[svn] GnuPG - r4002 - in branches/GNUPG-1-9-BRANCH: doc sm

svn author wk cvs at cvs.gnupg.org
Tue Feb 14 14:34:24 CET 2006


Author: wk
Date: 2006-02-14 14:34:23 +0100 (Tue, 14 Feb 2006)
New Revision: 4002

Modified:
   branches/GNUPG-1-9-BRANCH/doc/ChangeLog
   branches/GNUPG-1-9-BRANCH/doc/gpgsm.texi
   branches/GNUPG-1-9-BRANCH/sm/qualified.c
Log:
Added documentation for qualified signatures


Modified: branches/GNUPG-1-9-BRANCH/doc/ChangeLog
===================================================================
--- branches/GNUPG-1-9-BRANCH/doc/ChangeLog	2006-02-14 10:17:57 UTC (rev 4001)
+++ branches/GNUPG-1-9-BRANCH/doc/ChangeLog	2006-02-14 13:34:23 UTC (rev 4002)
@@ -1,3 +1,7 @@
+2006-02-14  Werner Koch  <wk at gnupg.org>
+
+	* gpgsm.texi (GPGSM Configuration): New section.
+
 2005-11-14  Werner Koch  <wk at g10code.com>
 
 	* qualified.txt: Added real information.

Modified: branches/GNUPG-1-9-BRANCH/doc/gpgsm.texi
===================================================================
--- branches/GNUPG-1-9-BRANCH/doc/gpgsm.texi	2006-02-14 10:17:57 UTC (rev 4001)
+++ branches/GNUPG-1-9-BRANCH/doc/gpgsm.texi	2006-02-14 13:34:23 UTC (rev 4002)
@@ -23,6 +23,7 @@
 @menu
 * GPGSM Commands::        List of all commands.
 * GPGSM Options::         List of all options.
+* GPGSM Configuration::   Configuration files.
 * GPGSM Examples::        Some usage examples.
 
 Developer information:
@@ -526,7 +527,106 @@
 stripping off the two leading dashes.
 
 
+ at c man begin FILES
 
+ at node GPGSM Configuration
+ at section Configuration files
+
+There are a few configuration files to control certain aspects of
+ at command{gpgsm}'s operation. Unless noted, they are expected in the
+current home directory (@pxref{option --homedir}).
+
+ at table @file
+
+ at item gpgsm.conf
+ at cindex gpgsm.conf
+This is the standard configuration file read by @command{gpgsm} on
+startup.  It may contain any valid long option; the leading two dashes
+may not be entered and the option may not be abbreviated.  This default
+name may be changed on the command line (@pxref{option
+  --options}).
+
+ at item policies.txt
+ at cindex policies.txt
+This is a list of allowed CA policies.  This file should list the
+object identifiers of the policies line by line.  Empty lines and
+lines starting with a hash mark are ignored.  Policies missing in this
+file and not marked as critical in the certificate will print only a
+warning; certificates with policies marked as critical and not listed
+in this file will fail the signature verification.
+
+For example, to allow only the policy 2.289.9.9, the file should look
+like this:
+
+ at example
+# Allowed policies
+2.289.9.9  
+ at end example
+
+ at item qualified.txt
+ at cindex qualified.txt
+This is the list of root certificates used for qualified certificates.
+They are defined as certificates capable of creating legally binding
+signatures in the same way as handwritten signatures are.  Comments
+start with a hash mark and empty lines are ignored.  Lines do have a
+length limit but this is not a serious limitation as the format of the
+entries is fixed and checked by gpgsm: A non-comment line starts with
+optional white spaces, followed by exactly 40 hex character, white space
+and a lowercased 2 letter country code.  Additional data delimited with
+by a white space is current ignored but might late be used for other
+purposes.
+
+Note that even if a certificate is listed in this file, this does not
+mean that thecertificate is trusted; in general the certificates listed
+in this file need to be listed also in @file{trustlist.txt}.
+
+This is a global file an installed in the data directory
+(e.g. @file{/usr/share/gnupg/qualified.txt}).  GnuPG installs a suitable
+file with root certificates as used in Germany.  As new Root-CA
+certificates may be issued over time, these entries may need to be
+updated; new distributions of this software should come with an updated
+list but it is still the responsibility of the Administrator to check
+that this list is correct.
+
+Everytime @command{gpgsm} uses a certificate for signing or verification
+this file will be consulted to check whether the certificate under
+question has ultimately been issued by one of these CAs.  If this is the
+case the user will be informed that the verified signature represents a
+legally binding (``qualified'') signature.  When creating a signature
+using such a certificate an extra prompt will be issued to let the user
+confirm that such a legally binding signature shall really be created.
+
+Because this software has not yet been approved for use with such
+certificates, appropriate notices will be shown to indicate this fact.
+
+ at end table
+
+Note that on larger installations, it is useful to put predefined files
+into the directory @file{/etc/skel/.gnupg/} so that newly created users
+start up with a working configuration.  For existing users the a small
+helper script is provided to create these files (@pxref{addgnupghome}).
+
+
+For internal purposes gpgsm creates and maintaines a few other files;
+They all live in in the current home directory (@pxref{option
+--homedir}).  Only @command{gpgsm} may modify these files.
+
+ at table @file
+ at item pubring.kbx
+ at cindex pubring.kbx
+This a database file storing the certificates as well as meta
+information.  For debugging purposes the tool @command{kbxutil} may be
+used to show the internal structure of this file.
+      
+ at item random_seed
+ at cindex random_seed
+This content of this file is used to maintain the internal state of the
+random number generator accross invocations.  The same file is used by
+other programs of this software too.
+
+ at end table
+
+
 @c 
 @c  Examples
 @c
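Review bot: The qualified.txt entry describes a line format that gpgsm enforces, but it leaves two things unstated: what the "exactly 40 hex character" field encodes and how it identifies the root certificate, and what the limit is in "Lines do have a length limit but this is not a serious limitation". The same text makes the administrator responsible for checking that the list is correct, so please name the field and give the limit (or drop the mention of it). The policies.txt paragraph would also read more clearly if it said outright that an unlisted, non-critical policy does not fail verification. Wording to fix in the same pass: "40 hex character", "delimited with by a white space is current ignored but might late be used", "thecertificate", "a global file an installed", "Everytime", "For existing users the a small helper script", "maintaines", "live in in", "This a database file", "This content of this file", "accross". Finally, the "man begin FILES" comment line has no matching end marker in this hunk, and the reference to addgnupghome points at a node this patch does not add; please confirm that both resolve.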

Modified: branches/GNUPG-1-9-BRANCH/sm/qualified.c
===================================================================
--- branches/GNUPG-1-9-BRANCH/sm/qualified.c	2006-02-14 10:17:57 UTC (rev 4001)
+++ branches/GNUPG-1-9-BRANCH/sm/qualified.c	2006-02-14 13:34:23 UTC (rev 4002)
@@ -270,7 +270,7 @@
 
 
 /* Popup a prompt to inform the user that the signature created is not
-   a qualified one.  This is of course only doen if we know that we
+   a qualified one.  This is of course only done if we know that we
    have been approved. */
 gpg_error_t
 gpgsm_not_qualified_warning (ctrl_t ctrl, ksba_cert_t cert)
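Review bot: The comment above gpgsm_not_qualified_warning is now spelled correctly but still does not say why approval is the precondition for a "not a qualified one" prompt. The gpgsm.texi text added in this same revision states that the software "has not yet been approved for use with such certificates", so a reader cannot tell from "only done if we know that we have been approved" whether this prompt is reachable today. Suggest adding one sentence on how the approval state is determined and how this prompt relates to the notices described in the documentation.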



