mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-23 10:29:58 +01:00
7777e68d04
* agent/command.c (cmd_import_key): Add option --unattended. * agent/cvt-openpgp.c (convert_transfer_key): New. (do_unprotect): Factor some code out to ... (prepare_unprotect): new function. (convert_from_openpgp): Factor all code out to ... (convert_from_openpgp_main): this. Add arg 'passphrase'. Implement openpgp-native protection modes. (convert_from_openpgp_native): New. * agent/t-protect.c (convert_from_openpgp_native): New dummy fucntion * agent/protect-tool.c (convert_from_openpgp_native): Ditto. * agent/protect.c (agent_unprotect): Add arg CTRL. Adjust all callers. Support openpgp-native protection. * g10/call-agent.c (agent_import_key): Add arg 'unattended'. * g10/import.c (transfer_secret_keys): Use unattended in batch mode. -- With the gpg-agent taking care of the secret keys, the user needs to migrate existing keys from secring.gpg to the agent. This and also the standard import of secret keys required the user to unprotect the secret keys first, so that gpg-agent was able to re-protected them using its own scheme. With many secret keys this is quite some usability hurdle. In particular if a passphrase is not instantly available. To make this migration smoother, this patch implements an unattended key import/migration which delays the conversion to the gpg-agent format until the key is actually used. For example: gpg2 --batch --import mysecretkey.gpg works without any user interaction due to the use of --batch. Now if a key is used (e.g. "gpg2 -su USERID_FROM_MYSECRETKEY foo"), gpg-agent has to ask for the passphrase anyway, converts the key from the openpgp format to the internal format, signs, re-encrypts the key and tries to store it in the gpg-agent format to the disk. The next time, the internal format of the key is used. This patch has only been tested with the old demo keys, more tests with other protection formats and no protection are needed. Signed-off-by: Werner Koch <wk@gnupg.org>
207 lines
8.2 KiB
Plaintext
207 lines
8.2 KiB
Plaintext
The GNU Privacy Guard 2
|
|
=========================
|
|
Version 2.1
|
|
|
|
THIS IS A DEVELOPMENT VERSION AND NOT INTENDED FOR REGULAR USE.
|
|
|
|
Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
|
|
2006, 2007, 2008, 2009, 2010, 2011, 2012,
|
|
2013 Free Software Foundation, Inc.
|
|
|
|
|
|
INTRODUCTION
|
|
============
|
|
|
|
GnuPG is GNU's tool for secure communication and data storage. It can
|
|
be used to encrypt data and to create digital signatures. It includes
|
|
an advanced key management facility and is compliant with the proposed
|
|
OpenPGP Internet standard as described in RFC4880 and the S/MIME
|
|
standard as described by several RFCs.
|
|
|
|
GnuPG is distributed under the terms of the GNU General Public
|
|
License. See the file COPYING for details. GnuPG works best on
|
|
GNU/Linux or *BSD systems. Most other Unices are also supported but
|
|
are not as well tested as the Free Unices.
|
|
|
|
GnuPG 2.0 is the stable version of GnuPG integrating support for
|
|
OpenPGP and S/MIME. It does not conflict with an installed 1.4
|
|
OpenPGP-only version.
|
|
|
|
|
|
BUILD INSTRUCTIONS
|
|
==================
|
|
|
|
GnuPG 2.1 depends on the following packages:
|
|
|
|
npth (ftp://ftp.gnupg.org/gcrypt/npth/)
|
|
libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
|
|
libgcrypt (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
|
|
libksba (ftp://ftp.gnupg.org/gcrypt/libksba/)
|
|
libassuan (ftp://ftp.gnupg.org/gcrypt/libassuan/)
|
|
|
|
You should get the latest versions of course, the GnuPG configure
|
|
script complains if a version is not sufficient.
|
|
|
|
You also need the Pinentry package for most functions of GnuPG;
|
|
however it is not a build requirement. Pinentry is available at
|
|
ftp://ftp.gnupg.org/gcrypt/pinentry/ .
|
|
|
|
After building and installing the above packages in the order as given
|
|
above, you may continue with GnuPG installation (you may also just try
|
|
to build GnuPG to see whether your already installed versions are
|
|
sufficient).
|
|
|
|
As with all packages, you just have to do
|
|
|
|
./configure
|
|
make
|
|
make install
|
|
|
|
(Before doing install you might need to become root.)
|
|
|
|
If everything succeeds, you have a working GnuPG with support for
|
|
S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
|
|
that this package won't conflict with a GnuPG 1.4 installation. gpg2
|
|
behaves just like gpg.
|
|
|
|
In case of problem please ask on gnupg-users@gnupg.org mailing list
|
|
for advise.
|
|
|
|
Note that the PKITS tests are always skipped unless you copy the PKITS
|
|
test data file into the tests/pkits directory. There is no need to
|
|
run these test and some of them may even fail because the test scripts
|
|
are not yet complete.
|
|
|
|
You may run
|
|
|
|
gpgconf --list-dirs
|
|
|
|
to view the default directories used by GnuPG.
|
|
|
|
|
|
MIGRATION FROM 1.4 or 2.0 to 2.1
|
|
================================
|
|
|
|
The major change in 2.1 is gpg-agent taking care of the OpenPGP secret
|
|
keys (those managed by GPG). The former file "secring.gpg" will not
|
|
be used anymore. Newly generated keys are stored in the agent's key
|
|
store directory "~/.gnupg/private-keys-v1.d/".
|
|
|
|
To migrate your existing keys you need to run the command
|
|
|
|
gpg2 --batch --import ~/.gnupg/secring.gpg
|
|
|
|
Secret keys already imported are skipped by this command. It is
|
|
advisable to keep the secring.gpg for use with older versions of GPG.
|
|
|
|
The use of "--batch" with "--import" is highly recommended. If you do
|
|
not use "--batch" the agent would ask for the passphrase of each key.
|
|
In this case you may use the Cancel button of the Pinentry to skip
|
|
importing this key. If you want to stop the enite import process and
|
|
you use a decent version of Pinentry, you should close the Pinentry
|
|
window instead of hitting the Cancel button.
|
|
|
|
Note that gpg-agent now uses a fixed socket by default. All tools
|
|
will start the gpg-agent as needed. In general there is no more need
|
|
to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK
|
|
environment variable should be set to a fixed value.
|
|
|
|
GPG's smartcard commands --card-edit and --card-status as well as some
|
|
of the card related sub-commands of --edit-key are not yet fully
|
|
supported. However, signing and decryption with a smartcard does
|
|
work.
|
|
|
|
The Dirmngr is now part of GnuPG proper. Thus there is no more need
|
|
to install the separate dirmngr package. The directroy layout of
|
|
Dirmngr changed to make use of the GnuPG directories; for example you
|
|
use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr
|
|
needs to be started as a system daemon.
|
|
|
|
|
|
|
|
DOCUMENTATION
|
|
=============
|
|
|
|
The complete documentation is in the texinfo manual named
|
|
`gnupg.info'. Run "info gnupg" to read it. If you want a a printable
|
|
copy of the manual, change to the "doc" directory and enter "make pdf"
|
|
For a HTML version enter "make html" and point your browser to
|
|
gnupg.html/index.html. Standard man pages for all components are
|
|
provided as well. An online version of the manual is available at
|
|
http://www.gnupg.org/documentation/manuals/gnupg/ . A version of the
|
|
manual pertaining to the current development snapshot is at
|
|
http://www.gnupg.org/documentation/manuals/gnupg-devel/ .
|
|
|
|
|
|
GNUPG 1.4 AND GNUPG 2.0
|
|
=======================
|
|
|
|
GnuPG 2.0 is a newer version of GnuPG with additional support for
|
|
S/MIME. It has a different design philosophy that splits
|
|
functionality up into several modules. Both versions may be installed
|
|
simultaneously without any conflict (gpg is called gpg2 in GnuPG 2).
|
|
In fact, the gpg version from GnuPG 1.4 is able to make use of the
|
|
gpg-agent as included in GnuPG 2 and allows for seamless passphrase
|
|
caching. The advantage of GnuPG 1.4 is its smaller size and no
|
|
dependency on other modules at run and build time.
|
|
|
|
|
|
HOW TO GET MORE INFORMATION
|
|
===========================
|
|
|
|
The primary WWW page is "http://www.gnupg.org"
|
|
The primary FTP site is "ftp://ftp.gnupg.org/gcrypt/"
|
|
|
|
See http://www.gnupg.org/download/mirrors.html for a list of mirrors
|
|
and use them if possible. You may also find GnuPG mirrored on some of
|
|
the regular GNU mirrors.
|
|
|
|
We have some mailing lists dedicated to GnuPG:
|
|
|
|
gnupg-announce@gnupg.org For important announcements like new
|
|
versions and such stuff. This is a
|
|
moderated list and has very low traffic.
|
|
Do not post to this list.
|
|
|
|
gnupg-users@gnupg.org For general user discussion and
|
|
help (English).
|
|
|
|
gnupg-de@gnupg.org German speaking counterpart of
|
|
gnupg-users.
|
|
|
|
gnupg-ru@gnupg.org Russian speaking counterpart of
|
|
gnupg-users.
|
|
|
|
gnupg-devel@gnupg.org GnuPG developers main forum.
|
|
|
|
You subscribe to one of the list by sending mail with a subject of
|
|
"subscribe" to x-request@gnupg.org, where x is the name of the mailing
|
|
list (gnupg-announce, gnupg-users, etc.). An archive of the mailing
|
|
lists are available at http://www.gnupg.org/documentation/mailing-lists.html
|
|
|
|
Please direct bug reports to http://bugs.gnupg.org or post them direct
|
|
to the mailing list <gnupg-devel@gnupg.org>.
|
|
|
|
Please direct questions about GnuPG to the users mailing list or one
|
|
of the pgp newsgroups; please do not direct questions to one of the
|
|
authors directly as we are busy working on improvements and bug fixes.
|
|
The English and German mailing lists are watched by the authors and we
|
|
try to answer questions when time allows us to do so.
|
|
|
|
Commercial grade support for GnuPG is available; for a listing of
|
|
offers see http://www.gnupg.org/service.html . The driving force
|
|
behind the development of GnuPG is the company of its principal
|
|
author, Werner Koch. Maintenance and improvement of GnuPG and related
|
|
software takes up most of their resources. To allow him to continue
|
|
his work he asks to either purchase a support contract, engage them
|
|
for custom enhancements, or to donate money. See http://g10code.com .
|
|
|
|
|
|
This file is Free Software; as a special exception the authors gives
|
|
unlimited permission to copy and/or distribute it, with or without
|
|
modifications, as long as this notice is preserved. For conditions
|
|
of the whole package, please see the file COPYING. This file is
|
|
distributed in the hope that it will be useful, but WITHOUT ANY
|
|
WARRANTY, to the extent permitted by law; without even the implied
|
|
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|