{ "content": [ { "type": "text", "text": "# gpg (info)\n\n## Sections\n\n- **Using the GnuPG Version 1.4**\n- **1 Invoking GPG** (4 subsections)\n- **RETURN VALUE**\n- **WARNINGS**\n- **INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS**\n- **BUGS** (1 subsections)\n- **2 How to Specify a User Id**\n- **GNU General Public License** (2 subsections)\n- **Option Index**\n- **Index**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "gpg", "section": "", "mode": "info", "summary": null, "synopsis": null, "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [], "section_outline": [ { "name": "Using the GnuPG Version 1.4", "lines": 26, "subsections": [] }, { "name": "1 Invoking GPG", "lines": 26, "subsections": [ { "name": "1.1 Commands", "lines": 654 }, { "name": "1.2 Option Summary", "lines": 1690 }, { "name": "1.3 Configuration files", "lines": 103 }, { "name": "1.4 Examples", "lines": 27 } ] }, { "name": "RETURN VALUE", "lines": 3, "subsections": [] }, { "name": "WARNINGS", "lines": 13, "subsections": [] }, { "name": "INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS", "lines": 27, "subsections": [] }, { "name": "BUGS", "lines": 21, "subsections": [ { "name": "1.5 Unattended Usage", "lines": 224 } ] }, { "name": "2 How to Specify a User Id", "lines": 115, "subsections": [] }, { "name": "GNU General Public License", "lines": 7, "subsections": [ { "name": "Preamble", "lines": 641 }, { "name": "How to Apply These Terms to Your New Programs", "lines": 56 } ] }, { "name": "Option Index", "lines": 599, "subsections": [] }, { "name": "Index", "lines": 8, "subsections": [] } ], "sections": { "Using the GnuPG Version 1.4": { "content": "This is the 'The GNU Privacy Guard Manual' (1.4.23, 22 April 2016).\n\nCopyright (C) 1998, 1999, 2000, 2001, 2002, 2004, 2005, 2006 Free\nSoftware Foundation, Inc.\n\nPermission is granted to copy, distribute and/or modify this\ndocument under the terms of the GNU General Public License as\npublished by the Free Software Foundation; either version 3 of the\nLicense, or (at your option) any later version. The text of the\nlicense can be found in the section entitled \"Copying\".\n\nThis manual documents how to use the standalone version of GNU Privacy\nGuard.\n\n* Menu:\n\n* Invoking GPG:: Using the classic GPG protocol.\n* Specify a User ID:: How to Specify a User Id.\n\n* Copying:: GNU General Public License says\nhow you can copy and share GnuPG\n* Option Index:: Index to command line options.\n* Index::\t Index of concepts and symbol names.\n\nFile: gnupg1.info, Node: Invoking GPG, Next: Specify a User ID, Prev: Top, Up: Top\n", "subsections": [] }, "1 Invoking GPG": { "content": "'gpg' is the OpenPGP only version of the GNU Privacy Guard (GnuPG). It\nis a tool to provide digital encryption and signing services using the\nOpenPGP standard. 'gpg' features complete key management and all bells\nand whistles you can expect from a decent OpenPGP implementation.\n\nThis is the standalone version of 'gpg'. For desktop use you should\nconsider using 'gpg2' from the GnuPG-2 package (1).\n\n*Note Option Index::, for an index to 'gpg''s commands and options.\n\n* Menu:\n\n* GPG Commands:: List of all commands.\n* GPG Options:: List of all options.\n* GPG Configuration:: Configuration files.\n* GPG Examples:: Some usage examples.\n\nDeveloper information:\n* Unattended Usage of GPG:: Using 'gpg' from other programs.\n\n---------- Footnotes ----------\n\n(1) On some platforms gpg2 is installed under the name 'gpg'\n\nFile: gnupg1.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG\n", "subsections": [ { "name": "1.1 Commands", "content": "Commands are not distinguished from options except for the fact that\nonly one command is allowed.\n\n'gpg' may be run with no commands, in which case it will perform a\nreasonable action depending on the type of file it is given as input (an\nencrypted message is decrypted, a signature is verified, a file\ncontaining keys is listed).\n\nPlease remember that option as well as command parsing stops as soon\nas a non-option is encountered, you can explicitly stop parsing by using\nthe special option '--'.\n\n* Menu:\n\n* General GPG Commands:: Commands not specific to the functionality.\n* Operational GPG Commands:: Commands to select the type of operation.\n* OpenPGP Key Management:: How to manage your keys.\n\nFile: gnupg1.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands\n\n\n'--version'\nPrint the program version and licensing information. Note that you\ncannot abbreviate this command.\n\n'--help'\n'-h'\nPrint a usage message summarizing the most useful command line\noptions. Note that you cannot abbreviate this command.\n\n'--warranty'\nPrint warranty information.\n\n'--dump-options'\nPrint a list of all available options and commands. Note that you\ncannot abbreviate this command.\n\nFile: gnupg1.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands\n\n\n'--sign'\n'-s'\nMake a signature. This command may be combined with '--encrypt'\n(for a signed and encrypted message), '--symmetric' (for a signed\nand symmetrically encrypted message), or '--encrypt' and\n'--symmetric' together (for a signed message that may be decrypted\nvia a secret key or a passphrase). The key to be used for signing\nis chosen by default or can be set with the '--local-user' and\n'--default-key' options.\n\n'--clearsign'\nMake a clear text signature. The content in a clear text signature\nis readable without any special software. OpenPGP software is only\nneeded to verify the signature. Clear text signatures may modify\nend-of-line whitespace for platform independence and are not\nintended to be reversible. The key to be used for signing is\nchosen by default or can be set with the '--local-user' and\n'--default-key' options.\n\n'--detach-sign'\n'-b'\nMake a detached signature.\n\n'--encrypt'\n'-e'\nEncrypt data. This option may be combined with '--sign' (for a\nsigned and encrypted message), '--symmetric' (for a message that\nmay be decrypted via a secret key or a passphrase), or '--sign' and\n'--symmetric' together (for a signed message that may be decrypted\nvia a secret key or a passphrase).\n\n'--symmetric'\n'-c'\nEncrypt with a symmetric cipher using a passphrase. The default\nsymmetric cipher used is AES128, but may be chosen with the\n'--cipher-algo' option. This option may be combined with '--sign'\n(for a signed and symmetrically encrypted message), '--encrypt'\n(for a message that may be decrypted via a secret key or a\npassphrase), or '--sign' and '--encrypt' together (for a signed\nmessage that may be decrypted via a secret key or a passphrase).\n\n'--store'\nStore only (make a simple RFC1991 literal data packet).\n\n'--decrypt'\n'-d'\nDecrypt the file given on the command line (or STDIN if no file is\nspecified) and write it to STDOUT (or the file specified with\n'--output'). If the decrypted file is signed, the signature is\nalso verified. This command differs from the default operation, as\nit never writes to the filename which is included in the file and\nit rejects files which don't begin with an encrypted message.\n\n'--verify'\nAssume that the first argument is a signed file and verify it\nwithout generating any output. With no arguments, the signature\npacket is read from STDIN. If only a one argument is given, it is\nexpected to be a complete signature.\n\nWith more than 1 argument, the first should be a detached signature\nand the remaining files make up the the signed data. To read the\nsigned data from STDIN, use '-' as the second filename. For\nsecurity reasons a detached signature cannot read the signed\nmaterial from STDIN without denoting it in the above way.\n\nNote: If the option '--batch' is not used, 'gpg' may assume that a\nsingle argument is a file with a detached signature and it will try\nto find a matching data file by stripping certain suffixes. Using\nthis historical feature to verify a detached signature is strongly\ndiscouraged; always specify the data file too.\n\nNote: When verifying a cleartext signature, 'gpg' verifies only\nwhat makes up the cleartext signed data and not any extra data\noutside of the cleartext signature or header lines following\ndirectly the dash marker line. The option '--output' may be used\nto write out the actual signed data; but there are other pitfalls\nwith this format as well. It is suggested to avoid cleartext\nsignatures in favor of detached signatures.\n\n'--multifile'\nThis modifies certain other commands to accept multiple files for\nprocessing on the command line or read from STDIN with each\nfilename on a separate line. This allows for many files to be\nprocessed at once. '--multifile' may currently be used along with\n'--verify', '--encrypt', and '--decrypt'. Note that '--multifile\n--verify' may not be used with detached signatures.\n\n'--verify-files'\nIdentical to '--multifile --verify'.\n\n'--encrypt-files'\nIdentical to '--multifile --encrypt'.\n\n'--decrypt-files'\nIdentical to '--multifile --decrypt'.\n\n'--list-keys'\n'-k'\n'--list-public-keys'\nList all keys from the public keyrings, or just the keys given on\nthe command line.\n\n'-k' is slightly different from '--list-keys' in that it allows\nonly for one argument and takes the second argument as the keyring\nto search. This is for command line compatibility with PGP 2 and\nhas been removed in 'gpg2'.\n\nAvoid using the output of this command in scripts or other programs\nas it is likely to change as GnuPG changes. See '--with-colons'\nfor a machine-parseable key listing command that is appropriate for\nuse in scripts and other programs.\n\n'--list-secret-keys'\n'-K'\nList all keys from the secret keyrings, or just the ones given on\nthe command line. A '#' after the letters 'sec' means that the\nsecret key is not usable (for example, if it was created via\n'--export-secret-subkeys').\n\n'--list-sigs'\nSame as '--list-keys', but the signatures are listed too.\n\nFor each signature listed, there are several flags in between the\n\"sig\" tag and keyid. These flags give additional information about\neach signature. From left to right, they are the numbers 1-3 for\ncertificate check level (see '--ask-cert-level'), \"L\" for a local\nor non-exportable signature (see '--lsign-key'), \"R\" for a\nnonRevocable signature (see the '--edit-key' command \"nrsign\"), \"P\"\nfor a signature that contains a policy URL (see\n'--cert-policy-url'), \"N\" for a signature that contains a notation\n(see '--cert-notation'), \"X\" for an eXpired signature (see\n'--ask-cert-expire'), and the numbers 1-9 or \"T\" for 10 and above\nto indicate trust signature levels (see the '--edit-key' command\n\"tsign\").\n\n'--check-sigs'\nSame as '--list-sigs', but the signatures are verified. Note that\nfor performance reasons the revocation status of a signing key is\nnot shown.\n\nThe status of the verification is indicated by a flag directly\nfollowing the \"sig\" tag (and thus before the flags described above\nfor '--list-sigs'). A \"!\" indicates that the signature has been\nsuccessfully verified, a \"-\" denotes a bad signature and a \"%\" is\nused if an error occurred while checking the signature (e.g. a non\nsupported algorithm).\n\n'--fingerprint'\nList all keys (or the specified ones) along with their\nfingerprints. This is the same output as '--list-keys' but with\nthe additional output of a line with the fingerprint. May also be\ncombined with '--list-sigs' or '--check-sigs'. If this command is\ngiven twice, the fingerprints of all secondary keys are listed too.\n\n'--list-packets'\nList only the sequence of packets. This is mainly useful for\ndebugging.\n\n'--card-edit'\nPresent a menu to work with a smartcard. The subcommand \"help\"\nprovides an overview on available commands. For a detailed\ndescription, please see the Card HOWTO at\nhttps://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .\n\n'--card-status'\nShow the content of the smart card.\n\n'--change-pin'\nPresent a menu to allow changing the PIN of a smartcard. This\nfunctionality is also available as the subcommand \"passwd\" with the\n'--card-edit' command.\n\n'--delete-key name'\nRemove key from the public keyring. In batch mode either '--yes'\nis required or the key must be specified by fingerprint. This is a\nsafeguard against accidental deletion of multiple keys.\n\n'--delete-secret-key name'\nRemove key from the secret keyring. In batch mode the key must be\nspecified by fingerprint.\n\n'--delete-secret-and-public-key name'\nSame as '--delete-key', but if a secret key exists, it will be\nremoved first. In batch mode the key must be specified by\nfingerprint.\n\n'--export'\nEither export all keys from all keyrings (default keyrings and\nthose registered via option '--keyring'), or if at least one name\nis given, those of the given name. The exported keys are written\nto STDOUT or to the file given with option '--output'. Use\ntogether with '--armor' to mail those keys.\n\n'--send-keys key IDs'\nSimilar to '--export' but sends the keys to a keyserver.\nFingerprints may be used instead of key IDs. Option '--keyserver'\nmust be used to give the name of this keyserver. Don't send your\ncomplete keyring to a keyserver -- select only those keys which are\nnew or changed by you. If no key IDs are given, 'gpg' does\nnothing.\n\n'--export-secret-keys'\n'--export-secret-subkeys'\nSame as '--export', but exports the secret keys instead. The\nexported keys are written to STDOUT or to the file given with\noption '--output'. This command is often used along with the\noption '--armor' to allow easy printing of the key for paper\nbackup; however the external tool 'paperkey' does a better job for\ncreating backups on paper. Note that exporting a secret key can be\na security risk if the exported keys are send over an insecure\nchannel.\n\nThe second form of the command has the special property to render\nthe secret part of the primary key useless; this is a GNU extension\nto OpenPGP and other implementations can not be expected to\nsuccessfully import such a key. Its intended use is to generated a\nfull key with an additional signing subkey on a dedicated machine\nand then using this command to export the key without the primary\nkey to the main machine.\n\nSee the option '--simple-sk-checksum' if you want to import an\nexported secret key into ancient OpenPGP implementations.\n\n'--import'\n'--fast-import'\nImport/merge keys. This adds the given keys to the keyring. The\nfast version is currently just a synonym.\n\nThere are a few other options which control how this command works.\nMost notable here is the '--import-options merge-only' option which\ndoes not insert new keys but does only the merging of new\nsignatures, user-IDs and subkeys.\n\n'--recv-keys key IDs'\nImport the keys with the given key IDs from a keyserver. Option\n'--keyserver' must be used to give the name of this keyserver.\n\n'--refresh-keys'\nRequest updates from a keyserver for keys that already exist on the\nlocal keyring. This is useful for updating a key with the latest\nsignatures, user IDs, etc. Calling this with no arguments will\nrefresh the entire keyring. Option '--keyserver' must be used to\ngive the name of the keyserver for all keys that do not have\npreferred keyservers set (see '--keyserver-options\nhonor-keyserver-url').\n\n'--search-keys names'\nSearch the keyserver for the given names. Multiple names given\nhere will be joined together to create the search string for the\nkeyserver. Option '--keyserver' must be used to give the name of\nthis keyserver. Keyservers that support different search methods\nallow using the syntax specified in \"How to specify a user ID\"\nbelow. Note that different keyserver types support different\nsearch methods. Currently only LDAP supports them all.\n\n'--fetch-keys URIs'\nRetrieve keys located at the specified URIs. Note that different\ninstallations of GnuPG may support different protocols (HTTP, FTP,\nLDAP, etc.)\n\n'--update-trustdb'\nDo trust database maintenance. This command iterates over all keys\nand builds the Web of Trust. This is an interactive command\nbecause it may have to ask for the \"ownertrust\" values for keys.\nThe user has to give an estimation of how far she trusts the owner\nof the displayed key to correctly certify (sign) other keys. GnuPG\nonly asks for the ownertrust value if it has not yet been assigned\nto a key. Using the '--edit-key' menu, the assigned value can be\nchanged at any time.\n\n'--check-trustdb'\nDo trust database maintenance without user interaction. From time\nto time the trust database must be updated so that expired keys or\nsignatures and the resulting changes in the Web of Trust can be\ntracked. Normally, GnuPG will calculate when this is required and\ndo it automatically unless '--no-auto-check-trustdb' is set. This\ncommand can be used to force a trust database check at any time.\nThe processing is identical to that of '--update-trustdb' but it\nskips keys with a not yet defined \"ownertrust\".\n\nFor use with cron jobs, this command can be used together with\n'--batch' in which case the trust database check is done only if a\ncheck is needed. To force a run even in batch mode add the option\n'--yes'.\n\n'--export-ownertrust'\nSend the ownertrust values to STDOUT. This is useful for backup\npurposes as these values are the only ones which can't be\nre-created from a corrupted trustdb. Example:\ngpg --export-ownertrust > otrust.txt\n\n'--import-ownertrust'\nUpdate the trustdb with the ownertrust values stored in 'files' (or\nSTDIN if not given); existing values will be overwritten. In case\nof a severely damaged trustdb and if you have a recent backup of\nthe ownertrust values (e.g. in the file 'otrust.txt', you may\nre-create the trustdb using these commands:\ncd ~/.gnupg\nrm trustdb.gpg\ngpg --import-ownertrust < otrust.txt\n\n'--rebuild-keydb-caches'\nWhen updating from version 1.0.6 to 1.0.7 this command should be\nused to create signature caches in the keyring. It might be handy\nin other situations too.\n\n'--print-md algo'\n'--print-mds'\nPrint message digest of algorithm ALGO for all given files or\nSTDIN. With the second form (or a deprecated \"*\" as algo) digests\nfor all available algorithms are printed.\n\n'--gen-random 0|1|2 count'\nEmit COUNT random bytes of the given quality level 0, 1 or 2. If\nCOUNT is not given or zero, an endless sequence of random bytes\nwill be emitted. If used with '--armor' the output will be base64\nencoded. PLEASE, don't use this command unless you know what you\nare doing; it may remove precious entropy from the system!\n\n'--gen-prime mode bits'\nUse the source, Luke :-). The output format is still subject to\nchange.\n\n'--enarmor'\n'--dearmor'\nPack or unpack an arbitrary input into/from an OpenPGP ASCII armor.\nThis is a GnuPG extension to OpenPGP and in general not very\nuseful.\n\nFile: gnupg1.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands\n\n\nThis section explains the main commands for key management\n\n'--gen-key'\nGenerate a new key pair using the current default parameters. This\nis the standard command to create a new key.\n\nThere is also a feature which allows you to create keys in batch\nmode. See the the manual section \"Unattended key generation\" on\nhow to use this.\n\n'--gen-revoke name'\nGenerate a revocation certificate for the complete key. To revoke\na subkey or a signature, use the '--edit' command.\n\n'--desig-revoke name'\nGenerate a designated revocation certificate for a key. This\nallows a user (with the permission of the keyholder) to revoke\nsomeone else's key.\n\n'--edit-key'\nPresent a menu which enables you to do most of the key management\nrelated tasks. It expects the specification of a key on the\ncommand line.\n\nuid 'n'\nToggle selection of user ID or photographic user ID with index\n'n'. Use '*' to select all and '0' to deselect all.\n\nkey 'n'\nToggle selection of subkey with index 'n'. Use '*' to select\nall and '0' to deselect all.\n\nsign\nMake a signature on key of user 'name' If the key is not yet\nsigned by the default user (or the users given with -u), the\nprogram displays the information of the key again, together\nwith its fingerprint and asks whether it should be signed.\nThis question is repeated for all users specified with -u.\n\nlsign\nSame as \"sign\" but the signature is marked as non-exportable\nand will therefore never be used by others. This may be used\nto make keys valid only in the local environment.\n\nnrsign\nSame as \"sign\" but the signature is marked as non-revocable\nand can therefore never be revoked.\n\ntsign\nMake a trust signature. This is a signature that combines the\nnotions of certification (like a regular signature), and trust\n(like the \"trust\" command). It is generally only useful in\ndistinct communities or groups.\n\nNote that \"l\" (for local / non-exportable), \"nr\" (for\nnon-revocable, and \"t\" (for trust) may be freely mixed and prefixed\nto \"sign\" to create a signature of any type desired.\n\ndelsig\nDelete a signature. Note that it is not possible to retract a\nsignature, once it has been send to the public (i.e. to a\nkeyserver). In that case you better use 'revsig'.\n\nrevsig\nRevoke a signature. For every signature which has been\ngenerated by one of the secret keys, GnuPG asks whether a\nrevocation certificate should be generated.\n\ncheck\nCheck the signatures on all selected user IDs.\n\nadduid\nCreate an additional user ID.\n\naddphoto\nCreate a photographic user ID. This will prompt for a JPEG\nfile that will be embedded into the user ID. Note that a very\nlarge JPEG will make for a very large key. Also note that\nsome programs will display your JPEG unchanged (GnuPG), and\nsome programs will scale it to fit in a dialog box (PGP).\n\nshowphoto\nDisplay the selected photographic user ID.\n\ndeluid\nDelete a user ID or photographic user ID. Note that it is not\npossible to retract a user id, once it has been send to the\npublic (i.e. to a keyserver). In that case you better use\n'revuid'.\n\nrevuid\nRevoke a user ID or photographic user ID.\n\nprimary\nFlag the current user id as the primary one, removes the\nprimary user id flag from all other user ids and sets the\ntimestamp of all affected self-signatures one second ahead.\nNote that setting a photo user ID as primary makes it primary\nover other photo user IDs, and setting a regular user ID as\nprimary makes it primary over other regular user IDs.\n\nkeyserver\nSet a preferred keyserver for the specified user ID(s). This\nallows other users to know where you prefer they get your key\nfrom. See '--keyserver-options honor-keyserver-url' for more\non how this works. Setting a value of \"none\" removes an\nexisting preferred keyserver.\n\nnotation\nSet a name=value notation for the specified user ID(s). See\n'--cert-notation' for more on how this works. Setting a value\nof \"none\" removes all notations, setting a notation prefixed\nwith a minus sign (-) removes that notation, and setting a\nnotation name (without the =value) prefixed with a minus sign\nremoves all notations with that name.\n\npref\nList preferences from the selected user ID. This shows the\nactual preferences, without including any implied preferences.\n\nshowpref\nMore verbose preferences listing for the selected user ID.\nThis shows the preferences in effect by including the implied\npreferences of 3DES (cipher), SHA-1 (digest), and Uncompressed\n(compression) if they are not already included in the\npreference list. In addition, the preferred keyserver and\nsignature notations (if any) are shown.\n\nsetpref 'string'\nSet the list of user ID preferences to 'string' for all (or\njust the selected) user IDs. Calling setpref with no\narguments sets the preference list to the default (either\nbuilt-in or set via '--default-preference-list'), and calling\nsetpref with \"none\" as the argument sets an empty preference\nlist. Use 'gpg --version' to get a list of available\nalgorithms. Note that while you can change the preferences on\nan attribute user ID (aka \"photo ID\"), GnuPG does not select\nkeys via attribute user IDs so these preferences will not be\nused by GnuPG.\n\nWhen setting preferences, you should list the algorithms in\nthe order which you'd like to see them used by someone else\nwhen encrypting a message to your key. If you don't include\n3DES, it will be automatically added at the end. Note that\nthere are many factors that go into choosing an algorithm (for\nexample, your key may not be the only recipient), and so the\nremote OpenPGP application being used to send to you may or\nmay not follow your exact chosen order for a given message.\nIt will, however, only choose an algorithm that is present on\nthe preference list of every recipient key. See also the\nINTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.\n\naddkey\nAdd a subkey to this key.\n\naddcardkey\nGenerate a subkey on a card and add it to this key.\n\nkeytocard\nTransfer the selected secret subkey (or the primary key if no\nsubkey has been selected) to a smartcard. The secret key in\nthe keyring will be replaced by a stub if the key could be\nstored successfully on the card and you use the save command\nlater. Only certain key types may be transferred to the card.\nA sub menu allows you to select on what card to store the key.\nNote that it is not possible to get that key back from the\ncard - if the card gets broken your secret key will be lost\nunless you have a backup somewhere.\n\nbkuptocard 'file'\nRestore the given file to a card. This command may be used to\nrestore a backup key (as generated during card initialization)\nto a new card. In almost all cases this will be the\nencryption key. You should use this command only with the\ncorresponding public key and make sure that the file given as\nargument is indeed the backup to restore. You should then\nselect 2 to restore as encryption key. You will first be\nasked to enter the passphrase of the backup key and then for\nthe Admin PIN of the card.\n\ndelkey\nRemove a subkey (secondart key). Note that it is not possible\nto retract a subkey, once it has been send to the public (i.e.\nto a keyserver). In that case you better use 'revkey'.\n\nrevkey\nRevoke a subkey.\n\nexpire\nChange the key or subkey expiration time. If a subkey is\nselected, the expiration time of this subkey will be changed.\nWith no selection, the key expiration of the primary key is\nchanged.\n\ntrust\nChange the owner trust value for the key. This updates the\ntrust-db immediately and no save is required.\n\ndisable\nenable\nDisable or enable an entire key. A disabled key can not\nnormally be used for encryption.\n\naddrevoker\nAdd a designated revoker to the key. This takes one optional\nargument: \"sensitive\". If a designated revoker is marked as\nsensitive, it will not be exported by default (see\nexport-options).\n\npasswd\nChange the passphrase of the secret key.\n\ntoggle\nToggle between public and secret key listing.\n\nclean\nCompact (by removing all signatures except the selfsig) any\nuser ID that is no longer usable (e.g. revoked, or expired).\nThen, remove any signatures that are not usable by the trust\ncalculations. Specifically, this removes any signature that\ndoes not validate, any signature that is superseded by a later\nsignature, revoked signatures, and signatures issued by keys\nthat are not present on the keyring.\n\nminimize\nMake the key as small as possible. This removes all\nsignatures from each user ID except for the most recent\nself-signature.\n\ncross-certify\nAdd cross-certification signatures to signing subkeys that may\nnot currently have them. Cross-certification signatures\nprotect against a subtle attack against signing subkeys. See\n'--require-cross-certification'. All new keys generated have\nthis signature by default, so this option is only useful to\nbring older keys up to date.\n\nsave\nSave all changes to the key rings and quit.\n\nquit\nQuit the program without updating the key rings.\n\nThe listing shows you the key with its secondary keys and all user\nids. The primary user id is indicated by a dot, and selected keys\nor user ids are indicated by an asterisk. The trust value is\ndisplayed with the primary key: the first is the assigned owner\ntrust and the second is the calculated trust value. Letters are\nused for the values:\n\n-\nNo ownertrust assigned / not yet calculated.\n\ne\nTrust calculation has failed; probably due to an expired key.\n\nq\nNot enough information for calculation.\n\nn\nNever trust this key.\n\nm\nMarginally trusted.\n\nf\nFully trusted.\n\nu\nUltimately trusted.\n\n'--sign-key name'\nSigns a public key with your secret key. This is a shortcut\nversion of the subcommand \"sign\" from '--edit'.\n\n'--lsign-key name'\nSigns a public key with your secret key but marks it as\nnon-exportable. This is a shortcut version of the subcommand\n\"lsign\" from '--edit-key'.\n\nFile: gnupg1.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG\n" }, { "name": "1.2 Option Summary", "content": "'gpg' features a bunch of options to control the exact behaviour and to\nchange the default configuration.\n\n* Menu:\n\n* GPG Configuration Options:: How to change the configuration.\n* GPG Key related Options:: Key related options.\n* GPG Input and Output:: Input and Output.\n* OpenPGP Options:: OpenPGP protocol specific options.\n* Compliance Options:: Compliance options.\n* GPG Esoteric Options:: Doing things one usually don't want to do.\n* Deprecated Options:: Deprecated options.\n\nLong options can be put in an options file (default\n\"~/.gnupg/gpg.conf\"). Short option names will not work - for example,\n\"armor\" is a valid option for the options file, while \"a\" is not. Do\nnot write the 2 dashes, but simply the name of the option and any\nrequired arguments. Lines with a hash ('#') as the first\nnon-white-space character are ignored. Commands may be put in this file\ntoo, but that is not generally useful as the command will execute\nautomatically with every execution of gpg.\n\nPlease remember that option parsing stops as soon as a non-option is\nencountered, you can explicitly stop parsing by using the special option\n'--'.\n\nFile: gnupg1.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options\n\n\nThese options are used to change the configuration and are usually found\nin the option file.\n\n'--default-key NAME'\nUse NAME as the default key to sign with. If this option is not\nused, the default key is the first key found in the secret keyring.\nNote that '-u' or '--local-user' overrides this option.\n\n'--default-recipient NAME'\nUse NAME as default recipient if option '--recipient' is not used\nand don't ask if this is a valid one. NAME must be non-empty.\n\n'--default-recipient-self'\nUse the default key as default recipient if option '--recipient' is\nnot used and don't ask if this is a valid one. The default key is\nthe first one from the secret keyring or the one set with\n'--default-key'.\n\n'--no-default-recipient'\nReset '--default-recipient' and '--default-recipient-self'.\n\n'-v, --verbose'\nGive more information during processing. If used twice, the input\ndata is listed in detail.\n\n'--no-verbose'\nReset verbose level to 0.\n\n'-q, --quiet'\nTry to be as quiet as possible.\n\n'--batch'\n'--no-batch'\nUse batch mode. Never ask, do not allow interactive commands.\n'--no-batch' disables this option. This option is commonly used\nfor unattended operations.\n\nWARNING: Unattended operation bears a higher risk of being exposed\nto security attacks. In particular any unattended use of GnuPG\nwhich involves the use of secret keys should take care not to\nprovide an decryption oracle. There are several standard\npre-cautions against being used as an oracle. For example never\nreturn detailed error messages or any diagnostics printed by your\nsoftware to the remote site. Consult with an expert in case of\ndoubt.\n\nNote that even with a filename given on the command line, gpg might\nstill need to read from STDIN (in particular if gpg figures that\nthe input is a detached signature and no data file has been\nspecified). Thus if you do not want to feed data via STDIN, you\nshould connect STDIN to '/dev/null'.\n\n'--no-tty'\nMake sure that the TTY (terminal) is never used for any output.\nThis option is needed in some cases because GnuPG sometimes prints\nwarnings to the TTY even if '--batch' is used.\n\n'--yes'\nAssume \"yes\" on most questions.\n\n'--no'\nAssume \"no\" on most questions.\n\n'--list-options parameters'\nThis is a space or comma delimited string that gives options used\nwhen listing keys and signatures (that is, '--list-keys',\n'--list-sigs', '--list-public-keys', '--list-secret-keys', and the\n'--edit-key' functions). Options can be prepended with a 'no-'\n(after the two dashes) to give the opposite meaning. The options\nare:\n\nshow-photos\nCauses '--list-keys', '--list-sigs', '--list-public-keys', and\n'--list-secret-keys' to display any photo IDs attached to the\nkey. Defaults to no. See also '--photo-viewer'. Does not\nwork with '--with-colons': see '--attribute-fd' for the\nappropriate way to get photo data for scripts and other\nfrontends.\n\nshow-usage\nShow usage information for keys and subkeys in the standard\nkey listing. This is a list of letters indicating the allowed\nusage for a key ('E'=encryption, 'S'=signing,\n'C'=certification, 'A'=authentication). Defaults to no.\n\nshow-policy-urls\nShow policy URLs in the '--list-sigs' or '--check-sigs'\nlistings. Defaults to no.\n\nshow-notations\nshow-std-notations\nshow-user-notations\nShow all, IETF standard, or user-defined signature notations\nin the '--list-sigs' or '--check-sigs' listings. Defaults to\nno.\n\nshow-keyserver-urls\nShow any preferred keyserver URL in the '--list-sigs' or\n'--check-sigs' listings. Defaults to no.\n\nshow-uid-validity\nDisplay the calculated validity of user IDs during key\nlistings. Defaults to no.\n\nshow-unusable-uids\nShow revoked and expired user IDs in key listings. Defaults\nto no.\n\nshow-unusable-subkeys\nShow revoked and expired subkeys in key listings. Defaults to\nno.\n\nshow-keyring\nDisplay the keyring name at the head of key listings to show\nwhich keyring a given key resides on. Defaults to no.\n\nshow-sig-expire\nShow signature expiration dates (if any) during '--list-sigs'\nor '--check-sigs' listings. Defaults to no.\n\nshow-sig-subpackets\nInclude signature subpackets in the key listing. This option\ncan take an optional argument list of the subpackets to list.\nIf no argument is passed, list all subpackets. Defaults to\nno. This option is only meaningful when using '--with-colons'\nalong with '--list-sigs' or '--check-sigs'.\n\n'--verify-options parameters'\nThis is a space or comma delimited string that gives options used\nwhen verifying signatures. Options can be prepended with a 'no-'\nto give the opposite meaning. The options are:\n\nshow-photos\nDisplay any photo IDs present on the key that issued the\nsignature. Defaults to no. See also '--photo-viewer'.\n\nshow-policy-urls\nShow policy URLs in the signature being verified. Defaults to\nno.\n\nshow-notations\nshow-std-notations\nshow-user-notations\nShow all, IETF standard, or user-defined signature notations\nin the signature being verified. Defaults to IETF standard.\n\nshow-keyserver-urls\nShow any preferred keyserver URL in the signature being\nverified. Defaults to no.\n\nshow-uid-validity\nDisplay the calculated validity of the user IDs on the key\nthat issued the signature. Defaults to no.\n\nshow-unusable-uids\nShow revoked and expired user IDs during signature\nverification. Defaults to no.\n\nshow-primary-uid-only\nShow only the primary user ID during signature verification.\nThat is all the AKA lines as well as photo Ids are not shown\nwith the signature verification status.\n\npka-lookups\nEnable PKA lookups to verify sender addresses. Note that PKA\nis based on DNS, and so enabling this option may disclose\ninformation on when and what signatures are verified or to\nwhom data is encrypted. This is similar to the \"web bug\"\ndescribed for the auto-key-retrieve feature.\n\npka-trust-increase\nRaise the trust in a signature to full if the signature passes\nPKA validation. This option is only meaningful if pka-lookups\nis set.\n\n'--enable-large-rsa'\n'--disable-large-rsa'\nWith -gen-key and -batch, enable the creation of larger RSA secret\nkeys than is generally recommended (up to 8192 bits). These large\nkeys are more expensive to use, and their signatures and\ncertifications are also larger.\n\n'--enable-dsa2'\n'--disable-dsa2'\nEnable hash truncation for all DSA keys even for old DSA Keys up to\n1024 bit. This is also the default with '--openpgp'. Note that\nolder versions of GnuPG also required this flag to allow the\ngeneration of DSA larger than 1024 bit.\n\n'--photo-viewer string'\nThis is the command line that should be run to view a photo ID.\n\"%i\" will be expanded to a filename containing the photo. \"%I\"\ndoes the same, except the file will not be deleted once the viewer\nexits. Other flags are \"%k\" for the key ID, \"%K\" for the long key\nID, \"%f\" for the key fingerprint, \"%t\" for the extension of the\nimage type (e.g. \"jpg\"), \"%T\" for the MIME type of the image (e.g.\n\"image/jpeg\"), \"%v\" for the single-character calculated validity of\nthe image being viewed (e.g. \"f\"), \"%V\" for the calculated\nvalidity as a string (e.g. \"full\"), \"%U\" for a base32 encoded hash\nof the user ID, and \"%%\" for an actual percent sign. If neither %i\nor %I are present, then the photo will be supplied to the viewer on\nstandard input.\n\nThe default viewer is \"xloadimage -fork -quiet -title 'KeyID 0x%k'\nSTDIN\". Note that if your image viewer program is not secure, then\nexecuting it from GnuPG does not make it secure.\n\n'--exec-path string'\nSets a list of directories to search for photo viewers and\nkeyserver helpers. If not provided, keyserver helpers use the\ncompiled-in default directory, and photo viewers use the $PATH\nenvironment variable. Note, that on W32 system this value is\nignored when searching for keyserver helpers.\n\n'--keyring file'\nAdd 'file' to the current list of keyrings. If 'file' begins with\na tilde and a slash, these are replaced by the $HOME directory. If\nthe filename does not contain a slash, it is assumed to be in the\nGnuPG home directory (\"~/.gnupg\" if '--homedir' or $GNUPGHOME is\nnot used).\n\nNote that this adds a keyring to the current list. If the intent\nis to use the specified keyring alone, use '--keyring' along with\n'--no-default-keyring'.\n\n'--secret-keyring file'\nSame as '--keyring' but for the secret keyrings.\n\n'--primary-keyring file'\nDesignate 'file' as the primary public keyring. This means that\nnewly imported keys (via '--import' or keyserver '--recv-from')\nwill go to this keyring.\n\n'--trustdb-name file'\nUse 'file' instead of the default trustdb. If 'file' begins with a\ntilde and a slash, these are replaced by the $HOME directory. If\nthe filename does not contain a slash, it is assumed to be in the\nGnuPG home directory ('~/.gnupg' if '--homedir' or $GNUPGHOME is\nnot used).\n\n'--homedir DIR'\nSet the name of the home directory to DIR. If this option is not\nused, the home directory defaults to '~/.gnupg'. It is only\nrecognized when given on the command line. It also overrides any\nhome directory stated through the environment variable 'GNUPGHOME'\nor (on Windows systems) by means of the Registry entry\nHKCU\\SOFTWARE\\GNU\\GNUPG:HOMEDIR.\n\nOn Windows systems it is possible to install GnuPG as a portable\napplication. In this case only this command line option is\nconsidered, all other ways to set a home directory are ignored.\n\nTo install GnuPG as a portable application under Windows, create an\nempty file name 'gpgconf.ctl' in the same directory as the tool\n'gpgconf.exe'. The root of the installation is than that\ndirectory; or, if 'gpgconf.exe' has been installed directly below a\ndirectory named 'bin', its parent directory. You also need to make\nsure that the following directories exist and are writable:\n'ROOT/home' for the GnuPG home and 'ROOT/var/cache/gnupg' for\ninternal cache files.\n\n'--pcsc-driver file'\nUse 'file' to access the smartcard reader. The current default is\n'libpcsclite.so.1' for GLIBC based systems,\n'/System/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X,\n'winscard.dll' for Windows and 'libpcsclite.so' for other systems.\n\n'--disable-ccid'\nDisable the integrated support for CCID compliant readers. This\nallows falling back to one of the other drivers even if the\ninternal CCID driver can handle the reader. Note, that CCID\nsupport is only available if libusb was available at build time.\n\n'--reader-port numberorstring'\nThis option may be used to specify the port of the card terminal.\nA value of 0 refers to the first serial device; add 32768 to access\nUSB devices. The default is 32768 (first USB device). PC/SC or\nCCID readers might need a string here; run the program in verbose\nmode to get a list of available readers. The default is then the\nfirst reader found.\n\n'--display-charset name'\nSet the name of the native character set. This is used to convert\nsome informational strings like user IDs to the proper UTF-8\nencoding. Note that this has nothing to do with the character set\nof data to be encrypted or signed; GnuPG does not recode\nuser-supplied data. If this option is not used, the default\ncharacter set is determined from the current locale. A verbosity\nlevel of 3 shows the chosen set. Valid values for 'name' are:\n\niso-8859-1\nThis is the Latin 1 set.\n\niso-8859-2\nThe Latin 2 set.\n\niso-8859-15\nThis is currently an alias for the Latin 1 set.\n\nkoi8-r\nThe usual Russian set (rfc1489).\n\nutf-8\nBypass all translations and assume that the OS uses native\nUTF-8 encoding.\n\n'--utf8-strings'\n'--no-utf8-strings'\nAssume that command line arguments are given as UTF8 strings. The\ndefault ('--no-utf8-strings') is to assume that arguments are\nencoded in the character set as specified by '--display-charset'.\nThese options affect all following arguments. Both options may be\nused multiple times.\n\n'--options file'\nRead options from 'file' and do not try to read them from the\ndefault options file in the homedir (see '--homedir'). This option\nis ignored if used in an options file.\n\n'--no-options'\nShortcut for '--options /dev/null'. This option is detected before\nan attempt to open an option file. Using this option will also\nprevent the creation of a '~/.gnupg' homedir.\n\n'-z n'\n'--compress-level n'\n'--bzip2-compress-level n'\nSet compression level to 'n' for the ZIP and ZLIB compression\nalgorithms. The default is to use the default compression level of\nzlib (normally 6). '--bzip2-compress-level' sets the compression\nlevel for the BZIP2 compression algorithm (defaulting to 6 as\nwell). This is a different option from '--compress-level' since\nBZIP2 uses a significant amount of memory for each additional\ncompression level. '-z' sets both. A value of 0 for 'n' disables\ncompression.\n\n'--bzip2-decompress-lowmem'\nUse a different decompression method for BZIP2 compressed files.\nThis alternate method uses a bit more than half the memory, but\nalso runs at half the speed. This is useful under extreme low\nmemory circumstances when the file was originally compressed at a\nhigh '--bzip2-compress-level'.\n\n'--mangle-dos-filenames'\n'--no-mangle-dos-filenames'\nOlder version of Windows cannot handle filenames with more than one\ndot. '--mangle-dos-filenames' causes GnuPG to replace (rather than\nadd to) the extension of an output filename to avoid this problem.\nThis option is off by default and has no effect on non-Windows\nplatforms.\n\n'--ask-cert-level'\n'--no-ask-cert-level'\nWhen making a key signature, prompt for a certification level. If\nthis option is not specified, the certification level used is set\nvia '--default-cert-level'. See '--default-cert-level' for\ninformation on the specific levels and how they are used.\n'--no-ask-cert-level' disables this option. This option defaults\nto no.\n\n'--default-cert-level n'\nThe default to use for the check level when signing a key.\n\n0 means you make no particular claim as to how carefully you\nverified the key.\n\n1 means you believe the key is owned by the person who claims to\nown it but you could not, or did not verify the key at all. This\nis useful for a \"persona\" verification, where you sign the key of a\npseudonymous user.\n\n2 means you did casual verification of the key. For example, this\ncould mean that you verified the key fingerprint and checked the\nuser ID on the key against a photo ID.\n\n3 means you did extensive verification of the key. For example,\nthis could mean that you verified the key fingerprint with the\nowner of the key in person, and that you checked, by means of a\nhard to forge document with a photo ID (such as a passport) that\nthe name of the key owner matches the name in the user ID on the\nkey, and finally that you verified (by exchange of email) that the\nemail address on the key belongs to the key owner.\n\nNote that the examples given above for levels 2 and 3 are just\nthat: examples. In the end, it is up to you to decide just what\n\"casual\" and \"extensive\" mean to you.\n\nThis option defaults to 0 (no particular claim).\n\n'--min-cert-level'\nWhen building the trust database, treat any signatures with a\ncertification level below this as invalid. Defaults to 2, which\ndisregards level 1 signatures. Note that level 0 \"no particular\nclaim\" signatures are always accepted.\n\n'--trusted-key long key ID'\nAssume that the specified key (which must be given as a full 8 byte\nkey ID) is as trustworthy as one of your own secret keys. This\noption is useful if you don't want to keep your secret keys (or one\nof them) online but still want to be able to check the validity of\na given recipient's or signator's key.\n\n'--trust-model pgp|classic|direct|always|auto'\nSet what trust model GnuPG should follow. The models are:\n\npgp\nThis is the Web of Trust combined with trust signatures as\nused in PGP 5.x and later. This is the default trust model\nwhen creating a new trust database.\n\nclassic\nThis is the standard Web of Trust as introduced by PGP 2.\n\ndirect\nKey validity is set directly by the user and not calculated\nvia the Web of Trust.\n\nalways\nSkip key validation and assume that used keys are always fully\nvalid. You generally won't use this unless you are using some\nexternal validation scheme. This option also suppresses the\n\"[uncertain]\" tag printed with signature checks when there is\nno evidence that the user ID is bound to the key. Note that\nthis trust model still does not allow the use of expired,\nrevoked, or disabled keys.\n\nauto\nSelect the trust model depending on whatever the internal\ntrust database says. This is the default model if such a\ndatabase already exists.\n\n'--auto-key-locate parameters'\n'--no-auto-key-locate'\nGnuPG can automatically locate and retrieve keys as needed using\nthis option. This happens when encrypting to an email address (in\nthe \"user@example.com\" form), and there are no user@example.com\nkeys on the local keyring. This option takes any number of the\nfollowing mechanisms, in the order they are to be tried:\n\ncert\nLocate a key using DNS CERT, as specified in rfc4398.\n\npka\nLocate a key using DNS PKA.\n\nldap\nUsing DNS Service Discovery, check the domain in question for\nany LDAP keyservers to use. If this fails, attempt to locate\nthe key using the PGP Universal method of checking\n'ldap://keys.(thedomain)'.\n\nkeyserver\nLocate a key using whatever keyserver is defined using the\n'--keyserver' option.\n\nkeyserver-URL\nIn addition, a keyserver URL as used in the '--keyserver'\noption may be used here to query that particular keyserver.\n\nlocal\nLocate the key using the local keyrings. This mechanism\nallows the user to select the order a local key lookup is\ndone. Thus using '--auto-key-locate local' is identical to\n'--no-auto-key-locate'.\n\nnodefault\nThis flag disables the standard local key lookup, done before\nany of the mechanisms defined by the '--auto-key-locate' are\ntried. The position of this mechanism in the list does not\nmatter. It is not required if 'local' is also used.\n\nclear\nClear all defined mechanisms. This is useful to override\nmechanisms given in a config file.\n\n'--keyid-format short|0xshort|long|0xlong'\nSelect how to display key IDs. \"short\" is the traditional\n8-character key ID. \"long\" is the more accurate (but less\nconvenient) 16-character key ID. Add an \"0x\" to either to include\nan \"0x\" at the beginning of the key ID, as in 0x99242560. Note\nthat this option is ignored if the option -with-colons is used.\n\n'--keyserver name'\nUse 'name' as your keyserver. This is the server that\n'--recv-keys', '--send-keys', and '--search-keys' will communicate\nwith to receive keys from, send keys to, and search for keys on.\nThe format of the 'name' is a URI:\n'scheme:[//]keyservername[:port]' The scheme is the type of\nkeyserver: \"hkp\" for the HTTP (or compatible) keyservers, \"ldap\"\nfor the LDAP keyservers, or \"mailto\" for the Graff email keyserver.\nNote that your particular installation of GnuPG may have other\nkeyserver types available as well. Keyserver schemes are\ncase-insensitive. After the keyserver name, optional keyserver\nconfiguration options may be provided. These are the same as the\nglobal '--keyserver-options' from below, but apply only to this\nparticular keyserver.\n\nMost keyservers synchronize with each other, so there is generally\nno need to send keys to more than one server. The keyserver\n'hkp://keys.gnupg.net' uses round robin DNS to give a different\nkeyserver each time you use it.\n\n'--keyserver-options name=value1 '\nThis is a space or comma delimited string that gives options for\nthe keyserver. Options can be prefixed with a 'no-' to give the\nopposite meaning. Valid import-options or export-options may be\nused here as well to apply to importing ('--recv-key') or exporting\n('--send-key') a key from a keyserver. While not all options are\navailable for all keyserver types, some common options are:\n\ninclude-revoked\nWhen searching for a key with '--search-keys', include keys\nthat are marked on the keyserver as revoked. Note that not\nall keyservers differentiate between revoked and unrevoked\nkeys, and for such keyservers this option is meaningless.\nNote also that most keyservers do not have cryptographic\nverification of key revocations, and so turning this option\noff may result in skipping keys that are incorrectly marked as\nrevoked.\n\ninclude-disabled\nWhen searching for a key with '--search-keys', include keys\nthat are marked on the keyserver as disabled. Note that this\noption is not used with HKP keyservers.\n\nauto-key-retrieve\nThis option enables the automatic retrieving of keys from a\nkeyserver when verifying signatures made by keys that are not\non the local keyring.\n\nNote that this option makes a \"web bug\" like behavior\npossible. Keyserver operators can see which keys you request,\nso by sending you a message signed by a brand new key (which\nyou naturally will not have on your local keyring), the\noperator can tell both your IP address and the time when you\nverified the signature.\n\nhonor-keyserver-url\nWhen using '--refresh-keys', if the key in question has a\npreferred keyserver URL, then use that preferred keyserver to\nrefresh the key from. In addition, if auto-key-retrieve is\nset, and the signature being verified has a preferred\nkeyserver URL, then use that preferred keyserver to fetch the\nkey from. Defaults to yes.\n\nhonor-pka-record\nIf auto-key-retrieve is set, and the signature being verified\nhas a PKA record, then use the PKA information to fetch the\nkey. Defaults to yes.\n\ninclude-subkeys\nWhen receiving a key, include subkeys as potential targets.\nNote that this option is not used with HKP keyservers, as they\ndo not support retrieving keys by subkey id.\n\nuse-temp-files\nOn most Unix-like platforms, GnuPG communicates with the\nkeyserver helper program via pipes, which is the most\nefficient method. This option forces GnuPG to use temporary\nfiles to communicate. On some platforms (such as Win32 and\nRISC OS), this option is always enabled.\n\nkeep-temp-files\nIf using 'use-temp-files', do not delete the temp files after\nusing them. This option is useful to learn the keyserver\ncommunication protocol by reading the temporary files.\n\nverbose\nTell the keyserver helper program to be more verbose. This\noption can be repeated multiple times to increase the\nverbosity level.\n\ntimeout\nTell the keyserver helper program how long (in seconds) to try\nand perform a keyserver action before giving up. Note that\nperforming multiple actions at the same time uses this timeout\nvalue per action. For example, when retrieving multiple keys\nvia '--recv-keys', the timeout applies separately to each key\nretrieval, and not to the '--recv-keys' command as a whole.\nDefaults to 30 seconds.\n\nhttp-proxy='value'\nSet the proxy to use for HTTP and HKP keyservers. This\noverrides the \"httpproxy\" environment variable, if any.\n\nmax-cert-size\nWhen retrieving a key via DNS CERT, only accept keys up to\nthis size. Defaults to 16384 bytes.\n\ndebug\nTurn on debug output in the keyserver helper program. Note\nthat the details of debug output depends on which keyserver\nhelper program is being used, and in turn, on any libraries\nthat the keyserver helper program uses internally (libcurl,\nopenldap, etc).\n\ncheck-cert\nEnable certificate checking if the keyserver presents one (for\nhkps or ldaps). Defaults to on.\n\nca-cert-file\nProvide a certificate store to override the system default.\nOnly necessary if check-cert is enabled, and the keyserver is\nusing a certificate that is not present in a system default\ncertificate list.\n\nNote that depending on the SSL library that the keyserver\nhelper is built with, this may actually be a directory or a\nfile.\n\n'--completes-needed n'\nNumber of completely trusted users to introduce a new key signer\n(defaults to 1).\n\n'--marginals-needed n'\nNumber of marginally trusted users to introduce a new key signer\n(defaults to 3)\n\n'--max-cert-depth n'\nMaximum depth of a certification chain (default is 5).\n\n'--simple-sk-checksum'\nSecret keys are integrity protected by using a SHA-1 checksum.\nThis method is part of the upcoming enhanced OpenPGP specification\nbut GnuPG already uses it as a countermeasure against certain\nattacks. Old applications don't understand this new format, so\nthis option may be used to switch back to the old behaviour. Using\nthis option bears a security risk. Note that using this option\nonly takes effect when the secret key is encrypted - the simplest\nway to make this happen is to change the passphrase on the key\n(even changing it to the same value is acceptable).\n\n'--no-sig-cache'\nDo not cache the verification status of key signatures. Caching\ngives a much better performance in key listings. However, if you\nsuspect that your public keyring is not save against write\nmodifications, you can use this option to disable the caching. It\nprobably does not make sense to disable it because all kind of\ndamage can be done if someone else has write access to your public\nkeyring.\n\n'--no-sig-create-check'\nThis options is obsolete. It has no function.\n\n'--auto-check-trustdb'\n'--no-auto-check-trustdb'\nIf GnuPG feels that its information about the Web of Trust has to\nbe updated, it automatically runs the '--check-trustdb' command\ninternally. This may be a time consuming process.\n'--no-auto-check-trustdb' disables this option.\n\n'--use-agent'\n'--no-use-agent'\nTry to use the GnuPG-Agent. With this option, GnuPG first tries to\nconnect to the agent before it asks for a passphrase.\n'--no-use-agent' disables this option. Note, that the tool\n'gpg-preset-passphrase', which comes with GnuPG-2, cannot be used\nto preset a passphrase for this version of GnuPG.\n\n'--gpg-agent-info'\nOverride the value of the environment variable 'GPGAGENTINFO'.\nThis is only used when '--use-agent' has been given. Given that\nthis option is not anymore used by 'gpg2', it should be avoided if\npossible.\n\n'--lock-once'\nLock the databases the first time a lock is requested and do not\nrelease the lock until the process terminates.\n\n'--lock-multiple'\nRelease the locks every time a lock is no longer needed. Use this\nto override a previous '--lock-once' from a config file.\n\n'--lock-never'\nDisable locking entirely. This option should be used only in very\nspecial environments, where it can be assured that only one process\nis accessing those files. A bootable floppy with a stand-alone\nencryption system will probably use this. Improper usage of this\noption may lead to data and key corruption.\n\n'--exit-on-status-write-error'\nThis option will cause write errors on the status FD to immediately\nterminate the process. That should in fact be the default but it\nnever worked this way and thus we need an option to enable this, so\nthat the change won't break applications which close their end of a\nstatus fd connected pipe too early. Using this option along with\n'--enable-progress-filter' may be used to cleanly cancel long\nrunning gpg operations.\n\n'--limit-card-insert-tries n'\nWith 'n' greater than 0 the number of prompts asking to insert a\nsmartcard gets limited to N-1. Thus with a value of 1 gpg won't at\nall ask to insert a card if none has been inserted at startup.\nThis option is useful in the configuration file in case an\napplication does not know about the smartcard support and waits ad\ninfinitum for an inserted card.\n\n'--no-random-seed-file'\nGnuPG uses a file to store its internal random pool over\ninvocations. This makes random generation faster; however\nsometimes write operations are not desired. This option can be\nused to achieve that with the cost of slower random generation.\n\n'--no-greeting'\nSuppress the initial copyright message.\n\n'--no-secmem-warning'\nSuppress the warning about \"using insecure memory\".\n\n'--no-permission-warning'\nSuppress the warning about unsafe file and home directory\n('--homedir') permissions. Note that the permission checks that\nGnuPG performs are not intended to be authoritative, but rather\nthey simply warn about certain common permission problems. Do not\nassume that the lack of a warning means that your system is secure.\n\nNote that the warning for unsafe '--homedir' permissions cannot be\nsuppressed in the gpg.conf file, as this would allow an attacker to\nplace an unsafe gpg.conf file in place, and use this file to\nsuppress warnings about itself. The '--homedir' permissions\nwarning may only be suppressed on the command line.\n\n'--no-mdc-warning'\nSuppress the warning about missing MDC integrity protection.\n\n'--require-secmem'\n'--no-require-secmem'\nRefuse to run if GnuPG cannot get secure memory. Defaults to no\n(i.e. run, but give a warning).\n\n'--require-cross-certification'\n'--no-require-cross-certification'\nWhen verifying a signature made from a subkey, ensure that the\ncross certification \"back signature\" on the subkey is present and\nvalid. This protects against a subtle attack against subkeys that\ncan sign. Defaults to '--require-cross-certification' for 'gpg'.\n\n'--expert'\n'--no-expert'\nAllow the user to do certain nonsensical or \"silly\" things like\nsigning an expired or revoked key, or certain potentially\nincompatible things like generating unusual key types. This also\ndisables certain warning messages about potentially incompatible\nactions. As the name implies, this option is for experts only. If\nyou don't fully understand the implications of what it allows you\nto do, leave this off. '--no-expert' disables this option.\n\nFile: gnupg1.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options\n\n\n'--recipient NAME'\n'-r'\nEncrypt for user id NAME. If this option or '--hidden-recipient'\nis not specified, GnuPG asks for the user-id unless\n'--default-recipient' is given.\n\n'--hidden-recipient NAME'\n'-R'\nEncrypt for user ID NAME, but hide the key ID of this user's key.\nThis option helps to hide the receiver of the message and is a\nlimited countermeasure against traffic analysis. If this option or\n'--recipient' is not specified, GnuPG asks for the user ID unless\n'--default-recipient' is given.\n\n'--encrypt-to name'\nSame as '--recipient' but this one is intended for use in the\noptions file and may be used with your own user-id as an\n\"encrypt-to-self\". These keys are only used when there are other\nrecipients given either by use of '--recipient' or by the asked\nuser id. No trust checking is performed for these user ids and\neven disabled keys can be used.\n\n'--hidden-encrypt-to name'\nSame as '--hidden-recipient' but this one is intended for use in\nthe options file and may be used with your own user-id as a hidden\n\"encrypt-to-self\". These keys are only used when there are other\nrecipients given either by use of '--recipient' or by the asked\nuser id. No trust checking is performed for these user ids and\neven disabled keys can be used.\n\n'--no-encrypt-to'\nDisable the use of all '--encrypt-to' and '--hidden-encrypt-to'\nkeys.\n\n'--group name=value1 '\nSets up a named group, which is similar to aliases in email\nprograms. Any time the group name is a recipient ('-r' or\n'--recipient'), it will be expanded to the values specified.\nMultiple groups with the same name are automatically merged into a\nsingle group.\n\nThe values are 'key IDs' or fingerprints, but any key description\nis accepted. Note that a value with spaces in it will be treated\nas two different values. Note also there is only one level of\nexpansion -- you cannot make an group that points to another group.\nWhen used from the command line, it may be necessary to quote the\nargument to this option to prevent the shell from treating it as\nmultiple arguments.\n\n'--ungroup name'\nRemove a given entry from the '--group' list.\n\n'--no-groups'\nRemove all entries from the '--group' list.\n\n'--local-user NAME'\n'-u'\nUse NAME as the key to sign with. Note that this option overrides\n'--default-key'.\n\n'--try-all-secrets'\nDon't look at the key ID as stored in the message but try all\nsecret keys in turn to find the right decryption key. This option\nforces the behaviour as used by anonymous recipients (created by\nusing '--throw-keyids' or '--hidden-recipient') and might come\nhandy in case where an encrypted message contains a bogus key ID.\n\nFile: gnupg1.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options\n\n\n'--armor'\n'-a'\nCreate ASCII armored output. The default is to create the binary\nOpenPGP format.\n\n'--no-armor'\nAssume the input data is not in ASCII armored format.\n\n'--output FILE'\n'-o FILE'\nWrite output to FILE.\n\n'--max-output n'\nThis option sets a limit on the number of bytes that will be\ngenerated when processing a file. Since OpenPGP supports various\nlevels of compression, it is possible that the plaintext of a given\nmessage may be significantly larger than the original OpenPGP\nmessage. While GnuPG works properly with such messages, there is\noften a desire to set a maximum file size that will be generated\nbefore processing is forced to stop by the OS limits. Defaults to\n0, which means \"no limit\".\n\n'--import-options parameters'\nThis is a space or comma delimited string that gives options for\nimporting keys. Options can be prepended with a 'no-' to give the\nopposite meaning. The options are:\n\nimport-local-sigs\nAllow importing key signatures marked as \"local\". This is not\ngenerally useful unless a shared keyring scheme is being used.\nDefaults to no.\n\nkeep-ownertrust\nNormally possible still existing ownertrust values of a key\nare cleared if a key is imported. This is in general\ndesirable so that a formerly deleted key does not\nautomatically gain an ownertrust values merely due to import.\nOn the other hand it is sometimes necessary to re-import a\ntrusted set of keys again but keeping already assigned\nownertrust values. This can be achieved by using this option.\n\nrepair-pks-subkey-bug\nDuring import, attempt to repair the damage caused by the PKS\nkeyserver bug (pre version 0.9.6) that mangles keys with\nmultiple subkeys. Note that this cannot completely repair the\ndamaged key as some crucial data is removed by the keyserver,\nbut it does at least give you back one subkey. Defaults to no\nfor regular '--import' and to yes for keyserver '--recv-keys'.\n\nmerge-only\nDuring import, allow key updates to existing keys, but do not\nallow any new keys to be imported. Defaults to no.\n\nimport-clean\nAfter import, compact (remove all signatures except the\nself-signature) any user IDs from the new key that are not\nusable. Then, remove any signatures from the new key that are\nnot usable. This includes signatures that were issued by keys\nthat are not present on the keyring. This option is the same\nas running the '--edit-key' command \"clean\" after import.\nDefaults to no.\n\nimport-minimal\nImport the smallest key possible. This removes all signatures\nexcept the most recent self-signature on each user ID. This\noption is the same as running the '--edit-key' command\n\"minimize\" after import. Defaults to no.\n\n'--export-options parameters'\nThis is a space or comma delimited string that gives options for\nexporting keys. Options can be prepended with a 'no-' to give the\nopposite meaning. The options are:\n\nexport-local-sigs\nAllow exporting key signatures marked as \"local\". This is not\ngenerally useful unless a shared keyring scheme is being used.\nDefaults to no.\n\nexport-attributes\nInclude attribute user IDs (photo IDs) while exporting. This\nis useful to export keys if they are going to be used by an\nOpenPGP program that does not accept attribute user IDs.\nDefaults to yes.\n\nexport-sensitive-revkeys\nInclude designated revoker information that was marked as\n\"sensitive\". Defaults to no.\n\nexport-reset-subkey-passwd\nWhen using the '--export-secret-subkeys' command, this option\nresets the passphrases for all exported subkeys to empty.\nThis is useful when the exported subkey is to be used on an\nunattended machine where a passphrase doesn't necessarily make\nsense. Defaults to no.\n\nexport-clean\nCompact (remove all signatures from) user IDs on the key being\nexported if the user IDs are not usable. Also, do not export\nany signatures that are not usable. This includes signatures\nthat were issued by keys that are not present on the keyring.\nThis option is the same as running the '--edit-key' command\n\"clean\" before export except that the local copy of the key is\nnot modified. Defaults to no.\n\nexport-minimal\nExport the smallest key possible. This removes all signatures\nexcept the most recent self-signature on each user ID. This\noption is the same as running the '--edit-key' command\n\"minimize\" before export except that the local copy of the key\nis not modified. Defaults to no.\n\n'--with-colons'\nPrint key listings delimited by colons. Note that the output will\nbe encoded in UTF-8 regardless of any '--display-charset' setting.\nThis format is useful when GnuPG is called from scripts and other\nprograms as it is easily machine parsed. The details of this\nformat are documented in the file 'doc/DETAILS', which is included\nin the GnuPG source distribution.\n\n'--fixed-list-mode'\nDo not merge primary user ID and primary key in '--with-colon'\nlisting mode and print all timestamps as seconds since 1970-01-01.\n\n'--with-fingerprint'\nSame as the command '--fingerprint' but changes only the format of\nthe output and may be used together with another command.\n\nFile: gnupg1.info, Node: OpenPGP Options, Next: Compliance Options, Prev: GPG Input and Output, Up: GPG Options\n\n\n'-t, --textmode'\n'--no-textmode'\nTreat input files as text and store them in the OpenPGP canonical\ntext form with standard \"CRLF\" line endings. This also sets the\nnecessary flags to inform the recipient that the encrypted or\nsigned data is text and may need its line endings converted back to\nwhatever the local system uses. This option is useful when\ncommunicating between two platforms that have different line ending\nconventions (UNIX-like to Mac, Mac to Windows, etc).\n'--no-textmode' disables this option, and is the default.\n\nIf '-t' (but not '--textmode') is used together with armoring and\nsigning, this enables clearsigned messages. This kludge is needed\nfor command-line compatibility with command-line versions of PGP;\nnormally you would use '--sign' or '--clearsign' to select the type\nof the signature.\n\n'--force-v3-sigs'\n'--no-force-v3-sigs'\nOpenPGP states that an implementation should generate v4 signatures\nbut PGP versions 5 through 7 only recognize v4 signatures on key\nmaterial. This option forces v3 signatures for signatures on data.\nNote that this option implies '--no-ask-sig-expire', and unsets\n'--sig-policy-url', '--sig-notation', and '--sig-keyserver-url', as\nthese features cannot be used with v3 signatures.\n'--no-force-v3-sigs' disables this option. Defaults to no.\n\n'--force-v4-certs'\n'--no-force-v4-certs'\nAlways use v4 key signatures even on v3 keys. This option also\nchanges the default hash algorithm for v3 RSA keys from MD5 to\nSHA-1. '--no-force-v4-certs' disables this option.\n\n'--force-mdc'\nForce the use of encryption with a modification detection code.\nThis is always used with the newer ciphers (those with a blocksize\ngreater than 64 bits), or if all of the recipient keys indicate MDC\nsupport in their feature flags.\n\n'--disable-mdc'\nDisable the use of the modification detection code. Note that by\nusing this option, the encrypted message becomes vulnerable to a\nmessage modification attack.\n\n'--personal-cipher-preferences string'\nSet the list of personal cipher preferences to 'string'. Use 'gpg\n--version' to get a list of available algorithms, and use 'none' to\nset no preference at all. This allows the user to safely override\nthe algorithm chosen by the recipient key preferences, as GPG will\nonly select an algorithm that is usable by all recipients. The\nmost highly ranked cipher in this list is also used for the\n'--symmetric' encryption command.\n\n'--personal-digest-preferences string'\nSet the list of personal digest preferences to 'string'. Use 'gpg\n--version' to get a list of available algorithms, and use 'none' to\nset no preference at all. This allows the user to safely override\nthe algorithm chosen by the recipient key preferences, as GPG will\nonly select an algorithm that is usable by all recipients. The\nmost highly ranked digest algorithm in this list is also used when\nsigning without encryption (e.g. '--clearsign' or '--sign').\n\n'--personal-compress-preferences string'\nSet the list of personal compression preferences to 'string'. Use\n'gpg --version' to get a list of available algorithms, and use\n'none' to set no preference at all. This allows the user to safely\noverride the algorithm chosen by the recipient key preferences, as\nGPG will only select an algorithm that is usable by all recipients.\nThe most highly ranked compression algorithm in this list is also\nused when there are no recipient keys to consider (e.g.\n'--symmetric').\n\n'--s2k-cipher-algo name'\nUse 'name' as the cipher algorithm used to protect secret keys.\nThe default cipher is AES128. This cipher is also used for\nconventional encryption if '--personal-cipher-preferences' and\n'--cipher-algo' is not given.\n\n'--s2k-digest-algo name'\nUse 'name' as the digest algorithm used to mangle the passphrases.\nThe default algorithm is SHA-1.\n\n'--s2k-mode n'\nSelects how passphrases are mangled. If 'n' is 0 a plain\npassphrase (which is not recommended) will be used, a 1 adds a salt\nto the passphrase and a 3 (the default) iterates the whole process\na number of times (see -s2k-count). Unless '--rfc1991' is used,\nthis mode is also used for conventional encryption.\n\n'--s2k-count n'\nSpecify how many times the passphrase mangling is repeated. This\nvalue may range between 1024 and 65011712 inclusive. The default\nis inquired from gpg-agent. Note that not all values in the\n1024-65011712 range are legal and if an illegal value is selected,\nGnuPG will round up to the nearest legal value. This option is\nonly meaningful if '--s2k-mode' is 3.\n\nFile: gnupg1.info, Node: Compliance Options, Next: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options\n\n\nThese options control what GnuPG is compliant to. Only one of these\noptions may be active at a time. Note that the default setting of this\nis nearly always the correct one. See the INTEROPERABILITY WITH OTHER\nOPENPGP PROGRAMS section below before using one of these options.\n\n'--gnupg'\nUse standard GnuPG behavior. This is essentially OpenPGP behavior\n(see '--openpgp'), but with some additional workarounds for common\ncompatibility problems in different versions of PGP. This is the\ndefault option, so it is not generally needed, but it may be useful\nto override a different compliance option in the gpg.conf file.\n\n'--openpgp'\nReset all packet, cipher and digest options to strict OpenPGP\nbehavior. Use this option to reset all previous options like\n'--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo'\nto OpenPGP compliant values. All PGP workarounds are disabled.\n\n'--rfc4880'\nReset all packet, cipher and digest options to strict RFC-4880\nbehavior. Note that this is currently the same thing as\n'--openpgp'.\n\n'--rfc2440'\nReset all packet, cipher and digest options to strict RFC-2440\nbehavior.\n\n'--rfc1991'\nTry to be more RFC-1991 (PGP 2.x) compliant. This option is\ndeprecated will be removed in GnuPG 2.1.\n\n'--pgp2'\nSet up all options to be as PGP 2.x compliant as possible, and warn\nif an action is taken (e.g. encrypting to a non-RSA key) that will\ncreate a message that PGP 2.x will not be able to handle. Note\nthat 'PGP 2.x' here means 'MIT PGP 2.6.2'. There are other\nversions of PGP 2.x available, but the MIT release is a good common\nbaseline.\n\nThis option implies '--rfc1991 --disable-mdc --no-force-v4-certs\n--escape-from-lines --force-v3-sigs --allow-weak-digest-algos\n--cipher-algo IDEA --digest-algo MD5 --compress-algo ZIP'. It also\ndisables '--textmode' when encrypting.\n\nThis option is deprecated will be removed in GnuPG 2.1. The reason\nfor dropping PGP-2 support is that the PGP 2 format is not anymore\nconsidered safe (for example due to the use of the broken MD5\nalgorithm). Note that the decryption of PGP-2 created messages\nwill continue to work.\n\n'--pgp6'\nSet up all options to be as PGP 6 compliant as possible. This\nrestricts you to the ciphers IDEA (if the IDEA plugin is\ninstalled), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,\nand the compression algorithms none and ZIP. This also disables\n-throw-keyids, and making signatures with signing subkeys as PGP 6\ndoes not understand signatures made by signing subkeys.\n\nThis option implies '--disable-mdc --escape-from-lines\n--force-v3-sigs'.\n\n'--pgp7'\nSet up all options to be as PGP 7 compliant as possible. This is\nidentical to '--pgp6' except that MDCs are not disabled, and the\nlist of allowable ciphers is expanded to add AES128, AES192,\nAES256, and TWOFISH.\n\n'--pgp8'\nSet up all options to be as PGP 8 compliant as possible. PGP 8 is\na lot closer to the OpenPGP standard than previous versions of PGP,\nso all this does is disable '--throw-keyids' and set\n'--escape-from-lines'. All algorithms are allowed except for the\nSHA224, SHA384, and SHA512 digests.\n\nFile: gnupg1.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options\n\n\n'-n'\n'--dry-run'\nDon't make any changes (this is not completely implemented).\n\n'--list-only'\nChanges the behaviour of some commands. This is like '--dry-run'\nbut different in some cases. The semantic of this command may be\nextended in the future. Currently it only skips the actual\ndecryption pass and therefore enables a fast listing of the\nencryption keys.\n\n'-i'\n'--interactive'\nPrompt before overwriting any files.\n\n'--debug-level LEVEL'\nSelect the debug level for investigating problems. LEVEL may be a\nnumeric value or by a keyword:\n\n'none'\nNo debugging at all. A value of less than 1 may be used\ninstead of the keyword.\n'basic'\nSome basic debug messages. A value between 1 and 2 may be\nused instead of the keyword.\n'advanced'\nMore verbose debug messages. A value between 3 and 5 may be\nused instead of the keyword.\n'expert'\nEven more detailed messages. A value between 6 and 8 may be\nused instead of the keyword.\n'guru'\nAll of the debug messages you can get. A value greater than 8\nmay be used instead of the keyword. The creation of hash\ntracing files is only enabled if the keyword is used.\n\nHow these messages are mapped to the actual debugging flags is not\nspecified and may change with newer releases of this program. They\nare however carefully selected to best aid in debugging.\n\n'--debug FLAGS'\nSet debugging flags. All flags are or-ed and FLAGS may be given in\nC syntax (e.g. 0x0042).\n\n'--debug-all'\nSet all useful debugging flags.\n\n'--debug-ccid-driver'\nEnable debug output from the included CCID driver for smartcards.\nNote that this option is only available on some system.\n\n'--enable-progress-filter'\nEnable certain PROGRESS status outputs. This option allows\nfrontends to display a progress indicator while gpg is processing\nlarger files. There is a slight performance overhead using it.\n\n'--status-fd n'\nWrite special status strings to the file descriptor 'n'. See the\nfile DETAILS in the documentation for a listing of them.\n\n'--status-file file'\nSame as '--status-fd', except the status data is written to file\n'file'.\n\n'--logger-fd n'\nWrite log output to file descriptor 'n' and not to STDERR.\n\n'--log-file file'\n'--logger-file file'\nSame as '--logger-fd', except the logger data is written to file\n'file'. Note that '--log-file' is only implemented for GnuPG-2.\n\n'--attribute-fd n'\nWrite attribute subpackets to the file descriptor 'n'. This is\nmost useful for use with '--status-fd', since the status messages\nare needed to separate out the various subpackets from the stream\ndelivered to the file descriptor.\n\n'--attribute-file file'\nSame as '--attribute-fd', except the attribute data is written to\nfile 'file'.\n\n'--comment string'\n'--no-comments'\nUse 'string' as a comment string in clear text signatures and ASCII\narmored messages or keys (see '--armor'). The default behavior is\nnot to use a comment string. '--comment' may be repeated multiple\ntimes to get multiple comment strings. '--no-comments' removes all\ncomments. It is a good idea to keep the length of a single comment\nbelow 60 characters to avoid problems with mail programs wrapping\nsuch lines. Note that comment lines, like all other header lines,\nare not protected by the signature.\n\n'--emit-version'\n'--no-emit-version'\nForce inclusion of the version string in ASCII armored output. If\ngiven once only the name of the program and the major number is\nemitted, given twice the minor is also emitted, given triple the\nmicro is added, and given quad an operating system identification\nis also emitted. '--no-emit-version' (default) disables the\nversion line.\n\n'--sig-notation name=value'\n'--cert-notation name=value'\n'-N, --set-notation name=value'\nPut the name value pair into the signature as notation data.\n'name' must consist only of printable characters or spaces, and\nmust contain a '@' character in the form keyname@domain.example.com\n(substituting the appropriate keyname and domain name, of course).\nThis is to help prevent pollution of the IETF reserved notation\nnamespace. The '--expert' flag overrides the '@' check. 'value'\nmay be any printable string; it will be encoded in UTF8, so you\nshould check that your '--display-charset' is set correctly. If\nyou prefix 'name' with an exclamation mark (!), the notation data\nwill be flagged as critical (rfc4880:5.2.3.16). '--sig-notation'\nsets a notation for data signatures. '--cert-notation' sets a\nnotation for key signatures (certifications). '--set-notation'\nsets both.\n\nThere are special codes that may be used in notation names. \"%k\"\nwill be expanded into the key ID of the key being signed, \"%K\" into\nthe long key ID of the key being signed, \"%f\" into the fingerprint\nof the key being signed, \"%s\" into the key ID of the key making the\nsignature, \"%S\" into the long key ID of the key making the\nsignature, \"%g\" into the fingerprint of the key making the\nsignature (which might be a subkey), \"%p\" into the fingerprint of\nthe primary key of the key making the signature, \"%c\" into the\nsignature count from the OpenPGP smartcard, and \"%%\" results in a\nsingle \"%\". %k, %K, and %f are only meaningful when making a key\nsignature (certification), and %c is only meaningful when using the\nOpenPGP smartcard.\n\n'--sig-policy-url string'\n'--cert-policy-url string'\n'--set-policy-url string'\nUse 'string' as a Policy URL for signatures (rfc4880:5.2.3.20). If\nyou prefix it with an exclamation mark (!), the policy URL packet\nwill be flagged as critical. '--sig-policy-url' sets a policy url\nfor data signatures. '--cert-policy-url' sets a policy url for key\nsignatures (certifications). '--set-policy-url' sets both.\n\nThe same %-expandos used for notation data are available here as\nwell.\n\n'--sig-keyserver-url string'\nUse 'string' as a preferred keyserver URL for data signatures. If\nyou prefix it with an exclamation mark (!), the keyserver URL\npacket will be flagged as critical.\n\nThe same %-expandos used for notation data are available here as\nwell.\n\n'--set-filename string'\nUse 'string' as the filename which is stored inside messages. This\noverrides the default, which is to use the actual filename of the\nfile being encrypted.\n\n'--for-your-eyes-only'\n'--no-for-your-eyes-only'\nSet the 'for your eyes only' flag in the message. This causes\nGnuPG to refuse to save the file unless the '--output' option is\ngiven, and PGP to use a \"secure viewer\" with a claimed\nTempest-resistant font to display the message. This option\noverrides '--set-filename'. '--no-for-your-eyes-only' disables\nthis option.\n\n'--use-embedded-filename'\n'--no-use-embedded-filename'\nTry to create a file with a name as embedded in the data. This can\nbe a dangerous option as it enables overwriting files. Defaults to\nno.\n\n'--cipher-algo name'\nUse 'name' as cipher algorithm. Running the program with the\ncommand '--version' yields a list of supported algorithms. If this\nis not used the cipher algorithm is selected from the preferences\nstored with the key. In general, you do not want to use this\noption as it allows you to violate the OpenPGP standard.\n'--personal-cipher-preferences' is the safe way to accomplish the\nsame thing.\n\n'--digest-algo name'\nUse 'name' as the message digest algorithm. Running the program\nwith the command '--version' yields a list of supported algorithms.\nIn general, you do not want to use this option as it allows you to\nviolate the OpenPGP standard. '--personal-digest-preferences' is\nthe safe way to accomplish the same thing.\n\n'--compress-algo name'\nUse compression algorithm 'name'. \"zlib\" is RFC-1950 ZLIB\ncompression. \"zip\" is RFC-1951 ZIP compression which is used by\nPGP. \"bzip2\" is a more modern compression scheme that can compress\nsome things better than zip or zlib, but at the cost of more memory\nused during compression and decompression. \"uncompressed\" or\n\"none\" disables compression. If this option is not used, the\ndefault behavior is to examine the recipient key preferences to see\nwhich algorithms the recipient supports. If all else fails, ZIP is\nused for maximum compatibility.\n\nZLIB may give better compression results than ZIP, as the\ncompression window size is not limited to 8k. BZIP2 may give even\nbetter compression results than that, but will use a significantly\nlarger amount of memory while compressing and decompressing. This\nmay be significant in low memory situations. Note, however, that\nPGP (all versions) only supports ZIP compression. Using any\nalgorithm other than ZIP or \"none\" will make the message unreadable\nwith PGP. In general, you do not want to use this option as it\nallows you to violate the OpenPGP standard.\n'--personal-compress-preferences' is the safe way to accomplish the\nsame thing.\n\n'--cert-digest-algo name'\nUse 'name' as the message digest algorithm used when signing a key.\nRunning the program with the command '--version' yields a list of\nsupported algorithms. Be aware that if you choose an algorithm\nthat GnuPG supports but other OpenPGP implementations do not, then\nsome users will not be able to use the key signatures you make, or\nquite possibly your entire key.\n\n'--disable-cipher-algo name'\nNever allow the use of 'name' as cipher algorithm. The given name\nwill not be checked so that a later loaded algorithm will still get\ndisabled.\n\n'--disable-pubkey-algo name'\nNever allow the use of 'name' as public key algorithm. The given\nname will not be checked so that a later loaded algorithm will\nstill get disabled.\n\n'--throw-keyids'\n'--no-throw-keyids'\nDo not put the recipient key IDs into encrypted messages. This\nhelps to hide the receivers of the message and is a limited\ncountermeasure against traffic analysis.(1) On the receiving side,\nit may slow down the decryption process because all available\nsecret keys must be tried. '--no-throw-keyids' disables this\noption. This option is essentially the same as using\n'--hidden-recipient' for all recipients.\n\n'--not-dash-escaped'\nThis option changes the behavior of cleartext signatures so that\nthey can be used for patch files. You should not send such an\narmored file via email because all spaces and line endings are\nhashed too. You can not use this option for data which has 5\ndashes at the beginning of a line, patch files don't have this. A\nspecial armor header line tells GnuPG about this cleartext\nsignature option.\n\n'--escape-from-lines'\n'--no-escape-from-lines'\nBecause some mailers change lines starting with \"From \" to \">From \"\nit is good to handle such lines in a special way when creating\ncleartext signatures to prevent the mail system from breaking the\nsignature. Note that all other PGP versions do it this way too.\nEnabled by default. '--no-escape-from-lines' disables this option.\n\n'--passphrase-repeat n'\nSpecify how many times 'gpg' will request a new passphrase be\nrepeated. This is useful for helping memorize a passphrase.\nDefaults to 1 repetition.\n\n'--passphrase-fd n'\nRead the passphrase from file descriptor 'n'. Only the first line\nwill be read from file descriptor 'n'. If you use 0 for 'n', the\npassphrase will be read from STDIN. This can only be used if only\none passphrase is supplied.\n\n'--passphrase-file file'\nRead the passphrase from file 'file'. Only the first line will be\nread from file 'file'. This can only be used if only one\npassphrase is supplied. Obviously, a passphrase stored in a file\nis of questionable security if other users can read this file.\nDon't use this option if you can avoid it.\n\n'--passphrase string'\nUse 'string' as the passphrase. This can only be used if only one\npassphrase is supplied. Obviously, this is of very questionable\nsecurity on a multi-user system. Don't use this option if you can\navoid it.\n\n'--command-fd n'\nThis is a replacement for the deprecated shared-memory IPC mode.\nIf this option is enabled, user input on questions is not expected\nfrom the TTY but from the given file descriptor. It should be used\ntogether with '--status-fd'. See the file doc/DETAILS in the\nsource distribution for details on how to use it.\n\n'--command-file file'\nSame as '--command-fd', except the commands are read out of file\n'file'\n\n'--allow-non-selfsigned-uid'\n'--no-allow-non-selfsigned-uid'\nAllow the import and use of keys with user IDs which are not\nself-signed. This is not recommended, as a non self-signed user ID\nis trivial to forge. '--no-allow-non-selfsigned-uid' disables.\n\n'--allow-freeform-uid'\nDisable all checks on the form of the user ID while generating a\nnew one. This option should only be used in very special\nenvironments as it does not ensure the de-facto standard format of\nuser IDs.\n\n'--ignore-time-conflict'\nGnuPG normally checks that the timestamps associated with keys and\nsignatures have plausible values. However, sometimes a signature\nseems to be older than the key due to clock problems. This option\nmakes these checks just a warning. See also '--ignore-valid-from'\nfor timestamp issues on subkeys.\n\n'--ignore-valid-from'\nGnuPG normally does not select and use subkeys created in the\nfuture. This option allows the use of such keys and thus exhibits\nthe pre-1.0.7 behaviour. You should not use this option unless\nthere is some clock problem. See also '--ignore-time-conflict' for\ntimestamp issues with signatures.\n\n'--ignore-crc-error'\nThe ASCII armor used by OpenPGP is protected by a CRC checksum\nagainst transmission errors. Occasionally the CRC gets mangled\nsomewhere on the transmission channel but the actual content (which\nis protected by the OpenPGP protocol anyway) is still okay. This\noption allows GnuPG to ignore CRC errors.\n\n'--ignore-mdc-error'\nThis option changes a MDC integrity protection failure into a\nwarning. This can be useful if a message is partially corrupt, but\nit is necessary to get as much data as possible out of the corrupt\nmessage. However, be aware that a MDC protection failure may also\nmean that the message was tampered with intentionally by an\nattacker.\n\n'--allow-weak-digest-algos'\nSignatures made with known-weak digest algorithms are normally\nrejected with an \"invalid digest algorithm\" message. This option\nallows the verification of signatures made with such weak\nalgorithms. MD5 is the only digest algorithm considered weak by\ndefault. See also '--weak-digest' to reject other digest\nalgorithms.\n\n'--weak-digest name'\nTreat the specified digest algorithm as weak. Signatures made over\nweak digests algorithms are normally rejected. This option can be\nsupplied multiple times if multiple algorithms should be considered\nweak. See also '--allow-weak-digest-algos' to disable rejection of\nweak digests. MD5 is always considered weak, and does not need to\nbe listed explicitly.\n\n'--no-default-keyring'\nDo not add the default keyrings to the list of keyrings. Note that\nGnuPG will not operate without any keyrings, so if you use this\noption and do not provide alternate keyrings via '--keyring' or\n'--secret-keyring', then GnuPG will still use the default public or\nsecret keyrings.\n\n'--skip-verify'\nSkip the signature verification step. This may be used to make the\ndecryption faster if the signature verification is not needed.\n\n'--with-key-data'\nPrint key listings delimited by colons (like '--with-colons') and\nprint the public key data.\n\n'--fast-list-mode'\nChanges the output of the list commands to work faster; this is\nachieved by leaving some parts empty. Some applications don't need\nthe user ID and the trust information given in the listings. By\nusing this options they can get a faster listing. The exact\nbehaviour of this option may change in future versions. If you are\nmissing some information, don't use this option.\n\n'--no-literal'\nThis is not for normal use. Use the source to see for what it\nmight be useful.\n\n'--set-filesize'\nThis is not for normal use. Use the source to see for what it\nmight be useful.\n\n'--show-session-key'\nDisplay the session key used for one message. See\n'--override-session-key' for the counterpart of this option.\n\nWe think that Key Escrow is a Bad Thing; however the user should\nhave the freedom to decide whether to go to prison or to reveal the\ncontent of one specific message without compromising all messages\never encrypted for one secret key. DON'T USE IT UNLESS YOU ARE\nREALLY FORCED TO DO SO.\n\n'--override-session-key string'\nDon't use the public key but the session key 'string'. The format\nof this string is the same as the one printed by\n'--show-session-key'. This option is normally not used but comes\nhandy in case someone forces you to reveal the content of an\nencrypted message; using this option you can do this without\nhanding out the secret key.\n\n'--ask-sig-expire'\n'--no-ask-sig-expire'\nWhen making a data signature, prompt for an expiration time. If\nthis option is not specified, the expiration time set via\n'--default-sig-expire' is used. '--no-ask-sig-expire' disables\nthis option.\n\n'--default-sig-expire'\nThe default expiration time to use for signature expiration. Valid\nvalues are \"0\" for no expiration, a number followed by the letter d\n(for days), w (for weeks), m (for months), or y (for years) (for\nexample \"2m\" for two months, or \"5y\" for five years), or an\nabsolute date in the form YYYY-MM-DD. Defaults to \"0\".\n\n'--ask-cert-expire'\n'--no-ask-cert-expire'\nWhen making a key signature, prompt for an expiration time. If\nthis option is not specified, the expiration time set via\n'--default-cert-expire' is used. '--no-ask-cert-expire' disables\nthis option.\n\n'--default-cert-expire'\nThe default expiration time to use for key signature expiration.\nValid values are \"0\" for no expiration, a number followed by the\nletter d (for days), w (for weeks), m (for months), or y (for\nyears) (for example \"2m\" for two months, or \"5y\" for five years),\nor an absolute date in the form YYYY-MM-DD. Defaults to \"0\".\n\n'--allow-secret-key-import'\nThis is an obsolete option and is not used anywhere.\n\n'--allow-multiple-messages'\n'--no-allow-multiple-messages'\nAllow processing of multiple OpenPGP messages contained in a single\nfile or stream. Some programs that call GPG are not prepared to\ndeal with multiple messages being processed together, so this\noption defaults to no. Note that versions of GPG prior to 1.4.7\nalways allowed multiple messages.\n\nWarning: Do not use this option unless you need it as a temporary\nworkaround!\n\n'--enable-special-filenames'\nThis options enables a mode in which filenames of the form '-&n',\nwhere n is a non-negative decimal number, refer to the file\ndescriptor n and not to a file with that name.\n\n'--no-expensive-trust-checks'\nExperimental use only.\n\n'--preserve-permissions'\nDon't change the permissions of a secret keyring back to user\nread/write only. Use this option only if you really know what you\nare doing.\n\n'--default-preference-list string'\nSet the list of default preferences to 'string'. This preference\nlist is used for new keys and becomes the default for \"setpref\" in\nthe edit menu.\n\n'--default-keyserver-url name'\nSet the default keyserver URL to 'name'. This keyserver will be\nused as the keyserver URL when writing a new self-signature on a\nkey, which includes key generation and changing preferences.\n\n'--list-config'\nDisplay various internal configuration parameters of GnuPG. This\noption is intended for external programs that call GnuPG to perform\ntasks, and is thus not generally useful. See the file\n'doc/DETAILS' in the source distribution for the details of which\nconfiguration items may be listed. '--list-config' is only usable\nwith '--with-colons' set.\n\n'--gpgconf-list'\nThis command is similar to '--list-config' but in general only\ninternally used by the 'gpgconf' tool.\n\n'--gpgconf-test'\nThis is more or less dummy action. However it parses the\nconfiguration file and returns with failure if the configuration\nfile would prevent 'gpg' from startup. Thus it may be used to run\na syntax check on the configuration file.\n\n---------- Footnotes ----------\n\n(1) Using a little social engineering anyone who is able to decrypt\nthe message can check whether one of the other recipients is the one he\nsuspects.\n\nFile: gnupg1.info, Node: Deprecated Options, Prev: GPG Esoteric Options, Up: GPG Options\n\n\n'--load-extension name'\nLoad an extension module. If 'name' does not contain a slash it is\nsearched for in the directory configured when GnuPG was built\n(generally \"/usr/local/lib/gnupg\"). Extensions are not generally\nuseful anymore, and the use of this option is deprecated.\n\n'--show-photos'\n'--no-show-photos'\nCauses '--list-keys', '--list-sigs', '--list-public-keys',\n'--list-secret-keys', and verifying a signature to also display the\nphoto ID attached to the key, if any. See also '--photo-viewer'.\nThese options are deprecated. Use '--list-options\n[no-]show-photos' and/or '--verify-options [no-]show-photos'\ninstead.\n\n'--show-keyring'\nDisplay the keyring name at the head of key listings to show which\nkeyring a given key resides on. This option is deprecated: use\n'--list-options [no-]show-keyring' instead.\n\n'--ctapi-driver file'\nUse 'file' to access the smartcard reader. The current default is\n'libtowitoko.so'. Note that the use of this interface is\ndeprecated; it may be removed in future releases.\n\n'--always-trust'\nIdentical to '--trust-model always'. This option is deprecated.\n\n'--show-notation'\n'--no-show-notation'\nShow signature notations in the '--list-sigs' or '--check-sigs'\nlistings as well as when verifying a signature with a notation in\nit. These options are deprecated. Use '--list-options\n[no-]show-notation' and/or '--verify-options [no-]show-notation'\ninstead.\n\n'--show-policy-url'\n'--no-show-policy-url'\nShow policy URLs in the '--list-sigs' or '--check-sigs' listings as\nwell as when verifying a signature with a policy URL in it. These\noptions are deprecated. Use '--list-options [no-]show-policy-url'\nand/or '--verify-options [no-]show-policy-url' instead.\n\nFile: gnupg1.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG\n" }, { "name": "1.3 Configuration files", "content": "There are a few configuration files to control certain aspects of\n'gpg''s operation. Unless noted, they are expected in the current home\ndirectory (*note option --homedir::).\n\n'gpg.conf'\nThis is the standard configuration file read by 'gpg' on startup.\nIt may contain any valid long option; the leading two dashes may\nnot be entered and the option may not be abbreviated. This default\nname may be changed on the command line (*note gpg-option\n--options::). You should backup this file.\n\nNote that on larger installations, it is useful to put predefined\nfiles into the directory '/etc/skel/.gnupg/' so that newly created users\nstart up with a working configuration.\n\nFor internal purposes 'gpg' creates and maintains a few other files;\nThey all live in in the current home directory (*note option\n--homedir::). Only the 'gpg' may modify these files.\n\n'~/.gnupg/pubring.gpg'\nThe public keyring. You should backup this file.\n\n'~/.gnupg/pubring.gpg.lock'\nThe lock file for the public keyring.\n\n'~/.gnupg/pubring.kbx'\n'~/.gnupg/pubring.kbx.lock'\nA public keyring and its lock file used by GnuPG versions >= 2. It\nis ignored by GnuPG 1.x\n\n'~/.gnupg/secring.gpg'\nThe secret keyring. You should backup this file.\n\n'~/.gnupg/trustdb.gpg'\nThe trust database. There is no need to backup this file; it is\nbetter to backup the ownertrust values (*note option\n--export-ownertrust::).\n\n'~/.gnupg/trustdb.gpg.lock'\nThe lock file for the trust database.\n\n'~/.gnupg/randomseed'\nA file used to preserve the state of the internal random pool.\n\n'~/.gnupg/secring.gpg.lock'\nThe lock file for the secret keyring.\n\n'~/.gnupg/openpgp-revocs.d/'\nThis is the directory where gpg stores pre-generated revocation\ncertificates. The file name corresponds to the OpenPGP fingerprint\nof the respective key. It is suggested to backup those\ncertificates and if the primary private key is not stored on the\ndisk to move them to an external storage device. Anyone who can\naccess theses files is able to revoke the corresponding key. You\nmay want to print them out. You should backup all files in this\ndirectory and take care to keep this backup closed away.\n\n'/usr[/local]/share/gnupg/options.skel'\nThe skeleton options file.\n\n'/usr[/local]/lib/gnupg/'\nDefault location for extensions.\n\nOperation is further controlled by a few environment variables:\n\nHOME\nUsed to locate the default home directory.\n\nGNUPGHOME\nIf set directory used instead of \"~/.gnupg\".\n\nGPGAGENTINFO\nUsed to locate the gpg-agent. This is only honored when\n'--use-agent' is set.\n\nThe value consists of 3 colon delimited fields: The first is the\npath to the Unix Domain Socket, the second the PID of the gpg-agent\nand the protocol version which should be set to 1. When starting\nthe gpg-agent as described in its documentation, this variable is\nset to the correct value. The option '--gpg-agent-info' can be\nused to override it.\n\nPINENTRYUSERDATA\nThis value is passed via gpg-agent to pinentry. It is useful to\nconvey extra information to a custom pinentry.\n\nCOLUMNS\nLINES\nUsed to size some displays to the full size of the screen.\n\nLANGUAGE\nApart from its use by GNU, it is used in the W32 version to\noverride the language selection done through the Registry. If used\nand set to a valid and available language name (LANGID), the file\nwith the translation is loaded from\n\n'GPGDIR/gnupg.nls/LANGID.mo'. Here GPGDIR is the directory out of\nwhich the gpg binary has been loaded. If it can't be loaded the\nRegistry is tried and as last resort the native Windows locale\nsystem is used.\n\nFile: gnupg1.info, Node: GPG Examples, Next: Unattended Usage of GPG, Prev: GPG Configuration, Up: Invoking GPG\n" }, { "name": "1.4 Examples", "content": "gpg -se -r 'Bob' 'file'\nsign and encrypt for user Bob\n\ngpg -clearsign 'file'\nmake a clear text signature\n\ngpg -sb 'file'\nmake a detached signature\n\ngpg -u 0x12345678 -sb 'file'\nmake a detached signature with the key 0x12345678\n\ngpg -list-keys 'userID'\nshow keys\n\ngpg -fingerprint 'userID'\nshow fingerprint\n\ngpg -verify 'pgpfile'\ngpg -verify 'sigfile'\nVerify the signature of the file but do not output the data. The\nsecond form is used for detached signatures, where 'sigfile' is the\ndetached signature (either ASCII armored or binary) and are the\nsigned data; if this is not given, the name of the file holding the\nsigned data is constructed by cutting off the extension (\".asc\" or\n\".sig\") of 'sigfile' or by asking the user for the filename.\n" } ] }, "RETURN VALUE": { "content": "The program returns 0 if everything was fine, 1 if at least a signature\nwas bad, and other error codes for fatal errors.\n", "subsections": [] }, "WARNINGS": { "content": "Use a *good* password for your user account and a *good* passphrase to\nprotect your secret key. This passphrase is the weakest part of the\nwhole system. Programs to do dictionary attacks on your secret keyring\nare very easy to write and so you should protect your \"~/.gnupg/\"\ndirectory very well.\n\nKeep in mind that, if this program is used over a network (telnet),\nit is *very* easy to spy out your passphrase!\n\nIf you are going to verify detached signatures, make sure that the\nprogram knows about it; either give both filenames on the command line\nor use '-' to specify STDIN.\n", "subsections": [] }, "INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS": { "content": "GnuPG tries to be a very flexible implementation of the OpenPGP\nstandard. In particular, GnuPG implements many of the optional parts of\nthe standard, such as the SHA-512 hash, and the ZLIB and BZIP2\ncompression algorithms. It is important to be aware that not all\nOpenPGP programs implement these optional algorithms and that by forcing\ntheir use via the '--cipher-algo', '--digest-algo',\n'--cert-digest-algo', or '--compress-algo' options in GnuPG, it is\npossible to create a perfectly valid OpenPGP message, but one that\ncannot be read by the intended recipient.\n\nThere are dozens of variations of OpenPGP programs available, and\neach supports a slightly different subset of these optional algorithms.\nFor example, until recently, no (unhacked) version of PGP supported the\nBLOWFISH cipher algorithm. A message using BLOWFISH simply could not be\nread by a PGP user. By default, GnuPG uses the standard OpenPGP\npreferences system that will always do the right thing and create\nmessages that are usable by all recipients, regardless of which OpenPGP\nprogram they use. Only override this safe default if you really know\nwhat you are doing.\n\nIf you absolutely must override the safe default, or if the\npreferences on a given key are invalid for some reason, you are far\nbetter off using the '--pgp6', '--pgp7', or '--pgp8' options. These\noptions are safe as they do not force any particular algorithms in\nviolation of OpenPGP, but rather reduce the available algorithms to a\n\"PGP-safe\" list.\n", "subsections": [] }, "BUGS": { "content": "On older systems this program should be installed as setuid(root). This\nis necessary to lock memory pages. Locking memory pages prevents the\noperating system from writing memory pages (which may contain\npassphrases or other sensitive material) to disk. If you get no warning\nmessage about insecure memory your operating system supports locking\nwithout being root. The program drops root privileges as soon as locked\nmemory is allocated.\n\nNote also that some systems (especially laptops) have the ability to\n\"suspend to disk\" (also known as \"safe sleep\" or \"hibernate\"). This\nwrites all memory to disk before going into a low power or even powered\noff mode. Unless measures are taken in the operating system to protect\nthe saved memory, passphrases or other sensitive material may be\nrecoverable from it later.\n\nBefore you report a bug you should first search the mailing list\narchives for similar problems and second check whether such a bug has\nalready been reported to our bug tracker at http://bugs.gnupg.org .\n\nFile: gnupg1.info, Node: Unattended Usage of GPG, Prev: GPG Examples, Up: Invoking GPG\n", "subsections": [ { "name": "1.5 Unattended Usage", "content": "'gpg' is often used as a backend engine by other software. To help with\nthis a machine interface has been defined to have an unambiguous way to\ndo this. The options '--status-fd' and '--batch' are almost always\nrequired for this.\n\n* Menu:\n\n* Unattended GPG key generation:: Unattended key generation\n\nFile: gnupg1.info, Node: Unattended GPG key generation, Up: Unattended Usage of GPG\n\n\nThe command '--gen-key' may be used along with the option '--batch' for\nunattended key generation. The parameters are either read from stdin or\ngiven as a file on the command line. The format of the parameter file\nis as follows:\n\n* Text only, line length is limited to about 1000 characters.\n* UTF-8 encoding must be used to specify non-ASCII characters.\n* Empty lines are ignored.\n* Leading and trailing while space is ignored.\n* A hash sign as the first non white space character indicates a\ncomment line.\n* Control statements are indicated by a leading percent sign, the\narguments are separated by white space from the keyword.\n* Parameters are specified by a keyword, followed by a colon.\nArguments are separated by white space.\n* The first parameter must be 'Key-Type'; control statements may be\nplaced anywhere.\n* The order of the parameters does not matter except for 'Key-Type'\nwhich must be the first parameter. The parameters are only used\nfor the generated keyblock (primary and subkeys); parameters from\nprevious sets are not used. Some syntactically checks may be\nperformed.\n* Key generation takes place when either the end of the parameter\nfile is reached, the next 'Key-Type' parameter is encountered or at\nthe control statement '%commit' is encountered.\n\nControl statements:\n\n%echo TEXT\nPrint TEXT as diagnostic.\n\n%dry-run\nSuppress actual key generation (useful for syntax checking).\n\n%commit\nPerform the key generation. Note that an implicit commit is done\nat the next Key-Type parameter.\n\n%pubring FILENAME\n%secring FILENAME\nDo not write the key to the default or commandline given keyring\nbut to FILENAME. This must be given before the first commit to\ntake place, duplicate specification of the same filename is\nignored, the last filename before a commit is used. The filename\nis used until a new filename is used (at commit points) and all\nkeys are written to that file. If a new filename is given, this\nfile is created (and overwrites an existing one). For GnuPG\nversions prior to 2.1, both control statements must be given. For\nGnuPG 2.1 and later '%secring' is a no-op.\n\n%ask-passphrase\n%no-ask-passphrase\nEnable (or disable) a mode where the command 'passphrase' is\nignored and instead the usual passphrase dialog is used. This does\nnot make sense for batch key generation; however the unattended key\ngeneration feature is also used by GUIs and this feature\nrelinquishes the GUI from implementing its own passphrase entry\ncode. These are global control statements and affect all future\nkey genrations.\n\n%no-protection\nSince GnuPG version 2.1 it is not anymore possible to specify a\npassphrase for unattended key generation. The passphrase command\nis simply ignored and '%ask-passpharse' is thus implicitly enabled.\nUsing this option allows the creation of keys without any\npassphrase protection. This option is mainly intended for\nregression tests.\n\n%transient-key\nIf given the keys are created using a faster and a somewhat less\nsecure random number generator. This option may be used for keys\nwhich are only used for a short time and do not require full\ncryptographic strength. It takes only effect if used together with\nthe control statement '%no-protection'.\n\nGeneral Parameters:\n\nKey-Type: ALGO\nStarts a new parameter block by giving the type of the primary key.\nThe algorithm must be capable of signing. This is a required\nparameter. ALGO may either be an OpenPGP algorithm number or a\nstring with the algorithm name. The special value 'default' may be\nused for ALGO to create the default key type; in this case a\n'Key-Usage' shall not be given and 'default' also be used for\n'Subkey-Type'.\n\nKey-Length: NBITS\nThe requested length of the generated key in bits. The default is\nreturned by running the command 'gpg2 --gpgconf-list'.\n\nKey-Grip: HEXSTRING\nThis is optional and used to generate a CSR or certificate for an\nalready existing key. Key-Length will be ignored when given.\n\nKey-Usage: USAGE-LIST\nSpace or comma delimited list of key usages. Allowed values are\n'encrypt', 'sign', and 'auth'. This is used to generate the key\nflags. Please make sure that the algorithm is capable of this\nusage. Note that OpenPGP requires that all primary keys are\ncapable of certification, so no matter what usage is given here,\nthe 'cert' flag will be on. If no 'Key-Usage' is specified and the\n'Key-Type' is not 'default', all allowed usages for that particular\nalgorithm are used; if it is not given but 'default' is used the\nusage will be 'sign'.\n\nSubkey-Type: ALGO\nThis generates a secondary key (subkey). Currently only one subkey\ncan be handled. See also 'Key-Type' above.\n\nSubkey-Length: NBITS\nLength of the secondary key (subkey) in bits. The default is\nreturned by running the command 'gpg2 --gpgconf-list'\".\n\nSubkey-Usage: USAGE-LIST\nKey usage lists for a subkey; similar to 'Key-Usage'.\n\nPassphrase: STRING\nIf you want to specify a passphrase for the secret key, enter it\nhere.\t Default is not to use any passphrase.\n\nName-Real: NAME\nName-Comment: COMMENT\nName-Email: EMAIL\nThe three parts of a user name. Remember to use UTF-8 encoding\nhere. If you don't give any of them, no user ID is created.\n\nExpire-Date: ISO-DATE|(NUMBER[d|w|m|y])\nSet the expiration date for the key (and the subkey). It may\neither be entered in ISO date format (e.g. \"20000815T145012\") or\nas number of days, weeks, month or years after the creation date.\nThe special notation \"seconds=N\" is also allowed to specify a\nnumber of seconds since creation. Without a letter days are\nassumed. Note that there is no check done on the overflow of the\ntype used by OpenPGP for timestamps. Thus you better make sure\nthat the given value make sense. Although OpenPGP works with time\nintervals, GnuPG uses an absolute value internally and thus the\nlast year we can represent is 2105.\n\nCreation-Date: ISO-DATE\nSet the creation date of the key as stored in the key information\nand which is also part of the fingerprint calculation. Either a\ndate like \"1986-04-26\" or a full timestamp like \"19860426T042640\"\nmay be used. The time is considered to be UTC. The special\nnotation \"seconds=N\" may be used to directly specify a the number\nof seconds since Epoch (Unix time). If it is not given the current\ntime is used.\n\nPreferences: STRING\nSet the cipher, hash, and compression preference values for this\nkey. This expects the same type of string as the sub-command\n'setpref' in the '--edit-key' menu.\n\nRevoker: ALGO:FPR [sensitive]\nAdd a designated revoker to the generated key. Algo is the public\nkey algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)\nFPR is the fingerprint of the designated revoker. The optional\n'sensitive' flag marks the designated revoker as sensitive\ninformation. Only v4 keys may be designated revokers.\n\nKeyserver: STRING\nThis is an optional parameter that specifies the preferred\nkeyserver URL for the key.\n\nHandle: STRING\nThis is an optional parameter only used with the status lines\nKEYCREATED and KEYNOTCREATED. STRING may be up to 100 characters\nand should not contain spaces. It is useful for batch key\ngeneration to associate a key parameter block with a status line.\n\nHere is an example on how to create a key:\n$ cat >foo <\nssb 1024g/8F70E2C0 2000-03-09\n\nIf you want to create a key with the default algorithms you would use\nthese parameters:\n%echo Generating a default key\nKey-Type: default\nSubkey-Type: default\nName-Real: Joe Tester\nName-Comment: with stupid passphrase\nName-Email: joe@foo.bar\nExpire-Date: 0\nPassphrase: abc\n%pubring foo.pub\n%secring foo.sec\n# Do a commit here, so that we can later print \"done\" :-)\n%commit\n%echo done\n\nFile: gnupg1.info, Node: Specify a User ID, Next: Copying, Prev: Invoking GPG, Up: Top\n" } ] }, "2 How to Specify a User Id": { "content": "There are different ways to specify a user ID to GnuPG. Some of them are\nonly valid for 'gpg' others are only good for 'gpgsm'. Here is the\nentire list of ways to specify a key:\n\n* By key Id. This format is deduced from the length of the string\nand its content or '0x' prefix. The key Id of an X.509 certificate\nare the low 64 bits of its SHA-1 fingerprint. The use of key Ids\nis just a shortcut, for all automated processing the fingerprint\nshould be used.\n\nWhen using 'gpg' an exclamation mark (!) may be appended to force\nusing the specified primary or secondary key and not to try and\ncalculate which primary or secondary key to use.\n\nThe last four lines of the example give the key ID in their long\nform as internally used by the OpenPGP protocol. You can see the\nlong key ID using the option '--with-colons'.\n\n234567C4\n0F34E556E\n01347A56A\n0xAB123456\n\n234AABBCC34567C4\n0F323456784E56EAB\n01AB3FED1347A5612\n0x234AABBCC34567C4\n\n* By fingerprint. This format is deduced from the length of the\nstring and its content or the '0x' prefix. Note, that only the 20\nbyte version fingerprint is available with 'gpgsm' (i.e. the SHA-1\nhash of the certificate).\n\nWhen using 'gpg' an exclamation mark (!) may be appended to force\nusing the specified primary or secondary key and not to try and\ncalculate which primary or secondary key to use.\n\nThe best way to specify a key Id is by using the fingerprint. This\navoids any ambiguities in case that there are duplicated key IDs.\n\n1234343434343434C434343434343434\n123434343434343C3434343434343734349A3434\n0E12343434343434343434EAB3484343434343434\n0xE12343434343434343434EAB3484343434343434\n\n'gpgsm' also accepts colons between each pair of hexadecimal digits\nbecause this is the de-facto standard on how to present X.509\nfingerprints. 'gpg' also allows the use of the space separated\nSHA-1 fingerprint as printed by the key listing commands.\n\n* By exact match on OpenPGP user ID. This is denoted by a leading\nequal sign. It does not make sense for X.509 certificates.\n\n=Heinrich Heine \n\n* By exact match on an email address. This is indicated by enclosing\nthe email address in the usual way with left and right angles.\n\n\n\n* By word match. All words must match exactly (not case sensitive)\nbut can appear in any order in the user ID or a subjects name.\nWords are any sequences of letters, digits, the underscore and all\ncharacters with bit 7 set.\n\n+Heinrich Heine duesseldorf\n\n* By exact match on the subject's DN. This is indicated by a leading\nslash, directly followed by the RFC-2253 encoded DN of the subject.\nNote that you can't use the string printed by \"gpgsm -list-keys\"\nbecause that one as been reordered and modified for better\nreadability; use -with-colons to print the raw (but standard\nescaped) RFC-2253 string\n\n/CN=Heinrich Heine,O=Poets,L=Paris,C=FR\n\n* By exact match on the issuer's DN. This is indicated by a leading\nhash mark, directly followed by a slash and then directly followed\nby the rfc2253 encoded DN of the issuer. This should return the\nRoot cert of the issuer. See note above.\n\n#/CN=Root Cert,O=Poets,L=Paris,C=FR\n\n* By exact match on serial number and issuer's DN. This is indicated\nby a hash mark, followed by the hexadecimal representation of the\nserial number, then followed by a slash and the RFC-2253 encoded DN\nof the issuer. See note above.\n\n#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR\n\n* By keygrip This is indicated by an ampersand followed by the 40 hex\ndigits of a keygrip. 'gpgsm' prints the keygrip when using the\ncommand '--dump-cert'. It does not yet work for OpenPGP keys.\n\n&D75F22C3F86E355877348498CDC92BD21010A480\n\n* By substring match. This is the default mode but applications may\nwant to explicitly indicate this by putting the asterisk in front.\nMatch is not case sensitive.\n\nHeine\n*Heine\n\nPlease note that we have reused the hash mark identifier which was\nused in old GnuPG versions to indicate the so called local-id. It is\nnot anymore used and there should be no conflict when used with X.509\nstuff.\n\nUsing the RFC-2253 format of DNs has the drawback that it is not\npossible to map them back to the original encoding, however we don't\nhave to do this because our key database stores this encoding as meta\ndata.\n\nFile: gnupg1.info, Node: Copying, Next: Option Index, Prev: Specify a User ID, Up: Top\n", "subsections": [] }, "GNU General Public License": { "content": "Version 3, 29 June 2007\n\nCopyright (C) 2007 Free Software Foundation, Inc. \n\nEveryone is permitted to copy and distribute verbatim copies of this\nlicense document, but changing it is not allowed.\n", "subsections": [ { "name": "Preamble", "content": "The GNU General Public License is a free, copyleft license for software\nand other kinds of works.\n\nThe licenses for most software and other practical works are designed\nto take away your freedom to share and change the works. By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program-to make sure it remains free\nsoftware for all its users. We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors. You can apply it to\nyour programs, too.\n\nWhen we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\nTo protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights. Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\nFor example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received. You must make sure that they, too, receive\nor can get the source code. And you must show them these terms so they\nknow their rights.\n\nDevelopers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\nFor the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software. For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\nSome devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so. This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software. The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable. Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts. If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\nFinally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary. To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\nThe precise terms and conditions for copying, distribution and\nmodification follow.\n\nTERMS AND CONDITIONS\n\n0. Definitions.\n\n\"This License\" refers to version 3 of the GNU General Public\nLicense.\n\n\"Copyright\" also means copyright-like laws that apply to other\nkinds of works, such as semiconductor masks.\n\n\"The Program\" refers to any copyrightable work licensed under this\nLicense. Each licensee is addressed as \"you\". \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\nTo \"modify\" a work means to copy from or adapt all or part of the\nwork in a fashion requiring copyright permission, other than the\nmaking of an exact copy. The resulting work is called a \"modified\nversion\" of the earlier work or a work \"based on\" the earlier work.\n\nA \"covered work\" means either the unmodified Program or a work\nbased on the Program.\n\nTo \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on\na computer or modifying a private copy. Propagation includes\ncopying, distribution (with or without modification), making\navailable to the public, and in some countries other activities as\nwell.\n\nTo \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies. Mere interaction with a user\nthrough a computer network, with no transfer of a copy, is not\nconveying.\n\nAn interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to\nthe extent that warranties are provided), that licensees may convey\nthe work under this License, and how to view a copy of this\nLicense. If the interface presents a list of user commands or\noptions, such as a menu, a prominent item in the list meets this\ncriterion.\n\n1. Source Code.\n\nThe \"source code\" for a work means the preferred form of the work\nfor making modifications to it. \"Object code\" means any non-source\nform of a work.\n\nA \"Standard Interface\" means an interface that either is an\nofficial standard defined by a recognized standards body, or, in\nthe case of interfaces specified for a particular programming\nlanguage, one that is widely used among developers working in that\nlanguage.\n\nThe \"System Libraries\" of an executable work include anything,\nother than the work as a whole, that (a) is included in the normal\nform of packaging a Major Component, but which is not part of that\nMajor Component, and (b) serves only to enable use of the work with\nthat Major Component, or to implement a Standard Interface for\nwhich an implementation is available to the public in source code\nform. A \"Major Component\", in this context, means a major\nessential component (kernel, window system, and so on) of the\nspecific operating system (if any) on which the executable work\nruns, or a compiler used to produce the work, or an object code\ninterpreter used to run it.\n\nThe \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts\nto control those activities. However, it does not include the\nwork's System Libraries, or general-purpose tools or generally\navailable free programs which are used unmodified in performing\nthose activities but which are not part of the work. For example,\nCorresponding Source includes interface definition files associated\nwith source files for the work, and the source code for shared\nlibraries and dynamically linked subprograms that the work is\nspecifically designed to require, such as by intimate data\ncommunication or control flow between those subprograms and other\nparts of the work.\n\nThe Corresponding Source need not include anything that users can\nregenerate automatically from other parts of the Corresponding\nSource.\n\nThe Corresponding Source for a work in source code form is that\nsame work.\n\n2. Basic Permissions.\n\nAll rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met. This License explicitly affirms your unlimited\npermission to run the unmodified Program. The output from running\na covered work is covered by this License only if the output, given\nits content, constitutes a covered work. This License acknowledges\nyour rights of fair use or other equivalent, as provided by\ncopyright law.\n\nYou may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise\nremains in force. You may convey covered works to others for the\nsole purpose of having them make modifications exclusively for you,\nor provide you with facilities for running those works, provided\nthat you comply with the terms of this License in conveying all\nmaterial for which you do not control copyright. Those thus making\nor running the covered works for you must do so exclusively on your\nbehalf, under your direction and control, on terms that prohibit\nthem from making any copies of your copyrighted material outside\ntheir relationship with you.\n\nConveying under any other circumstances is permitted solely under\nthe conditions stated below. Sublicensing is not allowed; section\n10 makes it unnecessary.\n\n3. Protecting Users' Legal Rights From Anti-Circumvention Law.\n\nNo covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under\narticle 11 of the WIPO copyright treaty adopted on 20 December\n1996, or similar laws prohibiting or restricting circumvention of\nsuch measures.\n\nWhen you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such\ncircumvention is effected by exercising rights under this License\nwith respect to the covered work, and you disclaim any intention to\nlimit operation or modification of the work as a means of\nenforcing, against the work's users, your or third parties' legal\nrights to forbid circumvention of technological measures.\n\n4. Conveying Verbatim Copies.\n\nYou may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the\ncode; keep intact all notices of the absence of any warranty; and\ngive all recipients a copy of this License along with the Program.\n\nYou may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n5. Conveying Modified Source Versions.\n\nYou may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these\nconditions:\n\na. The work must carry prominent notices stating that you\nmodified it, and giving a relevant date.\n\nb. The work must carry prominent notices stating that it is\nreleased under this License and any conditions added under\nsection 7. This requirement modifies the requirement in\nsection 4 to \"keep intact all notices\".\n\nc. You must license the entire work, as a whole, under this\nLicense to anyone who comes into possession of a copy. This\nLicense will therefore apply, along with any applicable\nsection 7 additional terms, to the whole of the work, and all\nits parts, regardless of how they are packaged. This License\ngives no permission to license the work in any other way, but\nit does not invalidate such permission if you have separately\nreceived it.\n\nd. If the work has interactive user interfaces, each must display\nAppropriate Legal Notices; however, if the Program has\ninteractive interfaces that do not display Appropriate Legal\nNotices, your work need not make them do so.\n\nA compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered\nwork, and which are not combined with it such as to form a larger\nprogram, in or on a volume of a storage or distribution medium, is\ncalled an \"aggregate\" if the compilation and its resulting\ncopyright are not used to limit the access or legal rights of the\ncompilation's users beyond what the individual works permit.\nInclusion of a covered work in an aggregate does not cause this\nLicense to apply to the other parts of the aggregate.\n\n6. Conveying Non-Source Forms.\n\nYou may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this\nLicense, in one of these ways:\n\na. Convey the object code in, or embodied in, a physical product\n(including a physical distribution medium), accompanied by the\nCorresponding Source fixed on a durable physical medium\ncustomarily used for software interchange.\n\nb. Convey the object code in, or embodied in, a physical product\n(including a physical distribution medium), accompanied by a\nwritten offer, valid for at least three years and valid for as\nlong as you offer spare parts or customer support for that\nproduct model, to give anyone who possesses the object code\neither (1) a copy of the Corresponding Source for all the\nsoftware in the product that is covered by this License, on a\ndurable physical medium customarily used for software\ninterchange, for a price no more than your reasonable cost of\nphysically performing this conveying of source, or (2) access\nto copy the Corresponding Source from a network server at no\ncharge.\n\nc. Convey individual copies of the object code with a copy of the\nwritten offer to provide the Corresponding Source. This\nalternative is allowed only occasionally and noncommercially,\nand only if you received the object code with such an offer,\nin accord with subsection 6b.\n\nd. Convey the object code by offering access from a designated\nplace (gratis or for a charge), and offer equivalent access to\nthe Corresponding Source in the same way through the same\nplace at no further charge. You need not require recipients\nto copy the Corresponding Source along with the object code.\nIf the place to copy the object code is a network server, the\nCorresponding Source may be on a different server (operated by\nyou or a third party) that supports equivalent copying\nfacilities, provided you maintain clear directions next to the\nobject code saying where to find the Corresponding Source.\nRegardless of what server hosts the Corresponding Source, you\nremain obligated to ensure that it is available for as long as\nneeded to satisfy these requirements.\n\ne. Convey the object code using peer-to-peer transmission,\nprovided you inform other peers where the object code and\nCorresponding Source of the work are being offered to the\ngeneral public at no charge under subsection 6d.\n\nA separable portion of the object code, whose source code is\nexcluded from the Corresponding Source as a System Library, need\nnot be included in conveying the object code work.\n\nA \"User Product\" is either (1) a \"consumer product\", which means\nany tangible personal property which is normally used for personal,\nfamily, or household purposes, or (2) anything designed or sold for\nincorporation into a dwelling. In determining whether a product is\na consumer product, doubtful cases shall be resolved in favor of\ncoverage. For a particular product received by a particular user,\n\"normally used\" refers to a typical or common use of that class of\nproduct, regardless of the status of the particular user or of the\nway in which the particular user actually uses, or expects or is\nexpected to use, the product. A product is a consumer product\nregardless of whether the product has substantial commercial,\nindustrial or non-consumer uses, unless such uses represent the\nonly significant mode of use of the product.\n\n\"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to\ninstall and execute modified versions of a covered work in that\nUser Product from a modified version of its Corresponding Source.\nThe information must suffice to ensure that the continued\nfunctioning of the modified object code is in no case prevented or\ninterfered with solely because modification has been made.\n\nIf you convey an object code work under this section in, or with,\nor specifically for use in, a User Product, and the conveying\noccurs as part of a transaction in which the right of possession\nand use of the User Product is transferred to the recipient in\nperpetuity or for a fixed term (regardless of how the transaction\nis characterized), the Corresponding Source conveyed under this\nsection must be accompanied by the Installation Information. But\nthis requirement does not apply if neither you nor any third party\nretains the ability to install modified object code on the User\nProduct (for example, the work has been installed in ROM).\n\nThe requirement to provide Installation Information does not\ninclude a requirement to continue to provide support service,\nwarranty, or updates for a work that has been modified or installed\nby the recipient, or for the User Product in which it has been\nmodified or installed. Access to a network may be denied when the\nmodification itself materially and adversely affects the operation\nof the network or violates the rules and protocols for\ncommunication across the network.\n\nCorresponding Source conveyed, and Installation Information\nprovided, in accord with this section must be in a format that is\npublicly documented (and with an implementation available to the\npublic in source code form), and must require no special password\nor key for unpacking, reading or copying.\n\n7. Additional Terms.\n\n\"Additional permissions\" are terms that supplement the terms of\nthis License by making exceptions from one or more of its\nconditions. Additional permissions that are applicable to the\nentire Program shall be treated as though they were included in\nthis License, to the extent that they are valid under applicable\nlaw. If additional permissions apply only to part of the Program,\nthat part may be used separately under those permissions, but the\nentire Program remains governed by this License without regard to\nthe additional permissions.\n\nWhen you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part\nof it. (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.) You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\nNotwithstanding any other provision of this License, for material\nyou add to a covered work, you may (if authorized by the copyright\nholders of that material) supplement the terms of this License with\nterms:\n\na. Disclaiming warranty or limiting liability differently from\nthe terms of sections 15 and 16 of this License; or\n\nb. Requiring preservation of specified reasonable legal notices\nor author attributions in that material or in the Appropriate\nLegal Notices displayed by works containing it; or\n\nc. Prohibiting misrepresentation of the origin of that material,\nor requiring that modified versions of such material be marked\nin reasonable ways as different from the original version; or\n\nd. Limiting the use for publicity purposes of names of licensors\nor authors of the material; or\n\ne. Declining to grant rights under trademark law for use of some\ntrade names, trademarks, or service marks; or\n\nf. Requiring indemnification of licensors and authors of that\nmaterial by anyone who conveys the material (or modified\nversions of it) with contractual assumptions of liability to\nthe recipient, for any liability that these contractual\nassumptions directly impose on those licensors and authors.\n\nAll other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10. If the Program as\nyou received it, or any part of it, contains a notice stating that\nit is governed by this License along with a term that is a further\nrestriction, you may remove that term. If a license document\ncontains a further restriction but permits relicensing or conveying\nunder this License, you may add to a covered work material governed\nby the terms of that license document, provided that the further\nrestriction does not survive such relicensing or conveying.\n\nIf you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\nAdditional terms, permissive or non-permissive, may be stated in\nthe form of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n8. Termination.\n\nYou may not propagate or modify a covered work except as expressly\nprovided under this License. Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights\nunder this License (including any patent licenses granted under the\nthird paragraph of section 11).\n\nHowever, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the\ncopyright holder fails to notify you of the violation by some\nreasonable means prior to 60 days after the cessation.\n\nMoreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from\nthat copyright holder, and you cure the violation prior to 30 days\nafter your receipt of the notice.\n\nTermination of your rights under this section does not terminate\nthe licenses of parties who have received copies or rights from you\nunder this License. If your rights have been terminated and not\npermanently reinstated, you do not qualify to receive new licenses\nfor the same material under section 10.\n\n9. Acceptance Not Required for Having Copies.\n\nYou are not required to accept this License in order to receive or\nrun a copy of the Program. Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer\ntransmission to receive a copy likewise does not require\nacceptance. However, nothing other than this License grants you\npermission to propagate or modify any covered work. These actions\ninfringe copyright if you do not accept this License. Therefore,\nby modifying or propagating a covered work, you indicate your\nacceptance of this License to do so.\n\n10. Automatic Licensing of Downstream Recipients.\n\nEach time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License. You are not\nresponsible for enforcing compliance by third parties with this\nLicense.\n\nAn \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations. If propagation of a\ncovered work results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or\ncould give under the previous paragraph, plus a right to possession\nof the Corresponding Source of the work from the predecessor in\ninterest, if the predecessor has it or can get it with reasonable\nefforts.\n\nYou may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License. For example, you\nmay not impose a license fee, royalty, or other charge for exercise\nof rights granted under this License, and you may not initiate\nlitigation (including a cross-claim or counterclaim in a lawsuit)\nalleging that any patent claim is infringed by making, using,\nselling, offering for sale, or importing the Program or any portion\nof it.\n\n11. Patents.\n\nA \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based.\nThe work thus licensed is called the contributor's \"contributor\nversion\".\n\nA contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner,\npermitted by this License, of making, using, or selling its\ncontributor version, but do not include claims that would be\ninfringed only as a consequence of further modification of the\ncontributor version. For purposes of this definition, \"control\"\nincludes the right to grant patent sublicenses in a manner\nconsistent with the requirements of this License.\n\nEach contributor grants you a non-exclusive, worldwide,\nroyalty-free patent license under the contributor's essential\npatent claims, to make, use, sell, offer for sale, import and\notherwise run, modify and propagate the contents of its contributor\nversion.\n\nIn the following three paragraphs, a \"patent license\" is any\nexpress agreement or commitment, however denominated, not to\nenforce a patent (such as an express permission to practice a\npatent or covenant not to sue for patent infringement). To \"grant\"\nsuch a patent license to a party means to make such an agreement or\ncommitment not to enforce a patent against the party.\n\nIf you convey a covered work, knowingly relying on a patent\nlicense, and the Corresponding Source of the work is not available\nfor anyone to copy, free of charge and under the terms of this\nLicense, through a publicly available network server or other\nreadily accessible means, then you must either (1) cause the\nCorresponding Source to be so available, or (2) arrange to deprive\nyourself of the benefit of the patent license for this particular\nwork, or (3) arrange, in a manner consistent with the requirements\nof this License, to extend the patent license to downstream\nrecipients. \"Knowingly relying\" means you have actual knowledge\nthat, but for the patent license, your conveying the covered work\nin a country, or your recipient's use of the covered work in a\ncountry, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\nIf, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate,\nmodify or convey a specific copy of the covered work, then the\npatent license you grant is automatically extended to all\nrecipients of the covered work and works based on it.\n\nA patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that\nare specifically granted under this License. You may not convey a\ncovered work if you are a party to an arrangement with a third\nparty that is in the business of distributing software, under which\nyou make payment to the third party based on the extent of your\nactivity of conveying the work, and under which the third party\ngrants, to any of the parties who would receive the covered work\nfrom you, a discriminatory patent license (a) in connection with\ncopies of the covered work conveyed by you (or copies made from\nthose copies), or (b) primarily for and in connection with specific\nproducts or compilations that contain the covered work, unless you\nentered into that arrangement, or that patent license was granted,\nprior to 28 March 2007.\n\nNothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n12. No Surrender of Others' Freedom.\n\nIf conditions are imposed on you (whether by court order, agreement\nor otherwise) that contradict the conditions of this License, they\ndo not excuse you from the conditions of this License. If you\ncannot convey a covered work so as to satisfy simultaneously your\nobligations under this License and any other pertinent obligations,\nthen as a consequence you may not convey it at all. For example,\nif you agree to terms that obligate you to collect a royalty for\nfurther conveying from those to whom you convey the Program, the\nonly way you could satisfy both those terms and this License would\nbe to refrain entirely from conveying the Program.\n\n13. Use with the GNU Affero General Public License.\n\nNotwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a\nsingle combined work, and to convey the resulting work. The terms\nof this License will continue to apply to the part which is the\ncovered work, but the special requirements of the GNU Affero\nGeneral Public License, section 13, concerning interaction through\na network will apply to the combination as such.\n\n14. Revised Versions of this License.\n\nThe Free Software Foundation may publish revised and/or new\nversions of the GNU General Public License from time to time. Such\nnew versions will be similar in spirit to the present version, but\nmay differ in detail to address new problems or concerns.\n\nEach version is given a distinguishing version number. If the\nProgram specifies that a certain numbered version of the GNU\nGeneral Public License \"or any later version\" applies to it, you\nhave the option of following the terms and conditions either of\nthat numbered version or of any later version published by the Free\nSoftware Foundation. If the Program does not specify a version\nnumber of the GNU General Public License, you may choose any\nversion ever published by the Free Software Foundation.\n\nIf the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that\nproxy's public statement of acceptance of a version permanently\nauthorizes you to choose that version for the Program.\n\nLater license versions may give you additional or different\npermissions. However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n15. Disclaimer of Warranty.\n\nTHERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE\nCOPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\"\nWITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,\nINCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE\nRISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.\nSHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL\nNECESSARY SERVICING, REPAIR OR CORRECTION.\n\n16. Limitation of Liability.\n\nIN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN\nWRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES\nAND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR\nDAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR\nCONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE\nTHE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA\nBEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF\nTHE POSSIBILITY OF SUCH DAMAGES.\n\n17. Interpretation of Sections 15 and 16.\n\nIf the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely\napproximates an absolute waiver of all civil liability in\nconnection with the Program, unless a warranty or assumption of\nliability accompanies a copy of the Program in return for a fee.\n\nEND OF TERMS AND CONDITIONS\n" }, { "name": "How to Apply These Terms to Your New Programs", "content": "If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these\nterms.\n\nTo do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least the\n\"copyright\" line and a pointer to where the full notice is found.\n\nONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.\nCopyright (C) YEAR NAME OF AUTHOR\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or (at\nyour option) any later version.\n\nThis program is distributed in the hope that it will be useful, but\nWITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU\nGeneral Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program. If not, see .\n\nAlso add information on how to contact you by electronic and paper mail.\n\nIf the program does terminal interaction, make it output a short notice\nlike this when it starts in an interactive mode:\n\nPROGRAM Copyright (C) YEAR NAME OF AUTHOR\nThis program comes with ABSOLUTELY NO WARRANTY; for details\ntype 'show w'. This is free software, and you are\nwelcome to redistribute it under certain conditions;\ntype 'show c' for details.\n\nThe hypothetical commands 'show w' and 'show c' should show the\nappropriate parts of the General Public License. Of course, your\nprogram's commands might be different; for a GUI interface, you would\nuse an \"about box\".\n\nYou should also get your employer (if you work as a programmer) or\nschool, if any, to sign a \"copyright disclaimer\" for the program, if\nnecessary. For more information on this, and how to apply and follow\nthe GNU GPL, see .\n\nThe GNU General Public License does not permit incorporating your\nprogram into proprietary programs. If your program is a subroutine\nlibrary, you may consider it more useful to permit linking proprietary\napplications with the library. If this is what you want to do, use the\nGNU Lesser General Public License instead of this License. But first,\nplease read .\n\nFile: gnupg1.info, Node: Option Index, Next: Index, Prev: Copying, Up: Top\n" } ] }, "Option Index": { "content": "* Menu:\n\n* allow-freeform-uid: GPG Esoteric Options.\n(line 304)\n* allow-multiple-messages: GPG Esoteric Options.\n(line 436)\n* allow-non-selfsigned-uid: GPG Esoteric Options.\n(line 299)\n* allow-secret-key-import: GPG Esoteric Options.\n(line 432)\n* allow-weak-digest-algos: GPG Esoteric Options.\n(line 339)\n* always-trust: Deprecated Options. (line 32)\n* armor: GPG Input and Output.\n(line 8)\n* ask-cert-expire: GPG Esoteric Options.\n(line 419)\n* ask-cert-level: GPG Configuration Options.\n(line 359)\n* ask-sig-expire: GPG Esoteric Options.\n(line 405)\n* attribute-fd: GPG Esoteric Options.\n(line 79)\n* attribute-file: GPG Esoteric Options.\n(line 85)\n* auto-check-trustdb: GPG Configuration Options.\n(line 652)\n* auto-key-locate: GPG Configuration Options.\n(line 439)\n* batch: GPG Configuration Options.\n(line 39)\n* bzip2-compress-level: GPG Configuration Options.\n(line 333)\n* bzip2-decompress-lowmem: GPG Configuration Options.\n(line 343)\n* card-edit: Operational GPG Commands.\n(line 165)\n* card-status: Operational GPG Commands.\n(line 171)\n* cert-digest-algo: GPG Esoteric Options.\n(line 218)\n* cert-notation: GPG Esoteric Options.\n(line 111)\n* cert-policy-url: GPG Esoteric Options.\n(line 141)\n* change-pin: Operational GPG Commands.\n(line 174)\n* check-sigs: Operational GPG Commands.\n(line 142)\n* check-trustdb: Operational GPG Commands.\n(line 277)\n* cipher-algo: GPG Esoteric Options.\n(line 179)\n* clearsign: Operational GPG Commands.\n(line 17)\n* command-fd: GPG Esoteric Options.\n(line 287)\n* command-file: GPG Esoteric Options.\n(line 294)\n* comment: GPG Esoteric Options.\n(line 90)\n* compliant-needed: GPG Configuration Options.\n(line 617)\n* compress-algo: GPG Esoteric Options.\n(line 195)\n* compress-level: GPG Configuration Options.\n(line 333)\n* ctapi-driver: Deprecated Options. (line 27)\n* dearmor: Operational GPG Commands.\n(line 331)\n* debug: GPG Esoteric Options.\n(line 47)\n* debug-all: GPG Esoteric Options.\n(line 51)\n* debug-ccid-driver: GPG Esoteric Options.\n(line 54)\n* debug-level: GPG Esoteric Options.\n(line 22)\n* decrypt: Operational GPG Commands.\n(line 52)\n* decrypt-files: Operational GPG Commands.\n(line 100)\n* default-cert-expire: GPG Esoteric Options.\n(line 425)\n* default-cert-level: GPG Configuration Options.\n(line 367)\n* default-key: GPG Configuration Options.\n(line 10)\n* default-keyserver-url: GPG Esoteric Options.\n(line 464)\n* default-preference-list: GPG Esoteric Options.\n(line 459)\n* default-recipient: GPG Configuration Options.\n(line 15)\n* default-recipient-self: GPG Configuration Options.\n(line 19)\n* default-sig-expire: GPG Esoteric Options.\n(line 411)\n* delete-key: Operational GPG Commands.\n(line 179)\n* delete-secret-and-public-key: Operational GPG Commands.\n(line 188)\n* delete-secret-key: Operational GPG Commands.\n(line 184)\n* desig-revoke: OpenPGP Key Management.\n(line 21)\n* detach-sign: Operational GPG Commands.\n(line 27)\n* digest-algo: GPG Esoteric Options.\n(line 188)\n* disable-ccid: GPG Configuration Options.\n(line 274)\n* disable-cipher-algo: GPG Esoteric Options.\n(line 226)\n* disable-dsa2: GPG Configuration Options.\n(line 190)\n* disable-large-rsa: GPG Configuration Options.\n(line 183)\n* disable-mdc: OpenPGP Options. (line 46)\n* disable-pubkey-algo: GPG Esoteric Options.\n(line 231)\n* display-charset: GPG Configuration Options.\n(line 288)\n* display-charset:iso-8859-1: GPG Configuration Options.\n(line 297)\n* display-charset:iso-8859-15: GPG Configuration Options.\n(line 303)\n* display-charset:iso-8859-2: GPG Configuration Options.\n(line 300)\n* display-charset:koi8-r: GPG Configuration Options.\n(line 306)\n* display-charset:utf-8: GPG Configuration Options.\n(line 309)\n* dry-run: GPG Esoteric Options.\n(line 8)\n* dump-options: General GPG Commands.\n(line 19)\n* edit-key: OpenPGP Key Management.\n(line 26)\n* emit-version: GPG Esoteric Options.\n(line 101)\n* enable-dsa2: GPG Configuration Options.\n(line 190)\n* enable-large-rsa: GPG Configuration Options.\n(line 183)\n* enable-progress-filter: GPG Esoteric Options.\n(line 58)\n* enable-special-filenames: GPG Esoteric Options.\n(line 446)\n* enarmor: Operational GPG Commands.\n(line 331)\n* encrypt: Operational GPG Commands.\n(line 31)\n* encrypt-files: Operational GPG Commands.\n(line 97)\n* encrypt-to: GPG Key related Options.\n(line 21)\n* escape-from-lines: GPG Esoteric Options.\n(line 256)\n* exec-path: GPG Configuration Options.\n(line 214)\n* exit-on-status-write-error: GPG Configuration Options.\n(line 687)\n* expert: GPG Configuration Options.\n(line 745)\n* export: Operational GPG Commands.\n(line 193)\n* export-options: GPG Input and Output.\n(line 75)\n* export-ownertrust: Operational GPG Commands.\n(line 292)\n* export-secret-keys: Operational GPG Commands.\n(line 209)\n* export-secret-subkeys: Operational GPG Commands.\n(line 209)\n* fast-list-mode: GPG Esoteric Options.\n(line 370)\n* fetch-keys: Operational GPG Commands.\n(line 262)\n* fingerprint: Operational GPG Commands.\n(line 154)\n* fixed-list-mode: GPG Input and Output.\n(line 126)\n* for-your-eyes-only: GPG Esoteric Options.\n(line 165)\n* force-mdc: OpenPGP Options. (line 40)\n* force-v3-sigs: OpenPGP Options. (line 25)\n* force-v4-certs: OpenPGP Options. (line 35)\n* gen-key: OpenPGP Key Management.\n(line 9)\n* gen-prime: Operational GPG Commands.\n(line 326)\n* gen-random: Operational GPG Commands.\n(line 319)\n* gen-revoke: OpenPGP Key Management.\n(line 17)\n* gnupg: Compliance Options. (line 12)\n* gpg-agent-info: GPG Configuration Options.\n(line 666)\n* gpgconf-list: GPG Esoteric Options.\n(line 477)\n* gpgconf-test: GPG Esoteric Options.\n(line 481)\n* group: GPG Key related Options.\n(line 41)\n* help: General GPG Commands.\n(line 12)\n* hidden-encrypt-to: GPG Key related Options.\n(line 29)\n* hidden-recipient: GPG Key related Options.\n(line 14)\n* homedir: GPG Configuration Options.\n(line 247)\n* ignore-crc-error: GPG Esoteric Options.\n(line 324)\n* ignore-mdc-error: GPG Esoteric Options.\n(line 331)\n* ignore-time-conflict: GPG Esoteric Options.\n(line 310)\n* ignore-valid-from: GPG Esoteric Options.\n(line 317)\n* import: Operational GPG Commands.\n(line 231)\n* import-options: GPG Input and Output.\n(line 29)\n* import-ownertrust: Operational GPG Commands.\n(line 298)\n* interactive: GPG Esoteric Options.\n(line 19)\n* keyedit:addcardkey: OpenPGP Key Management.\n(line 162)\n* keyedit:addkey: OpenPGP Key Management.\n(line 159)\n* keyedit:addphoto: OpenPGP Key Management.\n(line 81)\n* keyedit:addrevoker: OpenPGP Key Management.\n(line 210)\n* keyedit:adduid: OpenPGP Key Management.\n(line 78)\n* keyedit:bkuptocard: OpenPGP Key Management.\n(line 176)\n* keyedit:check: OpenPGP Key Management.\n(line 75)\n* keyedit:clean: OpenPGP Key Management.\n(line 222)\n* keyedit:cross-certify: OpenPGP Key Management.\n(line 236)\n* keyedit:delkey: OpenPGP Key Management.\n(line 187)\n* keyedit:delsig: OpenPGP Key Management.\n(line 65)\n* keyedit:deluid: OpenPGP Key Management.\n(line 91)\n* keyedit:disable: OpenPGP Key Management.\n(line 206)\n* keyedit:enable: OpenPGP Key Management.\n(line 206)\n* keyedit:expire: OpenPGP Key Management.\n(line 195)\n* keyedit:key: OpenPGP Key Management.\n(line 35)\n* keyedit:keyserver: OpenPGP Key Management.\n(line 108)\n* keyedit:keytocard: OpenPGP Key Management.\n(line 165)\n* keyedit:lsign: OpenPGP Key Management.\n(line 46)\n* keyedit:minimize: OpenPGP Key Management.\n(line 231)\n* keyedit:notation: OpenPGP Key Management.\n(line 115)\n* keyedit:nrsign: OpenPGP Key Management.\n(line 51)\n* keyedit:passwd: OpenPGP Key Management.\n(line 216)\n* keyedit:pref: OpenPGP Key Management.\n(line 123)\n* keyedit:primary: OpenPGP Key Management.\n(line 100)\n* keyedit:quit: OpenPGP Key Management.\n(line 247)\n* keyedit:revkey: OpenPGP Key Management.\n(line 192)\n* keyedit:revsig: OpenPGP Key Management.\n(line 70)\n* keyedit:revuid: OpenPGP Key Management.\n(line 97)\n* keyedit:save: OpenPGP Key Management.\n(line 244)\n* keyedit:setpref: OpenPGP Key Management.\n(line 135)\n* keyedit:showphoto: OpenPGP Key Management.\n(line 88)\n* keyedit:showpref: OpenPGP Key Management.\n(line 127)\n* keyedit:sign: OpenPGP Key Management.\n(line 39)\n* keyedit:toggle: OpenPGP Key Management.\n(line 219)\n* keyedit:trust: OpenPGP Key Management.\n(line 201)\n* keyedit:tsign: OpenPGP Key Management.\n(line 55)\n* keyedit:uid: OpenPGP Key Management.\n(line 31)\n* keyid-format: GPG Configuration Options.\n(line 482)\n* keyring: GPG Configuration Options.\n(line 221)\n* keyserver: GPG Configuration Options.\n(line 489)\n* keyserver-options: GPG Configuration Options.\n(line 509)\n* limit-card-insert-tries: GPG Configuration Options.\n(line 696)\n* list-config: GPG Esoteric Options.\n(line 469)\n* list-keys: Operational GPG Commands.\n(line 105)\n* list-only: GPG Esoteric Options.\n(line 11)\n* list-options: GPG Configuration Options.\n(line 70)\n* list-options:show-keyring: GPG Configuration Options.\n(line 119)\n* list-options:show-keyserver-urls: GPG Configuration Options.\n(line 103)\n* list-options:show-notations: GPG Configuration Options.\n(line 98)\n* list-options:show-photos: GPG Configuration Options.\n(line 78)\n* list-options:show-policy-urls: GPG Configuration Options.\n(line 92)\n* list-options:show-sig-expire: GPG Configuration Options.\n(line 123)\n* list-options:show-sig-subpackets: GPG Configuration Options.\n(line 127)\n* list-options:show-std-notations: GPG Configuration Options.\n(line 98)\n* list-options:show-uid-validity: GPG Configuration Options.\n(line 107)\n* list-options:show-unusable-subkeys: GPG Configuration Options.\n(line 115)\n* list-options:show-unusable-uids: GPG Configuration Options.\n(line 111)\n* list-options:show-usage: GPG Configuration Options.\n(line 86)\n* list-options:show-user-notations: GPG Configuration Options.\n(line 98)\n* list-packets: Operational GPG Commands.\n(line 161)\n* list-secret-keys: Operational GPG Commands.\n(line 120)\n* list-sigs: Operational GPG Commands.\n(line 126)\n* load-extension: Deprecated Options. (line 7)\n* local-user: GPG Key related Options.\n(line 63)\n* lock-multiple: GPG Configuration Options.\n(line 676)\n* lock-never: GPG Configuration Options.\n(line 680)\n* lock-once: GPG Configuration Options.\n(line 672)\n* log-file: GPG Esoteric Options.\n(line 75)\n* logger-fd: GPG Esoteric Options.\n(line 71)\n* lsign-key: OpenPGP Key Management.\n(line 282)\n* mangle-dos-filenames: GPG Configuration Options.\n(line 351)\n* marginals-needed: GPG Configuration Options.\n(line 621)\n* max-cert-depth: GPG Configuration Options.\n(line 625)\n* max-output: GPG Input and Output.\n(line 19)\n* min-cert-level: GPG Configuration Options.\n(line 396)\n* multifile: Operational GPG Commands.\n(line 86)\n* no: GPG Configuration Options.\n(line 67)\n* no-armor: GPG Input and Output.\n(line 12)\n* no-batch: GPG Configuration Options.\n(line 39)\n* no-default-keyring: GPG Esoteric Options.\n(line 355)\n* no-default-recipient: GPG Configuration Options.\n(line 25)\n* no-encrypt-to: GPG Key related Options.\n(line 37)\n* no-expensive-trust-checks: GPG Esoteric Options.\n(line 451)\n* no-greeting: GPG Configuration Options.\n(line 710)\n* no-groups: GPG Key related Options.\n(line 59)\n* no-literal: GPG Esoteric Options.\n(line 378)\n* no-mangle-dos-filenames: GPG Configuration Options.\n(line 351)\n* no-mdc-warning: GPG Configuration Options.\n(line 729)\n* no-options: GPG Configuration Options.\n(line 326)\n* no-random-seed-file: GPG Configuration Options.\n(line 704)\n* no-secmem-warning: GPG Configuration Options.\n(line 713)\n* no-sig-cache: GPG Configuration Options.\n(line 639)\n* no-sig-create-check: GPG Configuration Options.\n(line 648)\n* no-tty: GPG Configuration Options.\n(line 59)\n* no-verbose: GPG Configuration Options.\n(line 32)\n* not-dash-escaped: GPG Esoteric Options.\n(line 246)\n* openpgp: Compliance Options. (line 19)\n* options: GPG Configuration Options.\n(line 321)\n* output: GPG Input and Output.\n(line 16)\n* override-session-key: GPG Esoteric Options.\n(line 396)\n* passphrase: GPG Esoteric Options.\n(line 281)\n* passphrase-fd: GPG Esoteric Options.\n(line 268)\n* passphrase-file: GPG Esoteric Options.\n(line 274)\n* passphrase-repeat: GPG Esoteric Options.\n(line 263)\n* pcsc-driver: GPG Configuration Options.\n(line 268)\n* permission-warning: GPG Configuration Options.\n(line 716)\n* personal-cipher-preferences: OpenPGP Options. (line 51)\n* personal-compress-preferences: OpenPGP Options. (line 69)\n* personal-digest-preferences: OpenPGP Options. (line 60)\n* pgp2: Compliance Options. (line 38)\n* pgp6: Compliance Options. (line 57)\n* pgp7: Compliance Options. (line 68)\n* pgp8: Compliance Options. (line 74)\n* photo-viewer: GPG Configuration Options.\n(line 196)\n* preserve-permissions: GPG Esoteric Options.\n(line 454)\n* primary-keyring: GPG Configuration Options.\n(line 235)\n* print-md: Operational GPG Commands.\n(line 314)\n* quiet: GPG Configuration Options.\n(line 35)\n* reader-port: GPG Configuration Options.\n(line 280)\n* rebuild-keydb-caches: Operational GPG Commands.\n(line 308)\n* recipient: GPG Key related Options.\n(line 8)\n* recv-keys: Operational GPG Commands.\n(line 240)\n* refresh-keys: Operational GPG Commands.\n(line 244)\n* require-cross-certification: GPG Configuration Options.\n(line 738)\n* require-secmem: GPG Configuration Options.\n(line 733)\n* rfc1991: Compliance Options. (line 34)\n* rfc2440: Compliance Options. (line 30)\n* rfc4880: Compliance Options. (line 25)\n* s2k-cipher-algo: OpenPGP Options. (line 79)\n* s2k-count: OpenPGP Options. (line 96)\n* s2k-digest-algo: OpenPGP Options. (line 85)\n* s2k-mode: OpenPGP Options. (line 89)\n* search-keys: Operational GPG Commands.\n(line 253)\n* secret-keyring: GPG Configuration Options.\n(line 232)\n* send-keys: Operational GPG Commands.\n(line 200)\n* set-filename: GPG Esoteric Options.\n(line 159)\n* set-filesize: GPG Esoteric Options.\n(line 382)\n* set-notation: GPG Esoteric Options.\n(line 111)\n* set-policy-url: GPG Esoteric Options.\n(line 141)\n* show-keyring: Deprecated Options. (line 22)\n* show-notation: Deprecated Options. (line 36)\n* show-photos: Deprecated Options. (line 14)\n* show-policy-url: Deprecated Options. (line 44)\n* show-session-key: GPG Esoteric Options.\n(line 386)\n* sig-keyserver-url: GPG Esoteric Options.\n(line 151)\n* sig-notation: GPG Esoteric Options.\n(line 111)\n* sig-policy-url: GPG Esoteric Options.\n(line 141)\n* sign: Operational GPG Commands.\n(line 8)\n* sign-key: OpenPGP Key Management.\n(line 278)\n* simple-sk-checksum: GPG Configuration Options.\n(line 628)\n* skip-verify: GPG Esoteric Options.\n(line 362)\n* status-fd: GPG Esoteric Options.\n(line 63)\n* status-file: GPG Esoteric Options.\n(line 67)\n* store: Operational GPG Commands.\n(line 48)\n* symmetric: Operational GPG Commands.\n(line 39)\n* textmode: OpenPGP Options. (line 8)\n* throw-keyids: GPG Esoteric Options.\n(line 237)\n* trust-mode:always: GPG Configuration Options.\n(line 424)\n* trust-mode:auto: GPG Configuration Options.\n(line 433)\n* trust-mode:classic: GPG Configuration Options.\n(line 417)\n* trust-mode:direct: GPG Configuration Options.\n(line 420)\n* trust-mode:pgp: GPG Configuration Options.\n(line 412)\n* trust-model: GPG Configuration Options.\n(line 409)\n* trustdb-name: GPG Configuration Options.\n(line 240)\n* trusted-key: GPG Configuration Options.\n(line 402)\n* try-all-secrets: GPG Key related Options.\n(line 67)\n* ungroup: GPG Key related Options.\n(line 56)\n* update-trustdb: Operational GPG Commands.\n(line 267)\n* use-agent: GPG Configuration Options.\n(line 659)\n* use-embedded-filename: GPG Esoteric Options.\n(line 174)\n* utf8-strings: GPG Configuration Options.\n(line 314)\n* verbose: GPG Configuration Options.\n(line 28)\n* verify: Operational GPG Commands.\n(line 60)\n* verify-files: Operational GPG Commands.\n(line 94)\n* verify-options: GPG Configuration Options.\n(line 134)\n* verify-options:pka-lookups: GPG Configuration Options.\n(line 170)\n* verify-options:pka-trust-increase: GPG Configuration Options.\n(line 177)\n* verify-options:show-keyserver-urls: GPG Configuration Options.\n(line 153)\n* verify-options:show-notations: GPG Configuration Options.\n(line 149)\n* verify-options:show-photos: GPG Configuration Options.\n(line 139)\n* verify-options:show-policy-urls: GPG Configuration Options.\n(line 143)\n* verify-options:show-primary-uid-only: GPG Configuration Options.\n(line 165)\n* verify-options:show-std-notations: GPG Configuration Options.\n(line 149)\n* verify-options:show-uid-validity: GPG Configuration Options.\n(line 157)\n* verify-options:show-unusable-uids: GPG Configuration Options.\n(line 161)\n* verify-options:show-user-notations: GPG Configuration Options.\n(line 149)\n* version: General GPG Commands.\n(line 7)\n* warranty: General GPG Commands.\n(line 16)\n* weak-digest: GPG Esoteric Options.\n(line 347)\n* with-colons: GPG Input and Output.\n(line 118)\n* with-fingerprint: GPG Input and Output.\n(line 130)\n* with-key-data: GPG Esoteric Options.\n(line 366)\n* yes: GPG Configuration Options.\n(line 64)\n\nFile: gnupg1.info, Node: Index, Prev: Option Index, Up: Top\n", "subsections": [] }, "Index": { "content": "* Menu:\n\n* command options: Invoking GPG. (line 6)\n* GPG command options: Invoking GPG. (line 6)\n* gpg.conf: GPG Configuration. (line 11)\n* options, GPG command: Invoking GPG. (line 6)\n\n", "subsections": [] } } } }