;
[main]
backend=defaultdb4
-backends_dir=@LIBDIR@/onak/backends
-logfile=@STATEDIR@/log/onak.log
+backends_dir=@CMAKE_INSTALL_FULL_LIBDIR@/onak/backends
+logfile=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/onak.log
; Loglevel : 0 is highest debug, default is 3, nothing is 7+
loglevel=3
; Should we use the keyd backend?
use_keyd=false
-sock_dir=@RUNDIR@
+sock_dir=@CMAKE_INSTALL_FULL_RUNSTATEDIR@/onak
; Maximum number of keys to return in a reply to an index, verbose index or
; get. Setting it to -1 will allow any size of reply.
max_reply_keys=128
; Settings related to key verification options available.
[verification]
+; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line,
+; comment lines start with #
+;blacklist=blacklist.txt
+; Check the size of packets, dropping overly large UIDs / signature packets
+; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1
+;check_packet_size=false
; Verify signature hashes - verify that the hash a signature claims to be
; over matches the hash of the data. Does not actually verify the signature.
check_sighash=true
+; Drop v3 (and older) keys. These are long considered insecure, so unless there
+; is a good reason you should accept this default.
+drop_v3=true
+; Specify that a key must have a certificate from another key in order for it
+; to be accepted. Only valid when verify_signatures is set, meaning new keys
+; can only be added if they are certified by keys already present.
+;require_other_sig=false
+; Only allow keys that already exist to be update; silently drop the addition
+; of any key we don't already know about. Useful for allowing updates to
+; curated keys without the addition of new keys.
+;update_only=false
+; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS
+; that lack valid self signatures will also be dropped. Note that in order to
+; valid a signature the signing key must be present in the key database, so
+; multiple passes may be required to import new keyrings fully.
+;verify_signatures=false
; Settings related to the email interface to onak.
[mail]
maintainer_email=PGP Key Server Administrator <pgp-keyserver-admin@the.earth.li>
-mail_dir=@STATEDIR@/spool/onak
+mail_dir=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/spool/onak
; Specify the envelope sender address as the -f argument to
; sendmail. This is the address which will receive any bounces.
; If you don't use sendmail, then change this to an equivalent command.
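Review bot: The new `[verification]` comments never state that, as far as this file shows, the shipped settings validate no signature cryptographically: `check_sighash=true` is documented as not verifying the signature, and `;verify_signatures=false` is left commented out with a false value. A line above `verify_signatures` such as `; Off unless enabled: keys and certifications are then stored without their signatures being validated.` would make that posture explicit to operators, and the `require_other_sig` comment could say outright that it is ignored while `verify_signatures` is off. The same added block has wording slips worth fixing in this change: `to be update` should read `to be updated`, `valid a signature` should read `validate a signature`, and `UIDS` should be `UIDs`. Separately, `sock_dir` now points at an `/onak` subdirectory of the run-state directory. Nothing visible here shows who creates that directory or with which owner and mode, which is worth confirming since it presumably holds the keyd socket.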
[backend:defaultdb4]
; The default DB4 backend. Recommended.
type=db4
-location=@STATEDIR@/lib/onak
+location=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/lib/onak
[backend:examplehkp]
; An example HKP backend; all operations will be done against the