mirror of https://gitee.com/openkylin/gnupg2.git
7b2e8ffb0b
As of 2.2.17, GnuPG will refuse to accept any third-party certifications from OpenPGP certificates pulled from the keyserver network. The SKS keyserver network currently has at least a dozen popular certificates which are flooded with enough unusable third-party certifications that they cannot be retrieved in any reasonable amount of time. The hkps://keys.openpgp.org keyserver installation offers HKPS, performs cryptographic validation, and by policy does not distribute third-party certifications anyway. It is not distributed or federated yet, unfortunately, but it is functional, which is more than can be said for the dying SKS pool. And given that GnuPG is going to reject all the third-party certifications anyway, there is no clear "web of trust" rationale for relying on the SKS pool. One sticking point is that keys.openpgp.org does not distribute user IDs unless the user has proven control of the associated e-mail address. This means that on standard upstream GnuPG, retrieving revocations or subkey updates of those certificates will fail, because upstream GnuPG ignores any incoming certificate without a user ID, even if it knows a user ID in the local copy of the certificate (see https://dev.gnupg.org/T4393). However, we have three patches in debian/patches/import-merge-without-userid/ that together fix that bug. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Gbp-Pq: Name Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch |
||
---|---|---|
agent | ||
am | ||
build-aux | ||
common | ||
debian | ||
dirmngr | ||
doc | ||
g10 | ||
g13 | ||
kbx | ||
m4 | ||
po | ||
scd | ||
sm | ||
tests | ||
tools | ||
ABOUT-NLS | ||
AUTHORS | ||
COPYING | ||
COPYING.CC0 | ||
COPYING.GPL2 | ||
COPYING.LGPL3 | ||
COPYING.LGPL21 | ||
COPYING.other | ||
ChangeLog | ||
ChangeLog-2011 | ||
INSTALL | ||
Makefile.am | ||
Makefile.in | ||
NEWS | ||
README | ||
README.GIT | ||
THANKS | ||
TODO | ||
VERSION | ||
acinclude.m4 | ||
aclocal.m4 | ||
autogen.rc | ||
autogen.sh | ||
config.h.in | ||
configure | ||
configure.ac |
README
The GNU Privacy Guard 2 ========================= Version 2.2 Copyright 1997-2019 Werner Koch Copyright 1998-2019 Free Software Foundation, Inc. * INTRODUCTION GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG enables encryption and signing of data and communication, and features a versatile key management system as well as access modules for public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available that make use of GnuPG. Starting with version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Note that the 2.0 series of GnuPG reached end-of-life on 2017-12-31. It is not possible to install a 2.2.x version along with any 2.0.x version. * BUILD INSTRUCTIONS GnuPG 2.2 depends on the following GnuPG related packages: npth (https://gnupg.org/ftp/gcrypt/npth/) libgpg-error (https://gnupg.org/ftp/gcrypt/libgpg-error/) libgcrypt (https://gnupg.org/ftp/gcrypt/libgcrypt/) libksba (https://gnupg.org/ftp/gcrypt/libksba/) libassuan (https://gnupg.org/ftp/gcrypt/libassuan/) You should get the latest versions of course, the GnuPG configure script complains if a version is not sufficient. For some advanced features several other libraries are required. The configure script prints diagnostic messages if one of these libraries is not available and a feature will not be available.. You also need the Pinentry package for most functions of GnuPG; however it is not a build requirement. Pinentry is available at https://gnupg.org/ftp/gcrypt/pinentry/ . After building and installing the above packages in the order as given above, you may continue with GnuPG installation (you may also just try to build GnuPG to see whether your already installed versions are sufficient). As with all packages, you just have to do ./configure make make check make install The "make check" is optional but highly recommended. To run even more tests you may add "--enable-all-tests" to the configure run. Before running the "make install" you might need to become root. If everything succeeds, you have a working GnuPG with support for OpenPGP, S/MIME, ssh-agent, and smartcards. Note that there is no binary gpg but a gpg2 so that this package won't conflict with a GnuPG 1.4 installation. gpg2 behaves just like gpg. In case of problem please ask on the gnupg-users@gnupg.org mailing list for advise. Instruction on how to build for Windows can be found in the file doc/HACKING in the section "How to build an installer for Windows". This requires some experience as developer. Note that the PKITS tests are always skipped unless you copy the PKITS test data file into the tests/pkits directory. There is no need to run these test and some of them may even fail because the test scripts are not yet complete. You may run gpgconf --list-dirs to view the default directories used by GnuPG. To quickly build all required software without installing it, the Speedo method may be used: make -f build-aux/speedo.mk native This method downloads all required libraries and does a native build of GnuPG to PLAY/inst/. GNU make is required and you need to set LD_LIBRARY_PATH to $(pwd)/PLAY/inst/lib to test the binaries. ** Specific build problems on some machines: *** Apple OSX 10.x using XCode On some versions the correct location of a header file can't be detected by configure. To fix that you should run configure like this ./configure gl_cv_absolute_stdint_h=/usr/include/stdint.h Add other options as needed. *** Systems without a full C99 compiler If you run into problems with your compiler complaining about dns.c you may use ./configure --disable-libdns Add other options as needed. * MIGRATION from 1.4 or 2.0 to 2.2 The major change in 2.2 is gpg-agent taking care of the OpenPGP secret keys (those managed by GPG). The former file "secring.gpg" will not be used anymore. Newly generated keys are stored in the agent's key store directory "~/.gnupg/private-keys-v1.d/". The first time gpg needs a secret key it checks whether a "secring.gpg" exists and copies them to the new store. The old secring.gpg is kept for use by older versions of gpg. Note that gpg-agent now uses a fixed socket. All tools will start the gpg-agent as needed. The formerly used environment variable GPG_AGENT_INFO is ignored by 2.2. The SSH_AUTH_SOCK environment variable should be set to a fixed value. The Dirmngr is now part of GnuPG proper and also used to access OpenPGP keyservers. The directory layout of Dirmngr changed to make use of the GnuPG directories. Dirmngr is started by gpg or gpgsm as needed. There is no more need to install a separate Dirmngr package. All changes introduced with GnuPG 2.2 have been developed in the 2.1 series of releases. See the respective entries in the file NEWS. * RECOMMENDATIONS ** Socket directory GnuPG uses Unix domain sockets to connect its components (on Windows an emulation of these sockets is used). Depending on the type of the file system, it is sometimes not possible to use the GnuPG home directory (i.e. ~/.gnupg) as the location for the sockets. To solve this problem GnuPG prefers the use of a per-user directory below the the /run (or /var/run) hierarchy for the the sockets. It is thus suggested to create per-user directories on system or session startup. For example the following snippet can be used in /etc/rc.local to create these directories: [ ! -d /run/user ] && mkdir /run/user awk -F: </etc/passwd '$3 >= 1000 && $3 < 65000 {print $3}' \ | ( while read uid rest; do if [ ! -d "/run/user/$uid" ]; then mkdir /run/user/$uid chown $uid /run/user/$uid chmod 700 /run/user/$uid fi done ) * DOCUMENTATION The complete documentation is in the texinfo manual named `gnupg.info'. Run "info gnupg" to read it. If you want a a printable copy of the manual, change to the "doc" directory and enter "make pdf" For a HTML version enter "make html" and point your browser to gnupg.html/index.html. Standard man pages for all components are provided as well. An online version of the manual is available at [[https://gnupg.org/documentation/manuals/gnupg/]] . A version of the manual pertaining to the current development snapshot is at [[https://gnupg.org/documentation/manuals/gnupg-devel/]] . * Installing GnuPG 2.2. and GnuPG 1.4 GnuPG 2.2 is a current version of GnuPG with state of the art security design and many more features. To install both versions alongside, it is suggested to rename the 1.4 version of "gpg" to "gpg1" as well as the corresponding man page. Newer releases of the 1.4 branch will likely do this by default. In case this is not possible, the 2.2 version can be installed under the name "gpg2" using the configure option --enable-gpg-is-gpg2. * HOW TO GET MORE INFORMATION A description of new features and changes since version 2.1 can be found in the file "doc/whats-new-in-2.1.txt" and online at "https://gnupg.org/faq/whats-new-in-2.1.html" . The primary WWW page is "https://gnupg.org" or using Tor "http://ic6au7wa3f6naxjq.onion" The primary FTP site is "https://gnupg.org/ftp/gcrypt/" See [[https://gnupg.org/download/mirrors.html]] for a list of mirrors and use them if possible. You may also find GnuPG mirrored on some of the regular GNU mirrors. We have some mailing lists dedicated to GnuPG: gnupg-announce@gnupg.org For important announcements like new versions and such stuff. This is a moderated list and has very low traffic. Do not post to this list. gnupg-users@gnupg.org For general user discussion and help (English). gnupg-de@gnupg.org German speaking counterpart of gnupg-users. gnupg-ru@gnupg.org Russian speaking counterpart of gnupg-users. gnupg-devel@gnupg.org GnuPG developers main forum. You subscribe to one of the list by sending mail with a subject of "subscribe" to x-request@gnupg.org, where x is the name of the mailing list (gnupg-announce, gnupg-users, etc.). See https://gnupg.org/documentation/mailing-lists.html for archives of the mailing lists. Please direct bug reports to [[https://bugs.gnupg.org]] or post them direct to the mailing list <gnupg-devel@gnupg.org>. Please direct questions about GnuPG to the users mailing list or one of the PGP newsgroups; please do not direct questions to one of the authors directly as we are busy working on improvements and bug fixes. The English and German mailing lists are watched by the authors and we try to answer questions when time allows us. Commercial grade support for GnuPG is available; for a listing of offers see https://gnupg.org/service.html . Maintaining and improving GnuPG requires a lot of time. Since 2001, g10 Code GmbH, a German company owned and headed by GnuPG's principal author Werner Koch, is bearing the majority of these costs. To keep GnuPG in a healthy state, they need your support. Please consider to donate at https://gnupg.org/donate/ . # This file is Free Software; as a special exception the authors gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. For conditions # of the whole package, please see the file COPYING. This file is # distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY, to the extent permitted by law; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Local Variables: # mode:org # End: