doc: Change the manual source to be only for GnuPG 2.1

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2015-06-08 19:27:08 +02:00
parent c672572bd5
commit abbefdd04d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
7 changed files with 27 additions and 432 deletions

View File

@ -57,9 +57,9 @@ gnupg_TEXINFOS = \
DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css -D gpgtwoone
AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css
YAT2M_OPTIONS = -I $(srcdir) -D gpgtwoone \
YAT2M_OPTIONS = -I $(srcdir) \
--release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.1"
myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
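Review bot: removing -D gpgtwoone from AM_MAKEINFOFLAGS and YAT2M_OPTIONS means any @ifset gpgtwoone block that survives in a texinfo file this commit does not touch is silently dropped from the built manual and man pages instead of failing the build. Before merging, grep every file the manual @includes (scdaemon.texi, for instance, is included but not changed here) for leftover gpgtwoone conditionals.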

View File

@ -103,7 +103,6 @@ used. Using the keyserver debug option as in
is thus often helpful. Note that the actual output depends on the
backend and may change from release to release.
@ifset gpgtwoone
@item Logging on WindowsCE
For development, the best logging method on WindowsCE is the use of
@ -113,7 +112,6 @@ on the given port. (@pxref{option watchgnupg --tcp}). For in the field
tests it is better to make use of the logging facility provided by the
@command{gpgcedev} driver (part of libassuan); this is enabled by using
a log file name of @file{GPG2:}. (@pxref{option --log-file}).
@end ifset
@end itemize

View File

@ -52,10 +52,8 @@ section entitled ``Copying''.
* gpg2: (gnupg). OpenPGP encryption and signing tool.
* gpgsm: (gnupg). S/MIME encryption and signing tool.
* gpg-agent: (gnupg). The secret key daemon.
@ifset gpgtwoone
* dirmngr: (gnupg). X.509 CRL and OCSP server.
* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
@end ifset
@end direntry
@ -127,9 +125,7 @@ the administration and the architecture.
* Installation:: A short installation guide.
* Invoking GPG-AGENT:: How to launch the secret key daemon.
@ifset gpgtwoone
* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
@end ifset
* Invoking GPG:: Using the OpenPGP protocol.
* Invoking GPGSM:: Using the S/MIME protocol.
* Invoking SCDAEMON:: How to handle Smartcards.
@ -161,9 +157,7 @@ the administration and the architecture.
@include instguide.texi
@include gpg-agent.texi
@ifset gpgtwoone
@include dirmngr.texi
@end ifset
@include gpg.texi
@include gpgsm.texi
@include scdaemon.texi

View File

@ -2,10 +2,6 @@
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@c Note that we use this texinfo file for all versions of GnuPG:
@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only
@c valid for GnuPG 2.1 and later.
@node Invoking GPG-AGENT
@chapter Invoking GPG-AGENT
@ -52,7 +48,6 @@ independently from any protocol. It is used as a backend for
@command{gpg} and @command{gpgsm} as well as for a couple of other
utilities.
@ifset gpgtwoone
The agent is automatically started on demand by @command{gpg},
@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
Thus there is no reason to start it manually. In case you want to use
@ -61,51 +56,6 @@ the included Secure Shell Agent you may start the agent using:
@example
gpg-connect-agent /bye
@end example
@end ifset
@ifclear gpgtwoone
@noindent
The usual way to run the agent is from the @code{~/.xsession} file:
@example
eval $(gpg-agent --daemon)
@end example
@noindent
If you don't use an X server, you can also put this into your regular
startup file @code{~/.profile} or @code{.bash_profile}. It is best not
to run multiple instance of the @command{gpg-agent}, so you should make
sure that only one is running: @command{gpg-agent} uses an environment
variable to inform clients about the communication parameters. You can
write the content of this environment variable to a file so that you can
test for a running agent. Here is an example using Bourne shell syntax:
@smallexample
gpg-agent --daemon --enable-ssh-support \
--write-env-file "$@{HOME@}/.gpg-agent-info"
@end smallexample
This code should only be run once per user session to initially fire up
the agent. In the example the optional support for the included Secure
Shell agent is enabled and the information about the agent is written to
a file in the HOME directory. Note that by running gpg-agent without
arguments you may test whether an agent is already running; however such
a test may lead to a race condition, thus it is not suggested.
@noindent
The second script needs to be run for each interactive session:
@smallexample
if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
. "$@{HOME@}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
fi
@end smallexample
@noindent
It reads the data out of the file and exports the variables. If you
don't use Secure Shell, you don't need the last two export statements.
@end ifclear
@noindent
You should always add the following lines to your @code{.bashrc} or
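Review bot: dropping the eval $(gpg-agent --daemon) and ~/.gpg-agent-info instructions is right for a 2.1-only manual, but users upgrading from 2.0 still have those lines in ~/.profile or ~/.xsession. One sentence after "Thus there is no reason to start it manually." telling them to remove the old startup lines, and that a stale exported GPG_AGENT_INFO is simply ignored now that the standard socket is always used, would save a lot of migration confusion.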
@ -175,17 +125,11 @@ default mode is to create a socket and listen for commands there.
@opindex daemon
Start the gpg-agent as a daemon; that is, detach it from the console
and run it in the background.
@ifclear gpgtwoone
Because @command{gpg-agent} prints out
important information required for further use, a common way of
invoking gpg-agent is: @code{eval $(gpg-agent --daemon)} to setup the
environment variables. The option @option{--write-env-file} is
another way commonly used to do this.
@end ifclear
Yet another way is creating
a new process as a child of gpg-agent: @code{gpg-agent --daemon
/bin/sh}. This way you get a new shell with the environment setup
properly; if you exit from this shell, gpg-agent terminates as well.
As an alternative you may create a new process as a child of
gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new
shell with the environment setup properly; after you exit from this
shell, gpg-agent terminates within a few seconds.
@end table
@mansect options
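Review bot: in the new wording "a new shell with the environment setup properly" should read "with the environment set up properly" (verb, not noun); the change from "terminates as well" to "terminates within a few seconds" is a useful precision and should stay.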
@ -323,23 +267,6 @@ shell or the C-shell respectively. The default is to guess it based on
the environment variable @code{SHELL} which is correct in almost all
cases.
@ifclear gpgtwoone
@item --write-env-file @var{file}
@opindex write-env-file
Often it is required to connect to the agent from a process not being an
inferior of @command{gpg-agent} and thus the environment variable with
the socket name is not available. To help setting up those variables in
other sessions, this option may be used to write the information into
@var{file}. If @var{file} is not specified the default name
@file{$@{HOME@}/.gpg-agent-info} will be used. The format is suitable
to be evaluated by a Bourne shell like in this simple example:
@example
eval $(cat @var{file})
eval $(cut -d= -f 1 < @var{file} | xargs echo export)
@end example
@end ifclear
@item --no-grab
@opindex no-grab
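Review bot: the --write-env-file entry is removed outright; if the 2.1 binary still accepts the option as an ignored compatibility switch, a one-line "obsolete, ignored since 2.1" entry (the pattern this commit keeps for --use-standard-socket) is better than silent removal, since users will otherwise look for the option and find nothing.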
@ -369,15 +296,12 @@ accept Root-CA keys.
This option allows the use of @command{gpg-preset-passphrase} to seed the
internal cache of @command{gpg-agent} with passphrases.
@ifset gpgtwoone
@anchor{option --allow-loopback-pinentry}
@item --allow-loopback-pinentry
@opindex allow-loopback-pinentry
Allow clients to use the loopback pinentry features; see the option
@option{pinentry-mode} for details.
@end ifset
@ifset gpgtwoone
@item --no-allow-external-cache
@opindex no-allow-external-cache
Tell Pinentry not to enable features which use an external cache for
@ -388,7 +312,6 @@ credentials with one master password and may have installed a Pinentry
which employs an additional external cache to implement such a policy.
By using this option the Pinentry is advised not to make use of such a
cache and instead always ask the user for the requested passphrase.
@end ifset
@item --ignore-cache-for-signing
@opindex ignore-cache-for-signing
@ -492,7 +415,6 @@ Do not make use of the scdaemon tool. This option has the effect of
disabling the ability to do smartcard operations. Note, that enabling
this option at runtime does not kill an already forked scdaemon.
@ifset gpgtwoone
@item --disable-check-own-socket
@opindex disable-check-own-socket
@command{gpg-agent} employs a periodic self-test to detect a stolen
@ -500,7 +422,6 @@ socket. This usually means a second instance of @command{gpg-agent}
has taken over the socket and @command{gpg-agent} will then terminate
itself. This option may be used to disable this self-test for
debugging purposes.
@end ifset
@item --use-standard-socket
@itemx --no-use-standard-socket
@ -508,30 +429,9 @@ debugging purposes.
@opindex use-standard-socket
@opindex no-use-standard-socket
@opindex use-standard-socket-p
@ifset gpgtwoone
Since GnuPG 2.1 the standard socket is always used. These options
have no more effect. The command @code{gpg-agent
--use-standard-socket-p} will thus always return success.
@end ifset
@ifclear gpgtwoone
By enabling this option @command{gpg-agent} will listen on the socket
named @file{S.gpg-agent}, located in the home directory, and not create
a random socket below a temporary directory. Tools connecting to
@command{gpg-agent} should first try to connect to the socket given in
environment variable @var{GPG_AGENT_INFO} and then fall back to this
socket. This option may not be used if the home directory is mounted on
a remote file system which does not support special files like fifos or
sockets.
Note, that @option{--use-standard-socket} is the default on
Windows systems.
The default may be changed at build time. It is
possible to test at runtime whether the agent has been configured for
use with the standard socket by issuing the command @command{gpg-agent
--use-standard-socket-p} which returns success if the standard socket
option has been enabled.
@end ifclear
@item --display @var{string}
@itemx --ttyname @var{string}
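Review bot: the removed @ifclear text was the only place in this entry that named the socket (S.gpg-agent below the home directory); keep one sentence with that path so 2.1 readers still learn where the agent listens. Also "These options have no more effect" reads better as "These options no longer have any effect".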
@ -810,7 +710,6 @@ This signal is used for internal purposes.
@node Agent Examples
@section Examples
@ifset gpgtwoone
It is important to set the GPG_TTY environment variable in
your login shell, for example in the @file{~/.bashrc} init script:
@ -831,45 +730,7 @@ if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
fi
@end example
@end cartouche
@end ifset
@ifclear gpgtwoone
The usual way to invoke @command{gpg-agent} is
@example
$ eval $(gpg-agent --daemon)
@end example
An alternative way is by replacing @command{ssh-agent} with
@command{gpg-agent}. If for example @command{ssh-agent} is started as
part of the Xsession initialization, you may simply replace
@command{ssh-agent} by a script like:
@cartouche
@example
#!/bin/sh
exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \
--write-env-file $@{HOME@}/.gpg-agent-info "$@@"
@end example
@end cartouche
@noindent
and add something like (for Bourne shells)
@cartouche
@example
if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
. "$@{HOME@}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
fi
@end example
@end cartouche
@noindent
to your shell initialization file (e.g. @file{~/.bashrc}).
@end ifclear
@c
@c Assuan Protocol
@ -881,21 +742,8 @@ to your shell initialization file (e.g. @file{~/.bashrc}).
Note: this section does only document the protocol, which is used by
GnuPG components; it does not deal with the ssh-agent protocol.
@ifset gpgtwoone
The @command{gpg-agent} daemon is started on demand by the GnuPG
components.
@end ifset
@ifclear gpgtwoone
The @command{gpg-agent} should be started by the login shell and set an
environment variable to tell clients about the socket to be used.
Clients should deny to access an agent with a socket name which does
not match its own configuration. An application may choose to start
an instance of the gpg-agent if it does not figure that any has been
started; it should not do this if a gpg-agent is running but not
usable. Because @command{gpg-agent} can only be used in background mode, no
special command line option is required to activate the use of the
protocol.
@end ifclear
To identify a key we use a thing called keygrip which is the SHA-1 hash
of an canonical encoded S-Expression of the public key as used in
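Review bot: the deleted paragraph carried a client-side security rule (refuse an agent whose socket name does not match the client's own configuration) and the replacement sentence only says the daemon is started on demand. A sentence stating that clients connect exclusively to the standard socket, which is the property that makes the old check unnecessary, would preserve the intent. Unrelated context line while here: "of an canonical encoded S-Expression" should be "of a canonically encoded S-expression".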
@ -905,13 +753,11 @@ certificate is that it will be possible to use the same keypair for
different protocols, thereby saving space on the token used to keep the
secret keys.
@ifset gpgtwoone
The @command{gpg-agent} may send status messages during a command or when
returning from a command to inform a client about the progress or result of an
operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
during a server inquire to inform the client of the maximum usable length of
the inquired data (which should not be exceeded).
@end ifset
@menu
* Agent PKDECRYPT:: Decrypting a session key
@ -922,9 +768,7 @@ the inquired data (which should not be exceeded).
* Agent ISTRUSTED:: Importing a Root Certificate
* Agent GET_PASSPHRASE:: Ask for a passphrase
* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
@ifset gpgtwoone
* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
@end ifset
* Agent GET_CONFIRMATION:: Ask for confirmation
* Agent HAVEKEY:: Check whether a key is available
* Agent LEARN:: Register a smartcard
@ -1104,12 +948,7 @@ option allows to choose the storage location. To get the secret key out
of the PSE, a special export tool has to be used.
@example
@ifset gpgtwoone
GENKEY [--no-protection] [--preset] [<cache_nonce>]
@end ifset
@ifclear gpgtwoone
GENKEY
@end ifclear
@end example
Invokes the key generation process and the server will then inquire
@ -1155,7 +994,6 @@ Here is an example session:
@end smallexample
@end cartouche
@ifset gpgtwoone
The @option{--no-protection} option may be used to prevent prompting for a
passphrase to protect the secret key while leaving the secret key unprotected.
The @option{--preset} option may be used to add the passphrase to the cache
@ -1167,7 +1005,6 @@ keyword @code{NEWPASSWD} to retrieve that passphrase. This option
takes precedence over @option{--no-protection}; however if the client
sends a empty (zero-length) passphrase, this is identical to
@option{--no-protection}.
@end ifset
@node Agent IMPORT
@subsection Importing a Secret Key
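Review bot: context line above, "sends a empty (zero-length) passphrase", should be "sends an empty (zero-length) passphrase"; worth fixing while the block is being edited.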
@ -1334,22 +1171,13 @@ function returns with OK even when there is no cached passphrase.
Use this command to remove a cached passphrase.
@example
@ifset gpgtwoone
CLEAR_PASSPHRASE [--mode=normal] <cache_id>
@end ifset
@ifclear gpgtwoone
CLEAR_PASSPHRASE <cache_id>
@end ifclear
@end example
@ifset gpgtwoone
The @option{--mode=normal} option can be used to clear a @var{cache_id} that
was set by gpg-agent.
@end ifset
@ifset gpgtwoone
@node Agent PRESET_PASSPHRASE
@subsection Set a passphrase for a keygrip
@ -1368,9 +1196,6 @@ The @var{timeout} parameter keeps the passphrase cached for the specified
number of seconds. A value of @code{-1} means infinate while @code{0} means
the default (currently only a timeout of -1 is allowed, which means to never
expire it).
@end ifset
@node Agent GET_CONFIRMATION
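Review bot: "infinate" in the retained context line should be "infinite"; the parenthetical already says only -1 is accepted, so consider dropping the description of 0 as "the default" to avoid suggesting a value that is not allowed.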
@ -1425,21 +1250,13 @@ option given the certificates are send back.
@subsection Change a Passphrase
@example
@ifset gpgtwoone
PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
@end ifset
@ifclear gpgtwoone
PASSWD @var{keygrip}
@end ifclear
@end example
This command is used to interactively change the passphrase of the key
identified by the hex string @var{keygrip}.
@ifset gpgtwoone
The @option{--preset} option may be used to add the new passphrase to the
cache using the default cache parameters.
@end ifset
identified by the hex string @var{keygrip}. The @option{--preset}
option may be used to add the new passphrase to the cache using the
default cache parameters.
@node Agent UPDATESTARTUPTTY
@ -1540,7 +1357,6 @@ See Assuan command @code{PKSIGN}.
This does not need any value. It is used to enable the
PINENTRY_LAUNCHED inquiry.
@ifset gpgtwoone
@item pinentry-mode
This option is used to change the operation mode of the pinentry. The
following values are defined:
@ -1564,16 +1380,12 @@ following values are defined:
Use the @xref{option --allow-loopback-pinentry}.
@end table
@end ifset
@ifset gpgtwoone
@item cache-ttl-opt-preset
This option sets the cache TTL for new entries created by GENKEY and
PASSWD commands when using the @option{--preset} option. It it is not
used a default value is used.
@end ifset
@ifset gpgtwoone
@item s2k-count
Instead of using the standard S2K count (which is computed on the
fly), the given S2K count is used for new keys or when changing the
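Review bot: "It it is not used a default value is used" in the cache-ttl-opt-preset entry should read "If it is not set, a default value is used".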
@ -1581,7 +1393,6 @@ passphrase of a key. Values below 65536 are considered to be 0. This
option is valid for the entire session or until reset to 0. This
option is useful if the key is later used on boxes which are either
much slower or faster than the actual box.
@end ifset
@end table

View File

@ -3,10 +3,6 @@
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@c Note that we use this texinfo file for all GnuPG-2 branches.
@c The macro "gpgtwoone" controls parts which are only
@c valid for GnuPG 2.1 and later.
@node Invoking GPG
@chapter Invoking GPG
@cindex GPG command options
@ -15,13 +11,7 @@
@c Begin algorithm defaults
@ifclear gpgtwoone
@set DEFSYMENCALGO CAST5
@end ifclear
@ifset gpgtwoone
@set DEFSYMENCALGO AES128
@end ifset
@c End algorithm defaults
@ -407,15 +397,9 @@ an additional signing subkey on a dedicated machine and then using
this command to export the key without the primary key to the main
machine.
@ifset gpgtwoone
GnuPG may ask you to enter the passphrase for the key. This is
required because the internal protection method of the secret key is
different from the one specified by the OpenPGP protocol.
@end ifset
@ifclear gpgtwoone
See the option @option{--simple-sk-checksum} if you want to import an
exported secret key into ancient OpenPGP implementations.
@end ifclear
@item --import
@itemx --fast-import
@ -565,7 +549,6 @@ This section explains the main commands for key management
@table @gnupgtabopt
@ifset gpgtwoone
@item --quick-gen-key @code{user-id}
@opindex quick-gen-key
This is a simple command to generate a standard key with one user id.
@ -586,20 +569,17 @@ the passphrase options (@option{--passphrase},
supplied passphrase is used for the new key and the agent does not ask
for it. To create a key without any protection @code{--passphrase ''}
may be used.
@end ifset
@item --gen-key
@opindex gen-key
Generate a new key pair using teh current default parameters. This is
the standard command to create a new key.
@ifset gpgtwoone
@item --full-gen-key
@opindex gen-key
Generate a new key pair with dialogs for all options. This is an
extended version of @option{--gen-key}.
@end ifset
There is also a feature which allows you to create keys in batch
mode. See the the manual section ``Unattended key generation'' on how
to use this.
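Review bot: the @opindex under --full-gen-key says gen-key, so the index sends --full-gen-key readers to --gen-key; it should be @opindex full-gen-key. Two typos in the same region: "teh current default parameters" and "See the the manual section".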
@ -925,7 +905,6 @@ Signs a public key with your secret key but marks it as
non-exportable. This is a shortcut version of the subcommand "lsign"
from @option{--edit-key}.
@ifset gpgtwoone
@item --quick-sign-key @code{fpr} [@code{names}]
@itemx --quick-lsign-key @code{fpr} [@code{names}]
@opindex quick-sign-key
@ -943,9 +922,7 @@ This command uses reasonable defaults and thus does not provide the
full flexibility of the "sign" subcommand from @option{--edit-key}.
Its intended use is to help unattended key signing by utilizing a list
of verified fingerprints.
@end ifset
@ifset gpgtwoone
@item --quick-adduid @var{user-id} @var{new-user-id}
@opindex quick-adduid
This command adds a new user id to an existing key. In contrast to
@ -953,7 +930,6 @@ the interactive sub-command @code{adduid} of @option{--edit-key} the
@var{new-user-id} is added verbatim with only leading and trailing
white space removed, it is expected to be UTF-8 encoded, and no checks
on its form are applied.
@end ifset
@item --passwd @var{user_id}
@opindex passwd
@ -1271,13 +1247,8 @@ use the specified keyring alone, use @option{--keyring} along with
@item --secret-keyring @code{file}
@opindex secret-keyring
@ifset gpgtwoone
This is an obsolete option and ignored. All secret keys are stored in
the @file{private-keys-v1.d} directory below the GnuPG home directory.
@end ifset
@ifclear gpgtwoone
Same as @option{--keyring} but for the secret keyrings.
@end ifclear
@item --primary-keyring @code{file}
@opindex primary-keyring
@ -1610,21 +1581,6 @@ are available for all keyserver types, some common options are:
this option is not used with HKP keyservers, as they do not support
retrieving keys by subkey id.
@ifclear gpgtwoone
@item use-temp-files
On most Unix-like platforms, GnuPG communicates with the keyserver
helper program via pipes, which is the most efficient method. This
option forces GnuPG to use temporary files to communicate. On some
platforms (such as Win32 and RISC OS), this option is always enabled.
@end ifclear
@ifclear gpgtwoone
@item keep-temp-files
If using `use-temp-files', do not delete the temp files after using
them. This option is useful to learn the keyserver communication
protocol by reading the temporary files.
@end ifclear
@item timeout
Tell the keyserver helper program how long (in seconds) to try and
perform a keyserver action before giving up. Note that performing
@ -1635,64 +1591,23 @@ are available for all keyserver types, some common options are:
@item http-proxy=@code{value}
Set the proxy to use for HTTP and HKP keyservers.
@ifset gpgtwoone
This overrides any proxy defined in @file{dirmngr.conf}.
@end ifset
@ifclear gpgtwoone
This overrides the "http_proxy" environment variable, if any.
@end ifclear
@ifclear gpgtwoone
@item max-cert-size
When retrieving a key via DNS CERT, only accept keys up to this size.
Defaults to 16384 bytes.
@end ifclear
This overrides any proxy defined in @file{dirmngr.conf}.
@item verbose
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Tell the keyserver helper program to be more verbose. This option can
be repeated multiple times to increase the verbosity level.
@end ifclear
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@item debug
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Turn on debug output in the keyserver helper program. Note that the
details of debug output depends on which keyserver helper program is
being used, and in turn, on any libraries that the keyserver helper
program uses internally (libcurl, openldap, etc).
@end ifclear
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@item check-cert
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Enable certificate checking if the keyserver presents one (for hkps or
ldaps). Defaults to on.
@end ifclear
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@item ca-cert-file
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Provide a certificate store to override the system default. Only
necessary if check-cert is enabled, and the keyserver is using a
certificate that is not present in a system default certificate list.
Note that depending on the SSL library that the keyserver helper is
built with, this may actually be a directory or a file.
@end ifclear
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end table
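Review bot: verbose, debug, check-cert and ca-cert-file now carry four identical "This option has no more function since GnuPG 2.1" paragraphs; "has no effect since GnuPG 2.1" is cleaner, and the four items could share one entry. More importantly for check-cert and ca-cert-file, which users relied on to enforce TLS certificate verification against hkps keyservers, point to the concrete dirmngr replacement (its --hkp-cacert option, if that is the intended successor) rather than the generic "dirmngr configuration options", so nobody assumes verification was lost.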
@ -1710,20 +1625,6 @@ key signer (defaults to 3)
@opindex max-cert-depth
Maximum depth of a certification chain (default is 5).
@ifclear gpgtwoone
@item --simple-sk-checksum
@opindex simple-sk-checksum
Secret keys are integrity protected by using a SHA-1 checksum. This
method is part of the upcoming enhanced OpenPGP specification but
GnuPG already uses it as a countermeasure against certain attacks.
Old applications don't understand this new format, so this option may
be used to switch back to the old behaviour. Using this option bears
a security risk. Note that using this option only takes effect when
the secret key is encrypted - the simplest way to make this happen is
to change the passphrase on the key (even changing it to the same
value is acceptable).
@end ifclear
@item --no-sig-cache
@opindex no-sig-cache
Do not cache the verification status of key signatures.
@ -1767,20 +1668,13 @@ default value is determined by running @command{gpgconf} with the
option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
used for a regression test suite hack and may thus not be used in the
file name.
@ifclear gpgtwoone
This is only used
as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
set or a running agent cannot be connected.
@end ifclear
@ifset gpgtwoone
@item --dirmngr-program @var{file}
@opindex dirmngr-program
Specify a dirmngr program to be used for keyserver access. The
default value is @file{/usr/sbin/dirmngr}. This is only used as a
fallback when the environment variable @code{DIRMNGR_INFO} is not set or
a running dirmngr cannot be connected.
@end ifset
@item --no-autostart
@opindex no-autostart
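Review bot: the retained --dirmngr-program text still says it is only a fallback when DIRMNGR_INFO is unset, while this same hunk removes the equivalent GPG_AGENT_INFO sentence from --agent-program; if dirmngr in 2.1 is auto-started on a standard socket like gpg-agent, that sentence is stale and should go too. Also double-check the stated default path /usr/sbin/dirmngr against where 2.1 actually installs the binary.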
@ -1969,7 +1863,6 @@ Remove all entries from the @option{--group} list.
Use @var{name} as the key to sign with. Note that this option overrides
@option{--default-key}.
@ifset gpgtwoone
@item --try-secret-key @var{name}
@opindex try-secret-key
For hidden recipients GPG needs to know the keys to use for trial
@ -1981,7 +1874,6 @@ the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
pinentry for a lot keys to do the trial decryption. If you want to stop
all further trial decryption you may use close-window button instead of
the cancel button.
@end ifset
@item --try-all-secrets
@opindex try-all-secrets
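Review bot: "pop up a pinentry for a lot keys" in the context line should be "for a lot of keys".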
@ -2112,15 +2004,13 @@ opposite meaning. The options are:
@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
@c export-reset-subkey-passwd hack is not anymore justified. Such use
@c cases need to be implemented using a specialized secret key export
@c cases may be implemented using a specialized secret key export
@c tool.
@ifclear gpgtwoone
@item export-reset-subkey-passwd
When using the @option{--export-secret-subkeys} command, this option resets
the passphrases for all exported subkeys to empty. This is useful
when the exported subkey is to be used on an unattended machine where
a passphrase doesn't necessarily make sense. Defaults to no.
@end ifclear
@c @item export-reset-subkey-passwd
@c When using the @option{--export-secret-subkeys} command, this option resets
@c the passphrases for all exported subkeys to empty. This is useful
@c when the exported subkey is to be used on an unattended machine where
@c a passphrase doesn't necessarily make sense. Defaults to no.
@item export-clean
Compact (remove all signatures from) user IDs on the key being
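Review bot: converting the export-reset-subkey-passwd item into @c comments leaves dead documentation in the source; the @c note above it already records why the option is gone, and git history keeps the old text, so the commented-out item can be dropped entirely.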
@ -2161,22 +2051,18 @@ listing mode and print all timestamps as seconds since 1970-01-01.
Since GnuPG 2.0.10, this mode is always used and thus this option is
obsolete; it does not harm to use it though.
@ifset gpgtwoone
@item --legacy-list-mode
@opindex legacy-list-mode
Revert to the pre-2.1 public key list mode. This only affects the
human readable output and not the machine interface
(i.e. @code{--with-colons}). Note that the legacy format does not
allow to convey suitable information for elliptic curves.
@end ifset
@item --with-fingerprint
@opindex with-fingerprint
Same as the command @option{--fingerprint} but changes only the format
of the output and may be used together with another command.
@ifset gpgtwoone
@item --with-icao-spelling
@opindex with-icao-spelling
Print the ICAO spelling of the fingerprint in addition to the hex digits.
@ -2190,8 +2076,6 @@ Include the keygrip in the key listings.
Include info about the presence of a secret key in public key listings
done with @code{--with-colons}.
@end ifset
@end table
@c *******************************************
@ -2214,34 +2098,11 @@ platforms that have different line ending conventions (UNIX-like to Mac,
Mac to Windows, etc). @option{--no-textmode} disables this option, and
is the default.
@ifclear gpgtwoone
@item --force-v3-sigs
@itemx --no-force-v3-sigs
@opindex force-v3-sigs
OpenPGP states that an implementation should generate v4 signatures
but PGP versions 5 through 7 only recognize v4 signatures on key
material. This option forces v3 signatures for signatures on data.
Note that this option implies @option{--no-ask-sig-expire}, and unsets
@option{--sig-policy-url}, @option{--sig-notation}, and
@option{--sig-keyserver-url}, as these features cannot be used with v3
signatures. @option{--no-force-v3-sigs} disables this option.
Defaults to no.
@item --force-v4-certs
@itemx --no-force-v4-certs
@opindex force-v4-certs
Always use v4 key signatures even on v3 keys. This option also
changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1.
@option{--no-force-v4-certs} disables this option.
@end ifclear
@ifset gpgtwoone
@item --force-v3-sigs
@itemx --no-force-v3-sigs
@item --force-v4-certs
@itemx --no-force-v4-certs
These options are obsolete and have no effect since GnuPG 2.1.
@end ifset
@item --force-mdc
@opindex force-mdc
@ -2397,12 +2258,7 @@ compression algorithms none and ZIP. This also disables
--throw-keyids, and making signatures with signing subkeys as PGP 6
does not understand signatures made by signing subkeys.
@ifclear gpgtwoone
This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}.
@end ifclear
@ifset gpgtwoone
This option implies @option{--disable-mdc --escape-from-lines}.
@end ifset
@item --pgp7
@opindex pgp7
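Review bot: the now unconditional sentence states that --pgp6 implies --disable-mdc, and since the MDC is what gives OpenPGP encrypted data its integrity protection, a short warning here that --pgp6 output is not integrity-protected (with a cross-reference to @option{--force-mdc}) would help readers understand the trade-off they are accepting.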
@ -2761,7 +2617,6 @@ avoid it.
Note that this passphrase is only used if the option @option{--batch}
has also been given. This is different from GnuPG version 1.x.
@ifset gpgtwoone
@item --pinentry-mode @code{mode}
@opindex pinentry-mode
Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
@ -2779,7 +2634,6 @@ are:
Redirect Pinentry queries to the caller. Note that in contrast to
Pinentry the user is not prompted again if he enters a bad password.
@end table
@end ifset
@item --command-fd @code{n}
@opindex command-fd
@ -3102,26 +2956,19 @@ files; They all live in in the current home directory (@pxref{option
@item ~/.gnupg/pubring.gpg.lock
The lock file for the public keyring.
@ifset gpgtwoone
@item ~/.gnupg/pubring.kbx
The public keyring using a different format. This file is sharred
with @command{gpgsm}. You should backup this file.
@item ~/.gnupg/pubring.kbx.lock
The lock file for @file{pubring.kbx}.
@end ifset
@item ~/.gnupg/secring.gpg
@ifclear gpgtwoone
The secret keyring. You should backup this file.
@end ifclear
@ifset gpgtwoone
A secret keyring as used by GnuPG versions before 2.1. It is not
used by GnuPG 2.1 and later.
@item ~/.gnupg/.gpg-v21-migrated
File indicating that a migration to GnuPG 2.1 has taken place.
@end ifset
File indicating that a migration to GnuPG 2.1 has been done.
@item ~/.gnupg/trustdb.gpg
The trust database. There is no need to backup this file; it is better
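Review bot: "This file is sharred with @command{gpgsm}" should be "shared", and "You should backup this file" should be "back up" (verb). The rewording from "has taken place" to "has been done" is fine.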
@ -3166,18 +3013,7 @@ Operation is further controlled by a few environment variables:
If set directory used instead of "~/.gnupg".
@item GPG_AGENT_INFO
@ifset gpgtwoone
This variable was used by GnuPG versions before 2.1
@end ifset
@ifclear gpgtwoone
Used to locate the gpg-agent.
The value consists of 3 colon delimited fields: The first is the path
to the Unix Domain Socket, the second the PID of the gpg-agent and the
protocol version which should be set to 1. When starting the gpg-agent
as described in its documentation, this variable is set to the correct
value. The option @option{--gpg-agent-info} can be used to override it.
@end ifclear
@item PINENTRY_USER_DATA
This value is passed via gpg-agent to pinentry. It is useful to convey
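Review bot: the retained sentence "This variable was used by GnuPG versions before 2.1" lacks a full stop, and it should say explicitly that GnuPG 2.1 ignores it, so readers know a leftover export in their environment is harmless rather than a misconfiguration.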
@ -3409,17 +3245,7 @@ control statements must be given. For GnuPG 2.1 and later
@item %ask-passphrase
@itemx %no-ask-passphrase
@ifclear gpgtwoone
Enable (or disable) a mode where the command @option{passphrase} is
ignored and instead the usual passphrase dialog is used. This does
not make sense for batch key generation; however the unattended key
generation feature is also used by GUIs and this feature relinquishes
the GUI from implementing its own passphrase entry code. These are
global control statements and affect all future key generations.
@end ifclear
@ifset gpgtwoone
This option is a no-op for GnuPG 2.1 and later.
@end ifset
@item %no-protection
Using this option allows the creation of keys without any passphrase
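Review bot: the sentence kept for %ask-passphrase / %no-ask-passphrase, "This option is a no-op for GnuPG 2.1 and later", now reads oddly in a manual that covers only 2.1, and these are control statements rather than options (the surrounding text calls them "global control statements"); suggest "These control statements are accepted for compatibility with older parameter files but have no effect." The removed @ifclear text explained what they used to do; a short "(older versions used them to switch to the interactive passphrase dialog)" would preserve that for readers migrating parameter files.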

View File

@ -165,20 +165,12 @@ use @samp{--help} to get a list of supported operations.
@table @gnupgtabopt
@item --gen-key
@opindex gen-key
@ifclear gpgtwoone
-This command allows the creation of a certificate signing request. It
-is commonly used along with the @option{--output} option to save the
-created CSR into a file. If used with the @option{--batch} a parameter
-file is used to create the CSR.
@end ifclear
@ifset gpgtwoone
This command allows the creation of a certificate signing request or a
self-signed certificate. It is commonly used along with the
@option{--output} option to save the created CSR or certificate into a
file. If used with the @option{--batch} a parameter file is used to
create the CSR or certificate and it is further possible to create
non-self-signed certificates.
@end ifset
@item --list-keys
@itemx -k
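Review bot: in the retained --gen-key text, "If used with the @option{--batch} a parameter file is used to create the CSR or certificate" is missing the noun after the option name and a comma: "If used with the @option{--batch} option, a parameter file is used to create the CSR or certificate". The closing clause "and it is further possible to create non-self-signed certificates" would read better as a separate sentence.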
@ -266,7 +258,6 @@ informational lines are prepended to the output. Note, that the PKCS#12
format is not very secure and this command is only provided if there is
no other way to exchange the private key. (@pxref{option --p12-charset})
@ifset gpgtwoone
@item --export-secret-key-p8 @var{key-id}
@itemx --export-secret-key-raw @var{key-id}
@opindex export-secret-key-p8
@ -277,7 +268,6 @@ PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format.
When used with the @code{--armor} option a few informational lines are
prepended to the output. These commands are useful to prepare a key
for use on a TLS server.
@end ifset
@item --import [@var{files}]
@opindex import
@ -361,11 +351,6 @@ Specify an agent program to be used for secret key operations. The
default value is determined by running the command @command{gpgconf}.
Note that the pipe symbol (@code{|}) is used for a regression test
suite hack and may thus not be used in the file name.
@ifclear gpgtwoone
This is only used
as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
set or a running agent cannot be connected.
@end ifclear
@item --dirmngr-program @var{file}
@opindex dirmngr-program
@ -594,12 +579,10 @@ certificate.
Include the keygrip in standard key listings. Note that the keygrip is
always listed in --with-colons mode.
@ifset gpgtwoone
@item --with-secret
@opindex with-secret
Include info about the presence of a secret key in public key listings
done with @code{--with-colons}.
@end ifset
@end table
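Review bot: the context line above the new unconditional --with-secret entry writes "--with-colons" bare, while the --with-secret text marks it up as @code{--with-colons}; the manual's convention for options is @option{}, so suggest @option{--with-colons} in both places so the two adjacent entries are consistent.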
@ -906,10 +889,6 @@ other programs of this software too.
@item S.gpg-agent
@cindex S.gpg-agent
If this file exists
@ifclear gpgtwoone
and the environment variable @env{GPG_AGENT_INFO} is
not set,
@end ifclear
@command{gpgsm} will first try to connect to this socket for
accessing @command{gpg-agent} before starting a new @command{gpg-agent}
instance. Under Windows this socket (which in reality be a plain file
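Review bot: dropping the @ifclear clause leaves "If this file exists @command{gpgsm} will first try to connect to this socket" without the comma that the removed "not set," used to supply; suggest "If this file exists, @command{gpgsm} will first try". The trailing context line "Under Windows this socket (which in reality be a plain file" is also missing a verb: "which in reality is a plain file".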
@ -1000,12 +979,6 @@ this is a missing certificate.
@node CSR and certificate creation
@subsection CSR and certificate creation
@ifclear gpgtwoone
@strong{Please notice}: The immediate creation of certificates is only
supported by GnuPG version 2.1 or later. With a 2.0 version you may
only create a CSR.
@end ifclear
The command @option{--gen-key} may be used along with the option
@option{--batch} to either create a certificate signing request (CSR)
or an X.509 certificate. This is controlled by a parameter file; the

View File

@ -16,9 +16,7 @@ GnuPG comes with a couple of smaller tools:
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
* gpg-preset-passphrase:: Put a passphrase into the cache.
* gpg-connect-agent:: Communicate with a running agent.
@ifset gpgtwoone
* dirmngr-client:: How to use the Dirmngr client tool.
@end ifset
* gpgparsemail:: Parse a mail message into an annotated format
* symcryptrun:: Call a simple symmetric encryption tool.
* gpg-zip:: Encrypt or sign files into an archive.
@ -305,7 +303,6 @@ Reload all or the given component. This is basically the same as sending
a SIGHUP to the component. Components which don't support reloading are
ignored.
@ifset gpgtwoone
@item --launch [@var{component}]
@opindex launch
If the @var{component} is not already running, start it.
@ -320,7 +317,6 @@ Kill the given component. Components which support killing are
gpg-agent and scdaemon. Components which don't support reloading are
ignored. Note that as of now reload and kill have the same effect for
scdaemon.
@end ifset
@end table
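Review bot: the now-unconditional --kill description says "Components which don't support reloading are ignored", which was copied from the --reload entry just above; it should read "Components which don't support killing are ignored" (the sentence before it already lists which components support killing).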
@ -1210,7 +1206,6 @@ option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
used for a regression test suite hack and may thus not be used in the
file name.
@ifset gpgtwoone
@item --dirmngr-program @var{file}
@opindex dirmngr-program
Specify the directory manager (keyserver client) program to be started
@ -1221,7 +1216,6 @@ option @option{--dirmngr}.
@opindex dirmngr
Connect to a running directory manager (keyserver client) instead of
to the gpg-agent. If a dirmngr is not running, start it.
@end ifset
@item -S
@itemx --raw-socket @var{name}
@ -1487,7 +1481,6 @@ Print a list of available control commands.
@include see-also-note.texi
@end ifset
@ifset gpgtwoone
@c
@c DIRMNGR-CLIENT
@c
@ -1648,7 +1641,7 @@ Squid's @option{external_acl_type} option.
@command{gpgsm}(1)
@include see-also-note.texi
@end ifset
@end ifset
@c
@c GPGPARSEMAIL
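Review bot: this hunk removes one of two adjacent @end ifset lines after the dirmngr-client see-also include, and the @ifset gpgtwoone before the DIRMNGR-CLIENT section sits directly after another @end ifset; make sure the @end ifset that stays is the one pairing with the outer conditional around the gpg-connect-agent section rather than the removed gpgtwoone opener, since the two were nested. Building the manual with makeinfo settles it: it reports an unmatched @end ifset or a missing @end if the pairing is off.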