[Pkg-gnupg-commit] [gnupg2] 14/14: Add migrate-pubring-from-classic-pgp, NEWS, and README.Debian
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Apr 1 16:20:30 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental-move-to-gnupg
in repository gnupg2.
commit 54a5eda992e1728e1cda8d02d3a90d325934c9b0
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Apr 1 10:29:51 2016 -0300
Add migrate-pubring-from-classic-pgp, NEWS, and README.Debian
As users migrate to using modern gnupg, they might want to switch over
fully to the keybox format. This script tries to help them do that
safely.
We also provide notice about the transition via debian/NEWS, and
documentation in debian/README.Debian
---
debian/NEWS | 7 ++++
debian/README.Debian | 44 ++++++++++++++++++++
debian/gnupg.install | 1 +
debian/migrate-pubring-from-classic-gpg | 74 +++++++++++++++++++++++++++++++++
4 files changed, 126 insertions(+)
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..524a9a0
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,7 @@
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+ * The gnupg package now provides the "modern" version of GnuPG.
+ * Please read /usr/share/doc/gnupg/README.Debian for details about the
+ transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net> Wed, 30 Mar 2016 09:59:35 -0400
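Review bot: the second bullet ends without a full stop ("transition from "classic" to "modern""), and the version it is filed under (2.1.11-6+exp4) differs from the version the README in this same commit names as the switch-over point (2.1.11-6+exp1); worth a quick check that both are intended, since users reading NEWS will assume the transition happened in the version shown here.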
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..8dbd3f1
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-6+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+ * supporting daemons are auto-launched as needed
+
+ * all access to secret key material is handled by gpg-agent
+
+ * all smartcard access is handled by scdaemon
+
+ * all network access is handled by dirmngr
+
+ * PGPv3 keys are no longer supported
+
+ * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+ instead in $GNUPGHOME/private-keys-v1.d/
+
+ * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+ default for new users. Upgrading users will continue to use
+ pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+ gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however. If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Fri, 1 Apr 2016 09:57:57 -0300
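Review bot: the "Converting an existing installation" section says secret keys are migrated automatically but does not say what happens to the old $GNUPGHOME/secring.gpg afterwards (whether it is left in place, and whether the user should keep or securely remove it); since that file holds secret key material, a sentence covering it would help. Two smaller wording points: "a script like /usr/bin/migrate-pubring-from-classic-gpg" is vague for a script this package ships and could read "the script /usr/bin/migrate-pubring-from-classic-gpg.", and that sentence is missing its trailing full stop.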
diff --git a/debian/gnupg.install b/debian/gnupg.install
index b4b337b..862116a 100644
--- a/debian/gnupg.install
+++ b/debian/gnupg.install
@@ -12,3 +12,4 @@ debian/tmp/usr/share/gnupg/gpg-conf.skel
debian/tmp/usr/share/gnupg/help.*.txt
debian/tmp/usr/share/locale
tools/lspgpot usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
diff --git a/debian/migrate-pubring-from-classic-gpg b/debian/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..65fa770
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+ printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+ exit 1
+fi
+
+usage() {
+ printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+ usage >&2
+ exit 1
+else
+ case "$1" in
+ --help|--usage|-h)
+ usage
+ exit
+ ;;
+ --default)
+ ;;
+ *)
+ GHD="$1"
+ ;;
+ esac
+fi
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+ printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+ exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+ mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+ printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+ exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+"$GPG" --import < "$BACKUP/pubring.gpg"
+"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"$GPG" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+ printf 'No keybox was created at %s/pubring.kbx. Something went wrong!\n' "$GHD" >&2
+ exit 1
+fi
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2
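Review bot: none of the gpg invocations in the migration step (--export-ownertrust, --import, --import-ownertrust, --check-trustdb) pass --homedir "$GHD", so when the user supplies a GPGHOMEDIR argument (the `GHD="$1"` case) the file checks, the backup and the `mv` operate on that directory while gpg reads and writes its default home; the result is a pubring.gpg moved out of the given directory and keys imported somewhere else. Suggest `"$GPG" --homedir "$GHD" --import < "$BACKUP/pubring.gpg"` and the same on the other three calls (or exporting GNUPGHOME="$GHD" once after the argument parsing). Related: there is no `set -e` and no status check on the import, so if `--import` fails after pubring.gpg has already been moved into $BACKUP the script keeps going and only notices at the final pubring.kbx test; checking the import's exit status and moving pubring.gpg back from $BACKUP on failure would make the "safely" in the commit message hold. Minor: the `mv "$GHD/pubring.gpg" "$BACKUP/"` line lacks the `--` used on the earlier `mv`.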
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git