2003-01-09 13:24:01 +00:00
|
|
|
@c Copyright (C) 2002 Free Software Foundation, Inc.
|
|
|
|
@c This is part of the GnuPG manual.
|
|
|
|
@c For copying conditions, see the file gnupg.texi.
|
|
|
|
|
2015-06-09 21:29:15 +02:00
|
|
|
@include defs.inc
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Invoking GPGSM
|
|
|
|
@chapter Invoking GPGSM
|
|
|
|
@cindex GPGSM command options
|
|
|
|
@cindex command options
|
|
|
|
@cindex options, GPGSM command
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@manpage gpgsm.1
|
|
|
|
@ifset manverb
|
|
|
|
.B gpgsm
|
2006-08-17 19:58:28 +00:00
|
|
|
\- CMS encryption and signing tool
|
2006-08-17 18:01:25 +00:00
|
|
|
@end ifset
|
|
|
|
|
|
|
|
@mansect synopsis
|
|
|
|
@ifset manverb
|
|
|
|
.B gpgsm
|
|
|
|
.RB [ \-\-homedir
|
|
|
|
.IR dir ]
|
|
|
|
.RB [ \-\-options
|
|
|
|
.IR file ]
|
2011-03-01 17:08:49 +01:00
|
|
|
.RI [ options ]
|
2006-08-17 18:01:25 +00:00
|
|
|
.I command
|
|
|
|
.RI [ args ]
|
|
|
|
@end ifset
|
|
|
|
|
|
|
|
|
|
|
|
@mansect description
|
2004-09-30 08:38:32 +00:00
|
|
|
@command{gpgsm} is a tool similar to @command{gpg} to provide digital
|
2009-07-22 13:33:46 +00:00
|
|
|
encryption and signing services on X.509 certificates and the CMS
|
2005-04-20 18:46:51 +00:00
|
|
|
protocol. It is mainly used as a backend for S/MIME mail processing.
|
2010-10-01 20:33:53 +00:00
|
|
|
@command{gpgsm} includes a full featured certificate management and
|
2004-09-30 08:38:32 +00:00
|
|
|
complies with all rules defined for the German Sphinx project.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@manpause
|
2004-09-30 08:38:32 +00:00
|
|
|
@xref{Option Index}, for an index to @command{GPGSM}'s commands and options.
|
2006-08-17 18:01:25 +00:00
|
|
|
@mancont
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@menu
|
|
|
|
* GPGSM Commands:: List of all commands.
|
|
|
|
* GPGSM Options:: List of all options.
|
2006-02-14 13:34:23 +00:00
|
|
|
* GPGSM Configuration:: Configuration files.
|
2003-01-09 13:24:01 +00:00
|
|
|
* GPGSM Examples:: Some usage examples.
|
|
|
|
|
|
|
|
Developer information:
|
2004-09-30 08:38:32 +00:00
|
|
|
* Unattended Usage:: Using @command{gpgsm} from other programs.
|
2003-01-09 13:24:01 +00:00
|
|
|
* GPGSM Protocol:: The protocol the server mode uses.
|
|
|
|
@end menu
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *************** COMMANDS ****************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *******************************************
|
|
|
|
@mansect commands
|
2003-01-09 13:24:01 +00:00
|
|
|
@node GPGSM Commands
|
|
|
|
@section Commands
|
|
|
|
|
2008-01-28 08:03:08 +00:00
|
|
|
Commands are not distinguished from options except for the fact that
|
2006-08-16 14:54:19 +00:00
|
|
|
only one command is allowed.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@menu
|
2006-08-16 14:54:19 +00:00
|
|
|
* General GPGSM Commands:: Commands not specific to the functionality.
|
|
|
|
* Operational GPGSM Commands:: Commands to select the type of operation.
|
|
|
|
* Certificate Management:: How to manage certificates.
|
2003-01-09 13:24:01 +00:00
|
|
|
@end menu
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
|
|
|
@c *******************************************
|
|
|
|
@c ********** GENERAL COMMANDS *************
|
|
|
|
@c *******************************************
|
2006-08-16 14:54:19 +00:00
|
|
|
@node General GPGSM Commands
|
2003-01-09 13:24:01 +00:00
|
|
|
@subsection Commands not specific to the function
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
@item --version
|
|
|
|
@opindex version
|
2008-12-12 14:04:22 +00:00
|
|
|
Print the program version and licensing information. Note that you
|
|
|
|
cannot abbreviate this command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --help, -h
|
|
|
|
@opindex help
|
2009-07-22 13:33:46 +00:00
|
|
|
Print a usage message summarizing the most useful command-line options.
|
2016-09-20 08:32:25 +02:00
|
|
|
Note that you cannot abbreviate this command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@item --warranty
|
|
|
|
@opindex warranty
|
2008-12-12 14:04:22 +00:00
|
|
|
Print warranty information. Note that you cannot abbreviate this
|
|
|
|
command.
|
2006-08-17 18:01:25 +00:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --dump-options
|
|
|
|
@opindex dump-options
|
2008-12-12 14:04:22 +00:00
|
|
|
Print a list of all available options and commands. Note that you cannot
|
2003-01-09 13:24:01 +00:00
|
|
|
abbreviate this command.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ******** OPERATIONAL COMMANDS ***********
|
|
|
|
@c *******************************************
|
2006-08-16 14:54:19 +00:00
|
|
|
@node Operational GPGSM Commands
|
2003-01-09 13:24:01 +00:00
|
|
|
@subsection Commands to select the type of operation
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
@item --encrypt
|
|
|
|
@opindex encrypt
|
2016-03-04 15:20:47 +00:00
|
|
|
Perform an encryption. The keys the data is encrypted to must be set
|
2006-09-08 17:02:06 +00:00
|
|
|
using the option @option{--recipient}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --decrypt
|
|
|
|
@opindex decrypt
|
2006-09-08 17:02:06 +00:00
|
|
|
Perform a decryption; the type of input is automatically determined. It
|
2003-01-09 13:24:01 +00:00
|
|
|
may either be in binary form or PEM encoded; automatic determination of
|
|
|
|
base-64 encoding is not done.
|
|
|
|
|
|
|
|
@item --sign
|
|
|
|
@opindex sign
|
|
|
|
Create a digital signature. The key used is either the fist one found
|
2006-09-08 17:02:06 +00:00
|
|
|
in the keybox or those set with the @option{--local-user} option.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --verify
|
|
|
|
@opindex verify
|
|
|
|
Check a signature file for validity. Depending on the arguments a
|
2009-07-22 13:33:46 +00:00
|
|
|
detached signature may also be checked.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --server
|
|
|
|
@opindex server
|
|
|
|
Run in server mode and wait for commands on the @code{stdin}.
|
|
|
|
|
|
|
|
@item --call-dirmngr @var{command} [@var{args}]
|
|
|
|
@opindex call-dirmngr
|
|
|
|
Behave as a Dirmngr client issuing the request @var{command} with the
|
|
|
|
optional list of @var{args}. The output of the Dirmngr is printed
|
2004-02-04 19:13:16 +00:00
|
|
|
stdout. Please note that file names given as arguments should have an
|
2016-03-04 15:20:47 +00:00
|
|
|
absolute file name (i.e. commencing with @code{/}) because they are
|
2004-02-04 19:13:16 +00:00
|
|
|
passed verbatim to the Dirmngr and the working directory of the
|
|
|
|
Dirmngr might not be the same as the one of this client. Currently it
|
|
|
|
is not possible to pass data via stdin to the Dirmngr. @var{command}
|
|
|
|
should not contain spaces.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
This is command is required for certain maintaining tasks of the dirmngr
|
2004-09-30 08:38:32 +00:00
|
|
|
where a dirmngr must be able to call back to @command{gpgsm}. See the Dirmngr
|
2003-01-09 13:24:01 +00:00
|
|
|
manual for details.
|
|
|
|
|
|
|
|
@item --call-protect-tool @var{arguments}
|
|
|
|
@opindex call-protect-tool
|
|
|
|
Certain maintenance operations are done by an external program call
|
|
|
|
@command{gpg-protect-tool}; this is usually not installed in a directory
|
|
|
|
listed in the PATH variable. This command provides a simple wrapper to
|
|
|
|
access this tool. @var{arguments} are passed verbatim to this command;
|
2011-03-01 17:08:49 +01:00
|
|
|
use @samp{--help} to get a list of supported operations.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ******* CERTIFICATE MANAGEMENT **********
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Certificate Management
|
2006-08-17 18:01:25 +00:00
|
|
|
@subsection How to manage the certificates and keys
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@table @gnupgtabopt
|
2016-11-14 16:59:23 +01:00
|
|
|
@item --generate-key
|
|
|
|
@opindex generate-key
|
2016-12-15 12:44:52 +01:00
|
|
|
@itemx --gen-key
|
|
|
|
@opindex gen-key
|
2011-03-01 17:08:49 +01:00
|
|
|
This command allows the creation of a certificate signing request or a
|
|
|
|
self-signed certificate. It is commonly used along with the
|
|
|
|
@option{--output} option to save the created CSR or certificate into a
|
|
|
|
file. If used with the @option{--batch} a parameter file is used to
|
|
|
|
create the CSR or certificate and it is further possible to create
|
|
|
|
non-self-signed certificates.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --list-keys
|
2011-03-01 17:08:49 +01:00
|
|
|
@itemx -k
|
2003-01-09 13:24:01 +00:00
|
|
|
@opindex list-keys
|
|
|
|
List all available certificates stored in the local key database.
|
2004-08-18 14:38:47 +00:00
|
|
|
Note that the displayed data might be reformatted for better human
|
|
|
|
readability and illegal characters are replaced by safe substitutes.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --list-secret-keys
|
2004-04-26 08:09:25 +00:00
|
|
|
@itemx -K
|
2003-01-09 13:24:01 +00:00
|
|
|
@opindex list-secret-keys
|
2004-04-26 08:09:25 +00:00
|
|
|
List all available certificates for which a corresponding a secret key
|
|
|
|
is available.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --list-external-keys @var{pattern}
|
|
|
|
@opindex list-keys
|
|
|
|
List certificates matching @var{pattern} using an external server. This
|
2011-03-01 17:08:49 +01:00
|
|
|
utilizes the @code{dirmngr} service.
|
2004-04-26 08:09:25 +00:00
|
|
|
|
2006-09-13 15:57:30 +00:00
|
|
|
@item --list-chain
|
|
|
|
@opindex list-chain
|
|
|
|
Same as @option{--list-keys} but also prints all keys making up the chain.
|
|
|
|
|
|
|
|
|
2006-09-21 13:30:45 +00:00
|
|
|
@item --dump-cert
|
|
|
|
@itemx --dump-keys
|
|
|
|
@opindex dump-cert
|
2004-04-26 08:09:25 +00:00
|
|
|
@opindex dump-keys
|
|
|
|
List all available certificates stored in the local key database using a
|
|
|
|
format useful mainly for debugging.
|
|
|
|
|
2006-09-13 15:57:30 +00:00
|
|
|
@item --dump-chain
|
|
|
|
@opindex dump-chain
|
|
|
|
Same as @option{--dump-keys} but also prints all keys making up the chain.
|
|
|
|
|
2004-04-26 08:09:25 +00:00
|
|
|
@item --dump-secret-keys
|
|
|
|
@opindex dump-secret-keys
|
|
|
|
List all available certificates for which a corresponding a secret key
|
|
|
|
is available using a format useful mainly for debugging.
|
|
|
|
|
|
|
|
@item --dump-external-keys @var{pattern}
|
2004-08-18 14:38:47 +00:00
|
|
|
@opindex dump-external-keys
|
2004-04-26 08:09:25 +00:00
|
|
|
List certificates matching @var{pattern} using an external server.
|
|
|
|
This utilizes the @code{dirmngr} service. It uses a format useful
|
|
|
|
mainly for debugging.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2021-04-20 09:37:56 +02:00
|
|
|
@item --show-certs [@var{files}]
|
|
|
|
@opindex show-certs
|
|
|
|
This command takes certificate files as input and prints information
|
|
|
|
about them in the same format as @option{--dump-cert} does. Each file
|
|
|
|
may either contain a single binary certificate or several PEM encoded
|
|
|
|
certificates. If no files are given, the input is taken from stdin.
|
|
|
|
|
|
|
|
Please note that the listing format may be changed in future releases
|
|
|
|
and that the option @option{--with-colons} has currently no effect.
|
|
|
|
|
|
|
|
|
2004-04-28 08:59:34 +00:00
|
|
|
@item --keydb-clear-some-cert-flags
|
|
|
|
@opindex keydb-clear-some-cert-flags
|
|
|
|
This is a debugging aid to reset certain flags in the key database
|
2019-08-20 15:14:39 -04:00
|
|
|
which are used to cache certain certificate statuses. It is especially
|
2009-07-22 13:33:46 +00:00
|
|
|
useful if a bad CRL or a weird running OCSP responder did accidentally
|
2004-04-28 08:59:34 +00:00
|
|
|
revoke certificate. There is no security issue with this command
|
2004-09-30 08:38:32 +00:00
|
|
|
because @command{gpgsm} always make sure that the validity of a certificate is
|
2004-04-28 08:59:34 +00:00
|
|
|
checked right before it is used.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --delete-keys @var{pattern}
|
|
|
|
@opindex delete-keys
|
2008-10-13 09:29:20 +00:00
|
|
|
Delete the keys matching @var{pattern}. Note that there is no command
|
|
|
|
to delete the secret part of the key directly. In case you need to do
|
2008-10-14 18:18:21 +00:00
|
|
|
this, you should run the command @code{gpgsm --dump-secret-keys KEYID}
|
2008-10-13 09:29:20 +00:00
|
|
|
before you delete the key, copy the string of hex-digits in the
|
|
|
|
``keygrip'' line and delete the file consisting of these hex-digits
|
|
|
|
and the suffix @code{.key} from the @file{private-keys-v1.d} directory
|
|
|
|
below our GnuPG home directory (usually @file{~/.gnupg}).
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --export [@var{pattern}]
|
|
|
|
@opindex export
|
|
|
|
Export all certificates stored in the Keybox or those specified by the
|
2007-05-15 16:10:48 +00:00
|
|
|
optional @var{pattern}. Those pattern consist of a list of user ids
|
|
|
|
(@pxref{how-to-specify-a-user-id}). When used along with the
|
|
|
|
@option{--armor} option a few informational lines are prepended before
|
|
|
|
each block. There is one limitation: As there is no commonly agreed
|
2009-03-06 17:31:27 +00:00
|
|
|
upon way to pack more than one certificate into an ASN.1 structure,
|
|
|
|
the binary export (i.e. without using @option{armor}) works only for
|
|
|
|
the export of one certificate. Thus it is required to specify a
|
|
|
|
@var{pattern} which yields exactly one certificate. Ephemeral
|
|
|
|
certificate are only exported if all @var{pattern} are given as
|
|
|
|
fingerprints or keygrips.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-02-19 16:26:32 +00:00
|
|
|
@item --export-secret-key-p12 @var{key-id}
|
2014-06-03 18:57:33 +02:00
|
|
|
@opindex export-secret-key-p12
|
2018-02-22 16:39:52 +01:00
|
|
|
Export the private key and the certificate identified by @var{key-id}
|
2018-02-22 10:24:24 +01:00
|
|
|
using the PKCS#12 format. When used with the @code{--armor} option a few
|
2007-03-20 10:00:55 +00:00
|
|
|
informational lines are prepended to the output. Note, that the PKCS#12
|
2018-02-22 10:24:24 +01:00
|
|
|
format is not very secure and proper transport security should be used
|
|
|
|
to convey the exported key. (@xref{option --p12-charset}.)
|
2004-02-19 16:26:32 +00:00
|
|
|
|
2014-06-03 18:57:33 +02:00
|
|
|
@item --export-secret-key-p8 @var{key-id}
|
|
|
|
@itemx --export-secret-key-raw @var{key-id}
|
|
|
|
@opindex export-secret-key-p8
|
|
|
|
@opindex export-secret-key-raw
|
|
|
|
Export the private key of the certificate identified by @var{key-id}
|
|
|
|
with any encryption stripped. The @code{...-raw} command exports in
|
|
|
|
PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format.
|
|
|
|
When used with the @code{--armor} option a few informational lines are
|
|
|
|
prepended to the output. These commands are useful to prepare a key
|
|
|
|
for use on a TLS server.
|
|
|
|
|
2005-02-22 18:08:28 +00:00
|
|
|
@item --import [@var{files}]
|
|
|
|
@opindex import
|
|
|
|
Import the certificates from the PEM or binary encoded files as well as
|
|
|
|
from signed-only messages. This command may also be used to import a
|
|
|
|
secret key from a PKCS#12 file.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --learn-card
|
|
|
|
@opindex learn-card
|
|
|
|
Read information about the private keys from the smartcard and import
|
2006-08-17 18:01:25 +00:00
|
|
|
the certificates from there. This command utilizes the @command{gpg-agent}
|
|
|
|
and in turn the @command{scdaemon}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2016-12-13 17:49:47 +01:00
|
|
|
@item --change-passphrase @var{user_id}
|
|
|
|
@opindex change-passphrase
|
2016-12-15 12:44:52 +01:00
|
|
|
@itemx --passwd @var{user_id}
|
|
|
|
@opindex passwd
|
2003-01-09 13:24:01 +00:00
|
|
|
Change the passphrase of the private key belonging to the certificate
|
|
|
|
specified as @var{user_id}. Note, that changing the passphrase/PIN of a
|
|
|
|
smartcard is not yet supported.
|
|
|
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *************** OPTIONS ****************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *******************************************
|
|
|
|
@mansect options
|
2003-01-09 13:24:01 +00:00
|
|
|
@node GPGSM Options
|
|
|
|
@section Option Summary
|
|
|
|
|
2010-10-01 20:33:53 +00:00
|
|
|
@command{GPGSM} features a bunch of options to control the exact behaviour
|
2003-01-09 13:24:01 +00:00
|
|
|
and to change the default configuration.
|
|
|
|
|
2011-03-01 17:08:49 +01:00
|
|
|
@menu
|
2003-01-09 13:24:01 +00:00
|
|
|
* Configuration Options:: How to change the configuration.
|
|
|
|
* Certificate Options:: Certificate related options.
|
|
|
|
* Input and Output:: Input and Output.
|
|
|
|
* CMS Options:: How to change how the CMS is created.
|
2011-10-18 14:18:36 +02:00
|
|
|
* Esoteric Options:: Doing things one usually do not want to do.
|
2003-01-09 13:24:01 +00:00
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ******** CONFIGURATION OPTIONS **********
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Configuration Options
|
|
|
|
@subsection How to change the configuration
|
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
These options are used to change the configuration and are usually found
|
2003-01-09 13:24:01 +00:00
|
|
|
in the option file.
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
2013-04-18 14:40:43 +02:00
|
|
|
@anchor{gpgsm-option --options}
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --options @var{file}
|
|
|
|
@opindex options
|
|
|
|
Reads configuration from @var{file} instead of from the default
|
2004-02-04 19:13:16 +00:00
|
|
|
per-user configuration file. The default configuration file is named
|
|
|
|
@file{gpgsm.conf} and expected in the @file{.gnupg} directory directly
|
|
|
|
below the home directory of the user.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-18 13:05:39 +00:00
|
|
|
@include opt-homedir.texi
|
2004-12-20 16:17:25 +00:00
|
|
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item -v
|
|
|
|
@item --verbose
|
|
|
|
@opindex v
|
|
|
|
@opindex verbose
|
|
|
|
Outputs additional information while running.
|
|
|
|
You can increase the verbosity by giving several
|
2004-09-30 08:38:32 +00:00
|
|
|
verbose commands to @command{gpgsm}, such as @samp{-vv}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2022-01-27 15:13:16 +01:00
|
|
|
@item --keyserver @var{string}
|
2019-11-07 17:41:19 +01:00
|
|
|
@opindex keyserver
|
2022-01-27 15:13:16 +01:00
|
|
|
This is a deprecated option. It was used to add an LDAP server to use
|
|
|
|
for X.509 certificate and CRL lookup. The alias @option{--ldapserver}
|
|
|
|
existed from version 2.2.28 to 2.2.33 and 2.3.2 to 2.3.4 but is now
|
|
|
|
entirely ignored.
|
|
|
|
|
|
|
|
LDAP servers must be given in the configuration for @command{dirmngr}.
|
2019-11-09 11:29:59 +01:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --policy-file @var{filename}
|
|
|
|
@opindex policy-file
|
2019-06-09 17:33:09 -04:00
|
|
|
Change the default name of the policy file to @var{filename}. The
|
2019-06-14 16:49:27 +01:00
|
|
|
default name is @file{policies.txt}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@item --agent-program @var{file}
|
|
|
|
@opindex agent-program
|
|
|
|
Specify an agent program to be used for secret key operations. The
|
2014-10-30 09:55:51 +01:00
|
|
|
default value is determined by running the command @command{gpgconf}.
|
|
|
|
Note that the pipe symbol (@code{|}) is used for a regression test
|
|
|
|
suite hack and may thus not be used in the file name.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --dirmngr-program @var{file}
|
2014-03-12 18:24:52 +01:00
|
|
|
@opindex dirmngr-program
|
2003-01-09 13:24:01 +00:00
|
|
|
Specify a dirmngr program to be used for @acronym{CRL} checks. The
|
2016-06-14 14:57:49 +02:00
|
|
|
default value is @file{@value{BINDIR}/dirmngr}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-11-23 17:09:51 +00:00
|
|
|
@item --prefer-system-dirmngr
|
|
|
|
@opindex prefer-system-dirmngr
|
2017-07-01 14:28:08 +02:00
|
|
|
This option is obsolete and ignored.
|
2004-11-23 17:09:51 +00:00
|
|
|
|
2008-02-19 10:33:35 +00:00
|
|
|
@item --disable-dirmngr
|
|
|
|
Entirely disable the use of the Dirmngr.
|
|
|
|
|
2014-11-28 09:44:19 +01:00
|
|
|
@item --no-autostart
|
|
|
|
@opindex no-autostart
|
|
|
|
Do not start the gpg-agent or the dirmngr if it has not yet been
|
|
|
|
started and its service is required. This option is mostly useful on
|
|
|
|
machines where the connection to gpg-agent has been redirected to
|
|
|
|
another machines. If dirmngr is required on the remote machine, it
|
|
|
|
may be started manually using @command{gpgconf --launch dirmngr}.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --no-secmem-warning
|
|
|
|
@opindex no-secmem-warning
|
2011-10-18 14:18:36 +02:00
|
|
|
Do not print a warning when the so called "secure memory" cannot be used.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-09-29 16:16:47 +00:00
|
|
|
@item --log-file @var{file}
|
|
|
|
@opindex log-file
|
|
|
|
When running in server mode, append all logging output to @var{file}.
|
2016-08-29 11:45:47 +02:00
|
|
|
Use @file{socket://} to log to socket.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2023-03-08 15:10:52 +01:00
|
|
|
@item --log-time
|
|
|
|
@opindex log-time
|
|
|
|
Prefix all log output with a timestamp even if no log file is used.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@end table
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ******** CERTIFICATE OPTIONS ************
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Certificate Options
|
|
|
|
@subsection Certificate related options
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
|
|
|
@item --enable-policy-checks
|
|
|
|
@itemx --disable-policy-checks
|
|
|
|
@opindex enable-policy-checks
|
|
|
|
@opindex disable-policy-checks
|
|
|
|
By default policy checks are enabled. These options may be used to
|
|
|
|
change it.
|
|
|
|
|
|
|
|
@item --enable-crl-checks
|
|
|
|
@itemx --disable-crl-checks
|
|
|
|
@opindex enable-crl-checks
|
|
|
|
@opindex disable-crl-checks
|
2020-04-16 19:05:49 +02:00
|
|
|
By default the @acronym{CRL} checks are enabled and the DirMngr is
|
|
|
|
used to check for revoked certificates. The disable option is most
|
|
|
|
useful with an off-line network connection to suppress this check and
|
|
|
|
also to avoid that new certificates introduce a web bug by including a
|
|
|
|
certificate specific CRL DP. The disable option also disables an
|
|
|
|
issuer certificate lookup via the authorityInfoAccess property of the
|
|
|
|
certificate; the @option{--enable-issuer-key-retrieve} can be used
|
|
|
|
to make use of that property anyway.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2005-04-21 09:33:07 +00:00
|
|
|
@item --enable-trusted-cert-crl-check
|
|
|
|
@itemx --disable-trusted-cert-crl-check
|
|
|
|
@opindex enable-trusted-cert-crl-check
|
|
|
|
@opindex disable-trusted-cert-crl-check
|
|
|
|
By default the @acronym{CRL} for trusted root certificates are checked
|
|
|
|
like for any other certificates. This allows a CA to revoke its own
|
|
|
|
certificates voluntary without the need of putting all ever issued
|
|
|
|
certificates into a CRL. The disable option may be used to switch this
|
2011-10-18 14:18:36 +02:00
|
|
|
extra check off. Due to the caching done by the Dirmngr, there will not be
|
2005-04-21 09:33:07 +00:00
|
|
|
any noticeable performance gain. Note, that this also disables possible
|
2006-09-26 14:35:24 +00:00
|
|
|
OCSP checks for trusted root certificates. A more specific way of
|
|
|
|
disabling this check is by adding the ``relax'' keyword to the root CA
|
|
|
|
line of the @file{trustlist.txt}
|
|
|
|
|
2005-04-21 09:33:07 +00:00
|
|
|
|
2004-04-07 18:02:56 +00:00
|
|
|
@item --force-crl-refresh
|
|
|
|
@opindex force-crl-refresh
|
|
|
|
Tell the dirmngr to reload the CRL for each request. For better
|
|
|
|
performance, the dirmngr will actually optimize this by suppressing
|
2009-07-22 13:33:46 +00:00
|
|
|
the loading for short time intervals (e.g. 30 minutes). This option
|
2004-04-07 18:02:56 +00:00
|
|
|
is useful to make sure that a fresh CRL is available for certificates
|
|
|
|
hold in the keybox. The suggested way of doing this is by using it
|
2006-08-17 18:01:25 +00:00
|
|
|
along with the option @option{--with-validation} for a key listing
|
2011-03-01 17:08:49 +01:00
|
|
|
command. This option should not be used in a configuration file.
|
2004-04-07 18:02:56 +00:00
|
|
|
|
2020-03-27 21:11:25 +01:00
|
|
|
@item --enable-issuer-based-crl-check
|
|
|
|
@opindex enable-issuer-based-crl-check
|
|
|
|
Run a CRL check even for certificates which do not have any CRL
|
|
|
|
distribution point. This requires that a suitable LDAP server has
|
|
|
|
been configured in Dirmngr and that the CRL can be found using the
|
|
|
|
issuer. This option reverts to what GnuPG did up to version 2.2.20.
|
|
|
|
This option is in general not useful.
|
|
|
|
|
2003-12-01 10:53:40 +00:00
|
|
|
@item --enable-ocsp
|
|
|
|
@itemx --disable-ocsp
|
|
|
|
@opindex enable-ocsp
|
|
|
|
@opindex disable-ocsp
|
2011-10-18 14:18:36 +02:00
|
|
|
By default @acronym{OCSP} checks are disabled. The enable option may
|
2003-12-01 10:53:40 +00:00
|
|
|
be used to enable OCSP checks via Dirmngr. If @acronym{CRL} checks
|
2004-06-29 07:16:40 +00:00
|
|
|
are also enabled, CRLs will be used as a fallback if for some reason an
|
2011-10-18 14:18:36 +02:00
|
|
|
OCSP request will not succeed. Note, that you have to allow OCSP
|
2011-03-01 17:08:49 +01:00
|
|
|
requests in Dirmngr's configuration too (option
|
2011-10-18 14:18:36 +02:00
|
|
|
@option{--allow-ocsp}) and configure Dirmngr properly. If you do not do
|
2004-06-29 07:16:40 +00:00
|
|
|
so you will get the error code @samp{Not supported}.
|
2003-12-01 10:53:40 +00:00
|
|
|
|
2007-11-19 16:32:05 +00:00
|
|
|
@item --auto-issuer-key-retrieve
|
|
|
|
@opindex auto-issuer-key-retrieve
|
|
|
|
If a required certificate is missing while validating the chain of
|
|
|
|
certificates, try to load that certificate from an external location.
|
2009-07-22 13:33:46 +00:00
|
|
|
This usually means that Dirmngr is employed to search for the
|
2007-11-19 16:32:05 +00:00
|
|
|
certificate. Note that this option makes a "web bug" like behavior
|
|
|
|
possible. LDAP server operators can see which keys you request, so by
|
|
|
|
sending you a message signed by a brand new key (which you naturally
|
2023-03-08 10:57:25 +01:00
|
|
|
will not have on your local keybox), the operator can tell both your
|
|
|
|
IP address and the time when you verified the signature. Note that if
|
|
|
|
CRL checking is not disabled issuer certificates are retrieved in any
|
|
|
|
case using the caIssuers authorityInfoAccess method.
|
2007-11-19 16:32:05 +00:00
|
|
|
|
2007-08-10 16:52:05 +00:00
|
|
|
|
2015-06-29 11:03:58 +02:00
|
|
|
@anchor{gpgsm-option --validation-model}
|
2007-08-10 16:52:05 +00:00
|
|
|
@item --validation-model @var{name}
|
|
|
|
@opindex validation-model
|
|
|
|
This option changes the default validation model. The only possible
|
2011-12-07 16:15:15 +01:00
|
|
|
values are "shell" (which is the default), "chain" which forces the
|
|
|
|
use of the chain model and "steed" for a new simplified model. The
|
|
|
|
chain model is also used if an option in the @file{trustlist.txt} or
|
|
|
|
an attribute of the certificate requests it. However the standard
|
|
|
|
model (shell) is in that case always tried first.
|
2007-08-10 16:52:05 +00:00
|
|
|
|
2009-12-10 13:00:30 +00:00
|
|
|
@item --ignore-cert-extension @var{oid}
|
|
|
|
@opindex ignore-cert-extension
|
|
|
|
Add @var{oid} to the list of ignored certificate extensions. The
|
|
|
|
@var{oid} is expected to be in dotted decimal form, like
|
2009-12-17 17:25:26 +00:00
|
|
|
@code{2.5.29.3}. This option may be used more than once. Critical
|
2009-12-10 13:00:30 +00:00
|
|
|
flagged certificate extensions matching one of the OIDs in the list
|
|
|
|
are treated as if they are actually handled and thus the certificate
|
2011-10-18 14:18:36 +02:00
|
|
|
will not be rejected due to an unknown critical extension. Use this
|
2009-12-10 13:00:30 +00:00
|
|
|
option with care because extensions are usually flagged as critical
|
|
|
|
for a reason.
|
2007-08-10 16:52:05 +00:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@end table
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *********** INPUT AND OUTPUT ************
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Input and Output
|
|
|
|
@subsection Input and Output
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
@item --armor
|
|
|
|
@itemx -a
|
|
|
|
@opindex armor
|
2011-03-01 17:08:49 +01:00
|
|
|
Create PEM encoded output. Default is binary output.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2011-03-01 17:08:49 +01:00
|
|
|
@item --base64
|
2003-01-09 13:24:01 +00:00
|
|
|
@opindex base64
|
|
|
|
Create Base-64 encoded output; i.e. PEM without the header lines.
|
|
|
|
|
|
|
|
@item --assume-armor
|
|
|
|
@opindex assume-armor
|
|
|
|
Assume the input data is PEM encoded. Default is to autodetect the
|
|
|
|
encoding but this is may fail.
|
|
|
|
|
|
|
|
@item --assume-base64
|
|
|
|
@opindex assume-base64
|
|
|
|
Assume the input data is plain base-64 encoded.
|
|
|
|
|
|
|
|
@item --assume-binary
|
|
|
|
@opindex assume-binary
|
|
|
|
Assume the input data is binary encoded.
|
|
|
|
|
2007-03-20 10:00:55 +00:00
|
|
|
@anchor{option --p12-charset}
|
|
|
|
@item --p12-charset @var{name}
|
|
|
|
@opindex p12-charset
|
|
|
|
@command{gpgsm} uses the UTF-8 encoding when encoding passphrases for
|
|
|
|
PKCS#12 files. This option may be used to force the passphrase to be
|
|
|
|
encoded in the specified encoding @var{name}. This is useful if the
|
|
|
|
application used to import the key uses a different encoding and thus
|
2011-10-18 14:18:36 +02:00
|
|
|
will not be able to import a file generated by @command{gpgsm}. Commonly
|
2007-03-20 10:00:55 +00:00
|
|
|
used values for @var{name} are @code{Latin1} and @code{CP850}. Note
|
|
|
|
that @command{gpgsm} itself automagically imports any file with a
|
|
|
|
passphrase encoded to the most commonly used encodings.
|
|
|
|
|
|
|
|
|
2007-07-17 18:11:24 +00:00
|
|
|
@item --default-key @var{user_id}
|
|
|
|
@opindex default-key
|
|
|
|
Use @var{user_id} as the standard key for signing. This key is used if
|
|
|
|
no other key has been defined as a signing key. Note, that the first
|
|
|
|
@option{--local-users} option also sets this key if it has not yet been
|
|
|
|
set; however @option{--default-key} always overrides this.
|
|
|
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --local-user @var{user_id}
|
|
|
|
@item -u @var{user_id}
|
|
|
|
@opindex local-user
|
|
|
|
Set the user(s) to be used for signing. The default is the first
|
|
|
|
secret key found in the database.
|
|
|
|
|
2006-09-08 17:02:06 +00:00
|
|
|
|
|
|
|
@item --recipient @var{name}
|
|
|
|
@itemx -r
|
|
|
|
@opindex recipient
|
|
|
|
Encrypt to the user id @var{name}. There are several ways a user id
|
|
|
|
may be given (@pxref{how-to-specify-a-user-id}).
|
|
|
|
|
|
|
|
|
2006-08-29 16:18:30 +00:00
|
|
|
@item --output @var{file}
|
|
|
|
@itemx -o @var{file}
|
|
|
|
@opindex output
|
|
|
|
Write output to @var{file}. The default is to write it to stdout.
|
|
|
|
|
|
|
|
|
2015-06-29 11:03:58 +02:00
|
|
|
@anchor{gpgsm-option --with-key-data}
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --with-key-data
|
|
|
|
@opindex with-key-data
|
|
|
|
Displays extra information with the @code{--list-keys} commands. Especially
|
|
|
|
a line tagged @code{grp} is printed which tells you the keygrip of a
|
2004-02-04 19:13:16 +00:00
|
|
|
key. This string is for example used as the file name of the
|
2017-05-31 12:11:56 +02:00
|
|
|
secret key. Implies @code{--with-colons}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2015-06-29 11:03:58 +02:00
|
|
|
@anchor{gpgsm-option --with-validation}
|
2004-02-17 15:04:49 +00:00
|
|
|
@item --with-validation
|
|
|
|
@opindex with-validation
|
|
|
|
When doing a key listing, do a full validation check for each key and
|
|
|
|
print the result. This is usually a slow operation because it
|
2011-03-01 17:08:49 +01:00
|
|
|
requires a CRL lookup and other operations.
|
2004-08-17 15:26:22 +00:00
|
|
|
|
2016-03-04 16:38:09 +00:00
|
|
|
When used along with @option{--import}, a validation of the certificate to
|
2004-08-17 15:26:22 +00:00
|
|
|
import is done and only imported if it succeeds the test. Note that
|
2009-07-22 13:33:46 +00:00
|
|
|
this does not affect an already available certificate in the DB.
|
2004-08-17 15:26:22 +00:00
|
|
|
This option is therefore useful to simply verify a certificate.
|
|
|
|
|
2004-02-17 15:04:49 +00:00
|
|
|
|
|
|
|
@item --with-md5-fingerprint
|
|
|
|
For standard key listings, also print the MD5 fingerprint of the
|
|
|
|
certificate.
|
|
|
|
|
2010-10-08 11:11:08 +00:00
|
|
|
@item --with-keygrip
|
|
|
|
Include the keygrip in standard key listings. Note that the keygrip is
|
2016-03-04 16:38:09 +00:00
|
|
|
always listed in @option{--with-colons} mode.
|
2010-10-08 11:11:08 +00:00
|
|
|
|
2014-06-03 21:35:59 +02:00
|
|
|
@item --with-secret
|
|
|
|
@opindex with-secret
|
|
|
|
Include info about the presence of a secret key in public key listings
|
|
|
|
done with @code{--with-colons}.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@end table
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ************* CMS OPTIONS ***************
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node CMS Options
|
2016-03-04 14:45:19 +00:00
|
|
|
@subsection How to change how the CMS is created
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
@item --include-certs @var{n}
|
2006-10-23 14:02:13 +00:00
|
|
|
@opindex include-certs
|
2003-01-09 13:24:01 +00:00
|
|
|
Using @var{n} of -2 includes all certificate except for the root cert,
|
2010-10-01 20:33:53 +00:00
|
|
|
-1 includes all certs, 0 does not include any certs, 1 includes only the
|
|
|
|
signers cert and all other positive values include up to @var{n}
|
|
|
|
certificates starting with the signer cert. The default is -2.
|
2006-10-23 14:02:13 +00:00
|
|
|
|
|
|
|
@item --cipher-algo @var{oid}
|
|
|
|
@opindex cipher-algo
|
|
|
|
Use the cipher algorithm with the ASN.1 object identifier @var{oid} for
|
|
|
|
encryption. For convenience the strings @code{3DES}, @code{AES} and
|
|
|
|
@code{AES256} may be used instead of their OIDs. The default is
|
2015-03-25 10:16:37 +01:00
|
|
|
@code{AES} (2.16.840.1.101.3.4.1.2).
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2009-03-26 19:27:04 +00:00
|
|
|
@item --digest-algo @code{name}
|
|
|
|
Use @code{name} as the message digest algorithm. Usually this
|
|
|
|
algorithm is deduced from the respective signing certificate. This
|
|
|
|
option forces the use of the given algorithm and may lead to severe
|
|
|
|
interoperability problems.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c ******** ESOTERIC OPTIONS ***************
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Esoteric Options
|
2016-03-04 14:45:19 +00:00
|
|
|
@subsection Doing things one usually do not want to do
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
2020-08-06 16:02:59 +02:00
|
|
|
@item --chuid @var{uid}
|
|
|
|
@opindex chuid
|
|
|
|
Change the current user to @var{uid} which may either be a number or a
|
|
|
|
name. This can be used from the root account to run gpgsm for
|
|
|
|
another user. If @var{uid} is not the current UID a standard PATH is
|
|
|
|
set and the envvar GNUPGHOME is unset. To override the latter the
|
|
|
|
option @option{--homedir} can be used. This option has only an effect
|
|
|
|
when used on the command line. This option has currently no effect at
|
|
|
|
all on Windows.
|
|
|
|
|
|
|
|
|
2007-12-13 15:45:40 +00:00
|
|
|
@item --extra-digest-algo @var{name}
|
|
|
|
@opindex extra-digest-algo
|
|
|
|
Sometimes signatures are broken in that they announce a different digest
|
|
|
|
algorithm than actually used. @command{gpgsm} uses a one-pass data
|
2009-07-22 13:33:46 +00:00
|
|
|
processing model and thus needs to rely on the announced digest
|
2007-12-13 15:45:40 +00:00
|
|
|
algorithms to properly hash the data. As a workaround this option may
|
2016-03-04 16:27:21 +00:00
|
|
|
be used to tell @command{gpgsm} to also hash the data using the algorithm
|
More cleanup of "allow to".
* README, agent/command.c, agent/keyformat.txt, common/i18n.c,
common/iobuf.c, common/keyserver.h, dirmngr/cdblib.c,
dirmngr/ldap-wrapper.c, doc/DETAILS, doc/TRANSLATE,
doc/announce-2.1.txt, doc/gpg.texi, doc/gpgsm.texi,
doc/scdaemon.texi, doc/tools.texi, doc/whats-new-in-2.1.txt,
g10/export.c, g10/getkey.c, g10/import.c, g10/keyedit.c, m4/ksba.m4,
m4/libgcrypt.m4, m4/ntbtls.m4, po/ca.po, po/cs.po, po/da.po,
po/de.po, po/el.po, po/eo.po, po/es.po, po/et.po, po/fi.po,
po/fr.po, po/gl.po, po/hu.po, po/id.po, po/it.po, po/ja.po,
po/nb.po, po/pl.po, po/pt.po, po/ro.po, po/ru.po, po/sk.po,
po/sv.po, po/tr.po, po/uk.po, po/zh_CN.po, po/zh_TW.po,
scd/app-p15.c, scd/ccid-driver.c, scd/command.c, sm/gpgsm.c,
sm/sign.c, tools/gpgconf-comp.c, tools/gpgtar.h: replace "Allow to"
with clearer text.
In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something. When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.
These changes should make the language a bit clearer.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-01 22:19:17 -04:00
|
|
|
@var{name}; this slows processing down a little bit but allows verification of
|
2007-12-13 15:45:40 +00:00
|
|
|
such broken signatures. If @command{gpgsm} prints an error like
|
|
|
|
``digest algo 8 has not been enabled'' you may want to try this option,
|
|
|
|
with @samp{SHA256} for @var{name}.
|
|
|
|
|
2021-11-18 20:44:14 +01:00
|
|
|
@item --compliance @var{string}
|
|
|
|
@opindex compliance
|
|
|
|
Set the compliance mode. Valid values are shown when using "help" for
|
|
|
|
@var{string}.
|
|
|
|
|
|
|
|
@item --min-rsa-length @var{n}
|
|
|
|
@opindex min-rsa-length
|
|
|
|
This option adjusts the compliance mode "de-vs" for stricter key size
|
|
|
|
requirements. For example, a value of 3000 turns rsa2048 and dsa2048
|
|
|
|
keys into non-VS-NfD compliant keys.
|
2007-12-13 15:45:40 +00:00
|
|
|
|
2022-03-08 19:06:30 +01:00
|
|
|
@item --require-compliance
|
|
|
|
@opindex require-compliance
|
|
|
|
To check that data has been encrypted according to the rules of the
|
|
|
|
current compliance mode, a gpgsm user needs to evaluate the status
|
|
|
|
lines. This is allows frontends to handle compliance check in a more
|
|
|
|
flexible way. However, for scripted use the required evaluation of
|
|
|
|
the status-line requires quite some effort; this option can be used
|
|
|
|
instead to make sure that the gpgsm process exits with a failure if
|
|
|
|
the compliance rules are not fulfilled. Note that this option has
|
|
|
|
currently an effect only in "de-vs" mode.
|
|
|
|
|
2022-02-03 14:14:14 +01:00
|
|
|
@item --ignore-cert-with-oid @var{oid}
|
|
|
|
@opindex ignore-cert-with-oid
|
|
|
|
Add @var{oid} to the list of OIDs to be checked while reading
|
|
|
|
certificates from smartcards. The @var{oid} is expected to be in
|
|
|
|
dotted decimal form, like @code{2.5.29.3}. This option may be used
|
|
|
|
more than once. As of now certificates with an extended key usage
|
|
|
|
matching one of those OIDs are ignored during a @option{--learn-card}
|
|
|
|
operation and not imported. This option can help to keep the local
|
|
|
|
key database clear of unneeded certificates stored on smartcards.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --faked-system-time @var{epoch}
|
|
|
|
@opindex faked-system-time
|
|
|
|
This option is only useful for testing; it sets the system time back or
|
|
|
|
forth to @var{epoch} which is the number of seconds elapsed since the year
|
2009-07-22 13:33:46 +00:00
|
|
|
1970. Alternatively @var{epoch} may be given as a full ISO time string
|
2007-08-10 16:52:05 +00:00
|
|
|
(e.g. "20070924T154812").
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-08-06 16:14:10 +00:00
|
|
|
@item --with-ephemeral-keys
|
|
|
|
@opindex with-ephemeral-keys
|
2009-03-06 17:31:27 +00:00
|
|
|
Include ephemeral flagged keys in the output of key listings. Note
|
|
|
|
that they are included anyway if the key specification for a listing
|
|
|
|
is given as fingerprint or keygrip.
|
2004-08-06 16:14:10 +00:00
|
|
|
|
2022-06-13 17:46:40 +02:00
|
|
|
@item --compatibility-flags @var{flags}
|
|
|
|
@opindex compatibility-flags
|
|
|
|
Set compatibility flags to work around problems due to non-compliant
|
|
|
|
certificates or data. The @var{flags} are given as a comma separated
|
|
|
|
list of flag names and are OR-ed together. The special flag "none"
|
|
|
|
clears the list and allows to start over with an empty list. To get a
|
|
|
|
list of available flags the sole word "help" can be used.
|
|
|
|
|
2004-02-18 16:58:29 +00:00
|
|
|
@item --debug-level @var{level}
|
|
|
|
@opindex debug-level
|
|
|
|
Select the debug level for investigating problems. @var{level} may be
|
2009-12-03 18:04:40 +00:00
|
|
|
a numeric value or by a keyword:
|
2004-02-18 16:58:29 +00:00
|
|
|
|
2006-09-08 17:02:06 +00:00
|
|
|
@table @code
|
|
|
|
@item none
|
2009-12-03 18:04:40 +00:00
|
|
|
No debugging at all. A value of less than 1 may be used instead of
|
|
|
|
the keyword.
|
2011-03-01 17:08:49 +01:00
|
|
|
@item basic
|
2009-12-03 18:04:40 +00:00
|
|
|
Some basic debug messages. A value between 1 and 2 may be used
|
|
|
|
instead of the keyword.
|
2006-09-08 17:02:06 +00:00
|
|
|
@item advanced
|
2009-12-03 18:04:40 +00:00
|
|
|
More verbose debug messages. A value between 3 and 5 may be used
|
|
|
|
instead of the keyword.
|
2006-09-08 17:02:06 +00:00
|
|
|
@item expert
|
2009-12-03 18:04:40 +00:00
|
|
|
Even more detailed messages. A value between 6 and 8 may be used
|
|
|
|
instead of the keyword.
|
2006-09-08 17:02:06 +00:00
|
|
|
@item guru
|
2009-12-03 18:04:40 +00:00
|
|
|
All of the debug messages you can get. A value greater than 8 may be
|
|
|
|
used instead of the keyword. The creation of hash tracing files is
|
|
|
|
only enabled if the keyword is used.
|
2006-09-08 17:02:06 +00:00
|
|
|
@end table
|
2004-02-18 16:58:29 +00:00
|
|
|
|
|
|
|
How these messages are mapped to the actual debugging flags is not
|
2008-01-28 08:03:08 +00:00
|
|
|
specified and may change with newer releases of this program. They are
|
2004-02-18 16:58:29 +00:00
|
|
|
however carefully selected to best aid in debugging.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --debug @var{flags}
|
|
|
|
@opindex debug
|
2019-09-05 13:12:14 +02:00
|
|
|
Set debug flags. All flags are or-ed and @var{flags} may be given
|
|
|
|
in C syntax (e.g. 0x0042) or as a comma separated list of flag names.
|
|
|
|
To get a list of all supported flags the single word "help" can be
|
|
|
|
used. This option is only useful for debugging and the behavior may
|
|
|
|
change at any time without notice.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
Note, that all flags set using this option may get overridden by
|
2004-02-18 16:58:29 +00:00
|
|
|
@code{--debug-level}.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@item --debug-all
|
|
|
|
@opindex debug-all
|
|
|
|
Same as @code{--debug=0xffffffff}
|
|
|
|
|
2004-05-11 09:54:52 +00:00
|
|
|
@item --debug-allow-core-dump
|
|
|
|
@opindex debug-allow-core-dump
|
2004-09-30 08:38:32 +00:00
|
|
|
Usually @command{gpgsm} tries to avoid dumping core by well written code and by
|
2004-05-11 09:54:52 +00:00
|
|
|
disabling core dumps for security reasons. However, bugs are pretty
|
|
|
|
durable beasts and to squash them it is sometimes useful to have a core
|
|
|
|
dump. This option enables core dumps unless the Bad Thing happened
|
|
|
|
before the option parsing.
|
|
|
|
|
2004-02-04 19:13:16 +00:00
|
|
|
@item --debug-no-chain-validation
|
|
|
|
@opindex debug-no-chain-validation
|
2003-01-09 13:24:01 +00:00
|
|
|
This is actually not a debugging option but only useful as such. It
|
2004-09-30 08:38:32 +00:00
|
|
|
lets @command{gpgsm} bypass all certificate chain validation checks.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-02-20 13:46:21 +00:00
|
|
|
@item --debug-ignore-expiration
|
|
|
|
@opindex debug-ignore-expiration
|
|
|
|
This is actually not a debugging option but only useful as such. It
|
2009-07-22 13:33:46 +00:00
|
|
|
lets @command{gpgsm} ignore all notAfter dates, this is used by the regression
|
2004-02-20 13:46:21 +00:00
|
|
|
tests.
|
|
|
|
|
2016-03-07 18:09:41 +01:00
|
|
|
@item --passphrase-fd @code{n}
|
|
|
|
@opindex passphrase-fd
|
|
|
|
Read the passphrase from file descriptor @code{n}. Only the first line
|
|
|
|
will be read from file descriptor @code{n}. If you use 0 for @code{n},
|
|
|
|
the passphrase will be read from STDIN. This can only be used if only
|
|
|
|
one passphrase is supplied.
|
|
|
|
|
|
|
|
Note that this passphrase is only used if the option @option{--batch}
|
|
|
|
has also been given.
|
|
|
|
|
|
|
|
@item --pinentry-mode @code{mode}
|
|
|
|
@opindex pinentry-mode
|
|
|
|
Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
|
|
|
|
are:
|
|
|
|
@table @asis
|
|
|
|
@item default
|
|
|
|
Use the default of the agent, which is @code{ask}.
|
|
|
|
@item ask
|
|
|
|
Force the use of the Pinentry.
|
|
|
|
@item cancel
|
|
|
|
Emulate use of Pinentry's cancel button.
|
|
|
|
@item error
|
|
|
|
Return a Pinentry error (``No Pinentry'').
|
|
|
|
@item loopback
|
|
|
|
Redirect Pinentry queries to the caller. Note that in contrast to
|
|
|
|
Pinentry the user is not prompted again if he enters a bad password.
|
|
|
|
@end table
|
|
|
|
|
2018-03-23 09:06:20 +01:00
|
|
|
@item --request-origin @var{origin}
|
|
|
|
@opindex request-origin
|
|
|
|
Tell gpgsm to assume that the operation ultimately originated at
|
|
|
|
@var{origin}. Depending on the origin certain restrictions are applied
|
|
|
|
and the Pinentry may include an extra note on the origin. Supported
|
|
|
|
values for @var{origin} are: @code{local} which is the default,
|
|
|
|
@code{remote} to indicate a remote origin or @code{browser} for an
|
|
|
|
operation requested by a web browser.
|
|
|
|
|
2008-02-19 10:33:35 +00:00
|
|
|
@item --no-common-certs-import
|
|
|
|
@opindex no-common-certs-import
|
|
|
|
Suppress the import of common certificates on keybox creation.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
@end table
|
|
|
|
|
|
|
|
All the long options may also be given in the configuration file after
|
|
|
|
stripping off the two leading dashes.
|
|
|
|
|
2006-09-08 17:02:06 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *************** USER ID ****************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *******************************************
|
|
|
|
@mansect how to specify a user id
|
|
|
|
@ifset isman
|
|
|
|
@include specify-user-id.texi
|
|
|
|
@end ifset
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *************** FILES ****************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *******************************************
|
|
|
|
@mansect files
|
2006-02-14 13:34:23 +00:00
|
|
|
@node GPGSM Configuration
|
|
|
|
@section Configuration files
|
|
|
|
|
|
|
|
There are a few configuration files to control certain aspects of
|
|
|
|
@command{gpgsm}'s operation. Unless noted, they are expected in the
|
|
|
|
current home directory (@pxref{option --homedir}).
|
|
|
|
|
|
|
|
@table @file
|
|
|
|
|
|
|
|
@item gpgsm.conf
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex gpgsm.conf
|
2006-02-14 13:34:23 +00:00
|
|
|
This is the standard configuration file read by @command{gpgsm} on
|
|
|
|
startup. It may contain any valid long option; the leading two dashes
|
|
|
|
may not be entered and the option may not be abbreviated. This default
|
2013-04-18 14:40:43 +02:00
|
|
|
name may be changed on the command line (@pxref{gpgsm-option --options}).
|
|
|
|
You should backup this file.
|
2009-07-22 10:24:46 +00:00
|
|
|
|
2021-04-19 11:33:19 +02:00
|
|
|
@item common.conf
|
|
|
|
@efindex common.conf
|
|
|
|
This is an optional configuration file read by @command{gpgsm} on
|
|
|
|
startup. It may contain options pertaining to all components of
|
|
|
|
GnuPG. Its current main use is for the "use-keyboxd" option.
|
2006-02-14 13:34:23 +00:00
|
|
|
|
|
|
|
@item policies.txt
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex policies.txt
|
2006-02-14 13:34:23 +00:00
|
|
|
This is a list of allowed CA policies. This file should list the
|
|
|
|
object identifiers of the policies line by line. Empty lines and
|
|
|
|
lines starting with a hash mark are ignored. Policies missing in this
|
|
|
|
file and not marked as critical in the certificate will print only a
|
|
|
|
warning; certificates with policies marked as critical and not listed
|
2009-07-22 10:24:46 +00:00
|
|
|
in this file will fail the signature verification. You should backup
|
|
|
|
this file.
|
2006-02-14 13:34:23 +00:00
|
|
|
|
|
|
|
For example, to allow only the policy 2.289.9.9, the file should look
|
|
|
|
like this:
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c man:.RS
|
2006-02-14 13:34:23 +00:00
|
|
|
@example
|
|
|
|
# Allowed policies
|
2011-03-01 17:08:49 +01:00
|
|
|
2.289.9.9
|
2006-02-14 13:34:23 +00:00
|
|
|
@end example
|
2006-08-17 18:01:25 +00:00
|
|
|
@c man:.RE
|
2006-02-14 13:34:23 +00:00
|
|
|
|
|
|
|
@item qualified.txt
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex qualified.txt
|
2006-02-14 13:34:23 +00:00
|
|
|
This is the list of root certificates used for qualified certificates.
|
|
|
|
They are defined as certificates capable of creating legally binding
|
|
|
|
signatures in the same way as handwritten signatures are. Comments
|
|
|
|
start with a hash mark and empty lines are ignored. Lines do have a
|
|
|
|
length limit but this is not a serious limitation as the format of the
|
2016-03-04 16:38:09 +00:00
|
|
|
entries is fixed and checked by @command{gpgsm}: A non-comment line starts with
|
2016-03-04 15:20:47 +00:00
|
|
|
optional whitespace, followed by exactly 40 hex characters, white space
|
2006-02-14 13:34:23 +00:00
|
|
|
and a lowercased 2 letter country code. Additional data delimited with
|
|
|
|
by a white space is current ignored but might late be used for other
|
|
|
|
purposes.
|
|
|
|
|
|
|
|
Note that even if a certificate is listed in this file, this does not
|
2007-12-06 19:02:42 +00:00
|
|
|
mean that the certificate is trusted; in general the certificates listed
|
2017-09-01 22:19:26 +03:00
|
|
|
in this file need to be listed also in @file{trustlist.txt}. This is a global
|
|
|
|
file an installed in the sysconf directory (e.g.
|
|
|
|
@file{@value{SYSCONFDIR}/qualified.txt}).
|
2006-02-14 13:34:23 +00:00
|
|
|
|
Fix more spelling
* NEWS, acinclude.m4, agent/command-ssh.c, agent/command.c,
agent/gpg-agent.c, agent/keyformat.txt, agent/protect-tool.c,
common/asshelp.c, common/b64enc.c, common/recsel.c, doc/DETAILS,
doc/HACKING, doc/Notes, doc/TRANSLATE, doc/dirmngr.texi,
doc/faq.org, doc/gpg-agent.texi, doc/gpg.texi, doc/gpgsm.texi,
doc/instguide.texi, g10/armor.c, g10/gpg.c, g10/keyedit.c,
g10/mainproc.c, g10/pkclist.c, g10/tofu.c, g13/sh-cmd.c,
g13/sh-dmcrypt.c, kbx/keybox-init.c, m4/pkg.m4, sm/call-dirmngr.c,
sm/gpgsm.c, tests/Makefile.am, tests/gpgscm/Manual.txt,
tests/gpgscm/scheme.c, tests/openpgp/gpgv-forged-keyring.scm,
tests/openpgp/multisig.test, tests/openpgp/verify.scm,
tests/pkits/README, tools/applygnupgdefaults,
tools/gpg-connect-agent.c, tools/mime-maker.c, tools/mime-parser.c:
minor spelling cleanup.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-09-15 14:21:15 -04:00
|
|
|
Every time @command{gpgsm} uses a certificate for signing or verification
|
2006-02-14 13:34:23 +00:00
|
|
|
this file will be consulted to check whether the certificate under
|
|
|
|
question has ultimately been issued by one of these CAs. If this is the
|
|
|
|
case the user will be informed that the verified signature represents a
|
|
|
|
legally binding (``qualified'') signature. When creating a signature
|
|
|
|
using such a certificate an extra prompt will be issued to let the user
|
|
|
|
confirm that such a legally binding signature shall really be created.
|
|
|
|
|
|
|
|
Because this software has not yet been approved for use with such
|
|
|
|
certificates, appropriate notices will be shown to indicate this fact.
|
|
|
|
|
2007-12-06 19:02:42 +00:00
|
|
|
@item help.txt
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex help.txt
|
2011-03-01 17:08:49 +01:00
|
|
|
This is plain text file with a few help entries used with
|
2007-12-06 19:02:42 +00:00
|
|
|
@command{pinentry} as well as a large list of help items for
|
|
|
|
@command{gpg} and @command{gpgsm}. The standard file has English help
|
|
|
|
texts; to install localized versions use filenames like @file{help.LL.txt}
|
|
|
|
with LL denoting the locale. GnuPG comes with a set of predefined help
|
2015-06-09 21:29:15 +02:00
|
|
|
files in the data directory (e.g. @file{@value{DATADIR}/gnupg/help.de.txt})
|
2007-12-06 19:02:42 +00:00
|
|
|
and allows overriding of any help item by help files stored in the
|
2015-06-09 21:29:15 +02:00
|
|
|
system configuration directory (e.g. @file{@value{SYSCONFDIR}/help.de.txt}).
|
2007-12-06 19:02:42 +00:00
|
|
|
For a reference of the help file's syntax, please see the installed
|
|
|
|
@file{help.txt} file.
|
|
|
|
|
|
|
|
|
2008-08-01 10:51:11 +00:00
|
|
|
@item com-certs.pem
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex com-certs.pem
|
2008-08-01 10:51:11 +00:00
|
|
|
This file is a collection of common certificates used to populated a
|
|
|
|
newly created @file{pubring.kbx}. An administrator may replace this
|
|
|
|
file with a custom one. The format is a concatenation of PEM encoded
|
|
|
|
X.509 certificates. This global file is installed in the data directory
|
2015-06-09 21:29:15 +02:00
|
|
|
(e.g. @file{@value{DATADIR}/com-certs.pem}).
|
2008-08-01 10:51:11 +00:00
|
|
|
|
2006-02-14 13:34:23 +00:00
|
|
|
@end table
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c man:.RE
|
2006-02-14 13:34:23 +00:00
|
|
|
Note that on larger installations, it is useful to put predefined files
|
|
|
|
into the directory @file{/etc/skel/.gnupg/} so that newly created users
|
2009-07-22 13:33:46 +00:00
|
|
|
start up with a working configuration. For existing users a small
|
2006-02-14 13:34:23 +00:00
|
|
|
helper script is provided to create these files (@pxref{addgnupghome}).
|
|
|
|
|
2016-03-04 16:38:09 +00:00
|
|
|
For internal purposes @command{gpgsm} creates and maintains a few other files;
|
2017-02-20 16:19:50 -05:00
|
|
|
they all live in the current home directory (@pxref{option
|
2006-02-14 13:34:23 +00:00
|
|
|
--homedir}). Only @command{gpgsm} may modify these files.
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
2006-02-14 13:34:23 +00:00
|
|
|
@table @file
|
|
|
|
@item pubring.kbx
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex pubring.kbx
|
2006-02-14 13:34:23 +00:00
|
|
|
This a database file storing the certificates as well as meta
|
|
|
|
information. For debugging purposes the tool @command{kbxutil} may be
|
2009-07-22 10:24:46 +00:00
|
|
|
used to show the internal structure of this file. You should backup
|
|
|
|
this file.
|
2008-08-01 10:51:11 +00:00
|
|
|
|
2006-02-14 13:34:23 +00:00
|
|
|
@item random_seed
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex random_seed
|
2006-02-14 13:34:23 +00:00
|
|
|
This content of this file is used to maintain the internal state of the
|
2009-07-22 13:33:46 +00:00
|
|
|
random number generator across invocations. The same file is used by
|
2006-02-14 13:34:23 +00:00
|
|
|
other programs of this software too.
|
|
|
|
|
2007-06-14 17:05:07 +00:00
|
|
|
@item S.gpg-agent
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex S.gpg-agent
|
2014-10-03 11:58:58 +02:00
|
|
|
If this file exists
|
|
|
|
@command{gpgsm} will first try to connect to this socket for
|
2007-06-14 17:05:07 +00:00
|
|
|
accessing @command{gpg-agent} before starting a new @command{gpg-agent}
|
|
|
|
instance. Under Windows this socket (which in reality be a plain file
|
2009-07-22 13:33:46 +00:00
|
|
|
describing a regular TCP listening port) is the standard way of
|
2007-06-14 17:05:07 +00:00
|
|
|
connecting the @command{gpg-agent}.
|
|
|
|
|
2006-02-14 13:34:23 +00:00
|
|
|
@end table
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *************** EXAMPLES ****************
|
|
|
|
@c *************** ****************
|
|
|
|
@c *******************************************
|
|
|
|
@mansect examples
|
2003-01-09 13:24:01 +00:00
|
|
|
@node GPGSM Examples
|
|
|
|
@section Examples
|
|
|
|
|
|
|
|
@example
|
|
|
|
$ gpgsm -er goo@@bar.net <plaintext >ciphertext
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** **************
|
|
|
|
@c *************** UNATTENDED **************
|
|
|
|
@c *************** **************
|
|
|
|
@c *******************************************
|
2011-03-01 17:08:49 +01:00
|
|
|
@manpause
|
2003-01-09 13:24:01 +00:00
|
|
|
@node Unattended Usage
|
|
|
|
@section Unattended Usage
|
|
|
|
|
2004-09-30 08:38:32 +00:00
|
|
|
@command{gpgsm} is often used as a backend engine by other software. To help
|
2003-01-09 13:24:01 +00:00
|
|
|
with this a machine interface has been defined to have an unambiguous
|
|
|
|
way to do this. This is most likely used with the @code{--server} command
|
|
|
|
but may also be used in the standard operation mode by using the
|
|
|
|
@code{--status-fd} option.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Automated signature checking:: Automated signature checking.
|
2011-03-01 17:08:49 +01:00
|
|
|
* CSR and certificate creation:: CSR and certificate creation.
|
2003-01-09 13:24:01 +00:00
|
|
|
@end menu
|
|
|
|
|
2013-04-25 12:00:16 +01:00
|
|
|
@node Automated signature checking
|
|
|
|
@subsection Automated signature checking
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
It is very important to understand the semantics used with signature
|
|
|
|
verification. Checking a signature is not as simple as it may sound and
|
2009-07-22 13:33:46 +00:00
|
|
|
so the operation is a bit complicated. In most cases it is required
|
2003-01-09 13:24:01 +00:00
|
|
|
to look at several status lines. Here is a table of all cases a signed
|
|
|
|
message may have:
|
|
|
|
|
|
|
|
@table @asis
|
|
|
|
@item The signature is valid
|
|
|
|
This does mean that the signature has been successfully verified, the
|
|
|
|
certificates are all sane. However there are two subcases with
|
|
|
|
important information: One of the certificates may have expired or a
|
|
|
|
signature of a message itself as expired. It is a sound practise to
|
|
|
|
consider such a signature still as valid but additional information
|
2004-09-30 08:38:32 +00:00
|
|
|
should be displayed. Depending on the subcase @command{gpgsm} will issue
|
2003-01-09 13:24:01 +00:00
|
|
|
these status codes:
|
2011-03-01 17:08:49 +01:00
|
|
|
@table @asis
|
2003-01-09 13:24:01 +00:00
|
|
|
@item signature valid and nothing did expire
|
|
|
|
@code{GOODSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
|
|
|
|
@item signature valid but at least one certificate has expired
|
|
|
|
@code{EXPKEYSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
|
|
|
|
@item signature valid but expired
|
|
|
|
@code{EXPSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
|
|
|
|
Note, that this case is currently not implemented.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
@item The signature is invalid
|
|
|
|
This means that the signature verification failed (this is an indication
|
2016-03-04 15:20:47 +00:00
|
|
|
of a transfer error, a program error or tampering with the message).
|
2004-09-30 08:38:32 +00:00
|
|
|
@command{gpgsm} issues one of these status codes sequences:
|
2003-01-09 13:24:01 +00:00
|
|
|
@table @code
|
|
|
|
@item @code{BADSIG}
|
|
|
|
@item @code{GOODSIG}, @code{VALIDSIG} @code{TRUST_NEVER}
|
|
|
|
@end table
|
|
|
|
|
|
|
|
@item Error verifying a signature
|
2011-10-18 14:18:36 +02:00
|
|
|
For some reason the signature could not be verified, i.e. it cannot be
|
2003-01-09 13:24:01 +00:00
|
|
|
decided whether the signature is valid or invalid. A common reason for
|
|
|
|
this is a missing certificate.
|
|
|
|
|
|
|
|
@end table
|
|
|
|
|
2013-04-25 12:00:16 +01:00
|
|
|
@node CSR and certificate creation
|
|
|
|
@subsection CSR and certificate creation
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2016-11-14 16:59:23 +01:00
|
|
|
The command @option{--generate-key} may be used along with the option
|
2011-08-08 10:17:33 +02:00
|
|
|
@option{--batch} to either create a certificate signing request (CSR)
|
2014-11-04 21:29:58 +01:00
|
|
|
or an X.509 certificate. This is controlled by a parameter file; the
|
2011-08-08 10:17:33 +02:00
|
|
|
format of this file is as follows:
|
2011-03-01 17:08:49 +01:00
|
|
|
|
|
|
|
@itemize @bullet
|
|
|
|
@item Text only, line length is limited to about 1000 characters.
|
|
|
|
@item UTF-8 encoding must be used to specify non-ASCII characters.
|
|
|
|
@item Empty lines are ignored.
|
|
|
|
@item Leading and trailing while space is ignored.
|
|
|
|
@item A hash sign as the first non white space character indicates
|
|
|
|
a comment line.
|
|
|
|
@item Control statements are indicated by a leading percent sign, the
|
|
|
|
arguments are separated by white space from the keyword.
|
|
|
|
@item Parameters are specified by a keyword, followed by a colon. Arguments
|
|
|
|
are separated by white space.
|
|
|
|
@item The first parameter must be @samp{Key-Type}, control statements
|
|
|
|
may be placed anywhere.
|
|
|
|
@item
|
|
|
|
The order of the parameters does not matter except for @samp{Key-Type}
|
|
|
|
which must be the first parameter. The parameters are only used for
|
|
|
|
the generated CSR/certificate; parameters from previous sets are not
|
|
|
|
used. Some syntactically checks may be performed.
|
|
|
|
@item
|
|
|
|
Key generation takes place when either the end of the parameter file
|
|
|
|
is reached, the next @samp{Key-Type} parameter is encountered or at the
|
|
|
|
control statement @samp{%commit} is encountered.
|
|
|
|
@end itemize
|
|
|
|
|
|
|
|
@noindent
|
|
|
|
Control statements:
|
|
|
|
|
|
|
|
@table @asis
|
|
|
|
|
|
|
|
@item %echo @var{text}
|
|
|
|
Print @var{text} as diagnostic.
|
|
|
|
|
|
|
|
@item %dry-run
|
|
|
|
Suppress actual key generation (useful for syntax checking).
|
|
|
|
|
|
|
|
@item %commit
|
|
|
|
Perform the key generation. Note that an implicit commit is done at
|
|
|
|
the next @asis{Key-Type} parameter.
|
|
|
|
|
|
|
|
@c %certfile <filename>
|
|
|
|
@c [Not yet implemented!]
|
|
|
|
@c Do not write the certificate to the keyDB but to <filename>.
|
|
|
|
@c This must be given before the first
|
|
|
|
@c commit to take place, duplicate specification of the same filename
|
|
|
|
@c is ignored, the last filename before a commit is used.
|
|
|
|
@c The filename is used until a new filename is used (at commit points)
|
|
|
|
@c and all keys are written to that file. If a new filename is given,
|
|
|
|
@c this file is created (and overwrites an existing one).
|
|
|
|
@c Both control statements must be given.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
@noindent
|
|
|
|
General Parameters:
|
|
|
|
|
|
|
|
@table @asis
|
|
|
|
|
|
|
|
@item Key-Type: @var{algo}
|
|
|
|
Starts a new parameter block by giving the type of the primary
|
|
|
|
key. The algorithm must be capable of signing. This is a required
|
2020-05-19 14:30:24 +02:00
|
|
|
parameter. The supported values for @var{algo} are @samp{rsa},
|
|
|
|
@samp{ecdsa}, and @samp{eddsa}.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
|
|
|
@item Key-Length: @var{nbits}
|
2020-05-19 14:30:24 +02:00
|
|
|
The requested length of a generated key in bits. Defaults to
|
|
|
|
3072. The value is ignored for ECC algorithms.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
|
|
|
@item Key-Grip: @var{hexstring}
|
2016-03-04 15:20:47 +00:00
|
|
|
This is optional and used to generate a CSR or certificate for an
|
2011-03-01 17:08:49 +01:00
|
|
|
already existing key. Key-Length will be ignored when given.
|
|
|
|
|
|
|
|
@item Key-Usage: @var{usage-list}
|
|
|
|
Space or comma delimited list of key usage, allowed values are
|
2011-12-06 19:57:27 +01:00
|
|
|
@samp{encrypt}, @samp{sign} and @samp{cert}. This is used to generate
|
|
|
|
the keyUsage extension. Please make sure that the algorithm is
|
|
|
|
capable of this usage. Default is to allow encrypt and sign.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
|
|
|
@item Name-DN: @var{subject-name}
|
|
|
|
This is the Distinguished Name (DN) of the subject in RFC-2253 format.
|
|
|
|
|
|
|
|
@item Name-Email: @var{string}
|
|
|
|
This is an email address for the altSubjectName. This parameter is
|
|
|
|
optional but may occur several times to add several email addresses to
|
|
|
|
a certificate.
|
|
|
|
|
|
|
|
@item Name-DNS: @var{string}
|
|
|
|
The is an DNS name for the altSubjectName. This parameter is optional
|
|
|
|
but may occur several times to add several DNS names to a certificate.
|
|
|
|
|
|
|
|
@item Name-URI: @var{string}
|
|
|
|
This is an URI for the altSubjectName. This parameter is optional but
|
|
|
|
may occur several times to add several URIs to a certificate.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
@noindent
|
|
|
|
Additional parameters used to create a certificate (in contrast to a
|
|
|
|
certificate signing request):
|
|
|
|
|
|
|
|
@table @asis
|
|
|
|
|
|
|
|
@item Serial: @var{sn}
|
|
|
|
If this parameter is given an X.509 certificate will be generated.
|
|
|
|
@var{sn} is expected to be a hex string representing an unsigned
|
Fix more spelling
* NEWS, acinclude.m4, agent/command-ssh.c, agent/command.c,
agent/gpg-agent.c, agent/keyformat.txt, agent/protect-tool.c,
common/asshelp.c, common/b64enc.c, common/recsel.c, doc/DETAILS,
doc/HACKING, doc/Notes, doc/TRANSLATE, doc/dirmngr.texi,
doc/faq.org, doc/gpg-agent.texi, doc/gpg.texi, doc/gpgsm.texi,
doc/instguide.texi, g10/armor.c, g10/gpg.c, g10/keyedit.c,
g10/mainproc.c, g10/pkclist.c, g10/tofu.c, g13/sh-cmd.c,
g13/sh-dmcrypt.c, kbx/keybox-init.c, m4/pkg.m4, sm/call-dirmngr.c,
sm/gpgsm.c, tests/Makefile.am, tests/gpgscm/Manual.txt,
tests/gpgscm/scheme.c, tests/openpgp/gpgv-forged-keyring.scm,
tests/openpgp/multisig.test, tests/openpgp/verify.scm,
tests/pkits/README, tools/applygnupgdefaults,
tools/gpg-connect-agent.c, tools/mime-maker.c, tools/mime-parser.c:
minor spelling cleanup.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-09-15 14:21:15 -04:00
|
|
|
integer of arbitrary length. The special value @samp{random} can be
|
2011-03-01 17:08:49 +01:00
|
|
|
used to create a 64 bit random serial number.
|
|
|
|
|
|
|
|
@item Issuer-DN: @var{issuer-name}
|
2016-03-04 16:34:23 +00:00
|
|
|
This is the DN name of the issuer in RFC-2253 format. If it is not set
|
2011-03-01 17:08:49 +01:00
|
|
|
it will default to the subject DN and a special GnuPG extension will
|
|
|
|
be included in the certificate to mark it as a standalone certificate.
|
|
|
|
|
|
|
|
@item Creation-Date: @var{iso-date}
|
|
|
|
@itemx Not-Before: @var{iso-date}
|
|
|
|
Set the notBefore date of the certificate. Either a date like
|
|
|
|
@samp{1986-04-26} or @samp{1986-04-26 12:00} or a standard ISO
|
|
|
|
timestamp like @samp{19860426T042640} may be used. The time is
|
|
|
|
considered to be UTC. If it is not given the current date is used.
|
|
|
|
|
|
|
|
@item Expire-Date: @var{iso-date}
|
|
|
|
@itemx Not-After: @var{iso-date}
|
|
|
|
Set the notAfter date of the certificate. Either a date like
|
|
|
|
@samp{2063-04-05} or @samp{2063-04-05 17:00} or a standard ISO
|
|
|
|
timestamp like @samp{20630405T170000} may be used. The time is
|
|
|
|
considered to be UTC. If it is not given a default value in the not
|
|
|
|
too far future is used.
|
|
|
|
|
|
|
|
@item Signing-Key: @var{keygrip}
|
|
|
|
This gives the keygrip of the key used to sign the certificate. If it
|
|
|
|
is not given a self-signed certificate will be created. For
|
|
|
|
compatibility with future versions, it is suggested to prefix the
|
|
|
|
keygrip with a @samp{&}.
|
|
|
|
|
|
|
|
@item Hash-Algo: @var{hash-algo}
|
|
|
|
Use @var{hash-algo} for this CSR or certificate. The supported hash
|
|
|
|
algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and
|
|
|
|
@samp{sha512}; they may also be specified with uppercase letters. The
|
2015-03-25 10:16:37 +01:00
|
|
|
default is @samp{sha256}.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2020-05-19 14:30:24 +02:00
|
|
|
@item Authority-Key-Id: @var{hexstring}
|
|
|
|
Insert the decoded value of @var{hexstring} as authorityKeyIdentifier.
|
|
|
|
If this is not given and an ECC algorithm is used the public part of
|
|
|
|
the certified public key is used as authorityKeyIdentifier. To
|
|
|
|
inhibit any authorityKeyIdentifier use the special value @code{none}
|
|
|
|
for @var{hexstring}.
|
|
|
|
|
|
|
|
@item Subject-Key-Id: @var{hexstring}
|
|
|
|
Insert the decoded value of @var{hexstring} as subjectKeyIdentifier.
|
|
|
|
If this is not given and an ECC algorithm is used the public part of
|
|
|
|
the signing key is used as authorityKeyIdentifier. To inhibit any
|
|
|
|
subjectKeyIdentifier use the special value @code{none} for
|
|
|
|
@var{hexstring}.
|
|
|
|
|
2011-03-01 17:08:49 +01:00
|
|
|
@end table
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
@c *******************************************
|
|
|
|
@c *************** *****************
|
|
|
|
@c *************** ASSSUAN *****************
|
|
|
|
@c *************** *****************
|
|
|
|
@c *******************************************
|
2003-01-09 13:24:01 +00:00
|
|
|
@node GPGSM Protocol
|
2016-03-04 14:45:19 +00:00
|
|
|
@section The Protocol the Server Mode Uses
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2004-09-30 08:38:32 +00:00
|
|
|
Description of the protocol used to access @command{GPGSM}.
|
|
|
|
@command{GPGSM} does implement the Assuan protocol and in addition
|
|
|
|
provides a regular command line interface which exhibits a full client
|
|
|
|
to this protocol (but uses internal linking). To start
|
|
|
|
@command{gpgsm} as a server the command line the option
|
|
|
|
@code{--server} must be used. Additional options are provided to
|
|
|
|
select the communication method (i.e. the name of the socket).
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
We assume that the connection has already been established; see the
|
|
|
|
Assuan manual for details.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* GPGSM ENCRYPT:: Encrypting a message.
|
|
|
|
* GPGSM DECRYPT:: Decrypting a message.
|
|
|
|
* GPGSM SIGN:: Signing a message.
|
|
|
|
* GPGSM VERIFY:: Verifying a message.
|
|
|
|
* GPGSM GENKEY:: Generating a key.
|
|
|
|
* GPGSM LISTKEYS:: List available keys.
|
|
|
|
* GPGSM EXPORT:: Export certificates.
|
|
|
|
* GPGSM IMPORT:: Import certificates.
|
|
|
|
* GPGSM DELETE:: Delete certificates.
|
2015-06-29 11:03:58 +02:00
|
|
|
* GPGSM GETAUDITLOG:: Retrieve an audit log.
|
2008-02-13 16:47:14 +00:00
|
|
|
* GPGSM GETINFO:: Information about the process
|
2015-06-29 11:03:58 +02:00
|
|
|
* GPGSM OPTION:: Session options.
|
2003-01-09 13:24:01 +00:00
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM ENCRYPT
|
|
|
|
@subsection Encrypting a Message
|
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
Before encryption can be done the recipient must be set using the
|
2003-01-09 13:24:01 +00:00
|
|
|
command:
|
|
|
|
|
|
|
|
@example
|
|
|
|
RECIPIENT @var{userID}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
Set the recipient for the encryption. @var{userID} should be the
|
|
|
|
internal representation of the key; the server may accept any other way
|
|
|
|
of specification. If this is a valid and trusted recipient the server
|
|
|
|
does respond with OK, otherwise the return is an ERR with the reason why
|
2011-10-18 14:18:36 +02:00
|
|
|
the recipient cannot be used, the encryption will then not be done for
|
2003-01-09 13:24:01 +00:00
|
|
|
this recipient. If the policy is not to encrypt at all if not all
|
|
|
|
recipients are valid, the client has to take care of this. All
|
|
|
|
@code{RECIPIENT} commands are cumulative until a @code{RESET} or an
|
|
|
|
successful @code{ENCRYPT} command.
|
|
|
|
|
|
|
|
@example
|
2006-09-18 13:23:18 +00:00
|
|
|
INPUT FD[=@var{n}] [--armor|--base64|--binary]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
Set the file descriptor for the message to be encrypted to @var{n}.
|
|
|
|
Obviously the pipe must be open at that point, the server establishes
|
|
|
|
its own end. If the server returns an error the client should consider
|
2006-09-18 13:23:18 +00:00
|
|
|
this session failed. If @var{n} is not given, this commands uses the
|
|
|
|
last file descriptor passed to the application.
|
|
|
|
@xref{fun-assuan_sendfd, ,the assuan_sendfd function,assuan,the Libassuan
|
|
|
|
manual}, on how to do descriptor passing.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
2020-09-16 11:11:43 +00:00
|
|
|
The @code{--armor} option may be used to advise the server that the
|
|
|
|
input data is in @acronym{PEM} format, @code{--base64} advises that a
|
|
|
|
raw base-64 encoding is used, @code{--binary} advises of raw binary
|
2003-01-09 13:24:01 +00:00
|
|
|
input (@acronym{BER}). If none of these options is used, the server
|
|
|
|
tries to figure out the used encoding, but this may not always be
|
|
|
|
correct.
|
|
|
|
|
|
|
|
@example
|
2006-09-18 13:23:18 +00:00
|
|
|
OUTPUT FD[=@var{n}] [--armor|--base64]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
Set the file descriptor to be used for the output (i.e. the encrypted
|
|
|
|
message). Obviously the pipe must be open at that point, the server
|
2016-03-04 15:20:47 +00:00
|
|
|
establishes its own end. If the server returns an error the client
|
2003-01-09 13:24:01 +00:00
|
|
|
should consider this session failed.
|
|
|
|
|
2016-03-04 16:38:09 +00:00
|
|
|
The option @option{--armor} encodes the output in @acronym{PEM} format, the
|
|
|
|
@option{--base64} option applies just a base-64 encoding. No option
|
2003-01-09 13:24:01 +00:00
|
|
|
creates binary output (@acronym{BER}).
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
The actual encryption is done using the command
|
|
|
|
|
|
|
|
@example
|
2011-03-01 17:08:49 +01:00
|
|
|
ENCRYPT
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
It takes the plaintext from the @code{INPUT} command, writes to the
|
|
|
|
ciphertext to the file descriptor set with the @code{OUTPUT} command,
|
|
|
|
take the recipients from all the recipients set so far. If this command
|
|
|
|
fails the clients should try to delete all output currently done or
|
2011-10-18 14:18:36 +02:00
|
|
|
otherwise mark it as invalid. @command{GPGSM} does ensure that there
|
|
|
|
will not be any
|
2003-01-09 13:24:01 +00:00
|
|
|
security problem with leftover data on the output in this case.
|
|
|
|
|
|
|
|
This command should in general not fail, as all necessary checks have
|
|
|
|
been done while setting the recipients. The input and output pipes are
|
|
|
|
closed.
|
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM DECRYPT
|
|
|
|
@subsection Decrypting a message
|
|
|
|
|
|
|
|
Input and output FDs are set the same way as in encryption, but
|
2016-03-04 16:38:09 +00:00
|
|
|
@code{INPUT} refers to the ciphertext and @code{OUTPUT} to the plaintext. There
|
2004-09-30 08:38:32 +00:00
|
|
|
is no need to set recipients. @command{GPGSM} automatically strips any
|
2003-01-09 13:24:01 +00:00
|
|
|
@acronym{S/MIME} headers from the input, so it is valid to pass an
|
|
|
|
entire MIME part to the INPUT pipe.
|
|
|
|
|
2016-03-04 16:27:21 +00:00
|
|
|
The decryption is done by using the command
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
DECRYPT
|
|
|
|
@end example
|
|
|
|
|
|
|
|
It performs the decrypt operation after doing some check on the internal
|
2016-03-04 16:13:14 +00:00
|
|
|
state (e.g. that all needed data has been set). Because it utilizes
|
2003-01-09 13:24:01 +00:00
|
|
|
the GPG-Agent for the session key decryption, there is no need to ask
|
|
|
|
the client for a protecting passphrase - GpgAgent takes care of this by
|
|
|
|
requesting this from the user.
|
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM SIGN
|
|
|
|
@subsection Signing a Message
|
|
|
|
|
|
|
|
Signing is usually done with these commands:
|
|
|
|
|
|
|
|
@example
|
2006-09-18 13:23:18 +00:00
|
|
|
INPUT FD[=@var{n}] [--armor|--base64|--binary]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
2004-09-30 08:38:32 +00:00
|
|
|
This tells @command{GPGSM} to read the data to sign from file descriptor @var{n}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
2006-09-18 13:23:18 +00:00
|
|
|
OUTPUT FD[=@var{m}] [--armor|--base64]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
Write the output to file descriptor @var{m}. If a detached signature is
|
|
|
|
requested, only the signature is written.
|
|
|
|
|
|
|
|
@example
|
2011-03-01 17:08:49 +01:00
|
|
|
SIGN [--detached]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
2016-03-04 16:38:09 +00:00
|
|
|
Sign the data set with the @code{INPUT} command and write it to the sink set by
|
|
|
|
@code{OUTPUT}. With @code{--detached}, a detached signature is created
|
2003-01-09 13:24:01 +00:00
|
|
|
(surprise).
|
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
The key used for signing is the default one or the one specified in
|
2003-01-09 13:24:01 +00:00
|
|
|
the configuration file. To get finer control over the keys, it is
|
|
|
|
possible to use the command
|
|
|
|
|
|
|
|
@example
|
|
|
|
SIGNER @var{userID}
|
|
|
|
@end example
|
|
|
|
|
2016-03-04 15:20:47 +00:00
|
|
|
to set the signer's key. @var{userID} should be the
|
2003-01-09 13:24:01 +00:00
|
|
|
internal representation of the key; the server may accept any other way
|
|
|
|
of specification. If this is a valid and trusted recipient the server
|
|
|
|
does respond with OK, otherwise the return is an ERR with the reason why
|
2011-10-18 14:18:36 +02:00
|
|
|
the key cannot be used, the signature will then not be created using
|
2003-01-09 13:24:01 +00:00
|
|
|
this key. If the policy is not to sign at all if not all
|
|
|
|
keys are valid, the client has to take care of this. All
|
|
|
|
@code{SIGNER} commands are cumulative until a @code{RESET} is done.
|
|
|
|
Note that a @code{SIGN} does not reset this list of signers which is in
|
2016-03-04 15:20:47 +00:00
|
|
|
contrast to the @code{RECIPIENT} command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM VERIFY
|
|
|
|
@subsection Verifying a Message
|
|
|
|
|
2016-03-04 15:20:47 +00:00
|
|
|
To verify a message the command:
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
VERIFY
|
|
|
|
@end example
|
|
|
|
|
|
|
|
is used. It does a verify operation on the message send to the input FD.
|
|
|
|
The result is written out using status lines. If an output FD was
|
|
|
|
given, the signed text will be written to that. If the signature is a
|
|
|
|
detached one, the server will inquire about the signed material and the
|
|
|
|
client must provide it.
|
|
|
|
|
|
|
|
@node GPGSM GENKEY
|
|
|
|
@subsection Generating a Key
|
|
|
|
|
|
|
|
This is used to generate a new keypair, store the secret part in the
|
|
|
|
@acronym{PSE} and the public key in the key database. We will probably
|
|
|
|
add optional commands to allow the client to select whether a hardware
|
2005-07-25 14:35:04 +00:00
|
|
|
token is used to store the key. Configuration options to
|
|
|
|
@command{GPGSM} can be used to restrict the use of this command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
2011-03-01 17:08:49 +01:00
|
|
|
GENKEY
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
2004-09-30 08:38:32 +00:00
|
|
|
@command{GPGSM} checks whether this command is allowed and then does an
|
2003-01-09 13:24:01 +00:00
|
|
|
INQUIRY to get the key parameters, the client should then send the
|
|
|
|
key parameters in the native format:
|
|
|
|
|
|
|
|
@example
|
|
|
|
S: INQUIRE KEY_PARAM native
|
|
|
|
C: D foo:fgfgfg
|
|
|
|
C: D bar
|
|
|
|
C: END
|
2011-03-01 17:08:49 +01:00
|
|
|
@end example
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
Please note that the server may send Status info lines while reading the
|
|
|
|
data lines from the client. After this the key generation takes place
|
|
|
|
and the server eventually does send an ERR or OK response. Status lines
|
|
|
|
may be issued as a progress indicator.
|
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM LISTKEYS
|
|
|
|
@subsection List available keys
|
2015-06-29 11:03:58 +02:00
|
|
|
@anchor{gpgsm-cmd listkeys}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
To list the keys in the internal database or using an external key
|
|
|
|
provider, the command:
|
|
|
|
|
|
|
|
@example
|
|
|
|
LISTKEYS @var{pattern}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
is used. To allow multiple patterns (which are ORed during the search)
|
|
|
|
quoting is required: Spaces are to be translated into "+" or into "%20";
|
|
|
|
in turn this requires that the usual escape quoting rules are done.
|
|
|
|
|
|
|
|
@example
|
|
|
|
LISTSECRETKEYS @var{pattern}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
Lists only the keys where a secret key is available.
|
|
|
|
|
2016-03-04 15:20:47 +00:00
|
|
|
The list commands are affected by the option
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
OPTION list-mode=@var{mode}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
where mode may be:
|
|
|
|
@table @code
|
2011-03-01 17:08:49 +01:00
|
|
|
@item 0
|
2003-01-09 13:24:01 +00:00
|
|
|
Use default (which is usually the same as 1).
|
|
|
|
@item 1
|
|
|
|
List only the internal keys.
|
|
|
|
@item 2
|
|
|
|
List only the external keys.
|
|
|
|
@item 3
|
|
|
|
List internal and external keys.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
Note that options are valid for the entire session.
|
2011-03-01 17:08:49 +01:00
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@node GPGSM EXPORT
|
|
|
|
@subsection Export certificates
|
|
|
|
|
|
|
|
To export certificate from the internal key database the command:
|
|
|
|
|
|
|
|
@example
|
2006-11-14 10:23:21 +00:00
|
|
|
EXPORT [--data [--armor] [--base64]] [--] @var{pattern}
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
is used. To allow multiple patterns (which are ORed) quoting is
|
|
|
|
required: Spaces are to be translated into "+" or into "%20"; in turn
|
|
|
|
this requires that the usual escape quoting rules are done.
|
|
|
|
|
2006-11-14 10:23:21 +00:00
|
|
|
If the @option{--data} option has not been given, the format of the
|
2016-03-04 16:38:09 +00:00
|
|
|
output depends on what was set with the @code{OUTPUT} command. When using
|
2006-11-14 10:23:21 +00:00
|
|
|
@acronym{PEM} encoding a few informational lines are prepended.
|
|
|
|
|
2016-03-04 16:38:09 +00:00
|
|
|
If the @option{--data} has been given, a target set via @code{OUTPUT} is
|
2006-11-14 10:23:21 +00:00
|
|
|
ignored and the data is returned inline using standard
|
|
|
|
@code{D}-lines. This avoids the need for an extra file descriptor. In
|
|
|
|
this case the options @option{--armor} and @option{--base64} may be used
|
2016-03-04 16:38:09 +00:00
|
|
|
in the same way as with the @code{OUTPUT} command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@node GPGSM IMPORT
|
|
|
|
@subsection Import certificates
|
|
|
|
|
|
|
|
To import certificates into the internal key database, the command
|
|
|
|
|
|
|
|
@example
|
2009-07-07 16:52:12 +00:00
|
|
|
IMPORT [--re-import]
|
2003-01-09 13:24:01 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
is used. The data is expected on the file descriptor set with the
|
2009-07-22 13:33:46 +00:00
|
|
|
@code{INPUT} command. Certain checks are performed on the
|
2009-07-07 16:52:12 +00:00
|
|
|
certificate. Note that the code will also handle PKCS#12 files and
|
2004-02-17 15:04:49 +00:00
|
|
|
import private keys; a helper program is used for that.
|
|
|
|
|
2009-07-07 16:52:12 +00:00
|
|
|
With the option @option{--re-import} the input data is expected to a be
|
|
|
|
a linefeed separated list of fingerprints. The command will re-import
|
|
|
|
the corresponding certificates; that is they are made permanent by
|
|
|
|
removing their ephemeral flag.
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@node GPGSM DELETE
|
|
|
|
@subsection Delete certificates
|
|
|
|
|
2008-02-13 16:47:14 +00:00
|
|
|
To delete a certificate the command
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
DELKEYS @var{pattern}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
is used. To allow multiple patterns (which are ORed) quoting is
|
|
|
|
required: Spaces are to be translated into "+" or into "%20"; in turn
|
|
|
|
this requires that the usual escape quoting rules are done.
|
|
|
|
|
|
|
|
The certificates must be specified unambiguously otherwise an error is
|
|
|
|
returned.
|
|
|
|
|
2015-06-29 11:03:58 +02:00
|
|
|
@node GPGSM GETAUDITLOG
|
2016-03-04 14:45:19 +00:00
|
|
|
@subsection Retrieve an audit log
|
2015-06-29 11:03:58 +02:00
|
|
|
@anchor{gpgsm-cmd getauditlog}
|
|
|
|
|
|
|
|
This command is used to retrieve an audit log.
|
|
|
|
|
|
|
|
@example
|
|
|
|
GETAUDITLOG [--data] [--html]
|
|
|
|
@end example
|
|
|
|
|
|
|
|
If @option{--data} is used, the audit log is send using D-lines
|
2016-03-04 16:38:09 +00:00
|
|
|
instead of being sent to the file descriptor given by an @code{OUTPUT}
|
More cleanup of "allow to".
* README, agent/command.c, agent/keyformat.txt, common/i18n.c,
common/iobuf.c, common/keyserver.h, dirmngr/cdblib.c,
dirmngr/ldap-wrapper.c, doc/DETAILS, doc/TRANSLATE,
doc/announce-2.1.txt, doc/gpg.texi, doc/gpgsm.texi,
doc/scdaemon.texi, doc/tools.texi, doc/whats-new-in-2.1.txt,
g10/export.c, g10/getkey.c, g10/import.c, g10/keyedit.c, m4/ksba.m4,
m4/libgcrypt.m4, m4/ntbtls.m4, po/ca.po, po/cs.po, po/da.po,
po/de.po, po/el.po, po/eo.po, po/es.po, po/et.po, po/fi.po,
po/fr.po, po/gl.po, po/hu.po, po/id.po, po/it.po, po/ja.po,
po/nb.po, po/pl.po, po/pt.po, po/ro.po, po/ru.po, po/sk.po,
po/sv.po, po/tr.po, po/uk.po, po/zh_CN.po, po/zh_TW.po,
scd/app-p15.c, scd/ccid-driver.c, scd/command.c, sm/gpgsm.c,
sm/sign.c, tools/gpgconf-comp.c, tools/gpgtar.h: replace "Allow to"
with clearer text.
In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something. When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.
These changes should make the language a bit clearer.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-01 22:19:17 -04:00
|
|
|
command. If @option{--html} is used, the output is formatted as an
|
2015-06-29 11:03:58 +02:00
|
|
|
XHTML block. This is designed to be incorporated into a HTML
|
|
|
|
document.
|
|
|
|
|
|
|
|
|
2008-02-13 16:47:14 +00:00
|
|
|
@node GPGSM GETINFO
|
|
|
|
@subsection Return information about the process
|
|
|
|
|
|
|
|
This is a multipurpose function to return a variety of information.
|
|
|
|
|
|
|
|
@example
|
|
|
|
GETINFO @var{what}
|
|
|
|
@end example
|
|
|
|
|
|
|
|
The value of @var{what} specifies the kind of information returned:
|
|
|
|
@table @code
|
|
|
|
@item version
|
|
|
|
Return the version of the program.
|
|
|
|
@item pid
|
|
|
|
Return the process id of the process.
|
2009-07-07 16:52:12 +00:00
|
|
|
@item agent-check
|
2015-06-29 11:03:58 +02:00
|
|
|
Return OK if the agent is running.
|
2009-07-07 16:52:12 +00:00
|
|
|
@item cmd_has_option @var{cmd} @var{opt}
|
2015-06-29 11:03:58 +02:00
|
|
|
Return OK if the command @var{cmd} implements the option @var{opt}.
|
2009-07-07 16:52:12 +00:00
|
|
|
The leading two dashes usually used with @var{opt} shall not be given.
|
2015-06-29 11:03:58 +02:00
|
|
|
@item offline
|
|
|
|
Return OK if the connection is in offline mode. This may be either
|
|
|
|
due to a @code{OPTION offline=1} or due to @command{gpgsm} being
|
|
|
|
started with option @option{--disable-dirmngr}.
|
|
|
|
@end table
|
|
|
|
|
|
|
|
@node GPGSM OPTION
|
2016-03-04 14:45:19 +00:00
|
|
|
@subsection Session options
|
2015-06-29 11:03:58 +02:00
|
|
|
|
|
|
|
The standard Assuan option handler supports these options.
|
|
|
|
|
|
|
|
@example
|
|
|
|
OPTION @var{name}[=@var{value}]
|
|
|
|
@end example
|
|
|
|
|
|
|
|
These @var{name}s are recognized:
|
|
|
|
|
|
|
|
@table @code
|
|
|
|
|
|
|
|
@item putenv
|
|
|
|
Change the session's environment to be passed via gpg-agent to
|
|
|
|
Pinentry. @var{value} is a string of the form
|
|
|
|
@code{<KEY>[=[<STRING>]]}. If only @code{<KEY>} is given the
|
|
|
|
environment variable @code{<KEY>} is removed from the session
|
|
|
|
environment, if @code{<KEY>=} is given that environment variable is
|
|
|
|
set to the empty string, and if @code{<STRING>} is given it is set to
|
|
|
|
that string.
|
|
|
|
|
|
|
|
@item display
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex DISPLAY
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{DISPLAY} is set to @var{value}.
|
|
|
|
@item ttyname
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex GPG_TTY
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{GPG_TTY} is set to @var{value}.
|
|
|
|
@item ttytype
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex TERM
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{TERM} is set to @var{value}.
|
|
|
|
@item lc-ctype
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex LC_CTYPE
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{LC_CTYPE} is set to @var{value}.
|
|
|
|
@item lc-messages
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex LC_MESSAGES
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{LC_MESSAGES} is set to @var{value}.
|
|
|
|
@item xauthority
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex XAUTHORITY
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{XAUTHORITY} is set to @var{value}.
|
|
|
|
@item pinentry-user-data
|
2016-06-14 14:57:49 +02:00
|
|
|
@efindex PINENTRY_USER_DATA
|
2015-06-29 11:03:58 +02:00
|
|
|
Set the session environment variable @code{PINENTRY_USER_DATA} is set
|
|
|
|
to @var{value}.
|
|
|
|
|
|
|
|
@item include-certs
|
|
|
|
This option overrides the command line option
|
|
|
|
@option{--include-certs}. A @var{value} of -2 includes all
|
|
|
|
certificates except for the root certificate, -1 includes all
|
2017-04-28 10:06:33 +09:00
|
|
|
certificates, 0 does not include any certificates, 1 includes only the
|
|
|
|
signers certificate and all other positive values include up to
|
2015-06-29 11:03:58 +02:00
|
|
|
@var{value} certificates starting with the signer cert.
|
|
|
|
|
|
|
|
@item list-mode
|
|
|
|
@xref{gpgsm-cmd listkeys}.
|
|
|
|
|
|
|
|
@item list-to-output
|
|
|
|
If @var{value} is true the output of the list commands
|
|
|
|
(@pxref{gpgsm-cmd listkeys}) is written to the file descriptor set
|
2016-03-04 16:38:09 +00:00
|
|
|
with the last @code{OUTPUT} command. If @var{value} is false the output is
|
2015-06-29 11:03:58 +02:00
|
|
|
written via data lines; this is the default.
|
|
|
|
|
|
|
|
@item with-validation
|
|
|
|
If @var{value} is true for each listed certificate the validation
|
|
|
|
status is printed. This may result in the download of a CRL or the
|
|
|
|
user being asked about the trustworthiness of a root certificate. The
|
|
|
|
default is given by a command line option (@pxref{gpgsm-option
|
|
|
|
--with-validation}).
|
|
|
|
|
|
|
|
|
|
|
|
@item with-secret
|
|
|
|
If @var{value} is true certificates with a corresponding private key
|
|
|
|
are marked by the list commands.
|
|
|
|
|
|
|
|
@item validation-model
|
|
|
|
This option overrides the command line option
|
|
|
|
@option{validation-model} for the session.
|
2016-03-04 15:51:22 +00:00
|
|
|
(@xref{gpgsm-option --validation-model}.)
|
2015-06-29 11:03:58 +02:00
|
|
|
|
|
|
|
@item with-key-data
|
|
|
|
This option globally enables the command line option
|
2016-03-04 15:51:22 +00:00
|
|
|
@option{--with-key-data}. (@xref{gpgsm-option --with-key-data}.)
|
2015-06-29 11:03:58 +02:00
|
|
|
|
|
|
|
@item enable-audit-log
|
|
|
|
If @var{value} is true data to write an audit log is gathered.
|
2016-03-04 15:51:22 +00:00
|
|
|
(@xref{gpgsm-cmd getauditlog}.)
|
2015-06-29 11:03:58 +02:00
|
|
|
|
|
|
|
@item allow-pinentry-notify
|
|
|
|
If this option is used notifications about the launch of a Pinentry
|
|
|
|
are passed back to the client.
|
|
|
|
|
|
|
|
@item with-ephemeral-keys
|
|
|
|
If @var{value} is true ephemeral certificates are included in the
|
|
|
|
output of the list commands.
|
|
|
|
|
|
|
|
@item no-encrypt-to
|
|
|
|
If this option is used all keys set by the command line option
|
|
|
|
@option{--encrypt-to} are ignored.
|
|
|
|
|
|
|
|
@item offline
|
|
|
|
If @var{value} is true or @var{value} is not given all network access
|
|
|
|
is disabled for this session. This is the same as the command line
|
|
|
|
option @option{--disable-dirmngr}.
|
|
|
|
|
2008-02-13 16:47:14 +00:00
|
|
|
@end table
|
2006-09-04 14:53:20 +00:00
|
|
|
|
|
|
|
@mansect see also
|
|
|
|
@ifset isman
|
2011-03-01 17:08:49 +01:00
|
|
|
@command{gpg2}(1),
|
2006-09-04 14:53:20 +00:00
|
|
|
@command{gpg-agent}(1)
|
|
|
|
@end ifset
|
|
|
|
@include see-also-note.texi
|