changes:
* New option --url for the LOOKUP command and dirmngr-client.
* The LOOKUP command does now also consults the local cache. New
option --cache-only for it and --local for dirmngr-client.
* Port to Windows completed.
* Improved certificate chain construction.
* Support loading of PEM encoded CRLs via HTTP.
* Client based trust anchors are now supported.
* Configured certificates with the suffix ".der" are now also used.
* Libgcrypt 1.4 is now required.
reviewed by John R. Shannon
pkgsrc notes:
I've left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
Beiing here, support DESTDIR.
* The option --ocsp-signer may now take a filename to allow several
certificates to be valid signers for the default responder.
* New option --ocsp-max-period and improved the OCSP time checks.
* New option --force-default-signer for dirmngr-client.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Dirmngr is either invoked internally by gpgsm
(from GnuPG-2) or when running as a system daemon through the
dirmngr-client tool.
* A couple of bug fixes for OCSP.
* OCSP does now make use of the responder ID and optionally included
certificates in the response to locate certificates.
* No more lost file descriptors when loading CRLs via HTTP.
* HTTP redirection for CRL and OCSP has been implemented.
* Man pages are now build and installed from the texinfo source.
Note, that you need to update libksba to version 1.0.0 for this
release.
package builds and works correctly. This approach was taken prior to
this change. The is a problem because pth installs pthread.h in
${LOCALBASE}/include. This causes problems for things like Ada tasking
that depend on native pthreads when also linking against libraries in
pkgsrc (eg., gmp).
This change solve the problem by building a static pth library locally
and linking against it.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Dirmngr is either invoked internaly by gpgsm
(from gnupg 1.9) or when running as a system daemon through the
dirmngr-client tool.
Whats new in this release
=========================
* New option --daemon to start dirmngr as a system daemon. This
switches to the use of different directories and also does
CRL signing certificate validation on its own.
* New tool dirmngr-client.
* New options: --ldap-wrapper-program, --http-wrapper-program,
--disable-ldap, --disable-http, --honor-http-proxy, --http-proxy,
--ldap-proxy, --only-ldap-proxy, --ignore-ldap-dp and
--ignore-http-dp.
* Uses an external ldap wrapper to cope with timeouts and general
LDAP problems.
* SIGHUP may be used to reread the configuration and to flush the
certificate cache.
* An authorithyKeyIdentifier in a CRL is now handled correctly.
- Refill the DESCR file.
- Remove BUILD_USES_MSGFMT; distfile ships with prebuilt .gmo files.
- Do not use GNU make as it's not needed.
- Use BUILDLINK_PREFIX.openldap instead of LOCALBASE to locate openldap.
- Register info file properly and fix a typo in its directory entry so
that it can be accessed.
- Patch configure instead of configure.ac, so we can drop the build
dependency on autoconf.
- Add missing dependencies on libiconv and gettext-lib.
- Sort USE_* and include sections alphabetically.
- Remove BUILDLINK_DEPENDS.* version overrides because the respective
buildlink3.mk files already pull in a newer version.
- Drop all logic to detect the actual gettext-lib version. This was wrong
because it relied on the version currently installed (thus having a good
chance to produce different results between systems), and because it's
not the way to go. Instead, simply include gettext-lib's buildlink3.mk
file, and let the builtin.mk machinery decide what to do.
- Also add the locale files to the PLIST.
certificate revocation lists (CRLs) for X.509
certificates and for downloading the certificates
themselves. DirMngr also handles OCSP requests as
an alternative to CRLs. DirMngr is usually invoked
by gpgsm and in general not used directly.
