author | Andre Heinecke <aheinecke@intevation.de> | 2014-12-05 11:16:14 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2014-12-05 15:26:37 +0100 |
commit | f4ed04fca8885301b567ec004ffff0d6e24f4611 (patch) | |
tree | 25f67061f9b3391cbb6fd549f5b8966b9d1116b9 /doc/gpg-agent.texi | |
parent | scd: Fix for NIST P-256. (diff) | |
Document no-allow-mark-trusted option
doc: Document no-allow-mark-trusted for gpg-agent
* doc/gpg-agent.texi: Change allow-mark-trusted doc to
no-allow-mark-trusted.
--
Since rev. 78a56b14 allow-mark-trusted is the default option
and was replaced by no-allow-mark-trusted to disable the
interactive prompt.
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
Diffstat (limited to '')
-rw-r--r-- | doc/gpg-agent.texi | 23 |
1 files changed, 11 insertions, 12 deletions
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 7523043bb..36bd0c29f 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -350,12 +350,12 @@ descriptor has been set on a Windows platform, the Registry entry the logging output. -@anchor{option --allow-mark-trusted} -@item --allow-mark-trusted -@opindex allow-mark-trusted -Allow clients to mark keys as trusted, i.e. put them into the -@file{trustlist.txt} file. This is by default not allowed to make it -harder for users to inadvertently accept Root-CA keys. +@anchor{option --no-allow-mark-trusted} +@item --no-allow-mark-trusted +@opindex no-allow-mark-trusted +Do not allow clients to mark keys as trusted, i.e. put them into the +@file{trustlist.txt} file. This makes it harder for users to inadvertently +accept Root-CA keys. @anchor{option --allow-preset-passphrase} @item --allow-preset-passphrase @@ -650,11 +650,10 @@ administrator might have already entered those keys which are deemed trustworthy enough into this file. Places where to look for the fingerprint of a root certificate are letters received from the CA or the website of the CA (after making 100% sure that this is indeed the -website of that CA). You may want to consider allowing interactive -updates of this file by using the @xref{option --allow-mark-trusted}. -This is however not as secure as maintaining this file manually. It is -even advisable to change the permissions to read-only so that this file -can't be changed inadvertently. +website of that CA). You may want to consider disallowing interactive +updates of this file by using the @xref{option --no-allow-mark-trusted}. +It might even be advisable to change the permissions to read-only so +that this file can't be changed inadvertently. As a special feature a line @code{include-default} will include a global list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}). 
@@ -751,7 +750,7 @@ again. Only certain options are honored: @code{quiet}, @code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level}, @code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl}, @code{max-cache-ttl}, @code{ignore-cache-for-signing}, -@code{allow-mark-trusted}, @code{disable-scdaemon}, and +@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and @code{disable-check-own-socket}. @code{scdaemon-program} is also supported but due to the current implementation, which calls the scdaemon only once, it is not of much use unless you manually kill the |
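Review bot: In the first hunk (@@ -350), the new @item text for --no-allow-mark-trusted never states what the default is. The removed text said "This is by default not allowed"; the replacement should state the new default explicitly, for example "By default clients are allowed to mark keys as trusted; this option disables that", since the commit message gives exactly that as the reason for the change. The hunk also deletes @anchor{option --allow-mark-trusted}, so any cross-reference to the old anchor outside the lines shown here would dangle; worth checking the rest of the doc tree before merging.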
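Review bot: In the second hunk (@@ -650), the rewritten trustlist.txt paragraph drops "This is however not as secure as maintaining this file manually" without a replacement, so the reader is no longer told that interactive updates are the less secure choice, nor that they are what happens unless the option is set. Suggest keeping that comparison in the new wording next to the read-only permissions advice. Separately, "by using the @xref{option --no-allow-mark-trusted}" is carried over from the old text: @xref is meant to start a sentence and renders with a leading "See", so @ref would read correctly in mid-sentence.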
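Review bot: In the third hunk (@@ -751), the list of honored options now names no-allow-mark-trusted in place of allow-mark-trusted, but the diffstat shows only doc/gpg-agent.texi changed, so nothing in this patch confirms that the agent behaves as the new text says. Please confirm that no-allow-mark-trusted is in fact honored at this point, and say in the text whether removing the line from the configuration re-enables marking as well, since that is the direction that loosens trust handling.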