Diffstat (limited to 'doc')
-rw-r--r-- | doc/DETAILS | 11 | ||||
-rw-r--r-- | doc/HACKING | 10 | ||||
-rw-r--r-- | doc/Makefile.am | 16 | ||||
-rw-r--r-- | doc/examples/README | 2 | ||||
-rw-r--r-- | doc/examples/qualified.txt (renamed from doc/qualified.txt) | 12 | ||||
-rw-r--r-- | doc/gpg.texi | 62 | ||||
-rw-r--r-- | doc/gpgsm.texi | 14 | ||||
-rw-r--r-- | doc/howto-create-a-server-cert.texi | 14 | ||||
-rw-r--r-- | doc/wks.texi | 5 |
9 files changed, 92 insertions, 54 deletions
diff --git a/doc/DETAILS b/doc/DETAILS index 16e77c79a..52051ed2c 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -237,12 +237,14 @@ described here. *** Field 18 - Compliance flags - Space separated list of asserted compliance modes for this key. + Space separated list of asserted compliance modes and + screening result for this key. Valid values are: - 8 :: The key is compliant with RFC4880bis - 23 :: The key is compliant with compliance mode "de-vs". + - 6001 :: Screening hit on the ROCA vulnerability. *** Field 19 - Last update @@ -534,9 +536,10 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: actual key used for descryption. <fpr2> is the fingerprint of the primary key. <otrust> is the letter with the ownertrust; this is in general a 'u' which stands for ultimately trusted. -*** DECRYPTION_INFO <mdc_method> <sym_algo> +*** DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>] Print information about the symmetric encryption algorithm and the MDC method. This will be emitted even if the decryption fails. + For an AEAD algorithm AEAD_ALGO is not 0. *** DECRYPTION_FAILED The symmetric decryption failed - one reason could be a wrong @@ -556,8 +559,10 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: --override-session-key. It is not an indication that the decryption will or has succeeded. -*** BEGIN_ENCRYPTION <mdc_method> <sym_algo> +*** BEGIN_ENCRYPTION <mdc_method> <sym_algo> [<aead_algo>] Mark the start of the actual encryption process. + MDC_METHOD shall be 0 if an AEAD_ALGO is not 0. Users should + however ignore MDC_METHOD if AEAD_ALGO is not 0. *** END_ENCRYPTION Mark the end of the actual encryption process. diff --git a/doc/HACKING b/doc/HACKING index bd1685678..17c58269b 100644 --- a/doc/HACKING +++ b/doc/HACKING 
@@ -33,9 +33,9 @@ not be copied to the ChangeLog, separate it by a line consisting of two dashes at the begin of a line. The one-line summary usually starts with a keyword to identify the -mainly affected subsystem. If more than one keyword is required the -are delimited by a comma (e.g. =scd,w32:=). Commonly found keywords -are +mainly affected subsystem (that is not the directory). If more than +one keyword is required they are delimited by a comma +(e.g. =scd,w32:=). Commonly found keywords are - agent :: The gpg-agent component - build :: Changes to the build system @@ -207,10 +207,6 @@ Note that such a comment will be removed if the git commit option - The predefined macro =__func__=: : log_debug ("%s: Problem with foo\n", __func__); - - Variable declaration inside a for(): - : for (int i = 0; i < 5; ++) - : bar (i); - Although we usually make use of the =u16=, =u32=, and =u64= types, it is also possible to include =<stdint.h>= and use =int16_t=, =int32_t=, =int64_t=, =uint16_t=, =uint32_t=, and =uint64_t=. But do diff --git a/doc/Makefile.am b/doc/Makefile.am index d47d83ede..cb69cd993 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -22,7 +22,7 @@ AM_CPPFLAGS = include $(top_srcdir)/am/cmacros.am examples = examples/README examples/scd-event examples/trustlist.txt \ - examples/vsnfd.prf examples/debug.prf \ + examples/vsnfd.prf examples/debug.prf examples/qualified.txt \ examples/systemd-user/README \ examples/systemd-user/dirmngr.service \ examples/systemd-user/dirmngr.socket \ @@ -43,7 +43,7 @@ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \ profiles = -EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \ +EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem \ gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \ gnupg-module-overview.png gnupg-module-overview.pdf \ gnupg-card-architecture.png gnupg-card-architecture.pdf \ 
@@ -113,16 +113,8 @@ DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \ gnupg-module-overview.eps \ $(myman_pages) gnupg.7 -if HAVE_YAT2M -YAT2M_CMD = $(YAT2M) -YAT2M_DEP = $(YAT2M) -else -YAT2M_CMD = ./yat2m -YAT2M_DEP = yat2m - yat2m: yat2m.c $(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c -endif mkdefsinc: mkdefsinc.c Makefile ../config.h $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \ @@ -155,12 +147,12 @@ yat2m-stamp: $(myman_sources) defs.inc @touch yat2m-stamp.tmp incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ for file in $(myman_sources) ; do \ - $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \ + $(YAT2M) $(YAT2M_OPTIONS) --store \ --date "`cat $$incd 2>/dev/null`" \ `test -f '$$file' || echo '$(srcdir)/'`$$file ; done @mv -f yat2m-stamp.tmp $@ -yat2m-stamp: $(YAT2M_DEP) +yat2m-stamp: $(YAT2M) $(myman_pages) gnupg.7 : yat2m-stamp defs.inc @if test -f $@; then :; else \ diff --git a/doc/examples/README b/doc/examples/README index 77ee80741..4d6a5be87 100644 --- a/doc/examples/README +++ b/doc/examples/README @@ -9,3 +9,5 @@ trustlist.txt A list of trustworthy root certificates gpgconf.conf A sample configuration file for gpgconf. systemd-user Sample files for a Linux-only init system. + +qualified.txt Sample file for qualified.txt. diff --git a/doc/qualified.txt b/doc/examples/qualified.txt index c0e4da582..eba11f244 100644 --- a/doc/qualified.txt +++ b/doc/examples/qualified.txt @@ -29,7 +29,7 @@ # # Germany # -# The information for Germany is available +# The information for Germany is available # at http://www.bundesnetzagentur.de #******************************************* 
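Review bot: With the `if HAVE_YAT2M` fallback removed in this hunk, the build relies entirely on configure substituting a non-empty `YAT2M`, and nothing in this file checks that; the same holds for the recipe call and the `yat2m-stamp: $(YAT2M)` prerequisite in the @@ -155 hunk. If the variable expanded to nothing, the shell would run the next word on that line as the command, and the stamp would lose its dependency on the tool. The program executed during the build is now whatever configure selected (configure.ac is not part of this diff), so a comment above the prerequisite would help: `# YAT2M is set by configure and must be non-empty: an installed yat2m or ./yat2m built by the rule above.`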
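Review bot: A failing `$(YAT2M)` run inside the `for` loop of the @@ -155 hunk does not stop the recipe unless it happens on the last file, because the loop's exit status is that of its final iteration. The following `mv -f yat2m-stamp.tmp $@` then marks the man pages as up to date. The loop lines around the changed call are unchanged context, but the call now always runs the tool chosen by configure, so its status should be propagated: end the command with `$$file || exit 1 ; done`. The rule header for this recipe sits above the hunk.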
@@ -74,7 +74,7 @@ DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B de #Serial number: 02 # Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für # Telekommunikation und Post/C=DE -# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für +# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für # Telekommunikation und Post/C=DE # validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59 # key type: 1024 bit RSA @@ -118,7 +118,7 @@ A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de # key usage: certSign # policies: 1.3.36.8.1.1:N: # chain length: unlimited -# [checked: 2008-06-25] +# [checked: 2008-06-25] 44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de # ID: 0x46A2CC8A @@ -130,7 +130,7 @@ A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de # key usage: certSign # policies: 1.3.36.8.1.1:N: # chain length: unlimited -# [checked: 2008-06-25] +# [checked: 2008-06-25] AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de @@ -215,7 +215,7 @@ E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C de # key type: 2048 bit RSA # key usage: certSign crlSign # chain length: 1 -#[checked: 2007-12-13 via received ZIP file with qualified signature from +#[checked: 2007-12-13 via received ZIP file with qualified signature from # /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag # /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg] C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de @@ -230,7 +230,7 @@ C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de # key type: 2048 bit RSA # key usage: certSign crlSign # chain length: 1 -#[checked: 2007-12-13 via received ZIP file with qualified signature from +#[checked: 2007-12-13 via received ZIP file with qualified signature from # /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag # /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"] D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B de 
diff --git a/doc/gpg.texi b/doc/gpg.texi index 805a01fc3..00ac03308 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2246,6 +2246,16 @@ works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit". +@item --chunk-size @var{n} +@opindex chunk-size +The AEAD encryption mode encrypts the data in chunks so that a +receiving side can check for transmission errors or tampering at the +end of each chunk and does not need to delay this until all data has +been received. The used chunk size is 2^@var{n} byte. The lowest +allowed value for @var{n} is 6 (64 byte) and the largest is 62 (4 +EiB). The default value for @var{n} is 30 which creates chunks not +larger than 1 GiB. + @item --input-size-hint @var{n} @opindex input-size-hint This option can be used to tell GPG the size of the input data in @@ -2583,6 +2593,16 @@ is the default. @itemx --no-force-v4-certs These options are obsolete and have no effect since GnuPG 2.1. +@item --force-aead +@opindex force-aead +Force the use of AEAD encryption over MDC encryption. AEAD is a +modern and faster way to do authenticated encrytion than the old MDC +method. See also options @option{--aead-algo} and +@option{--chunk-size}. + +This option requires the use of option @option{--rfc4880bis} to +declare that a not yet standardized feature is used. + @item --force-mdc @opindex force-mdc Force the use of encryption with a modification detection code. This 
@@ -2614,6 +2634,16 @@ preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked cipher in this list is also used for the @option{--symmetric} encryption command. +@item --personal-aead-preferences @var{string} +@opindex personal-aead-preferences +Set the list of personal AEAD preferences to @var{string}. Use +@command{@gpgname --version} to get a list of available algorithms, +and use @code{none} to set no preference at all. This allows the user +to safely override the algorithm chosen by the recipient key +preferences, as GPG will only select an algorithm that is usable by +all recipients. The most highly ranked cipher in this list is also +used for the @option{--symmetric} encryption command. + @item --personal-digest-preferences @var{string} @opindex personal-digest-preferences Set the list of personal digest preferences to @var{string}. Use @@ -2820,6 +2850,12 @@ Set all useful debugging flags. Set stdout into line buffered mode. This option is only honored when given on the command line. +@item --debug-set-iobuf-size @var{n} +@opindex debug-iolbf +Change the buffer size of the IOBUFs to @var{n} kilobyte. Using 0 +prints the current size. Note well: This is a maintainer only option +and may thus be changed or removed at any time without notice. + @item --faked-system-time @var{epoch} @opindex faked-system-time This option is only useful for testing; it sets the system time back or 
@@ -2972,17 +3008,28 @@ Use @var{name} as cipher algorithm. Running the program with the command @option{--version} yields a list of supported algorithms. If this is not used the cipher algorithm is selected from the preferences stored with the key. In general, you do not want to use this option as -it allows you to violate the OpenPGP standard. +it allows you to violate the OpenPGP standard. The option @option{--personal-cipher-preferences} is the safe way to accomplish the same thing. +@item --aead-algo @var{name} +@opindex aead-algo +Specify that the AEAD algorithm @var{name} is to be used. This is +useful for symmetric encryption where no key preference are available +to select the AEAD algorithm. Runing @command{@gpgname} with option +@option{--version} shows the available AEAD algorithms. In general, +you do not want to use this option as it allows you to violate the +OpenPGP standard. The option @option{--personal-aead-preferences} is +the safe way to accomplish the same thing. + @item --digest-algo @var{name} @opindex digest-algo Use @var{name} as the message digest algorithm. Running the program -with the command @option{--version} yields a list of supported algorithms. In -general, you do not want to use this option as it allows you to -violate the OpenPGP standard. @option{--personal-digest-preferences} is the -safe way to accomplish the same thing. +with the command @option{--version} yields a list of supported +algorithms. In general, you do not want to use this option as it +allows you to violate the OpenPGP standard. The option +@option{--personal-digest-preferences} is the safe way to accomplish +the same thing. @item --compress-algo @var{name} @opindex compress-algo 
@@ -3004,8 +3051,9 @@ significant in low memory situations. Note, however, that PGP (all versions) only supports ZIP compression. Using any algorithm other than ZIP or "none" will make the message unreadable with PGP. In general, you do not want to use this option as it allows you to -violate the OpenPGP standard. @option{--personal-compress-preferences} is the -safe way to accomplish the same thing. +violate the OpenPGP standard. The option +@option{--personal-compress-preferences} is the safe way to accomplish +the same thing. @item --cert-digest-algo @var{name} @opindex cert-digest-algo diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index ebe58bc61..1736ff111 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -852,15 +852,9 @@ purposes. Note that even if a certificate is listed in this file, this does not mean that the certificate is trusted; in general the certificates listed -in this file need to be listed also in @file{trustlist.txt}. - -This is a global file an installed in the data directory -(e.g. @file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable -file with root certificates as used in Germany. As new Root-CA -certificates may be issued over time, these entries may need to be -updated; new distributions of this software should come with an updated -list but it is still the responsibility of the Administrator to check -that this list is correct. +in this file need to be listed also in @file{trustlist.txt}. This is a global +file an installed in the sysconf directory (e.g. +@file{@value{SYSCONFDIR}/qualified.txt}). Every time @command{gpgsm} uses a certificate for signing or verification this file will be consulted to check whether the certificate under 
@@ -1082,7 +1076,7 @@ key. The algorithm must be capable of signing. This is a required parameter. The only supported value for @var{algo} is @samp{rsa}. @item Key-Length: @var{nbits} -The requested length of a generated key in bits. Defaults to 2048. +The requested length of a generated key in bits. Defaults to 3072. @item Key-Grip: @var{hexstring} This is optional and used to generate a CSR or certificate for an diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi index 55f1a91a4..30e28bdd0 100644 --- a/doc/howto-create-a-server-cert.texi +++ b/doc/howto-create-a-server-cert.texi @@ -31,14 +31,14 @@ Let's continue: @cartouche @example - What keysize do you want? (2048) - Requested keysize is 2048 bits + What keysize do you want? (3072) + Requested keysize is 3072 bits @end example @end cartouche -Hitting enter chooses the default RSA key size of 2048 bits. Smaller -keys are too weak on the modern Internet. If you choose a larger -(stronger) key, your server will need to do more work. +Hitting enter chooses the default RSA key size of 3072 bits. Keys +smaller than 2048 bits are too weak on the modern Internet. If you +choose a larger (stronger) key, your server will need to do more work. @cartouche @example @@ -124,7 +124,7 @@ request: @example These parameters are used: Key-Type: RSA - Key-Length: 2048 + Key-Length: 3072 Key-Usage: sign, encrypt Name-DN: CN=example.com Name-DNS: example.com @@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter: aka: (dns-name example.com) aka: (dns-name www.example.com) validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 - key type: 2048 bit RSA + key type: 3072 bit RSA key usage: digitalSignature keyEncipherment ext key usage: clientAuth (suggested), serverAuth (suggested), [...] fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 diff --git a/doc/wks.texi b/doc/wks.texi index 6d622828f..4508ae2a1 100644 --- a/doc/wks.texi +++ b/doc/wks.texi 
@@ -338,10 +338,11 @@ the submission address: The output of the last command looks similar to this: @example - sec rsa2048 2016-08-30 [SC] + sec rsa3072 2016-08-30 [SC] C0FCF8642D830C53246211400346653590B3795B uid [ultimate] key-submission@@example.net - ssb rsa2048 2016-08-30 [E] + bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net + ssb rsa3072 2016-08-30 [E] @end example Take the fingerprint from that output and manually publish the key: |