;
[main]
backend=defaultdb4
-backends_dir=@LIBDIR@/onak/backends
-logfile=@STATEDIR@/log/onak.log
+backends_dir=@CMAKE_INSTALL_FULL_LIBDIR@/onak/backends
+logfile=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/onak.log
; Loglevel : 0 is highest debug, default is 3, nothing is 7+
loglevel=3
; Should we use the keyd backend?
use_keyd=false
-sock_dir=@RUNDIR@
+sock_dir=@CMAKE_INSTALL_FULL_RUNSTATEDIR@/onak
; Maximum number of keys to return in a reply to an index, verbose index or
; get. Setting it to -1 will allow any size of reply.
max_reply_keys=128
; Settings related to key verification options available.
[verification]
+; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line,
+; comment lines start with #
+;blacklist=blacklist.txt
+; Check the size of packets, dropping overly large UIDs / signature packets
+; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1
+;check_packet_size=false
; Verify signature hashes - verify that the hash a signature claims to be
; over matches the hash of the data. Does not actually verify the signature.
check_sighash=true
+; Drop v3 (and older) keys. These are long considered insecure, so unless there
+; is a good reason you should accept this default.
+drop_v3=true
+; Specify that a key must have a certificate from another key in order for it
+; to be accepted. Only valid when verify_signatures is set, meaning new keys
+; can only be added if they are certified by keys already present.
+;require_other_sig=false
+; Only allow keys that already exist to be update; silently drop the addition
+; of any key we don't already know about. Useful for allowing updates to
+; curated keys without the addition of new keys.
+;update_only=false
+; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS
+; that lack valid self signatures will also be dropped. Note that in order to
+; valid a signature the signing key must be present in the key database, so
+; multiple passes may be required to import new keyrings fully.
+;verify_signatures=false
; Settings related to the email interface to onak.
[mail]
maintainer_email=PGP Key Server Administrator <pgp-keyserver-admin@the.earth.li>
-mail_dir=@STATEDIR@/spool/onak
+mail_dir=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/spool/onak
; Specify the envelope sender address as the -f argument to
; sendmail. This is the address which will receive any bounces.
; If you don't use sendmail, then change this to an equivalent command.
; Database backend configurations below here
[backend:defaultdb4]
+; The default DB4 backend. Recommended.
type=db4
-location=@STATEDIR@/lib/onak
+location=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/lib/onak
+
+[backend:examplehkp]
+; An example HKP backend; all operations will be done against the
+; provided keyserver, with no local storage.
+type=hkp
+location=hkp://the.earth.li/
+
+[backend:examplestacked]
+; A stacked set of backends. All fetch operations will be tried against
+; the provided list of backends, from left to right, until one succeeds.
+; All store operations are against the first backend.
+; If a fetch does not succeed against the first backend, but against a
+; later one, then the returned keys are also stored in the first backend.
+; This example configuration essentially produces a caching keyserver,
+; with any key fetched from the HKP backend being stored in the DB4
+; backend.
+; Note keys are not expired from the DB4 backend, so without any other
+; update mechanism configured this will result in stale data eventually.
+type=stacked
+location=defaultdb4:examplehkp
projects / onak.git / blobdiff