[Pkg-gnupg-commit] [gnupg2] 14/14: Add migrate-pubring-from-classic-pgp, NEWS, and README.Debian

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 1 16:20:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental-move-to-gnupg
in repository gnupg2.

commit 54a5eda992e1728e1cda8d02d3a90d325934c9b0
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Fri Apr 1 10:29:51 2016 -0300

    Add migrate-pubring-from-classic-pgp, NEWS, and README.Debian
    
    As users migrate to using modern gnupg, they might want to switch over
    fully to the keybox format.  This script tries to help them do that
    safely.
    
    We also provide notice about the transition via debian/NEWS, and
    documentation in debian/README.Debian
---
 debian/NEWS                             |  7 ++++
 debian/README.Debian                    | 44 ++++++++++++++++++++
 debian/gnupg.install                    |  1 +
 debian/migrate-pubring-from-classic-gpg | 74 +++++++++++++++++++++++++++++++++
 4 files changed, 126 insertions(+)

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..524a9a0
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,7 @@
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+  * The gnupg package now provides the "modern" version of GnuPG.
+  * Please read /usr/share/doc/gnupg/README.Debian for details about the
+    transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>  Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..8dbd3f1
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-6+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+  * supporting daemons are auto-launched as needed
+
+  * all access to secret key material is handled by gpg-agent
+
+  * all smartcard access is handled by scdaemon
+
+  * all network access is handled by dirmngr
+
+  * PGPv3 keys are no longer supported
+
+  * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+    instead in $GNUPGHOME/private-keys-v1.d/
+
+  * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+    default for new users.  Upgrading users will continue to use
+    pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+   gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however.  If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Fri,  1 Apr 2016 09:57:57 -0300
diff --git a/debian/gnupg.install b/debian/gnupg.install
index b4b337b..862116a 100644
--- a/debian/gnupg.install
+++ b/debian/gnupg.install
@@ -12,3 +12,4 @@ debian/tmp/usr/share/gnupg/gpg-conf.skel
 debian/tmp/usr/share/gnupg/help.*.txt
 debian/tmp/usr/share/locale
 tools/lspgpot usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
diff --git a/debian/migrate-pubring-from-classic-gpg b/debian/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..65fa770
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\  | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+    printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+    exit 1
+fi    
+
+usage() {
+    printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+    usage >&2
+    exit 1
+else
+    case "$1" in
+        --help|--usage|-h)
+            usage
+            exit
+            ;;
+        --default)
+            ;;
+        *)
+            GHD="$1"
+            ;;
+    esac
+fi
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+    printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+    exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+    mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+    printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+    exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+"$GPG" --import < "$BACKUP/pubring.gpg"
+"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"$GPG" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+    printf 'No keybox was created at %s/pubring.kbx.  Something went wrong!\n' "$GHD" >&2
+    exit 1
+fi
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2 
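Review bot: The gpg invocations at the end of the script never receive the directory chosen on the command line: `GHD="$1"` affects only the file tests, `mktemp` and `mv`, while `"$GPG" --export-ownertrust`, `--import`, `--import-ownertrust` and `--check-trustdb` run without `--homedir` and so act on whatever homedir the environment selects. With a non-default GPGHOMEDIR the script would move that directory's pubring.gpg into the backup and then import its keys into the default homedir instead, with the ownertrust round-tripped from the wrong directory. Adding `export GNUPGHOME="$GHD"` right after the `case` block would bind every gpg call to the selected directory. Separately, no step's exit status is checked: a failed `mktemp -d` leaves `BACKUP` empty so the `mv` targets `/`, and a failed `--import` leaves pubring.gpg moved away while the final test can still pass on a pre-existing pubring.kbx; `set -e` near the top, or `|| exit 1` on the `mktemp`, `mv` and `--import` lines, would stop at the first failure.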

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


