mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-24 10:39:57 +01:00
doc: Improve the text in the gpg manual
* doc/gpg.texi: Improve the text. Signed-off-by: Neal H. Walfield <neal@g10code.com>
This commit is contained in:
parent
6102099985
commit
7572d270fc
142
doc/gpg.texi
142
doc/gpg.texi
@ -61,21 +61,24 @@
|
|||||||
@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It
|
@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It
|
||||||
is a tool to provide digital encryption and signing services using the
|
is a tool to provide digital encryption and signing services using the
|
||||||
OpenPGP standard. @command{@gpgname} features complete key management and
|
OpenPGP standard. @command{@gpgname} features complete key management and
|
||||||
all bells and whistles you can expect from a decent OpenPGP
|
all the bells and whistles you would expect from a full OpenPGP
|
||||||
implementation.
|
implementation.
|
||||||
|
|
||||||
|
There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG
|
||||||
|
2.x supports modern encryption algorithms and thus should be preferred
|
||||||
|
over GnuPG 1.x. You only need to use GnuPG 1.x if your platform
|
||||||
|
doesn't support GnuPG 2.x, or you need support for some features that
|
||||||
|
GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2
|
||||||
|
keys.
|
||||||
|
|
||||||
@ifclear gpgtwohack
|
@ifclear gpgtwohack
|
||||||
Note that this version of GnuPG features all modern algorithms and
|
If you are looking for version 1 of GnuPG, you may find that version
|
||||||
should thus be preferred over older GnuPG versions. If you are
|
installed under the name @command{gpg1}.
|
||||||
looking for version 1 of GnuPG, you may find that version installed
|
|
||||||
under the name @command{gpg1}.
|
|
||||||
@end ifclear
|
@end ifclear
|
||||||
@ifset gpgtwohack
|
@ifset gpgtwohack
|
||||||
In contrast to the standalone command gpg from GnuPG 1.x, which
|
In contrast to the standalone command @command{gpg} from GnuPG 1.x,
|
||||||
might be better suited for server and embedded platforms, the 2.x
|
the 2.x version is commonly installed under the name
|
||||||
version is commonly installed under the name @command{@gpgname} and
|
@command{@gpgname}.
|
||||||
targeted to the desktop as it requires several other modules to be
|
|
||||||
installed.
|
|
||||||
@end ifset
|
@end ifset
|
||||||
|
|
||||||
@manpause
|
@manpause
|
||||||
@ -106,16 +109,18 @@ Developer information:
|
|||||||
@section Commands
|
@section Commands
|
||||||
|
|
||||||
Commands are not distinguished from options except for the fact that
|
Commands are not distinguished from options except for the fact that
|
||||||
only one command is allowed.
|
only one command is allowed. Generally speaking, irrelevant options
|
||||||
|
are silently ignored, and may not be checked for correctness.
|
||||||
|
|
||||||
@command{@gpgname} may be run with no commands, in which case it will
|
@command{@gpgname} may be run with no commands. In this case it will
|
||||||
perform a reasonable action depending on the type of file it is given
|
perform a reasonable action depending on the type of file it is given
|
||||||
as input (an encrypted message is decrypted, a signature is verified,
|
as input (an encrypted message is decrypted, a signature is verified,
|
||||||
a file containing keys is listed).
|
a file containing keys is listed, etc.).
|
||||||
|
|
||||||
Please remember that option as well as command parsing stops as soon as
|
Please remember that option and command parsing stops as soon as a
|
||||||
a non-option is encountered, you can explicitly stop parsing by
|
non-option is encountered. Thus, options must precede the command.
|
||||||
using the special option @option{--}.
|
You can explicitly stop parsing by using the special option
|
||||||
|
@option{--}.
|
||||||
|
|
||||||
|
|
||||||
@menu
|
@menu
|
||||||
@ -140,7 +145,7 @@ cannot abbreviate this command.
|
|||||||
@item --help
|
@item --help
|
||||||
@itemx -h
|
@itemx -h
|
||||||
@opindex help
|
@opindex help
|
||||||
Print a usage message summarizing the most useful command line options.
|
Print a usage message summarizing the most useful command-line options.
|
||||||
Note that you cannot abbreviate this command.
|
Note that you cannot abbreviate this command.
|
||||||
|
|
||||||
@item --warranty
|
@item --warranty
|
||||||
@ -166,22 +171,22 @@ abbreviate this command.
|
|||||||
@item --sign
|
@item --sign
|
||||||
@itemx -s
|
@itemx -s
|
||||||
@opindex sign
|
@opindex sign
|
||||||
Make a signature. This command may be combined with @option{--encrypt}
|
Sign a message. This command may be combined with @option{--encrypt}
|
||||||
(for a signed and encrypted message), @option{--symmetric} (for a
|
(to sign and encrypt a message), @option{--symmetric} (to sign and
|
||||||
signed and symmetrically encrypted message), or @option{--encrypt} and
|
symmetrically encrypt a message), or both @option{--encrypt} and
|
||||||
@option{--symmetric} together (for a signed message that may be
|
@option{--symmetric} (to sign and encrypt a message that can be
|
||||||
decrypted via a secret key or a passphrase). The key to be used for
|
decrypted using a secret key or a passphrase). The signing key is
|
||||||
signing is chosen by default or can be set with the
|
chosen by default or can be set explicitly using the
|
||||||
@option{--local-user} and @option{--default-key} options.
|
@option{--local-user} and @option{--default-key} options.
|
||||||
|
|
||||||
@item --clearsign
|
@item --clearsign
|
||||||
@opindex clearsign
|
@opindex clearsign
|
||||||
Make a cleartext signature. The content in a cleartext signature is
|
Make a cleartext signature. The content in a cleartext signature is
|
||||||
readable without any special software. OpenPGP software is only needed
|
readable without any special software. OpenPGP software is only needed
|
||||||
to verify the signature. Clear text signatures may modify end-of-line
|
to verify the signature. cleartext signatures may modify end-of-line
|
||||||
whitespace for platform independence and are not intended to be
|
whitespace for platform independence and are not intended to be
|
||||||
reversible. The key to be used for signing is chosen by default or
|
reversible. The signing key is chosen by default or can be set
|
||||||
can be set with the @option{--local-user} and @option{--default-key}
|
explicitly using the @option{--local-user} and @option{--default-key}
|
||||||
options.
|
options.
|
||||||
|
|
||||||
|
|
||||||
@ -193,11 +198,11 @@ Make a detached signature.
|
|||||||
@item --encrypt
|
@item --encrypt
|
||||||
@itemx -e
|
@itemx -e
|
||||||
@opindex encrypt
|
@opindex encrypt
|
||||||
Encrypt data. This command may be combined with @option{--sign} (for a
|
Encrypt data. This command may be combined with @option{--sign} (to
|
||||||
signed and encrypted message), @option{--symmetric} (for a message that
|
sign and encrypt a message), @option{--symmetric} (to encrypt a
|
||||||
may be decrypted via a secret key or a passphrase), or @option{--sign}
|
message that can decrypted using a secret key or a passphrase), or
|
||||||
and @option{--symmetric} together (for a signed message that may be
|
@option{--sign} and @option{--symmetric} together (for a signed
|
||||||
decrypted via a secret key or a passphrase).
|
message that can be decrypted using a secret key or a passphrase).
|
||||||
|
|
||||||
@item --symmetric
|
@item --symmetric
|
||||||
@itemx -c
|
@itemx -c
|
||||||
@ -223,32 +228,33 @@ is specified) and write it to STDOUT (or the file specified with
|
|||||||
@option{--output}). If the decrypted file is signed, the signature is also
|
@option{--output}). If the decrypted file is signed, the signature is also
|
||||||
verified. This command differs from the default operation, as it never
|
verified. This command differs from the default operation, as it never
|
||||||
writes to the filename which is included in the file and it rejects
|
writes to the filename which is included in the file and it rejects
|
||||||
files which don't begin with an encrypted message.
|
files that don't begin with an encrypted message.
|
||||||
|
|
||||||
@item --verify
|
@item --verify
|
||||||
@opindex verify
|
@opindex verify
|
||||||
Assume that the first argument is a signed file and verify it without
|
Assume that the first argument is a signed file and verify it without
|
||||||
generating any output. With no arguments, the signature packet is
|
generating any output. With no arguments, the signature packet is
|
||||||
read from STDIN. If only a one argument is given, it is expected to
|
read from STDIN. If only one argument is given, the specified file is
|
||||||
be a complete signature.
|
expected to include a complete signature.
|
||||||
|
|
||||||
With more than 1 argument, the first should be a detached signature
|
With more than one argument, the first argument should specify a file
|
||||||
and the remaining files make up the the signed data. To read the signed
|
with a detached signature and the remaining files should contain the
|
||||||
data from STDIN, use @samp{-} as the second filename. For security
|
signed data. To read the signed data from STDIN, use @samp{-} as the
|
||||||
reasons a detached signature cannot read the signed material from
|
second filename. For security reasons, a detached signature will not
|
||||||
STDIN without denoting it in the above way.
|
read the signed material from STDIN if not explicitly specified.
|
||||||
|
|
||||||
Note: If the option @option{--batch} is not used, @command{@gpgname}
|
Note: If the option @option{--batch} is not used, @command{@gpgname}
|
||||||
may assume that a single argument is a file with a detached signature
|
may assume that a single argument is a file with a detached signature,
|
||||||
and it will try to find a matching data file by stripping certain
|
and it will try to find a matching data file by stripping certain
|
||||||
suffixes. Using this historical feature to verify a detached
|
suffixes. Using this historical feature to verify a detached
|
||||||
signature is strongly discouraged; always specify the data file too.
|
signature is strongly discouraged; you should always specify the data file
|
||||||
|
explicitly.
|
||||||
|
|
||||||
Note: When verifying a cleartext signature, @command{gpg} verifies
|
Note: When verifying a cleartext signature, @command{@gpgname} verifies
|
||||||
only what makes up the cleartext signed data and not any extra data
|
only what makes up the cleartext signed data and not any extra data
|
||||||
outside of the cleartext signature or header lines following directly
|
outside of the cleartext signature or the header lines directly following
|
||||||
the dash marker line. The option @code{--output} may be used to write
|
the dash marker line. The option @code{--output} may be used to write
|
||||||
out the actual signed data; but there are other pitfalls with this
|
out the actual signed data, but there are other pitfalls with this
|
||||||
format as well. It is suggested to avoid cleartext signatures in
|
format as well. It is suggested to avoid cleartext signatures in
|
||||||
favor of detached signatures.
|
favor of detached signatures.
|
||||||
|
|
||||||
@ -277,22 +283,23 @@ Identical to @option{--multifile --decrypt}.
|
|||||||
@itemx -k
|
@itemx -k
|
||||||
@itemx --list-public-keys
|
@itemx --list-public-keys
|
||||||
@opindex list-keys
|
@opindex list-keys
|
||||||
List all keys from the public keyrings, or just the keys given on the
|
List the specified keys. If no keys are specified, then all keys from
|
||||||
command line.
|
the configured public keyrings are listed.
|
||||||
|
|
||||||
Avoid using the output of this command in scripts or other programs as
|
Never use the output of this command in scripts or other programs.
|
||||||
it is likely to change as GnuPG changes. See @option{--with-colons}
|
The output is intended only for humans and its format is likely to
|
||||||
for a machine-parseable key listing command that is appropriate for
|
change. The @option{--with-colons} option emits the output in a
|
||||||
use in scripts and other programs. Never use the regular output for
|
stable, machine-parseable format, which is intended for use by scripts
|
||||||
scripts --- it is only for human consumption.
|
and other programs.
|
||||||
|
|
||||||
@item --list-secret-keys
|
@item --list-secret-keys
|
||||||
@itemx -K
|
@itemx -K
|
||||||
@opindex list-secret-keys
|
@opindex list-secret-keys
|
||||||
List all keys from the secret keyrings, or just the ones given on the
|
List the specified secret keys. If no keys are specified, then all
|
||||||
command line. A @code{#} after the letters @code{sec} means that the
|
known secret keys are listed. A @code{#} after the letters @code{sec}
|
||||||
secret key is not usable (for example, if it was created via
|
means that the secret key is not usable (for example, if it was
|
||||||
@option{--export-secret-subkeys}). See also @option{--list-keys}.
|
exported using @option{--export-secret-subkeys}). See also
|
||||||
|
@option{--list-keys}.
|
||||||
|
|
||||||
@item --list-sigs
|
@item --list-sigs
|
||||||
@opindex list-sigs
|
@opindex list-sigs
|
||||||
@ -382,7 +389,7 @@ safeguard against accidental deletion of multiple keys.
|
|||||||
Remove key from the secret keyring. In batch mode the key must be
|
Remove key from the secret keyring. In batch mode the key must be
|
||||||
specified by fingerprint. The option @option{--yes} can be used to
|
specified by fingerprint. The option @option{--yes} can be used to
|
||||||
advice gpg-agent not to request a confirmation. This extra
|
advice gpg-agent not to request a confirmation. This extra
|
||||||
pre-caution is done because @command{gpg} can't be sure that the
|
pre-caution is done because @command{@gpgname} can't be sure that the
|
||||||
secret key (as controlled by gpg-agent) is only used for the given
|
secret key (as controlled by gpg-agent) is only used for the given
|
||||||
OpenPGP public key.
|
OpenPGP public key.
|
||||||
|
|
||||||
@ -408,7 +415,7 @@ Similar to @option{--export} but sends the keys to a keyserver.
|
|||||||
Fingerprints may be used instead of key IDs. Option @option{--keyserver}
|
Fingerprints may be used instead of key IDs. Option @option{--keyserver}
|
||||||
must be used to give the name of this keyserver. Don't send your
|
must be used to give the name of this keyserver. Don't send your
|
||||||
complete keyring to a keyserver --- select only those keys which are new
|
complete keyring to a keyserver --- select only those keys which are new
|
||||||
or changed by you. If no key IDs are given, @command{gpg} does nothing.
|
or changed by you. If no key IDs are given, @command{@gpgname} does nothing.
|
||||||
|
|
||||||
@item --export-secret-keys
|
@item --export-secret-keys
|
||||||
@itemx --export-secret-subkeys
|
@itemx --export-secret-subkeys
|
||||||
@ -417,21 +424,20 @@ or changed by you. If no key IDs are given, @command{gpg} does nothing.
|
|||||||
Same as @option{--export}, but exports the secret keys instead. The
|
Same as @option{--export}, but exports the secret keys instead. The
|
||||||
exported keys are written to STDOUT or to the file given with option
|
exported keys are written to STDOUT or to the file given with option
|
||||||
@option{--output}. This command is often used along with the option
|
@option{--output}. This command is often used along with the option
|
||||||
@option{--armor} to allow easy printing of the key for paper backup;
|
@option{--armor} to allow for easy printing of the key for paper backup;
|
||||||
however the external tool @command{paperkey} does a better job for
|
however the external tool @command{paperkey} does a better job of
|
||||||
creating backups on paper. Note that exporting a secret key can be a
|
creating backups on paper. Note that exporting a secret key can be a
|
||||||
security risk if the exported keys are sent over an insecure channel.
|
security risk if the exported keys are sent over an insecure channel.
|
||||||
|
|
||||||
The second form of the command has the special property to render the
|
The second form of the command has the special property to render the
|
||||||
secret part of the primary key useless; this is a GNU extension to
|
secret part of the primary key useless; this is a GNU extension to
|
||||||
OpenPGP and other implementations can not be expected to successfully
|
OpenPGP and other implementations can not be expected to successfully
|
||||||
import such a key. Its intended use is to generated a full key with
|
import such a key. Its intended use is in generating a full key with
|
||||||
an additional signing subkey on a dedicated machine and then using
|
an additional signing subkey on a dedicated machine. This command
|
||||||
this command to export the key without the primary key to the main
|
then exports the key without the primary key to the main machine.
|
||||||
machine.
|
|
||||||
|
|
||||||
GnuPG may ask you to enter the passphrase for the key. This is
|
GnuPG may ask you to enter the passphrase for the key. This is
|
||||||
required because the internal protection method of the secret key is
|
required, because the internal protection method of the secret key is
|
||||||
different from the one specified by the OpenPGP protocol.
|
different from the one specified by the OpenPGP protocol.
|
||||||
|
|
||||||
@item --export-ssh-key
|
@item --export-ssh-key
|
||||||
@ -2038,7 +2044,7 @@ limited countermeasure against traffic analysis. If this option or
|
|||||||
@opindex recipient-file
|
@opindex recipient-file
|
||||||
This option is similar to @option{--recipient} except that it
|
This option is similar to @option{--recipient} except that it
|
||||||
encrypts to a key stored in the given file. @var{file} must be the
|
encrypts to a key stored in the given file. @var{file} must be the
|
||||||
name of a file containing exactly one key. @command{gpg} assumes that
|
name of a file containing exactly one key. @command{@gpgname} assumes that
|
||||||
the key in this file is fully valid.
|
the key in this file is fully valid.
|
||||||
|
|
||||||
@item --hidden-recipient-file @var{file}
|
@item --hidden-recipient-file @var{file}
|
||||||
@ -2046,7 +2052,7 @@ the key in this file is fully valid.
|
|||||||
@opindex hidden-recipient-file
|
@opindex hidden-recipient-file
|
||||||
This option is similar to @option{--hidden-recipient} except that it
|
This option is similar to @option{--hidden-recipient} except that it
|
||||||
encrypts to a key stored in the given file. @var{file} must be the
|
encrypts to a key stored in the given file. @var{file} must be the
|
||||||
name of a file containing exactly one key. @command{gpg} assumes that
|
name of a file containing exactly one key. @command{@gpgname} assumes that
|
||||||
the key in this file is fully valid.
|
the key in this file is fully valid.
|
||||||
|
|
||||||
@item --encrypt-to @code{name}
|
@item --encrypt-to @code{name}
|
||||||
@ -3245,7 +3251,7 @@ internally used by the @command{gpgconf} tool.
|
|||||||
@opindex gpgconf-test
|
@opindex gpgconf-test
|
||||||
This is more or less dummy action. However it parses the configuration
|
This is more or less dummy action. However it parses the configuration
|
||||||
file and returns with failure if the configuration file would prevent
|
file and returns with failure if the configuration file would prevent
|
||||||
@command{gpg} from startup. Thus it may be used to run a syntax check
|
@command{@gpgname} from startup. Thus it may be used to run a syntax check
|
||||||
on the configuration file.
|
on the configuration file.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
@ -3704,7 +3710,7 @@ already been reported to our bug tracker at http://bugs.gnupg.org .
|
|||||||
@node Unattended Usage of GPG
|
@node Unattended Usage of GPG
|
||||||
@section Unattended Usage
|
@section Unattended Usage
|
||||||
|
|
||||||
@command{gpg} is often used as a backend engine by other software. To help
|
@command{@gpgname} is often used as a backend engine by other software. To help
|
||||||
with this a machine interface has been defined to have an unambiguous
|
with this a machine interface has been defined to have an unambiguous
|
||||||
way to do this. The options @option{--status-fd} and @option{--batch}
|
way to do this. The options @option{--status-fd} and @option{--batch}
|
||||||
are almost always required for this.
|
are almost always required for this.
|
||||||
|
Loading…
x
Reference in New Issue
Block a user