1
2 GnuPG - The GNU Privacy Guard
3 -------------------------------
4 Version 1.4.23
5
6 Copyright 1998-2018 Free Software Foundation, Inc.
7 Copyright 1997-2018 Werner Koch
8
9 This file is free software; as a special exception the author
10 gives unlimited permission to copy and/or distribute it, with or
11 without modifications, as long as this notice is preserved.
12
13 This file is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY, to the extent permitted by law; without even
15 the implied warranty of MERCHANTABILITY or FITNESS FOR A
16 PARTICULAR PURPOSE.
17
18 Warning
19 -------
20
21 This version is from a legacy branch of GnuPG. We provide this
22 version only for two purposes:
23
24 - To decrypt and verify old messages created using PGP-2 keys.
25 Due to security problems with PGP-2 keys, these keys are not
26 anymore supported by the current stable GnuPG versions.
27
28 - For ancient pre-POSIX platforms which are not capable of
29 building the modern GnuPG-2.
30
31 Although there are no plans to stop basic maintenance of the 1.4
32 branch, it will not see any updates except for severe security
33 problems. Side-channel attacks and the like won't be fixed in
34 this branch. It is strongly suggested to migrate to the current
35 stable GnuPG version and - if at all needed - use the 1.4 version
36 only for the above listed purposes.
37
38
39 Intro
40 -----
41
42 GnuPG is GNU's tool for secure communication and data storage.
43 It can be used to encrypt data and to create digital signatures.
44 It includes an advanced key management facility and is compliant
45 with the proposed OpenPGP Internet standard as described in RFC4880.
46
47 GnuPG works best on GNU/Linux or *BSD systems. Most other Unices
48 are also supported but are not as well tested as the Free Unices.
49 See https://gnupg.org/download/supported_systems.html for a
50 list of systems which are known to work.
51
52 GnuPG is distributed under the terms of the GNU General Public
53 License. See the files AUTHORS and COPYING for copyright and
54 warranty information.
55
56 Because GnuPG does not use any patented algorithms it used not to
57 be fully compatible with PGP 2. Now, that the patent on the IDEA
58 cipher algorithm has expired, we support that algorithm and thus
59 provide full compatibility with PGP 2. This allows the decryption
60 of data once encrypted using PGP 2.
61
62 The default public key algorithm is RSA, but DSA and Elgamal are
63 also supported. Symmetric algorithms available are AES (with 128,
64 192, and 256 bit keys), 3DES, Blowfish, CAST5 and Twofish. Digest
65 algorithms available are MD5, RIPEMD/160, SHA-1, SHA-256, SHA-384,
66 and SHA-512. Compression algorithms available are ZIP, ZLIB, and
67 BZIP2 (with libbz2 installed).
68
69
70 Installation
71 ------------
72
73 Please read the file INSTALL and the sections in this file
74 related to the installation. Here is a quick summary:
75
76 1) Check that you have unmodified sources. See below on how to do
77 this. Don't skip it - this is an important step!
78
79 2) Unpack the tarball. With GNU tar you can do it this way:
80 "tar xzvf gnupg-x.y.z.tar.gz". If you got a bzip2 compressed
81 tarball you need to use: "tar xjvf gnupg-x.y.z.tar.bz2".
82
83 3) "cd gnupg-x.y.z"
84
85 4) "./configure"
86
87 5) "make"
88
89 6) "make install"
90
91 7) You end up with a "gpg" binary in /usr/local/bin.
92
93 8) To avoid swapping out of sensitive data, you may need to
94 install "gpg" setuid root. If you don't do so, you may want to
95 add the option "no-secmem-warning" to ~/.gnupg/gpg.conf. Note
96 that on modern GNU/Linux systems swapping protection does not
97 anymore require GPG to be installed setuid root.
98
99
100 How to Verify the Source
101 ------------------------
102
103 In order to check that the version of GnuPG which you are going to
104 install is an original and unmodified one, you can do it in one of
105 the following ways:
106
107 a) If you already have a trusted Version of GnuPG installed, you
108 can simply check the supplied signature:
109
110 $ gpg --verify gnupg-x.y.z.tar.gz.sig
111
112 This checks that the detached signature gnupg-x.y.z.tar.gz.sig
113 is indeed a signature of gnupg-x.y.z.tar.gz. The key currently
114 used to create this signature is:
115
116 "pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
117 "uid Werner Koch (dist sig)
118
119 If you do not have this key, you can get it from the source in
120 the file doc/samplekeys.asc (use "gpg --import doc/samplekeys.asc"
121 to add it to the keyring) or from any keyserver. You have to
122 make sure that this is really the key and not a faked one. You
123 can do this by comparing the output of:
124
125 $ gpg --fingerprint 0x4F25E3B6
126
127 with the fingerprint published elsewhere.
128
129 Please note, that you have to use an old version of GnuPG to
130 do all this stuff. *Never* use the version which you are going
131 to check!
132
133
134 b) If you don't have any of the above programs, you have to verify
135 the SHA1 checksum:
136
137 $ sha1sum gnupg-x.y.z.tar.gz
138
139 This should yield an output _similar_ to this:
140
141 fd9351b26b3189c1d577f0970f9dcadc1234abcd gnupg-x.y.z.tar.gz
142
143 Now check that this checksum is _exactly_ the same as the one
144 published via the announcement list and probably via Usenet.
145
146
147 Documentation
148 -------------
149
150 The manual will be distributed separately under the name "gph".
151 An online version of the latest manual draft is available at the
152 GnuPG web pages:
153
154 https://gnupg.org/documentation/
155
156 A list of frequently asked questions is available in the GnuPG
157 distribution in the file doc/FAQ and online as:
158
159 https://gnupg.org/documentation/faqs.html
160
161 A couple of HOWTO documents are available online; for a listing see:
162
163 https://gnupg.org/documentation/howtos.html
164
165 A man page with a description of all commands and options gets installed
166 along with the program.
167
168
169 Introduction
170 ------------
171
172 Here is a brief overview on how to use GnuPG - it is strongly suggested
173 that you read the manual and other information about the use of
174 cryptography. GnuPG is only a tool, secure usage requires that
175 YOU KNOW WHAT YOU ARE DOING.
176
177 The first time you run gpg, it will create a .gnupg directory in
178 your home directory and populate it with a default configuration
179 file. Once this is done, you may create a new key, or if you
180 already have keyrings from PGP, you can import them into GnuPG
181 with:
182
183 gpg --import path/to/pgp/keyring/pubring.pkr
184 and
185 gpg --import path/to/pgp/keyring/secring.skr
186
187 The normal way to create a key is
188
189 gpg --gen-key
190
191 This asks some questions and then starts key generation. To create
192 good random numbers for the key parameters, GnuPG needs to gather
193 enough noise (entropy) from your system. If you see no progress
194 during key generation you should start some other activities such
195 as moving the mouse or hitting the CTRL and SHIFT keys.
196
197 Generate a key ONLY on a machine where you have direct physical
198 access - don't do it over the network or on a machine also used
199 by others, especially if you have no access to the root account.
200
201 When you are asked for a passphrase use a good one which you can
202 easily remember. Don't make the passphrase too long because you
203 have to type it for every decryption or signing; but, - AND THIS
204 IS VERY IMPORTANT - use a good one that is not easily to guess
205 because the security of the whole system relies on your secret key
206 and the passphrase that protects it when someone gains access to
207 your secret keyring. One good way to select a passphrase is to
208 figure out a short nonsense sentence which makes some sense for
209 you and modify it by inserting extra spaces, non-letters and
210 changing the case of some characters - this is really easy to
211 remember especially if you associate some pictures with it.
212
213 Next, you should create a revocation certificate in case someone
214 gets knowledge of your secret key or you forgot your passphrase
215
216 gpg --gen-revoke your_user_id
217
218 Run this command and store the revocation certificate away. The output
219 is always ASCII armored, so that you can print it and (hopefully
220 never) re-create it if your electronic media fails.
221
222 Now you can use your key to create digital signatures
223
224 gpg -s file
225
226 This creates a file "file.gpg" which is compressed and has a
227 signature attached.
228
229 gpg -sa file
230
231 Same as above, but creates a file "file.asc" which is ASCII armored
232 and and ready for sending by mail. It is better to use your
233 mailers features to create signatures (The mailer uses GnuPG to do
234 this) because the mailer has the ability to MIME encode such
235 signatures - but this is not a security issue.
236
237 gpg -s -o out file
238
239 Creates a signature of "file", but writes the output to the file
240 "out".
241
242 Everyone who knows your public key (you can and should publish
243 your key by putting it on a key server, a web page or in your .plan
244 file) is now able to check whether you really signed this text
245
246 gpg --verify file
247
248 GnuPG now checks whether the signature is valid and prints an
249 appropriate message. If the signature is good, you know at least
250 that the person (or machine) has access to the secret key which
251 corresponds to the published public key.
252
253 If you run gpg without an option it will verify the signature and
254 create a new file that is identical to the original. gpg can also
255 run as a filter, so that you can pipe data to verify trough it
256
257 cat signed-file | gpg | wc -l
258
259 which will check the signature of signed-file and then display the
260 number of lines in the original file.
261
262 To send a message encrypted to someone you can use
263
264 gpg -e -r heine file
265
266 This encrypts "file" with the public key of the user "heine" and
267 writes it to "file.gpg"
268
269 echo "hello" | gpg -ea -r heine | mail heine
270
271 Ditto, but encrypts "hello\n" and mails it as ASCII armored message
272 to the user with the mail address heine.
273
274 gpg -se -r heine file
275
276 This encrypts "file" with the public key of "heine" and writes it
277 to "file.gpg" after signing it with your user id.
278
279 gpg -se -r heine -u Suttner file
280
281 Ditto, but sign the file with your alternative user id "Suttner"
282
283
284 GnuPG has some options to help you publish public keys. This is
285 called "exporting" a key, thus
286
287 gpg --export >all-my-keys
288
289 exports all the keys in the keyring and writes them (in a binary
290 format) to "all-my-keys". You may then mail "all-my-keys" as an
291 MIME attachment to someone else or put it on an FTP server. To
292 export only some user IDs, you give them as arguments on the command
293 line.
294
295 To mail a public key or put it on a web page you have to create
296 the key in ASCII armored format
297
298 gpg --export --armor | mail panther@tiger.int
299
300 This will send all your public keys to your friend panther.
301
302 If you have received a key from someone else you can put it
303 into your public keyring. This is called "importing"
304
305 gpg --import [filenames]
306
307 New keys are appended to your keyring and already existing
308 keys are updated. Note that GnuPG does not import keys that
309 are not self-signed.
310
311 Because anyone can claim that a public key belongs to her
312 we must have some way to check that a public key really belongs
313 to the owner. This can be achieved by comparing the key during
314 a phone call. Sure, it is not very easy to compare a binary file
315 by reading the complete hex dump of the file - GnuPG (and nearly
316 every other program used for management of cryptographic keys)
317 provides other solutions.
318
319 gpg --fingerprint <username>
320
321 prints the so called "fingerprint" of the given username which
322 is a sequence of hex bytes (which you may have noticed in mail
323 sigs or on business cards) that uniquely identifies the public
324 key - different keys will always have different fingerprints.
325 It is easy to compare fingerprints by phone and I suggest
326 that you print your fingerprint on the back of your business
327 card. To see the fingerprints of the secondary keys, you can
328 give the command twice; but this is normally not needed.
329
330 NEVER use the keyid to verify a key - always use the complete
331 fingerprint. The keyid is just a convenience handle to identify a
332 key by a short semi-unique name which is trivial to spoof. You
333 may want to put the line "keyid-format long" into your gpg.conf to
334 tell gpg to print the long keyid (which is still spoof-able).
335
336 If you don't know the owner of the public key you are in trouble.
337 Suppose however that friend of yours knows someone who knows someone
338 who has met the owner of the public key at some computer conference.
339 Suppose that all the people between you and the public key holder
340 may now act as introducers to you. Introducers signing keys thereby
341 certify that they know the owner of the keys they sign. If you then
342 trust all the introducers to have correctly signed other keys, you
343 can be be sure that the other key really belongs to the one who
344 claims to own it.
345
346 There are 2 steps to validate a key:
347
348 1. First check that there is a complete chain
349 of signed keys from the public key you want to use
350 and your key and verify each signature.
351 2. Make sure that you have full trust in the certificates
352 of all the introduces between the public key holder and
353 you.
354
355 Step 2 is the more complicated part because there is no easy way
356 for a computer to decide who is trustworthy and who is not. GnuPG
357 leaves this decision to you and will ask you for a trust value
358 (here also referenced as the owner-trust of a key) for every key
359 needed to check the chain of certificates. You may choose from:
360
361 a) "I don't know" - then it is not possible to use any
362 of the chains of certificates, in which this key is used
363 as an introducer, to validate the target key. Use this if
364 you don't know the introducer.
365 b) "I do not trust" - Use this if you know that the introducer
366 does not do a good job in certifying other keys. The effect
367 is the same as with a) but for a) you may later want to
368 change the value because you got new information about this
369 introducer.
370 c) "I trust marginally" - Use this if you assume that the
371 introducer knows what he is doing. Together with some
372 other marginally trusted keys, GnuPG validates the target
373 key then as good.
374 d) "I fully trust" - Use this if you really know that this
375 introducer does a good job when certifying other keys.
376 If all the introducer are of this trust value, GnuPG
377 normally needs only one chain of signatures to validate
378 a target key okay. (But this may be adjusted with the help
379 of some options).
380
381 This information is confidential because it gives your personal
382 opinion on the trustworthiness of someone else. Therefore this data
383 is not stored in the keyring but in the "trustdb"
384 (~/.gnupg/trustdb.gpg). Do not assign a high trust value just
385 because the introducer is a friend of yours - decide how well she
386 understands the implications of key signatures and you may want to
387 tell her more about public key cryptography so you can later change
388 the trust value you assigned.
389
390 Okay, here is how GnuPG helps you with key management. Most stuff
391 is done with the --edit-key command
392
393 gpg --edit-key <keyid or username>
394
395 GnuPG displays some information about the key and then prompts
396 for a command (enter "help" to see a list of commands and see
397 the man page for a more detailed explanation). To sign a key
398 you select the user ID you want to sign by entering the number
399 that is displayed in the leftmost column (or do nothing if the
400 key has only one user ID) and then enter the command "sign" and
401 follow all the prompts. When you are ready, give the command
402 "save" (or use "quit" to cancel your actions).
403
404 If you want to sign the key with another of your user IDs, you
405 must give an "-u" option on the command line together with the
406 "--edit-key".
407
408 Normally you want to sign only one user ID because GnuPG
409 uses only one and this keeps the public key certificate
410 small. Because such key signatures are very important you
411 should make sure that the signatories of your key sign a user ID
412 which is very likely to stay for a long time - choose one with an
413 email address you have full control of or do not enter an email
414 address at all. In future GnuPG will have a way to tell which
415 user ID is the one with an email address you prefer - because
416 you have no signatures on this email address it is easy to change
417 this address. Remember, your signatories sign your public key (the
418 primary one) together with one of your user IDs - so it is not possible
419 to change the user ID later without voiding all the signatures.
420
421 Tip: If you hear about a key signing party on a computer conference
422 join it because this is a very convenient way to get your key
423 certified (But remember that signatures have nothing to to with the
424 trust you assign to a key).
425
426
427 8 Ways to Specify a User ID
428 ---------=-----------------
429
430 There are several ways to specify a user ID, here are some examples.
431
432 * By a fingerprint:
433
434 "1234343434343434C434343434343434"
435 "123434343434343C3434343434343734349A3434"
436 "0E12343434343434343434EAB3484343434343434"
437
438 The first one is a short fingerprint for PGP 2.x style keys.
439 The others are long fingerprints for OpenPGP keys.
440
441 * By a complete keyid (prepend a zero if it begins with A..F):
442
443 "234AABBCC34567C4"
444 "0F323456784E56EAB"
445 "01AB3FED1347A5612"
446 "0x234AABBCC34567C4"
447
448 * By the short keyid:
449
450 "234567C4"
451 "0F34E556E"
452 "01347A56A"
453 "0xAB123456
454
455 * By an exact string:
456
457 "=Heinrich Heine <heinrichh@uni-duesseldorf.de>"
458
459 * By an email address:
460
461 "<heinrichh@uni-duesseldorf.de>"
462
463 * Or by the usual substring:
464
465 "Heine"
466 "*Heine"
467
468 The '*' indicates substring search explicitly.
469
470
471 Batch mode
472 ----------
473
474 If you use the option "--batch", GnuPG runs in non-interactive mode and
475 never prompts for input data. This does not even allow entering the
476 passphrase. Until we have a better solution (something like ssh-agent),
477 you can use the option "--passphrase-fd n", which works like PGP's
478 PGPPASSFD.
479
480 Batch mode also causes GnuPG to terminate as soon as a BAD signature is
481 detected.
482
483
484 Exit status
485 -----------
486
487 GnuPG returns with an exit status of 1 if in batch mode and a bad signature
488 has been detected or 2 or higher for all other errors. You should parse
489 stderr or, better, the output of the fd specified with --status-fd to get
490 detailed information about the errors.
491
492
493 Configure options
494 -----------------
495
496 Here is a list of configure options which are sometime useful
497 for installation.
498
499 --enable-static-rnd=<name>
500 Force the use of the random byte gathering
501 module <name>. Default is either to use /dev/random
502 or the auto mode. Value for name:
503 egd - Use the module which accesses the
504 Entropy Gathering Daemon. See the webpages
505 for more information about it.
506 unix - Use the standard Unix module which does not
507 have a very good performance.
508 linux - Use the module which accesses /dev/random.
509 This is the first choice and the default one
510 for GNU/Linux or *BSD.
511 auto - Compile linux, egd and unix in and
512 automagically select at runtime.
513
514 --with-egd-socket=<name>
515 This is only used when EGD is used as random
516 gatherer. GnuPG uses by default "~/.gnupg/entropy"
517 as the socket to connect EGD. Using this option the
518 socket name can be changed. You may use any filename
519 here with 2 exceptions: a filename starting with
520 "~/" uses the socket in the home directory of the user
521 and one starting with a "=" uses a socket in the
522 GnuPG home directory which is "~/.gnupg" by default.
523
524 --without-readline
525 Do not include support for the readline library
526 even if it is available. The default is to check
527 whether the readline library is a available and
528 use it to allow fancy command line editing.
529
530 --with-included-zlib
531 Forces usage of the local zlib sources. Default is
532 to use the (shared) library of the system.
533
534 --with-zlib=<DIR>
535 Look for the system zlib in DIR.
536
537 --with-bzip2=<DIR>
538 Look for the system libbz2 in DIR.
539
540 --without-bzip2
541 Disable the BZIP2 compression algorithm.
542
543 --with-included-gettext
544 Forces usage of the local gettext sources instead of
545 the one provided by your system.
546
547 --disable-nls
548 Disable NLS support (See the file ABOUT-NLS)
549
550 --enable-m-guard
551 Enable the integrated malloc checking code. Please
552 note that this feature does not work on all CPUs
553 (e.g. SunOS 5.7 on UltraSparc-2) and might give
554 you a bus error.
555
556 --disable-dynload
557 If you have problems with dynamic loading, this
558 option disables all dynamic loading stuff. Note
559 that the use of dynamic linking is very limited.
560
561 --disable-asm
562 Do not use assembler modules. It is not possible
563 to use this on some CPU types.
564
565 --disable-exec
566 Disable all remote program execution. This
567 disables photo ID viewing as well as all keyserver
568 access.
569
570 --disable-photo-viewers
571 Disable only photo ID viewing.
572
573 --disable-keyserver-helpers
574 Disable only keyserver helpers.
575
576 --disable-keyserver-path
577 Disables the user's ability to use the exec-path
578 feature to add additional search directories when
579 executing a keyserver helper.
580
581 --with-photo-viewer=FIXED_VIEWER
582 Force the photo viewer to be FIXED_VIEWER and
583 disable any ability for the user to change it in
584 their options file.
585
586 --disable-rsa
587 Removes support for the RSA public key algorithm.
588 This can give a smaller gpg binary for places
589 where space is tight.
590
591 --disable-idea
592 --disable-cast5
593 --disable-blowfish
594 --disable-aes
595 --disable-twofish
596 --disable-sha256
597 --disable-sha512
598 Removes support for the selected symmetric or hash
599 algorithm. This can give a smaller gpg binary for
600 places where space is tight.
601
602 **** Note that if there are existing keys that
603 have one of these algorithms as a preference,
604 messages may be received that use one of these
605 algorithms and you will not be able to decrypt the
606 message! ****
607
608 The public key preference list can be updated to
609 match the list of available algorithms by using
610 "gpg --edit-key (thekey)", and running the
611 "setpref" command.
612
613 --enable-minimal
614 Build the smallest gpg binary possible (disables
615 all optional algorithms, disables keyserver
616 access, and disables photo IDs). Specifically,
617 this means --disable-rsa --disable-idea,
618 --disable-cast5, --disable-blowfish,
619 --disable-aes, --disable-twofish,
620 --disable-sha256, --disable-sha512,
621 --without-bzip2, --disable-exec,
622 --disable-card-support and
623 --disable-agent-support.
624 Configure command lines are read from left to
625 right, so if you want to have an "almost minimal"
626 configuration, you can do (for example)
627 "--enable-minimal --enable-rsa" to have RSA added
628 to the minimal build. Adding the option
629 --disable-nls may be useful too.
630
631 --enable-key-cache=SIZE
632 Set the internal key and UID cache size. This has
633 a significant impact on performance with large
634 keyrings. The default is 4096, but for use on
635 platforms where memory is an issue, it can be set
636 as low as 5.
637
638 --disable-card-support
639 Do not include smartcard support. The default is
640 to include support if all required libraries are
641 available.
642
643 --disable-agent-support
644 Do not include support for the gpg-agent. The
645 default is to include support.
646
647 --enable-selinux-support
648 This prevents access to certain files and won't
649 allow import or export of secret keys.
650
651 --enable-noexecstack
652 Pass option --noexecstack to as. Autodetect wether
653 the tool chain actually support this.
654
655 --disable-gnupg-iconv
656 If iconv is available it is used to convert
657 between utf-8 and the system character set. This
658 is in general the preferable solution. However
659 the code is new and under some cirumstances it may
660 give different output than with the limited old
661 support. This option explicitly disables
662 the use of iconv. Note, that iconv is also
663 disabled if gettext has been disabled.
664
665
666 Installation Problems
667 ---------------------
668
669 If you get unresolved externals "gettext" you should run configure
670 again with the option "--with-included-gettext"; this is version
671 0.12.1 which is available at ftp.gnu.org.
672
673 If you have other compile problems, try the configure options
674 "--with-included-zlib" or "--disable-nls" (See ABOUT-NLS) or
675 --disable-dynload.
676
677 We can't check all assembler files, so if you have problems
678 assembling them (or the program crashes) use --disable-asm with
679 ./configure. If you opt to delete individual replacement files in
680 hopes of using the remaining ones, be aware that the configure
681 scripts may consider several subdirectories to get all available
682 assembler files; be sure to delete the correct ones. The assembler
683 replacements are in C and in mpi/generic; never delete
684 udiv-qrnnd.S in any CPU directory, because there may be no C
685 substitute. Don't forget to delete "config.cache" and run
686 "./config.status --recheck". We have also heard reports of
687 problems when using versions of gcc earlier than 2.96 along with a
688 non-GNU assembler (as). If this applies to your platform, you can
689 either upgrade gcc to a more recent version, or use the GNU
690 assembler.
691
692 Some make tools are broken - the best solution is to use GNU's
693 make. Try gmake or grab the sources from a GNU archive and
694 install them.
695
696 On some OSF systems you may get unresolved externals. This is a
697 libtool problem and the workaround is to manually remove all the
698 "-lc -lz" but the last one from the linker line and execute them
699 manually.
700
701 On some architectures you see warnings like:
702 longlong.h:175: warning: function declaration isn't a prototype
703 or
704 http.c:647: warning: cast increases required alignment of target type
705 This doesn't matter and we know about it (actually it is due to
706 some warning options which we have enabled for gcc)
707
708 If you are cross-compiling and you get an error either building a
709 tool called "yat2m" or running that tool, the problem is most
710 likely a bad or missing native compiler. We require a standard
711 C-89 compiler to produce an executable to be run on the build
712 platform. You can explicitly set such a compiler with configure
713 arguments. On HP/UX you might want to try: "CC_FOR_BUILD=c89".
714
715
716
717 Specific problems on some machines
718 ----------------------------------
719
720 * Apple Darwin 6.1:
721
722 ./configure --with-libiconv-prefix=/sw
723
724 * IBM RS/6000 running AIX:
725
726 Due to a change in gcc (since version 2.8) the MPI stuff may
727 not build. In this case try to run configure using:
728 CFLAGS="-g -O2 -mcpu=powerpc" ./configure
729
730 * SVR4.2 (ESIX V4.2 cc)
731
732 Due to problems with the ESIX as, you probably want to do
733 CFLAGS="-O -K pentium" ./configure --disable-asm
734
735 * SunOS 4.1.4
736
737 ./configure ac_cv_sys_symbol_underscore=yes
738
739
740 The Random Device
741 -----------------
742
743 Random devices are available in Linux, FreeBSD and OpenBSD.
744 Operating systems without a random devices must use another
745 entropy collector.
746
747 This collector works by running a lot of commands that yield more
748 or less unpredictable output and feds this as entropy into the
749 random generator - It should work reliably but you should check
750 whether it produces good output for your version of Unix. There
751 are some debug options to help you (see cipher/rndunix.c).
752
753
754 Creating an RPM package
755 -----------------------
756
757 The file scripts/gnupg.spec is used to build a RPM package (both
758 binary and src):
759 1. copy the spec file into /usr/src/redhat/SPECS
760 2. copy the tar file into /usr/src/redhat/SOURCES
761 3. type: rpm -ba SPECS/gnupg.spec
762
763 Or use the -t (--tarbuild) option of rpm:
764 1. rpm -ta gnupg-x.x.x.tar.gz
765
766 The binary rpm file can now be found in /usr/src/redhat/RPMS, source
767 rpm in /usr/src/redhat/SRPMS
768
769
770 Building Universal Binaries on Apple OS X
771 -----------------------------------------
772
773 You can build a universal ("fat") binary that will work on both
774 PPC and Intel Macs with something like:
775
776 ./configure CFLAGS="-arch ppc -arch i386" --disable-endian-check \
777 --disable-dependency-tracking --disable-asm
778
779 If you are doing the build on a OS X 10.4 (Tiger) PPC machine you
780 may need to add "-isysroot /Developer/SDKs/MacOSX10.4u.sdk" to
781 those CFLAGS. This additional isysroot is not necessary on Intel
782 Tiger boxes, or any OS X 10.5 (Leopard) or later boxes.
783
784 Note that when building a universal binary, any third-party
785 libraries you may link with need to be universal as well. All
786 Apple-supplied libraries (even libraries not originally written by
787 Apple like curl, zip, and BZ2) are universal.
788
789
790 GnuPG 1.4 and GnuPG 2.x
791 -----------------------
792
793 GnuPG 2.x is a newer version of GnuPG with additional support for
794 S/MIME. It has a different design philosophy that splits
795 functionality up into several modules. Both versions may be
796 installed simultaneously without any conflict (gpg is usually
797 installed under the name gpg2 in GnuPG-2). In fact, the GPG
798 version from GnuPG 1.4 is able to make use of the gpg-agent as
799 included in GnuPG-2 and allows for seamless passphrase caching.
800 The advantage of GnuPG 1.4 is its somewhat smaller size and no
801 dependency on other modules at run and build time. The drawback
802 of 1.4 is its much older code base and that only minimal
803 maintainance is done. It is highly suggested to switch to 2.x
804 unless your system is not supported by 2.x.
805
806
807 How to Get More Information
808 ---------------------------
809
810 The primary WWW page is https://gnupg.org
811 or using TOR http://ic6au7wa3f6naxjq.onion
812
813 The primary FTP site is ftp://ftp.gnupg.org/gcrypt/
814 or https://gnupg.org/ftp/gcrypt/
815
816 See https://gnupg.org/download/mirrors.html for a list of
817 mirrors and use them if possible. You may also find GnuPG
818 mirrored on some of the regular GNU mirrors.
819
820 We have some mailing lists dedicated to GnuPG:
821
822 gnupg-announce@gnupg.org For important announcements like
823 new versions and such stuff.
824 This is a moderated list and has
825 very low traffic. Do not post to
826 this list.
827
828 gnupg-users@gnupg.org For general user discussion and
829 help (English).
830
831 gnupg-de@gnupg.org German speaking counterpart of
832 gnupg-users.
833
834 gnupg-ru@gnupg.org Russian speaking counterpart of
835 gnupg-users.
836
837 gnupg-devel@gnupg.org GnuPG developers main forum.
838
839 You subscribe to one of the list by sending mail with a subject
840 of "subscribe" to x-request@gnupg.org, where x is the name of the
841 mailing list (gnupg-announce, gnupg-users, etc.). An archive of
842 the mailing lists are available at
843 https://gnupg.org/documentation/mailing-lists.html
844
845 Please direct bug reports to https://bugs.gnupg.org or post
846 them direct to the mailing list <gnupg-devel@gnupg.org>.
847
848 Please direct questions about GnuPG to the users mailing list or
849 one of the pgp newsgroups; please do not direct questions to one
850 of the authors directly as we are busy working on improvements and
851 bug fixes. The English and German GnuPG mailing lists are watched
852 by the authors and we try to answer questions when time allows us
853 to do so.
854
855 Commercial grade support for GnuPG is available; for a listing of
856 offers see https://gnupg.org/service.html . Maintaining and
857 improving GnuPG is costly. Since 2001, g10 Code GmbH, a German
858 company owned and headed by GnuPG's principal author Werner Koch,
859 is bearing the majority of these costs. To help them carry on
860 this work, they need your support. See https://gnupg.org/donate/
861