X-Git-Url: https://the.earth.li/gitweb/?a=blobdiff_plain;f=onak.ini.in;h=fd6b9e499481245ba0645033e0f00744c96b5a09;hb=6d60149434eed130c201d4d670ce7b3be5c2866b;hp=465b4e5362a592843fe6a0f5592ba00b1578bf03;hpb=a04a68c405b6927a6b4fdf9682f697847036ecf7;p=onak.git
diff --git a/onak.ini.in b/onak.ini.in
index 465b4e5..fd6b9e4 100644
--- a/onak.ini.in
+++ b/onak.ini.in
@@ -3,27 +3,49 @@ ; [main] backend=defaultdb4 -backends_dir=@LIBDIR@/onak/backends -logfile=@STATEDIR@/log/onak.log +backends_dir=@CMAKE_INSTALL_FULL_LIBDIR@/onak/backends +logfile=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/onak.log ; Loglevel : 0 is highest debug, default is 3, nothing is 7+ loglevel=3 ; Should we use the keyd backend? use_keyd=false -sock_dir=@RUNDIR@ +sock_dir=@CMAKE_INSTALL_FULL_RUNSTATEDIR@/onak ; Maximum number of keys to return in a reply to an index, verbose index or ; get. Setting it to -1 will allow any size of reply. max_reply_keys=128 ; Settings related to key verification options available. [verification] +; Blacklist certain fingerprints (e.g. EVIL32). One fingerprint per line, +; comment lines start with # +;blacklist=blacklist.txt +; Check the size of packets, dropping overly large UIDs / signature packets +; as per draft-dkg-openpgp-abuse-resistant-keystore 4.1 +;check_packet_size=false ; Verify signature hashes - verify that the hash a signature claims to be ; over matches the hash of the data. Does not actually verify the signature. check_sighash=true +; Drop v3 (and older) keys. These are long considered insecure, so unless there +; is a good reason you should accept this default. +drop_v3=true +; Specify that a key must have a certificate from another key in order for it +; to be accepted. Only valid when verify_signatures is set, meaning new keys +; can only be added if they are certified by keys already present. +;require_other_sig=false +; Only allow keys that already exist to be update; silently drop the addition +; of any key we don't already know about. Useful for allowing updates to +; curated keys without the addition of new keys. +;update_only=false +; Verify signatures, dropping those that cannot or do not validate. Keys/UIDS +; that lack valid self signatures will also be dropped. 
Note that in order to +; valid a signature the signing key must be present in the key database, so +; multiple passes may be required to import new keyrings fully. +;verify_signatures=false ; Settings related to the email interface to onak. [mail] maintainer_email=PGP Key Server Administrator -mail_dir=@STATEDIR@/spool/onak +mail_dir=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/spool/onak ; Specify the envelope sender address as the -f argument to ; sendmail. This is the address which will receive any bounces. ; If you don't use sendmail, then change this to an equivalent command. @@ -49,7 +71,7 @@ this_site=pgp-public-keys@the.earth.li [backend:defaultdb4] ; The default DB4 backend. Recommended. type=db4 -location=@STATEDIR@/lib/onak +location=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/lib/onak [backend:examplehkp] ; An example HKP backend; all operations will be done against the
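Review bot: The commented example `;blacklist=blacklist.txt` in the `[verification]` block of the first hunk is the only path in this file that is relative, and its comment does not say which directory it is resolved against. If the lookup depends on the working directory (not visible in this hunk), the different onak programs, for example keyd and the mail interface, could each read a different file or none, and the blacklist would then be skipped with no indication. I would show an absolute path in the example, e.g. `;blacklist=@CMAKE_INSTALL_FULL_SYSCONFDIR@/onak/blacklist.txt` (directory chosen for illustration), and state in the comment what happens when the file cannot be opened. Separately, `sock_dir` now points at a dedicated `onak` subdirectory of the run-state directory, so whatever installs or starts the service has to create it with the intended owner and mode; this template does not cover that. Two comment typos in the same block: `to be update` should read `to be updated`, and `valid a signature` should read `validate a signature`.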