diff options
Diffstat (limited to '')
-rw-r--r-- | doc/examples/Automatic.prf | 15 | ||||
-rw-r--r-- | doc/examples/README | 11 | ||||
-rw-r--r-- | doc/examples/VS-NfD.prf | 24 | ||||
-rw-r--r-- | doc/examples/debug.prf | 29 | ||||
-rw-r--r-- | doc/examples/gpgconf.conf | 62 | ||||
-rw-r--r-- | doc/examples/gpgconf.rnames | 12 | ||||
-rw-r--r-- | doc/examples/pwpattern.list | 48 | ||||
-rwxr-xr-x | doc/examples/scd-event | 102 | ||||
-rw-r--r-- | doc/examples/systemd-user/README | 66 | ||||
-rw-r--r-- | doc/examples/systemd-user/dirmngr.service | 8 | ||||
-rw-r--r-- | doc/examples/systemd-user/dirmngr.socket | 11 | ||||
-rw-r--r-- | doc/examples/systemd-user/gpg-agent-browser.socket | 13 | ||||
-rw-r--r-- | doc/examples/systemd-user/gpg-agent-extra.socket | 13 | ||||
-rw-r--r-- | doc/examples/systemd-user/gpg-agent-ssh.socket | 13 | ||||
-rw-r--r-- | doc/examples/systemd-user/gpg-agent.service | 8 | ||||
-rw-r--r-- | doc/examples/systemd-user/gpg-agent.socket | 12 | ||||
-rw-r--r-- | doc/examples/trustlist.txt | 66 |
17 files changed, 513 insertions, 0 deletions
diff --git a/doc/examples/Automatic.prf b/doc/examples/Automatic.prf new file mode 100644 index 0000000..41f9bea --- /dev/null +++ b/doc/examples/Automatic.prf @@ -0,0 +1,15 @@ +# Automatic.prf - Configure options for a more automatic mode -*- conf -*- +# +# The options for each tool are configured in a section ("[TOOL]"); +# see the respective man page for a description of these options and +# the gpgconf manpage for a description of this file's syntax. + +[gpg] +auto-key-locate local,wkd,dane +auto-key-retrieve +trust-model tofu+pgp$\r$\n' + +[gpg-agent] +default-cache-ttl 900 +max-cache-ttl 3600 +min-passphrase-nonalpha 0 diff --git a/doc/examples/README b/doc/examples/README new file mode 100644 index 0000000..77ee807 --- /dev/null +++ b/doc/examples/README @@ -0,0 +1,11 @@ +Files in this directory: + + +scd-event A handler script used with scdaemon + +trustlist.txt A list of trustworthy root certificates + (Please check yourself whether you actually trust them) + +gpgconf.conf A sample configuration file for gpgconf. + +systemd-user Sample files for a Linux-only init system. diff --git a/doc/examples/VS-NfD.prf b/doc/examples/VS-NfD.prf new file mode 100644 index 0000000..edb9e01 --- /dev/null +++ b/doc/examples/VS-NfD.prf @@ -0,0 +1,24 @@ +# VS-NfD.prf - Configure options for the VS-NfD mode -*- conf -*- +# +# The options for each tool are configured in a section ("[TOOL]"); +# see the respective man page for a description of these options and +# the gpgconf manpage for a description of this file's syntax. + +[gpg] +compliance de-vs + +[gpgsm] +compliance de-vs +enable-crl-checks + +[gpg-agent] +default-cache-ttl 900 +max-cache-ttl 3600 +no-allow-mark-trusted +no-allow-external-cache +enforce-passphrase-constraints +min-passphrase-len 9 +min-passphrase-nonalpha 0 + +[dirmngr] +allow-ocsp diff --git a/doc/examples/debug.prf b/doc/examples/debug.prf new file mode 100644 index 0000000..f635fc8 --- /dev/null +++ b/doc/examples/debug.prf @@ -0,0 +1,29 @@ +# debug.prf - Configure options for easier debugging -*- conf -*- +# +# Note that the actual debug options for each component need to be set +# manually. Running the component with "--debug help" shows a list of +# supported values. To watch the logs this command can be used: +# +# watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log +# + +[gpg] +log-file socket:// +verbose +#debug ipc + +[gpgsm] +log-file socket:// +verbose +#debug ipc + +[gpg-agent] +log-file socket:// +verbose +#debug ipc +#debug-pinentry + +[dirmngr] +log-file socket:// +verbose +#debug ipc,dns diff --git a/doc/examples/gpgconf.conf b/doc/examples/gpgconf.conf new file mode 100644 index 0000000..a61d4d4 --- /dev/null +++ b/doc/examples/gpgconf.conf @@ -0,0 +1,62 @@ +# gpgconf.conf - configuration for gpgconf +#---------------------------------------------------------------------- +# This file is read by gpgconf(1) to setup defaults for all or +# specified users and groups. It may be used to change the hardwired +# defaults in gpgconf and to enforce certain values for the various +# GnuPG related configuration files. +# +# NOTE: This is a legacy mechanism. The modern way is to use global +# configuration files like /etc/gnupg/gpg.conf which are more +# flexible and better integrated into the configuration system. +# +# Empty lines and comment lines, indicated by a hash mark as first non +# white space character, are ignored. The line is separated by white +# space into fields. The first field is used to match the user or +# group and must start at the first column, the file is processed +# sequential until a matching rule is found. A rule may contain +# several lines; continuation lines are indicated by a indenting them. +# +# Syntax of a line: +# <key>|WS <component> <option> ["["<flag>"]"] [<value>] +# +# Examples for the <key> field: +# foo - Matches the user "foo". +# foo: - Matches the user "foo". +# foo:staff - Matches the user "foo" or the group "staff". +# :staff - Matches the group "staff". +# * - Matches any user. +# All other variants are not defined and reserved for future use. +# +# <component> and <option> are as specified by gpgconf. +# <flag> may be one of: +# default - Delete the option so that the default is used. +# no-change - Mark the field as non changeable by gpgconf. +# change - Mark the field as changeable by gpgconf. +# +# Example file: +#========== +# :staff gpg-agent min-passphrase-len 6 [change] +# +# * gpg-agent min-passphrase-len [no-change] 8 +# gpg-agent min-passphrase-nonalpha [no-change] 1 +# gpg-agent max-passphrase-days [no-change] 700 +# gpg-agent enable-passphrase-history [no-change] +# gpg-agent enforce-passphrase-constraints [default] +# gpg-agent enforce-passphrase-constraints [no-change] +# gpg-agent max-cache-ttl [no-change] 10800 +# gpg-agent max-cache-ttl-ssh [no-change] 10800 +# gpgsm enable-ocsp +# gpg compliance [no-change] +# gpgsm compliance [no-change] +#=========== +# All users in the group "staff" are allowed to change the value for +# --allow-mark-trusted; gpgconf's default is not to allow a change +# through its interface. When "gpgconf --apply-defaults" is used, +# "allow-mark-trusted" will get enabled and "min-passphrase-len" set +# to 6. All other users are not allowed to change +# "min-passphrase-len" and "allow-mark-trusted". When "gpgconf +# --apply-defaults" is used for them, "min-passphrase-len" is set to +# 8, "allow-mark-trusted" deleted from the config file and +# "enable-ocsp" is put into the config file of gpgsm. The latter may +# be changed by any user. +#------------------------------------------------------------------- diff --git a/doc/examples/gpgconf.rnames b/doc/examples/gpgconf.rnames new file mode 100644 index 0000000..0e83732 --- /dev/null +++ b/doc/examples/gpgconf.rnames @@ -0,0 +1,12 @@ +# gpgconf-rnames.lst +# Additional registry settings to be shown by "gpgconf -X". +# +# Example: HKCU\Software\GNU\GnuPG:FooBar +# +# HKCU := The class. Other supported classes are HKLM, HKCR, HKU, +# and HKCC. If no class is given and the string thus starts +# with a backslash HKCU with a fallback to HKLM is used. +# Software\GNU\GnuPG := The actual key. +# FooBar := The name of the item. if a name is not given the default +# value is used. +# diff --git a/doc/examples/pwpattern.list b/doc/examples/pwpattern.list new file mode 100644 index 0000000..251c2d4 --- /dev/null +++ b/doc/examples/pwpattern.list @@ -0,0 +1,48 @@ +# pwpattern.list -*- default-generic -*- +# +# This is an example for a pattern file as used by gpg-check-pattern. +# The file is line based with comment lines beginning on the *first* +# position with a '#'. Empty lines and lines with just spaces are +# ignored. The other lines may be verbatim patterns and match as they +# are (trailing spaces are ignored) or extended regular expressions +# indicated by a / in the first column and terminated by another / or +# end of line. All comparisons are case insensitive. + +# Reject the usual metavariables. Usual not required because +# gpg-agent can be used to reject all passphrases shorter than 8 +# charactes. +foo +bar +baz + +# As well as very common passwords. Note that gpg-agent can be used +# to reject them due to missing non-alpha characters. +password +passwort +passphrase +mantra +test +abc +egal + +# German number plates. +/^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/ + +# Dates (very limited, only ISO dates). */ +/^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/ + +# Arbitrary strings +the quick brown fox jumps over the lazy dogs back +no-password +no password + +12345678 +123456789 +1234567890 +87654321 +987654321 +0987654321 +qwertyuiop +qwertzuiop +asdfghjkl +zxcvbnm diff --git a/doc/examples/scd-event b/doc/examples/scd-event new file mode 100755 index 0000000..938465f --- /dev/null +++ b/doc/examples/scd-event @@ -0,0 +1,102 @@ +#!/bin/sh +# Sample script for scdaemon event mechanism. + +#exec >>/tmp/scd-event.log + +PGM=scd-event + +reader_port= +old_code=0x0000 +new_code=0x0000 +status= + +tick='`' +prev= +while [ $# -gt 0 ]; do + arg="$1" + case $arg in + -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//') + ;; + *) optarg= + ;; + esac + if [ -n "$prev" ]; then + eval "$prev=\$arg" + prev= + shift + continue + fi + case $arg in + --help|-h) + cat <<EOF +Usage: $PGM [options] +$PGM is called by scdaemon on card reader status changes + +Options: + --reader-port N Reports change for port N + --old-code 0xNNNN Previous status code + --old-code 0xNNNN Current status code + --status USABLE|ACTIVE|PRESENT|NOCARD + Human readable status code + +Environment: + +GNUPGHOME=DIR Set to the active homedir + +EOF + exit 0 + ;; + + --reader-port) + prev=reader_port + ;; + --reader-port=*) + reader_port="$optarg" + ;; + --old-code) + prev=old_code + ;; + --old-code=*) + old_code="$optarg" + ;; + --new-code) + prev=new_code + ;; + --new-code=*) + new_code="$optarg" + ;; + --status) + prev=status + ;; + --new-code=*) + status="$optarg" + ;; + + -*) + echo "$PGM: invalid option $tick$arg'" >&2 + exit 1 + ;; + + *) + break + ;; + esac + shift +done +if [ -n "$prev" ]; then + echo "$PGM: argument missing for option $tick$prev'" >&2 + exit 1 +fi + +cat <<EOF +======================== +port: $reader_port +old-code: $old_code +new-code: $new_code +status: $status +EOF + +if [ x$status = xUSABLE ]; then + gpg --batch --card-status 2>&1 +fi + diff --git a/doc/examples/systemd-user/README b/doc/examples/systemd-user/README new file mode 100644 index 0000000..43122f5 --- /dev/null +++ b/doc/examples/systemd-user/README @@ -0,0 +1,66 @@ +Socket-activated dirmngr and gpg-agent with systemd +=================================================== + +When used on a GNU/Linux system supervised by systemd, you can ensure +that the GnuPG daemons dirmngr and gpg-agent are launched +automatically the first time they're needed, and shut down cleanly at +session logout. This is done by enabling user services via +socket-activation. + +System distributors +------------------- + +The *.service and *.socket files (from this directory) should be +placed in /usr/lib/systemd/user/ alongside other user-session services +and sockets. + +To enable socket-activated dirmngr for all accounts on the system, +use: + + systemctl --user --global enable dirmngr.socket + +To enable socket-activated gpg-agent for all accounts on the system, +use: + + systemctl --user --global enable gpg-agent.socket + +Additionally, you can enable socket-activated gpg-agent ssh-agent +emulation for all accounts on the system with: + + systemctl --user --global enable gpg-agent-ssh.socket + +You can also enable restricted ("--extra-socket"-style) gpg-agent +sockets for all accounts on the system with: + + systemctl --user --global enable gpg-agent-extra.socket + +Individual users +---------------- + +A user on a system with systemd where this has not been installed +system-wide can place these files in ~/.config/systemd/user/ to make +them available. + +If a given service isn't installed system-wide, or if it's installed +system-wide but not globally enabled, individual users will still need +to enable them. For example, to enable socket-activated dirmngr for +all future sessions: + + systemctl --user enable dirmngr.socket + +To enable socket-activated gpg-agent with ssh support, do: + + systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket + +These changes won't take effect until your next login after you've +fully logged out (be sure to terminate any running daemons before +logging out). + +If you'd rather try a socket-activated GnuPG daemon in an +already-running session without logging out (with or without enabling +it for all future sessions), kill any existing daemon and start the +user socket directly. For example, to set up socket-activated dirmgnr +in the current session: + + gpgconf --kill dirmngr + systemctl --user start dirmngr.socket diff --git a/doc/examples/systemd-user/dirmngr.service b/doc/examples/systemd-user/dirmngr.service new file mode 100644 index 0000000..3c060cd --- /dev/null +++ b/doc/examples/systemd-user/dirmngr.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) +Requires=dirmngr.socket + +[Service] +ExecStart=/usr/bin/dirmngr --supervised +ExecReload=/usr/bin/gpgconf --reload dirmngr diff --git a/doc/examples/systemd-user/dirmngr.socket b/doc/examples/systemd-user/dirmngr.socket new file mode 100644 index 0000000..ebabf89 --- /dev/null +++ b/doc/examples/systemd-user/dirmngr.socket @@ -0,0 +1,11 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) + +[Socket] +ListenStream=%t/gnupg/S.dirmngr +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-browser.socket b/doc/examples/systemd-user/gpg-agent-browser.socket new file mode 100644 index 0000000..bc8d344 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-extra.socket b/doc/examples/systemd-user/gpg-agent-extra.socket new file mode 100644 index 0000000..5b87d09 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-extra.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (restricted) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.extra +FileDescriptorName=extra +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-ssh.socket b/doc/examples/systemd-user/gpg-agent-ssh.socket new file mode 100644 index 0000000..798c1d9 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-ssh.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent (ssh-agent emulation) +Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.ssh +FileDescriptorName=ssh +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent.service b/doc/examples/systemd-user/gpg-agent.service new file mode 100644 index 0000000..a050fcc --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) +Requires=gpg-agent.socket + +[Service] +ExecStart=/usr/bin/gpg-agent --supervised +ExecReload=/usr/bin/gpgconf --reload gpg-agent diff --git a/doc/examples/systemd-user/gpg-agent.socket b/doc/examples/systemd-user/gpg-agent.socket new file mode 100644 index 0000000..4257c2c --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent.socket @@ -0,0 +1,12 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent +FileDescriptorName=std +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/trustlist.txt b/doc/examples/trustlist.txt new file mode 100644 index 0000000..4d57242 --- /dev/null +++ b/doc/examples/trustlist.txt @@ -0,0 +1,66 @@ +# This is the global list of trusted keys. Comment lines, like this +# one, as well as empty lines are ignored. Lines have a length limit +# but this is not serious limitation as the format of the entries is +# fixed and checked by gpg-agent. A non-comment line starts with +# optional white space, followed by the SHA-1 fingerpint in hex, +# optionally followed by a flag character which my either be 'P', 'S' +# or '*'. This file will be read by gpg-agent if no local trustlist +# is available or if the statement "include-default" is used in the +# local list. You should give the gpg-agent(s) a HUP after editing +# this file. + + +#Serial number: 32D18D +# Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60 S + +#Serial number: 00C48C8D +# Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B S + +#Serial number: 01 +# Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5 S + +#Serial number: 02 +# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24 S + +#Serial number: 2A +# Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE +31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD S + +#Serial number: 2D +# Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE +A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D S + +# S/N: 0139 +# Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE +44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de + +# S/N: 013C +# Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE +AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de + + +# S/N: 00B3963E0E6C2D65125853E970665402E5 +# Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA S + +# S/N: 00C4216083F35C54F67B09A80C3C55FE7D +# Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B S + + +#Serial number: 00 +# Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww. +# cacert.org/O=Root CA/EMail=support@cacert.org +13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33 S + + |