doc: Change the manual source to be only for GnuPG 2.1
Signed-off-by: Werner Koch <wk@gnupg.org>
parent
c672572bd5
commit
abbefdd04d
@ -57,9 +57,9 @@ gnupg_TEXINFOS = \
|
|||||||
|
|
||||||
DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
|
DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
|
||||||
|
|
||||||
AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css -D gpgtwoone
|
AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css
|
||||||
|
|
||||||
YAT2M_OPTIONS = -I $(srcdir) -D gpgtwoone \
|
YAT2M_OPTIONS = -I $(srcdir) \
|
||||||
--release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.1"
|
--release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.1"
|
||||||
|
|
||||||
myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
|
myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
|
||||||
|
@ -103,7 +103,6 @@ used. Using the keyserver debug option as in
|
|||||||
is thus often helpful. Note that the actual output depends on the
|
is thus often helpful. Note that the actual output depends on the
|
||||||
backend and may change from release to release.
|
backend and may change from release to release.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item Logging on WindowsCE
|
@item Logging on WindowsCE
|
||||||
|
|
||||||
For development, the best logging method on WindowsCE is the use of
|
For development, the best logging method on WindowsCE is the use of
|
||||||
@ -113,7 +112,6 @@ on the given port. (@pxref{option watchgnupg --tcp}). For in the field
|
|||||||
tests it is better to make use of the logging facility provided by the
|
tests it is better to make use of the logging facility provided by the
|
||||||
@command{gpgcedev} driver (part of libassuan); this is enabled by using
|
@command{gpgcedev} driver (part of libassuan); this is enabled by using
|
||||||
a log file name of @file{GPG2:}. (@pxref{option --log-file}).
|
a log file name of @file{GPG2:}. (@pxref{option --log-file}).
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@end itemize
|
@end itemize
|
||||||
|
|
||||||
|
@ -52,10 +52,8 @@ section entitled ``Copying''.
|
|||||||
* gpg2: (gnupg). OpenPGP encryption and signing tool.
|
* gpg2: (gnupg). OpenPGP encryption and signing tool.
|
||||||
* gpgsm: (gnupg). S/MIME encryption and signing tool.
|
* gpgsm: (gnupg). S/MIME encryption and signing tool.
|
||||||
* gpg-agent: (gnupg). The secret key daemon.
|
* gpg-agent: (gnupg). The secret key daemon.
|
||||||
@ifset gpgtwoone
|
|
||||||
* dirmngr: (gnupg). X.509 CRL and OCSP server.
|
* dirmngr: (gnupg). X.509 CRL and OCSP server.
|
||||||
* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
|
* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
|
||||||
@end ifset
|
|
||||||
@end direntry
|
@end direntry
|
||||||
|
|
||||||
|
|
||||||
@ -127,9 +125,7 @@ the administration and the architecture.
|
|||||||
* Installation:: A short installation guide.
|
* Installation:: A short installation guide.
|
||||||
|
|
||||||
* Invoking GPG-AGENT:: How to launch the secret key daemon.
|
* Invoking GPG-AGENT:: How to launch the secret key daemon.
|
||||||
@ifset gpgtwoone
|
|
||||||
* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
|
* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
|
||||||
@end ifset
|
|
||||||
* Invoking GPG:: Using the OpenPGP protocol.
|
* Invoking GPG:: Using the OpenPGP protocol.
|
||||||
* Invoking GPGSM:: Using the S/MIME protocol.
|
* Invoking GPGSM:: Using the S/MIME protocol.
|
||||||
* Invoking SCDAEMON:: How to handle Smartcards.
|
* Invoking SCDAEMON:: How to handle Smartcards.
|
||||||
@ -161,9 +157,7 @@ the administration and the architecture.
|
|||||||
@include instguide.texi
|
@include instguide.texi
|
||||||
|
|
||||||
@include gpg-agent.texi
|
@include gpg-agent.texi
|
||||||
@ifset gpgtwoone
|
|
||||||
@include dirmngr.texi
|
@include dirmngr.texi
|
||||||
@end ifset
|
|
||||||
@include gpg.texi
|
@include gpg.texi
|
||||||
@include gpgsm.texi
|
@include gpgsm.texi
|
||||||
@include scdaemon.texi
|
@include scdaemon.texi
|
||||||
|
@ -2,10 +2,6 @@
|
|||||||
@c This is part of the GnuPG manual.
|
@c This is part of the GnuPG manual.
|
||||||
@c For copying conditions, see the file gnupg.texi.
|
@c For copying conditions, see the file gnupg.texi.
|
||||||
|
|
||||||
@c Note that we use this texinfo file for all versions of GnuPG:
|
|
||||||
@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only
|
|
||||||
@c valid for GnuPG 2.1 and later.
|
|
||||||
|
|
||||||
|
|
||||||
@node Invoking GPG-AGENT
|
@node Invoking GPG-AGENT
|
||||||
@chapter Invoking GPG-AGENT
|
@chapter Invoking GPG-AGENT
|
||||||
@ -52,7 +48,6 @@ independently from any protocol. It is used as a backend for
|
|||||||
@command{gpg} and @command{gpgsm} as well as for a couple of other
|
@command{gpg} and @command{gpgsm} as well as for a couple of other
|
||||||
utilities.
|
utilities.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
The agent is automatically started on demand by @command{gpg},
|
The agent is automatically started on demand by @command{gpg},
|
||||||
@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
|
@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
|
||||||
Thus there is no reason to start it manually. In case you want to use
|
Thus there is no reason to start it manually. In case you want to use
|
||||||
@ -61,51 +56,6 @@ the included Secure Shell Agent you may start the agent using:
|
|||||||
@example
|
@example
|
||||||
gpg-connect-agent /bye
|
gpg-connect-agent /bye
|
||||||
@end example
|
@end example
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@noindent
|
|
||||||
The usual way to run the agent is from the @code{~/.xsession} file:
|
|
||||||
|
|
||||||
@example
|
|
||||||
eval $(gpg-agent --daemon)
|
|
||||||
@end example
|
|
||||||
@noindent
|
|
||||||
If you don't use an X server, you can also put this into your regular
|
|
||||||
startup file @code{~/.profile} or @code{.bash_profile}. It is best not
|
|
||||||
to run multiple instance of the @command{gpg-agent}, so you should make
|
|
||||||
sure that only one is running: @command{gpg-agent} uses an environment
|
|
||||||
variable to inform clients about the communication parameters. You can
|
|
||||||
write the content of this environment variable to a file so that you can
|
|
||||||
test for a running agent. Here is an example using Bourne shell syntax:
|
|
||||||
|
|
||||||
@smallexample
|
|
||||||
gpg-agent --daemon --enable-ssh-support \
|
|
||||||
--write-env-file "$@{HOME@}/.gpg-agent-info"
|
|
||||||
@end smallexample
|
|
||||||
|
|
||||||
This code should only be run once per user session to initially fire up
|
|
||||||
the agent. In the example the optional support for the included Secure
|
|
||||||
Shell agent is enabled and the information about the agent is written to
|
|
||||||
a file in the HOME directory. Note that by running gpg-agent without
|
|
||||||
arguments you may test whether an agent is already running; however such
|
|
||||||
a test may lead to a race condition, thus it is not suggested.
|
|
||||||
|
|
||||||
@noindent
|
|
||||||
The second script needs to be run for each interactive session:
|
|
||||||
|
|
||||||
@smallexample
|
|
||||||
if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
|
|
||||||
. "$@{HOME@}/.gpg-agent-info"
|
|
||||||
export GPG_AGENT_INFO
|
|
||||||
export SSH_AUTH_SOCK
|
|
||||||
fi
|
|
||||||
@end smallexample
|
|
||||||
|
|
||||||
@noindent
|
|
||||||
It reads the data out of the file and exports the variables. If you
|
|
||||||
don't use Secure Shell, you don't need the last two export statements.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@noindent
|
@noindent
|
||||||
You should always add the following lines to your @code{.bashrc} or
|
You should always add the following lines to your @code{.bashrc} or
|
||||||
@ -175,17 +125,11 @@ default mode is to create a socket and listen for commands there.
|
|||||||
@opindex daemon
|
@opindex daemon
|
||||||
Start the gpg-agent as a daemon; that is, detach it from the console
|
Start the gpg-agent as a daemon; that is, detach it from the console
|
||||||
and run it in the background.
|
and run it in the background.
|
||||||
@ifclear gpgtwoone
|
|
||||||
Because @command{gpg-agent} prints out
|
As an alternative you may create a new process as a child of
|
||||||
important information required for further use, a common way of
|
gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new
|
||||||
invoking gpg-agent is: @code{eval $(gpg-agent --daemon)} to setup the
|
shell with the environment setup properly; after you exit from this
|
||||||
environment variables. The option @option{--write-env-file} is
|
shell, gpg-agent terminates within a few seconds.
|
||||||
another way commonly used to do this.
|
|
||||||
@end ifclear
|
|
||||||
Yet another way is creating
|
|
||||||
a new process as a child of gpg-agent: @code{gpg-agent --daemon
|
|
||||||
/bin/sh}. This way you get a new shell with the environment setup
|
|
||||||
properly; if you exit from this shell, gpg-agent terminates as well.
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@mansect options
|
@mansect options
|
||||||
@ -323,23 +267,6 @@ shell or the C-shell respectively. The default is to guess it based on
|
|||||||
the environment variable @code{SHELL} which is correct in almost all
|
the environment variable @code{SHELL} which is correct in almost all
|
||||||
cases.
|
cases.
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item --write-env-file @var{file}
|
|
||||||
@opindex write-env-file
|
|
||||||
Often it is required to connect to the agent from a process not being an
|
|
||||||
inferior of @command{gpg-agent} and thus the environment variable with
|
|
||||||
the socket name is not available. To help setting up those variables in
|
|
||||||
other sessions, this option may be used to write the information into
|
|
||||||
@var{file}. If @var{file} is not specified the default name
|
|
||||||
@file{$@{HOME@}/.gpg-agent-info} will be used. The format is suitable
|
|
||||||
to be evaluated by a Bourne shell like in this simple example:
|
|
||||||
|
|
||||||
@example
|
|
||||||
eval $(cat @var{file})
|
|
||||||
eval $(cut -d= -f 1 < @var{file} | xargs echo export)
|
|
||||||
@end example
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
|
|
||||||
@item --no-grab
|
@item --no-grab
|
||||||
@opindex no-grab
|
@opindex no-grab
|
||||||
@ -369,15 +296,12 @@ accept Root-CA keys.
|
|||||||
This option allows the use of @command{gpg-preset-passphrase} to seed the
|
This option allows the use of @command{gpg-preset-passphrase} to seed the
|
||||||
internal cache of @command{gpg-agent} with passphrases.
|
internal cache of @command{gpg-agent} with passphrases.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@anchor{option --allow-loopback-pinentry}
|
@anchor{option --allow-loopback-pinentry}
|
||||||
@item --allow-loopback-pinentry
|
@item --allow-loopback-pinentry
|
||||||
@opindex allow-loopback-pinentry
|
@opindex allow-loopback-pinentry
|
||||||
Allow clients to use the loopback pinentry features; see the option
|
Allow clients to use the loopback pinentry features; see the option
|
||||||
@option{pinentry-mode} for details.
|
@option{pinentry-mode} for details.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --no-allow-external-cache
|
@item --no-allow-external-cache
|
||||||
@opindex no-allow-external-cache
|
@opindex no-allow-external-cache
|
||||||
Tell Pinentry not to enable features which use an external cache for
|
Tell Pinentry not to enable features which use an external cache for
|
||||||
@ -388,7 +312,6 @@ credentials with one master password and may have installed a Pinentry
|
|||||||
which employs an additional external cache to implement such a policy.
|
which employs an additional external cache to implement such a policy.
|
||||||
By using this option the Pinentry is advised not to make use of such a
|
By using this option the Pinentry is advised not to make use of such a
|
||||||
cache and instead always ask the user for the requested passphrase.
|
cache and instead always ask the user for the requested passphrase.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --ignore-cache-for-signing
|
@item --ignore-cache-for-signing
|
||||||
@opindex ignore-cache-for-signing
|
@opindex ignore-cache-for-signing
|
||||||
@ -492,7 +415,6 @@ Do not make use of the scdaemon tool. This option has the effect of
|
|||||||
disabling the ability to do smartcard operations. Note, that enabling
|
disabling the ability to do smartcard operations. Note, that enabling
|
||||||
this option at runtime does not kill an already forked scdaemon.
|
this option at runtime does not kill an already forked scdaemon.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --disable-check-own-socket
|
@item --disable-check-own-socket
|
||||||
@opindex disable-check-own-socket
|
@opindex disable-check-own-socket
|
||||||
@command{gpg-agent} employs a periodic self-test to detect a stolen
|
@command{gpg-agent} employs a periodic self-test to detect a stolen
|
||||||
@ -500,7 +422,6 @@ socket. This usually means a second instance of @command{gpg-agent}
|
|||||||
has taken over the socket and @command{gpg-agent} will then terminate
|
has taken over the socket and @command{gpg-agent} will then terminate
|
||||||
itself. This option may be used to disable this self-test for
|
itself. This option may be used to disable this self-test for
|
||||||
debugging purposes.
|
debugging purposes.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --use-standard-socket
|
@item --use-standard-socket
|
||||||
@itemx --no-use-standard-socket
|
@itemx --no-use-standard-socket
|
||||||
@ -508,30 +429,9 @@ debugging purposes.
|
|||||||
@opindex use-standard-socket
|
@opindex use-standard-socket
|
||||||
@opindex no-use-standard-socket
|
@opindex no-use-standard-socket
|
||||||
@opindex use-standard-socket-p
|
@opindex use-standard-socket-p
|
||||||
@ifset gpgtwoone
|
|
||||||
Since GnuPG 2.1 the standard socket is always used. These options
|
Since GnuPG 2.1 the standard socket is always used. These options
|
||||||
have no more effect. The command @code{gpg-agent
|
have no more effect. The command @code{gpg-agent
|
||||||
--use-standard-socket-p} will thus always return success.
|
--use-standard-socket-p} will thus always return success.
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
By enabling this option @command{gpg-agent} will listen on the socket
|
|
||||||
named @file{S.gpg-agent}, located in the home directory, and not create
|
|
||||||
a random socket below a temporary directory. Tools connecting to
|
|
||||||
@command{gpg-agent} should first try to connect to the socket given in
|
|
||||||
environment variable @var{GPG_AGENT_INFO} and then fall back to this
|
|
||||||
socket. This option may not be used if the home directory is mounted on
|
|
||||||
a remote file system which does not support special files like fifos or
|
|
||||||
sockets.
|
|
||||||
|
|
||||||
Note, that @option{--use-standard-socket} is the default on
|
|
||||||
Windows systems.
|
|
||||||
|
|
||||||
The default may be changed at build time. It is
|
|
||||||
possible to test at runtime whether the agent has been configured for
|
|
||||||
use with the standard socket by issuing the command @command{gpg-agent
|
|
||||||
--use-standard-socket-p} which returns success if the standard socket
|
|
||||||
option has been enabled.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item --display @var{string}
|
@item --display @var{string}
|
||||||
@itemx --ttyname @var{string}
|
@itemx --ttyname @var{string}
|
||||||
@ -810,7 +710,6 @@ This signal is used for internal purposes.
|
|||||||
@node Agent Examples
|
@node Agent Examples
|
||||||
@section Examples
|
@section Examples
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
It is important to set the GPG_TTY environment variable in
|
It is important to set the GPG_TTY environment variable in
|
||||||
your login shell, for example in the @file{~/.bashrc} init script:
|
your login shell, for example in the @file{~/.bashrc} init script:
|
||||||
|
|
||||||
@ -831,45 +730,7 @@ if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
|
|||||||
fi
|
fi
|
||||||
@end example
|
@end example
|
||||||
@end cartouche
|
@end cartouche
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
The usual way to invoke @command{gpg-agent} is
|
|
||||||
|
|
||||||
@example
|
|
||||||
$ eval $(gpg-agent --daemon)
|
|
||||||
@end example
|
|
||||||
|
|
||||||
An alternative way is by replacing @command{ssh-agent} with
|
|
||||||
@command{gpg-agent}. If for example @command{ssh-agent} is started as
|
|
||||||
part of the Xsession initialization, you may simply replace
|
|
||||||
@command{ssh-agent} by a script like:
|
|
||||||
|
|
||||||
@cartouche
|
|
||||||
@example
|
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \
|
|
||||||
--write-env-file $@{HOME@}/.gpg-agent-info "$@@"
|
|
||||||
@end example
|
|
||||||
@end cartouche
|
|
||||||
|
|
||||||
@noindent
|
|
||||||
and add something like (for Bourne shells)
|
|
||||||
|
|
||||||
@cartouche
|
|
||||||
@example
|
|
||||||
if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
|
|
||||||
. "$@{HOME@}/.gpg-agent-info"
|
|
||||||
export GPG_AGENT_INFO
|
|
||||||
export SSH_AUTH_SOCK
|
|
||||||
fi
|
|
||||||
@end example
|
|
||||||
@end cartouche
|
|
||||||
|
|
||||||
@noindent
|
|
||||||
to your shell initialization file (e.g. @file{~/.bashrc}).
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@c
|
@c
|
||||||
@c Assuan Protocol
|
@c Assuan Protocol
|
||||||
@ -881,21 +742,8 @@ to your shell initialization file (e.g. @file{~/.bashrc}).
|
|||||||
Note: this section does only document the protocol, which is used by
|
Note: this section does only document the protocol, which is used by
|
||||||
GnuPG components; it does not deal with the ssh-agent protocol.
|
GnuPG components; it does not deal with the ssh-agent protocol.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
The @command{gpg-agent} daemon is started on demand by the GnuPG
|
The @command{gpg-agent} daemon is started on demand by the GnuPG
|
||||||
components.
|
components.
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
The @command{gpg-agent} should be started by the login shell and set an
|
|
||||||
environment variable to tell clients about the socket to be used.
|
|
||||||
Clients should deny to access an agent with a socket name which does
|
|
||||||
not match its own configuration. An application may choose to start
|
|
||||||
an instance of the gpg-agent if it does not figure that any has been
|
|
||||||
started; it should not do this if a gpg-agent is running but not
|
|
||||||
usable. Because @command{gpg-agent} can only be used in background mode, no
|
|
||||||
special command line option is required to activate the use of the
|
|
||||||
protocol.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
To identify a key we use a thing called keygrip which is the SHA-1 hash
|
To identify a key we use a thing called keygrip which is the SHA-1 hash
|
||||||
of an canonical encoded S-Expression of the public key as used in
|
of an canonical encoded S-Expression of the public key as used in
|
||||||
@ -905,13 +753,11 @@ certificate is that it will be possible to use the same keypair for
|
|||||||
different protocols, thereby saving space on the token used to keep the
|
different protocols, thereby saving space on the token used to keep the
|
||||||
secret keys.
|
secret keys.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
The @command{gpg-agent} may send status messages during a command or when
|
The @command{gpg-agent} may send status messages during a command or when
|
||||||
returning from a command to inform a client about the progress or result of an
|
returning from a command to inform a client about the progress or result of an
|
||||||
operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
|
operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
|
||||||
during a server inquire to inform the client of the maximum usable length of
|
during a server inquire to inform the client of the maximum usable length of
|
||||||
the inquired data (which should not be exceeded).
|
the inquired data (which should not be exceeded).
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@menu
|
@menu
|
||||||
* Agent PKDECRYPT:: Decrypting a session key
|
* Agent PKDECRYPT:: Decrypting a session key
|
||||||
@ -922,9 +768,7 @@ the inquired data (which should not be exceeded).
|
|||||||
* Agent ISTRUSTED:: Importing a Root Certificate
|
* Agent ISTRUSTED:: Importing a Root Certificate
|
||||||
* Agent GET_PASSPHRASE:: Ask for a passphrase
|
* Agent GET_PASSPHRASE:: Ask for a passphrase
|
||||||
* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
|
* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
|
||||||
@ifset gpgtwoone
|
|
||||||
* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
|
* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
|
||||||
@end ifset
|
|
||||||
* Agent GET_CONFIRMATION:: Ask for confirmation
|
* Agent GET_CONFIRMATION:: Ask for confirmation
|
||||||
* Agent HAVEKEY:: Check whether a key is available
|
* Agent HAVEKEY:: Check whether a key is available
|
||||||
* Agent LEARN:: Register a smartcard
|
* Agent LEARN:: Register a smartcard
|
||||||
@ -1104,12 +948,7 @@ option allows to choose the storage location. To get the secret key out
|
|||||||
of the PSE, a special export tool has to be used.
|
of the PSE, a special export tool has to be used.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
@ifset gpgtwoone
|
|
||||||
GENKEY [--no-protection] [--preset] [<cache_nonce>]
|
GENKEY [--no-protection] [--preset] [<cache_nonce>]
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
GENKEY
|
|
||||||
@end ifclear
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Invokes the key generation process and the server will then inquire
|
Invokes the key generation process and the server will then inquire
|
||||||
@ -1155,7 +994,6 @@ Here is an example session:
|
|||||||
@end smallexample
|
@end smallexample
|
||||||
@end cartouche
|
@end cartouche
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
The @option{--no-protection} option may be used to prevent prompting for a
|
The @option{--no-protection} option may be used to prevent prompting for a
|
||||||
passphrase to protect the secret key while leaving the secret key unprotected.
|
passphrase to protect the secret key while leaving the secret key unprotected.
|
||||||
The @option{--preset} option may be used to add the passphrase to the cache
|
The @option{--preset} option may be used to add the passphrase to the cache
|
||||||
@ -1167,7 +1005,6 @@ keyword @code{NEWPASSWD} to retrieve that passphrase. This option
|
|||||||
takes precedence over @option{--no-protection}; however if the client
|
takes precedence over @option{--no-protection}; however if the client
|
||||||
sends a empty (zero-length) passphrase, this is identical to
|
sends a empty (zero-length) passphrase, this is identical to
|
||||||
@option{--no-protection}.
|
@option{--no-protection}.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@node Agent IMPORT
|
@node Agent IMPORT
|
||||||
@subsection Importing a Secret Key
|
@subsection Importing a Secret Key
|
||||||
@ -1334,22 +1171,13 @@ function returns with OK even when there is no cached passphrase.
|
|||||||
Use this command to remove a cached passphrase.
|
Use this command to remove a cached passphrase.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
@ifset gpgtwoone
|
|
||||||
CLEAR_PASSPHRASE [--mode=normal] <cache_id>
|
CLEAR_PASSPHRASE [--mode=normal] <cache_id>
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
CLEAR_PASSPHRASE <cache_id>
|
|
||||||
@end ifclear
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
The @option{--mode=normal} option can be used to clear a @var{cache_id} that
|
The @option{--mode=normal} option can be used to clear a @var{cache_id} that
|
||||||
was set by gpg-agent.
|
was set by gpg-agent.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@node Agent PRESET_PASSPHRASE
|
@node Agent PRESET_PASSPHRASE
|
||||||
@subsection Set a passphrase for a keygrip
|
@subsection Set a passphrase for a keygrip
|
||||||
|
|
||||||
@ -1368,9 +1196,6 @@ The @var{timeout} parameter keeps the passphrase cached for the specified
|
|||||||
number of seconds. A value of @code{-1} means infinate while @code{0} means
|
number of seconds. A value of @code{-1} means infinate while @code{0} means
|
||||||
the default (currently only a timeout of -1 is allowed, which means to never
|
the default (currently only a timeout of -1 is allowed, which means to never
|
||||||
expire it).
|
expire it).
|
||||||
@end ifset
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@node Agent GET_CONFIRMATION
|
@node Agent GET_CONFIRMATION
|
||||||
@ -1425,21 +1250,13 @@ option given the certificates are send back.
|
|||||||
@subsection Change a Passphrase
|
@subsection Change a Passphrase
|
||||||
|
|
||||||
@example
|
@example
|
||||||
@ifset gpgtwoone
|
|
||||||
PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
|
PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
PASSWD @var{keygrip}
|
|
||||||
@end ifclear
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
This command is used to interactively change the passphrase of the key
|
This command is used to interactively change the passphrase of the key
|
||||||
identified by the hex string @var{keygrip}.
|
identified by the hex string @var{keygrip}. The @option{--preset}
|
||||||
|
option may be used to add the new passphrase to the cache using the
|
||||||
@ifset gpgtwoone
|
default cache parameters.
|
||||||
The @option{--preset} option may be used to add the new passphrase to the
|
|
||||||
cache using the default cache parameters.
|
|
||||||
@end ifset
|
|
||||||
|
|
||||||
|
|
||||||
@node Agent UPDATESTARTUPTTY
|
@node Agent UPDATESTARTUPTTY
|
||||||
@ -1540,7 +1357,6 @@ See Assuan command @code{PKSIGN}.
|
|||||||
This does not need any value. It is used to enable the
|
This does not need any value. It is used to enable the
|
||||||
PINENTRY_LAUNCHED inquiry.
|
PINENTRY_LAUNCHED inquiry.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item pinentry-mode
|
@item pinentry-mode
|
||||||
This option is used to change the operation mode of the pinentry. The
|
This option is used to change the operation mode of the pinentry. The
|
||||||
following values are defined:
|
following values are defined:
|
||||||
@ -1564,16 +1380,12 @@ following values are defined:
|
|||||||
Use the @xref{option --allow-loopback-pinentry}.
|
Use the @xref{option --allow-loopback-pinentry}.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item cache-ttl-opt-preset
|
@item cache-ttl-opt-preset
|
||||||
This option sets the cache TTL for new entries created by GENKEY and
|
This option sets the cache TTL for new entries created by GENKEY and
|
||||||
PASSWD commands when using the @option{--preset} option. It it is not
|
PASSWD commands when using the @option{--preset} option. It it is not
|
||||||
used a default value is used.
|
used a default value is used.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item s2k-count
|
@item s2k-count
|
||||||
Instead of using the standard S2K count (which is computed on the
|
Instead of using the standard S2K count (which is computed on the
|
||||||
fly), the given S2K count is used for new keys or when changing the
|
fly), the given S2K count is used for new keys or when changing the
|
||||||
@ -1581,7 +1393,6 @@ passphrase of a key. Values below 65536 are considered to be 0. This
|
|||||||
option is valid for the entire session or until reset to 0. This
|
option is valid for the entire session or until reset to 0. This
|
||||||
option is useful if the key is later used on boxes which are either
|
option is useful if the key is later used on boxes which are either
|
||||||
much slower or faster than the actual box.
|
much slower or faster than the actual box.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
206
doc/gpg.texi
206
doc/gpg.texi
@ -3,10 +3,6 @@
|
|||||||
@c This is part of the GnuPG manual.
|
@c This is part of the GnuPG manual.
|
||||||
@c For copying conditions, see the file gnupg.texi.
|
@c For copying conditions, see the file gnupg.texi.
|
||||||
|
|
||||||
@c Note that we use this texinfo file for all GnuPG-2 branches.
|
|
||||||
@c The macro "gpgtwoone" controls parts which are only
|
|
||||||
@c valid for GnuPG 2.1 and later.
|
|
||||||
|
|
||||||
@node Invoking GPG
|
@node Invoking GPG
|
||||||
@chapter Invoking GPG
|
@chapter Invoking GPG
|
||||||
@cindex GPG command options
|
@cindex GPG command options
|
||||||
@ -15,13 +11,7 @@
|
|||||||
|
|
||||||
@c Begin algorithm defaults
|
@c Begin algorithm defaults
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@set DEFSYMENCALGO CAST5
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@set DEFSYMENCALGO AES128
|
@set DEFSYMENCALGO AES128
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@c End algorithm defaults
|
@c End algorithm defaults
|
||||||
|
|
||||||
@ -407,15 +397,9 @@ an additional signing subkey on a dedicated machine and then using
|
|||||||
this command to export the key without the primary key to the main
|
this command to export the key without the primary key to the main
|
||||||
machine.
|
machine.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
GnuPG may ask you to enter the passphrase for the key. This is
|
GnuPG may ask you to enter the passphrase for the key. This is
|
||||||
required because the internal protection method of the secret key is
|
required because the internal protection method of the secret key is
|
||||||
different from the one specified by the OpenPGP protocol.
|
different from the one specified by the OpenPGP protocol.
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
See the option @option{--simple-sk-checksum} if you want to import an
|
|
||||||
exported secret key into ancient OpenPGP implementations.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item --import
|
@item --import
|
||||||
@itemx --fast-import
|
@itemx --fast-import
|
||||||
@ -565,7 +549,6 @@ This section explains the main commands for key management
|
|||||||
|
|
||||||
@table @gnupgtabopt
|
@table @gnupgtabopt
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --quick-gen-key @code{user-id}
|
@item --quick-gen-key @code{user-id}
|
||||||
@opindex quick-gen-key
|
@opindex quick-gen-key
|
||||||
This is a simple command to generate a standard key with one user id.
|
This is a simple command to generate a standard key with one user id.
|
||||||
@ -586,20 +569,17 @@ the passphrase options (@option{--passphrase},
|
|||||||
supplied passphrase is used for the new key and the agent does not ask
|
supplied passphrase is used for the new key and the agent does not ask
|
||||||
for it. To create a key without any protection @code{--passphrase ''}
|
for it. To create a key without any protection @code{--passphrase ''}
|
||||||
may be used.
|
may be used.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --gen-key
|
@item --gen-key
|
||||||
@opindex gen-key
|
@opindex gen-key
|
||||||
Generate a new key pair using teh current default parameters. This is
|
Generate a new key pair using teh current default parameters. This is
|
||||||
the standard command to create a new key.
|
the standard command to create a new key.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --full-gen-key
|
@item --full-gen-key
|
||||||
@opindex gen-key
|
@opindex gen-key
|
||||||
Generate a new key pair with dialogs for all options. This is an
|
Generate a new key pair with dialogs for all options. This is an
|
||||||
extended version of @option{--gen-key}.
|
extended version of @option{--gen-key}.
|
||||||
|
|
||||||
@end ifset
|
|
||||||
There is also a feature which allows you to create keys in batch
|
There is also a feature which allows you to create keys in batch
|
||||||
mode. See the the manual section ``Unattended key generation'' on how
|
mode. See the the manual section ``Unattended key generation'' on how
|
||||||
to use this.
|
to use this.
|
||||||
@ -925,7 +905,6 @@ Signs a public key with your secret key but marks it as
|
|||||||
non-exportable. This is a shortcut version of the subcommand "lsign"
|
non-exportable. This is a shortcut version of the subcommand "lsign"
|
||||||
from @option{--edit-key}.
|
from @option{--edit-key}.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --quick-sign-key @code{fpr} [@code{names}]
|
@item --quick-sign-key @code{fpr} [@code{names}]
|
||||||
@itemx --quick-lsign-key @code{fpr} [@code{names}]
|
@itemx --quick-lsign-key @code{fpr} [@code{names}]
|
||||||
@opindex quick-sign-key
|
@opindex quick-sign-key
|
||||||
@ -943,9 +922,7 @@ This command uses reasonable defaults and thus does not provide the
|
|||||||
full flexibility of the "sign" subcommand from @option{--edit-key}.
|
full flexibility of the "sign" subcommand from @option{--edit-key}.
|
||||||
Its intended use is to help unattended key signing by utilizing a list
|
Its intended use is to help unattended key signing by utilizing a list
|
||||||
of verified fingerprints.
|
of verified fingerprints.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --quick-adduid @var{user-id} @var{new-user-id}
|
@item --quick-adduid @var{user-id} @var{new-user-id}
|
||||||
@opindex quick-adduid
|
@opindex quick-adduid
|
||||||
This command adds a new user id to an existing key. In contrast to
|
This command adds a new user id to an existing key. In contrast to
|
||||||
@ -953,7 +930,6 @@ the interactive sub-command @code{adduid} of @option{--edit-key} the
|
|||||||
@var{new-user-id} is added verbatim with only leading and trailing
|
@var{new-user-id} is added verbatim with only leading and trailing
|
||||||
white space removed, it is expected to be UTF-8 encoded, and no checks
|
white space removed, it is expected to be UTF-8 encoded, and no checks
|
||||||
on its form are applied.
|
on its form are applied.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --passwd @var{user_id}
|
@item --passwd @var{user_id}
|
||||||
@opindex passwd
|
@opindex passwd
|
||||||
@ -1271,13 +1247,8 @@ use the specified keyring alone, use @option{--keyring} along with
|
|||||||
|
|
||||||
@item --secret-keyring @code{file}
|
@item --secret-keyring @code{file}
|
||||||
@opindex secret-keyring
|
@opindex secret-keyring
|
||||||
@ifset gpgtwoone
|
|
||||||
This is an obsolete option and ignored. All secret keys are stored in
|
This is an obsolete option and ignored. All secret keys are stored in
|
||||||
the @file{private-keys-v1.d} directory below the GnuPG home directory.
|
the @file{private-keys-v1.d} directory below the GnuPG home directory.
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Same as @option{--keyring} but for the secret keyrings.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item --primary-keyring @code{file}
|
@item --primary-keyring @code{file}
|
||||||
@opindex primary-keyring
|
@opindex primary-keyring
|
||||||
@ -1610,21 +1581,6 @@ are available for all keyserver types, some common options are:
|
|||||||
this option is not used with HKP keyservers, as they do not support
|
this option is not used with HKP keyservers, as they do not support
|
||||||
retrieving keys by subkey id.
|
retrieving keys by subkey id.
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item use-temp-files
|
|
||||||
On most Unix-like platforms, GnuPG communicates with the keyserver
|
|
||||||
helper program via pipes, which is the most efficient method. This
|
|
||||||
option forces GnuPG to use temporary files to communicate. On some
|
|
||||||
platforms (such as Win32 and RISC OS), this option is always enabled.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item keep-temp-files
|
|
||||||
If using `use-temp-files', do not delete the temp files after using
|
|
||||||
them. This option is useful to learn the keyserver communication
|
|
||||||
protocol by reading the temporary files.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item timeout
|
@item timeout
|
||||||
Tell the keyserver helper program how long (in seconds) to try and
|
Tell the keyserver helper program how long (in seconds) to try and
|
||||||
perform a keyserver action before giving up. Note that performing
|
perform a keyserver action before giving up. Note that performing
|
||||||
@ -1635,64 +1591,23 @@ are available for all keyserver types, some common options are:
|
|||||||
|
|
||||||
@item http-proxy=@code{value}
|
@item http-proxy=@code{value}
|
||||||
Set the proxy to use for HTTP and HKP keyservers.
|
Set the proxy to use for HTTP and HKP keyservers.
|
||||||
@ifset gpgtwoone
|
This overrides any proxy defined in @file{dirmngr.conf}.
|
||||||
This overrides any proxy defined in @file{dirmngr.conf}.
|
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
This overrides the "http_proxy" environment variable, if any.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item max-cert-size
|
|
||||||
When retrieving a key via DNS CERT, only accept keys up to this size.
|
|
||||||
Defaults to 16384 bytes.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item verbose
|
@item verbose
|
||||||
@ifset gpgtwoone
|
This option has no more function since GnuPG 2.1. Use the
|
||||||
This option has no more function since GnuPG 2.1. Use the
|
@code{dirmngr} configuration options instead.
|
||||||
@code{dirmngr} configuration options instead.
|
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Tell the keyserver helper program to be more verbose. This option can
|
|
||||||
be repeated multiple times to increase the verbosity level.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item debug
|
@item debug
|
||||||
@ifset gpgtwoone
|
This option has no more function since GnuPG 2.1. Use the
|
||||||
This option has no more function since GnuPG 2.1. Use the
|
@code{dirmngr} configuration options instead.
|
||||||
@code{dirmngr} configuration options instead.
|
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Turn on debug output in the keyserver helper program. Note that the
|
|
||||||
details of debug output depends on which keyserver helper program is
|
|
||||||
being used, and in turn, on any libraries that the keyserver helper
|
|
||||||
program uses internally (libcurl, openldap, etc).
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item check-cert
|
@item check-cert
|
||||||
@ifset gpgtwoone
|
This option has no more function since GnuPG 2.1. Use the
|
||||||
This option has no more function since GnuPG 2.1. Use the
|
@code{dirmngr} configuration options instead.
|
||||||
@code{dirmngr} configuration options instead.
|
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Enable certificate checking if the keyserver presents one (for hkps or
|
|
||||||
ldaps). Defaults to on.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item ca-cert-file
|
@item ca-cert-file
|
||||||
@ifset gpgtwoone
|
This option has no more function since GnuPG 2.1. Use the
|
||||||
This option has no more function since GnuPG 2.1. Use the
|
@code{dirmngr} configuration options instead.
|
||||||
@code{dirmngr} configuration options instead.
|
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Provide a certificate store to override the system default. Only
|
|
||||||
necessary if check-cert is enabled, and the keyserver is using a
|
|
||||||
certificate that is not present in a system default certificate list.
|
|
||||||
|
|
||||||
Note that depending on the SSL library that the keyserver helper is
|
|
||||||
built with, this may actually be a directory or a file.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -1710,20 +1625,6 @@ key signer (defaults to 3)
|
|||||||
@opindex max-cert-depth
|
@opindex max-cert-depth
|
||||||
Maximum depth of a certification chain (default is 5).
|
Maximum depth of a certification chain (default is 5).
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item --simple-sk-checksum
|
|
||||||
@opindex simple-sk-checksum
|
|
||||||
Secret keys are integrity protected by using a SHA-1 checksum. This
|
|
||||||
method is part of the upcoming enhanced OpenPGP specification but
|
|
||||||
GnuPG already uses it as a countermeasure against certain attacks.
|
|
||||||
Old applications don't understand this new format, so this option may
|
|
||||||
be used to switch back to the old behaviour. Using this option bears
|
|
||||||
a security risk. Note that using this option only takes effect when
|
|
||||||
the secret key is encrypted - the simplest way to make this happen is
|
|
||||||
to change the passphrase on the key (even changing it to the same
|
|
||||||
value is acceptable).
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item --no-sig-cache
|
@item --no-sig-cache
|
||||||
@opindex no-sig-cache
|
@opindex no-sig-cache
|
||||||
Do not cache the verification status of key signatures.
|
Do not cache the verification status of key signatures.
|
||||||
@ -1767,20 +1668,13 @@ default value is determined by running @command{gpgconf} with the
|
|||||||
option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
|
option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
|
||||||
used for a regression test suite hack and may thus not be used in the
|
used for a regression test suite hack and may thus not be used in the
|
||||||
file name.
|
file name.
|
||||||
@ifclear gpgtwoone
|
|
||||||
This is only used
|
|
||||||
as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
|
|
||||||
set or a running agent cannot be connected.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --dirmngr-program @var{file}
|
@item --dirmngr-program @var{file}
|
||||||
@opindex dirmngr-program
|
@opindex dirmngr-program
|
||||||
Specify a dirmngr program to be used for keyserver access. The
|
Specify a dirmngr program to be used for keyserver access. The
|
||||||
default value is @file{/usr/sbin/dirmngr}. This is only used as a
|
default value is @file{/usr/sbin/dirmngr}. This is only used as a
|
||||||
fallback when the environment variable @code{DIRMNGR_INFO} is not set or
|
fallback when the environment variable @code{DIRMNGR_INFO} is not set or
|
||||||
a running dirmngr cannot be connected.
|
a running dirmngr cannot be connected.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --no-autostart
|
@item --no-autostart
|
||||||
@opindex no-autostart
|
@opindex no-autostart
|
||||||
@ -1969,7 +1863,6 @@ Remove all entries from the @option{--group} list.
|
|||||||
Use @var{name} as the key to sign with. Note that this option overrides
|
Use @var{name} as the key to sign with. Note that this option overrides
|
||||||
@option{--default-key}.
|
@option{--default-key}.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --try-secret-key @var{name}
|
@item --try-secret-key @var{name}
|
||||||
@opindex try-secret-key
|
@opindex try-secret-key
|
||||||
For hidden recipients GPG needs to know the keys to use for trial
|
For hidden recipients GPG needs to know the keys to use for trial
|
||||||
@ -1981,7 +1874,6 @@ the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
|
|||||||
pinentry for a lot keys to do the trial decryption. If you want to stop
|
pinentry for a lot keys to do the trial decryption. If you want to stop
|
||||||
all further trial decryption you may use close-window button instead of
|
all further trial decryption you may use close-window button instead of
|
||||||
the cancel button.
|
the cancel button.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --try-all-secrets
|
@item --try-all-secrets
|
||||||
@opindex try-all-secrets
|
@opindex try-all-secrets
|
||||||
@ -2112,15 +2004,13 @@ opposite meaning. The options are:
|
|||||||
|
|
||||||
@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
|
@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
|
||||||
@c export-reset-subkey-passwd hack is not anymore justified. Such use
|
@c export-reset-subkey-passwd hack is not anymore justified. Such use
|
||||||
@c cases need to be implemented using a specialized secret key export
|
@c cases may be implemented using a specialized secret key export
|
||||||
@c tool.
|
@c tool.
|
||||||
@ifclear gpgtwoone
|
@c @item export-reset-subkey-passwd
|
||||||
@item export-reset-subkey-passwd
|
@c When using the @option{--export-secret-subkeys} command, this option resets
|
||||||
When using the @option{--export-secret-subkeys} command, this option resets
|
@c the passphrases for all exported subkeys to empty. This is useful
|
||||||
the passphrases for all exported subkeys to empty. This is useful
|
@c when the exported subkey is to be used on an unattended machine where
|
||||||
when the exported subkey is to be used on an unattended machine where
|
@c a passphrase doesn't necessarily make sense. Defaults to no.
|
||||||
a passphrase doesn't necessarily make sense. Defaults to no.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item export-clean
|
@item export-clean
|
||||||
Compact (remove all signatures from) user IDs on the key being
|
Compact (remove all signatures from) user IDs on the key being
|
||||||
@ -2161,22 +2051,18 @@ listing mode and print all timestamps as seconds since 1970-01-01.
|
|||||||
Since GnuPG 2.0.10, this mode is always used and thus this option is
|
Since GnuPG 2.0.10, this mode is always used and thus this option is
|
||||||
obsolete; it does not harm to use it though.
|
obsolete; it does not harm to use it though.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --legacy-list-mode
|
@item --legacy-list-mode
|
||||||
@opindex legacy-list-mode
|
@opindex legacy-list-mode
|
||||||
Revert to the pre-2.1 public key list mode. This only affects the
|
Revert to the pre-2.1 public key list mode. This only affects the
|
||||||
human readable output and not the machine interface
|
human readable output and not the machine interface
|
||||||
(i.e. @code{--with-colons}). Note that the legacy format does not
|
(i.e. @code{--with-colons}). Note that the legacy format does not
|
||||||
allow to convey suitable information for elliptic curves.
|
allow to convey suitable information for elliptic curves.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --with-fingerprint
|
@item --with-fingerprint
|
||||||
@opindex with-fingerprint
|
@opindex with-fingerprint
|
||||||
Same as the command @option{--fingerprint} but changes only the format
|
Same as the command @option{--fingerprint} but changes only the format
|
||||||
of the output and may be used together with another command.
|
of the output and may be used together with another command.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
|
|
||||||
@item --with-icao-spelling
|
@item --with-icao-spelling
|
||||||
@opindex with-icao-spelling
|
@opindex with-icao-spelling
|
||||||
Print the ICAO spelling of the fingerprint in addition to the hex digits.
|
Print the ICAO spelling of the fingerprint in addition to the hex digits.
|
||||||
@ -2190,8 +2076,6 @@ Include the keygrip in the key listings.
|
|||||||
Include info about the presence of a secret key in public key listings
|
Include info about the presence of a secret key in public key listings
|
||||||
done with @code{--with-colons}.
|
done with @code{--with-colons}.
|
||||||
|
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@c *******************************************
|
@c *******************************************
|
||||||
@ -2214,34 +2098,11 @@ platforms that have different line ending conventions (UNIX-like to Mac,
|
|||||||
Mac to Windows, etc). @option{--no-textmode} disables this option, and
|
Mac to Windows, etc). @option{--no-textmode} disables this option, and
|
||||||
is the default.
|
is the default.
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@item --force-v3-sigs
|
|
||||||
@itemx --no-force-v3-sigs
|
|
||||||
@opindex force-v3-sigs
|
|
||||||
OpenPGP states that an implementation should generate v4 signatures
|
|
||||||
but PGP versions 5 through 7 only recognize v4 signatures on key
|
|
||||||
material. This option forces v3 signatures for signatures on data.
|
|
||||||
Note that this option implies @option{--no-ask-sig-expire}, and unsets
|
|
||||||
@option{--sig-policy-url}, @option{--sig-notation}, and
|
|
||||||
@option{--sig-keyserver-url}, as these features cannot be used with v3
|
|
||||||
signatures. @option{--no-force-v3-sigs} disables this option.
|
|
||||||
Defaults to no.
|
|
||||||
|
|
||||||
@item --force-v4-certs
|
|
||||||
@itemx --no-force-v4-certs
|
|
||||||
@opindex force-v4-certs
|
|
||||||
Always use v4 key signatures even on v3 keys. This option also
|
|
||||||
changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1.
|
|
||||||
@option{--no-force-v4-certs} disables this option.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --force-v3-sigs
|
@item --force-v3-sigs
|
||||||
@itemx --no-force-v3-sigs
|
@itemx --no-force-v3-sigs
|
||||||
@item --force-v4-certs
|
@item --force-v4-certs
|
||||||
@itemx --no-force-v4-certs
|
@itemx --no-force-v4-certs
|
||||||
These options are obsolete and have no effect since GnuPG 2.1.
|
These options are obsolete and have no effect since GnuPG 2.1.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --force-mdc
|
@item --force-mdc
|
||||||
@opindex force-mdc
|
@opindex force-mdc
|
||||||
@ -2397,12 +2258,7 @@ compression algorithms none and ZIP. This also disables
|
|||||||
--throw-keyids, and making signatures with signing subkeys as PGP 6
|
--throw-keyids, and making signatures with signing subkeys as PGP 6
|
||||||
does not understand signatures made by signing subkeys.
|
does not understand signatures made by signing subkeys.
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}.
|
|
||||||
@end ifclear
|
|
||||||
@ifset gpgtwoone
|
|
||||||
This option implies @option{--disable-mdc --escape-from-lines}.
|
This option implies @option{--disable-mdc --escape-from-lines}.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --pgp7
|
@item --pgp7
|
||||||
@opindex pgp7
|
@opindex pgp7
|
||||||
@ -2761,7 +2617,6 @@ avoid it.
|
|||||||
Note that this passphrase is only used if the option @option{--batch}
|
Note that this passphrase is only used if the option @option{--batch}
|
||||||
has also been given. This is different from GnuPG version 1.x.
|
has also been given. This is different from GnuPG version 1.x.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --pinentry-mode @code{mode}
|
@item --pinentry-mode @code{mode}
|
||||||
@opindex pinentry-mode
|
@opindex pinentry-mode
|
||||||
Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
|
Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
|
||||||
@ -2779,7 +2634,6 @@ are:
|
|||||||
Redirect Pinentry queries to the caller. Note that in contrast to
|
Redirect Pinentry queries to the caller. Note that in contrast to
|
||||||
Pinentry the user is not prompted again if he enters a bad password.
|
Pinentry the user is not prompted again if he enters a bad password.
|
||||||
@end table
|
@end table
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --command-fd @code{n}
|
@item --command-fd @code{n}
|
||||||
@opindex command-fd
|
@opindex command-fd
|
||||||
@ -3102,26 +2956,19 @@ files; They all live in in the current home directory (@pxref{option
|
|||||||
@item ~/.gnupg/pubring.gpg.lock
|
@item ~/.gnupg/pubring.gpg.lock
|
||||||
The lock file for the public keyring.
|
The lock file for the public keyring.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item ~/.gnupg/pubring.kbx
|
@item ~/.gnupg/pubring.kbx
|
||||||
The public keyring using a different format. This file is sharred
|
The public keyring using a different format. This file is sharred
|
||||||
with @command{gpgsm}. You should backup this file.
|
with @command{gpgsm}. You should backup this file.
|
||||||
|
|
||||||
@item ~/.gnupg/pubring.kbx.lock
|
@item ~/.gnupg/pubring.kbx.lock
|
||||||
The lock file for @file{pubring.kbx}.
|
The lock file for @file{pubring.kbx}.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item ~/.gnupg/secring.gpg
|
@item ~/.gnupg/secring.gpg
|
||||||
@ifclear gpgtwoone
|
|
||||||
The secret keyring. You should backup this file.
|
|
||||||
@end ifclear
|
|
||||||
@ifset gpgtwoone
|
|
||||||
A secret keyring as used by GnuPG versions before 2.1. It is not
|
A secret keyring as used by GnuPG versions before 2.1. It is not
|
||||||
used by GnuPG 2.1 and later.
|
used by GnuPG 2.1 and later.
|
||||||
|
|
||||||
@item ~/.gnupg/.gpg-v21-migrated
|
@item ~/.gnupg/.gpg-v21-migrated
|
||||||
File indicating that a migration to GnuPG 2.1 has taken place.
|
File indicating that a migration to GnuPG 2.1 has been done.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item ~/.gnupg/trustdb.gpg
|
@item ~/.gnupg/trustdb.gpg
|
||||||
The trust database. There is no need to backup this file; it is better
|
The trust database. There is no need to backup this file; it is better
|
||||||
@ -3166,18 +3013,7 @@ Operation is further controlled by a few environment variables:
|
|||||||
If set directory used instead of "~/.gnupg".
|
If set directory used instead of "~/.gnupg".
|
||||||
|
|
||||||
@item GPG_AGENT_INFO
|
@item GPG_AGENT_INFO
|
||||||
@ifset gpgtwoone
|
|
||||||
This variable was used by GnuPG versions before 2.1
|
This variable was used by GnuPG versions before 2.1
|
||||||
@end ifset
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
Used to locate the gpg-agent.
|
|
||||||
|
|
||||||
The value consists of 3 colon delimited fields: The first is the path
|
|
||||||
to the Unix Domain Socket, the second the PID of the gpg-agent and the
|
|
||||||
protocol version which should be set to 1. When starting the gpg-agent
|
|
||||||
as described in its documentation, this variable is set to the correct
|
|
||||||
value. The option @option{--gpg-agent-info} can be used to override it.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item PINENTRY_USER_DATA
|
@item PINENTRY_USER_DATA
|
||||||
This value is passed via gpg-agent to pinentry. It is useful to convey
|
This value is passed via gpg-agent to pinentry. It is useful to convey
|
||||||
@ -3409,17 +3245,7 @@ control statements must be given. For GnuPG 2.1 and later
|
|||||||
|
|
||||||
@item %ask-passphrase
|
@item %ask-passphrase
|
||||||
@itemx %no-ask-passphrase
|
@itemx %no-ask-passphrase
|
||||||
@ifclear gpgtwoone
|
|
||||||
Enable (or disable) a mode where the command @option{passphrase} is
|
|
||||||
ignored and instead the usual passphrase dialog is used. This does
|
|
||||||
not make sense for batch key generation; however the unattended key
|
|
||||||
generation feature is also used by GUIs and this feature relinquishes
|
|
||||||
the GUI from implementing its own passphrase entry code. These are
|
|
||||||
global control statements and affect all future key generations.
|
|
||||||
@end ifclear
|
|
||||||
@ifset gpgtwoone
|
|
||||||
This option is a no-op for GnuPG 2.1 and later.
|
This option is a no-op for GnuPG 2.1 and later.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item %no-protection
|
@item %no-protection
|
||||||
Using this option allows the creation of keys without any passphrase
|
Using this option allows the creation of keys without any passphrase
|
||||||
|
@ -165,20 +165,12 @@ use @samp{--help} to get a list of supported operations.
|
|||||||
@table @gnupgtabopt
|
@table @gnupgtabopt
|
||||||
@item --gen-key
|
@item --gen-key
|
||||||
@opindex gen-key
|
@opindex gen-key
|
||||||
@ifclear gpgtwoone
|
|
||||||
-This command allows the creation of a certificate signing request. It
|
|
||||||
-is commonly used along with the @option{--output} option to save the
|
|
||||||
-created CSR into a file. If used with the @option{--batch} a parameter
|
|
||||||
-file is used to create the CSR.
|
|
||||||
@end ifclear
|
|
||||||
@ifset gpgtwoone
|
|
||||||
This command allows the creation of a certificate signing request or a
|
This command allows the creation of a certificate signing request or a
|
||||||
self-signed certificate. It is commonly used along with the
|
self-signed certificate. It is commonly used along with the
|
||||||
@option{--output} option to save the created CSR or certificate into a
|
@option{--output} option to save the created CSR or certificate into a
|
||||||
file. If used with the @option{--batch} a parameter file is used to
|
file. If used with the @option{--batch} a parameter file is used to
|
||||||
create the CSR or certificate and it is further possible to create
|
create the CSR or certificate and it is further possible to create
|
||||||
non-self-signed certificates.
|
non-self-signed certificates.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --list-keys
|
@item --list-keys
|
||||||
@itemx -k
|
@itemx -k
|
||||||
@ -266,7 +258,6 @@ informational lines are prepended to the output. Note, that the PKCS#12
|
|||||||
format is not very secure and this command is only provided if there is
|
format is not very secure and this command is only provided if there is
|
||||||
no other way to exchange the private key. (@pxref{option --p12-charset})
|
no other way to exchange the private key. (@pxref{option --p12-charset})
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --export-secret-key-p8 @var{key-id}
|
@item --export-secret-key-p8 @var{key-id}
|
||||||
@itemx --export-secret-key-raw @var{key-id}
|
@itemx --export-secret-key-raw @var{key-id}
|
||||||
@opindex export-secret-key-p8
|
@opindex export-secret-key-p8
|
||||||
@ -277,7 +268,6 @@ PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format.
|
|||||||
When used with the @code{--armor} option a few informational lines are
|
When used with the @code{--armor} option a few informational lines are
|
||||||
prepended to the output. These commands are useful to prepare a key
|
prepended to the output. These commands are useful to prepare a key
|
||||||
for use on a TLS server.
|
for use on a TLS server.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item --import [@var{files}]
|
@item --import [@var{files}]
|
||||||
@opindex import
|
@opindex import
|
||||||
@ -361,11 +351,6 @@ Specify an agent program to be used for secret key operations. The
|
|||||||
default value is determined by running the command @command{gpgconf}.
|
default value is determined by running the command @command{gpgconf}.
|
||||||
Note that the pipe symbol (@code{|}) is used for a regression test
|
Note that the pipe symbol (@code{|}) is used for a regression test
|
||||||
suite hack and may thus not be used in the file name.
|
suite hack and may thus not be used in the file name.
|
||||||
@ifclear gpgtwoone
|
|
||||||
This is only used
|
|
||||||
as a fallback when the environment variable @code{GPG_AGENT_INFO} is not
|
|
||||||
set or a running agent cannot be connected.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
@item --dirmngr-program @var{file}
|
@item --dirmngr-program @var{file}
|
||||||
@opindex dirmngr-program
|
@opindex dirmngr-program
|
||||||
@ -594,12 +579,10 @@ certificate.
|
|||||||
Include the keygrip in standard key listings. Note that the keygrip is
|
Include the keygrip in standard key listings. Note that the keygrip is
|
||||||
always listed in --with-colons mode.
|
always listed in --with-colons mode.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --with-secret
|
@item --with-secret
|
||||||
@opindex with-secret
|
@opindex with-secret
|
||||||
Include info about the presence of a secret key in public key listings
|
Include info about the presence of a secret key in public key listings
|
||||||
done with @code{--with-colons}.
|
done with @code{--with-colons}.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -906,10 +889,6 @@ other programs of this software too.
|
|||||||
@item S.gpg-agent
|
@item S.gpg-agent
|
||||||
@cindex S.gpg-agent
|
@cindex S.gpg-agent
|
||||||
If this file exists
|
If this file exists
|
||||||
@ifclear gpgtwoone
|
|
||||||
and the environment variable @env{GPG_AGENT_INFO} is
|
|
||||||
not set,
|
|
||||||
@end ifclear
|
|
||||||
@command{gpgsm} will first try to connect to this socket for
|
@command{gpgsm} will first try to connect to this socket for
|
||||||
accessing @command{gpg-agent} before starting a new @command{gpg-agent}
|
accessing @command{gpg-agent} before starting a new @command{gpg-agent}
|
||||||
instance. Under Windows this socket (which in reality be a plain file
|
instance. Under Windows this socket (which in reality be a plain file
|
||||||
@ -1000,12 +979,6 @@ this is a missing certificate.
|
|||||||
@node CSR and certificate creation
|
@node CSR and certificate creation
|
||||||
@subsection CSR and certificate creation
|
@subsection CSR and certificate creation
|
||||||
|
|
||||||
@ifclear gpgtwoone
|
|
||||||
@strong{Please notice}: The immediate creation of certificates is only
|
|
||||||
supported by GnuPG version 2.1 or later. With a 2.0 version you may
|
|
||||||
only create a CSR.
|
|
||||||
@end ifclear
|
|
||||||
|
|
||||||
The command @option{--gen-key} may be used along with the option
|
The command @option{--gen-key} may be used along with the option
|
||||||
@option{--batch} to either create a certificate signing request (CSR)
|
@option{--batch} to either create a certificate signing request (CSR)
|
||||||
or an X.509 certificate. This is controlled by a parameter file; the
|
or an X.509 certificate. This is controlled by a parameter file; the
|
||||||
|
@ -16,9 +16,7 @@ GnuPG comes with a couple of smaller tools:
|
|||||||
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
|
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
|
||||||
* gpg-preset-passphrase:: Put a passphrase into the cache.
|
* gpg-preset-passphrase:: Put a passphrase into the cache.
|
||||||
* gpg-connect-agent:: Communicate with a running agent.
|
* gpg-connect-agent:: Communicate with a running agent.
|
||||||
@ifset gpgtwoone
|
|
||||||
* dirmngr-client:: How to use the Dirmngr client tool.
|
* dirmngr-client:: How to use the Dirmngr client tool.
|
||||||
@end ifset
|
|
||||||
* gpgparsemail:: Parse a mail message into an annotated format
|
* gpgparsemail:: Parse a mail message into an annotated format
|
||||||
* symcryptrun:: Call a simple symmetric encryption tool.
|
* symcryptrun:: Call a simple symmetric encryption tool.
|
||||||
* gpg-zip:: Encrypt or sign files into an archive.
|
* gpg-zip:: Encrypt or sign files into an archive.
|
||||||
@ -305,7 +303,6 @@ Reload all or the given component. This is basically the same as sending
|
|||||||
a SIGHUP to the component. Components which don't support reloading are
|
a SIGHUP to the component. Components which don't support reloading are
|
||||||
ignored.
|
ignored.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --launch [@var{component}]
|
@item --launch [@var{component}]
|
||||||
@opindex launch
|
@opindex launch
|
||||||
If the @var{component} is not already running, start it.
|
If the @var{component} is not already running, start it.
|
||||||
@ -320,7 +317,6 @@ Kill the given component. Components which support killing are
|
|||||||
gpg-agent and scdaemon. Components which don't support reloading are
|
gpg-agent and scdaemon. Components which don't support reloading are
|
||||||
ignored. Note that as of now reload and kill have the same effect for
|
ignored. Note that as of now reload and kill have the same effect for
|
||||||
scdaemon.
|
scdaemon.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@ -1210,7 +1206,6 @@ option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
|
|||||||
used for a regression test suite hack and may thus not be used in the
|
used for a regression test suite hack and may thus not be used in the
|
||||||
file name.
|
file name.
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@item --dirmngr-program @var{file}
|
@item --dirmngr-program @var{file}
|
||||||
@opindex dirmngr-program
|
@opindex dirmngr-program
|
||||||
Specify the directory manager (keyserver client) program to be started
|
Specify the directory manager (keyserver client) program to be started
|
||||||
@ -1221,7 +1216,6 @@ option @option{--dirmngr}.
|
|||||||
@opindex dirmngr
|
@opindex dirmngr
|
||||||
Connect to a running directory manager (keyserver client) instead of
|
Connect to a running directory manager (keyserver client) instead of
|
||||||
to the gpg-agent. If a dirmngr is not running, start it.
|
to the gpg-agent. If a dirmngr is not running, start it.
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@item -S
|
@item -S
|
||||||
@itemx --raw-socket @var{name}
|
@itemx --raw-socket @var{name}
|
||||||
@ -1487,7 +1481,6 @@ Print a list of available control commands.
|
|||||||
@include see-also-note.texi
|
@include see-also-note.texi
|
||||||
@end ifset
|
@end ifset
|
||||||
|
|
||||||
@ifset gpgtwoone
|
|
||||||
@c
|
@c
|
||||||
@c DIRMNGR-CLIENT
|
@c DIRMNGR-CLIENT
|
||||||
@c
|
@c
|
||||||
@ -1648,7 +1641,7 @@ Squid's @option{external_acl_type} option.
|
|||||||
@command{gpgsm}(1)
|
@command{gpgsm}(1)
|
||||||
@include see-also-note.texi
|
@include see-also-note.texi
|
||||||
@end ifset
|
@end ifset
|
||||||
@end ifset
|
|
||||||
|
|
||||||
@c
|
@c
|
||||||
@c GPGPARSEMAIL
|
@c GPGPARSEMAIL
|
||||||
|