draft-rfc2440-bis04.
* packet.h (PKT_secret_key): Add field sha1chk.
* seckey-cert.c (do_check): Check the SHA1 checksum
(protect_secret_key): And create it.
* build-packet.c (do_secret_key): Mark it as sha-1 protected.
* g10.c, options.h: New option --simple-sk-checksum.
that has been revoked by designated revoker, but the designated revoker is
not present to verify the revocation (whew!). This applies to all ways to
get a key into the system: --import --recv-keys, and --search-keys. If
auto-key-retrieve is set, try and retrieve the revocation key.
Also, auto-key-retrieve is now a keyserver-option.
is a cert. A sig has sigclass 0x00, 0x01, 0x02, or 0x40, and everything
else is a cert.
Add a "nrlsign" for nonrevocable and local key signatures.
Add a --no-force-mdc to undo --force-mdc.
Add a knob to force --disable-mdc/--no-disable-mdc. Off by default, of
course, but is used in --pgp2 and --pgp6 modes.
Allow specifying multiple users in the "Enter the user ID" loop. Enter a
blank line to stop. Show each key+id as it is added.
It is not illegal (though possibly silly) to have multiple policy URLs in
a given signature, so print all that are present.
More efficient implementation of URL-ifying code for --search on an HKP
keyserver.
keyids as if they were v3. The workaround/hack is to fetch both the v4
(e.g. 99242560) and v3 (e.g. 68FDDBC7) keyids. This only happens for key
refresh while using the HKP scheme and the refresh-add-fake-v3-keyids
keyserver option must be set. This should stay off by default.
turns off force_mdc, turns on no_comment, escape_from, and force_v3_sigs,
and sets compression to 1. It also restricts the user to IDEA (if
present), 3DES, CAST5, MD5, SHA1, and RIPEMD160. See the comments above
algo_available() for lots of discussion on why you would want to do this.
* passphrase.c (agent_open): Let it override the environment info.
* seckey-cert.c (check_secret_key): Always try 3 times when the
agent is enabled.
* options.skel: Describe --use-agent.
change default compression to 1
add ask-sig-expire and ask-cert-expire (--expert was getting absurdly
overloaded)
permit v3 subkeys
use --expert to protect adding multiple photo ids and adding photos to a
v3 key
that live there for safe permission/ownership (--no-permission-warning to
disable)
The newer glibcs print scary warnings about using mktemp(). The use here
was actually safe, but the warning was bound to confuse people, so here is
an arguably better tempname creator that pulls random bits from the pool.
Do not allow signing a revoked UID unless --expert is set, and ask even then.
Do not allow signing a revoked key unless --expert is set, and ask even then.