[svn] GnuPG - r5088 - trunk/doc

svn author wk cvs at cvs.gnupg.org
Wed Jul 22 12:24:46 CEST 2009


Author: wk
Date: 2009-07-22 12:24:46 +0200 (Wed, 22 Jul 2009)
New Revision: 5088

Modified:
   trunk/doc/ChangeLog
   trunk/doc/gpg-agent.texi
   trunk/doc/gpg.texi
   trunk/doc/gpgsm.texi
   trunk/doc/sysnotes.texi
Log:
Give hints on files to backup.


Modified: trunk/doc/ChangeLog
===================================================================
--- trunk/doc/ChangeLog	2009-07-22 09:43:10 UTC (rev 5087)
+++ trunk/doc/ChangeLog	2009-07-22 10:24:46 UTC (rev 5088)
@@ -1,3 +1,8 @@
+2009-07-22  Werner Koch  <wk at g10code.com>
+
+	* gpg.texi (GPG Configuration Options): Tell what files to backup.
+	* sysnotes.texi: Remove some warning notes for W32.
+
 2009-07-20  Werner Koch  <wk at g10code.com>
 
 	* gpg.texi (Operational GPG Commands): Add a note for --send-keys.
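Review bot: The new entry names only gpg.texi and sysnotes.texi, but this revision also modifies gpg-agent.texi and gpgsm.texi (see the Modified list above). Suggest adding a line for each of those files so the ChangeLog matches the diff.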

Modified: trunk/doc/gpg-agent.texi
===================================================================
--- trunk/doc/gpg-agent.texi	2009-07-22 09:43:10 UTC (rev 5087)
+++ trunk/doc/gpg-agent.texi	2009-07-22 10:24:46 UTC (rev 5088)
@@ -514,16 +514,19 @@
   two dashes may not be entered and the option may not be abbreviated.
   This file is also read after a @code{SIGHUP} however only a few
   options will actually have an effect.  This default name may be
-  changed on the command line (@pxref{option --options}).
+  changed on the command line (@pxref{option --options}).  
+  You should backup this file.
 
 @item trustlist.txt
-  This is the list of trusted keys.  Comment lines, indicated by a leading
-  hash mark, as well as empty lines are ignored.  To mark a key as trusted
-  you need to enter its fingerprint followed by a space and a capital
-  letter @code{S}.  Colons may optionally be used to separate the bytes of
-  a fingerprint; this allows to cut and paste the fingerprint from a key
-  listing output.  If the line is prefixed with a @code{!} the key is
-  explicitly marked as not trusted.
+  This is the list of trusted keys.  You should backup this file.
+
+  Comment lines, indicated by a leading hash mark, as well as empty
+  lines are ignored.  To mark a key as trusted you need to enter its
+  fingerprint followed by a space and a capital letter @code{S}.  Colons
+  may optionally be used to separate the bytes of a fingerprint; this
+  allows to cut and paste the fingerprint from a key listing output.  If
+  the line is prefixed with a @code{!} the key is explicitly marked as
+  not trusted.
   
   Here is an example where two keys are marked as ultimately trusted
   and one as not trusted:
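Review bot: The added line "changed on the command line (@pxref{option --options})." ends in trailing whitespace, and "backup" is used as a verb here and in the trustlist.txt item; "back up" is the verb form. For trustlist.txt it would also help to say that the backup needs integrity protection, since an entry in this file is what marks a key as trusted.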
@@ -574,16 +577,17 @@
 @item sshcontrol
 
 This file is used when support for the secure shell agent protocol has
-been enabled (@pxref{option --enable-ssh-support}). Only keys present
-in this file are used in the SSH protocol.  The @command{ssh-add} tool
-may be used to add new entries to this file; you may also add them
-manually.  Comment lines, indicated by a leading hash mark, as well as
-empty lines are ignored.  An entry starts with optional whitespace,
-followed by the keygrip of the key given as 40 hex digits, optionally
-followed by the caching TTL in seconds and another optional field for
-arbitrary flags.  A non-zero TTL overrides the global default as
-set by @option{--default-cache-ttl-ssh}.
+been enabled (@pxref{option --enable-ssh-support}). Only keys present in
+this file are used in the SSH protocol.  You should backup this file.
 
+The @command{ssh-add} tool may be used to add new entries to this file;
+you may also add them manually.  Comment lines, indicated by a leading
+hash mark, as well as empty lines are ignored.  An entry starts with
+optional whitespace, followed by the keygrip of the key given as 40 hex
+digits, optionally followed by the caching TTL in seconds and another
+optional field for arbitrary flags.  A non-zero TTL overrides the global
+default as set by @option{--default-cache-ttl-ssh}.
+
 The keygrip may be prefixed with a @code{!} to disable an entry entry.
     
 The following example lists exactly one key.  Note that keys available
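Review bot: Only one sentence is new in the sshcontrol item ("You should backup this file."); the rest is a re-wrap of the existing paragraph, which hides the actual change in review and in later blame output. Suggest keeping the original line breaks and adding the sentence alone. The context line after the additions still reads "disable an entry entry" and could be fixed in the same pass.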
@@ -599,7 +603,8 @@
 
   This is the directory where gpg-agent stores the private keys.  Each
   key is stored in a file with the name made up of the keygrip and the
-  suffix @file{key}.
+  suffix @file{key}.  You should backup all files in this directory
+  and take great care to keep this backup closed away.
 
 
 @end table
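Review bot: "take great care to keep this backup closed away" in the private key directory item does not tell the reader what protection is expected. Suggest "locked away" plus one sentence on what that means in practice, for example offline or encrypted media with access limited to the key owner, since the files in this directory are the private keys themselves.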

Modified: trunk/doc/gpg.texi
===================================================================
--- trunk/doc/gpg.texi	2009-07-22 09:43:10 UTC (rev 5087)
+++ trunk/doc/gpg.texi	2009-07-22 10:24:46 UTC (rev 5088)
@@ -485,17 +485,35 @@
 a check is needed. To force a run even in batch mode add the option
 @option{--yes}.
 
+ at anchor{option --export-ownertrust}
 @item --export-ownertrust
 @opindex export-ownertrust
 Send the ownertrust values to STDOUT. This is useful for backup purposes
 as these values are the only ones which can't be re-created from a
-corrupted trust DB.
+corrupted trustdb.  Example:
+ at c man:.RS
+ at example
+  @gpgname{} --export-ownertrust > otrust.txt
+ at end example
+ at c man:.RE
 
+
 @item --import-ownertrust
 @opindex import-ownertrust
 Update the trustdb with the ownertrust values stored in @code{files} (or
-STDIN if not given); existing values will be overwritten.
+STDIN if not given); existing values will be overwritten.  In case of a
+severely damaged trustdb and if you have a recent backup of the
+ownertrust values (e.g. in the file @file{otrust.txt}, you may re-create
+the trustdb using these commands:
+ at c man:.RS
+ at example
+  cd ~/.gnupg
+  rm trustdb.gpg
+  @gpgname{} --import-ownertrust < otrust.txt
+ at end example
+ at c man:.RE
 
+
 @item --rebuild-keydb-caches
 @opindex rebuild-keydb-caches
 When updating from version 1.0.6 to 1.0.7 this command should be used
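Review bot: The sentence added under --import-ownertrust opens a parenthesis that is never closed: "(e.g. in the file @file{otrust.txt}, you may re-create"; it needs a ")" after "@file{otrust.txt}". The recovery example also deletes the damaged file with "rm trustdb.gpg"; renaming it instead would leave the user a way back if the import fails.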
@@ -2614,12 +2632,12 @@
 @table @file
 
 @item gpg.conf
- at cindex gpgsm.conf
+ at cindex gpg.conf
 This is the standard configuration file read by @command{@gpgname} on
 startup.  It may contain any valid long option; the leading two dashes
 may not be entered and the option may not be abbreviated.  This default
-name may be changed on the command line (@pxref{option
-  --options}).
+name may be changed on the command line (@pxref{option --options}).
+You should backup this file.
 
 @end table
 
@@ -2639,31 +2657,32 @@
 
 @table @file
 @item ~/.gnupg/secring.gpg
-The secret keyring.
+The secret keyring.  You should backup this file.
 
 @item ~/.gnupg/secring.gpg.lock
-and the lock file
+The lock file for teh secret keyring.
 
 @item ~/.gnupg/pubring.gpg
-The public keyring
+The public keyring.  You should backup this file.
 
 @item ~/.gnupg/pubring.gpg.lock
-and the lock file
+The lock file for the public keyring.
 
 @item ~/.gnupg/trustdb.gpg
-The trust database
+The trust database.  There is no need to backup this file; it is better
+to backup the ownertrust values (@pxref{option --export-ownertrust}).
 
 @item ~/.gnupg/trustdb.gpg.lock
-and the lock file
+The lock file for the trust database.
 
 @item ~/.gnupg/random_seed
-used to preserve the internal random pool
+A file used to preserve the state of theinternal random pool.
 
 @item /usr[/local]/share/gnupg/options.skel
-Skeleton options file
+The skeleton options file.
 
 @item /usr[/local]/lib/gnupg/
-Default location for extensions
+Default location for extensions.
 
 @end table
 
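Review bot: Two typos in the added lines: "teh secret keyring" in the secring.gpg.lock item and "theinternal random pool" in the random_seed item. The secring.gpg hint could carry the same storage caution that the gpg-agent private key directory gets in this commit, and random_seed is the one data file left without an explicit statement on whether to back it up, unlike trustdb.gpg.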

Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi	2009-07-22 09:43:10 UTC (rev 5087)
+++ trunk/doc/gpgsm.texi	2009-07-22 10:24:46 UTC (rev 5088)
@@ -734,8 +734,9 @@
 startup.  It may contain any valid long option; the leading two dashes
 may not be entered and the option may not be abbreviated.  This default
 name may be changed on the command line (@pxref{option
-  --options}).
+  --options}).  You should backup this file.
 
+
 @item policies.txt
 @cindex policies.txt
 This is a list of allowed CA policies.  This file should list the
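Review bot: The cross-reference is still split across two lines here ("@pxref{option" / "--options}"), while the same sentence in gpg.texi was joined onto one line in this commit. Suggest making the same change here so both files match.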
@@ -743,7 +744,8 @@
 lines starting with a hash mark are ignored.  Policies missing in this
 file and not marked as critical in the certificate will print only a
 warning; certificates with policies marked as critical and not listed
-in this file will fail the signature verification.
+in this file will fail the signature verification.  You should backup
+this file.
 
 For example, to allow only the policy 2.289.9.9, the file should look
 like this:
@@ -831,7 +833,8 @@
 @cindex pubring.kbx
 This a database file storing the certificates as well as meta
 information.  For debugging purposes the tool @command{kbxutil} may be
-used to show the internal structure of this file.
+used to show the internal structure of this file.  You should backup
+this file.
 
 @item random_seed
 @cindex random_seed
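Review bot: The context line above the change reads "This a database file storing the certificates"; the verb is missing, and since this paragraph is being edited anyway it could be corrected here to "This is a database file".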

Modified: trunk/doc/sysnotes.texi
===================================================================
--- trunk/doc/sysnotes.texi	2009-07-22 09:43:10 UTC (rev 5087)
+++ trunk/doc/sysnotes.texi	2009-07-22 10:24:46 UTC (rev 5088)
@@ -60,31 +60,11 @@
 @node W32 Notes
 @section Microsoft Windows Notes
 
-The port to Microsoft Windows based OSes is pretty new and has some
-limitations we might remove over time.  Note, that we have not yet done
-any security audit and you should not use any valuable private key.  In
-particular, @strong{using it on a box with more than one user, might
-lead to a key compromise}.
-
- at strong{It is quite possible that the current version does not even
-build.}
-
 @noindent
 Current limitations are:
 
 @itemize
- at item
-The @code{LISTKEYS} Assuan command of @command{gpgsm} is not supported.
-Using the command line options @option{--list-keys} or
- at option{--list-secret-keys} does however work.
 
- at item 
-No support for CRL checks.  By default the option
- at option{--disable-crl-checks} has been turned on and the log will show
-an appropriate warning message.  The reason for this is that the
-separate CRL checking daemin (@command{dirmngr}) has not been ported to
-W32.
-
 @item
 @command{gpgconf} does not create backup files, so in case of trouble
 your configuration file might get lost.
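Review bot: The removed paragraph is a security warning ("we have not yet done any security audit", "using it on a box with more than one user, might lead to a key compromise"), and neither the log message nor the ChangeLog line "Remove some warning notes for W32" says why it no longer applies. Suggest stating the reason in the ChangeLog, or keeping the multi-user caveat if it still holds. The removal also leaves an empty line directly after "@itemize".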
@@ -97,10 +77,6 @@
 The periodical smartcard status checking done by @command{scdaemon} is
 not yet supported.
 
- at item
-Detached running of the gpg-agent is not directly supported.  It needs
-to be started in a console and left alone then.
-
 @end itemize
 
 



