summaryrefslogtreecommitdiffstats
path: root/debian/migrate-pubring-from-classic-gpg.1
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:08 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:08 +0000
commitafd7a175b53248d68095cecf5616705d093ffbc9 (patch)
tree5678015e96cc82aac7cf90a0b967aaea7a1c0841 /debian/migrate-pubring-from-classic-gpg.1
parentAdding upstream version 2.2.40. (diff)
downloadgnupg2-afd7a175b53248d68095cecf5616705d093ffbc9.tar.xz
gnupg2-afd7a175b53248d68095cecf5616705d093ffbc9.zip
Adding debian version 2.2.40-1.1.debian/2.2.40-1.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/migrate-pubring-from-classic-gpg.1')
-rw-r--r--debian/migrate-pubring-from-classic-gpg.194
1 files changed, 94 insertions, 0 deletions
diff --git a/debian/migrate-pubring-from-classic-gpg.1 b/debian/migrate-pubring-from-classic-gpg.1
new file mode 100644
index 0000000..7cbeec7
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg.1
@@ -0,0 +1,94 @@
+.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016"
+
+.SH NAME
+migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG
+
+.SH SYNOPSIS
+.B migrate\-pubring\-from\-classic\-gpg
+.RB "[ " GPGHOMEDIR " | "
+.IR \-\-default " ]"
+
+.SH DESCRIPTION
+
+.B migrate\-pubring\-from\-classic\-gpg
+migrates the public keyring in GnuPG home directory GPGHOMEDIR from
+the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
+versions 2.1 or 2.2 (pubring.kbx).
+
+Specifying
+.B \-\-default
+selects the standard GnuPG home directory (looking at $GNUPGHOME
+first, and falling back to ~/.gnupg if unset.
+
+.SH OPTIONS
+.BR \-h ", " \-\-help ", " \-\-usage
+Output a short usage information.
+
+.SH DIAGNOSTICS
+The program sends quite a bit of text (perhaps too much) to stderr.
+
+During a migration, the tool backs up several pieces of data in a
+timestamped subdirectory of the GPGHOMEDIR.
+
+.SH LIMITATIONS
+The keybox format rejects a number of OpenPGP certificates that the
+"classic" keyring format used to accept. These filters are defensive,
+since the certificates rejected are unsafe -- either cryptographically
+unsound, or dangerously non-performant. This means that some
+migrations may produce warning messages about the migration being
+incomplete. This is generally a good thing!
+
+Known limitations:
+
+.B Flooded certificates
+.RS 4
+Some OpenPGP certificates have been flooded with bogus certifications
+as part of an attack on the SKS keyserver network (see
+https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).
+
+The keybox format rejects import of any OpenPGP certificate larger
+than 5MiB. As of GnuPG 2.2.17, if gpg encounters such a flooded
+certificate will retry the import while stripping all third-party
+certifications (see "self-sigs-only" in gpg(1)).
+
+The typical error message when migrating a keyring with a flooded
+certificate will be something like:
+
+.RE
+.RS 8
+error writing keyring 'pubring.kbx': Provided object is too large
+.RE
+
+.B OpenPGPv3 public keys (a.k.a. "PGP-2" keys)
+.RS 4
+Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
+Older versions of the public key format have serious known problems.
+See https://tools.ietf.org/html/rfc4880#section-5.5.2 for more details
+about and reasons for v3 key deprecation.
+
+The keybox format skips v3 keys entirely during migration, and GnuPG
+will produce a message like:
+
+.RE
+.RS 8
+skipped PGP-2 keys: 1
+.RE
+
+.SH ENVIRONMENT VARIABLES
+
+.B GNUPGHOME
+Selects the GnuPG home directory when set and --default is given.
+
+.B GPG
+The name of the
+.B gpg
+executable (defaults to
+.B gpg
+).
+
+.SH SEE ALSO
+.BR gpg (1)
+
+.SH AUTHOR
+Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
+report bugs via the Debian BTS.