From 9214e1b282100980789bd6eb9c9940ed02689c2d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sat, 19 Oct 2002 07:55:27 +0000 Subject: Merged Top directory of NewPG with GnuPG. --- README | 802 +++++++++++++++++++++-------------------------------------------- 1 file changed, 261 insertions(+), 541 deletions(-) (limited to 'README') diff --git a/README b/README index da477639d..93dc1c8f0 100644 --- a/README +++ b/README 
@@ -1,652 +1,372 @@ +NewPG is a temporary protect to work on GnuPG extensions. It will be +merged into the regular GnuPG sources for a GnuPG 2.0 release. - GnuPG - The GNU Privacy Guard - ------------------------------- - Version 1.3 +jnlib/ utility functions +assuan/ assuan protocol library +kbx/ keybox library +sm/ the gpgsm program +agent/ the gpg-agent +scd/ the smartcard daemon - Copyright 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc. +Libksba and Libgcrypt are required to build it. - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. +Assuan and Keybox are both designed to be source include-able. - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +A texinfo manual `gnupg.info' will get installed. Some commands and +options given below. - Intro - ----- +COMMANDS +======== - GnuPG is GNU's tool for secure communication and data storage. - It can be used to encrypt data and to create digital signatures. - It includes an advanced key management facility and is compliant - with the proposed OpenPGP Internet standard as described in RFC2440. +gpgsm: +------ - GnuPG works best on GNU/Linux or *BSD systems. Most other Unices - are also supported but are not as well tested as the Free Unices. - See http://www.gnupg.org/gnupg.html#supsys for a list of systems - which are known to work. +--learn-card - See the file COPYING for copyright and warranty information. + Read tinformation about the private keys from the smartcard and + import the certificates from there. - Because GnuPG does not use use any patented algorithm it cannot be - compatible with PGP2 versions. PGP 2.x uses IDEA (which is patented - worldwide). 
+--export - The default algorithms are DSA and ElGamal, but RSA is also - supported. ElGamal for signing is available, but because of the - larger size of such signatures it is deprecated (Please note that - the GnuPG implementation of ElGamal signatures is *not* insecure). - Symmetric algorithms are: AES, 3DES, Blowfish, CAST5 and Twofish. - Digest algorithms available are MD5, RIPEMD160 and SHA1. + Export all certificates storein the Keybox or those specified on + the commandline. When using --armor a few informational lines are + prepended before each block. - Installation - ------------ - Please read the file INSTALL and the sections in this file - related to the installation. Here is a quick summary: +OPTIONS +======= - 1) Check that you have unmodified sources. See below on how to do - this. Don't skip it - this is an important step! +gpgsm: +------ - 2) Unpack the TAR. With GNU tar you can do it this way: - "tar xzvf gnupg-x.y.z.tar.gz" +--include-certs - 3) "cd gnupg-x.y.z" + Using N of -2 includes all certificate except for the Root cert, + -1 includes all certs, 0 does not include any certs, 1 includes only + the signers cert (this is the default) and all other positives + values include up to N certs starting with the signer cert. + +--policy-file - 4) "./configure" + Chnage the deault name of the policy file - 5) "make" +--enable-policy-checks +--disable-policy-checks - 6) "make install" + By default policy checks are enabled. These options may be used to + change it. - 7) You end up with a "gpg" binary in /usr/local/bin. +--enable-crl-checks +--disable-crl-checks - 8) To avoid swapping out of sensitive data, you can install "gpg" as - suid root. If you don't do so, you may want to add the option - "no-secmem-warning" to ~/.gnupg/gpg.conf + By default the CRL checks are enabled and the DirMngr is used to + check for revoked certificates. The disable option is most useful + with a off-line connection to suppres this check. 
+--agent-program - How to Verify the Source - ------------------------ - In order to check that the version of GnuPG which you are going to - install is an original and unmodified one, you can do it in one of - the following ways: + Specify an agent program to be used for secret key operations. The + default value is "../agent/gpg-agent". This is only used as a + fallback when the envrionment varaibale GPG_AGENT_INFO is not set or + a running agent can't be connected. + +--dirmngr-program - a) If you already have a trusted Version of GnuPG installed, you - can simply check the supplied signature: + Specify a dirmngr program to be used for CRL checks. The default + value is "/usr/sbin/dirmngr". This is only used as a fallback when + the envrionment varaibale DIRMNGR_INFO is not set or a running + dirmngr can't be connected. - $ gpg --verify gnupg-x.y.z.tar.gz.asc +--no-secmem-warning - This checks that the detached signature gnupg-x.y.z.tar.gz.asc - is indeed a a signature of gnupg-x.y.z.tar.gz. The key used to - create this signature is: + Don't print the warning "no secure memory" - "pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) " +--armor - If you do not have this key, you can get it from the source in - the file doc/samplekeys.asc (use "gpg --import doc/samplekeys.asc" - to add it to the keyring) or from any keyserver. You have to - make sure that this is really the key and not a faked one. You - can do this by comparing the output of: + Create PEM ecoded output. Default is binary output. - $ gpg --fingerprint 0x57548DCD +--base64 - with the fingerprint published elsewhere. + Create Base-64 encoded output; i.e. PEM without the header lines. - Please note, that you have to use an old version of GnuPG to - do all this stuff. *Never* use the version which you are going - to check! +--assume-armor + Assume the input data is PEM encoded. Default is to autodetect the + encoding but this is may fail. 
- b) If you don't have any of the above programs, you have to verify - the MD5 checksum: +--assume-base64 - $ md5sum gnupg-x.y.z.tar.gz + Assume the input data is plain base-64 encoded. - This should yield an output _similar_ to this: +--assume-binary - fd9351b26b3189c1d577f0970f9dcadc gnupg-x.y.z.tar.gz + Assume the input data is binary encoded. - Now check that this checksum is _exactly_ the same as the one - published via the announcement list and probably via Usenet. +--server + Run in server mode. This is used by GPGME to control gpgsm. See + the assuan specification regarding gpgsm about the used protocol. + Some options are ignored in server mode. +--local-user - Documentation - ------------- - The manual will be distributed separate under the name "gph". - An online version of the latest manual draft is available at the - GnuPG web pages: + Set the user to be used for signing. The default is the first + secret key found in the database. - http://www.gnupg.org/gph/ +--with-key-data - A list of frequently asked questions is available in GnuPG's - distibution in the file doc/FAQ and online as: + Displays extra information with the --list-keys commands. Especiall + a line tagged "grp" si printed which tells you the keygrip of a + key. This is string is for example used as the filename of the + secret key. - http://www.gnupg.org/faq.html - A couple of HOWTO documents are available online; for a listing see: - http://www.gnupg.org/docs.html#howtos +gpg-agent: +--------- - A man page with a description of all commands and options gets installed - along with the program. +--pinentry-program + Specify the PINentry program. The default value is + "../../pinentry/kpinentry/kpinentry" so you most likely want to + specify it. - Introduction - ------------ - Here is a brief overview on how to use GnuPG - it is strongly suggested - that you read the manual and other information about the use of - cryptography. 
GnuPG is only a tool, secure usage requires that - YOU KNOW WHAT YOU ARE DOING. +--no-grab - If you already have a DSA key from PGP 5 (they call them DH/ElGamal) - you can simply copy the pgp keyrings over the GnuPG keyrings after - running gpg once to create the correct directory. + Tel the pinentry not to grab keybourd and mouse. You most likely + want to give this option during testing and development to avoid + lockups in case of bugs. - The normal way to create a key is + - gpg --gen-key - This asks some questions and then starts key generation. To create - good random numbers for the key parameters, GnuPG needs to gather - enough noise (entropy) from your system. If you see no progress - during key generation you should start some other activities such - as mouse moves or hitting on the CTRL and SHIFT keys. - Generate a key ONLY on a machine where you have direct physical - access - don't do it over the network or on a machine used also - by others - especially if you have no access to the root account. +FILES +===== - When you are asked for a passphrase use a good one which you can - easy remember. Don't make the passphrase too long because you have - to type it for every decryption or signing; but, - AND THIS IS VERY - IMPORTANT - use a good one that is not easily to guess because the - security of the whole system relies on your secret key and the - passphrase that protects it when someone gains access to your secret - keyring. A good way to select a passphrase is to figure out a short - nonsense sentence which makes some sense for you and modify it by - inserting extra spaces, non-letters and changing the case of some - characters - this is really easy to remember especially if you - associate some pictures with it. +The default home directory is ~/.gnupg. It can be changed by +either the --homedir option or by seting the environment variable +GNUPGHOME. 
This is a list of files usually found in this directory: - Next, you should create a revocation certificate in case someone - gets knowledge of your secret key or you forgot your passphrase +gpgsm.conf - gpg --gen-revoke your_user_id + Options for gpgsm. Options are the same as the command line + options but don't enter the leading dashes and give arguments + without an equal sign. Blank lines and lines starting with a + hash mark as the first non whitye space character are ignored. - Run this command and store the revocation certificate away. The output - is always ASCII armored, so that you can print it and (hopefully - never) re-create it if your electronic media fails. +gpg-agent.conf + + Options for gpg-agent - Now you can use your key to create digital signatures +scdaemon.conf - gpg -s file + Options for scdaemon. - This creates a file "file.gpg" which is compressed and has a - signature attached. +dirmngr.conf - gpg -sa file + Options for the DirMngr which is not part of this package and + the option file wilol most likely be moved to /etc - Same as above, but creates a file "file.asc" which is ASCII armored - and and ready for sending by mail. It is better to use your - mailers features to create signatures (The mailer uses GnuPG to do - this) because the mailer has the ability to MIME encode such - signatures - but this is not a security issue. +gpg.conf + + Options for gpg. Note that old versions of gpg use the + filename `options' instead of `gpg.conf'. - gpg -s -o out file +policies.txt - Creates a signature of "file", but writes the output to the file - "out". + A list of allowed CA policies. This file should give the + object identifiers of the policies line by line. emptry lines + and lines startung with a hash mark are ignored. 
- Everyone who knows your public key (you can and should publish - your key by putting it on a key server, a web page or in your .plan - file) is now able to check whether you really signed this text + ++++++++++ + 2.289.9.9 + ++++++++++ - gpg --verify file +trustlist.txt - GnuPG now checks whether the signature is valid and prints an - appropriate message. If the signature is good, you know at least - that the person (or machine) has access to the secret key which - corresponds to the published public key. + A list of trusted certificates usually maintained by + gpg-agent. It can however be edited manually. The file will + be created automagically with some explaining comments. - If you run gpg without an option it will verify the signature and - create a new file that is identical to the original. gpg can also - run as a filter, so that you can pipe data to verify trough it +random_seed - cat signed-file | gpg | wc -l + Used internally for keeping the state of the RNG over + invocations. - which will check the signature of signed-file and then display the - number of lines in the original file. +pubring.kbx - To send a message encrypted to someone you can use + The database file with the certificates. - gpg -e -r heine file +pubring.gpg - This encrypts "file" with the public key of the user "heine" and - writes it to "file.gpg" + The database file with the OpenPGP public keys. This will + eventually be merged with pubring.kbx - echo "hello" | gpg -ea -r heine | mail heine - - Ditto, but encrypts "hello\n" and mails it as ASCII armored message - to the user with the mail address heine. - - gpg -se -r heine file - - This encrypts "file" with the public key of "heine" and writes it - to "file.gpg" after signing it with your user id. - - gpg -se -r heine -u Suttner file - - Ditto, but sign the file with your alternative user id "Suttner" - - - GnuPG has some options to help you publish public keys. 
This is - called "exporting" a key, thus - - gpg --export >all-my-keys - - exports all the keys in the keyring and writes them (in a binary - format) to "all-my-keys". You may then mail "all-my-keys" as an - MIME attachment to someone else or put it on an FTP server. To - export only some user IDs, you give them as arguments on the command - line. - - To mail a public key or put it on a web page you have to create - the key in ASCII armored format - - gpg --export --armor | mail panther@tiger.int - - This will send all your public keys to your friend panther. - - If you have received a key from someone else you can put it - into your public keyring. This is called "importing" - - gpg --import [filenames] - - New keys are appended to your keyring and already existing - keys are updated. Note that GnuPG does not import keys that - are not self-signed. - - Because anyone can claim that a public key belongs to her - we must have some way to check that a public key really belongs - to the owner. This can be achieved by comparing the key during - a phone call. Sure, it is not very easy to compare a binary file - by reading the complete hex dump of the file - GnuPG (and nearly - every other program used for management of cryptographic keys) - provides other solutions. - - gpg --fingerprint - - prints the so called "fingerprint" of the given username which - is a sequence of hex bytes (which you may have noticed in mail - sigs or on business cards) that uniquely identifies the public - key - different keys will always have different fingerprints. - It is easy to compare fingerprints by phone and I suggest - that you print your fingerprint on the back of your business - card. To see the fingerprints of the secondary keys, you can - give the command twice; but this is normally not needed. - - If you don't know the owner of the public key you are in trouble. 
- Suppose however that friend of yours knows someone who knows someone - who has met the owner of the public key at some computer conference. - Suppose that all the people between you and the public key holder - may now act as introducers to you. Introducers signing keys thereby - certify that they know the owner of the keys they sign. If you then - trust all the introducers to have correctly signed other keys, you - can be be sure that the other key really belongs to the one who - claims to own it.. - - There are 2 steps to validate a key: - 1. First check that there is a complete chain - of signed keys from the public key you want to use - and your key and verify each signature. - 2. Make sure that you have full trust in the certificates - of all the introduces between the public key holder and - you. - Step 2 is the more complicated part because there is no easy way - for a computer to decide who is trustworthy and who is not. GnuPG - leaves this decision to you and will ask you for a trust value - (here also referenced as the owner-trust of a key) for every key - needed to check the chain of certificates. You may choose from: - a) "I don't know" - then it is not possible to use any - of the chains of certificates, in which this key is used - as an introducer, to validate the target key. Use this if - you don't know the introducer. - b) "I do not trust" - Use this if you know that the introducer - does not do a good job in certifying other keys. The effect - is the same as with a) but for a) you may later want to - change the value because you got new information about this - introducer. - c) "I trust marginally" - Use this if you assume that the - introducer knows what he is doing. Together with some - other marginally trusted keys, GnuPG validates the target - key then as good. - d) "I fully trust" - Use this if you really know that this - introducer does a good job when certifying other keys. 
- If all the introducer are of this trust value, GnuPG - normally needs only one chain of signatures to validate - a target key okay. (But this may be adjusted with the help - of some options). - This information is confidential because it gives your personal - opinion on the trustworthiness of someone else. Therefore this data - is not stored in the keyring but in the "trustdb" - (~/.gnupg/trustdb.gpg). Do not assign a high trust value just - because the introducer is a friend of yours - decide how well she - understands the implications of key signatures and you may want to - tell her more about public key cryptography so you can later change - the trust value you assigned. - - Okay, here is how GnuPG helps you with key management. Most stuff - is done with the --edit-key command - - gpg --edit-key - - GnuPG displays some information about the key and then prompts - for a command (enter "help" to see a list of commands and see - the man page for a more detailed explanation). To sign a key - you select the user ID you want to sign by entering the number - that is displayed in the leftmost column (or do nothing if the - key has only one user ID) and then enter the command "sign" and - follow all the prompts. When you are ready, give the command - "save" (or use "quit" to cancel your actions). - - If you want to sign the key with another of your user IDs, you - must give an "-u" option on the command line together with the - "--edit-key". - - Normally you want to sign only one user ID because GnuPG - uses only one and this keeps the public key certificate - small. Because such key signatures are very important you - should make sure that the signatories of your key sign a user ID - which is very likely to stay for a long time - choose one with an - email address you have full control of or do not enter an email - address at all. 
In future GnuPG will have a way to tell which - user ID is the one with an email address you prefer - because - you have no signatures on this email address it is easy to change - this address. Remember, your signatories sign your public key (the - primary one) together with one of your user IDs - so it is not possible - to change the user ID later without voiding all the signatures. - - Tip: If you hear about a key signing party on a computer conference - join it because this is a very convenient way to get your key - certified (But remember that signatures have nothing to to with the - trust you assign to a key). - - - 8 Ways to Specify a User ID - -------------------------- - There are several ways to specify a user ID, here are some examples. - - * Only by the short keyid (prepend a zero if it begins with A..F): - - "234567C4" - "0F34E556E" - "01347A56A" - "0xAB123456 - - * By a complete keyid: - - "234AABBCC34567C4" - "0F323456784E56EAB" - "01AB3FED1347A5612" - "0x234AABBCC34567C4" - - * By a fingerprint: - - "1234343434343434C434343434343434" - "123434343434343C3434343434343734349A3434" - "0E12343434343434343434EAB3484343434343434" - - The first one is MD5 the others are ripemd160 or sha1. - - * By an exact string: - - "=Heinrich Heine " - - * By an email address: - - "" - - * By word match - - "+Heinrich Heine duesseldorf" - - All words must match exactly (not case sensitive) and appear in - any order in the user ID. Words are any sequences of letters, - digits, the underscore and characters with bit 7 set. - - * Or by the usual substring: - - "Heine" - "*Heine" - - The '*' indicates substring search explicitly. - - - Batch mode - ---------- - If you use the option "--batch", GnuPG runs in non-interactive mode and - never prompts for input data. This does not even allow entering the - passphrase. Until we have a better solution (something like ssh-agent), - you can use the option "--passphrase-fd n", which works like PGP's - PGPPASSFD. 
+secring.gpg - Batch mode also causes GnuPG to terminate as soon as a BAD signature is - detected. + The database file with the OpenPGP secret keys. This will be + removed when gpg is changed to make use of the gpg-agent. - Exit status - ----------- - GnuPG returns with an exit status of 1 if in batch mode and a bad signature - has been detected or 2 or higher for all other errors. You should parse - stderr or, better, the output of the fd specified with --status-fd to get - detailed information about the errors. +private-keys-v1.d/ + Directory holding the private keys maintained by gpg-agent. + For detailed info see agent/keyformat.txt. Note that there is + a helper tool gpg-protect-tool which may be used to protect or + unprotect keys. This is however nothing a user should care + about. - Configure options - ----------------- - Here is a list of configure options which are sometime useful - for installation. - --enable-static-rnd= - Force the use of the random byte gathering - module . Default is either to use /dev/random - or the auto mode. Value for name: - egd - Use the module which accesses the - Entropy Gathering Daemon. See the webpages - for more information about it. - unix - Use the standard Unix module which does not - have a very good performance. - linux - Use the module which accesses /dev/random. - This is the first choice and the default one - for GNU/Linux or *BSD. - auto - Compile linux, egd and unix in and - automagically select at runtime. - - --with-egd-socket= - This is only used when EGD is used as random - gatherer. GnuPG uses by default "~/.gnupg/entropy" - as the socket to connect EGD. Using this option the - socket name can be changed. You may use any filename - here with 2 exceptions: a filename starting with - "~/" uses the socket in the homedirectory of the user - and one starting with a "=" uses a socket in the - GnuPG homedirectory which is bye default "~/.gnupg". - - --with-included-zlib - Forces usage of the local zlib sources. 
Default is - to use the (shared) library of the system. - - --with-included-gettext - Forces usage of the local gettext sources instead of - the one provided by your system. - - --disable-nls - Disable NLS support (See the file ABOUT-NLS) - - --enable-m-guard - Enable the integrated malloc checking code. Please - note that this feature does not work on all CPUs - (e.g. SunOS 5.7 on UltraSparc-2) and might give - you a bus error. - - --disable-dynload - If you have problems with dynamic loading, this - option disables all dynamic loading stuff. Note - that the use of dynamic linking is very limited. - - --disable-asm - Do not use assembler modules. It is not possible - to use this on some CPU types. - - --disable-exec - Disable all remote program execution. This - disables photo ID viewing as well as all keyserver - types aside from HKP. - - --disable-photo-viewers - Disable only photo ID viewing. - - --disable-keyserver-helpers - Disable only keyserver helpers (not including - HKP). - - --disable-keyserver-path - Disables the user's ability to use the exec-path - feature to add additional search directories when - executing a keyserver helper. - - --with-photo-viewer=FIXED_VIEWER - Force the photo viewer to be FIXED_VIEWER and - disable any ability for the user to change it in - their options file. +How to specify a user ID +======================== + +Due to the way X.509 certificates are made up we need a few new ways +to specify a certificate (aka key in OpenPGP). In addition to the +ways a user ID can be specified with gpg, I have implemented 3 new +modes for gpgsm, here is the entire list of ways to specify a key: + + * By keyID. + + This format is deducded from the length of the string and its + content or "0x" prefix. For use with OpenPGP a exclamation mark may + be appended to force use of the specified (sub)key. + + As with v34 OpenPGP keys, the keyID of an X509 certificate are the + low 64 bits of the SHA-1 fingerprint. 
The use of keyIDs is just a + shortcut, for all automated processing the fingerprint should be + used. + + Examples: + + 234567C4 + 0F34E556E + 01347A56A + 0xAB123456 + + 234AABBCC34567C4 + 0F323456784E56EAB + 01AB3FED1347A5612 + 0x234AABBCC34567C4 + + * By fingerprint + + This is format is deduced from the length of the string and its + content or "0x" prefix. Note, that only the 20 byte fingerprint is + used with GPGSM (SHA-1 hash of the certificate). For use with + OpenPGP a exclamation mark may be appended to force use of the + specified (sub)key. + + Examples: + + 1234343434343434C434343434343434 + 123434343434343C3434343434343734349A3434 + 0E12343434343434343434EAB3484343434343434 + 0xE12343434343434343434EAB3484343434343434 + + * Exact match on OpenPGP user ID + + This is denoted by a leading equal sign. It does not make much + sense for X.509. + + Example: + + =Heinrich Heine + + * Exact match on an email address. + + This is indicated by enclosing the email address in the usual way + with left and right angles + + Example: + + + + * Word match + All words must match exactly (not case sensitive) but can appear in + any order in the user ID or a subjects name. Words are any + sequences of letters, digits, the underscore and all characters + with bit 7 set. - Installation Problems - --------------------- - If you get unresolved externals "gettext" you should run configure - again with the option "--with-included-gettext"; this is version - 0.10.35 which is available at alpha.gnu.org. - - If you have other compile problems, try the configure options - "--with-included-zlib" or "--disable-nls" (See ABOUT-NLS) or - --disable-dynload. + Example: - We can't check all assembler files, so if you have problems - assembling them (or the program crashes) use --disable-asm with - ./configure. The configure scripts may consider several - subdirectories to get all available assembler files; be sure to - delete the correct ones. 
The assembler replacements are in C and - in mpi/generic; never delete udiv-qrnnd.S in any CPU directory, - because there may be no C substitute. Don't forget to delete - "config.cache" and run "./config.status --recheck". + +Heinrich Heine duesseldorf - Some make tools are broken - the best solution is to use GNU's - make. Try gmake or grab the sources from a GNU archive and - install them. + * [NEW] Exact match by subject's DN - On some OSF systems you may get unresolved externals. This is a - libtool problem and the workaround is to manually remove all the - "-lc -lz" but the last one from the linker line and execute them - manually. - - On some architectures you see warnings like: - longlong.h:175: warning: function declaration isn't a prototype - or - http.c:647: warning: cast increases required alignment of target type - This doesn't matter and we know about it (actually it is due to - some warning options which we have enabled for gcc) - - - Specific problems on some machines - ---------------------------------- - - * IBM RS/6000 running AIX: - - Due to a change in gcc (since version 2.8) the MPI stuff may - not build. In this case try to run configure using: - CFLAGS="-g -O2 -mcpu=powerpc" ./configure + This is indicated by a leading slash, directly followed by the + rfc2253 encoded DN of the subject. - * Compaq C V6.2 for alpha: + Example: - You may want to use the option "-msg-disable ptrmismatch1" - to get rid of the sign/unsigned char mismatch warnings. + /CN=Henrich Heine,O=Poets,L=Paris,C=FR - * SVR4.2 (ESIX V4.2 cc) + * [NEW] Excact match by issuer's DN - Due to problems with the ESIX as, you probably want to do - CFLAGS="-O -K pentium" ./configure --disable-asm - Reported by Reinhard Wobst. + This is indicated by a leading hash mark, directly followed by a + slash and then directly followed by the rfc2253 encoded DN of the + issuer. 
This should return the Root cert of the issuer + Example: + #/CN=Root Cert,O=Poets,L=Paris,C=FR - The Random Device - ----------------- + * [NEW] Exact match by serial number and subject's DN - Random devices are available in Linux, FreeBSD and OpenBSD. - Operating systems without a random devices must use another - entropy collector. + This is indicated by a hash mark, followed by the hexadecmal + representation of the serial number, the followed by a slahs and + the RFC2253 encoded DN of the issuer. - This collector works by running a lot of commands that yield more - or less unpredictable output and feds this as entropy into the - random generator - It should work reliably but you should check - whether it produces good output for your version of Unix. There - are some debug options to help you (see cipher/rndunix.c). + Example: + #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR - Creating an RPM package - ----------------------- - The file scripts/gnupg.spec is used to build a RPM package (both - binary and src): - 1. copy the spec file into /usr/src/redhat/SPECS - 2. copy the tar file into /usr/src/redhat/SOURCES - 3. type: rpm -ba SPECS/gnupg.spec + * Substring match - Or use the -t (--tarbuild) option of rpm: - 1. rpm -ta gnupg-x.x.x.tar.gz + By case insensitive substring matching. This is the default mode + but applications may want to explicitly indicate this by putting + the asterisk in front. - The binary rpm file can now be found in /usr/src/redhat/RPMS, source - rpm in /usr/src/redhat/SRPMS + Example: + Heine + *Heine - How to Get More Information - --------------------------- - The primary WWW page is "http://www.gnupg.org" - The primary FTP site is "ftp://ftp.gnupg.org/gcrypt/" +Please note that we have reused the hash mark indentifier which was +used in old GnuPG versions to indicate the so called local-id. It is +not anymore used and there should be no conflict when used with X.509 +stuff. 
- See http://www.gnupg.org/mirrors.html for a list of mirrors - and use them if possible. You may also find GnuPG mirrored on - some of the regular GNU mirrors. +Using the rfc2253 format of DNs has the drawback that it is not +possible to map them back to the original encoding, however we don't +have to do this, because our key database stores this encoding as meta +data. - We have some mailing lists dedicated to GnuPG: +Some of the search modes are not yet implemented ;-) - gnupg-announce@gnupg.org For important announcements like - new versions and such stuff. - This is a moderated list and has - very low traffic. - gnupg-users@gnupg.org For general user discussion and - help. +How to import a private key +=========================== +There is some limited support to import a private key from a PKCS-12 +file. Note, that this does only import the private key and not any +certificates available in that file. - gnupg-devel@gnupg.org GnuPG developers main forum. + gpg-protect-tool --p12-import --store foo.p12 - You subscribe to one of the list by sending mail with a subject - of "subscribe" to x-request@gnupg.org, where x is the name of the - mailing list (gnupg-announce, gnupg-users, etc.). An archive of - the mailing lists is available at http://lists.gnupg.org . +This require that the gpg-agent is running, alternative you may give +the passphrase on the commandline using the option "-P " - +however this is in general not a good idea. If that key already +exists, the protect-tool refuses to store it unless you use the option +"--force". - Please direct bug reports to or post - them direct to the mailing list . +How to export a private key +=========================== +There is also limited support to export a private key in PKCS-12 +format. However the certificate is not stored and there is no MAC applied. 
- Please direct questions about GnuPG to the users mailing list or - one of the pgp newsgroups; please do not direct questions to one - of the authors directly as we are busy working on improvements - and bug fixes. Both mailing lists are watched by the authors - and we try to answer questions when time allows us to do so. + gpg-protect-tool --p12-export foo.key >foo.p12 - Commercial grade support for GnuPG is available; please see - the GNU service directory or search other resources. -- cgit v1.2.3
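Review bot: The documented defaults for the two programs that touch secret material are relative paths, which is a problem for the text under `--agent-program` ("../agent/gpg-agent") and `--pinentry-program` ("../../pinentry/kpinentry/kpinentry"): a relative default resolves against the caller's current directory, so which binary gets run for secret key operations and PIN entry depends on where gpgsm or gpg-agent was started, while `--dirmngr-program` already uses an absolute default ("/usr/sbin/dirmngr"). The README should either document absolute install-time defaults for all three or state plainly that the relative values are build-tree conveniences that must be overridden in an installed setup. The serial-number search mode is also described inconsistently: its heading reads "Exact match by serial number and subject's DN", but the body says the hash mark and serial are followed by "the RFC2253 encoded DN of the issuer" and the example `#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR` reuses the issuer DN from the previous mode; one of the two should be corrected. The rewrite also drops the copyright line and the copying permission notice that headed the old README, and "Some of the search modes are not yet implemented ;-)" should name which ones so users do not rely on them. Finally, the new text has many typos that will end up in the shipped file ("temporary protect", "Read tinformation", "storein", "Chnage the deault", "envrionment varaibale" twice, "ecoded", "Tel the pinentry not to grab keybourd", "whytye space", "wilol", "emptry", "startung", "deducded", "hexadecmal", "slahs", "Excact", "indentifier", "This require"); please fix them before merging.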