2003-01-16 19:20:10 +00:00
|
|
|
# These first three lines are not copied to the gpg.conf file in
|
|
|
|
# the users home directory.
|
|
|
|
# $Id$
|
1998-10-25 19:00:01 +00:00
|
|
|
# Options for GnuPG
|
2010-09-28 16:13:24 +00:00
|
|
|
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
|
|
|
|
# 2010 Free Software Foundation, Inc.
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# This file is free software; as a special exception the author gives
|
|
|
|
# unlimited permission to copy and/or distribute it, with or without
|
|
|
|
# modifications, as long as this notice is preserved.
|
|
|
|
#
|
|
|
|
# This file is distributed in the hope that it will be useful, but
|
|
|
|
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
|
|
|
|
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
1998-10-25 19:00:01 +00:00
|
|
|
#
|
2002-08-09 02:23:42 +00:00
|
|
|
# Unless you specify which option file to use (with the command line
|
|
|
|
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
|
|
|
|
# by default.
|
1998-10-25 19:00:01 +00:00
|
|
|
#
|
2002-08-09 02:23:42 +00:00
|
|
|
# An options file can contain any long options which are available in
|
|
|
|
# GnuPG. If the first non white space character of a line is a '#',
|
|
|
|
# this line is ignored. Empty lines are also ignored.
|
1998-10-25 19:00:01 +00:00
|
|
|
#
|
|
|
|
# See the man page for a list of options.
|
|
|
|
|
2002-08-09 02:23:42 +00:00
|
|
|
# Uncomment the following option to get rid of the copyright notice
|
|
|
|
|
1998-10-25 19:00:01 +00:00
|
|
|
#no-greeting
|
|
|
|
|
2002-08-09 02:23:42 +00:00
|
|
|
# If you have more than 1 secret key in your keyring, you may want to
|
|
|
|
# uncomment the following option and set your preferred keyid.
|
1998-10-25 19:00:01 +00:00
|
|
|
|
1999-07-22 18:11:55 +00:00
|
|
|
#default-key 621CC013
|
1998-10-25 19:00:01 +00:00
|
|
|
|
2002-08-09 02:23:42 +00:00
|
|
|
# If you do not pass a recipient to gpg, it will ask for one. Using
|
|
|
|
# this option you can encrypt to a default key. Key validation will
|
|
|
|
# not be done in this case. The second form uses the default key as
|
|
|
|
# default recipient.
|
1999-07-13 15:41:14 +00:00
|
|
|
|
1999-07-22 18:11:55 +00:00
|
|
|
#default-recipient some-user-id
|
|
|
|
#default-recipient-self
|
1999-07-13 15:41:14 +00:00
|
|
|
|
2005-11-06 15:45:00 +00:00
|
|
|
# Use --encrypt-to to add the specified key as a recipient to all
|
|
|
|
# messages. This is useful, for example, when sending mail through a
|
|
|
|
# mail client that does not automatically encrypt mail to your key.
|
|
|
|
# In the example, this option allows you to read your local copy of
|
|
|
|
# encrypted mail that you've sent to others.
|
|
|
|
|
|
|
|
#encrypt-to some-key-id
|
|
|
|
|
2010-09-28 16:13:24 +00:00
|
|
|
# By default GnuPG creates version 4 signatures for data files as
|
|
|
|
# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP
|
|
|
|
# require the older version 3 signatures. Setting this option forces
|
|
|
|
# GnuPG to create version 3 signatures.
|
2002-08-09 02:23:42 +00:00
|
|
|
|
2010-09-28 16:13:24 +00:00
|
|
|
#force-v3-sigs
|
1998-10-25 19:00:01 +00:00
|
|
|
|
1998-12-17 17:36:05 +00:00
|
|
|
# Because some mailers change lines starting with "From " to ">From "
|
|
|
|
# it is good to handle such lines in a special way when creating
|
2002-06-29 13:46:34 +00:00
|
|
|
# cleartext signatures; all other PGP versions do it this way too.
|
2002-08-09 02:23:42 +00:00
|
|
|
|
2002-06-29 13:46:34 +00:00
|
|
|
#no-escape-from-lines
|
|
|
|
|
|
|
|
# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
|
|
|
|
# GnuPG which is the native character set. Please check the man page
|
|
|
|
# for supported character sets. This character set is only used for
|
2003-03-04 15:24:12 +00:00
|
|
|
# metadata and not for the actual message which does not undergo any
|
2002-06-29 13:46:34 +00:00
|
|
|
# translation. Note that future version of GnuPG will change to UTF-8
|
2006-12-15 04:37:47 +00:00
|
|
|
# as default character set. In most cases this option is not required
|
|
|
|
# as GnuPG is able to figure out the correct charset at runtime.
|
2002-08-20 17:16:33 +00:00
|
|
|
|
2002-06-29 13:46:34 +00:00
|
|
|
#charset utf-8
|
|
|
|
|
|
|
|
# Group names may be defined like this:
|
2002-12-13 21:10:53 +00:00
|
|
|
# group mynames = paige 0x12345678 joe patti
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
2002-07-01 16:47:22 +00:00
|
|
|
# Any time "mynames" is a recipient (-r or --recipient), it will be
|
2002-06-29 13:46:34 +00:00
|
|
|
# expanded to the names "paige", "joe", and "patti", and the key ID
|
|
|
|
# "0x12345678". Note there is only one level of expansion - you
|
2002-08-20 17:16:33 +00:00
|
|
|
# cannot make an group that points to another group. Note also that
|
|
|
|
# if there are spaces in the recipient name, this will appear as two
|
2002-08-09 02:23:42 +00:00
|
|
|
# recipients. In these cases it is better to use the key ID.
|
1998-11-13 19:41:41 +00:00
|
|
|
|
2002-12-13 21:10:53 +00:00
|
|
|
#group mynames = paige 0x12345678 joe patti
|
2002-08-20 17:16:33 +00:00
|
|
|
|
2002-08-09 02:23:42 +00:00
|
|
|
# Lock the file only once for the lifetime of a process. If you do
|
|
|
|
# not define this, the lock will be obtained and released every time
|
2003-10-10 03:05:05 +00:00
|
|
|
# it is needed, which is usually preferable.
|
1998-11-27 20:40:56 +00:00
|
|
|
|
2002-09-10 08:40:12 +00:00
|
|
|
#lock-once
|
1998-11-27 20:40:56 +00:00
|
|
|
|
2002-06-29 13:46:34 +00:00
|
|
|
# GnuPG can send and receive keys to and from a keyserver. These
|
|
|
|
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
|
|
|
|
# support).
|
|
|
|
#
|
|
|
|
# Example HKP keyserver:
|
2008-03-25 08:34:02 +00:00
|
|
|
# hkp://keys.gnupg.net
|
* parse-packet.c (parse_signature): No need to reserve 8 bytes for the
unhashed signature cache any longer.
* misc.c (pct_expando): Add two new expandos - signer's fingerprint (%g),
and signer's primary fingerprint (%p).
* Makefile.am: Include W32LIBS where appropriate.
* g10.c (main): Add --rfc2440 alias for --openpgp since in a few months,
they won't be the same thing.
* keyserver.c (parse_keyserver_uri): Accept "http" as an alias for "hkp",
since it is occasionally written that way. (keyserver_spawn): Use
ascii_isspace to avoid locale issues.
* keygen.c (ask_user_id): Make --allow-freeform-uid apply to the email
field as well as the name field, and allow mixing fields when it is set.
* options.skel: Use subkeys.pgp.net as the default keyserver.
* trustdb.c (validate_one_keyblock): Certifications on revoked or expired
uids do not count in the web of trust.
* signal.c (init_one_signal, pause_on_sigusr, do_block): Only use
sigprocmask() if we have sigset_t, and only use sigaction() if we have
struct sigaction. This is for Forte c89 on Solaris which seems to define
only the function call half of the two pairs by default.
(pause_on_sigusr): Typo. (do_block): If we can't use sigprocmask() and
sigset_t, try to get the number of signals from NSIG as well as MAXSIG,
and if we can't, fail with an explanation.
* signal.c, tdbio.c: Comment out the transaction code. It was not used in
this version, and was causing some build problems on quasi-posix platforms
(Solaris and Forte c89).
* keylist.c (list_keyblock_colon): Don't include validity values when
listing secret keys since they can be incorrect and/or misleading. This
is a temporary kludge, and will be handled properly in 1.9/2.0.
* mainproc.c (check_sig_and_print): Only show the "key available from"
preferred keyserver line if the key is not currently present.
* keyedit.c (sign_uids): Do not sign expired uids without --expert (same
behavior as revoked uids). Do not allow signing a user ID without a
self-signature. --expert overrides. Add additional prompt to the
signature level question. (menu_expire): When changing expiration dates,
don't replace selfsigs on revoked uids since this would effectively
unrevoke them. There is also no point in replacing expired selfsigs.
This is bug #181
* g10.c (add_notation_data): Make sure that only ascii is passed to
iscntrl. Noted by Christian Biere.
* getkey.c (classify_user_id2): Replaced isspace by spacep
* keygen.c (ask_user_id): Ditto. (get_parameter_algo): Ditto.
* keyedit.c (keyedit_menu): Ditto.
* tdbdump.c (import_ownertrust): Ditto. s/isxdigit/hexdigitp/.
* revoke.c (ask_revocation_reason):
* keyserver.c (keyserver_spawn): Dito.
2003-07-10 14:30:07 +00:00
|
|
|
# hkp://subkeys.pgp.net
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# Example email keyserver:
|
2003-06-05 02:06:12 +00:00
|
|
|
# mailto:pgp-public-keys@keys.pgp.net
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
2002-08-30 18:01:32 +00:00
|
|
|
# Example LDAP keyservers:
|
|
|
|
# ldap://keyserver.pgp.com
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# Regular URL syntax applies, and you can set an alternate port
|
|
|
|
# through the usual method:
|
* parse-packet.c (parse_signature): No need to reserve 8 bytes for the
unhashed signature cache any longer.
* misc.c (pct_expando): Add two new expandos - signer's fingerprint (%g),
and signer's primary fingerprint (%p).
* Makefile.am: Include W32LIBS where appropriate.
* g10.c (main): Add --rfc2440 alias for --openpgp since in a few months,
they won't be the same thing.
* keyserver.c (parse_keyserver_uri): Accept "http" as an alias for "hkp",
since it is occasionally written that way. (keyserver_spawn): Use
ascii_isspace to avoid locale issues.
* keygen.c (ask_user_id): Make --allow-freeform-uid apply to the email
field as well as the name field, and allow mixing fields when it is set.
* options.skel: Use subkeys.pgp.net as the default keyserver.
* trustdb.c (validate_one_keyblock): Certifications on revoked or expired
uids do not count in the web of trust.
* signal.c (init_one_signal, pause_on_sigusr, do_block): Only use
sigprocmask() if we have sigset_t, and only use sigaction() if we have
struct sigaction. This is for Forte c89 on Solaris which seems to define
only the function call half of the two pairs by default.
(pause_on_sigusr): Typo. (do_block): If we can't use sigprocmask() and
sigset_t, try to get the number of signals from NSIG as well as MAXSIG,
and if we can't, fail with an explanation.
* signal.c, tdbio.c: Comment out the transaction code. It was not used in
this version, and was causing some build problems on quasi-posix platforms
(Solaris and Forte c89).
* keylist.c (list_keyblock_colon): Don't include validity values when
listing secret keys since they can be incorrect and/or misleading. This
is a temporary kludge, and will be handled properly in 1.9/2.0.
* mainproc.c (check_sig_and_print): Only show the "key available from"
preferred keyserver line if the key is not currently present.
* keyedit.c (sign_uids): Do not sign expired uids without --expert (same
behavior as revoked uids). Do not allow signing a user ID without a
self-signature. --expert overrides. Add additional prompt to the
signature level question. (menu_expire): When changing expiration dates,
don't replace selfsigs on revoked uids since this would effectively
unrevoke them. There is also no point in replacing expired selfsigs.
This is bug #181
* g10.c (add_notation_data): Make sure that only ascii is passed to
iscntrl. Noted by Christian Biere.
* getkey.c (classify_user_id2): Replaced isspace by spacep
* keygen.c (ask_user_id): Ditto. (get_parameter_algo): Ditto.
* keyedit.c (keyedit_menu): Ditto.
* tdbdump.c (import_ownertrust): Ditto. s/isxdigit/hexdigitp/.
* revoke.c (ask_revocation_reason):
* keyserver.c (keyserver_spawn): Dito.
2003-07-10 14:30:07 +00:00
|
|
|
# hkp://keyserver.example.net:22742
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# Most users just set the name and type of their preferred keyserver.
|
* gpgv.c: Remove extra semicolon (typo).
* options.skel: Note that keyserver.pgp.com isn't synchronized, and
explain the roundrobin a bit better.
* sig-check.c (check_key_signature2), import.c (import_one,
import_revoke_cert, chk_self_sigs, delete_inv_parts, collapse_uids,
merge_blocks): Make much quieter during import of slightly munged, but
recoverable, keys. Use log_error for unrecoverable import failures.
* keyring.c (keyring_rebuild_cache): Comment.
* sign.c (mk_notation_and_policy): Making a v3 signature with notations or
policy urls is an error, not an info (i.e. increment the errorcount).
Don't print the notation or policy url to stdout since it can be mixed
into the output stream when piping and munge the stream.
2003-08-21 23:20:58 +00:00
|
|
|
# Note that most servers (with the notable exception of
|
|
|
|
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
|
|
|
|
# also that a single server name may actually point to multiple
|
2008-03-25 08:34:02 +00:00
|
|
|
# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
|
* gpgv.c: Remove extra semicolon (typo).
* options.skel: Note that keyserver.pgp.com isn't synchronized, and
explain the roundrobin a bit better.
* sig-check.c (check_key_signature2), import.c (import_one,
import_revoke_cert, chk_self_sigs, delete_inv_parts, collapse_uids,
merge_blocks): Make much quieter during import of slightly munged, but
recoverable, keys. Use log_error for unrecoverable import failures.
* keyring.c (keyring_rebuild_cache): Comment.
* sign.c (mk_notation_and_policy): Making a v3 signature with notations or
policy urls is an error, not an info (i.e. increment the errorcount).
Don't print the notation or policy url to stdout since it can be mixed
into the output stream when piping and munge the stream.
2003-08-21 23:20:58 +00:00
|
|
|
# such a "server", which spreads the load over a number of physical
|
2008-03-25 08:34:02 +00:00
|
|
|
# servers. To see the IP address of the server actually used, you may use
|
|
|
|
# the "--keyserver-options debug".
|
1999-01-16 08:29:29 +00:00
|
|
|
|
2008-03-25 14:47:48 +00:00
|
|
|
keyserver hkp://keys.gnupg.net
|
2002-06-29 13:46:34 +00:00
|
|
|
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
|
2002-08-30 18:01:32 +00:00
|
|
|
#keyserver ldap://keyserver.pgp.com
|
1999-01-16 08:29:29 +00:00
|
|
|
|
2002-08-20 17:16:33 +00:00
|
|
|
# Common options for keyserver functions:
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# include-disabled : when searching, include keys marked as "disabled"
|
2002-06-29 13:46:34 +00:00
|
|
|
# on the keyserver (not all keyservers support this).
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# no-include-revoked : when searching, do not include keys marked as
|
2002-08-22 17:47:42 +00:00
|
|
|
# "revoked" on the keyserver.
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# verbose : show more information as the keys are fetched.
|
2002-06-29 13:46:34 +00:00
|
|
|
# Can be used more than once to increase the amount
|
|
|
|
# of information shown.
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# use-temp-files : use temporary files instead of a pipe to talk to the
|
2002-06-29 13:46:34 +00:00
|
|
|
# keyserver. Some platforms (Win32 for one) always
|
|
|
|
# have this on.
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# keep-temp-files : do not delete temporary files after using them
|
2002-06-29 13:46:34 +00:00
|
|
|
# (really only useful for debugging)
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers.
|
|
|
|
# This overrides the "http_proxy" environment variable,
|
|
|
|
# if any.
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# auto-key-retrieve : automatically fetch keys as needed from the keyserver
|
2002-08-20 17:16:33 +00:00
|
|
|
# when verifying signatures or when importing keys that
|
|
|
|
# have been revoked by a revocation key that is not
|
|
|
|
# present on the keyring.
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# no-include-attributes : do not include attribute IDs (aka "photo IDs")
|
2002-08-20 17:16:33 +00:00
|
|
|
# when sending keys to the keyserver.
|
2002-06-29 13:46:34 +00:00
|
|
|
|
2002-08-22 17:47:42 +00:00
|
|
|
#keyserver-options auto-key-retrieve
|
2000-07-31 08:04:16 +00:00
|
|
|
|
2003-10-10 03:05:05 +00:00
|
|
|
# Display photo user IDs in key listings
|
|
|
|
|
|
|
|
# list-options show-photos
|
|
|
|
|
|
|
|
# Display photo user IDs when a signature from a key with a photo is
|
|
|
|
# verified
|
2002-08-09 02:23:42 +00:00
|
|
|
|
2003-10-10 03:05:05 +00:00
|
|
|
# verify-options show-photos
|
2000-07-31 08:04:16 +00:00
|
|
|
|
2002-06-29 13:46:34 +00:00
|
|
|
# Use this program to display photo user IDs
|
|
|
|
#
|
|
|
|
# %i is expanded to a temporary file that contains the photo.
|
|
|
|
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
|
|
|
|
# %k is expanded to the key ID of the key.
|
|
|
|
# %K is expanded to the long OpenPGP key ID of the key.
|
|
|
|
# %t is expanded to the extension of the image (e.g. "jpg").
|
|
|
|
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
|
|
|
|
# %f is expanded to the fingerprint of the key.
|
|
|
|
# %% is %, of course.
|
|
|
|
#
|
|
|
|
# If %i or %I are not present, then the photo is supplied to the
|
|
|
|
# viewer on standard input. If your platform supports it, standard
|
|
|
|
# input is the best way to do this as it avoids the time and effort in
|
|
|
|
# generating and then cleaning up a secure temp file.
|
|
|
|
#
|
2006-04-11 19:20:08 +00:00
|
|
|
# If no photo-viewer is provided, GnuPG will look for xloadimage, eog,
|
|
|
|
# or display (ImageMagick). On Mac OS X and Windows, the default is
|
|
|
|
# to use your regular JPEG image viewer.
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# Some other viewers:
|
|
|
|
# photo-viewer "qiv %i"
|
|
|
|
# photo-viewer "ee %i"
|
|
|
|
#
|
|
|
|
# This one saves a copy of the photo ID in your home directory:
|
|
|
|
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
|
|
|
|
#
|
|
|
|
# Use your MIME handler to view photos:
|
|
|
|
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"
|
|
|
|
|
|
|
|
# Passphrase agent
|
|
|
|
#
|
2003-03-04 15:24:12 +00:00
|
|
|
# We support the old experimental passphrase agent protocol as well as
|
|
|
|
# the new Assuan based one (currently available in the "newpg" package
|
|
|
|
# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent,
|
|
|
|
# you have to run an agent as daemon and use the option
|
2002-06-29 13:46:34 +00:00
|
|
|
#
|
|
|
|
# use-agent
|
|
|
|
#
|
|
|
|
# which tries to use the agent but will fallback to the regular mode
|
|
|
|
# if there is a problem connecting to the agent. The normal way to
|
|
|
|
# locate the agent is by looking at the environment variable
|
|
|
|
# GPG_AGENT_INFO which should have been set during gpg-agent startup.
|
|
|
|
# In certain situations the use of this variable is not possible, thus
|
|
|
|
# the option
|
|
|
|
#
|
|
|
|
# --gpg-agent-info=<path>:<pid>:1
|
|
|
|
#
|
|
|
|
# may be used to override it.
|
2006-02-27 19:31:13 +00:00
|
|
|
|
|
|
|
# Automatic key location
|
|
|
|
#
|
|
|
|
# GnuPG can automatically locate and retrieve keys as needed using the
|
|
|
|
# auto-key-locate option. This happens when encrypting to an email
|
|
|
|
# address (in the "user@example.com" form), and there are no
|
|
|
|
# user@example.com keys on the local keyring. This option takes the
|
|
|
|
# following arguments, in the order they are to be tried:
|
|
|
|
#
|
2006-12-15 04:37:47 +00:00
|
|
|
# cert = locate a key using DNS CERT, as specified in RFC-4398.
|
|
|
|
# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint)
|
|
|
|
# CERT methods.
|
2006-02-27 19:31:13 +00:00
|
|
|
#
|
|
|
|
# pka = locate a key using DNS PKA.
|
|
|
|
#
|
|
|
|
# ldap = locate a key using the PGP Universal method of checking
|
2006-12-15 04:37:47 +00:00
|
|
|
# "ldap://keys.(thedomain)". For example, encrypting to
|
|
|
|
# user@example.com will check ldap://keys.example.com.
|
2006-02-27 19:31:13 +00:00
|
|
|
#
|
|
|
|
# keyserver = locate a key using whatever keyserver is defined using
|
2006-12-15 04:37:47 +00:00
|
|
|
# the keyserver option.
|
2006-02-27 19:31:13 +00:00
|
|
|
#
|
|
|
|
# You may also list arbitrary keyservers here by URL.
|
|
|
|
#
|
|
|
|
# Try CERT, then PKA, then LDAP, then hkp://subkeys.net:
|
|
|
|
#auto-key-locate cert pka ldap hkp://subkeys.pgp.net
|