diff options
| author | Werner Koch <wk@gnupg.org> | 2013-05-22 10:50:12 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2013-05-22 10:14:57 +0200 |
| commit | 7777e68d0482c942f527e91c04adbcfb40bc8bef (patch) | |
| tree | a739b575f0495cf34116f11abaa1f85e86f747e2 /README | |
| parent | New debug functions log_printcanon and log_printsexp. (diff) | |
| download | gnupg2-7777e68d0482c942f527e91c04adbcfb40bc8bef.tar.xz gnupg2-7777e68d0482c942f527e91c04adbcfb40bc8bef.zip | |
Implement unattended OpenPGP secret key import.
* agent/command.c (cmd_import_key): Add option --unattended.
* agent/cvt-openpgp.c (convert_transfer_key): New.
(do_unprotect): Factor some code out to ...
(prepare_unprotect): new function.
(convert_from_openpgp): Factor all code out to ...
(convert_from_openpgp_main): this. Add arg 'passphrase'. Implement
openpgp-native protection modes.
(convert_from_openpgp_native): New.
* agent/t-protect.c (convert_from_openpgp_native): New dummy fucntion
* agent/protect-tool.c (convert_from_openpgp_native): Ditto.
* agent/protect.c (agent_unprotect): Add arg CTRL. Adjust all
callers. Support openpgp-native protection.
* g10/call-agent.c (agent_import_key): Add arg 'unattended'.
* g10/import.c (transfer_secret_keys): Use unattended in batch mode.
--
With the gpg-agent taking care of the secret keys, the user needs to
migrate existing keys from secring.gpg to the agent. This and also
the standard import of secret keys required the user to unprotect the
secret keys first, so that gpg-agent was able to re-protected them
using its own scheme. With many secret keys this is quite some
usability hurdle. In particular if a passphrase is not instantly
available.
To make this migration smoother, this patch implements an unattended
key import/migration which delays the conversion to the gpg-agent
format until the key is actually used. For example:
gpg2 --batch --import mysecretkey.gpg
works without any user interaction due to the use of --batch. Now if
a key is used (e.g. "gpg2 -su USERID_FROM_MYSECRETKEY foo"), gpg-agent
has to ask for the passphrase anyway, converts the key from the
openpgp format to the internal format, signs, re-encrypts the key and
tries to store it in the gpg-agent format to the disk. The next time,
the internal format of the key is used.
This patch has only been tested with the old demo keys, more tests
with other protection formats and no protection are needed.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'README')
| -rw-r--r-- | README | 57 |
1 files changed, 34 insertions, 23 deletions
@@ -5,7 +5,8 @@ THIS IS A DEVELOPMENT VERSION AND NOT INTENDED FOR REGULAR USE. Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, - 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. + 2006, 2007, 2008, 2009, 2010, 2011, 2012, + 2013 Free Software Foundation, Inc. INTRODUCTION @@ -32,21 +33,22 @@ BUILD INSTRUCTIONS GnuPG 2.1 depends on the following packages: + npth (ftp://ftp.gnupg.org/gcrypt/npth/) libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/) libgcrypt (ftp://ftp.gnupg.org/gcrypt/libgcrypt/) libksba (ftp://ftp.gnupg.org/gcrypt/libksba/) libassuan (ftp://ftp.gnupg.org/gcrypt/libassuan/) -You also need the Pinentry package for most function of GnuPG; however -it is not a build requirement. Pinentry is available at -ftp://ftp.gnupg.org/gcrypt/pinentry/ . - You should get the latest versions of course, the GnuPG configure script complains if a version is not sufficient. +You also need the Pinentry package for most functions of GnuPG; +however it is not a build requirement. Pinentry is available at +ftp://ftp.gnupg.org/gcrypt/pinentry/ . + After building and installing the above packages in the order as given -above, you may now continue with GnuPG installation (you may also just -try to build GnuPG to see whether your already installed versions are +above, you may continue with GnuPG installation (you may also just try +to build GnuPG to see whether your already installed versions are sufficient). As with all packages, you just have to do @@ -62,7 +64,8 @@ S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so that this package won't conflict with a GnuPG 1.4 installation. gpg2 behaves just like gpg. -In case of problem please ask on gnupg-users@gnupg.org for advise. +In case of problem please ask on gnupg-users@gnupg.org mailing list +for advise. Note that the PKITS tests are always skipped unless you copy the PKITS test data file into the tests/pkits directory. There is no need to @@ -79,21 +82,24 @@ to view the default directories used by GnuPG. MIGRATION FROM 1.4 or 2.0 to 2.1 ================================ -The major change in 2.1 is that gpg-agent now takes care of the -OpenPGP secret keys (those managed by GPG). The former secring.gpg -will not be used anymore. Newly generated keys are generated and -stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To -migrate your existing keys to the agent you should run this command +The major change in 2.1 is gpg-agent taking care of the OpenPGP secret +keys (those managed by GPG). The former file "secring.gpg" will not +be used anymore. Newly generated keys are stored in the agent's key +store directory "~/.gnupg/private-keys-v1.d/". + +To migrate your existing keys you need to run the command + + gpg2 --batch --import ~/.gnupg/secring.gpg - gpg2 --import ~/.gnupg/secring.gpg +Secret keys already imported are skipped by this command. It is +advisable to keep the secring.gpg for use with older versions of GPG. -The agent will you ask for the passphrase of each key. You may use -the Cancel button of the Pinentry to skip importing this key. If you -want to stop the import process and you use one of the latest -pinentries, you should close the pinentry window instead of hitting -the cancel button. Secret keys already imported are skipped by the -import command. It is advisable to keep the secring.gpg for use with -older versions of GPG. +The use of "--batch" with "--import" is highly recommended. If you do +not use "--batch" the agent would ask for the passphrase of each key. +In this case you may use the Cancel button of the Pinentry to skip +importing this key. If you want to stop the enite import process and +you use a decent version of Pinentry, you should close the Pinentry +window instead of hitting the Cancel button. Note that gpg-agent now uses a fixed socket by default. All tools will start the gpg-agent as needed. In general there is no more need @@ -182,8 +188,13 @@ authors directly as we are busy working on improvements and bug fixes. The English and German mailing lists are watched by the authors and we try to answer questions when time allows us to do so. -Commercial grade support for GnuPG is available; please see -http://www.gnupg.org/service.html . +Commercial grade support for GnuPG is available; for a listing of +offers see http://www.gnupg.org/service.html . The driving force +behind the development of GnuPG is the company of its principal +author, Werner Koch. Maintenance and improvement of GnuPG and related +software takes up most of their resources. To allow him to continue +his work he asks to either purchase a support contract, engage them +for custom enhancements, or to donate money. See http://g10code.com . This file is Free Software; as a special exception the authors gives |