159 lines
4.4 KiB
HTML
159 lines
4.4 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of MIGRATE-PUBRING-FROM-CLASSIC-GPG</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>MIGRATE-PUBRING-FROM-CLASSIC-GPG</H1>
|
|
Section: User Commands (1)<BR>Updated: April 2016<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<P>
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
migrate-pubring-from-classic-gpg - Migrate a public keyring from "classic" to "modern" GnuPG
|
|
<P>
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>migrate-pubring-from-classic-gpg</B>
|
|
|
|
[ <B>GPGHOMEDIR</B> |
|
|
|
|
<I>--default</I> ]
|
|
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<P>
|
|
<B>migrate-pubring-from-classic-gpg</B>
|
|
|
|
migrates the public keyring in GnuPG home directory GPGHOMEDIR from
|
|
the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
|
|
versions 2.1 or 2.2 (pubring.kbx).
|
|
<P>
|
|
Specifying
|
|
<B>--default</B>
|
|
|
|
selects the standard GnuPG home directory (looking at $GNUPGHOME
|
|
first, and falling back to ~/.gnupg if unset.
|
|
<P>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<B>-h</B>, <B>--help</B>, <B>--usage</B>
|
|
|
|
Output a short usage information.
|
|
<P>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>DIAGNOSTICS</H2>
|
|
|
|
The program sends quite a bit of text (perhaps too much) to stderr.
|
|
<P>
|
|
During a migration, the tool backs up several pieces of data in a
|
|
timestamped subdirectory of the GPGHOMEDIR.
|
|
<P>
|
|
<A NAME="lbAG"> </A>
|
|
<H2>LIMITATIONS</H2>
|
|
|
|
The keybox format rejects a number of OpenPGP certificates that the
|
|
"classic" keyring format used to accept. These filters are defensive,
|
|
since the certificates rejected are unsafe -- either cryptographically
|
|
unsound, or dangerously non-performant. This means that some
|
|
migrations may produce warning messages about the migration being
|
|
incomplete. This is generally a good thing!
|
|
<P>
|
|
Known limitations:
|
|
<P>
|
|
<B>Flooded certificates</B>
|
|
|
|
<DL COMPACT><DT id="1"><DD>
|
|
Some OpenPGP certificates have been flooded with bogus certifications
|
|
as part of an attack on the SKS keyserver network (see
|
|
<A HREF="https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).">https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).</A>
|
|
<P>
|
|
The keybox format rejects import of any OpenPGP certificate larger
|
|
than 5MiB. As of GnuPG 2.2.17, if gpg encounters such a flooded
|
|
certificate will retry the import while stripping all third-party
|
|
certifications (see "self-sigs-only" in <A HREF="/cgi-bin/man/man2html?1+gpg">gpg</A>(1)).
|
|
<P>
|
|
The typical error message when migrating a keyring with a flooded
|
|
certificate will be something like:
|
|
<P>
|
|
</DL>
|
|
|
|
<DL COMPACT><DT id="2"><DD>
|
|
error writing keyring 'pubring.kbx': Provided object is too large
|
|
</DL>
|
|
|
|
<P>
|
|
<B>OpenPGPv3 public keys (a.k.a. PGP-2 keys)</B>
|
|
|
|
<DL COMPACT><DT id="3"><DD>
|
|
Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
|
|
Older versions of the public key format have serious known problems.
|
|
See <A HREF="https://tools.ietf.org/html/rfc4880#section-5.5.2">https://tools.ietf.org/html/rfc4880#section-5.5.2</A> for more details
|
|
about and reasons for v3 key deprecation.
|
|
<P>
|
|
The keybox format skips v3 keys entirely during migration, and GnuPG
|
|
will produce a message like:
|
|
<P>
|
|
</DL>
|
|
|
|
<DL COMPACT><DT id="4"><DD>
|
|
skipped PGP-2 keys: 1
|
|
</DL>
|
|
|
|
<P>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>ENVIRONMENT VARIABLES</H2>
|
|
|
|
<P>
|
|
<B>GNUPGHOME</B>
|
|
|
|
Selects the GnuPG home directory when set and --default is given.
|
|
<P>
|
|
<B>GPG</B>
|
|
|
|
The name of the
|
|
<B>gpg</B>
|
|
|
|
executable (defaults to
|
|
<B>gpg</B>
|
|
|
|
).
|
|
<P>
|
|
<A NAME="lbAI"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?1+gpg">gpg</A></B>(1)
|
|
|
|
<P>
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
|
|
report bugs via the Debian BTS.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="5"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="6"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="7"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="8"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="9"><A HREF="#lbAF">DIAGNOSTICS</A><DD>
|
|
<DT id="10"><A HREF="#lbAG">LIMITATIONS</A><DD>
|
|
<DT id="11"><A HREF="#lbAH">ENVIRONMENT VARIABLES</A><DD>
|
|
<DT id="12"><A HREF="#lbAI">SEE ALSO</A><DD>
|
|
<DT id="13"><A HREF="#lbAJ">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:05:19 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|