17 files changed, 513 insertions, 0 deletions
diff --git a/doc/examples/Automatic.prf b/doc/examples/Automatic.prf
new file mode 100644
index 0000000..41f9bea
--- /dev/null
+++ b/doc/examples/Automatic.prf
@@ -0,0 +1,15 @@
+# Automatic.prf - Configure options for a more automatic mode  -*- conf -*-
+#
+# The options for each tool are configured in a section ("[TOOL]");
+# see the respective man page for a description of these options and
+# the gpgconf manpage for a description of this file's syntax.
+
+[gpg]
+auto-key-locate local,wkd,dane
+auto-key-retrieve
+trust-model tofu+pgp$\r$\n'
+
+[gpg-agent]
+default-cache-ttl 900
+max-cache-ttl 3600
+min-passphrase-nonalpha 0
diff --git a/doc/examples/README b/doc/examples/README
new file mode 100644
index 0000000..77ee807
--- /dev/null
+++ b/doc/examples/README
@@ -0,0 +1,11 @@
+Files in this directory:
+
+
+scd-event       A handler script used with scdaemon
+
+trustlist.txt   A list of trustworthy root certificates
+                (Please check yourself whether you actually trust them)
+
+gpgconf.conf    A sample configuration file for gpgconf.
+
+systemd-user    Sample files for a Linux-only init system.
diff --git a/doc/examples/VS-NfD.prf b/doc/examples/VS-NfD.prf
new file mode 100644
index 0000000..edb9e01
--- /dev/null
+++ b/doc/examples/VS-NfD.prf
@@ -0,0 +1,24 @@
+# VS-NfD.prf - Configure options for the VS-NfD mode           -*- conf -*-
+#
+# The options for each tool are configured in a section ("[TOOL]");
+# see the respective man page for a description of these options and
+# the gpgconf manpage for a description of this file's syntax.
+
+[gpg]
+compliance de-vs
+
+[gpgsm]
+compliance de-vs
+enable-crl-checks
+
+[gpg-agent]
+default-cache-ttl 900
+max-cache-ttl 3600
+no-allow-mark-trusted
+no-allow-external-cache
+enforce-passphrase-constraints
+min-passphrase-len 9
+min-passphrase-nonalpha 0
+
+[dirmngr]
+allow-ocsp
diff --git a/doc/examples/debug.prf b/doc/examples/debug.prf
new file mode 100644
index 0000000..f635fc8
--- /dev/null
+++ b/doc/examples/debug.prf
@@ -0,0 +1,29 @@
+# debug.prf - Configure options for easier debugging       -*- conf -*-
+#
+# Note that the actual debug options for each component need to be set
+# manually.  Running the component with "--debug help" shows a list of
+# supported values.  To watch the logs this command can be used:
+#
+#   watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log
+#
+
+[gpg]
+log-file socket://
+verbose
+#debug ipc
+
+[gpgsm]
+log-file socket://
+verbose
+#debug ipc
+
+[gpg-agent]
+log-file socket://
+verbose
+#debug ipc
+#debug-pinentry
+
+[dirmngr]
+log-file socket://
+verbose
+#debug ipc,dns
diff --git a/doc/examples/gpgconf.conf b/doc/examples/gpgconf.conf
new file mode 100644
index 0000000..a61d4d4
--- /dev/null
+++ b/doc/examples/gpgconf.conf
@@ -0,0 +1,62 @@
+# gpgconf.conf - configuration for gpgconf
+#----------------------------------------------------------------------
+# This file is read by gpgconf(1) to setup defaults for all or
+# specified users and groups.  It may be used to change the hardwired
+# defaults in gpgconf and to enforce certain values for the various
+# GnuPG related configuration files.
+#
+# NOTE: This is a legacy mechanism.  The modern way is to use global
+#       configuration files like /etc/gnupg/gpg.conf which are more
+#       flexible and better integrated into the configuration system.
+#
+# Empty lines and comment lines, indicated by a hash mark as first non
+# white space character, are ignored.  The line is separated by white
+# space into fields. The first field is used to match the user or
+# group and must start at the first column, the file is processed
+# sequential until a matching rule is found.  A rule may contain
+# several lines; continuation lines are indicated by a indenting them.
+#
+# Syntax of a line:
+# <key>|WS  <component> <option> ["["<flag>"]"] [<value>]
+#
+# Examples for the <key> field:
+#   foo         - Matches the user "foo".
+#   foo:        - Matches the user "foo".
+#   foo:staff   - Matches the user "foo" or the group "staff".
+#   :staff      - Matches the group "staff".
+#   *           - Matches any user.
+# All other variants are not defined and reserved for future use.
+#
+# <component> and <option> are as specified by gpgconf.
+# <flag> may be one of:
+#   default     - Delete the option so that the default is used.
+#   no-change   - Mark the field as non changeable by gpgconf.
+#   change      - Mark the field as changeable by gpgconf.
+#
+# Example file:
+#==========
+# :staff  gpg-agent min-passphrase-len 6 [change]
+#
+# *       gpg-agent min-passphrase-len [no-change] 8
+#         gpg-agent min-passphrase-nonalpha [no-change] 1
+#         gpg-agent max-passphrase-days [no-change] 700
+#         gpg-agent enable-passphrase-history [no-change]
+#         gpg-agent enforce-passphrase-constraints [default]
+#         gpg-agent enforce-passphrase-constraints [no-change]
+#         gpg-agent max-cache-ttl [no-change] 10800
+#         gpg-agent max-cache-ttl-ssh [no-change] 10800
+#         gpgsm     enable-ocsp
+#         gpg       compliance [no-change]
+#         gpgsm     compliance [no-change]
+#===========
+# All users in the group "staff" are allowed to change the value for
+# --allow-mark-trusted; gpgconf's default is not to allow a change
+# through its interface.  When "gpgconf --apply-defaults" is used,
+# "allow-mark-trusted" will get enabled and "min-passphrase-len" set
+# to 6.  All other users are not allowed to change
+# "min-passphrase-len" and "allow-mark-trusted".  When "gpgconf
+# --apply-defaults" is used for them, "min-passphrase-len" is set to
+# 8, "allow-mark-trusted" deleted from the config file and
+# "enable-ocsp" is put into the config file of gpgsm.  The latter may
+# be changed by any user.
+#-------------------------------------------------------------------
diff --git a/doc/examples/gpgconf.rnames b/doc/examples/gpgconf.rnames
new file mode 100644
index 0000000..0e83732
--- /dev/null
+++ b/doc/examples/gpgconf.rnames
@@ -0,0 +1,12 @@
+# gpgconf-rnames.lst
+# Additional registry settings to be shown by "gpgconf -X".
+#
+# Example: HKCU\Software\GNU\GnuPG:FooBar
+#
+#  HKCU := The class.  Other supported classes are HKLM, HKCR, HKU,
+#          and HKCC.  If no class is given and the string thus starts
+#          with a backslash HKCU with a fallback to HKLM is used.
+#  Software\GNU\GnuPG := The actual key.
+#  FooBar := The name of the item.  if a name is not given the default
+#            value is used.
+#
diff --git a/doc/examples/pwpattern.list b/doc/examples/pwpattern.list
new file mode 100644
index 0000000..251c2d4
--- /dev/null
+++ b/doc/examples/pwpattern.list
@@ -0,0 +1,48 @@
+# pwpattern.list                                   -*- default-generic -*-
+#
+# This is an example for a pattern file as used by gpg-check-pattern.
+# The file is line based with comment lines beginning on the *first*
+# position with a '#'.  Empty lines and lines with just spaces are
+# ignored.  The other lines may be verbatim patterns and match as they
+# are (trailing spaces are ignored) or extended regular expressions
+# indicated by a / in the first column and terminated by another / or
+# end of line.  All comparisons are case insensitive.
+ 
+# Reject the usual metavariables.  Usual not required because
+# gpg-agent can be used to reject all passphrases shorter than 8
+# charactes.
+foo
+bar
+baz
+
+# As well as very common passwords.  Note that gpg-agent can be used
+# to reject them due to missing non-alpha characters.
+password
+passwort
+passphrase
+mantra
+test
+abc
+egal
+
+# German number plates.
+/^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/
+
+# Dates (very limited, only ISO dates). */
+/^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/
+
+# Arbitrary strings
+the quick brown fox jumps over the lazy dogs back
+no-password
+no password
+
+12345678
+123456789
+1234567890
+87654321
+987654321
+0987654321
+qwertyuiop
+qwertzuiop
+asdfghjkl
+zxcvbnm
diff --git a/doc/examples/scd-event b/doc/examples/scd-event
new file mode 100755
index 0000000..938465f
--- /dev/null
+++ b/doc/examples/scd-event
@@ -0,0 +1,102 @@
+#!/bin/sh
+# Sample script for scdaemon event mechanism.
+
+#exec >>/tmp/scd-event.log
+
+PGM=scd-event
+
+reader_port=
+old_code=0x0000
+new_code=0x0000
+status=
+
+tick='`'
+prev=
+while [ $# -gt 0 ]; do
+  arg="$1"
+  case $arg in
+      -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//')
+            ;;
+         *) optarg=
+            ;;
+  esac
+  if [ -n "$prev" ]; then
+    eval "$prev=\$arg"
+    prev=
+    shift
+    continue
+  fi
+  case $arg in
+      --help|-h)
+          cat <<EOF
+Usage: $PGM [options]
+$PGM is called by scdaemon on card reader status changes
+
+Options:
+  --reader-port N        Reports change for port N
+  --old-code 0xNNNN      Previous status code
+  --old-code 0xNNNN      Current status code
+  --status USABLE|ACTIVE|PRESENT|NOCARD 
+                         Human readable status code
+
+Environment:
+
+GNUPGHOME=DIR            Set to the active homedir
+
+EOF
+          exit 0
+          ;;
+    
+      --reader-port)  
+          prev=reader_port
+          ;;
+      --reader-port=*)
+          reader_port="$optarg"
+          ;;
+      --old-code)  
+          prev=old_code
+          ;;
+      --old-code=*)
+          old_code="$optarg"
+          ;;
+      --new-code)  
+          prev=new_code
+          ;;
+      --new-code=*)
+          new_code="$optarg"
+          ;;
+      --status)  
+          prev=status
+          ;;
+      --new-code=*)
+          status="$optarg"
+          ;;
+
+      -*)
+          echo "$PGM: invalid option $tick$arg'" >&2
+          exit 1
+          ;;
+
+      *)
+          break
+          ;;
+  esac
+  shift
+done
+if [ -n "$prev" ]; then
+  echo "$PGM: argument missing for option $tick$prev'" >&2
+  exit 1
+fi
+
+cat <<EOF
+========================
+port:     $reader_port
+old-code: $old_code
+new-code: $new_code
+status:   $status
+EOF
+
+if [ x$status = xUSABLE ]; then
+    gpg --batch --card-status 2>&1
+fi
+
diff --git a/doc/examples/systemd-user/README b/doc/examples/systemd-user/README
new file mode 100644
index 0000000..43122f5
--- /dev/null
+++ b/doc/examples/systemd-user/README
@@ -0,0 +1,66 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout.  This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+    systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+    systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them.  For example, to enable socket-activated dirmngr for
+all future sessions:
+
+    systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly.  For example, to set up socket-activated dirmgnr
+in the current session:
+
+    gpgconf --kill dirmngr
+    systemctl --user start dirmngr.socket
diff --git a/doc/examples/systemd-user/dirmngr.service b/doc/examples/systemd-user/dirmngr.service
new file mode 100644
index 0000000..3c060cd
--- /dev/null
+++ b/doc/examples/systemd-user/dirmngr.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git a/doc/examples/systemd-user/dirmngr.socket b/doc/examples/systemd-user/dirmngr.socket
new file mode 100644
index 0000000..ebabf89
--- /dev/null
+++ b/doc/examples/systemd-user/dirmngr.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-browser.socket b/doc/examples/systemd-user/gpg-agent-browser.socket
new file mode 100644
index 0000000..bc8d344
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-extra.socket b/doc/examples/systemd-user/gpg-agent-extra.socket
new file mode 100644
index 0000000..5b87d09
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-ssh.socket b/doc/examples/systemd-user/gpg-agent-ssh.socket
new file mode 100644
index 0000000..798c1d9
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent.service b/doc/examples/systemd-user/gpg-agent.service
new file mode 100644
index 0000000..a050fcc
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git a/doc/examples/systemd-user/gpg-agent.socket b/doc/examples/systemd-user/gpg-agent.socket
new file mode 100644
index 0000000..4257c2c
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/trustlist.txt b/doc/examples/trustlist.txt
new file mode 100644
index 0000000..4d57242
--- /dev/null
+++ b/doc/examples/trustlist.txt
@@ -0,0 +1,66 @@
+# This is the global list of trusted keys.  Comment lines, like this
+# one, as well as empty lines are ignored.  Lines have a length limit
+# but this is not serious limitation as the format of the entries is
+# fixed and checked by gpg-agent.  A non-comment line starts with
+# optional white space, followed by the SHA-1 fingerpint in hex,
+# optionally followed by a flag character which my either be 'P', 'S'
+# or '*'.  This file will be read by gpg-agent if no local trustlist
+# is available or if the statement "include-default" is used in the
+# local list. You should give the gpg-agent(s) a HUP after editing
+# this file.
+
+
+#Serial number: 32D18D
+#       Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+#               fÈur Telekommunikation und Post/C=DE
+EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60  S
+
+#Serial number: 00C48C8D
+#       Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+#               fÈur Telekommunikation und Post/C=DE
+DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B  S
+
+#Serial number: 01
+#       Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für
+#               Telekommunikation und Post/C=DE
+42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5  S
+
+#Serial number: 02
+#       Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
+#               Telekommunikation und Post/C=DE
+75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24  S
+
+#Serial number: 2A
+#       Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
+31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD  S
+
+#Serial number: 2D
+#       Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
+A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D  S
+
+#          S/N: 0139
+#       Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE
+44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0  de
+
+#          S/N: 013C
+#       Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE
+AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A  de
+
+
+#          S/N: 00B3963E0E6C2D65125853E970665402E5
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA  S
+
+#          S/N: 00C4216083F35C54F67B09A80C3C55FE7D
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B  S
+
+
+#Serial number: 00
+#       Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.
+#               cacert.org/O=Root CA/EMail=support@cacert.org
+13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33  S
+
+