gpg: Align notes about minimal keysize with actual checks.

[gnupg.git] / README

diff --git a/README b/README
index d56ea71..f1215ef 100644 (file)
--- a/README
+++ b/README
@@ -1,418 +1,232 @@
-GnuPG 1.9 is a temporary project to work on GnuPG extensions; it is a
-merke fo gnupg 1.3 and the old newpg package.  It will eventually lead
-to a GnuPG 2.0 release.
+                       The GNU Privacy Guard 2
+                      =========================
+                             Version 2.1

 
 

-jnlib/  utility functions
-kbx/    keybox library
-g10/    the gpg program here called gpg2
-sm/     the gpgsm program
-agent/  the gpg-agent
-scd/    the smartcard daemon
+          Copyright 1997-2015 Werner Koch
+          Copyright 1998-2015 Free Software Foundation, Inc.

 
 
 
 

-You need the libgpg-error package.  Libassuan, Libksba and Libgcrypt
-are also required to build it.
+* INTRODUCTION

 
 

-Keybox is designed to be source include-able.
+  GnuPG is a complete and free implementation of the OpenPGP standard
+  as defined by RFC4880 (also known as PGP).  GnuPG allows to encrypt
+  and sign data and communication, features a versatile key management
+  system as well as access modules for public key directories.

 
 

-A texinfo manual `gnupg.info' will get installed.  Some commands and
-options given below.
+  GnuPG, also known as GPG, is a command line tool with features for
+  easy integration with other applications.  A wealth of frontend
+  applications and libraries making use of GnuPG are available.  Since
+  version 2 GnuPG provides support for S/MIME and Secure Shell in
+  addition to OpenPGP.

 
 

+  GnuPG is Free Software (meaning that it respects your freedom). It
+  can be freely used, modified and distributed under the terms of the
+  GNU General Public License.

 
 

-COMMANDS
-========
+  We are currently maintaining three branches of GnuPG:

 
 

-gpgsm:
-------
+  - 2.1 (i.e. this release) is the latest development with a lot of
+    new features.

 
 

---learn-card
+  - 2.0 is the current stable version for general use.

 
 

-   Read information about the private keys from the smartcard and
-   import the certificates from there.
+  - 1.4 is the old standalone version which is most suitable for older
+    or embedded platforms.

 
 

---export
+  You may not install 2.1 and 2.0 at the same time.  However, it is
+  possible to install 1.4 along with any of the 2.x versions.

 
 

-   Export all certificates stored in the Keybox or those specified on
-   the command line.  When using --armor a few informational lines are
-   prepended before each block.

 
 

+* BUILD INSTRUCTIONS

 
 

-gpg2:
------
+  GnuPG 2.1 depends on the following GnuPG related packages:

 
 

---card-status
+    npth         (ftp://ftp.gnupg.org/gcrypt/npth/)
+    libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
+    libgcrypt    (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
+    libksba      (ftp://ftp.gnupg.org/gcrypt/libksba/)
+    libassuan    (ftp://ftp.gnupg.org/gcrypt/libassuan/)

 
 

-   Show information pertaining smartcards implementing the OpenPGP
-   application.
+  You should get the latest versions of course, the GnuPG configure
+  script complains if a version is not sufficient.

 
 

---change-pin
+  For some advanced features several other libraries are required.
+  The configure script prints diagnostic messages if one of these
+  libraries is not available and a feature will not be available..

 
 

-   Offers a menu to change the PIN of OpenPGP smartcards and to reset
-   the retry counters.
+  You also need the Pinentry package for most functions of GnuPG;
+  however it is not a build requirement.  Pinentry is available at
+  ftp://ftp.gnupg.org/gcrypt/pinentry/ .

 
 

---card-edit
+  After building and installing the above packages in the order as
+  given above, you may continue with GnuPG installation (you may also
+  just try to build GnuPG to see whether your already installed
+  versions are sufficient).

 
 

-   Offers a menu to change any data object on the card and to generate
-   the keys. 
+  As with all packages, you just have to do

 
 

+    ./configure
+    make
+    make install

 
 

-OPTIONS
-=======
+  (Before doing install you might need to become root.)

 
 

-gpgsm:
-------
+  If everything succeeds, you have a working GnuPG with support for
+  OpenPGP, S/MIME, ssh-agent, and smartcards.  Note that there is no
+  binary gpg but a gpg2 so that this package won't conflict with a
+  GnuPG 1.4 installation.  gpg2 behaves just like gpg.

 
 

---include-certs <n>
+  In case of problem please ask on the gnupg-users@gnupg.org mailing
+  list for advise.

 
 

-  Using N of -2 includes all certificate except for the Root cert,
-  -1 includes all certs, 0 does not include any certs, 1 includes only
-  the signers cert (this is the default) and all other positives
-  values include up to N certs starting with the signer cert.
-  
---policy-file <filename>
+  Instruction on how to build for Windows can be found in the file
+  doc/HACKING in the section "How to build an installer for Windows".
+  This requires some experience as developer.

 
 

-  Chnage the deault name of the policy file
+  Note that the PKITS tests are always skipped unless you copy the
+  PKITS test data file into the tests/pkits directory.  There is no
+  need to run these test and some of them may even fail because the
+  test scripts are not yet complete.

 
 

---enable-policy-checks
---disable-policy-checks
+  You may run

 
 

-  By default policy checks are enabled.  These options may be used to
-  change it.
+    gpgconf --list-dirs

 
 

---enable-crl-checks
---disable-crl-checks
+  to view the default directories used by GnuPG.

 
 

-  By default the CRL checks are enabled and the DirMngr is used to
-  check for revoked certificates.  The disable option is most useful
-  with a off-line connection to suppres this check.
+  To quickly build all required software without installing it, the
+  Speedo method may be used:

 
 

---agent-program <path_to_agent_program>
+    make -f build-aux/speedo.mk  native

 
 

-  Specify an agent program to be used for secret key operations.  The
-  default value is "../agent/gpg-agent".  This is only used as a
-  fallback when the envrionment varaibale GPG_AGENT_INFO is not set or
-  a running agent can't be connected.
-  
---dirmngr-program <path_to_dirmgr_program>
+  This method downloads all required libraries and does a native build
+  of GnuPG to PLAY/inst/.  GNU make is required and you need to set
+  LD_LIBRARY_PATH to $(pwd)/PLAY/inst/lib to test the binaries.

 
 

-  Specify a dirmngr program to be used for CRL checks.  The default
-  value is "/usr/sbin/dirmngr".  This is only used as a fallback when
-  the environment varaibale DIRMNGR_INFO is not set or a running
-  dirmngr can't be connected.
+** Specific build problems on some machines:

 
 

---no-secmem-warning
+*** Apple OSX 10.x using XCode

 
 

-  Don't print the warning "no secure memory"
+  On some versions the correct location of a header file can't be
+  detected by configure.  To fix that you should run configure like
+  this

 
 

---armor
+    ./configure  gl_cv_absolute_stdint_h=/usr/include/stdint.h

 
 

-  Create PEM ecoded output.  Default is binary output. 
+  Add other options as needed.

 
 

---base64 

 
 

-  Create Base-64 encoded output; i.e. PEM without the header lines.
+* MIGRATION from 1.4 or 2.0 to 2.1

 
 

---assume-armor
+  The major change in 2.1 is gpg-agent taking care of the OpenPGP
+  secret keys (those managed by GPG).  The former file "secring.gpg"
+  will not be used anymore.  Newly generated keys are stored in the
+  agent's key store directory "~/.gnupg/private-keys-v1.d/".  The
+  first time gpg needs a secret key it checks whether a "secring.gpg"
+  exists and copies them to the new store.  The old secring.gpg is
+  kept for use by older versions of gpg.

 
 

-  Assume the input data is PEM encoded.  Default is to autodetect the
-  encoding but this is may fail.
+  Note that gpg-agent now uses a fixed socket.  All tools will start
+  the gpg-agent as needed.  The formerly used environment variable
+  GPG_AGENT_INFO is ignored by 2.1.  The SSH_AUTH_SOCK environment
+  variable should be set to a fixed value.

 
 

---assume-base64
+  The Dirmngr is now part of GnuPG proper and also used to access
+  OpenPGP keyservers.  The directory layout of Dirmngr changed to make
+  use of the GnuPG directories.  Dirmngr is started by gpg or gpgsm as
+  needed. There is no more need to install a separate Dirmngr package.

 
 

-  Assume the input data is plain base-64 encoded.

 
 

---assume-binary
+* DOCUMENTATION

 
 

-  Assume the input data is binary encoded.
+  The complete documentation is in the texinfo manual named
+  `gnupg.info'.  Run "info gnupg" to read it.  If you want a a
+  printable copy of the manual, change to the "doc" directory and
+  enter "make pdf" For a HTML version enter "make html" and point your
+  browser to gnupg.html/index.html.  Standard man pages for all
+  components are provided as well.  An online version of the manual is
+  available at [[https://gnupg.org/documentation/manuals/gnupg/]] .  A
+  version of the manual pertaining to the current development snapshot
+  is at [[https://gnupg.org/documentation/manuals/gnupg-devel/]] .

 
 

---server

 
 

-  Run in server mode.  This is used by GPGME to control gpgsm.  See
-  the assuan specification regarding gpgsm about the used protocol.
-  Some options are ignored in server mode.
+* GnuPG 1.4 and GnuPG 2.0

 
 

---local-user  <user_id>
+  GnuPG 2.0 is a newer version of GnuPG with additional support for
+  S/MIME.  It has a different design philosophy that splits
+  functionality up into several modules.  Both versions may be
+  installed simultaneously without any conflict (gpg is called gpg2 in
+  GnuPG 2).  In fact, the gpg version from GnuPG 1.4 is able to make
+  use of the gpg-agent as included in GnuPG 2 and allows for seamless
+  passphrase caching.  The advantage of GnuPG 1.4 is its smaller size
+  and no dependency on other modules at run and build time.

 
 

-  Set the user to be used for signing.  The default is the first
-  secret key found in the database.

 
 

---with-key-data
+* HOW TO GET MORE INFORMATION

 
 

-  Displays extra information with the --list-keys commands.  Especially
-  a line tagged "grp" is printed which tells you the keygrip of a
-  key.  This is string is for example used as the filename of the
-  secret key.
+  A description of new features and changes in version 2.1 can be
+  found in the file "doc/whats-new-in-2.1.txt" and online at
+  "https://gnupg.org/faq/whats-new-in-2.1.html" .

 
 

+  The primary WWW page is "https://www.gnupg.org"
+             or using Tor "http://ic6au7wa3f6naxjq.onion"
+  The primary FTP site is "ftp://ftp.gnupg.org/gcrypt/"

 
 

+  See [[https://gnupg.org/download/mirrors.html]] for a list of
+  mirrors and use them if possible.  You may also find GnuPG mirrored
+  on some of the regular GNU mirrors.

 
 

-gpg-agent:
----------
+  We have some mailing lists dedicated to GnuPG:

 
 

---pinentry-program <path_to_pinentry_program>
+     gnupg-announce@gnupg.org   For important announcements like new
+                                versions and such stuff.  This is a
+                                moderated list and has very low traffic.
+                                Do not post to this list.

 
 

-  Specify the PINentry program.  The default value is
-  "<prefix>/bin/pinentry" so you most likely want to specify it.
+     gnupg-users@gnupg.org      For general user discussion and
+                                help (English).

 
 

---no-grab
+     gnupg-de@gnupg.org         German speaking counterpart of
+                                gnupg-users.

 
 

-  Tell the pinentry not to grab keybourd and mouse.  You most likely
-  want to give this option during testing and development to avoid
-  lockups in case of bugs.
+     gnupg-ru@gnupg.org         Russian speaking counterpart of
+                                gnupg-users.

 
 

-                     
-scdaemon:
---------
+     gnupg-devel@gnupg.org      GnuPG developers main forum.

 
 

---ctapi-driver <libraryname>
+  You subscribe to one of the list by sending mail with a subject of
+  "subscribe" to x-request@gnupg.org, where x is the name of the
+  mailing list (gnupg-announce, gnupg-users, etc.). See
+  https://www.gnupg.org/documentation/mailing-lists.html for archives
+  of the mailing lists.

 
 

-  The default for Scdaemon is to use the PC/SC API currently provided
-  by libpcsclite.so.  As an alternative the ctAPI can be used by
-  specify this option with the appropriate driver name
-  (e.g. libtowitoko.so).
+  Please direct bug reports to http://bugs.gnupg.org or post them
+  direct to the mailing list <gnupg-devel@gnupg.org>.

 
 

---reader-port <portname>
-
-  This specifies the port of the chipcard reader.  For PC/SC this is
-  currently ignored and the first PC/SC reader is used.  For the
-  ctAPI, a number must be specified (the default is 32768 for the
-  first USB port).
-
-
-
-FILES
-=====
-
-The default home directory is ~/.gnupg.  It can be changed by
-either the --homedir option or by seting the environment variable
-GNUPGHOME.  This is a list of files usually found in this directory:
-
-gpgsm.conf 
-
-        Options for gpgsm.  Options are the same as the command line
-        options but don't enter the leading dashes and give arguments
-        without an equal sign.  Blank lines and lines starting with a
-        hash mark as the first non whitye space character are ignored.
-
-gpg-agent.conf
-        
-        Options for gpg-agent
-
-scdaemon.conf
-
-        Options for scdaemon.
-
-dirmngr.conf 
-
-        Options for the DirMngr which is not part of this package and
-        the option file wilol most likely be moved to /etc
-
-gpg.conf
-        
-        Options for gpg.  Note that old versions of gpg use the
-        filename `options' instead of `gpg.conf'.
-
-gpg.conf-1.9.x
-
-        Options for gpg; tried before gpg.conf
-
-
-policies.txt
-
-        A list of allowed CA policies.  This file should give the
-        object identifiers of the policies line by line.  Empty lines
-        and lines startung with a hash mark are ignored.
-
-        ++++++++++
-        2.289.9.9  
-        ++++++++++
-
-trustlist.txt
-
-        A list of trusted certificates usually maintained by
-        gpg-agent.  It can however be edited manually.  The file will
-        be created automagically with some explaining comments.
-
-random_seed
-
-        Used internally for keeping the state of the RNG over
-        invocations.
-
-pubring.kbx
-
-        The database file with the certificates. 
-
-pubring.gpg
-
-        The database file with the OpenPGP public keys.  This will
-        eventually be merged with pubring.kbx
-
-secring.gpg
-
-        The database file with the OpenPGP secret keys.  This will be
-        removed when gpg is changed to make use of the gpg-agent.
-
-
-private-keys-v1.d/
-
-        Directory holding the private keys maintained by gpg-agent.
-        For detailed info see agent/keyformat.txt. Note that there is
-        a helper tool gpg-protect-tool which may be used to protect or
-        unprotect keys.  This is however nothing a user should care
-        about.
-
-
-How to specify a user ID
-========================
-
-Due to the way X.509 certificates are made up we need a few new ways
-to specify a certificate (aka key in OpenPGP).  In addition to the
-ways a user ID can be specified with gpg, I have implemented 3 new
-modes for gpgsm, here is the entire list of ways to specify a key:
-
- * By keyID.
-
-   This format is deducded from the length of the string and its
-   content or "0x" prefix. For use with OpenPGP a exclamation mark may
-   be appended to force use of the specified (sub)key.
-
-   As with v34 OpenPGP keys, the keyID of an X509 certificate are the
-   low 64 bits of the SHA-1 fingerprint.  The use of keyIDs is just a
-   shortcut, for all automated processing the fingerprint should be
-   used.
-
-   Examples:
-
-       234567C4
-       0F34E556E
-       01347A56A
-       0xAB123456
-
-       234AABBCC34567C4
-       0F323456784E56EAB
-       01AB3FED1347A5612
-       0x234AABBCC34567C4
-
- * By fingerprint
-
-   This is format is deduced from the length of the string and its
-   content or "0x" prefix.  Note, that only the 20 byte fingerprint is
-   used with GPGSM (SHA-1 hash of the certificate).  For use with
-   OpenPGP a exclamation mark may be appended to force use of the
-   specified (sub)key.
-
-   Examples:
-
-       1234343434343434C434343434343434
-       123434343434343C3434343434343734349A3434
-       0E12343434343434343434EAB3484343434343434
-       0xE12343434343434343434EAB3484343434343434
-
- * Exact match on OpenPGP user ID
-
-   This is denoted by a leading equal sign. It does not make much
-   sense for X.509.
-
-   Example:
-
-       =Heinrich Heine <heinrichh@uni-duesseldorf.de>
-
- * Exact match on an email address.
-
-   This is indicated by enclosing the email address in the usual way
-   with left and right angles
-
-   Example:
-
-       <heinrichh@uni-duesseldorf.de>
-
- * Word match
-
-   All words must match exactly (not case sensitive) but can appear in
-   any order in the user ID or a subjects name.  Words are any
-   sequences of letters, digits, the underscore and all characters
-   with bit 7 set.
-
-   Example:
-
-       +Heinrich Heine duesseldorf
-
- * [NEW] Exact match by subject's DN
-
-   This is indicated by a leading slash, directly followed by the
-   rfc2253 encoded DN of the subject.  Note that you can't use the
-   string printed by "gpgsm --list-keys" because that one as been
-   reordered and modified for better readability; use --with-colons to 
-   print the raw (but standard escaped) rfc2253 string 
-
-   Example:
-
-      /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
-
- * [NEW] Excact match by issuer's DN
-
-   This is indicated by a leading hash mark, directly followed by a
-   slash and then directly followed by the rfc2253 encoded DN of the
-   issuer.  This should return the Root cert of the issuer.  See note
-   above.
-
-   Example:
-
-      #/CN=Root Cert,O=Poets,L=Paris,C=FR
-
- * [NEW] Exact match by serial number and subject's DN
-
-   This is indicated by a hash mark, followed by the hexadecmal
-   representation of the serial number, the followed by a slahs and
-   the RFC2253 encoded DN of the issuer. See note above.
-
-   Example:
-
-      #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
-
- * Substring match
-
-   By case insensitive substring matching.  This is the default mode
-   but applications may want to explicitly indicate this by putting
-   the asterisk in front.
-
-   Example:
-
-        Heine
-        *Heine
-
-
-Please note that we have reused the hash mark indentifier which was
-used in old GnuPG versions to indicate the so called local-id.  It is
-not anymore used and there should be no conflict when used with X.509
-stuff.
-
-Using the rfc2253 format of DNs has the drawback that it is not
-possible to map them back to the original encoding, however we don't
-have to do this, because our key database stores this encoding as meta
-data.
-
-Some of the search modes are not yet implemented ;-)
-
-
-How to import a private key
-===========================
-There is some limited support to import a private key from a PKCS-12
-file.  Note, that this does only import the private key and not any
-certificates available in that file. 
-
- gpgsm --call-protect-tool --p12-import --store  foo.p12
-
-This require that the gpg-agent is running, alternative you may give
-the passphrase on the commandline using the option "-P <passphrase>" -
-however this is in general not a good idea.  If that key already
-exists, the protect-tool refuses to store it unless you use the option
-"--force". 
-
-How to export a private key
-===========================
-There is also limited support to export a private key in PKCS-12
-format. However the certificate is not stored and there is no MAC applied.
-
- gpgsm --call-protect-tool --p12-export  foo.key  >foo.p12
+  Please direct questions about GnuPG to the users mailing list or one
+  of the PGP newsgroups; please do not direct questions to one of the
+  authors directly as we are busy working on improvements and bug
+  fixes.  The English and German mailing lists are watched by the
+  authors and we try to answer questions when time allows us.

 
 

+  Commercial grade support for GnuPG is available; for a listing of
+  offers see https://www.gnupg.org/service.html .  Maintaining and
+  improving GnuPG requires a lot of time.  Since 2001, g10 Code GmbH,
+  a German company owned and headed by GnuPG's principal author Werner
+  Koch, is bearing the majority of these costs.  To keep GnuPG in a
+  healthy state, they need your support.

 
 

+  Please consider to donate at https://gnupg.org/donate/ .
+
+
+# This file is Free Software; as a special exception the authors gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved. For conditions
+# of the whole package, please see the file COPYING.  This file is
+# distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY, to the extent permitted by law; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Local Variables:
+# mode:org
+# End: