mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-23 10:29:58 +01:00
42c18de83a
* apdu.c (open_pcsc_reader): Do not print empty reader string. * keygen.c (ask_algo): Allow creation of AUTH keys. * keyid.c (usagestr_from_pk): New. * app-openpgp.c (app_openpgp_storekey): Call flush_cache. * keyedit.c (keyedit_menu): New command "keytocard" (keyedit_menu): Bad hack for the not_with_sk element. (show_key_with_all_names): Print the usage. (find_pk_from_sknode): New. * card-util.c (card_store_subkey): New. (copy_mpi): New. * cardglue.c (agent_openpgp_storekey): New.
2952 lines
101 KiB
Plaintext
2952 lines
101 KiB
Plaintext
<!-- gpg.sgml - the man page for GnuPG
|
|
Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
|
|
2004 Free Software Foundation, Inc.
|
|
|
|
This file is part of GnuPG.
|
|
|
|
GnuPG is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
GnuPG is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
|
-->
|
|
<!-- This file should be processed by docbook-to-man to
|
|
create a manual page. This program has currently the bug
|
|
not to remove leading white space. So this source file does
|
|
not look very pretty
|
|
|
|
FIXME: generated a file with entity (e.g. pathnames) from the
|
|
configure scripts and include it here
|
|
-->
|
|
|
|
|
|
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [
|
|
<!entity ParmDir "<parameter>directory</parameter>">
|
|
<!entity ParmFile "<parameter>file</parameter>">
|
|
<!entity OptParmFile "<optional>&ParmFile;</optional>">
|
|
<!entity ParmFiles "<parameter>files</parameter>">
|
|
<!entity OptParmFiles "<optional>&ParmFiles;</optional>">
|
|
<!entity ParmNames "<parameter>names</parameter>">
|
|
<!entity OptParmNames "<optional>&ParmNames;</optional>">
|
|
<!entity ParmName "<parameter>name</parameter>">
|
|
<!entity OptParmName "<optional>&ParmName;</optional>">
|
|
<!entity ParmKeyIDs "<parameter>key IDs</parameter>">
|
|
<!entity OptParmKeyIDs "<optional>&ParmKeyIDs</optional>">
|
|
<!entity ParmN "<parameter>n</parameter>">
|
|
<!entity ParmFlags "<parameter>flags</parameter>">
|
|
<!entity ParmString "<parameter>string</parameter>">
|
|
<!entity ParmValue "<parameter>value</parameter>">
|
|
<!entity ParmNameValue "<parameter>name=value</parameter>">
|
|
<!entity ParmNameValues "<parameter>name=value1 <optional>value2 value3 ...</optional></parameter>">
|
|
<!entity OptEqualsValue "<optional>=value</optional>">
|
|
]>
|
|
|
|
<refentry id="gpg">
|
|
<refmeta>
|
|
<refentrytitle>gpg</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="gnu">GNU Tools</refmiscinfo>
|
|
</refmeta>
|
|
<refnamediv>
|
|
<refname/gpg/
|
|
<refpurpose>encryption and signing tool</>
|
|
</refnamediv>
|
|
<refsynopsisdiv>
|
|
<synopsis>
|
|
<command>gpg</command>
|
|
<optional>--homedir <parameter/name/</optional>
|
|
<optional>--options <parameter/file/</optional>
|
|
<optional><parameter/options/</optional>
|
|
<parameter>command</parameter>
|
|
<optional><parameter/args/</optional>
|
|
</synopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
<para>
|
|
<command/gpg/ is the main program for the GnuPG system.
|
|
</para>
|
|
<para>
|
|
This man page only lists the commands and options available. For more
|
|
verbose documentation get the GNU Privacy Handbook (GPH) or one of the
|
|
other documents at http://www.gnupg.org/documentation/ .
|
|
</para>
|
|
<para>
|
|
Please remember that option parsing stops as soon as a non option is
|
|
encountered, you can explicitly stop option parsing by using the
|
|
special option "--".
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>COMMANDS</title>
|
|
|
|
<para>
|
|
<command/gpg/ may be run with no commands, in which case it will
|
|
perform a reasonable action depending on the type of file it is given
|
|
as input (an encrypted message is decrypted, a signature is verified,
|
|
a file containing keys is listed).
|
|
</para>
|
|
|
|
<para>
|
|
<command/gpg/ recognizes these commands:
|
|
</para>
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>-s, --sign</term>
|
|
<listitem><para>
|
|
Make a signature. This command may be combined with --encrypt (for a
|
|
signed and encrypted message), --symmetric (for a signed and
|
|
symmetrically encrypted message), or --encrypt and --symmetric
|
|
together (for a signed message that may be decrypted via a secret key
|
|
or a passphrase).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--clearsign</term>
|
|
<listitem><para>
|
|
Make a clear text signature.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-b, --detach-sign</term>
|
|
<listitem><para>
|
|
Make a detached signature.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-e, --encrypt</term>
|
|
<listitem><para>
|
|
Encrypt data. This option may be combined with --sign (for a signed
|
|
and encrypted message), --symmetric (for a message that may be
|
|
decrypted via a secret key or a passphrase), or --sign and --symmetric
|
|
together (for a signed message that may be decrypted via a secret key
|
|
or a passphrase).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-c, --symmetric</term>
|
|
<listitem><para>
|
|
Encrypt with a symmetric cipher using a passphrase. The default
|
|
symmetric cipher used is CAST5, but may be chosen with the
|
|
--cipher-algo option. This option may be combined with --sign (for a
|
|
signed and symmetrically encrypted message), --encrypt (for a message
|
|
that may be decrypted via a secret key or a passphrase), or --sign and
|
|
--encrypt together (for a signed message that may be decrypted via a
|
|
secret key or a passphrase).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--store</term>
|
|
<listitem><para>
|
|
Store only (make a simple RFC1991 packet).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--decrypt &OptParmFile;</term>
|
|
<listitem><para>
|
|
Decrypt &ParmFile; (or stdin if no file is specified) and
|
|
write it to stdout (or the file specified with
|
|
--output). If the decrypted file is signed, the
|
|
signature is also verified. This command differs
|
|
from the default operation, as it never writes to the
|
|
filename which is included in the file and it
|
|
rejects files which don't begin with an encrypted
|
|
message.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--verify <optional><optional><parameter/sigfile/</optional>
|
|
<optional><parameter/signed-files/</optional></optional></term>
|
|
<listitem><para>
|
|
Assume that <parameter/sigfile/ is a signature and verify it
|
|
without generating any output. With no arguments,
|
|
the signature packet is read from stdin. If
|
|
only a sigfile is given, it may be a complete
|
|
signature or a detached signature, in which case
|
|
the signed stuff is expected in a file without the
|
|
".sig" or ".asc" extension.
|
|
With more than
|
|
1 argument, the first should be a detached signature
|
|
and the remaining files are the signed stuff. To read the signed
|
|
stuff from stdin, use <literal>-</literal> as the second filename.
|
|
For security reasons a detached signature cannot read the signed
|
|
material from stdin without denoting it in the above way.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--multifile</term>
|
|
<listitem><para>
|
|
This modifies certain other commands to accept multiple files for
|
|
processing on the command line or read from stdin with each filename
|
|
on a separate line. This allows for many files to be processed at
|
|
once. --multifile may currently be used along with --verify,
|
|
--encrypt, and --decrypt. Note that `--multifile --verify' may not be
|
|
used with detached signatures.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--verify-files <optional><parameter/files/</optional></term>
|
|
<listitem><para>
|
|
Identical to `--multifile --verify'.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--encrypt-files <optional><parameter/files/</optional></term>
|
|
<listitem><para>
|
|
Identical to `--multifile --encrypt'.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--decrypt-files <optional><parameter/files/</optional></term>
|
|
<listitem><para>
|
|
Identical to `--multifile --decrypt'.
|
|
</para></listitem></varlistentry>
|
|
|
|
<!--
|
|
B<-k> [I<username>] [I<keyring>]
|
|
Kludge to be somewhat compatible with PGP.
|
|
Without arguments, all public keyrings are listed.
|
|
With one argument, only I<keyring> is listed.
|
|
Special combinations are also allowed, but they may
|
|
give strange results when combined with more options.
|
|
B<-kv> Same as B<-k>
|
|
B<-kvv> List the signatures with every key.
|
|
B<-kvvv> Additionally check all signatures.
|
|
B<-kvc> List fingerprints
|
|
B<-kvvc> List fingerprints and signatures
|
|
|
|
B<This command may be removed in the future!>
|
|
-->
|
|
|
|
<varlistentry>
|
|
<term>--list-keys &OptParmNames;</term>
|
|
<term>--list-public-keys &OptParmNames;</term>
|
|
<listitem><para>
|
|
List all keys from the public keyrings, or just the ones given on the
|
|
command line.
|
|
</para><para>
|
|
Avoid using the output of this command in scripts or other programs as
|
|
it is likely to change as GnuPG changes. See --with-colons for a
|
|
machine-parseable key listing command that is appropriate for use in
|
|
scripts and other programs.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-K, --list-secret-keys &OptParmNames;</term>
|
|
<listitem><para>
|
|
List all keys from the secret keyrings, or just the ones given on the
|
|
command line. A '#' after the letters 'sec' means that the secret key
|
|
is not usable (for example, if it was created via
|
|
--export-secret-subkeys).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--list-sigs &OptParmNames;</term>
|
|
<listitem><para>
|
|
Same as --list-keys, but the signatures are listed too.
|
|
</para><para>
|
|
For each signature listed, there are several flags in between the
|
|
"sig" tag and keyid. These flags give additional information about
|
|
each signature. From left to right, they are the numbers 1-3 for
|
|
certificate check level (see --ask-cert-level), "L" for a local or
|
|
non-exportable signature (see --lsign-key), "R" for a nonRevocable
|
|
signature (see --nrsign-key), "P" for a signature that contains a
|
|
policy URL (see --cert-policy-url), "N" for a signature that contains
|
|
a notation (see --cert-notation), "X" for an eXpired signature (see
|
|
--ask-cert-expire), and the numbers 1-9 or "T" for 10 and above to
|
|
indicate trust signature levels (see the --edit-key command "tsign").
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--check-sigs &OptParmNames;</term>
|
|
<listitem><para>
|
|
Same as --list-sigs, but the signatures are verified.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--fingerprint &OptParmNames;</term>
|
|
<listitem><para>
|
|
List all keys with their fingerprints. This is the
|
|
same output as --list-keys but with the additional output
|
|
of a line with the fingerprint. May also be combined
|
|
with --list-sigs or --check-sigs.
|
|
If this command is given twice, the fingerprints of all
|
|
secondary keys are listed too.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--list-packets</term>
|
|
<listitem><para>
|
|
List only the sequence of packets. This is mainly
|
|
useful for debugging.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--gen-key</term>
|
|
<listitem><para>
|
|
Generate a new key pair. This command is normally only used
|
|
interactively.
|
|
</para>
|
|
<para>
|
|
There is an experimental feature which allows you to create keys
|
|
in batch mode. See the file <filename>doc/DETAILS</filename>
|
|
in the source distribution on how to use this.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--edit-key &ParmName;</term>
|
|
<listitem><para>
|
|
Present a menu which enables you to do all key
|
|
related tasks:</para>
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>sign</term>
|
|
<listitem><para>
|
|
Make a signature on key of user &ParmName;
|
|
If the key is not yet signed by the default
|
|
user (or the users given with -u), the
|
|
program displays the information of the key
|
|
again, together with its fingerprint and
|
|
asks whether it should be signed. This
|
|
question is repeated for all users specified
|
|
with -u.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>lsign</term>
|
|
<listitem><para>
|
|
Same as --sign but the signature is marked as
|
|
non-exportable and will therefore never be used
|
|
by others. This may be used to make keys valid
|
|
only in the local environment.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>nrsign</term>
|
|
<listitem><para>
|
|
Same as --sign but the signature is marked as non-revocable and can
|
|
therefore never be revoked.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>nrlsign</term>
|
|
<listitem><para>
|
|
Combines the functionality of nrsign and lsign to make a signature
|
|
that is both non-revocable and
|
|
non-exportable.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>tsign</term>
|
|
<listitem><para>
|
|
Make a trust signature. This is a signature that combines the notions
|
|
of certification (like a regular signature), and trust (like the
|
|
"trust" command). It is generally only useful in distinct communities
|
|
or groups.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>revsig</term>
|
|
<listitem><para>
|
|
Revoke a signature. For every signature which has been generated by
|
|
one of the secret keys, GnuPG asks whether a revocation certificate
|
|
should be generated.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>trust</term>
|
|
<listitem><para>
|
|
Change the owner trust value. This updates the
|
|
trust-db immediately and no save is required.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>disable</term>
|
|
<term>enable</term>
|
|
<listitem><para>
|
|
Disable or enable an entire key. A disabled key can not normally be
|
|
used for encryption.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>adduid</term>
|
|
<listitem><para>
|
|
Create an alternate user id.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>addphoto</term>
|
|
<listitem><para>
|
|
Create a photographic user id. This will prompt for a JPEG file that
|
|
will be embedded into the user ID. Note that a very large JPEG will
|
|
make for a very large key. Also note that some programs will display
|
|
your JPEG unchanged (GnuPG), and some programs will scale it to fit in
|
|
a dialog box (PGP).
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>deluid</term>
|
|
<listitem><para>
|
|
Delete a user id.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>delsig</term>
|
|
<listitem><para>
|
|
Delete a signature.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>revuid</term>
|
|
<listitem><para>
|
|
Revoke a user id.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>addkey</term>
|
|
<listitem><para>
|
|
Add a subkey to this key.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>addcardkey</term>
|
|
<listitem><para>
|
|
Generate a key on a card and add it
|
|
to this key.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>keytocard</term>
|
|
<listitem><para>
|
|
Transfer the selected secret key (or the primary key if no key has
|
|
been selected) to a smartcard. The secret key in the keyring will be
|
|
replaced by a stub if the key could be stored successfully on the card
|
|
and you use the save command later. Only certain key types may be
|
|
transferred to the card. A sub menu allows you to select on what card
|
|
to store the key. Note that it is not possible to get that key back
|
|
from the card - if the card gets broken your secret key will be lost
|
|
unless you have a backup somewhere.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>delkey</term>
|
|
<listitem><para>
|
|
Remove a subkey.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>addrevoker <optional>sensitive</optional></term>
|
|
<listitem><para>
|
|
Add a designated revoker. This takes one optional argument:
|
|
"sensitive". If a designated revoker is marked as sensitive, it will
|
|
not be exported by default (see
|
|
export-options).</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>revkey</term>
|
|
<listitem><para>
|
|
Revoke a subkey.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>expire</term>
|
|
<listitem><para>
|
|
Change the key expiration time. If a subkey is selected, the
|
|
expiration time of this subkey will be changed. With no selection,
|
|
the key expiration of the primary key is changed.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>passwd</term>
|
|
<listitem><para>
|
|
Change the passphrase of the secret key.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>primary</term>
|
|
<listitem><para>
|
|
Flag the current user id as the primary one, removes the primary user
|
|
id flag from all other user ids and sets the timestamp of all affected
|
|
self-signatures one second ahead. Note that setting a photo user ID
|
|
as primary makes it primary over other photo user IDs, and setting a
|
|
regular user ID as primary makes it primary over other regular user
|
|
IDs.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>uid &ParmN;</term>
|
|
<listitem><para>
|
|
Toggle selection of user id with index &ParmN;.
|
|
Use 0 to deselect all.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>key &ParmN;</term>
|
|
<listitem><para>
|
|
Toggle selection of subkey with index &ParmN;.
|
|
Use 0 to deselect all.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>check</term>
|
|
<listitem><para>
|
|
Check all selected user ids.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>showphoto</term>
|
|
<listitem><para>
|
|
Display the selected photographic user
|
|
id.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>pref</term>
|
|
<listitem><para>
|
|
List preferences from the selected user ID. This shows the actual
|
|
preferences, without including any implied preferences.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>showpref</term>
|
|
<listitem><para>
|
|
More verbose preferences listing for the selected user ID. This shows
|
|
the preferences in effect by including the implied preferences of
|
|
3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they
|
|
are not already included in the preference list.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>setpref &ParmString;</term>
|
|
<listitem><para>
|
|
Set the list of user ID preferences to &ParmString;, this should be a
|
|
string similar to the one printed by "pref". Using an empty string
|
|
will set the default preference string, using "none" will set the
|
|
preferences to nil. Use "gpg --version" to get a list of available
|
|
algorithms. This command just initializes an internal list and does
|
|
not change anything unless another command (such as "updpref") which
|
|
changes the self-signatures is used.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>updpref</term>
|
|
<listitem><para>
|
|
Change the preferences of all user IDs (or just of the selected ones
|
|
to the current list of preferences. The timestamp of all affected
|
|
self-signatures will be advanced by one second. Note that while you
|
|
can change the preferences on an attribute user ID (aka "photo ID"),
|
|
GnuPG does not select keys via attribute user IDs so these preferences
|
|
will not be used by GnuPG.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>keyserver</term>
|
|
<listitem><para>
|
|
Set a preferred keyserver for the specified user ID(s). This allows
|
|
other users to know where you prefer they get your key from. See
|
|
--keyserver-option honor-keyserver-url. Note that some versions of
|
|
PGP interpret the presence of a keyserver URL as an instruction to
|
|
enable PGP/MIME mail encoding.
|
|
</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>toggle</term>
|
|
<listitem><para>
|
|
Toggle between public and secret key listing.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>save</term>
|
|
<listitem><para>
|
|
Save all changes to the key rings and quit.</para></listitem></varlistentry>
|
|
<varlistentry>
|
|
<term>quit</term>
|
|
<listitem><para>
|
|
Quit the program without updating the
|
|
key rings.</para></listitem></varlistentry>
|
|
</variablelist>
|
|
<para>
|
|
The listing shows you the key with its secondary
|
|
keys and all user ids. Selected keys or user ids
|
|
are indicated by an asterisk. The trust value is
|
|
displayed with the primary key: the first is the
|
|
assigned owner trust and the second is the calculated
|
|
trust value. Letters are used for the values:</para>
|
|
<variablelist>
|
|
<varlistentry><term>-</term><listitem><para>No ownertrust assigned / not yet calculated.</para></listitem></varlistentry>
|
|
<varlistentry><term>e</term><listitem><para>Trust
|
|
calculation has failed; probably due to an expired key.</para></listitem></varlistentry>
|
|
<varlistentry><term>q</term><listitem><para>Not enough information for calculation.</para></listitem></varlistentry>
|
|
<varlistentry><term>n</term><listitem><para>Never trust this key.</para></listitem></varlistentry>
|
|
<varlistentry><term>m</term><listitem><para>Marginally trusted.</para></listitem></varlistentry>
|
|
<varlistentry><term>f</term><listitem><para>Fully trusted.</para></listitem></varlistentry>
|
|
<varlistentry><term>u</term><listitem><para>Ultimately trusted.</para></listitem></varlistentry>
|
|
</variablelist>
|
|
</listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--sign-key &ParmName;</term>
|
|
<listitem><para>
|
|
Signs a public key with your secret key. This is a shortcut version of
|
|
the subcommand "sign" from --edit.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--lsign-key &ParmName;</term>
|
|
<listitem><para>
|
|
Signs a public key with your secret key but marks it as
|
|
non-exportable. This is a shortcut version of the subcommand "lsign"
|
|
from --edit.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--nrsign-key &ParmName;</term>
|
|
<listitem><para>
|
|
Signs a public key with your secret key but marks it as non-revocable.
|
|
This is a shortcut version of the subcommand "nrsign" from --edit.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--delete-key &ParmName;</term>
|
|
<listitem><para>
|
|
Remove key from the public keyring. In batch mode either --yes is
|
|
required or the key must be specified by fingerprint. This is a
|
|
safeguard against accidental deletion of multiple keys.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--delete-secret-key &ParmName;</term>
|
|
<listitem><para>
|
|
Remove key from the secret and public keyring. In batch mode the key
|
|
must be specified by fingerprint.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--delete-secret-and-public-key &ParmName;</term>
|
|
<listitem><para>
|
|
Same as --delete-key, but if a secret key exists, it will be removed
|
|
first. In batch mode the key must be specified by fingerprint.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--gen-revoke &ParmName;</term>
|
|
<listitem><para>
|
|
Generate a revocation certificate for the complete key. To revoke
|
|
a subkey or a signature, use the --edit command.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--desig-revoke &ParmName;</term>
|
|
<listitem><para>
|
|
Generate a designated revocation certificate for a key. This allows a
|
|
user (with the permission of the keyholder) to revoke someone else's
|
|
key.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--export &OptParmNames;</term>
|
|
<listitem><para>
|
|
Either export all keys from all keyrings (default
|
|
keyrings and those registered via option --keyring),
|
|
or if at least one name is given, those of the given
|
|
name. The new keyring is written to stdout or to
|
|
the file given with option "output". Use together
|
|
with --armor to mail those keys.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--send-keys &OptParmNames;</term>
|
|
<listitem><para>
|
|
Same as --export but sends the keys to a keyserver.
|
|
Option --keyserver must be used to give the name
|
|
of this keyserver. Don't send your complete keyring
|
|
to a keyserver - select only those keys which are new
|
|
or changed by you.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--export-secret-keys &OptParmNames;</term>
|
|
<term>--export-secret-subkeys &OptParmNames;</term>
|
|
<listitem><para>
|
|
Same as --export, but exports the secret keys instead.
|
|
This is normally not very useful and a security risk.
|
|
The second form of the command has the special property to
|
|
render the secret part of the primary key useless; this is
|
|
a GNU extension to OpenPGP and other implementations can
|
|
not be expected to successfully import such a key.
|
|
|
|
See the option --simple-sk-checksum if you want to import such an
|
|
exported key with an older OpenPGP implementation.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--import &OptParmFiles;</term>
|
|
<term>--fast-import &OptParmFiles;</term>
|
|
<listitem><para>
|
|
Import/merge keys. This adds the given keys to the
|
|
keyring. The fast version is currently just a synonym.
|
|
</para>
|
|
<para>
|
|
There are a few other options which control how this command works.
|
|
Most notable here is the --keyserver-option merge-only option which
|
|
does not insert new keys but does only the merging of new signatures,
|
|
user-IDs and subkeys.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--recv-keys &ParmKeyIDs;</term>
|
|
<listitem><para>
|
|
Import the keys with the given key IDs from a keyserver. Option
|
|
--keyserver must be used to give the name of this keyserver.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--refresh-keys &OptParmKeyIDs;</term>
|
|
<listitem><para>
|
|
Request updates from a keyserver for keys that already exist on the
|
|
local keyring. This is useful for updating a key with the latest
|
|
signatures, user IDs, etc. Calling this with no arguments will
|
|
refresh the entire keyring. Option --keyserver must be used to give
|
|
the name of the keyserver for all keys that do not have preferred
|
|
keyservers set (see --keyserver-option honor-keyserver-url).
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--search-keys &OptParmNames;</term>
|
|
<listitem><para>
|
|
Search the keyserver for the given names. Multiple names given here
|
|
will be joined together to create the search string for the keyserver.
|
|
Option --keyserver must be used to give the name of this keyserver.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--update-trustdb</term>
|
|
<listitem><para>
|
|
Do trust database maintenance. This command iterates over all keys
|
|
and builds the Web-of-Trust. This is an interactive command because it
|
|
may have to ask for the "ownertrust" values for keys. The user has to
|
|
give an estimation of how far she trusts the owner of the displayed
|
|
key to correctly certify (sign) other keys. GnuPG only asks for the
|
|
ownertrust value if it has not yet been assigned to a key. Using the
|
|
--edit-key menu, the assigned value can be changed at any time.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--check-trustdb</term>
|
|
<listitem><para>
|
|
Do trust database maintenance without user interaction. From time to
|
|
time the trust database must be updated so that expired keys or
|
|
signatures and the resulting changes in the Web-of-Trust can be
|
|
tracked. Normally, GnuPG will calculate when this is required and do
|
|
it automatically unless --no-auto-check-trustdb is set. This command
|
|
can be used to force a trust database check at any time. The
|
|
processing is identical to that of --update-trustdb but it skips keys
|
|
with a not yet defined "ownertrust".
|
|
</para>
|
|
<para>
|
|
For use with cron jobs, this command can be used together with --batch
|
|
in which case the trust database check is done only if a check is
|
|
needed. To force a run even in batch mode add the option --yes.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--export-ownertrust</term>
|
|
<listitem><para>
|
|
Send the ownertrust values to stdout. This is useful for backup
|
|
purposes as these values are the only ones which can't be re-created
|
|
from a corrupted trust DB.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--import-ownertrust &OptParmFiles;</term>
|
|
<listitem><para>
|
|
Update the trustdb with the ownertrust values stored
|
|
in &ParmFiles; (or stdin if not given); existing
|
|
values will be overwritten.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--rebuild-keydb-caches</term>
|
|
<listitem><para>
|
|
When updating from version 1.0.6 to 1.0.7 this command should be used
|
|
to create signature caches in the keyring. It might be handy in other
|
|
situations too.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--print-md <parameter>algo</parameter> &OptParmFiles;</term>
|
|
<term>--print-mds &OptParmFiles;</term>
|
|
<listitem><para>
|
|
Print message digest of algorithm ALGO for all given files or stdin.
|
|
With the second form (or a deprecated "*" as algo) digests for all
|
|
available algorithms are printed.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--gen-random <parameter>0|1|2</parameter>
|
|
<optional><parameter>count</parameter></optional></term>
|
|
<listitem><para>
|
|
Emit COUNT random bytes of the given quality level. If count is not given
|
|
or zero, an endless sequence of random bytes will be emitted.
|
|
PLEASE, don't use this command unless you know what you are doing; it may
|
|
remove precious entropy from the system!
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--gen-prime <parameter>mode</parameter>
|
|
<parameter>bits</parameter>
|
|
<optional><parameter>qbits</parameter></optional></term>
|
|
<listitem><para>
|
|
Use the source, Luke :-). The output format is still subject to change.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--version</term>
|
|
<listitem><para>
|
|
Print version information along with a list
|
|
of supported algorithms.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--warranty</term>
|
|
<listitem><para>
|
|
Print warranty information.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-h, --help</term>
|
|
<listitem><para>
|
|
Print usage information. This is a really long list even though it
|
|
doesn't list all options. For every option, consult this manual.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
<para>
|
|
Long options can be put in an options file (default
|
|
"~/.gnupg/gpg.conf"). Short option names will not work - for example,
|
|
"armor" is a valid option for the options file, while "a" is not. Do
|
|
not write the 2 dashes, but simply the name of the option and any
|
|
required arguments. Lines with a hash ('#') as the first
|
|
non-white-space character are ignored. Commands may be put in this
|
|
file too, but that is not generally useful as the command will execute
|
|
automatically with every execution of gpg.
|
|
</para>
|
|
<para>
|
|
<command/gpg/ recognizes these options:
|
|
</para>
|
|
|
|
<variablelist>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-a, --armor</term>
|
|
<listitem><para>
|
|
Create ASCII armored output.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-o, --output &ParmFile;</term>
|
|
<listitem><para>
|
|
Write output to &ParmFile;.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--max-output &ParmN;</term>
|
|
<listitem><para>
|
|
This option sets a limit on the number of bytes that will be generated
|
|
when processing a file. Since OpenPGP supports various levels of
|
|
compression, it is possible that the plaintext of a given message may
|
|
be significantly larger than the original OpenPGP message. While
|
|
GnuPG works properly with such messages, there is often a desire to
|
|
set a maximum file size that will be generated before processing is
|
|
forced to stop by the OS limits. Defaults to 0, which means "no
|
|
limit".
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mangle-dos-filenames</term>
|
|
<term>--no-mangle-dos-filenames</term>
|
|
<listitem><para>
|
|
Older version of Windows cannot handle filenames with more than one
|
|
dot. --mangle-dos-filenames causes GnuPG to replace (rather than add
|
|
to) the extension of an output filename to avoid this problem. This
|
|
option is off by default and has no effect on non-Windows platforms.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-u, --local-user &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the key to sign with. Note that this option
|
|
overrides --default-key.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--default-key &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the default key to sign with. If this option is not
|
|
used, the default key is the first key found in the secret keyring.
|
|
Note that -u or --local-user overrides this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-r, --recipient &ParmName;</term>
|
|
<term></term>
|
|
<listitem><para>
|
|
Encrypt for user id &ParmName;. If this option or --hidden-recipient
|
|
is not specified, GnuPG asks for the user-id unless
|
|
--default-recipient is given.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-R, --hidden-recipient &ParmName;</term>
|
|
<term></term>
|
|
<listitem><para>
|
|
Encrypt for user id &ParmName;, but hide the keyid of the key. This
|
|
option hides the receiver of the message and is a countermeasure
|
|
against traffic analysis. If this option or --recipient is not
|
|
specified, GnuPG asks for the user-id unless --default-recipient is
|
|
given.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--default-recipient &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as default recipient if option --recipient is not used and
|
|
don't ask if this is a valid one. &ParmName; must be non-empty.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--default-recipient-self</term>
|
|
<listitem><para>
|
|
Use the default key as default recipient if option --recipient is not used and
|
|
don't ask if this is a valid one. The default key is the first one from the
|
|
secret keyring or the one set with --default-key.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no-default-recipient</term>
|
|
<listitem><para>
|
|
Reset --default-recipient and --default-recipient-self.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--encrypt-to &ParmName;</term>
|
|
<listitem><para>
|
|
Same as --recipient but this one is intended for use
|
|
in the options file and may be used with
|
|
your own user-id as an "encrypt-to-self". These keys
|
|
are only used when there are other recipients given
|
|
either by use of --recipient or by the asked user id.
|
|
No trust checking is performed for these user ids and
|
|
even disabled keys can be used.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--hidden-encrypt-to &ParmName;</term>
|
|
<listitem><para>
|
|
Same as --hidden-recipient but this one is intended for use in the
|
|
options file and may be used with your own user-id as a hidden
|
|
"encrypt-to-self". These keys are only used when there are other
|
|
recipients given either by use of --recipient or by the asked user id.
|
|
No trust checking is performed for these user ids and even disabled
|
|
keys can be used.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-encrypt-to</term>
|
|
<listitem><para>
|
|
Disable the use of all --encrypt-to and --hidden-encrypt-to keys.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-v, --verbose</term>
|
|
<listitem><para>
|
|
Give more information during processing. If used
|
|
twice, the input data is listed in detail.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-q, --quiet</term>
|
|
<listitem><para>
|
|
Try to be as quiet as possible.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-z &ParmN;</term>
|
|
<term>--compress-level &ParmN;</term>
|
|
<term>--bzip2-compress-level &ParmN;</term>
|
|
<listitem><para>
|
|
Set compression level to &ParmN; for the ZIP and ZLIB compression
|
|
algorithms. The default is to use the default compression level of
|
|
zlib (normally 6). --bzip2-compress-level sets the compression level
|
|
for the BZIP2 compression algorithm (defaulting to 6 as well). This
|
|
is a different option from --compress-level since BZIP2 uses a
|
|
significant amount of memory for each additional compression level.
|
|
-z sets both. A value of 0 for &ParmN; disables compression.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--bzip2-decompress-lowmem</term>
|
|
<listitem><para>
|
|
Use a different decompression method for BZIP2 compressed files. This
|
|
alternate method uses a bit more than half the memory, but also runs
|
|
at half the speed. This is useful under extreme low memory
|
|
circumstances when the file was originally compressed at a high
|
|
--bzip2-compress-level.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-t, --textmode</term>
|
|
<term>--no-textmode</term>
|
|
<listitem><para>
|
|
Treat input files as text and store them in the OpenPGP canonical text
|
|
form with standard "CRLF" line endings. This also sets the necessary
|
|
flags to inform the recipient that the encrypted or signed data is
|
|
text and may need its line endings converted back to whatever the
|
|
local system uses. This option is useful when communicating between
|
|
two platforms that have different line ending conventions (UNIX-like
|
|
to Mac, Mac to Windows, etc). --no-textmode disables this option, and
|
|
is the default.
|
|
</para><para>
|
|
If -t (but not --textmode) is used together with armoring and signing,
|
|
this enables clearsigned messages. This kludge is needed for
|
|
command-line compatibility with command-line versions of PGP; normally
|
|
you would use --sign or --clearsign to select the type of the
|
|
signature.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-n, --dry-run</term>
|
|
<listitem><para>
|
|
Don't make any changes (this is not completely implemented).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>-i, --interactive</term>
|
|
<listitem><para>
|
|
Prompt before overwriting any files.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--batch</term>
|
|
<term>--no-batch</term>
|
|
<listitem><para>
|
|
Use batch mode. Never ask, do not allow interactive commands.
|
|
--no-batch disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no-tty</term>
|
|
<listitem><para>
|
|
Make sure that the TTY (terminal) is never used for any output.
|
|
This option is needed in some cases because GnuPG sometimes prints
|
|
warnings to the TTY if --batch is used.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--yes</term>
|
|
<listitem><para>
|
|
Assume "yes" on most questions.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no</term>
|
|
<listitem><para>
|
|
Assume "no" on most questions.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--ask-cert-level</term>
|
|
<term>--no-ask-cert-level</term>
|
|
<listitem><para>
|
|
When making a key signature, prompt for a certification level. If
|
|
this option is not specified, the certification level used is set via
|
|
--default-cert-level. See --default-cert-level for information on the
|
|
specific levels and how they are used. --no-ask-cert-level disables
|
|
this option. This option defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--min-cert-level</term>
|
|
<listitem><para>
|
|
When building the trust database, disregard any signatures with a
|
|
certification level below this. Defaults to 2, which disregards level
|
|
1 signatures.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--default-cert-level &ParmN;</term>
|
|
<listitem><para>
|
|
The default to use for the check level when signing a key.
|
|
</para><para>
|
|
0 means you make no particular claim as to how carefully you verified
|
|
the key.
|
|
</para><para>
|
|
1 means you believe the key is owned by the person who claims to own
|
|
it but you could not, or did not verify the key at all. This is
|
|
useful for a "persona" verification, where you sign the key of a
|
|
pseudonymous user.
|
|
</para><para>
|
|
2 means you did casual verification of the key. For example, this
|
|
could mean that you verified that the key fingerprint and checked the
|
|
user ID on the key against a photo ID.
|
|
</para><para>
|
|
3 means you did extensive verification of the key. For example, this
|
|
could mean that you verified the key fingerprint with the owner of the
|
|
key in person, and that you checked, by means of a hard to forge
|
|
document with a photo ID (such as a passport) that the name of the key
|
|
owner matches the name in the user ID on the key, and finally that you
|
|
verified (by exchange of email) that the email address on the key
|
|
belongs to the key owner.
|
|
</para><para>
|
|
Note that the examples given above for levels 2 and 3 are just that:
|
|
examples. In the end, it is up to you to decide just what "casual"
|
|
and "extensive" mean to you.
|
|
</para><para>
|
|
This option defaults to 0 (no particular claim).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--trusted-key <parameter>long key ID</parameter></term>
|
|
<listitem><para>
|
|
Assume that the specified key (which must be given
|
|
as a full 8 byte key ID) is as trustworthy as one of
|
|
your own secret keys. This option is useful if you
|
|
don't want to keep your secret keys (or one of them)
|
|
online but still want to be able to check the validity of a given
|
|
recipient's or signator's key.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--trust-model <parameter>pgp|classic|always</parameter></term>
|
|
<listitem><para>
|
|
|
|
Set what trust model GnuPG should follow. The models are:
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry><term>pgp</term><listitem><para>
|
|
This is the web-of-trust combined with trust signatures as used in PGP
|
|
5.x and later. This is the default trust model.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry><term>classic</term><listitem><para>
|
|
This is the standard web-of-trust as used in PGP 2.x and earlier.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry><term>always</term><listitem><para>
|
|
Skip key validation and assume that used keys are always fully
|
|
trusted. You won't use this unless you have installed some external
|
|
validation scheme. This option also suppresses the "[uncertain]" tag
|
|
printed with signature checks when there is no evidence that the user
|
|
ID is bound to the key.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist></para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--always-trust</term>
|
|
<listitem><para>
|
|
Identical to `--trust-model always'. This option is deprecated.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--keyid-format <parameter>short|0xshort|long|0xlong</parameter></term>
|
|
<listitem><para>
|
|
Select how to display key IDs. "short" is the traditional 8-character
|
|
key ID. "long" is the more accurate (but less convenient)
|
|
16-character key ID. Add an "0x" to either to include an "0x" at the
|
|
beginning of the key ID, as in 0x99242560.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--keyserver &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as your keyserver. This is the server that
|
|
--recv-keys, --send-keys, and --search-keys will communicate with to
|
|
receive keys from, send keys to, and search for keys on. The format
|
|
of the &ParmName; is a URI: `scheme:[//]keyservername[:port]' The
|
|
scheme is the type of keyserver: "hkp" for the HTTP (or compatible)
|
|
keyservers, "ldap" for the NAI LDAP keyserver, or "mailto" for the
|
|
Graff email keyserver. Note that your particular installation of
|
|
GnuPG may have other keyserver types available as well. Keyserver
|
|
schemes are case-insensitive.
|
|
</para><para>
|
|
Most keyservers synchronize with each other, so there is generally no
|
|
need to send keys to more than one server. The keyserver
|
|
"hkp://subkeys.pgp.net" uses round robin DNS to give a different
|
|
keyserver each time you use it.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--keyserver-options <parameter>parameters</parameter></term>
|
|
<listitem><para>
|
|
This is a space or comma delimited string that gives options for the
|
|
keyserver. Options can be prepended with a `no-' to give the opposite
|
|
meaning. Valid import-options or export-options may be used here as
|
|
well to apply to importing (--recv-key) or exporting (--send-key) a
|
|
key from a keyserver. While not all options are available for all
|
|
keyserver types, some common options are:
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>include-revoked</term>
|
|
<listitem><para>
|
|
When searching for a key with --search-keys, include keys that are
|
|
marked on the keyserver as revoked. Note that not all keyservers
|
|
differentiate between revoked and unrevoked keys, and for such
|
|
keyservers this option is meaningless. Note also that most keyservers
|
|
do not have cryptographic verification of key revocations, and so
|
|
turning this option off may result in skipping keys that are
|
|
incorrectly marked as revoked. Defaults to on.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>include-disabled</term>
|
|
<listitem><para>
|
|
When searching for a key with --search-keys, include keys that are
|
|
marked on the keyserver as disabled. Note that this option is not
|
|
used with HKP keyservers.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>honor-keyserver-url</term>
|
|
<listitem><para>
|
|
When using --refresh-keys, if the key in question has a preferred
|
|
keyserver set, then use that preferred keyserver to refresh the key
|
|
from. Defaults to yes.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>include-subkeys</term>
|
|
<listitem><para>
|
|
When receiving a key, include subkeys as potential targets. Note that
|
|
this option is not used with HKP keyservers, as they do not support
|
|
retrieving keys by subkey id.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>use-temp-files</term>
|
|
<listitem><para>
|
|
On most Unix-like platforms, GnuPG communicates with the keyserver
|
|
helper program via pipes, which is the most efficient method. This
|
|
option forces GnuPG to use temporary files to communicate. On some
|
|
platforms (such as Win32 and RISC OS), this option is always enabled.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>keep-temp-files</term>
|
|
<listitem><para>
|
|
If using `use-temp-files', do not delete the temp files after using
|
|
them. This option is useful to learn the keyserver communication
|
|
protocol by reading the temporary files.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>verbose</term>
|
|
<listitem><para>
|
|
Tell the keyserver helper program to be more verbose. This option can
|
|
be repeated multiple times to increase the verbosity level.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>http-proxy&OptEqualsValue;</term>
|
|
<listitem><para>
|
|
For keyserver schemes that use HTTP (such as HKP), try to access the
|
|
keyserver over a proxy. If a &ParmValue; is specified, use this as
|
|
the HTTP proxy. If no &ParmValue; is specified, try to use the value
|
|
of the environment variable "http_proxy".
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>auto-key-retrieve</term>
|
|
<listitem><para>
|
|
This option enables the automatic retrieving of keys from a keyserver
|
|
when verifying signatures made by keys that are not on the local
|
|
keyring.
|
|
</para><para>
|
|
Note that this option makes a "web bug" like behavior possible.
|
|
Keyserver operators can see which keys you request, so by sending you
|
|
a message signed by a brand new key (which you naturally will not have
|
|
on your local keyring), the operator can tell both your IP address and
|
|
the time when you verified the signature.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--import-options <parameter>parameters</parameter></term>
|
|
<listitem><para>
|
|
This is a space or comma delimited string that gives options for
|
|
importing keys. Options can be prepended with a `no-' to give the
|
|
opposite meaning. The options are:
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>allow-local-sigs</term>
|
|
<listitem><para>
|
|
Allow importing key signatures marked as "local". This is not
|
|
generally useful unless a shared keyring scheme is being used.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>repair-pks-subkey-bug</term>
|
|
<listitem><para>
|
|
During import, attempt to repair the damage caused by the PKS
|
|
keyserver bug (pre version 0.9.6) that mangles keys with multiple
|
|
subkeys. Note that this cannot completely repair the damaged key as
|
|
some crucial data is removed by the keyserver, but it does at least
|
|
give you back one subkey. Defaults to no for regular --import and to
|
|
yes for keyserver --recv-keys.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>merge-only</term>
|
|
<listitem><para>
|
|
During import, allow key updates to existing keys, but do not allow
|
|
any new keys to be imported. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--export-options <parameter>parameters</parameter></term>
|
|
<listitem><para>
|
|
This is a space or comma delimited string that gives options for
|
|
exporting keys. Options can be prepended with a `no-' to give the
|
|
opposite meaning. The options are:
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>include-local-sigs</term>
|
|
<listitem><para>
|
|
Allow exporting key signatures marked as "local". This is not
|
|
generally useful unless a shared keyring scheme is being used.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>include-attributes</term>
|
|
<listitem><para>
|
|
Include attribute user IDs (photo IDs) while exporting. This is
|
|
useful to export keys if they are going to be used by an OpenPGP
|
|
program that does not accept attribute user IDs. Defaults to yes.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>include-sensitive-revkeys</term>
|
|
<listitem><para>
|
|
Include designated revoker information that was marked as
|
|
"sensitive". Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--list-options <parameter>parameters</parameter></term>
|
|
<listitem><para>
|
|
This is a space or comma delimited string that gives options used when
|
|
listing keys and signatures (that is, --list-keys, --list-sigs,
|
|
--list-public-keys, --list-secret-keys, and the --edit-key functions).
|
|
Options can be prepended with a `no-' to give the opposite meaning.
|
|
The options are:
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>show-photos</term>
|
|
<listitem><para>
|
|
Causes --list-keys, --list-sigs, --list-public-keys, and
|
|
--list-secret-keys to display any photo IDs attached to the key.
|
|
Defaults to no. See also --photo-viewer.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-policy-urls</term>
|
|
<listitem><para>
|
|
Show policy URLs in the --list-sigs or --check-sigs listings.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-notations</term>
|
|
<term>show-std-notations</term>
|
|
<term>show-user-notations</term>
|
|
<listitem><para>
|
|
Show all, IETF standard, or user-defined signature notations in the
|
|
--list-sigs or --check-sigs listings. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-keyserver-urls</term>
|
|
<listitem><para>
|
|
Show any preferred keyserver URL in the --list-sigs or --check-sigs
|
|
listings. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-uid-validity</term>
|
|
<listitem><para>
|
|
Display the calculated validity of user IDs during key listings.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-unusable-uids</term>
|
|
<listitem><para>
|
|
Show revoked and expired user IDs in key listings. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-unusable-subkeys</term>
|
|
<listitem><para>
|
|
Show revoked and expired subkeys in key listings. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-keyring</term>
|
|
<listitem><para>
|
|
Display the keyring name at the head of key listings to show which
|
|
keyring a given key resides on. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-sig-expire</term>
|
|
<listitem><para>
|
|
Show signature expiration dates (if any) during --list-sigs or
|
|
--check-sigs listings. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-sig-subpackets</term>
|
|
<listitem><para>
|
|
Include signature subpackets in the key listing. This option can take
|
|
an optional argument list of the subpackets to list. If no argument
|
|
is passed, list all subpackets. Defaults to no. This option is only
|
|
meaningful when using --with-colons along with --list-sigs or
|
|
--check-sigs.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--verify-options <parameter>parameters</parameter></term>
|
|
<listitem><para>
|
|
This is a space or comma delimited string that gives options used when
|
|
verifying signatures. Options can be prepended with a `no-' to give
|
|
the opposite meaning. The options are:
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>show-photos</term>
|
|
<listitem><para>
|
|
Display any photo IDs present on the key that issued the signature.
|
|
Defaults to no. See also --photo-viewer.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-policy-urls</term>
|
|
<listitem><para>
|
|
Show policy URLs in the signature being verified. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-notations</term>
|
|
<term>show-std-notations</term>
|
|
<term>show-user-notations</term>
|
|
<listitem><para>
|
|
Show all, IETF standard, or user-defined signature notations in the
|
|
signature being verified. Defaults to IETF standard.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-keyserver-urls</term>
|
|
<listitem><para>
|
|
Show any preferred keyserver URL in the signature being verified.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-uid-validity</term>
|
|
<listitem><para>
|
|
Display the calculated validity of the user IDs on the key that issued
|
|
the signature. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show-unusable-uids</term>
|
|
<listitem><para>
|
|
Show revoked and expired user IDs during signature verification.
|
|
Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--show-photos</term>
|
|
<term>--no-show-photos</term>
|
|
<listitem><para>
|
|
Causes --list-keys, --list-sigs, --list-public-keys,
|
|
--list-secret-keys, and verifying a signature to also display the
|
|
photo ID attached to the key, if any. See also --photo-viewer. These
|
|
options are deprecated. Use `--list-options [no-]show-photos' and/or
|
|
`--verify-options [no-]show-photos' instead.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--photo-viewer &ParmString;</term>
|
|
<listitem><para>
|
|
This is the command line that should be run to view a photo ID. "%i"
|
|
will be expanded to a filename containing the photo. "%I" does the
|
|
same, except the file will not be deleted once the viewer exits.
|
|
Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
|
|
for the key fingerprint, "%t" for the extension of the image type
|
|
(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
|
|
and "%%" for an actual percent sign. If neither %i or %I are present,
|
|
then the photo will be supplied to the viewer on standard input.
|
|
</para><para>
|
|
The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
|
|
stdin". Note that if your image viewer program is not secure, then
|
|
executing it from GnuPG does not make it secure.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--exec-path &ParmString;</term>
|
|
<listitem><para>
|
|
Sets a list of directories to search for photo viewers and keyserver
|
|
helpers. If not provided, keyserver helpers use the compiled-in
|
|
default directory, and photo viewers use the $PATH environment
|
|
variable.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--show-keyring</term>
|
|
<listitem><para>
|
|
Display the keyring name at the head of key listings to show which
|
|
keyring a given key resides on. This option is deprecated: use
|
|
`--list-options [no-]show-keyring' instead.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--keyring &ParmFile;</term>
|
|
<listitem><para>
|
|
Add &ParmFile; to the current list of keyrings. If &ParmFile; begins
|
|
with a tilde and a slash, these are replaced by the $HOME
|
|
directory. If the filename does not contain a slash, it is assumed to
|
|
be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME
|
|
is not used).
|
|
</para><para>
|
|
Note that this adds a keyring to the current list. If the intent is
|
|
to use the specified keyring alone, use --keyring along with
|
|
--no-default-keyring.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--secret-keyring &ParmFile;</term>
|
|
<listitem><para>
|
|
Same as --keyring but for the secret keyrings.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--primary-keyring &ParmFile;</term>
|
|
<listitem><para>
|
|
Designate &ParmFile; as the primary public keyring. This means that
|
|
newly imported keys (via --import or keyserver --recv-from) will go to
|
|
this keyring.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--trustdb-name &ParmFile;</term>
|
|
<listitem><para>
|
|
Use &ParmFile; instead of the default trustdb. If &ParmFile; begins
|
|
with a tilde and a slash, these are replaced by the $HOME
|
|
directory. If the filename does not contain a slash, it is assumed to
|
|
be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME
|
|
is not used).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--homedir &ParmDir;</term>
|
|
<listitem><para>
|
|
Set the name of the home directory to &ParmDir; If this option is not
|
|
used it defaults to "~/.gnupg". It does not make sense to use this in
|
|
a options file. This also overrides the environment variable
|
|
$GNUPGHOME.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--display-charset &ParmName;</term>
|
|
<listitem><para>
|
|
Set the name of the native character set. This is used to convert
|
|
some informational strings like user IDs to the proper UTF-8
|
|
encoding. If this option is not used, the default character set is
|
|
determined from the current locale. A verbosity level of 3 shows the
|
|
chosen set. Valid values for &ParmName; are:</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>iso-8859-1</term><listitem><para>This is the Latin 1 set.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>iso-8859-2</term><listitem><para>The Latin 2 set.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>iso-8859-15</term><listitem><para>This is currently an alias for
|
|
the Latin 1 set.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>koi8-r</term><listitem><para>The usual Russian set (rfc1489).</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>utf-8</term><listitem><para>Bypass all translations and assume
|
|
that the OS uses native UTF-8 encoding.</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--utf8-strings</term>
|
|
<term>--no-utf8-strings</term>
|
|
<listitem><para>
|
|
Assume that command line arguments are given as UTF8 strings. The
|
|
default (--no-utf8-strings) is to assume that arguments are encoded in
|
|
the character set as specified by --display-charset. These options
|
|
affect all following arguments. Both options may be used multiple
|
|
times.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--options &ParmFile;</term>
|
|
<listitem><para>
|
|
Read options from &ParmFile; and do not try to read
|
|
them from the default options file in the homedir
|
|
(see --homedir). This option is ignored if used
|
|
in an options file.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no-options</term>
|
|
<listitem><para>
|
|
Shortcut for "--options /dev/null". This option is
|
|
detected before an attempt to open an option file.
|
|
Using this option will also prevent the creation of a
|
|
"~./gnupg" homedir.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--load-extension &ParmName;</term>
|
|
<listitem><para>
|
|
Load an extension module. If &ParmName; does not contain a slash it is
|
|
searched for in the directory configured when GnuPG was built
|
|
(generally "/usr/local/lib/gnupg"). Extensions are not generally
|
|
useful anymore, and the use of this option is deprecated.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--debug &ParmFlags;</term>
|
|
<listitem><para>
|
|
Set debugging flags. All flags are or-ed and &ParmFlags; may
|
|
be given in C syntax (e.g. 0x0042).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--debug-all</term>
|
|
<listitem><para>
|
|
Set all useful debugging flags.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--debug-ccid-driver</term>
|
|
<listitem><para>
|
|
Enable debug output from the included CCID driver for smartcards.
|
|
Note that this option is only available on some system.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--enable-progress-filter</term>
|
|
<listitem><para>
|
|
Enable certain PROGRESS status outputs. This option allows frontends
|
|
to display a progress indicator while gpg is processing larger files.
|
|
There is a slight performance overhead using it.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--status-fd &ParmN;</term>
|
|
<listitem><para>
|
|
Write special status strings to the file descriptor &ParmN;.
|
|
See the file DETAILS in the documentation for a listing of them.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--logger-fd &ParmN;</term>
|
|
<listitem><para>
|
|
Write log output to file descriptor &ParmN; and not to stderr.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--attribute-fd &ParmN;</term>
|
|
<listitem><para>
|
|
Write attribute subpackets to the file descriptor &ParmN;. This is
|
|
most useful for use with --status-fd, since the status messages are
|
|
needed to separate out the various subpackets from the stream
|
|
delivered to the file descriptor.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--sk-comments</term>
|
|
<term>--no-sk-comments</term>
|
|
<listitem><para>
|
|
Include secret key comment packets when exporting secret keys. This
|
|
is a GnuPG extension to the OpenPGP standard, and is off by default.
|
|
Please note that this has nothing to do with the comments in clear
|
|
text signatures or armor headers. --no-sk-comments disables this
|
|
option.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--comment &ParmString;</term>
|
|
<term>--no-comments</term>
|
|
<listitem><para>
|
|
Use &ParmString; as a comment string in clear text signatures and
|
|
ASCII armored messages or keys (see --armor). The default behavior is
|
|
not to use a comment string. --comment may be repeated multiple times
|
|
to get multiple comment strings. --no-comments removes all comments.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--emit-version</term>
|
|
<term>--no-emit-version</term>
|
|
<listitem><para>
|
|
Force inclusion of the version string in ASCII armored output.
|
|
--no-emit-version disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--sig-notation &ParmNameValue;</term>
|
|
<term>--cert-notation &ParmNameValue;</term>
|
|
<term>-N, --set-notation &ParmNameValue;</term>
|
|
<listitem><para>
|
|
Put the name value pair into the signature as notation data.
|
|
&ParmName; must consist only of printable characters or spaces, and
|
|
must contain a '@' character. This is to help prevent pollution of
|
|
the IETF reserved notation namespace. The --expert flag overrides the
|
|
'@' check. &ParmValue; may be any printable string; it will be
|
|
encoded in UTF8, so you should check that your --display-charset is
|
|
set correctly. If you prefix &ParmName; with an exclamation mark (!),
|
|
the notation data will be flagged as critical (rfc2440:5.2.3.15).
|
|
--sig-notation sets a notation for data signatures. --cert-notation
|
|
sets a notation for key signatures (certifications). --set-notation
|
|
sets both.
|
|
</para>
|
|
|
|
<para>
|
|
There are special codes that may be used in notation names. "%k" will
|
|
be expanded into the key ID of the key being signed, "%K" into the
|
|
long key ID of the key being signed, "%f" into the fingerprint of the
|
|
key being signed, "%s" into the key ID of the key making the
|
|
signature, "%S" into the long key ID of the key making the signature,
|
|
"%g" into the fingerprint of the key making the signature (which might
|
|
be a subkey), "%p" into the fingerprint of the primary key of the key
|
|
making the signature, "%c" into the signature count from the OpenPGP
|
|
smartcard, and "%%" results in a single "%". %k, %K, and %f are only
|
|
meaningful when making a key signature (certification), and %c is only
|
|
meaningful when using the OpenPGP smartcard.
|
|
</para>
|
|
|
|
</listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--show-notation</term>
|
|
<term>--no-show-notation</term>
|
|
<listitem><para>
|
|
Show signature notations in the --list-sigs or --check-sigs listings
|
|
as well as when verifying a signature with a notation in it. These
|
|
options are deprecated. Use `--list-options [no-]show-notation'
|
|
and/or `--verify-options [no-]show-notation' instead.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--sig-policy-url &ParmString;</term>
|
|
<term>--cert-policy-url &ParmString;</term>
|
|
<term>--set-policy-url &ParmString;</term>
|
|
<listitem><para>
|
|
Use &ParmString; as a Policy URL for signatures (rfc2440:5.2.3.19).
|
|
If you prefix it with an exclamation mark (!), the policy URL packet
|
|
will be flagged as critical. --sig-policy-url sets a policy url for
|
|
data signatures. --cert-policy-url sets a policy url for key
|
|
signatures (certifications). --set-policy-url sets both.
|
|
</para><para>
|
|
The same %-expandos used for notation data are available here as well.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--show-policy-url</term>
|
|
<term>--no-show-policy-url</term>
|
|
<listitem><para>
|
|
Show policy URLs in the --list-sigs or --check-sigs listings as well
|
|
as when verifying a signature with a policy URL in it. These options
|
|
are deprecated. Use `--list-options [no-]show-policy-url' and/or
|
|
`--verify-options [no-]show-policy-url' instead.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--sig-keyserver-url &ParmString;</term>
|
|
<listitem><para>
|
|
Use &ParmString; as a preferred keyserver URL for data signatures. If
|
|
you prefix it with an exclamation mark, the keyserver URL packet will
|
|
be flagged as critical. </para><para>
|
|
The same %-expandos used for notation data are available here as well.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--set-filename &ParmString;</term>
|
|
<listitem><para>
|
|
Use &ParmString; as the filename which is stored inside messages.
|
|
This overrides the default, which is to use the actual filename of the
|
|
file being encrypted.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--for-your-eyes-only</term>
|
|
<term>--no-for-your-eyes-only</term>
|
|
<listitem><para>
|
|
Set the `for your eyes only' flag in the message. This causes GnuPG
|
|
to refuse to save the file unless the --output option is given, and
|
|
PGP to use the "secure viewer" with a Tempest-resistant font to
|
|
display the message. This option overrides --set-filename.
|
|
--no-for-your-eyes-only disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--use-embedded-filename</term>
|
|
<term>--no-use-embedded-filename</term>
|
|
<listitem><para>
|
|
Try to create a file with a name as embedded in the data. This can be
|
|
a dangerous option as it allows to overwrite files. Defaults to no.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--completes-needed &ParmN;</term>
|
|
<listitem><para>
|
|
Number of completely trusted users to introduce a new
|
|
key signer (defaults to 1).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--marginals-needed &ParmN;</term>
|
|
<listitem><para>
|
|
Number of marginally trusted users to introduce a new
|
|
key signer (defaults to 3)
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--max-cert-depth &ParmN;</term>
|
|
<listitem><para>
|
|
Maximum depth of a certification chain (default is 5).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--cipher-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as cipher algorithm. Running the program
|
|
with the command --version yields a list of supported
|
|
algorithms. If this is not used the cipher algorithm is
|
|
selected from the preferences stored with the key.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--digest-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the message digest algorithm. Running the program
|
|
with the command --version yields a list of supported algorithms.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--compress-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use compression algorithm &ParmName;. "zlib" is RFC-1950 ZLIB
|
|
compression. "zip" is RFC-1951 ZIP compression which is used by PGP.
|
|
"bzip2" is a more modern compression scheme that can compress some
|
|
things better than zip or zlib, but at the cost of more memory used
|
|
during compression and decompression. "uncompressed" or "none"
|
|
disables compression. If this option is not used, the default
|
|
behavior is to examine the recipient key preferences to see which
|
|
algorithms the recipient supports. If all else fails, ZIP is used for
|
|
maximum compatibility.
|
|
</para><para>
|
|
ZLIB may give better compression results than ZIP, as the compression
|
|
window size is not limited to 8k. BZIP2 may give even better
|
|
compression results than that, but will use a significantly larger
|
|
amount of memory while compressing and decompressing. This may be
|
|
significant in low memory situations. Note, however, that PGP (all
|
|
versions) only supports ZIP compression. Using any algorithm other
|
|
than ZIP or "none" will make the message unreadable with PGP.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--cert-digest-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the message digest algorithm used when signing a
|
|
key. Running the program with the command --version yields a list of
|
|
supported algorithms. Be aware that if you choose an algorithm that
|
|
GnuPG supports but other OpenPGP implementations do not, then some
|
|
users will not be able to use the key signatures you make, or quite
|
|
possibly your entire key.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--s2k-cipher-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the cipher algorithm used to protect secret keys.
|
|
The default cipher is CAST5. This cipher is also used for
|
|
conventional encryption if --personal-cipher-preferences and
|
|
--cipher-algo is not given.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--s2k-digest-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Use &ParmName; as the digest algorithm used to mangle the passphrases.
|
|
The default algorithm is SHA-1.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--s2k-mode &ParmN;</term>
|
|
<listitem><para>
|
|
Selects how passphrases are mangled. If &ParmN; is 0 a plain
|
|
passphrase (which is not recommended) will be used, a 1 adds a salt to
|
|
the passphrase and a 3 (the default) iterates the whole process a
|
|
couple of times. Unless --rfc1991 is used, this mode is also used for
|
|
conventional encryption.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--simple-sk-checksum</term>
|
|
<listitem><para>
|
|
Secret keys are integrity protected by using a SHA-1 checksum. This
|
|
method is part of the upcoming enhanced OpenPGP specification but
|
|
GnuPG already uses it as a countermeasure against certain attacks.
|
|
Old applications don't understand this new format, so this option may
|
|
be used to switch back to the old behaviour. Using this option bears
|
|
a security risk. Note that using this option only takes effect when
|
|
the secret key is encrypted - the simplest way to make this happen is
|
|
to change the passphrase on the key (even changing it to the same
|
|
value is acceptable).
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--disable-cipher-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Never allow the use of &ParmName; as cipher algorithm.
|
|
The given name will not be checked so that a later loaded algorithm
|
|
will still get disabled.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--disable-pubkey-algo &ParmName;</term>
|
|
<listitem><para>
|
|
Never allow the use of &ParmName; as public key algorithm.
|
|
The given name will not be checked so that a later loaded algorithm
|
|
will still get disabled.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-sig-cache</term>
|
|
<listitem><para>
|
|
Do not cache the verification status of key signatures.
|
|
Caching gives a much better performance in key listings. However, if
|
|
you suspect that your public keyring is not save against write
|
|
modifications, you can use this option to disable the caching. It
|
|
probably does not make sense to disable it because all kind of damage
|
|
can be done if someone else has write access to your public keyring.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-sig-create-check</term>
|
|
<listitem><para>
|
|
GnuPG normally verifies each signature right after creation to protect
|
|
against bugs and hardware malfunctions which could leak out bits from
|
|
the secret key. This extra verification needs some time (about 115%
|
|
for DSA keys), and so this option can be used to disable it.
|
|
However, due to the fact that the signature creation needs manual
|
|
interaction, this performance penalty does not matter in most settings.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--auto-check-trustdb</term>
|
|
<term>--no-auto-check-trustdb</term>
|
|
<listitem><para>
|
|
If GnuPG feels that its information about the Web-of-Trust has to be
|
|
updated, it automatically runs the --check-trustdb command internally.
|
|
This may be a time consuming process. --no-auto-check-trustdb
|
|
disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--throw-keyids</term>
|
|
<term>--no-throw-keyids</term>
|
|
<listitem><para>
|
|
Do not put the recipient keyid into encrypted packets. This option
|
|
hides the receiver of the message and is a countermeasure against
|
|
traffic analysis. It may slow down the decryption process because all
|
|
available secret keys are tried. --no-throw-keyids disables this
|
|
option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--not-dash-escaped</term>
|
|
<listitem><para>
|
|
This option changes the behavior of cleartext signatures
|
|
so that they can be used for patch files. You should not
|
|
send such an armored file via email because all spaces
|
|
and line endings are hashed too. You can not use this
|
|
option for data which has 5 dashes at the beginning of a
|
|
line, patch files don't have this. A special armor header
|
|
line tells GnuPG about this cleartext signature option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--escape-from-lines</term>
|
|
<term>--no-escape-from-lines</term>
|
|
<listitem><para>
|
|
Because some mailers change lines starting with "From " to ">From
|
|
" it is good to handle such lines in a special way when creating
|
|
cleartext signatures to prevent the mail system from breaking the
|
|
signature. Note that all other PGP versions do it this way too.
|
|
Enabled by default. --no-escape-from-lines disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--passphrase-fd &ParmN;</term>
|
|
<listitem><para>
|
|
Read the passphrase from file descriptor &ParmN;. If you use
|
|
0 for &ParmN;, the passphrase will be read from stdin. This
|
|
can only be used if only one passphrase is supplied.
|
|
<!--fixme: make this print strong-->
|
|
Don't use this option if you can avoid it.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--command-fd &ParmN;</term>
|
|
<listitem><para>
|
|
This is a replacement for the deprecated shared-memory IPC mode.
|
|
If this option is enabled, user input on questions is not expected
|
|
from the TTY but from the given file descriptor. It should be used
|
|
together with --status-fd. See the file doc/DETAILS in the source
|
|
distribution for details on how to use it.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--use-agent</term>
|
|
<term>--no-use-agent</term>
|
|
<listitem><para>
|
|
Try to use the GnuPG-Agent. Please note that this agent is still under
|
|
development. With this option, GnuPG first tries to connect to the
|
|
agent before it asks for a passphrase. --no-use-agent disables this
|
|
option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--gpg-agent-info</term>
|
|
<listitem><para>
|
|
Override the value of the environment variable
|
|
<literal>GPG_AGENT_INFO</literal>. This is only used when --use-agent has been given
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Compliance options</term>
|
|
<listitem><para>
|
|
These options control what GnuPG is compliant to. Only one of these
|
|
options may be active at a time. Note that the default setting of
|
|
this is nearly always the correct one. See the INTEROPERABILITY WITH
|
|
OTHER OPENPGP PROGRAMS section below before using one of these
|
|
options.
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>--gnupg</term>
|
|
<listitem><para>
|
|
Use standard GnuPG behavior. This is essentially OpenPGP behavior
|
|
(see --openpgp), but with some additional workarounds for common
|
|
compatibility problems in different versions of PGP. This is the
|
|
default option, so it is not generally needed, but it may be useful to
|
|
override a different compliance option in the gpg.conf file.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--openpgp</term>
|
|
<listitem><para>
|
|
Reset all packet, cipher and digest options to strict OpenPGP
|
|
behavior. Use this option to reset all previous options like
|
|
--rfc1991, --force-v3-sigs, --s2k-*, --cipher-algo, --digest-algo and
|
|
--compress-algo to OpenPGP compliant values. All PGP workarounds are
|
|
disabled.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--rfc2440</term>
|
|
<listitem><para>
|
|
Reset all packet, cipher and digest options to strict RFC-2440
|
|
behavior. Note that this is currently the same thing as --openpgp.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--rfc1991</term>
|
|
<listitem><para>
|
|
Try to be more RFC-1991 (PGP 2.x) compliant.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--pgp2</term>
|
|
<listitem><para>
|
|
Set up all options to be as PGP 2.x compliant as possible, and warn if
|
|
an action is taken (e.g. encrypting to a non-RSA key) that will create
|
|
a message that PGP 2.x will not be able to handle. Note that `PGP
|
|
2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x
|
|
available, but the MIT release is a good common baseline.
|
|
</para><para>
|
|
This option implies `--rfc1991 --disable-mdc --no-force-v4-certs
|
|
--no-sk-comment --escape-from-lines --force-v3-sigs
|
|
--no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA
|
|
--digest-algo MD5 --compress-algo 1'. It also disables --textmode
|
|
when encrypting.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--pgp6</term>
|
|
<listitem><para>
|
|
Set up all options to be as PGP 6 compliant as possible. This
|
|
restricts you to the ciphers IDEA (if the IDEA plugin is installed),
|
|
3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
|
|
compression algorithms none and ZIP. This also disables
|
|
--throw-keyids, and making signatures with signing subkeys as PGP 6
|
|
does not understand signatures made by signing subkeys.
|
|
</para><para>
|
|
This option implies `--disable-mdc --no-sk-comment --escape-from-lines
|
|
--force-v3-sigs --no-ask-sig-expire'
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--pgp7</term>
|
|
<listitem><para>
|
|
Set up all options to be as PGP 7 compliant as possible. This is
|
|
identical to --pgp6 except that MDCs are not disabled, and the list of
|
|
allowable ciphers is expanded to add AES128, AES192, AES256, and
|
|
TWOFISH.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--pgp8</term>
|
|
<listitem><para>
|
|
Set up all options to be as PGP 8 compliant as possible. PGP 8 is a
|
|
lot closer to the OpenPGP standard than previous versions of PGP, so
|
|
all this does is disable --throw-keyids and set --escape-from-lines.
|
|
All algorithms are allowed except for the SHA384 and SHA512 digests.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist></para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--force-v3-sigs</term>
|
|
<term>--no-force-v3-sigs</term>
|
|
<listitem><para>
|
|
OpenPGP states that an implementation should generate v4 signatures
|
|
but PGP versions 5 through 7 only recognize v4 signatures on key
|
|
material. This option forces v3 signatures for signatures on data.
|
|
Note that this option overrides --ask-sig-expire, as v3 signatures
|
|
cannot have expiration dates. --no-force-v3-sigs disables this
|
|
option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--force-v4-certs</term>
|
|
<term>--no-force-v4-certs</term>
|
|
<listitem><para>
|
|
Always use v4 key signatures even on v3 keys. This option also
|
|
changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1.
|
|
--no-force-v4-certs disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--force-mdc</term>
|
|
<listitem><para>
|
|
Force the use of encryption with a modification detection code. This
|
|
is always used with the newer ciphers (those with a blocksize greater
|
|
than 64 bits), or if all of the recipient keys indicate MDC support in
|
|
their feature flags.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--disable-mdc</term>
|
|
<listitem><para>
|
|
Disable the use of the modification detection code. Note that by
|
|
using this option, the encrypted message becomes vulnerable to a
|
|
message modification attack.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--allow-non-selfsigned-uid</term>
|
|
<term>--no-allow-non-selfsigned-uid</term>
|
|
<listitem><para>
|
|
Allow the import and use of keys with user IDs which are not
|
|
self-signed. This is not recommended, as a non self-signed user ID is
|
|
trivial to forge. --no-allow-non-selfsigned-uid disables.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--allow-freeform-uid</term>
|
|
<listitem><para>
|
|
Disable all checks on the form of the user ID while generating a new
|
|
one. This option should only be used in very special environments as
|
|
it does not ensure the de-facto standard format of user IDs.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ignore-time-conflict</term>
|
|
<listitem><para>
|
|
GnuPG normally checks that the timestamps associated with keys and
|
|
signatures have plausible values. However, sometimes a signature
|
|
seems to be older than the key due to clock problems. This option
|
|
makes these checks just a warning. See also --ignore-valid-from for
|
|
timestamp issues on subkeys.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ignore-valid-from</term>
|
|
<listitem><para>
|
|
GnuPG normally does not select and use subkeys created in the future.
|
|
This option allows the use of such keys and thus exhibits the
|
|
pre-1.0.7 behaviour. You should not use this option unless you there
|
|
is some clock problem. See also --ignore-time-conflict for timestamp
|
|
issues with signatures.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ignore-crc-error</term>
|
|
<listitem><para>
|
|
The ASCII armor used by OpenPGP is protected by a CRC checksum against
|
|
transmission errors. Occasionally the CRC gets mangled somewhere on
|
|
the transmission channel but the actual content (which is protected by
|
|
the OpenPGP protocol anyway) is still okay. This option allows GnuPG
|
|
to ignore CRC errors.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ignore-mdc-error</term>
|
|
<listitem><para>
|
|
This option changes a MDC integrity protection failure into a warning.
|
|
This can be useful if a message is partially corrupt, but it is
|
|
necessary to get as much data as possible out of the corrupt message.
|
|
However, be aware that a MDC protection failure may also mean that the
|
|
message was tampered with intentionally by an attacker.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--lock-once</term>
|
|
<listitem><para>
|
|
Lock the databases the first time a lock is requested
|
|
and do not release the lock until the process
|
|
terminates.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--lock-multiple</term>
|
|
<listitem><para>
|
|
Release the locks every time a lock is no longer
|
|
needed. Use this to override a previous --lock-once
|
|
from a config file.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--lock-never</term>
|
|
<listitem><para>
|
|
Disable locking entirely. This option should be used only in very
|
|
special environments, where it can be assured that only one process
|
|
is accessing those files. A bootable floppy with a stand-alone
|
|
encryption system will probably use this. Improper usage of this
|
|
option may lead to data and key corruption.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-random-seed-file</term>
|
|
<listitem><para>
|
|
GnuPG uses a file to store its internal random pool over invocations.
|
|
This makes random generation faster; however sometimes write operations
|
|
are not desired. This option can be used to achieve that with the cost of
|
|
slower random generation.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-verbose</term>
|
|
<listitem><para>
|
|
Reset verbose level to 0.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-greeting</term>
|
|
<listitem><para>
|
|
Suppress the initial copyright message.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-secmem-warning</term>
|
|
<listitem><para>
|
|
Suppress the warning about "using insecure memory".
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-permission-warning</term>
|
|
<listitem><para>
|
|
Suppress the warning about unsafe file and home directory (--homedir)
|
|
permissions. Note that the permission checks that GnuPG performs are
|
|
not intended to be authoritative, but rather they simply warn about
|
|
certain common permission problems. Do not assume that the lack of a
|
|
warning means that your system is secure.
|
|
</para><para>
|
|
Note that the warning for unsafe --homedir permissions cannot be
|
|
supressed in the gpg.conf file, as this would allow an attacker to
|
|
place an unsafe gpg.conf file in place, and use this file to supress
|
|
warnings about itself. The --homedir permissions warning may only be
|
|
supressed on the command line.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-mdc-warning</term>
|
|
<listitem><para>
|
|
Suppress the warning about missing MDC integrity protection.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no-armor</term>
|
|
<listitem><para>
|
|
Assume the input data is not in ASCII armored format.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--no-default-keyring</term>
|
|
<listitem><para>
|
|
Do not add the default keyrings to the list of keyrings. Note that
|
|
GnuPG will not operate without any keyrings, so if you use this option
|
|
and do not provide alternate keyrings via --keyring or
|
|
--secret-keyring, then GnuPG will still use the default public or
|
|
secret keyrings.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--skip-verify</term>
|
|
<listitem><para>
|
|
Skip the signature verification step. This may be
|
|
used to make the decryption faster if the signature
|
|
verification is not needed.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--with-colons</term>
|
|
<listitem><para>
|
|
Print key listings delimited by colons. Note that the output will be
|
|
encoded in UTF-8 regardless of any --display-charset setting. This
|
|
format is useful when GnuPG is called from scripts and other programs
|
|
as it is easily machine parsed. The details of this format are
|
|
documented in the file doc/DETAILS, which is included in the GnuPG
|
|
source distribution.
|
|
</para></listitem></varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>--with-key-data</term>
|
|
<listitem><para>
|
|
Print key listings delimited by colons (like --with-colons) and print the public key data.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--with-fingerprint</term>
|
|
<listitem><para>
|
|
Same as the command --fingerprint but changes only the format of the output
|
|
and may be used together with another command.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--fast-list-mode</term>
|
|
<listitem><para>
|
|
Changes the output of the list commands to work faster; this is achieved
|
|
by leaving some parts empty. Some applications don't need the user ID and
|
|
the trust information given in the listings. By using this options they
|
|
can get a faster listing. The exact behaviour of this option may change
|
|
in future versions.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--fixed-list-mode</term>
|
|
<listitem><para>
|
|
Do not merge primary user ID and primary key in --with-colon listing
|
|
mode and print all timestamps as seconds since 1970-01-01.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--list-only</term>
|
|
<listitem><para>
|
|
Changes the behaviour of some commands. This is like --dry-run but
|
|
different in some cases. The semantic of this command may be extended in
|
|
the future. Currently it only skips the actual decryption pass and
|
|
therefore enables a fast listing of the encryption keys.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-literal</term>
|
|
<listitem><para>
|
|
This is not for normal use. Use the source to see for what it might be useful.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--set-filesize</term>
|
|
<listitem><para>
|
|
This is not for normal use. Use the source to see for what it might be useful.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--show-session-key</term>
|
|
<listitem><para>
|
|
Display the session key used for one message. See --override-session-key
|
|
for the counterpart of this option.
|
|
</para>
|
|
<para>
|
|
We think that Key Escrow is a Bad Thing; however the user should have
|
|
the freedom to decide whether to go to prison or to reveal the content
|
|
of one specific message without compromising all messages ever
|
|
encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY
|
|
FORCED TO DO SO.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--override-session-key &ParmString; </term>
|
|
<listitem><para>
|
|
Don't use the public key but the session key &ParmString;. The format of this
|
|
string is the same as the one printed by --show-session-key. This option
|
|
is normally not used but comes handy in case someone forces you to reveal the
|
|
content of an encrypted message; using this option you can do this without
|
|
handing out the secret key.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ask-sig-expire</term>
|
|
<term>--no-ask-sig-expire</term>
|
|
<listitem><para>
|
|
When making a data signature, prompt for an expiration time. If this
|
|
option is not specified, the expiration time is "never".
|
|
--no-ask-sig-expire disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ask-cert-expire</term>
|
|
<term>--no-ask-cert-expire</term>
|
|
<listitem><para>
|
|
When making a key signature, prompt for an expiration time. If this
|
|
option is not specified, the expiration time is "never".
|
|
--no-ask-cert-expire disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--expert</term>
|
|
<term>--no-expert</term>
|
|
<listitem><para>
|
|
Allow the user to do certain nonsensical or "silly" things like
|
|
signing an expired or revoked key, or certain potentially incompatible
|
|
things like generating deprecated key types. This also disables
|
|
certain warning messages about potentially incompatible actions. As
|
|
the name implies, this option is for experts only. If you don't fully
|
|
understand the implications of what it allows you to do, leave this
|
|
off. --no-expert disables this option.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--allow-secret-key-import</term>
|
|
<listitem><para>
|
|
This is an obsolete option and is not used anywhere.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--try-all-secrets</term>
|
|
<listitem><para>
|
|
Don't look at the key ID as stored in the message but try all secret
|
|
keys in turn to find the right decryption key. This option forces the
|
|
behaviour as used by anonymous recipients (created by using
|
|
--throw-keyids) and might come handy in case where an encrypted
|
|
message contains a bogus key ID.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--enable-special-filenames</term>
|
|
<listitem><para>
|
|
This options enables a mode in which filenames of the form
|
|
<filename>-&n</filename>, where n is a non-negative decimal number,
|
|
refer to the file descriptor n and not to a file with that name.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-expensive-trust-checks</term>
|
|
<listitem><para>
|
|
Experimental use only.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--group &ParmNameValues;</term>
|
|
<listitem><para>
|
|
Sets up a named group, which is similar to aliases in email programs.
|
|
Any time the group name is a recipient (-r or --recipient), it will be
|
|
expanded to the values specified. Multiple groups with the same name
|
|
are automatically merged into a single group.
|
|
</para><para>
|
|
The values are &ParmKeyIDs; or fingerprints, but any key description
|
|
is accepted. Note that a value with spaces in it will be treated as
|
|
two different values. Note also there is only one level of expansion
|
|
- you cannot make an group that points to another group. When used
|
|
from the command line, it may be necessary to quote the argument to
|
|
this option to prevent the shell from treating it as multiple
|
|
arguments.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ungroup &ParmName;</term>
|
|
<listitem><para>
|
|
Remove a given entry from the --group list.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--no-groups</term>
|
|
<listitem><para>
|
|
Remove all entries from the --group list.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--preserve-permissions</term>
|
|
<listitem><para>
|
|
Don't change the permissions of a secret keyring back to user
|
|
read/write only. Use this option only if you really know what you are doing.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--personal-cipher-preferences &ParmString;</term>
|
|
<listitem><para>
|
|
Set the list of personal cipher preferences to &ParmString;, this list
|
|
should be a string similar to the one printed by the command "pref" in
|
|
the edit menu. This allows the user to factor in their own preferred
|
|
algorithms when algorithms are chosen via recipient key preferences.
|
|
The most highly ranked cipher in this list is also used for the
|
|
--symmetric encryption command.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--personal-digest-preferences &ParmString;</term>
|
|
<listitem><para>
|
|
Set the list of personal digest preferences to &ParmString;, this list
|
|
should be a string similar to the one printed by the command "pref" in
|
|
the edit menu. This allows the user to factor in their own preferred
|
|
algorithms when algorithms are chosen via recipient key preferences.
|
|
The most highly ranked digest algorithm in this list is algo used when
|
|
signing without encryption (e.g. --clearsign or --sign). The default
|
|
value is SHA-1.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--personal-compress-preferences &ParmString;</term>
|
|
<listitem><para>
|
|
Set the list of personal compression preferences to &ParmString;, this
|
|
list should be a string similar to the one printed by the command
|
|
"pref" in the edit menu. This allows the user to factor in their own
|
|
preferred algorithms when algorithms are chosen via recipient key
|
|
preferences. The most highly ranked algorithm in this list is also
|
|
used when there are no recipient keys to consider (e.g. --symmetric).
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--default-preference-list &ParmString;</term>
|
|
<listitem><para>
|
|
Set the list of default preferences to &ParmString;, this list should
|
|
be a string similar to the one printed by the command "pref" in the
|
|
edit menu. This affects both key generation and "updpref" in the edit
|
|
menu.
|
|
</para></listitem></varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--list-config &OptParmNames;</term>
|
|
<listitem><para>
|
|
Display various internal configuration parameters of GnuPG. This
|
|
option is intended for external programs that call GnuPG to perform
|
|
tasks, and is thus not generally useful. See the file
|
|
<filename>doc/DETAILS</filename> in the source distribution for the
|
|
details of which configuration items may be listed. --list-config is
|
|
only usable with --with-colons set.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>How to specify a user ID</title>
|
|
<para>
|
|
There are different ways to specify a user ID to GnuPG; here are some
|
|
examples:
|
|
</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term></term>
|
|
<listitem><para></para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>234567C4</term>
|
|
<term>0F34E556E</term>
|
|
<term>01347A56A</term>
|
|
<term>0xAB123456</term>
|
|
<listitem><para>
|
|
Here the key ID is given in the usual short form.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>234AABBCC34567C4</term>
|
|
<term>0F323456784E56EAB</term>
|
|
<term>01AB3FED1347A5612</term>
|
|
<term>0x234AABBCC34567C4</term>
|
|
<listitem><para>
|
|
Here the key ID is given in the long form as used by OpenPGP
|
|
(you can get the long key ID using the option --with-colons).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>1234343434343434C434343434343434</term>
|
|
<term>123434343434343C3434343434343734349A3434</term>
|
|
<term>0E12343434343434343434EAB3484343434343434</term>
|
|
<term>0xE12343434343434343434EAB3484343434343434</term>
|
|
<listitem><para>
|
|
The best way to specify a key ID is by using the fingerprint of
|
|
the key. This avoids any ambiguities in case that there are duplicated
|
|
key IDs (which are really rare for the long key IDs).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>=Heinrich Heine <heinrichh@uni-duesseldorf.de></term>
|
|
<listitem><para>
|
|
Using an exact to match string. The equal sign indicates this.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><heinrichh@uni-duesseldorf.de></term>
|
|
<listitem><para>
|
|
Using the email address part which must match exactly. The left angle bracket
|
|
indicates this email address mode.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>+Heinrich Heine duesseldorf</term>
|
|
<listitem><para>
|
|
All words must match exactly (not case sensitive) but can appear in
|
|
any order in the user ID. Words are any sequences of letters,
|
|
digits, the underscore and all characters with bit 7 set.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Heine</term>
|
|
<term>*Heine</term>
|
|
<listitem><para>
|
|
By case insensitive substring matching. This is the default mode but
|
|
applications may want to explicitly indicate this by putting the asterisk
|
|
in front.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
<para>
|
|
Note that you can append an exclamation mark (!) to key IDs or
|
|
fingerprints. This flag tells GnuPG to use the specified primary or
|
|
secondary key and not to try and calculate which primary or secondary
|
|
key to use.
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>RETURN VALUE</title>
|
|
<para>
|
|
The program returns 0 if everything was fine, 1 if at least
|
|
a signature was bad, and other error codes for fatal errors.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXAMPLES</title>
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>gpg -se -r <parameter/Bob/ &ParmFile;</term>
|
|
<listitem><para>sign and encrypt for user Bob</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gpg --clearsign &ParmFile;</term>
|
|
<listitem><para>make a clear text signature</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gpg -sb &ParmFile;</term>
|
|
<listitem><para>make a detached signature</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gpg --list-keys <parameter/user_ID/</term>
|
|
<listitem><para>show keys</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gpg --fingerprint <parameter/user_ID/</term>
|
|
<listitem><para>show fingerprint</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gpg --verify <parameter/pgpfile/</term>
|
|
<term>gpg --verify <parameter/sigfile/ &OptParmFiles;</term>
|
|
<listitem><para>
|
|
Verify the signature of the file but do not output the data. The
|
|
second form is used for detached signatures, where <parameter/sigfile/
|
|
is the detached signature (either ASCII armored or binary) and
|
|
&OptParmFiles; are the signed data; if this is not given, the name of
|
|
the file holding the signed data is constructed by cutting off the
|
|
extension (".asc" or ".sig") of <parameter/sigfile/ or by asking the
|
|
user for the filename.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>ENVIRONMENT</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>HOME</term>
|
|
<listitem><para>Used to locate the default home directory.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>GNUPGHOME</term>
|
|
<listitem><para>If set directory used instead of "~/.gnupg".</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>GPG_AGENT_INFO</term>
|
|
<listitem><para>Used to locate the gpg-agent; only honored when
|
|
--use-agent is set. The value consists of 3 colon delimited fields:
|
|
The first is the path to the Unix Domain Socket, the second the PID of
|
|
the gpg-agent and the protocol version which should be set to 1. When
|
|
starting the gpg-agent as described in its documentation, this
|
|
variable is set to the correct value. The option --gpg-agent-info can
|
|
be used to override it.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>http_proxy</term>
|
|
<listitem><para>Only honored when the keyserver-option
|
|
honor-http-proxy is set.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>COLUMNS</term>
|
|
<term>LINES</term>
|
|
<listitem><para>
|
|
Used to size some displays to the full size of the screen.
|
|
</para></listitem></varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/secring.gpg</term>
|
|
<listitem><para>The secret keyring</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/secring.gpg.lock</term>
|
|
<listitem><para>and the lock file</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/pubring.gpg</term>
|
|
<listitem><para>The public keyring</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/pubring.gpg.lock</term>
|
|
<listitem><para>and the lock file</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/trustdb.gpg</term>
|
|
<listitem><para>The trust database</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/trustdb.gpg.lock</term>
|
|
<listitem><para>and the lock file</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/random_seed</term>
|
|
<listitem><para>used to preserve the internal random pool</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/gpg.conf</term>
|
|
<listitem><para>Default configuration file</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>~/.gnupg/options</term>
|
|
<listitem><para>Old style configuration file; only used when gpg.conf
|
|
is not found</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>/usr[/local]/share/gnupg/options.skel</term>
|
|
<listitem><para>Skeleton options file</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>/usr[/local]/lib/gnupg/</term>
|
|
<listitem><para>Default location for extensions</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<!-- SEE ALSO not yet needed-->
|
|
|
|
<refsect1>
|
|
<title>WARNINGS</title>
|
|
<para>
|
|
Use a *good* password for your user account and a *good* passphrase
|
|
to protect your secret key. This passphrase is the weakest part of the
|
|
whole system. Programs to do dictionary attacks on your secret keyring
|
|
are very easy to write and so you should protect your "~/.gnupg/"
|
|
directory very well.
|
|
</para>
|
|
<para>
|
|
Keep in mind that, if this program is used over a network (telnet), it
|
|
is *very* easy to spy out your passphrase!
|
|
</para>
|
|
<para>
|
|
If you are going to verify detached signatures, make sure that the
|
|
program knows about it; either give both filenames on the command line
|
|
or use <literal>-</literal> to specify stdin.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS</title>
|
|
<para>
|
|
GnuPG tries to be a very flexible implementation of the OpenPGP
|
|
standard. In particular, GnuPG implements many of the optional parts
|
|
of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
|
|
compression algorithms. It is important to be aware that not all
|
|
OpenPGP programs implement these optional algorithms and that by
|
|
forcing their use via the --cipher-algo, --digest-algo,
|
|
--cert-digest-algo, or --compress-algo options in GnuPG, it is
|
|
possible to create a perfectly valid OpenPGP message, but one that
|
|
cannot be read by the intended recipient.
|
|
</para>
|
|
|
|
<para>
|
|
There are dozens of variations of OpenPGP programs available, and each
|
|
supports a slightly different subset of these optional algorithms.
|
|
For example, until recently, no (unhacked) version of PGP supported
|
|
the BLOWFISH cipher algorithm. A message using BLOWFISH simply could
|
|
not be read by a PGP user. By default, GnuPG uses the standard
|
|
OpenPGP preferences system that will always do the right thing and
|
|
create messages that are usable by all recipients, regardless of which
|
|
OpenPGP program they use. Only override this safe default if you
|
|
really know what you are doing.
|
|
</para>
|
|
|
|
<para>
|
|
If you absolutely must override the safe default, or if the
|
|
preferences on a given key are invalid for some reason, you are far
|
|
better off using the --pgp6, --pgp7, or --pgp8 options. These options
|
|
are safe as they do not force any particular algorithms in violation
|
|
of OpenPGP, but rather reduce the available algorithms to a "PGP-safe"
|
|
list.
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>BUGS</title>
|
|
<para>
|
|
On many systems this program should be installed as setuid(root). This
|
|
is necessary to lock memory pages. Locking memory pages prevents the
|
|
operating system from writing memory pages (which may contain
|
|
passphrases or other sensitive material) to disk. If you get no
|
|
warning message about insecure memory your operating system supports
|
|
locking without being root. The program drops root privileges as soon
|
|
as locked memory is allocated.
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|