- Creates a signature of "file", but writes the output to the file
- "out".
-
- Everyone who knows your public key (you can and should publish
- your key by putting it on a key server, a web page or in your .plan
- file) is now able to check whether you really signed this text
-
- gpg --verify file
-
- GnuPG now checks whether the signature is valid and prints an
- appropriate message. If the signature is good, you know at least
- that the person (or machine) has access to the secret key which
- corresponds to the published public key.
-
- If you run gpg without an option it will verify the signature and
- create a new file that is identical to the original. gpg can also
- run as a filter, so that you can pipe data to verify trough it
-
- cat signed-file | gpg | wc -l
-
- which will check the signature of signed-file and then display the
- number of lines in the original file.
-
- To send a message encrypted to someone you can use
-
- gpg -e -r heine file
-
- This encrypts "file" with the public key of the user "heine" and
- writes it to "file.gpg"
-
- echo "hello" | gpg -ea -r heine | mail heine
-
- Ditto, but encrypts "hello\n" and mails it as ASCII armored message
- to the user with the mail address heine.
-
- gpg -se -r heine file
-
- This encrypts "file" with the public key of "heine" and writes it
- to "file.gpg" after signing it with your user id.
-
- gpg -se -r heine -u Suttner file
-
- Ditto, but sign the file with your alternative user id "Suttner"
-
-
- GnuPG has some options to help you publish public keys. This is
- called "exporting" a key, thus
-
- gpg --export >all-my-keys
-
- exports all the keys in the keyring and writes them (in a binary
- format) to "all-my-keys". You may then mail "all-my-keys" as an
- MIME attachment to someone else or put it on an FTP server. To
- export only some user IDs, you give them as arguments on the command
- line.
-
- To mail a public key or put it on a web page you have to create
- the key in ASCII armored format
-
- gpg --export --armor | mail panther@tiger.int
-
- This will send all your public keys to your friend panther.
-
- If you have received a key from someone else you can put it
- into your public keyring. This is called "importing"
-
- gpg --import [filenames]
-
- New keys are appended to your keyring and already existing
- keys are updated. Note that GnuPG does not import keys that
- are not self-signed.
-
- Because anyone can claim that a public key belongs to her
- we must have some way to check that a public key really belongs
- to the owner. This can be achieved by comparing the key during
- a phone call. Sure, it is not very easy to compare a binary file
- by reading the complete hex dump of the file - GnuPG (and nearly
- every other program used for management of cryptographic keys)
- provides other solutions.
-
- gpg --fingerprint <username>
-
- prints the so called "fingerprint" of the given username which
- is a sequence of hex bytes (which you may have noticed in mail
- sigs or on business cards) that uniquely identifies the public
- key - different keys will always have different fingerprints.
- It is easy to compare fingerprints by phone and I suggest
- that you print your fingerprint on the back of your business
- card. To see the fingerprints of the secondary keys, you can
- give the command twice; but this is normally not needed.
-
- If you don't know the owner of the public key you are in trouble.
- Suppose however that friend of yours knows someone who knows someone
- who has met the owner of the public key at some computer conference.
- Suppose that all the people between you and the public key holder
- may now act as introducers to you. Introducers signing keys thereby
- certify that they know the owner of the keys they sign. If you then
- trust all the introducers to have correctly signed other keys, you
- can be be sure that the other key really belongs to the one who
- claims to own it..
-
- There are 2 steps to validate a key:
- 1. First check that there is a complete chain
- of signed keys from the public key you want to use
- and your key and verify each signature.
- 2. Make sure that you have full trust in the certificates
- of all the introduces between the public key holder and
- you.
- Step 2 is the more complicated part because there is no easy way
- for a computer to decide who is trustworthy and who is not. GnuPG
- leaves this decision to you and will ask you for a trust value
- (here also referenced as the owner-trust of a key) for every key
- needed to check the chain of certificates. You may choose from:
- a) "I don't know" - then it is not possible to use any
- of the chains of certificates, in which this key is used
- as an introducer, to validate the target key. Use this if
- you don't know the introducer.
- b) "I do not trust" - Use this if you know that the introducer
- does not do a good job in certifying other keys. The effect
- is the same as with a) but for a) you may later want to
- change the value because you got new information about this
- introducer.
- c) "I trust marginally" - Use this if you assume that the
- introducer knows what he is doing. Together with some
- other marginally trusted keys, GnuPG validates the target
- key then as good.
- d) "I fully trust" - Use this if you really know that this
- introducer does a good job when certifying other keys.
- If all the introducer are of this trust value, GnuPG
- normally needs only one chain of signatures to validate
- a target key okay. (But this may be adjusted with the help
- of some options).
- This information is confidential because it gives your personal
- opinion on the trustworthiness of someone else. Therefore this data
- is not stored in the keyring but in the "trustdb"
- (~/.gnupg/trustdb.gpg). Do not assign a high trust value just
- because the introducer is a friend of yours - decide how well she
- understands the implications of key signatures and you may want to
- tell her more about public key cryptography so you can later change
- the trust value you assigned.
-
- Okay, here is how GnuPG helps you with key management. Most stuff
- is done with the --edit-key command
-
- gpg --edit-key <keyid or username>
-
- GnuPG displays some information about the key and then prompts
- for a command (enter "help" to see a list of commands and see
- the man page for a more detailed explanation). To sign a key
- you select the user ID you want to sign by entering the number
- that is displayed in the leftmost column (or do nothing if the
- key has only one user ID) and then enter the command "sign" and
- follow all the prompts. When you are ready, give the command
- "save" (or use "quit" to cancel your actions).
-
- If you want to sign the key with another of your user IDs, you
- must give an "-u" option on the command line together with the
- "--edit-key".
-
- Normally you want to sign only one user ID because GnuPG
- uses only one and this keeps the public key certificate
- small. Because such key signatures are very important you
- should make sure that the signatories of your key sign a user ID
- which is very likely to stay for a long time - choose one with an
- email address you have full control of or do not enter an email
- address at all. In future GnuPG will have a way to tell which
- user ID is the one with an email address you prefer - because
- you have no signatures on this email address it is easy to change
- this address. Remember, your signatories sign your public key (the
- primary one) together with one of your user IDs - so it is not possible
- to change the user ID later without voiding all the signatures.
-
- Tip: If you hear about a key signing party on a computer conference
- join it because this is a very convenient way to get your key
- certified (But remember that signatures have nothing to to with the
- trust you assign to a key).
-
-
- 8 Ways to Specify a User ID
- --------------------------
- There are several ways to specify a user ID, here are some examples.
-
- * Only by the short keyid (prepend a zero if it begins with A..F):
-
- "234567C4"
- "0F34E556E"
- "01347A56A"
- "0xAB123456
-
- * By a complete keyid:
-
- "234AABBCC34567C4"
- "0F323456784E56EAB"
- "01AB3FED1347A5612"
- "0x234AABBCC34567C4"
-
- * By a fingerprint:
-
- "1234343434343434C434343434343434"
- "123434343434343C3434343434343734349A3434"
- "0E12343434343434343434EAB3484343434343434"
-
- The first one is a short fingerprint for PGP 2.x style keys.
- The others are long fingerprints for OpenPGP keys.
-
- * By an exact string:
-
- "=Heinrich Heine <heinrichh@uni-duesseldorf.de>"
-
- * By an email address:
-
- "<heinrichh@uni-duesseldorf.de>"
-
- * By word match
-
- "+Heinrich Heine duesseldorf"
-
- All words must match exactly (not case sensitive) and appear in
- any order in the user ID. Words are any sequences of letters,
- digits, the underscore and characters with bit 7 set.
-
- * Or by the usual substring:
-
- "Heine"
- "*Heine"
-
- The '*' indicates substring search explicitly.
-
-
- Batch mode
- ----------
- If you use the option "--batch", GnuPG runs in non-interactive mode and
- never prompts for input data. This does not even allow entering the
- passphrase. Until we have a better solution (something like ssh-agent),
- you can use the option "--passphrase-fd n", which works like PGP's
- PGPPASSFD.
-
- Batch mode also causes GnuPG to terminate as soon as a BAD signature is
- detected.
-
-
- Exit status
- -----------
- GnuPG returns with an exit status of 1 if in batch mode and a bad signature
- has been detected or 2 or higher for all other errors. You should parse
- stderr or, better, the output of the fd specified with --status-fd to get
- detailed information about the errors.
-
-
- Configure options
- -----------------
- Here is a list of configure options which are sometime useful
- for installation.
-
- --enable-static-rnd=<name>
- Force the use of the random byte gathering
- module <name>. Default is either to use /dev/random
- or the auto mode. Value for name:
- egd - Use the module which accesses the
- Entropy Gathering Daemon. See the webpages
- for more information about it.
- unix - Use the standard Unix module which does not
- have a very good performance.
- linux - Use the module which accesses /dev/random.
- This is the first choice and the default one
- for GNU/Linux or *BSD.
- auto - Compile linux, egd and unix in and
- automagically select at runtime.
-
- --with-egd-socket=<name>
- This is only used when EGD is used as random
- gatherer. GnuPG uses by default "~/.gnupg/entropy"
- as the socket to connect EGD. Using this option the
- socket name can be changed. You may use any filename
- here with 2 exceptions: a filename starting with
- "~/" uses the socket in the home directory of the user
- and one starting with a "=" uses a socket in the
- GnuPG home directory which is "~/.gnupg" by default.
-
- --without-readline
- Do not include support for the readline library
- even if it is available. The default is to check
- whether the readline library is a available and
- use it to allow fancy command line editing.
-
- --with-included-zlib
- Forces usage of the local zlib sources. Default is
- to use the (shared) library of the system.
-
- --with-zlib=<DIR>
- Look for the system zlib in DIR.
-
- --with-bzip2=<DIR>
- Look for the system libbz2 in DIR.
-
- --without-bzip2
- Disable the BZIP2 compression algorithm.
-
- --with-included-gettext
- Forces usage of the local gettext sources instead of
- the one provided by your system.
-
- --disable-nls
- Disable NLS support (See the file ABOUT-NLS)
-
- --enable-m-guard
- Enable the integrated malloc checking code. Please
- note that this feature does not work on all CPUs
- (e.g. SunOS 5.7 on UltraSparc-2) and might give
- you a bus error.
-
- --disable-dynload
- If you have problems with dynamic loading, this
- option disables all dynamic loading stuff. Note
- that the use of dynamic linking is very limited.
-
- --disable-asm
- Do not use assembler modules. It is not possible
- to use this on some CPU types.
-
- --disable-exec
- Disable all remote program execution. This
- disables photo ID viewing as well as all keyserver
- access.
-
- --disable-photo-viewers
- Disable only photo ID viewing.
-
- --disable-keyserver-helpers
- Disable only keyserver helpers.
-
- --disable-keyserver-path
- Disables the user's ability to use the exec-path
- feature to add additional search directories when
- executing a keyserver helper.
-
- --with-photo-viewer=FIXED_VIEWER
- Force the photo viewer to be FIXED_VIEWER and
- disable any ability for the user to change it in
- their options file.
-
- --disable-rsa
- Removes support for the RSA public key algorithm.
- This can give a smaller gpg binary for places
- where space is tight.
-
- --disable-idea
- --disable-cast5
- --disable-blowfish
- --disable-aes
- --disable-twofish
- --disable-sha256
- --disable-sha512
- Removes support for the selected symmetric or hash
- algorithm. This can give a smaller gpg binary for
- places where space is tight.
-
- **** Note that if there are existing keys that
- have one of these algorithms as a preference,
- messages may be received that use one of these
- algorithms and you will not be able to decrypt the
- message! ****
-
- The public key preference list can be updated to
- match the list of available algorithms by using
- "gpg --edit-key (thekey)", and running the
- "setpref" command.
-
- --enable-minimal
- Build the smallest gpg binary possible (disables
- all optional algorithms, disables keyserver
- access, and disables photo IDs). Specifically,
- this means --disable-rsa --disable-idea,
- --disable-cast5, --disable-blowfish,
- --disable-aes, --disable-twofish,
- --disable-sha256, --disable-sha512,
- --without-bzip2, --disable-exec,
- --disable-card-support and
- --disable-agent-support.
- Configure command lines are read from left to
- right, so if you want to have an "almost minimal"
- configuration, you can do (for example)
- "--enable-minimal --enable-rsa" to have RSA added
- to the minimal build.
-
- --enable-key-cache=SIZE
- Set the internal key and UID cache size. This has
- a significant impact on performance with large
- keyrings. The default is 4096, but for use on
- platforms where memory is an issue, it can be set
- as low as 5.
-
- --disable-card-support
- Do not include smartcard support. The default is
- to include support if all required libraries are
- available.
-
- --disable-agent-support
- Do not include support for the gpg-agent. The
- default is to include support.
-
- --enable-selinux-support
- This prevents access to certain files and won't
- allow import or export of secret keys.
-
- --enable-noexecstack
- Pass option --noexecstack to as. Works only when
- using gcc.
-
- --disable-gnupg-iconv
- If iconv is available it is used to convert
- between utf-8 and the system character set. This
- is in general the preferable solution. However
- the code is new and under some cirumstances it may
- give different output than with the limited old
- support. This option allows to explicity disable
- the use of iconv. Note, that iconv is also
- disabled if gettext has been disabled.
-
- --enable-backsigs
- Enables "backsigs" support. This is a currently
- experimental solution to a subtle OpenPGP protocol
- problem involving signing subkeys. It is
- specified in the 2440bis drafts that will become
- the new OpenPGP standard, but is not finalized yet
- and has not had interoperability testing. Use at
- your own risk.
-
-
- Installation Problems
- ---------------------
- If you get unresolved externals "gettext" you should run configure
- again with the option "--with-included-gettext"; this is version
- 0.12.1 which is available at ftp.gnu.org.
-
- If you have other compile problems, try the configure options
- "--with-included-zlib" or "--disable-nls" (See ABOUT-NLS) or
- --disable-dynload.
-
- We can't check all assembler files, so if you have problems
- assembling them (or the program crashes) use --disable-asm with
- ./configure. If you opt to delete individual replacement files in
- hopes of using the remaining ones, be aware that the configure
- scripts may consider several subdirectories to get all available
- assembler files; be sure to delete the correct ones. The assembler
- replacements are in C and in mpi/generic; never delete
- udiv-qrnnd.S in any CPU directory, because there may be no C
- substitute. Don't forget to delete "config.cache" and run
- "./config.status --recheck". We have also heard reports of
- problems when using versions of gcc earlier than 2.96 along with a
- non-GNU assembler (as). If this applies to your platform, you can
- either upgrade gcc to a more recent version, or use the GNU
- assembler.
-
- Some make tools are broken - the best solution is to use GNU's
- make. Try gmake or grab the sources from a GNU archive and
- install them.
-
- On some OSF systems you may get unresolved externals. This is a
- libtool problem and the workaround is to manually remove all the
- "-lc -lz" but the last one from the linker line and execute them
- manually.
-
- On some architectures you see warnings like:
- longlong.h:175: warning: function declaration isn't a prototype
- or
- http.c:647: warning: cast increases required alignment of target type
- This doesn't matter and we know about it (actually it is due to
- some warning options which we have enabled for gcc)
-
-
- Specific problems on some machines
- ----------------------------------
-
- * Apple Darwin 6.1:
-
- ./configure --with-libiconv-prefix=/sw
-
- * Compaq C V6.2 for alpha:
-
- You may want to use the option "-msg-disable ptrmismatch1"
- to get rid of the sign/unsigned char mismatch warnings.
-
- * IBM RS/6000 running AIX:
-
- Due to a change in gcc (since version 2.8) the MPI stuff may
- not build. In this case try to run configure using:
- CFLAGS="-g -O2 -mcpu=powerpc" ./configure
-
- * SVR4.2 (ESIX V4.2 cc)
-
- Due to problems with the ESIX as, you probably want to do
- CFLAGS="-O -K pentium" ./configure --disable-asm
-
- * SunOS 4.1.4
-
- ./configure ac_cv_sys_symbol_underscore=yes
-
- The Random Device
- -----------------
-
- Random devices are available in Linux, FreeBSD and OpenBSD.
- Operating systems without a random devices must use another
- entropy collector.
-
- This collector works by running a lot of commands that yield more
- or less unpredictable output and feds this as entropy into the
- random generator - It should work reliably but you should check
- whether it produces good output for your version of Unix. There
- are some debug options to help you (see cipher/rndunix.c).
-
-
- Creating an RPM package
- -----------------------
- The file scripts/gnupg.spec is used to build a RPM package (both
- binary and src):
- 1. copy the spec file into /usr/src/redhat/SPECS
- 2. copy the tar file into /usr/src/redhat/SOURCES
- 3. type: rpm -ba SPECS/gnupg.spec
-
- Or use the -t (--tarbuild) option of rpm:
- 1. rpm -ta gnupg-x.x.x.tar.gz
-
- The binary rpm file can now be found in /usr/src/redhat/RPMS, source
- rpm in /usr/src/redhat/SRPMS
-
-
- How to Get More Information
- ---------------------------
-
- The primary WWW page is "http://www.gnupg.org"
- The primary FTP site is "ftp://ftp.gnupg.org/gcrypt/"
-
- See http://www.gnupg.org/download/mirrors.html for a list of
- mirrors and use them if possible. You may also find GnuPG
- mirrored on some of the regular GNU mirrors.
-
- We have some mailing lists dedicated to GnuPG:
-
- gnupg-announce@gnupg.org For important announcements like
- new versions and such stuff.
- This is a moderated list and has
- very low traffic.
-
- gnupg-users@gnupg.org For general user discussion and
- help.
-
- gnupg-devel@gnupg.org GnuPG developers main forum.
-
- You subscribe to one of the list by sending mail with a subject
- of "subscribe" to x-request@gnupg.org, where x is the name of the
- mailing list (gnupg-announce, gnupg-users, etc.). An archive of
- the mailing lists are available at
- http://www.gnupg.org/documentation/mailing-lists.html
-
- Please direct bug reports to http://bugs.gnupg.org or post
- them direct to the mailing list <gnupg-devel@gnupg.org>.
-
- Please direct questions about GnuPG to the users mailing list or
- one of the pgp newsgroups; please do not direct questions to one
- of the authors directly as we are busy working on improvements
- and bug fixes. Both mailing lists are watched by the authors
- and we try to answer questions when time allows us to do so.
-
- Commercial grade support for GnuPG is available; please see
- the GNU service directory or check out http://g10code.com.
projects / gnupg.git / blobdiff