
                    GnuPG - The GNU Privacy Guard
                   -------------------------------
                            Version 1.4.23

         Copyright 1998-2018 Free Software Foundation, Inc.
         Copyright 1997-2018 Werner Koch

    This file is free software; as a special exception the author
    gives unlimited permission to copy and/or distribute it, with or
    without modifications, as long as this notice is preserved.

    This file is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY, to the extent permitted by law; without even
    the implied warranty of MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.

    Warning
    -------

    This version is from a legacy branch of GnuPG.  We provide this
    version only for two purposes:

     - To decrypt and verify old messages created using PGP-2 keys.
       Due to security problems with PGP-2 keys, these keys are no
       longer supported by the current stable GnuPG versions.

     - For ancient pre-POSIX platforms which are not capable of
       building the modern GnuPG-2.

    Although there are no plans to stop basic maintenance of the 1.4
    branch, it will not see any updates except for severe security
    problems.  Side-channel attacks and the like won't be fixed in
    this branch.  It is strongly suggested to migrate to the current
    stable GnuPG version and - if at all needed - use the 1.4 version
    only for the above listed purposes.


    Intro
    -----

    GnuPG is GNU's tool for secure communication and data storage.
    It can be used to encrypt data and to create digital signatures.
    It includes an advanced key management facility and is compliant
    with the proposed OpenPGP Internet standard as described in RFC4880.

    GnuPG works best on GNU/Linux or *BSD systems.  Most other Unices
    are also supported but are not as well tested as the Free Unices.
    See https://gnupg.org/download/supported_systems.html for a
    list of systems which are known to work.

    GnuPG is distributed under the terms of the GNU General Public
    License.  See the files AUTHORS and COPYING for copyright and
    warranty information.

    Because GnuPG does not use any patented algorithms it used not to
    be fully compatible with PGP 2.  Now that the patent on the IDEA
    cipher algorithm has expired, we support that algorithm and thus
    provide full compatibility with PGP 2.  This allows the decryption
    of data once encrypted using PGP 2.

    The default public key algorithm is RSA, but DSA and Elgamal are
    also supported.  Symmetric algorithms available are AES (with 128,
    192, and 256 bit keys), 3DES, Blowfish, CAST5 and Twofish.  Digest
    algorithms available are MD5, RIPEMD/160, SHA-1, SHA-256, SHA-384,
    and SHA-512.  Compression algorithms available are ZIP, ZLIB, and
    BZIP2 (with libbz2 installed).


    Installation
    ------------

    Please read the file INSTALL and the sections in this file
    related to the installation.  Here is a quick summary:

    1) Check that you have unmodified sources.  See below on how to do
       this.  Don't skip it - this is an important step!

    2) Unpack the tarball.  With GNU tar you can do it this way:
       "tar xzvf gnupg-x.y.z.tar.gz".  If you got a bzip2 compressed
       tarball you need to use: "tar xjvf gnupg-x.y.z.tar.bz2".

    3) "cd gnupg-x.y.z"

    4) "./configure"

    5) "make"

    6) "make install"

    7) You end up with a "gpg" binary in /usr/local/bin.

    8) To avoid swapping out of sensitive data, you may need to
       install "gpg" setuid root.  If you don't do so, you may want to
       add the option "no-secmem-warning" to ~/.gnupg/gpg.conf.  Note
       that on modern GNU/Linux systems swapping protection no longer
       requires GPG to be installed setuid root.


    How to Verify the Source
    ------------------------

    In order to check that the version of GnuPG which you are going to
    install is an original and unmodified one, you can do it in one of
    the following ways:

    a) If you already have a trusted version of GnuPG installed, you
       can simply check the supplied signature:

        $ gpg --verify gnupg-x.y.z.tar.gz.sig

       This checks that the detached signature gnupg-x.y.z.tar.gz.sig
       is indeed a signature of gnupg-x.y.z.tar.gz.  The key currently
       used to create this signature is:

        pub  2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
        uid  Werner Koch (dist sig)

       If you do not have this key, you can get it from the source in
       the file doc/samplekeys.asc (use "gpg --import doc/samplekeys.asc"
       to add it to the keyring) or from any keyserver.  You have to
       make sure that this is really the key and not a faked one.  You
       can do this by comparing the output of:

        $ gpg --fingerprint 0x4F25E3B6

       with the fingerprint published elsewhere.

       Please note that you have to use an old version of GnuPG to
       do all this stuff.  *Never* use the version which you are going
       to check!


    b) If you don't have any of the above programs, you have to verify
       the SHA1 checksum:

        $ sha1sum gnupg-x.y.z.tar.gz

       This should yield an output _similar_ to this:

        fd9351b26b3189c1d577f0970f9dcadc1234abcd  gnupg-x.y.z.tar.gz

       Now check that this checksum is _exactly_ the same as the one
       published via the announcement list and probably via Usenet.


    Documentation
    -------------

    The manual will be distributed separately under the name "gph".
    An online version of the latest manual draft is available at the
    GnuPG web pages:

        https://gnupg.org/documentation/

    A list of frequently asked questions is available in the GnuPG
    distribution in the file doc/FAQ and online as:

        https://gnupg.org/documentation/faqs.html

    A couple of HOWTO documents are available online; for a listing see:

        https://gnupg.org/documentation/howtos.html

    A man page with a description of all commands and options gets
    installed along with the program.


    Introduction
    ------------

    Here is a brief overview on how to use GnuPG - it is strongly
    suggested that you read the manual and other information about the
    use of cryptography.  GnuPG is only a tool; secure usage requires
    that YOU KNOW WHAT YOU ARE DOING.

    The first time you run gpg, it will create a .gnupg directory in
    your home directory and populate it with a default configuration
    file.  Once this is done, you may create a new key, or if you
    already have keyrings from PGP, you can import them into GnuPG
    with:

        gpg --import path/to/pgp/keyring/pubring.pkr
    and
        gpg --import path/to/pgp/keyring/secring.skr

    The normal way to create a key is

        gpg --gen-key

    This asks some questions and then starts key generation.  To create
    good random numbers for the key parameters, GnuPG needs to gather
    enough noise (entropy) from your system.  If you see no progress
    during key generation you should start some other activities such
    as moving the mouse or hitting the CTRL and SHIFT keys.

    Generate a key ONLY on a machine where you have direct physical
    access - don't do it over the network or on a machine also used
    by others, especially if you have no access to the root account.

    When you are asked for a passphrase use a good one which you can
    easily remember.
    Don't make the passphrase too long because you
    have to type it for every decryption or signing; but, - AND THIS
    IS VERY IMPORTANT - use a good one that is not easy to guess
    because the security of the whole system relies on your secret key
    and the passphrase that protects it when someone gains access to
    your secret keyring.  One good way to select a passphrase is to
    figure out a short nonsense sentence which makes some sense for
    you and modify it by inserting extra spaces, non-letters and
    changing the case of some characters - this is really easy to
    remember especially if you associate some pictures with it.

    Next, you should create a revocation certificate in case someone
    gets knowledge of your secret key or you forget your passphrase

        gpg --gen-revoke your_user_id

    Run this command and store the revocation certificate away.  The
    output is always ASCII armored, so that you can print it and
    (hopefully never) re-create it if your electronic media fails.

    Now you can use your key to create digital signatures

        gpg -s file

    This creates a file "file.gpg" which is compressed and has a
    signature attached.

        gpg -sa file

    Same as above, but creates a file "file.asc" which is ASCII armored
    and ready for sending by mail.  It is better to use your
    mailer's features to create signatures (the mailer uses GnuPG to do
    this) because the mailer has the ability to MIME encode such
    signatures - but this is not a security issue.

        gpg -s -o out file

    Creates a signature of "file", but writes the output to the file
    "out".

    Everyone who knows your public key (you can and should publish
    your key by putting it on a key server, a web page or in your .plan
    file) is now able to check whether you really signed this text

        gpg --verify file

    GnuPG now checks whether the signature is valid and prints an
    appropriate message.  If the signature is good, you know at least
    that the person (or machine) has access to the secret key which
    corresponds to the published public key.

    If you run gpg without an option it will verify the signature and
    create a new file that is identical to the original.  gpg can also
    run as a filter, so that you can pipe data to verify through it

        cat signed-file | gpg | wc -l

    which will check the signature of signed-file and then display the
    number of lines in the original file.

    To send a message encrypted to someone you can use

        gpg -e -r heine file

    This encrypts "file" with the public key of the user "heine" and
    writes it to "file.gpg"

        echo "hello" | gpg -ea -r heine | mail heine

    Ditto, but encrypts "hello\n" and mails it as ASCII armored message
    to the user with the mail address heine.

        gpg -se -r heine file

    This encrypts "file" with the public key of "heine" and writes it
    to "file.gpg" after signing it with your user id.

        gpg -se -r heine -u Suttner file

    Ditto, but sign the file with your alternative user id "Suttner"


    GnuPG has some options to help you publish public keys.  This is
    called "exporting" a key, thus

        gpg --export >all-my-keys

    exports all the keys in the keyring and writes them (in a binary
    format) to "all-my-keys".  You may then mail "all-my-keys" as a
    MIME attachment to someone else or put it on an FTP server.  To
    export only some user IDs, you give them as arguments on the command
    line.

    To mail a public key or put it on a web page you have to create
    the key in ASCII armored format

        gpg --export --armor | mail panther@tiger.int

    This will send all your public keys to your friend panther.

    If you have received a key from someone else you can put it
    into your public keyring.  This is called "importing"

        gpg --import [filenames]

    New keys are appended to your keyring and already existing
    keys are updated.  Note that GnuPG does not import keys that
    are not self-signed.

    Because anyone can claim that a public key belongs to her
    we must have some way to check that a public key really belongs
    to the owner.  This can be achieved by comparing the key during
    a phone call.  Sure, it is not very easy to compare a binary file
    by reading the complete hex dump of the file - GnuPG (and nearly
    every other program used for management of cryptographic keys)
    provides other solutions.

        gpg --fingerprint <username>

    prints the so called "fingerprint" of the given username which
    is a sequence of hex bytes (which you may have noticed in mail
    sigs or on business cards) that uniquely identifies the public
    key - different keys will always have different fingerprints.
    It is easy to compare fingerprints by phone and I suggest
    that you print your fingerprint on the back of your business
    card.  To see the fingerprints of the secondary keys, you can
    give the command twice; but this is normally not needed.

    NEVER use the keyid to verify a key - always use the complete
    fingerprint.  The keyid is just a convenience handle to identify a
    key by a short semi-unique name which is trivial to spoof.  You
    may want to put the line "keyid-format long" into your gpg.conf to
    tell gpg to print the long keyid (which is still spoof-able).

    If you don't know the owner of the public key you are in trouble.
    Suppose however that a friend of yours knows someone who knows
    someone who has met the owner of the public key at some computer
    conference.  Suppose that all the people between you and the public
    key holder may now act as introducers to you.  Introducers signing
    keys thereby certify that they know the owner of the keys they
    sign.  If you then trust all the introducers to have correctly
    signed other keys, you can be sure that the other key really
    belongs to the one who claims to own it.

    There are 2 steps to validate a key:

        1. First check that there is a complete chain
           of signed keys from the public key you want to use
           and your key and verify each signature.
        2. Make sure that you have full trust in the certificates
           of all the introducers between the public key holder and
           you.

    Step 2 is the more complicated part because there is no easy way
    for a computer to decide who is trustworthy and who is not.  GnuPG
    leaves this decision to you and will ask you for a trust value
    (here also referenced as the owner-trust of a key) for every key
    needed to check the chain of certificates.  You may choose from:

      a) "I don't know" - then it is not possible to use any
         of the chains of certificates, in which this key is used
         as an introducer, to validate the target key.  Use this if
         you don't know the introducer.
      b) "I do not trust" - Use this if you know that the introducer
         does not do a good job in certifying other keys.  The effect
         is the same as with a) but for a) you may later want to
         change the value because you got new information about this
         introducer.
      c) "I trust marginally" - Use this if you assume that the
         introducer knows what he is doing.  Together with some
         other marginally trusted keys, GnuPG validates the target
         key then as good.
      d) "I fully trust" - Use this if you really know that this
         introducer does a good job when certifying other keys.
         If all the introducers are of this trust value, GnuPG
         normally needs only one chain of signatures to validate
         a target key okay.  (But this may be adjusted with the help
         of some options).

    This information is confidential because it gives your personal
    opinion on the trustworthiness of someone else.  Therefore this data
    is not stored in the keyring but in the "trustdb"
    (~/.gnupg/trustdb.gpg).  Do not assign a high trust value just
    because the introducer is a friend of yours - decide how well she
    understands the implications of key signatures and you may want to
    tell her more about public key cryptography so you can later change
    the trust value you assigned.

    Okay, here is how GnuPG helps you with key management.  Most stuff
    is done with the --edit-key command

        gpg --edit-key <keyid or username>

    GnuPG displays some information about the key and then prompts
    for a command (enter "help" to see a list of commands and see
    the man page for a more detailed explanation).  To sign a key
    you select the user ID you want to sign by entering the number
    that is displayed in the leftmost column (or do nothing if the
    key has only one user ID) and then enter the command "sign" and
    follow all the prompts.  When you are ready, give the command
    "save" (or use "quit" to cancel your actions).

    If you want to sign the key with another of your user IDs, you
    must give an "-u" option on the command line together with the
    "--edit-key".

    Normally you want to sign only one user ID because GnuPG
    uses only one and this keeps the public key certificate
    small.
    Because such key signatures are very important you
    should make sure that the signatories of your key sign a user ID
    which is very likely to stay for a long time - choose one with an
    email address you have full control of or do not enter an email
    address at all.  In future GnuPG will have a way to tell which
    user ID is the one with an email address you prefer - because
    you have no signatures on this email address it is easy to change
    this address.  Remember, your signatories sign your public key (the
    primary one) together with one of your user IDs - so it is not
    possible to change the user ID later without voiding all the
    signatures.

    Tip: If you hear about a key signing party at a computer conference
    join it because this is a very convenient way to get your key
    certified (But remember that signatures have nothing to do with the
    trust you assign to a key).


    8 Ways to Specify a User ID
    ---------------------------

    There are several ways to specify a user ID, here are some examples.

    * By a fingerprint:

        "1234343434343434C434343434343434"
        "123434343434343C3434343434343734349A3434"
        "0E12343434343434343434EAB3484343434343434"

      The first one is a short fingerprint for PGP 2.x style keys.
      The others are long fingerprints for OpenPGP keys.

    * By a complete keyid (prepend a zero if it begins with A..F):

        "234AABBCC34567C4"
        "0F323456784E56EAB"
        "01AB3FED1347A5612"
        "0x234AABBCC34567C4"

    * By the short keyid:

        "234567C4"
        "0F34E556E"
        "01347A56A"
        "0xAB123456"

    * By an exact string:

        "=Heinrich Heine <heinrichh@uni-duesseldorf.de>"

    * By an email address:

        "<heinrichh@uni-duesseldorf.de>"

    * Or by the usual substring:

        "Heine"
        "*Heine"

      The '*' indicates substring search explicitly.
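
    The two validation steps and the four trust values described in the
    introduction above, worked through as a fixed-point computation.
    This is an added example, not GnuPG's own code: a simplified model
    that ignores certification depth limits and per-user-ID signatures,
    run on a constructed set of keys.  The thresholds of 1 fully trusted
    or 3 marginally trusted introducers are gpg's documented defaults
    for --completes-needed and --marginals-needed, which this file does
    not state; valid_keys and web_valid are hypothetical names.

```shell
#!/bin/sh
# Added example (not GnuPG code): simplified model of how ownertrust and
# key signatures combine into key validity.

# valid_keys [COMPLETES_NEEDED] [MARGINALS_NEEDED]
# stdin, one statement per line (format invented for this example):
#   own   KEY                            your own key: valid, fully trusted
#   trust KEY full|marginal|never        ownertrust you assigned to KEY
#   sig   SIGNER TARGET                  SIGNER has certified TARGET
# stdout: every key that ends up valid, sorted, one per line.
valid_keys() {
    awk -v full_needed="${1:-1}" -v marg_needed="${2:-3}" '
    $1 == "own"   { valid[$2] = 1; trust[$2] = "full"; keys[$2] = 1 }
    $1 == "trust" { trust[$2] = $3; keys[$2] = 1 }
    $1 == "sig" && !(($2, $3) in seen) {
        seen[$2, $3] = 1                  # count each certification once
        n++; signer[n] = $2; target[n] = $3
        keys[$2] = 1; keys[$3] = 1
    }
    END {
        # Step 1: only signatures made by keys that are already valid
        # form a complete chain back to your own key.
        # Step 2: such a signature counts only as much as the ownertrust
        # you gave its signer.  Repeat until no further key becomes valid.
        do {
            changed = 0
            for (k in keys) {
                if (k in valid) continue
                full = 0; marg = 0
                for (i = 1; i <= n; i++) {
                    if (target[i] != k || !(signer[i] in valid)) continue
                    if (trust[signer[i]] == "full") full++
                    else if (trust[signer[i]] == "marginal") marg++
                }
                if (full >= full_needed || marg >= marg_needed) {
                    valid[k] = 1; changed = 1
                }
            }
        } while (changed)
        for (k in valid) print k
    }' | LC_ALL=C sort
}

# Constructed web of trust; the names stand in for keys.
SAMPLE_WEB="own me
trust alice full
trust bob marginal
trust carol marginal
trust dave marginal
sig me alice
sig me bob
sig me carol
sig me dave
sig alice erin
sig bob frank
sig carol frank
sig bob grace
sig carol grace
sig dave grace
sig erin ivan
sig mallory heidi"

# web_valid [COMPLETES_NEEDED] [MARGINALS_NEEDED]: valid keys on one line.
web_valid() {
    printf '%s\n' "$SAMPLE_WEB" | valid_keys "$@" | tr '\n' ' '
}

# With the defaults erin (one full introducer) and grace (three marginal
# introducers) become valid.  frank has only two marginal introducers,
# ivan is signed by erin, who is valid but has no ownertrust, and heidi
# is signed by a key that is itself not valid.
web_valid; echo
# Lowering the marginal threshold to 2 also validates frank.
web_valid 1 2; echo
```

    Note that erin ends up valid without becoming an introducer: key
    validity and ownertrust stay separate values.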
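
    The check from "How to Verify the Source", done non-interactively
    and pinned to a complete fingerprint, as the keyid warning in the
    introduction demands.  This is an added example, not code from the
    GnuPG distribution: it parses the lines gpg writes to --status-fd
    (the option recommended under "Exit status" below).  The
    fingerprints and status lines in it are constructed samples, and
    verdict_from_status, verify_release and status_verdict are
    hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the GnuPG distribution): accept a signature only
# if gpg's --status-fd output shows a valid signature by one pinned key.

# verdict_from_status PINNED_FINGERPRINT
# Reads "[GNUPG:] ..." status lines on stdin and prints one word:
#   ok         valid signature by the pinned key, nothing suspicious seen
#   bad        BADSIG: the data or the signature has been altered
#   untrusted  valid signature, but by another key, or an expired or
#              revoked key or signature is involved
#   nosig      nothing verifiable (missing public key, no signature, ...)
#   badpin     PINNED_FINGERPRINT is not a complete fingerprint
verdict_from_status() {
    # Accept the spaced form printed by "gpg --fingerprint".
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # 32 hex digits (PGP 2.x keys) or 40 (OpenPGP); a keyid is never enough.
    case ${#want} in
        32|40) ;;
        *) echo badpin; return 0 ;;
    esac
    case $want in
        *[!0-9A-F]*) echo badpin; return 0 ;;
    esac
    bad=0 weak=0 match=0 other=0
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG)
                bad=1 ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                # gpg emits VALIDSIG next to these as well, so VALIDSIG
                # alone must not be taken as acceptance.
                weak=1 ;;
            VALIDSIG)
                # arg1: fingerprint of the key that made the signature;
                # last field: fingerprint of its primary key.
                primary=${rest##* }
                if [ "$arg1" = "$want" ] || [ "$primary" = "$want" ]; then
                    match=1
                else
                    other=1
                fi ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo bad
    elif [ "$match" -eq 1 ] && [ "$weak" -eq 0 ]; then echo ok
    elif [ "$match" -eq 1 ] || [ "$other" -eq 1 ]; then echo untrusted
    else echo nosig
    fi
}

# verify_release SIGFILE DATAFILE PINNED_FINGERPRINT
# Runs gpg in batch mode.  Status lines go to fd 3, which is routed into
# the parser; the human-readable output is discarded.  Prints the verdict
# and succeeds only for "ok".
verify_release() {
    verdict=$(gpg --batch --status-fd 3 --verify "$1" "$2" \
                  3>&1 >/dev/null 2>&1 | verdict_from_status "$3")
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample data, not output captured from a real key.
DEMO_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (constructed)
[GNUPG:] VALIDSIG $DEMO_FPR 2018-06-11 1528700000 0 4 0 1 8 00 $DEMO_FPR"
SAMPLE_EXPIRED_KEY="[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer (constructed)
[GNUPG:] VALIDSIG $DEMO_FPR 2018-06-11 1528700000 0 4 0 1 8 00 $DEMO_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer (constructed)"
SAMPLE_NO_KEY="[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1528700000 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567"

# status_verdict STATUS_TEXT PINNED_FINGERPRINT: parse an in-memory sample.
status_verdict() {
    printf '%s\n' "$1" | verdict_from_status "$2"
}

# Demo on the constructed samples; gpg itself is not needed for this part.
status_verdict "$SAMPLE_GOOD" "$DEMO_FPR"          # pinned key signed
status_verdict "$SAMPLE_GOOD" "$OTHER_FPR"         # some other key signed
status_verdict "$SAMPLE_EXPIRED_KEY" "$DEMO_FPR"   # valid, but key expired
status_verdict "$SAMPLE_BAD" "$DEMO_FPR"           # altered data
status_verdict "$SAMPLE_NO_KEY" "$DEMO_FPR"        # key not in the keyring
status_verdict "$SAMPLE_GOOD" "4F25E3B6"           # a keyid is refused
```

    For a real download, call verify_release with the signature file,
    the tarball and the fingerprint you confirmed through a separate
    channel.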


    Batch mode
    ----------

    If you use the option "--batch", GnuPG runs in non-interactive mode
    and never prompts for input data.  This does not even allow entering
    the passphrase.  Until we have a better solution (something like
    ssh-agent), you can use the option "--passphrase-fd n", which works
    like PGP's PGPPASSFD.

    Batch mode also causes GnuPG to terminate as soon as a BAD signature
    is detected.


    Exit status
    -----------

    GnuPG returns with an exit status of 1 if in batch mode and a bad
    signature has been detected or 2 or higher for all other errors.
    You should parse stderr or, better, the output of the fd specified
    with --status-fd to get detailed information about the errors.


    Configure options
    -----------------

    Here is a list of configure options which are sometimes useful
    for installation.

    --enable-static-rnd=<name>
                    Force the use of the random byte gathering
                    module <name>.  Default is either to use /dev/random
                    or the auto mode.  Value for name:
                      egd - Use the module which accesses the
                            Entropy Gathering Daemon.  See the webpages
                            for more information about it.
                     unix - Use the standard Unix module which does not
                            have a very good performance.
                    linux - Use the module which accesses /dev/random.
                            This is the first choice and the default one
                            for GNU/Linux or *BSD.
                     auto - Compile linux, egd and unix in and
                            automagically select at runtime.

    --with-egd-socket=<name>
                    This is only used when EGD is used as random
                    gatherer.  GnuPG uses by default "~/.gnupg/entropy"
                    as the socket to connect EGD.  Using this option the
                    socket name can be changed.  You may use any filename
                    here with 2 exceptions: a filename starting with
                    "~/" uses the socket in the home directory of the user
                    and one starting with a "=" uses a socket in the
                    GnuPG home directory which is "~/.gnupg" by default.

    --without-readline
                    Do not include support for the readline library
                    even if it is available.  The default is to check
                    whether the readline library is available and
                    use it to allow fancy command line editing.

    --with-included-zlib
                    Forces usage of the local zlib sources.  Default is
                    to use the (shared) library of the system.

    --with-zlib=<DIR>
                    Look for the system zlib in DIR.

    --with-bzip2=<DIR>
                    Look for the system libbz2 in DIR.

    --without-bzip2
                    Disable the BZIP2 compression algorithm.

    --with-included-gettext
                    Forces usage of the local gettext sources instead of
                    the one provided by your system.

    --disable-nls
                    Disable NLS support (See the file ABOUT-NLS)

    --enable-m-guard
                    Enable the integrated malloc checking code.  Please
                    note that this feature does not work on all CPUs
                    (e.g. SunOS 5.7 on UltraSparc-2) and might give
                    you a bus error.

    --disable-dynload
                    If you have problems with dynamic loading, this
                    option disables all dynamic loading stuff.  Note
                    that the use of dynamic linking is very limited.

    --disable-asm
                    Do not use assembler modules.  It is not possible
                    to use this on some CPU types.

    --disable-exec
                    Disable all remote program execution.  This
                    disables photo ID viewing as well as all keyserver
                    access.

    --disable-photo-viewers
                    Disable only photo ID viewing.

    --disable-keyserver-helpers
                    Disable only keyserver helpers.

    --disable-keyserver-path
                    Disables the user's ability to use the exec-path
                    feature to add additional search directories when
                    executing a keyserver helper.

    --with-photo-viewer=FIXED_VIEWER
                    Force the photo viewer to be FIXED_VIEWER and
                    disable any ability for the user to change it in
                    their options file.

    --disable-rsa
                    Removes support for the RSA public key algorithm.
                    This can give a smaller gpg binary for places
                    where space is tight.

    --disable-idea
    --disable-cast5
    --disable-blowfish
    --disable-aes
    --disable-twofish
    --disable-sha256
    --disable-sha512
                    Removes support for the selected symmetric or hash
                    algorithm.  This can give a smaller gpg binary for
                    places where space is tight.

                    **** Note that if there are existing keys that
                    have one of these algorithms as a preference,
                    messages may be received that use one of these
                    algorithms and you will not be able to decrypt the
                    message! ****

                    The public key preference list can be updated to
                    match the list of available algorithms by using
                    "gpg --edit-key (thekey)", and running the
                    "setpref" command.

    --enable-minimal
                    Build the smallest gpg binary possible (disables
                    all optional algorithms, disables keyserver
                    access, and disables photo IDs).  Specifically,
                    this means --disable-rsa --disable-idea,
                    --disable-cast5, --disable-blowfish,
                    --disable-aes, --disable-twofish,
                    --disable-sha256, --disable-sha512,
                    --without-bzip2, --disable-exec,
                    --disable-card-support and
                    --disable-agent-support.
                    Configure command lines are read from left to
                    right, so if you want to have an "almost minimal"
                    configuration, you can do (for example)
                    "--enable-minimal --enable-rsa" to have RSA added
                    to the minimal build.  Adding the option
                    --disable-nls may be useful too.

    --enable-key-cache=SIZE
                    Set the internal key and UID cache size.  This has
                    a significant impact on performance with large
                    keyrings.  The default is 4096, but for use on
                    platforms where memory is an issue, it can be set
                    as low as 5.

    --disable-card-support
                    Do not include smartcard support.  The default is
                    to include support if all required libraries are
                    available.

    --disable-agent-support
                    Do not include support for the gpg-agent.
                    The default is to include support.

    --enable-selinux-support
                    This prevents access to certain files and won't
                    allow import or export of secret keys.

    --enable-noexecstack
                    Pass option --noexecstack to as.  Autodetect whether
                    the tool chain actually supports this.

    --disable-gnupg-iconv
                    If iconv is available it is used to convert
                    between utf-8 and the system character set.  This
                    is in general the preferable solution.  However
                    the code is new and under some circumstances it may
                    give different output than with the limited old
                    support.  This option explicitly disables
                    the use of iconv.  Note that iconv is also
                    disabled if gettext has been disabled.


    Installation Problems
    ---------------------

    If you get unresolved externals "gettext" you should run configure
    again with the option "--with-included-gettext"; this is version
    0.12.1 which is available at ftp.gnu.org.

    If you have other compile problems, try the configure options
    "--with-included-zlib" or "--disable-nls" (See ABOUT-NLS) or
    --disable-dynload.

    We can't check all assembler files, so if you have problems
    assembling them (or the program crashes) use --disable-asm with
    ./configure.  If you opt to delete individual replacement files in
    hopes of using the remaining ones, be aware that the configure
    scripts may consider several subdirectories to get all available
    assembler files; be sure to delete the correct ones.  The assembler
    replacements are in C and in mpi/generic; never delete
    udiv-qrnnd.S in any CPU directory, because there may be no C
    substitute.  Don't forget to delete "config.cache" and run
    "./config.status --recheck".  We have also heard reports of
    problems when using versions of gcc earlier than 2.96 along with a
    non-GNU assembler (as).
    If this applies to your platform, you can
    either upgrade gcc to a more recent version, or use the GNU
    assembler.

    Some make tools are broken - the best solution is to use GNU's
    make.  Try gmake or grab the sources from a GNU archive and
    install them.

    On some OSF systems you may get unresolved externals.  This is a
    libtool problem and the workaround is to manually remove all the
    "-lc -lz" but the last one from the linker line and execute them
    manually.

    On some architectures you see warnings like:
      longlong.h:175: warning: function declaration isn't a prototype
    or
      http.c:647: warning: cast increases required alignment of target type
    This doesn't matter and we know about it (actually it is due to
    some warning options which we have enabled for gcc)

    If you are cross-compiling and you get an error either building a
    tool called "yat2m" or running that tool, the problem is most
    likely a bad or missing native compiler.  We require a standard
    C-89 compiler to produce an executable to be run on the build
    platform.  You can explicitly set such a compiler with configure
    arguments.  On HP/UX you might want to try: "CC_FOR_BUILD=c89".



    Specific problems on some machines
    ----------------------------------

    * Apple Darwin 6.1:

        ./configure --with-libiconv-prefix=/sw

    * IBM RS/6000 running AIX:

        Due to a change in gcc (since version 2.8) the MPI stuff may
        not build.  In this case try to run configure using:
            CFLAGS="-g -O2 -mcpu=powerpc" ./configure

    * SVR4.2 (ESIX V4.2 cc)

        Due to problems with the ESIX as, you probably want to do
            CFLAGS="-O -K pentium" ./configure --disable-asm

    * SunOS 4.1.4

        ./configure ac_cv_sys_symbol_underscore=yes


    The Random Device
    -----------------

    Random devices are available in Linux, FreeBSD and OpenBSD.
    Operating systems without a random device must use another
    entropy collector.

    This collector works by running a lot of commands that yield more
    or less unpredictable output and feeds this as entropy into the
    random generator - It should work reliably but you should check
    whether it produces good output for your version of Unix.  There
    are some debug options to help you (see cipher/rndunix.c).


    Creating an RPM package
    -----------------------

    The file scripts/gnupg.spec is used to build an RPM package (both
    binary and src):
        1. copy the spec file into /usr/src/redhat/SPECS
        2. copy the tar file into /usr/src/redhat/SOURCES
        3. type: rpm -ba SPECS/gnupg.spec

    Or use the -t (--tarbuild) option of rpm:
        1. rpm -ta gnupg-x.x.x.tar.gz

    The binary rpm file can now be found in /usr/src/redhat/RPMS, source
    rpm in /usr/src/redhat/SRPMS


    Building Universal Binaries on Apple OS X
    -----------------------------------------

    You can build a universal ("fat") binary that will work on both
    PPC and Intel Macs with something like:

        ./configure CFLAGS="-arch ppc -arch i386" --disable-endian-check \
                    --disable-dependency-tracking --disable-asm

    If you are doing the build on an OS X 10.4 (Tiger) PPC machine you
    may need to add "-isysroot /Developer/SDKs/MacOSX10.4u.sdk" to
    those CFLAGS.  This additional isysroot is not necessary on Intel
    Tiger boxes, or any OS X 10.5 (Leopard) or later boxes.

    Note that when building a universal binary, any third-party
    libraries you may link with need to be universal as well.  All
    Apple-supplied libraries (even libraries not originally written by
    Apple like curl, zip, and BZ2) are universal.


    GnuPG 1.4 and GnuPG 2.x
    -----------------------

    GnuPG 2.x is a newer version of GnuPG with additional support for
    S/MIME.
    It has a different design philosophy that splits
    functionality up into several modules.  Both versions may be
    installed simultaneously without any conflict (gpg is usually
    installed under the name gpg2 in GnuPG-2).  In fact, the GPG
    version from GnuPG 1.4 is able to make use of the gpg-agent as
    included in GnuPG-2 and allows for seamless passphrase caching.
    The advantage of GnuPG 1.4 is its somewhat smaller size and no
    dependency on other modules at run and build time.  The drawback
    of 1.4 is its much older code base and that only minimal
    maintenance is done.  It is highly suggested to switch to 2.x
    unless your system is not supported by 2.x.


    How to Get More Information
    ---------------------------

    The primary WWW page is https://gnupg.org
               or using TOR http://ic6au7wa3f6naxjq.onion

    The primary FTP site is ftp://ftp.gnupg.org/gcrypt/
                         or https://gnupg.org/ftp/gcrypt/

    See https://gnupg.org/download/mirrors.html for a list of
    mirrors and use them if possible.  You may also find GnuPG
    mirrored on some of the regular GNU mirrors.

    We have some mailing lists dedicated to GnuPG:

       gnupg-announce@gnupg.org   For important announcements like
                                  new versions and such stuff.
                                  This is a moderated list and has
                                  very low traffic.  Do not post to
                                  this list.

       gnupg-users@gnupg.org      For general user discussion and
                                  help (English).

       gnupg-de@gnupg.org         German speaking counterpart of
                                  gnupg-users.

       gnupg-ru@gnupg.org         Russian speaking counterpart of
                                  gnupg-users.

       gnupg-devel@gnupg.org      GnuPG developers main forum.

    You subscribe to one of the lists by sending mail with a subject
    of "subscribe" to x-request@gnupg.org, where x is the name of the
    mailing list (gnupg-announce, gnupg-users, etc.).
    An archive of the mailing lists is available at
    https://gnupg.org/documentation/mailing-lists.html

    Please direct bug reports to https://bugs.gnupg.org or post
    them direct to the mailing list <gnupg-devel@gnupg.org>.

    Please direct questions about GnuPG to the users mailing list or
    one of the pgp newsgroups; please do not direct questions to one
    of the authors directly as we are busy working on improvements and
    bug fixes.  The English and German GnuPG mailing lists are watched
    by the authors and we try to answer questions when time allows us
    to do so.

    Commercial grade support for GnuPG is available; for a listing of
    offers see https://gnupg.org/service.html .  Maintaining and
    improving GnuPG is costly.  Since 2001, g10 Code GmbH, a German
    company owned and headed by GnuPG's principal author Werner Koch,
    is bearing the majority of these costs.  To help them carry on
    this work, they need your support.  See https://gnupg.org/donate/