From: Daniel Kahn Gillmor Date: Fri, 22 Aug 2008 05:47:46 +0000 (-0400) Subject: documenting new patched GnuTLS offerings. X-Git-Tag: monkeysphere_0.12-1~77 X-Git-Url: https://codewiz.org/gitweb?a=commitdiff_plain;h=48067bbda5a53150ae4810544ead38c06f23c0a3;p=monkeysphere.git documenting new patched GnuTLS offerings. --- diff --git a/website/download.mdwn b/website/download.mdwn index dbae309..3a2252e 100644 --- a/website/download.mdwn +++ b/website/download.mdwn 
@@ -9,9 +9,29 @@ You can add this repo to your system by putting the following lines in deb http://monkeysphere.info/debian experimental monkeysphere deb-src http://monkeysphere.info/debian experimental monkeysphere -The repository is currently signed by [Daniel Kahn Gillmor's OpenPGP key](http://fifthhorseman.net/dkg.gpg "dkg's key"), key id D21739E9 +The repository is currently signed by [Daniel Kahn Gillmor's OpenPGP +key](http://fifthhorseman.net/dkg.gpg "dkg's key"), key id D21739E9 (fingerprint: `0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9`). -To cryptographically verify the packages, you'll want to [add `dkg`'s key to your apt configuration](http://cmrg.fifthhorseman.net/wiki/apt/importing-keys "Instructions for adding dkg's key to apt") +To cryptographically verify the packages, you'll want to [add `dkg`'s +key to your apt +configuration](http://cmrg.fifthhorseman.net/wiki/apt/importing-keys +"Instructions for adding dkg's key to apt") + +### Enhancements ### + +As of 2008-08-22, If you run debian lenny you're very close to being +able to run a fully monkeysphere-enabled system. One gap in the +system is that lenny's GnuTLS can't support the `monkeysphere +subkey-to-ssh-agent` subcommand. + +You can install a patched version of GnuTLS to enable this feature of +the MonkeySphere by adjusting the monkeysphere `sources.list` lines to +include the `gnutls` component. So they'd look like this instead: + + deb http://monkeysphere.info/debian experimental monkeysphere gnutls + deb-src http://monkeysphere.info/debian experimental monkeysphere gnutls + +You can [read more about this offering](/news/modified-gnutls-2.4.x-available.mdwn). ## git repositories ## diff --git a/website/news/modified-gnutls-2.4.x-available.mdwn b/website/news/modified-gnutls-2.4.x-available.mdwn new file mode 100644 index 0000000..d933675 --- /dev/null +++ b/website/news/modified-gnutls-2.4.x-available.mdwn 
@@ -0,0 +1,41 @@ +[[meta title="Modified GnuTLS 2.4.x available"]] + +The MonkeySphere project is now making available a patched version of +[GnuTLS](http://gnutls.org/) version 2.4.x, which enhances the utility +of the `monkeysphere` package by enabling it to read authentication +subkeys emitted by [GnuPG](http://gnupg.org/) under certain +circumstances. + +You can track this package in debian lenny by adding the following +lines to `/etc/apt/sources.list`: + + deb http://monkeysphere.info/debian experimental gnutls + deb-src http://monkeysphere.info/debian experimental gnutls + +Or you can patch and build the packages yourself with the patches and +scripts provided in [the MonkeySphere git repo](/download). + +The only modification needed simply enables the library to parse a GNU +extension to the String-to-key (S2K) mechanism as laid out in [RFC +4880](http://tools.ietf.org/html/rfc4880#section-3.7). + +The specific S2K extension supported is known as gnu-dummy, and it +simply allows a "secret" key block to be written *without* storing any +of the secret key material. This is used by GnuPG on the primary key +when the `--export-secret-subkeys` argument is given. + +You can read notes about the GNU S2K extensions in DETAILS from GnuPG, +which you can fetch this way: + + svn co svn://cvs.gnupg.org/gnupg/trunk/doc + less doc/DETAILS + +A version of this patch was first proposed [on +`gnutls-dev`](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html), +and looks like it will be adopted upstream in the GnuTLS 2.6.x series, +at which point these packages will be unnecessary. + +Until that time, these packages are provided to tide over users of +`monkeysphere` on debian lenny (or compatible systems) who want to be +able to hand off the authentication-capable OpenPGP subkeys in their +GnuPG keyring to their SSH agent.
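Review bot: in the `website/download.mdwn` hunk, the link target `/news/modified-gnutls-2.4.x-available.mdwn` carries the source-file extension; ikiwiki resolves page links by page name, so `[read more about this offering](/news/modified-gnutls-2.4.x-available)` is what will actually render. Same hunk: "As of 2008-08-22, If you run debian lenny" has a stray capital after the comma, and "the MonkeySphere" / "monkeysphere" are both used for the package within a few lines. Since this section is what asks a lenny user to let a third-party component replace `libgnutls` from the distribution, it should also name the package and version string being published and how to return to the stock package (drop the `gnutls` component, or pin it) once the fix lands upstream, rather than only pointing at the news page.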
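Review bot: in the new `website/news/modified-gnutls-2.4.x-available.mdwn`, the `sources.list` lines (`deb http://monkeysphere.info/debian experimental gnutls`) list only the `gnutls` component, while `download.mdwn` in the same commit shows `experimental monkeysphere gnutls`; a reader who copies from the news page ends up with two entries for the same suite, and one who replaces the existing line silently loses the `monkeysphere` component. Either show both components here or say "add `gnutls` to the existing monkeysphere line". Two smaller points: "under certain circumstances" in the opening paragraph is vague when the circumstance is given later (keyrings written with `--export-secret-subkeys`, where the primary key is a `gnu-dummy` stub with no secret material), so state it up front; and "patch and build the packages yourself with the patches and scripts provided in the MonkeySphere git repo" links to `/download` but never says where in the repository those patches and scripts live, so name the path. The `svn co` example is fine as written (`svn co svn://cvs.gnupg.org/gnupg/trunk/doc` checks out into `./doc`, so `less doc/DETAILS` works), but the actual GnuTLS patch is only reachable via the mailing-list post; linking the patch file itself would let readers verify what is being applied.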