gpg/gpgme
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
Repository files navigation
GPGME - GnuPG Made Easy
---------------------------
Copyright 2001-2026 g10 Code GmbH
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
Introduction
--------------
GnuPG Made Easy (GPGME) is a C language library that allows to add
support for cryptography to a program. It is designed to make access
to public key crypto engines like GnuPG or GpgSM easier for
applications. GPGME provides a high-level crypto API for encryption,
decryption, signing, signature verification and key management.
GPGME comes with language bindings for Common Lisp. Language bindings
for C++, Qt, and Python are available in separate repositories.
GPGME uses GnuPG as its backend to support OpenPGP and the
Cryptographic Message Syntax (CMS).
See the files COPYING, COPYING.LESSER, and each file for copyright and
warranty information. The file AUTHORS has a list of authors and
useful web and mail addresses.
Installation
--------------
See the file INSTALL for generic installation instructions.
Check that you have unmodified sources. See below on how to do this.
Don't skip it - this is an important step!
To build GPGME, you need to install libgpg-error (>= 1.36) and
Libassuan (>= 2.4.2).
For support of the OpenPGP and the CMS protocols, you should use at
least GnuPG version 2.2.41 or 2.4.3, available at:
https://gnupg.org/ftp/gcrypt/gnupg/.
For building the Git version of GPGME please see the file README.GIT
for more information.
How to Verify the Source
--------------------------
In order to check that the version of GPGME which you are going to
install is an original and unmodified one, you can do it in one of the
following ways:
a) If you have a trusted Version of GnuPG installed, you can simply check
the supplied signature:
$ gpg --verify gpgme-x.y.z.tar.gz.sig gpgme-x.y.z.tar.gz
This checks that the detached signature gpgme-x.y.z.tar.gz.sig is
indeed a a signature of gpgme-x.y.z.tar.gz.
The keys used to create a signature are available at
<https://gnupg.org/signature_key.html> and in released GnuPG
tarballs in the file g10/distsigkey.gpg . You have to make sure
that these are really the desired keys and not faked one. You
should do this by comparing the fingerprints with the fingerprints
published for example with all GnuPG related release announcements.
b) If you don't have any of the above programs, you have to verify
the SHA1 checksum:
$ sha1sum gpgme-x.y.z.tar.gz
This should yield an output _similar_ to this:
fd9351b26b3189c1d577f0970f9dcadc3412def1 gpgme-x.y.z.tar.gz
Now check that this checksum is _exactly_ the same as the one
published via the announcement list and probably via Usenet.
Documentation
---------------
For information how to use the library you can read the info manual,
which is also a reference book, in the doc/ directory. The programs
in the tests/ directory may also prove useful.
Please subscribe to the gnupg-devel@gnupg.org mailing list if you want
to do serious work.
For hacking on GPGME, please have a look at doc/HACKING.