{ "mode": "info", "parameter": "gpg-agent", "section": "", "url": "https://www.chedong.com/phpMan.php/info/gpg-agent/json", "generated": "2026-06-17T21:44:00Z", "sections": { "Using the GNU Privacy Guard": { "content": "This is the 'The GNU Privacy Guard Manual' (version 2.2.27, December\n2020).\n\n(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.\n(C) 2013, 2014, 2015 Werner Koch.\n(C) 2015, 2016, 2017 g10 Code GmbH.\n\nPermission is granted to copy, distribute and/or modify this\ndocument under the terms of the GNU General Public License as\npublished by the Free Software Foundation; either version 3 of the\nLicense, or (at your option) any later version. The text of the\nlicense can be found in the section entitled \"Copying\".\n\nThis manual documents how to use the GNU Privacy Guard system as well\nas the administration and the architecture.\n\n* Menu:\n\n* Installation:: A short installation guide.\n\n* Invoking GPG-AGENT:: How to launch the secret key daemon.\n* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.\n* Invoking GPG:: Using the OpenPGP protocol.\n* Invoking GPGSM:: Using the S/MIME protocol.\n* Invoking SCDAEMON:: How to handle Smartcards.\n* Specify a User ID:: How to Specify a User Id.\n* Trust Values:: How GnuPG displays trust values.\n\n* Helper Tools:: Description of small helper tools\n* Web Key Service:: Tools for the Web Key Service\n\n* Howtos:: How to do certain things.\n* System Notes:: Notes pertaining to certain OSes.\n* Debugging:: How to solve problems\n\n* Copying:: GNU General Public License says\nhow you can copy and share GnuPG\n* Contributors:: People who have contributed to GnuPG.\n\n* Glossary:: Short description of terms used.\n* Option Index:: Index to command line options.\n* Environment Index:: Index to environment variables and files.\n* Index::\t Index of concepts and symbol names.\n\nFile: gnupg.info, Node: Installation, Next: Invoking GPG-AGENT, Prev: Top, Up: Top\n", "subsections": [] }, "1 A short installation guide": { "content": "Unfortunately the installation guide has not been finished in time.\nInstead of delaying the release of GnuPG 2.0 even further, I decided to\nrelease without that guide. The chapter on gpg-agent and gpgsm do\ninclude brief information on how to set up the whole thing. Please\nwatch the GnuPG website for updates of the documentation. In the\nmeantime you may search the GnuPG mailing list archives or ask on the\ngnupg-users mailing list for advise on how to solve problems or how to\nget that whole thing up and running.\n\nBuilding the software\n\nBuilding the software is described in the file 'INSTALL'. Given that\nyou are already reading this documentation we can only give some extra\nhints.\n\nTo comply with the rules on GNU systems you should have build time\nconfigured 'gnupg' using:\n\n./configure --sysconfdir=/etc --localstatedir=/var\n\nThis is to make sure that system wide configuration files are\nsearched in the directory '/etc' and variable data below '/var'; the\ndefault would be to also install them below '/usr/local' where the\nbinaries get installed. If you selected to use the '--prefix=/' you\nobviously don't need those option as they are the default then.\n\nNotes on setting a root CA key to trusted\n\nX.509 is based on a hierarchical key infrastructure. At the root of\nthe tree a trusted anchor (root certificate) is required. There are\nusually no other means of verifying whether this root certificate is\ntrustworthy than looking it up in a list. GnuPG uses a file\n('trustlist.txt') to keep track of all root certificates it knows about.\nThere are 3 ways to get certificates into this list:\n\n* Use the list which comes with GnuPG. However this list only\ncontains a few root certificates. Most installations will need\nmore.\n\n* Let 'gpgsm' ask you whether you want to insert a new root\ncertificate. This feature is enabled by default; you may disable\nit using the option 'no-allow-mark-trusted' into 'gpg-agent.conf'.\n\n* Manually maintain the list of trusted root certificates. For a\nmulti user installation this can be done once for all users on a\nmachine. Specific changes on a per-user base are also possible.\n\nFile: gnupg.info, Node: Invoking GPG-AGENT, Next: Invoking DIRMNGR, Prev: Installation, Up: Top\n", "subsections": [] }, "2 Invoking GPG-AGENT": { "content": "'gpg-agent' is a daemon to manage secret (private) keys independently\nfrom any protocol. It is used as a backend for 'gpg' and 'gpgsm' as\nwell as for a couple of other utilities.\n\nThe agent is automatically started on demand by 'gpg', 'gpgsm',\n'gpgconf', or 'gpg-connect-agent'. Thus there is no reason to start it\nmanually. In case you want to use the included Secure Shell Agent you\nmay start the agent using:\n\ngpg-connect-agent /bye\n\nIf you want to manually terminate the currently-running agent, you can\nsafely do so with:\n\ngpgconf --kill gpg-agent\n\nYou should always add the following lines to your '.bashrc' or whatever\ninitialization file is used for all shell invocations:\n\nGPGTTY=$(tty)\nexport GPGTTY\n\nIt is important that this environment variable always reflects the\noutput of the 'tty' command. For W32 systems this option is not\nrequired.\n\nPlease make sure that a proper pinentry program has been installed\nunder the default filename (which is system dependent) or use the option\n'pinentry-program' to specify the full name of that program. It is\noften useful to install a symbolic link from the actual used pinentry\n(e.g. '/usr/bin/pinentry-gtk') to the expected one (e.g.\n'/usr/bin/pinentry').\n\n*Note Option Index::, for an index to 'GPG-AGENT''s commands and\noptions.\n\n* Menu:\n\n* Agent Commands:: List of all commands.\n* Agent Options:: List of all options.\n* Agent Configuration:: Configuration files.\n* Agent Signals:: Use of some signals.\n* Agent Examples:: Some usage examples.\n* Agent Protocol:: The protocol the agent uses.\n\nFile: gnupg.info, Node: Agent Commands, Next: Agent Options, Up: Invoking GPG-AGENT\n", "subsections": [ { "name": "2.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed.\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help'\n'-h'\nPrint a usage message summarizing the most useful command-line\noptions. Note that you cannot abbreviate this command.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\n'--server'\nRun in server mode and wait for commands on the 'stdin'. The\ndefault mode is to create a socket and listen for commands there.\n\n'--daemon [COMMAND LINE]'\nStart the gpg-agent as a daemon; that is, detach it from the\nconsole and run it in the background.\n\nAs an alternative you may create a new process as a child of\ngpg-agent: 'gpg-agent --daemon /bin/sh'. This way you get a new\nshell with the environment setup properly; after you exit from this\nshell, gpg-agent terminates within a few seconds.\n\n'--supervised'\nRun in the foreground, sending logs by default to stderr, and\nlistening on provided file descriptors, which must already be bound\nto listening sockets. This command is useful when running under\nsystemd or other similar process supervision schemes. This option\nis not supported on Windows.\n\nIn -supervised mode, different file descriptors can be provided for\nuse as different socket types (e.g. ssh, extra) as long as they\nare identified in the environment variable 'LISTENFDNAMES' (see\nsdlistenfds(3) on some Linux distributions for more information\non this convention).\n\nFile: gnupg.info, Node: Agent Options, Next: Agent Configuration, Prev: Agent Commands, Up: Invoking GPG-AGENT\n" }, { "name": "2.2 Option Summary", "content": "Options may either be used on the command line or, after stripping off\nthe two leading dashes, in the configuration file.\n\n'--options FILE'\nReads configuration from FILE instead of from the default per-user\nconfiguration file. The default configuration file is named\n'gpg-agent.conf' and expected in the '.gnupg' directory directly\nbelow the home directory of the user. This option is ignored if\nused in an options file.\n\n'--homedir DIR'\nSet the name of the home directory to DIR. If this option is not\nused, the home directory defaults to '~/.gnupg'. It is only\nrecognized when given on the command line. It also overrides any\nhome directory stated through the environment variable 'GNUPGHOME'\nor (on Windows systems) by means of the Registry entry\nHKCU\\SOFTWARE\\GNU\\GNUPG:HOMEDIR.\n\nOn Windows systems it is possible to install GnuPG as a portable\napplication. In this case only this command line option is\nconsidered, all other ways to set a home directory are ignored.\n\nTo install GnuPG as a portable application under Windows, create an\nempty file named 'gpgconf.ctl' in the same directory as the tool\n'gpgconf.exe'. The root of the installation is then that\ndirectory; or, if 'gpgconf.exe' has been installed directly below a\ndirectory named 'bin', its parent directory. You also need to make\nsure that the following directories exist and are writable:\n'ROOT/home' for the GnuPG home and 'ROOT/var/cache/gnupg' for\ninternal cache files.\n\n'-v'\n'--verbose'\nOutputs additional information while running. You can increase the\nverbosity by giving several verbose commands to 'gpg-agent', such\nas '-vv'.\n\n'-q'\n'--quiet'\nTry to be as quiet as possible.\n\n'--batch'\nDon't invoke a pinentry or do any other thing requiring human\ninteraction.\n\n'--faked-system-time EPOCH'\nThis option is only useful for testing; it sets the system time\nback or forth to EPOCH which is the number of seconds elapsed since\nthe year 1970.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\n'--debug FLAGS'\nThis option is only useful for debugging and the behavior may\nchange at any time without notice. FLAGS are bit encoded and may\nbe given in usual C-Syntax. The currently defined bits are:\n\n'0 (1)'\nX.509 or OpenPGP protocol related data\n'1 (2)'\nvalues of big number integers\n'2 (4)'\nlow level crypto operations\n'5 (32)'\nmemory allocation\n'6 (64)'\ncaching\n'7 (128)'\nshow memory statistics\n'9 (512)'\nwrite hashed data to files named 'dbgmd-000*'\n'10 (1024)'\ntrace Assuan protocol\n'12 (4096)'\nbypass all certificate validation\n\n'--debug-all'\nSame as '--debug=0xffffffff'\n\n'--debug-wait N'\nWhen running in server mode, wait N seconds before entering the\nactual processing loop and print the pid. This gives time to\nattach a debugger.\n\n'--debug-quick-random'\nThis option inhibits the use of the very secure random quality\nlevel (Libgcrypt's 'GCRYVERYSTRONGRANDOM') and degrades all\nrequest down to standard random quality. It is only used for\ntesting and should not be used for any production quality keys.\nThis option is only effective when given on the command line.\n\nOn GNU/Linux, another way to quickly generate insecure keys is to\nuse 'rngd' to fill the kernel's entropy pool with lower quality\nrandom data. 'rngd' is typically provided by the 'rng-tools'\npackage. It can be run as follows: 'sudo rngd -f -r /dev/urandom'.\n\n'--debug-pinentry'\nThis option enables extra debug information pertaining to the\nPinentry. As of now it is only useful when used along with\n'--debug 1024'.\n\n'--no-detach'\nDon't detach the process from the console. This is mainly useful\nfor debugging.\n\n'-s'\n'--sh'\n'-c'\n'--csh'\nFormat the info output in daemon mode for use with the standard\nBourne shell or the C-shell respectively. The default is to guess\nit based on the environment variable 'SHELL' which is correct in\nalmost all cases.\n\n'--grab'\n'--no-grab'\nTell the pinentry to grab the keyboard and mouse. This option\nshould be used on X-Servers to avoid X-sniffing attacks. Any use\nof the option '--grab' overrides an used option '--no-grab'. The\ndefault is '--no-grab'.\n\n'--log-file FILE'\nAppend all logging output to FILE. This is very helpful in seeing\nwhat the agent actually does. Use 'socket://' to log to socket.\nIf neither a log file nor a log file descriptor has been set on a\nWindows platform, the Registry entry\n'HKCU\\Software\\GNU\\GnuPG:DefaultLogFile', if set, is used to\nspecify the logging output.\n\n'--no-allow-mark-trusted'\nDo not allow clients to mark keys as trusted, i.e. put them into\nthe 'trustlist.txt' file. This makes it harder for users to\ninadvertently accept Root-CA keys.\n\n'--allow-preset-passphrase'\nThis option allows the use of 'gpg-preset-passphrase' to seed the\ninternal cache of 'gpg-agent' with passphrases.\n\n'--no-allow-loopback-pinentry'\n'--allow-loopback-pinentry'\nDisallow or allow clients to use the loopback pinentry features;\nsee the option 'pinentry-mode' for details. Allow is the default.\n\nThe '--force' option of the Assuan command 'DELETEKEY' is also\ncontrolled by this option: The option is ignored if a loopback\npinentry is disallowed.\n\n'--no-allow-external-cache'\nTell Pinentry not to enable features which use an external cache\nfor passphrases.\n\nSome desktop environments prefer to unlock all credentials with one\nmaster password and may have installed a Pinentry which employs an\nadditional external cache to implement such a policy. By using\nthis option the Pinentry is advised not to make use of such a cache\nand instead always ask the user for the requested passphrase.\n\n'--allow-emacs-pinentry'\nTell Pinentry to allow features to divert the passphrase entry to a\nrunning Emacs instance. How this is exactly handled depends on the\nversion of the used Pinentry.\n\n'--ignore-cache-for-signing'\nThis option will let 'gpg-agent' bypass the passphrase cache for\nall signing operation. Note that there is also a per-session\noption to control this behavior but this command line option takes\nprecedence.\n\n'--default-cache-ttl N'\nSet the time a cache entry is valid to N seconds. The default is\n600 seconds. Each time a cache entry is accessed, the entry's\ntimer is reset. To set an entry's maximum lifetime, use\n'max-cache-ttl'. Note that a cached passphrase may not be evicted\nimmediately from memory if no client requests a cache operation.\nThis is due to an internal housekeeping function which is only run\nevery few seconds.\n\n'--default-cache-ttl-ssh N'\nSet the time a cache entry used for SSH keys is valid to N seconds.\nThe default is 1800 seconds. Each time a cache entry is accessed,\nthe entry's timer is reset. To set an entry's maximum lifetime,\nuse 'max-cache-ttl-ssh'.\n\n'--max-cache-ttl N'\nSet the maximum time a cache entry is valid to N seconds. After\nthis time a cache entry will be expired even if it has been\naccessed recently or has been set using 'gpg-preset-passphrase'.\nThe default is 2 hours (7200 seconds).\n\n'--max-cache-ttl-ssh N'\nSet the maximum time a cache entry used for SSH keys is valid to N\nseconds. After this time a cache entry will be expired even if it\nhas been accessed recently or has been set using\n'gpg-preset-passphrase'. The default is 2 hours (7200 seconds).\n\n'--enforce-passphrase-constraints'\nEnforce the passphrase constraints by not allowing the user to\nbypass them using the \"Take it anyway\" button.\n\n'--min-passphrase-len N'\nSet the minimal length of a passphrase. When entering a new\npassphrase shorter than this value a warning will be displayed.\nDefaults to 8.\n\n'--min-passphrase-nonalpha N'\nSet the minimal number of digits or special characters required in\na passphrase. When entering a new passphrase with less than this\nnumber of digits or special characters a warning will be displayed.\nDefaults to 1.\n\n'--check-passphrase-pattern FILE'\nCheck the passphrase against the pattern given in FILE. When\nentering a new passphrase matching one of these pattern a warning\nwill be displayed. FILE should be an absolute filename. The\ndefault is not to use any pattern file.\n\nSecurity note: It is known that checking a passphrase against a\nlist of pattern or even against a complete dictionary is not very\neffective to enforce good passphrases. Users will soon figure up\nways to bypass such a policy. A better policy is to educate users\non good security behavior and optionally to run a passphrase\ncracker regularly on all users passphrases to catch the very simple\nones.\n\n'--max-passphrase-days N'\nAsk the user to change the passphrase if N days have passed since\nthe last change. With '--enforce-passphrase-constraints' set the\nuser may not bypass this check.\n\n'--enable-passphrase-history'\nThis option does nothing yet.\n\n'--pinentry-invisible-char CHAR'\nThis option asks the Pinentry to use CHAR for displaying hidden\ncharacters. CHAR must be one character UTF-8 string. A Pinentry\nmay or may not honor this request.\n\n'--pinentry-timeout N'\nThis option asks the Pinentry to timeout after N seconds with no\nuser input. The default value of 0 does not ask the pinentry to\ntimeout, however a Pinentry may use its own default timeout value\nin this case. A Pinentry may or may not honor this request.\n\n'--pinentry-program FILENAME'\nUse program FILENAME as the PIN entry. The default is installation\ndependent. With the default configuration the name of the default\npinentry is 'pinentry'; if that file does not exist but a\n'pinentry-basic' exist the latter is used.\n\nOn a Windows platform the default is to use the first existing\nprogram from this list: 'bin\\pinentry.exe',\n'..\\Gpg4win\\bin\\pinentry.exe', '..\\Gpg4win\\pinentry.exe',\n'..\\GNU\\GnuPG\\pinentry.exe', '..\\GNU\\bin\\pinentry.exe',\n'bin\\pinentry-basic.exe' where the file names are relative to the\nGnuPG installation directory.\n\n'--pinentry-touch-file FILENAME'\nBy default the filename of the socket gpg-agent is listening for\nrequests is passed to Pinentry, so that it can touch that file\nbefore exiting (it does this only in curses mode). This option\nchanges the file passed to Pinentry to FILENAME. The special name\n'/dev/null' may be used to completely disable this feature. Note\nthat Pinentry will not create that file, it will only change the\nmodification and access time.\n\n'--scdaemon-program FILENAME'\nUse program FILENAME as the Smartcard daemon. The default is\ninstallation dependent and can be shown with the 'gpgconf' command.\n\n'--disable-scdaemon'\nDo not make use of the scdaemon tool. This option has the effect\nof disabling the ability to do smartcard operations. Note, that\nenabling this option at runtime does not kill an already forked\nscdaemon.\n\n'--disable-check-own-socket'\n'gpg-agent' employs a periodic self-test to detect a stolen socket.\nThis usually means a second instance of 'gpg-agent' has taken over\nthe socket and 'gpg-agent' will then terminate itself. This option\nmay be used to disable this self-test for debugging purposes.\n\n'--use-standard-socket'\n'--no-use-standard-socket'\n'--use-standard-socket-p'\nSince GnuPG 2.1 the standard socket is always used. These options\nhave no more effect. The command 'gpg-agent\n--use-standard-socket-p' will thus always return success.\n\n'--display STRING'\n'--ttyname STRING'\n'--ttytype STRING'\n'--lc-ctype STRING'\n'--lc-messages STRING'\n'--xauthority STRING'\nThese options are used with the server mode to pass localization\ninformation.\n\n'--keep-tty'\n'--keep-display'\nIgnore requests to change the current 'tty' or X window system's\n'DISPLAY' variable respectively. This is useful to lock the\npinentry to pop up at the 'tty' or display you started the agent.\n\n'--listen-backlog N'\nSet the size of the queue for pending connections. The default is\n64.\n\n'--extra-socket NAME'\nThe extra socket is created by default, you may use this option to\nchange the name of the socket. To disable the creation of the\nsocket use \"none\" or \"/dev/null\" for NAME.\n\nAlso listen on native gpg-agent connections on the given socket.\nThe intended use for this extra socket is to setup a Unix domain\nsocket forwarding from a remote machine to this socket on the local\nmachine. A 'gpg' running on the remote machine may then connect to\nthe local gpg-agent and use its private keys. This enables\ndecrypting or signing data on a remote machine without exposing the\nprivate keys to the remote machine.\n\n'--enable-extended-key-format'\n'--disable-extended-key-format'\nSince version 2.2.22 keys are created in the extended private key\nformat by default. Changing the passphrase of a key will also\nconvert the key to that new format. This key format is supported\nsince GnuPG version 2.1.12 and thus there should be no need to\ndisable it. Anyway, the disable option still allows to revert to\nthe old behavior for new keys; be aware that keys are never\nmigrated back to the old format. If the enable option has been\nused the disable option won't have an effect. The advantage of the\nextended private key format is that it is text based and can carry\nadditional meta data. In extended key format the OCB mode is used\nfor key protection.\n\n'--enable-ssh-support'\n'--enable-putty-support'\n\nThe OpenSSH Agent protocol is always enabled, but 'gpg-agent' will\nonly set the 'SSHAUTHSOCK' variable if this flag is given.\n\nIn this mode of operation, the agent does not only implement the\ngpg-agent protocol, but also the agent protocol used by OpenSSH\n(through a separate socket). Consequently, it should be possible\nto use the gpg-agent as a drop-in replacement for the well known\nssh-agent.\n\nSSH Keys, which are to be used through the agent, need to be added\nto the gpg-agent initially through the ssh-add utility. When a key\nis added, ssh-add will ask for the password of the provided key\nfile and send the unprotected key material to the agent; this\ncauses the gpg-agent to ask for a passphrase, which is to be used\nfor encrypting the newly received key and storing it in a gpg-agent\nspecific directory.\n\nOnce a key has been added to the gpg-agent this way, the gpg-agent\nwill be ready to use the key.\n\nNote: in case the gpg-agent receives a signature request, the user\nmight need to be prompted for a passphrase, which is necessary for\ndecrypting the stored key. Since the ssh-agent protocol does not\ncontain a mechanism for telling the agent on which display/terminal\nit is running, gpg-agent's ssh-support will use the TTY or X\ndisplay where gpg-agent has been started. To switch this display\nto the current one, the following command may be used:\n\ngpg-connect-agent updatestartuptty /bye\n\nAlthough all GnuPG components try to start the gpg-agent as needed,\nthis is not possible for the ssh support because ssh does not know\nabout it. Thus if no GnuPG tool which accesses the agent has been\nrun, there is no guarantee that ssh is able to use gpg-agent for\nauthentication. To fix this you may start gpg-agent if needed\nusing this simple command:\n\ngpg-connect-agent /bye\n\nAdding the '--verbose' shows the progress of starting the agent.\n\nThe '--enable-putty-support' is only available under Windows and\nallows the use of gpg-agent with the ssh implementation 'putty'.\nThis is similar to the regular ssh-agent support but makes use of\nWindows message queue as required by 'putty'.\n\n'--ssh-fingerprint-digest'\n\nSelect the digest algorithm used to compute ssh fingerprints that\nare communicated to the user, e.g. in pinentry dialogs. OpenSSH\nhas transitioned from using MD5 to the more secure SHA256.\n\n'--auto-expand-secmem N'\nAllow Libgcrypt to expand its secure memory area as required. The\noptional value N is a non-negative integer with a suggested size in\nbytes of each additionally allocated secure memory area. The value\nis rounded up to the next 32 KiB; usual C style prefixes are\nallowed. For an heavy loaded gpg-agent with many concurrent\nconnection this option avoids sign or decrypt errors due to out of\nsecure memory error returns.\n\n'--s2k-calibration MILLISECONDS'\nChange the default calibration time to MILLISECONDS. The given\nvalue is capped at 60 seconds; a value of 0 resets to the\ncompiled-in default. This option is re-read on a SIGHUP (or\n'gpgconf --reload gpg-agent') and the S2K count is then\nre-calibrated.\n\n'--s2k-count N'\nSpecify the iteration count used to protect the passphrase. This\noption can be used to override the auto-calibration done by\ndefault. The auto-calibration computes a count which requires by\ndefault 100ms to mangle a given passphrase. See also\n'--s2k-calibration'.\n\nTo view the actually used iteration count and the milliseconds\nrequired for an S2K operation use:\n\ngpg-connect-agent 'GETINFO s2kcount' /bye\ngpg-connect-agent 'GETINFO s2ktime' /bye\n\nTo view the auto-calibrated count use:\n\ngpg-connect-agent 'GETINFO s2kcountcal' /bye\n\nFile: gnupg.info, Node: Agent Configuration, Next: Agent Signals, Prev: Agent Options, Up: Invoking GPG-AGENT\n" }, { "name": "2.3 Configuration", "content": "There are a few configuration files needed for the operation of the\nagent. By default they may all be found in the current home directory\n(*note option --homedir::).\n\n'gpg-agent.conf'\nThis is the standard configuration file read by 'gpg-agent' on\nstartup. It may contain any valid long option; the leading two\ndashes may not be entered and the option may not be abbreviated.\nThis file is also read after a 'SIGHUP' however only a few options\nwill actually have an effect. This default name may be changed on\nthe command line (*note option --options::). You should backup\nthis file.\n\n'trustlist.txt'\nThis is the list of trusted keys. You should backup this file.\n\nComment lines, indicated by a leading hash mark, as well as empty\nlines are ignored. To mark a key as trusted you need to enter its\nfingerprint followed by a space and a capital letter 'S'. Colons\nmay optionally be used to separate the bytes of a fingerprint; this\nenables cutting and pasting the fingerprint from a key listing\noutput. If the line is prefixed with a '!' the key is explicitly\nmarked as not trusted.\n\nHere is an example where two keys are marked as ultimately trusted\nand one as not trusted:\n\n# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE\nA6935DD34EF3087973C706FC311AA2CCF733765B S\n\n# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE\nDC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S\n\n# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE\n!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S\n\nBefore entering a key into this file, you need to ensure its\nauthenticity. How to do this depends on your organisation; your\nadministrator might have already entered those keys which are\ndeemed trustworthy enough into this file. Places where to look for\nthe fingerprint of a root certificate are letters received from the\nCA or the website of the CA (after making 100% sure that this is\nindeed the website of that CA). You may want to consider\ndisallowing interactive updates of this file by using the *note\noption --no-allow-mark-trusted::. It might even be advisable to\nchange the permissions to read-only so that this file can't be\nchanged inadvertently.\n\nAs a special feature a line 'include-default' will include a global\nlist of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').\nThis global list is also used if the local list is not available.\n\nIt is possible to add further flags after the 'S' for use by the\ncaller:\n\n'relax'\nRelax checking of some root certificate requirements. As of\nnow this flag allows the use of root certificates with a\nmissing basicConstraints attribute (despite that it is a MUST\nfor CA certificates) and disables CRL checking for the root\ncertificate.\n\n'cm'\nIf validation of a certificate finally issued by a CA with\nthis flag set fails, try again using the chain validation\nmodel.\n\n'sshcontrol'\nThis file is used when support for the secure shell agent protocol\nhas been enabled (*note option --enable-ssh-support::). Only keys\npresent in this file are used in the SSH protocol. You should\nbackup this file.\n\nThe 'ssh-add' tool may be used to add new entries to this file; you\nmay also add them manually. Comment lines, indicated by a leading\nhash mark, as well as empty lines are ignored. An entry starts\nwith optional whitespace, followed by the keygrip of the key given\nas 40 hex digits, optionally followed by the caching TTL in seconds\nand another optional field for arbitrary flags. A non-zero TTL\noverrides the global default as set by '--default-cache-ttl-ssh'.\n\nThe only flag support is 'confirm'. If this flag is found for a\nkey, each use of the key will pop up a pinentry to confirm the use\nof that key. The flag is automatically set if a new key was loaded\ninto 'gpg-agent' using the option '-c' of the 'ssh-add' command.\n\nThe keygrip may be prefixed with a '!' to disable an entry.\n\nThe following example lists exactly one key. Note that keys\navailable through a OpenPGP smartcard in the active smartcard\nreader are implicitly added to this list; i.e. there is no need to\nlist them.\n\n# Key added on: 2011-07-20 20:38:46\n# Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81\n34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm\n\n'private-keys-v1.d/'\n\nThis is the directory where gpg-agent stores the private keys.\nEach key is stored in a file with the name made up of the keygrip\nand the suffix 'key'. You should backup all files in this\ndirectory and take great care to keep this backup closed away.\n\nNote that on larger installations, it is useful to put predefined\nfiles into the directory '/etc/skel/.gnupg' so that newly created users\nstart up with a working configuration. For existing users the a small\nhelper script is provided to create these files (*note addgnupghome::).\n\nFile: gnupg.info, Node: Agent Signals, Next: Agent Examples, Prev: Agent Configuration, Up: Invoking GPG-AGENT\n" }, { "name": "2.4 Use of some signals", "content": "A running 'gpg-agent' may be controlled by signals, i.e. using the\n'kill' command to send a signal to the process.\n\nHere is a list of supported signals:\n\n'SIGHUP'\nThis signal flushes all cached passphrases and if the program has\nbeen started with a configuration file, the configuration file is\nread again. Only certain options are honored: 'quiet', 'verbose',\n'debug', 'debug-all', 'debug-level', 'debug-pinentry', 'no-grab',\n'pinentry-program', 'pinentry-invisible-char', 'default-cache-ttl',\n'max-cache-ttl', 'ignore-cache-for-signing', 's2k-count',\n'no-allow-external-cache', 'allow-emacs-pinentry',\n'no-allow-mark-trusted', 'disable-scdaemon', and\n'disable-check-own-socket'. 'scdaemon-program' is also supported\nbut due to the current implementation, which calls the scdaemon\nonly once, it is not of much use unless you manually kill the\nscdaemon.\n\n'SIGTERM'\nShuts down the process but waits until all current requests are\nfulfilled. If the process has received 3 of these signals and\nrequests are still pending, a shutdown is forced.\n\n'SIGINT'\nShuts down the process immediately.\n\n'SIGUSR1'\nDump internal information to the log file.\n\n'SIGUSR2'\nThis signal is used for internal purposes.\n\nFile: gnupg.info, Node: Agent Examples, Next: Agent Protocol, Prev: Agent Signals, Up: Invoking GPG-AGENT\n" }, { "name": "2.5 Examples", "content": "It is important to set the environment variable 'GPGTTY' in your login\nshell, for example in the '~/.bashrc' init script:\n\nexport GPGTTY=$(tty)\n\nIf you enabled the Ssh Agent Support, you also need to tell ssh about\nit by adding this to your init script:\n\nunset SSHAGENTPID\nif [ \"${gnupgSSHAUTHSOCKby:-0}\" -ne $$ ]; then\nexport SSHAUTHSOCK=\"$(gpgconf --list-dirs agent-ssh-socket)\"\nfi\n\nFile: gnupg.info, Node: Agent Protocol, Prev: Agent Examples, Up: Invoking GPG-AGENT\n" }, { "name": "2.6 Agent's Assuan Protocol", "content": "Note: this section does only document the protocol, which is used by\nGnuPG components; it does not deal with the ssh-agent protocol. To see\nthe full specification of each command, use\n\ngpg-connect-agent 'help COMMAND' /bye\n\nor just 'help' to list all available commands.\n\nThe 'gpg-agent' daemon is started on demand by the GnuPG components.\n\nTo identify a key we use a thing called keygrip which is the SHA-1\nhash of an canonical encoded S-Expression of the public key as used in\nLibgcrypt. For the purpose of this interface the keygrip is given as a\nhex string. The advantage of using this and not the hash of a\ncertificate is that it will be possible to use the same keypair for\ndifferent protocols, thereby saving space on the token used to keep the\nsecret keys.\n\nThe 'gpg-agent' may send status messages during a command or when\nreturning from a command to inform a client about the progress or result\nof an operation. For example, the INQUIREMAXLEN status message may be\nsent during a server inquire to inform the client of the maximum usable\nlength of the inquired data (which should not be exceeded).\n\n* Menu:\n\n* Agent PKDECRYPT:: Decrypting a session key\n* Agent PKSIGN:: Signing a Hash\n* Agent GENKEY:: Generating a Key\n* Agent IMPORT:: Importing a Secret Key\n* Agent EXPORT:: Exporting a Secret Key\n* Agent ISTRUSTED:: Importing a Root Certificate\n* Agent GETPASSPHRASE:: Ask for a passphrase\n* Agent CLEARPASSPHRASE:: Expire a cached passphrase\n* Agent PRESETPASSPHRASE:: Set a passphrase for a keygrip\n* Agent GETCONFIRMATION:: Ask for confirmation\n* Agent HAVEKEY:: Check whether a key is available\n* Agent LEARN:: Register a smartcard\n* Agent PASSWD:: Change a Passphrase\n* Agent UPDATESTARTUPTTY:: Change the Standard Display\n* Agent GETEVENTCOUNTER:: Get the Event Counters\n* Agent GETINFO:: Return information about the process\n* Agent OPTION:: Set options for the session\n\nFile: gnupg.info, Node: Agent PKDECRYPT, Next: Agent PKSIGN, Up: Agent Protocol\n\n\nThe client asks the server to decrypt a session key. The encrypted\nsession key should have all information needed to select the appropriate\nsecret key or to delegate it to a smartcard.\n\nSETKEY \n\nTell the server about the key to be used for decryption. If this is\nnot used, 'gpg-agent' may try to figure out the key by trying to decrypt\nthe message with each key available.\n\nPKDECRYPT\n\nThe agent checks whether this command is allowed and then does an\nINQUIRY to get the ciphertext the client should then send the cipher\ntext.\n\nS: INQUIRE CIPHERTEXT\nC: D (xxxxxx\nC: D xxxx)\nC: END\n\nPlease note that the server may send status info lines while reading\nthe data lines from the client. The data send is a SPKI like S-Exp with\nthis structure:\n\n(enc-val\n(\n( )\n...\n( )))\n\nWhere algo is a string with the name of the algorithm; see the\nlibgcrypt documentation for a list of valid algorithms. The number and\nnames of the parameters depend on the algorithm. The agent does return\nan error if there is an inconsistency.\n\nIf the decryption was successful the decrypted data is returned by\nmeans of \"D\" lines.\n\nHere is an example session:\nC: PKDECRYPT\nS: INQUIRE CIPHERTEXT\nC: D (enc-val elg (a 349324324)\nC: D (b 3F444677CA)))\nC: END\nS: # session key follows\nS: S PADDING 0\nS: D (value 1234567890ABCDEF0)\nS: OK decryption successful\n\nThe \"PADDING\" status line is only send if gpg-agent can tell what\nkind of padding is used. As of now only the value 0 is used to indicate\nthat the padding has been removed.\n\nFile: gnupg.info, Node: Agent PKSIGN, Next: Agent GENKEY, Prev: Agent PKDECRYPT, Up: Agent Protocol\n\n\nThe client asks the agent to sign a given hash value. A default key\nwill be chosen if no key has been set. To set a key a client first\nuses:\n\nSIGKEY \n\nThis can be used multiple times to create multiple signature, the\nlist of keys is reset with the next PKSIGN command or a RESET. The\nserver tests whether the key is a valid key to sign something and\nresponds with okay.\n\nSETHASH --hash=| \n\nThe client can use this command to tell the server about the data\n (which usually is a hash) to be signed. is the\ndecimal encoded hash algorithm number as used by Libgcrypt. Either\n or -hash= must be given. Valid names for are:\n\n'sha1'\nThe SHA-1 hash algorithm\n'sha256'\nThe SHA-256 hash algorithm\n'rmd160'\nThe RIPE-MD160 hash algorithm\n'md5'\nThe old and broken MD5 hash algorithm\n'tls-md5sha1'\nA combined hash algorithm as used by the TLS protocol.\n\nThe actual signing is done using\n\nPKSIGN \n\nOptions are not yet defined, but may later be used to choose among\ndifferent algorithms. The agent does then some checks, asks for the\npassphrase and as a result the server returns the signature as an SPKI\nlike S-expression in \"D\" lines:\n\n(sig-val\n(\n( )\n...\n( )))\n\nThe operation is affected by the option\n\nOPTION use-cache-for-signing=0|1\n\nThe default of '1' uses the cache. Setting this option to '0' will\nlead 'gpg-agent' to ignore the passphrase cache. Note, that there is\nalso a global command line option for 'gpg-agent' to globally disable\nthe caching.\n\nHere is an example session:\nC: SIGKEY \nS: OK key available\nC: SIGKEY \nS: OK key available\nC: PKSIGN\nS: # I did ask the user whether he really wants to sign\nS: # I did ask the user for the passphrase\nS: INQUIRE HASHVAL\nC: D ABCDEF012345678901234\nC: END\nS: # signature follows\nS: D (sig-val rsa (s 45435453654612121212))\nS: OK\n\nFile: gnupg.info, Node: Agent GENKEY, Next: Agent IMPORT, Prev: Agent PKSIGN, Up: Agent Protocol\n\n\nThis is used to create a new keypair and store the secret key inside the\nactive PSE -- which is in most cases a Soft-PSE. A not-yet-defined\noption allows choosing the storage location. To get the secret key out\nof the PSE, a special export tool has to be used.\n\nGENKEY [--no-protection] [--preset] []\n\nInvokes the key generation process and the server will then inquire\non the generation parameters, like:\n\nS: INQUIRE KEYPARM\nC: D (genkey (rsa (nbits 1024)))\nC: END\n\nThe format of the key parameters which depends on the algorithm is of\nthe form:\n\n(genkey\n(algo\n(parametername1 ....)\n....\n(parameternamen ....)))\n\nIf everything succeeds, the server returns the *public key* in a SPKI\nlike S-Expression like this:\n\n(public-key\n(rsa\n(n )\n(e )))\n\nHere is an example session:\nC: GENKEY\nS: INQUIRE KEYPARM\nC: D (genkey (rsa (nbits 1024)))\nC: END\nS: D (public-key\nS: D (rsa (n 326487324683264) (e 10001)))\nS OK key created\n\nThe '--no-protection' option may be used to prevent prompting for a\npassphrase to protect the secret key while leaving the secret key\nunprotected. The '--preset' option may be used to add the passphrase to\nthe cache using the default cache parameters.\n\nThe '--inq-passwd' option may be used to create the key with a\nsupplied passphrase. When used the agent does an inquiry with the\nkeyword 'NEWPASSWD' to retrieve that passphrase. This option takes\nprecedence over '--no-protection'; however if the client sends a empty\n(zero-length) passphrase, this is identical to '--no-protection'.\n\nFile: gnupg.info, Node: Agent IMPORT, Next: Agent EXPORT, Prev: Agent GENKEY, Up: Agent Protocol\n\n\nThis operation is not yet supported by GpgAgent. Specialized tools are\nto be used for this.\n\nThere is no actual need because we can expect that secret keys\ncreated by a 3rd party are stored on a smartcard. If we have generated\nthe key ourselves, we do not need to import it.\n\nFile: gnupg.info, Node: Agent EXPORT, Next: Agent ISTRUSTED, Prev: Agent IMPORT, Up: Agent Protocol\n\n\nNot implemented.\n\nShould be done by an extra tool.\n\nFile: gnupg.info, Node: Agent ISTRUSTED, Next: Agent GETPASSPHRASE, Prev: Agent EXPORT, Up: Agent Protocol\n\n\nActually we do not import a Root Cert but provide a way to validate any\npiece of data by storing its Hash along with a description and an\nidentifier in the PSE. Here is the interface description:\n\nISTRUSTED \n\nCheck whether the OpenPGP primary key or the X.509 certificate with\nthe given fingerprint is an ultimately trusted key or a trusted Root CA\ncertificate. The fingerprint should be given as a hexstring (without\nany blanks or colons or whatever in between) and may be left padded with\n00 in case of an MD5 fingerprint. GPGAgent will answer with:\n\nOK\n\nThe key is in the table of trusted keys.\n\nERR 304 (Not Trusted)\n\nThe key is not in this table.\n\nGpg needs the entire list of trusted keys to maintain the web of\ntrust; the following command is therefore quite helpful:\n\nLISTTRUSTED\n\nGpgAgent returns a list of trusted keys line by line:\n\nS: D 000000001234454556565656677878AF2F1ECCFF P\nS: D 340387563485634856435645634856438576457A P\nS: D FEDC6532453745367FD83474357495743757435D S\nS: OK\n\nThe first item on a line is the hexified fingerprint where MD5\nfingerprints are '00' padded to the left and the second item is a flag\nto indicate the type of key (so that gpg is able to only take care of\nPGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest of\nthe line, so that we can extend the format in the future.\n\nFinally a client should be able to mark a key as trusted:\n\nMARKTRUSTED FINGERPRINT \"P\"|\"S\"\n\nThe server will then pop up a window to ask the user whether she\nreally trusts this key. For this it will probably ask for a text to be\ndisplayed like this:\n\nS: INQUIRE TRUSTDESC\nC: D Do you trust the key with the fingerprint @FPR@\nC: D bla fasel blurb.\nC: END\nS: OK\n\nKnown sequences with the pattern @foo@ are replaced according to this\ntable:\n\n'@FPR16@'\nFormat the fingerprint according to gpg rules for a v3 keys.\n'@FPR20@'\nFormat the fingerprint according to gpg rules for a v4 keys.\n'@FPR@'\nChoose an appropriate format to format the fingerprint.\n'@@'\nReplaced by a single '@'.\n\nFile: gnupg.info, Node: Agent GETPASSPHRASE, Next: Agent CLEARPASSPHRASE, Prev: Agent ISTRUSTED, Up: Agent Protocol\n\n\nThis function is usually used to ask for a passphrase to be used for\nsymmetric encryption, but may also be used by programs which need\nspecial handling of passphrases. This command uses a syntax which helps\nclients to use the agent with minimum effort.\n\nGETPASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \\\n[--qualitybar] CACHEID \\\n[ERRORMESSAGE PROMPT DESCRIPTION]\n\nCACHEID is expected to be a string used to identify a cached\npassphrase. Use a 'X' to bypass the cache. With no other arguments the\nagent returns a cached passphrase or an error. By convention either the\nhexified fingerprint of the key shall be used for CACHEID or an\narbitrary string prefixed with the name of the calling application and a\ncolon: Like 'gpg:somestring'.\n\nERRORMESSAGE is either a single 'X' for no error message or a string\nto be shown as an error message like (e.g. \"invalid passphrase\").\nBlanks must be percent escaped or replaced by '+''.\n\nPROMPT is either a single 'X' for a default prompt or the text to be\nshown as the prompt. Blanks must be percent escaped or replaced by '+'.\n\nDESCRIPTION is a text shown above the entry field. Blanks must be\npercent escaped or replaced by '+'.\n\nThe agent either returns with an error or with a OK followed by the\nhex encoded passphrase. Note that the length of the strings is\nimplicitly limited by the maximum length of a command. If the option\n'--data' is used, the passphrase is not returned on the OK line but by\nregular data lines; this is the preferred method.\n\nIf the option '--check' is used, the standard passphrase constraints\nchecks are applied. A check is not done if the passphrase has been\nfound in the cache.\n\nIf the option '--no-ask' is used and the passphrase is not in the\ncache the user will not be asked to enter a passphrase but the error\ncode 'GPGERRNODATA' is returned.\n\nIf the option '--qualitybar' is used and a minimum passphrase length\nhas been configured, a visual indication of the entered passphrase\nquality is shown.\n\nCLEARPASSPHRASE CACHEID\n\nmay be used to invalidate the cache entry for a passphrase. The\nfunction returns with OK even when there is no cached passphrase.\n\nFile: gnupg.info, Node: Agent CLEARPASSPHRASE, Next: Agent PRESETPASSPHRASE, Prev: Agent GETPASSPHRASE, Up: Agent Protocol\n\n\nUse this command to remove a cached passphrase.\n\nCLEARPASSPHRASE [--mode=normal] \n\nThe '--mode=normal' option can be used to clear a CACHEID that was\nset by gpg-agent.\n\nFile: gnupg.info, Node: Agent PRESETPASSPHRASE, Next: Agent GETCONFIRMATION, Prev: Agent CLEARPASSPHRASE, Up: Agent Protocol\n\n\nThis command adds a passphrase to the cache for the specified KEYGRIP.\n\nPRESETPASSPHRASE [--inquire] []\n\nThe passphrase is a hexadecimal string when specified. When not\nspecified, the passphrase will be retrieved from the pinentry module\nunless the '--inquire' option was specified in which case the passphrase\nwill be retrieved from the client.\n\nThe TIMEOUT parameter keeps the passphrase cached for the specified\nnumber of seconds. A value of '-1' means infinite while '0' means the\ndefault (currently only a timeout of -1 is allowed, which means to never\nexpire it).\n\nFile: gnupg.info, Node: Agent GETCONFIRMATION, Next: Agent HAVEKEY, Prev: Agent PRESETPASSPHRASE, Up: Agent Protocol\n\n\nThis command may be used to ask for a simple confirmation by presenting\na text and 2 buttons: Okay and Cancel.\n\nGETCONFIRMATION DESCRIPTION\n\nDESCRIPTIONis displayed along with a Okay and Cancel button. Blanks\nmust be percent escaped or replaced by '+'. A 'X' may be used to\ndisplay confirmation dialog with a default text.\n\nThe agent either returns with an error or with a OK. Note, that the\nlength of DESCRIPTION is implicitly limited by the maximum length of a\ncommand.\n\nFile: gnupg.info, Node: Agent HAVEKEY, Next: Agent LEARN, Prev: Agent GETCONFIRMATION, Up: Agent Protocol\n\n\nThis can be used to see whether a secret key is available. It does not\nreturn any information on whether the key is somehow protected.\n\nHAVEKEY KEYGRIPS\n\nThe agent answers either with OK or 'NoSecretKey' (208). The\ncaller may want to check for other error codes as well. More than one\nkeygrip may be given. In this case the command returns success if at\nleast one of the keygrips corresponds to an available secret key.\n\nFile: gnupg.info, Node: Agent LEARN, Next: Agent PASSWD, Prev: Agent HAVEKEY, Up: Agent Protocol\n\n\nLEARN [--send]\n\nThis command is used to register a smartcard. With the '--send'\noption given the certificates are sent back.\n\nFile: gnupg.info, Node: Agent PASSWD, Next: Agent UPDATESTARTUPTTY, Prev: Agent LEARN, Up: Agent Protocol\n\n\nPASSWD [--cache-nonce=] [--passwd-nonce=] [--preset] KEYGRIP\n\nThis command is used to interactively change the passphrase of the\nkey identified by the hex string KEYGRIP. The '--preset' option may be\nused to add the new passphrase to the cache using the default cache\nparameters.\n\nFile: gnupg.info, Node: Agent UPDATESTARTUPTTY, Next: Agent GETEVENTCOUNTER, Prev: Agent PASSWD, Up: Agent Protocol\n\n\nUPDATESTARTUPTTY\n\nSet the startup TTY and X-DISPLAY variables to the values of this\nsession. This command is useful to direct future pinentry invocations\nto another screen. It is only required because there is no way in the\nssh-agent protocol to convey this information.\n\nFile: gnupg.info, Node: Agent GETEVENTCOUNTER, Next: Agent GETINFO, Prev: Agent UPDATESTARTUPTTY, Up: Agent Protocol\n\n\nGETEVENTCOUNTER\n\nThis function return one status line with the current values of the\nevent counters. The event counters are useful to avoid polling by\ndelaying a poll until something has changed. The values are decimal\nnumbers in the range '0' to 'UINTMAX' and wrapping around to 0. The\nactual values should not be relied upon; they shall only be used to\ndetect a change.\n\nThe currently defined counters are:\n'ANY'\nIncremented with any change of any of the other counters.\n'KEY'\nIncremented for added or removed private keys.\n'CARD'\nIncremented for changes of the card readers stati.\n\nFile: gnupg.info, Node: Agent GETINFO, Next: Agent OPTION, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol\n\n\nThis is a multipurpose function to return a variety of information.\n\nGETINFO WHAT\n\nThe value of WHAT specifies the kind of information returned:\n'version'\nReturn the version of the program.\n'pid'\nReturn the process id of the process.\n'socketname'\nReturn the name of the socket used to connect the agent.\n'sshsocketname'\nReturn the name of the socket used for SSH connections. If SSH\nsupport has not been enabled the error 'GPGERRNODATA' will be\nreturned.\n\nFile: gnupg.info, Node: Agent OPTION, Prev: Agent GETINFO, Up: Agent Protocol\n\n\nHere is a list of session options which are not yet described with other\ncommands. The general syntax for an Assuan option is:\n\nOPTION KEY=VALUE\n\nSupported KEYs are:\n\n'agent-awareness'\nThis may be used to tell gpg-agent of which gpg-agent version the\nclient is aware of. gpg-agent uses this information to enable\nfeatures which might break older clients.\n\n'putenv'\nChange the session's environment to be used for the Pinentry.\nValid values are:\n\n'NAME'\nDelete envvar NAME\n'NAME='\nSet envvar NAME to the empty string\n'NAME=VALUE'\nSet envvar NAME to the string VALUE.\n\n'use-cache-for-signing'\nSee Assuan command 'PKSIGN'.\n\n'allow-pinentry-notify'\nThis does not need any value. It is used to enable the\nPINENTRYLAUNCHED inquiry.\n\n'pinentry-mode'\nThis option is used to change the operation mode of the pinentry.\nThe following values are defined:\n\n'ask'\nThis is the default mode which pops up a pinentry as needed.\n\n'cancel'\nInstead of popping up a pinentry, return the error code\n'GPGERRCANCELED'.\n\n'error'\nInstead of popping up a pinentry, return the error code\n'GPGERRNOPINENTRY'.\n\n'loopback'\nUse a loopback pinentry. This fakes a pinentry by using\ninquiries back to the caller to ask for a passphrase. This\noption may only be set if the agent has been configured for\nthat. To disable this feature use *note option\n--no-allow-loopback-pinentry::.\n\n'cache-ttl-opt-preset'\nThis option sets the cache TTL for new entries created by GENKEY\nand PASSWD commands when using the '--preset' option. It is not\nused a default value is used.\n\n's2k-count'\nInstead of using the standard S2K count (which is computed on the\nfly), the given S2K count is used for new keys or when changing the\npassphrase of a key. Values below 65536 are considered to be 0.\nThis option is valid for the entire session or until reset to 0.\nThis option is useful if the key is later used on boxes which are\neither much slower or faster than the actual box.\n\n'pretend-request-origin'\nThis option switches the connection into a restricted mode which\nhandles all further commands in the same way as they would be\nhandled when originating from the extra or browser socket. Note\nthat this option is not available in the restricted mode. Valid\nvalues for this option are:\n\n'none'\n'local'\nThis is a NOP and leaves the connection in the standard way.\n\n'remote'\nPretend to come from a remote origin in the same way as\nconnections from the '--extra-socket'.\n\n'browser'\nPretend to come from a local web browser in the same way as\nconnections from the '--browser-socket'.\n\nFile: gnupg.info, Node: Invoking DIRMNGR, Next: Invoking GPG, Prev: Invoking GPG-AGENT, Up: Top\n" } ] }, "3 Invoking DIRMNGR": { "content": "Since version 2.1 of GnuPG, 'dirmngr' takes care of accessing the\nOpenPGP keyservers. As with previous versions it is also used as a\nserver for managing and downloading certificate revocation lists (CRLs)\nfor X.509 certificates, downloading X.509 certificates, and providing\naccess to OCSP providers. Dirmngr is invoked internally by 'gpg',\n'gpgsm', or via the 'gpg-connect-agent' tool.\n\n*Note Option Index::,for an index to 'DIRMNGR''s commands and options.\n\n* Menu:\n\n* Dirmngr Commands:: List of all commands.\n* Dirmngr Options:: List of all options.\n* Dirmngr Configuration:: Configuration files.\n* Dirmngr Signals:: Use of signals.\n* Dirmngr Examples:: Some usage examples.\n* Dirmngr Protocol:: The protocol dirmngr uses.\n\nFile: gnupg.info, Node: Dirmngr Commands, Next: Dirmngr Options, Up: Invoking DIRMNGR\n", "subsections": [ { "name": "3.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed.\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help, -h'\nPrint a usage message summarizing the most useful command-line\noptions. Note that you cannot abbreviate this command.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\n'--server'\nRun in server mode and wait for commands on the 'stdin'. The\ndefault mode is to create a socket and listen for commands there.\nThis is only used for testing.\n\n'--daemon'\nRun in background daemon mode and listen for commands on a socket.\nThis is the way 'dirmngr' is started on demand by the other GnuPG\ncomponents. To force starting 'dirmngr' it is in general best to\nuse 'gpgconf --launch dirmngr'.\n\n'--supervised'\nRun in the foreground, sending logs to stderr, and listening on\nfile descriptor 3, which must already be bound to a listening\nsocket. This is useful when running under systemd or other similar\nprocess supervision schemes. This option is not supported on\nWindows.\n\n'--list-crls'\nList the contents of the CRL cache on 'stdout'. This is probably\nonly useful for debugging purposes.\n\n'--load-crl FILE'\nThis command requires a filename as additional argument, and it\nwill make Dirmngr try to import the CRL in FILE into it's cache.\nNote, that this is only possible if Dirmngr is able to retrieve the\nCA's certificate directly by its own means. In general it is\nbetter to use 'gpgsm''s '--call-dirmngr loadcrl filename' command\nso that 'gpgsm' can help dirmngr.\n\n'--fetch-crl URL'\nThis command requires an URL as additional argument, and it will\nmake dirmngr try to retrieve and import the CRL from that URL into\nit's cache. This is mainly useful for debugging purposes. The\n'dirmngr-client' provides the same feature for a running dirmngr.\n\n'--shutdown'\nThis commands shuts down an running instance of Dirmngr. This\ncommand has currently no effect.\n\n'--flush'\nThis command removes all CRLs from Dirmngr's cache. Client\nrequests will thus trigger reading of fresh CRLs.\n\nFile: gnupg.info, Node: Dirmngr Options, Next: Dirmngr Configuration, Prev: Dirmngr Commands, Up: Invoking DIRMNGR\n" }, { "name": "3.2 Option Summary", "content": "Note that all long options with the exception of '--options' and\n'--homedir' may also be given in the configuration file after stripping\noff the two leading dashes.\n\n'--options FILE'\nReads configuration from FILE instead of from the default per-user\nconfiguration file. The default configuration file is named\n'dirmngr.conf' and expected in the home directory.\n\n'--homedir DIR'\nSet the name of the home directory to DIR. This option is only\neffective when used on the command line. The default is the\ndirectory named '.gnupg' directly below the home directory of the\nuser unless the environment variable 'GNUPGHOME' has been set in\nwhich case its value will be used. Many kinds of data are stored\nwithin this directory.\n\n'-v'\n'--verbose'\nOutputs additional information while running. You can increase the\nverbosity by giving several verbose commands to DIRMNGR, such as\n'-vv'.\n\n'--log-file FILE'\nAppend all logging output to FILE. This is very helpful in seeing\nwhat the agent actually does. Use 'socket://' to log to socket.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or by a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\n'--debug FLAGS'\nSet debugging flags. This option is only useful for debugging and\nits behavior may change with a new release. All flags are or-ed\nand may be given in C syntax (e.g. 0x0042) or as a comma separated\nlist of flag names. To get a list of all supported flags the\nsingle word \"help\" can be used.\n\n'--debug-all'\nSame as '--debug=0xffffffff'\n\n'--tls-debug LEVEL'\nEnable debugging of the TLS layer at LEVEL. The details of the\ndebug level depend on the used TLS library and are not set in\nstone.\n\n'--debug-wait N'\nWhen running in server mode, wait N seconds before entering the\nactual processing loop and print the pid. This gives time to\nattach a debugger.\n\n'--disable-check-own-socket'\nOn some platforms 'dirmngr' is able to detect the removal of its\nsocket file and shutdown itself. This option disable this\nself-test for debugging purposes.\n\n'-s'\n'--sh'\n'-c'\n'--csh'\nFormat the info output in daemon mode for use with the standard\nBourne shell respective the C-shell. The default is to guess it\nbased on the environment variable 'SHELL' which is in almost all\ncases sufficient.\n\n'--force'\nEnabling this option forces loading of expired CRLs; this is only\nuseful for debugging.\n\n'--use-tor'\n'--no-use-tor'\nThe option '--use-tor' switches Dirmngr and thus GnuPG into \"Tor\nmode\" to route all network access via Tor (an anonymity network).\nCertain other features are disabled in this mode. The effect of\n'--use-tor' cannot be overridden by any other command or even by\nreloading dirmngr. The use of '--no-use-tor' disables the use of\nTor. The default is to use Tor if it is available on startup or\nafter reloading dirmngr.\n\n'--standard-resolver'\nThis option forces the use of the system's standard DNS resolver\ncode. This is mainly used for debugging. Note that on Windows a\nstandard resolver is not used and all DNS access will return the\nerror \"Not Implemented\" if this option is used. Using this\ntogether with enabled Tor mode returns the error \"Not Enabled\".\n\n'--recursive-resolver'\nWhen possible use a recursive resolver instead of a stub resolver.\n\n'--resolver-timeout N'\nSet the timeout for the DNS resolver to N seconds. The default are\n30 seconds.\n\n'--connect-timeout N'\n'--connect-quick-timeout N'\nSet the timeout for HTTP and generic TCP connection attempts to N\nseconds. The value set with the quick variant is used when the\n-quick option has been given to certain Assuan commands. The quick\nvalue is capped at the value of the regular connect timeout. The\ndefault values are 15 and 2 seconds. Note that the timeout values\nare for each connection attempt; the connection code will attempt\nto connect all addresses listed for a server.\n\n'--listen-backlog N'\nSet the size of the queue for pending connections. The default is\n64.\n\n'--allow-version-check'\nAllow Dirmngr to connect to 'https://versions.gnupg.org' to get the\nlist of current software versions. On debian-packaged versions,\nthis option does nothing since software updates should be handled\nby the distribution. See the option '--query-swdb' of the command\n'gpgconf' for more details. Note, that regardless of this option a\nversion check can always be triggered using this command:\n\ngpg-connect-agent --dirmngr 'loadswdb --force' /bye\n\n'--keyserver NAME'\nUse NAME as your keyserver. This is the server that 'gpg'\ncommunicates with to receive keys, send keys, and search for keys.\nThe format of the NAME is a URI: 'scheme:[//]keyservername[:port]'\nThe scheme is the type of keyserver: \"hkp\" for the HTTP (or\ncompatible) keyservers, \"ldap\" for the LDAP keyservers, or \"mailto\"\nfor the Graff email keyserver. Note that your particular\ninstallation of GnuPG may have other keyserver types available as\nwell. Keyserver schemes are case-insensitive. After the keyserver\nname, optional keyserver configuration options may be provided.\nThese are the same as the '--keyserver-options' of 'gpg', but apply\nonly to this particular keyserver.\n\nMost keyservers synchronize with each other, so there is generally\nno need to send keys to more than one server. The keyserver\n'hkp://keys.gnupg.net' uses round robin DNS to give a different\nkeyserver each time you use it.\n\nIf exactly two keyservers are configured and only one is a Tor\nhidden service (.onion), Dirmngr selects the keyserver to use\ndepending on whether Tor is locally running or not. The check for\na running Tor is done for each new connection.\n\nIf no keyserver is explicitly configured, dirmngr will use the\nbuilt-in default of 'hkps://keys.openpgp.org'.\n\nNote that the above default is a Debian-specific choice. Upstream\nGnuPG prefers 'hkps://hkps.pool.sks-keyservers.net'. See\n/usr/share/doc/gpgconf/NEWS.Debian.gz for more details.\n\nWindows users with a keyserver running on their Active Directory\nshould use 'ldap:///' for NAME to access this directory.\n\nFor accessing anonymous LDAP keyservers NAME is in general just a\n'ldaps://ldap.example.com'. A BaseDN parameter should never be\nspecified. If authentication is required the value of NAME is for\nexample:\n\nkeyserver ldaps://ldap.example.com/????bindname=uid=USERNAME\n%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD\n\nPut this all on one line without any spaces and keep the '%2C' as\ngiven. Replace USERNAME, PASSWORD, and the 'dc' parts according to\nthe instructions received from the LDAP administrator. Note that\nonly simple authentication (i.e. cleartext passwords) is supported\nand thus using ldaps is strongly suggested.\n\n'--nameserver IPADDR'\nIn \"Tor mode\" Dirmngr uses a public resolver via Tor to resolve DNS\nnames. If the default public resolver, which is '8.8.8.8', shall\nnot be used a different one can be given using this option. Note\nthat a numerical IP address must be given (IPv6 or IPv4) and that\nno error checking is done for IPADDR.\n\n'--disable-ipv4'\n'--disable-ipv6'\nDisable the use of all IPv4 or IPv6 addresses.\n\n'--disable-ldap'\nEntirely disables the use of LDAP.\n\n'--disable-http'\nEntirely disables the use of HTTP.\n\n'--ignore-http-dp'\nWhen looking for the location of a CRL, the to be tested\ncertificate usually contains so called \"CRL Distribution Point\"\n(DP) entries which are URLs describing the way to access the CRL.\nThe first found DP entry is used. With this option all entries\nusing the HTTP scheme are ignored when looking for a suitable DP.\n\n'--ignore-ldap-dp'\nThis is similar to '--ignore-http-dp' but ignores entries using the\nLDAP scheme. Both options may be combined resulting in ignoring\nDPs entirely.\n\n'--ignore-ocsp-service-url'\nIgnore all OCSP URLs contained in the certificate. The effect is\nto force the use of the default responder.\n\n'--honor-http-proxy'\nIf the environment variable 'httpproxy' has been set, use its\nvalue to access HTTP servers.\n\n'--http-proxy HOST[:PORT]'\nUse HOST and PORT to access HTTP servers. The use of this option\noverrides the environment variable 'httpproxy' regardless whether\n'--honor-http-proxy' has been set.\n\n'--ldap-proxy HOST[:PORT]'\nUse HOST and PORT to connect to LDAP servers. If PORT is omitted,\nport 389 (standard LDAP port) is used. This overrides any\nspecified host and port part in a LDAP URL and will also be used if\nhost and port have been omitted from the URL.\n\n'--only-ldap-proxy'\nNever use anything else but the LDAP \"proxy\" as configured with\n'--ldap-proxy'. Usually 'dirmngr' tries to use other configured\nLDAP server if the connection using the \"proxy\" failed.\n\n'--ldapserverlist-file FILE'\nRead the list of LDAP servers to consult for CRLs and certificates\nfrom file instead of the default per-user ldap server list file.\nThe default value for FILE is 'dirmngrldapservers.conf'.\n\nThis server list file contains one LDAP server per line in the\nformat\n\nHOSTNAME:PORT:USERNAME:PASSWORD:BASEDN\n\nLines starting with a '#' are comments.\n\nNote that as usual all strings entered are expected to be UTF-8\nencoded. Obviously this will lead to problems if the password has\noriginally been encoded as Latin-1. There is no other solution\nhere than to put such a password in the binary encoding into the\nfile (i.e. non-ascii characters won't show up readable).(1)\n\n'--ldaptimeout SECS'\nSpecify the number of seconds to wait for an LDAP query before\ntiming out. The default are 15 seconds. 0 will never timeout.\n\n'--add-servers'\nThis option makes dirmngr add any servers it discovers when\nvalidating certificates against CRLs to the internal list of\nservers to consult for certificates and CRLs.\n\nThis option is useful when trying to validate a certificate that\nhas a CRL distribution point that points to a server that is not\nalready listed in the ldapserverlist. Dirmngr will always go to\nthis server and try to download the CRL, but chances are high that\nthe certificate used to sign the CRL is located on the same server.\nSo if dirmngr doesn't add that new server to list, it will often\nnot be able to verify the signature of the CRL unless the\n'--add-servers' option is used.\n\nNote: The current version of dirmngr has this option disabled by\ndefault.\n\n'--allow-ocsp'\nThis option enables OCSP support if requested by the client.\n\nOCSP requests are rejected by default because they may violate the\nprivacy of the user; for example it is possible to track the time\nwhen a user is reading a mail.\n\n'--ocsp-responder URL'\nUse URL as the default OCSP Responder if the certificate does not\ncontain information about an assigned responder. Note, that\n'--ocsp-signer' must also be set to a valid certificate.\n\n'--ocsp-signer FPR|FILE'\nUse the certificate with the fingerprint FPR to check the responses\nof the default OCSP Responder. Alternatively a filename can be\ngiven in which case the response is expected to be signed by one of\nthe certificates described in that file. Any argument which\ncontains a slash, dot or tilde is considered a filename. Usual\nfilename expansion takes place: A tilde at the start followed by a\nslash is replaced by the content of 'HOME', no slash at start\ndescribes a relative filename which will be searched at the home\ndirectory. To make sure that the FILE is searched in the home\ndirectory, either prepend the name with \"./\" or use a name which\ncontains a dot.\n\nIf a response has been signed by a certificate described by these\nfingerprints no further check upon the validity of this certificate\nis done.\n\nThe format of the FILE is a list of SHA-1 fingerprint, one per line\nwith optional colons between the bytes. Empty lines and lines\nprefix with a hash mark are ignored.\n\n'--ocsp-max-clock-skew N'\nThe number of seconds a skew between the OCSP responder and them\nlocal clock is accepted. Default is 600 (10 minutes).\n\n'--ocsp-max-period N'\nSeconds a response is at maximum considered valid after the time\ngiven in the thisUpdate field. Default is 7776000 (90 days).\n\n'--ocsp-current-period N'\nThe number of seconds an OCSP response is considered valid after\nthe time given in the NEXTUPDATE datum. Default is 10800 (3\nhours).\n\n'--max-replies N'\nDo not return more that N items in one query. The default is 10.\n\n'--ignore-cert-extension OID'\nAdd OID to the list of ignored certificate extensions. The OID is\nexpected to be in dotted decimal form, like '2.5.29.3'. This\noption may be used more than once. Critical flagged certificate\nextensions matching one of the OIDs in the list are treated as if\nthey are actually handled and thus the certificate won't be\nrejected due to an unknown critical extension. Use this option\nwith care because extensions are usually flagged as critical for a\nreason.\n\n'--hkp-cacert FILE'\nUse the root certificates in FILE for verification of the TLS\ncertificates used with 'hkps' (keyserver access over TLS). If the\nfile is in PEM format a suffix of '.pem' is expected for FILE.\nThis option may be given multiple times to add more root\ncertificates. Tilde expansion is supported.\n\nIf no 'hkp-cacert' directive is present, dirmngr will make a\nreasonable choice: if the keyserver in question is the special pool\n'hkps.pool.sks-keyservers.net', it will use the bundled root\ncertificate for that pool. Otherwise, it will use the system CAs.\n\n---------- Footnotes ----------\n\n(1) The 'gpgconf' tool might be helpful for frontends as it enables\nediting this configuration file using percent-escaped strings.\n\nFile: gnupg.info, Node: Dirmngr Configuration, Next: Dirmngr Signals, Prev: Dirmngr Options, Up: Invoking DIRMNGR\n" }, { "name": "3.3 Configuration", "content": "Dirmngr makes use of several directories when running in daemon mode:\nThere are a few configuration files whih control the operation of\ndirmngr. By default they may all be found in the current home directory\n(*note option --homedir::).\n\n'dirmngr.conf'\nThis is the standard configuration file read by 'dirmngr' on\nstartup. It may contain any valid long option; the leading two\ndashes may not be entered and the option may not be abbreviated.\nThis file is also read after a 'SIGHUP' however not all options\nwill actually have an effect. This default name may be changed on\nthe command line (*note option --options::). You should backup\nthis file.\n\n'/etc/gnupg/trusted-certs'\nThis directory should be filled with certificates of Root CAs you\nare trusting in checking the CRLs and signing OCSP Responses.\n\nUsually these are the same certificates you use with the\napplications making use of dirmngr. It is expected that each of\nthese certificate files contain exactly one DER encoded certificate\nin a file with the suffix '.crt' or '.der'. 'dirmngr' reads those\ncertificates on startup and when given a SIGHUP. Certificates which\nare not readable or do not make up a proper X.509 certificate are\nignored; see the log file for details.\n\nApplications using dirmngr (e.g. gpgsm) can request these\ncertificates to complete a trust chain in the same way as with the\nextra-certs directory (see below).\n\nNote that for OCSP responses the certificate specified using the\noption '--ocsp-signer' is always considered valid to sign OCSP\nrequests.\n\n'/etc/gnupg/extra-certs'\nThis directory may contain extra certificates which are preloaded\ninto the internal cache on startup. Applications using dirmngr\n(e.g. gpgsm) can request cached certificates to complete a trust\nchain. This is convenient in cases you have a couple intermediate\nCA certificates or certificates usually used to sign OCSP\nresponses. These certificates are first tried before going out to\nthe net to look for them. These certificates must also be DER\nencoded and suffixed with '.crt' or '.der'.\n\n'~/.gnupg/crls.d'\nThis directory is used to store cached CRLs. The 'crls.d' part\nwill be created by dirmngr if it does not exists but you need to\nmake sure that the upper directory exists.\n\nTo be able to see what's going on you should create the configure\nfile '~/gnupg/dirmngr.conf' with at least one line:\n\nlog-file ~/dirmngr.log\n\nTo be able to perform OCSP requests you probably want to add the\nline:\n\nallow-ocsp\n\nTo make sure that new options are read and that after the\ninstallation of a new GnuPG versions the installed dirmngr is running,\nyou may want to kill an existing dirmngr first:\n\ngpgconf --kill dirmngr\n\nYou may check the log file to see whether all desired root\ncertificates have been loaded correctly.\n\nFile: gnupg.info, Node: Dirmngr Signals, Next: Dirmngr Examples, Prev: Dirmngr Configuration, Up: Invoking DIRMNGR\n" }, { "name": "3.4 Use of signals", "content": "A running 'dirmngr' may be controlled by signals, i.e. using the 'kill'\ncommand to send a signal to the process.\n\nHere is a list of supported signals:\n\n'SIGHUP'\nThis signal flushes all internally cached CRLs as well as any\ncached certificates. Then the certificate cache is reinitialized\nas on startup. Options are re-read from the configuration file.\nInstead of sending this signal it is better to use\ngpgconf --reload dirmngr\n\n'SIGTERM'\nShuts down the process but waits until all current requests are\nfulfilled. If the process has received 3 of these signals and\nrequests are still pending, a shutdown is forced. You may also use\ngpgconf --kill dirmngr\ninstead of this signal\n\n'SIGINT'\nShuts down the process immediately.\n\n'SIGUSR1'\nThis prints some caching statistics to the log file.\n\nFile: gnupg.info, Node: Dirmngr Examples, Next: Dirmngr Protocol, Prev: Dirmngr Signals, Up: Invoking DIRMNGR\n" }, { "name": "3.5 Examples", "content": "Here is an example on how to show dirmngr's internal table of OpenPGP\nkeyserver addresses. The output is intended for debugging purposes and\nnot part of a defined API.\n\ngpg-connect-agent --dirmngr 'keyserver --hosttable' /bye\n\nTo inhibit the use of a particular host you have noticed in one of\nthe keyserver pools, you may use\n\ngpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye\n\nThe description of the 'keyserver' command can be printed using\n\ngpg-connect-agent --dirmngr 'help keyserver' /bye\n\nFile: gnupg.info, Node: Dirmngr Protocol, Prev: Dirmngr Examples, Up: Invoking DIRMNGR\n" }, { "name": "3.6 Dirmngr's Assuan Protocol", "content": "Assuan is the IPC protocol used to access dirmngr. This is a\ndescription of the commands implemented by dirmngr.\n\n* Menu:\n\n* Dirmngr LOOKUP:: Look up a certificate via LDAP\n* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP.\n* Dirmngr CHECKCRL:: Validate a certificate using a CRL.\n* Dirmngr CHECKOCSP:: Validate a certificate using OCSP.\n* Dirmngr CACHECERT:: Put a certificate into the internal cache.\n* Dirmngr VALIDATE:: Validate a certificate for debugging.\n\nFile: gnupg.info, Node: Dirmngr LOOKUP, Next: Dirmngr ISVALID, Up: Dirmngr Protocol\n\n\nLookup certificate. To allow multiple patterns (which are ORed) quoting\nis required: Spaces are to be translated into \"+\" or into \"%20\";\nobviously this requires that the usual escape quoting rules are applied.\nThe server responds with:\n\nS: D \nS: END\nS: D \nS: END\nS: OK\n\nIn this example 2 certificates are returned. The server may return\nany number of certificates; OK will also be returned when no\ncertificates were found. The dirmngr might return a status line\n\nS: S TRUNCATED \n\nTo indicate that the output was truncated to N items due to a\nlimitation of the server or by an arbitrary set limit.\n\nThe option '--url' may be used if instead of a search pattern a\ncomplete URL to the certificate is known:\n\nC: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate\n\nIf the option '--cache-only' is given, no external lookup is done so\nthat only certificates from the cache are returned.\n\nWith the option '--single', the first and only the first match will\nbe returned. Unless option '--cache-only' is also used, no local lookup\nwill be done in this case.\n\nFile: gnupg.info, Node: Dirmngr ISVALID, Next: Dirmngr CHECKCRL, Prev: Dirmngr LOOKUP, Up: Dirmngr Protocol\n\n\nISVALID [--only-ocsp] [--force-default-responder] CERTID|CERTFPR\n\nCheck whether the certificate described by the CERTID has been\nrevoked. Due to caching, the Dirmngr is able to answer immediately in\nmost cases.\n\nThe CERTID is a hex encoded string consisting of two parts, delimited\nby a single dot. The first part is the SHA-1 hash of the issuer name\nand the second part the serial number.\n\nAlternatively the certificate's SHA-1 fingerprint CERTFPR may be\ngiven in which case an OCSP request is done before consulting the CRL.\nIf the option '--only-ocsp' is given, no fallback to a CRL check will be\nused. If the option '--force-default-responder' is given, only the\ndefault OCSP responder will be used and any other methods of obtaining\nan OCSP responder URL won't be used.\n\nCommon return values are:\n\n'GPGERRNOERROR (0)'\nThis is the positive answer: The certificate is not revoked and we\nhave an up-to-date revocation list for that certificate. If OCSP\nwas used the responder confirmed that the certificate has not been\nrevoked.\n\n'GPGERRCERTREVOKED'\nThis is the negative answer: The certificate has been revoked.\nEither it is in a CRL and that list is up to date or an OCSP\nresponder informed us that it has been revoked.\n\n'GPGERRNOCRLKNOWN'\nNo CRL is known for this certificate or the CRL is not valid or out\nof date.\n\n'GPGERRNODATA'\nThe OCSP responder returned an \"unknown\" status. This means that\nit is not aware of the certificate's status.\n\n'GPGERRNOTSUPPORTED'\nThis is commonly seen if OCSP support has not been enabled in the\nconfiguration.\n\nIf DirMngr has not enough information about the given certificate\n(which is the case for not yet cached certificates), it will inquire the\nmissing data:\n\nS: INQUIRE SENDCERT \nC: D \nC: END\n\nA client should be aware that DirMngr may ask for more than one\ncertificate.\n\nIf Dirmngr has a certificate but the signature of the certificate\ncould not been validated because the root certificate is not known to\ndirmngr as trusted, it may ask back to see whether the client trusts\nthis the root certificate:\n\nS: INQUIRE ISTRUSTED \nC: D 1\nC: END\n\nOnly this answer will let Dirmngr consider the certificate as valid.\n\nFile: gnupg.info, Node: Dirmngr CHECKCRL, Next: Dirmngr CHECKOCSP, Prev: Dirmngr ISVALID, Up: Dirmngr Protocol\n\n\nCheck whether the certificate with FINGERPRINT (SHA-1 hash of the entire\nX.509 certificate blob) is valid or not by consulting the CRL\nresponsible for this certificate. If the fingerprint has not been given\nor the certificate is not known, the function inquires the certificate\nusing:\n\nS: INQUIRE TARGETCERT\nC: D \nC: END\n\nThus the caller is expected to return the certificate for the request\n(which should match FINGERPRINT) as a binary blob. Processing then\ntakes place without further interaction; in particular dirmngr tries to\nlocate other required certificate by its own mechanism which includes a\nlocal certificate store as well as a list of trusted root certificates.\n\nThe return code is 0 for success; i.e. the certificate has not been\nrevoked or one of the usual error codes from libgpg-error.\n\nFile: gnupg.info, Node: Dirmngr CHECKOCSP, Next: Dirmngr CACHECERT, Prev: Dirmngr CHECKCRL, Up: Dirmngr Protocol\n\n\nCHECKOCSP [--force-default-responder] [FINGERPRINT]\n\nCheck whether the certificate with FINGERPRINT (the SHA-1 hash of the\nentire X.509 certificate blob) is valid by consulting the appropriate\nOCSP responder. If the fingerprint has not been given or the\ncertificate is not known by Dirmngr, the function inquires the\ncertificate using:\n\nS: INQUIRE TARGETCERT\nC: D \nC: END\n\nThus the caller is expected to return the certificate for the request\n(which should match FINGERPRINT) as a binary blob. Processing then\ntakes place without further interaction; in particular dirmngr tries to\nlocate other required certificates by its own mechanism which includes a\nlocal certificate store as well as a list of trusted root certificates.\n\nIf the option '--force-default-responder' is given, only the default\nOCSP responder is used. This option is the per-command variant of the\nglobal option '--ignore-ocsp-service-url'.\n\nThe return code is 0 for success; i.e. the certificate has not been\nrevoked or one of the usual error codes from libgpg-error.\n\nFile: gnupg.info, Node: Dirmngr CACHECERT, Next: Dirmngr VALIDATE, Prev: Dirmngr CHECKOCSP, Up: Dirmngr Protocol\n\n\nPut a certificate into the internal cache. This command might be useful\nif a client knows in advance certificates required for a test and wants\nto make sure they get added to the internal cache. It is also helpful\nfor debugging. To get the actual certificate, this command immediately\ninquires it using\n\nS: INQUIRE TARGETCERT\nC: D \nC: END\n\nThus the caller is expected to return the certificate for the request\nas a binary blob.\n\nThe return code is 0 for success; i.e. the certificate has not been\nsuccessfully cached or one of the usual error codes from libgpg-error.\n\nFile: gnupg.info, Node: Dirmngr VALIDATE, Prev: Dirmngr CACHECERT, Up: Dirmngr Protocol\n\n\nValidate a certificate using the certificate validation function used\ninternally by dirmngr. This command is only useful for debugging. To\nget the actual certificate, this command immediately inquires it using\n\nS: INQUIRE TARGETCERT\nC: D \nC: END\n\nThus the caller is expected to return the certificate for the request\nas a binary blob.\n\nFile: gnupg.info, Node: Invoking GPG, Next: Invoking GPGSM, Prev: Invoking DIRMNGR, Up: Top\n" } ] }, "4 Invoking GPG": { "content": "'gpg' is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool\nto provide digital encryption and signing services using the OpenPGP\nstandard. 'gpg' features complete key management and all the bells and\nwhistles you would expect from a full OpenPGP implementation.\n\nThere are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG\n2.x supports modern encryption algorithms and thus should be preferred\nover GnuPG 1.x. You only need to use GnuPG 1.x if your platform doesn't\nsupport GnuPG 2.x, or you need support for some features that GnuPG 2.x\nhas deprecated, e.g., decrypting data created with PGP-2 keys.\n\nIf you are looking for version 1 of GnuPG, you may find that version\ninstalled under the name 'gpg1'.\n\n*Note Option Index::, for an index to 'gpg''s commands and options.\n\n* Menu:\n\n* GPG Commands:: List of all commands.\n* GPG Options:: List of all options.\n* GPG Configuration:: Configuration files.\n* GPG Examples:: Some usage examples.\n\nDeveloper information:\n* Unattended Usage of GPG:: Using 'gpg' from other programs.\n\nFile: gnupg.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG\n", "subsections": [ { "name": "4.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed. Generally speaking, irrelevant options are\nsilently ignored, and may not be checked for correctness.\n\n'gpg' may be run with no commands. In this case it will print a\nwarning perform a reasonable action depending on the type of file it is\ngiven as input (an encrypted message is decrypted, a signature is\nverified, a file containing keys is listed, etc.).\n\nIf you run into any problems, please add the option '--verbose' to\nthe invocation to see more diagnostics.\n\n* Menu:\n\n* General GPG Commands:: Commands not specific to the functionality.\n* Operational GPG Commands:: Commands to select the type of operation.\n* OpenPGP Key Management:: How to manage your keys.\n\nFile: gnupg.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands\n\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help'\n'-h'\nPrint a usage message summarizing the most useful command-line\noptions. Note that you cannot arbitrarily abbreviate this command\n(though you can use its short form '-h').\n\n'--warranty'\nPrint warranty information.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\nFile: gnupg.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands\n\n\n'--sign'\n'-s'\nSign a message. This command may be combined with '--encrypt' (to\nsign and encrypt a message), '--symmetric' (to sign and\nsymmetrically encrypt a message), or both '--encrypt' and\n'--symmetric' (to sign and encrypt a message that can be decrypted\nusing a secret key or a passphrase). The signing key is chosen by\ndefault or can be set explicitly using the '--local-user' and\n'--default-key' options.\n\n'--clear-sign'\n'--clearsign'\nMake a cleartext signature. The content in a cleartext signature\nis readable without any special software. OpenPGP software is only\nneeded to verify the signature. cleartext signatures may modify\nend-of-line whitespace for platform independence and are not\nintended to be reversible. The signing key is chosen by default or\ncan be set explicitly using the '--local-user' and '--default-key'\noptions.\n\n'--detach-sign'\n'-b'\nMake a detached signature.\n\n'--encrypt'\n'-e'\nEncrypt data to one or more public keys. This command may be\ncombined with '--sign' (to sign and encrypt a message),\n'--symmetric' (to encrypt a message that can be decrypted using a\nsecret key or a passphrase), or '--sign' and '--symmetric' together\n(for a signed message that can be decrypted using a secret key or a\npassphrase). '--recipient' and related options specify which\npublic keys to use for encryption.\n\n'--symmetric'\n'-c'\nEncrypt with a symmetric cipher using a passphrase. The default\nsymmetric cipher used is AES-128, but may be chosen with the\n'--cipher-algo' option. This command may be combined with '--sign'\n(for a signed and symmetrically encrypted message), '--encrypt'\n(for a message that may be decrypted via a secret key or a\npassphrase), or '--sign' and '--encrypt' together (for a signed\nmessage that may be decrypted via a secret key or a passphrase).\n'gpg' caches the passphrase used for symmetric encryption so that a\ndecrypt operation may not require that the user needs to enter the\npassphrase. The option '--no-symkey-cache' can be used to disable\nthis feature.\n\n'--store'\nStore only (make a simple literal data packet).\n\n'--decrypt'\n'-d'\nDecrypt the file given on the command line (or STDIN if no file is\nspecified) and write it to STDOUT (or the file specified with\n'--output'). If the decrypted file is signed, the signature is\nalso verified. This command differs from the default operation, as\nit never writes to the filename which is included in the file and\nit rejects files that don't begin with an encrypted message.\n\n'--verify'\nAssume that the first argument is a signed file and verify it\nwithout generating any output. With no arguments, the signature\npacket is read from STDIN. If only one argument is given, the\nspecified file is expected to include a complete signature.\n\nWith more than one argument, the first argument should specify a\nfile with a detached signature and the remaining files should\ncontain the signed data. To read the signed data from STDIN, use\n'-' as the second filename. For security reasons, a detached\nsignature will not read the signed material from STDIN if not\nexplicitly specified.\n\nNote: If the option '--batch' is not used, 'gpg' may assume that a\nsingle argument is a file with a detached signature, and it will\ntry to find a matching data file by stripping certain suffixes.\nUsing this historical feature to verify a detached signature is\nstrongly discouraged; you should always specify the data file\nexplicitly.\n\nNote: When verifying a cleartext signature, 'gpg' verifies only\nwhat makes up the cleartext signed data and not any extra data\noutside of the cleartext signature or the header lines directly\nfollowing the dash marker line. The option '--output' may be used\nto write out the actual signed data, but there are other pitfalls\nwith this format as well. It is suggested to avoid cleartext\nsignatures in favor of detached signatures.\n\nNote: Sometimes the use of the 'gpgv' tool is easier than using the\nfull-fledged 'gpg' with this option. 'gpgv' is designed to compare\nsigned data against a list of trusted keys and returns with success\nonly for a good signature. It has its own manual page.\n\n'--multifile'\nThis modifies certain other commands to accept multiple files for\nprocessing on the command line or read from STDIN with each\nfilename on a separate line. This allows for many files to be\nprocessed at once. '--multifile' may currently be used along with\n'--verify', '--encrypt', and '--decrypt'. Note that '--multifile\n--verify' may not be used with detached signatures.\n\n'--verify-files'\nIdentical to '--multifile --verify'.\n\n'--encrypt-files'\nIdentical to '--multifile --encrypt'.\n\n'--decrypt-files'\nIdentical to '--multifile --decrypt'.\n\n'--list-keys'\n'-k'\n'--list-public-keys'\nList the specified keys. If no keys are specified, then all keys\nfrom the configured public keyrings are listed.\n\nNever use the output of this command in scripts or other programs.\nThe output is intended only for humans and its format is likely to\nchange. The '--with-colons' option emits the output in a stable,\nmachine-parseable format, which is intended for use by scripts and\nother programs.\n\n'--list-secret-keys'\n'-K'\nList the specified secret keys. If no keys are specified, then all\nknown secret keys are listed. A '#' after the initial tags 'sec'\nor 'ssb' means that the secret key or subkey is currently not\nusable. We also say that this key has been taken offline (for\nexample, a primary key can be taken offline by exporting the key\nusing the command '--export-secret-subkeys'). A '>' after these\ntags indicate that the key is stored on a smartcard. See also\n'--list-keys'.\n\n'--check-signatures'\n'--check-sigs'\nSame as '--list-keys', but the key signatures are verified and\nlisted too. Note that for performance reasons the revocation\nstatus of a signing key is not shown. This command has the same\neffect as using '--list-keys' with '--with-sig-check'.\n\nThe status of the verification is indicated by a flag directly\nfollowing the \"sig\" tag (and thus before the flags described below.\nA \"!\" indicates that the signature has been successfully verified,\na \"-\" denotes a bad signature and a \"%\" is used if an error\noccurred while checking the signature (e.g. a non supported\nalgorithm). Signatures where the public key is not available are\nnot listed; to see their keyids the command '--list-sigs' can be\nused.\n\nFor each signature listed, there are several flags in between the\nsignature status flag and keyid. These flags give additional\ninformation about each key signature. From left to right, they are\nthe numbers 1-3 for certificate check level (see\n'--ask-cert-level'), \"L\" for a local or non-exportable signature\n(see '--lsign-key'), \"R\" for a nonRevocable signature (see the\n'--edit-key' command \"nrsign\"), \"P\" for a signature that contains a\npolicy URL (see '--cert-policy-url'), \"N\" for a signature that\ncontains a notation (see '--cert-notation'), \"X\" for an eXpired\nsignature (see '--ask-cert-expire'), and the numbers 1-9 or \"T\" for\n10 and above to indicate trust signature levels (see the\n'--edit-key' command \"tsign\").\n\n'--locate-keys'\n'--locate-external-keys'\nLocate the keys given as arguments. This command basically uses\nthe same algorithm as used when locating keys for encryption or\nsigning and may thus be used to see what keys 'gpg' might use. In\nparticular external methods as defined by '--auto-key-locate' may\nbe used to locate a key. Only public keys are listed. The variant\n'--locate-external-keys' does not consider a locally existing key\nand can thus be used to force the refresh of a key via the defined\nexternal methods.\n\n'--show-keys'\nThis commands takes OpenPGP keys as input and prints information\nabout them in the same way the command '--list-keys' does for\nlocally stored key. In addition the list options\n'show-unusable-uids', 'show-unusable-subkeys', 'show-notations' and\n'show-policy-urls' are also enabled. As usual for automated\nprocessing, this command should be combined with the option\n'--with-colons'.\n\n'--fingerprint'\nList all keys (or the specified ones) along with their\nfingerprints. This is the same output as '--list-keys' but with\nthe additional output of a line with the fingerprint. May also be\ncombined with '--check-signatures'. If this command is given\ntwice, the fingerprints of all secondary keys are listed too. This\ncommand also forces pretty printing of fingerprints if the keyid\nformat has been set to \"none\".\n\n'--list-packets'\nList only the sequence of packets. This command is only useful for\ndebugging. When used with option '--verbose' the actual MPI values\nare dumped and not only their lengths. Note that the output of\nthis command may change with new releases.\n\n'--edit-card'\n'--card-edit'\nPresent a menu to work with a smartcard. The subcommand \"help\"\nprovides an overview on available commands. For a detailed\ndescription, please see the Card HOWTO at\nhttps://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .\n\n'--card-status'\nShow the content of the smart card.\n\n'--change-pin'\nPresent a menu to allow changing the PIN of a smartcard. This\nfunctionality is also available as the subcommand \"passwd\" with the\n'--edit-card' command.\n\n'--delete-keys NAME'\nRemove key from the public keyring. In batch mode either '--yes'\nis required or the key must be specified by fingerprint. This is a\nsafeguard against accidental deletion of multiple keys. If the\nexclamation mark syntax is used with the fingerprint of a subkey\nonly that subkey is deleted; if the exclamation mark is used with\nthe fingerprint of the primary key the entire public key is\ndeleted.\n\n'--delete-secret-keys NAME'\nRemove key from the secret keyring. In batch mode the key must be\nspecified by fingerprint. The option '--yes' can be used to advise\ngpg-agent not to request a confirmation. This extra pre-caution is\ndone because 'gpg' can't be sure that the secret key (as controlled\nby gpg-agent) is only used for the given OpenPGP public key. If\nthe exclamation mark syntax is used with the fingerprint of a\nsubkey only the secret part of that subkey is deleted; if the\nexclamation mark is used with the fingerprint of the primary key\nonly the secret part of the primary key is deleted.\n\n'--delete-secret-and-public-key NAME'\nSame as '--delete-key', but if a secret key exists, it will be\nremoved first. In batch mode the key must be specified by\nfingerprint. The option '--yes' can be used to advise gpg-agent\nnot to request a confirmation.\n\n'--export'\nEither export all keys from all keyrings (default keyrings and\nthose registered via option '--keyring'), or if at least one name\nis given, those of the given name. The exported keys are written\nto STDOUT or to the file given with option '--output'. Use\ntogether with '--armor' to mail those keys.\n\n'--send-keys KEYIDS'\nSimilar to '--export' but sends the keys to a keyserver.\nFingerprints may be used instead of key IDs. Don't send your\ncomplete keyring to a keyserver -- select only those keys which are\nnew or changed by you. If no KEYIDS are given, 'gpg' does nothing.\n\nTake care: Keyservers are by design write only systems and thus it\nis not possible to ever delete keys once they have been send to a\nkeyserver.\n\n'--export-secret-keys'\n'--export-secret-subkeys'\nSame as '--export', but exports the secret keys instead. The\nexported keys are written to STDOUT or to the file given with\noption '--output'. This command is often used along with the\noption '--armor' to allow for easy printing of the key for paper\nbackup; however the external tool 'paperkey' does a better job of\ncreating backups on paper. Note that exporting a secret key can be\na security risk if the exported keys are sent over an insecure\nchannel.\n\nThe second form of the command has the special property to render\nthe secret part of the primary key useless; this is a GNU extension\nto OpenPGP and other implementations can not be expected to\nsuccessfully import such a key. Its intended use is in generating\na full key with an additional signing subkey on a dedicated\nmachine. This command then exports the key without the primary key\nto the main machine.\n\nGnuPG may ask you to enter the passphrase for the key. This is\nrequired, because the internal protection method of the secret key\nis different from the one specified by the OpenPGP protocol.\n\n'--export-ssh-key'\nThis command is used to export a key in the OpenSSH public key\nformat. It requires the specification of one key by the usual\nmeans and exports the latest valid subkey which has an\nauthentication capability to STDOUT or to the file given with\noption '--output'. That output can directly be added to ssh's\n'authorizedkey' file.\n\nBy specifying the key to export using a key ID or a fingerprint\nsuffixed with an exclamation mark (!), a specific subkey or the\nprimary key can be exported. This does not even require that the\nkey has the authentication capability flag set.\n\n'--import'\n'--fast-import'\nImport/merge keys. This adds the given keys to the keyring. The\nfast version is currently just a synonym.\n\nThere are a few other options which control how this command works.\nMost notable here is the '--import-options merge-only' option which\ndoes not insert new keys but does only the merging of new\nsignatures, user-IDs and subkeys.\n\n'--receive-keys KEYIDS'\n'--recv-keys KEYIDS'\nImport the keys with the given KEYIDS from a keyserver.\n\n'--refresh-keys'\nRequest updates from a keyserver for keys that already exist on the\nlocal keyring. This is useful for updating a key with the latest\nsignatures, user IDs, etc. Calling this with no arguments will\nrefresh the entire keyring.\n\n'--search-keys NAMES'\nSearch the keyserver for the given NAMES. Multiple names given\nhere will be joined together to create the search string for the\nkeyserver. Note that keyservers search for NAMES in a different\nand simpler way than gpg does. The best choice is to use a mail\naddress. Due to data privacy reasons keyservers may even not even\nallow searching by user id or mail address and thus may only return\nresults when being used with the '--recv-key' command to search by\nkey fingerprint or keyid.\n\n'--fetch-keys URIS'\nRetrieve keys located at the specified URIS. Note that different\ninstallations of GnuPG may support different protocols (HTTP, FTP,\nLDAP, etc.). When using HTTPS the system provided root\ncertificates are used by this command.\n\n'--update-trustdb'\nDo trust database maintenance. This command iterates over all keys\nand builds the Web of Trust. This is an interactive command\nbecause it may have to ask for the \"ownertrust\" values for keys.\nThe user has to give an estimation of how far she trusts the owner\nof the displayed key to correctly certify (sign) other keys. GnuPG\nonly asks for the ownertrust value if it has not yet been assigned\nto a key. Using the '--edit-key' menu, the assigned value can be\nchanged at any time.\n\n'--check-trustdb'\nDo trust database maintenance without user interaction. From time\nto time the trust database must be updated so that expired keys or\nsignatures and the resulting changes in the Web of Trust can be\ntracked. Normally, GnuPG will calculate when this is required and\ndo it automatically unless '--no-auto-check-trustdb' is set. This\ncommand can be used to force a trust database check at any time.\nThe processing is identical to that of '--update-trustdb' but it\nskips keys with a not yet defined \"ownertrust\".\n\nFor use with cron jobs, this command can be used together with\n'--batch' in which case the trust database check is done only if a\ncheck is needed. To force a run even in batch mode add the option\n'--yes'.\n\n'--export-ownertrust'\nSend the ownertrust values to STDOUT. This is useful for backup\npurposes as these values are the only ones which can't be\nre-created from a corrupted trustdb. Example:\ngpg --export-ownertrust > otrust.txt\n\n'--import-ownertrust'\nUpdate the trustdb with the ownertrust values stored in 'files' (or\nSTDIN if not given); existing values will be overwritten. In case\nof a severely damaged trustdb and if you have a recent backup of\nthe ownertrust values (e.g. in the file 'otrust.txt'), you may\nre-create the trustdb using these commands:\ncd ~/.gnupg\nrm trustdb.gpg\ngpg --import-ownertrust < otrust.txt\n\n'--rebuild-keydb-caches'\nWhen updating from version 1.0.6 to 1.0.7 this command should be\nused to create signature caches in the keyring. It might be handy\nin other situations too.\n\n'--print-md ALGO'\n'--print-mds'\nPrint message digest of algorithm ALGO for all given files or\nSTDIN. With the second form (or a deprecated \"*\" for ALGO) digests\nfor all available algorithms are printed.\n\n'--gen-random 0|1|2 COUNT'\nEmit COUNT random bytes of the given quality level 0, 1 or 2. If\nCOUNT is not given or zero, an endless sequence of random bytes\nwill be emitted. If used with '--armor' the output will be base64\nencoded. PLEASE, don't use this command unless you know what you\nare doing; it may remove precious entropy from the system!\n\n'--gen-prime MODE BITS'\nUse the source, Luke :-). The output format is subject to change\nwith ant release.\n\n'--enarmor'\n'--dearmor'\nPack or unpack an arbitrary input into/from an OpenPGP ASCII armor.\nThis is a GnuPG extension to OpenPGP and in general not very\nuseful.\n\n'--tofu-policy {auto|good|unknown|bad|ask} KEYS'\nSet the TOFU policy for all the bindings associated with the\nspecified KEYS. For more information about the meaning of the\npolicies, *note trust-model-tofu::. The KEYS may be specified\neither by their fingerprint (preferred) or their keyid.\n\nFile: gnupg.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands\n\n\nThis section explains the main commands for key management.\n\n'--quick-generate-key USER-ID [ALGO [USAGE [EXPIRE]]]'\n'--quick-gen-key'\nThis is a simple command to generate a standard key with one user\nid. In contrast to '--generate-key' the key is generated directly\nwithout the need to answer a bunch of prompts. Unless the option\n'--yes' is given, the key creation will be canceled if the given\nuser id already exists in the keyring.\n\nIf invoked directly on the console without any special options an\nanswer to a \"Continue?\" style confirmation prompt is required. In\ncase the user id already exists in the keyring a second prompt to\nforce the creation of the key will show up.\n\nIf ALGO or USAGE are given, only the primary key is created and no\nprompts are shown. To specify an expiration date but still create\na primary and subkey use \"default\" or \"future-default\" for ALGO and\n\"default\" for USAGE. For a description of these optional arguments\nsee the command '--quick-add-key'. The USAGE accepts also the\nvalue \"cert\" which can be used to create a certification only\nprimary key; the default is to a create certification and signing\nkey.\n\nThe EXPIRE argument can be used to specify an expiration date for\nthe key. Several formats are supported; commonly the ISO formats\n\"YYYY-MM-DD\" or \"YYYYMMDDThhmmss\" are used. To make the key expire\nin N seconds, N days, N weeks, N months, or N years use\n\"seconds=N\", \"Nd\", \"Nw\", \"Nm\", or \"Ny\" respectively. Not\nspecifying a value, or using \"-\" results in a key expiring in a\nreasonable default interval. The values \"never\", \"none\" can be\nused for no expiration date.\n\nIf this command is used with '--batch', '--pinentry-mode' has been\nset to 'loopback', and one of the passphrase options\n('--passphrase', '--passphrase-fd', or 'passphrase-file') is used,\nthe supplied passphrase is used for the new key and the agent does\nnot ask for it. To create a key without any protection\n'--passphrase ''' may be used.\n\nTo create an OpenPGP key from the keys available on the currently\ninserted smartcard, the special string \"card\" can be used for ALGO.\nIf the card features an encryption and a signing key, gpg will\nfigure them out and creates an OpenPGP key consisting of the usual\nprimary key and one subkey. This works only with certain\nsmartcards. Note that the interactive '--full-gen-key' command\nallows to do the same but with greater flexibility in the selection\nof the smartcard keys.\n\nNote that it is possible to create a primary key and a subkey using\nnon-default algorithms by using \"default\" and changing the default\nparameters using the option '--default-new-key-algo'.\n\n'--quick-set-expire FPR EXPIRE [*|SUBFPRS]'\nWith two arguments given, directly set the expiration time of the\nprimary key identified by FPR to EXPIRE. To remove the expiration\ntime '0' can be used. With three arguments and the third given as\nan asterisk, the expiration time of all non-revoked and not yet\nexpired subkeys are set to EXPIRE. With more than two arguments\nand a list of fingerprints given for SUBFPRS, all non-revoked\nsubkeys matching these fingerprints are set to EXPIRE.\n\n'--quick-add-key FPR [ALGO [USAGE [EXPIRE]]]'\nDirectly add a subkey to the key identified by the fingerprint FPR.\nWithout the optional arguments an encryption subkey is added. If\nany of the arguments are given a more specific subkey is added.\n\nALGO may be any of the supported algorithms or curve names given in\nthe format as used by key listings. To use the default algorithm\nthe string \"default\" or \"-\" can be used. Supported algorithms are\n\"rsa\", \"dsa\", \"elg\", \"ed25519\", \"cv25519\", and other ECC curves.\nFor example the string \"rsa\" adds an RSA key with the default key\nlength; a string \"rsa4096\" requests that the key length is 4096\nbits. The string \"future-default\" is an alias for the algorithm\nwhich will likely be used as default algorithm in future versions\nof gpg. To list the supported ECC curves the command 'gpg\n--with-colons --list-config curve' can be used.\n\nDepending on the given ALGO the subkey may either be an encryption\nsubkey or a signing subkey. If an algorithm is capable of signing\nand encryption and such a subkey is desired, a USAGE string must be\ngiven. This string is either \"default\" or \"-\" to keep the default\nor a comma delimited list (or space delimited list) of keywords:\n\"sign\" for a signing subkey, \"auth\" for an authentication subkey,\nand \"encr\" for an encryption subkey (\"encrypt\" can be used as alias\nfor \"encr\"). The valid combinations depend on the algorithm.\n\nThe EXPIRE argument can be used to specify an expiration date for\nthe key. Several formats are supported; commonly the ISO formats\n\"YYYY-MM-DD\" or \"YYYYMMDDThhmmss\" are used. To make the key expire\nin N seconds, N days, N weeks, N months, or N years use\n\"seconds=N\", \"Nd\", \"Nw\", \"Nm\", or \"Ny\" respectively. Not\nspecifying a value, or using \"-\" results in a key expiring in a\nreasonable default interval. The values \"never\", \"none\" can be\nused for no expiration date.\n\n'--generate-key'\n'--gen-key'\nGenerate a new key pair using the current default parameters. This\nis the standard command to create a new key. In addition to the\nkey a revocation certificate is created and stored in the\n'openpgp-revocs.d' directory below the GnuPG home directory.\n\n'--full-generate-key'\n'--full-gen-key'\nGenerate a new key pair with dialogs for all options. This is an\nextended version of '--generate-key'.\n\nThere is also a feature which allows you to create keys in batch\nmode. See the manual section \"Unattended key generation\" on how to\nuse this.\n\n'--generate-revocation NAME'\n'--gen-revoke NAME'\nGenerate a revocation certificate for the complete key. To only\nrevoke a subkey or a key signature, use the '--edit' command.\n\nThis command merely creates the revocation certificate so that it\ncan be used to revoke the key if that is ever needed. To actually\nrevoke a key the created revocation certificate needs to be merged\nwith the key to revoke. This is done by importing the revocation\ncertificate using the '--import' command. Then the revoked key\nneeds to be published, which is best done by sending the key to a\nkeyserver (command '--send-key') and by exporting ('--export') it\nto a file which is then send to frequent communication partners.\n\n'--generate-designated-revocation NAME'\n'--desig-revoke NAME'\nGenerate a designated revocation certificate for a key. This\nallows a user (with the permission of the keyholder) to revoke\nsomeone else's key.\n\n'--edit-key'\nPresent a menu which enables you to do most of the key management\nrelated tasks. It expects the specification of a key on the\ncommand line.\n\nuid N\nToggle selection of user ID or photographic user ID with index\nN. Use '*' to select all and '0' to deselect all.\n\nkey N\nToggle selection of subkey with index N or key ID N. Use '*'\nto select all and '0' to deselect all.\n\nsign\nMake a signature on key of user 'name'. If the key is not yet\nsigned by the default user (or the users given with '-u'), the\nprogram displays the information of the key again, together\nwith its fingerprint and asks whether it should be signed.\nThis question is repeated for all users specified with '-u'.\n\nlsign\nSame as \"sign\" but the signature is marked as non-exportable\nand will therefore never be used by others. This may be used\nto make keys valid only in the local environment.\n\nnrsign\nSame as \"sign\" but the signature is marked as non-revocable\nand can therefore never be revoked.\n\ntsign\nMake a trust signature. This is a signature that combines the\nnotions of certification (like a regular signature), and trust\n(like the \"trust\" command). It is generally only useful in\ndistinct communities or groups. For more information please\nread the sections \"Trust Signature\" and \"Regular Expression\"\nin RFC-4880.\n\nNote that \"l\" (for local / non-exportable), \"nr\" (for\nnon-revocable, and \"t\" (for trust) may be freely mixed and prefixed\nto \"sign\" to create a signature of any type desired.\n\nIf the option '--only-sign-text-ids' is specified, then any\nnon-text based user ids (e.g., photo IDs) will not be selected for\nsigning.\n\ndelsig\nDelete a signature. Note that it is not possible to retract a\nsignature, once it has been send to the public (i.e. to a\nkeyserver). In that case you better use 'revsig'.\n\nrevsig\nRevoke a signature. For every signature which has been\ngenerated by one of the secret keys, GnuPG asks whether a\nrevocation certificate should be generated.\n\ncheck\nCheck the signatures on all selected user IDs. With the extra\noption 'selfsig' only self-signatures are shown.\n\nadduid\nCreate an additional user ID.\n\naddphoto\nCreate a photographic user ID. This will prompt for a JPEG\nfile that will be embedded into the user ID. Note that a very\nlarge JPEG will make for a very large key. Also note that\nsome programs will display your JPEG unchanged (GnuPG), and\nsome programs will scale it to fit in a dialog box (PGP).\n\nshowphoto\nDisplay the selected photographic user ID.\n\ndeluid\nDelete a user ID or photographic user ID. Note that it is not\npossible to retract a user id, once it has been send to the\npublic (i.e. to a keyserver). In that case you better use\n'revuid'.\n\nrevuid\nRevoke a user ID or photographic user ID.\n\nprimary\nFlag the current user id as the primary one, removes the\nprimary user id flag from all other user ids and sets the\ntimestamp of all affected self-signatures one second ahead.\nNote that setting a photo user ID as primary makes it primary\nover other photo user IDs, and setting a regular user ID as\nprimary makes it primary over other regular user IDs.\n\nkeyserver\nSet a preferred keyserver for the specified user ID(s). This\nallows other users to know where you prefer they get your key\nfrom. See '--keyserver-options honor-keyserver-url' for more\non how this works. Setting a value of \"none\" removes an\nexisting preferred keyserver.\n\nnotation\nSet a name=value notation for the specified user ID(s). See\n'--cert-notation' for more on how this works. Setting a value\nof \"none\" removes all notations, setting a notation prefixed\nwith a minus sign (-) removes that notation, and setting a\nnotation name (without the =value) prefixed with a minus sign\nremoves all notations with that name.\n\npref\nList preferences from the selected user ID. This shows the\nactual preferences, without including any implied preferences.\n\nshowpref\nMore verbose preferences listing for the selected user ID.\nThis shows the preferences in effect by including the implied\npreferences of 3DES (cipher), SHA-1 (digest), and Uncompressed\n(compression) if they are not already included in the\npreference list. In addition, the preferred keyserver and\nsignature notations (if any) are shown.\n\nsetpref STRING\nSet the list of user ID preferences to STRING for all (or just\nthe selected) user IDs. Calling setpref with no arguments\nsets the preference list to the default (either built-in or\nset via '--default-preference-list'), and calling setpref with\n\"none\" as the argument sets an empty preference list. Use\n'gpg --version' to get a list of available algorithms. Note\nthat while you can change the preferences on an attribute user\nID (aka \"photo ID\"), GnuPG does not select keys via attribute\nuser IDs so these preferences will not be used by GnuPG.\n\nWhen setting preferences, you should list the algorithms in\nthe order which you'd like to see them used by someone else\nwhen encrypting a message to your key. If you don't include\n3DES, it will be automatically added at the end. Note that\nthere are many factors that go into choosing an algorithm (for\nexample, your key may not be the only recipient), and so the\nremote OpenPGP application being used to send to you may or\nmay not follow your exact chosen order for a given message.\nIt will, however, only choose an algorithm that is present on\nthe preference list of every recipient key. See also the\nINTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.\n\naddkey\nAdd a subkey to this key.\n\naddcardkey\nGenerate a subkey on a card and add it to this key.\n\nkeytocard\nTransfer the selected secret subkey (or the primary key if no\nsubkey has been selected) to a smartcard. The secret key in\nthe keyring will be replaced by a stub if the key could be\nstored successfully on the card and you use the save command\nlater. Only certain key types may be transferred to the card.\nA sub menu allows you to select on what card to store the key.\nNote that it is not possible to get that key back from the\ncard - if the card gets broken your secret key will be lost\nunless you have a backup somewhere.\n\nbkuptocard FILE\nRestore the given FILE to a card. This command may be used to\nrestore a backup key (as generated during card initialization)\nto a new card. In almost all cases this will be the\nencryption key. You should use this command only with the\ncorresponding public key and make sure that the file given as\nargument is indeed the backup to restore. You should then\nselect 2 to restore as encryption key. You will first be\nasked to enter the passphrase of the backup key and then for\nthe Admin PIN of the card.\n\ndelkey\nRemove a subkey (secondary key). Note that it is not possible\nto retract a subkey, once it has been send to the public (i.e.\nto a keyserver). In that case you better use 'revkey'. Also\nnote that this only deletes the public part of a key.\n\nrevkey\nRevoke a subkey.\n\nexpire\nChange the key or subkey expiration time. If a subkey is\nselected, the expiration time of this subkey will be changed.\nWith no selection, the key expiration of the primary key is\nchanged.\n\ntrust\nChange the owner trust value for the key. This updates the\ntrust-db immediately and no save is required.\n\ndisable\nenable\nDisable or enable an entire key. A disabled key can not\nnormally be used for encryption.\n\naddrevoker\nAdd a designated revoker to the key. This takes one optional\nargument: \"sensitive\". If a designated revoker is marked as\nsensitive, it will not be exported by default (see\nexport-options).\n\npasswd\nChange the passphrase of the secret key.\n\ntoggle\nThis is dummy command which exists only for backward\ncompatibility.\n\nclean\nCompact (by removing all signatures except the selfsig) any\nuser ID that is no longer usable (e.g. revoked, or expired).\nThen, remove any signatures that are not usable by the trust\ncalculations. Specifically, this removes any signature that\ndoes not validate, any signature that is superseded by a later\nsignature, revoked signatures, and signatures issued by keys\nthat are not present on the keyring.\n\nminimize\nMake the key as small as possible. This removes all\nsignatures from each user ID except for the most recent\nself-signature.\n\nchange-usage\nChange the usage flags (capabilities) of the primary key or of\nsubkeys. These usage flags (e.g. Certify, Sign,\nAuthenticate, Encrypt) are set during key creation. Sometimes\nit is useful to have the opportunity to change them (for\nexample to add Authenticate) after they have been created.\nPlease take care when doing this; the allowed usage flags\ndepend on the key algorithm.\n\ncross-certify\nAdd cross-certification signatures to signing subkeys that may\nnot currently have them. Cross-certification signatures\nprotect against a subtle attack against signing subkeys. See\n'--require-cross-certification'. All new keys generated have\nthis signature by default, so this command is only useful to\nbring older keys up to date.\n\nsave\nSave all changes to the keyrings and quit.\n\nquit\nQuit the program without updating the keyrings.\n\nThe listing shows you the key with its secondary keys and all user\nIDs. The primary user ID is indicated by a dot, and selected keys\nor user IDs are indicated by an asterisk. The trust value is\ndisplayed with the primary key: \"trust\" is the assigned owner trust\nand \"validity\" is the calculated validity of the key. Validity\nvalues are also displayed for all user IDs. For possible values of\ntrust, *note trust-values::.\n\n'--sign-key NAME'\nSigns a public key with your secret key. This is a shortcut\nversion of the subcommand \"sign\" from '--edit'.\n\n'--lsign-key NAME'\nSigns a public key with your secret key but marks it as\nnon-exportable. This is a shortcut version of the subcommand\n\"lsign\" from '--edit-key'.\n\n'--quick-sign-key FPR [NAMES]'\n'--quick-lsign-key FPR [NAMES]'\nDirectly sign a key from the passphrase without any further user\ninteraction. The FPR must be the verified primary fingerprint of a\nkey in the local keyring. If no NAMES are given, all useful user\nids are signed; with given [NAMES] only useful user ids matching\none of theses names are signed. By default, or if a name is\nprefixed with a '*', a case insensitive substring match is used.\nIf a name is prefixed with a '=' a case sensitive exact match is\ndone.\n\nThe command '--quick-lsign-key' marks the signatures as\nnon-exportable. If such a non-exportable signature already exists\nthe '--quick-sign-key' turns it into a exportable signature.\n\nThis command uses reasonable defaults and thus does not provide the\nfull flexibility of the \"sign\" subcommand from '--edit-key'. Its\nintended use is to help unattended key signing by utilizing a list\nof verified fingerprints.\n\n'--quick-add-uid USER-ID NEW-USER-ID'\nThis command adds a new user id to an existing key. In contrast to\nthe interactive sub-command 'adduid' of '--edit-key' the\nNEW-USER-ID is added verbatim with only leading and trailing white\nspace removed, it is expected to be UTF-8 encoded, and no checks on\nits form are applied.\n\n'--quick-revoke-uid USER-ID USER-ID-TO-REVOKE'\nThis command revokes a user ID on an existing key. It cannot be\nused to revoke the last user ID on key (some non-revoked user ID\nmust remain), with revocation reason \"User ID is no longer valid\".\nIf you want to specify a different revocation reason, or to supply\nsupplementary revocation text, you should use the interactive\nsub-command 'revuid' of '--edit-key'.\n\n'--quick-revoke-sig FPR SIGNING-FPR [NAMES]'\nThis command revokes the key signatures made by SIGNING-FPR from\nthe key specified by the fingerprint FPR. With NAMES given only\nthe signatures on user ids of the key matching any of the given\nnames are affected (see '--quick-sign-key'). If a revocation\nalready exists a notice is printed instead of creating a new\nrevocation; no error is returned in this case. Note that key\nsignature revocations may be superseded by a newer key signature\nand in turn again revoked.\n\n'--quick-set-primary-uid USER-ID PRIMARY-USER-ID'\nThis command sets or updates the primary user ID flag on an\nexisting key. USER-ID specifies the key and PRIMARY-USER-ID the\nuser ID which shall be flagged as the primary user ID. The primary\nuser ID flag is removed from all other user ids and the timestamp\nof all affected self-signatures is set one second ahead.\n\n'--change-passphrase USER-ID'\n'--passwd USER-ID'\nChange the passphrase of the secret key belonging to the\ncertificate specified as USER-ID. This is a shortcut for the\nsub-command 'passwd' of the edit key menu. When using together\nwith the option '--dry-run' this will not actually change the\npassphrase but check that the current passphrase is correct.\n\nFile: gnupg.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG\n" }, { "name": "4.2 Option Summary", "content": "'gpg' features a bunch of options to control the exact behaviour and to\nchange the default configuration.\n\n* Menu:\n\n* GPG Configuration Options:: How to change the configuration.\n* GPG Key related Options:: Key related options.\n* GPG Input and Output:: Input and Output.\n* OpenPGP Options:: OpenPGP protocol specific options.\n* Compliance Options:: Compliance options.\n* GPG Esoteric Options:: Doing things one usually doesn't want to do.\n* Deprecated Options:: Deprecated options.\n\nLong options can be put in an options file (default\n\"~/.gnupg/gpg.conf\"). Short option names will not work - for example,\n\"armor\" is a valid option for the options file, while \"a\" is not. Do\nnot write the 2 dashes, but simply the name of the option and any\nrequired arguments. Lines with a hash ('#') as the first\nnon-white-space character are ignored. Commands may be put in this file\ntoo, but that is not generally useful as the command will execute\nautomatically with every execution of gpg.\n\nPlease remember that option parsing stops as soon as a non-option is\nencountered, you can explicitly stop parsing by using the special option\n'--'.\n\nFile: gnupg.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options\n\n\nThese options are used to change the configuration and are usually found\nin the option file.\n\n'--default-key NAME'\nUse NAME as the default key to sign with. If this option is not\nused, the default key is the first key found in the secret keyring.\nNote that '-u' or '--local-user' overrides this option. This\noption may be given multiple times. In this case, the last key for\nwhich a secret key is available is used. If there is no secret key\navailable for any of the specified values, GnuPG will not emit an\nerror message but continue as if this option wasn't given.\n\n'--default-recipient NAME'\nUse NAME as default recipient if option '--recipient' is not used\nand don't ask if this is a valid one. NAME must be non-empty.\n\n'--default-recipient-self'\nUse the default key as default recipient if option '--recipient' is\nnot used and don't ask if this is a valid one. The default key is\nthe first one from the secret keyring or the one set with\n'--default-key'.\n\n'--no-default-recipient'\nReset '--default-recipient' and '--default-recipient-self'.\n\n'-v, --verbose'\nGive more information during processing. If used twice, the input\ndata is listed in detail.\n\n'--no-verbose'\nReset verbose level to 0.\n\n'-q, --quiet'\nTry to be as quiet as possible.\n\n'--batch'\n'--no-batch'\nUse batch mode. Never ask, do not allow interactive commands.\n'--no-batch' disables this option. Note that even with a filename\ngiven on the command line, gpg might still need to read from STDIN\n(in particular if gpg figures that the input is a detached\nsignature and no data file has been specified). Thus if you do not\nwant to feed data via STDIN, you should connect STDIN to\ng'/dev/null'.\n\nIt is highly recommended to use this option along with the options\n'--status-fd' and '--with-colons' for any unattended use of 'gpg'.\n\n'--no-tty'\nMake sure that the TTY (terminal) is never used for any output.\nThis option is needed in some cases because GnuPG sometimes prints\nwarnings to the TTY even if '--batch' is used.\n\n'--yes'\nAssume \"yes\" on most questions.\n\n'--no'\nAssume \"no\" on most questions.\n\n'--list-options PARAMETERS'\nThis is a space or comma delimited string that gives options used\nwhen listing keys and signatures (that is, '--list-keys',\n'--check-signatures', '--list-public-keys', '--list-secret-keys',\nand the '--edit-key' functions). Options can be prepended with a\n'no-' (after the two dashes) to give the opposite meaning. The\noptions are:\n\nshow-photos\nCauses '--list-keys', '--check-signatures',\n'--list-public-keys', and '--list-secret-keys' to display any\nphoto IDs attached to the key. Defaults to no. See also\n'--photo-viewer'. Does not work with '--with-colons': see\n'--attribute-fd' for the appropriate way to get photo data for\nscripts and other frontends.\n\nshow-usage\nShow usage information for keys and subkeys in the standard\nkey listing. This is a list of letters indicating the allowed\nusage for a key ('E'=encryption, 'S'=signing,\n'C'=certification, 'A'=authentication). Defaults to yes.\n\nshow-policy-urls\nShow policy URLs in the '--check-signatures' listings.\nDefaults to no.\n\nshow-notations\nshow-std-notations\nshow-user-notations\nShow all, IETF standard, or user-defined signature notations\nin the '--check-signatures' listings. Defaults to no.\n\nshow-keyserver-urls\nShow any preferred keyserver URL in the '--check-signatures'\nlistings. Defaults to no.\n\nshow-uid-validity\nDisplay the calculated validity of user IDs during key\nlistings. Defaults to yes.\n\nshow-unusable-uids\nShow revoked and expired user IDs in key listings. Defaults\nto no.\n\nshow-unusable-subkeys\nShow revoked and expired subkeys in key listings. Defaults to\nno.\n\nshow-keyring\nDisplay the keyring name at the head of key listings to show\nwhich keyring a given key resides on. Defaults to no.\n\nshow-sig-expire\nShow signature expiration dates (if any) during\n'--check-signatures' listings. Defaults to no.\n\nshow-sig-subpackets\nInclude signature subpackets in the key listing. This option\ncan take an optional argument list of the subpackets to list.\nIf no argument is passed, list all subpackets. Defaults to\nno. This option is only meaningful when using '--with-colons'\nalong with '--check-signatures'.\n\nshow-only-fpr-mbox\nFor each user-id which has a valid mail address print only the\nfingerprint followed by the mail address.\n\n'--verify-options PARAMETERS'\nThis is a space or comma delimited string that gives options used\nwhen verifying signatures. Options can be prepended with a 'no-'\nto give the opposite meaning. The options are:\n\nshow-photos\nDisplay any photo IDs present on the key that issued the\nsignature. Defaults to no. See also '--photo-viewer'.\n\nshow-policy-urls\nShow policy URLs in the signature being verified. Defaults to\nyes.\n\nshow-notations\nshow-std-notations\nshow-user-notations\nShow all, IETF standard, or user-defined signature notations\nin the signature being verified. Defaults to IETF standard.\n\nshow-keyserver-urls\nShow any preferred keyserver URL in the signature being\nverified. Defaults to yes.\n\nshow-uid-validity\nDisplay the calculated validity of the user IDs on the key\nthat issued the signature. Defaults to yes.\n\nshow-unusable-uids\nShow revoked and expired user IDs during signature\nverification. Defaults to no.\n\nshow-primary-uid-only\nShow only the primary user ID during signature verification.\nThat is all the AKA lines as well as photo Ids are not shown\nwith the signature verification status.\n\npka-lookups\nEnable PKA lookups to verify sender addresses. Note that PKA\nis based on DNS, and so enabling this option may disclose\ninformation on when and what signatures are verified or to\nwhom data is encrypted. This is similar to the \"web bug\"\ndescribed for the '--auto-key-retrieve' option.\n\npka-trust-increase\nRaise the trust in a signature to full if the signature passes\nPKA validation. This option is only meaningful if pka-lookups\nis set.\n\n'--enable-large-rsa'\n'--disable-large-rsa'\nWith -generate-key and -batch, enable the creation of RSA secret\nkeys as large as 8192 bit. Note: 8192 bit is more than is\ngenerally recommended. These large keys don't significantly\nimprove security, but they are more expensive to use, and their\nsignatures and certifications are larger. This option is only\navailable if the binary was build with large-secmem support.\n\n'--enable-dsa2'\n'--disable-dsa2'\nEnable hash truncation for all DSA keys even for old DSA Keys up to\n1024 bit. This is also the default with '--openpgp'. Note that\nolder versions of GnuPG also required this flag to allow the\ngeneration of DSA larger than 1024 bit.\n\n'--photo-viewer STRING'\nThis is the command line that should be run to view a photo ID.\n\"%i\" will be expanded to a filename containing the photo. \"%I\"\ndoes the same, except the file will not be deleted once the viewer\nexits. Other flags are \"%k\" for the key ID, \"%K\" for the long key\nID, \"%f\" for the key fingerprint, \"%t\" for the extension of the\nimage type (e.g. \"jpg\"), \"%T\" for the MIME type of the image (e.g.\n\"image/jpeg\"), \"%v\" for the single-character calculated validity of\nthe image being viewed (e.g. \"f\"), \"%V\" for the calculated\nvalidity as a string (e.g. \"full\"), \"%U\" for a base32 encoded hash\nof the user ID, and \"%%\" for an actual percent sign. If neither %i\nor %I are present, then the photo will be supplied to the viewer on\nstandard input.\n\nOn Unix the default viewer is 'xloadimage -fork -quiet -title\n'KeyID 0x%k' STDIN' with a fallback to 'display -title 'KeyID 0x%k'\n%i' and finally to 'xdg-open %i'. On Windows '!ShellExecute 400\n%i' is used; here the command is a meta command to use that API\ncall followed by a wait time in milliseconds which is used to give\nthe viewer time to read the temporary image file before gpg deletes\nit again. Note that if your image viewer program is not secure,\nthen executing it from gpg does not make it secure.\n\n'--exec-path STRING'\nSets a list of directories to search for photo viewers If not\nprovided photo viewers use the 'PATH' environment variable.\n\n'--keyring FILE'\nAdd FILE to the current list of keyrings. If FILE begins with a\ntilde and a slash, these are replaced by the $HOME directory. If\nthe filename does not contain a slash, it is assumed to be in the\nGnuPG home directory (\"~/.gnupg\" if '--homedir' or $GNUPGHOME is\nnot used).\n\nNote that this adds a keyring to the current list. If the intent\nis to use the specified keyring alone, use '--keyring' along with\n'--no-default-keyring'.\n\nIf the option '--no-keyring' has been used no keyrings will be used\nat all.\n\n'--secret-keyring FILE'\nThis is an obsolete option and ignored. All secret keys are stored\nin the 'private-keys-v1.d' directory below the GnuPG home\ndirectory.\n\n'--primary-keyring FILE'\nDesignate FILE as the primary public keyring. This means that\nnewly imported keys (via '--import' or keyserver '--recv-from')\nwill go to this keyring.\n\n'--trustdb-name FILE'\nUse FILE instead of the default trustdb. If FILE begins with a\ntilde and a slash, these are replaced by the $HOME directory. If\nthe filename does not contain a slash, it is assumed to be in the\nGnuPG home directory ('~/.gnupg' if '--homedir' or $GNUPGHOME is\nnot used).\n\n'--homedir DIR'\nSet the name of the home directory to DIR. If this option is not\nused, the home directory defaults to '~/.gnupg'. It is only\nrecognized when given on the command line. It also overrides any\nhome directory stated through the environment variable 'GNUPGHOME'\nor (on Windows systems) by means of the Registry entry\nHKCU\\SOFTWARE\\GNU\\GNUPG:HOMEDIR.\n\nOn Windows systems it is possible to install GnuPG as a portable\napplication. In this case only this command line option is\nconsidered, all other ways to set a home directory are ignored.\n\nTo install GnuPG as a portable application under Windows, create an\nempty file named 'gpgconf.ctl' in the same directory as the tool\n'gpgconf.exe'. The root of the installation is then that\ndirectory; or, if 'gpgconf.exe' has been installed directly below a\ndirectory named 'bin', its parent directory. You also need to make\nsure that the following directories exist and are writable:\n'ROOT/home' for the GnuPG home and 'ROOT/var/cache/gnupg' for\ninternal cache files.\n\n'--display-charset NAME'\nSet the name of the native character set. This is used to convert\nsome informational strings like user IDs to the proper UTF-8\nencoding. Note that this has nothing to do with the character set\nof data to be encrypted or signed; GnuPG does not recode\nuser-supplied data. If this option is not used, the default\ncharacter set is determined from the current locale. A verbosity\nlevel of 3 shows the chosen set. Valid values for NAME are:\n\niso-8859-1\nThis is the Latin 1 set.\n\niso-8859-2\nThe Latin 2 set.\n\niso-8859-15\nThis is currently an alias for the Latin 1 set.\n\nkoi8-r\nThe usual Russian set (RFC-1489).\n\nutf-8\nBypass all translations and assume that the OS uses native\nUTF-8 encoding.\n\n'--utf8-strings'\n'--no-utf8-strings'\nAssume that command line arguments are given as UTF-8 strings. The\ndefault ('--no-utf8-strings') is to assume that arguments are\nencoded in the character set as specified by '--display-charset'.\nThese options affect all following arguments. Both options may be\nused multiple times.\n\n'--options FILE'\nRead options from FILE and do not try to read them from the default\noptions file in the homedir (see '--homedir'). This option is\nignored if used in an options file.\n\n'--no-options'\nShortcut for '--options /dev/null'. This option is detected before\nan attempt to open an option file. Using this option will also\nprevent the creation of a '~/.gnupg' homedir.\n\n'-z N'\n'--compress-level N'\n'--bzip2-compress-level N'\nSet compression level to N for the ZIP and ZLIB compression\nalgorithms. The default is to use the default compression level of\nzlib (normally 6). '--bzip2-compress-level' sets the compression\nlevel for the BZIP2 compression algorithm (defaulting to 6 as\nwell). This is a different option from '--compress-level' since\nBZIP2 uses a significant amount of memory for each additional\ncompression level. '-z' sets both. A value of 0 for N disables\ncompression.\n\n'--bzip2-decompress-lowmem'\nUse a different decompression method for BZIP2 compressed files.\nThis alternate method uses a bit more than half the memory, but\nalso runs at half the speed. This is useful under extreme low\nmemory circumstances when the file was originally compressed at a\nhigh '--bzip2-compress-level'.\n\n'--mangle-dos-filenames'\n'--no-mangle-dos-filenames'\nOlder version of Windows cannot handle filenames with more than one\ndot. '--mangle-dos-filenames' causes GnuPG to replace (rather than\nadd to) the extension of an output filename to avoid this problem.\nThis option is off by default and has no effect on non-Windows\nplatforms.\n\n'--ask-cert-level'\n'--no-ask-cert-level'\nWhen making a key signature, prompt for a certification level. If\nthis option is not specified, the certification level used is set\nvia '--default-cert-level'. See '--default-cert-level' for\ninformation on the specific levels and how they are used.\n'--no-ask-cert-level' disables this option. This option defaults\nto no.\n\n'--default-cert-level N'\nThe default to use for the check level when signing a key.\n\n0 means you make no particular claim as to how carefully you\nverified the key.\n\n1 means you believe the key is owned by the person who claims to\nown it but you could not, or did not verify the key at all. This\nis useful for a \"persona\" verification, where you sign the key of a\npseudonymous user.\n\n2 means you did casual verification of the key. For example, this\ncould mean that you verified the key fingerprint and checked the\nuser ID on the key against a photo ID.\n\n3 means you did extensive verification of the key. For example,\nthis could mean that you verified the key fingerprint with the\nowner of the key in person, and that you checked, by means of a\nhard to forge document with a photo ID (such as a passport) that\nthe name of the key owner matches the name in the user ID on the\nkey, and finally that you verified (by exchange of email) that the\nemail address on the key belongs to the key owner.\n\nNote that the examples given above for levels 2 and 3 are just\nthat: examples. In the end, it is up to you to decide just what\n\"casual\" and \"extensive\" mean to you.\n\nThis option defaults to 0 (no particular claim).\n\n'--min-cert-level'\nWhen building the trust database, treat any signatures with a\ncertification level below this as invalid. Defaults to 2, which\ndisregards level 1 signatures. Note that level 0 \"no particular\nclaim\" signatures are always accepted.\n\n'--trusted-key LONG KEY ID OR FINGERPRINT'\nAssume that the specified key (which must be given as a full 8 byte\nkey ID or 20 byte fingerprint) is as trustworthy as one of your own\nsecret keys. This option is useful if you don't want to keep your\nsecret keys (or one of them) online but still want to be able to\ncheck the validity of a given recipient's or signator's key.\n\n'--trust-model {pgp|classic|tofu|tofu+pgp|direct|always|auto}'\nSet what trust model GnuPG should follow. The models are:\n\npgp\nThis is the Web of Trust combined with trust signatures as\nused in PGP 5.x and later. This is the default trust model\nwhen creating a new trust database.\n\nclassic\nThis is the standard Web of Trust as introduced by PGP 2.\n\ntofu\nTOFU stands for Trust On First Use. In this trust model, the\nfirst time a key is seen, it is memorized. If later another\nkey with a user id with the same email address is seen, both\nkeys are marked as suspect. In that case, the next time\neither is used, a warning is displayed describing the\nconflict, why it might have occurred (either the user\ngenerated a new key and failed to cross sign the old and new\nkeys, the key is forgery, or a man-in-the-middle attack is\nbeing attempted), and the user is prompted to manually confirm\nthe validity of the key in question.\n\nBecause a potential attacker is able to control the email\naddress and thereby circumvent the conflict detection\nalgorithm by using an email address that is similar in\nappearance to a trusted email address, whenever a message is\nverified, statistics about the number of messages signed with\nthe key are shown. In this way, a user can easily identify\nattacks using fake keys for regular correspondents.\n\nWhen compared with the Web of Trust, TOFU offers significantly\nweaker security guarantees. In particular, TOFU only helps\nensure consistency (that is, that the binding between a key\nand email address doesn't change). A major advantage of TOFU\nis that it requires little maintenance to use correctly. To\nuse the web of trust properly, you need to actively sign keys\nand mark users as trusted introducers. This is a\ntime-consuming process and anecdotal evidence suggests that\neven security-conscious users rarely take the time to do this\nthoroughly and instead rely on an ad-hoc TOFU process.\n\nIn the TOFU model, policies are associated with bindings\nbetween keys and email addresses (which are extracted from\nuser ids and normalized). There are five policies, which can\nbe set manually using the '--tofu-policy' option. The default\npolicy can be set using the '--tofu-default-policy' option.\n\nThe TOFU policies are: 'auto', 'good', 'unknown', 'bad' and\n'ask'. The 'auto' policy is used by default (unless\noverridden by '--tofu-default-policy') and marks a binding as\nmarginally trusted. The 'good', 'unknown' and 'bad' policies\nmark a binding as fully trusted, as having unknown trust or as\nhaving trust never, respectively. The 'unknown' policy is\nuseful for just using TOFU to detect conflicts, but to never\nassign positive trust to a binding. The final policy, 'ask'\nprompts the user to indicate the binding's trust. If batch\nmode is enabled (or input is inappropriate in the context),\nthen the user is not prompted and the 'undefined' trust level\nis returned.\n\ntofu+pgp\nThis trust model combines TOFU with the Web of Trust. This is\ndone by computing the trust level for each model and then\ntaking the maximum trust level where the trust levels are\nordered as follows: 'unknown < undefined < marginal < fully <\nultimate < expired < never'.\n\nBy setting '--tofu-default-policy=unknown', this model can be\nused to implement the web of trust with TOFU's conflict\ndetection algorithm, but without its assignment of positive\ntrust values, which some security-conscious users don't like.\n\ndirect\nKey validity is set directly by the user and not calculated\nvia the Web of Trust. This model is solely based on the key\nand does not distinguish user IDs. Note that when changing to\nanother trust model the trust values assigned to a key are\ntransformed into ownertrust values, which also indicate how\nyou trust the owner of the key to sign other keys.\n\nalways\nSkip key validation and assume that used keys are always fully\nvalid. You generally won't use this unless you are using some\nexternal validation scheme. This option also suppresses the\n\"[uncertain]\" tag printed with signature checks when there is\nno evidence that the user ID is bound to the key. Note that\nthis trust model still does not allow the use of expired,\nrevoked, or disabled keys.\n\nauto\nSelect the trust model depending on whatever the internal\ntrust database says. This is the default model if such a\ndatabase already exists. Note that a tofu trust model is not\nconsidered here and must be enabled explicitly.\n\n'--auto-key-locate MECHANISMS'\n'--no-auto-key-locate'\nGnuPG can automatically locate and retrieve keys as needed using\nthis option. This happens when encrypting to an email address (in\nthe \"user@example.com\" form), and there are no \"user@example.com\"\nkeys on the local keyring. This option takes any number of the\nmechanisms listed below, in the order they are to be tried.\nInstead of listing the mechanisms as comma delimited arguments, the\noption may also be given several times to add more mechanism. The\noption '--no-auto-key-locate' or the mechanism \"clear\" resets the\nlist. The default is \"local,wkd\".\n\ncert\nLocate a key using DNS CERT, as specified in RFC-4398.\n\npka\nLocate a key using DNS PKA.\n\ndane\nLocate a key using DANE, as specified in\ndraft-ietf-dane-openpgpkey-05.txt.\n\nwkd\nLocate a key using the Web Key Directory protocol.\n\nldap\nUsing DNS Service Discovery, check the domain in question for\nany LDAP keyservers to use. If this fails, attempt to locate\nthe key using the PGP Universal method of checking\n'ldap://keys.(thedomain)'.\n\nntds\nLocate the key using the Active Directory (Windows only).\n\nkeyserver\nLocate a key using a keyserver.\n\nkeyserver-URL\nIn addition, a keyserver URL as used in the 'dirmngr'\nconfiguration may be used here to query that particular\nkeyserver.\n\nlocal\nLocate the key using the local keyrings. This mechanism\nallows the user to select the order a local key lookup is\ndone. Thus using '--auto-key-locate local' is identical to\n'--no-auto-key-locate'.\n\nnodefault\nThis flag disables the standard local key lookup, done before\nany of the mechanisms defined by the '--auto-key-locate' are\ntried. The position of this mechanism in the list does not\nmatter. It is not required if 'local' is also used.\n\nclear\nClear all defined mechanisms. This is useful to override\nmechanisms given in a config file. Note that a 'nodefault' in\nMECHANISMS will also be cleared unless it is given after the\n'clear'.\n\n'--auto-key-import'\n'--no-auto-key-import'\nThis is an offline mechanism to get a missing key for signature\nverification and for later encryption to this key. If this option\nis enabled and a signature includes an embedded key, that key is\nused to verify the signature and on verification success that key\nis imported. The default is '--no-auto-key-import'.\n\nOn the sender (signing) site the option '--include-key-block' needs\nto be used to put the public part of the signing key as \"Key Block\nsubpacket\" into the signature.\n\n'--auto-key-retrieve'\n'--no-auto-key-retrieve'\nThese options enable or disable the automatic retrieving of keys\nfrom a keyserver when verifying signatures made by keys that are\nnot on the local keyring. The default is '--no-auto-key-retrieve'.\n\nThe order of methods tried to lookup the key is:\n\n1. If the option '--auto-key-import' is set and the signatures\nincludes an embedded key, that key is used to verify the signature\nand on verification success that key is imported.\n\n2. If a preferred keyserver is specified in the signature and the\noption 'honor-keyserver-url' is active (which is not the default),\nthat keyserver is tried. Note that the creator of the signature\nuses the option '--sig-keyserver-url' to specify the preferred\nkeyserver for data signatures.\n\n3. If the signature has the Signer's UID set (e.g. using\n'--sender' while creating the signature) a Web Key Directory (WKD)\nlookup is done. This is the default configuration but can be\ndisabled by removing WKD from the auto-key-locate list or by using\nthe option '--disable-signer-uid'.\n\n4. If the option 'honor-pka-record' is active, the legacy PKA\nmethod is used.\n\n5. If any keyserver is configured and the Issuer Fingerprint is\npart of the signature (since GnuPG 2.1.16), the configured\nkeyservers are tried.\n\nNote that this option makes a \"web bug\" like behavior possible.\nKeyserver or Web Key Directory operators can see which keys you\nrequest, so by sending you a message signed by a brand new key\n(which you naturally will not have on your local keyring), the\noperator can tell both your IP address and the time when you\nverified the signature.\n\n'--keyid-format {none|short|0xshort|long|0xlong}'\nSelect how to display key IDs. \"none\" does not show the key ID at\nall but shows the fingerprint in a separate line. \"short\" is the\ntraditional 8-character key ID. \"long\" is the more accurate (but\nless convenient) 16-character key ID. Add an \"0x\" to either to\ninclude an \"0x\" at the beginning of the key ID, as in 0x99242560.\nNote that this option is ignored if the option '--with-colons' is\nused.\n\n'--keyserver NAME'\nThis option is deprecated - please use the '--keyserver' in\n'dirmngr.conf' instead.\n\nUse NAME as your keyserver. This is the server that\n'--receive-keys', '--send-keys', and '--search-keys' will\ncommunicate with to receive keys from, send keys to, and search for\nkeys on. The format of the NAME is a URI:\n'scheme:[//]keyservername[:port]' The scheme is the type of\nkeyserver: \"hkp\" for the HTTP (or compatible) keyservers, \"ldap\"\nfor the LDAP keyservers, or \"mailto\" for the Graff email keyserver.\nNote that your particular installation of GnuPG may have other\nkeyserver types available as well. Keyserver schemes are\ncase-insensitive. After the keyserver name, optional keyserver\nconfiguration options may be provided. These are the same as the\nglobal '--keyserver-options' from below, but apply only to this\nparticular keyserver.\n\nMost keyservers synchronize with each other, so there is generally\nno need to send keys to more than one server. The keyserver\n'hkp://keys.gnupg.net' uses round robin DNS to give a different\nkeyserver each time you use it.\n\n'--keyserver-options {NAME=VALUE}'\nThis is a space or comma delimited string that gives options for\nthe keyserver. Options can be prefixed with a 'no-' to give the\nopposite meaning. Valid import-options or export-options may be\nused here as well to apply to importing ('--recv-key') or exporting\n('--send-key') a key from a keyserver. While not all options are\navailable for all keyserver types, some common options are:\n\ninclude-revoked\nWhen searching for a key with '--search-keys', include keys\nthat are marked on the keyserver as revoked. Note that not\nall keyservers differentiate between revoked and unrevoked\nkeys, and for such keyservers this option is meaningless.\nNote also that most keyservers do not have cryptographic\nverification of key revocations, and so turning this option\noff may result in skipping keys that are incorrectly marked as\nrevoked.\n\ninclude-disabled\nWhen searching for a key with '--search-keys', include keys\nthat are marked on the keyserver as disabled. Note that this\noption is not used with HKP keyservers.\n\nauto-key-retrieve\nThis is an obsolete alias for the option 'auto-key-retrieve'.\nPlease do not use it; it will be removed in future versions..\n\nhonor-keyserver-url\nWhen using '--refresh-keys', if the key in question has a\npreferred keyserver URL, then use that preferred keyserver to\nrefresh the key from. In addition, if auto-key-retrieve is\nset, and the signature being verified has a preferred\nkeyserver URL, then use that preferred keyserver to fetch the\nkey from. Note that this option introduces a \"web bug\": The\ncreator of the key can see when the keys is refreshed. Thus\nthis option is not enabled by default.\n\nhonor-pka-record\nIf '--auto-key-retrieve' is used, and the signature being\nverified has a PKA record, then use the PKA information to\nfetch the key. Defaults to \"yes\".\n\ninclude-subkeys\nWhen receiving a key, include subkeys as potential targets.\nNote that this option is not used with HKP keyservers, as they\ndo not support retrieving keys by subkey id.\n\ntimeout\nhttp-proxy=VALUE\nverbose\ndebug\ncheck-cert\nca-cert-file\nThese options have no more function since GnuPG 2.1. Use the\n'dirmngr' configuration options instead.\n\nThe default list of options is: \"self-sigs-only, repair-keys,\nrepair-pks-subkey-bug, export-attributes, honor-pka-record\".\n\n'--completes-needed N'\nNumber of completely trusted users to introduce a new key signer\n(defaults to 1).\n\n'--marginals-needed N'\nNumber of marginally trusted users to introduce a new key signer\n(defaults to 3)\n\n'--tofu-default-policy {auto|good|unknown|bad|ask}'\nThe default TOFU policy (defaults to 'auto'). For more information\nabout the meaning of this option, *note trust-model-tofu::.\n\n'--max-cert-depth N'\nMaximum depth of a certification chain (default is 5).\n\n'--no-sig-cache'\nDo not cache the verification status of key signatures. Caching\ngives a much better performance in key listings. However, if you\nsuspect that your public keyring is not safe against write\nmodifications, you can use this option to disable the caching. It\nprobably does not make sense to disable it because all kind of\ndamage can be done if someone else has write access to your public\nkeyring.\n\n'--auto-check-trustdb'\n'--no-auto-check-trustdb'\nIf GnuPG feels that its information about the Web of Trust has to\nbe updated, it automatically runs the '--check-trustdb' command\ninternally. This may be a time consuming process.\n'--no-auto-check-trustdb' disables this option.\n\n'--use-agent'\n'--no-use-agent'\nThis is dummy option. 'gpg' always requires the agent.\n\n'--gpg-agent-info'\nThis is dummy option. It has no effect when used with 'gpg'.\n\n'--agent-program FILE'\nSpecify an agent program to be used for secret key operations. The\ndefault value is determined by running 'gpgconf' with the option\n'--list-dirs'. Note that the pipe symbol ('|') is used for a\nregression test suite hack and may thus not be used in the file\nname.\n\n'--dirmngr-program FILE'\nSpecify a dirmngr program to be used for keyserver access. The\ndefault value is '/usr/bin/dirmngr'.\n\n'--disable-dirmngr'\nEntirely disable the use of the Dirmngr.\n\n'--no-autostart'\nDo not start the gpg-agent or the dirmngr if it has not yet been\nstarted and its service is required. This option is mostly useful\non machines where the connection to gpg-agent has been redirected\nto another machines. If dirmngr is required on the remote machine,\nit may be started manually using 'gpgconf --launch dirmngr'.\n\n'--lock-once'\nLock the databases the first time a lock is requested and do not\nrelease the lock until the process terminates.\n\n'--lock-multiple'\nRelease the locks every time a lock is no longer needed. Use this\nto override a previous '--lock-once' from a config file.\n\n'--lock-never'\nDisable locking entirely. This option should be used only in very\nspecial environments, where it can be assured that only one process\nis accessing those files. A bootable floppy with a stand-alone\nencryption system will probably use this. Improper usage of this\noption may lead to data and key corruption.\n\n'--exit-on-status-write-error'\nThis option will cause write errors on the status FD to immediately\nterminate the process. That should in fact be the default but it\nnever worked this way and thus we need an option to enable this, so\nthat the change won't break applications which close their end of a\nstatus fd connected pipe too early. Using this option along with\n'--enable-progress-filter' may be used to cleanly cancel long\nrunning gpg operations.\n\n'--limit-card-insert-tries N'\nWith N greater than 0 the number of prompts asking to insert a\nsmartcard gets limited to N-1. Thus with a value of 1 gpg won't at\nall ask to insert a card if none has been inserted at startup.\nThis option is useful in the configuration file in case an\napplication does not know about the smartcard support and waits ad\ninfinitum for an inserted card.\n\n'--no-random-seed-file'\nGnuPG uses a file to store its internal random pool over\ninvocations. This makes random generation faster; however\nsometimes write operations are not desired. This option can be\nused to achieve that with the cost of slower random generation.\n\n'--no-greeting'\nSuppress the initial copyright message.\n\n'--no-secmem-warning'\nSuppress the warning about \"using insecure memory\".\n\n'--no-permission-warning'\nSuppress the warning about unsafe file and home directory\n('--homedir') permissions. Note that the permission checks that\nGnuPG performs are not intended to be authoritative, but rather\nthey simply warn about certain common permission problems. Do not\nassume that the lack of a warning means that your system is secure.\n\nNote that the warning for unsafe '--homedir' permissions cannot be\nsuppressed in the gpg.conf file, as this would allow an attacker to\nplace an unsafe gpg.conf file in place, and use this file to\nsuppress warnings about itself. The '--homedir' permissions\nwarning may only be suppressed on the command line.\n\n'--require-secmem'\n'--no-require-secmem'\nRefuse to run if GnuPG cannot get secure memory. Defaults to no\n(i.e. run, but give a warning).\n\n'--require-cross-certification'\n'--no-require-cross-certification'\nWhen verifying a signature made from a subkey, ensure that the\ncross certification \"back signature\" on the subkey is present and\nvalid. This protects against a subtle attack against subkeys that\ncan sign. Defaults to '--require-cross-certification' for 'gpg'.\n\n'--expert'\n'--no-expert'\nAllow the user to do certain nonsensical or \"silly\" things like\nsigning an expired or revoked key, or certain potentially\nincompatible things like generating unusual key types. This also\ndisables certain warning messages about potentially incompatible\nactions. As the name implies, this option is for experts only. If\nyou don't fully understand the implications of what it allows you\nto do, leave this off. '--no-expert' disables this option.\n\nFile: gnupg.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options\n\n\n'--recipient NAME'\n'-r'\nEncrypt for user id NAME. If this option or '--hidden-recipient'\nis not specified, GnuPG asks for the user-id unless\n'--default-recipient' is given.\n\n'--hidden-recipient NAME'\n'-R'\nEncrypt for user ID NAME, but hide the key ID of this user's key.\nThis option helps to hide the receiver of the message and is a\nlimited countermeasure against traffic analysis. If this option or\n'--recipient' is not specified, GnuPG asks for the user ID unless\n'--default-recipient' is given.\n\n'--recipient-file FILE'\n'-f'\nThis option is similar to '--recipient' except that it encrypts to\na key stored in the given file. FILE must be the name of a file\ncontaining exactly one key. 'gpg' assumes that the key in this\nfile is fully valid.\n\n'--hidden-recipient-file FILE'\n'-F'\nThis option is similar to '--hidden-recipient' except that it\nencrypts to a key stored in the given file. FILE must be the name\nof a file containing exactly one key. 'gpg' assumes that the key\nin this file is fully valid.\n\n'--encrypt-to NAME'\nSame as '--recipient' but this one is intended for use in the\noptions file and may be used with your own user-id as an\n\"encrypt-to-self\". These keys are only used when there are other\nrecipients given either by use of '--recipient' or by the asked\nuser id. No trust checking is performed for these user ids and\neven disabled keys can be used.\n\n'--hidden-encrypt-to NAME'\nSame as '--hidden-recipient' but this one is intended for use in\nthe options file and may be used with your own user-id as a hidden\n\"encrypt-to-self\". These keys are only used when there are other\nrecipients given either by use of '--recipient' or by the asked\nuser id. No trust checking is performed for these user ids and\neven disabled keys can be used.\n\n'--no-encrypt-to'\nDisable the use of all '--encrypt-to' and '--hidden-encrypt-to'\nkeys.\n\n'--group {NAME=VALUE}'\nSets up a named group, which is similar to aliases in email\nprograms. Any time the group name is a recipient ('-r' or\n'--recipient'), it will be expanded to the values specified.\nMultiple groups with the same name are automatically merged into a\nsingle group.\n\nThe values are 'key IDs' or fingerprints, but any key description\nis accepted. Note that a value with spaces in it will be treated\nas two different values. Note also there is only one level of\nexpansion -- you cannot make an group that points to another group.\nWhen used from the command line, it may be necessary to quote the\nargument to this option to prevent the shell from treating it as\nmultiple arguments.\n\n'--ungroup NAME'\nRemove a given entry from the '--group' list.\n\n'--no-groups'\nRemove all entries from the '--group' list.\n\n'--local-user NAME'\n'-u'\nUse NAME as the key to sign with. Note that this option overrides\n'--default-key'.\n\n'--sender MBOX'\nThis option has two purposes. MBOX must either be a complete user\nid with a proper mail address or just a mail address. When\ncreating a signature this option tells gpg the user id of a key\nused to make a signature if the key was not directly specified by a\nuser id. When verifying a signature the MBOX is used to restrict\nthe information printed by the TOFU code to matching user ids.\n\n'--try-secret-key NAME'\nFor hidden recipients GPG needs to know the keys to use for trial\ndecryption. The key set with '--default-key' is always tried\nfirst, but this is often not sufficient. This option allows\nsetting more keys to be used for trial decryption. Although any\nvalid user-id specification may be used for NAME it makes sense to\nuse at least the long keyid to avoid ambiguities. Note that\ngpg-agent might pop up a pinentry for a lot keys to do the trial\ndecryption. If you want to stop all further trial decryption you\nmay use close-window button instead of the cancel button.\n\n'--try-all-secrets'\nDon't look at the key ID as stored in the message but try all\nsecret keys in turn to find the right decryption key. This option\nforces the behaviour as used by anonymous recipients (created by\nusing '--throw-keyids' or '--hidden-recipient') and might come\nhandy in case where an encrypted message contains a bogus key ID.\n\n'--skip-hidden-recipients'\n'--no-skip-hidden-recipients'\nDuring decryption skip all anonymous recipients. This option helps\nin the case that people use the hidden recipients feature to hide\ntheir own encrypt-to key from others. If one has many secret keys\nthis may lead to a major annoyance because all keys are tried in\nturn to decrypt something which was not really intended for it.\nThe drawback of this option is that it is currently not possible to\ndecrypt a message which includes real anonymous recipients.\n\nFile: gnupg.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options\n\n\n'--armor'\n'-a'\nCreate ASCII armored output. The default is to create the binary\nOpenPGP format.\n\n'--no-armor'\nAssume the input data is not in ASCII armored format.\n\n'--output FILE'\n'-o FILE'\nWrite output to FILE. To write to stdout use '-' as the filename.\n\n'--max-output N'\nThis option sets a limit on the number of bytes that will be\ngenerated when processing a file. Since OpenPGP supports various\nlevels of compression, it is possible that the plaintext of a given\nmessage may be significantly larger than the original OpenPGP\nmessage. While GnuPG works properly with such messages, there is\noften a desire to set a maximum file size that will be generated\nbefore processing is forced to stop by the OS limits. Defaults to\n0, which means \"no limit\".\n\n'--input-size-hint N'\nThis option can be used to tell GPG the size of the input data in\nbytes. N must be a positive base-10 number. This option is only\nuseful if the input is not taken from a file. GPG may use this\nhint to optimize its buffer allocation strategy. It is also used\nby the '--status-fd' line \"PROGRESS\" to provide a value for \"total\"\nif that is not available by other means.\n\n'--key-origin STRING[,URL]'\ngpg can track the origin of a key. Certain origins are implicitly\nknown (e.g. keyserver, web key directory) and set. For a standard\nimport the origin of the keys imported can be set with this option.\nTo list the possible values use \"help\" for STRING. Some origins\ncan store an optional URL argument. That URL can appended to\nSTRING after a comma.\n\n'--import-options PARAMETERS'\nThis is a space or comma delimited string that gives options for\nimporting keys. Options can be prepended with a 'no-' to give the\nopposite meaning. The options are:\n\nimport-local-sigs\nAllow importing key signatures marked as \"local\". This is not\ngenerally useful unless a shared keyring scheme is being used.\nDefaults to no.\n\nkeep-ownertrust\nNormally possible still existing ownertrust values of a key\nare cleared if a key is imported. This is in general\ndesirable so that a formerly deleted key does not\nautomatically gain an ownertrust values merely due to import.\nOn the other hand it is sometimes necessary to re-import a\ntrusted set of keys again but keeping already assigned\nownertrust values. This can be achieved by using this option.\n\nrepair-pks-subkey-bug\nDuring import, attempt to repair the damage caused by the PKS\nkeyserver bug (pre version 0.9.6) that mangles keys with\nmultiple subkeys. Note that this cannot completely repair the\ndamaged key as some crucial data is removed by the keyserver,\nbut it does at least give you back one subkey. Defaults to no\nfor regular '--import' and to yes for keyserver\n'--receive-keys'.\n\nimport-show\nshow-only\nShow a listing of the key as imported right before it is\nstored. This can be combined with the option '--dry-run' to\nonly look at keys; the option 'show-only' is a shortcut for\nthis combination. The command '--show-keys' is another\nshortcut for this. Note that suffixes like '#' for \"sec\" and\n\"sbb\" lines may or may not be printed.\n\nimport-export\nRun the entire import code but instead of storing the key to\nthe local keyring write it to the output. The export options\n'export-pka' and 'export-dane' affect the output. This option\ncan be used to remove all invalid parts from a key without the\nneed to store it.\n\nmerge-only\nDuring import, allow key updates to existing keys, but do not\nallow any new keys to be imported. Defaults to no.\n\nimport-clean\nAfter import, compact (remove all signatures except the\nself-signature) any user IDs from the new key that are not\nusable. Then, remove any signatures from the new key that are\nnot usable. This includes signatures that were issued by keys\nthat are not present on the keyring. This option is the same\nas running the '--edit-key' command \"clean\" after import.\nDefaults to no.\n\nself-sigs-only\nAccept only self-signatures while importing a key. All other\nkey signatures are skipped at an early import stage. This\noption can be used with 'keyserver-options' to mitigate\nattempts to flood a key with bogus signatures from a\nkeyserver. The drawback is that all other valid key\nsignatures, as required by the Web of Trust are also not\nimported. Note that when using this option along with\nimport-clean it suppresses the final clean step after merging\nthe imported key into the existing key.\n\nrepair-keys\nAfter import, fix various problems with the keys. For\nexample, this reorders signatures, and strips duplicate\nsignatures. Defaults to yes.\n\nimport-minimal\nImport the smallest key possible. This removes all signatures\nexcept the most recent self-signature on each user ID. This\noption is the same as running the '--edit-key' command\n\"minimize\" after import. Defaults to no.\n\nrestore\nimport-restore\nImport in key restore mode. This imports all data which is\nusually skipped during import; including all GnuPG specific\ndata. All other contradicting options are overridden.\n\n'--import-filter {NAME=EXPR}'\n'--export-filter {NAME=EXPR}'\nThese options define an import/export filter which are applied to\nthe imported/exported keyblock right before it will be\nstored/written. NAME defines the type of filter to use, EXPR the\nexpression to evaluate. The option can be used several times which\nthen appends more expression to the same NAME.\n\nThe available filter types are:\n\nkeep-uid\nThis filter will keep a user id packet and its dependent\npackets in the keyblock if the expression evaluates to true.\n\ndrop-subkey\nThis filter drops the selected subkeys. Currently only\nimplemented for -export-filter.\n\ndrop-sig\nThis filter drops the selected key signatures on user ids.\nSelf-signatures are not considered. Currently only\nimplemented for -import-filter.\n\nFor the syntax of the expression see the chapter \"FILTER\nEXPRESSIONS\". The property names for the expressions depend on the\nactual filter type and are indicated in the following table.\n\nThe available properties are:\n\nuid\nA string with the user id. (keep-uid)\n\nmbox\nThe addr-spec part of a user id with mailbox or the empty\nstring. (keep-uid)\n\nkeyalgo\nA number with the public key algorithm of a key or subkey\npacket. (drop-subkey)\n\nkeycreated\nkeycreatedd\nThe first is the timestamp a public key or subkey packet was\ncreated. The second is the same but given as an ISO string,\ne.g. \"2016-08-17\". (drop-subkey)\n\nfpr\nThe hexified fingerprint of the current subkey or primary key.\n(drop-subkey)\n\nprimary\nBoolean indicating whether the user id is the primary one.\n(keep-uid)\n\nexpired\nBoolean indicating whether a user id (keep-uid), a key\n(drop-subkey), or a signature (drop-sig) expired.\n\nrevoked\nBoolean indicating whether a user id (keep-uid) or a key\n(drop-subkey) has been revoked.\n\ndisabled\nBoolean indicating whether a primary key is disabled. (not\nused)\n\nsecret\nBoolean indicating whether a key or subkey is a secret one.\n(drop-subkey)\n\nusage\nA string indicating the usage flags for the subkey, from the\nsequence \"ecsa?\". For example, a subkey capable of just\nsigning and authentication would be an exact match for \"sa\".\n(drop-subkey)\n\nsigcreated\nsigcreatedd\nThe first is the timestamp a signature packet was created.\nThe second is the same but given as an ISO date string, e.g.\n\"2016-08-17\". (drop-sig)\n\nsigalgo\nA number with the public key algorithm of a signature packet.\n(drop-sig)\n\nsigdigestalgo\nA number with the digest algorithm of a signature packet.\n(drop-sig)\n\n'--export-options PARAMETERS'\nThis is a space or comma delimited string that gives options for\nexporting keys. Options can be prepended with a 'no-' to give the\nopposite meaning. The options are:\n\nexport-local-sigs\nAllow exporting key signatures marked as \"local\". This is not\ngenerally useful unless a shared keyring scheme is being used.\nDefaults to no.\n\nexport-attributes\nInclude attribute user IDs (photo IDs) while exporting. Not\nincluding attribute user IDs is useful to export keys that are\ngoing to be used by an OpenPGP program that does not accept\nattribute user IDs. Defaults to yes.\n\nexport-sensitive-revkeys\nInclude designated revoker information that was marked as\n\"sensitive\". Defaults to no.\n\nbackup\nexport-backup\nExport for use as a backup. The exported data includes all\ndata which is needed to restore the key or keys later with\nGnuPG. The format is basically the OpenPGP format but enhanced\nwith GnuPG specific data. All other contradicting options are\noverridden.\n\nexport-clean\nCompact (remove all signatures from) user IDs on the key being\nexported if the user IDs are not usable. Also, do not export\nany signatures that are not usable. This includes signatures\nthat were issued by keys that are not present on the keyring.\nThis option is the same as running the '--edit-key' command\n\"clean\" before export except that the local copy of the key is\nnot modified. Defaults to no.\n\nexport-minimal\nExport the smallest key possible. This removes all signatures\nexcept the most recent self-signature on each user ID. This\noption is the same as running the '--edit-key' command\n\"minimize\" before export except that the local copy of the key\nis not modified. Defaults to no.\n\nexport-pka\nInstead of outputting the key material output PKA records\nsuitable to put into DNS zone files. An ORIGIN line is\nprinted before each record to allow diverting the records to\nthe corresponding zone file.\n\nexport-dane\nInstead of outputting the key material output OpenPGP DANE\nrecords suitable to put into DNS zone files. An ORIGIN line\nis printed before each record to allow diverting the records\nto the corresponding zone file.\n\n'--with-colons'\nPrint key listings delimited by colons. Note that the output will\nbe encoded in UTF-8 regardless of any '--display-charset' setting.\nThis format is useful when GnuPG is called from scripts and other\nprograms as it is easily machine parsed. The details of this\nformat are documented in the file 'doc/DETAILS', which is included\nin the GnuPG source distribution.\n\n'--fixed-list-mode'\nDo not merge primary user ID and primary key in '--with-colon'\nlisting mode and print all timestamps as seconds since 1970-01-01.\nSince GnuPG 2.0.10, this mode is always used and thus this option\nis obsolete; it does not harm to use it though.\n\n'--legacy-list-mode'\nRevert to the pre-2.1 public key list mode. This only affects the\nhuman readable output and not the machine interface (i.e.\n'--with-colons'). Note that the legacy format does not convey\nsuitable information for elliptic curves.\n\n'--with-fingerprint'\nSame as the command '--fingerprint' but changes only the format of\nthe output and may be used together with another command.\n\n'--with-subkey-fingerprint'\nIf a fingerprint is printed for the primary key, this option forces\nprinting of the fingerprint for all subkeys. This could also be\nachieved by using the '--with-fingerprint' twice but by using this\noption along with keyid-format \"none\" a compact fingerprint is\nprinted.\n\n'--with-icao-spelling'\nPrint the ICAO spelling of the fingerprint in addition to the hex\ndigits.\n\n'--with-keygrip'\nInclude the keygrip in the key listings. In '--with-colons' mode\nthis is implicitly enable for secret keys.\n\n'--with-key-origin'\nInclude the locally held information on the origin and last update\nof a key in a key listing. In '--with-colons' mode this is always\nprinted. This data is currently experimental and shall not be\nconsidered part of the stable API.\n\n'--with-wkd-hash'\nPrint a Web Key Directory identifier along with each user ID in key\nlistings. This is an experimental feature and semantics may\nchange.\n\n'--with-secret'\nInclude info about the presence of a secret key in public key\nlistings done with '--with-colons'.\n\nFile: gnupg.info, Node: OpenPGP Options, Next: Compliance Options, Prev: GPG Input and Output, Up: GPG Options\n\n\n'-t, --textmode'\n'--no-textmode'\nTreat input files as text and store them in the OpenPGP canonical\ntext form with standard \"CRLF\" line endings. This also sets the\nnecessary flags to inform the recipient that the encrypted or\nsigned data is text and may need its line endings converted back to\nwhatever the local system uses. This option is useful when\ncommunicating between two platforms that have different line ending\nconventions (UNIX-like to Mac, Mac to Windows, etc).\n'--no-textmode' disables this option, and is the default.\n\n'--force-v3-sigs'\n'--no-force-v3-sigs'\n'--force-v4-certs'\n'--no-force-v4-certs'\nThese options are obsolete and have no effect since GnuPG 2.1.\n\n'--force-mdc'\n'--disable-mdc'\nThese options are obsolete and have no effect since GnuPG 2.2.8.\nThe MDC is always used. But note: If the creation of a legacy\nnon-MDC message is exceptionally required, the option '--rfc2440'\nallows for this.\n\n'--disable-signer-uid'\nBy default the user ID of the signing key is embedded in the data\nsignature. As of now this is only done if the signing key has been\nspecified with 'local-user' using a mail address, or with 'sender'.\nThis information can be helpful for verifier to locate the key; see\noption '--auto-key-retrieve'.\n\n'--include-key-block'\nThis option is used to embed the actual signing key into a data\nsignature. The embedded key is stripped down to a single user id\nand includes only the signing subkey used to create the signature\nas well as as valid encryption subkeys. All other info is removed\nfrom the key to keep it and thus the signature small. This option\nis the OpenPGP counterpart to the 'gpgsm' option '--include-certs'.\n\n'--personal-cipher-preferences STRING'\nSet the list of personal cipher preferences to STRING. Use 'gpg\n--version' to get a list of available algorithms, and use 'none' to\nset no preference at all. This allows the user to safely override\nthe algorithm chosen by the recipient key preferences, as GPG will\nonly select an algorithm that is usable by all recipients. The\nmost highly ranked cipher in this list is also used for the\n'--symmetric' encryption command.\n\n'--personal-digest-preferences STRING'\nSet the list of personal digest preferences to STRING. Use 'gpg\n--version' to get a list of available algorithms, and use 'none' to\nset no preference at all. This allows the user to safely override\nthe algorithm chosen by the recipient key preferences, as GPG will\nonly select an algorithm that is usable by all recipients. The\nmost highly ranked digest algorithm in this list is also used when\nsigning without encryption (e.g. '--clear-sign' or '--sign').\n\n'--personal-compress-preferences STRING'\nSet the list of personal compression preferences to STRING. Use\n'gpg --version' to get a list of available algorithms, and use\n'none' to set no preference at all. This allows the user to safely\noverride the algorithm chosen by the recipient key preferences, as\nGPG will only select an algorithm that is usable by all recipients.\nThe most highly ranked compression algorithm in this list is also\nused when there are no recipient keys to consider (e.g.\n'--symmetric').\n\n'--s2k-cipher-algo NAME'\nUse NAME as the cipher algorithm for symmetric encryption with a\npassphrase if '--personal-cipher-preferences' and '--cipher-algo'\nare not given. The default is AES-128.\n\n'--s2k-digest-algo NAME'\nUse NAME as the digest algorithm used to mangle the passphrases for\nsymmetric encryption. The default is SHA-1.\n\n'--s2k-mode N'\nSelects how passphrases for symmetric encryption are mangled. If N\nis 0 a plain passphrase (which is in general not recommended) will\nbe used, a 1 adds a salt (which should not be used) to the\npassphrase and a 3 (the default) iterates the whole process a\nnumber of times (see '--s2k-count').\n\n'--s2k-count N'\nSpecify how many times the passphrases mangling for symmetric\nencryption is repeated. This value may range between 1024 and\n65011712 inclusive. The default is inquired from gpg-agent. Note\nthat not all values in the 1024-65011712 range are legal and if an\nillegal value is selected, GnuPG will round up to the nearest legal\nvalue. This option is only meaningful if '--s2k-mode' is set to\nthe default of 3.\n\nFile: gnupg.info, Node: Compliance Options, Next: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options\n\n\nThese options control what GnuPG is compliant to. Only one of these\noptions may be active at a time. Note that the default setting of this\nis nearly always the correct one. See the INTEROPERABILITY WITH OTHER\nOPENPGP PROGRAMS section below before using one of these options.\n\n'--gnupg'\nUse standard GnuPG behavior. This is essentially OpenPGP behavior\n(see '--openpgp'), but with some additional workarounds for common\ncompatibility problems in different versions of PGP. This is the\ndefault option, so it is not generally needed, but it may be useful\nto override a different compliance option in the gpg.conf file.\n\n'--openpgp'\nReset all packet, cipher and digest options to strict OpenPGP\nbehavior. Use this option to reset all previous options like\n'--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo'\nto OpenPGP compliant values. All PGP workarounds are disabled.\n\n'--rfc4880'\nReset all packet, cipher and digest options to strict RFC-4880\nbehavior. Note that this is currently the same thing as\n'--openpgp'.\n\n'--rfc4880bis'\nEnable experimental features from proposed updates to RFC-4880.\nThis option can be used in addition to the other compliance\noptions. Warning: The behavior may change with any GnuPG release\nand created keys or data may not be usable with future GnuPG\nversions.\n\n'--rfc2440'\nReset all packet, cipher and digest options to strict RFC-2440\nbehavior. Note that by using this option encryption packets are\ncreated in a legacy mode without MDC protection. This is dangerous\nand should thus only be used for experiments. See also option\n'--ignore-mdc-error'.\n\n'--pgp6'\nSet up all options to be as PGP 6 compliant as possible. This\nrestricts you to the ciphers IDEA (if the IDEA plugin is\ninstalled), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,\nand the compression algorithms none and ZIP. This also disables\n'--throw-keyids', and making signatures with signing subkeys as PGP\n6 does not understand signatures made by signing subkeys.\n\nThis option implies '--escape-from-lines'.\n\n'--pgp7'\nSet up all options to be as PGP 7 compliant as possible. This is\nidentical to '--pgp6' except that MDCs are not disabled, and the\nlist of allowable ciphers is expanded to add AES128, AES192,\nAES256, and TWOFISH.\n\n'--pgp8'\nSet up all options to be as PGP 8 compliant as possible. PGP 8 is\na lot closer to the OpenPGP standard than previous versions of PGP,\nso all this does is disable '--throw-keyids' and set\n'--escape-from-lines'. All algorithms are allowed except for the\nSHA224, SHA384, and SHA512 digests.\n\n'--compliance STRING'\nThis option can be used instead of one of the options above. Valid\nvalues for STRING are the above option names (without the double\ndash) and possibly others as shown when using \"help\" for VALUE.\n\nFile: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options\n\n\n'-n'\n'--dry-run'\nDon't make any changes (this is not completely implemented).\n\n'--list-only'\nChanges the behaviour of some commands. This is like '--dry-run'\nbut different in some cases. The semantic of this option may be\nextended in the future. Currently it only skips the actual\ndecryption pass and therefore enables a fast listing of the\nencryption keys.\n\n'-i'\n'--interactive'\nPrompt before overwriting any files.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or by a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\n'--debug FLAGS'\nSet debugging flags. All flags are or-ed and FLAGS may be given in\nC syntax (e.g. 0x0042) or as a comma separated list of flag names.\nTo get a list of all supported flags the single word \"help\" can be\nused.\n\n'--debug-all'\nSet all useful debugging flags.\n\n'--debug-iolbf'\nSet stdout into line buffered mode. This option is only honored\nwhen given on the command line.\n\n'--faked-system-time EPOCH'\nThis option is only useful for testing; it sets the system time\nback or forth to EPOCH which is the number of seconds elapsed since\nthe year 1970. Alternatively EPOCH may be given as a full ISO time\nstring (e.g. \"20070924T154812\").\n\nIf you suffix EPOCH with an exclamation mark (!), the system time\nwill appear to be frozen at the specified time.\n\n'--enable-progress-filter'\nEnable certain PROGRESS status outputs. This option allows\nfrontends to display a progress indicator while gpg is processing\nlarger files. There is a slight performance overhead using it.\n\n'--status-fd N'\nWrite special status strings to the file descriptor N. See the\nfile DETAILS in the documentation for a listing of them.\n\n'--status-file FILE'\nSame as '--status-fd', except the status data is written to file\nFILE.\n\n'--logger-fd N'\nWrite log output to file descriptor N and not to STDERR.\n\n'--log-file FILE'\n'--logger-file FILE'\nSame as '--logger-fd', except the logger data is written to file\nFILE. Use 'socket://' to log to a socket. Note that in this\nversion of gpg the option has only an effect if '--batch' is also\nused.\n\n'--attribute-fd N'\nWrite attribute subpackets to the file descriptor N. This is most\nuseful for use with '--status-fd', since the status messages are\nneeded to separate out the various subpackets from the stream\ndelivered to the file descriptor.\n\n'--attribute-file FILE'\nSame as '--attribute-fd', except the attribute data is written to\nfile FILE.\n\n'--comment STRING'\n'--no-comments'\nUse STRING as a comment string in cleartext signatures and ASCII\narmored messages or keys (see '--armor'). The default behavior is\nnot to use a comment string. '--comment' may be repeated multiple\ntimes to get multiple comment strings. '--no-comments' removes all\ncomments. It is a good idea to keep the length of a single comment\nbelow 60 characters to avoid problems with mail programs wrapping\nsuch lines. Note that comment lines, like all other header lines,\nare not protected by the signature.\n\n'--emit-version'\n'--no-emit-version'\nForce inclusion of the version string in ASCII armored output. If\ngiven once only the name of the program and the major number is\nemitted, given twice the minor is also emitted, given thrice the\nmicro is added, and given four times an operating system\nidentification is also emitted. '--no-emit-version' (default)\ndisables the version line.\n\n'--sig-notation {NAME=VALUE}'\n'--cert-notation {NAME=VALUE}'\n'-N, --set-notation {NAME=VALUE}'\nPut the name value pair into the signature as notation data. NAME\nmust consist only of printable characters or spaces, and must\ncontain a '@' character in the form keyname@domain.example.com\n(substituting the appropriate keyname and domain name, of course).\nThis is to help prevent pollution of the IETF reserved notation\nnamespace. The '--expert' flag overrides the '@' check. VALUE may\nbe any printable string; it will be encoded in UTF-8, so you should\ncheck that your '--display-charset' is set correctly. If you\nprefix NAME with an exclamation mark (!), the notation data will be\nflagged as critical (rfc4880:5.2.3.16). '--sig-notation' sets a\nnotation for data signatures. '--cert-notation' sets a notation\nfor key signatures (certifications). '--set-notation' sets both.\n\nThere are special codes that may be used in notation names. \"%k\"\nwill be expanded into the key ID of the key being signed, \"%K\" into\nthe long key ID of the key being signed, \"%f\" into the fingerprint\nof the key being signed, \"%s\" into the key ID of the key making the\nsignature, \"%S\" into the long key ID of the key making the\nsignature, \"%g\" into the fingerprint of the key making the\nsignature (which might be a subkey), \"%p\" into the fingerprint of\nthe primary key of the key making the signature, \"%c\" into the\nsignature count from the OpenPGP smartcard, and \"%%\" results in a\nsingle \"%\". %k, %K, and %f are only meaningful when making a key\nsignature (certification), and %c is only meaningful when using the\nOpenPGP smartcard.\n\n'--known-notation NAME'\nAdds NAME to a list of known critical signature notations. The\neffect of this is that gpg will not mark a signature with a\ncritical signature notation of that name as bad. Note that gpg\nalready knows by default about a few critical signatures notation\nnames.\n\n'--sig-policy-url STRING'\n'--cert-policy-url STRING'\n'--set-policy-url STRING'\nUse STRING as a Policy URL for signatures (rfc4880:5.2.3.20). If\nyou prefix it with an exclamation mark (!), the policy URL packet\nwill be flagged as critical. '--sig-policy-url' sets a policy url\nfor data signatures. '--cert-policy-url' sets a policy url for key\nsignatures (certifications). '--set-policy-url' sets both.\n\nThe same %-expandos used for notation data are available here as\nwell.\n\n'--sig-keyserver-url STRING'\nUse STRING as a preferred keyserver URL for data signatures. If\nyou prefix it with an exclamation mark (!), the keyserver URL\npacket will be flagged as critical.\n\nThe same %-expandos used for notation data are available here as\nwell.\n\n'--set-filename STRING'\nUse STRING as the filename which is stored inside messages. This\noverrides the default, which is to use the actual filename of the\nfile being encrypted. Using the empty string for STRING\neffectively removes the filename from the output.\n\n'--for-your-eyes-only'\n'--no-for-your-eyes-only'\nSet the 'for your eyes only' flag in the message. This causes\nGnuPG to refuse to save the file unless the '--output' option is\ngiven, and PGP to use a \"secure viewer\" with a claimed\nTempest-resistant font to display the message. This option\noverrides '--set-filename'. '--no-for-your-eyes-only' disables\nthis option.\n\n'--use-embedded-filename'\n'--no-use-embedded-filename'\nTry to create a file with a name as embedded in the data. This can\nbe a dangerous option as it enables overwriting files. Defaults to\nno. Note that the option '--output' overrides this option.\n\n'--cipher-algo NAME'\nUse NAME as cipher algorithm. Running the program with the command\n'--version' yields a list of supported algorithms. If this is not\nused the cipher algorithm is selected from the preferences stored\nwith the key. In general, you do not want to use this option as it\nallows you to violate the OpenPGP standard.\n'--personal-cipher-preferences' is the safe way to accomplish the\nsame thing.\n\n'--digest-algo NAME'\nUse NAME as the message digest algorithm. Running the program with\nthe command '--version' yields a list of supported algorithms. In\ngeneral, you do not want to use this option as it allows you to\nviolate the OpenPGP standard. '--personal-digest-preferences' is\nthe safe way to accomplish the same thing.\n\n'--compress-algo NAME'\nUse compression algorithm NAME. \"zlib\" is RFC-1950 ZLIB\ncompression. \"zip\" is RFC-1951 ZIP compression which is used by\nPGP. \"bzip2\" is a more modern compression scheme that can compress\nsome things better than zip or zlib, but at the cost of more memory\nused during compression and decompression. \"uncompressed\" or\n\"none\" disables compression. If this option is not used, the\ndefault behavior is to examine the recipient key preferences to see\nwhich algorithms the recipient supports. If all else fails, ZIP is\nused for maximum compatibility.\n\nZLIB may give better compression results than ZIP, as the\ncompression window size is not limited to 8k. BZIP2 may give even\nbetter compression results than that, but will use a significantly\nlarger amount of memory while compressing and decompressing. This\nmay be significant in low memory situations. Note, however, that\nPGP (all versions) only supports ZIP compression. Using any\nalgorithm other than ZIP or \"none\" will make the message unreadable\nwith PGP. In general, you do not want to use this option as it\nallows you to violate the OpenPGP standard.\n'--personal-compress-preferences' is the safe way to accomplish the\nsame thing.\n\n'--cert-digest-algo NAME'\nUse NAME as the message digest algorithm used when signing a key.\nRunning the program with the command '--version' yields a list of\nsupported algorithms. Be aware that if you choose an algorithm\nthat GnuPG supports but other OpenPGP implementations do not, then\nsome users will not be able to use the key signatures you make, or\nquite possibly your entire key.\n\n'--disable-cipher-algo NAME'\nNever allow the use of NAME as cipher algorithm. The given name\nwill not be checked so that a later loaded algorithm will still get\ndisabled.\n\n'--disable-pubkey-algo NAME'\nNever allow the use of NAME as public key algorithm. The given\nname will not be checked so that a later loaded algorithm will\nstill get disabled.\n\n'--throw-keyids'\n'--no-throw-keyids'\nDo not put the recipient key IDs into encrypted messages. This\nhelps to hide the receivers of the message and is a limited\ncountermeasure against traffic analysis.(1) On the receiving side,\nit may slow down the decryption process because all available\nsecret keys must be tried. '--no-throw-keyids' disables this\noption. This option is essentially the same as using\n'--hidden-recipient' for all recipients.\n\n'--not-dash-escaped'\nThis option changes the behavior of cleartext signatures so that\nthey can be used for patch files. You should not send such an\narmored file via email because all spaces and line endings are\nhashed too. You can not use this option for data which has 5\ndashes at the beginning of a line, patch files don't have this. A\nspecial armor header line tells GnuPG about this cleartext\nsignature option.\n\n'--escape-from-lines'\n'--no-escape-from-lines'\nBecause some mailers change lines starting with \"From \" to \">From \"\nit is good to handle such lines in a special way when creating\ncleartext signatures to prevent the mail system from breaking the\nsignature. Note that all other PGP versions do it this way too.\nEnabled by default. '--no-escape-from-lines' disables this option.\n\n'--passphrase-repeat N'\nSpecify how many times 'gpg' will request a new passphrase be\nrepeated. This is useful for helping memorize a passphrase.\nDefaults to 1 repetition; can be set to 0 to disable any passphrase\nrepetition. Note that a N greater than 1 will pop up the pinentry\nwindow N+1 times even if a modern pinentry with two entry fields is\nused.\n\n'--passphrase-fd N'\nRead the passphrase from file descriptor N. Only the first line\nwill be read from file descriptor N. If you use 0 for N, the\npassphrase will be read from STDIN. This can only be used if only\none passphrase is supplied.\n\nNote that since Version 2.0 this passphrase is only used if the\noption '--batch' has also been given. Since Version 2.1 the\n'--pinentry-mode' also needs to be set to 'loopback'.\n\n'--passphrase-file FILE'\nRead the passphrase from file FILE. Only the first line will be\nread from file FILE. This can only be used if only one passphrase\nis supplied. Obviously, a passphrase stored in a file is of\nquestionable security if other users can read this file. Don't use\nthis option if you can avoid it.\n\nNote that since Version 2.0 this passphrase is only used if the\noption '--batch' has also been given. Since Version 2.1 the\n'--pinentry-mode' also needs to be set to 'loopback'.\n\n'--passphrase STRING'\nUse STRING as the passphrase. This can only be used if only one\npassphrase is supplied. Obviously, this is of very questionable\nsecurity on a multi-user system. Don't use this option if you can\navoid it.\n\nNote that since Version 2.0 this passphrase is only used if the\noption '--batch' has also been given. Since Version 2.1 the\n'--pinentry-mode' also needs to be set to 'loopback'.\n\n'--pinentry-mode MODE'\nSet the pinentry mode to MODE. Allowed values for MODE are:\ndefault\nUse the default of the agent, which is 'ask'.\nask\nForce the use of the Pinentry.\ncancel\nEmulate use of Pinentry's cancel button.\nerror\nReturn a Pinentry error (\"No Pinentry\").\nloopback\nRedirect Pinentry queries to the caller. Note that in\ncontrast to Pinentry the user is not prompted again if he\nenters a bad password.\n\n'--no-symkey-cache'\nDisable the passphrase cache used for symmetrical en- and\ndecryption. This cache is based on the message specific salt value\n(cf. '--s2k-mode').\n\n'--request-origin ORIGIN'\nTell gpg to assume that the operation ultimately originated at\nORIGIN. Depending on the origin certain restrictions are applied\nand the Pinentry may include an extra note on the origin.\nSupported values for ORIGIN are: 'local' which is the default,\n'remote' to indicate a remote origin or 'browser' for an operation\nrequested by a web browser.\n\n'--command-fd N'\nThis is a replacement for the deprecated shared-memory IPC mode.\nIf this option is enabled, user input on questions is not expected\nfrom the TTY but from the given file descriptor. It should be used\ntogether with '--status-fd'. See the file doc/DETAILS in the\nsource distribution for details on how to use it.\n\n'--command-file FILE'\nSame as '--command-fd', except the commands are read out of file\nFILE\n\n'--allow-non-selfsigned-uid'\n'--no-allow-non-selfsigned-uid'\nAllow the import and use of keys with user IDs which are not\nself-signed. This is not recommended, as a non self-signed user ID\nis trivial to forge. '--no-allow-non-selfsigned-uid' disables.\n\n'--allow-freeform-uid'\nDisable all checks on the form of the user ID while generating a\nnew one. This option should only be used in very special\nenvironments as it does not ensure the de-facto standard format of\nuser IDs.\n\n'--ignore-time-conflict'\nGnuPG normally checks that the timestamps associated with keys and\nsignatures have plausible values. However, sometimes a signature\nseems to be older than the key due to clock problems. This option\nmakes these checks just a warning. See also '--ignore-valid-from'\nfor timestamp issues on subkeys.\n\n'--ignore-valid-from'\nGnuPG normally does not select and use subkeys created in the\nfuture. This option allows the use of such keys and thus exhibits\nthe pre-1.0.7 behaviour. You should not use this option unless\nthere is some clock problem. See also '--ignore-time-conflict' for\ntimestamp issues with signatures.\n\n'--ignore-crc-error'\nThe ASCII armor used by OpenPGP is protected by a CRC checksum\nagainst transmission errors. Occasionally the CRC gets mangled\nsomewhere on the transmission channel but the actual content (which\nis protected by the OpenPGP protocol anyway) is still okay. This\noption allows GnuPG to ignore CRC errors.\n\n'--ignore-mdc-error'\nThis option changes a MDC integrity protection failure into a\nwarning. It is required to decrypt old messages which did not use\nan MDC. It may also be useful if a message is partially garbled,\nbut it is necessary to get as much data as possible out of that\ngarbled message. Be aware that a missing or failed MDC can be an\nindication of an attack. Use with great caution; see also option\n'--rfc2440'.\n\n'--allow-weak-digest-algos'\nSignatures made with known-weak digest algorithms are normally\nrejected with an \"invalid digest algorithm\" message. This option\nallows the verification of signatures made with such weak\nalgorithms. MD5 is the only digest algorithm considered weak by\ndefault. See also '--weak-digest' to reject other digest\nalgorithms.\n\n'--weak-digest NAME'\nTreat the specified digest algorithm as weak. Signatures made over\nweak digests algorithms are normally rejected. This option can be\nsupplied multiple times if multiple algorithms should be considered\nweak. See also '--allow-weak-digest-algos' to disable rejection of\nweak digests. MD5 is always considered weak, and does not need to\nbe listed explicitly.\n\n'--allow-weak-key-signatures'\nTo avoid a minor risk of collision attacks on third-party key\nsignatures made using SHA-1, those key signatures are considered\ninvalid. This options allows to override this restriction.\n\n'--no-default-keyring'\nDo not add the default keyrings to the list of keyrings. Note that\nGnuPG will not operate without any keyrings, so if you use this\noption and do not provide alternate keyrings via '--keyring' or\n'--secret-keyring', then GnuPG will still use the default public or\nsecret keyrings.\n\n'--no-keyring'\nDo not use any keyring at all. This overrides the default and all\noptions which specify keyrings.\n\n'--skip-verify'\nSkip the signature verification step. This may be used to make the\ndecryption faster if the signature verification is not needed.\n\n'--with-key-data'\nPrint key listings delimited by colons (like '--with-colons') and\nprint the public key data.\n\n'--list-signatures'\n'--list-sigs'\nSame as '--list-keys', but the signatures are listed too. This\ncommand has the same effect as using '--list-keys' with\n'--with-sig-list'. Note that in contrast to '--check-signatures'\nthe key signatures are not verified. This command can be used to\ncreate a list of signing keys missing in the local keyring; for\nexample:\n\ngpg --list-sigs --with-colons USERID | \\\nawk -F: '$1==\"sig\" && $2==\"?\" {if($13){print $13}else{print $5}}'\n\n'--fast-list-mode'\nChanges the output of the list commands to work faster; this is\nachieved by leaving some parts empty. Some applications don't need\nthe user ID and the trust information given in the listings. By\nusing this options they can get a faster listing. The exact\nbehaviour of this option may change in future versions. If you are\nmissing some information, don't use this option.\n\n'--no-literal'\nThis is not for normal use. Use the source to see for what it\nmight be useful.\n\n'--set-filesize'\nThis is not for normal use. Use the source to see for what it\nmight be useful.\n\n'--show-session-key'\nDisplay the session key used for one message. See\n'--override-session-key' for the counterpart of this option.\n\nWe think that Key Escrow is a Bad Thing; however the user should\nhave the freedom to decide whether to go to prison or to reveal the\ncontent of one specific message without compromising all messages\never encrypted for one secret key.\n\nYou can also use this option if you receive an encrypted message\nwhich is abusive or offensive, to prove to the administrators of\nthe messaging system that the ciphertext transmitted corresponds to\nan inappropriate plaintext so they can take action against the\noffending user.\n\n'--override-session-key STRING'\n'--override-session-key-fd FD'\nDon't use the public key but the session key STRING respective the\nsession key taken from the first line read from file descriptor FD.\nThe format of this string is the same as the one printed by\n'--show-session-key'. This option is normally not used but comes\nhandy in case someone forces you to reveal the content of an\nencrypted message; using this option you can do this without\nhanding out the secret key. Note that using\n'--override-session-key' may reveal the session key to all local\nusers via the global process table. Often it is useful to combine\nthis option with '--no-keyring'.\n\n'--ask-sig-expire'\n'--no-ask-sig-expire'\nWhen making a data signature, prompt for an expiration time. If\nthis option is not specified, the expiration time set via\n'--default-sig-expire' is used. '--no-ask-sig-expire' disables\nthis option.\n\n'--default-sig-expire'\nThe default expiration time to use for signature expiration. Valid\nvalues are \"0\" for no expiration, a number followed by the letter d\n(for days), w (for weeks), m (for months), or y (for years) (for\nexample \"2m\" for two months, or \"5y\" for five years), or an\nabsolute date in the form YYYY-MM-DD. Defaults to \"0\".\n\n'--ask-cert-expire'\n'--no-ask-cert-expire'\nWhen making a key signature, prompt for an expiration time. If\nthis option is not specified, the expiration time set via\n'--default-cert-expire' is used. '--no-ask-cert-expire' disables\nthis option.\n\n'--default-cert-expire'\nThe default expiration time to use for key signature expiration.\nValid values are \"0\" for no expiration, a number followed by the\nletter d (for days), w (for weeks), m (for months), or y (for\nyears) (for example \"2m\" for two months, or \"5y\" for five years),\nor an absolute date in the form YYYY-MM-DD. Defaults to \"0\".\n\n'--default-new-key-algo STRING'\nThis option can be used to change the default algorithms for key\ngeneration. The STRING is similar to the arguments required for\nthe command '--quick-add-key' but slightly different. For example\nthe current default of '\"rsa2048/cert,sign+rsa2048/encr\"' (or\n'\"rsa3072\"') can be changed to the value of what we currently call\nfuture default, which is '\"ed25519/cert,sign+cv25519/encr\"'. You\nneed to consult the source code to learn the details. Note that\nthe advanced key generation commands can always be used to specify\na key algorithm directly.\n\n'--allow-secret-key-import'\nThis is an obsolete option and is not used anywhere.\n\n'--allow-multiple-messages'\n'--no-allow-multiple-messages'\nAllow processing of multiple OpenPGP messages contained in a single\nfile or stream. Some programs that call GPG are not prepared to\ndeal with multiple messages being processed together, so this\noption defaults to no. Note that versions of GPG prior to 1.4.7\nalways allowed multiple messages. Future versions of GnUPG will\nremove this option.\n\nWarning: Do not use this option unless you need it as a temporary\nworkaround!\n\n'--enable-special-filenames'\nThis option enables a mode in which filenames of the form '-&n',\nwhere n is a non-negative decimal number, refer to the file\ndescriptor n and not to a file with that name.\n\n'--no-expensive-trust-checks'\nExperimental use only.\n\n'--preserve-permissions'\nDon't change the permissions of a secret keyring back to user\nread/write only. Use this option only if you really know what you\nare doing.\n\n'--default-preference-list STRING'\nSet the list of default preferences to STRING. This preference\nlist is used for new keys and becomes the default for \"setpref\" in\nthe edit menu.\n\n'--default-keyserver-url NAME'\nSet the default keyserver URL to NAME. This keyserver will be used\nas the keyserver URL when writing a new self-signature on a key,\nwhich includes key generation and changing preferences.\n\n'--list-config'\nDisplay various internal configuration parameters of GnuPG. This\noption is intended for external programs that call GnuPG to perform\ntasks, and is thus not generally useful. See the file\n'doc/DETAILS' in the source distribution for the details of which\nconfiguration items may be listed. '--list-config' is only usable\nwith '--with-colons' set.\n\n'--list-gcrypt-config'\nDisplay various internal configuration parameters of Libgcrypt.\n\n'--gpgconf-list'\nThis command is similar to '--list-config' but in general only\ninternally used by the 'gpgconf' tool.\n\n'--gpgconf-test'\nThis is more or less dummy action. However it parses the\nconfiguration file and returns with failure if the configuration\nfile would prevent 'gpg' from startup. Thus it may be used to run\na syntax check on the configuration file.\n\n---------- Footnotes ----------\n\n(1) Using a little social engineering anyone who is able to decrypt\nthe message can check whether one of the other recipients is the one he\nsuspects.\n\nFile: gnupg.info, Node: Deprecated Options, Prev: GPG Esoteric Options, Up: GPG Options\n\n\n'--show-photos'\n'--no-show-photos'\nCauses '--list-keys', '--list-signatures', '--list-public-keys',\n'--list-secret-keys', and verifying a signature to also display the\nphoto ID attached to the key, if any. See also '--photo-viewer'.\nThese options are deprecated. Use '--list-options\n[no-]show-photos' and/or '--verify-options [no-]show-photos'\ninstead.\n\n'--show-keyring'\nDisplay the keyring name at the head of key listings to show which\nkeyring a given key resides on. This option is deprecated: use\n'--list-options [no-]show-keyring' instead.\n\n'--always-trust'\nIdentical to '--trust-model always'. This option is deprecated.\n\n'--show-notation'\n'--no-show-notation'\nShow signature notations in the '--list-signatures' or\n'--check-signatures' listings as well as when verifying a signature\nwith a notation in it. These options are deprecated. Use\n'--list-options [no-]show-notation' and/or '--verify-options\n[no-]show-notation' instead.\n\n'--show-policy-url'\n'--no-show-policy-url'\nShow policy URLs in the '--list-signatures' or '--check-signatures'\nlistings as well as when verifying a signature with a policy URL in\nit. These options are deprecated. Use '--list-options\n[no-]show-policy-url' and/or '--verify-options\n[no-]show-policy-url' instead.\n\nFile: gnupg.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG\n" }, { "name": "4.3 Configuration files", "content": "There are a few configuration files to control certain aspects of\n'gpg''s operation. Unless noted, they are expected in the current home\ndirectory (*note option --homedir::).\n\n'gpg.conf'\nThis is the standard configuration file read by 'gpg' on startup.\nIt may contain any valid long option; the leading two dashes may\nnot be entered and the option may not be abbreviated. This default\nname may be changed on the command line (*note gpg-option\n--options::). You should backup this file.\n\nNote that on larger installations, it is useful to put predefined\nfiles into the directory '/etc/skel/.gnupg' so that newly created users\nstart up with a working configuration. For existing users a small\nhelper script is provided to create these files (*note addgnupghome::).\n\nFor internal purposes 'gpg' creates and maintains a few other files;\nThey all live in the current home directory (*note option --homedir::).\nOnly the 'gpg' program may modify these files.\n\n'~/.gnupg'\nThis is the default home directory which is used if neither the\nenvironment variable 'GNUPGHOME' nor the option '--homedir' is\ngiven.\n\n'~/.gnupg/pubring.gpg'\nThe public keyring using a legacy format. You should backup this\nfile.\n\nIf this file is not available, 'gpg' defaults to the new keybox\nformat and creates a file 'pubring.kbx' unless that file already\nexists in which case that file will also be used for OpenPGP keys.\n\nNote that in the case that both files, 'pubring.gpg' and\n'pubring.kbx' exists but the latter has no OpenPGP keys, the legacy\nfile 'pubring.gpg' will be used. Take care: GnuPG versions before\n2.1 will always use the file 'pubring.gpg' because they do not know\nabout the new keybox format. In the case that you have to use\nGnuPG 1.4 to decrypt archived data you should keep this file.\n\n'~/.gnupg/pubring.gpg.lock'\nThe lock file for the public keyring.\n\n'~/.gnupg/pubring.kbx'\nThe public keyring using the new keybox format. This file is\nshared with 'gpgsm'. You should backup this file. See above for\nthe relation between this file and it predecessor.\n\nTo convert an existing 'pubring.gpg' file to the keybox format, you\nfirst backup the ownertrust values, then rename 'pubring.gpg' to\n'publickeys.backup', so it won't be recognized by any GnuPG\nversion, run import, and finally restore the ownertrust values:\n\n$ cd ~/.gnupg\n$ gpg --export-ownertrust >otrust.lst\n$ mv pubring.gpg publickeys.backup\n$ gpg --import-options restore --import publickeys.backups\n$ gpg --import-ownertrust otrust.lst\n\n'~/.gnupg/pubring.kbx.lock'\nThe lock file for 'pubring.kbx'.\n\n'~/.gnupg/secring.gpg'\nThe legacy secret keyring as used by GnuPG versions before 2.1. It\nis not used by GnuPG 2.1 and later. You may want to keep it in\ncase you have to use GnuPG 1.4 to decrypt archived data.\n\n'~/.gnupg/secring.gpg.lock'\nThe lock file for the legacy secret keyring.\n\n'~/.gnupg/.gpg-v21-migrated'\nFile indicating that a migration to GnuPG 2.1 has been done.\n\n'~/.gnupg/trustdb.gpg'\nThe trust database. There is no need to backup this file; it is\nbetter to backup the ownertrust values (*note option\n--export-ownertrust::).\n\n'~/.gnupg/trustdb.gpg.lock'\nThe lock file for the trust database.\n\n'~/.gnupg/randomseed'\nA file used to preserve the state of the internal random pool.\n\n'~/.gnupg/openpgp-revocs.d/'\nThis is the directory where gpg stores pre-generated revocation\ncertificates. The file name corresponds to the OpenPGP fingerprint\nof the respective key. It is suggested to backup those\ncertificates and if the primary private key is not stored on the\ndisk to move them to an external storage device. Anyone who can\naccess theses files is able to revoke the corresponding key. You\nmay want to print them out. You should backup all files in this\ndirectory and take care to keep this backup closed away.\n\nOperation is further controlled by a few environment variables:\n\nHOME\nUsed to locate the default home directory.\n\nGNUPGHOME\nIf set directory used instead of \"~/.gnupg\".\n\nGPGAGENTINFO\nThis variable is obsolete; it was used by GnuPG versions before\n2.1.\n\nPINENTRYUSERDATA\nThis value is passed via gpg-agent to pinentry. It is useful to\nconvey extra information to a custom pinentry.\n\nCOLUMNS\nLINES\nUsed to size some displays to the full size of the screen.\n\nLANGUAGE\nApart from its use by GNU, it is used in the W32 version to\noverride the language selection done through the Registry. If used\nand set to a valid and available language name (LANGID), the file\nwith the translation is loaded from 'GPGDIR/gnupg.nls/LANGID.mo'.\nHere GPGDIR is the directory out of which the gpg binary has been\nloaded. If it can't be loaded the Registry is tried and as last\nresort the native Windows locale system is used.\n\nWhen calling the gpg-agent component 'gpg' sends a set of environment\nvariables to gpg-agent. The names of these variables can be listed\nusing the command:\n\ngpg-connect-agent 'getinfo stdenvnames' /bye | awk '$1==\"D\" {print $2}'\n\nFile: gnupg.info, Node: GPG Examples, Next: Unattended Usage of GPG, Prev: GPG Configuration, Up: Invoking GPG\n" }, { "name": "4.4 Examples", "content": "gpg -se -r 'Bob' 'file'\nsign and encrypt for user Bob\n\ngpg -clear-sign 'file'\nmake a cleartext signature\n\ngpg -sb 'file'\nmake a detached signature\n\ngpg -u 0x12345678 -sb 'file'\nmake a detached signature with the key 0x12345678\n\ngpg -list-keys 'userID'\nshow keys\n\ngpg -fingerprint 'userID'\nshow fingerprint\n\ngpg -verify 'pgpfile'\ngpg -verify 'sigfile' ['datafile']\nVerify the signature of the file but do not output the data unless\nrequested. The second form is used for detached signatures, where\n'sigfile' is the detached signature (either ASCII armored or\nbinary) and 'datafile' are the signed data; if this is not given,\nthe name of the file holding the signed data is constructed by\ncutting off the extension (\".asc\" or \".sig\") of 'sigfile' or by\nasking the user for the filename. If the option '--output' is also\nused the signed data is written to the file specified by that\noption; use '-' to write the signed data to stdout.\n" } ] }, "FILTER EXPRESSIONS": { "content": "The options '--import-filter' and '--export-filter' use expressions with\nthis syntax (square brackets indicate an optional part and curly braces\na repetition, white space between the elements are allowed):\n\n[lc] {[{flag}] PROPNAME op VALUE [lc]}\n\nThe name of a property (PROPNAME) may only consist of letters, digits\nand underscores. The description for the filter type describes which\nproperties are defined. If an undefined property is used it evaluates\nto the empty string. Unless otherwise noted, the VALUE must always be\ngiven and may not be the empty string. No quoting is defined for the\nvalue, thus the value may not contain the strings '&&' or '||', which\nare used as logical connection operators. The flag '--' can be used to\nremove this restriction.\n\nNumerical values are computed as long int; standard C notation\napplies. LC is the logical connection operator; either '&&' for a\nconjunction or '||' for a disjunction. A conjunction is assumed at the\nbegin of an expression. Conjunctions have higher precedence than\ndisjunctions. If VALUE starts with one of the characters used in any OP\na space after the OP is required.\n\nThe supported operators (OP) are:\n\n=~\nSubstring must match.\n\n!~\nSubstring must not match.\n\n=\nThe full string must match.\n\n<>\nThe full string must not match.\n\n==\nThe numerical value must match.\n\n!=\nThe numerical value must not match.\n\n<=\nThe numerical value of the field must be LE than the value.\n\n<\nThe numerical value of the field must be LT than the value.\n\n>\nThe numerical value of the field must be GT than the value.\n\n>=\nThe numerical value of the field must be GE than the value.\n\n-le\nThe string value of the field must be less or equal than the value.\n\n-lt\nThe string value of the field must be less than the value.\n\n-gt\nThe string value of the field must be greater than the value.\n\n-ge\nThe string value of the field must be greater or equal than the\nvalue.\n\n-n\nTrue if value is not empty (no value allowed).\n\n-z\nTrue if value is empty (no value allowed).\n\n-t\nAlias for \"PROPNAME != 0\" (no value allowed).\n\n-f\nAlias for \"PROPNAME == 0\" (no value allowed).\n\nValues for FLAG must be space separated. The supported flags are:\n\n-\nVALUE spans to the end of the expression.\n-c\nThe string match in this part is done case-sensitive.\n\nThe filter options concatenate several specifications for a filter of\nthe same type. For example the four options in this example:\n\n--import-filter keep-uid=\"uid =~ Alfa\"\n--import-filter keep-uid=\"&& uid !~ Test\"\n--import-filter keep-uid=\"|| uid =~ Alpha\"\n--import-filter keep-uid=\"uid !~ Test\"\n\nwhich is equivalent to\n\n--import-filter \\\nkeep-uid=\"uid =~ Alfa\" && uid !~ Test\" || uid =~ Alpha\" && \"uid !~ Test\"\n\nimports only the user ids of a key containing the strings \"Alfa\" or\n\"Alpha\" but not the string \"test\".\n", "subsections": [] }, "RETURN VALUE": { "content": "The program returns 0 if there are no severe errors, 1 if at least a\nsignature was bad, and other error codes for fatal errors.\n\nNote that signature verification requires exact knowledge of what has\nbeen signed and by whom it has beensigned. Using only the return code\nis thus not an appropriate way to verify a signature by a script.\nEither make proper use or the status codes or use the 'gpgv' tool which\nhas been designed to make signature verification easy for scripts.\n", "subsections": [] }, "WARNINGS": { "content": "Use a good password for your user account and make sure that all\nsecurity issues are always fixed on your machine. Also employ diligent\nphysical protection to your machine. Consider to use a good passphrase\nas a last resort protection to your secret key in the case your machine\ngets stolen. It is important that your secret key is never leaked.\nUsing an easy to carry around token or smartcard with the secret key is\noften a advisable.\n\nIf you are going to verify detached signatures, make sure that the\nprogram knows about it; either give both filenames on the command line\nor use '-' to specify STDIN.\n\nFor scripted or other unattended use of 'gpg' make sure to use the\nmachine-parseable interface and not the default interface which is\nintended for direct use by humans. The machine-parseable interface\nprovides a stable and well documented API independent of the locale or\nfuture changes of 'gpg'. To enable this interface use the options\n'--with-colons' and '--status-fd'. For certain operations the option\n'--command-fd' may come handy too. See this man page and the file\n'DETAILS' for the specification of the interface. Note that the GnuPG\n\"info\" pages as well as the PDF version of the GnuPG manual features a\nchapter on unattended use of GnuPG. As an alternative the library\n'GPGME' can be used as a high-level abstraction on top of that\ninterface.\n", "subsections": [] }, "INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS": { "content": "GnuPG tries to be a very flexible implementation of the OpenPGP\nstandard. In particular, GnuPG implements many of the optional parts of\nthe standard, such as the SHA-512 hash, and the ZLIB and BZIP2\ncompression algorithms. It is important to be aware that not all\nOpenPGP programs implement these optional algorithms and that by forcing\ntheir use via the '--cipher-algo', '--digest-algo',\n'--cert-digest-algo', or '--compress-algo' options in GnuPG, it is\npossible to create a perfectly valid OpenPGP message, but one that\ncannot be read by the intended recipient.\n\nThere are dozens of variations of OpenPGP programs available, and\neach supports a slightly different subset of these optional algorithms.\nFor example, until recently, no (unhacked) version of PGP supported the\nBLOWFISH cipher algorithm. A message using BLOWFISH simply could not be\nread by a PGP user. By default, GnuPG uses the standard OpenPGP\npreferences system that will always do the right thing and create\nmessages that are usable by all recipients, regardless of which OpenPGP\nprogram they use. Only override this safe default if you really know\nwhat you are doing.\n\nIf you absolutely must override the safe default, or if the\npreferences on a given key are invalid for some reason, you are far\nbetter off using the '--pgp6', '--pgp7', or '--pgp8' options. These\noptions are safe as they do not force any particular algorithms in\nviolation of OpenPGP, but rather reduce the available algorithms to a\n\"PGP-safe\" list.\n", "subsections": [] }, "BUGS": { "content": "On older systems this program should be installed as setuid(root). This\nis necessary to lock memory pages. Locking memory pages prevents the\noperating system from writing memory pages (which may contain\npassphrases or other sensitive material) to disk. If you get no warning\nmessage about insecure memory your operating system supports locking\nwithout being root. The program drops root privileges as soon as locked\nmemory is allocated.\n\nNote also that some systems (especially laptops) have the ability to\n\"suspend to disk\" (also known as \"safe sleep\" or \"hibernate\"). This\nwrites all memory to disk before going into a low power or even powered\noff mode. Unless measures are taken in the operating system to protect\nthe saved memory, passphrases or other sensitive material may be\nrecoverable from it later.\n\nBefore you report a bug you should first search the mailing list\narchives for similar problems and second check whether such a bug has\nalready been reported to our bug tracker at .\n\nFile: gnupg.info, Node: Unattended Usage of GPG, Prev: GPG Examples, Up: Invoking GPG\n", "subsections": [ { "name": "4.5 Unattended Usage", "content": "'gpg' is often used as a backend engine by other software. To help with\nthis a machine interface has been defined to have an unambiguous way to\ndo this. The options '--status-fd' and '--batch' are almost always\nrequired for this.\n\n* Menu:\n\n* Programmatic use of GnuPG:: Programmatic use of GnuPG\n* Ephemeral home directories:: Ephemeral home directories\n* The quick key manipulation interface:: The quick key manipulation interface\n* Unattended GPG key generation:: Unattended key generation\n\nFile: gnupg.info, Node: Programmatic use of GnuPG, Next: Ephemeral home directories, Up: Unattended Usage of GPG\n\n\nPlease consider using GPGME instead of calling 'gpg' directly. GPGME\noffers a stable, backend-independent interface for many cryptographic\noperations. It supports OpenPGP and S/MIME, and also allows interaction\nwith various GnuPG components.\n\nGPGME provides a C-API, and comes with bindings for C++, Qt, and\nPython. Bindings for other languages are available.\n\nFile: gnupg.info, Node: Ephemeral home directories, Next: The quick key manipulation interface, Prev: Programmatic use of GnuPG, Up: Unattended Usage of GPG\n\n\nSometimes you want to contain effects of some operation, for example you\nwant to import a key to inspect it, but you do not want this key to be\nadded to your keyring. In earlier versions of GnuPG, it was possible to\nspecify alternate keyring files for both public and secret keys. In\nmodern GnuPG versions, however, we changed how secret keys are stored in\norder to better protect secret key material, and it was not possible to\npreserve this interface.\n\nThe preferred way to do this is to use ephemeral home directories.\nThis technique works across all versions of GnuPG.\n\nCreate a temporary directory, create (or copy) a configuration that\nmeets your needs, make 'gpg' use this directory either using the\nenvironment variable GNUPGHOME, or the option '--homedir'. GPGME\nsupports this too on a per-context basis, by modifying the engine info\nof contexts. Now execute whatever operation you like, import and export\nkey material as necessary. Once finished, you can delete the directory.\nAll GnuPG backend services that were started will detect this and shut\ndown.\n\nFile: gnupg.info, Node: The quick key manipulation interface, Next: Unattended GPG key generation, Prev: Ephemeral home directories, Up: Unattended Usage of GPG\n\n\nRecent versions of GnuPG have an interface to manipulate keys without\nusing the interactive command '--edit-key'. This interface was added\nmainly for the benefit of GPGME (please consider using GPGME, see the\nmanual subsection \"Programmatic use of GnuPG\"). This interface is\ndescribed in the subsection \"How to manage your keys\".\n\nFile: gnupg.info, Node: Unattended GPG key generation, Prev: The quick key manipulation interface, Up: Unattended Usage of GPG\n\n\nThe command '--generate-key' may be used along with the option '--batch'\nfor unattended key generation. This is the most flexible way of\ngenerating keys, but it is also the most complex one. Consider using\nthe quick key manipulation interface described in the previous\nsubsection \"The quick key manipulation interface\".\n\nThe parameters for the key are either read from stdin or given as a\nfile on the command line. The format of the parameter file is as\nfollows:\n\n* Text only, line length is limited to about 1000 characters.\n* UTF-8 encoding must be used to specify non-ASCII characters.\n* Empty lines are ignored.\n* Leading and trailing white space is ignored.\n* A hash sign as the first non white space character indicates a\ncomment line.\n* Control statements are indicated by a leading percent sign, the\narguments are separated by white space from the keyword.\n* Parameters are specified by a keyword, followed by a colon.\nArguments are separated by white space.\n* The first parameter must be 'Key-Type'; control statements may be\nplaced anywhere.\n* The order of the parameters does not matter except for 'Key-Type'\nwhich must be the first parameter. The parameters are only used\nfor the generated keyblock (primary and subkeys); parameters from\nprevious sets are not used. Some syntactically checks may be\nperformed.\n* Key generation takes place when either the end of the parameter\nfile is reached, the next 'Key-Type' parameter is encountered or at\nthe control statement '%commit' is encountered.\n\nControl statements:\n\n%echo TEXT\nPrint TEXT as diagnostic.\n\n%dry-run\nSuppress actual key generation (useful for syntax checking).\n\n%commit\nPerform the key generation. Note that an implicit commit is done\nat the next Key-Type parameter.\n\n%pubring FILENAME\nDo not write the key to the default or commandline given keyring\nbut to FILENAME. This must be given before the first commit to\ntake place, duplicate specification of the same filename is\nignored, the last filename before a commit is used. The filename\nis used until a new filename is used (at commit points) and all\nkeys are written to that file. If a new filename is given, this\nfile is created (and overwrites an existing one).\n\nSee the previous subsection \"Ephemeral home directories\" for a more\nrobust way to contain side-effects.\n\n%secring FILENAME\nThis option is a no-op for GnuPG 2.1 and later.\n\nSee the previous subsection \"Ephemeral home directories\".\n\n%ask-passphrase\n%no-ask-passphrase\nThis option is a no-op for GnuPG 2.1 and later.\n\n%no-protection\nUsing this option allows the creation of keys without any\npassphrase protection. This option is mainly intended for\nregression tests.\n\n%transient-key\nIf given the keys are created using a faster and a somewhat less\nsecure random number generator. This option may be used for keys\nwhich are only used for a short time and do not require full\ncryptographic strength. It takes only effect if used together with\nthe control statement '%no-protection'.\n\nGeneral Parameters:\n\nKey-Type: ALGO\nStarts a new parameter block by giving the type of the primary key.\nThe algorithm must be capable of signing. This is a required\nparameter. ALGO may either be an OpenPGP algorithm number or a\nstring with the algorithm name. The special value 'default' may be\nused for ALGO to create the default key type; in this case a\n'Key-Usage' shall not be given and 'default' also be used for\n'Subkey-Type'.\n\nKey-Length: NBITS\nThe requested length of the generated key in bits. The default is\nreturned by running the command 'gpg --gpgconf-list'. For ECC keys\nthis parameter is ignored.\n\nKey-Curve: CURVE\nThe requested elliptic curve of the generated key. This is a\nrequired parameter for ECC keys. It is ignored for non-ECC keys.\n\nKey-Grip: HEXSTRING\nThis is optional and used to generate a CSR or certificate for an\nalready existing key. Key-Length will be ignored when given.\n\nKey-Usage: USAGE-LIST\nSpace or comma delimited list of key usages. Allowed values are\n'encrypt', 'sign', and 'auth'. This is used to generate the key\nflags. Please make sure that the algorithm is capable of this\nusage. Note that OpenPGP requires that all primary keys are\ncapable of certification, so no matter what usage is given here,\nthe 'cert' flag will be on. If no 'Key-Usage' is specified and the\n'Key-Type' is not 'default', all allowed usages for that particular\nalgorithm are used; if it is not given but 'default' is used the\nusage will be 'sign'.\n\nSubkey-Type: ALGO\nThis generates a secondary key (subkey). Currently only one subkey\ncan be handled. See also 'Key-Type' above.\n\nSubkey-Length: NBITS\nLength of the secondary key (subkey) in bits. The default is\nreturned by running the command 'gpg --gpgconf-list'.\n\nSubkey-Curve: CURVE\nKey curve for a subkey; similar to 'Key-Curve'.\n\nSubkey-Usage: USAGE-LIST\nKey usage lists for a subkey; similar to 'Key-Usage'.\n\nPassphrase: STRING\nIf you want to specify a passphrase for the secret key, enter it\nhere. Default is to use the Pinentry dialog to ask for a\npassphrase.\n\nName-Real: NAME\nName-Comment: COMMENT\nName-Email: EMAIL\nThe three parts of a user name. Remember to use UTF-8 encoding\nhere. If you don't give any of them, no user ID is created.\n\nExpire-Date: ISO-DATE|(NUMBER[d|w|m|y])\nSet the expiration date for the key (and the subkey). It may\neither be entered in ISO date format (e.g. \"20000815T145012\") or\nas number of days, weeks, month or years after the creation date.\nThe special notation \"seconds=N\" is also allowed to specify a\nnumber of seconds since creation. Without a letter days are\nassumed. Note that there is no check done on the overflow of the\ntype used by OpenPGP for timestamps. Thus you better make sure\nthat the given value make sense. Although OpenPGP works with time\nintervals, GnuPG uses an absolute value internally and thus the\nlast year we can represent is 2105.\n\nCreation-Date: ISO-DATE\nSet the creation date of the key as stored in the key information\nand which is also part of the fingerprint calculation. Either a\ndate like \"1986-04-26\" or a full timestamp like \"19860426T042640\"\nmay be used. The time is considered to be UTC. The special\nnotation \"seconds=N\" may be used to directly specify a the number\nof seconds since Epoch (Unix time). If it is not given the current\ntime is used.\n\nPreferences: STRING\nSet the cipher, hash, and compression preference values for this\nkey. This expects the same type of string as the sub-command\n'setpref' in the '--edit-key' menu.\n\nRevoker: ALGO:FPR [sensitive]\nAdd a designated revoker to the generated key. Algo is the public\nkey algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)\nFPR is the fingerprint of the designated revoker. The optional\n'sensitive' flag marks the designated revoker as sensitive\ninformation. Only v4 keys may be designated revokers.\n\nKeyserver: STRING\nThis is an optional parameter that specifies the preferred\nkeyserver URL for the key.\n\nHandle: STRING\nThis is an optional parameter only used with the status lines\nKEYCREATED and KEYNOTCREATED. STRING may be up to 100 characters\nand should not contain spaces. It is useful for batch key\ngeneration to associate a key parameter block with a status line.\n\nHere is an example on how to create a key in an ephemeral home\ndirectory:\n$ export GNUPGHOME=\"$(mktemp -d)\"\n$ cat >foo <\nssb elg1024 2016-12-16 [E]\n\nIf you want to create a key with the default algorithms you would use\nthese parameters:\n%echo Generating a default key\nKey-Type: default\nSubkey-Type: default\nName-Real: Joe Tester\nName-Comment: with stupid passphrase\nName-Email: joe@foo.bar\nExpire-Date: 0\nPassphrase: abc\n# Do a commit here, so that we can later print \"done\" :-)\n%commit\n%echo done\n\nFile: gnupg.info, Node: Invoking GPGSM, Next: Invoking SCDAEMON, Prev: Invoking GPG, Up: Top\n" } ] }, "5 Invoking GPGSM": { "content": "'gpgsm' is a tool similar to 'gpg' to provide digital encryption and\nsigning services on X.509 certificates and the CMS protocol. It is\nmainly used as a backend for S/MIME mail processing. 'gpgsm' includes a\nfull featured certificate management and complies with all rules defined\nfor the German Sphinx project.\n\n*Note Option Index::, for an index to 'GPGSM''s commands and options.\n\n* Menu:\n\n* GPGSM Commands:: List of all commands.\n* GPGSM Options:: List of all options.\n* GPGSM Configuration:: Configuration files.\n* GPGSM Examples:: Some usage examples.\n\nDeveloper information:\n* Unattended Usage:: Using 'gpgsm' from other programs.\n* GPGSM Protocol:: The protocol the server mode uses.\n\nFile: gnupg.info, Node: GPGSM Commands, Next: GPGSM Options, Up: Invoking GPGSM\n", "subsections": [ { "name": "5.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed.\n\n* Menu:\n\n* General GPGSM Commands:: Commands not specific to the functionality.\n* Operational GPGSM Commands:: Commands to select the type of operation.\n* Certificate Management:: How to manage certificates.\n\nFile: gnupg.info, Node: General GPGSM Commands, Next: Operational GPGSM Commands, Up: GPGSM Commands\n\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help, -h'\nPrint a usage message summarizing the most useful command-line\noptions. Note that you cannot abbreviate this command.\n\n'--warranty'\nPrint warranty information. Note that you cannot abbreviate this\ncommand.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\nFile: gnupg.info, Node: Operational GPGSM Commands, Next: Certificate Management, Prev: General GPGSM Commands, Up: GPGSM Commands\n\n\n'--encrypt'\nPerform an encryption. The keys the data is encrypted to must be\nset using the option '--recipient'.\n\n'--decrypt'\nPerform a decryption; the type of input is automatically\ndetermined. It may either be in binary form or PEM encoded;\nautomatic determination of base-64 encoding is not done.\n\n'--sign'\nCreate a digital signature. The key used is either the fist one\nfound in the keybox or those set with the '--local-user' option.\n\n'--verify'\nCheck a signature file for validity. Depending on the arguments a\ndetached signature may also be checked.\n\n'--server'\nRun in server mode and wait for commands on the 'stdin'.\n\n'--call-dirmngr COMMAND [ARGS]'\nBehave as a Dirmngr client issuing the request COMMAND with the\noptional list of ARGS. The output of the Dirmngr is printed\nstdout. Please note that file names given as arguments should have\nan absolute file name (i.e. commencing with '/') because they are\npassed verbatim to the Dirmngr and the working directory of the\nDirmngr might not be the same as the one of this client. Currently\nit is not possible to pass data via stdin to the Dirmngr. COMMAND\nshould not contain spaces.\n\nThis is command is required for certain maintaining tasks of the\ndirmngr where a dirmngr must be able to call back to 'gpgsm'. See\nthe Dirmngr manual for details.\n\n'--call-protect-tool ARGUMENTS'\nCertain maintenance operations are done by an external program call\n'gpg-protect-tool'; this is usually not installed in a directory\nlisted in the PATH variable. This command provides a simple\nwrapper to access this tool. ARGUMENTS are passed verbatim to this\ncommand; use '--help' to get a list of supported operations.\n\nFile: gnupg.info, Node: Certificate Management, Prev: Operational GPGSM Commands, Up: GPGSM Commands\n\n\n'--generate-key'\n'--gen-key'\nThis command allows the creation of a certificate signing request\nor a self-signed certificate. It is commonly used along with the\n'--output' option to save the created CSR or certificate into a\nfile. If used with the '--batch' a parameter file is used to\ncreate the CSR or certificate and it is further possible to create\nnon-self-signed certificates.\n\n'--list-keys'\n'-k'\nList all available certificates stored in the local key database.\nNote that the displayed data might be reformatted for better human\nreadability and illegal characters are replaced by safe\nsubstitutes.\n\n'--list-secret-keys'\n'-K'\nList all available certificates for which a corresponding a secret\nkey is available.\n\n'--list-external-keys PATTERN'\nList certificates matching PATTERN using an external server. This\nutilizes the 'dirmngr' service.\n\n'--list-chain'\nSame as '--list-keys' but also prints all keys making up the chain.\n\n'--dump-cert'\n'--dump-keys'\nList all available certificates stored in the local key database\nusing a format useful mainly for debugging.\n\n'--dump-chain'\nSame as '--dump-keys' but also prints all keys making up the chain.\n\n'--dump-secret-keys'\nList all available certificates for which a corresponding a secret\nkey is available using a format useful mainly for debugging.\n\n'--dump-external-keys PATTERN'\nList certificates matching PATTERN using an external server. This\nutilizes the 'dirmngr' service. It uses a format useful mainly for\ndebugging.\n\n'--keydb-clear-some-cert-flags'\nThis is a debugging aid to reset certain flags in the key database\nwhich are used to cache certain certificate stati. It is\nespecially useful if a bad CRL or a weird running OCSP responder\ndid accidentally revoke certificate. There is no security issue\nwith this command because 'gpgsm' always make sure that the\nvalidity of a certificate is checked right before it is used.\n\n'--delete-keys PATTERN'\nDelete the keys matching PATTERN. Note that there is no command to\ndelete the secret part of the key directly. In case you need to do\nthis, you should run the command 'gpgsm --dump-secret-keys KEYID'\nbefore you delete the key, copy the string of hex-digits in the\n\"keygrip\" line and delete the file consisting of these hex-digits\nand the suffix '.key' from the 'private-keys-v1.d' directory below\nour GnuPG home directory (usually '~/.gnupg').\n\n'--export [PATTERN]'\nExport all certificates stored in the Keybox or those specified by\nthe optional PATTERN. Those pattern consist of a list of user ids\n(*note how-to-specify-a-user-id::). When used along with the\n'--armor' option a few informational lines are prepended before\neach block. There is one limitation: As there is no commonly\nagreed upon way to pack more than one certificate into an ASN.1\nstructure, the binary export (i.e. without using 'armor') works\nonly for the export of one certificate. Thus it is required to\nspecify a PATTERN which yields exactly one certificate. Ephemeral\ncertificate are only exported if all PATTERN are given as\nfingerprints or keygrips.\n\n'--export-secret-key-p12 KEY-ID'\nExport the private key and the certificate identified by KEY-ID\nusing the PKCS#12 format. When used with the '--armor' option a\nfew informational lines are prepended to the output. Note, that\nthe PKCS#12 format is not very secure and proper transport security\nshould be used to convey the exported key. (*Note option\n--p12-charset::.)\n\n'--export-secret-key-p8 KEY-ID'\n'--export-secret-key-raw KEY-ID'\nExport the private key of the certificate identified by KEY-ID with\nany encryption stripped. The '...-raw' command exports in PKCS#1\nformat; the '...-p8' command exports in PKCS#8 format. When used\nwith the '--armor' option a few informational lines are prepended\nto the output. These commands are useful to prepare a key for use\non a TLS server.\n\n'--import [FILES]'\nImport the certificates from the PEM or binary encoded files as\nwell as from signed-only messages. This command may also be used\nto import a secret key from a PKCS#12 file.\n\n'--learn-card'\nRead information about the private keys from the smartcard and\nimport the certificates from there. This command utilizes the\n'gpg-agent' and in turn the 'scdaemon'.\n\n'--change-passphrase USERID'\n'--passwd USERID'\nChange the passphrase of the private key belonging to the\ncertificate specified as USERID. Note, that changing the\npassphrase/PIN of a smartcard is not yet supported.\n\nFile: gnupg.info, Node: GPGSM Options, Next: GPGSM Configuration, Prev: GPGSM Commands, Up: Invoking GPGSM\n" }, { "name": "5.2 Option Summary", "content": "'GPGSM' features a bunch of options to control the exact behaviour and\nto change the default configuration.\n\n* Menu:\n\n* Configuration Options:: How to change the configuration.\n* Certificate Options:: Certificate related options.\n* Input and Output:: Input and Output.\n* CMS Options:: How to change how the CMS is created.\n* Esoteric Options:: Doing things one usually do not want to do.\n\nFile: gnupg.info, Node: Configuration Options, Next: Certificate Options, Up: GPGSM Options\n\n\nThese options are used to change the configuration and are usually found\nin the option file.\n\n'--options FILE'\nReads configuration from FILE instead of from the default per-user\nconfiguration file. The default configuration file is named\n'gpgsm.conf' and expected in the '.gnupg' directory directly below\nthe home directory of the user.\n\n'--homedir DIR'\nSet the name of the home directory to DIR. If this option is not\nused, the home directory defaults to '~/.gnupg'. It is only\nrecognized when given on the command line. It also overrides any\nhome directory stated through the environment variable 'GNUPGHOME'\nor (on Windows systems) by means of the Registry entry\nHKCU\\SOFTWARE\\GNU\\GNUPG:HOMEDIR.\n\nOn Windows systems it is possible to install GnuPG as a portable\napplication. In this case only this command line option is\nconsidered, all other ways to set a home directory are ignored.\n\nTo install GnuPG as a portable application under Windows, create an\nempty file named 'gpgconf.ctl' in the same directory as the tool\n'gpgconf.exe'. The root of the installation is then that\ndirectory; or, if 'gpgconf.exe' has been installed directly below a\ndirectory named 'bin', its parent directory. You also need to make\nsure that the following directories exist and are writable:\n'ROOT/home' for the GnuPG home and 'ROOT/var/cache/gnupg' for\ninternal cache files.\n\n'-v'\n'--verbose'\nOutputs additional information while running. You can increase the\nverbosity by giving several verbose commands to 'gpgsm', such as\n'-vv'.\n\n'--policy-file FILENAME'\nChange the default name of the policy file to FILENAME.\n\n'--agent-program FILE'\nSpecify an agent program to be used for secret key operations. The\ndefault value is determined by running the command 'gpgconf'. Note\nthat the pipe symbol ('|') is used for a regression test suite hack\nand may thus not be used in the file name.\n\n'--dirmngr-program FILE'\nSpecify a dirmngr program to be used for CRL checks. The default\nvalue is '/usr/bin/dirmngr'.\n\n'--prefer-system-dirmngr'\nThis option is obsolete and ignored.\n\n'--disable-dirmngr'\nEntirely disable the use of the Dirmngr.\n\n'--no-autostart'\nDo not start the gpg-agent or the dirmngr if it has not yet been\nstarted and its service is required. This option is mostly useful\non machines where the connection to gpg-agent has been redirected\nto another machines. If dirmngr is required on the remote machine,\nit may be started manually using 'gpgconf --launch dirmngr'.\n\n'--no-secmem-warning'\nDo not print a warning when the so called \"secure memory\" cannot be\nused.\n\n'--log-file FILE'\nWhen running in server mode, append all logging output to FILE.\nUse 'socket://' to log to socket.\n\nFile: gnupg.info, Node: Certificate Options, Next: Input and Output, Prev: Configuration Options, Up: GPGSM Options\n\n\n'--enable-policy-checks'\n'--disable-policy-checks'\nBy default policy checks are enabled. These options may be used to\nchange it.\n\n'--enable-crl-checks'\n'--disable-crl-checks'\nBy default the CRL checks are enabled and the DirMngr is used to\ncheck for revoked certificates. The disable option is most useful\nwith an off-line network connection to suppress this check and also\nto avoid that new certificates introduce a web bug by including a\ncertificate specific CRL DP. The disable option also disables an\nissuer certificate lookup via the authorityInfoAccess property of\nthe certificate; the '--enable-issuer-key-retrieve' can be used to\nmake use of that property anyway.\n\n'--enable-trusted-cert-crl-check'\n'--disable-trusted-cert-crl-check'\nBy default the CRL for trusted root certificates are checked like\nfor any other certificates. This allows a CA to revoke its own\ncertificates voluntary without the need of putting all ever issued\ncertificates into a CRL. The disable option may be used to switch\nthis extra check off. Due to the caching done by the Dirmngr,\nthere will not be any noticeable performance gain. Note, that this\nalso disables possible OCSP checks for trusted root certificates.\nA more specific way of disabling this check is by adding the\n\"relax\" keyword to the root CA line of the 'trustlist.txt'\n\n'--force-crl-refresh'\nTell the dirmngr to reload the CRL for each request. For better\nperformance, the dirmngr will actually optimize this by suppressing\nthe loading for short time intervals (e.g. 30 minutes). This\noption is useful to make sure that a fresh CRL is available for\ncertificates hold in the keybox. The suggested way of doing this\nis by using it along with the option '--with-validation' for a key\nlisting command. This option should not be used in a configuration\nfile.\n\n'--enable-issuer-based-crl-check'\nRun a CRL check even for certificates which do not have any CRL\ndistribution point. This requires that a suitable LDAP server has\nbeen configured in Dirmngr and that the CRL can be found using the\nissuer. This option reverts to what GnuPG did up to version\n2.2.20. This option is in general not useful.\n\n'--enable-ocsp'\n'--disable-ocsp'\nBy default OCSP checks are disabled. The enable option may be used\nto enable OCSP checks via Dirmngr. If CRL checks are also enabled,\nCRLs will be used as a fallback if for some reason an OCSP request\nwill not succeed. Note, that you have to allow OCSP requests in\nDirmngr's configuration too (option '--allow-ocsp') and configure\nDirmngr properly. If you do not do so you will get the error code\n'Not supported'.\n\n'--auto-issuer-key-retrieve'\nIf a required certificate is missing while validating the chain of\ncertificates, try to load that certificate from an external\nlocation. This usually means that Dirmngr is employed to search\nfor the certificate. Note that this option makes a \"web bug\" like\nbehavior possible. LDAP server operators can see which keys you\nrequest, so by sending you a message signed by a brand new key\n(which you naturally will not have on your local keybox), the\noperator can tell both your IP address and the time when you\nverified the signature.\n\n'--validation-model NAME'\nThis option changes the default validation model. The only\npossible values are \"shell\" (which is the default), \"chain\" which\nforces the use of the chain model and \"steed\" for a new simplified\nmodel. The chain model is also used if an option in the\n'trustlist.txt' or an attribute of the certificate requests it.\nHowever the standard model (shell) is in that case always tried\nfirst.\n\n'--ignore-cert-extension OID'\nAdd OID to the list of ignored certificate extensions. The OID is\nexpected to be in dotted decimal form, like '2.5.29.3'. This\noption may be used more than once. Critical flagged certificate\nextensions matching one of the OIDs in the list are treated as if\nthey are actually handled and thus the certificate will not be\nrejected due to an unknown critical extension. Use this option\nwith care because extensions are usually flagged as critical for a\nreason.\n\nFile: gnupg.info, Node: Input and Output, Next: CMS Options, Prev: Certificate Options, Up: GPGSM Options\n\n\n'--armor'\n'-a'\nCreate PEM encoded output. Default is binary output.\n\n'--base64'\nCreate Base-64 encoded output; i.e. PEM without the header lines.\n\n'--assume-armor'\nAssume the input data is PEM encoded. Default is to autodetect the\nencoding but this is may fail.\n\n'--assume-base64'\nAssume the input data is plain base-64 encoded.\n\n'--assume-binary'\nAssume the input data is binary encoded.\n\n'--p12-charset NAME'\n'gpgsm' uses the UTF-8 encoding when encoding passphrases for\nPKCS#12 files. This option may be used to force the passphrase to\nbe encoded in the specified encoding NAME. This is useful if the\napplication used to import the key uses a different encoding and\nthus will not be able to import a file generated by 'gpgsm'.\nCommonly used values for NAME are 'Latin1' and 'CP850'. Note that\n'gpgsm' itself automagically imports any file with a passphrase\nencoded to the most commonly used encodings.\n\n'--default-key USERID'\nUse USERID as the standard key for signing. This key is used if\nno other key has been defined as a signing key. Note, that the\nfirst '--local-users' option also sets this key if it has not yet\nbeen set; however '--default-key' always overrides this.\n\n'--local-user USERID'\n'-u USERID'\nSet the user(s) to be used for signing. The default is the first\nsecret key found in the database.\n\n'--recipient NAME'\n'-r'\nEncrypt to the user id NAME. There are several ways a user id may\nbe given (*note how-to-specify-a-user-id::).\n\n'--output FILE'\n'-o FILE'\nWrite output to FILE. The default is to write it to stdout.\n\n'--with-key-data'\nDisplays extra information with the '--list-keys' commands.\nEspecially a line tagged 'grp' is printed which tells you the\nkeygrip of a key. This string is for example used as the file name\nof the secret key. Implies '--with-colons'.\n\n'--with-validation'\nWhen doing a key listing, do a full validation check for each key\nand print the result. This is usually a slow operation because it\nrequires a CRL lookup and other operations.\n\nWhen used along with '--import', a validation of the certificate to\nimport is done and only imported if it succeeds the test. Note\nthat this does not affect an already available certificate in the\nDB. This option is therefore useful to simply verify a certificate.\n\n'--with-md5-fingerprint'\nFor standard key listings, also print the MD5 fingerprint of the\ncertificate.\n\n'--with-keygrip'\nInclude the keygrip in standard key listings. Note that the\nkeygrip is always listed in '--with-colons' mode.\n\n'--with-secret'\nInclude info about the presence of a secret key in public key\nlistings done with '--with-colons'.\n\nFile: gnupg.info, Node: CMS Options, Next: Esoteric Options, Prev: Input and Output, Up: GPGSM Options\n\n\n'--include-certs N'\nUsing N of -2 includes all certificate except for the root cert, -1\nincludes all certs, 0 does not include any certs, 1 includes only\nthe signers cert and all other positive values include up to N\ncertificates starting with the signer cert. The default is -2.\n\n'--cipher-algo OID'\nUse the cipher algorithm with the ASN.1 object identifier OID for\nencryption. For convenience the strings '3DES', 'AES' and 'AES256'\nmay be used instead of their OIDs. The default is 'AES'\n(2.16.840.1.101.3.4.1.2).\n\n'--digest-algo name'\nUse 'name' as the message digest algorithm. Usually this algorithm\nis deduced from the respective signing certificate. This option\nforces the use of the given algorithm and may lead to severe\ninteroperability problems.\n\nFile: gnupg.info, Node: Esoteric Options, Prev: CMS Options, Up: GPGSM Options\n\n\n'--extra-digest-algo NAME'\nSometimes signatures are broken in that they announce a different\ndigest algorithm than actually used. 'gpgsm' uses a one-pass data\nprocessing model and thus needs to rely on the announced digest\nalgorithms to properly hash the data. As a workaround this option\nmay be used to tell 'gpgsm' to also hash the data using the\nalgorithm NAME; this slows processing down a little bit but allows\nverification of such broken signatures. If 'gpgsm' prints an error\nlike \"digest algo 8 has not been enabled\" you may want to try this\noption, with 'SHA256' for NAME.\n\n'--faked-system-time EPOCH'\nThis option is only useful for testing; it sets the system time\nback or forth to EPOCH which is the number of seconds elapsed since\nthe year 1970. Alternatively EPOCH may be given as a full ISO time\nstring (e.g. \"20070924T154812\").\n\n'--with-ephemeral-keys'\nInclude ephemeral flagged keys in the output of key listings. Note\nthat they are included anyway if the key specification for a\nlisting is given as fingerprint or keygrip.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or by a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\n'--debug FLAGS'\nThis option is only useful for debugging and the behaviour may\nchange at any time without notice; using '--debug-levels' is the\npreferred method to select the debug verbosity. FLAGS are bit\nencoded and may be given in usual C-Syntax. The currently defined\nbits are:\n\n'0 (1)'\nX.509 or OpenPGP protocol related data\n'1 (2)'\nvalues of big number integers\n'2 (4)'\nlow level crypto operations\n'5 (32)'\nmemory allocation\n'6 (64)'\ncaching\n'7 (128)'\nshow memory statistics\n'9 (512)'\nwrite hashed data to files named 'dbgmd-000*'\n'10 (1024)'\ntrace Assuan protocol\n\nNote, that all flags set using this option may get overridden by\n'--debug-level'.\n\n'--debug-all'\nSame as '--debug=0xffffffff'\n\n'--debug-allow-core-dump'\nUsually 'gpgsm' tries to avoid dumping core by well written code\nand by disabling core dumps for security reasons. However, bugs\nare pretty durable beasts and to squash them it is sometimes useful\nto have a core dump. This option enables core dumps unless the Bad\nThing happened before the option parsing.\n\n'--debug-no-chain-validation'\nThis is actually not a debugging option but only useful as such.\nIt lets 'gpgsm' bypass all certificate chain validation checks.\n\n'--debug-ignore-expiration'\nThis is actually not a debugging option but only useful as such.\nIt lets 'gpgsm' ignore all notAfter dates, this is used by the\nregression tests.\n\n'--passphrase-fd n'\nRead the passphrase from file descriptor 'n'. Only the first line\nwill be read from file descriptor 'n'. If you use 0 for 'n', the\npassphrase will be read from STDIN. This can only be used if only\none passphrase is supplied.\n\nNote that this passphrase is only used if the option '--batch' has\nalso been given.\n\n'--pinentry-mode mode'\nSet the pinentry mode to 'mode'. Allowed values for 'mode' are:\ndefault\nUse the default of the agent, which is 'ask'.\nask\nForce the use of the Pinentry.\ncancel\nEmulate use of Pinentry's cancel button.\nerror\nReturn a Pinentry error (\"No Pinentry\").\nloopback\nRedirect Pinentry queries to the caller. Note that in\ncontrast to Pinentry the user is not prompted again if he\nenters a bad password.\n\n'--request-origin ORIGIN'\nTell gpgsm to assume that the operation ultimately originated at\nORIGIN. Depending on the origin certain restrictions are applied\nand the Pinentry may include an extra note on the origin.\nSupported values for ORIGIN are: 'local' which is the default,\n'remote' to indicate a remote origin or 'browser' for an operation\nrequested by a web browser.\n\n'--no-common-certs-import'\nSuppress the import of common certificates on keybox creation.\n\nAll the long options may also be given in the configuration file\nafter stripping off the two leading dashes.\n\nFile: gnupg.info, Node: GPGSM Configuration, Next: GPGSM Examples, Prev: GPGSM Options, Up: Invoking GPGSM\n" }, { "name": "5.3 Configuration files", "content": "There are a few configuration files to control certain aspects of\n'gpgsm''s operation. Unless noted, they are expected in the current\nhome directory (*note option --homedir::).\n\n'gpgsm.conf'\nThis is the standard configuration file read by 'gpgsm' on startup.\nIt may contain any valid long option; the leading two dashes may\nnot be entered and the option may not be abbreviated. This default\nname may be changed on the command line (*note gpgsm-option\n--options::). You should backup this file.\n\n'policies.txt'\nThis is a list of allowed CA policies. This file should list the\nobject identifiers of the policies line by line. Empty lines and\nlines starting with a hash mark are ignored. Policies missing in\nthis file and not marked as critical in the certificate will print\nonly a warning; certificates with policies marked as critical and\nnot listed in this file will fail the signature verification. You\nshould backup this file.\n\nFor example, to allow only the policy 2.289.9.9, the file should\nlook like this:\n\n# Allowed policies\n2.289.9.9\n\n'qualified.txt'\nThis is the list of root certificates used for qualified\ncertificates. They are defined as certificates capable of creating\nlegally binding signatures in the same way as handwritten\nsignatures are. Comments start with a hash mark and empty lines\nare ignored. Lines do have a length limit but this is not a\nserious limitation as the format of the entries is fixed and\nchecked by 'gpgsm': A non-comment line starts with optional\nwhitespace, followed by exactly 40 hex characters, white space and\na lowercased 2 letter country code. Additional data delimited with\nby a white space is current ignored but might late be used for\nother purposes.\n\nNote that even if a certificate is listed in this file, this does\nnot mean that the certificate is trusted; in general the\ncertificates listed in this file need to be listed also in\n'trustlist.txt'.\n\nThis is a global file an installed in the data directory (e.g.\n'/usr/share/gnupg/qualified.txt'). GnuPG installs a suitable file\nwith root certificates as used in Germany. As new Root-CA\ncertificates may be issued over time, these entries may need to be\nupdated; new distributions of this software should come with an\nupdated list but it is still the responsibility of the\nAdministrator to check that this list is correct.\n\nEvery time 'gpgsm' uses a certificate for signing or verification\nthis file will be consulted to check whether the certificate under\nquestion has ultimately been issued by one of these CAs. If this\nis the case the user will be informed that the verified signature\nrepresents a legally binding (\"qualified\") signature. When\ncreating a signature using such a certificate an extra prompt will\nbe issued to let the user confirm that such a legally binding\nsignature shall really be created.\n\nBecause this software has not yet been approved for use with such\ncertificates, appropriate notices will be shown to indicate this\nfact.\n\n'help.txt'\nThis is plain text file with a few help entries used with\n'pinentry' as well as a large list of help items for 'gpg' and\n'gpgsm'. The standard file has English help texts; to install\nlocalized versions use filenames like 'help.LL.txt' with LL\ndenoting the locale. GnuPG comes with a set of predefined help\nfiles in the data directory (e.g.\n'/usr/share/gnupg/gnupg/help.de.txt') and allows overriding of any\nhelp item by help files stored in the system configuration\ndirectory (e.g. '/etc/gnupg/help.de.txt'). For a reference of the\nhelp file's syntax, please see the installed 'help.txt' file.\n\n'com-certs.pem'\nThis file is a collection of common certificates used to populated\na newly created 'pubring.kbx'. An administrator may replace this\nfile with a custom one. The format is a concatenation of PEM\nencoded X.509 certificates. This global file is installed in the\ndata directory (e.g. '/usr/share/gnupg/com-certs.pem').\n\nNote that on larger installations, it is useful to put predefined\nfiles into the directory '/etc/skel/.gnupg/' so that newly created users\nstart up with a working configuration. For existing users a small\nhelper script is provided to create these files (*note addgnupghome::).\n\nFor internal purposes 'gpgsm' creates and maintains a few other\nfiles; they all live in the current home directory (*note option\n--homedir::). Only 'gpgsm' may modify these files.\n\n'pubring.kbx'\nThis a database file storing the certificates as well as meta\ninformation. For debugging purposes the tool 'kbxutil' may be used\nto show the internal structure of this file. You should backup\nthis file.\n\n'randomseed'\nThis content of this file is used to maintain the internal state of\nthe random number generator across invocations. The same file is\nused by other programs of this software too.\n\n'S.gpg-agent'\nIf this file exists 'gpgsm' will first try to connect to this\nsocket for accessing 'gpg-agent' before starting a new 'gpg-agent'\ninstance. Under Windows this socket (which in reality be a plain\nfile describing a regular TCP listening port) is the standard way\nof connecting the 'gpg-agent'.\n\nFile: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM\n" }, { "name": "5.4 Examples", "content": "$ gpgsm -er goo@bar.net ciphertext\n\nFile: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM\n" }, { "name": "5.5 Unattended Usage", "content": "'gpgsm' is often used as a backend engine by other software. To help\nwith this a machine interface has been defined to have an unambiguous\nway to do this. This is most likely used with the '--server' command\nbut may also be used in the standard operation mode by using the\n'--status-fd' option.\n\n* Menu:\n\n* Automated signature checking:: Automated signature checking.\n* CSR and certificate creation:: CSR and certificate creation.\n\nFile: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage\n\n\nIt is very important to understand the semantics used with signature\nverification. Checking a signature is not as simple as it may sound and\nso the operation is a bit complicated. In most cases it is required to\nlook at several status lines. Here is a table of all cases a signed\nmessage may have:\n\nThe signature is valid\nThis does mean that the signature has been successfully verified,\nthe certificates are all sane. However there are two subcases with\nimportant information: One of the certificates may have expired or\na signature of a message itself as expired. It is a sound practise\nto consider such a signature still as valid but additional\ninformation should be displayed. Depending on the subcase 'gpgsm'\nwill issue these status codes:\nsignature valid and nothing did expire\n'GOODSIG', 'VALIDSIG', 'TRUSTFULLY'\nsignature valid but at least one certificate has expired\n'EXPKEYSIG', 'VALIDSIG', 'TRUSTFULLY'\nsignature valid but expired\n'EXPSIG', 'VALIDSIG', 'TRUSTFULLY' Note, that this case is\ncurrently not implemented.\n\nThe signature is invalid\nThis means that the signature verification failed (this is an\nindication of a transfer error, a program error or tampering with\nthe message). 'gpgsm' issues one of these status codes sequences:\n'BADSIG'\n'GOODSIG, VALIDSIG TRUSTNEVER'\n\nError verifying a signature\nFor some reason the signature could not be verified, i.e. it\ncannot be decided whether the signature is valid or invalid. A\ncommon reason for this is a missing certificate.\n\nFile: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage\n\n\nThe command '--generate-key' may be used along with the option '--batch'\nto either create a certificate signing request (CSR) or an X.509\ncertificate. This is controlled by a parameter file; the format of this\nfile is as follows:\n\n* Text only, line length is limited to about 1000 characters.\n* UTF-8 encoding must be used to specify non-ASCII characters.\n* Empty lines are ignored.\n* Leading and trailing while space is ignored.\n* A hash sign as the first non white space character indicates a\ncomment line.\n* Control statements are indicated by a leading percent sign, the\narguments are separated by white space from the keyword.\n* Parameters are specified by a keyword, followed by a colon.\nArguments are separated by white space.\n* The first parameter must be 'Key-Type', control statements may be\nplaced anywhere.\n* The order of the parameters does not matter except for 'Key-Type'\nwhich must be the first parameter. The parameters are only used\nfor the generated CSR/certificate; parameters from previous sets\nare not used. Some syntactically checks may be performed.\n* Key generation takes place when either the end of the parameter\nfile is reached, the next 'Key-Type' parameter is encountered or at\nthe control statement '%commit' is encountered.\n\nControl statements:\n\n%echo TEXT\nPrint TEXT as diagnostic.\n\n%dry-run\nSuppress actual key generation (useful for syntax checking).\n\n%commit\nPerform the key generation. Note that an implicit commit is done\nat the next Key-Type parameter.\n\nGeneral Parameters:\n\nKey-Type: ALGO\nStarts a new parameter block by giving the type of the primary key.\nThe algorithm must be capable of signing. This is a required\nparameter. The only supported value for ALGO is 'rsa'.\n\nKey-Length: NBITS\nThe requested length of a generated key in bits. Defaults to 3072.\n\nKey-Grip: HEXSTRING\nThis is optional and used to generate a CSR or certificate for an\nalready existing key. Key-Length will be ignored when given.\n\nKey-Usage: USAGE-LIST\nSpace or comma delimited list of key usage, allowed values are\n'encrypt', 'sign' and 'cert'. This is used to generate the\nkeyUsage extension. Please make sure that the algorithm is capable\nof this usage. Default is to allow encrypt and sign.\n\nName-DN: SUBJECT-NAME\nThis is the Distinguished Name (DN) of the subject in RFC-2253\nformat.\n\nName-Email: STRING\nThis is an email address for the altSubjectName. This parameter is\noptional but may occur several times to add several email addresses\nto a certificate.\n\nName-DNS: STRING\nThe is an DNS name for the altSubjectName. This parameter is\noptional but may occur several times to add several DNS names to a\ncertificate.\n\nName-URI: STRING\nThis is an URI for the altSubjectName. This parameter is optional\nbut may occur several times to add several URIs to a certificate.\n\nAdditional parameters used to create a certificate (in contrast to a\ncertificate signing request):\n\nSerial: SN\nIf this parameter is given an X.509 certificate will be generated.\nSN is expected to be a hex string representing an unsigned integer\nof arbitrary length. The special value 'random' can be used to\ncreate a 64 bit random serial number.\n\nIssuer-DN: ISSUER-NAME\nThis is the DN name of the issuer in RFC-2253 format. If it is not\nset it will default to the subject DN and a special GnuPG extension\nwill be included in the certificate to mark it as a standalone\ncertificate.\n\nCreation-Date: ISO-DATE\nNot-Before: ISO-DATE\nSet the notBefore date of the certificate. Either a date like\n'1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like\n'19860426T042640' may be used. The time is considered to be UTC.\nIf it is not given the current date is used.\n\nExpire-Date: ISO-DATE\nNot-After: ISO-DATE\nSet the notAfter date of the certificate. Either a date like\n'2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like\n'20630405T170000' may be used. The time is considered to be UTC.\nIf it is not given a default value in the not too far future is\nused.\n\nSigning-Key: KEYGRIP\nThis gives the keygrip of the key used to sign the certificate. If\nit is not given a self-signed certificate will be created. For\ncompatibility with future versions, it is suggested to prefix the\nkeygrip with a '&'.\n\nHash-Algo: HASH-ALGO\nUse HASH-ALGO for this CSR or certificate. The supported hash\nalgorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may\nalso be specified with uppercase letters. The default is 'sha256'.\n\nFile: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM\n" }, { "name": "5.6 The Protocol the Server Mode Uses", "content": "Description of the protocol used to access 'GPGSM'. 'GPGSM' does\nimplement the Assuan protocol and in addition provides a regular command\nline interface which exhibits a full client to this protocol (but uses\ninternal linking). To start 'gpgsm' as a server the command line the\noption '--server' must be used. Additional options are provided to\nselect the communication method (i.e. the name of the socket).\n\nWe assume that the connection has already been established; see the\nAssuan manual for details.\n\n* Menu:\n\n* GPGSM ENCRYPT:: Encrypting a message.\n* GPGSM DECRYPT:: Decrypting a message.\n* GPGSM SIGN:: Signing a message.\n* GPGSM VERIFY:: Verifying a message.\n* GPGSM GENKEY:: Generating a key.\n* GPGSM LISTKEYS:: List available keys.\n* GPGSM EXPORT:: Export certificates.\n* GPGSM IMPORT:: Import certificates.\n* GPGSM DELETE:: Delete certificates.\n* GPGSM GETAUDITLOG:: Retrieve an audit log.\n* GPGSM GETINFO:: Information about the process\n* GPGSM OPTION:: Session options.\n\nFile: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol\n\n\nBefore encryption can be done the recipient must be set using the\ncommand:\n\nRECIPIENT USERID\n\nSet the recipient for the encryption. USERID should be the internal\nrepresentation of the key; the server may accept any other way of\nspecification. If this is a valid and trusted recipient the server does\nrespond with OK, otherwise the return is an ERR with the reason why the\nrecipient cannot be used, the encryption will then not be done for this\nrecipient. If the policy is not to encrypt at all if not all recipients\nare valid, the client has to take care of this. All 'RECIPIENT'\ncommands are cumulative until a 'RESET' or an successful 'ENCRYPT'\ncommand.\n\nINPUT FD[=N] [--armor|--base64|--binary]\n\nSet the file descriptor for the message to be encrypted to N.\nObviously the pipe must be open at that point, the server establishes\nits own end. If the server returns an error the client should consider\nthis session failed. If N is not given, this commands uses the last\nfile descriptor passed to the application. *Note the assuansendfd\nfunction: (assuan)fun-assuansendfd, on how to do descriptor passing.\n\nThe '--armor' option may be used to advise the server that the input\ndata is in PEM format, '--base64' advises that a raw base-64 encoding is\nused, '--binary' advises of raw binary input (BER). If none of these\noptions is used, the server tries to figure out the used encoding, but\nthis may not always be correct.\n\nOUTPUT FD[=N] [--armor|--base64]\n\nSet the file descriptor to be used for the output (i.e. the\nencrypted message). Obviously the pipe must be open at that point, the\nserver establishes its own end. If the server returns an error the\nclient should consider this session failed.\n\nThe option '--armor' encodes the output in PEM format, the '--base64'\noption applies just a base-64 encoding. No option creates binary output\n(BER).\n\nThe actual encryption is done using the command\n\nENCRYPT\n\nIt takes the plaintext from the 'INPUT' command, writes to the\nciphertext to the file descriptor set with the 'OUTPUT' command, take\nthe recipients from all the recipients set so far. If this command\nfails the clients should try to delete all output currently done or\notherwise mark it as invalid. 'GPGSM' does ensure that there will not\nbe any security problem with leftover data on the output in this case.\n\nThis command should in general not fail, as all necessary checks have\nbeen done while setting the recipients. The input and output pipes are\nclosed.\n\nFile: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol\n\n\nInput and output FDs are set the same way as in encryption, but 'INPUT'\nrefers to the ciphertext and 'OUTPUT' to the plaintext. There is no\nneed to set recipients. 'GPGSM' automatically strips any S/MIME headers\nfrom the input, so it is valid to pass an entire MIME part to the INPUT\npipe.\n\nThe decryption is done by using the command\n\nDECRYPT\n\nIt performs the decrypt operation after doing some check on the\ninternal state (e.g. that all needed data has been set). Because it\nutilizes the GPG-Agent for the session key decryption, there is no need\nto ask the client for a protecting passphrase - GpgAgent takes care of\nthis by requesting this from the user.\n\nFile: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol\n\n\nSigning is usually done with these commands:\n\nINPUT FD[=N] [--armor|--base64|--binary]\n\nThis tells 'GPGSM' to read the data to sign from file descriptor N.\n\nOUTPUT FD[=M] [--armor|--base64]\n\nWrite the output to file descriptor M. If a detached signature is\nrequested, only the signature is written.\n\nSIGN [--detached]\n\nSign the data set with the 'INPUT' command and write it to the sink\nset by 'OUTPUT'. With '--detached', a detached signature is created\n(surprise).\n\nThe key used for signing is the default one or the one specified in\nthe configuration file. To get finer control over the keys, it is\npossible to use the command\n\nSIGNER USERID\n\nto set the signer's key. USERID should be the internal\nrepresentation of the key; the server may accept any other way of\nspecification. If this is a valid and trusted recipient the server does\nrespond with OK, otherwise the return is an ERR with the reason why the\nkey cannot be used, the signature will then not be created using this\nkey. If the policy is not to sign at all if not all keys are valid, the\nclient has to take care of this. All 'SIGNER' commands are cumulative\nuntil a 'RESET' is done. Note that a 'SIGN' does not reset this list of\nsigners which is in contrast to the 'RECIPIENT' command.\n\nFile: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol\n\n\nTo verify a message the command:\n\nVERIFY\n\nis used. It does a verify operation on the message send to the input\nFD. The result is written out using status lines. If an output FD was\ngiven, the signed text will be written to that. If the signature is a\ndetached one, the server will inquire about the signed material and the\nclient must provide it.\n\nFile: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol\n\n\nThis is used to generate a new keypair, store the secret part in the PSE\nand the public key in the key database. We will probably add optional\ncommands to allow the client to select whether a hardware token is used\nto store the key. Configuration options to 'GPGSM' can be used to\nrestrict the use of this command.\n\nGENKEY\n\n'GPGSM' checks whether this command is allowed and then does an\nINQUIRY to get the key parameters, the client should then send the key\nparameters in the native format:\n\nS: INQUIRE KEYPARAM native\nC: D foo:fgfgfg\nC: D bar\nC: END\n\nPlease note that the server may send Status info lines while reading\nthe data lines from the client. After this the key generation takes\nplace and the server eventually does send an ERR or OK response. Status\nlines may be issued as a progress indicator.\n\nFile: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol\n\n\nTo list the keys in the internal database or using an external key\nprovider, the command:\n\nLISTKEYS PATTERN\n\nis used. To allow multiple patterns (which are ORed during the\nsearch) quoting is required: Spaces are to be translated into \"+\" or\ninto \"%20\"; in turn this requires that the usual escape quoting rules\nare done.\n\nLISTSECRETKEYS PATTERN\n\nLists only the keys where a secret key is available.\n\nThe list commands are affected by the option\n\nOPTION list-mode=MODE\n\nwhere mode may be:\n'0'\nUse default (which is usually the same as 1).\n'1'\nList only the internal keys.\n'2'\nList only the external keys.\n'3'\nList internal and external keys.\n\nNote that options are valid for the entire session.\n\nFile: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol\n\n\nTo export certificate from the internal key database the command:\n\nEXPORT [--data [--armor] [--base64]] [--] PATTERN\n\nis used. To allow multiple patterns (which are ORed) quoting is\nrequired: Spaces are to be translated into \"+\" or into \"%20\"; in turn\nthis requires that the usual escape quoting rules are done.\n\nIf the '--data' option has not been given, the format of the output\ndepends on what was set with the 'OUTPUT' command. When using PEM\nencoding a few informational lines are prepended.\n\nIf the '--data' has been given, a target set via 'OUTPUT' is ignored\nand the data is returned inline using standard 'D'-lines. This avoids\nthe need for an extra file descriptor. In this case the options\n'--armor' and '--base64' may be used in the same way as with the\n'OUTPUT' command.\n\nFile: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol\n\n\nTo import certificates into the internal key database, the command\n\nIMPORT [--re-import]\n\nis used. The data is expected on the file descriptor set with the\n'INPUT' command. Certain checks are performed on the certificate. Note\nthat the code will also handle PKCS#12 files and import private keys; a\nhelper program is used for that.\n\nWith the option '--re-import' the input data is expected to a be a\nlinefeed separated list of fingerprints. The command will re-import the\ncorresponding certificates; that is they are made permanent by removing\ntheir ephemeral flag.\n\nFile: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol\n\n\nTo delete a certificate the command\n\nDELKEYS PATTERN\n\nis used. To allow multiple patterns (which are ORed) quoting is\nrequired: Spaces are to be translated into \"+\" or into \"%20\"; in turn\nthis requires that the usual escape quoting rules are done.\n\nThe certificates must be specified unambiguously otherwise an error\nis returned.\n\nFile: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol\n\n\nThis command is used to retrieve an audit log.\n\nGETAUDITLOG [--data] [--html]\n\nIf '--data' is used, the audit log is send using D-lines instead of\nbeing sent to the file descriptor given by an 'OUTPUT' command. If\n'--html' is used, the output is formatted as an XHTML block. This is\ndesigned to be incorporated into a HTML document.\n\nFile: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol\n\n\nThis is a multipurpose function to return a variety of information.\n\nGETINFO WHAT\n\nThe value of WHAT specifies the kind of information returned:\n'version'\nReturn the version of the program.\n'pid'\nReturn the process id of the process.\n'agent-check'\nReturn OK if the agent is running.\n'cmdhasoption CMD OPT'\nReturn OK if the command CMD implements the option OPT. The\nleading two dashes usually used with OPT shall not be given.\n'offline'\nReturn OK if the connection is in offline mode. This may be either\ndue to a 'OPTION offline=1' or due to 'gpgsm' being started with\noption '--disable-dirmngr'.\n\nFile: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol\n\n\nThe standard Assuan option handler supports these options.\n\nOPTION NAME[=VALUE]\n\nThese NAMEs are recognized:\n\n'putenv'\nChange the session's environment to be passed via gpg-agent to\nPinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If\nonly '<KEY>' is given the environment variable '<KEY>' is removed\nfrom the session environment, if '<KEY>=' is given that environment\nvariable is set to the empty string, and if '<STRING>' is given it\nis set to that string.\n\n'display'\nSet the session environment variable 'DISPLAY' is set to VALUE.\n'ttyname'\nSet the session environment variable 'GPGTTY' is set to VALUE.\n'ttytype'\nSet the session environment variable 'TERM' is set to VALUE.\n'lc-ctype'\nSet the session environment variable 'LCCTYPE' is set to VALUE.\n'lc-messages'\nSet the session environment variable 'LCMESSAGES' is set to VALUE.\n'xauthority'\nSet the session environment variable 'XAUTHORITY' is set to VALUE.\n'pinentry-user-data'\nSet the session environment variable 'PINENTRYUSERDATA' is set to\nVALUE.\n\n'include-certs'\nThis option overrides the command line option '--include-certs'. A\nVALUE of -2 includes all certificates except for the root\ncertificate, -1 includes all certificates, 0 does not include any\ncertificates, 1 includes only the signers certificate and all other\npositive values include up to VALUE certificates starting with the\nsigner cert.\n\n'list-mode'\n*Note gpgsm-cmd listkeys::.\n\n'list-to-output'\nIf VALUE is true the output of the list commands (*note gpgsm-cmd\nlistkeys::) is written to the file descriptor set with the last\n'OUTPUT' command. If VALUE is false the output is written via data\nlines; this is the default.\n\n'with-validation'\nIf VALUE is true for each listed certificate the validation status\nis printed. This may result in the download of a CRL or the user\nbeing asked about the trustworthiness of a root certificate. The\ndefault is given by a command line option (*note gpgsm-option\n--with-validation::).\n\n'with-secret'\nIf VALUE is true certificates with a corresponding private key are\nmarked by the list commands.\n\n'validation-model'\nThis option overrides the command line option 'validation-model'\nfor the session. (*Note gpgsm-option --validation-model::.)\n\n'with-key-data'\nThis option globally enables the command line option\n'--with-key-data'. (*Note gpgsm-option --with-key-data::.)\n\n'enable-audit-log'\nIf VALUE is true data to write an audit log is gathered. (*Note\ngpgsm-cmd getauditlog::.)\n\n'allow-pinentry-notify'\nIf this option is used notifications about the launch of a Pinentry\nare passed back to the client.\n\n'with-ephemeral-keys'\nIf VALUE is true ephemeral certificates are included in the output\nof the list commands.\n\n'no-encrypt-to'\nIf this option is used all keys set by the command line option\n'--encrypt-to' are ignored.\n\n'offline'\nIf VALUE is true or VALUE is not given all network access is\ndisabled for this session. This is the same as the command line\noption '--disable-dirmngr'.\n\nFile: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top\n" } ] }, "6 Invoking the SCDAEMON": { "content": "The 'scdaemon' is a daemon to manage smartcards. It is usually invoked\nby 'gpg-agent' and in general not used directly.\n\n*Note Option Index::, for an index to 'scdaemon''s commands and\noptions.\n\n* Menu:\n\n* Scdaemon Commands:: List of all commands.\n* Scdaemon Options:: List of all options.\n* Card applications:: Description of card applications.\n* Scdaemon Configuration:: Configuration files.\n* Scdaemon Examples:: Some usage examples.\n* Scdaemon Protocol:: The protocol the daemon uses.\n\nFile: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON\n", "subsections": [ { "name": "6.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed.\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help, -h'\nPrint a usage message summarizing the most useful command-line\noptions. Note that you cannot abbreviate this command.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\n'--server'\nRun in server mode and wait for commands on the 'stdin'. The\ndefault mode is to create a socket and listen for commands there.\n\n'--multi-server'\nRun in server mode and wait for commands on the 'stdin' as well as\non an additional Unix Domain socket. The server command 'GETINFO'\nmay be used to get the name of that extra socket.\n\n'--daemon'\nRun the program in the background. This option is required to\nprevent it from being accidentally running in the background.\n\nFile: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON\n" }, { "name": "6.2 Option Summary", "content": "'--options FILE'\nReads configuration from FILE instead of from the default per-user\nconfiguration file. The default configuration file is named\n'scdaemon.conf' and expected in the '.gnupg' directory directly\nbelow the home directory of the user.\n\n'--homedir DIR'\nSet the name of the home directory to DIR. If this option is not\nused, the home directory defaults to '~/.gnupg'. It is only\nrecognized when given on the command line. It also overrides any\nhome directory stated through the environment variable 'GNUPGHOME'\nor (on Windows systems) by means of the Registry entry\nHKCU\\SOFTWARE\\GNU\\GNUPG:HOMEDIR.\n\nOn Windows systems it is possible to install GnuPG as a portable\napplication. In this case only this command line option is\nconsidered, all other ways to set a home directory are ignored.\n\nTo install GnuPG as a portable application under Windows, create an\nempty file named 'gpgconf.ctl' in the same directory as the tool\n'gpgconf.exe'. The root of the installation is then that\ndirectory; or, if 'gpgconf.exe' has been installed directly below a\ndirectory named 'bin', its parent directory. You also need to make\nsure that the following directories exist and are writable:\n'ROOT/home' for the GnuPG home and 'ROOT/var/cache/gnupg' for\ninternal cache files.\n\n'-v'\n'--verbose'\nOutputs additional information while running. You can increase the\nverbosity by giving several verbose commands to 'gpgsm', such as\n'-vv'.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\nNote: All debugging options are subject to change and thus\nshould not be used by any application program. As the name\nsays, they are only used as helpers to debug problems.\n\n'--debug FLAGS'\nThis option is only useful for debugging and the behavior may\nchange at any time without notice. FLAGS are bit encoded and may\nbe given in usual C-Syntax. The currently defined bits are:\n\n'0 (1)'\ncommand I/O\n'1 (2)'\nvalues of big number integers\n'2 (4)'\nlow level crypto operations\n'5 (32)'\nmemory allocation\n'6 (64)'\ncaching\n'7 (128)'\nshow memory statistics\n'9 (512)'\nwrite hashed data to files named 'dbgmd-000*'\n'10 (1024)'\ntrace Assuan protocol. See also option\n'--debug-assuan-log-cats'.\n'11 (2048)'\ntrace APDU I/O to the card. This may reveal sensitive data.\n'12 (4096)'\ntrace some card reader related function calls.\n\n'--debug-all'\nSame as '--debug=0xffffffff'\n\n'--debug-wait N'\nWhen running in server mode, wait N seconds before entering the\nactual processing loop and print the pid. This gives time to\nattach a debugger.\n\n'--debug-ccid-driver'\nEnable debug output from the included CCID driver for smartcards.\nUsing this option twice will also enable some tracing of the T=1\nprotocol. Note that this option may reveal sensitive data.\n\n'--debug-disable-ticker'\nThis option disables all ticker functions like checking for card\ninsertions.\n\n'--debug-allow-core-dump'\nFor security reasons we won't create a core dump when the process\naborts. For debugging purposes it is sometimes better to allow\ncore dump. This option enables it and also changes the working\ndirectory to '/tmp' when running in '--server' mode.\n\n'--debug-log-tid'\nThis option appends a thread ID to the PID in the log output.\n\n'--debug-assuan-log-cats CATS'\nChanges the active Libassuan logging categories to CATS. The value\nfor CATS is an unsigned integer given in usual C-Syntax. A value\nof 0 switches to a default category. If this option is not used\nthe categories are taken from the environment variable\n'ASSUANDEBUG'. Note that this option has only an effect if the\nAssuan debug flag has also been with the option '--debug'. For a\nlist of categories see the Libassuan manual.\n\n'--no-detach'\nDon't detach the process from the console. This is mainly useful\nfor debugging.\n\n'--listen-backlog N'\nSet the size of the queue for pending connections. The default is\n64. This option has an effect only if '--multi-server' is also\nused.\n\n'--log-file FILE'\nAppend all logging output to FILE. This is very helpful in seeing\nwhat the agent actually does. Use 'socket://' to log to socket.\n\n'--pcsc-driver LIBRARY'\nUse LIBRARY to access the smartcard reader. The current default is\n'libpcsclite.so'. Instead of using this option you might also want\nto install a symbolic link to the default file name (e.g. from\n'libpcsclite.so.1').\n\n'--ctapi-driver LIBRARY'\nUse LIBRARY to access the smartcard reader. The current default is\n'libtowitoko.so'. Note that the use of this interface is\ndeprecated; it may be removed in future releases.\n\n'--disable-ccid'\nDisable the integrated support for CCID compliant readers. This\nallows falling back to one of the other drivers even if the\ninternal CCID driver can handle the reader. Note, that CCID\nsupport is only available if libusb was available at build time.\n\n'--reader-port NUMBERORSTRING'\nThis option may be used to specify the port of the card terminal.\nA value of 0 refers to the first serial device; add 32768 to access\nUSB devices. The default is 32768 (first USB device). PC/SC or\nCCID readers might need a string here; run the program in verbose\nmode to get a list of available readers. The default is then the\nfirst reader found.\n\nTo get a list of available CCID readers you may use this command:\necho scd getinfo readerlist \\\n| gpg-connect-agent --decode | awk '/^D/ {print $2}'\n\n'--card-timeout N'\nIf N is not 0 and no client is actively using the card, the card\nwill be powered down after N seconds. Powering down the card\navoids a potential risk of damaging a card when used with certain\ncheap readers. This also allows applications that are not aware of\nScdaemon to access the card. The disadvantage of using a card\ntimeout is that accessing the card takes longer and that the user\nneeds to enter the PIN again after the next power up.\n\nNote that with the current version of Scdaemon the card is powered\ndown immediately at the next timer tick for any value of N other\nthan 0.\n\n'--enable-pinpad-varlen'\nPlease specify this option when the card reader supports variable\nlength input for pinpad (default is no). For known readers (listed\nin ccid-driver.c and apdu.c), this option is not needed. Note that\nif your card reader doesn't supports variable length input but you\nwant to use it, you need to specify your pinpad request on your\ncard.\n\n'--disable-pinpad'\nEven if a card reader features a pinpad, do not try to use it.\n\n'--deny-admin'\nThis option disables the use of admin class commands for card\napplications where this is supported. Currently we support it for\nthe OpenPGP card. This option is useful to inhibit accidental\naccess to admin class command which could ultimately lock the card\nthrough wrong PIN numbers. Note that GnuPG versions older than\n2.0.11 featured an '--allow-admin' option which was required to use\nsuch admin commands. This option has no more effect today because\nthe default is now to allow admin commands.\n\n'--disable-application NAME'\nThis option disables the use of the card application named NAME.\nThis is mainly useful for debugging or if a application with lower\npriority should be used by default.\n\nAll the long options may also be given in the configuration file\nafter stripping off the two leading dashes.\n\nFile: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON\n" }, { "name": "6.3 Description of card applications", "content": "'scdaemon' supports the card applications as described below.\n\n* Menu:\n\n* OpenPGP Card:: The OpenPGP card application\n* NKS Card:: The Telesec NetKey card application\n* DINSIG Card:: The DINSIG card application\n* PKCS#15 Card:: The PKCS#15 card application\n* Geldkarte Card:: The Geldkarte application\n* SmartCard-HSM:: The SmartCard-HSM application\n* Undefined Card:: The Undefined stub application\n\nFile: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications\n\n\nThis application is currently only used by 'gpg' but may in future also\nbe useful with 'gpgsm'. Version 1 and version 2 of the card is\nsupported.\n\nThe specifications for these cards are available at\n<http://g10code.com/docs/openpgp-card-1.0.pdf> and\n<http://g10code.com/docs/openpgp-card-2.0.pdf>.\n\nFile: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications\n\n\nThis is the main application of the Telesec cards as available in\nGermany. It is a superset of the German DINSIG card. The card is used\nby 'gpgsm'.\n\nFile: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications\n\n\nThis is an application as described in the German draft standard DIN V\n66291-1. It is intended to be used by cards supporting the German\nsignature law and its bylaws (SigG and SigV).\n\nFile: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications\n\n\nThis is common framework for smart card applications. It is used by\n'gpgsm'.\n\nFile: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications\n\n\nThis is a simple application to display information of a German\nGeldkarte. The Geldkarte is a small amount debit card application which\ncomes with almost all German banking cards.\n\nFile: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications\n\n\nThis application adds read-only support for keys and certificates stored\non a SmartCard-HSM (http://www.smartcard-hsm.com).\n\nTo generate keys and store certificates you may use OpenSC\n(https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from\nOpenSCDP (http://www.openscdp.org).\n\nThe SmartCard-HSM cards requires a card reader that supports Extended\nLength APDUs.\n\nFile: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications\n\n\nThis is a stub application to allow the use of the APDU command even if\nno supported application is found on the card. This application is not\nused automatically but must be explicitly requested using the SERIALNO\ncommand.\n\nFile: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON\n" }, { "name": "6.4 Configuration files", "content": "There are a few configuration files to control certain aspects of\n'scdaemons''s operation. Unless noted, they are expected in the current\nhome directory (*note option --homedir::).\n\n'scdaemon.conf'\nThis is the standard configuration file read by 'scdaemon' on\nstartup. It may contain any valid long option; the leading two\ndashes may not be entered and the option may not be abbreviated.\nThis default name may be changed on the command line (*note option\n--options::).\n\n'scd-event'\nIf this file is present and executable, it will be called on every\ncard reader's status change. An example of this script is provided\nwith the distribution\n\n'readerN.status'\nThis file is created by 'scdaemon' to let other applications now\nabout reader status changes. Its use is now deprecated in favor of\n'scd-event'.\n\nFile: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON\n" }, { "name": "6.5 Examples", "content": "$ scdaemon --server -v\n\nFile: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON\n" }, { "name": "6.6 Scdaemon's Assuan Protocol", "content": "The SC-Daemon should be started by the system to provide access to\nexternal tokens. Using Smartcards on a multi-user system does not make\nmuch sense except for system services, but in this case no regular user\naccounts are hosted on the machine.\n\nA client connects to the SC-Daemon by connecting to the socket named\n'/var/run/gnupg/scdaemon/socket', configuration information is read from\n/ETC/GNUPG/SCDAEMON.CONF\n\nEach connection acts as one session, SC-Daemon takes care of\nsynchronizing access to a token between sessions.\n\n* Menu:\n\n* Scdaemon SERIALNO:: Return the serial number.\n* Scdaemon LEARN:: Read all useful information from the card.\n* Scdaemon READCERT:: Return a certificate.\n* Scdaemon READKEY:: Return a public key.\n* Scdaemon PKSIGN:: Signing data with a Smartcard.\n* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.\n* Scdaemon GETATTR:: Read an attribute's value.\n* Scdaemon SETATTR:: Update an attribute's value.\n* Scdaemon WRITEKEY:: Write a key to a card.\n* Scdaemon GENKEY:: Generate a new key on-card.\n* Scdaemon RANDOM:: Return random bytes generated on-card.\n* Scdaemon PASSWD:: Change PINs.\n* Scdaemon CHECKPIN:: Perform a VERIFY operation.\n* Scdaemon RESTART:: Restart connection\n* Scdaemon APDU:: Send a verbatim APDU to the card\n\nFile: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol\n\n\nThis command should be used to check for the presence of a card. It is\nspecial in that it can be used to reset the card. Most other commands\nwill return an error when a card change has been detected and the use of\nthis function is therefore required.\n\nBackground: We want to keep the client clear of handling card changes\nbetween operations; i.e. the client can assume that all operations are\ndone on the same card unless he call this function.\n\nSERIALNO\n\nReturn the serial number of the card using a status response like:\n\nS SERIALNO D27600000000000000000000\n\nThe serial number is the hex encoded value identified by the '0x5A'\ntag in the GDO file (FIX=0x2F02).\n\nFile: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol\n\n\nLEARN [--force]\n\nLearn all useful information of the currently inserted card. When\nused without the '--force' option, the command might do an INQUIRE like\nthis:\n\nINQUIRE KNOWNCARDP <hexstringwithserialNumber>\n\nThe client should just send an 'END' if the processing should go on\nor a 'CANCEL' to force the function to terminate with a cancel error\nmessage. The response of this command is a list of status lines\nformatted as this:\n\nS KEYPAIRINFO HEXSTRINGWITHKEYGRIP HEXSTRINGWITHID\n\nIf there is no certificate yet stored on the card a single \"X\" is\nreturned in HEXSTRINGWITHKEYGRIP.\n\nFile: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol\n\n\nREADCERT HEXIFIEDCERTID|KEYID\n\nThis function is used to read a certificate identified by\nHEXIFIEDCERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'\nmay be used to read the certificate of version 2 cards.\n\nFile: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol\n\n\nREADKEY HEXIFIEDCERTID\n\nReturn the public key for the given cert or key ID as an standard\nS-Expression.\n\nFile: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol\n\n\nTo sign some data the caller should use the command\n\nSETDATA HEXSTRING\n\nto tell 'scdaemon' about the data to be signed. The data must be\ngiven in hex notation. The actual signing is done using the command\n\nPKSIGN KEYID\n\nwhere KEYID is the hexified ID of the key to be used. The key id may\nhave been retrieved using the command 'LEARN'. If another hash\nalgorithm than SHA-1 is used, that algorithm may be given like:\n\nPKSIGN --hash=ALGONAME KEYID\n\nWith ALGONAME are one of 'sha1', 'rmd160' or 'md5'.\n\nFile: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol\n\n\nTo decrypt some data the caller should use the command\n\nSETDATA HEXSTRING\n\nto tell 'scdaemon' about the data to be decrypted. The data must be\ngiven in hex notation. The actual decryption is then done using the\ncommand\n\nPKDECRYPT KEYID\n\nwhere KEYID is the hexified ID of the key to be used.\n\nIf the card is aware of the apdding format a status line with padding\ninformation is send before the plaintext data. The key for this status\nline is 'PADDING' with the only defined value being 0 and meaning\npadding has been removed.\n\nFile: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol\n\n\nTO BE WRITTEN.\n\nFile: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol\n\n\nTO BE WRITTEN.\n\nFile: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol\n\n\nWRITEKEY [--force] KEYID\n\nThis command is used to store a secret key on a smartcard. The\nallowed keyids depend on the currently selected smartcard application.\nThe actual keydata is requested using the inquiry 'KEYDATA' and need to\nbe provided without any protection. With '--force' set an existing key\nunder this KEYID will get overwritten. The key data is expected to be\nthe usual canonical encoded S-expression.\n\nA PIN will be requested in most cases. This however depends on the\nactual card application.\n\nFile: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol\n\n\nTO BE WRITTEN.\n\nFile: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol\n\n\nTO BE WRITTEN.\n\nFile: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol\n\n\nPASSWD [--reset] [--nullpin] CHVNO\n\nChange the PIN or reset the retry counter of the card holder\nverification vector number CHVNO. The option '--nullpin' is used to\ninitialize the PIN of TCOS cards (6 byte NullPIN only).\n\nFile: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol\n\n\nCHECKPIN IDSTR\n\nPerform a VERIFY operation without doing anything else. This may be\nused to initialize a the PIN cache earlier to long lasting operations.\nIts use is highly application dependent:\n\n*OpenPGP*\n\nPerform a simple verify operation for CHV1 and CHV2, so that\nfurther operations won't ask for CHV2 and it is possible to do a\ncheap check on the PIN: If there is something wrong with the PIN\nentry system, only the regular CHV will get blocked and not the\ndangerous CHV3. IDSTR is the usual card's serial number in hex\nnotation; an optional fingerprint part will get ignored.\n\nThere is however a special mode if IDSTR is suffixed with the\nliteral string '[CHV3]': In this case the Admin PIN is checked if\nand only if the retry counter is still at 3.\n\nFile: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol\n\n\nRESTART\n\nRestart the current connection; this is a kind of warm reset. It\ndeletes the context used by this connection but does not actually reset\nthe card.\n\nThis is used by gpg-agent to reuse a primary pipe connection and may\nbe used by clients to backup from a conflict in the serial command; i.e.\nto select another application.\n\nFile: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol\n\n\nAPDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]\n\nSend an APDU to the current reader. This command bypasses the high\nlevel functions and sends the data directly to the card. HEXSTRING is\nexpected to be a proper APDU. If HEXSTRING is not given no commands are\nsend to the card; However the command will implicitly check whether the\ncard is ready for use.\n\nUsing the option '--atr' returns the ATR of the card as a status\nmessage before any data like this:\nS CARD-ATR 3BFA1300FF813180450031C173C00100009000B1\n\nUsing the option '--more' handles the card status word MOREDATA\n(61xx) and concatenate all responses to one block.\n\nUsing the option '--exlen' the returned APDU may use extended length\nup to N bytes. If N is not given a default value is used (currently\n4096).\n\nFile: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top\n" } ] }, "7 How to Specify a User Id": { "content": "There are different ways to specify a user ID to GnuPG. Some of them are\nonly valid for 'gpg' others are only good for 'gpgsm'. Here is the\nentire list of ways to specify a key:\n\n* By key Id. This format is deduced from the length of the string\nand its content or '0x' prefix. The key Id of an X.509 certificate\nare the low 64 bits of its SHA-1 fingerprint. The use of key Ids\nis just a shortcut, for all automated processing the fingerprint\nshould be used.\n\nWhen using 'gpg' an exclamation mark (!) may be appended to force\nusing the specified primary or secondary key and not to try and\ncalculate which primary or secondary key to use.\n\nThe last four lines of the example give the key ID in their long\nform as internally used by the OpenPGP protocol. You can see the\nlong key ID using the option '--with-colons'.\n\n234567C4\n0F34E556E\n01347A56A\n0xAB123456\n\n234AABBCC34567C4\n0F323456784E56EAB\n01AB3FED1347A5612\n0x234AABBCC34567C4\n\n* By fingerprint. This format is deduced from the length of the\nstring and its content or the '0x' prefix. Note, that only the 20\nbyte version fingerprint is available with 'gpgsm' (i.e. the SHA-1\nhash of the certificate).\n\nWhen using 'gpg' an exclamation mark (!) may be appended to force\nusing the specified primary or secondary key and not to try and\ncalculate which primary or secondary key to use.\n\nThe best way to specify a key Id is by using the fingerprint. This\navoids any ambiguities in case that there are duplicated key IDs.\n\n1234343434343434C434343434343434\n123434343434343C3434343434343734349A3434\n0E12343434343434343434EAB3484343434343434\n0xE12343434343434343434EAB3484343434343434\n\n'gpgsm' also accepts colons between each pair of hexadecimal digits\nbecause this is the de-facto standard on how to present X.509\nfingerprints. 'gpg' also allows the use of the space separated\nSHA-1 fingerprint as printed by the key listing commands.\n\n* By exact match on OpenPGP user ID. This is denoted by a leading\nequal sign. It does not make sense for X.509 certificates.\n\n=Heinrich Heine <heinrichh@uni-duesseldorf.de>\n\n* By exact match on an email address. This is indicated by enclosing\nthe email address in the usual way with left and right angles.\n\n<heinrichh@uni-duesseldorf.de>\n\n* By partial match on an email address. This is indicated by\nprefixing the search string with an '@'. This uses a substring\nsearch but considers only the mail address (i.e. inside the angle\nbrackets).\n\n@heinrichh\n\n* By exact match on the subject's DN. This is indicated by a leading\nslash, directly followed by the RFC-2253 encoded DN of the subject.\nNote that you can't use the string printed by 'gpgsm --list-keys'\nbecause that one has been reordered and modified for better\nreadability; use '--with-colons' to print the raw (but standard\nescaped) RFC-2253 string.\n\n/CN=Heinrich Heine,O=Poets,L=Paris,C=FR\n\n* By exact match on the issuer's DN. This is indicated by a leading\nhash mark, directly followed by a slash and then directly followed\nby the RFC-2253 encoded DN of the issuer. This should return the\nRoot cert of the issuer. See note above.\n\n#/CN=Root Cert,O=Poets,L=Paris,C=FR\n\n* By exact match on serial number and issuer's DN. This is indicated\nby a hash mark, followed by the hexadecimal representation of the\nserial number, then followed by a slash and the RFC-2253 encoded DN\nof the issuer. See note above.\n\n#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR\n\n* By keygrip. This is indicated by an ampersand followed by the 40\nhex digits of a keygrip. 'gpgsm' prints the keygrip when using the\ncommand '--dump-cert'.\n\n&D75F22C3F86E355877348498CDC92BD21010A480\n\n* By substring match. This is the default mode but applications may\nwant to explicitly indicate this by putting the asterisk in front.\nMatch is not case sensitive.\n\nHeine\n*Heine\n\n* . and + prefixes These prefixes are reserved for looking up mails\nanchored at the end and for a word search mode. They are not yet\nimplemented and using them is undefined.\n\nPlease note that we have reused the hash mark identifier which was\nused in old GnuPG versions to indicate the so called local-id. It is\nnot anymore used and there should be no conflict when used with X.509\nstuff.\n\nUsing the RFC-2253 format of DNs has the drawback that it is not\npossible to map them back to the original encoding, however we don't\nhave to do this because our key database stores this encoding as meta\ndata.\n\nFile: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top\n", "subsections": [] }, "8 Trust Values": { "content": "Trust values are used to indicate ownertrust and validity of keys and\nuser IDs. They are displayed with letters or strings:\n\n-\nunknown\nNo ownertrust assigned / not yet calculated.\n\ne\nexpired\n\nTrust calculation has failed; probably due to an expired key.\n\nq\nundefined, undef\nNot enough information for calculation.\n\nn\nnever\nNever trust this key.\n\nm\nmarginal\nMarginally trusted.\n\nf\nfull\nFully trusted.\n\nu\nultimate\nUltimately trusted.\n\nr\nrevoked\nFor validity only: the key or the user ID has been revoked.\n\n?\nerr\nThe program encountered an unknown trust value.\n\nFile: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top\n", "subsections": [] }, "9 Helper Tools": { "content": "GnuPG comes with a couple of smaller tools:\n\n* Menu:\n\n* watchgnupg:: Read logs from a socket.\n* gpgv:: Verify OpenPGP signatures.\n* addgnupghome:: Create .gnupg home directories.\n* gpgconf:: Modify .gnupg home directories.\n* applygnupgdefaults:: Run gpgconf for all users.\n* gpg-preset-passphrase:: Put a passphrase into the cache.\n* gpg-connect-agent:: Communicate with a running agent.\n* dirmngr-client:: How to use the Dirmngr client tool.\n* gpgparsemail:: Parse a mail message into an annotated format\n* symcryptrun:: Call a simple symmetric encryption tool.\n* gpgtar:: Encrypt or sign files into an archive.\n\nFile: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools\n", "subsections": [ { "name": "9.1 Read logs from a socket", "content": "Most of the main utilities are able to write their log files to a Unix\nDomain socket if configured that way. 'watchgnupg' is a simple listener\nfor such a socket. It ameliorates the output with a time stamp and\nmakes sure that long lines are not interspersed with log output from\nother utilities. This tool is not available for Windows.\n\n'watchgnupg' is commonly invoked as\n\nwatchgnupg --force $(gpgconf --list-dirs socketdir)/S.log\n\nThis starts it on the current terminal for listening on the standard\nlogging socket (which is either '~/.gnupg/S.log' or\n'/var/run/user/UID/gnupg/S.log').\n\n'watchgnupg' understands these options:\n\n'--force'\nDelete an already existing socket file.\n\n'--tcp N'\nInstead of reading from a local socket, listen for connects on TCP\nport N.\n\n'--time-only'\nDo not print the date part of the timestamp.\n\n'--verbose'\nEnable extra informational output.\n\n'--version'\nPrint version of the program and exit.\n\n'--help'\nDisplay a brief help page and exit.\n\n" } ] }, "Examples": { "content": "The Web Key Service requires a working directory to store keys pending\nfor publication. As root create a working directory:\n\n# mkdir /var/lib/gnupg/wks\n# chown webkey:webkey /var/lib/gnupg/wks\n# chmod 2750 /var/lib/gnupg/wks\n\nThen under your webkey account create directories for all your\ndomains. Here we do it for \"example.net\":\n\n$ mkdir /var/lib/gnupg/wks/example.net\n\nFinally run\n\n$ gpg-wks-server --list-domains\n\nto create the required sub-directories with the permissions set\ncorrectly. For each domain a submission address needs to be configured.\nAll service mails are directed to that address. It can be the same\naddress for all configured domains, for example:\n\n$ cd /var/lib/gnupg/wks/example.net\n$ echo key-submission@example.net >submission-address\n\nThe protocol requires that the key to be published is send with an\nencrypted mail to the service. Thus you need to create a key for the\nsubmission address:\n\n$ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net\n$ gpg -K key-submission@example.net\n\nThe output of the last command looks similar to this:\n\nsec rsa3072 2016-08-30 [SC]\nC0FCF8642D830C53246211400346653590B3795B\nuid [ultimate] key-submission@example.net\nssb rsa3072 2016-08-30 [E]\n\nTake the fingerprint from that output and manually publish the key:\n\n$ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \\\n> key-submission@example.net\n\nFinally that submission address needs to be redirected to a script\nrunning 'gpg-wks-server'. The 'procmail' command can be used for this:\nRedirect the submission address to the user \"webkey\" and put this into\nwebkey's '.procmailrc':\n\n:0\n* !^From: webkey@example.net\n* !^X-WKS-Loop: webkey.example.net\n|gpg-wks-server -v --receive \\\n--header X-WKS-Loop=webkey.example.net \\\n--from webkey@example.net --send\n\nFile: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top\n", "subsections": [] }, "10 Web Key Service": { "content": "GnuPG comes with tools used to maintain and access a Web Key Directory.\n\n* Menu:\n\n* gpg-wks-client:: Send requests via WKS\n* gpg-wks-server:: Server to provide the WKS.\n\nFile: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service\n", "subsections": [ { "name": "10.1 Send requests via WKS", "content": "The 'gpg-wks-client' is used to send requests to a Web Key Service\nprovider. This is usuallay done to upload a key into a Web Key\nDirectory.\n\nWith the '--supported' command the caller can test whether a site\nsupports the Web Key Service. The argument is an arbitrary address in\nthe to be tested domain. For example 'foo@example.net'. The command\nreturns success if the Web Key Service is supported. The operation is\nsilent; to get diagnostic output use the option '--verbose'. See option\n'--with-colons' for a variant of this command.\n\nWith the '--check' command the caller can test whether a key exists\nfor a supplied mail address. The command returns success if a key is\navailable.\n\nThe '--create' command is used to send a request for publication in\nthe Web Key Directory. The arguments are the fingerprint of the key and\nthe user id to publish. The output from the command is a properly\nformatted mail with all standard headers. This mail can be fed to\n'sendmail(8)' or any other tool to actually send that mail. If\n'sendmail(8)' is installed the option '--send' can be used to directly\nsend the created request. If the provider request a 'mailbox-only' user\nid and no such user id is found, 'gpg-wks-client' will try an additional\nuser id.\n\nThe '--receive' and '--read' commands are used to process\nconfirmation mails as send from the service provider. The former\nexpects an encrypted MIME messages, the latter an already decrypted MIME\nmessage. The result of these commands are another mail which can be\nsend in the same way as the mail created with '--create'.\n\nThe command '--install-key' manually installs a key into a local\ndirectory (see option '-C') reflecting the structure of a WKD. The\narguments are a file with the keyblock and the user-id to install. If\nthe first argument resembles a fingerprint the key is taken from the\ncurrent keyring; to force the use of a file, prefix the first argument\nwith \"./\". If no arguments are given the parameters are read from\nstdin; the expected format are lines with the fingerprint and the\nmailbox separated by a space. The command '--remove-key' removes a key\nfrom that directory, its only argument is a user-id.\n\nThe command '--print-wkd-hash' prints the WKD user-id identifiers and\nthe corresponding mailboxes from the user-ids given on the command line\nor via stdin (one user-id per line).\n\nThe command '--print-wkd-url' prints the URLs used to fetch the key\nfor the given user-ids from WKD. The meanwhile preferred format with\nsub-domains is used here.\n\n'gpg-wks-client' is not commonly invoked directly and thus it is not\ninstalled in the bin directory. Here is an example how it can be\ninvoked manually to check for a Web Key Directory entry for\n'foo@example.org':\n\n$(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net\n\n'gpg-wks-client' understands these options:\n\n'--send'\nDirectly send created mails using the 'sendmail' command. Requires\ninstallation of that command.\n\n'--with-colons'\nThis option has currently only an effect on the '--supported'\ncommand. If it is used all arguments on the command line are taken\nas domain names and tested for WKD support. The output format is\none line per domain with colon delimited fields. The currently\nspecified fields are (future versions may specify additional\nfields):\n\n1 - domain\nThis is the domain name. Although quoting is not required for\nvalid domain names this field is specified to be quoted in\nstandard C manner.\n\n2 - WKD\nIf the value is true the domain supports the Web Key\nDirectory.\n\n3 - WKS\nIf the value is true the domain supports the Web Key Service\nprotocol to upload keys to the directory.\n\n4 - error-code\nThis may contain an gpg-error code to describe certain\nfailures. Use 'gpg-error CODE' to explain the code.\n\n5 - protocol-version\nThe minimum protocol version supported by the server.\n\n6 - auth-submit\nThe auth-submit flag from the policy file of the server.\n\n7 - mailbox-only\nThe mailbox-only flag from the policy file of the server.\n\n'--output FILE'\n'-o'\nWrite the created mail to FILE instead of stdout. Note that the\nvalue '-' for FILE is the same as writing to stdout.\n\n'--status-fd N'\nWrite special status strings to the file descriptor N. This\nprogram returns only the status messages SUCCESS or FAILURE which\nare helpful when the caller uses a double fork approach and can't\neasily get the return code of the process.\n\n'-C DIR'\n'--directory DIR'\nUse DIR as top level directory for the commands '--install-key' and\n'--remove-key'. The default is 'openpgpkey'.\n\n'--verbose'\nEnable extra informational output.\n\n'--quiet'\nDisable almost all informational output.\n\n'--version'\nPrint version of the program and exit.\n\n'--help'\nDisplay a brief help page and exit.\n\nFile: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service\n" }, { "name": "10.2 Provide the Web Key Service", "content": "The 'gpg-wks-server' is a server site implementation of the Web Key\nService. It receives requests for publication, sends confirmation\nrequests, receives confirmations, and published the key. It also has\nfeatures to ease the setup and maintenance of a Web Key Directory.\n\nWhen used with the command '--receive' a single Web Key Service mail\nis processed. Commonly this command is used with the option '--send' to\ndirectly send the crerated mails back. See below for an installation\nexample.\n\nThe command '--cron' is used for regualr cleanup tasks. For example\nnon-confirmed requested should be removed after their expire time. It\nis best to run this command once a day from a cronjob.\n\nThe command '--list-domains' prints all configured domains. Further\nit creates missing directories for the configuration and prints warnings\npertaining to problems in the configuration.\n\nThe command '--check-key' (or just '--check') checks whether a key\nwith the given user-id is installed. The process returns success in\nthis case; to also print a diagnostic use the option '-v'. If the key\nis not installed a diagnostic is printed and the process returns\nfailure; to suppress the diagnostic, use option '-q'. More than one\nuser-id can be given; see also option 'with-file'.\n\nThe command '--install-key' manually installs a key into the WKD. The\narguments are a file with the keyblock and the user-id to install. If\nthe first argument resembles a fingerprint the key is taken from the\ncurrent keyring; to force the use of a file, prefix the first argument\nwith \"./\". If no arguments are given the parameters are read from\nstdin; the expected format are lines with the fingerprint and the\nmailbox separated by a space.\n\nThe command '--remove-key' uninstalls a key from the WKD. The process\nreturns success in this case; to also print a diagnostic, use option\n'-v'. If the key is not installed a diagnostic is printed and the\nprocess returns failure; to suppress the diagnostic, use option '-q'.\n\nThe command '--revoke-key' is not yet functional.\n\n'gpg-wks-server' understands these options:\n\n'-C DIR'\n'--directory DIR'\nUse DIR as top level directory for domains. The default is\n'/var/lib/gnupg/wks'.\n\n'--from MAILADDR'\nUse MAILADDR as the default sender address.\n\n'--header NAME=VALUE'\nAdd the mail header \"NAME: VALUE\" to all outgoing mails.\n\n'--send'\nDirectly send created mails using the 'sendmail' command. Requires\ninstallation of that command.\n\n'-o FILE'\n'--output FILE'\nWrite the created mail also to FILE. Note that the value '-' for\nFILE would write it to stdout.\n\n'--with-dir'\nWhen used with the command '--list-domains' print for each\ninstalled domain the domain name and its directory name.\n\n'--with-file'\nWhen used with the command '--check-key' print for each user-id,\nthe address, 'i' for installed key or 'n' for not installed key,\nand the filename.\n\n'--verbose'\nEnable extra informational output.\n\n'--quiet'\nDisable almost all informational output.\n\n'--version'\nPrint version of the program and exit.\n\n'--help'\nDisplay a brief help page and exit.\n\n" } ] }, "11 How to do certain things": { "content": "This is a collection of small howto documents.\n\n* Menu:\n\n* Howto Create a Server Cert:: Creating a TLS server certificate.\n\nFile: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos\n", "subsections": [ { "name": "11.1 Creating a TLS server certificate", "content": "Here is a brief run up on how to create a server certificate. It has\nactually been done this way to get a certificate from CAcert to be used\non a real server. It has only been tested with this CA, but there\nshouldn't be any problem to run this against any other CA.\n\nWe start by generating an X.509 certificate signing request. As\nthere is no need for a configuration file, you may simply enter:\n\n$ gpgsm --generate-key >example.com.cert-req.pem\nPlease select what kind of key you want:\n(1) RSA\n(2) Existing key\n(3) Existing key from card\nYour selection? 1\n\nI opted for creating a new RSA key. The other option is to use an\nalready existing key, by selecting '2' and entering the so-called\nkeygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you\nthis keygrip. Using '3' offers another menu to create a certificate\ndirectly from a smart card based key.\n\nLet's continue:\n\nWhat keysize do you want? (3072)\nRequested keysize is 3072 bits\n\nHitting enter chooses the default RSA key size of 3072 bits. Keys\nsmaller than 2048 bits are too weak on the modern Internet. If you\nchoose a larger (stronger) key, your server will need to do more work.\n\nPossible actions for a RSA key:\n(1) sign, encrypt\n(2) sign\n(3) encrypt\nYour selection? 1\n\nSelecting \"sign\" enables use of the key for Diffie-Hellman key\nexchange mechanisms (DHE and ECDHE) in TLS, which are preferred because\nthey offer forward secrecy. Selecting \"encrypt\" enables RSA key\nexchange mechanisms, which are still common in some places. Selecting\nboth enables both key exchange mechanisms.\n\nNow for some real data:\n\nEnter the X.509 subject name: CN=example.com\n\nThis is the most important value for a server certificate. Enter\nhere the canonical name of your server machine. You may add other\nvirtual server names later.\n\nE-Mail addresses (end with an empty line):\n>\n\nWe don't need email addresses in a TLS server certificate and CAcert\nwould anyway ignore such a request. Thus just hit enter.\n\nIf you want to create a client certificate for email encryption, this\nwould be the place to enter your mail address (e.g. <joe@example.org>).\nYou may enter as many addresses as you like, however the CA may not\naccept them all or reject the entire request.\n\nEnter DNS names (optional; end with an empty line):\n> example.com\n> www.example.com\n>\n\nHere I entered the names of the services which the machine actually\nprovides. You almost always want to include the canonical name here\ntoo. The browser will accept a certificate for any of these names. As\nusual the CA must approve all of these names.\n\nURIs (optional; end with an empty line):\n>\n\nIt is possible to insert arbitrary URIs into a certificate; for a\nserver certificate this does not make sense.\n\nCreate self-signed certificate? (y/N)\n\nSince we are creating a certificate signing request, and not a full\ncertificate, we answer no here, or just hit enter for the default.\n\nWe have now entered all required information and 'gpgsm' will display\nwhat it has gathered and ask whether to create the certificate request:\n\nThese parameters are used:\nKey-Type: RSA\nKey-Length: 3072\nKey-Usage: sign, encrypt\nName-DN: CN=example.com\nName-DNS: example.com\nName-DNS: www.example.com\n\nProceed with creation? (y/N) y\n\n'gpgsm' will now start working on creating the request. As this\nincludes the creation of an RSA key it may take a while. During this\ntime you will be asked 3 times for a passphrase to protect the created\nprivate key on your system. A pop up window will appear to ask for it.\nThe first two prompts are for the new passphrase and for re-entering it;\nthe third one is required to actually create the certificate signing\nrequest.\n\nWhen it is ready, you should see the final notice:\n\nReady. You should now send this request to your CA.\n\nNow, you may look at the created request:\n\n$ cat example.com.cert-req.pem\n-----BEGIN CERTIFICATE REQUEST-----\nMIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW\nh2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC\nRwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW\nGqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm\nDPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n\nxCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq\nhkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs\nZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN\nb5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ\nhXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D\nbJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk\nVcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3\nk+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=\n-----END CERTIFICATE REQUEST-----\n$\n\nYou may now proceed by logging into your account at the CAcert\nwebsite, choose 'Server Certificates - New', check 'sign by class 3 root\ncertificate', paste the above request block into the text field and\nclick on 'Submit'.\n\nIf everything works out fine, a certificate will be shown. Now run\n\n$ gpgsm --import\n\nand paste the certificate from the CAcert page into your terminal\nfollowed by a Ctrl-D\n\n-----BEGIN CERTIFICATE-----\nMIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl\n[...]\nrUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs\nRtct3tIX\n-----END CERTIFICATE-----\ngpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found\ngpgsm: certificate imported\n\ngpgsm: total number processed: 1\ngpgsm: imported: 1\n\n'gpgsm' tells you that it has imported the certificate. It is now\nassociated with the key you used when creating the request. The root\ncertificate has not been found, so you may want to import it from the\nCACert website.\n\nTo see the content of your certificate, you may now enter:\n\n$ gpgsm -K example.com\nSerial number: 4C\nIssuer: /CN=CAcert Class 3 Root/OU=http:\\x2f\\x2fwww.[...]\nSubject: /CN=example.com\naka: (dns-name example.com)\naka: (dns-name www.example.com)\nvalidity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51\nkey type: 3072 bit RSA\nkey usage: digitalSignature keyEncipherment\next key usage: clientAuth (suggested), serverAuth (suggested), [...]\nfingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57\n\nI used '-K' above because this will only list certificates for which\na private key is available. To see more details, you may use\n'--dump-secret-keys' instead of '-K'.\n\nTo make actual use of the certificate you need to install it on your\nserver. Server software usually expects a PKCS\\#12 file with key and\ncertificate. To create such a file, run:\n\n$ gpgsm --export-secret-key-p12 -a >example.com-cert.pem\n\nYou will be asked for the passphrase as well as for a new passphrase\nto be used to protect the PKCS\\#12 file. The file now contains the\ncertificate as well as the private key:\n\n$ cat example-cert.pem\nIssuer ...: /CN=CAcert Class 3 Root/OU=http:\\x2f\\x2fwww.CA[...]\nSerial ...: 4C\nSubject ..: /CN=example.com\naka ..: (dns-name example.com)\naka ..: (dns-name www.example.com)\n\n-----BEGIN PKCS12-----\nMIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu\n[...many more lines...]\n-----END PKCS12-----\n$\n\nCopy this file in a secure way to the server, install it there and\ndelete the file then. You may export the file again at any time as long\nas it is available in GnuPG's private key database.\n\nFile: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top\n" } ] }, "12 Notes pertaining to certain OSes": { "content": "GnuPG has been developed on GNU/Linux systems and is know to work on\nalmost all Free OSes. All modern POSIX systems should be supported\nright now, however there are probably a lot of smaller glitches we need\nto fix first. The major problem areas are:\n\n* We are planning to use file descriptor passing for interprocess\ncommunication. This will allow us save a lot of resources and\nimprove performance of certain operations a lot. Systems not\nsupporting this won't gain these benefits but we try to keep them\nworking the standard way as it is done today.\n\n* We require more or less full POSIX compatibility. This has been\naround for 15 years now and thus we don't believe it makes sense to\nsupport non POSIX systems anymore. Well, we of course the usual\nworkarounds for near POSIX systems well be applied.\n\nThere is one exception of this rule: Systems based the Microsoft\nWindows API (called here W32) will be supported to some extend.\n\n* Menu:\n\n* W32 Notes:: Microsoft Windows Notes\n\nFile: gnupg.info, Node: W32 Notes, Up: System Notes\n", "subsections": [ { "name": "12.1 Microsoft Windows Notes", "content": "Current limitations are:\n\n* 'gpgconf' does not create backup files, so in case of trouble your\nconfiguration file might get lost.\n\n* 'watchgnupg' is not available. Logging to sockets is not possible.\n\n* The periodical smartcard status checking done by 'scdaemon' is not\nyet supported.\n\nFile: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top\n" } ] }, "13 How to solve problems": { "content": "Everyone knows that software often does not do what it should do and\nthus there is a need to track down problems. We call this debugging in\na reminiscent to the moth jamming a relay in a Mark II box back in 1947.\n\nMost of the problems a merely configuration and user problems but\nnevertheless they are the most annoying ones and responsible for many\ngray hairs. We try to give some guidelines here on how to identify and\nsolve the problem at hand.\n\n* Menu:\n\n* Debugging Tools:: Description of some useful tools.\n* Debugging Hints:: Various hints on debugging.\n* Common Problems:: Commonly seen problems.\n* Architecture Details:: How the whole thing works internally.\n\nFile: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging\n", "subsections": [ { "name": "13.1 Debugging Tools", "content": "The GnuPG distribution comes with a couple of tools, useful to help find\nand solving problems.\n\n* Menu:\n\n* kbxutil:: Scrutinizing a keybox file.\n\nFile: gnupg.info, Node: kbxutil, Up: Debugging Tools\n\n\nA keybox is a file format used to store public keys along with meta\ninformation and indices. The commonly used one is the file\n'pubring.kbx' in the '.gnupg' directory. It contains all X.509\ncertificates as well as OpenPGP keys.\n\nWhen called the standard way, e.g.:\n\n'kbxutil ~/.gnupg/pubring.kbx'\n\nit lists all records (called blobs) with there meta-information in a\nhuman readable format.\n\nTo see statistics on the keybox in question, run it using\n\n'kbxutil --stats ~/.gnupg/pubring.kbx'\n\nand you get an output like:\n\nTotal number of blobs: 99\nheader: 1\nempty: 0\nopenpgp: 0\nx509: 98\nnon flagged: 81\nsecret flagged: 0\nephemeral flagged: 17\n\nIn this example you see that the keybox does not have any OpenPGP\nkeys but contains 98 X.509 certificates and a total of 17 keys or\ncertificates are flagged as ephemeral, meaning that they are only\ntemporary stored (cached) in the keybox and won't get listed using the\nusual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored\nin a standard way and directly available from 'gpgsm'.\n\nTo find duplicated certificates and keyblocks in a keybox file (this\nshould not occur but sometimes things go wrong), run it using\n\n'kbxutil --find-dups ~/.gnupg/pubring.kbx'\n\nFile: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging\n" }, { "name": "13.2 Various hints on debugging", "content": "* How to find the IP address of a keyserver\n\nIf a round robin URL of is used for a keyserver (e.g.\nsubkeys.gnupg.org); it is not easy to see what server is actually\nused. Using the keyserver debug option as in\n\ngpg --keyserver-options debug=1 -v --refresh-key 1E42B367\n\nis thus often helpful. Note that the actual output depends on the\nbackend and may change from release to release.\n\n* Logging on WindowsCE\n\nFor development, the best logging method on WindowsCE is the use of\nremote debugging using a log file name of 'tcp://<ip-addr>:<port>'.\nThe command 'watchgnupg' may be used on the remote host to listen\non the given port (*note option watchgnupg --tcp::). For in the\nfield tests it is better to make use of the logging facility\nprovided by the 'gpgcedev' driver (part of libassuan); this is\nenabled by using a log file name of 'GPG2:' (*note option\n--log-file::).\n\nFile: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging\n" }, { "name": "13.3 Commonly Seen Problems", "content": "* Error code 'Not supported' from Dirmngr\n\nMost likely the option 'enable-ocsp' is active for gpgsm but\nDirmngr's OCSP feature has not been enabled using 'allow-ocsp' in\n'dirmngr.conf'.\n\n* The Curses based Pinentry does not work\n\nThe far most common reason for this is that the environment\nvariable 'GPGTTY' has not been set correctly. Make sure that it\nhas been set to a real tty device and not just to '/dev/tty'; i.e.\n'GPGTTY=tty' is plainly wrong; what you want is 'GPGTTY=`tty`' --\nnote the back ticks. Also make sure that this environment variable\ngets exported, that is you should follow up the setting with an\n'export GPGTTY' (assuming a Bourne style shell). Even for GUI\nbased Pinentries; you should have set 'GPGTTY'. See the section\non installing the 'gpg-agent' on how to do it.\n\n* SSH hangs while a popping up pinentry was expected\n\nSSH has no way to tell the gpg-agent what terminal or X display it\nis running on. So when remotely logging into a box where a\ngpg-agent with SSH support is running, the pinentry will get popped\nup on whatever display the gpg-agent has been started. To solve\nthis problem you may issue the command\n\necho UPDATESTARTUPTTY | gpg-connect-agent\n\nand the next pinentry will pop up on your display or screen.\nHowever, you need to kill the running pinentry first because only\none pinentry may be running at once. If you plan to use ssh on a\nnew display you should issue the above command before invoking ssh\nor any other service making use of ssh.\n\n* Exporting a secret key without a certificate\n\nIt may happen that you have created a certificate request using\n'gpgsm' but not yet received and imported the certificate from the\nCA. However, you want to export the secret key to another machine\nright now to import the certificate over there then. You can do\nthis with a little trick but it requires that you know the\napproximate time you created the signing request. By running the\ncommand\n\nls -ltr ~/.gnupg/private-keys-v1.d\n\nyou get a listing of all private keys under control of 'gpg-agent'.\nPick the key which best matches the creation time and run the\ncommand\n\n/usr/lib/gnupg/gpg-protect-tool --p12-export \\\n~/.gnupg/private-keys-v1.d/FOO >FOO.p12\n\n(Please adjust the path to 'gpg-protect-tool' to the appropriate\nlocation). FOO is the name of the key file you picked (it should\nhave the suffix '.key'). A Pinentry box will pop up and ask you\nfor the current passphrase of the key and a new passphrase to\nprotect it in the pkcs#12 file.\n\nTo import the created file on the machine you use this command:\n\n/usr/lib/gnupg/gpg-protect-tool --p12-import --store FOO.p12\n\nYou will be asked for the pkcs#12 passphrase and a new passphrase\nto protect the imported private key at its new location.\n\nNote that there is no easy way to match existing certificates with\nstored private keys because some private keys are used for Secure\nShell or other purposes and don't have a corresponding certificate.\n\n* A root certificate does not verify\n\nA common problem is that the root certificate misses the required\nbasicConstraints attribute and thus 'gpgsm' rejects this\ncertificate. An error message indicating \"no value\" is a sign for\nsuch a certificate. You may use the 'relax' flag in\n'trustlist.txt' to accept the certificate anyway. Note that the\nfingerprint and this flag may only be added manually to\n'trustlist.txt'.\n\n* Error message: \"digest algorithm N has not been enabled\"\n\nThe signature is broken. You may try the option\n'--extra-digest-algo SHA256' to workaround the problem. The number\nN is the internal algorithm identifier; for example 8 refers to\nSHA-256.\n\n* The Windows version does not work under Wine\n\nWhen running the W32 version of 'gpg' under Wine you may get an\nerror messages like:\n\ngpg: fatal: WriteConsole failed: Access denied\n\nThe solution is to use the command 'wineconsole'.\n\nSome operations like '--generate-key' really want to talk to the\nconsole directly for increased security (for example to prevent the\npassphrase from appearing on the screen). So, you should use\n'wineconsole' instead of 'wine', which will launch a windows\nconsole that implements those additional features.\n\n* Why does GPG's -search-key list weird keys?\n\nFor performance reasons the keyservers do not check the keys the\nsame way 'gpg' does. It may happen that the listing of keys\navailable on the keyservers shows keys with wrong user IDs or with\nuser Ids from other keys. If you try to import this key, the bad\nkeys or bad user ids won't get imported, though. This is a bit\nunfortunate but we can't do anything about it without actually\ndownloading the keys.\n\nFile: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging\n" }, { "name": "13.4 How the whole thing works internally", "content": "* Menu:\n\n* Component interaction:: How the components work together.\n* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.\n\nFile: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details\n\n\n\nGnuPG modules\n\nFigure 13.1: GnuPG module overview\n\nFile: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details\n\n\nHere is a little picture showing how the different GnuPG versions make\nuse of a smartcard:\n\n\nGnuPG card architecture\n\nFigure 13.2: GnuPG card architecture\n\nFile: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top\n" } ] }, "GNU General Public License": { "content": "Version 3, 29 June 2007\n\nCopyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>\n\nEveryone is permitted to copy and distribute verbatim copies of this\nlicense document, but changing it is not allowed.\n", "subsections": [ { "name": "Preamble", "content": "The GNU General Public License is a free, copyleft license for software\nand other kinds of works.\n\nThe licenses for most software and other practical works are designed\nto take away your freedom to share and change the works. By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program-to make sure it remains free\nsoftware for all its users. We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors. You can apply it to\nyour programs, too.\n\nWhen we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\nTo protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights. Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\nFor example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received. You must make sure that they, too, receive\nor can get the source code. And you must show them these terms so they\nknow their rights.\n\nDevelopers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\nFor the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software. For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\nSome devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so. This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software. The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable. Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts. If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\nFinally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary. To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\nThe precise terms and conditions for copying, distribution and\nmodification follow.\n\nTERMS AND CONDITIONS\n\n0. Definitions.\n\n\"This License\" refers to version 3 of the GNU General Public\nLicense.\n\n\"Copyright\" also means copyright-like laws that apply to other\nkinds of works, such as semiconductor masks.\n\n\"The Program\" refers to any copyrightable work licensed under this\nLicense. Each licensee is addressed as \"you\". \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\nTo \"modify\" a work means to copy from or adapt all or part of the\nwork in a fashion requiring copyright permission, other than the\nmaking of an exact copy. The resulting work is called a \"modified\nversion\" of the earlier work or a work \"based on\" the earlier work.\n\nA \"covered work\" means either the unmodified Program or a work\nbased on the Program.\n\nTo \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on\na computer or modifying a private copy. Propagation includes\ncopying, distribution (with or without modification), making\navailable to the public, and in some countries other activities as\nwell.\n\nTo \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies. Mere interaction with a user\nthrough a computer network, with no transfer of a copy, is not\nconveying.\n\nAn interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to\nthe extent that warranties are provided), that licensees may convey\nthe work under this License, and how to view a copy of this\nLicense. If the interface presents a list of user commands or\noptions, such as a menu, a prominent item in the list meets this\ncriterion.\n\n1. Source Code.\n\nThe \"source code\" for a work means the preferred form of the work\nfor making modifications to it. \"Object code\" means any non-source\nform of a work.\n\nA \"Standard Interface\" means an interface that either is an\nofficial standard defined by a recognized standards body, or, in\nthe case of interfaces specified for a particular programming\nlanguage, one that is widely used among developers working in that\nlanguage.\n\nThe \"System Libraries\" of an executable work include anything,\nother than the work as a whole, that (a) is included in the normal\nform of packaging a Major Component, but which is not part of that\nMajor Component, and (b) serves only to enable use of the work with\nthat Major Component, or to implement a Standard Interface for\nwhich an implementation is available to the public in source code\nform. A \"Major Component\", in this context, means a major\nessential component (kernel, window system, and so on) of the\nspecific operating system (if any) on which the executable work\nruns, or a compiler used to produce the work, or an object code\ninterpreter used to run it.\n\nThe \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts\nto control those activities. However, it does not include the\nwork's System Libraries, or general-purpose tools or generally\navailable free programs which are used unmodified in performing\nthose activities but which are not part of the work. For example,\nCorresponding Source includes interface definition files associated\nwith source files for the work, and the source code for shared\nlibraries and dynamically linked subprograms that the work is\nspecifically designed to require, such as by intimate data\ncommunication or control flow between those subprograms and other\nparts of the work.\n\nThe Corresponding Source need not include anything that users can\nregenerate automatically from other parts of the Corresponding\nSource.\n\nThe Corresponding Source for a work in source code form is that\nsame work.\n\n2. Basic Permissions.\n\nAll rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met. This License explicitly affirms your unlimited\npermission to run the unmodified Program. The output from running\na covered work is covered by this License only if the output, given\nits content, constitutes a covered work. This License acknowledges\nyour rights of fair use or other equivalent, as provided by\ncopyright law.\n\nYou may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise\nremains in force. You may convey covered works to others for the\nsole purpose of having them make modifications exclusively for you,\nor provide you with facilities for running those works, provided\nthat you comply with the terms of this License in conveying all\nmaterial for which you do not control copyright. Those thus making\nor running the covered works for you must do so exclusively on your\nbehalf, under your direction and control, on terms that prohibit\nthem from making any copies of your copyrighted material outside\ntheir relationship with you.\n\nConveying under any other circumstances is permitted solely under\nthe conditions stated below. Sublicensing is not allowed; section\n10 makes it unnecessary.\n\n3. Protecting Users' Legal Rights From Anti-Circumvention Law.\n\nNo covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under\narticle 11 of the WIPO copyright treaty adopted on 20 December\n1996, or similar laws prohibiting or restricting circumvention of\nsuch measures.\n\nWhen you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such\ncircumvention is effected by exercising rights under this License\nwith respect to the covered work, and you disclaim any intention to\nlimit operation or modification of the work as a means of\nenforcing, against the work's users, your or third parties' legal\nrights to forbid circumvention of technological measures.\n\n4. Conveying Verbatim Copies.\n\nYou may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the\ncode; keep intact all notices of the absence of any warranty; and\ngive all recipients a copy of this License along with the Program.\n\nYou may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n5. Conveying Modified Source Versions.\n\nYou may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these\nconditions:\n\na. The work must carry prominent notices stating that you\nmodified it, and giving a relevant date.\n\nb. The work must carry prominent notices stating that it is\nreleased under this License and any conditions added under\nsection 7. This requirement modifies the requirement in\nsection 4 to \"keep intact all notices\".\n\nc. You must license the entire work, as a whole, under this\nLicense to anyone who comes into possession of a copy. This\nLicense will therefore apply, along with any applicable\nsection 7 additional terms, to the whole of the work, and all\nits parts, regardless of how they are packaged. This License\ngives no permission to license the work in any other way, but\nit does not invalidate such permission if you have separately\nreceived it.\n\nd. If the work has interactive user interfaces, each must display\nAppropriate Legal Notices; however, if the Program has\ninteractive interfaces that do not display Appropriate Legal\nNotices, your work need not make them do so.\n\nA compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered\nwork, and which are not combined with it such as to form a larger\nprogram, in or on a volume of a storage or distribution medium, is\ncalled an \"aggregate\" if the compilation and its resulting\ncopyright are not used to limit the access or legal rights of the\ncompilation's users beyond what the individual works permit.\nInclusion of a covered work in an aggregate does not cause this\nLicense to apply to the other parts of the aggregate.\n\n6. Conveying Non-Source Forms.\n\nYou may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this\nLicense, in one of these ways:\n\na. Convey the object code in, or embodied in, a physical product\n(including a physical distribution medium), accompanied by the\nCorresponding Source fixed on a durable physical medium\ncustomarily used for software interchange.\n\nb. Convey the object code in, or embodied in, a physical product\n(including a physical distribution medium), accompanied by a\nwritten offer, valid for at least three years and valid for as\nlong as you offer spare parts or customer support for that\nproduct model, to give anyone who possesses the object code\neither (1) a copy of the Corresponding Source for all the\nsoftware in the product that is covered by this License, on a\ndurable physical medium customarily used for software\ninterchange, for a price no more than your reasonable cost of\nphysically performing this conveying of source, or (2) access\nto copy the Corresponding Source from a network server at no\ncharge.\n\nc. Convey individual copies of the object code with a copy of the\nwritten offer to provide the Corresponding Source. This\nalternative is allowed only occasionally and noncommercially,\nand only if you received the object code with such an offer,\nin accord with subsection 6b.\n\nd. Convey the object code by offering access from a designated\nplace (gratis or for a charge), and offer equivalent access to\nthe Corresponding Source in the same way through the same\nplace at no further charge. You need not require recipients\nto copy the Corresponding Source along with the object code.\nIf the place to copy the object code is a network server, the\nCorresponding Source may be on a different server (operated by\nyou or a third party) that supports equivalent copying\nfacilities, provided you maintain clear directions next to the\nobject code saying where to find the Corresponding Source.\nRegardless of what server hosts the Corresponding Source, you\nremain obligated to ensure that it is available for as long as\nneeded to satisfy these requirements.\n\ne. Convey the object code using peer-to-peer transmission,\nprovided you inform other peers where the object code and\nCorresponding Source of the work are being offered to the\ngeneral public at no charge under subsection 6d.\n\nA separable portion of the object code, whose source code is\nexcluded from the Corresponding Source as a System Library, need\nnot be included in conveying the object code work.\n\nA \"User Product\" is either (1) a \"consumer product\", which means\nany tangible personal property which is normally used for personal,\nfamily, or household purposes, or (2) anything designed or sold for\nincorporation into a dwelling. In determining whether a product is\na consumer product, doubtful cases shall be resolved in favor of\ncoverage. For a particular product received by a particular user,\n\"normally used\" refers to a typical or common use of that class of\nproduct, regardless of the status of the particular user or of the\nway in which the particular user actually uses, or expects or is\nexpected to use, the product. A product is a consumer product\nregardless of whether the product has substantial commercial,\nindustrial or non-consumer uses, unless such uses represent the\nonly significant mode of use of the product.\n\n\"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to\ninstall and execute modified versions of a covered work in that\nUser Product from a modified version of its Corresponding Source.\nThe information must suffice to ensure that the continued\nfunctioning of the modified object code is in no case prevented or\ninterfered with solely because modification has been made.\n\nIf you convey an object code work under this section in, or with,\nor specifically for use in, a User Product, and the conveying\noccurs as part of a transaction in which the right of possession\nand use of the User Product is transferred to the recipient in\nperpetuity or for a fixed term (regardless of how the transaction\nis characterized), the Corresponding Source conveyed under this\nsection must be accompanied by the Installation Information. But\nthis requirement does not apply if neither you nor any third party\nretains the ability to install modified object code on the User\nProduct (for example, the work has been installed in ROM).\n\nThe requirement to provide Installation Information does not\ninclude a requirement to continue to provide support service,\nwarranty, or updates for a work that has been modified or installed\nby the recipient, or for the User Product in which it has been\nmodified or installed. Access to a network may be denied when the\nmodification itself materially and adversely affects the operation\nof the network or violates the rules and protocols for\ncommunication across the network.\n\nCorresponding Source conveyed, and Installation Information\nprovided, in accord with this section must be in a format that is\npublicly documented (and with an implementation available to the\npublic in source code form), and must require no special password\nor key for unpacking, reading or copying.\n\n7. Additional Terms.\n\n\"Additional permissions\" are terms that supplement the terms of\nthis License by making exceptions from one or more of its\nconditions. Additional permissions that are applicable to the\nentire Program shall be treated as though they were included in\nthis License, to the extent that they are valid under applicable\nlaw. If additional permissions apply only to part of the Program,\nthat part may be used separately under those permissions, but the\nentire Program remains governed by this License without regard to\nthe additional permissions.\n\nWhen you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part\nof it. (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.) You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\nNotwithstanding any other provision of this License, for material\nyou add to a covered work, you may (if authorized by the copyright\nholders of that material) supplement the terms of this License with\nterms:\n\na. Disclaiming warranty or limiting liability differently from\nthe terms of sections 15 and 16 of this License; or\n\nb. Requiring preservation of specified reasonable legal notices\nor author attributions in that material or in the Appropriate\nLegal Notices displayed by works containing it; or\n\nc. Prohibiting misrepresentation of the origin of that material,\nor requiring that modified versions of such material be marked\nin reasonable ways as different from the original version; or\n\nd. Limiting the use for publicity purposes of names of licensors\nor authors of the material; or\n\ne. Declining to grant rights under trademark law for use of some\ntrade names, trademarks, or service marks; or\n\nf. Requiring indemnification of licensors and authors of that\nmaterial by anyone who conveys the material (or modified\nversions of it) with contractual assumptions of liability to\nthe recipient, for any liability that these contractual\nassumptions directly impose on those licensors and authors.\n\nAll other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10. If the Program as\nyou received it, or any part of it, contains a notice stating that\nit is governed by this License along with a term that is a further\nrestriction, you may remove that term. If a license document\ncontains a further restriction but permits relicensing or conveying\nunder this License, you may add to a covered work material governed\nby the terms of that license document, provided that the further\nrestriction does not survive such relicensing or conveying.\n\nIf you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\nAdditional terms, permissive or non-permissive, may be stated in\nthe form of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n8. Termination.\n\nYou may not propagate or modify a covered work except as expressly\nprovided under this License. Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights\nunder this License (including any patent licenses granted under the\nthird paragraph of section 11).\n\nHowever, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the\ncopyright holder fails to notify you of the violation by some\nreasonable means prior to 60 days after the cessation.\n\nMoreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from\nthat copyright holder, and you cure the violation prior to 30 days\nafter your receipt of the notice.\n\nTermination of your rights under this section does not terminate\nthe licenses of parties who have received copies or rights from you\nunder this License. If your rights have been terminated and not\npermanently reinstated, you do not qualify to receive new licenses\nfor the same material under section 10.\n\n9. Acceptance Not Required for Having Copies.\n\nYou are not required to accept this License in order to receive or\nrun a copy of the Program. Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer\ntransmission to receive a copy likewise does not require\nacceptance. However, nothing other than this License grants you\npermission to propagate or modify any covered work. These actions\ninfringe copyright if you do not accept this License. Therefore,\nby modifying or propagating a covered work, you indicate your\nacceptance of this License to do so.\n\n10. Automatic Licensing of Downstream Recipients.\n\nEach time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License. You are not\nresponsible for enforcing compliance by third parties with this\nLicense.\n\nAn \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations. If propagation of a\ncovered work results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or\ncould give under the previous paragraph, plus a right to possession\nof the Corresponding Source of the work from the predecessor in\ninterest, if the predecessor has it or can get it with reasonable\nefforts.\n\nYou may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License. For example, you\nmay not impose a license fee, royalty, or other charge for exercise\nof rights granted under this License, and you may not initiate\nlitigation (including a cross-claim or counterclaim in a lawsuit)\nalleging that any patent claim is infringed by making, using,\nselling, offering for sale, or importing the Program or any portion\nof it.\n\n11. Patents.\n\nA \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based.\nThe work thus licensed is called the contributor's \"contributor\nversion\".\n\nA contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner,\npermitted by this License, of making, using, or selling its\ncontributor version, but do not include claims that would be\ninfringed only as a consequence of further modification of the\ncontributor version. For purposes of this definition, \"control\"\nincludes the right to grant patent sublicenses in a manner\nconsistent with the requirements of this License.\n\nEach contributor grants you a non-exclusive, worldwide,\nroyalty-free patent license under the contributor's essential\npatent claims, to make, use, sell, offer for sale, import and\notherwise run, modify and propagate the contents of its contributor\nversion.\n\nIn the following three paragraphs, a \"patent license\" is any\nexpress agreement or commitment, however denominated, not to\nenforce a patent (such as an express permission to practice a\npatent or covenant not to sue for patent infringement). To \"grant\"\nsuch a patent license to a party means to make such an agreement or\ncommitment not to enforce a patent against the party.\n\nIf you convey a covered work, knowingly relying on a patent\nlicense, and the Corresponding Source of the work is not available\nfor anyone to copy, free of charge and under the terms of this\nLicense, through a publicly available network server or other\nreadily accessible means, then you must either (1) cause the\nCorresponding Source to be so available, or (2) arrange to deprive\nyourself of the benefit of the patent license for this particular\nwork, or (3) arrange, in a manner consistent with the requirements\nof this License, to extend the patent license to downstream\nrecipients. \"Knowingly relying\" means you have actual knowledge\nthat, but for the patent license, your conveying the covered work\nin a country, or your recipient's use of the covered work in a\ncountry, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\nIf, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate,\nmodify or convey a specific copy of the covered work, then the\npatent license you grant is automatically extended to all\nrecipients of the covered work and works based on it.\n\nA patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that\nare specifically granted under this License. You may not convey a\ncovered work if you are a party to an arrangement with a third\nparty that is in the business of distributing software, under which\nyou make payment to the third party based on the extent of your\nactivity of conveying the work, and under which the third party\ngrants, to any of the parties who would receive the covered work\nfrom you, a discriminatory patent license (a) in connection with\ncopies of the covered work conveyed by you (or copies made from\nthose copies), or (b) primarily for and in connection with specific\nproducts or compilations that contain the covered work, unless you\nentered into that arrangement, or that patent license was granted,\nprior to 28 March 2007.\n\nNothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n12. No Surrender of Others' Freedom.\n\nIf conditions are imposed on you (whether by court order, agreement\nor otherwise) that contradict the conditions of this License, they\ndo not excuse you from the conditions of this License. If you\ncannot convey a covered work so as to satisfy simultaneously your\nobligations under this License and any other pertinent obligations,\nthen as a consequence you may not convey it at all. For example,\nif you agree to terms that obligate you to collect a royalty for\nfurther conveying from those to whom you convey the Program, the\nonly way you could satisfy both those terms and this License would\nbe to refrain entirely from conveying the Program.\n\n13. Use with the GNU Affero General Public License.\n\nNotwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a\nsingle combined work, and to convey the resulting work. The terms\nof this License will continue to apply to the part which is the\ncovered work, but the special requirements of the GNU Affero\nGeneral Public License, section 13, concerning interaction through\na network will apply to the combination as such.\n\n14. Revised Versions of this License.\n\nThe Free Software Foundation may publish revised and/or new\nversions of the GNU General Public License from time to time. Such\nnew versions will be similar in spirit to the present version, but\nmay differ in detail to address new problems or concerns.\n\nEach version is given a distinguishing version number. If the\nProgram specifies that a certain numbered version of the GNU\nGeneral Public License \"or any later version\" applies to it, you\nhave the option of following the terms and conditions either of\nthat numbered version or of any later version published by the Free\nSoftware Foundation. If the Program does not specify a version\nnumber of the GNU General Public License, you may choose any\nversion ever published by the Free Software Foundation.\n\nIf the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that\nproxy's public statement of acceptance of a version permanently\nauthorizes you to choose that version for the Program.\n\nLater license versions may give you additional or different\npermissions. However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n15. Disclaimer of Warranty.\n\nTHERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE\nCOPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\"\nWITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,\nINCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE\nRISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.\nSHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL\nNECESSARY SERVICING, REPAIR OR CORRECTION.\n\n16. Limitation of Liability.\n\nIN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN\nWRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES\nAND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR\nDAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR\nCONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE\nTHE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA\nBEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF\nTHE POSSIBILITY OF SUCH DAMAGES.\n\n17. Interpretation of Sections 15 and 16.\n\nIf the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely\napproximates an absolute waiver of all civil liability in\nconnection with the Program, unless a warranty or assumption of\nliability accompanies a copy of the Program in return for a fee.\n\nEND OF TERMS AND CONDITIONS\n" }, { "name": "How to Apply These Terms to Your New Programs", "content": "If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these\nterms.\n\nTo do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least the\n\"copyright\" line and a pointer to where the full notice is found.\n\nONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.\nCopyright (C) YEAR NAME OF AUTHOR\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or (at\nyour option) any later version.\n\nThis program is distributed in the hope that it will be useful, but\nWITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU\nGeneral Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program. If not, see <https://www.gnu.org/licenses/>.\n\nAlso add information on how to contact you by electronic and paper mail.\n\nIf the program does terminal interaction, make it output a short notice\nlike this when it starts in an interactive mode:\n\nPROGRAM Copyright (C) YEAR NAME OF AUTHOR\nThis program comes with ABSOLUTELY NO WARRANTY; for details\ntype 'show w'. This is free software, and you are\nwelcome to redistribute it under certain conditions;\ntype 'show c' for details.\n\nThe hypothetical commands 'show w' and 'show c' should show the\nappropriate parts of the General Public License. Of course, your\nprogram's commands might be different; for a GUI interface, you would\nuse an \"about box\".\n\nYou should also get your employer (if you work as a programmer) or\nschool, if any, to sign a \"copyright disclaimer\" for the program, if\nnecessary. For more information on this, and how to apply and follow\nthe GNU GPL, see <https://www.gnu.org/licenses/>.\n\nThe GNU General Public License does not permit incorporating your\nprogram into proprietary programs. If your program is a subroutine\nlibrary, you may consider it more useful to permit linking proprietary\napplications with the library. If this is what you want to do, use the\nGNU Lesser General Public License instead of this License. But first,\nplease read <https://www.gnu.org/philosophy/why-not-lgpl.html>.\n\nFile: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top\n" } ] }, "Contributors to GnuPG": { "content": "The GnuPG project would like to thank its many contributors. Without\nthem the project would not have been nearly as successful as it has\nbeen. Any omissions in this list are accidental. Feel free to contact\nthe maintainer if you have been left out or some of your contributions\nare not listed.\n\nDavid Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils\nEllmenreich, Re'mi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch\nwrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,\nEdmund GRIMLEY EVANS, Gae\"l Que'ri, Gregory Steuck, Nagy Ferenc L??szl??,\nIvo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander Urbanowicz,\nJedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda Procha'zkova',\nMichael Anckaert, Michal Majer, Marco d'Itri, Nilgun Belma Buguner,\nPedro Morais, Tedi Heriyanto, Thiago Jung Bauermann, Rafael Caetano dos\nSantos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki IIDA did the\nofficial translations. Mike Ashley wrote and maintains the GNU Privacy\nHandbook. David Scribner is the current FAQ editor. Lorenzo\nCappelletti maintains the web site.\n\nThe new modularized architecture of gnupg 1.9 as well as the\nX.509/CMS part has been developed as part of the A\"gypten project.\nDirect contributors to this project are: Bernhard Herzog, who did\nextensive testing and tracked down a lot of bugs. Bernhard Reiter, who\nmade sure that we met the specifications and the deadlines. He did\nextensive testing and came up with a lot of suggestions. Jan-Oliver\nWagner made sure that we met the specifications and the deadlines. He\nalso did extensive testing and came up with a lot of suggestions.\nKarl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and\nmisconceptions while working on KDE integration. Marcus Brinkman\nextended GPGME, cleaned up the Assuan code and fixed bugs all over the\nplace. Moritz Schulte took over Libgcrypt maintenance and developed it\ninto a stable an useful library. Steffen Hansen had a hard time to\nwrite the dirmngr due to underspecified interfaces. Thomas Koester did\nextensive testing and tracked down a lot of bugs. Werner Koch designed\nthe system and wrote most of the code.\n\nThe following people helped greatly by suggesting improvements,\ntesting, fixing bugs, providing resources and doing other important\ntasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand\nKumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,\nBodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian\nMoore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de\nGriend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,\nChristian Kurz, Christian von Roques, Christopher Oliver, Christian\nRecktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,\nDavid C Niemi, David Champion, David Ellement, David Hallinan, David\nHollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,\nDirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,\nEdmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,\nFabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco\nPotorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,\nGabriel Rosenkoetter, Gae\"l Que'ri, Gene Carter, Geoff Keating, Georg\nSchwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg\nTroxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,\nHendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh\nDaniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan\nNiehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff\nLong, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio\nMG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,\nJohn A. Martin, Johnny Tevessen, Jo\"rg Schilling, Jos Backus, Joseph\nWalton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,\nKarsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin\nRyde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,\nM Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus\nBrinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin\nKahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,\nMatthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,\nMichael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael\nTokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.\nBeebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver\nHaakert, Oskari Ja\"a\"skela\"inen, Pascal Scheffers, Paul D. Smith, Per\nCederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter\nGutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,\nRalph Gillen, Rat, Reinhard Wobst, Re'mi Guyomarch, Reuben Sumner,\nRichard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,\nRoland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,\nSami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL\nBaur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,\nSteffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne\nSchultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas\nRoessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom\nSpindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,\nTomasz Kozlowski, Thomas Mikkelsen, Ulf Mo\"ller, Urko Lusa, Vincent P.\nBroman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne\nChapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki\nand Gerlinde Klaes.\n\nThis software has been made possible by the previous work of Chris\nWedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul\nKendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher\nElgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA\nmathematicians and all the folks who have worked hard to create complete\nand free operating systems.\n\nAnd finally we'd like to thank everyone who uses these tools, submits\nbug reports and generally reminds us why we're doing this work in the\nfirst place.\n\nFile: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top\n", "subsections": [] }, "Glossary": { "content": "'ARL'\nThe Authority Revocation List is technical identical to a CRL but\nused for CAs and not for end user certificates.\n\n'Chain model'\nVerification model for X.509 which uses the creation date of a\nsignature as the date the validation starts and in turn checks that\neach certificate has been issued within the time frame, the issuing\ncertificate was valid. This allows the verification of signatures\nafter the CA's certificate expired. The validation test also\nrequired an online check of the certificate status. The chain\nmodel is required by the German signature law. See also Shell\nmodel.\n\n'CMS'\nThe Cryptographic Message Standard describes a message format for\nencryption and digital signing. It is closely related to the X.509\ncertificate format. CMS was formerly known under the name 'PKCS#7'\nand is described by 'RFC3369'.\n\n'CRL'\nThe Certificate Revocation List is a list containing certificates\nrevoked by the issuer.\n\n'CSR'\nThe Certificate Signing Request is a message send to a CA to ask\nthem to issue a new certificate. The data format of such a signing\nrequest is called PCKS#10.\n\n'OpenPGP'\nA data format used to build a PKI and to exchange encrypted or\nsigned messages. In contrast to X.509, OpenPGP also includes the\nmessage format but does not explicitly demand a specific PKI.\nHowever any kind of PKI may be build upon the OpenPGP protocol.\n\n'Keygrip'\nThis term is used by GnuPG to describe a 20 byte hash value used to\nidentify a certain key without referencing to a concrete protocol.\nIt is used internally to access a private key. Usually it is shown\nand entered as a 40 character hexadecimal formatted string.\n\n'OCSP'\nThe Online Certificate Status Protocol is used as an alternative\nto a CRL. It is described in 'RFC 2560'.\n\n'PSE'\nThe Personal Security Environment describes a database to store\nprivate keys. This is either a smartcard or a collection of files\non a disk; the latter is often called a Soft-PSE.\n\n'Shell model'\nThe standard model for validation of certificates under X.509. At\nthe time of the verification all certificates must be valid and not\nexpired. See also Chain model.\n\n'X.509'\nDescription of a PKI used with CMS. It is for example defined by\n'RFC3280'.\n\nFile: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top\n", "subsections": [] }, "Option Index": { "content": "* Menu:\n\n* add-servers: Dirmngr Options. (line 267)\n* agent-program: GPG Configuration Options.\n(line 732)\n* agent-program <1>: Configuration Options.\n(line 46)\n* agent-program <2>: Invoking gpg-connect-agent.\n(line 42)\n* allow-admin: Scdaemon Options. (line 197)\n* allow-emacs-pinentry: Agent Options. (line 187)\n* allow-freeform-uid: GPG Esoteric Options.\n(line 367)\n* allow-loopback-pinentry: Agent Options. (line 169)\n* allow-multiple-messages: GPG Esoteric Options.\n(line 542)\n* allow-non-selfsigned-uid: GPG Esoteric Options.\n(line 362)\n* allow-ocsp: Dirmngr Options. (line 284)\n* allow-preset-passphrase: Agent Options. (line 164)\n* allow-secret-key-import: GPG Esoteric Options.\n(line 538)\n* allow-version-check: Dirmngr Options. (line 135)\n* allow-weak-digest-algos: GPG Esoteric Options.\n(line 403)\n* allow-weak-key-signatures: GPG Esoteric Options.\n(line 419)\n* always-trust: Deprecated Options. (line 21)\n* armor: GPG Input and Output.\n(line 8)\n* armor <1>: Input and Output. (line 8)\n* ask-cert-expire: GPG Esoteric Options.\n(line 514)\n* ask-cert-level: GPG Configuration Options.\n(line 347)\n* ask-sig-expire: GPG Esoteric Options.\n(line 500)\n* assume-armor: Input and Output. (line 14)\n* assume-base64: Input and Output. (line 18)\n* assume-binary: Input and Output. (line 21)\n* attribute-fd: GPG Esoteric Options.\n(line 92)\n* attribute-file: GPG Esoteric Options.\n(line 98)\n* auto-check-trustdb: GPG Configuration Options.\n(line 719)\n* auto-expand-secmem: Agent Options. (line 419)\n* auto-issuer-key-retrieve: Certificate Options. (line 62)\n* auto-key-import: GPG Configuration Options.\n(line 554)\n* auto-key-locate: GPG Configuration Options.\n(line 494)\n* auto-key-retrieve: GPG Configuration Options.\n(line 566)\n* base64: Input and Output. (line 11)\n* batch: Agent Options. (line 48)\n* batch <1>: GPG Configuration Options.\n(line 43)\n* bzip2-compress-level: GPG Configuration Options.\n(line 321)\n* bzip2-decompress-lowmem: GPG Configuration Options.\n(line 331)\n* c: Dirmngr Options. (line 87)\n* cache-cert: dirmngr-client. (line 72)\n* call-dirmngr: Operational GPGSM Commands.\n(line 27)\n* call-protect-tool: Operational GPGSM Commands.\n(line 41)\n* card-edit: Operational GPG Commands.\n(line 205)\n* card-status: Operational GPG Commands.\n(line 211)\n* card-timeout: Scdaemon Options. (line 173)\n* cert-digest-algo: GPG Esoteric Options.\n(line 238)\n* cert-notation: GPG Esoteric Options.\n(line 124)\n* cert-policy-url: GPG Esoteric Options.\n(line 160)\n* change-passphrase: OpenPGP Key Management.\n(line 449)\n* change-passphrase <1>: Certificate Management.\n(line 109)\n* change-pin: Operational GPG Commands.\n(line 214)\n* check-passphrase-pattern: Agent Options. (line 240)\n* check-signatures: Operational GPG Commands.\n(line 140)\n* check-sigs: Operational GPG Commands.\n(line 141)\n* check-trustdb: Operational GPG Commands.\n(line 344)\n* cipher-algo: GPG Esoteric Options.\n(line 199)\n* cipher-algo <1>: CMS Options. (line 13)\n* clear-sign: Operational GPG Commands.\n(line 17)\n* clearsign: Operational GPG Commands.\n(line 18)\n* cms: gpgtar. (line 99)\n* command-fd: GPG Esoteric Options.\n(line 350)\n* command-file: GPG Esoteric Options.\n(line 357)\n* comment: GPG Esoteric Options.\n(line 103)\n* compliance: Compliance Options. (line 67)\n* compliant-needed: GPG Configuration Options.\n(line 694)\n* compress-algo: GPG Esoteric Options.\n(line 215)\n* compress-level: GPG Configuration Options.\n(line 321)\n* connect-quick-timeout: Dirmngr Options. (line 122)\n* connect-timeout: Dirmngr Options. (line 122)\n* create: gpgtar. (line 16)\n* create-socketdir: Invoking gpgconf. (line 91)\n* csh: Agent Options. (line 138)\n* csh <1>: Dirmngr Options. (line 87)\n* ctapi-driver: Scdaemon Options. (line 150)\n* daemon: Agent Commands. (line 27)\n* daemon <1>: Dirmngr Commands. (line 27)\n* daemon <2>: Scdaemon Commands. (line 31)\n* dearmor: Operational GPG Commands.\n(line 398)\n* debug: Agent Options. (line 82)\n* debug <1>: Dirmngr Options. (line 59)\n* debug <2>: GPG Esoteric Options.\n(line 47)\n* debug <3>: Esoteric Options. (line 54)\n* debug <4>: Scdaemon Options. (line 69)\n* debug-all: Agent Options. (line 106)\n* debug-all <1>: Dirmngr Options. (line 66)\n* debug-all <2>: GPG Esoteric Options.\n(line 53)\n* debug-all <3>: Esoteric Options. (line 81)\n* debug-all <4>: Scdaemon Options. (line 96)\n* debug-allow-core-dump: Esoteric Options. (line 84)\n* debug-allow-core-dump <1>: Scdaemon Options. (line 113)\n* debug-assuan-log-cats: Scdaemon Options. (line 122)\n* debug-disable-ticker: Scdaemon Options. (line 109)\n* debug-ignore-expiration: Esoteric Options. (line 95)\n* debug-iolbf: GPG Esoteric Options.\n(line 56)\n* debug-level: Agent Options. (line 57)\n* debug-level <1>: Dirmngr Options. (line 34)\n* debug-level <2>: GPG Esoteric Options.\n(line 22)\n* debug-level <3>: Esoteric Options. (line 29)\n* debug-level <4>: Scdaemon Options. (line 40)\n* debug-log-tid: Scdaemon Options. (line 119)\n* debug-no-chain-validation: Esoteric Options. (line 91)\n* debug-pinentry: Agent Options. (line 126)\n* debug-quick-random: Agent Options. (line 114)\n* debug-wait: Agent Options. (line 109)\n* debug-wait <1>: Dirmngr Options. (line 74)\n* debug-wait <2>: Scdaemon Options. (line 99)\n* debug-wait <3>: Scdaemon Options. (line 104)\n* decode: Invoking gpg-connect-agent.\n(line 95)\n* decrypt: Operational GPG Commands.\n(line 59)\n* decrypt <1>: Operational GPGSM Commands.\n(line 11)\n* decrypt <2>: gpgtar. (line 29)\n* decrypt-files: Operational GPG Commands.\n(line 114)\n* default-cache-ttl: Agent Options. (line 198)\n* default-cache-ttl <1>: Agent Options. (line 207)\n* default-cert-expire: GPG Esoteric Options.\n(line 520)\n* default-cert-level: GPG Configuration Options.\n(line 355)\n* default-key: GPG Configuration Options.\n(line 10)\n* default-key <1>: Input and Output. (line 34)\n* default-keyserver-url: GPG Esoteric Options.\n(line 571)\n* default-new-key-algo STRING: GPG Esoteric Options.\n(line 527)\n* default-preference-list: GPG Esoteric Options.\n(line 566)\n* default-recipient: GPG Configuration Options.\n(line 19)\n* default-recipient-self: GPG Configuration Options.\n(line 23)\n* default-sig-expire: GPG Esoteric Options.\n(line 506)\n* delete-keys: Operational GPG Commands.\n(line 219)\n* delete-keys <1>: Certificate Management.\n(line 60)\n* delete-secret-and-public-key: Operational GPG Commands.\n(line 239)\n* delete-secret-keys: Operational GPG Commands.\n(line 228)\n* deny-admin: Scdaemon Options. (line 197)\n* desig-revoke: OpenPGP Key Management.\n(line 134)\n* detach-sign: Operational GPG Commands.\n(line 28)\n* digest-algo: GPG Esoteric Options.\n(line 208)\n* directory: gpgtar. (line 76)\n* directory <1>: gpg-wks-client. (line 115)\n* directory <2>: gpg-wks-server. (line 50)\n* dirmngr: Invoking gpg-connect-agent.\n(line 54)\n* dirmngr-program: GPG Configuration Options.\n(line 739)\n* dirmngr-program <1>: Configuration Options.\n(line 52)\n* dirmngr-program <2>: Invoking gpg-connect-agent.\n(line 49)\n* disable-application: Scdaemon Options. (line 207)\n* disable-ccid: Scdaemon Options. (line 155)\n* disable-check-own-socket: Agent Options. (line 305)\n* disable-check-own-socket <1>: Dirmngr Options. (line 79)\n* disable-cipher-algo: GPG Esoteric Options.\n(line 246)\n* disable-crl-checks: Certificate Options. (line 13)\n* disable-dsa2: GPG Configuration Options.\n(line 191)\n* disable-extended-key-format: Agent Options. (line 351)\n* disable-http: Dirmngr Options. (line 206)\n* disable-ipv4: Dirmngr Options. (line 200)\n* disable-ipv6: Dirmngr Options. (line 200)\n* disable-large-rsa: GPG Configuration Options.\n(line 182)\n* disable-ldap: Dirmngr Options. (line 203)\n* disable-mdc: OpenPGP Options. (line 25)\n* disable-ocsp: Certificate Options. (line 53)\n* disable-pinpad: Scdaemon Options. (line 194)\n* disable-policy-checks: Certificate Options. (line 8)\n* disable-pubkey-algo: GPG Esoteric Options.\n(line 251)\n* disable-scdaemon: Agent Options. (line 299)\n* disable-signer-uid: OpenPGP Options. (line 31)\n* disable-trusted-cert-crl-check: Certificate Options. (line 24)\n* display: Agent Options. (line 323)\n* display-charset: GPG Configuration Options.\n(line 276)\n* display-charset:iso-8859-1: GPG Configuration Options.\n(line 285)\n* display-charset:iso-8859-15: GPG Configuration Options.\n(line 291)\n* display-charset:iso-8859-2: GPG Configuration Options.\n(line 288)\n* display-charset:koi8-r: GPG Configuration Options.\n(line 294)\n* display-charset:utf-8: GPG Configuration Options.\n(line 297)\n* dry-run: GPG Esoteric Options.\n(line 8)\n* dry-run <1>: gpgtar. (line 72)\n* dump-cert: Certificate Management.\n(line 36)\n* dump-chain: Certificate Management.\n(line 40)\n* dump-external-keys: Certificate Management.\n(line 47)\n* dump-keys: Certificate Management.\n(line 36)\n* dump-options: Agent Commands. (line 19)\n* dump-options <1>: Dirmngr Commands. (line 18)\n* dump-options <2>: General GPG Commands.\n(line 20)\n* dump-options <3>: General GPGSM Commands.\n(line 19)\n* dump-options <4>: Scdaemon Commands. (line 18)\n* dump-secret-keys: Certificate Management.\n(line 43)\n* edit-card: Operational GPG Commands.\n(line 204)\n* edit-key: OpenPGP Key Management.\n(line 139)\n* emit-version: GPG Esoteric Options.\n(line 114)\n* enable-crl-checks: Certificate Options. (line 13)\n* enable-dsa2: GPG Configuration Options.\n(line 191)\n* enable-extended-key-format: Agent Options. (line 351)\n* enable-issuer-based-crl-check: Certificate Options. (line 45)\n* enable-large-rsa: GPG Configuration Options.\n(line 182)\n* enable-ocsp: Certificate Options. (line 53)\n* enable-passphrase-history: Agent Options. (line 259)\n* enable-pinpad-varlen: Scdaemon Options. (line 186)\n* enable-policy-checks: Certificate Options. (line 8)\n* enable-progress-filter: GPG Esoteric Options.\n(line 69)\n* enable-putty-support: Agent Options. (line 365)\n* enable-special-filenames: GPG Esoteric Options.\n(line 553)\n* enable-special-filenames <1>: gpgv. (line 97)\n* enable-ssh-support: Agent Options. (line 365)\n* enable-trusted-cert-crl-check: Certificate Options. (line 24)\n* enarmor: Operational GPG Commands.\n(line 398)\n* encrypt: Operational GPG Commands.\n(line 32)\n* encrypt <1>: Operational GPGSM Commands.\n(line 7)\n* encrypt <2>: gpgtar. (line 23)\n* encrypt-files: Operational GPG Commands.\n(line 111)\n* encrypt-to: GPG Key related Options.\n(line 35)\n* enforce-passphrase-constraints: Agent Options. (line 225)\n* escape-from-lines: GPG Esoteric Options.\n(line 276)\n* exec: Invoking gpg-connect-agent.\n(line 65)\n* exec-path: GPG Configuration Options.\n(line 220)\n* exit-on-status-write-error: GPG Configuration Options.\n(line 768)\n* expert: GPG Configuration Options.\n(line 823)\n* export: Operational GPG Commands.\n(line 245)\n* export <1>: Certificate Management.\n(line 69)\n* export-filter: GPG Input and Output.\n(line 131)\n* export-options: GPG Input and Output.\n(line 220)\n* export-ownertrust: Operational GPG Commands.\n(line 359)\n* export-secret-key-p12: Certificate Management.\n(line 82)\n* export-secret-key-p8: Certificate Management.\n(line 91)\n* export-secret-key-raw: Certificate Management.\n(line 91)\n* export-secret-keys: Operational GPG Commands.\n(line 263)\n* export-secret-subkeys: Operational GPG Commands.\n(line 263)\n* export-ssh-key: Operational GPG Commands.\n(line 285)\n* extra-digest-algo: Esoteric Options. (line 7)\n* extra-socket: Agent Options. (line 337)\n* extract: gpgtar. (line 19)\n* faked-system-time: Agent Options. (line 52)\n* faked-system-time <1>: GPG Esoteric Options.\n(line 60)\n* faked-system-time <2>: Esoteric Options. (line 18)\n* fast-list-mode: GPG Esoteric Options.\n(line 455)\n* fetch-crl: Dirmngr Commands. (line 52)\n* fetch-keys: Operational GPG Commands.\n(line 328)\n* fingerprint: Operational GPG Commands.\n(line 189)\n* fixed-list-mode: GPG Input and Output.\n(line 284)\n* flush: Dirmngr Commands. (line 62)\n* for-your-eyes-only: GPG Esoteric Options.\n(line 185)\n* force: Dirmngr Options. (line 93)\n* force <1>: watchgnupg. (line 23)\n* force-crl-refresh: Certificate Options. (line 35)\n* force-default-responder: dirmngr-client. (line 64)\n* force-mdc: OpenPGP Options. (line 25)\n* forget: Invoking gpg-preset-passphrase.\n(line 26)\n* from: gpg-wks-server. (line 54)\n* full-gen-key: OpenPGP Key Management.\n(line 111)\n* full-generate-key: OpenPGP Key Management.\n(line 110)\n* gen-key: OpenPGP Key Management.\n(line 104)\n* gen-key <1>: Certificate Management.\n(line 8)\n* gen-prime: Operational GPG Commands.\n(line 393)\n* gen-random: Operational GPG Commands.\n(line 386)\n* gen-revoke: OpenPGP Key Management.\n(line 120)\n* generate-designated-revocation: OpenPGP Key Management.\n(line 133)\n* generate-key: OpenPGP Key Management.\n(line 103)\n* generate-key <1>: Certificate Management.\n(line 7)\n* generate-revocation: OpenPGP Key Management.\n(line 119)\n* gnupg: Compliance Options. (line 12)\n* gpg: gpgtar. (line 110)\n* gpg-agent-info: GPG Configuration Options.\n(line 729)\n* gpg-args: gpgtar. (line 113)\n* gpgconf-list: GPG Esoteric Options.\n(line 587)\n* gpgconf-test: GPG Esoteric Options.\n(line 591)\n* grab: Agent Options. (line 145)\n* group: GPG Key related Options.\n(line 55)\n* header: gpg-wks-server. (line 57)\n* help: Agent Commands. (line 15)\n* help <1>: Dirmngr Commands. (line 14)\n* help <2>: General GPG Commands.\n(line 12)\n* help <3>: General GPGSM Commands.\n(line 11)\n* help <4>: Scdaemon Commands. (line 14)\n* help <5>: watchgnupg. (line 39)\n* help <6>: dirmngr-client. (line 44)\n* help <7>: gpgtar. (line 125)\n* help <8>: gpg-wks-client. (line 128)\n* help <9>: gpg-wks-server. (line 87)\n* hex: Invoking gpg-connect-agent.\n(line 91)\n* hidden-encrypt-to: GPG Key related Options.\n(line 43)\n* hidden-recipient: GPG Key related Options.\n(line 14)\n* hidden-recipient-file: GPG Key related Options.\n(line 29)\n* homedir: Agent Options. (line 17)\n* homedir <1>: GPG Configuration Options.\n(line 255)\n* homedir <2>: Configuration Options.\n(line 16)\n* homedir <3>: Scdaemon Options. (line 13)\n* homedir <4>: gpgv. (line 69)\n* homedir <5>: Invoking gpgconf. (line 115)\n* homedir <6>: Invoking gpg-connect-agent.\n(line 21)\n* homedir <7>: Invoking symcryptrun.\n(line 36)\n* honor-http-proxy: Dirmngr Options. (line 225)\n* http-proxy: Dirmngr Options. (line 229)\n* ignore-cache-for-signing: Agent Options. (line 192)\n* ignore-cert-extension: Dirmngr Options. (line 333)\n* ignore-cert-extension <1>: Certificate Options. (line 82)\n* ignore-crc-error: GPG Esoteric Options.\n(line 387)\n* ignore-http-dp: Dirmngr Options. (line 209)\n* ignore-ldap-dp: Dirmngr Options. (line 216)\n* ignore-mdc-error: GPG Esoteric Options.\n(line 394)\n* ignore-ocsp-service-url: Dirmngr Options. (line 221)\n* ignore-time-conflict: GPG Esoteric Options.\n(line 373)\n* ignore-time-conflict <1>: gpgv. (line 63)\n* ignore-valid-from: GPG Esoteric Options.\n(line 380)\n* import: Operational GPG Commands.\n(line 299)\n* import <1>: Certificate Management.\n(line 99)\n* import-filter: GPG Input and Output.\n(line 131)\n* import-options: GPG Input and Output.\n(line 45)\n* import-ownertrust: Operational GPG Commands.\n(line 365)\n* include-certs: CMS Options. (line 7)\n* include-key-block: OpenPGP Options. (line 38)\n* input-size-hint: GPG Input and Output.\n(line 29)\n* interactive: GPG Esoteric Options.\n(line 19)\n* keep-display: Agent Options. (line 328)\n* keep-tty: Agent Options. (line 328)\n* key-origin: GPG Input and Output.\n(line 37)\n* keydb-clear-some-cert-flags: Certificate Management.\n(line 52)\n* keyedit:addcardkey: OpenPGP Key Management.\n(line 281)\n* keyedit:addkey: OpenPGP Key Management.\n(line 278)\n* keyedit:addphoto: OpenPGP Key Management.\n(line 201)\n* keyedit:addrevoker: OpenPGP Key Management.\n(line 330)\n* keyedit:adduid: OpenPGP Key Management.\n(line 198)\n* keyedit:bkuptocard: OpenPGP Key Management.\n(line 295)\n* keyedit:change-usage: OpenPGP Key Management.\n(line 357)\n* keyedit:check: OpenPGP Key Management.\n(line 194)\n* keyedit:clean: OpenPGP Key Management.\n(line 343)\n* keyedit:cross-certify: OpenPGP Key Management.\n(line 366)\n* keyedit:delkey: OpenPGP Key Management.\n(line 306)\n* keyedit:delsig: OpenPGP Key Management.\n(line 184)\n* keyedit:deluid: OpenPGP Key Management.\n(line 211)\n* keyedit:disable: OpenPGP Key Management.\n(line 326)\n* keyedit:enable: OpenPGP Key Management.\n(line 326)\n* keyedit:expire: OpenPGP Key Management.\n(line 315)\n* keyedit:key: OpenPGP Key Management.\n(line 148)\n* keyedit:keyserver: OpenPGP Key Management.\n(line 228)\n* keyedit:keytocard: OpenPGP Key Management.\n(line 284)\n* keyedit:lsign: OpenPGP Key Management.\n(line 159)\n* keyedit:minimize: OpenPGP Key Management.\n(line 352)\n* keyedit:notation: OpenPGP Key Management.\n(line 235)\n* keyedit:nrsign: OpenPGP Key Management.\n(line 164)\n* keyedit:passwd: OpenPGP Key Management.\n(line 336)\n* keyedit:pref: OpenPGP Key Management.\n(line 243)\n* keyedit:primary: OpenPGP Key Management.\n(line 220)\n* keyedit:quit: OpenPGP Key Management.\n(line 377)\n* keyedit:revkey: OpenPGP Key Management.\n(line 312)\n* keyedit:revsig: OpenPGP Key Management.\n(line 189)\n* keyedit:revuid: OpenPGP Key Management.\n(line 217)\n* keyedit:save: OpenPGP Key Management.\n(line 374)\n* keyedit:setpref: OpenPGP Key Management.\n(line 255)\n* keyedit:showphoto: OpenPGP Key Management.\n(line 208)\n* keyedit:showpref: OpenPGP Key Management.\n(line 247)\n* keyedit:sign: OpenPGP Key Management.\n(line 152)\n* keyedit:toggle: OpenPGP Key Management.\n(line 339)\n* keyedit:trust: OpenPGP Key Management.\n(line 321)\n* keyedit:tsign: OpenPGP Key Management.\n(line 168)\n* keyedit:uid: OpenPGP Key Management.\n(line 144)\n* keyid-format: GPG Configuration Options.\n(line 603)\n* keyring: GPG Configuration Options.\n(line 224)\n* keyring <1>: gpgv. (line 38)\n* keyserver: Dirmngr Options. (line 145)\n* keyserver <1>: GPG Configuration Options.\n(line 612)\n* keyserver-options: GPG Configuration Options.\n(line 635)\n* kill: Invoking gpgconf. (line 84)\n* known-notation: GPG Esoteric Options.\n(line 151)\n* launch: Invoking gpgconf. (line 76)\n* lc-ctype: Agent Options. (line 323)\n* lc-messages: Agent Options. (line 323)\n* ldap-proxy: Dirmngr Options. (line 234)\n* ldapserverlist-file: Dirmngr Options. (line 245)\n* ldaptimeout: Dirmngr Options. (line 263)\n* learn-card: Certificate Management.\n(line 104)\n* legacy-list-mode: GPG Input and Output.\n(line 290)\n* limit-card-insert-tries: GPG Configuration Options.\n(line 777)\n* list-archive: gpgtar. (line 39)\n* list-chain: Certificate Management.\n(line 32)\n* list-config: GPG Esoteric Options.\n(line 576)\n* list-crls: Dirmngr Commands. (line 40)\n* list-gcrypt-config: GPG Esoteric Options.\n(line 584)\n* list-keys: Operational GPG Commands.\n(line 119)\n* list-keys <1>: Certificate Management.\n(line 17)\n* list-keys <2>: Certificate Management.\n(line 28)\n* list-only: GPG Esoteric Options.\n(line 11)\n* list-options: GPG Configuration Options.\n(line 66)\n* list-options:show-keyring: GPG Configuration Options.\n(line 114)\n* list-options:show-keyserver-urls: GPG Configuration Options.\n(line 98)\n* list-options:show-notations: GPG Configuration Options.\n(line 94)\n* list-options:show-only-fpr-mbox: GPG Configuration Options.\n(line 129)\n* list-options:show-photos: GPG Configuration Options.\n(line 74)\n* list-options:show-policy-urls: GPG Configuration Options.\n(line 88)\n* list-options:show-sig-expire: GPG Configuration Options.\n(line 118)\n* list-options:show-sig-subpackets: GPG Configuration Options.\n(line 122)\n* list-options:show-std-notations: GPG Configuration Options.\n(line 94)\n* list-options:show-uid-validity: GPG Configuration Options.\n(line 102)\n* list-options:show-unusable-subkeys: GPG Configuration Options.\n(line 110)\n* list-options:show-unusable-uids: GPG Configuration Options.\n(line 106)\n* list-options:show-usage: GPG Configuration Options.\n(line 82)\n* list-options:show-user-notations: GPG Configuration Options.\n(line 94)\n* list-packets: Operational GPG Commands.\n(line 198)\n* list-secret-keys: Operational GPG Commands.\n(line 130)\n* list-secret-keys <1>: Certificate Management.\n(line 24)\n* list-signatures: GPG Esoteric Options.\n(line 443)\n* list-sigs: GPG Esoteric Options.\n(line 444)\n* listen-backlog: Agent Options. (line 333)\n* listen-backlog <1>: Dirmngr Options. (line 131)\n* listen-backlog <2>: Scdaemon Options. (line 135)\n* load-crl: Dirmngr Commands. (line 44)\n* load-crl <1>: dirmngr-client. (line 80)\n* local-user: GPG Key related Options.\n(line 77)\n* local-user <1>: Input and Output. (line 41)\n* local-user <2>: gpgtar. (line 53)\n* locate-external-keys: Operational GPG Commands.\n(line 170)\n* locate-keys: Operational GPG Commands.\n(line 170)\n* lock-multiple: GPG Configuration Options.\n(line 757)\n* lock-never: GPG Configuration Options.\n(line 761)\n* lock-once: GPG Configuration Options.\n(line 753)\n* log-file: Agent Options. (line 151)\n* log-file <1>: Dirmngr Options. (line 30)\n* log-file <2>: GPG Esoteric Options.\n(line 86)\n* log-file <3>: Configuration Options.\n(line 73)\n* log-file <4>: Scdaemon Options. (line 140)\n* log-file <5>: gpgv. (line 59)\n* log-file <6>: Invoking symcryptrun.\n(line 57)\n* logger-fd: GPG Esoteric Options.\n(line 82)\n* logger-fd <1>: gpgv. (line 56)\n* lookup: dirmngr-client. (line 86)\n* lsign-key: OpenPGP Key Management.\n(line 392)\n* mangle-dos-filenames: GPG Configuration Options.\n(line 339)\n* marginals-needed: GPG Configuration Options.\n(line 698)\n* max-cache-ttl: Agent Options. (line 213)\n* max-cache-ttl-ssh: Agent Options. (line 219)\n* max-cert-depth: GPG Configuration Options.\n(line 706)\n* max-output: GPG Input and Output.\n(line 19)\n* max-passphrase-days: Agent Options. (line 254)\n* max-replies: Dirmngr Options. (line 330)\n* min-cert-level: GPG Configuration Options.\n(line 384)\n* min-passphrase-len: Agent Options. (line 229)\n* min-passphrase-nonalpha: Agent Options. (line 234)\n* multi-server: Scdaemon Commands. (line 26)\n* multifile: Operational GPG Commands.\n(line 100)\n* nameserver: Dirmngr Options. (line 192)\n* no: GPG Configuration Options.\n(line 63)\n* no-allow-external-cache: Agent Options. (line 177)\n* no-allow-loopback-pinentry: Agent Options. (line 169)\n* no-allow-mark-trusted: Agent Options. (line 159)\n* no-armor: GPG Input and Output.\n(line 12)\n* no-auto-key-import: GPG Configuration Options.\n(line 554)\n* no-auto-key-retrieve: GPG Configuration Options.\n(line 566)\n* no-autostart: GPG Configuration Options.\n(line 746)\n* no-autostart <1>: Configuration Options.\n(line 62)\n* no-autostart <2>: Invoking gpg-connect-agent.\n(line 77)\n* no-batch: GPG Configuration Options.\n(line 43)\n* no-common-certs-import: Esoteric Options. (line 132)\n* no-default-keyring: GPG Esoteric Options.\n(line 424)\n* no-default-recipient: GPG Configuration Options.\n(line 29)\n* no-detach: Agent Options. (line 131)\n* no-detach <1>: Scdaemon Options. (line 131)\n* no-encrypt-to: GPG Key related Options.\n(line 51)\n* no-expensive-trust-checks: GPG Esoteric Options.\n(line 558)\n* no-ext-connect: Invoking gpg-connect-agent.\n(line 72)\n* no-grab: Agent Options. (line 145)\n* no-greeting: GPG Configuration Options.\n(line 791)\n* no-groups: GPG Key related Options.\n(line 73)\n* no-keyring: GPG Esoteric Options.\n(line 431)\n* no-literal: GPG Esoteric Options.\n(line 463)\n* no-mangle-dos-filenames: GPG Configuration Options.\n(line 339)\n* no-options: GPG Configuration Options.\n(line 314)\n* no-random-seed-file: GPG Configuration Options.\n(line 785)\n* no-secmem-warning: GPG Configuration Options.\n(line 794)\n* no-secmem-warning <1>: Configuration Options.\n(line 69)\n* no-sig-cache: GPG Configuration Options.\n(line 709)\n* no-skip-hidden-recipients: GPG Key related Options.\n(line 108)\n* no-symkey-cache: GPG Esoteric Options.\n(line 337)\n* no-tty: GPG Configuration Options.\n(line 55)\n* no-use-standard-socket: Agent Options. (line 313)\n* no-use-tor: Dirmngr Options. (line 98)\n* no-verbose: GPG Configuration Options.\n(line 36)\n* not-dash-escaped: GPG Esoteric Options.\n(line 266)\n* null: gpgtar. (line 86)\n* ocsp: dirmngr-client. (line 61)\n* ocsp-current-period: Dirmngr Options. (line 325)\n* ocsp-max-clock-skew: Dirmngr Options. (line 317)\n* ocsp-max-period: Dirmngr Options. (line 321)\n* ocsp-responder: Dirmngr Options. (line 291)\n* ocsp-signer: Dirmngr Options. (line 296)\n* only-ldap-proxy: Dirmngr Options. (line 240)\n* openpgp: Compliance Options. (line 19)\n* openpgp <1>: gpgtar. (line 95)\n* options: Agent Options. (line 10)\n* options <1>: Dirmngr Options. (line 11)\n* options <2>: Dirmngr Options. (line 16)\n* options <3>: GPG Configuration Options.\n(line 309)\n* options <4>: Configuration Options.\n(line 10)\n* options <5>: Scdaemon Options. (line 7)\n* output: GPG Input and Output.\n(line 16)\n* output <1>: Input and Output. (line 51)\n* output <2>: gpgv. (line 45)\n* output <3>: gpgtar. (line 57)\n* output <4>: gpg-wks-client. (line 104)\n* output <5>: gpg-wks-server. (line 65)\n* override-session-key: GPG Esoteric Options.\n(line 487)\n* p12-charset: Input and Output. (line 24)\n* passphrase: GPG Esoteric Options.\n(line 312)\n* passphrase <1>: Invoking gpg-preset-passphrase.\n(line 36)\n* passphrase-fd: GPG Esoteric Options.\n(line 291)\n* passphrase-fd <1>: Esoteric Options. (line 100)\n* passphrase-file: GPG Esoteric Options.\n(line 301)\n* passphrase-repeat: GPG Esoteric Options.\n(line 283)\n* passwd: OpenPGP Key Management.\n(line 450)\n* passwd <1>: Certificate Management.\n(line 110)\n* pcsc-driver: Scdaemon Options. (line 144)\n* pem: dirmngr-client. (line 58)\n* permission-warning: GPG Configuration Options.\n(line 797)\n* personal-cipher-preferences: OpenPGP Options. (line 46)\n* personal-compress-preferences: OpenPGP Options. (line 64)\n* personal-digest-preferences: OpenPGP Options. (line 55)\n* pgp6: Compliance Options. (line 44)\n* pgp7: Compliance Options. (line 54)\n* pgp8: Compliance Options. (line 60)\n* photo-viewer: GPG Configuration Options.\n(line 197)\n* pinentry-invisible-char: Agent Options. (line 262)\n* pinentry-mode: GPG Esoteric Options.\n(line 322)\n* pinentry-mode <1>: Esoteric Options. (line 109)\n* pinentry-program: Agent Options. (line 273)\n* pinentry-timeout: Agent Options. (line 267)\n* pinentry-touch-file: Agent Options. (line 286)\n* ping: dirmngr-client. (line 69)\n* policy-file: Configuration Options.\n(line 43)\n* prefer-system-dirmngr: Configuration Options.\n(line 56)\n* preserve-permissions: GPG Esoteric Options.\n(line 561)\n* preset: Invoking gpg-preset-passphrase.\n(line 22)\n* primary-keyring: GPG Configuration Options.\n(line 243)\n* print-md: Operational GPG Commands.\n(line 381)\n* q: Invoking gpg-connect-agent.\n(line 18)\n* q <1>: Invoking symcryptrun.\n(line 33)\n* quick-add-key: OpenPGP Key Management.\n(line 69)\n* quick-add-uid: OpenPGP Key Management.\n(line 417)\n* quick-gen-key: OpenPGP Key Management.\n(line 10)\n* quick-generate-key: OpenPGP Key Management.\n(line 10)\n* quick-lsign-key: OpenPGP Key Management.\n(line 398)\n* quick-revoke-sig: OpenPGP Key Management.\n(line 432)\n* quick-revoke-uid: OpenPGP Key Management.\n(line 424)\n* quick-set-expire: OpenPGP Key Management.\n(line 60)\n* quick-set-primary-uid: OpenPGP Key Management.\n(line 442)\n* quick-sign-key: OpenPGP Key Management.\n(line 398)\n* quiet: Agent Options. (line 45)\n* quiet <1>: GPG Configuration Options.\n(line 39)\n* quiet <2>: gpgv. (line 35)\n* quiet <3>: Invoking gpgconf. (line 112)\n* quiet <4>: Invoking gpg-connect-agent.\n(line 18)\n* quiet <5>: dirmngr-client. (line 48)\n* quiet <6>: Invoking symcryptrun.\n(line 33)\n* quiet <7>: gpgtar. (line 65)\n* quiet <8>: gpg-wks-client. (line 122)\n* quiet <9>: gpg-wks-server. (line 81)\n* raw-socket: Invoking gpg-connect-agent.\n(line 59)\n* reader-port: Scdaemon Options. (line 161)\n* rebuild-keydb-caches: Operational GPG Commands.\n(line 375)\n* receive-keys: Operational GPG Commands.\n(line 308)\n* recipient: GPG Key related Options.\n(line 8)\n* recipient <1>: Input and Output. (line 46)\n* recipient <2>: gpgtar. (line 49)\n* recipient-file: GPG Key related Options.\n(line 22)\n* recursive-resolver: Dirmngr Options. (line 114)\n* recv-keys: Operational GPG Commands.\n(line 309)\n* refresh-keys: Operational GPG Commands.\n(line 312)\n* reload: Invoking gpgconf. (line 70)\n* remove-socketdir: Invoking gpgconf. (line 97)\n* request-origin: GPG Esoteric Options.\n(line 342)\n* request-origin <1>: Esoteric Options. (line 124)\n* require-cross-certification: GPG Configuration Options.\n(line 816)\n* require-secmem: GPG Configuration Options.\n(line 811)\n* resolver-timeout: Dirmngr Options. (line 117)\n* rfc2440: Compliance Options. (line 37)\n* rfc4880: Compliance Options. (line 25)\n* rfc4880bis: Compliance Options. (line 30)\n* run: Invoking gpg-connect-agent.\n(line 82)\n* s: Dirmngr Options. (line 87)\n* s2k-calibration: Agent Options. (line 428)\n* s2k-cipher-algo: OpenPGP Options. (line 74)\n* s2k-count: Agent Options. (line 435)\n* s2k-count <1>: OpenPGP Options. (line 90)\n* s2k-digest-algo: OpenPGP Options. (line 79)\n* s2k-mode: OpenPGP Options. (line 83)\n* scdaemon-program: Agent Options. (line 295)\n* search-keys: Operational GPG Commands.\n(line 318)\n* secret-keyring: GPG Configuration Options.\n(line 238)\n* send: gpg-wks-client. (line 65)\n* send <1>: gpg-wks-server. (line 60)\n* send-keys: Operational GPG Commands.\n(line 252)\n* sender: GPG Key related Options.\n(line 81)\n* server: Agent Commands. (line 23)\n* server <1>: Dirmngr Commands. (line 22)\n* server <2>: Operational GPGSM Commands.\n(line 24)\n* server <3>: Scdaemon Commands. (line 22)\n* set-filename: GPG Esoteric Options.\n(line 178)\n* set-filename <1>: gpgtar. (line 104)\n* set-filesize: GPG Esoteric Options.\n(line 467)\n* set-notation: GPG Esoteric Options.\n(line 124)\n* set-policy-url: GPG Esoteric Options.\n(line 160)\n* sh: Agent Options. (line 138)\n* sh <1>: Dirmngr Options. (line 87)\n* show-keyring: Deprecated Options. (line 16)\n* show-keys: Operational GPG Commands.\n(line 180)\n* show-notation: Deprecated Options. (line 25)\n* show-photos: Deprecated Options. (line 8)\n* show-policy-url: Deprecated Options. (line 33)\n* show-session-key: GPG Esoteric Options.\n(line 471)\n* shutdown: Dirmngr Commands. (line 58)\n* sig-keyserver-url: GPG Esoteric Options.\n(line 170)\n* sig-notation: GPG Esoteric Options.\n(line 124)\n* sig-policy-url: GPG Esoteric Options.\n(line 160)\n* sign: Operational GPG Commands.\n(line 8)\n* sign <1>: Operational GPGSM Commands.\n(line 16)\n* sign-key: OpenPGP Key Management.\n(line 388)\n* skip-crypto: gpgtar. (line 68)\n* skip-hidden-recipients: GPG Key related Options.\n(line 108)\n* skip-verify: GPG Esoteric Options.\n(line 435)\n* squid-mode: dirmngr-client. (line 101)\n* ssh-fingerprint-digest: Agent Options. (line 413)\n* standard-resolver: Dirmngr Options. (line 107)\n* status-fd: GPG Esoteric Options.\n(line 74)\n* status-fd <1>: gpgv. (line 52)\n* status-fd <2>: Invoking gpgconf. (line 153)\n* status-fd <3>: gpg-wks-client. (line 108)\n* status-file: GPG Esoteric Options.\n(line 78)\n* store: Operational GPG Commands.\n(line 55)\n* subst: Invoking gpg-connect-agent.\n(line 88)\n* supervised: Agent Commands. (line 36)\n* supervised <1>: Dirmngr Commands. (line 33)\n* symmetric: Operational GPG Commands.\n(line 42)\n* tar-args: gpgtar. (line 116)\n* textmode: OpenPGP Options. (line 8)\n* throw-keyids: GPG Esoteric Options.\n(line 257)\n* time-only: watchgnupg. (line 30)\n* tls-debug: Dirmngr Options. (line 69)\n* tofu-default-policy: GPG Configuration Options.\n(line 702)\n* tofu-policy: Operational GPG Commands.\n(line 403)\n* trust-model: GPG Configuration Options.\n(line 397)\n* trust-model:always: GPG Configuration Options.\n(line 478)\n* trust-model:auto: GPG Configuration Options.\n(line 487)\n* trust-model:classic: GPG Configuration Options.\n(line 405)\n* trust-model:direct: GPG Configuration Options.\n(line 470)\n* trust-model:pgp: GPG Configuration Options.\n(line 400)\n* trust-model:tofu: GPG Configuration Options.\n(line 408)\n* trust-model:tofu+pgp: GPG Configuration Options.\n(line 458)\n* trustdb-name: GPG Configuration Options.\n(line 248)\n* trusted-key: GPG Configuration Options.\n(line 390)\n* try-all-secrets: GPG Key related Options.\n(line 100)\n* try-secret-key: GPG Key related Options.\n(line 89)\n* ttyname: Agent Options. (line 323)\n* ttytype: Agent Options. (line 323)\n* ungroup: GPG Key related Options.\n(line 70)\n* update-trustdb: Operational GPG Commands.\n(line 334)\n* url: dirmngr-client. (line 94)\n* url <1>: dirmngr-client. (line 98)\n* use-agent: GPG Configuration Options.\n(line 726)\n* use-embedded-filename: GPG Esoteric Options.\n(line 194)\n* use-standard-socket: Agent Options. (line 313)\n* use-standard-socket-p: Agent Options. (line 313)\n* use-tor: Dirmngr Options. (line 98)\n* utf8-strings: GPG Configuration Options.\n(line 302)\n* utf8-strings <1>: gpgtar. (line 90)\n* v: Dirmngr Options. (line 25)\n* v <1>: Configuration Options.\n(line 38)\n* v <2>: Scdaemon Options. (line 35)\n* v <3>: dirmngr-client. (line 53)\n* validate: dirmngr-client. (line 76)\n* validation-model: Certificate Options. (line 73)\n* verbose: Agent Options. (line 39)\n* verbose <1>: Dirmngr Options. (line 25)\n* verbose <2>: GPG Configuration Options.\n(line 32)\n* verbose <3>: Configuration Options.\n(line 38)\n* verbose <4>: Scdaemon Options. (line 35)\n* verbose <5>: watchgnupg. (line 33)\n* verbose <6>: gpgv. (line 30)\n* verbose <7>: Invoking gpg-preset-passphrase.\n(line 32)\n* verbose <8>: Invoking gpg-connect-agent.\n(line 14)\n* verbose <9>: dirmngr-client. (line 53)\n* verbose <10>: Invoking symcryptrun.\n(line 29)\n* verbose <11>: gpgtar. (line 61)\n* verbose <12>: gpg-wks-client. (line 119)\n* verbose <13>: gpg-wks-server. (line 78)\n* verify: Operational GPG Commands.\n(line 67)\n* verify <1>: Operational GPGSM Commands.\n(line 20)\n* verify-files: Operational GPG Commands.\n(line 108)\n* verify-options: GPG Configuration Options.\n(line 133)\n* verify-options:pka-lookups: GPG Configuration Options.\n(line 169)\n* verify-options:pka-trust-increase: GPG Configuration Options.\n(line 176)\n* verify-options:show-keyserver-urls: GPG Configuration Options.\n(line 152)\n* verify-options:show-notations: GPG Configuration Options.\n(line 148)\n* verify-options:show-photos: GPG Configuration Options.\n(line 138)\n* verify-options:show-policy-urls: GPG Configuration Options.\n(line 142)\n* verify-options:show-primary-uid-only: GPG Configuration Options.\n(line 164)\n* verify-options:show-std-notations: GPG Configuration Options.\n(line 148)\n* verify-options:show-uid-validity: GPG Configuration Options.\n(line 156)\n* verify-options:show-unusable-uids: GPG Configuration Options.\n(line 160)\n* verify-options:show-user-notations: GPG Configuration Options.\n(line 148)\n* version: Agent Commands. (line 10)\n* version <1>: Dirmngr Commands. (line 10)\n* version <2>: General GPG Commands.\n(line 7)\n* version <3>: General GPGSM Commands.\n(line 7)\n* version <4>: Scdaemon Commands. (line 10)\n* version <5>: watchgnupg. (line 36)\n* version <6>: dirmngr-client. (line 40)\n* version <7>: gpgtar. (line 122)\n* version <8>: gpg-wks-client. (line 125)\n* version <9>: gpg-wks-server. (line 84)\n* warranty: General GPG Commands.\n(line 17)\n* warranty <1>: General GPGSM Commands.\n(line 15)\n* weak-digest: GPG Esoteric Options.\n(line 411)\n* weak-digest <1>: gpgv. (line 90)\n* with-colons: GPG Input and Output.\n(line 276)\n* with-colons <1>: gpg-wks-client. (line 69)\n* with-dir: gpg-wks-server. (line 69)\n* with-ephemeral-keys: Esoteric Options. (line 24)\n* with-file: gpg-wks-server. (line 73)\n* with-fingerprint: GPG Input and Output.\n(line 296)\n* with-icao-spelling: GPG Input and Output.\n(line 307)\n* with-key-data: GPG Esoteric Options.\n(line 439)\n* with-key-data <1>: Input and Output. (line 54)\n* with-key-origin: GPG Input and Output.\n(line 315)\n* with-keygrip: GPG Input and Output.\n(line 311)\n* with-secret: GPG Input and Output.\n(line 326)\n* with-secret <1>: Input and Output. (line 78)\n* with-subkey-fingerprint: GPG Input and Output.\n(line 300)\n* with-validation: Input and Output. (line 60)\n* with-wkd-hash: GPG Input and Output.\n(line 321)\n* xauthority: Agent Options. (line 323)\n* yes: GPG Configuration Options.\n(line 60)\n\nFile: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top\n", "subsections": [] }, "Environment Variable and File Index": { "content": "* Menu:\n\n* .gpg-v21-migrated: GPG Configuration. (line 77)\n* ~/.gnupg: GPG Configuration. (line 27)\n* ASSUANDEBUG: Scdaemon Options. (line 122)\n* COLUMNS: GPG Configuration. (line 118)\n* com-certs.pem: GPGSM Configuration. (line 84)\n* dirmngr.conf: Dirmngr Configuration.\n(line 12)\n* DISPLAY: GPGSM OPTION. (line 21)\n* GNUPGHOME: Agent Options. (line 17)\n* GNUPGHOME <1>: GPG Configuration Options.\n(line 255)\n* GNUPGHOME <2>: GPG Configuration. (line 106)\n* GNUPGHOME <3>: Configuration Options.\n(line 16)\n* GNUPGHOME <4>: Scdaemon Options. (line 13)\n* GNUPGHOME <5>: gpgv. (line 69)\n* GNUPGHOME <6>: Invoking gpgconf. (line 115)\n* GNUPGHOME <7>: Invoking gpg-connect-agent.\n(line 21)\n* GNUPGHOME <8>: Invoking symcryptrun.\n(line 36)\n* gpg-agent.conf: Agent Configuration. (line 11)\n* gpg.conf: GPG Configuration. (line 11)\n* gpgconf.ctl: Agent Options. (line 28)\n* gpgconf.ctl <1>: GPG Configuration Options.\n(line 266)\n* gpgconf.ctl <2>: Configuration Options.\n(line 27)\n* gpgconf.ctl <3>: Scdaemon Options. (line 24)\n* gpgconf.ctl <4>: gpgv. (line 80)\n* gpgconf.ctl <5>: Invoking gpgconf. (line 126)\n* gpgconf.ctl <6>: Invoking gpg-connect-agent.\n(line 32)\n* gpgconf.ctl <7>: Invoking symcryptrun.\n(line 47)\n* gpgsm.conf: GPGSM Configuration. (line 11)\n* GPGTTY: Invoking GPG-AGENT. (line 22)\n* GPGTTY <1>: GPGSM OPTION. (line 23)\n* help.txt: GPGSM Configuration. (line 72)\n* HKCU\\Software\\GNU\\GnuPG:DefaultLogFile: Agent Options. (line 151)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir: Agent Options. (line 17)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <1>: GPG Configuration Options.\n(line 255)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <2>: Configuration Options.\n(line 16)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <4>: gpgv. (line 69)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <5>: Invoking gpgconf. (line 115)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <6>: Invoking gpg-connect-agent.\n(line 21)\n* HKCU\\Software\\GNU\\GnuPG:HomeDir <7>: Invoking symcryptrun.\n(line 36)\n* HOME: GPG Configuration. (line 103)\n* httpproxy: Dirmngr Options. (line 229)\n* LANGUAGE: GPG Configuration. (line 121)\n* LCCTYPE: GPGSM OPTION. (line 27)\n* LCMESSAGES: GPGSM OPTION. (line 29)\n* LINES: GPG Configuration. (line 118)\n* openpgp-revocs.d: GPG Configuration. (line 91)\n* PATH: GPG Configuration Options.\n(line 220)\n* PINENTRYUSERDATA: GPG Configuration. (line 113)\n* PINENTRYUSERDATA <1>: GPGSM OPTION. (line 33)\n* policies.txt: GPGSM Configuration. (line 18)\n* private-keys-v1.d: Agent Configuration. (line 104)\n* pubring.gpg: GPG Configuration. (line 32)\n* pubring.kbx: GPG Configuration. (line 50)\n* pubring.kbx <1>: GPGSM Configuration. (line 100)\n* qualified.txt: GPGSM Configuration. (line 33)\n* randomseed: GPG Configuration. (line 88)\n* randomseed <1>: GPGSM Configuration. (line 106)\n* S.gpg-agent: GPGSM Configuration. (line 111)\n* secring.gpg: GPG Configuration. (line 69)\n* SHELL: Agent Options. (line 138)\n* sshcontrol: Agent Configuration. (line 74)\n* TERM: GPGSM OPTION. (line 25)\n* trustdb.gpg: GPG Configuration. (line 80)\n* trustlist.txt: Agent Configuration. (line 20)\n* XAUTHORITY: GPGSM OPTION. (line 31)\n\nFile: gnupg.info, Node: Index, Prev: Environment Index, Up: Top\n", "subsections": [] }, "Index": { "content": "* Menu:\n\n* command options: Invoking GPG-AGENT. (line 6)\n* command options <1>: Invoking DIRMNGR. (line 6)\n* command options <2>: Invoking GPG. (line 6)\n* command options <3>: Invoking GPGSM. (line 6)\n* command options <4>: Invoking SCDAEMON. (line 6)\n* contributors: Contributors. (line 6)\n* DIRMNGR command options: Invoking DIRMNGR. (line 6)\n* GPG command options: Invoking GPG. (line 6)\n* GPG-AGENT command options: Invoking GPG-AGENT. (line 6)\n* gpgconf.conf: Files used by gpgconf.\n(line 7)\n* GPGSM command options: Invoking GPGSM. (line 6)\n* options, DIRMNGR command: Invoking DIRMNGR. (line 6)\n* options, GPG command: Invoking GPG. (line 6)\n* options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)\n* options, GPGSM command: Invoking GPGSM. (line 6)\n* options, SCDAEMON command: Invoking SCDAEMON. (line 6)\n* relax: Agent Configuration. (line 62)\n* scd-event: Scdaemon Configuration.\n(line 18)\n* SCDAEMON command options: Invoking SCDAEMON. (line 6)\n* scdaemon.conf: Scdaemon Configuration.\n(line 11)\n* SIGHUP: Agent Signals. (line 12)\n* SIGHUP <1>: Dirmngr Signals. (line 12)\n* SIGINT: Agent Signals. (line 31)\n* SIGINT <1>: Dirmngr Signals. (line 26)\n* SIGTERM: Agent Signals. (line 26)\n* SIGTERM <1>: Dirmngr Signals. (line 19)\n* SIGUSR1: Agent Signals. (line 34)\n* SIGUSR1 <1>: Dirmngr Signals. (line 29)\n* SIGUSR2: Agent Signals. (line 37)\n* swdb.lst: Files used by gpgconf.\n(line 12)\n* trust values: Trust Values. (line 6)\n", "subsections": [] } }, "flags": [], "examples": [], "see_also": [] }