Diffstat (limited to 'doc')
-rw-r--r--doc/DETAILS12
-rw-r--r--doc/HACKING6
-rw-r--r--doc/Notes6
-rw-r--r--doc/dirmngr.texi2
-rw-r--r--doc/faq.org2
-rw-r--r--doc/gpg.texi69
-rw-r--r--doc/tools.texi6
-rw-r--r--doc/wks.texi74
-rw-r--r--doc/yat2m.c6
9 files changed, 134 insertions, 49 deletions
diff --git a/doc/DETAILS b/doc/DETAILS
index eb6d7dd4b..74a63ef00 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -59,7 +59,7 @@ described here.
- uat :: User attribute (same as user id except for field 10).
- sig :: Signature
- rev :: Revocation signature
- - rvs :: Recocation signature (standalone) [since 2.2.9]
+ - rvs :: Revocation signature (standalone) [since 2.2.9]
- fpr :: Fingerprint (fingerprint is in field 10)
- pkd :: Public key data [*]
- grp :: Keygrip
@@ -126,7 +126,7 @@ described here.
*** Field 4 - Public key algorithm
The values here are those from the OpenPGP specs or if they are
- greather than 255 the algorithm ids as used by Libgcrypt.
+ greater than 255 the algorithm ids as used by Libgcrypt.
*** Field 5 - KeyID
@@ -544,7 +544,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
*** DECRYPTION_KEY <fpr> <fpr2> <otrust>
This line is emitted when a public key decryption succeeded in
providing a session key. <fpr> is the hexified fingerprint of the
- actual key used for descryption. <fpr2> is the fingerprint of the
+ actual key used for decryption. <fpr2> is the fingerprint of the
primary key. <otrust> is the letter with the ownertrust; this is
in general a 'u' which stands for ultimately trusted.
*** DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]
@@ -700,7 +700,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
- 0 :: No specific reason given
- 1 :: Not Found
- - 2 :: Ambigious specification
+ - 2 :: Ambiguous specification
- 3 :: Wrong key usage
- 4 :: Key revoked
- 5 :: Key expired
@@ -1016,7 +1016,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
- 2 :: bad PIN
*** SC_OP_SUCCESS
- A smart card operaion succeeded. This status is only printed for
+ A smart card operation succeeded. This status is only printed for
certain operation and is mostly useful to check whether a PIN
change really worked.
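Review bot: the fix to "operation" in the first line of this hunk leaves the grammatical error on the next context line, "This status is only printed for certain operation", which should read "for certain operations". Since the line is already being touched for a typo, fix both in the same hunk.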
@@ -1073,7 +1073,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
Deleting a key failed. Reason codes are:
- 1 :: No such key
- 2 :: Must delete secret key first
- - 3 :: Ambigious specification
+ - 3 :: Ambiguous specification
- 4 :: Key is stored on a smartcard.
*** PROGRESS <what> <char> <cur> <total> [<units>]
diff --git a/doc/HACKING b/doc/HACKING
index 17c58269b..4781bf62c 100644
--- a/doc/HACKING
+++ b/doc/HACKING
@@ -150,7 +150,7 @@ Note that such a comment will be removed if the git commit option
if ( 42 == foo )
#+end_src
this is harder to read and modern compilers are pretty good in
- detecing accidential assignments. It is also suggested not to
+ detecing accidental assignments. It is also suggested not to
compare to 0 or NULL but to test the value direct or with a '!';
this makes it easier to see that a boolean test is done.
- We use our own printf style functions like =es_printf=, and
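Review bot: the changed line still carries a misspelling: "detecing accidental assignments" should be "detecting accidental assignments" (and "pretty good at detecting" reads more naturally than "good in"). Only the second typo on the line was fixed.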
@@ -342,7 +342,7 @@ Note that such a comment will be removed if the git commit option
- g10/main.h :: Prototypes and some constants
- g10/mainproc.c :: Message processing
- g10/armor.c :: Ascii armor filter
- - g10/mdfilter.c :: Filter to calculate hashs
+ - g10/mdfilter.c :: Filter to calculate hashes
- g10/textfilter.c :: Filter to handle CR/LF and trailing white space
- g10/cipher.c :: En-/Decryption filter
- g10/misc.c :: Utility functions
@@ -395,7 +395,7 @@ The *secure versions allocate memory in the secure memory. That is,
swapping out of this memory is avoided and is gets overwritten on
free. Use this for passphrases, session keys and other sensitive
material. This memory set aside for secure memory is linited to a few
-k. In general the function don't print a memeory message and
+k. In general the function don't print a memory message and
terminate the process if there is not enough memory available. The
"try" versions of the functions return NULL instead.
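Review bot: the replacement line "In general the function don't print a memory message" still has a number-agreement error; it should be "the functions don't print" (or "the function doesn't print"). The surrounding context lines also keep "is linited to a few k" (should be "limited") and "is gets overwritten on free" (should be "it gets overwritten"); since this paragraph is being corrected anyway, fix those too.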
diff --git a/doc/Notes b/doc/Notes
index 19241b7b7..33ef29278 100644
--- a/doc/Notes
+++ b/doc/Notes
@@ -1,5 +1,5 @@
-Add an infor page for watchgnupg.
+Add an info page for watchgnupg.
> * How to mark a CA certificate as trusted.
@@ -57,7 +57,7 @@ or
In general you should first import the root certificates and then down
to the end user certificate. You may put all into one file and gpgsm
-will do the right thing in this case independend of the order.
+will do the right thing in this case independent of the order.
While verifying a signature, all included certificates are
automagically imported.
@@ -82,7 +82,7 @@ you get an output like:
uid:::::::::CN=Werner Koch,OU=test,O=g10 Code,C=de::
uid:::::::::<[email protected]>::
-This should be familar to advanced gpg-users; see doc/DETAILS in gpg
+This should be familiar to advanced gpg-users; see doc/DETAILS in gpg
1.3 (CVS HEAD) for a description of the records. The value in the
"grp" tagged record is the so called keygrip and you should find a
file ~/.gnupg/private-keys-v1.d/C92DB9CFD588ADE846BE3AC4E7A2E1B11A4A2ADB.key
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 76be5286c..f5910a884 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -1096,7 +1096,7 @@ as a binary blob.
@c In the end the same fucntionality is used, albeit hidden by a couple
@c of indirection and argument and result code mangling. It furthere
@c ingetrages OCSP checking depending on options are the way it is
-@c called. GPGSM still uses this command but might eventuall switch over
+@c called. GPGSM still uses this command but might eventually switch over
@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
@c
@c
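Review bot: only "eventuall" is corrected while the three context lines just above it in the same comment keep "fucntionality", "furthere" and "ingetrages" (presumably "integrates"), and "depending on options are the way it is called" is not a sentence. If this comment block is worth a typo pass, fix the whole paragraph in one hunk rather than one word of it.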
diff --git a/doc/faq.org b/doc/faq.org
index ddbeafaf8..2f873e600 100644
--- a/doc/faq.org
+++ b/doc/faq.org
@@ -1096,7 +1096,7 @@ update this FAQ in the next month. See the section "Changes" for recent updates
As of 1.0.3, keys generated with gpg are created with preferences to
TWOFISH (and AES since 1.0.4) and that also means that they have the
capability to use the new MDC encryption method. This will go into
- OpenPGP soon, and is also suppoted by PGP 7. This new method avoids
+ OpenPGP soon, and is also supported by PGP 7. This new method avoids
a (not so new) attack on all email encryption systems.
This in turn means that pre-1.0.3 gpg binaries have problems with
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 4cfd00079..dedb8cc42 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -624,9 +624,9 @@ fingerprint (preferred) or their keyid.
@end table
-@c *******************************************
-@c ******* KEY MANGEMENT COMMANDS **********
-@c *******************************************
+@c ********************************************
+@c ******* KEY MANAGEMENT COMMANDS **********
+@c ********************************************
@node OpenPGP Key Management
@subsection How to manage your keys
@@ -675,6 +675,10 @@ supplied passphrase is used for the new key and the agent does not ask
for it. To create a key without any protection @code{--passphrase ''}
may be used.
+Note that it is possible to create a primary key and a subkey using
+non-default algorithms by using ``default'' and changing the default
+parameters using the option @option{--default-new-key-algo}.
+
@item --quick-set-expire @var{fpr} @var{expire} [*|@var{subfprs}]
@opindex quick-set-expire
With two arguments given, directly set the expiration time of the
@@ -702,7 +706,8 @@ and other ECC curves. For example the string ``rsa'' adds an RSA key
with the default key length; a string ``rsa4096'' requests that the
key length is 4096 bits. The string ``future-default'' is an alias
for the algorithm which will likely be used as default algorithm in
-future versions of gpg.
+future versions of gpg. To list the supported ECC curves the command
+@code{gpg --with-colons --list-config curve} can be used.
Depending on the given @var{algo} the subkey may either be an
encryption subkey or a signing subkey. If an algorithm is capable of
@@ -1719,7 +1724,8 @@ Set what trust model GnuPG should follow. The models are:
@opindex trust-model:auto
Select the trust model depending on whatever the internal trust
database says. This is the default model if such a database already
- exists.
+ exists. Note that a tofu trust model is not considered here and
+ must be enabled explicitly.
@end table
@item --auto-key-locate @var{mechanisms}
@@ -2258,9 +2264,8 @@ The AEAD encryption mode encrypts the data in chunks so that a
receiving side can check for transmission errors or tampering at the
end of each chunk and does not need to delay this until all data has
been received. The used chunk size is 2^@var{n} byte. The lowest
-allowed value for @var{n} is 6 (64 byte) and the largest is 62 (4
-EiB). The default value for @var{n} is 30 which creates chunks not
-larger than 1 GiB.
+allowed value for @var{n} is 6 (64 byte) and the largest is the
+default of 27 which creates chunks not larger than 128 MiB.
@item --input-size-hint @var{n}
@opindex input-size-hint
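Review bot: the new wording "the largest is the default of 27" conflates the upper bound with the default, and later in the same patch @option{--debug-allow-large-chunks} is documented as allowing values up to 62. Say explicitly that 27 is both the default and the largest value accepted without that option, e.g. "The largest value accepted by default is 27 (128 MiB); larger values require @option{--debug-allow-large-chunks}." Also "2^@var{n} byte" should be "bytes".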
@@ -2338,6 +2343,11 @@ opposite meaning. The options are:
on the keyring. This option is the same as running the @option{--edit-key}
command "clean" after import. Defaults to no.
+ @item import-drop-uids
+ Do not import any user ids or their binding signatures. This option
+ can be used to update only the subkeys or other non-user id related
+ information.
+
@item repair-keys. After import, fix various problems with the
keys. For example, this reorders signatures, and strips duplicate
signatures. Defaults to yes.
@@ -2502,6 +2512,11 @@ opposite meaning. The options are:
running the @option{--edit-key} command "minimize" before export except
that the local copy of the key is not modified. Defaults to no.
+ @item export-drop-uids
+ Do no export any user id or attribute packets or their associates
+ signatures. Note that due to missing user ids the resulting output is
+ not strictly RFC-4880 compliant.
+
@item export-pka
Instead of outputting the key material output PKA records suitable
to put into DNS zone files. An ORIGIN line is printed before each
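Review bot: two errors in the added @item export-drop-uids text: "Do no export" should be "Do not export", and "their associates signatures" should be "their associated signatures". The RFC-4880 caveat is useful; it would help to add that such an export is meant for updating an existing key (where the user ids are already present) rather than for distributing a key, so readers do not treat the option as a general export mode.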
@@ -2608,7 +2623,7 @@ These options are obsolete and have no effect since GnuPG 2.1.
@item --force-aead
@opindex force-aead
Force the use of AEAD encryption over MDC encryption. AEAD is a
-modern and faster way to do authenticated encrytion than the old MDC
+modern and faster way to do authenticated encryption than the old MDC
method. See also options @option{--aead-algo} and
@option{--chunk-size}.
@@ -2621,7 +2636,7 @@ to declare that a not yet standardized feature is used.
@opindex disable-mdc
These options are obsolete and have no effect since GnuPG 2.2.8. The
MDC is always used unless the keys indicate that an AEAD algorithm can
-be used in which case AEAD is used. But note: If the creation or of a
+be used in which case AEAD is used. But note: If the creation of a
legacy non-MDC message is exceptionally required, the option
@option{--rfc2440} allows for this.
@@ -2764,7 +2779,7 @@ This option is obsolete; it is handled as an alias for @option{--pgp7}
@item --pgp7
@opindex pgp7
-Set up all options to be as PGP 7 compliant as possible. This allowd
+Set up all options to be as PGP 7 compliant as possible. This allowed
the ciphers IDEA, 3DES, CAST5,AES128, AES192, AES256, and TWOFISH.,
the hashes MD5, SHA1 and RIPEMD160, and the compression algorithms
none and ZIP. This option implies @option{--escape-from-lines} and
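Review bot: "This allowd" is corrected to "This allowed", but the sentence describes what the option currently permits, so it should be "This allows". The same context line has "CAST5,AES128" missing a space after the comma and a stray period in "TWOFISH.,"; fix those while the line is being edited.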
@@ -2862,6 +2877,13 @@ Change the buffer size of the IOBUFs to @var{n} kilobyte. Using 0
prints the current size. Note well: This is a maintainer only option
and may thus be changed or removed at any time without notice.
+@item --debug-allow-large-chunks
+@opindex debug-allow-large-chunks
+To facilitate in-memory decryption on the receiving site, the largest
+recommended chunk size is 128 MiB (@code{--chunk-size 27}). This
+option allows to specify a limit of up to 4 EiB (@code{--chunk-size
+62}) for experiments.
+
@item --faked-system-time @var{epoch}
@opindex faked-system-time
This option is only useful for testing; it sets the system time back or
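Review bot: in the new @item --debug-allow-large-chunks, "on the receiving site" should be "side", and "This option allows to specify a limit" should be "This option allows specifying a limit" (or "allows a chunk size of up to ..."). It would also help to state plainly that without this option @option{--chunk-size} values above 27 are rejected, so the reader sees the relationship to the default documented under @option{--chunk-size}.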
@@ -2964,6 +2986,13 @@ smartcard, and "%%" results in a single "%". %k, %K, and %f are only
meaningful when making a key signature (certification), and %c is only
meaningful when using the OpenPGP smartcard.
+@item --known-notation @var{name}
+@opindex known-notation
+Adds @var{name} to a list of known critical signature notations. The
+effect of this is that gpg will not mark a signature with a critical
+signature notation of that name as bad. Note that gpg already knows
+by default about a few critical signatures notation names.
+
@item --sig-policy-url @var{string}
@itemx --cert-policy-url @var{string}
@itemx --set-policy-url @var{string}
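Review bot: "a few critical signatures notation names" should be "a few critical signature notation names". More importantly, since a critical notation gpg does not understand otherwise makes the signature invalid, the text should warn that adding a name here tells gpg to accept signatures whose critical notation it does not evaluate, so the option should only be used for notations whose semantics the user actually checks elsewhere.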
@@ -3022,7 +3051,7 @@ same thing.
@opindex aead-algo
Specify that the AEAD algorithm @var{name} is to be used. This is
useful for symmetric encryption where no key preference are available
-to select the AEAD algorithm. Runing @command{@gpgname} with option
+to select the AEAD algorithm. Running @command{@gpgname} with option
@option{--version} shows the available AEAD algorithms. In general,
you do not want to use this option as it allows you to violate the
OpenPGP standard. The option @option{--personal-aead-preferences} is
@@ -3340,13 +3369,14 @@ user.
@opindex override-session-key
Don't use the public key but the session key @var{string} respective
the session key taken from the first line read from file descriptor
-@var{fd}. The format of this string is the same as the one printed
-by @option{--show-session-key}. This option is normally not used but
+@var{fd}. The format of this string is the same as the one printed by
+@option{--show-session-key}. This option is normally not used but
comes handy in case someone forces you to reveal the content of an
encrypted message; using this option you can do this without handing
out the secret key. Note that using @option{--override-session-key}
may reveal the session key to all local users via the global process
-table.
+table. Often it is useful to combine this option with
+@option{--no-keyring}.
@item --ask-sig-expire
@itemx --no-ask-sig-expire
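Review bot: the reflowed context line "Don't use the public key but the session key @var{string} respective the session key taken from ..." is awkward English; "or, respectively, the session key taken from the first line read from file descriptor @var{fd}" would be clearer. The added hint about @option{--no-keyring} would be more useful if it said why (no keyring access is needed when the session key is supplied directly).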
@@ -3637,6 +3667,15 @@ Operation is further controlled by a few environment variables:
@end table
+When calling the gpg-agent component @command{@gpgname} sends a set of
+environment variables to gpg-agent. The names of these variables can
+be listed using the command:
+
+@example
+ gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" @{print $2@}'
+@end example
+
+
@c *******************************************
@c *************** ****************
diff --git a/doc/tools.texi b/doc/tools.texi
index 7becf67e2..6256c05ed 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -1561,7 +1561,7 @@ string @code{true} or @code{yes}. The evaluation is done by passing
/subst
/let i 3
/while $i
- /echo loop couter is $i
+ /echo loop counter is $i
/let i $@{- $i 1@}
/end
@end smallexample
@@ -1962,7 +1962,7 @@ Extract all files from an encrypted archive.
@item --sign
@itemx -s
-Make a signed archive from the given files and directories. Thsi can
+Make a signed archive from the given files and directories. This can
be combined with option @option{--encrypt} to create a signed and then
encrypted archive.
@@ -2031,7 +2031,7 @@ linefeed to separate file names.
@item --openpgp
@opindex openpgp
-This option has no effect becuase OpenPGP encryption and signing is
+This option has no effect because OpenPGP encryption and signing is
the default.
@item --cms
diff --git a/doc/wks.texi b/doc/wks.texi
index 4508ae2a1..03d748255 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -61,11 +61,12 @@ Service provider. This is usuallay done to upload a key into a Web
Key Directory.
With the @option{--supported} command the caller can test whether a
-site supports the Web Key Service. The argument is an arbitray
+site supports the Web Key Service. The argument is an arbitrary
address in the to be tested domain. For example
@file{foo@@example.net}. The command returns success if the Web Key
Service is supported. The operation is silent; to get diagnostic
-output use the option @option{--verbose}.
+output use the option @option{--verbose}. See option
+@option{--with-colons} for a variant of this command.
With the @option{--check} command the caller can test whether a key
exists for a supplied mail address. The command returns success if a
@@ -109,6 +110,44 @@ $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net
Directly send created mails using the @command{sendmail} command.
Requires installation of that command.
+@item --with-colons
+@opindex with-colons
+This option has currently only an effect on the @option{--supported}
+command. If it is used all arguimenst on the command line are taken
+as domain names and tested for WKD support. The output format is one
+line per domain with colon delimited fields. The currently specified
+fields are (future versions may specify additional fields):
+
+@table @asis
+
+ @item 1 - domain
+ This is the domain name. Although quoting is not required for valid
+ domain names this field is specified to be quoted in standard C
+ manner.
+
+ @item 2 - WKD
+ If the value is true the domain supports the Web Key Directory.
+
+ @item 3 - WKS
+ If the value is true the domain supports the Web Key Service
+ protocol to upload keys to the directory.
+
+ @item 4 - error-code
+ This may contain an gpg-error code to describe certain
+ failures. Use @samp{gpg-error CODE} to explain the code.
+
+ @item 5 - protocol-version
+ The minimum protocol version supported by the server.
+
+ @item 6 - auth-submit
+ The auth-submit flag from the policy file of the server.
+
+ @item 7 - mailbox-only
+ The mailbox-only flag from the policy file of the server.
+@end table
+
+
+
@item --output @var{file}
@itemx -o
@opindex output
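Review bot: the added @item --with-colons text has "all arguimenst" (should be "arguments") and "an gpg-error code" (should be "a gpg-error code"). For fields 2 and 3, "If the value is true" leaves the actual representation unspecified; state the literal value emitted (e.g. the character used for true and whether false is an empty field), otherwise scripts parsing the output have to guess. The three blank lines before @item --output should be reduced to one.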
@@ -206,7 +245,7 @@ mail is processed. Commonly this command is used with the option
@option{--send} to directly send the crerated mails back. See below
for an installation example.
-The command @option{--cron} is used for regualr cleanup tasks. For
+The command @option{--cron} is used for regular cleanup tasks. For
example non-confirmed requested should be removed after their expire
time. It is best to run this command once a day from a cronjob.
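Review bot: "regualr" is fixed but the adjacent context lines keep "the crerated mails" (should be "created") and "non-confirmed requested should be removed" (should be "requests"). Fix these in the same hunk.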
@@ -215,9 +254,9 @@ Further it creates missing directories for the configuration and
prints warnings pertaining to problems in the configuration.
The command @option{--check-key} (or just @option{--check}) checks
-whether a key with the given user-id is installed. The process return
-success in this case; to also print a diagnostic, use option
-@option{-v}. If the key is not installed a diagnostics is printed and
+whether a key with the given user-id is installed. The process returns
+success in this case; to also print a diagnostic use the option
+@option{-v}. If the key is not installed a diagnostic is printed and
the process returns failure; to suppress the diagnostic, use option
@option{-q}. More than one user-id can be given; see also option
@option{with-file}.
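Review bot: the trailing context line "see also option @option{with-file}" is missing the leading dashes; it should be @option{--with-file} to match the option as documented below.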
@@ -243,6 +282,12 @@ The command @option{--revoke-key} is not yet functional.
@table @gnupgtabopt
+@item -C @var{dir}
+@itemx --directory @var{dir}
+@opindex directory
+Use @var{dir} as top level directory for domains. The default is
+@file{/var/lib/gnupg/wks}.
+
@item --from @var{mailaddr}
@opindex from
Use @var{mailaddr} as the default sender address.
@@ -256,21 +301,22 @@ Add the mail header "@var{name}: @var{value}" to all outgoing mails.
Directly send created mails using the @command{sendmail} command.
Requires installation of that command.
-@item --output @var{file}
-@itemx -o
+@item -o @var{file}
+@itemx --output @var{file}
@opindex output
Write the created mail also to @var{file}. Note that the value
@code{-} for @var{file} would write it to stdout.
@item --with-dir
@opindex with-dir
-Also print the directory name for each domain listed by command
-@option{--list-domains}.
+When used with the command @option{--list-domains} print for each
+installed domain the domain name and its directory name.
@item --with-file
@opindex with-file
-With command @option{--check-key} print for each user-id, the address,
-'i' for installed key or 'n' for not installed key, and the filename.
+When used with the command @option{--check-key} print for each user-id,
+the address, 'i' for installed key or 'n' for not installed key, and
+the filename.
@item --verbose
@opindex verbose
@@ -316,7 +362,7 @@ Finally run
$ gpg-wks-server --list-domains
@end example
-to create the required sub-directories with the permission set
+to create the required sub-directories with the permissions set
correctly. For each domain a submission address needs to be
configured. All service mails are directed to that address. It can
be the same address for all configured domains, for example:
@@ -326,7 +372,7 @@ be the same address for all configured domains, for example:
$ echo key-submission@@example.net >submission-address
@end example
-The protocol requires that the key to be published is sent with an
+The protocol requires that the key to be published is send with an
encrypted mail to the service. Thus you need to create a key for
the submission address:
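Review bot: this hunk introduces an error rather than fixing one: "the key to be published is sent with an encrypted mail" was correct, and the replacement "is send with" is wrong. Drop this hunk or restore "sent".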
diff --git a/doc/yat2m.c b/doc/yat2m.c
index c7bec338f..be0ef17fd 100644
--- a/doc/yat2m.c
+++ b/doc/yat2m.c
@@ -55,7 +55,7 @@
.B whateever you want
@end ifset
- alternativly a special comment may be used:
+ alternatively a special comment may be used:
@c man:.B whatever you want
@@ -704,7 +704,7 @@ write_th (FILE *fp)
/* Process the texinfo command COMMAND (without the leading @) and
- write output if needed to FP. REST is the remainer of the line
+ write output if needed to FP. REST is the remainder of the line
which should either point to an opening brace or to a white space.
The function returns the number of characters already processed
from REST. LEN is the usable length of REST. TABLE_LEVEL is used to
@@ -1197,7 +1197,7 @@ parse_file (const char *fname, FILE *fp, char **section_name, int in_pause)
if (*p == '@' && !strncmp (p+1, "item", 4))
item_indent = p - line; /* Set a new indent level. */
else if (p - line < item_indent)
- item_indent = 0; /* Switch off indention. */
+ item_indent = 0; /* Switch off indentation. */
if (item_indent)
{