------BEGIN PGP SIGNED MESSAGE-----
+ The GNU Privacy Guard 2
+ =========================
+ Version 1.9.x
- GnuPG - The GNU Privacy Guard
- -------------------------------
- Version 0.9.9
- GnuPG is now in Beta test and you should report all bugs to the
- mailing list (see below). The 0.9.x versions are released mainly
- to fix all remaining serious bugs. As soon as version 1.0 is out,
- development will continue with a 1.1 series and bug fixes for the
- 1.0 version as needed.
+GnuPG 1.9 is the future version of GnuPG; it is based on the gnupg-1.3
+code and the previous newpg package. It will eventually lead to a
+GnuPG 2.0 release. Note that GnuPG 1.3 and 1.9 are not always in sync
+and thus features and bug fixes done in 1.3 are not necessary
+available in 1.9.
- GnuPG works best on GNU/Linux or *BSD. Other Unices are
- also supported but are not as well tested as the Free Unices.
- Please verify the tar file with the PGP2 or OpenPGP
- signatures provided. My PGP2 key is well known and published in
- the "Global Trust Register for 1998", ISBN 0-9532397-0-5.
- I have included my pubring as "g10/pubring.asc", which contains
- the key used to make GnuPG signatures:
+BUILD INSTRUCTIONS
+==================
- "pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>"
- "Key fingerprint = 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD"
+GnuPG 1.9 depends on the following packages:
- You may want to add this DSA key to your GnuPG pubring and use it in
- the future to verify new releases. Because you verified this README
- file and _checked_that_it_is_really_my PGP2 key 0C9857A5, you can be
- quite sure that the above fingerprint is correct.
+ libgpg-error (ftp://ftp.gnupg.org/gcrypt/alpha/libgpg-error/)
+ libgcrypt (ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/)
+ libassuan (ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/)
+ libksba (ftp://ftp.gnupg.org/gcrypt/alpha/libksba/)
+
+You also need the pinentry package for most function of GnupG; however
+it is not a build requirement. pinentry is available at
+ftp://ftp.gnupg.org/gcrypt/pinentry/ .
- Please subscribe to announce@gnupg.org by sending a mail with
- a subject of "subscribe" to "announce-request@gnupg.org". If you
- have problems, please subscribe to "gnupg-users@gnupg.org" by sending
- mail with the subject "subscribe" to "gnupg-users-request@gnupg.org"
- and ask there. The gnupg.org domain is hosted in Germany to avoid
- possible legal problems (technical advices may count as a violation
- of ITAR).
+You should get the latest versions of course, the GnuPG configure
+script complains if a version is not sufficient.
- See the file COPYING for copyright and warranty information.
+After building and installing the above packages in the order as given
+above, you may now continue with GnupG installation (you may also just
+try to build GnuPG to see whether your already installed versions are
+sufficient).
- GnuPG is in compliance with RFC2440 (OpenPGP), see doc/OpenPGP for
- details.
+As with all packages, you just have to do
- Because GnuPG does not use use any patented algorithm it cannot be
- compatible with PGP2 versions. PGP 2.x uses only IDEA (which is
- patented worldwide) and RSA (which is patented in the United States
- until Sep 20, 2000).
+ ./configure
+ make
+ make install
- The default algorithms are DSA and ElGamal. ElGamal for signing
- is still available, but because of the larger size of such
- signatures it is deprecated (Please note that the GnuPG
- implementation of ElGamal signatures is *not* insecure). Symmetric
- algorithms are: 3DES, Blowfish, CAST5 and Twofish (GnuPG does not
- yet create Twofish encrypted messages because there no agreement
- in the OpenPG WG on how to use it together with a MDC algorithm)
- Digest algorithms available are MD5, RIPEMD160, SHA1, and TIGER/192.
+(Before doing install you might need to become root.)
+If everything succeeds, you have a working GnuPG with support for
+S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
+that this package won't confict with a GnuPG 1.2 or1.3
+installation. gpg2 behaves just like gpg and it is possible to symlink
+oto gpg if you want to use gpg 1.9.
- Installation
- ------------
+In case of problem please ask on gpa-dev@gnupg.org for advise. Note
+that this release is only expected to build on GNU and *BSD systems.
- Please read the file INSTALL!
+A texinfo manual named `gnupg.info' will get installed. Some commands
+and options given below. See also the section `SMARTCARD INTRO'.
- Here is a quick summary:
- 1) "./configure"
+COMMANDS
+========
- 2) "make"
+gpgsm:
+------
- 3) "make install"
+--learn-card
- 4) You end up with a "gpg" binary in /usr/local/bin.
- Note: Because some programs rely on the existence of a
- binary named "gpgm"; you should install a symbolic link
- from gpgm to gpg:
- $ cd /usr/local/bin; ln -s gpg gpgm
+ Read information about the private keys from the smartcard and
+ import the certificates from there.
- 5) To avoid swapping out of sensitive data, you can install "gpg" as
- suid root. If you don't do so, you may want to add the option
- "no-secmem-warning" to ~/.gnupg/options
+--export
+ Export all certificates stored in the Keybox or those specified on
+ the command line. When using --armor a few informational lines are
+ prepended before each block.
- Introduction
- ------------
+gpg2:
+-----
- This is a brief overview how to use GnuPG - it is strongly suggested
- that you read the manual^H^H^H more information about the use of
- cryptography. GnuPG is only a tool, secure results require that YOU
- KNOW WHAT YOU ARE DOING.
+--card-status
- If you already have a DSA key from PGP 5 (they call them DH/ElGamal)
- you can simply copy the pgp keyrings over the GnuPG keyrings after
- running gpg once to create the correct directory.
+ Show information pertaining smartcards implementing the OpenPGP
+ application.
- The normal way to create a key is
+--change-pin
- gpg --gen-key
+ Offers a menu to change the PIN of OpenPGP smartcards and to reset
+ the retry counters.
- This asks some questions and then starts key generation. To create
- good random numbers for the key parameters, GnuPG needs to gather
- enough noise (entropy) from your system. If you see no progress
- during key generation you should start some other activities such
- as mouse moves or hitting on the CTRL and SHIFT keys.
+--card-edit
- Generate a key ONLY on a machine where you have direct physical
- access - don't do it over the network or on a machine used also
- by others - especially if you have no access to the root account.
+ Offers a menu to change any data object on the card and to generate
+ the keys.
- When you are asked for a passphrase use a good one which you can
- easy remember. Don't make the passphrase too long because you have
- to type it for every decryption or signing; but, - AND THIS IS VERY
- IMPORTANT - use a good one that is not easily to guess because the
- security of the whole system relies on your secret key and the
- passphrase that protects it when someone gains access to your secret
- keyring. A good way to select a passphrase is to figure out a short
- nonsense sentence which makes some sense for you and modify it by
- inserting extra spaces, non-letters and changing the case of some
- characters - this is really easy to remember especially if you
- associate some pictures with it.
- Next, you should create a revocation certificate in case someone
- gets knowledge of your secret key or you forgot your passphrase
+OPTIONS
+=======
- gpg --gen-revoke your_user_id
+gpgsm:
+------
- Run this command and store the revocation certificate away. The output
- is always ASCII armored, so that you can print it and (hopefully
- never) re-create it if your electronic media fails.
+--include-certs <n>
- Now you can use your key to create digital signatures
+ Using N of -2 includes all certificate except for the Root cert,
+ -1 includes all certs, 0 does not include any certs, 1 includes only
+ the signers cert (this is the default) and all other positives
+ values include up to N certs starting with the signer cert.
+
+--policy-file <filename>
- gpg -s file
+ Chnage the deault name of the policy file
- This creates a file "file.gpg" which is compressed and has a
- signature attached.
+--enable-policy-checks
+--disable-policy-checks
- gpg -sa file
+ By default policy checks are enabled. These options may be used to
+ change it.
- Same as above, but creates a file "file.asc" which is ASCII armored
- and and ready for sending by mail. It is better to use your
- mailers features to create signatures (The mailer uses GnuPG to do
- this) because the mailer has the ability to MIME encode such
- signatures - but this is not a security issue.
+--enable-crl-checks
+--disable-crl-checks
- gpg -s -o out file
+ By default the CRL checks are enabled and the DirMngr is used to
+ check for revoked certificates. The disable option is most useful
+ with a off-line connection to suppres this check.
- Creates a signature of "file", but writes the output to the file
- "out".
+--agent-program <path_to_agent_program>
- Everyone who knows your public key (you can and should publish
- your key by putting it on a key server, a web page or in your .plan
- file) is now able to check whether you really signed this text
+ Specify an agent program to be used for secret key operations. The
+ default value is "../agent/gpg-agent". This is only used as a
+ fallback when the envrionment varaibale GPG_AGENT_INFO is not set or
+ a running agent can't be connected.
+
+--dirmngr-program <path_to_dirmgr_program>
- gpg --verify file
+ Specify a dirmngr program to be used for CRL checks. The default
+ value is "/usr/sbin/dirmngr". This is only used as a fallback when
+ the environment varaibale DIRMNGR_INFO is not set or a running
+ dirmngr can't be connected.
- GnuPG now checks whether the signature is valid and prints an
- appropriate message. If the signature is good, you know at least
- that the person (or machine) has access to the secret key which
- corresponds to the published public key.
+--no-secmem-warning
- If you run gpg without an option it will verify the signature and
- create a new file that is identical to the original. gpg can also
- run as a filter, so that you can pipe data to verify trough it
+ Don't print the warning "no secure memory"
- cat signed-file | gpg | wc -l
+--armor
- which will check the signature of signed-file and then display the
- number of lines in the original file.
+ Create PEM ecoded output. Default is binary output.
- To send a message encrypted to someone you can use
+--base64
- gpg -e -r heine file
+ Create Base-64 encoded output; i.e. PEM without the header lines.
- This encrypts "file" with the public key of the user "heine" and
- writes it to "file.gpg"
+--assume-armor
- echo "hello" | gpg -ea -r heine | mail heine
+ Assume the input data is PEM encoded. Default is to autodetect the
+ encoding but this is may fail.
- Ditto, but encrypts "hello\n" and mails it as ASCII armored message
- to the user with the mail address heine.
-
- gpg -se -r heine file
-
- This encrypts "file" with the public key of "heine" and writes it
- to "file.gpg" after signing it with your user id.
-
- gpg -se -r heine -u Suttner file
-
- Ditto, but sign the file with your alternative user id "Suttner"
-
-
- GnuPG has some options to help you publish public keys. This is
- called "exporting" a key, thus
-
- gpg --export >all-my-keys
-
- exports all the keys in the keyring and writes them (in a binary
- format) to "all-my-keys". You may then mail "all-my-keys" as an
- MIME attachment to someone else or put it on an FTP server. To
- export only some user IDs, you give them as arguments on the command
- line.
-
- To mail a public key or put it on a web page you have to create
- the key in ASCII armored format
-
- gpg --export --armor | mail panther@tiger.int
-
- This will send all your public keys to your friend panther.
-
- If you have received a key from someone else you can put it
- into your public keyring. This is called "importing"
-
- gpg --import [filenames]
-
- New keys are appended to your keyring and already existing
- keys are updated. Note that GnuPG does not import keys that
- are not self-signed.
-
- Because anyone can claim that a public key belongs to her
- we must have some way to check that a public key really belongs
- to the owner. This can be achieved by comparing the key during
- a phone call. Sure, it is not very easy to compare a binary file
- by reading the complete hex dump of the file - GnuPG (and nearly
- every other program used for management of cryptographic keys)
- provides other solutions.
-
- gpg --fingerprint <username>
-
- prints the so called "fingerprint" of the given username which
- is a sequence of hex bytes (which you may have noticed in mail
- sigs or on business cards) that uniquely identifies the public
- key - different keys will always have different fingerprints.
- It is easy to compare fingerprints by phone and I suggest
- that you print your fingerprint on the back of your business
- card. To see the fingerprints of the secondary keys, you can
- give the command twice; but this is normally not needed.
-
- If you don't know the owner of the public key you are in trouble.
- Suppose however that friend of yours knows someone who knows someone
- who has met the owner of the public key at some computer conference.
- Suppose that all the people between you and the public key holder
- may now act as introducers to you. Introducers signing keys thereby
- certify that they know the owner of the keys they sign. If you then
- trust all the introducers to have correctly signed other keys, you
- can be be sure that the other key really belongs to the one who
- claims to own it..
-
- There are 2 steps to validate a key:
- 1. First check that there is a complete chain
- of signed keys from the public key you want to use
- and your key and verify each signature.
- 2. Make sure that you have full trust in the certificates
- of all the introduces between the public key holder and
- you.
- Step 2 is the more complicated part because there is no easy way
- for a computer to decide who is trustworthy and who is not. GnuPG
- leaves this decision to you and will ask you for a trust value
- (here also referenced as the owner-trust of a key) for every key
- needed to check the chain of certificates. You may choose from:
- a) "I don't know" - then it is not possible to use any
- of the chains of certificates, in which this key is used
- as an introducer, to validate the target key. Use this if
- you don't know the introducer.
- b) "I do not trust" - Use this if you know that the introducer
- does not do a good job in certifying other keys. The effect
- is the same as with a) but for a) you may later want to
- change the value because you got new information about this
- introducer.
- c) "I trust marginally" - Use this if you assume that the
- introducer knows what he is doing. Together with some
- other marginally trusted keys, GnuPG validates the target
- key then as good.
- d) "I fully trust" - Use this if you really know that this
- introducer does a good job when certifying other keys.
- If all the introducer are of this trust value, GnuPG
- normally needs only one chain of signatures to validate
- a target key okay. (But this may be adjusted with the help
- of some options).
- This information is confidential because it gives your personal
- opinion on the trustworthiness of someone else. Therefore this data
- is not stored in the keyring but in the "trustdb"
- (~/.gnupg/trustdb.gpg). Do not assign a high trust value just
- because the introducer is a friend of yours - decide how well she
- understands the implications of key signatures and you may want to
- tell her more about public key cryptography so you can later change
- the trust value you assigned.
-
- Okay, here is how GnuPG helps you with key management. Most stuff
- is done with the --edit-key command
-
- gpg --edit-key <keyid or username>
-
- GnuPG displays some information about the key and then prompts
- for a command (enter "help" to see a list of commands and see
- the man page for a more detailed explanation). To sign a key
- you select the user ID you want to sign by entering the number
- that is displayed in the leftmost column (or do nothing if the
- key has only one user ID) and then enter the command "sign" and
- follow all the prompts. When you are ready, give the command
- "save" (or use "quit" to cancel your actions).
-
- If you want to sign the key with another of your user IDs, you
- must give an "-u" option on the command line together with the
- "--edit-key".
-
- Normally you want to sign only one user ID because GnuPG
- uses only one and this keeps the public key certificate
- small. Because such key signatures are very important you
- should make sure that the signatories of your key sign a user ID
- which is very likely to stay for a long time - choose one with an
- email address you have full control of or do not enter an email
- address at all. In future GnuPG will have a way to tell which
- user ID is the one with an email address you prefer - because
- you have no signatures on this email address it is easy to change
- this address. Remember, your signatories sign your public key (the
- primary one) together with one of your user IDs - so it is not possible
- to change the user ID later without voiding all the signatures.
-
- Tip: If you hear about a key signing party on a computer conference
- join it because this is a very convenient way to get your key
- certified (But remember that signatures have nothing to to with the
- trust you assign to a key).
-
-
- 8 Ways to Specify a User ID
- --------------------------
- There are several ways to specify a user ID, here are some examples.
-
- * Only by the short keyid (prepend a zero if it begins with A..F):
-
- "234567C4"
- "0F34E556E"
- "01347A56A"
- "0xAB123456
+--assume-base64
- * By a complete keyid:
+ Assume the input data is plain base-64 encoded.
- "234AABBCC34567C4"
- "0F323456784E56EAB"
- "01AB3FED1347A5612"
- "0x234AABBCC34567C4"
+--assume-binary
- * By a fingerprint:
+ Assume the input data is binary encoded.
- "1234343434343434C434343434343434"
- "123434343434343C3434343434343734349A3434"
- "0E12343434343434343434EAB3484343434343434"
+--server
- The first one is MD5 the others are ripemd160 or sha1.
+ Run in server mode. This is used by GPGME to control gpgsm. See
+ the assuan specification regarding gpgsm about the used protocol.
+ Some options are ignored in server mode.
- * By an exact string:
+--local-user <user_id>
- "=Heinrich Heine <heinrichh@uni-duesseldorf.de>"
+ Set the user to be used for signing. The default is the first
+ secret key found in the database.
- * By an email address:
+--with-key-data
- "<heinrichh@uni-duesseldorf.de>"
+ Displays extra information with the --list-keys commands. Especially
+ a line tagged "grp" is printed which tells you the keygrip of a
+ key. This is string is for example used as the filename of the
+ secret key.
- * By word match
- "+Heinrich Heine duesseldorf"
- All words must match excatly (not case sensitive) and appear in
- any order in the user ID. Words are any sequences of letters,
- digits, the underscore and characters with bit 7 set.
+gpg-agent:
+---------
- * By the Local ID (from the trust DB):
+--pinentry-program <path_to_pinentry_program>
- "#34"
+ Specify the PINentry program. The default value is
+ "<prefix>/bin/pinentry" so you most likely want to specify it.
- This may be used by a MUA to specify an exact key after selecting
- a key from GnuPG (by using a special option or an extra utility)
+--no-grab
- * Or by the usual substring:
+ Tell the pinentry not to grab keybourd and mouse. You most likely
+ want to give this option during testing and development to avoid
+ lockups in case of bugs.
- "Heine"
- "*Heine"
+
+scdaemon:
+--------
- The '*' indicates substring search explicitly.
+--ctapi-driver <libraryname>
+ The default for Scdaemon is to use the PC/SC API currently provided
+ by libpcsclite.so. As an alternative the ctAPI can be used by
+ specify this option with the appropriate driver name
+ (e.g. libtowitoko.so).
- Batch mode
- ----------
- If you use the option "--batch", GnuPG runs in non-interactive mode and
- never prompts for input data. This does not even allow entering the
- passphrase. Until we have a better solution (something like ssh-agent),
- you can use the option "--passphrase-fd n", which works like PGPs
- PGPPASSFD.
+--reader-port <portname>
- Batch mode also causes GnuPG to terminate as soon as a BAD signature is
- detected.
+ This specifies the port of the chipcard reader. For PC/SC this is
+ currently ignored and the first PC/SC reader is used. For the
+ ctAPI, a number must be specified (the default is 32768 for the
+ first USB port).
+--disable-ccid
- Exit status
- -----------
- GnuPG returns with an exit status of 1 if in batch mode and a bad signature
- has been detected or 2 or higher for all other errors. You should parse
- stderr or, better, the output of the fd specified with --status-fd to get
- detailed information about the errors.
+ Disable the integrated support for CCID compliant readers. This
+ allows to fall back to one of the other drivers even if the internal
+ CCID driver can handle the reader. Note, that CCID support is only
+ available if libusb was available at build time.
- Esoteric commands
- -----------------
+FILES
+=====
- gpg --list-packets datafile
+The default home directory is ~/.gnupg. It can be changed by
+either the --homedir option or by seting the environment variable
+GNUPGHOME. This is a list of files usually found in this directory:
- Use this to list the contents of a data file. If the file is encrypted
- you are asked for the passphrase, so that GnuPG is able to look at the
- inner structure of a encrypted packet. This command should list all
- kinds of rfc2440 messages.
+gpgsm.conf
- gpgm --list-trustdb
+ Options for gpgsm. Options are the same as the command line
+ options but don't enter the leading dashes and give arguments
+ without an equal sign. Blank lines and lines starting with a
+ hash mark as the first non whitye space character are ignored.
- List the contents of the trust DB in a human readable format
+gpg-agent.conf
+
+ Options for gpg-agent
- gpgm --list-trustdb <usernames>
+scdaemon.conf
- List the tree of certificates for the given usernames
+ Options for scdaemon.
- gpgm --list-trust-path username
+dirmngr.conf
- List the possible trust paths for the given username. The length
- of such a trust path is limited by the option --max-cert-depth
- which defaults to 5.
+ Options for the DirMngr which is not part of this package and
+ the option file wilol most likely be moved to /etc
- For more options/commands see the man page or use "gpg --help".
+gpg.conf
+
+ Options for gpg. Note that old versions of gpg use the
+ filename `options' instead of `gpg.conf'.
+gpg.conf-1.9.x
- Other Notes
- -----------
+ Options for gpg; tried before gpg.conf
- The primary FTP site is "ftp://ftp.gnupg.org/pub/gcrypt/"
- The primary WWW page is "http://www.gnupg.org"
- See http://www.gnupg.org/mirrors.html for a list of FTP mirrors
- and use them if possible.
+policies.txt
+
+ A list of allowed CA policies. This file should give the
+ object identifiers of the policies line by line. Empty lines
+ and lines startung with a hash mark are ignored.
+
+ ++++++++++
+ 2.289.9.9
+ ++++++++++
+
+trustlist.txt
+
+ A list of trusted certificates usually maintained by
+ gpg-agent. It can however be edited manually. The file will
+ be created automagically with some explaining comments.
+
+random_seed
+
+ Used internally for keeping the state of the RNG over
+ invocations.
+
+pubring.kbx
+
+ The database file with the certificates.
+
+pubring.gpg
+
+ The database file with the OpenPGP public keys. This will
+ eventually be merged with pubring.kbx
+
+secring.gpg
+
+ The database file with the OpenPGP secret keys. This will be
+ removed when gpg is changed to make use of the gpg-agent.
+
+
+private-keys-v1.d/
+
+ Directory holding the private keys maintained by gpg-agent.
+ For detailed info see agent/keyformat.txt. Note that there is
+ a helper tool gpg-protect-tool which may be used to protect or
+ unprotect keys. This is however nothing a user should care
+ about.
+
+
+SOURCE FILES
+============
+
+Here is a list of directories with source files:
+
+jnlib/ utility functions
+kbx/ keybox library
+g10/ the gpg program here called gpg2
+sm/ the gpgsm program
+agent/ the gpg-agent
+scd/ the smartcard daemon
+doc/ documentation
+
+
+
+HOW TO SPECIFY A USER ID
+========================
+
+Due to the way X.509 certificates are made up we need a few new ways
+to specify a certificate (aka key in OpenPGP). In addition to the
+ways a user ID can be specified with gpg, I have implemented 3 new
+modes for gpgsm, here is the entire list of ways to specify a key:
+
+ * By keyID.
+
+ This format is deducded from the length of the string and its
+ content or "0x" prefix. For use with OpenPGP a exclamation mark may
+ be appended to force use of the specified (sub)key.
+
+ As with v34 OpenPGP keys, the keyID of an X509 certificate are the
+ low 64 bits of the SHA-1 fingerprint. The use of keyIDs is just a
+ shortcut, for all automated processing the fingerprint should be
+ used.
+
+ Examples:
+
+ 234567C4
+ 0F34E556E
+ 01347A56A
+ 0xAB123456
+
+ 234AABBCC34567C4
+ 0F323456784E56EAB
+ 01AB3FED1347A5612
+ 0x234AABBCC34567C4
+
+ * By fingerprint
+
+ This is format is deduced from the length of the string and its
+ content or "0x" prefix. Note, that only the 20 byte fingerprint is
+ used with GPGSM (SHA-1 hash of the certificate). For use with
+ OpenPGP a exclamation mark may be appended to force use of the
+ specified (sub)key.
+
+ Examples:
+
+ 1234343434343434C434343434343434
+ 123434343434343C3434343434343734349A3434
+ 0E12343434343434343434EAB3484343434343434
+ 0xE12343434343434343434EAB3484343434343434
+
+ * Exact match on OpenPGP user ID
+
+ This is denoted by a leading equal sign. It does not make much
+ sense for X.509.
+
+ Example:
+
+ =Heinrich Heine <heinrichh@uni-duesseldorf.de>
+
+ * Exact match on an email address.
+
+ This is indicated by enclosing the email address in the usual way
+ with left and right angles
+
+ Example:
+
+ <heinrichh@uni-duesseldorf.de>
+
+ * Word match
+
+ All words must match exactly (not case sensitive) but can appear in
+ any order in the user ID or a subjects name. Words are any
+ sequences of letters, digits, the underscore and all characters
+ with bit 7 set.
+
+ Example:
+
+ +Heinrich Heine duesseldorf
+
+ * [NEW] Exact match by subject's DN
+
+ This is indicated by a leading slash, directly followed by the
+ rfc2253 encoded DN of the subject. Note that you can't use the
+ string printed by "gpgsm --list-keys" because that one as been
+ reordered and modified for better readability; use --with-colons to
+ print the raw (but standard escaped) rfc2253 string
+
+ Example:
+
+ /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
+
+ * [NEW] Excact match by issuer's DN
+
+ This is indicated by a leading hash mark, directly followed by a
+ slash and then directly followed by the rfc2253 encoded DN of the
+ issuer. This should return the Root cert of the issuer. See note
+ above.
+
+ Example:
+
+ #/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * [NEW] Exact match by serial number and subject's DN
+
+ This is indicated by a hash mark, followed by the hexadecmal
+ representation of the serial number, the followed by a slahs and
+ the RFC2253 encoded DN of the issuer. See note above.
+
+ Example:
+
+ #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * Substring match
+
+ By case insensitive substring matching. This is the default mode
+ but applications may want to explicitly indicate this by putting
+ the asterisk in front.
+
+ Example:
+
+ Heine
+ *Heine
+
+
+Please note that we have reused the hash mark indentifier which was
+used in old GnuPG versions to indicate the so called local-id. It is
+not anymore used and there should be no conflict when used with X.509
+stuff.
+
+Using the rfc2253 format of DNs has the drawback that it is not
+possible to map them back to the original encoding, however we don't
+have to do this, because our key database stores this encoding as meta
+data.
+
+Some of the search modes are not yet implemented ;-)
+
+
+HOW TO IMPORT A PRIVATE KEY
+===========================
+There is some limited support to import a private key from a PKCS-12
+file.
+
+ gpgsm --import foo.p12
+
+This require that the gpg-agent is running.
+
+
+HOW TO EXPORT A PRIVATE KEY
+===========================
+There is also limited support to export a private key in PKCS-12
+format. However the certificate is not stored and there is no MAC applied.
+
+ gpgsm --call-protect-tool --p12-export foo.key >foo.p12
+
+
+SMARTCARD INTRO
+===============
+
+GPG, the OpenPGP part of GnuPG, supports the OpenPGP smartcard
+(surprise!); see http://g10code.com/p-card.html.
+
+[Fixme: We need to explain this further]
+
+
+GPGSM, the CMS (S/MIME) part of GnuPG, supports two kinds of
+smartcards. The most flexible way is to use PKCS#15 compliant cards,
+however you must have build GnuPG with support for the OpenSC library.
+The build process automagically detects the presence of this library
+and will include support for these cards.
+
+The other card we currently support is the Telesec NetKey card with
+the NKS 2.0 card application.
+
+Before GPGSM can make use of a new card it must gather some
+information, like the card's serial number, the public keys and the
+certificates stored on the card. Thus for a new card you need to run
+the command
+
+ gpgsm --learn-card
+
+once. This is also a good test to see whether your card reader is
+properly installed. See below in case of error. Once this has been
+done you may use the keys stored on the card in the same way you use
+keys stored on the disk. gpgsm automagically knows whether a card is
+required and will pop up the pinentry to ask you to insert the
+correct card.
+
+For selecting the driver, see the options of scdaemon. A useful
+debugging flag is "--debug 2048" showing the communication between
+scdaemon and the reader.
+
+[fixme: write more stuff]
- To avoid possible legal problems we have decided, not to use
- the normal www.gnu.org webserver.
- Please direct bug reports to <gnupg-bugs@gnu.org> or post
- them direct to the mailing list <gnupg-devel@gnupg.org>.
- Please direct questions about GnuPG to the users mailing list or
- one of the pgp newsgroups and give me more time to improve
- GnuPG. Commercial support for GnuPG is also available; please
- see the GNU service directory or search other resources.
- Have fun and remember: Echelon is looking at you kid.
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v0.9.8a (GNU/Linux)
-Comment: For info see http://www.gnupg.org
-iQB1AwUBN5g4Lx0Z9MEMmFelAQE+RwL/Ws+kNklTHJnABT8YU8BqN8x310DyUm+e
-ViS23npv3S/kRnHbCOOQo4cEjUYZFFrJXzQgodBvKbLVzMgdj4XQvkulTSBYK6pm
-B7GeQptWRCNJ7m+Hw0Z4gwJ7giQTdfF8
-=pJ7c
------END PGP SIGNATURE-----
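Review bot: The rewrite drops the release-verification guidance without a replacement: the removed lines "Please verify the tar file with the PGP2 or OpenPGP signatures provided" and the signing-key fingerprint ("Key fingerprint = 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD") have no counterpart in the new README, and the file is no longer clearsigned (the "-----BEGIN PGP SIGNED MESSAGE-----" wrapper is removed). The BUILD INSTRUCTIONS section should keep a short paragraph telling users to verify the tarball signature against the current release key before building, since this README is the first thing a downloader reads. Three further points in the added text: (1) the "[NEW] Exact match by serial number and subject's DN" entry is internally inconsistent, its heading says subject's DN while the body says "the RFC2253 encoded DN of the issuer" and the example "#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR" names a root cert, so one of heading or body needs correcting; (2) the documented default for --agent-program, "../agent/gpg-agent", is a relative path, which only makes sense inside the build tree, and the README should say so (or document the installed absolute default) rather than present a cwd-relative binary path as the fallback for secret key operations; (3) "As with v34 OpenPGP keys" presumably means v4 keys. Finally, the added lines carry a large number of typos that will be copied into the texinfo manual if left ("Chnage the deault", "envrionment varaibale", "keybourd", "suppres", "ecoded", "wilol", "startung", "confict", "or1.3", "oto gpg", "whitye", "deducded", "Excact", "hexadecmal", "slahs", "indentifier", "seting", "advise" for "advice", "most function" for "most functions"); a spell-check pass before merge is warranted, and "Some of the search modes are not yet implemented ;-)" should name which ones so users do not rely on them.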