[Pkg-gnupg-commit] [gnupg2] 136/159: gpg: Improve header text of the auto-created revocations.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 27 13:24:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit bb99b40bd1e624f58ca806ca16dc73d4d594a30a
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Jan 21 18:30:51 2016 +0100

    gpg: Improve header text of the auto-created revocations.
    
    * g10/revoke.c (gen_standard_revoke): Improve header text for the
    file.  Add info output.
    --
    
    GnuPG-bug-id: 1724
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 doc/DETAILS  |  5 -----
 doc/gpg.texi | 20 ++++++++++++++++----
 g10/revoke.c | 13 ++++++++++---
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/doc/DETAILS b/doc/DETAILS
index 69c2e5b..7d5a5a8 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -950,11 +950,6 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
   All other data after this header is raw image (JPEG) data.
 
 
-* Unattended key generation
-
-   Please see the GnuPG manual for a description.
-
-
 * Layout of the TrustDB
 
   The TrustDB is built from fixed length records, where the first byte
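Review bot: the removal of the "Unattended key generation" pointer from doc/DETAILS is not mentioned anywhere in the commit message, which lists only the g10/revoke.c change; please add a ChangeLog line such as `* doc/DETAILS: Remove pointer to the unattended key generation section.` so the rationale (the section lives in the manual now) is recorded alongside the change.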
diff --git a/doc/gpg.texi b/doc/gpg.texi
index c6731c0..e1835cf 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -587,7 +587,9 @@ may be used.
 @item --gen-key
 @opindex gen-key
 Generate a new key pair using the current default parameters.  This is
-the standard command to create a new key.
+the standard command to create a new key.  In addition to the key a
+revocation certificate is created and stored in the
+ at file{openpgp-revocs.d} directory below the GnuPG home directory.
 
 @item --full-gen-key
 @opindex gen-key
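Review bot: the context line `@opindex gen-key` directly under `@item --full-gen-key` looks like a copy-and-paste slip that should read `@opindex full-gen-key`, otherwise the index entry for the new command points at the wrong option; since this hunk already touches the neighbouring paragraph it is a good place to fix it. The added sentence would also read more smoothly with a comma after "key": "In addition to the key, a revocation certificate is created ...".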
@@ -595,13 +597,23 @@ Generate a new key pair with dialogs for all options.  This is an
 extended version of @option{--gen-key}.
 
 There is also a feature which allows you to create keys in batch
-mode. See the the manual section ``Unattended key generation'' on how
+mode. See the manual section ``Unattended key generation'' on how
 to use this.
 
 @item --gen-revoke @code{name}
 @opindex gen-revoke
-Generate a revocation certificate for the complete key. To revoke
-a subkey or a signature, use the @option{--edit} command.
+Generate a revocation certificate for the complete key.  To only revoke
+a subkey or a key signature, use the @option{--edit} command.
+
+This command merely creates the revocation certificate so that it can
+be used to revoke the key if that is ever needed.  To actually revoke
+a key the created revocation certificate needs to be merged with the
+key to revoke.  This is done by importing the revocation certificate
+using the @option{--import} command.  Then the revoked key needs to be
+published, which is best done by sending the key to a keyserver
+(command @option{--send-key}) and by exporting (@option{--export}) it
+to a file which is then send to frequent communication partners.
+
 
 @item --desig-revoke @code{name}
 @opindex desig-revoke
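Review bot: typo in the new paragraph, `+to a file which is then send to frequent communication partners.` should read "sent". The trailing `+` blank line also stacks on the existing blank line before `@item --desig-revoke`, leaving a double blank; drop one of them.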
diff --git a/g10/revoke.c b/g10/revoke.c
index ba87f35..a8f7658 100644
--- a/g10/revoke.c
+++ b/g10/revoke.c
@@ -564,14 +564,18 @@ gen_standard_revoke (PKT_public_key *psk, const char *cache_nonce)
               (int)len, tmpstr);
   xfree (tmpstr);
 
-  es_fprintf (memfp, "%s\n\n%s\n\n:",
+  es_fprintf (memfp, "%s\n\n%s\n\n%s\n\n:",
+     _("A revocation certificate is a kind of \"kill switch\" to publicly\n"
+       "declare that a key shall not anymore be used.  It is not possible\n"
+       "to retract such a revocation certificate once it has been published."),
      _("Use it to revoke this key in case of a compromise or loss of\n"
        "the secret key.  However, if the secret key is still accessible,\n"
        "it is better to generate a new revocation certificate and give\n"
-       "a reason for the revocation."),
+       "a reason for the revocation.  For details see the description of\n"
+       "of the gpg command \"--gen-revoke\" in the GnuPG manual."),
      _("To avoid an accidental use of this file, a colon has been inserted\n"
        "before the 5 dashes below.  Remove this colon with a text editor\n"
-       "before making use of this revocation certificate."));
+       "before importing and publishing this revocation certificate."));
 
   es_putc (0, memfp);
 
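Review bot: duplicated word across the two new string lines, `"a reason for the revocation.  For details see the description of\n"` followed by `"of the gpg command \"--gen-revoke\" in the GnuPG manual."`, so the header will read "description of of the gpg command"; drop the second "of". Since this text is wrapped in `_()` and will go out to translators, it is worth getting right before the string freeze.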
@@ -583,6 +587,9 @@ gen_standard_revoke (PKT_public_key *psk, const char *cache_nonce)
   reason.code = 0x00; /* No particular reason.  */
   reason.desc = NULL;
   rc = create_revocation (fname, &reason, psk, NULL, leadin, 3, cache_nonce);
+  if (!rc && !opt.quiet)
+    log_info (_("revocation certificate stored as '%s.rev'\n"), fname);
+
   xfree (leadin);
   xfree (fname);
 
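Review bot: the new `log_info (_("revocation certificate stored as '%s.rev'\n"), fname);` hard-codes the `.rev` suffix in the message rather than reporting the path that `create_revocation (fname, ...)` actually wrote, so the two can silently diverge if the naming inside `create_revocation` ever changes; prefer to build the final file name once and pass the same string to both, or have `create_revocation` return or log the name it used. It would also help to mirror this in the gpg.texi hunk, which tells the user only the directory and not the `.rev` file name.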

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git

