| Commit message (Collapse) | Author | Files | Lines |
|---|
|
than whatever key selector the user used on the command line.
|
|
|
|
|
|
shows no prblems. Needs more testing of course.
|
|
|
|
|
|
but no --keyserver set.
|
|
to add "_uri" to certain gpgkeys_xxx helpers when the meaning is
different if a path is provided (i.e. ldap).
|
|
a place not in the regular include search path.
|
|
|
|
Still does not build.
|
|
The gpg part does not yet build.
|
|
both the fingerprint alone, and fingerprint+URL cases.
* getkey.c (get_pubkey_byname): Minor cleanup.
|
|
|
|
same API as the other auto-key-locate fetchers.
* getkey.c (get_pubkey_byname): Use the fingerprint of the key that we
actually fetched. This helps prevent problems where the key that we
fetched doesn't have the same name that we used to fetch it. In the
case of CERT and PKA, this is an actual security requirement as the
URL might point to a key put in by an attacker. By forcing the use of
the fingerprint, we won't use the attacker's key here.
|
|
keyserver_import_cert, keyserver_import_name, keyserver_import_ldap):
Pass fingerprint info through.
|
|
the key being imported. (import_keys_internal, import_keys_stream,
import): Change all callers.
|
|
--no-auto-key-locate.
* options.h, gpg.c (main): Keep track of each keyserver registered so
we can match on them later.
* keyserver-internal.h, keyserver.c (cmp_keyserver_spec,
keyserver_match), gpgv.c: New. Find a keyserver that matches ours and
return its spec.
* getkey.c (get_pubkey_byname): Use it here to get the per-keyserver
options from an earlier keyserver.
|
|
used.
|
|
treatment of include-revoked, include-subkeys, and try-dns-srv. These are
keyserver features, and GPG shouldn't get involved here.
|
|
options to the list, as ordering may be significant to the user.
|
|
(parse_keyserver_options): Moved from here. (parse_keyserver_uri): Use it
here so each keyserver can have some private options in addition to the
main keyserver-options (e.g. per-keyserver auth).
|
|
getkey.c (free_akl, parse_auto_key_locate, get_pubkey_byname): The obvious
next step: allow arbitrary keyservers in the auto-key-locate list.
|
|
auto-cert-retrieve as it is no longer meaningful. Add max-cert-size to
allow users to pick a max key size retrieved via CERT.
|
|
(keyserver_opts): Rename auto-pka-retrieve to honor-pka-record to be
consistent with honor-keyserver-url.
|
|
importing at -r time. The URL in the PKA record may point to a key put in
by an attacker. Fix is to use the fingerprint from the PKA record as the
recipient. This ensures that the PKA record is followed.
* keyserver-internal.h, keyserver.c (keyserver_import_pka): Return the
fingerprint we requested.
|
|
* keyserver-internal.h, keyserver.c (keyserver_import_ldap): Import using
the PGP Universal trick of asking ldap://keys.(maildomain) for the key.
|
|
even when we've assumed "hkp" when there was no scheme.
|
|
direct_uri flag so the right keyserver helper is run.
|
|
keyserver helpers on systems that use extensions.
* misc.c (path_access) [HAVE_DRIVE_LETTERS]: Do the right thing with
drive letter systems.
|
|
in a refresh batch has a preferred keyserver set. Noted by Nicolas
Rachinsky.
|
|
(keyserver_import_pka), card-util.c (fetch_url): Always require a
scheme:// for keyserver URLs except when used as part of the
--keyserver command for backwards compatibility.
|
|
getkey.c:get_pubkey_byname which was getting crowded.
* keyserver.c (keyserver_import_cert): Import a key found in DNS via CERT
records. Can handle both the PGP (actual key) and IPGP (URL) CERT types.
* getkey.c (get_pubkey_byname): Call them both here.
* options.h, keyserver.c (parse_keyserver_options): Add
"auto-cert-retrieve" option with optional max size argument.
|
|
* keyserver-internal.h, keyserver.c (keyserver_spawn, keyserver_work,
keygerver_getname): New keyserver_getname function to fetch keys by name.
* getkey.c (get_pubkey_byname): Call it here to enable locating keys by
full mailbox from a keyserver a la PKA. Try PKA first, though, as it is
likely to be faster.
|
|
|
|
--fetch-keys so we don't rebuild the trustdb after each fetch.
|
|
|
|
keyserver_fetch): Set a flag to indicate that we're doing a direct URI
fetch so we can differentiate between a keyserver operation and a URI
fetch for protocols like LDAP that can do either.
|
|
when fetching a URI.
* keyserver-internal.h, keyserver.c (keyserver_fetch): New. Fetch an
arbitrary URI using the keyserver helpers.
* gpg.c (main): Call it from here for --fetch-keys.
|
|
strings in xxx-options commands.
* keyserver.c (keyserver_opts), import.c (parse_import_options),
export.c (parse_export_options), g10.c (parse_list_options, main):
Add help strings to xxx-options.
|
|
algorithms.
* keyedit.c (sign_uids): Don't request a signing key to make a
certification.
* keygen.c (do_add_key_flags): Force the certify flag on for all
primary keys, as the spec requires primary keys must be able to
certify (if nothing else, which key is going to issue the user ID
signature?) (print_key_flags): Show certify flag. (ask_key_flags,
ask_algo): Don't allow setting the C flag for subkeys.
* keyid.c (usagestr_from_pk), getkey.c (parse_key_usage): Distinguish
between a sign/certify key and a certify-only key.
|
|
* main.h, misc.c (path_access): New. Same as access() but does a PATH
search like execlp.
* keyserver.c (curl_can_handle): Removed. Replaced by...
(curl_cant_handle): We are now relying on curl as the handler of last
resort. This is necessary because PGP LDAP and curl LDAP are apples
and oranges. (keyserver_typemap): Only test for ldap and ldaps.
(keyserver_spawn): If a given handler is unusable (as determined by
path_access()) then try gpgkeys_curl.
|
|
so that gpg can get the key from DNS. This helps with opportunistic
encryption. No integration with the trust modell yet.
|
|
|
|
report that it can handle it, and we don't want it to.
|
|
* g10.c, options.h: New option --exit-on-status-write-error.
* status.c (write_status_text): Make use of this option.
|
|
to see if it can handle a particular protocol. (keyserver_typemap): Call
it here.
* Makefile.am: Pull in libcurl for curl_version_info() if used.
|
|
* export.c (parse_export_options): New option
export-reset-subkey-passwd.
(do_export_stream): Implement it.
* misc.c (get_libexecdir): New.
* keyserver.c (keyserver_spawn): Use it
|
|
|
|
* sign.c (hash_for): Comments.
|
