2003-01-09 13:24:01 +00:00
|
|
|
|
@c Copyright (C) 2002 Free Software Foundation, Inc.
|
|
|
|
|
@c This is part of the GnuPG manual.
|
|
|
|
|
@c For copying conditions, see the file gnupg.texi.
|
|
|
|
|
|
2015-06-09 21:29:15 +02:00
|
|
|
|
@include defs.inc
|
2010-10-06 11:29:10 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Invoking GPG-AGENT
|
|
|
|
|
@chapter Invoking GPG-AGENT
|
|
|
|
|
@cindex GPG-AGENT command options
|
|
|
|
|
@cindex command options
|
|
|
|
|
@cindex options, GPG-AGENT command
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@manpage gpg-agent.1
|
|
|
|
|
@ifset manverb
|
|
|
|
|
.B gpg-agent
|
2006-08-17 19:58:28 +00:00
|
|
|
|
\- Secret key management for GnuPG
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@end ifset
|
|
|
|
|
|
|
|
|
|
@mansect synopsis
|
|
|
|
|
@ifset manverb
|
|
|
|
|
.B gpg-agent
|
|
|
|
|
.RB [ \-\-homedir
|
|
|
|
|
.IR dir ]
|
|
|
|
|
.RB [ \-\-options
|
|
|
|
|
.IR file ]
|
2011-03-03 18:35:08 +01:00
|
|
|
|
.RI [ options ]
|
2006-08-17 18:01:25 +00:00
|
|
|
|
.br
|
|
|
|
|
.B gpg-agent
|
|
|
|
|
.RB [ \-\-homedir
|
|
|
|
|
.IR dir ]
|
|
|
|
|
.RB [ \-\-options
|
|
|
|
|
.IR file ]
|
2011-03-03 18:35:08 +01:00
|
|
|
|
.RI [ options ]
|
|
|
|
|
.B \-\-server
|
2006-08-17 18:01:25 +00:00
|
|
|
|
.br
|
|
|
|
|
.B gpg-agent
|
|
|
|
|
.RB [ \-\-homedir
|
|
|
|
|
.IR dir ]
|
|
|
|
|
.RB [ \-\-options
|
|
|
|
|
.IR file ]
|
2011-03-03 18:35:08 +01:00
|
|
|
|
.RI [ options ]
|
|
|
|
|
.B \-\-daemon
|
2006-08-17 18:01:25 +00:00
|
|
|
|
.RI [ command_line ]
|
|
|
|
|
@end ifset
|
|
|
|
|
|
|
|
|
|
@mansect description
|
2004-09-30 08:38:32 +00:00
|
|
|
|
@command{gpg-agent} is a daemon to manage secret (private) keys
|
2005-04-20 18:46:51 +00:00
|
|
|
|
independently from any protocol. It is used as a backend for
|
2004-09-30 08:38:32 +00:00
|
|
|
|
@command{gpg} and @command{gpgsm} as well as for a couple of other
|
|
|
|
|
utilities.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2014-10-03 11:58:58 +02:00
|
|
|
|
The agent is automatically started on demand by @command{gpg},
|
|
|
|
|
@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
|
|
|
|
|
Thus there is no reason to start it manually. In case you want to use
|
|
|
|
|
the included Secure Shell Agent you may start the agent using:
|
2010-10-26 12:25:47 +00:00
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
gpg-connect-agent /bye
|
|
|
|
|
@end example
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@noindent
|
2004-12-20 16:17:25 +00:00
|
|
|
|
You should always add the following lines to your @code{.bashrc} or
|
2004-10-20 08:54:45 +00:00
|
|
|
|
whatever initialization file is used for all shell invocations:
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@smallexample
|
2008-11-12 11:28:42 +00:00
|
|
|
|
GPG_TTY=$(tty)
|
2003-01-09 13:24:01 +00:00
|
|
|
|
export GPG_TTY
|
|
|
|
|
@end smallexample
|
|
|
|
|
|
2004-09-29 13:50:31 +00:00
|
|
|
|
@noindent
|
2003-01-09 13:24:01 +00:00
|
|
|
|
It is important that this environment variable always reflects the
|
2004-12-20 16:17:25 +00:00
|
|
|
|
output of the @code{tty} command. For W32 systems this option is not
|
|
|
|
|
required.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2004-09-29 13:50:31 +00:00
|
|
|
|
Please make sure that a proper pinentry program has been installed
|
2015-01-22 17:49:55 +01:00
|
|
|
|
under the default filename (which is system dependent) or use the
|
2007-11-19 16:03:50 +00:00
|
|
|
|
option @option{pinentry-program} to specify the full name of that program.
|
|
|
|
|
It is often useful to install a symbolic link from the actual used
|
2015-06-09 21:29:15 +02:00
|
|
|
|
pinentry (e.g. @file{@value{BINDIR}/pinentry-gtk}) to the expected
|
|
|
|
|
one (e.g. @file{@value{BINDIR}/pinentry}).
|
2004-09-29 13:50:31 +00:00
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@manpause
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@noindent
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@xref{Option Index},for an index to @command{GPG-AGENT}'s commands and options.
|
|
|
|
|
@mancont
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@menu
|
|
|
|
|
* Agent Commands:: List of all commands.
|
|
|
|
|
* Agent Options:: List of all options.
|
2005-04-20 18:46:51 +00:00
|
|
|
|
* Agent Configuration:: Configuration files.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
* Agent Signals:: Use of some signals.
|
|
|
|
|
* Agent Examples:: Some usage examples.
|
|
|
|
|
* Agent Protocol:: The protocol the agent uses.
|
|
|
|
|
@end menu
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@mansect commands
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent Commands
|
|
|
|
|
@section Commands
|
|
|
|
|
|
2008-01-28 08:03:08 +00:00
|
|
|
|
Commands are not distinguished from options except for the fact that
|
|
|
|
|
only one command is allowed.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
@item --version
|
|
|
|
|
@opindex version
|
2010-06-10 10:39:44 +00:00
|
|
|
|
Print the program version and licensing information. Note that you cannot
|
2003-01-09 13:24:01 +00:00
|
|
|
|
abbreviate this command.
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@item --help
|
|
|
|
|
@itemx -h
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@opindex help
|
2006-08-17 18:01:25 +00:00
|
|
|
|
Print a usage message summarizing the most useful command-line options.
|
2010-06-10 10:39:44 +00:00
|
|
|
|
Note that you cannot abbreviate this command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@item --dump-options
|
|
|
|
|
@opindex dump-options
|
2010-06-10 10:39:44 +00:00
|
|
|
|
Print a list of all available options and commands. Note that you cannot
|
2003-01-09 13:24:01 +00:00
|
|
|
|
abbreviate this command.
|
|
|
|
|
|
|
|
|
|
@item --server
|
|
|
|
|
@opindex server
|
|
|
|
|
Run in server mode and wait for commands on the @code{stdin}. The
|
|
|
|
|
default mode is to create a socket and listen for commands there.
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@item --daemon [@var{command line}]
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@opindex daemon
|
2009-06-02 15:46:59 +00:00
|
|
|
|
Start the gpg-agent as a daemon; that is, detach it from the console
|
2014-10-03 11:58:58 +02:00
|
|
|
|
and run it in the background.
|
2015-06-08 19:27:08 +02:00
|
|
|
|
|
|
|
|
|
As an alternative you may create a new process as a child of
|
|
|
|
|
gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new
|
|
|
|
|
shell with the environment setup properly; after you exit from this
|
|
|
|
|
shell, gpg-agent terminates within a few seconds.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end table
|
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@mansect options
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent Options
|
|
|
|
|
@section Option Summary
|
|
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@anchor{option --options}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --options @var{file}
|
|
|
|
|
@opindex options
|
|
|
|
|
Reads configuration from @var{file} instead of from the default
|
2004-02-04 19:13:16 +00:00
|
|
|
|
per-user configuration file. The default configuration file is named
|
|
|
|
|
@file{gpg-agent.conf} and expected in the @file{.gnupg} directory directly
|
|
|
|
|
below the home directory of the user.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@anchor{option --homedir}
|
2006-08-18 13:05:39 +00:00
|
|
|
|
@include opt-homedir.texi
|
|
|
|
|
|
2004-12-20 16:17:25 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item -v
|
|
|
|
|
@item --verbose
|
|
|
|
|
@opindex verbose
|
|
|
|
|
Outputs additional information while running.
|
|
|
|
|
You can increase the verbosity by giving several
|
2006-08-17 18:01:25 +00:00
|
|
|
|
verbose commands to @command{gpgsm}, such as @samp{-vv}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@item -q
|
|
|
|
|
@item --quiet
|
|
|
|
|
@opindex quiet
|
|
|
|
|
Try to be as quiet as possible.
|
|
|
|
|
|
|
|
|
|
@item --batch
|
|
|
|
|
@opindex batch
|
|
|
|
|
Don't invoke a pinentry or do any other thing requiring human interaction.
|
|
|
|
|
|
|
|
|
|
@item --faked-system-time @var{epoch}
|
|
|
|
|
@opindex faked-system-time
|
|
|
|
|
This option is only useful for testing; it sets the system time back or
|
|
|
|
|
forth to @var{epoch} which is the number of seconds elapsed since the year
|
|
|
|
|
1970.
|
|
|
|
|
|
2004-02-18 16:58:29 +00:00
|
|
|
|
@item --debug-level @var{level}
|
|
|
|
|
@opindex debug-level
|
|
|
|
|
Select the debug level for investigating problems. @var{level} may be
|
2009-12-03 18:04:40 +00:00
|
|
|
|
a numeric value or a keyword:
|
|
|
|
|
|
|
|
|
|
@table @code
|
|
|
|
|
@item none
|
|
|
|
|
No debugging at all. A value of less than 1 may be used instead of
|
|
|
|
|
the keyword.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@item basic
|
2009-12-03 18:04:40 +00:00
|
|
|
|
Some basic debug messages. A value between 1 and 2 may be used
|
|
|
|
|
instead of the keyword.
|
|
|
|
|
@item advanced
|
|
|
|
|
More verbose debug messages. A value between 3 and 5 may be used
|
|
|
|
|
instead of the keyword.
|
|
|
|
|
@item expert
|
|
|
|
|
Even more detailed messages. A value between 6 and 8 may be used
|
|
|
|
|
instead of the keyword.
|
|
|
|
|
@item guru
|
|
|
|
|
All of the debug messages you can get. A value greater than 8 may be
|
|
|
|
|
used instead of the keyword. The creation of hash tracing files is
|
|
|
|
|
only enabled if the keyword is used.
|
|
|
|
|
@end table
|
2004-02-18 16:58:29 +00:00
|
|
|
|
|
|
|
|
|
How these messages are mapped to the actual debugging flags is not
|
2008-01-28 08:03:08 +00:00
|
|
|
|
specified and may change with newer releases of this program. They are
|
2004-02-18 16:58:29 +00:00
|
|
|
|
however carefully selected to best aid in debugging.
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --debug @var{flags}
|
|
|
|
|
@opindex debug
|
|
|
|
|
This option is only useful for debugging and the behaviour may change at
|
|
|
|
|
any time without notice. FLAGS are bit encoded and may be given in
|
|
|
|
|
usual C-Syntax. The currently defined bits are:
|
2004-02-18 16:58:29 +00:00
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@table @code
|
|
|
|
|
@item 0 (1)
|
|
|
|
|
X.509 or OpenPGP protocol related data
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@item 1 (2)
|
|
|
|
|
values of big number integers
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@item 2 (4)
|
|
|
|
|
low level crypto operations
|
|
|
|
|
@item 5 (32)
|
|
|
|
|
memory allocation
|
|
|
|
|
@item 6 (64)
|
|
|
|
|
caching
|
|
|
|
|
@item 7 (128)
|
|
|
|
|
show memory statistics.
|
|
|
|
|
@item 9 (512)
|
|
|
|
|
write hashed data to files named @code{dbgmd-000*}
|
|
|
|
|
@item 10 (1024)
|
|
|
|
|
trace Assuan protocol
|
|
|
|
|
@item 12 (4096)
|
|
|
|
|
bypass all certificate validation
|
|
|
|
|
@end table
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@item --debug-all
|
|
|
|
|
@opindex debug-all
|
|
|
|
|
Same as @code{--debug=0xffffffff}
|
|
|
|
|
|
|
|
|
|
@item --debug-wait @var{n}
|
|
|
|
|
@opindex debug-wait
|
|
|
|
|
When running in server mode, wait @var{n} seconds before entering the
|
|
|
|
|
actual processing loop and print the pid. This gives time to attach a
|
|
|
|
|
debugger.
|
|
|
|
|
|
2014-10-30 09:55:51 +01:00
|
|
|
|
@item --debug-quick-random
|
|
|
|
|
@opindex debug-quick-random
|
2015-03-24 09:22:24 +01:00
|
|
|
|
This option inhibits the use of the very secure random quality level
|
2014-10-30 09:55:51 +01:00
|
|
|
|
(Libgcrypt’s @code{GCRY_VERY_STRONG_RANDOM}) and degrades all request
|
|
|
|
|
down to standard random quality. It is only used for testing and
|
|
|
|
|
shall not be used for any production quality keys. This option is
|
|
|
|
|
only effective when given on the command line.
|
|
|
|
|
|
2015-05-11 10:23:24 +02:00
|
|
|
|
@item --debug-pinentry
|
|
|
|
|
@opindex debug-pinentry
|
|
|
|
|
This option enables extra debug information pertaining to the
|
|
|
|
|
Pinentry. As of now it is only useful when used along with
|
|
|
|
|
@code{--debug 1024}.
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --no-detach
|
|
|
|
|
@opindex no-detach
|
2008-01-28 08:03:08 +00:00
|
|
|
|
Don't detach the process from the console. This is mainly useful for
|
2003-01-09 13:24:01 +00:00
|
|
|
|
debugging.
|
|
|
|
|
|
|
|
|
|
@item -s
|
|
|
|
|
@itemx --sh
|
|
|
|
|
@itemx -c
|
|
|
|
|
@itemx --csh
|
|
|
|
|
@opindex sh
|
|
|
|
|
@opindex csh
|
|
|
|
|
Format the info output in daemon mode for use with the standard Bourne
|
2008-01-30 13:26:32 +00:00
|
|
|
|
shell or the C-shell respectively. The default is to guess it based on
|
|
|
|
|
the environment variable @code{SHELL} which is correct in almost all
|
|
|
|
|
cases.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2005-09-06 18:42:13 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --no-grab
|
|
|
|
|
@opindex no-grab
|
2007-11-19 16:03:50 +00:00
|
|
|
|
Tell the pinentry not to grab the keyboard and mouse. This option
|
2007-10-31 13:09:16 +00:00
|
|
|
|
should in general not be used to avoid X-sniffing attacks.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2010-12-02 14:10:44 +00:00
|
|
|
|
@anchor{option --log-file}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --log-file @var{file}
|
|
|
|
|
@opindex log-file
|
2010-10-01 20:33:53 +00:00
|
|
|
|
Append all logging output to @var{file}. This is very helpful in seeing
|
|
|
|
|
what the agent actually does. If neither a log file nor a log file
|
|
|
|
|
descriptor has been set on a Windows platform, the Registry entry
|
2010-12-02 14:10:44 +00:00
|
|
|
|
@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
|
2010-10-01 20:33:53 +00:00
|
|
|
|
the logging output.
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2014-12-05 11:16:14 +01:00
|
|
|
|
@anchor{option --no-allow-mark-trusted}
|
|
|
|
|
@item --no-allow-mark-trusted
|
|
|
|
|
@opindex no-allow-mark-trusted
|
|
|
|
|
Do not allow clients to mark keys as trusted, i.e. put them into the
|
|
|
|
|
@file{trustlist.txt} file. This makes it harder for users to inadvertently
|
|
|
|
|
accept Root-CA keys.
|
2004-05-03 13:37:38 +00:00
|
|
|
|
|
2014-10-07 20:37:16 +02:00
|
|
|
|
@anchor{option --allow-preset-passphrase}
|
|
|
|
|
@item --allow-preset-passphrase
|
|
|
|
|
@opindex allow-preset-passphrase
|
|
|
|
|
This option allows the use of @command{gpg-preset-passphrase} to seed the
|
|
|
|
|
internal cache of @command{gpg-agent} with passphrases.
|
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@anchor{option --allow-loopback-pinentry}
|
|
|
|
|
@item --allow-loopback-pinentry
|
|
|
|
|
@opindex allow-loopback-pinentry
|
|
|
|
|
Allow clients to use the loopback pinentry features; see the option
|
|
|
|
|
@option{pinentry-mode} for details.
|
|
|
|
|
|
2015-05-11 18:08:44 +02:00
|
|
|
|
@item --no-allow-external-cache
|
|
|
|
|
@opindex no-allow-external-cache
|
|
|
|
|
Tell Pinentry not to enable features which use an external cache for
|
|
|
|
|
passphrases.
|
|
|
|
|
|
|
|
|
|
Some desktop environments prefer to unlock all
|
|
|
|
|
credentials with one master password and may have installed a Pinentry
|
|
|
|
|
which employs an additional external cache to implement such a policy.
|
|
|
|
|
By using this option the Pinentry is advised not to make use of such a
|
|
|
|
|
cache and instead always ask the user for the requested passphrase.
|
|
|
|
|
|
2015-06-09 21:07:00 +09:00
|
|
|
|
@item --allow-emacs-pinentry
|
|
|
|
|
@opindex allow-emacs-pinentry
|
|
|
|
|
Tell Pinentry to allow features to divert the passphrase entry to a
|
|
|
|
|
running Emacs instance. How this is exactly handled depends on the
|
|
|
|
|
version of the used Pinentry.
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@item --ignore-cache-for-signing
|
|
|
|
|
@opindex ignore-cache-for-signing
|
2004-09-30 08:38:32 +00:00
|
|
|
|
This option will let @command{gpg-agent} bypass the passphrase cache for all
|
2003-01-09 13:24:01 +00:00
|
|
|
|
signing operation. Note that there is also a per-session option to
|
|
|
|
|
control this behaviour but this command line option takes precedence.
|
|
|
|
|
|
|
|
|
|
@item --default-cache-ttl @var{n}
|
|
|
|
|
@opindex default-cache-ttl
|
2015-06-16 16:16:57 +02:00
|
|
|
|
Set the time a cache entry is valid to @var{n} seconds. The default
|
|
|
|
|
is 600 seconds. Each time a cache entry is accessed, the entry's
|
|
|
|
|
timer is reset. To set an entry's maximum lifetime, use
|
|
|
|
|
@command{max-cache-ttl}.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2005-06-07 19:09:18 +00:00
|
|
|
|
@item --default-cache-ttl-ssh @var{n}
|
|
|
|
|
@opindex default-cache-ttl
|
|
|
|
|
Set the time a cache entry used for SSH keys is valid to @var{n}
|
2015-06-16 16:16:57 +02:00
|
|
|
|
seconds. The default is 1800 seconds. Each time a cache entry is
|
|
|
|
|
accessed, the entry's timer is reset. To set an entry's maximum
|
|
|
|
|
lifetime, use @command{max-cache-ttl-ssh}.
|
2005-06-07 19:09:18 +00:00
|
|
|
|
|
2004-09-09 07:29:35 +00:00
|
|
|
|
@item --max-cache-ttl @var{n}
|
|
|
|
|
@opindex max-cache-ttl
|
|
|
|
|
Set the maximum time a cache entry is valid to @var{n} seconds. After
|
2008-01-28 08:03:08 +00:00
|
|
|
|
this time a cache entry will be expired even if it has been accessed
|
2014-06-24 13:46:52 +02:00
|
|
|
|
recently or has been set using @command{gpg-preset-passphrase}. The
|
|
|
|
|
default is 2 hours (7200 seconds).
|
2004-09-09 07:29:35 +00:00
|
|
|
|
|
2005-06-16 08:12:03 +00:00
|
|
|
|
@item --max-cache-ttl-ssh @var{n}
|
|
|
|
|
@opindex max-cache-ttl-ssh
|
2014-06-24 13:46:52 +02:00
|
|
|
|
Set the maximum time a cache entry used for SSH keys is valid to
|
|
|
|
|
@var{n} seconds. After this time a cache entry will be expired even
|
|
|
|
|
if it has been accessed recently or has been set using
|
|
|
|
|
@command{gpg-preset-passphrase}. The default is 2 hours (7200
|
|
|
|
|
seconds).
|
2005-06-16 08:12:03 +00:00
|
|
|
|
|
2007-08-27 18:10:27 +00:00
|
|
|
|
@item --enforce-passphrase-constraints
|
|
|
|
|
@opindex enforce-passphrase-constraints
|
|
|
|
|
Enforce the passphrase constraints by not allowing the user to bypass
|
|
|
|
|
them using the ``Take it anyway'' button.
|
|
|
|
|
|
2007-01-25 08:30:47 +00:00
|
|
|
|
@item --min-passphrase-len @var{n}
|
|
|
|
|
@opindex min-passphrase-len
|
2007-03-06 20:44:41 +00:00
|
|
|
|
Set the minimal length of a passphrase. When entering a new passphrase
|
2007-01-25 08:30:47 +00:00
|
|
|
|
shorter than this value a warning will be displayed. Defaults to 8.
|
|
|
|
|
|
2007-08-27 18:10:27 +00:00
|
|
|
|
@item --min-passphrase-nonalpha @var{n}
|
|
|
|
|
@opindex min-passphrase-nonalpha
|
|
|
|
|
Set the minimal number of digits or special characters required in a
|
|
|
|
|
passphrase. When entering a new passphrase with less than this number
|
|
|
|
|
of digits or special characters a warning will be displayed. Defaults
|
|
|
|
|
to 1.
|
|
|
|
|
|
|
|
|
|
@item --check-passphrase-pattern @var{file}
|
|
|
|
|
@opindex check-passphrase-pattern
|
|
|
|
|
Check the passphrase against the pattern given in @var{file}. When
|
|
|
|
|
entering a new passphrase matching one of these pattern a warning will
|
|
|
|
|
be displayed. @var{file} should be an absolute filename. The default is
|
2011-03-03 18:35:08 +01:00
|
|
|
|
not to use any pattern file.
|
2007-08-27 18:10:27 +00:00
|
|
|
|
|
|
|
|
|
Security note: It is known that checking a passphrase against a list of
|
|
|
|
|
pattern or even against a complete dictionary is not very effective to
|
|
|
|
|
enforce good passphrases. Users will soon figure up ways to bypass such
|
|
|
|
|
a policy. A better policy is to educate users on good security
|
2008-01-28 08:03:08 +00:00
|
|
|
|
behavior and optionally to run a passphrase cracker regularly on all
|
|
|
|
|
users passphrases to catch the very simple ones.
|
2007-08-27 18:10:27 +00:00
|
|
|
|
|
2007-08-28 17:48:13 +00:00
|
|
|
|
@item --max-passphrase-days @var{n}
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@opindex max-passphrase-days
|
2007-08-28 17:48:13 +00:00
|
|
|
|
Ask the user to change the passphrase if @var{n} days have passed since
|
|
|
|
|
the last change. With @option{--enforce-passphrase-constraints} set the
|
|
|
|
|
user may not bypass this check.
|
|
|
|
|
|
|
|
|
|
@item --enable-passphrase-history
|
|
|
|
|
@opindex enable-passphrase-history
|
|
|
|
|
This option does nothing yet.
|
2007-08-27 18:10:27 +00:00
|
|
|
|
|
2004-02-04 19:13:16 +00:00
|
|
|
|
@item --pinentry-program @var{filename}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@opindex pinentry-program
|
2015-02-04 10:09:28 +01:00
|
|
|
|
Use program @var{filename} as the PIN entry. The default is
|
|
|
|
|
installation dependent. With the default configuration the name of
|
|
|
|
|
the default pinentry is @file{pinentry}; if that file does not exist
|
|
|
|
|
but a @file{pinentry-basic} exist the latter is used.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2015-07-28 12:52:26 +02:00
|
|
|
|
On a Windows platform the default is to use the first existing program
|
|
|
|
|
from this list:
|
|
|
|
|
@file{bin\pinentry.exe},
|
|
|
|
|
@file{..\Gpg4win\bin\pinentry.exe},
|
|
|
|
|
@file{..\Gpg4win\pinentry.exe},
|
|
|
|
|
@file{..\GNU\GnuPG\pinentry.exe},
|
|
|
|
|
@file{..\GNU\bin\pinentry.exe},
|
|
|
|
|
@file{bin\pinentry-basic.exe}
|
|
|
|
|
where the file names are relative to the GnuPG installation directory.
|
|
|
|
|
|
|
|
|
|
|
2007-02-14 16:27:55 +00:00
|
|
|
|
@item --pinentry-touch-file @var{filename}
|
|
|
|
|
@opindex pinentry-touch-file
|
2008-01-28 08:03:08 +00:00
|
|
|
|
By default the filename of the socket gpg-agent is listening for
|
2007-02-14 16:27:55 +00:00
|
|
|
|
requests is passed to Pinentry, so that it can touch that file before
|
|
|
|
|
exiting (it does this only in curses mode). This option changes the
|
|
|
|
|
file passed to Pinentry to @var{filename}. The special name
|
|
|
|
|
@code{/dev/null} may be used to completely disable this feature. Note
|
|
|
|
|
that Pinentry will not create that file, it will only change the
|
|
|
|
|
modification and access time.
|
|
|
|
|
|
|
|
|
|
|
2004-02-04 19:13:16 +00:00
|
|
|
|
@item --scdaemon-program @var{filename}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@opindex scdaemon-program
|
2004-02-04 19:13:16 +00:00
|
|
|
|
Use program @var{filename} as the Smartcard daemon. The default is
|
2010-08-19 09:53:55 +00:00
|
|
|
|
installation dependent and can be shown with the @command{gpgconf}
|
2004-02-04 19:13:16 +00:00
|
|
|
|
command.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@item --disable-scdaemon
|
|
|
|
|
@opindex disable-scdaemon
|
|
|
|
|
Do not make use of the scdaemon tool. This option has the effect of
|
|
|
|
|
disabling the ability to do smartcard operations. Note, that enabling
|
|
|
|
|
this option at runtime does not kill an already forked scdaemon.
|
|
|
|
|
|
2013-05-21 12:10:00 +01:00
|
|
|
|
@item --disable-check-own-socket
|
|
|
|
|
@opindex disable-check-own-socket
|
|
|
|
|
@command{gpg-agent} employs a periodic self-test to detect a stolen
|
|
|
|
|
socket. This usually means a second instance of @command{gpg-agent}
|
|
|
|
|
has taken over the socket and @command{gpg-agent} will then terminate
|
|
|
|
|
itself. This option may be used to disable this self-test for
|
|
|
|
|
debugging purposes.
|
|
|
|
|
|
2004-12-20 16:17:25 +00:00
|
|
|
|
@item --use-standard-socket
|
|
|
|
|
@itemx --no-use-standard-socket
|
2015-03-24 09:22:24 +01:00
|
|
|
|
@itemx --use-standard-socket-p
|
2004-12-20 16:17:25 +00:00
|
|
|
|
@opindex use-standard-socket
|
|
|
|
|
@opindex no-use-standard-socket
|
2015-03-24 09:22:24 +01:00
|
|
|
|
@opindex use-standard-socket-p
|
2014-10-03 11:58:58 +02:00
|
|
|
|
Since GnuPG 2.1 the standard socket is always used. These options
|
2015-03-24 09:22:24 +01:00
|
|
|
|
have no more effect. The command @code{gpg-agent
|
|
|
|
|
--use-standard-socket-p} will thus always return success.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@item --display @var{string}
|
|
|
|
|
@itemx --ttyname @var{string}
|
|
|
|
|
@itemx --ttytype @var{string}
|
2009-03-02 12:32:54 +00:00
|
|
|
|
@itemx --lc-ctype @var{string}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@itemx --lc-messages @var{string}
|
2007-11-19 16:03:50 +00:00
|
|
|
|
@itemx --xauthority @var{string}
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@opindex display
|
|
|
|
|
@opindex ttyname
|
|
|
|
|
@opindex ttytype
|
|
|
|
|
@opindex lc-ctype
|
2004-09-29 11:04:30 +00:00
|
|
|
|
@opindex lc-messages
|
2007-11-19 16:03:50 +00:00
|
|
|
|
@opindex xauthority
|
2003-01-09 13:24:01 +00:00
|
|
|
|
These options are used with the server mode to pass localization
|
|
|
|
|
information.
|
|
|
|
|
|
|
|
|
|
@item --keep-tty
|
|
|
|
|
@itemx --keep-display
|
|
|
|
|
@opindex keep-tty
|
|
|
|
|
@opindex keep-display
|
2008-01-30 13:26:32 +00:00
|
|
|
|
Ignore requests to change the current @code{tty} or X window system's
|
|
|
|
|
@code{DISPLAY} variable respectively. This is useful to lock the
|
2006-08-17 18:01:25 +00:00
|
|
|
|
pinentry to pop up at the @code{tty} or display you started the agent.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2014-11-27 20:41:37 +01:00
|
|
|
|
|
|
|
|
|
@anchor{option --extra-socket}
|
|
|
|
|
@item --extra-socket @var{name}
|
|
|
|
|
@opindex extra-socket
|
|
|
|
|
Also listen on native gpg-agent connections on the given socket. The
|
|
|
|
|
intended use for this extra socket is to setup a Unix domain socket
|
|
|
|
|
forwarding from a remote machine to this socket on the local machine.
|
|
|
|
|
A @command{gpg} running on the remote machine may then connect to the
|
|
|
|
|
local gpg-agent and use its private keys. This allows to decrypt or
|
|
|
|
|
sign data on a remote machine without exposing the private keys to the
|
|
|
|
|
remote machine.
|
|
|
|
|
|
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@anchor{option --enable-ssh-support}
|
2005-02-24 17:36:11 +00:00
|
|
|
|
@item --enable-ssh-support
|
2015-06-29 12:24:58 +02:00
|
|
|
|
@itemx --enable-putty-support
|
2005-02-24 17:36:11 +00:00
|
|
|
|
@opindex enable-ssh-support
|
2015-06-29 12:24:58 +02:00
|
|
|
|
@opindex enable-putty-support
|
2005-01-26 23:15:42 +00:00
|
|
|
|
|
2010-10-14 16:34:31 +00:00
|
|
|
|
Enable the OpenSSH Agent protocol.
|
2005-01-26 23:15:42 +00:00
|
|
|
|
|
|
|
|
|
In this mode of operation, the agent does not only implement the
|
|
|
|
|
gpg-agent protocol, but also the agent protocol used by OpenSSH
|
2008-01-28 08:03:08 +00:00
|
|
|
|
(through a separate socket). Consequently, it should be possible to use
|
2005-01-26 23:15:42 +00:00
|
|
|
|
the gpg-agent as a drop-in replacement for the well known ssh-agent.
|
|
|
|
|
|
|
|
|
|
SSH Keys, which are to be used through the agent, need to be added to
|
|
|
|
|
the gpg-agent initially through the ssh-add utility. When a key is
|
|
|
|
|
added, ssh-add will ask for the password of the provided key file and
|
|
|
|
|
send the unprotected key material to the agent; this causes the
|
|
|
|
|
gpg-agent to ask for a passphrase, which is to be used for encrypting
|
|
|
|
|
the newly received key and storing it in a gpg-agent specific
|
|
|
|
|
directory.
|
|
|
|
|
|
2008-01-28 08:03:08 +00:00
|
|
|
|
Once a key has been added to the gpg-agent this way, the gpg-agent
|
2005-01-26 23:15:42 +00:00
|
|
|
|
will be ready to use the key.
|
|
|
|
|
|
2005-06-03 13:57:24 +00:00
|
|
|
|
Note: in case the gpg-agent receives a signature request, the user might
|
|
|
|
|
need to be prompted for a passphrase, which is necessary for decrypting
|
|
|
|
|
the stored key. Since the ssh-agent protocol does not contain a
|
|
|
|
|
mechanism for telling the agent on which display/terminal it is running,
|
|
|
|
|
gpg-agent's ssh-support will use the TTY or X display where gpg-agent
|
|
|
|
|
has been started. To switch this display to the current one, the
|
2008-01-28 08:03:08 +00:00
|
|
|
|
following command may be used:
|
2005-06-03 13:57:24 +00:00
|
|
|
|
|
|
|
|
|
@smallexample
|
2010-10-14 16:34:31 +00:00
|
|
|
|
gpg-connect-agent updatestartuptty /bye
|
2005-06-03 13:57:24 +00:00
|
|
|
|
@end smallexample
|
|
|
|
|
|
2010-10-14 16:34:31 +00:00
|
|
|
|
Although all GnuPG components try to start the gpg-agent as needed, this
|
|
|
|
|
is not possible for the ssh support because ssh does not know about it.
|
|
|
|
|
Thus if no GnuPG tool which accesses the agent has been run, there is no
|
2015-01-22 17:49:55 +01:00
|
|
|
|
guarantee that ssh is able to use gpg-agent for authentication. To fix
|
2010-10-14 16:34:31 +00:00
|
|
|
|
this you may start gpg-agent if needed using this simple command:
|
2005-06-03 13:57:24 +00:00
|
|
|
|
|
2010-10-14 16:34:31 +00:00
|
|
|
|
@smallexample
|
|
|
|
|
gpg-connect-agent /bye
|
|
|
|
|
@end smallexample
|
|
|
|
|
|
|
|
|
|
Adding the @option{--verbose} shows the progress of starting the agent.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2015-06-29 12:24:58 +02:00
|
|
|
|
The @option{--enable-putty-support} is only available under Windows
|
|
|
|
|
and allows the use of gpg-agent with the ssh implementation
|
|
|
|
|
@command{putty}. This is similar to the regular ssh-agent support but
|
|
|
|
|
makes use of Windows message queue as required by @command{putty}.
|
|
|
|
|
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
All the long options may also be given in the configuration file after
|
|
|
|
|
stripping off the two leading dashes.
|
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@mansect files
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@node Agent Configuration
|
|
|
|
|
@section Configuration
|
|
|
|
|
|
|
|
|
|
There are a few configuration files needed for the operation of the
|
|
|
|
|
agent. By default they may all be found in the current home directory
|
|
|
|
|
(@pxref{option --homedir}).
|
|
|
|
|
|
|
|
|
|
@table @file
|
|
|
|
|
|
|
|
|
|
@item gpg-agent.conf
|
|
|
|
|
@cindex gpg-agent.conf
|
|
|
|
|
This is the standard configuration file read by @command{gpg-agent} on
|
|
|
|
|
startup. It may contain any valid long option; the leading
|
|
|
|
|
two dashes may not be entered and the option may not be abbreviated.
|
|
|
|
|
This file is also read after a @code{SIGHUP} however only a few
|
|
|
|
|
options will actually have an effect. This default name may be
|
2011-03-03 18:35:08 +01:00
|
|
|
|
changed on the command line (@pxref{option --options}).
|
2009-07-22 10:24:46 +00:00
|
|
|
|
You should backup this file.
|
2005-04-20 18:46:51 +00:00
|
|
|
|
|
|
|
|
|
@item trustlist.txt
|
2009-07-22 10:24:46 +00:00
|
|
|
|
This is the list of trusted keys. You should backup this file.
|
|
|
|
|
|
|
|
|
|
Comment lines, indicated by a leading hash mark, as well as empty
|
|
|
|
|
lines are ignored. To mark a key as trusted you need to enter its
|
|
|
|
|
fingerprint followed by a space and a capital letter @code{S}. Colons
|
|
|
|
|
may optionally be used to separate the bytes of a fingerprint; this
|
|
|
|
|
allows to cut and paste the fingerprint from a key listing output. If
|
|
|
|
|
the line is prefixed with a @code{!} the key is explicitly marked as
|
|
|
|
|
not trusted.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2009-03-19 10:21:51 +00:00
|
|
|
|
Here is an example where two keys are marked as ultimately trusted
|
|
|
|
|
and one as not trusted:
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@cartouche
|
|
|
|
|
@smallexample
|
2005-04-20 18:46:51 +00:00
|
|
|
|
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
|
|
|
|
|
A6935DD34EF3087973C706FC311AA2CCF733765B S
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
|
2011-03-03 18:35:08 +01:00
|
|
|
|
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
|
2009-03-19 10:21:51 +00:00
|
|
|
|
|
|
|
|
|
# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
|
|
|
|
|
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@end smallexample
|
|
|
|
|
@end cartouche
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2006-09-15 18:53:37 +00:00
|
|
|
|
Before entering a key into this file, you need to ensure its
|
|
|
|
|
authenticity. How to do this depends on your organisation; your
|
|
|
|
|
administrator might have already entered those keys which are deemed
|
|
|
|
|
trustworthy enough into this file. Places where to look for the
|
|
|
|
|
fingerprint of a root certificate are letters received from the CA or
|
|
|
|
|
the website of the CA (after making 100% sure that this is indeed the
|
2014-12-05 11:16:14 +01:00
|
|
|
|
website of that CA). You may want to consider disallowing interactive
|
|
|
|
|
updates of this file by using the @xref{option --no-allow-mark-trusted}.
|
|
|
|
|
It might even be advisable to change the permissions to read-only so
|
|
|
|
|
that this file can't be changed inadvertently.
|
2006-09-15 18:53:37 +00:00
|
|
|
|
|
|
|
|
|
As a special feature a line @code{include-default} will include a global
|
2015-06-09 21:29:15 +02:00
|
|
|
|
list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
|
2007-04-03 16:57:37 +00:00
|
|
|
|
This global list is also used if the local list is not available.
|
2006-09-15 18:53:37 +00:00
|
|
|
|
|
2007-08-14 16:50:27 +00:00
|
|
|
|
It is possible to add further flags after the @code{S} for use by the
|
|
|
|
|
caller:
|
|
|
|
|
|
|
|
|
|
@table @code
|
2010-10-05 19:05:43 +00:00
|
|
|
|
|
2007-08-14 16:50:27 +00:00
|
|
|
|
@item relax
|
2010-10-05 19:05:43 +00:00
|
|
|
|
@cindex relax
|
|
|
|
|
Relax checking of some root certificate requirements. As of now this
|
|
|
|
|
flag allows the use of root certificates with a missing basicConstraints
|
|
|
|
|
attribute (despite that it is a MUST for CA certificates) and disables
|
|
|
|
|
CRL checking for the root certificate.
|
2007-08-14 16:50:27 +00:00
|
|
|
|
|
|
|
|
|
@item cm
|
|
|
|
|
If validation of a certificate finally issued by a CA with this flag set
|
|
|
|
|
fails, try again using the chain validation model.
|
|
|
|
|
|
|
|
|
|
@end table
|
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@item sshcontrol
|
2010-10-05 19:05:43 +00:00
|
|
|
|
@cindex sshcontrol
|
2007-08-14 16:50:27 +00:00
|
|
|
|
This file is used when support for the secure shell agent protocol has
|
2009-07-22 10:24:46 +00:00
|
|
|
|
been enabled (@pxref{option --enable-ssh-support}). Only keys present in
|
|
|
|
|
this file are used in the SSH protocol. You should backup this file.
|
|
|
|
|
|
|
|
|
|
The @command{ssh-add} tool may be used to add new entries to this file;
|
|
|
|
|
you may also add them manually. Comment lines, indicated by a leading
|
|
|
|
|
hash mark, as well as empty lines are ignored. An entry starts with
|
|
|
|
|
optional whitespace, followed by the keygrip of the key given as 40 hex
|
|
|
|
|
digits, optionally followed by the caching TTL in seconds and another
|
|
|
|
|
optional field for arbitrary flags. A non-zero TTL overrides the global
|
|
|
|
|
default as set by @option{--default-cache-ttl-ssh}.
|
2009-05-15 19:26:46 +00:00
|
|
|
|
|
2011-07-20 20:49:41 +02:00
|
|
|
|
The only flag support is @code{confirm}. If this flag is found for a
|
|
|
|
|
key, each use of the key will pop up a pinentry to confirm the use of
|
|
|
|
|
that key. The flag is automatically set if a new key was loaded into
|
|
|
|
|
@code{gpg-agent} using the option @option{-c} of the @code{ssh-add}
|
|
|
|
|
command.
|
|
|
|
|
|
2009-05-15 19:26:46 +00:00
|
|
|
|
The keygrip may be prefixed with a @code{!} to disable an entry entry.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2008-01-28 08:03:08 +00:00
|
|
|
|
The following example lists exactly one key. Note that keys available
|
2007-08-14 16:50:27 +00:00
|
|
|
|
through a OpenPGP smartcard in the active smartcard reader are
|
2008-01-28 08:03:08 +00:00
|
|
|
|
implicitly added to this list; i.e. there is no need to list them.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2014-10-10 13:51:19 +02:00
|
|
|
|
@cartouche
|
|
|
|
|
@smallexample
|
|
|
|
|
# Key added on: 2011-07-20 20:38:46
|
|
|
|
|
# Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
|
|
|
|
|
34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
|
|
|
|
|
@end smallexample
|
|
|
|
|
@end cartouche
|
2006-09-08 17:02:06 +00:00
|
|
|
|
|
|
|
|
|
@item private-keys-v1.d/
|
|
|
|
|
|
|
|
|
|
This is the directory where gpg-agent stores the private keys. Each
|
|
|
|
|
key is stored in a file with the name made up of the keygrip and the
|
2009-07-22 10:24:46 +00:00
|
|
|
|
suffix @file{key}. You should backup all files in this directory
|
|
|
|
|
and take great care to keep this backup closed away.
|
2006-09-08 17:02:06 +00:00
|
|
|
|
|
|
|
|
|
|
2005-04-20 18:46:51 +00:00
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
Note that on larger installations, it is useful to put predefined
|
2015-06-09 21:29:15 +02:00
|
|
|
|
files into the directory @file{@value{SYSCONFSKELDIR}} so that newly created
|
2005-04-20 18:46:51 +00:00
|
|
|
|
users start up with a working configuration. For existing users the
|
2008-01-28 08:03:08 +00:00
|
|
|
|
a small helper script is provided to create these files (@pxref{addgnupghome}).
|
2005-04-20 18:46:51 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@c
|
|
|
|
|
@c Agent Signals
|
|
|
|
|
@c
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@mansect signals
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent Signals
|
|
|
|
|
@section Use of some signals.
|
|
|
|
|
A running @command{gpg-agent} may be controlled by signals, i.e. using
|
2011-03-03 18:35:08 +01:00
|
|
|
|
the @command{kill} command to send a signal to the process.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
Here is a list of supported signals:
|
|
|
|
|
|
|
|
|
|
@table @gnupgtabopt
|
|
|
|
|
|
|
|
|
|
@item SIGHUP
|
|
|
|
|
@cpindex SIGHUP
|
2008-01-28 08:03:08 +00:00
|
|
|
|
This signal flushes all cached passphrases and if the program has been
|
2013-05-21 12:10:00 +01:00
|
|
|
|
started with a configuration file, the configuration file is read
|
|
|
|
|
again. Only certain options are honored: @code{quiet},
|
|
|
|
|
@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level},
|
2015-05-11 10:23:24 +02:00
|
|
|
|
@code{debug-pinentry},
|
2013-05-21 12:10:00 +01:00
|
|
|
|
@code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl},
|
|
|
|
|
@code{max-cache-ttl}, @code{ignore-cache-for-signing},
|
2015-06-09 21:07:00 +09:00
|
|
|
|
@code{no-allow-external-cache}, @code{allow-emacs-pinentry},
|
2014-12-05 11:16:14 +01:00
|
|
|
|
@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
|
2013-05-21 12:10:00 +01:00
|
|
|
|
@code{disable-check-own-socket}. @code{scdaemon-program} is also
|
|
|
|
|
supported but due to the current implementation, which calls the
|
|
|
|
|
scdaemon only once, it is not of much use unless you manually kill the
|
|
|
|
|
scdaemon.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@item SIGTERM
|
|
|
|
|
@cpindex SIGTERM
|
|
|
|
|
Shuts down the process but waits until all current requests are
|
|
|
|
|
fulfilled. If the process has received 3 of these signals and requests
|
|
|
|
|
are still pending, a shutdown is forced.
|
|
|
|
|
|
|
|
|
|
@item SIGINT
|
|
|
|
|
@cpindex SIGINT
|
|
|
|
|
Shuts down the process immediately.
|
|
|
|
|
|
2004-04-21 14:43:51 +00:00
|
|
|
|
@item SIGUSR1
|
|
|
|
|
@cpindex SIGUSR1
|
2005-06-07 19:09:18 +00:00
|
|
|
|
Dump internal information to the log file.
|
|
|
|
|
|
|
|
|
|
@item SIGUSR2
|
2004-04-21 14:43:51 +00:00
|
|
|
|
@cpindex SIGUSR2
|
2005-06-07 19:09:18 +00:00
|
|
|
|
This signal is used for internal purposes.
|
2004-04-21 14:43:51 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end table
|
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@c
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@c Examples
|
|
|
|
|
@c
|
2006-08-17 18:01:25 +00:00
|
|
|
|
@mansect examples
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent Examples
|
|
|
|
|
@section Examples
|
|
|
|
|
|
2014-10-03 11:58:58 +02:00
|
|
|
|
It is important to set the GPG_TTY environment variable in
|
|
|
|
|
your login shell, for example in the @file{~/.bashrc} init script:
|
|
|
|
|
|
|
|
|
|
@cartouche
|
|
|
|
|
@example
|
|
|
|
|
export GPG_TTY=$(tty)
|
|
|
|
|
@end example
|
|
|
|
|
@end cartouche
|
|
|
|
|
|
|
|
|
|
If you enabled the Ssh Agent Support, you also need to tell ssh about
|
|
|
|
|
it by adding this to your init script:
|
|
|
|
|
|
|
|
|
|
@cartouche
|
|
|
|
|
@example
|
|
|
|
|
unset SSH_AGENT_PID
|
|
|
|
|
if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
|
|
|
|
|
export SSH_AUTH_SOCK="$@{HOME@}/.gnupg/S.gpg-agent.ssh"
|
|
|
|
|
fi
|
|
|
|
|
@end example
|
|
|
|
|
@end cartouche
|
2005-06-07 19:09:18 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@c
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@c Assuan Protocol
|
|
|
|
|
@c
|
2006-09-04 14:53:20 +00:00
|
|
|
|
@manpause
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent Protocol
|
|
|
|
|
@section Agent's Assuan Protocol
|
|
|
|
|
|
2005-01-26 23:15:42 +00:00
|
|
|
|
Note: this section does only document the protocol, which is used by
|
|
|
|
|
GnuPG components; it does not deal with the ssh-agent protocol.
|
|
|
|
|
|
2014-10-03 11:58:58 +02:00
|
|
|
|
The @command{gpg-agent} daemon is started on demand by the GnuPG
|
|
|
|
|
components.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
To identify a key we use a thing called keygrip which is the SHA-1 hash
|
2009-07-22 13:33:46 +00:00
|
|
|
|
of an canonical encoded S-Expression of the public key as used in
|
2003-01-09 13:24:01 +00:00
|
|
|
|
Libgcrypt. For the purpose of this interface the keygrip is given as a
|
|
|
|
|
hex string. The advantage of using this and not the hash of a
|
|
|
|
|
certificate is that it will be possible to use the same keypair for
|
|
|
|
|
different protocols, thereby saving space on the token used to keep the
|
|
|
|
|
secret keys.
|
|
|
|
|
|
2012-04-03 20:53:23 -04:00
|
|
|
|
The @command{gpg-agent} may send status messages during a command or when
|
|
|
|
|
returning from a command to inform a client about the progress or result of an
|
|
|
|
|
operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
|
|
|
|
|
during a server inquire to inform the client of the maximum usable length of
|
|
|
|
|
the inquired data (which should not be exceeded).
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@menu
|
|
|
|
|
* Agent PKDECRYPT:: Decrypting a session key
|
|
|
|
|
* Agent PKSIGN:: Signing a Hash
|
|
|
|
|
* Agent GENKEY:: Generating a Key
|
|
|
|
|
* Agent IMPORT:: Importing a Secret Key
|
|
|
|
|
* Agent EXPORT:: Exporting a Secret Key
|
|
|
|
|
* Agent ISTRUSTED:: Importing a Root Certificate
|
|
|
|
|
* Agent GET_PASSPHRASE:: Ask for a passphrase
|
2012-04-03 20:53:19 -04:00
|
|
|
|
* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
|
2012-04-03 20:53:20 -04:00
|
|
|
|
* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
|
2003-10-31 12:12:17 +00:00
|
|
|
|
* Agent GET_CONFIRMATION:: Ask for confirmation
|
2003-01-09 13:24:01 +00:00
|
|
|
|
* Agent HAVEKEY:: Check whether a key is available
|
|
|
|
|
* Agent LEARN:: Register a smartcard
|
|
|
|
|
* Agent PASSWD:: Change a Passphrase
|
2005-06-03 13:57:24 +00:00
|
|
|
|
* Agent UPDATESTARTUPTTY:: Change the Standard Display
|
2006-11-14 14:53:42 +00:00
|
|
|
|
* Agent GETEVENTCOUNTER:: Get the Event Counters
|
2007-06-18 10:33:12 +00:00
|
|
|
|
* Agent GETINFO:: Return information about the process
|
2011-03-03 18:35:08 +01:00
|
|
|
|
* Agent OPTION:: Set options for the session
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
@node Agent PKDECRYPT
|
|
|
|
|
@subsection Decrypting a session key
|
|
|
|
|
|
|
|
|
|
The client asks the server to decrypt a session key. The encrypted
|
|
|
|
|
session key should have all information needed to select the
|
|
|
|
|
appropriate secret key or to delegate it to a smartcard.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
SETKEY <keyGrip>
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Tell the server about the key to be used for decryption. If this is
|
2004-09-30 08:38:32 +00:00
|
|
|
|
not used, @command{gpg-agent} may try to figure out the key by trying to
|
2003-01-09 13:24:01 +00:00
|
|
|
|
decrypt the message with each key available.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
PKDECRYPT
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The agent checks whether this command is allowed and then does an
|
|
|
|
|
INQUIRY to get the ciphertext the client should then send the cipher
|
|
|
|
|
text.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
S: INQUIRE CIPHERTEXT
|
|
|
|
|
C: D (xxxxxx
|
|
|
|
|
C: D xxxx)
|
|
|
|
|
C: END
|
|
|
|
|
@end example
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
Please note that the server may send status info lines while reading the
|
|
|
|
|
data lines from the client. The data send is a SPKI like S-Exp with
|
|
|
|
|
this structure:
|
|
|
|
|
|
|
|
|
|
@example
|
2011-03-03 18:35:08 +01:00
|
|
|
|
(enc-val
|
2003-01-09 13:24:01 +00:00
|
|
|
|
(<algo>
|
|
|
|
|
(<param_name1> <mpi>)
|
|
|
|
|
...
|
|
|
|
|
(<param_namen> <mpi>)))
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Where algo is a string with the name of the algorithm; see the libgcrypt
|
|
|
|
|
documentation for a list of valid algorithms. The number and names of
|
|
|
|
|
the parameters depend on the algorithm. The agent does return an error
|
|
|
|
|
if there is an inconsistency.
|
|
|
|
|
|
|
|
|
|
If the decryption was successful the decrypted data is returned by
|
2011-03-03 18:35:08 +01:00
|
|
|
|
means of "D" lines.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
Here is an example session:
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@cartouche
|
|
|
|
|
@smallexample
|
2003-01-09 13:24:01 +00:00
|
|
|
|
C: PKDECRYPT
|
|
|
|
|
S: INQUIRE CIPHERTEXT
|
2011-03-03 18:35:08 +01:00
|
|
|
|
C: D (enc-val elg (a 349324324)
|
2003-01-09 13:24:01 +00:00
|
|
|
|
C: D (b 3F444677CA)))
|
|
|
|
|
C: END
|
|
|
|
|
S: # session key follows
|
2013-08-26 17:29:54 +02:00
|
|
|
|
S: S PADDING 0
|
2006-08-29 16:18:30 +00:00
|
|
|
|
S: D (value 1234567890ABCDEF0)
|
2003-01-09 13:24:01 +00:00
|
|
|
|
S: OK descryption successful
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@end smallexample
|
|
|
|
|
@end cartouche
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2013-08-26 17:29:54 +02:00
|
|
|
|
The “PADDING” status line is only send if gpg-agent can tell what kind
|
|
|
|
|
of padding is used. As of now only the value 0 is used to indicate
|
|
|
|
|
that the padding has been removed.
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@node Agent PKSIGN
|
|
|
|
|
@subsection Signing a Hash
|
|
|
|
|
|
|
|
|
|
The client ask the agent to sign a given hash value. A default key
|
|
|
|
|
will be chosen if no key has been set. To set a key a client first
|
|
|
|
|
uses:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
SIGKEY <keyGrip>
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
This can be used multiple times to create multiple signature, the list
|
|
|
|
|
of keys is reset with the next PKSIGN command or a RESET. The server
|
|
|
|
|
test whether the key is a valid key to sign something and responds with
|
|
|
|
|
okay.
|
|
|
|
|
|
|
|
|
|
@example
|
2006-10-10 11:11:04 +00:00
|
|
|
|
SETHASH --hash=<name>|<algo> <hexstring>
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end example
|
|
|
|
|
|
2006-10-05 11:06:42 +00:00
|
|
|
|
The client can use this command to tell the server about the data <hexstring>
|
|
|
|
|
(which usually is a hash) to be signed. <algo> is the decimal encoded hash
|
2006-10-10 11:11:04 +00:00
|
|
|
|
algorithm number as used by Libgcrypt. Either <algo> or --hash=<name>
|
|
|
|
|
must be given. Valid names for <name> are:
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@table @code
|
|
|
|
|
@item sha1
|
2014-06-25 11:15:45 +02:00
|
|
|
|
The SHA-1 hash algorithm
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@item sha256
|
2014-06-25 11:15:45 +02:00
|
|
|
|
The SHA-256 hash algorithm
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@item rmd160
|
2014-06-25 11:15:45 +02:00
|
|
|
|
The RIPE-MD160 hash algorithm
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@item md5
|
2014-06-25 11:15:45 +02:00
|
|
|
|
The old and broken MD5 hash algorithm
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@item tls-md5sha1
|
2014-06-25 11:15:45 +02:00
|
|
|
|
A combined hash algorithm as used by the TLS protocol.
|
2006-10-10 11:11:04 +00:00
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
@noindent
|
2003-01-09 13:24:01 +00:00
|
|
|
|
The actual signing is done using
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
PKSIGN <options>
|
|
|
|
|
@end example
|
|
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
|
Options are not yet defined, but my later be used to choose among
|
2006-10-10 11:11:04 +00:00
|
|
|
|
different algorithms. The agent does then some checks, asks for the
|
|
|
|
|
passphrase and as a result the server returns the signature as an SPKI
|
|
|
|
|
like S-expression in "D" lines:
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@example
|
|
|
|
|
(sig-val
|
2003-01-09 13:24:01 +00:00
|
|
|
|
(<algo>
|
|
|
|
|
(<param_name1> <mpi>)
|
|
|
|
|
...
|
|
|
|
|
(<param_namen> <mpi>)))
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The operation is affected by the option
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
OPTION use-cache-for-signing=0|1
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The default of @code{1} uses the cache. Setting this option to @code{0}
|
2004-09-30 08:38:32 +00:00
|
|
|
|
will lead @command{gpg-agent} to ignore the passphrase cache. Note, that there is
|
|
|
|
|
also a global command line option for @command{gpg-agent} to globally disable the
|
2003-01-09 13:24:01 +00:00
|
|
|
|
caching.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Here is an example session:
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@cartouche
|
|
|
|
|
@smallexample
|
2003-01-09 13:24:01 +00:00
|
|
|
|
C: SIGKEY <keyGrip>
|
|
|
|
|
S: OK key available
|
|
|
|
|
C: SIGKEY <keyGrip>
|
|
|
|
|
S: OK key available
|
|
|
|
|
C: PKSIGN
|
|
|
|
|
S: # I did ask the user whether he really wants to sign
|
|
|
|
|
S: # I did ask the user for the passphrase
|
|
|
|
|
S: INQUIRE HASHVAL
|
|
|
|
|
C: D ABCDEF012345678901234
|
|
|
|
|
C: END
|
|
|
|
|
S: # signature follows
|
|
|
|
|
S: D (sig-val rsa (s 45435453654612121212))
|
|
|
|
|
S: OK
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@end smallexample
|
|
|
|
|
@end cartouche
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@node Agent GENKEY
|
|
|
|
|
@subsection Generating a Key
|
|
|
|
|
|
|
|
|
|
This is used to create a new keypair and store the secret key inside the
|
2007-06-20 11:16:42 +00:00
|
|
|
|
active PSE --- which is in most cases a Soft-PSE. An not yet defined
|
2003-01-09 13:24:01 +00:00
|
|
|
|
option allows to choose the storage location. To get the secret key out
|
|
|
|
|
of the PSE, a special export tool has to be used.
|
|
|
|
|
|
|
|
|
|
@example
|
2012-04-03 20:53:21 -04:00
|
|
|
|
GENKEY [--no-protection] [--preset] [<cache_nonce>]
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Invokes the key generation process and the server will then inquire
|
|
|
|
|
on the generation parameters, like:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
S: INQUIRE KEYPARM
|
|
|
|
|
C: D (genkey (rsa (nbits 1024)))
|
|
|
|
|
C: END
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The format of the key parameters which depends on the algorithm is of
|
|
|
|
|
the form:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
(genkey
|
|
|
|
|
(algo
|
|
|
|
|
(parameter_name_1 ....)
|
|
|
|
|
....
|
|
|
|
|
(parameter_name_n ....)))
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
If everything succeeds, the server returns the *public key* in a SPKI
|
|
|
|
|
like S-Expression like this:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
(public-key
|
|
|
|
|
(rsa
|
|
|
|
|
(n <mpi>)
|
|
|
|
|
(e <mpi>)))
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Here is an example session:
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@cartouche
|
|
|
|
|
@smallexample
|
2003-01-09 13:24:01 +00:00
|
|
|
|
C: GENKEY
|
|
|
|
|
S: INQUIRE KEYPARM
|
|
|
|
|
C: D (genkey (rsa (nbits 1024)))
|
|
|
|
|
C: END
|
|
|
|
|
S: D (public-key
|
|
|
|
|
S: D (rsa (n 326487324683264) (e 10001)))
|
|
|
|
|
S OK key created
|
2014-06-25 11:15:45 +02:00
|
|
|
|
@end smallexample
|
|
|
|
|
@end cartouche
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2012-04-03 20:53:21 -04:00
|
|
|
|
The @option{--no-protection} option may be used to prevent prompting for a
|
|
|
|
|
passphrase to protect the secret key while leaving the secret key unprotected.
|
|
|
|
|
The @option{--preset} option may be used to add the passphrase to the cache
|
|
|
|
|
using the default cache parameters.
|
2015-01-21 11:31:20 +01:00
|
|
|
|
|
|
|
|
|
The @option{--inq-passwd} option may be used to create the key with a
|
|
|
|
|
supplied passphrase. When used the agent does an inquiry with the
|
|
|
|
|
keyword @code{NEWPASSWD} to retrieve that passphrase. This option
|
|
|
|
|
takes precedence over @option{--no-protection}; however if the client
|
|
|
|
|
sends a empty (zero-length) passphrase, this is identical to
|
|
|
|
|
@option{--no-protection}.
|
2012-04-03 20:53:21 -04:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent IMPORT
|
|
|
|
|
@subsection Importing a Secret Key
|
|
|
|
|
|
2009-07-22 13:33:46 +00:00
|
|
|
|
This operation is not yet supported by GpgAgent. Specialized tools
|
2003-01-09 13:24:01 +00:00
|
|
|
|
are to be used for this.
|
|
|
|
|
|
|
|
|
|
There is no actual need because we can expect that secret keys
|
|
|
|
|
created by a 3rd party are stored on a smartcard. If we have
|
|
|
|
|
generated the key ourself, we do not need to import it.
|
|
|
|
|
|
|
|
|
|
@node Agent EXPORT
|
|
|
|
|
@subsection Export a Secret Key
|
|
|
|
|
|
|
|
|
|
Not implemented.
|
|
|
|
|
|
|
|
|
|
Should be done by an extra tool.
|
|
|
|
|
|
|
|
|
|
@node Agent ISTRUSTED
|
|
|
|
|
@subsection Importing a Root Certificate
|
|
|
|
|
|
|
|
|
|
Actually we do not import a Root Cert but provide a way to validate
|
|
|
|
|
any piece of data by storing its Hash along with a description and
|
2009-07-22 13:33:46 +00:00
|
|
|
|
an identifier in the PSE. Here is the interface description:
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
ISTRUSTED <fingerprint>
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Check whether the OpenPGP primary key or the X.509 certificate with the
|
|
|
|
|
given fingerprint is an ultimately trusted key or a trusted Root CA
|
|
|
|
|
certificate. The fingerprint should be given as a hexstring (without
|
|
|
|
|
any blanks or colons or whatever in between) and may be left padded with
|
|
|
|
|
00 in case of an MD5 fingerprint. GPGAgent will answer with:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
OK
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The key is in the table of trusted keys.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
ERR 304 (Not Trusted)
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The key is not in this table.
|
|
|
|
|
|
|
|
|
|
Gpg needs the entire list of trusted keys to maintain the web of
|
|
|
|
|
trust; the following command is therefore quite helpful:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
LISTTRUSTED
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
GpgAgent returns a list of trusted keys line by line:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
S: D 000000001234454556565656677878AF2F1ECCFF P
|
|
|
|
|
S: D 340387563485634856435645634856438576457A P
|
|
|
|
|
S: D FEDC6532453745367FD83474357495743757435D S
|
|
|
|
|
S: OK
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The first item on a line is the hexified fingerprint where MD5
|
2009-07-22 13:33:46 +00:00
|
|
|
|
fingerprints are @code{00} padded to the left and the second item is a
|
2003-01-09 13:24:01 +00:00
|
|
|
|
flag to indicate the type of key (so that gpg is able to only take care
|
|
|
|
|
of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
|
|
|
|
|
of the line, so that we can extend the format in the future.
|
|
|
|
|
|
|
|
|
|
Finally a client should be able to mark a key as trusted:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
MARKTRUSTED @var{fingerprint} "P"|"S"
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The server will then pop up a window to ask the user whether she
|
|
|
|
|
really trusts this key. For this it will probably ask for a text to
|
|
|
|
|
be displayed like this:
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
S: INQUIRE TRUSTDESC
|
|
|
|
|
C: D Do you trust the key with the fingerprint @@FPR@@
|
|
|
|
|
C: D bla fasel blurb.
|
|
|
|
|
C: END
|
|
|
|
|
S: OK
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Known sequences with the pattern @@foo@@ are replaced according to this
|
|
|
|
|
table:
|
|
|
|
|
|
|
|
|
|
@table @code
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@item @@FPR16@@
|
2003-01-09 13:24:01 +00:00
|
|
|
|
Format the fingerprint according to gpg rules for a v3 keys.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@item @@FPR20@@
|
2003-01-09 13:24:01 +00:00
|
|
|
|
Format the fingerprint according to gpg rules for a v4 keys.
|
|
|
|
|
@item @@FPR@@
|
|
|
|
|
Choose an appropriate format to format the fingerprint.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@item @@@@
|
2003-01-09 13:24:01 +00:00
|
|
|
|
Replaced by a single @code{@@}
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
@node Agent GET_PASSPHRASE
|
|
|
|
|
@subsection Ask for a passphrase
|
|
|
|
|
|
|
|
|
|
This function is usually used to ask for a passphrase to be used for
|
2015-06-02 17:46:42 +02:00
|
|
|
|
symmetric encryption, but may also be used by programs which need
|
2003-01-09 13:24:01 +00:00
|
|
|
|
special handling of passphrases. This command uses a syntax which helps
|
|
|
|
|
clients to use the agent with minimum effort.
|
|
|
|
|
|
|
|
|
|
@example
|
2014-06-25 11:15:45 +02:00
|
|
|
|
GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \
|
|
|
|
|
[--qualitybar] @var{cache_id} \
|
|
|
|
|
[@var{error_message} @var{prompt} @var{description}]
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end example
|
|
|
|
|
|
2006-10-04 16:45:04 +00:00
|
|
|
|
@var{cache_id} is expected to be a string used to identify a cached
|
2003-01-09 13:24:01 +00:00
|
|
|
|
passphrase. Use a @code{X} to bypass the cache. With no other
|
2006-10-04 16:45:04 +00:00
|
|
|
|
arguments the agent returns a cached passphrase or an error. By
|
|
|
|
|
convention either the hexified fingerprint of the key shall be used for
|
|
|
|
|
@var{cache_id} or an arbitrary string prefixed with the name of the
|
|
|
|
|
calling application and a colon: Like @code{gpg:somestring}.
|
2011-03-03 18:35:08 +01:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@var{error_message} is either a single @code{X} for no error message or
|
|
|
|
|
a string to be shown as an error message like (e.g. "invalid
|
|
|
|
|
passphrase"). Blanks must be percent escaped or replaced by @code{+}'.
|
|
|
|
|
|
|
|
|
|
@var{prompt} is either a single @code{X} for a default prompt or the
|
|
|
|
|
text to be shown as the prompt. Blanks must be percent escaped or
|
|
|
|
|
replaced by @code{+}.
|
|
|
|
|
|
|
|
|
|
@var{description} is a text shown above the entry field. Blanks must be
|
|
|
|
|
percent escaped or replaced by @code{+}.
|
|
|
|
|
|
2006-10-04 16:45:04 +00:00
|
|
|
|
The agent either returns with an error or with a OK followed by the hex
|
|
|
|
|
encoded passphrase. Note that the length of the strings is implicitly
|
|
|
|
|
limited by the maximum length of a command. If the option
|
|
|
|
|
@option{--data} is used, the passphrase is not returned on the OK line
|
|
|
|
|
but by regular data lines; this is the preferred method.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2007-01-25 08:30:47 +00:00
|
|
|
|
If the option @option{--check} is used, the standard passphrase
|
|
|
|
|
constraints checks are applied. A check is not done if the passphrase
|
|
|
|
|
has been found in the cache.
|
|
|
|
|
|
2008-12-10 12:41:15 +00:00
|
|
|
|
If the option @option{--no-ask} is used and the passphrase is not in the
|
|
|
|
|
cache the user will not be asked to enter a passphrase but the error
|
2011-03-03 18:35:08 +01:00
|
|
|
|
code @code{GPG_ERR_NO_DATA} is returned.
|
2008-12-10 12:41:15 +00:00
|
|
|
|
|
2009-05-15 19:26:46 +00:00
|
|
|
|
If the option @option{--qualitybar} is used and a minimum passphrase
|
|
|
|
|
length has been configured, a visual indication of the entered
|
|
|
|
|
passphrase quality is shown.
|
2008-12-10 12:41:15 +00:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@example
|
|
|
|
|
CLEAR_PASSPHRASE @var{cache_id}
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
may be used to invalidate the cache entry for a passphrase. The
|
|
|
|
|
function returns with OK even when there is no cached passphrase.
|
|
|
|
|
|
|
|
|
|
|
2012-04-03 20:53:19 -04:00
|
|
|
|
|
|
|
|
|
@node Agent CLEAR_PASSPHRASE
|
|
|
|
|
@subsection Remove a cached passphrase
|
|
|
|
|
|
|
|
|
|
Use this command to remove a cached passphrase.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
CLEAR_PASSPHRASE [--mode=normal] <cache_id>
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The @option{--mode=normal} option can be used to clear a @var{cache_id} that
|
|
|
|
|
was set by gpg-agent.
|
|
|
|
|
|
|
|
|
|
|
2012-04-03 20:53:20 -04:00
|
|
|
|
@node Agent PRESET_PASSPHRASE
|
|
|
|
|
@subsection Set a passphrase for a keygrip
|
|
|
|
|
|
|
|
|
|
This command adds a passphrase to the cache for the specified @var{keygrip}.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The passphrase is a hexidecimal string when specified. When not specified, the
|
|
|
|
|
passphrase will be retrieved from the pinentry module unless the
|
|
|
|
|
@option{--inquire} option was specified in which case the passphrase will be
|
|
|
|
|
retrieved from the client.
|
|
|
|
|
|
|
|
|
|
The @var{timeout} parameter keeps the passphrase cached for the specified
|
|
|
|
|
number of seconds. A value of @code{-1} means infinate while @code{0} means
|
|
|
|
|
the default (currently only a timeout of -1 is allowed, which means to never
|
|
|
|
|
expire it).
|
|
|
|
|
|
|
|
|
|
|
2003-10-31 12:12:17 +00:00
|
|
|
|
@node Agent GET_CONFIRMATION
|
|
|
|
|
@subsection Ask for confirmation
|
|
|
|
|
|
|
|
|
|
This command may be used to ask for a simple confirmation by
|
2009-07-22 13:33:46 +00:00
|
|
|
|
presenting a text and 2 buttons: Okay and Cancel.
|
2003-10-31 12:12:17 +00:00
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
GET_CONFIRMATION @var{description}
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
@var{description}is displayed along with a Okay and Cancel
|
|
|
|
|
button. Blanks must be percent escaped or replaced by @code{+}. A
|
|
|
|
|
@code{X} may be used to display confirmation dialog with a default
|
|
|
|
|
text.
|
|
|
|
|
|
|
|
|
|
The agent either returns with an error or with a OK. Note, that the
|
|
|
|
|
length of @var{description} is implicitly limited by the maximum
|
|
|
|
|
length of a command.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@node Agent HAVEKEY
|
|
|
|
|
@subsection Check whether a key is available
|
|
|
|
|
|
|
|
|
|
This can be used to see whether a secret key is available. It does
|
|
|
|
|
not return any information on whether the key is somehow protected.
|
|
|
|
|
|
|
|
|
|
@example
|
2010-10-01 20:33:53 +00:00
|
|
|
|
HAVEKEY @var{keygrips}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end example
|
|
|
|
|
|
2010-10-01 20:33:53 +00:00
|
|
|
|
The agent answers either with OK or @code{No_Secret_Key} (208). The
|
|
|
|
|
caller may want to check for other error codes as well. More than one
|
|
|
|
|
keygrip may be given. In this case the command returns success if at
|
|
|
|
|
least one of the keygrips corresponds to an available secret key.
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@node Agent LEARN
|
|
|
|
|
@subsection Register a smartcard
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
LEARN [--send]
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
This command is used to register a smartcard. With the --send
|
|
|
|
|
option given the certificates are send back.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@node Agent PASSWD
|
|
|
|
|
@subsection Change a Passphrase
|
|
|
|
|
|
|
|
|
|
@example
|
2012-04-03 20:53:22 -04:00
|
|
|
|
PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
|
2003-01-09 13:24:01 +00:00
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
This command is used to interactively change the passphrase of the key
|
2015-06-08 19:27:08 +02:00
|
|
|
|
identified by the hex string @var{keygrip}. The @option{--preset}
|
|
|
|
|
option may be used to add the new passphrase to the cache using the
|
|
|
|
|
default cache parameters.
|
2012-04-03 20:53:22 -04:00
|
|
|
|
|
2003-01-09 13:24:01 +00:00
|
|
|
|
|
2005-06-03 13:57:24 +00:00
|
|
|
|
@node Agent UPDATESTARTUPTTY
|
|
|
|
|
@subsection Change the standard display
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
UPDATESTARTUPTTY
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
Set the startup TTY and X-DISPLAY variables to the values of this
|
|
|
|
|
session. This command is useful to direct future pinentry invocations
|
|
|
|
|
to another screen. It is only required because there is no way in the
|
|
|
|
|
ssh-agent protocol to convey this information.
|
2006-09-04 14:53:20 +00:00
|
|
|
|
|
|
|
|
|
|
2006-11-14 14:53:42 +00:00
|
|
|
|
@node Agent GETEVENTCOUNTER
|
|
|
|
|
@subsection Get the Event Counters
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
GETEVENTCOUNTER
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
This function return one status line with the current values of the
|
|
|
|
|
event counters. The event counters are useful to avoid polling by
|
|
|
|
|
delaying a poll until something has changed. The values are decimal
|
|
|
|
|
numbers in the range @code{0} to @code{UINT_MAX} and wrapping around to
|
|
|
|
|
0. The actual values should not be relied upon; they shall only be used
|
|
|
|
|
to detect a change.
|
|
|
|
|
|
|
|
|
|
The currently defined counters are are:
|
|
|
|
|
@table @code
|
|
|
|
|
@item ANY
|
|
|
|
|
Incremented with any change of any of the other counters.
|
|
|
|
|
@item KEY
|
|
|
|
|
Incremented for added or removed private keys.
|
|
|
|
|
@item CARD
|
|
|
|
|
Incremented for changes of the card readers stati.
|
|
|
|
|
@end table
|
|
|
|
|
|
2007-06-18 10:33:12 +00:00
|
|
|
|
@node Agent GETINFO
|
|
|
|
|
@subsection Return information about the process
|
|
|
|
|
|
|
|
|
|
This is a multipurpose function to return a variety of information.
|
|
|
|
|
|
|
|
|
|
@example
|
|
|
|
|
GETINFO @var{what}
|
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
The value of @var{what} specifies the kind of information returned:
|
|
|
|
|
@table @code
|
|
|
|
|
@item version
|
|
|
|
|
Return the version of the program.
|
2008-02-13 16:47:14 +00:00
|
|
|
|
@item pid
|
|
|
|
|
Return the process id of the process.
|
2007-06-18 10:33:12 +00:00
|
|
|
|
@item socket_name
|
|
|
|
|
Return the name of the socket used to connect the agent.
|
|
|
|
|
@item ssh_socket_name
|
|
|
|
|
Return the name of the socket used for SSH connections. If SSH support
|
|
|
|
|
has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned.
|
|
|
|
|
@end table
|
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@node Agent OPTION
|
|
|
|
|
@subsection Set options for the session
|
|
|
|
|
|
|
|
|
|
Here is a list of session options which are not yet described with
|
|
|
|
|
other commands. The general syntax for an Assuan option is:
|
|
|
|
|
|
|
|
|
|
@smallexample
|
|
|
|
|
OPTION @var{key}=@var{value}
|
|
|
|
|
@end smallexample
|
|
|
|
|
|
|
|
|
|
@noindent
|
|
|
|
|
Supported @var{key}s are:
|
|
|
|
|
|
|
|
|
|
@table @code
|
|
|
|
|
@item agent-awareness
|
|
|
|
|
This may be used to tell gpg-agent of which gpg-agent version the
|
|
|
|
|
client is aware of. gpg-agent uses this information to enable
|
|
|
|
|
features which might break older clients.
|
|
|
|
|
|
|
|
|
|
@item putenv
|
|
|
|
|
Change the session's environment to be used for the
|
|
|
|
|
Pinentry. Valid values are:
|
|
|
|
|
|
|
|
|
|
@table @code
|
|
|
|
|
@item @var{name}
|
|
|
|
|
Delete envvar @var{name}
|
|
|
|
|
@item @var{name}=
|
|
|
|
|
Set envvar @var{name} to the empty string
|
|
|
|
|
@item @var{name}=@var{value}
|
|
|
|
|
Set envvar @var{name} to the string @var{value}.
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
@item use-cache-for-signing
|
|
|
|
|
See Assuan command @code{PKSIGN}.
|
|
|
|
|
|
|
|
|
|
@item allow-pinentry-notify
|
|
|
|
|
This does not need any value. It is used to enable the
|
|
|
|
|
PINENTRY_LAUNCHED inquiry.
|
|
|
|
|
|
|
|
|
|
@item pinentry-mode
|
|
|
|
|
This option is used to change the operation mode of the pinentry. The
|
|
|
|
|
following values are defined:
|
|
|
|
|
|
|
|
|
|
@table @code
|
|
|
|
|
@item ask
|
|
|
|
|
This is the default mode which pops up a pinentry as needed.
|
|
|
|
|
|
|
|
|
|
@item cancel
|
|
|
|
|
Instead of popping up a pinentry, return the error code
|
|
|
|
|
@code{GPG_ERR_CANCELED}.
|
|
|
|
|
|
|
|
|
|
@item error
|
|
|
|
|
Instead of popping up a pinentry, return the error code
|
|
|
|
|
@code{GPG_ERR_NO_PIN_ENTRY}.
|
|
|
|
|
|
|
|
|
|
@item loopback
|
|
|
|
|
Use a loopback pinentry. This fakes a pinentry by using inquiries
|
|
|
|
|
back to the caller to ask for a passphrase. This option may only be
|
|
|
|
|
set if the agent has been configured for that.
|
|
|
|
|
Use the @xref{option --allow-loopback-pinentry}.
|
|
|
|
|
|
|
|
|
|
@end table
|
2011-04-21 15:40:48 +02:00
|
|
|
|
|
|
|
|
|
@item cache-ttl-opt-preset
|
|
|
|
|
This option sets the cache TTL for new entries created by GENKEY and
|
|
|
|
|
PASSWD commands when using the @option{--preset} option. It it is not
|
|
|
|
|
used a default value is used.
|
|
|
|
|
|
2011-06-29 13:23:41 +02:00
|
|
|
|
@item s2k-count
|
2011-08-10 13:26:17 +02:00
|
|
|
|
Instead of using the standard S2K count (which is computed on the
|
2011-06-29 13:23:41 +02:00
|
|
|
|
fly), the given S2K count is used for new keys or when changing the
|
|
|
|
|
passphrase of a key. Values below 65536 are considered to be 0. This
|
|
|
|
|
option is valid for the entire session or until reset to 0. This
|
|
|
|
|
option is useful if the key is later used on boxes which are either
|
|
|
|
|
much slower or faster than the actual box.
|
|
|
|
|
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@end table
|
|
|
|
|
|
2006-11-14 14:53:42 +00:00
|
|
|
|
|
2006-09-04 14:53:20 +00:00
|
|
|
|
@mansect see also
|
|
|
|
|
@ifset isman
|
2011-03-03 18:35:08 +01:00
|
|
|
|
@command{gpg2}(1),
|
|
|
|
|
@command{gpgsm}(1),
|
2006-09-04 14:53:20 +00:00
|
|
|
|
@command{gpg-connect-agent}(1),
|
|
|
|
|
@command{scdaemon}(1)
|
|
|
|
|
@end ifset
|
|
|
|
|
@include see-also-note.texi
|