------BEGIN PGP SIGNED MESSAGE-----
+ The GNU Privacy Guard 2
+ =========================
+ Version 1.9.x
- GnuPG - The GNU Privacy Guard
- -------------------------------
- Version 0.9
- GnuPG is now in Beta test and you should report all bugs to the
- mailing list (see below). The 0.9.x versions are mainly released
- to fix all remaining serious bugs. As soon as version 1.0 is out,
- development will continue with a 1.1 series and bug fixes for the
- 1.0 version are released as needed.
+GnuPG 1.9 is the future version of GnuPG; it is based on the gnupg-1.3
+code and the previous newpg package. It will eventually lead to a
+GnuPG 2.0 release. Note that GnuPG 1.3 and 1.9 are not always in sync
+and thus features and bug fixes done in 1.3 are not necessary
+available in 1.9.
- GnuPG works best on GNU/Linux or *BSD. Other Unices are
- also supported but not as good tested as those Freenix ones.
- Please verify the tar file; there is a PGP2 and a GnuPG/PGP5
- signature available. My PGP2 key is well known and published in
- the "Global Trust Register for 1998", ISBN 0-9532397-0-5.
- I have included my pubring as "g10/pubring.asc", which contains
- the key used to make GnuPG signatures:
- "pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>"
- "Key fingerprint = 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD"
+BUILD INSTRUCTIONS
+==================
- My new DSA key is:
- "pub 1024D/621CC013 1998-07-07 Werner Koch <werner.koch@guug.de>"
- "Key fingerprint = ECAF 7590 EB34 43B5 C7CF 3ACB 6C7E E1B8 621C C013"
+GnuPG 1.9 depends on the following packages:
- You may want add it to your GnuPG pubring and use it in the future to
- verify new releases. Because you verified this README file and
- _checked_that_it_is_really_my PGP2 key 0C9857A5, you can be sure
- that the above fingerprints are correct.
+ libgpg-error (ftp://ftp.gnupg.org/gcrypt/alpha/libgpg-error/)
+ libgcrypt (ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/)
+ libassuan (ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/)
+ libksba (ftp://ftp.gnupg.org/gcrypt/alpha/libksba/)
+
+You also need the pinentry package for most function of GnupG; however
+it is not a build requirement. pinentry is available at
+ftp://ftp.gnupg.org/gcrypt/pinentry/ .
- Please subscribe to g10@net.lut.ac.uk by sending a mail with
- the word "subscribe" in the body to "g10-request@net.lut.ac.uk".
- This mailing list is a closed one (only subscribers are allowed
- to post) to avoid misuse by folks who don't know the Netiquette
- and trash your mailspool with commercial junk.
+You should get the latest versions of course, the GnuPG configure
+script complains if a version is not sufficient.
- See the file COPYING for copyright and warranty information.
+After building and installing the above packages in the order as given
+above, you may now continue with GnupG installation (you may also just
+try to build GnuPG to see whether your already installed versions are
+sufficient).
- GnuPG is in compliance with RFC2440 (OpenPGP), see doc/OpenPGP for
- details.
+As with all packages, you just have to do
- Due to the fact that GnuPG does not use use any patented algorithm,
- it cannot be compatible with PGP2 versions; PGP 2.x does only use
- IDEA (which is patented worldwide) and RSA (which is patented in
- the United States until Sep 20, 2000).
+ ./configure
+ make
+ make install
- The default algorithms are now DSA and ElGamal. ElGamal for signing
- is still available, but due to the larger size of such signatures it
- is depreciated (Please note that the GnuPG implementation of ElGamal
- signatures is *not* insecure). Symmetric algorithms are: 3DES,
- Blowfish and CAST5 (Twofish will come soon), available digest
- algorithms are MD5, RIPEMD160, SHA1 and TIGER/192.
+(Before doing install you might need to become root.)
+If everything succeeds, you have a working GnuPG with support for
+S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
+that this package won't confict with a GnuPG 1.2 or1.3
+installation. gpg2 behaves just like gpg and it is possible to symlink
+oto gpg if you want to use gpg 1.9.
- Installation
- ------------
+In case of problem please ask on gpa-dev@gnupg.org for advise. Note
+that this release is only expected to build on GNU and *BSD systems.
- Please read the file INSTALL!
+A texinfo manual named `gnupg.info' will get installed. Some commands
+and options given below. See also the section `SMARTCARD INTRO'.
- Here is a quick summary:
- 1) "./configure"
+COMMANDS
+========
- 2) "make"
+gpgsm:
+------
- 3) "make install"
+--learn-card
- 4) You end up with the binaries "gpg" and "gpgm" in /usr/local/bin.
+ Read information about the private keys from the smartcard and
+ import the certificates from there.
- 5) Optional, but suggested: install the binary "gpg" as suid root.
+--export
+ Export all certificates stored in the Keybox or those specified on
+ the command line. When using --armor a few informational lines are
+ prepended before each block.
- Intro
- -----
- This is a brief overview how to use GnuPG - it is highly suggested
- that you read the manual^H^H^H more information about the use
- of cryptography. GnuPG is only the technical tool to do it and
- the security highly depends on that YOU KNOW WHAT YOU ARE DOING.
+gpg2:
+-----
- If you already have a DSA key from PGP 5 (they call them DH/ElGamal)
- you can simply copy the pgp keyrings over the GnuPG keyrings after
- running gpg once, so that it can create the correct directory.
+--card-status
- The normal way to create a key is:
+ Show information pertaining smartcards implementing the OpenPGP
+ application.
- gpg --gen-key
+--change-pin
- This asks some questions and then starts key generation. To create
- good random numbers for the key parameters, GnuPG needs to gather
- enough noise (entropy) from your system. If you see no progress
- during key generation you should start some other activities such
- as mouse moves or hitting on the CTRL and SHIFT keys.
+ Offers a menu to change the PIN of OpenPGP smartcards and to reset
+ the retry counters.
- Generate a key ONLY on a machine where you have direct physical
- access - don't do it over the network or on a machine used also
- by others - especially if you have no access to the root account.
+--card-edit
- When you are asked for a passphrase; use a good one which you can easy
- remember. Don't make the passphrase too long because you have to
- type it for every decryption or signing; but - AND THIS IS VERY
- IMPORTANT - use a good one which is not easily guessable as the
- security of the whole system relies on your secret key and the
- passphrase is used to protect this secret key in case someone was
- able to get access to your secret keyring. A good way to select
- a passphrase is to figure out a short nonsense sentence which makes
- some sense for you and modify it by inserting extra spaces, non-letters
- and changing the case of some characters - this is really easy to
- remember especially if you associate some pictures with it.
+ Offers a menu to change any data object on the card and to generate
+ the keys.
- Then you should create a revocation certificate in case someone
- gets knowledge of your secret key or you forgot your passphrase:
- gpg --gen-revoke your_user_id
+OPTIONS
+=======
- Run this command and store it away; output is always ASCII armored,
- so that you can print it and (hopefully never) re-create it if
- your electronic media fails.
+gpgsm:
+------
- Now you can use your key to create digital signatures:
+--include-certs <n>
- gpg -s file
+ Using N of -2 includes all certificate except for the Root cert,
+ -1 includes all certs, 0 does not include any certs, 1 includes only
+ the signers cert (this is the default) and all other positives
+ values include up to N certs starting with the signer cert.
+
+--policy-file <filename>
- This creates a file file.gpg which is compressed and has a signature
- attached.
+ Chnage the deault name of the policy file
- gpg -sa file
+--enable-policy-checks
+--disable-policy-checks
- Same as above, but creates the file.asc which is ascii armored and
- and ready for sending by mail. Note: It is better to use your
- mailers features to create signatures (The mailer uses GnuPG to do
- this) because the mailer has the ability to MIME encode such
- signatures - but this is not a security issue.
+ By default policy checks are enabled. These options may be used to
+ change it.
- gpg -s -o out file
+--enable-crl-checks
+--disable-crl-checks
- Creates a signature of file, but writes the output to the file "out".
+ By default the CRL checks are enabled and the DirMngr is used to
+ check for revoked certificates. The disable option is most useful
+ with a off-line connection to suppres this check.
- Everyone who knows your public key (you can and should publish
- your key by putting it on a key server, a web page or in your .plan
- file) is now able to check whether you really signed this text;
+--agent-program <path_to_agent_program>
- gpg --verify file
+ Specify an agent program to be used for secret key operations. The
+ default value is "../agent/gpg-agent". This is only used as a
+ fallback when the envrionment varaibale GPG_AGENT_INFO is not set or
+ a running agent can't be connected.
+
+--dirmngr-program <path_to_dirmgr_program>
- GnuPG now checks whether the signature is valid and prints an
- appropriate message. If the signature is good, you know at least
- that the person (or machine) has access to the secret key which
- corresponds to the published public key.
- If you run gpg without an option it will verify the signature and
- create a new file which is identical to the original file. gpg
- can also run as a filter, so that you can pipe data to verify
- trough it:
+ Specify a dirmngr program to be used for CRL checks. The default
+ value is "/usr/sbin/dirmngr". This is only used as a fallback when
+ the environment varaibale DIRMNGR_INFO is not set or a running
+ dirmngr can't be connected.
- cat signed-file | gpg | wc -l
+--no-secmem-warning
- will check the signature of signed-file and then display the
- number of lines in the original file.
+ Don't print the warning "no secure memory"
- To send a message encrypted to someone you can use this:
+--armor
- gpg -e -r heine file
+ Create PEM ecoded output. Default is binary output.
- This encrypts file with the public key of the user "heine" and
- writes it to "file.gpg"
+--base64
- echo "hallo" | gpg -ea -r heine | mail heine
+ Create Base-64 encoded output; i.e. PEM without the header lines.
- Ditto, but encrypts "hallo\n" and mails it as ascii armored message
- to the user with the mail address heine.
-
- gpg -se -r heine file
-
- This encrypts file with the public key of "heine" and writes it
- to "file.gpg" after signing it with your user id.
-
- gpg -se -r heine -u Suttner file
-
- Ditto, but sign the file with your alternative user id "Suttner"
-
-
- GnuPG has some options to help you publish public keys; this is
- called "exporting" a key:
-
- gpg --export >all-my-keys
-
- exports all the keys in the keyring and writes them (in a binary format)
- to all-my-keys. You may then mail "all-my-keys" as an MIME attachment
- to someone else or put it on an FTP server. To export only some
- user IDs, you give them as arguments on the command line.
-
- To mail a public key or put it on a web page you have to create
- the key in ASCII armored format:
-
- gpg --export --armor | mail panther@tiger.int
-
- This will send all your public keys to your friend panther.
-
- If you have received a key from someone else you can put it
- into your public keyring; is called "importing":
-
- gpg --import [filenames]
-
- New keys are appended to your keyring and already existing
- keys are updated. Note that GnuPG does not allow keys which
- are not self-signed by the user.
-
- Because anyone can claim that the public key belongs to her
- we must have some way to check that the public key really belongs
- to the owner. This can be achieved by comparing the key during
- a phone call. Sure, it is not very easy to compare a binary file
- by reading the complete hex dump of the file - GnuPG (and nearly
- every other program used for management of cryptographic keys)
- provides other solutions:
-
- gpg --fingerprint <username>
-
- prints the so called "fingerprint" of the given username; this
- is a sequence of hex bytes (which you may have noticed in mail
- sigs or on business cards) which uniquely identify the public
- key - two different keys will always have different fingerprints.
- It is easy to compare this fingerprint by phone and I suggest
- that you print your fingerprint on the back of your business
- card.
-
- If you don't know the owner of the public key you are in trouble;
- but wait: A friend of you knows someone who knows someone who
- has met the owner of the public key at some computer conference.
- So all the persons between you and the public key holder may now
- act as introducer to you; this is done by signing the keys and
- thereby certifying the other keys. If you then trust all the
- introducers to correctly sign other keys, you can be be sure that
- the other key really belongs to the one who claims so.
-
- There are 2 steps to validate a target key:
- 1. First check that there is a complete chain
- of signed keys from the public key you want to use
- and your key and verify each signature.
- 2. Make sure that you have full trust in the certificates
- of all the introduces between the public key holder and
- you.
- Step 2 is the more complicated part because there is no easy way
- for a computer to decide who is trustworthy and who is not. GnuPG
- leaves this decision to you and will ask you for a trust value
- (here also referenced as the owner-trust of a key) for every key
- needed to check the chain of certificates. You may choose from:
- a) "I don't know" - then it is not possible to use any
- of the chains of certificates, in which this key is used
- as an introducer, to validate the target key. Use this if
- you don't know the introducer.
- b) "I do not trust" - Use this if you know that the introducer
- does not do a good job in certifying other keys. The effect
- is the same as with a) but for a) you may later want to
- change the value because you got new information about this
- introducer.
- c) "I trust marginally" - Use this if you assume that the
- introducer knows what he is doing. Together with some
- other marginally trusted keys, GnuPG validates the target
- key then as good.
- d) "I fully trust" - Use this if you really know that this
- introducer does a good job when certifying other keys.
- If all the introducer are of this trust value, GnuPG
- normally needs only one chain of signatures to validate
- a target key okay. (But this may be adjusted with the help
- of some options).
- These information are confidential because they give your
- personal opinion on the trustworthy of someone else. Therefore
- this data is not stored in the keyring but in the "trustdb"
- (~/.gnupg/trustdb.gpg). Do not assign a high trust value just
- because the introducer is a friend of you - decide how far she
- understands all the implications of key signatures and you may
- want to tell him more about public key cryptography so you
- can later change the trust value you assigned.
-
- Okay, here is how GnuPG helps you in key management: Most stuff is
- done with the --edit-key command:
-
- gpg --edit-key <keyid or username>
-
- GnuPG displays some information about the key and then prompts
- for a command (enter "help" to see a list of commands and see
- the man page for a more detailed explanation). To sign a key
- you select the user ID you want to sign by entering the number
- which is displayed in the leftmost column (or do nothing if the
- key has only one user ID) and then enter the command "sign" and
- follow all the prompts. When you are ready, give the command
- "save" (or use "quit" to cancel your actions).
-
- If you want to sign the key with another user ID of yours, you
- must give an "-u" option on the command line together with the
- "--edit-key".
-
- Normally you want to sign only one user ID because GnuPG
- does only use one and this keeps the public key certificate
- small. Because such key signatures are very important you
- should make sure that the signators of your key sign a user ID
- which is very likely to stay for a long time - choose one with an
- email address you have full control of or do not enter an email
- address at all. In future GnuPG will have a way to tell which
- user ID is the one with an email address you prefer - because
- you have no signatures on this email address it is easy to change
- this address. Remember: Your signators sign your public key (the
- primary one) together with one of your user IDs - so it is not possible
- to change the user ID later without voiding all the signatures.
-
- Tip: If you hear about a key signing party on a computer conference
- join it because this is a very convenient way to get your key
- certified (But remember that signatures have nothing to to with the
- trust you assign to a key).
-
-
- 7 Ways to Specify a User ID
- --------------------------
- There are several ways to specify a user ID, here are some examples:
-
- * Only by the short keyid (prepend a zero if it begins with A..F):
-
- "234567C4"
- "0F34E556E"
- "01347A56A"
- "0xAB123456
-
- * By a complete keyid:
-
- "234AABBCC34567C4"
- "0F323456784E56EAB"
- "01AB3FED1347A5612"
- "0x234AABBCC34567C4"
+--assume-armor
- * By a fingerprint:
+ Assume the input data is PEM encoded. Default is to autodetect the
+ encoding but this is may fail.
- "1234343434343434C434343434343434"
- "123434343434343C3434343434343734349A3434"
- "0E12343434343434343434EAB3484343434343434"
-
- The first one is MD5 the others are ripemd160 or sha1.
+--assume-base64
- * By an exact string:
+ Assume the input data is plain base-64 encoded.
- "=Heinrich Heine <heinrichh@uni-duesseldorf.de>"
+--assume-binary
- * By an email address:
+ Assume the input data is binary encoded.
- "<heinrichh@uni-duesseldorf.de>"
+--server
- * By the Local ID (from the trust DB):
+ Run in server mode. This is used by GPGME to control gpgsm. See
+ the assuan specification regarding gpgsm about the used protocol.
+ Some options are ignored in server mode.
- "#34"
+--local-user <user_id>
- This may be used by a MUA to specify an exact key after selecting
- a key from GnuPG (by the use of a special option or an extra utility)
+ Set the user to be used for signing. The default is the first
+ secret key found in the database.
- * Or by the usual substring:
+--with-key-data
- "Heine"
- "*Heine"
+ Displays extra information with the --list-keys commands. Especially
+ a line tagged "grp" is printed which tells you the keygrip of a
+ key. This is string is for example used as the filename of the
+ secret key.
- The '*' indicates substring search explicitly.
- Batch mode
- ----------
- If you use the option "--batch", GnuPG runs in non-interactive mode and
- never prompts for input data. This does not even allow entering the
- passphrase; until we have a better solution (something like ssh-agent),
- you can use the option "--passphrase-fd n", which works like PGPs
- PGPPASSFD.
+gpg-agent:
+---------
- Batch mode also causes GnuPG to terminate as soon as a BAD signature is
- detected.
+--pinentry-program <path_to_pinentry_program>
+ Specify the PINentry program. The default value is
+ "<prefix>/bin/pinentry" so you most likely want to specify it.
- Exit status
- -----------
- GnuPG returns with an exit status of 1 if in batch mode and a bad signature
- has been detected or 2 or higher for all other errors. You should parse
- stderr or better the output of the fd specified with --status-fd to get
- detailed information about the errors.
+--no-grab
+ Tell the pinentry not to grab keybourd and mouse. You most likely
+ want to give this option during testing and development to avoid
+ lockups in case of bugs.
- Esoteric commands
- -----------------
+
+scdaemon:
+--------
- gpg --list-packets datafile
+--ctapi-driver <libraryname>
- Use this to list the contents of a data file. If the file is encrypted
- you are asked for the passphrase, so that GnuPG is able to look at the
- inner structure of a encrypted packet. This command should be able
- to list all kinds of rfc2440 messages.
+ The default for Scdaemon is to use the PC/SC API currently provided
+ by libpcsclite.so. As an alternative the ctAPI can be used by
+ specify this option with the appropriate driver name
+ (e.g. libtowitoko.so).
- gpgm --list-trustdb
+--reader-port <portname>
- List the contents of the trust DB in a human readable format
+ This specifies the port of the chipcard reader. For PC/SC this is
+ currently ignored and the first PC/SC reader is used. For the
+ ctAPI, a number must be specified (the default is 32768 for the
+ first USB port).
- gpgm --list-trustdb <usernames>
+--disable-ccid
- List the tree of certificates for the given usernames
+ Disable the integrated support for CCID compliant readers. This
+ allows to fall back to one of the other drivers even if the internal
+ CCID driver can handle the reader. Note, that CCID support is only
+ available if libusb was available at build time.
- gpgm --list-trust-path username
- List the possible trust paths for the given username. The length
- of such a trust path is limited by the option --max-cert-depth
- which defaults to 5.
+FILES
+=====
- For more options/commands see the man page or use "gpg --help".
+The default home directory is ~/.gnupg. It can be changed by
+either the --homedir option or by seting the environment variable
+GNUPGHOME. This is a list of files usually found in this directory:
+gpgsm.conf
- Other Notes
- -----------
+ Options for gpgsm. Options are the same as the command line
+ options but don't enter the leading dashes and give arguments
+ without an equal sign. Blank lines and lines starting with a
+ hash mark as the first non whitye space character are ignored.
- The primary FTP site is "ftp://ftp.gnupg.org/pub/gcrypt/"
- The primary WWW page is "http://www.gnupg.org"
+gpg-agent.conf
+
+ Options for gpg-agent
+
+scdaemon.conf
+
+ Options for scdaemon.
+
+dirmngr.conf
+
+ Options for the DirMngr which is not part of this package and
+ the option file wilol most likely be moved to /etc
+
+gpg.conf
+
+ Options for gpg. Note that old versions of gpg use the
+ filename `options' instead of `gpg.conf'.
+
+gpg.conf-1.9.x
+
+ Options for gpg; tried before gpg.conf
+
+
+policies.txt
+
+ A list of allowed CA policies. This file should give the
+ object identifiers of the policies line by line. Empty lines
+ and lines startung with a hash mark are ignored.
+
+ ++++++++++
+ 2.289.9.9
+ ++++++++++
+
+trustlist.txt
+
+ A list of trusted certificates usually maintained by
+ gpg-agent. It can however be edited manually. The file will
+ be created automagically with some explaining comments.
+
+random_seed
+
+ Used internally for keeping the state of the RNG over
+ invocations.
+
+pubring.kbx
+
+ The database file with the certificates.
+
+pubring.gpg
+
+ The database file with the OpenPGP public keys. This will
+ eventually be merged with pubring.kbx
+
+secring.gpg
+
+ The database file with the OpenPGP secret keys. This will be
+ removed when gpg is changed to make use of the gpg-agent.
+
+
+private-keys-v1.d/
+
+ Directory holding the private keys maintained by gpg-agent.
+ For detailed info see agent/keyformat.txt. Note that there is
+ a helper tool gpg-protect-tool which may be used to protect or
+ unprotect keys. This is however nothing a user should care
+ about.
+
+
+SOURCE FILES
+============
+
+Here is a list of directories with source files:
+
+jnlib/ utility functions
+kbx/ keybox library
+g10/ the gpg program here called gpg2
+sm/ the gpgsm program
+agent/ the gpg-agent
+scd/ the smartcard daemon
+doc/ documentation
+
+
+
+HOW TO SPECIFY A USER ID
+========================
+
+Due to the way X.509 certificates are made up we need a few new ways
+to specify a certificate (aka key in OpenPGP). In addition to the
+ways a user ID can be specified with gpg, I have implemented 3 new
+modes for gpgsm, here is the entire list of ways to specify a key:
+
+ * By keyID.
+
+ This format is deducded from the length of the string and its
+ content or "0x" prefix. For use with OpenPGP a exclamation mark may
+ be appended to force use of the specified (sub)key.
+
+ As with v34 OpenPGP keys, the keyID of an X509 certificate are the
+ low 64 bits of the SHA-1 fingerprint. The use of keyIDs is just a
+ shortcut, for all automated processing the fingerprint should be
+ used.
+
+ Examples:
+
+ 234567C4
+ 0F34E556E
+ 01347A56A
+ 0xAB123456
+
+ 234AABBCC34567C4
+ 0F323456784E56EAB
+ 01AB3FED1347A5612
+ 0x234AABBCC34567C4
+
+ * By fingerprint
+
+ This is format is deduced from the length of the string and its
+ content or "0x" prefix. Note, that only the 20 byte fingerprint is
+ used with GPGSM (SHA-1 hash of the certificate). For use with
+ OpenPGP a exclamation mark may be appended to force use of the
+ specified (sub)key.
+
+ Examples:
+
+ 1234343434343434C434343434343434
+ 123434343434343C3434343434343734349A3434
+ 0E12343434343434343434EAB3484343434343434
+ 0xE12343434343434343434EAB3484343434343434
+
+ * Exact match on OpenPGP user ID
+
+ This is denoted by a leading equal sign. It does not make much
+ sense for X.509.
+
+ Example:
+
+ =Heinrich Heine <heinrichh@uni-duesseldorf.de>
+
+ * Exact match on an email address.
+
+ This is indicated by enclosing the email address in the usual way
+ with left and right angles
+
+ Example:
+
+ <heinrichh@uni-duesseldorf.de>
+
+ * Word match
+
+ All words must match exactly (not case sensitive) but can appear in
+ any order in the user ID or a subjects name. Words are any
+ sequences of letters, digits, the underscore and all characters
+ with bit 7 set.
+
+ Example:
+
+ +Heinrich Heine duesseldorf
+
+ * [NEW] Exact match by subject's DN
+
+ This is indicated by a leading slash, directly followed by the
+ rfc2253 encoded DN of the subject. Note that you can't use the
+ string printed by "gpgsm --list-keys" because that one as been
+ reordered and modified for better readability; use --with-colons to
+ print the raw (but standard escaped) rfc2253 string
+
+ Example:
+
+ /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
+
+ * [NEW] Excact match by issuer's DN
+
+ This is indicated by a leading hash mark, directly followed by a
+ slash and then directly followed by the rfc2253 encoded DN of the
+ issuer. This should return the Root cert of the issuer. See note
+ above.
+
+ Example:
+
+ #/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * [NEW] Exact match by serial number and subject's DN
+
+ This is indicated by a hash mark, followed by the hexadecmal
+ representation of the serial number, the followed by a slahs and
+ the RFC2253 encoded DN of the issuer. See note above.
+
+ Example:
+
+ #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * Substring match
+
+ By case insensitive substring matching. This is the default mode
+ but applications may want to explicitly indicate this by putting
+ the asterisk in front.
+
+ Example:
+
+ Heine
+ *Heine
+
+
+Please note that we have reused the hash mark indentifier which was
+used in old GnuPG versions to indicate the so called local-id. It is
+not anymore used and there should be no conflict when used with X.509
+stuff.
+
+Using the rfc2253 format of DNs has the drawback that it is not
+possible to map them back to the original encoding, however we don't
+have to do this, because our key database stores this encoding as meta
+data.
+
+Some of the search modes are not yet implemented ;-)
+
+
+HOW TO IMPORT A PRIVATE KEY
+===========================
+There is some limited support to import a private key from a PKCS-12
+file.
+
+ gpgsm --import foo.p12
+
+This require that the gpg-agent is running.
+
+
+HOW TO EXPORT A PRIVATE KEY
+===========================
+There is also limited support to export a private key in PKCS-12
+format. However the certificate is not stored and there is no MAC applied.
+
+ gpgsm --call-protect-tool --p12-export foo.key >foo.p12
+
+
+SMARTCARD INTRO
+===============
+
+GPG, the OpenPGP part of GnuPG, supports the OpenPGP smartcard
+(surprise!); see http://g10code.com/p-card.html.
+
+[Fixme: We need to explain this further]
+
+
+GPGSM, the CMS (S/MIME) part of GnuPG, supports two kinds of
+smartcards. The most flexible way is to use PKCS#15 compliant cards,
+however you must have build GnuPG with support for the OpenSC library.
+The build process automagically detects the presence of this library
+and will include support for these cards.
+
+The other card we currently support is the Telesec NetKey card with
+the NKS 2.0 card application.
+
+Before GPGSM can make use of a new card it must gather some
+information, like the card's serial number, the public keys and the
+certificates stored on the card. Thus for a new card you need to run
+the command
+
+ gpgsm --learn-card
+
+once. This is also a good test to see whether your card reader is
+properly installed. See below in case of error. Once this has been
+done you may use the keys stored on the card in the same way you use
+keys stored on the disk. gpgsm automagically knows whether a card is
+required and will pop up the pinentry to ask you to insert the
+correct card.
+
+For selecting the driver, see the options of scdaemon. A useful
+debugging flag is "--debug 2048" showing the communication between
+scdaemon and the reader.
+
+[fixme: write more stuff]
- See http://www.gnupg.org/mirrors.html for a list of FTP mirrors
- and use them if possible.
- Please direct bug reports to <gnupg-bugs@gnu.org> or better
- post them to the mailing list <g10@net.lut.ac.uk> (this is a
- closed list - subscribe before posting, see above (~line 33)).
- Please direct questions about GnuPG to the mailing list or
- one of the pgp newsgroups; this gives me more time to improve
- GnuPG. Commercial support for GnuPG will be available soon.
- Have fun and remember: Echelon is looking at you kid.
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v0.4.5 (GNU/Linux)
-Comment: For info finger gcrypt@ftp.guug.de
-iQB1AwUBNoD99h0Z9MEMmFelAQEuQwMAgfNPPUByoNlp0qGimiHADZE+8E15rmwq
-RhVhH63pEgMsPvazd01cMM9EwJyD80jjOrdZo1fyE2270NU4AjSlNsEkQ0pNZYg+
-N4GL70jrOtIvclVhcsQye8J53a/fzJe7
-=5+Dt
------END PGP SIGNATURE-----
projects / gnupg.git / blobdiff