[git] GnuPG - branch, master, updated. gnupg-2.1.0-39-g0082766
by Werner Koch
cvs at cvs.gnupg.org
Mon Nov 24 11:22:53 CET 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 0082766aace354e49a23227475e664c515217a8d (commit)
via eed16ccebf8fd1fdf9709affbd5c831f6957b8ae (commit)
via a3cf781e3bc144aff60e007b9ba59bff7b1b2c9e (commit)
via e5697fefbe5f518cfca2579b8d698b7bf98e9335 (commit)
from 0bfabe579d31742ac006954e38a20b105fe8b8b7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0082766aace354e49a23227475e664c515217a8d
Author: Werner Koch <wk at gnupg.org>
Date: Mon Nov 24 11:23:22 2014 +0100
doc: Update dirmngr.texi
--
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 7b2f92c..5f2cfd4 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -24,15 +24,17 @@
@end ifset
@mansect description
-Dirmngr is a server for managing and downloading certificate revocation
-lists (CRLs) for X.509 certificates and for downloading the certificates
-themselves. Dirmngr also handles OCSP requests as an alternative to
-CRLs. Dirmngr is either invoked internally by gpgsm or when running as a
-system daemon through the @command{dirmngr-client} tool.
+Since version 2.1 of GnuPG, @command{dirmngr} takes care of accessing
+the OpenPGP keyservers. As with previous versions it is also used as
+a server for managing and downloading certificate revocation lists
+(CRLs) for X.509 certificates, downloading X.509 certificates, and
+providing access to OCSP providers. Dirmngr is invoked internally by
+ at command{gpg}, @command{gpgsm}, or via the @command{gpg-connect-agent}
+tool.
-If @command{dirmngr} is started in system daemon mode, it uses a
-directory layout as common for system daemons and does not make use of
-the default @file{~/.gnupg} directory.
+For historical reasons it is also possible to start @command{dirmngr}
+in a system daemon mode which uses a different directory layout.
+However, this mode is deprecated and may eventually be removed.
@manpause
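Review bot: the new first paragraph switches between "@command{dirmngr}" and bare "Dirmngr" within a few lines; pick one form (the rest of the manual uses @command{dirmngr} for the program and "Dirmngr" only at sentence start) so the rendered man page stays consistent. The deprecation sentence would also be more useful if it named the replacement explicitly, e.g. "use the per-user mode, in which @command{gpg} and @command{gpgsm} start dirmngr on demand", since that is what the preceding paragraph implies.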
@@ -78,12 +80,13 @@ abbreviate this command.
@opindex server
Run in server mode and wait for commands on the @code{stdin}. The
default mode is to create a socket and listen for commands there.
+This is only used for testing.
@item --daemon
@opindex daemon
Run in background daemon mode and listen for commands on a socket.
Note that this also changes the default home directory and enables the
-internal certificate validation code.
+internal certificate validation code. This mode is deprecated.
@item --list-crls
@opindex list-crls
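Review bot: "This is only used for testing." under --server is ambiguous about what "this" refers to (the option or the stdin mode); suggest "This mode is only useful for testing." Likewise the bare "This mode is deprecated." under --daemon should say what to use instead, since a reader of the options list will not have seen the description section: "This mode is deprecated; dirmngr is normally started on demand by @command{gpg} and @command{gpgsm}."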
@@ -420,51 +423,63 @@ Dirmngr makes use of several directories when running in daemon mode:
@table @file
- at item /etc/gnupg
-This is where all the configuration files are expected by default.
-
- at item /etc/gnupg/trusted-certs
-This directory should be filled with certificates of Root CAs you are
-trusting in checking the CRLS and signing OCSP Reponses. Usually
-these are the same certificates you use with the applications making
-use of dirmngr. It is expected that each of these certificate files
-contain exactly one @acronym{DER} encoded certificate in a file with
-the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads those
-certificates on startup and when given a SIGHUP. Certificates which
-are not readable or do not make up a proper X.509 certificate are
-ignored; see the log file for details.
+ at item ~/.gnupg
+ at itemx /etc/gnupg
+The first is the standard home directory for all configuration files.
+In the deprecated system daemon mode the second directory is used instead.
+
+ at item ~/.gnupg/trusted-certs
+ at itemx /etc/gnupg/trusted-certs
+The first directory should be filled with certificates of Root CAs you
+are trusting in checking the CRLs and signing OCSP Reponses. The
+second directory is used in the deprecated systems daemon mode.
+
+Usually these are the same certificates you use with the applications
+making use of dirmngr. It is expected that each of these certificate
+files contain exactly one @acronym{DER} encoded certificate in a file
+with the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads
+those certificates on startup and when given a SIGHUP. Certificates
+which are not readable or do not make up a proper X.509 certificate
+are ignored; see the log file for details.
Note that for OCSP responses the certificate specified using the option
@option{--ocsp-signer} is always considered valid to sign OCSP requests.
- at item /var/lib/gnupg/extra-certs
-This directory may contain extra certificates which are preloaded into
-the interal cache on startup. This is convenient in cases you have a
-couple intermediate CA certificates or certificates ususally used to
-sign OCSP reponses. These certificates are first tried before going out
-to the net to look for them. These certificates must also be
+ at item ~/.gnupg/extra-certs
+ at itemx /var/lib/gnupg/extra-certs
+The first directory may contain extra certificates which are preloaded
+into the interal cache on startup.This is convenient in cases you have
+a couple intermediate CA certificates or certificates ususally used to
+sign OCSP reponses. These certificates are first tried before going
+out to the net to look for them. These certificates must also be
@acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}.
+The second directory is used instead in the deprecated systems daemon
+mode.
@item /var/run/gnupg
-This directory keeps the socket file for accsing @command{dirmngr} services.
-The name of the socket file will be @file{S.dirmngr}. Make sure that this
-directory has the proper permissions to let @command{dirmngr} create the
-socket file and that eligible users may read and write to that socket.
-
- at item /var/cache/gnupg/crls.d
-This directory is used to store cached CRLs. The @file{crls.d} part
-will be created by dirmngr if it does not exists but you need to make
-sure that the upper directory exists.
+This directory is only used in the deprecated system daemon mode. It
+keeps the socket file for accessing @command{dirmngr} services. The
+name of the socket file will be @file{S.dirmngr}. Make sure that this
+directory has the proper permissions to let @command{dirmngr} create
+the socket file and that eligible users may read and write to that
+socket.
+
+ at item ~/.gnupg/crls.d
+ at itemx /var/cache/gnupg/crls.d
+The first directory is used to store cached CRLs. The @file{crls.d}
+part will be created by dirmngr if it does not exists but you need to
+make sure that the upper directory exists. The second directory is
+used instead in the deprecated systems daemon mode.
@end table
@manpause
To be able to see what's going on you should create the configure file
- at file{/etc/dirmngr/dirmngr.conf} with at least one line:
+ at file{~/gnupg/dirmngr.conf} with at least one line:
@example
-log-file /var/log/gnupg/dirmngr.log
+log-file ~/dirmngr.log
@end example
To be able to perform OCSP requests you probably want to add the line:
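Review bot: the new path in the configuration example, "@file{~/gnupg/dirmngr.conf}", is missing the leading dot and contradicts the directory table just above it; it should read "@file{~/.gnupg/dirmngr.conf}". Several wording slips are also introduced or carried over in the rewritten table entries: "systems daemon mode" appears three times and should be "system daemon mode"; "startup.This" lacks a space; "interal", "ususally", "reponses"/"Reponses" and "does not exists" should be "internal", "usually", "responses" and "does not exist". Since trusted-certs now lives under ~/.gnupg by default, it is worth one sentence noting that certificates placed there are trusted as roots for CRL and OCSP validation, so the directory deserves the same ownership and permission care as the rest of ~/.gnupg.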
@@ -473,14 +488,16 @@ To be able to perform OCSP requests you probably want to add the line:
allow-ocsp
@end example
-Now you may start dirmngr as a system daemon using:
+To make sure that new options are read and that after the installation
+of a new GnuPG versions the installed dirmngr is running, you may want
+to kill an existing dirmngr first:
@example
-dirmngr --daemon
+gpgconf --kill dirmngr
@end example
-Please ignore the output; it is not needed anymore. Check the log file
-to see whether all trusted root certificates have been loaded correctly.
+You may check the log file to see whether all desired root
+certificates have been loaded correctly.
@c
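Review bot: "after the installation of a new GnuPG versions" should be "version", and the sentence as a whole is hard to parse; suggest "To make sure that new options are read and that, after installing a new GnuPG version, the newly installed dirmngr is the one running, kill any existing dirmngr first:".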
@@ -501,13 +518,21 @@ Here is a list of supported signals:
@cpindex SIGHUP
This signals flushes all internally cached CRLs as well as any cached
certificates. Then the certificate cache is reinitialized as on
-startup. Options are re-read from the configuration file.
+startup. Options are re-read from the configuration file. Instead of
+sending this signal it is better to use
+ at example
+gpgconf --reload dirmngr
+ at end example
@item SIGTERM
@cpindex SIGTERM
Shuts down the process but waits until all current requests are
fulfilled. If the process has received 3 of these signals and requests
-are still pending, a shutdown is forced.
+are still pending, a shutdown is forced. You may also use
+ at example
+gpgconf --kill dirmngr
+ at end example
+instead of this signal
@item SIGINT
@cpindex SIGINT
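Review bot: the added line "instead of this signal" after the SIGTERM example has no terminating period, so the sentence runs into the following @item in the rendered output. While touching the SIGHUP entry, the pre-existing "This signals flushes" could be corrected to "This signal flushes".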
@@ -529,25 +554,25 @@ This prints some caching statistics to the log file.
@node Dirmngr Examples
@section Examples
-
-Dirmngr is supposed to be used as a system wide daemon, it should be
-started like:
+Here is an example on how to show dirmngr's internal table of OpenPGP
+keyserver addresses. The output is intended for debugging purposes
+and not part of a defined API.
@example
- dirmngr --daemon
+ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
@end example
-This will force it to go into the backround, read the default
-certificates (including the trusted root certificates) and listen on a
-socket for client requests. It does also print information about the
-socket used but they are only for compatibilty reasons with old GnuPG
-versions and may be ignored.
+To inhibit the use of a particular host you have noticed in one of the
+keyserver pools, you may use
+
+ at example
+ gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
+ at end example
-For debugging purposes it is also possible to start Dirmngr in the
-foreground:
+The description of the @code{keyserver} command can be printed using
@example
- dirmngr --server -v
+ gpg-connect-agent --dirmngr 'help keyserver' /bye
@end example
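Review bot: the rewrite drops the foreground-debugging example ("dirmngr --server -v") without a replacement, yet earlier in this same patch --server is documented as the mode used for testing; consider keeping a one-line pointer to it here so the Examples section still shows how to run dirmngr interactively when diagnosing a problem. Also note that the "--hosttable" output is described as unstable, which is good, but the "--dead" example could say whether the marking survives a restart; if it does not, a reader may expect more than it delivers.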
commit eed16ccebf8fd1fdf9709affbd5c831f6957b8ae
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Nov 21 17:04:42 2014 -0500
Distinguish between ARGPARSE_AMBIGUOUS_{OPTION,COMMAND}
* common/argparse.c (initialize): Use correct value.
--
This avoids a dead path in the argparse code.
It's not clear that this is needed, however, since
ARGPARSE_AMBIGUOUS_COMMAND is never actually used in the code.
Another approach would be to trim out ARGPARSE_AMBIGUOUS_COMMAND
entirely.
diff --git a/common/argparse.c b/common/argparse.c
index 0a36a9e..169e234 100644
--- a/common/argparse.c
+++ b/common/argparse.c
@@ -290,7 +290,7 @@ initialize( ARGPARSE_ARGS *arg, const char *filename, unsigned *lineno )
jnlib_log_error (_("invalid command \"%.50s\"\n"), s);
else if ( arg->r_opt == ARGPARSE_AMBIGUOUS_OPTION )
jnlib_log_error (_("option \"%.50s\" is ambiguous\n"), s);
- else if ( arg->r_opt == ARGPARSE_AMBIGUOUS_OPTION )
+ else if ( arg->r_opt == ARGPARSE_AMBIGUOUS_COMMAND )
jnlib_log_error (_("command \"%.50s\" is ambiguous\n"),s );
else if ( arg->r_opt == ARGPARSE_OUT_OF_CORE )
jnlib_log_error ("%s\n", _("out of core\n"));
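Review bot: the change correctly replaces the duplicated ARGPARSE_AMBIGUOUS_OPTION test, which previously made the "command ... is ambiguous" branch unreachable, but as the commit message itself notes, nothing in the code ever sets r_opt to ARGPARSE_AMBIGUOUS_COMMAND, so the branch is still dead after this patch; either have the ambiguity check distinguish commands from options when it reports, or drop the constant and this branch as the message suggests, rather than leaving a path that only looks live.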
commit a3cf781e3bc144aff60e007b9ba59bff7b1b2c9e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Nov 21 17:33:01 2014 -0500
gpg: Refer to --throw-keyids instead of --throw-keyid
* g10/encrypt.c: adjust error message
--
The full option name is --throw-keyids, so we should refer to it
consistently.
diff --git a/g10/encrypt.c b/g10/encrypt.c
index d1ce933..518b544 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -872,7 +872,7 @@ write_pubkey_enc_from_list (PK_LIST pk_list, DEK *dek, iobuf_t out)
if (opt.throw_keyid && (PGP6 || PGP7 || PGP8))
{
log_info(_("you may not use %s while in %s mode\n"),
- "--throw-keyid",compliance_option_string());
+ "--throw-keyids",compliance_option_string());
compliance_failure();
}
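Review bot: the corrected option name is passed as a %s argument outside the _() call, so no translation catalogs need updating for this change, which is the right way to do it; it would still be worth grepping the tree for any other "--throw-keyid" (singular) occurrences in messages, docs and gpg.texi so the rename is applied consistently in one go.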
commit e5697fefbe5f518cfca2579b8d698b7bf98e9335
Author: Werner Koch <wk at gnupg.org>
Date: Mon Nov 24 09:44:18 2014 +0100
speedo: Distribute installer graphics.
--
diff --git a/Makefile.am b/Makefile.am
index b462b9f..57529b6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -38,6 +38,8 @@ EXTRA_DIST = build-aux/config.rpath build-aux/potomo autogen.sh autogen.rc \
build-aux/speedo/w32/gdk-pixbuf-loaders.cache \
build-aux/speedo/w32/exdll.h \
build-aux/speedo/w32/README.txt \
+ build-aux/speedo/w32/gnupg-logo-150x57.bmp \
+ build-aux/speedo/w32/gnupg-logo-164x314.bmp \
build-aux/speedo/patches/atk-1.32.0.patch \
build-aux/speedo/patches/libiconv-1.14.patch \
build-aux/speedo/patches/pango-1.29.4.patch
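Review bot: adding the two .bmp files to EXTRA_DIST only works if both files are actually committed under build-aux/speedo/w32/; if either is missing from the tree, "make dist" will fail at tarball creation rather than at build time, so please confirm they are part of this push (the summary below lists only Makefile.am as changed).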
-----------------------------------------------------------------------
Summary of changes:
Makefile.am | 2 +
common/argparse.c | 2 +-
doc/dirmngr.texi | 139 +++++++++++++++++++++++++++++++----------------------
g10/encrypt.c | 2 +-
4 files changed, 86 insertions(+), 59 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org