GPGME - GnuPG Made Easy
---------------------------
- !!!! THIS IS WORK IN PROGRESS !!!
+ Copyright 2004, 2006, 2010, 2012 g10 Code GmbH
-If you want to hack on it, start with one of the `tests/gpg/t-foo'
-programs.
+This file is free software; as a special exception the author gives
+unlimited permission to copy and/or distribute it, with or without
+modifications, as long as this notice is preserved.
-For support of the OpenPGP protocol (default), you need the latest CVS
-version of GnuPG 1.2, see `http://www.gnupg.org/cvs-access.html'.
+This file is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE.
-You need at least GnuPG 1.2.0.
-If configure can't find the `gpg' binary in your path, you can specify
-the location with the --with-gpg=/path/to/gpg argument to configure.
+Introduction
+--------------
+
+GnuPG Made Easy (GPGME) is a C language library that allows to add
+support for cryptography to a program. It is designed to make access
+to public key crypto engines like GnuPG or GpgSM easier for
+applications. GPGME provides a high-level crypto API for encryption,
+decryption, signing, signature verification and key management.
+
+GPGME uses GnuPG and GpgSM as its backends to support OpenPGP and the
+Cryptographic Message Syntax (CMS).
+
+GPGME runs best on GNU/Linux or *BSD systems. Other Unices may
+require small portability fixes, send us your patches.
+
+See the file COPYING.LESSER and each file for copyright and warranty
+information.
+
+
+Installation
+--------------
+See the file INSTALL for generic installation instructions.
+
+Check that you have unmodified sources. See below on how to do this.
+Don't skip it - this is an important step!
+
+To build GPGME, you need to install libgpg-error (>= 1.8) and
+Libassuan (>= 2.0.2).
+
+For support of the OpenPGP protocol (default), you should use the
+latest version of GnuPG (>= 1.4) , available at:
+ftp://ftp.gnupg.org/gcrypt/gnupg/
For support of the CMS (Cryptographic Message Syntax) protocol, you
-need the latest CVS version of GpgSM, module name `newpg', at
-`:pserver:anoncvs@cvs.gnupg.org:/cvs/aegypten'.
+need a GnuPG version >= 2.0.
-You need at least GpgSM 0.9.0.
+If configure can't find the `gpg' binary in your path, you can specify
+the location with the --with-gpg=/path/to/gpg argument to configure.
If configure can't find the `gpgsm' binary in your path, you can
specify the location with the --with-gpgsm=/path/to/gpgsm argument to
configure.
-To enable the CryptPlug GPGME PlugIn for both protocols, use the
-`--enable-gpgmeplug' option to the configure script. `gpgmeplug' is
-experimental and you should not assume that it will stay with gpgme.
-The plug-ins are installed by `make install' in `pkglibdir', normally
-`PREFIX/lib/gpgme'.
+For building the GIT version of GPGME please see the file README.GIT
+for more information.
+
+
+How to Verify the Source
+--------------------------
+
+In order to check that the version of GPGME which you are going to
+install is an original and unmodified one, you can do it in one of the
+following ways:
-Before building the CVS version following the generic install
-instructions in `INSTALL', you need to set up the build scripts with
-`./autogen.sh'. To build the W32 version, use `./autogen.sh
---build-w32'. You also need to enable maintainer mode at configure
-time with `--enable-maintainer-mode', or the documentation will not
-built (because the version.texi won't be generated unless maintainer
-mode is enabled).
+a) If you have a trusted Version of GnuPG installed, you can simply check
+ the supplied signature:
+
+ $ gpg --verify gpgme-x.y.z.tar.gz.sig
+
+ This checks that the detached signature gpgme-x.y.z.tar.gz.sig is
+ indeed a a signature of gpgme-x.y.z.tar.gz. The key used to create
+ this signature is either of:
+
+ "pub 2048R/4F25E3B6 2011-01-12 Werner Koch (dist sig)"
+ "pub 1024D/87978569 1999-05-13
+ Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
+ Marcus Brinkmann <mb@g10code.com>"
+
+ If you do not have this key, you can get it from any keyserver. You
+ have to make sure that this is really the key and not a faked one.
+ You can do this by comparing the output of:
+
+ $ gpg --fingerprint 0x4F25E3B6
+
+ with the fingerprint published elsewhere.
+
+b) If you don't have any of the above programs, you have to verify
+ the SHA1 checksum:
+
+ $ sha1sum gpgme-x.y.z.tar.gz
+
+ This should yield an output _similar_ to this:
+
+ fd9351b26b3189c1d577f0970f9dcadc3412def1 gpgme-x.y.z.tar.gz
+
+ Now check that this checksum is _exactly_ the same as the one
+ published via the announcement list and probably via Usenet.
+
+
+Documentation
+---------------
+
+For information how to use the library you can read the info manual,
+which is also a reference book, in the doc/ directory. The programs
+in the tests/gpg/ directory may also prove useful.
Please subscribe to the gnupg-devel@gnupg.org mailing list if you want
to do serious work.
+
+For hacking on GPGME, please have a look at doc/HACKING.
projects / gpgme.git / blobdiff