2012-03-03 01:17:29 +01:00
|
|
|
# $NetBSD: Makefile,v 1.110 2012/03/03 00:17:29 wiz Exp $
|
1999-04-08 01:01:27 +02:00
|
|
|
|
2012-03-03 01:17:29 +01:00
|
|
|
DISTNAME= gnupg-1.4.12
|
1999-04-08 01:01:27 +02:00
|
|
|
CATEGORIES= security
|
upgrade to 1.2.0, from skrueger@europe.com
2002-09-21 Werner Koch <wk@gnupg.org>
Released 1.2.0.
* configure.ac: Bumbed version number and set development version
to no.
2002-09-19 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try linking LDAP as just -lldap as it seems very
recent OpenLDAPs (>=2.0.23) support that.
2002-09-14 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try linking LDAP without -lresolv first, just in
case the platform has libresolv, but doesn't actually need it to
use LDAP.
2002-09-12 David Shaw <dshaw@jabberwocky.com>
* NEWS: Note that the old IDEA plugin won't work with post-1.1.90
gpg.
2002-09-11 Werner Koch <wk@gnupg.org>
Released 1.1.92.
* configure.ac (random_modules): The default random module for
system lacking a /dev/random is now auto selected at runtime.
2002-09-09 David Shaw <dshaw@jabberwocky.com>
* NEWS: typo.
* configure.ac: Add a link test for LDAP without -lresolv for
HPUX. Remove "hstrerror" test as it is no longer needed.
2002-09-02 Werner Koch <wk@gnupg.org>
* README: Removed the note about a development version so that we
later don't forget this. Minor other changes.
2002-08-29 Werner Koch <wk@gnupg.org>
* configure.ac (random_modules): Reworked the code to select the
random module. Define USE_ALL_RANDOM_MODULES for value all.
2002-08-27 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Check type of mode_t.
* NEWS: Clarify that --libexecdir is a configure option.
* configure.ac: Check for hstrerror.
2002-08-19 David Shaw <dshaw@jabberwocky.com>
* NEWS: Document new ways to enable MDC, and change in automatic
compression disabling.
* configure.ac: No such thing as the "none" random gather any
longer.
2002-08-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add an --enable-tiger.
* NEWS: Clarify new permission checks.
2002-08-07 David Shaw <dshaw@jabberwocky.com>
* configure.ac: If the static IDEA cipher is present, disable
dynamic loading. Also fix backwards grammar of keyserver
exec-path CHECKING message.
2002-08-05 Werner Koch <wk@gnupg.org>
* configure.ac: Bumbed version number.
2002-08-04 Werner Koch <wk@gnupg.org>
Released 1.1.91.
* configure.ac (ALL_LINGUAS): Added Catalan.
2002-08-02 Werner Koch <wk@gnupg.org>
* configure.ac: Removed all extension stuff but keep the tests for
dlopen. We don't need to figure out the flags required. All
stuff is now statically loaded.
2002-07-30 David Shaw <dshaw@jabberwocky.com>
* README, configure.ac: --with-exec-path is now clarified into
--disable-keyserver-path
* NEWS: changes since 1.1.90.
2002-07-24 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Include a GNUPG_LIBEXECDIR in g10defs.h, as well
as a SUBST for Makefiles.
2002-07-22 Timo Schulz <ts@winpt.org>
* configure.ac: Replace the 'c:/' variables with 'c:\' due
to the fact we already use '\' in the remaining code.
2002-07-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add --with-mailprog to override the use of
sendmail with another MTA. We can use anything that follows the
"$MAILPROG -t" convention.
2002-07-04 David Shaw <dshaw@jabberwocky.com>
* configure.ac: --enable-exec-path should be a 'with'. Fix 'no'
cases of --with-exec-path and --with-photo-viewer.
* README: Document --disable-exec, --disable-photo-viewers,
--disable-keyserver-helpers, --enable-exec-path, and
--with-photo-viewer.
* configure.ac: Add --with-photo-viewer to lock the viewer at
compile time and --disable-keyserver-helpers and
--disable-photo-viewers to allow disabling one without disabling
the other.
2002-07-03 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Allow setting USE_EXEC_PATH to lock the exec-path
to a fixed value.
2002-07-01 Werner Koch <wk@gnupg.org>
* configure.ac: Set version number to 1.1.91.
Released 1.1.90.
* INSTALL: Replaced by generic install file.
* README: Marked as development version and moved most stuff of
the old INSTALL file to here.
2002-06-30 Werner Koch <wk@gnupg.org>
* configure.ac: Link W32 version against libwsock32.
2002-06-29 Werner Koch <wk@gnupg.org>
* configure.ac (development_version): New.
(HAVE_DEV_RANDOM_IOCTL): Removed test for it; it was never used.
* BUGS, AUTHORS: Add a note on how to send security related bug
reports.
2002-06-20 David Shaw <dshaw@jabberwocky.com>
* NEWS: changes since 1.0.7.
* configure.ac: Set new version number (1.1.90), and fix Solaris
compiler flags for shared objects.
2002-06-11 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Move -lsocket and -lnsl checks before LDAP link
tests so they work properly on Solaris. Noted by David Champion.
Also, check for the Mozilla LDAP library if the OpenLDAP library
check fails. Put -lsocket and -lnsl in NETLIBS rather than LIBS
so not all programs are forced to link to them.
2002-06-05 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add a switch for the experimental external HKP
keyserver interface.
2002-05-22 Werner Koch <wk@gnupg.org>
* configure.ac: Check for strcasecmp and strncasecmp. Removed
stricmp and memicmp checks.
2002-05-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: If LDAP comes up unusable, try #including <lber.h>
before giving up. Old versions of OpenLDAP require that.
2002-05-03 David Shaw <dshaw@jabberwocky.com>
* configure.ac: In g10defs.h, use \ for the directory separator
when HAVE_DOSISH_SYSTEM is on.
* configure.ac: Add --disable-exec flag to disable all remote
program execution. --disable-exec implies --disable-ldap and
--disable-mailto. Also look in /usr/lib for sendmail. If
sendmail is not found, do not default - just fail.
2002-04-30 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try and link to a sample LDAP program to check if
the LDAP we're about to use is really sane. The most common
problem (using a very old OpenLDAP), could be fixed with an extra
#include, but this would not be very portable to other LDAP
libraries.
2002-10-09 16:16:55 +02:00
|
|
|
MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \
|
2009-10-27 17:25:21 +01:00
|
|
|
http://gd.tuwien.ac.at/privacy/gnupg/gnupg/ \
|
2003-05-06 17:48:24 +02:00
|
|
|
ftp://ftp.jyu.fi/pub/crypt/gcrypt/gnupg/ \
|
2009-09-28 22:15:08 +02:00
|
|
|
ftp://ftp.ring.gr.jp/pub/net/gnupg/gnupg/
|
upgrade to 1.2.0, from skrueger@europe.com
2002-09-21 Werner Koch <wk@gnupg.org>
Released 1.2.0.
* configure.ac: Bumbed version number and set development version
to no.
2002-09-19 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try linking LDAP as just -lldap as it seems very
recent OpenLDAPs (>=2.0.23) support that.
2002-09-14 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try linking LDAP without -lresolv first, just in
case the platform has libresolv, but doesn't actually need it to
use LDAP.
2002-09-12 David Shaw <dshaw@jabberwocky.com>
* NEWS: Note that the old IDEA plugin won't work with post-1.1.90
gpg.
2002-09-11 Werner Koch <wk@gnupg.org>
Released 1.1.92.
* configure.ac (random_modules): The default random module for
system lacking a /dev/random is now auto selected at runtime.
2002-09-09 David Shaw <dshaw@jabberwocky.com>
* NEWS: typo.
* configure.ac: Add a link test for LDAP without -lresolv for
HPUX. Remove "hstrerror" test as it is no longer needed.
2002-09-02 Werner Koch <wk@gnupg.org>
* README: Removed the note about a development version so that we
later don't forget this. Minor other changes.
2002-08-29 Werner Koch <wk@gnupg.org>
* configure.ac (random_modules): Reworked the code to select the
random module. Define USE_ALL_RANDOM_MODULES for value all.
2002-08-27 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Check type of mode_t.
* NEWS: Clarify that --libexecdir is a configure option.
* configure.ac: Check for hstrerror.
2002-08-19 David Shaw <dshaw@jabberwocky.com>
* NEWS: Document new ways to enable MDC, and change in automatic
compression disabling.
* configure.ac: No such thing as the "none" random gather any
longer.
2002-08-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add an --enable-tiger.
* NEWS: Clarify new permission checks.
2002-08-07 David Shaw <dshaw@jabberwocky.com>
* configure.ac: If the static IDEA cipher is present, disable
dynamic loading. Also fix backwards grammar of keyserver
exec-path CHECKING message.
2002-08-05 Werner Koch <wk@gnupg.org>
* configure.ac: Bumbed version number.
2002-08-04 Werner Koch <wk@gnupg.org>
Released 1.1.91.
* configure.ac (ALL_LINGUAS): Added Catalan.
2002-08-02 Werner Koch <wk@gnupg.org>
* configure.ac: Removed all extension stuff but keep the tests for
dlopen. We don't need to figure out the flags required. All
stuff is now statically loaded.
2002-07-30 David Shaw <dshaw@jabberwocky.com>
* README, configure.ac: --with-exec-path is now clarified into
--disable-keyserver-path
* NEWS: changes since 1.1.90.
2002-07-24 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Include a GNUPG_LIBEXECDIR in g10defs.h, as well
as a SUBST for Makefiles.
2002-07-22 Timo Schulz <ts@winpt.org>
* configure.ac: Replace the 'c:/' variables with 'c:\' due
to the fact we already use '\' in the remaining code.
2002-07-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add --with-mailprog to override the use of
sendmail with another MTA. We can use anything that follows the
"$MAILPROG -t" convention.
2002-07-04 David Shaw <dshaw@jabberwocky.com>
* configure.ac: --enable-exec-path should be a 'with'. Fix 'no'
cases of --with-exec-path and --with-photo-viewer.
* README: Document --disable-exec, --disable-photo-viewers,
--disable-keyserver-helpers, --enable-exec-path, and
--with-photo-viewer.
* configure.ac: Add --with-photo-viewer to lock the viewer at
compile time and --disable-keyserver-helpers and
--disable-photo-viewers to allow disabling one without disabling
the other.
2002-07-03 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Allow setting USE_EXEC_PATH to lock the exec-path
to a fixed value.
2002-07-01 Werner Koch <wk@gnupg.org>
* configure.ac: Set version number to 1.1.91.
Released 1.1.90.
* INSTALL: Replaced by generic install file.
* README: Marked as development version and moved most stuff of
the old INSTALL file to here.
2002-06-30 Werner Koch <wk@gnupg.org>
* configure.ac: Link W32 version against libwsock32.
2002-06-29 Werner Koch <wk@gnupg.org>
* configure.ac (development_version): New.
(HAVE_DEV_RANDOM_IOCTL): Removed test for it; it was never used.
* BUGS, AUTHORS: Add a note on how to send security related bug
reports.
2002-06-20 David Shaw <dshaw@jabberwocky.com>
* NEWS: changes since 1.0.7.
* configure.ac: Set new version number (1.1.90), and fix Solaris
compiler flags for shared objects.
2002-06-11 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Move -lsocket and -lnsl checks before LDAP link
tests so they work properly on Solaris. Noted by David Champion.
Also, check for the Mozilla LDAP library if the OpenLDAP library
check fails. Put -lsocket and -lnsl in NETLIBS rather than LIBS
so not all programs are forced to link to them.
2002-06-05 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add a switch for the experimental external HKP
keyserver interface.
2002-05-22 Werner Koch <wk@gnupg.org>
* configure.ac: Check for strcasecmp and strncasecmp. Removed
stricmp and memicmp checks.
2002-05-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: If LDAP comes up unusable, try #including <lber.h>
before giving up. Old versions of OpenLDAP require that.
2002-05-03 David Shaw <dshaw@jabberwocky.com>
* configure.ac: In g10defs.h, use \ for the directory separator
when HAVE_DOSISH_SYSTEM is on.
* configure.ac: Add --disable-exec flag to disable all remote
program execution. --disable-exec implies --disable-ldap and
--disable-mailto. Also look in /usr/lib for sendmail. If
sendmail is not found, do not default - just fail.
2002-04-30 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Try and link to a sample LDAP program to check if
the LDAP we're about to use is really sane. The most common
problem (using a very old OpenLDAP), could be fixed with an extra
#include, but this would not be very portable to other LDAP
libraries.
2002-10-09 16:16:55 +02:00
|
|
|
EXTRACT_SUFX= .tar.bz2
|
Update to 1.4.0, provided by Stefan Krüger in PR 28738.
While here, convert to options.mk.
GnuPG 1.4 Highlights
====================
This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series. To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution. This document is based on the NEWS file, and is thus
the highlights of the highlights.
When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised. Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.
Algorithm Changes
-----------------
OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.
The SHA256, SHA384, and SHA512 hashes are now supported for read and
write.
The BZIP2 compression algorithm is now supported for read and write.
Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use. It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.
The TIGER/192 hash is no longer available. This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.
Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG. Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption. Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG. Elgamal encryption was
and still is part of OpenPGP and GnuPG.
Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type. While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.
At build time, it is possible to select which algorithms will be built
into GnuPG. This can be used to build a smaller program binary for
embedded uses where space is tight.
Keyserver Changes
-----------------
GnuPG 1.4 does all keyserver operations via plugin or helper
applications. This allows the main GnuPG program to be smaller and
simpler. People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as
desired.
Support for fetching keys via HTTP and finger has been added. This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com".
The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.
The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.
If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well. Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.
HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.
The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.
IPv6 is supported for HKP and HTTP keyserver access.
When using a HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds. This
prevents a single down server in the rotation from stopping access.
DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports
automatically.
Timeout support has been added to the keyserver plugins. This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.
Preferred Keyserver URL
-----------------------
Preferred keyserver support has been added. Users may set a preferred
keyserver via the --edit-key command "keyserver". If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with
--refresh-keys.
The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded. When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.
Trust Signatures
----------------
GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.
Trust Models
------------
GnuPG 1.4 supports several ways of looking at trust:
Classic - The classic PGP trust model, where people sign each others
keys and thus build up an assurance (called "validity") that
the key belongs to the right person. This was the default
trust model in GnuPG 1.2.
Always - Bypass all trust checks, and make all keys fully valid.
Direct - Users may set key validity directly.
PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
signatures overlaid on top. This is the default trust model in
GnuPG 1.4.
The OpenPGP Smartcard
---------------------
GnuPG 1.4 supports the OpenPGP smartcard
(<http://www.g10code.de/p-card.html>)
Secret keys may be kept fully or partially on the smartcard. The
smartcard may be used for primary keys or subkeys.
Other Interesting New Features
------------------------------
For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it). This simplifies
writing ACLs for the SELinux kernel.
Readline support is now available at all prompts if the system
provides a readline library.
GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key. These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.
--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.
The --primary-keyring option designates the keyring that the user
wants new keys imported into.
The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user. This is the same functionality as
--throw-keyid, but can be used on a per-user basis.
Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.
The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays. This lets users tune the
display to what they prefer.
While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file. For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.
2004-12-25 03:54:13 +01:00
|
|
|
# don't remove this -- we may add idea.c.gz to it in options.mk
|
2001-01-29 12:52:59 +01:00
|
|
|
DISTFILES= ${DISTNAME}${EXTRACT_SUFX}
|
1999-04-08 01:01:27 +02:00
|
|
|
|
2009-03-05 11:46:23 +01:00
|
|
|
MAINTAINER= wiz@NetBSD.org
|
1999-12-02 16:50:43 +01:00
|
|
|
HOMEPAGE= http://www.gnupg.org/
|
2004-11-08 22:17:01 +01:00
|
|
|
COMMENT= GNU Privacy Guard, public-Key encryption and digital signatures
|
2009-05-19 10:59:00 +02:00
|
|
|
LICENSE= gnu-gpl-v3
|
1999-12-02 16:50:43 +01:00
|
|
|
|
2004-07-28 17:55:45 +02:00
|
|
|
PKG_INSTALLATION_TYPES= overwrite pkgviews
|
2006-11-03 08:45:44 +01:00
|
|
|
PKG_DESTDIR_SUPPORT= user-destdir
|
2004-07-28 17:55:45 +02:00
|
|
|
|
2003-01-10 08:39:46 +01:00
|
|
|
CRYPTO= yes
|
|
|
|
|
GNU_CONFIGURE= yes
|
|
|
|
|
USE_PKGLOCALEDIR= yes
|
2006-04-13 20:23:29 +02:00
|
|
|
USE_TOOLS+= gmake msgfmt
|
Update to 1.4.0, provided by Stefan Krüger in PR 28738.
While here, convert to options.mk.
GnuPG 1.4 Highlights
====================
This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series. To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution. This document is based on the NEWS file, and is thus
the highlights of the highlights.
When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised. Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.
Algorithm Changes
-----------------
OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.
The SHA256, SHA384, and SHA512 hashes are now supported for read and
write.
The BZIP2 compression algorithm is now supported for read and write.
Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use. It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.
The TIGER/192 hash is no longer available. This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.
Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG. Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption. Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG. Elgamal encryption was
and still is part of OpenPGP and GnuPG.
Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type. While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.
At build time, it is possible to select which algorithms will be built
into GnuPG. This can be used to build a smaller program binary for
embedded uses where space is tight.
Keyserver Changes
-----------------
GnuPG 1.4 does all keyserver operations via plugin or helper
applications. This allows the main GnuPG program to be smaller and
simpler. People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as
desired.
Support for fetching keys via HTTP and finger has been added. This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com".
The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.
The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.
If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well. Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.
HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.
The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.
IPv6 is supported for HKP and HTTP keyserver access.
When using a HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds. This
prevents a single down server in the rotation from stopping access.
DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports
automatically.
Timeout support has been added to the keyserver plugins. This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.
Preferred Keyserver URL
-----------------------
Preferred keyserver support has been added. Users may set a preferred
keyserver via the --edit-key command "keyserver". If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with
--refresh-keys.
The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded. When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.
Trust Signatures
----------------
GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.
Trust Models
------------
GnuPG 1.4 supports several ways of looking at trust:
Classic - The classic PGP trust model, where people sign each others
keys and thus build up an assurance (called "validity") that
the key belongs to the right person. This was the default
trust model in GnuPG 1.2.
Always - Bypass all trust checks, and make all keys fully valid.
Direct - Users may set key validity directly.
PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
signatures overlaid on top. This is the default trust model in
GnuPG 1.4.
The OpenPGP Smartcard
---------------------
GnuPG 1.4 supports the OpenPGP smartcard
(<http://www.g10code.de/p-card.html>)
Secret keys may be kept fully or partially on the smartcard. The
smartcard may be used for primary keys or subkeys.
Other Interesting New Features
------------------------------
For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it). This simplifies
writing ACLs for the SELinux kernel.
Readline support is now available at all prompts if the system
provides a readline library.
GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key. These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.
--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.
The --primary-keyring option designates the keyring that the user
wants new keys imported into.
The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user. This is the same functionality as
--throw-keyid, but can be used on a per-user basis.
Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.
The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays. This lets users tune the
display to what they prefer.
While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file. For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.
2004-12-25 03:54:13 +01:00
|
|
|
CONFIGURE_ARGS+= --with-static-rnd=auto
|
2004-04-09 02:36:06 +02:00
|
|
|
CONFIGURE_ARGS+= --with-mailprog=/usr/sbin/sendmail
|
2003-01-10 08:39:46 +01:00
|
|
|
TEST_TARGET= check
|
2010-10-21 23:48:12 +02:00
|
|
|
INFO_FILES= yes
|
1999-04-08 17:22:40 +02:00
|
|
|
|
2001-01-29 12:52:59 +01:00
|
|
|
EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
|
|
|
|
|
|
Update to 1.4.0, provided by Stefan Krüger in PR 28738.
While here, convert to options.mk.
GnuPG 1.4 Highlights
====================
This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series. To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution. This document is based on the NEWS file, and is thus
the highlights of the highlights.
When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised. Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.
Algorithm Changes
-----------------
OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.
The SHA256, SHA384, and SHA512 hashes are now supported for read and
write.
The BZIP2 compression algorithm is now supported for read and write.
Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use. It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.
The TIGER/192 hash is no longer available. This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.
Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG. Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption. Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG. Elgamal encryption was
and still is part of OpenPGP and GnuPG.
Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type. While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.
At build time, it is possible to select which algorithms will be built
into GnuPG. This can be used to build a smaller program binary for
embedded uses where space is tight.
Keyserver Changes
-----------------
GnuPG 1.4 does all keyserver operations via plugin or helper
applications. This allows the main GnuPG program to be smaller and
simpler. People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as
desired.
Support for fetching keys via HTTP and finger has been added. This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com".
The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.
The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.
If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well. Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.
HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.
The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.
IPv6 is supported for HKP and HTTP keyserver access.
When using a HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds. This
prevents a single down server in the rotation from stopping access.
DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports
automatically.
Timeout support has been added to the keyserver plugins. This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.
Preferred Keyserver URL
-----------------------
Preferred keyserver support has been added. Users may set a preferred
keyserver via the --edit-key command "keyserver". If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with
--refresh-keys.
The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded. When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.
Trust Signatures
----------------
GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.
Trust Models
------------
GnuPG 1.4 supports several ways of looking at trust:
Classic - The classic PGP trust model, where people sign each others
keys and thus build up an assurance (called "validity") that
the key belongs to the right person. This was the default
trust model in GnuPG 1.2.
Always - Bypass all trust checks, and make all keys fully valid.
Direct - Users may set key validity directly.
PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
signatures overlaid on top. This is the default trust model in
GnuPG 1.4.
The OpenPGP Smartcard
---------------------
GnuPG 1.4 supports the OpenPGP smartcard
(<http://www.g10code.de/p-card.html>)
Secret keys may be kept fully or partially on the smartcard. The
smartcard may be used for primary keys or subkeys.
Other Interesting New Features
------------------------------
For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it). This simplifies
writing ACLs for the SELinux kernel.
Readline support is now available at all prompts if the system
provides a readline library.
GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key. These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.
--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.
The --primary-keyring option designates the keyring that the user
wants new keys imported into.
The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user. This is the same functionality as
--throw-keyid, but can be used on a per-user basis.
Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.
The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays. This lets users tune the
display to what they prefer.
While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file. For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.
2004-12-25 03:54:13 +01:00
|
|
|
.include "options.mk"
|
2001-01-29 12:52:59 +01:00
|
|
|
|
2005-02-09 12:35:50 +01:00
|
|
|
.if ${OPSYS} == "SunOS" || (${OPSYS} == "NetBSD" && !empty(OS_VERSION:M1.[0-6]*))
|
|
|
|
|
CONFIGURE_ARGS+= --disable-gnupg-iconv
|
|
|
|
|
.endif
|
|
|
|
|
|
2009-11-03 08:28:17 +01:00
|
|
|
.if (${OPSYS} == "AIX" || ${OPSYS} == "Darwin" || ${OPSYS} == "SunOS") \
|
|
|
|
|
&& defined(ABI) && ${ABI} == 64
|
2009-09-28 22:15:08 +02:00
|
|
|
CONFIGURE_ARGS+= --disable-asm
|
|
|
|
|
.endif
|
|
|
|
|
|
Update to 1.4.0, provided by Stefan Krüger in PR 28738.
While here, convert to options.mk.
GnuPG 1.4 Highlights
====================
This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series. To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution. This document is based on the NEWS file, and is thus
the highlights of the highlights.
When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised. Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.
Algorithm Changes
-----------------
OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.
The SHA256, SHA384, and SHA512 hashes are now supported for read and
write.
The BZIP2 compression algorithm is now supported for read and write.
Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use. It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.
The TIGER/192 hash is no longer available. This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.
Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG. Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption. Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG. Elgamal encryption was
and still is part of OpenPGP and GnuPG.
Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type. While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.
At build time, it is possible to select which algorithms will be built
into GnuPG. This can be used to build a smaller program binary for
embedded uses where space is tight.
Keyserver Changes
-----------------
GnuPG 1.4 does all keyserver operations via plugin or helper
applications. This allows the main GnuPG program to be smaller and
simpler. People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as
desired.
Support for fetching keys via HTTP and finger has been added. This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com".
The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.
The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.
If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well. Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.
HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.
The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.
IPv6 is supported for HKP and HTTP keyserver access.
When using a HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds. This
prevents a single down server in the rotation from stopping access.
DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports
automatically.
Timeout support has been added to the keyserver plugins. This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.
Preferred Keyserver URL
-----------------------
Preferred keyserver support has been added. Users may set a preferred
keyserver via the --edit-key command "keyserver". If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with
--refresh-keys.
The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded. When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.
Trust Signatures
----------------
GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.
Trust Models
------------
GnuPG 1.4 supports several ways of looking at trust:
Classic - The classic PGP trust model, where people sign each others
keys and thus build up an assurance (called "validity") that
the key belongs to the right person. This was the default
trust model in GnuPG 1.2.
Always - Bypass all trust checks, and make all keys fully valid.
Direct - Users may set key validity directly.
PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
signatures overlaid on top. This is the default trust model in
GnuPG 1.4.
The OpenPGP Smartcard
---------------------
GnuPG 1.4 supports the OpenPGP smartcard
(<http://www.g10code.de/p-card.html>)
Secret keys may be kept fully or partially on the smartcard. The
smartcard may be used for primary keys or subkeys.
Other Interesting New Features
------------------------------
For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it). This simplifies
writing ACLs for the SELinux kernel.
Readline support is now available at all prompts if the system
provides a readline library.
GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key. These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.
--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.
The --primary-keyring option designates the keyring that the user
wants new keys imported into.
The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user. This is the same functionality as
--throw-keyid, but can be used on a per-user basis.
Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.
The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays. This lets users tune the
display to what they prefer.
While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file. For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.
2004-12-25 03:54:13 +01:00
|
|
|
# XXX: still needed?
|
2010-10-21 23:48:12 +02:00
|
|
|
#.if ${OPSYS} == "FreeBSD"
|
|
|
|
|
#SUBST_CLASSES+= fixme
|
|
|
|
|
#SUBST_STAGE.fixme= post-configure
|
|
|
|
|
#SUBST_FILES.fixme= mpi/i386/mpih-add1.S mpi/i386/mpih-lshift.S \
|
|
|
|
|
# mpi/i386/mpih-mul1.S mpi/i386/mpih-mul2.S \
|
|
|
|
|
# mpi/i386/mpih-mul3.S mpi/i386/mpih-rshift.S \
|
|
|
|
|
# mpi/i386/mpih-sub1.S
|
|
|
|
|
#SUBST_SED.fixme= -e "s,ALIGN (3),ALIGN (4),g"
|
|
|
|
|
#.endif
|
2004-02-03 00:41:32 +01:00
|
|
|
|
2004-02-08 02:00:13 +01:00
|
|
|
post-install:
|
|
|
|
|
${INSTALL_DATA} ${WRKSRC}/doc/DETAILS \
|
2006-11-03 08:45:44 +01:00
|
|
|
${DESTDIR}${PREFIX}/share/gnupg
|
2004-02-08 02:00:13 +01:00
|
|
|
|
2011-11-16 09:23:48 +01:00
|
|
|
.include "../../devel/readline/buildlink3.mk"
|
2004-04-08 22:58:32 +02:00
|
|
|
.include "../../converters/libiconv/buildlink3.mk"
|
|
|
|
|
.include "../../devel/gettext-lib/buildlink3.mk"
|
|
|
|
|
.include "../../devel/zlib/buildlink3.mk"
|
|
|
|
|
.include "../../archivers/bzip2/buildlink3.mk"
|
2002-08-25 23:48:57 +02:00
|
|
|
|
1999-04-08 17:22:40 +02:00
|
|
|
.include "../../mk/bsd.pkg.mk"
|
