1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-31 20:08:43 +01:00
Commit Graph

1084 Commits

Author SHA1 Message Date
Werner Koch
d6df1bf849
sm: New option --ldapserver as an alias for --keyserver.
* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--

We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-09 10:34:14 +02:00
Werner Koch
b912f07cdf
w32: Always use Unicode for console input and output.
* common/init.c (_init_common_subsystems) [W32]: Set the codepage to
UTF-8 for input and putput.  Switch gettext to UTF-8.
* g10/gpg.c (utf8_strings) [W32]: Make sure this is always set.
--

With this patch the former patch to use ReadConsoleW and WriteConsoleW
in ttyio.c are kind of superfluous because the ANSI version of these
functions are also able to read/write UTF-8 directly given the console
code page has been set correctly.  However, this seems to work only
with recent versions of Windows-10.

GnuPG-bug-id: 4365
(cherry picked from commit 8c41b8aac3)
Removed changes for "gpgconf --show-codepages" of the original patch.
2021-06-08 10:34:54 +02:00
Werner Koch
7c4b0eda74
doc: Update description of LDAP keyservers
--
2021-05-28 15:50:58 +02:00
Werner Koch
317d5947b8
dirmngr: Use --ldaptimeout for OpenPGP LDAP keyservers.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.

* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--

Note that this has not yet been tested.  In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt.  Maybe it
works on Windows - will be tested later.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 19:06:36 +02:00
Werner Koch
ff17aee5d1
dirmngr: New option --ldapserver
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.

* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--

This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 16:21:50 +02:00
Werner Koch
9f586700ec
gpg,sm: Simplify keyserver spec parsing.
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist.  Avoid
an ambiguity in dirmngr by adding a prefix if needed.

* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here.  Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--

We now rely on the dirmngr to parse the keyserver specs.  Thus a bad
specification will not be caught immediately.  However, even before
that dirmngr had stricter tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 14:30:17 +02:00
Werner Koch
e7251be84c
gpg: Auto import keys specified with --trusted-keys.
* g10/getkey.c (get_pubkey_with_ldap_fallback): New.
* g10/trustdb.c (verify_own_keys): Use it.

(cherry picked from commit 100037ac0f)
2021-05-04 10:21:14 +02:00
Werner Koch
2af217ecd7
gpg: Allow fingerprint based lookup with --locate-external-key.
* g10/keyserver.c (keyserver_import_fprint_ntds): New.
* g10/getkey.c (get_pubkey_byname): Detect an attempt to search by
fingerprint in no_local mode.
--

See the man page.  For testing use

  gpg --auto-key-locate local,wkd,keyserver --locate-external-key  \
    FINGERPRINT

with at least one LDAP keyserver given in dirmngr.conf.  On Windows
"ntds" may be used instead or in addtion to "keyserver".

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ec36eca08c)
2021-05-03 20:53:15 +02:00
Werner Koch
f9198189e3
doc: Fix option name.
--
2021-04-29 19:50:58 +02:00
Werner Koch
5eec40f3d8
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (verify_chv2): Do not auto verify chv1 in shared
mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.

(cherry picked from commit 5732e7a8e9)
2021-04-29 19:43:23 +02:00
Werner Koch
1303b0ed84
gpg: Do not use self-sigs-only for LDAP keyserver imports.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status.
* g10/options.h (opts): New field expl_import_self_sigs_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
can allow the import of key signature from LDAP keyservers by default.

GnuPG-bug-id: 5387
2021-04-13 14:50:05 +02:00
Werner Koch
87d7b7e075
gpg: New option --force-sign-key
* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584
2021-03-11 11:32:00 +01:00
Werner Koch
b8998e5ee0
doc: Explain how Tor is detected.
--
2021-02-24 11:09:37 +01:00
Werner Koch
55f46b33df
dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given.  Fix minor
error in error code handling.
--

Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially regisetered.  Thus for correctness the OID can be
used:

  1.3.6.1.4.1.11591.2.5          LDAP URL extensions
  1.3.6.1.4.1.11591.2.5.1          gpgNtds=1 (auth. with current user)

Note that the value must be 1; all other values won't enable AD
authentication and are resevered for future use.
2021-02-17 17:31:36 +01:00
Werner Koch
db687d15e6
doc: Remove man page for symcryptrun.
--

The tool has no more configure option to build it and thus the man
page does not make sense.  We keep the actual file for reference,
though.

GnuPG-bug-id: 5290
2021-02-09 18:28:09 +01:00
Werner Koch
261fb98c6f
doc: Explain LDAP keyserver parameters 2020-12-21 17:24:41 +01:00
Werner Koch
559efd23e9
gpg: New AKL method "ntds"
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
2020-12-17 18:19:01 +01:00
Jens Meißner
a3f95a29b9
doc: Add parameters for batch generation of ECC keys.
* doc/gpg.texi: Add parameters for batch generation of ECC keys.

--

There are parameters required for batch generation of ECC keys which
weren't mentioned in the documentation.

Signed-off-by: Jens Meißner <meissner@b1-systems.de>
2020-12-01 09:58:32 +01:00
Gavin L. Rebeiro
563db31467
doc: Fix typos
--
GnuPG-bug-id: 5071

Also fixed one in keyformat.txt [wk].

(cherry picked from commit 572bcacc28)
2020-11-23 12:13:52 +01:00
Werner Koch
7f765a98fd
card: Run factory-reset in locked stated.
* scd/command.c (reset_notify): Add option --keep-lock.
(do_reset): Add arg keep_lock.
(cmd_lock): Send progress status.
* g10/call-agent.c (agent_scd_apdu): Add more pseudo APDUs.
* g10/card-util.c (send_apdu): Ditto.
(factory_reset): Use lock commands.
--

This is required so that for example Kleopatra does not detect the
RESET and issues a SERIALNO of its own, thus conflicting with our
SERIALNO undefined.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-09 13:04:38 +01:00
Werner Koch
a4fa4b5d4b
speedo,w32: Install gpg-check-pattern and example profiles.
* doc/examples/vsnfd.prf: Rename to VS-NfD.prf.
* doc/examples/Automatic.prf: New.
* doc/Makefile.am (examples): Adjust.
* build-aux/speedo/w32/inst.nsi: Install gpg-check-pattern.exe and 3
example files.
* build-aux/speedo/w32/wixlib.wxs: Add new files.
--

Note that we renamed the existing example profile so that kleopatra
shows a nicer name.  In fact the gpg4win installer just copies of
theses file but it is better to maintain them here.

gpg-check-pattern.exe can no be installed because we meanwhile have a
regex lib which works also on Windows.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-04 18:15:37 +01:00
Werner Koch
7ec56b0336
gpg: New command --quick-revoke-sig
* g10/gpg.c (enum cmd_and_opt_values): Add aQuickRevSig.
(opts): Add --quick-revoke-sig.
(main): Implement.
* g10/keyedit.c (quick_find_keyblock): Add arg 'want_secret' and
adjust all callers.
(keyedit_quick_revsig): new.
* g10/revoke.c (get_default_sig_revocation_reason): New.
* g10/keylist.c (cmp_signodes): New.
--

GnuPG-bug-id: 5093
Backported-from-master: 243f9176e7
2020-10-28 18:10:01 +01:00
Andre Heinecke
d833030f8c
doc: Remove enable-extended-key-format in vsnfd
* doc/examples/vsnfd.prf: Remove enable-extended-key-format

--
This is no longer a valid option for gpg-agent because it
is now the default.
2020-10-01 18:22:44 +02:00
Werner Koch
5b6cfef620
build: Fix recent commit for SOURCE_DATE_EPOCH.
--

Fixes-commit: 5ade2b68db
which was recently pushed to make use of $SOURCE_DATE_EPOCH
as fallback.

(cherry picked from commit 61bb75d045)
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-09 15:40:08 +02:00
Gavin L. Rebeiro
27652e0ca7
doc: Fix typos
--
2020-08-27 12:53:10 +02:00
Werner Koch
b5de213efe
doc: Add a remark about keyservers.
--
2020-08-27 12:51:12 +02:00
Werner Koch
60f08969e1
gpg: Set default keysize to rsa3072
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change.
(gen_rsa): Set fallback to 3072.
(get_keysize_range): Set default to 3072.
* doc/examples/vsnfd.prf: No more need for default-new-key-algo.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-25 13:08:25 +02:00
Werner Koch
5b927b7b27
agent: Default to extended key format.
* agent/gpg-agent.c (oDisableExtendedKeyFormat, oNoop): New.
(opts): Make --enable-extended-key-format a dummy option.  Add
disable-extended-key-format.
(parse_rereadable_options): Implement oDisableExtendedKeyFormat.
* agent/protect.c (agent_protect): Be safe and set use_ocb either to
to 1 or 0.
--

Extended key format is supported since version 2.1.12 which should have
long been replaced by a newer version in all installations.  Thus for
2.2.22 we will make use of the extended-key-format by default.

This is a backport of the commits:
05eff1f662
91ae3e7fb6

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-22 15:10:08 +02:00
Werner Koch
843890663b
gpgtar,w32: Handle Unicode file names.
* tools/gpgtar.c (oUtf8Strings): New.
(opts): Add option --utf8-strings.
(parse_arguments): Set option.
* tools/gpgtar.h (opt): Add field utf8strings.
* tools/gpgtar-create.c (name_to_utf8): New.
(fillup_entry_w32): Use that.
(scan_directory): Ditto.
(scan_directory) [W32]: Convert file name to utf8.
(gpgtar_create): Convert pattern.
--

Note that this works only with file names read from a file or if the
specified files on the command line are plain ascii.  When recursing
into a directory Unicode file names work again.  This limitation is
due to  main(int, char**) which can't get the wchar version.  We could
fix that but is needs a bit more work in our init code.

GnuPG-bug-id: 4083
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-22 14:38:20 +02:00
Werner Koch
77f97eec49
doc: Describe the relation between pubring.gpg and pubring.kbx
--
GnuPG-bug-id: 4958
2020-08-20 10:16:10 +02:00
Werner Koch
a4d73b1c8e
gpg: Fix regression for non-default --passphrase-repeat option.
* agent/command.c (cmd_get_passphrase): Take care of --repeat with
--newsymkey.
--

GnuPG-bug-id: 4997
2020-08-20 09:35:58 +02:00
Werner Koch
9c57de75cf
sm: Also show the SHA-256 fingerprint.
* sm/keylist.c (list_cert_colon): Emit a new "fp2" record.
(list_cert_raw): Print the SHA2 fingerprint.
(list_cert_std): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: e7d7092390

Here in 2.2 we keep the string "fingerprint:" and no not change it to
"sha1 fpr" as we did in master (2.3).
2020-08-04 11:15:47 +02:00
Werner Koch
5ade2b68db
doc: Minor enhancement for reproducibility.
* doc/Makefile.am (defsincdate): In no repo mode and with
SOURCE_DATE_EPOCH set, use that instead of blanking the date.
--

GnuPG-bug-id: 4947
2020-06-03 17:16:44 +02:00
Werner Koch
aec7d136e4
sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 19:07:36 +02:00
Werner Koch
1dfe71c62b
gpg: Support decryption of the new AEAD packet
* common/openpgpdefs.h (aead_algo_t): New.
(pkttype_t): Add PKT_ENCRYPTED_AEAD.
* g10/decrypt-data.c (struct decode_filter_context_s): Add fields for
AEAD.
(aead_set_nonce_and_ad): New.
(aead_checktag): New.
(decrypt_data): Support AEAD.
(aead_underflow): New.
(aead_decode_filter): New.
* g10/dek.h (DEK): Add field use_aead.  Turn use_mdc,
algo_info_printed, and symmetric into bit flags.
* g10/mainproc.c (struct mainproc_context): Add field
seen_pkt_encrypted_aead.
(release_list): Clear it.
(have_seen_pkt_encrypted_aead): New.
(symkey_decrypt_seskey): Support AEAD.
(proc_symkey_enc): Ditto.
(proc_encrypted): Ditto.
(proc_plaintext): Ditto.
* g10/misc.c (MY_GCRY_CIPHER_MODE_EAX): New.
(openpgp_aead_test_algo): New.
(openpgp_aead_algo_name): New.
(openpgp_aead_algo_info): New.
* g10/packet.h (PKT_symkey_enc): Add field use_aead.
(PKT_user_id): Add field flags.aead
(PKT_public_key): Ditto.
(PKT_encrypted): Add fields for AEAD.
* g10/parse-packet.c (parse): Handle PKT_ENCRYPTED_AEAD.
(parse_symkeyenc): Support AEAD.
(parse_encrypted): Ditto.
(dump_sig_subpkt): Dump AEAD preference packet.
(parse_encrypted_aead): New.
--

This patch allows to decrypt data encrypted using the new AEAD
mechanism as specified in rfc4880bis.  Although preferences are used
to enable this new mode, it is useful to have at least a decryption
option in case a user switches between GnuPG 2.2 and newer versions.

The new AEAD mechanism is much faster than the current CFB+MDC and
thus 2.2 will allow faster decryption of symmetric only decryption.

This patch is based on the current master (2.3) code base and includes
a few other patches.  In particular
commit 44be675b75
(gpg: More check for symmetric key encryption.)
is included.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 08:25:55 +02:00
Werner Koch
9497d25c56
scd: Factor common PIN status check out.
* scd/iso7816.h (ISO7816_VERIFY_ERROR): New.
(ISO7816_VERIFY_NO_PIN): New.
(ISO7816_VERIFY_BLOCKED): New.
(ISO7816_VERIFY_NULLPIN): New.
(ISO7816_VERIFY_NOT_NEEDED): New.
* scd/iso7816.c (iso7816_verify_status): New.
* scd/app-nks.c (get_chv_status): Use new function.
--

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master:
- Removed the non-existant app-piv.c patches.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:35:55 +02:00
Werner Koch
431b3e68e0
scd:openpgp: New attribute "MANUFACTURER".
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--

This will make it easy to maintain the list of OpenPGP vendors at just
one place.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master:

.. or well in master and 2.2

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:16:05 +02:00
Werner Koch
1424c12e4c
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>

(cherry picked from master)
2020-03-27 21:20:13 +01:00
Daniel Kahn Gillmor
b6d89d1944
gpg: Update --trusted-key to accept fingerprint as well as long key id.
* g10/trustdb.c (tdb_register_trusted_key): accept fingerprint as well
as long key ID.
* doc/gpg.texi: document that --trusted-key can accept a fingerprint.
--

GnuPG-bug-id: 4855
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Fixed uses or return and kept the old string to avoid breaking
translations.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 810ea2cc68)

Remove the test for FPRLEN which we do not have in 2.2

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-18 14:01:17 +01:00
Werner Koch
95b42278ca
gpg: New option --auto-key-import
* g10/gpg.c (opts): New options --auto-key-import,
--no-auto-key-import, and --no-include-key-block.
(gpgconf_list): Add them.
* g10/options.h (opt): Add field flags.auto_key_import.
* g10/mainproc.c (check_sig_and_print): Use flag to enable that
feature.
* tools/gpgconf-comp.c: Give the new options a Basic config level.
--

Note that the --no variants of the options are intended for easy
disabling at the command line.

GnuPG-bug-id: 4856
Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-14 20:07:37 +01:00
Werner Koch
d79ebee64e
gpg: New option --include-key-block.
* common/openpgpdefs.h (SIGSUBPKT_KEY_BLOCK): New.
* g10/gpg.c (oIncludeKeyBlock): New.
(opts): New option --include-key-block.
(main): Implement.
* g10/options.h (opt): New flag include_key_block.
* g10/parse-packet.c (dump_sig_subpkt): Support SIGSUBPKT_KEY_BLOCK.
(parse_one_sig_subpkt): Ditto.
(can_handle_critical): Ditto.
* g10/sign.c (mk_sig_subpkt_key_block): New.
(write_signature_packets): Call it for data signatures.
--

This patch adds support for a to be proposed OpenPGP ferature:

  Introduce the Key Block subpacket to align OpenPGP with CMS.

  This new subpacket may be used similar to the CertificateSet of
  CMS (RFC-5652) and thus allows to start encrypted communication
  after having received a signed message.  In practice a stripped down
  version of the key should be including having only the key material
  and the self-signatures which are really useful and shall be used by
  the recipient to reply encrypted.

  #### Key Block

  (1 octet with value 0, N octets of key data)

  This subpacket MAY be used to convey key data along with a signature
  of class 0x00, 0x01, or 0x02.  It MUST contain the key used to create
  the signature; either as the primary key or as a subkey.  The key
  SHOULD contain a primary or subkey capable of encryption and the
  entire key must be a valid OpenPGP key including at least one User ID
  packet and the corresponding self-signatures.

  Implementations MUST ignore this subpacket if the first octet does not
  have a value of zero or if the key data does not represent a valid
  transferable public key.

GnuPG-bug-id: 4856
Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-14 19:38:09 +01:00
Werner Koch
2baa00ea18
gpg: Add property "fpr" for use by --export-filter.
* g10/export.c (push_export_filters): New.
(pop_export_filters): New.
(export_pubkey_buffer): Add args prefix and prefixlen.  Adjust
callers.
* g10/import.c (impex_filter_getval): Add property "fpr".
* g10/main.h (struct impex_filter_parm_s): Add field hexfpr.
--

The push and pop feature will help us to use the export filter
internally in gpg.  Same for the export_pubkey_buffer change.

GnuPG-bug-id: 4856
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-14 19:15:00 +01:00
Nick Piper
60dbe08294 doc: Correction of typo in documentation of KEY_CONSIDERED
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 0e1cbabc0a)
2020-02-18 18:12:01 -05:00
Werner Koch
146dacd3b1
doc: Improve the warning section of the gpg man page.
* doc/gpg.texi: Update return value and warning sections.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 113a8288b8)
2020-02-10 17:14:43 +01:00
Werner Koch
b966d05837
doc: Removed the footnote that OpenPGP is not used with the keybox
--
GnuPG-bug-id: 4799
2020-01-08 13:32:23 +01:00
Werner Koch
dd373d4a27
doc,dirmngr: Clarify --standard-resolver.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c21267e1c7)
GnuPG-bug-id: 4547
2019-11-23 20:30:22 +01:00
Werner Koch
499cd4d2eb
doc: Clarify how to use --log-file in gpg.
--

Note that in 2.3 --batch is not anymore required.
2019-11-18 18:51:36 +01:00
Werner Koch
3efc94f1eb
dirmngr,gpg: Better diagnostic in case of bad TLS certificates.
* doc/DETAILS: Specify new status code "NOTE".
* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a
bad TLS certificate.
* g10/call-dirmngr.c (ks_status_cb): Detect this status.
--

For example a

  gpg -v --locate-external-keys dd9jn@posteo.net

now yields

  gpg: Note: server uses an invalid certificate
  gpg: (further info: bad cert for 'posteo.net': \
                      Hostname does not match the certificate)
  gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name
  gpg: error reading key: Wrong name

(without -v the "further info" line is not shown).  Note that even
after years Posteo is not able to provide a valid certificate for
their .net addresses.  Anyway, this help to show the feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-18 18:44:36 +01:00
Werner Koch
3b1fcf6523
gpg: Add option --allow-weak-key-signatures.
* g10/gpg.c (oAllowWeakKeySignatures): New.
(opts): Add --allow-weak-key-signatures.
(main): Set it.
* g10/options.h (struct opt): Add flags.allow_weak_key_signatures.
* g10/misc.c (print_sha1_keysig_rejected_note): New.
* g10/sig-check.c (check_signature_over_key_or_uid): Print note and
act on new option.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e624c41dba)
2019-11-11 12:29:18 +01:00
Werner Koch
1d83f92fa9
doc: Improved description of status PLAINTEXT_LENGTH.
--

GnuPG-bug-id: 4741
2019-11-07 15:46:00 +01:00