with the installed
version.  Check that the supplied version does not contain a colon.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-03 10:58:19 +01:00
Werner Koch
0ed6a6df5a
gpgconf: Add command --query-swdb.
* tools/gpgconf.c (aQuerySWDB): New.
(opts): Add --query-swdb.
(valid_swdb_name_p): New.
(query_swdb): New.
(main): Implement command --query-swdb.
--

Right now this command is not very useful because dimngr has not yet
been changed to create the swdb.lst.  For manual tests the swdb.lst
file from the Net can be used with these additional lines:

  .filedate 20161102T130337
  .verified 20161102T150000
2016-11-02 17:58:11 +01:00
Daniel Kahn Gillmor
68b59bbc42 Spelling: correct spelling of "passphrase".
There were several different variant spellings of "passphrase".  This
should fix them all for all English text.

I did notice that po/it.po contains multiple instances of
"passhprase", which also looks suspect to me, but i do not know
Italian, so i did not try to correct it.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-02 12:53:58 +01:00
Werner Koch
cf20b23c14
dirmngr: Do not implement --supervised in Windows.
* dirmngr/dirmngr.c (opts) [W32]: Remove --supervised.
(main) [W32]: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-27 09:27:37 +02:00
Daniel Kahn Gillmor
75f8aaf5bc dirmngr: Implement --supervised command (for systemd, etc).
* dirmngr/dirmngr.c (main): Add new --supervised command, which is a
mode designed for running under a process supervision system like
systemd or runit.
* doc/dirmngr.texi: document --supervised option.

--

"dirmngr --supervised" is a way to invoke dirmngr such that a system
supervisor like systemd can provide socket-activated startup, log
management, and scheduled shutdown.

When running in this mode, dirmngr:

 * Does not open its own listening socket; rather, it expects to be
   given a listening socket on file descriptor 3.

 * Does not detach from the invoking process, staying in the
   foreground instead.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-10-27 10:46:53 +09:00
Daniel Kahn Gillmor
900c18f0b5 doc: Fix spelling of "internal".
--
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-10-26 14:37:14 +09:00
Daniel Kahn Gillmor
869c06efa7 doc: Document how to manually shut down gpg-agent.
* doc/gpg-agent.texi: document "gpgconf --kill gpg-agent" for manual
  agent termination.

This was requested in a side-comment in https://bugs.debian.org/840669

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-10-17 10:48:03 +02:00
Daniel Kahn Gillmor
c53ce53ab1 doc: Point gpg-agent(1) at the right gpg manpage in SEE ALSO.
* doc/gpg-agent.texi (SEE ALSO): refer to @gpgname, instead of
  hard-coding "gpg2".

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-10-17 10:47:54 +02:00
Werner Koch
5d43d28aa3
gpg: Put extra parens around bit tests.
* g10/options.h (DBG_MPI): New.
* g10/gpg.c (set_debug): Use macro or extra parens for binary operator.
* g10/parse-packet.c (set_packet_list_mode): Use dbg macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-07 07:54:38 +02:00
Werner Koch
1a9c8d78ec
agent: Streamline the supervised mode code.
* agent/gpg-agent.c (get_socket_path): Rename to ...
(get_socket_name): this.  This is to comply with the GNU coding guide.
Use xtrymalloc instead of malloc.  Do not build for W32.
(map_supervised_sockets): Use strtokenize and set the the socket names
here.
(main): Adjust for above change.  Do not close the socket.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-04 17:11:43 +02:00
Daniel Kahn Gillmor
9f92b62a51
agent: Implement --supervised command (for systemd, etc).
* agent/gpg-agent.c (get_socket_path): New function for POSIX systems
to return the path for a provided unix-domain socket.
(map_supervised_sockets): New function to inspect $LISTEN_FDS and
$LISTEN_FDNAMES and map them to the specific functionality offered by
the agent.
(main): Add --supervised command.  When used, listen on already-open
file descriptors instead of opening our own.
* doc/gpg-agent.texi: Document --supervised option.

--

"gpg-agent --supervised" is a way to invoke gpg-agent such that a
system supervisor like systemd can provide socket-activated startup,
log management, and scheduled shutdown.

When running in this mode, gpg-agent:

 * Does not open its own listening socket; rather, it expects to be
   given a listening socket on incoming file descriptors.

 * Does not detach from the invoking process, staying in the
   foreground instead.  Unless otherwise specified, logs are sent to
   stderr.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-10-04 17:11:43 +02:00