Fix PASSWD to allow changing to an empty passphrase for PKI files.

[pwmd.git] / NEWS

PWMD v3.0.0
-----------
This version contains quite a few changes and enhancements. Most
commands and syntax have changed in this release so please read the
example configuration file and the generated texinfo documentation in
doc/pwmd.info, after doing ./configure && make.

You will need to convert your existing pwmd v2.x data file to the new
format by doing the following:

        $ pwmd --convert datafile -o newfile

then place "newfile" in ~/.pwmd/data. This will generate a new public
and private key pair (when using gpg-agent support by specifying
--use-agent) and prompt for the passphrase to use for protecting the
secret key. The secret portion of the key is stored in
~/.gnupg/private-keys-v1.d/ by gpg-agent. No keypair is generated by
default; the data file is symmetrically encrypted.

Pwmd now supports the use of the gpg-agent for passphrase caching and
key management. This means smartcards are also supported. A "stub" of
the secret key is stored in the above mentioned key directory, but the
secret portion of the key is stored on the smartcard. To convert your
existing data while encrypting to an existing public key, pass the
--keygrip option with --convert or --import along with
--use-agent. You may also need to pass the --sign-keygrip, too. See
the pwmd manual for details.

The XML document is now cached in pwmd when the passphrase is cached
in gpg-agent. This is needed to prevent requiring a smartcard to be
inserted for each OPEN command although it can be required by setting
the CACHETIMEOUT to 0. pwmd will operate on a copy of the cached
document and update the cached one after a SAVE. It is also much
faster than having to decrypt the data file during each OPEN although
the cached document is still encrypted, it is only encrypted with 1
iteration and with a generated key.

Ported to POSIX threads (pthreads).

Renamed error codes:
    PWMD_LIBXML_ERROR -> GPG_ERR_BAD_DATA
    PWMD_NO_FILE -> GPG_ERR_INV_STATE
    PWMD_FILE_MODIFIED -> GPG_ERR_CHECKSUM

Most commands now have an --inquire option to retrieve remaining
non-option arguments via a server inquire. This avoids the assuan line
length limit for longer element paths.

Added the PASSWD command to change the passphrase of a secret key or a
symmetrically encrypted key (SAVE --no-agent).

Added the AGENT command to send a command directly to gpg-agent.

Added the GETINFO command to retrieve server details. This removes the
VERSION and GETPID commands.

Removed the CONFIG and KEEPALIVE status messages.

Added the NEWFILE status message to determine when the file OPEN'ed is
a new one.

Added ISCACHED --lock to lock the file mutex. This doesn't require an
OPEN'd file. It was added to prevent a race condition with another
client accessing the same file when one client needed to determine the
cache status before the OPEN.

Texinfo documentation.

Commands that normally returned GPG_ERR_NO_VALUE now return
GPG_ERR_NO_DATA.

The --iterations command line, configuration and SAVE options have
been renamed to "s2k-count". The PASSWD command can be used to change
this value for an existing secret key.

The CLEARCACHE command returns an error when the file mutex associated
with the data file is locked by another client. Although an error is
returned the cached file is flagged for cache removal which will occur
when the data file mutex is released.

Added LIST --all to retrieve the entire element tree. Flags are
appended to each element path when this option is used. See the
documentation for details.

The checksum is now a CRC32 checksum rather than a stat() of the ctime
of the data file.

Data files are now portable across architectures and endianness.

Can now listen for remote connections via TLS (IPv4 and IPv6) as well
as the local UNIX domain socket.

Added tests. Run them with 'make tests' in the tests/ directory.

More portable: *BSD, SunOS/Solaris/OpenSolaris, Android and Linux and
32 and 64 bit versions of these as well as little and big endian.

Removed the libglib-2.0 dependency.