1 This is gnupg.info, produced by makeinfo version 6.7 from gnupg.texi.
3 This is the 'The GNU Privacy Guard Manual' (version 2.4.3-beta30, June
6 (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
7 (C) 2013, 2014, 2015 Werner Koch.
8 (C) 2015, 2016, 2017 g10 Code GmbH.
10 Permission is granted to copy, distribute and/or modify this
11 document under the terms of the GNU General Public License as
12 published by the Free Software Foundation; either version 3 of the
13 License, or (at your option) any later version. The text of the
14 license can be found in the section entitled "Copying".
15 INFO-DIR-SECTION GNU Utilities
17 * gpg2: (gnupg). OpenPGP encryption and signing tool.
18 * gpgsm: (gnupg). S/MIME encryption and signing tool.
19 * gpg-agent: (gnupg). The secret key daemon.
20 * dirmngr: (gnupg). X.509 CRL and OCSP server.
21 * dirmngr-client: (gnupg). X.509 CRL and OCSP client.
25 File: gnupg.info, Node: CMS Options, Next: Esoteric Options, Prev: Input and Output, Up: GPGSM Options
27 5.2.4 How to change how the CMS is created
28 ------------------------------------------
31 Using N of -2 includes all certificate except for the root cert, -1
32 includes all certs, 0 does not include any certs, 1 includes only
33 the signers cert and all other positive values include up to N
34 certificates starting with the signer cert. The default is -2.
37 Use the cipher algorithm with the ASN.1 object identifier OID for
38 encryption. For convenience the strings '3DES', 'AES' and 'AES256'
39 may be used instead of their OIDs. The default is 'AES'
40 (2.16.840.1.101.3.4.1.2).
43 Use 'name' as the message digest algorithm. Usually this algorithm
44 is deduced from the respective signing certificate. This option
45 forces the use of the given algorithm and may lead to severe
46 interoperability problems.
49 File: gnupg.info, Node: Esoteric Options, Prev: CMS Options, Up: GPGSM Options
51 5.2.5 Doing things one usually do not want to do
52 ------------------------------------------------
55 Change the current user to UID which may either be a number or a
56 name. This can be used from the root account to run gpgsm for
57 another user. If UID is not the current UID a standard PATH is set
58 and the envvar GNUPGHOME is unset. To override the latter the
59 option '--homedir' can be used. This option has only an effect
60 when used on the command line. This option has currently no effect
63 '--extra-digest-algo NAME'
64 Sometimes signatures are broken in that they announce a different
65 digest algorithm than actually used. 'gpgsm' uses a one-pass data
66 processing model and thus needs to rely on the announced digest
67 algorithms to properly hash the data. As a workaround this option
68 may be used to tell 'gpgsm' to also hash the data using the
69 algorithm NAME; this slows processing down a little bit but allows
70 verification of such broken signatures. If 'gpgsm' prints an error
71 like "digest algo 8 has not been enabled" you may want to try this
72 option, with 'SHA256' for NAME.
75 Set the compliance mode. Valid values are shown when using "help"
79 This option adjusts the compliance mode "de-vs" for stricter key
80 size requirements. For example, a value of 3000 turns rsa2048 and
81 dsa2048 keys into non-VS-NfD compliant keys.
83 '--require-compliance'
84 To check that data has been encrypted according to the rules of the
85 current compliance mode, a gpgsm user needs to evaluate the status
86 lines. This is allows frontends to handle compliance check in a
87 more flexible way. However, for scripted use the required
88 evaluation of the status-line requires quite some effort; this
89 option can be used instead to make sure that the gpgsm process
90 exits with a failure if the compliance rules are not fulfilled.
91 Note that this option has currently an effect only in "de-vs" mode.
93 '--ignore-cert-with-oid OID'
94 Add OID to the list of OIDs to be checked while reading
95 certificates from smartcards. The OID is expected to be in dotted
96 decimal form, like '2.5.29.3'. This option may be used more than
97 once. As of now certificates with an extended key usage matching
98 one of those OIDs are ignored during a '--learn-card' operation and
99 not imported. This option can help to keep the local key database
100 clear of unneeded certificates stored on smartcards.
102 '--faked-system-time EPOCH'
103 This option is only useful for testing; it sets the system time
104 back or forth to EPOCH which is the number of seconds elapsed since
105 the year 1970. Alternatively EPOCH may be given as a full ISO time
106 string (e.g. "20070924T154812").
108 '--with-ephemeral-keys'
109 Include ephemeral flagged keys in the output of key listings. Note
110 that they are included anyway if the key specification for a
111 listing is given as fingerprint or keygrip.
113 '--compatibility-flags FLAGS'
114 Set compatibility flags to work around problems due to
115 non-compliant certificates or data. The FLAGS are given as a comma
116 separated list of flag names and are OR-ed together. The special
117 flag "none" clears the list and allows to start over with an empty
118 list. To get a list of available flags the sole word "help" can be
121 '--debug-level LEVEL'
122 Select the debug level for investigating problems. LEVEL may be a
123 numeric value or by a keyword:
126 No debugging at all. A value of less than 1 may be used
127 instead of the keyword.
129 Some basic debug messages. A value between 1 and 2 may be
130 used instead of the keyword.
132 More verbose debug messages. A value between 3 and 5 may be
133 used instead of the keyword.
135 Even more detailed messages. A value between 6 and 8 may be
136 used instead of the keyword.
138 All of the debug messages you can get. A value greater than 8
139 may be used instead of the keyword. The creation of hash
140 tracing files is only enabled if the keyword is used.
142 How these messages are mapped to the actual debugging flags is not
143 specified and may change with newer releases of this program. They
144 are however carefully selected to best aid in debugging.
147 Set debug flags. All flags are or-ed and FLAGS may be given in C
148 syntax (e.g. 0x0042) or as a comma separated list of flag names.
149 To get a list of all supported flags the single word "help" can be
150 used. This option is only useful for debugging and the behavior
151 may change at any time without notice.
153 Note, that all flags set using this option may get overridden by
157 Same as '--debug=0xffffffff'
159 '--debug-allow-core-dump'
160 Usually 'gpgsm' tries to avoid dumping core by well written code
161 and by disabling core dumps for security reasons. However, bugs
162 are pretty durable beasts and to squash them it is sometimes useful
163 to have a core dump. This option enables core dumps unless the Bad
164 Thing happened before the option parsing.
166 '--debug-no-chain-validation'
167 This is actually not a debugging option but only useful as such.
168 It lets 'gpgsm' bypass all certificate chain validation checks.
170 '--debug-ignore-expiration'
171 This is actually not a debugging option but only useful as such.
172 It lets 'gpgsm' ignore all notAfter dates, this is used by the
176 Read the passphrase from file descriptor 'n'. Only the first line
177 will be read from file descriptor 'n'. If you use 0 for 'n', the
178 passphrase will be read from STDIN. This can only be used if only
179 one passphrase is supplied.
181 Note that this passphrase is only used if the option '--batch' has
184 '--pinentry-mode mode'
185 Set the pinentry mode to 'mode'. Allowed values for 'mode' are:
187 Use the default of the agent, which is 'ask'.
189 Force the use of the Pinentry.
191 Emulate use of Pinentry's cancel button.
193 Return a Pinentry error ("No Pinentry").
195 Redirect Pinentry queries to the caller. Note that in
196 contrast to Pinentry the user is not prompted again if he
197 enters a bad password.
199 '--request-origin ORIGIN'
200 Tell gpgsm to assume that the operation ultimately originated at
201 ORIGIN. Depending on the origin certain restrictions are applied
202 and the Pinentry may include an extra note on the origin.
203 Supported values for ORIGIN are: 'local' which is the default,
204 'remote' to indicate a remote origin or 'browser' for an operation
205 requested by a web browser.
207 '--no-common-certs-import'
208 Suppress the import of common certificates on keybox creation.
210 All the long options may also be given in the configuration file
211 after stripping off the two leading dashes.
214 File: gnupg.info, Node: GPGSM Configuration, Next: GPGSM Examples, Prev: GPGSM Options, Up: Invoking GPGSM
216 5.3 Configuration files
217 =======================
219 There are a few configuration files to control certain aspects of
220 'gpgsm''s operation. Unless noted, they are expected in the current
221 home directory (*note option --homedir::).
224 This is the standard configuration file read by 'gpgsm' on startup.
225 It may contain any valid long option; the leading two dashes may
226 not be entered and the option may not be abbreviated. This default
227 name may be changed on the command line (*note gpgsm-option
228 --options::). You should backup this file.
231 This is an optional configuration file read by 'gpgsm' on startup.
232 It may contain options pertaining to all components of GnuPG. Its
233 current main use is for the "use-keyboxd" option.
236 This is a list of allowed CA policies. This file should list the
237 object identifiers of the policies line by line. Empty lines and
238 lines starting with a hash mark are ignored. Policies missing in
239 this file and not marked as critical in the certificate will print
240 only a warning; certificates with policies marked as critical and
241 not listed in this file will fail the signature verification. You
242 should backup this file.
244 For example, to allow only the policy 2.289.9.9, the file should
251 This is the list of root certificates used for qualified
252 certificates. They are defined as certificates capable of creating
253 legally binding signatures in the same way as handwritten
254 signatures are. Comments start with a hash mark and empty lines
255 are ignored. Lines do have a length limit but this is not a
256 serious limitation as the format of the entries is fixed and
257 checked by 'gpgsm': A non-comment line starts with optional
258 whitespace, followed by exactly 40 hex characters, white space and
259 a lowercased 2 letter country code. Additional data delimited with
260 by a white space is current ignored but might late be used for
263 Note that even if a certificate is listed in this file, this does
264 not mean that the certificate is trusted; in general the
265 certificates listed in this file need to be listed also in
266 'trustlist.txt'. This is a global file an installed in the sysconf
267 directory (e.g. '/usr/local/etc/gnupg/qualified.txt').
269 Every time 'gpgsm' uses a certificate for signing or verification
270 this file will be consulted to check whether the certificate under
271 question has ultimately been issued by one of these CAs. If this
272 is the case the user will be informed that the verified signature
273 represents a legally binding ("qualified") signature. When
274 creating a signature using such a certificate an extra prompt will
275 be issued to let the user confirm that such a legally binding
276 signature shall really be created.
278 Because this software has not yet been approved for use with such
279 certificates, appropriate notices will be shown to indicate this
283 This is plain text file with a few help entries used with
284 'pinentry' as well as a large list of help items for 'gpg' and
285 'gpgsm'. The standard file has English help texts; to install
286 localized versions use filenames like 'help.LL.txt' with LL
287 denoting the locale. GnuPG comes with a set of predefined help
288 files in the data directory (e.g.
289 '/usr/local/share/gnupg/gnupg/help.de.txt') and allows overriding
290 of any help item by help files stored in the system configuration
291 directory (e.g. '/usr/local/etc/gnupg/help.de.txt'). For a
292 reference of the help file's syntax, please see the installed
296 This file is a collection of common certificates used to populated
297 a newly created 'pubring.kbx'. An administrator may replace this
298 file with a custom one. The format is a concatenation of PEM
299 encoded X.509 certificates. This global file is installed in the
300 data directory (e.g. '/usr/local/share/gnupg/com-certs.pem').
302 Note that on larger installations, it is useful to put predefined
303 files into the directory '/etc/skel/.gnupg/' so that newly created users
304 start up with a working configuration. For existing users a small
305 helper script is provided to create these files (*note addgnupghome::).
307 For internal purposes 'gpgsm' creates and maintains a few other
308 files; they all live in the current home directory (*note option
309 --homedir::). Only 'gpgsm' may modify these files.
312 This a database file storing the certificates as well as meta
313 information. For debugging purposes the tool 'kbxutil' may be used
314 to show the internal structure of this file. You should backup
318 This content of this file is used to maintain the internal state of
319 the random number generator across invocations. The same file is
320 used by other programs of this software too.
323 If this file exists 'gpgsm' will first try to connect to this
324 socket for accessing 'gpg-agent' before starting a new 'gpg-agent'
325 instance. Under Windows this socket (which in reality be a plain
326 file describing a regular TCP listening port) is the standard way
327 of connecting the 'gpg-agent'.
330 File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
335 $ gpgsm -er goo@bar.net <plaintext >ciphertext
338 File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
343 'gpgsm' is often used as a backend engine by other software. To help
344 with this a machine interface has been defined to have an unambiguous
345 way to do this. This is most likely used with the '--server' command
346 but may also be used in the standard operation mode by using the
347 '--status-fd' option.
351 * Automated signature checking:: Automated signature checking.
352 * CSR and certificate creation:: CSR and certificate creation.
355 File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage
357 5.5.1 Automated signature checking
358 ----------------------------------
360 It is very important to understand the semantics used with signature
361 verification. Checking a signature is not as simple as it may sound and
362 so the operation is a bit complicated. In most cases it is required to
363 look at several status lines. Here is a table of all cases a signed
366 The signature is valid
367 This does mean that the signature has been successfully verified,
368 the certificates are all sane. However there are two subcases with
369 important information: One of the certificates may have expired or
370 a signature of a message itself as expired. It is a sound practise
371 to consider such a signature still as valid but additional
372 information should be displayed. Depending on the subcase 'gpgsm'
373 will issue these status codes:
374 signature valid and nothing did expire
375 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
376 signature valid but at least one certificate has expired
377 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
378 signature valid but expired
379 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is
380 currently not implemented.
382 The signature is invalid
383 This means that the signature verification failed (this is an
384 indication of a transfer error, a program error or tampering with
385 the message). 'gpgsm' issues one of these status codes sequences:
387 'GOODSIG, VALIDSIG TRUST_NEVER'
389 Error verifying a signature
390 For some reason the signature could not be verified, i.e. it
391 cannot be decided whether the signature is valid or invalid. A
392 common reason for this is a missing certificate.
395 File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage
397 5.5.2 CSR and certificate creation
398 ----------------------------------
400 The command '--generate-key' may be used along with the option '--batch'
401 to either create a certificate signing request (CSR) or an X.509
402 certificate. This is controlled by a parameter file; the format of this
405 * Text only, line length is limited to about 1000 characters.
406 * UTF-8 encoding must be used to specify non-ASCII characters.
407 * Empty lines are ignored.
408 * Leading and trailing while space is ignored.
409 * A hash sign as the first non white space character indicates a
411 * Control statements are indicated by a leading percent sign, the
412 arguments are separated by white space from the keyword.
413 * Parameters are specified by a keyword, followed by a colon.
414 Arguments are separated by white space.
415 * The first parameter must be 'Key-Type', control statements may be
417 * The order of the parameters does not matter except for 'Key-Type'
418 which must be the first parameter. The parameters are only used
419 for the generated CSR/certificate; parameters from previous sets
420 are not used. Some syntactically checks may be performed.
421 * Key generation takes place when either the end of the parameter
422 file is reached, the next 'Key-Type' parameter is encountered or at
423 the control statement '%commit' is encountered.
428 Print TEXT as diagnostic.
431 Suppress actual key generation (useful for syntax checking).
434 Perform the key generation. Note that an implicit commit is done
435 at the next Key-Type parameter.
440 Starts a new parameter block by giving the type of the primary key.
441 The algorithm must be capable of signing. This is a required
442 parameter. The supported values for ALGO are 'rsa', 'ecdsa', and
446 The requested length of a generated key in bits. Defaults to 3072.
447 The value is ignored for ECC algorithms.
450 This is optional and used to generate a CSR or certificate for an
451 already existing key. Key-Length will be ignored when given.
453 Key-Usage: USAGE-LIST
454 Space or comma delimited list of key usage, allowed values are
455 'encrypt', 'sign' and 'cert'. This is used to generate the
456 keyUsage extension. Please make sure that the algorithm is capable
457 of this usage. Default is to allow encrypt and sign.
459 Name-DN: SUBJECT-NAME
460 This is the Distinguished Name (DN) of the subject in RFC-2253
464 This is an email address for the altSubjectName. This parameter is
465 optional but may occur several times to add several email addresses
469 The is an DNS name for the altSubjectName. This parameter is
470 optional but may occur several times to add several DNS names to a
474 This is an URI for the altSubjectName. This parameter is optional
475 but may occur several times to add several URIs to a certificate.
477 Additional parameters used to create a certificate (in contrast to a
478 certificate signing request):
481 If this parameter is given an X.509 certificate will be generated.
482 SN is expected to be a hex string representing an unsigned integer
483 of arbitrary length. The special value 'random' can be used to
484 create a 64 bit random serial number.
486 Issuer-DN: ISSUER-NAME
487 This is the DN name of the issuer in RFC-2253 format. If it is not
488 set it will default to the subject DN and a special GnuPG extension
489 will be included in the certificate to mark it as a standalone
492 Creation-Date: ISO-DATE
494 Set the notBefore date of the certificate. Either a date like
495 '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like
496 '19860426T042640' may be used. The time is considered to be UTC.
497 If it is not given the current date is used.
499 Expire-Date: ISO-DATE
501 Set the notAfter date of the certificate. Either a date like
502 '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like
503 '20630405T170000' may be used. The time is considered to be UTC.
504 If it is not given a default value in the not too far future is
508 This gives the keygrip of the key used to sign the certificate. If
509 it is not given a self-signed certificate will be created. For
510 compatibility with future versions, it is suggested to prefix the
514 Use HASH-ALGO for this CSR or certificate. The supported hash
515 algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may
516 also be specified with uppercase letters. The default is 'sha256'.
518 Authority-Key-Id: HEXSTRING
519 Insert the decoded value of HEXSTRING as authorityKeyIdentifier.
520 If this is not given and an ECC algorithm is used the public part
521 of the certified public key is used as authorityKeyIdentifier. To
522 inhibit any authorityKeyIdentifier use the special value 'none' for
525 Subject-Key-Id: HEXSTRING
526 Insert the decoded value of HEXSTRING as subjectKeyIdentifier. If
527 this is not given and an ECC algorithm is used the public part of
528 the signing key is used as authorityKeyIdentifier. To inhibit any
529 subjectKeyIdentifier use the special value 'none' for HEXSTRING.
532 File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
534 5.6 The Protocol the Server Mode Uses
535 =====================================
537 Description of the protocol used to access 'GPGSM'. 'GPGSM' does
538 implement the Assuan protocol and in addition provides a regular command
539 line interface which exhibits a full client to this protocol (but uses
540 internal linking). To start 'gpgsm' as a server the command line the
541 option '--server' must be used. Additional options are provided to
542 select the communication method (i.e. the name of the socket).
544 We assume that the connection has already been established; see the
545 Assuan manual for details.
549 * GPGSM ENCRYPT:: Encrypting a message.
550 * GPGSM DECRYPT:: Decrypting a message.
551 * GPGSM SIGN:: Signing a message.
552 * GPGSM VERIFY:: Verifying a message.
553 * GPGSM GENKEY:: Generating a key.
554 * GPGSM LISTKEYS:: List available keys.
555 * GPGSM EXPORT:: Export certificates.
556 * GPGSM IMPORT:: Import certificates.
557 * GPGSM DELETE:: Delete certificates.
558 * GPGSM GETAUDITLOG:: Retrieve an audit log.
559 * GPGSM GETINFO:: Information about the process
560 * GPGSM OPTION:: Session options.
563 File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
565 5.6.1 Encrypting a Message
566 --------------------------
568 Before encryption can be done the recipient must be set using the
573 Set the recipient for the encryption. USERID should be the internal
574 representation of the key; the server may accept any other way of
575 specification. If this is a valid and trusted recipient the server does
576 respond with OK, otherwise the return is an ERR with the reason why the
577 recipient cannot be used, the encryption will then not be done for this
578 recipient. If the policy is not to encrypt at all if not all recipients
579 are valid, the client has to take care of this. All 'RECIPIENT'
580 commands are cumulative until a 'RESET' or an successful 'ENCRYPT'
583 INPUT FD[=N] [--armor|--base64|--binary]
585 Set the file descriptor for the message to be encrypted to N.
586 Obviously the pipe must be open at that point, the server establishes
587 its own end. If the server returns an error the client should consider
588 this session failed. If N is not given, this commands uses the last
589 file descriptor passed to the application. *Note the assuan_sendfd
590 function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
592 The '--armor' option may be used to advise the server that the input
593 data is in PEM format, '--base64' advises that a raw base-64 encoding is
594 used, '--binary' advises of raw binary input (BER). If none of these
595 options is used, the server tries to figure out the used encoding, but
596 this may not always be correct.
598 OUTPUT FD[=N] [--armor|--base64]
600 Set the file descriptor to be used for the output (i.e. the
601 encrypted message). Obviously the pipe must be open at that point, the
602 server establishes its own end. If the server returns an error the
603 client should consider this session failed.
605 The option '--armor' encodes the output in PEM format, the '--base64'
606 option applies just a base-64 encoding. No option creates binary output
609 The actual encryption is done using the command
613 It takes the plaintext from the 'INPUT' command, writes to the
614 ciphertext to the file descriptor set with the 'OUTPUT' command, take
615 the recipients from all the recipients set so far. If this command
616 fails the clients should try to delete all output currently done or
617 otherwise mark it as invalid. 'GPGSM' does ensure that there will not
618 be any security problem with leftover data on the output in this case.
620 This command should in general not fail, as all necessary checks have
621 been done while setting the recipients. The input and output pipes are
625 File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
627 5.6.2 Decrypting a message
628 --------------------------
630 Input and output FDs are set the same way as in encryption, but 'INPUT'
631 refers to the ciphertext and 'OUTPUT' to the plaintext. There is no
632 need to set recipients. 'GPGSM' automatically strips any S/MIME headers
633 from the input, so it is valid to pass an entire MIME part to the INPUT
636 The decryption is done by using the command
640 It performs the decrypt operation after doing some check on the
641 internal state (e.g. that all needed data has been set). Because it
642 utilizes the GPG-Agent for the session key decryption, there is no need
643 to ask the client for a protecting passphrase - GpgAgent takes care of
644 this by requesting this from the user.
647 File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
649 5.6.3 Signing a Message
650 -----------------------
652 Signing is usually done with these commands:
654 INPUT FD[=N] [--armor|--base64|--binary]
656 This tells 'GPGSM' to read the data to sign from file descriptor N.
658 OUTPUT FD[=M] [--armor|--base64]
660 Write the output to file descriptor M. If a detached signature is
661 requested, only the signature is written.
665 Sign the data set with the 'INPUT' command and write it to the sink
666 set by 'OUTPUT'. With '--detached', a detached signature is created
669 The key used for signing is the default one or the one specified in
670 the configuration file. To get finer control over the keys, it is
671 possible to use the command
675 to set the signer's key. USERID should be the internal
676 representation of the key; the server may accept any other way of
677 specification. If this is a valid and trusted recipient the server does
678 respond with OK, otherwise the return is an ERR with the reason why the
679 key cannot be used, the signature will then not be created using this
680 key. If the policy is not to sign at all if not all keys are valid, the
681 client has to take care of this. All 'SIGNER' commands are cumulative
682 until a 'RESET' is done. Note that a 'SIGN' does not reset this list of
683 signers which is in contrast to the 'RECIPIENT' command.
686 File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
688 5.6.4 Verifying a Message
689 -------------------------
691 To verify a message the command:
695 is used. It does a verify operation on the message send to the input
696 FD. The result is written out using status lines. If an output FD was
697 given, the signed text will be written to that. If the signature is a
698 detached one, the server will inquire about the signed material and the
699 client must provide it.
702 File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol
704 5.6.5 Generating a Key
705 ----------------------
707 This is used to generate a new keypair, store the secret part in the PSE
708 and the public key in the key database. We will probably add optional
709 commands to allow the client to select whether a hardware token is used
710 to store the key. Configuration options to 'GPGSM' can be used to
711 restrict the use of this command.
715 'GPGSM' checks whether this command is allowed and then does an
716 INQUIRY to get the key parameters, the client should then send the key
717 parameters in the native format:
719 S: INQUIRE KEY_PARAM native
724 Please note that the server may send Status info lines while reading
725 the data lines from the client. After this the key generation takes
726 place and the server eventually does send an ERR or OK response. Status
727 lines may be issued as a progress indicator.
730 File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol
732 5.6.6 List available keys
733 -------------------------
735 To list the keys in the internal database or using an external key
736 provider, the command:
740 is used. To allow multiple patterns (which are ORed during the
741 search) quoting is required: Spaces are to be translated into "+" or
742 into "%20"; in turn this requires that the usual escape quoting rules
745 LISTSECRETKEYS PATTERN
747 Lists only the keys where a secret key is available.
749 The list commands are affected by the option
751 OPTION list-mode=MODE
755 Use default (which is usually the same as 1).
757 List only the internal keys.
759 List only the external keys.
761 List internal and external keys.
763 Note that options are valid for the entire session.
766 File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol
768 5.6.7 Export certificates
769 -------------------------
771 To export certificate from the internal key database the command:
773 EXPORT [--data [--armor] [--base64]] [--] PATTERN
775 is used. To allow multiple patterns (which are ORed) quoting is
776 required: Spaces are to be translated into "+" or into "%20"; in turn
777 this requires that the usual escape quoting rules are done.
779 If the '--data' option has not been given, the format of the output
780 depends on what was set with the 'OUTPUT' command. When using PEM
781 encoding a few informational lines are prepended.
783 If the '--data' has been given, a target set via 'OUTPUT' is ignored
784 and the data is returned inline using standard 'D'-lines. This avoids
785 the need for an extra file descriptor. In this case the options
786 '--armor' and '--base64' may be used in the same way as with the
790 File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol
792 5.6.8 Import certificates
793 -------------------------
795 To import certificates into the internal key database, the command
799 is used. The data is expected on the file descriptor set with the
800 'INPUT' command. Certain checks are performed on the certificate. Note
801 that the code will also handle PKCS#12 files and import private keys; a
802 helper program is used for that.
804 With the option '--re-import' the input data is expected to a be a
805 linefeed separated list of fingerprints. The command will re-import the
806 corresponding certificates; that is they are made permanent by removing
807 their ephemeral flag.
810 File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol
812 5.6.9 Delete certificates
813 -------------------------
815 To delete a certificate the command
819 is used. To allow multiple patterns (which are ORed) quoting is
820 required: Spaces are to be translated into "+" or into "%20"; in turn
821 this requires that the usual escape quoting rules are done.
823 The certificates must be specified unambiguously otherwise an error
827 File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol
829 5.6.10 Retrieve an audit log
830 ----------------------------
832 This command is used to retrieve an audit log.
834 GETAUDITLOG [--data] [--html]
836 If '--data' is used, the audit log is send using D-lines instead of
837 being sent to the file descriptor given by an 'OUTPUT' command. If
838 '--html' is used, the output is formatted as an XHTML block. This is
839 designed to be incorporated into a HTML document.
842 File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol
844 5.6.11 Return information about the process
845 -------------------------------------------
847 This is a multipurpose function to return a variety of information.
851 The value of WHAT specifies the kind of information returned:
853 Return the version of the program.
855 Return the process id of the process.
857 Return OK if the agent is running.
858 'cmd_has_option CMD OPT'
859 Return OK if the command CMD implements the option OPT. The
860 leading two dashes usually used with OPT shall not be given.
862 Return OK if the connection is in offline mode. This may be either
863 due to a 'OPTION offline=1' or due to 'gpgsm' being started with
864 option '--disable-dirmngr'.
867 File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol
869 5.6.12 Session options
870 ----------------------
872 The standard Assuan option handler supports these options.
876 These NAMEs are recognized:
879 Change the session's environment to be passed via gpg-agent to
880 Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If
881 only '<KEY>' is given the environment variable '<KEY>' is removed
882 from the session environment, if '<KEY>=' is given that environment
883 variable is set to the empty string, and if '<STRING>' is given it
884 is set to that string.
887 Set the session environment variable 'DISPLAY' is set to VALUE.
889 Set the session environment variable 'GPG_TTY' is set to VALUE.
891 Set the session environment variable 'TERM' is set to VALUE.
893 Set the session environment variable 'LC_CTYPE' is set to VALUE.
895 Set the session environment variable 'LC_MESSAGES' is set to VALUE.
897 Set the session environment variable 'XAUTHORITY' is set to VALUE.
899 Set the session environment variable 'PINENTRY_USER_DATA' is set to
903 This option overrides the command line option '--include-certs'. A
904 VALUE of -2 includes all certificates except for the root
905 certificate, -1 includes all certificates, 0 does not include any
906 certificates, 1 includes only the signers certificate and all other
907 positive values include up to VALUE certificates starting with the
911 *Note gpgsm-cmd listkeys::.
914 If VALUE is true the output of the list commands (*note gpgsm-cmd
915 listkeys::) is written to the file descriptor set with the last
916 'OUTPUT' command. If VALUE is false the output is written via data
917 lines; this is the default.
920 If VALUE is true for each listed certificate the validation status
921 is printed. This may result in the download of a CRL or the user
922 being asked about the trustworthiness of a root certificate. The
923 default is given by a command line option (*note gpgsm-option
924 --with-validation::).
927 If VALUE is true certificates with a corresponding private key are
928 marked by the list commands.
931 This option overrides the command line option 'validation-model'
932 for the session. (*Note gpgsm-option --validation-model::.)
935 This option globally enables the command line option
936 '--with-key-data'. (*Note gpgsm-option --with-key-data::.)
939 If VALUE is true data to write an audit log is gathered. (*Note
940 gpgsm-cmd getauditlog::.)
942 'allow-pinentry-notify'
943 If this option is used notifications about the launch of a Pinentry
944 are passed back to the client.
946 'with-ephemeral-keys'
947 If VALUE is true ephemeral certificates are included in the output
948 of the list commands.
951 If this option is used all keys set by the command line option
952 '--encrypt-to' are ignored.
955 If VALUE is true or VALUE is not given all network access is
956 disabled for this session. This is the same as the command line
957 option '--disable-dirmngr'.
960 This is the same as the '--input-size-hint' command line option.
963 File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top
965 6 Invoking the SCDAEMON
966 ***********************
968 The 'scdaemon' is a daemon to manage smartcards. It is usually invoked
969 by 'gpg-agent' and in general not used directly.
971 *Note Option Index::, for an index to 'scdaemon''s commands and
976 * Scdaemon Commands:: List of all commands.
977 * Scdaemon Options:: List of all options.
978 * Card applications:: Description of card applications.
979 * Scdaemon Configuration:: Configuration files.
980 * Scdaemon Examples:: Some usage examples.
981 * Scdaemon Protocol:: The protocol the daemon uses.
984 File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON
989 Commands are not distinguished from options except for the fact that
990 only one command is allowed.
993 Print the program version and licensing information. Note that you
994 cannot abbreviate this command.
997 Print a usage message summarizing the most useful command-line
998 options. Note that you cannot abbreviate this command.
1001 Print a list of all available options and commands. Note that you
1002 cannot abbreviate this command.
1005 Run in server mode and wait for commands on the 'stdin'. The
1006 default mode is to create a socket and listen for commands there.
1009 Run in server mode and wait for commands on the 'stdin' as well as
1010 on an additional Unix Domain socket. The server command 'GETINFO'
1011 may be used to get the name of that extra socket.
1014 Run the program in the background. This option is required to
1015 prevent it from being accidentally running in the background.
1018 File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON
1024 Reads configuration from FILE instead of from the default per-user
1025 configuration file. The default configuration file is named
1026 'scdaemon.conf' and expected in the '.gnupg' directory directly
1027 below the home directory of the user.
1030 Set the name of the home directory to DIR. If this option is not
1031 used, the home directory defaults to '~/.gnupg'. It is only
1032 recognized when given on the command line. It also overrides any
1033 home directory stated through the environment variable 'GNUPGHOME'
1034 or (on Windows systems) by means of the Registry entry
1035 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1037 On Windows systems it is possible to install GnuPG as a portable
1038 application. In this case only this command line option is
1039 considered, all other ways to set a home directory are ignored.
1041 To install GnuPG as a portable application under Windows, create an
1042 empty file named 'gpgconf.ctl' in the same directory as the tool
1043 'gpgconf.exe'. The root of the installation is then that
1044 directory; or, if 'gpgconf.exe' has been installed directly below a
1045 directory named 'bin', its parent directory. You also need to make
1046 sure that the following directories exist and are writable:
1047 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
1048 for internal cache files.
1052 Outputs additional information while running. You can increase the
1053 verbosity by giving several verbose commands to 'gpgsm', such as
1056 '--debug-level LEVEL'
1057 Select the debug level for investigating problems. LEVEL may be a
1058 numeric value or a keyword:
1061 No debugging at all. A value of less than 1 may be used
1062 instead of the keyword.
1064 Some basic debug messages. A value between 1 and 2 may be
1065 used instead of the keyword.
1067 More verbose debug messages. A value between 3 and 5 may be
1068 used instead of the keyword.
1070 Even more detailed messages. A value between 6 and 8 may be
1071 used instead of the keyword.
1073 All of the debug messages you can get. A value greater than 8
1074 may be used instead of the keyword. The creation of hash
1075 tracing files is only enabled if the keyword is used.
1077 How these messages are mapped to the actual debugging flags is not
1078 specified and may change with newer releases of this program. They
1079 are however carefully selected to best aid in debugging.
1081 Note: All debugging options are subject to change and thus
1082 should not be used by any application program. As the name
1083 says, they are only used as helpers to debug problems.
1086 Set debug flags. All flags are or-ed and FLAGS may be given in C
1087 syntax (e.g. 0x0042) or as a comma separated list of flag names.
1088 To get a list of all supported flags the single word "help" can be
1089 used. This option is only useful for debugging and the behavior
1090 may change at any time without notice.
1093 Same as '--debug=0xffffffff'
1096 When running in server mode, wait N seconds before entering the
1097 actual processing loop and print the pid. This gives time to
1100 '--debug-ccid-driver'
1101 Enable debug output from the included CCID driver for smartcards.
1102 Using this option twice will also enable some tracing of the T=1
1103 protocol. Note that this option may reveal sensitive data.
1105 '--debug-disable-ticker'
1106 This option disables all ticker functions like checking for card
1109 '--debug-allow-core-dump'
1110 For security reasons we won't create a core dump when the process
1111 aborts. For debugging purposes it is sometimes better to allow
1112 core dump. This option enables it and also changes the working
1113 directory to '/tmp' when running in '--server' mode.
1116 This option appends a thread ID to the PID in the log output.
1118 '--debug-assuan-log-cats CATS'
1119 Changes the active Libassuan logging categories to CATS. The value
1120 for CATS is an unsigned integer given in usual C-Syntax. A value
1121 of 0 switches to a default category. If this option is not used
1122 the categories are taken from the environment variable
1123 'ASSUAN_DEBUG'. Note that this option has only an effect if the
1124 Assuan debug flag has also been with the option '--debug'. For a
1125 list of categories see the Libassuan manual.
1128 Don't detach the process from the console. This is mainly useful
1131 '--listen-backlog N'
1132 Set the size of the queue for pending connections. The default is
1133 64. This option has an effect only if '--multi-server' is also
1137 Append all logging output to FILE. This is very helpful in seeing
1138 what the agent actually does. Use 'socket://' to log to socket.
1141 Use shared mode to access the card via PC/SC. This is a somewhat
1142 dangerous option because Scdaemon assumes exclusive access to the
1143 card and for example caches certain information from the card. Use
1144 this option only if you know what you are doing.
1146 '--pcsc-driver LIBRARY'
1147 Use LIBRARY to access the smartcard reader. The current default on
1148 Unix is 'libpcsclite.so' and on Windows 'winscard.dll'. Instead of
1149 using this option you might also want to install a symbolic link to
1150 the default file name (e.g. from 'libpcsclite.so.1'). A Unicode
1151 file name may not be used on Windows.
1153 '--ctapi-driver LIBRARY'
1154 Use LIBRARY to access the smartcard reader. The current default is
1155 'libtowitoko.so'. Note that the use of this interface is
1156 deprecated; it may be removed in future releases.
1159 Disable the integrated support for CCID compliant readers. This
1160 allows falling back to one of the other drivers even if the
1161 internal CCID driver can handle the reader. Note, that CCID
1162 support is only available if libusb was available at build time.
1164 '--reader-port NUMBER_OR_STRING'
1165 This option may be used to specify the port of the card terminal.
1166 A value of 0 refers to the first serial device; add 32768 to access
1167 USB devices. The default is 32768 (first USB device). PC/SC or
1168 CCID readers might need a string here; run the program in verbose
1169 mode to get a list of available readers. The default is then the
1172 To get a list of available CCID readers you may use this command:
1173 echo scd getinfo reader_list \
1174 | gpg-connect-agent --decode | awk '/^D/ {print $2}'
1177 This option is deprecated. In GnuPG 2.0, it used to be used for
1178 DISCONNECT command to control timing issue. Since DISCONNECT
1179 command works synchronously, it has no effect.
1181 '--enable-pinpad-varlen'
1182 Please specify this option when the card reader supports variable
1183 length input for pinpad (default is no). For known readers (listed
1184 in ccid-driver.c and apdu.c), this option is not needed. Note that
1185 if your card reader doesn't supports variable length input but you
1186 want to use it, you need to specify your pinpad request on your
1190 Even if a card reader features a pinpad, do not try to use it.
1193 This option disables the use of admin class commands for card
1194 applications where this is supported. Currently we support it for
1195 the OpenPGP card. This option is useful to inhibit accidental
1196 access to admin class command which could ultimately lock the card
1197 through wrong PIN numbers. Note that GnuPG versions older than
1198 2.0.11 featured an '--allow-admin' option which was required to use
1199 such admin commands. This option has no more effect today because
1200 the default is now to allow admin commands.
1202 '--disable-application NAME'
1203 This option disables the use of the card application named NAME.
1204 This is mainly useful for debugging or if a application with lower
1205 priority should be used by default.
1207 '--application-priority NAMELIST'
1208 This option allows to change the order in which applications of a
1209 card a tried if no specific application was requested. NAMELIST is
1210 a space or comma delimited list of application names. Unknown
1211 names are simply skipped. Applications not mentioned in the list
1212 are put in the former order at the end of the new priority list.
1214 To get the list of current active applications, use
1215 gpg-connect-agent 'scd getinfo app_list' /bye
1217 All the long options may also be given in the configuration file
1218 after stripping off the two leading dashes.
1221 File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON
1223 6.3 Description of card applications
1224 ====================================
1226 'scdaemon' supports the card applications as described below.
1230 * OpenPGP Card:: The OpenPGP card application
1231 * NKS Card:: The Telesec NetKey card application
1232 * DINSIG Card:: The DINSIG card application
1233 * PKCS#15 Card:: The PKCS#15 card application
1234 * Geldkarte Card:: The Geldkarte application
1235 * SmartCard-HSM:: The SmartCard-HSM application
1236 * Undefined Card:: The Undefined stub application
1239 File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications
1241 6.3.1 The OpenPGP card application "openpgp"
1242 --------------------------------------------
1244 This application is currently only used by 'gpg' but may in future also
1245 be useful with 'gpgsm'. Version 1 and version 2 of the card is
1248 The specifications for these cards are available at
1249 <http://g10code.com/docs/openpgp-card-1.0.pdf> and
1250 <http://g10code.com/docs/openpgp-card-2.0.pdf>.
1253 File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications
1255 6.3.2 The Telesec NetKey card "nks"
1256 -----------------------------------
1258 This is the main application of the Telesec cards as available in
1259 Germany. It is a superset of the German DINSIG card. The card is used
1263 File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications
1265 6.3.3 The DINSIG card application "dinsig"
1266 ------------------------------------------
1268 This is an application as described in the German draft standard _DIN V
1269 66291-1_. It is intended to be used by cards supporting the German
1270 signature law and its bylaws (SigG and SigV).
1273 File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications
1275 6.3.4 The PKCS#15 card application "p15"
1276 ----------------------------------------
1278 This is common framework for smart card applications. It is used by
1282 File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications
1284 6.3.5 The Geldkarte card application "geldkarte"
1285 ------------------------------------------------
1287 This is a simple application to display information of a German
1288 Geldkarte. The Geldkarte is a small amount debit card application which
1289 comes with almost all German banking cards.
1292 File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications
1294 6.3.6 The SmartCard-HSM card application "sc-hsm"
1295 -------------------------------------------------
1297 This application adds read-only support for keys and certificates stored
1298 on a SmartCard-HSM (http://www.smartcard-hsm.com).
1300 To generate keys and store certificates you may use OpenSC
1301 (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from
1302 OpenSCDP (http://www.openscdp.org).
1304 The SmartCard-HSM cards requires a card reader that supports Extended
1308 File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications
1310 6.3.7 The Undefined card application "undefined"
1311 ------------------------------------------------
1313 This is a stub application to allow the use of the APDU command even if
1314 no supported application is found on the card. This application is not
1315 used automatically but must be explicitly requested using the SERIALNO
1319 File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
1321 6.4 Configuration files
1322 =======================
1324 There are a few configuration files to control certain aspects of
1325 'scdaemons''s operation. Unless noted, they are expected in the current
1326 home directory (*note option --homedir::).
1329 This is the standard configuration file read by 'scdaemon' on
1330 startup. It may contain any valid long option; the leading two
1331 dashes may not be entered and the option may not be abbreviated.
1332 This default name may be changed on the command line (*note option
1336 If this file is present and executable, it will be called on every
1337 card reader's status change. An example of this script is provided
1338 with the source code distribution. This option is deprecated in
1339 favor of the 'DEVINFO --watch'.
1342 This file is created by 'scdaemon' to let other applications now
1343 about reader status changes. Its use is now deprecated in favor of
1347 File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
1352 $ scdaemon --server -v
1355 File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
1357 6.6 Scdaemon's Assuan Protocol
1358 ==============================
1360 The SC-Daemon should be started by the system to provide access to
1361 external tokens. Using Smartcards on a multi-user system does not make
1362 much sense except for system services, but in this case no regular user
1363 accounts are hosted on the machine.
1365 A client connects to the SC-Daemon by connecting to the socket named
1366 '/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
1367 read from /USR/LOCAL/ETC/GNUPG/SCDAEMON.CONF
1369 Each connection acts as one session, SC-Daemon takes care of
1370 synchronizing access to a token between sessions.
1374 * Scdaemon SERIALNO:: Return the serial number.
1375 * Scdaemon LEARN:: Read all useful information from the card.
1376 * Scdaemon READCERT:: Return a certificate.
1377 * Scdaemon READKEY:: Return a public key.
1378 * Scdaemon PKSIGN:: Signing data with a Smartcard.
1379 * Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
1380 * Scdaemon GETATTR:: Read an attribute's value.
1381 * Scdaemon SETATTR:: Update an attribute's value.
1382 * Scdaemon WRITEKEY:: Write a key to a card.
1383 * Scdaemon GENKEY:: Generate a new key on-card.
1384 * Scdaemon RANDOM:: Return random bytes generated on-card.
1385 * Scdaemon PASSWD:: Change PINs.
1386 * Scdaemon CHECKPIN:: Perform a VERIFY operation.
1387 * Scdaemon RESTART:: Restart connection
1388 * Scdaemon APDU:: Send a verbatim APDU to the card
1391 File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
1393 6.6.1 Return the serial number
1394 ------------------------------
1396 This command should be used to check for the presence of a card. It is
1397 special in that it can be used to reset the card. Most other commands
1398 will return an error when a card change has been detected and the use of
1399 this function is therefore required.
1401 Background: We want to keep the client clear of handling card changes
1402 between operations; i.e. the client can assume that all operations are
1403 done on the same card unless he call this function.
1407 Return the serial number of the card using a status response like:
1409 S SERIALNO D27600000000000000000000
1411 The serial number is the hex encoded value identified by the '0x5A'
1412 tag in the GDO file (FIX=0x2F02).
1415 File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
1417 6.6.2 Read all useful information from the card
1418 -----------------------------------------------
1422 Learn all useful information of the currently inserted card. When
1423 used without the '--force' option, the command might do an INQUIRE like
1426 INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
1428 The client should just send an 'END' if the processing should go on
1429 or a 'CANCEL' to force the function to terminate with a cancel error
1430 message. The response of this command is a list of status lines
1433 S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
1435 If there is no certificate yet stored on the card a single "X" is
1436 returned in HEXSTRING_WITH_KEYGRIP.
1439 File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
1441 6.6.3 Return a certificate
1442 --------------------------
1444 READCERT HEXIFIED_CERTID|KEYID
1446 This function is used to read a certificate identified by
1447 HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
1448 may be used to read the certificate of version 2 cards.
1451 File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
1453 6.6.4 Return a public key
1454 -------------------------
1456 READKEY HEXIFIED_CERTID
1458 Return the public key for the given cert or key ID as an standard
1462 File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
1464 6.6.5 Signing data with a Smartcard
1465 -----------------------------------
1467 To sign some data the caller should use the command
1471 to tell 'scdaemon' about the data to be signed. The data must be
1472 given in hex notation. The actual signing is done using the command
1476 where KEYID is the hexified ID of the key to be used. The key id may
1477 have been retrieved using the command 'LEARN'. If another hash
1478 algorithm than SHA-1 is used, that algorithm may be given like:
1480 PKSIGN --hash=ALGONAME KEYID
1482 With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
1485 File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
1487 6.6.6 Decrypting data with a Smartcard
1488 --------------------------------------
1490 To decrypt some data the caller should use the command
1494 to tell 'scdaemon' about the data to be decrypted. The data must be
1495 given in hex notation. The actual decryption is then done using the
1500 where KEYID is the hexified ID of the key to be used.
1502 If the card is aware of the apdding format a status line with padding
1503 information is send before the plaintext data. The key for this status
1504 line is 'PADDING' with the only defined value being 0 and meaning
1505 padding has been removed.
1508 File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
1510 6.6.7 Read an attribute's value
1511 -------------------------------
1516 File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
1518 6.6.8 Update an attribute's value
1519 ---------------------------------
1524 File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
1526 6.6.9 Write a key to a card
1527 ---------------------------
1529 WRITEKEY [--force] KEYID
1531 This command is used to store a secret key on a smartcard. The
1532 allowed keyids depend on the currently selected smartcard application.
1533 The actual keydata is requested using the inquiry 'KEYDATA' and need to
1534 be provided without any protection. With '--force' set an existing key
1535 under this KEYID will get overwritten. The key data is expected to be
1536 the usual canonical encoded S-expression.
1538 A PIN will be requested in most cases. This however depends on the
1539 actual card application.
1542 File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
1544 6.6.10 Generate a new key on-card
1545 ---------------------------------
1550 File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
1552 6.6.11 Return random bytes generated on-card
1553 --------------------------------------------
1558 File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
1563 PASSWD [--reset] [--nullpin] CHVNO
1565 Change the PIN or reset the retry counter of the card holder
1566 verification vector number CHVNO. The option '--nullpin' is used to
1567 initialize the PIN of TCOS cards (6 byte NullPIN only).
1570 File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
1572 6.6.13 Perform a VERIFY operation
1573 ---------------------------------
1577 Perform a VERIFY operation without doing anything else. This may be
1578 used to initialize a the PIN cache earlier to long lasting operations.
1579 Its use is highly application dependent:
1583 Perform a simple verify operation for CHV1 and CHV2, so that
1584 further operations won't ask for CHV2 and it is possible to do a
1585 cheap check on the PIN: If there is something wrong with the PIN
1586 entry system, only the regular CHV will get blocked and not the
1587 dangerous CHV3. IDSTR is the usual card's serial number in hex
1588 notation; an optional fingerprint part will get ignored.
1590 There is however a special mode if IDSTR is suffixed with the
1591 literal string '[CHV3]': In this case the Admin PIN is checked if
1592 and only if the retry counter is still at 3.
1595 File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
1597 6.6.14 Perform a RESTART operation
1598 ----------------------------------
1602 Restart the current connection; this is a kind of warm reset. It
1603 deletes the context used by this connection but does not actually reset
1606 This is used by gpg-agent to reuse a primary pipe connection and may
1607 be used by clients to backup from a conflict in the serial command; i.e.
1608 to select another application.
1611 File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
1613 6.6.15 Send a verbatim APDU to the card
1614 ---------------------------------------
1616 APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
1618 Send an APDU to the current reader. This command bypasses the high
1619 level functions and sends the data directly to the card. HEXSTRING is
1620 expected to be a proper APDU. If HEXSTRING is not given no commands are
1621 send to the card; However the command will implicitly check whether the
1622 card is ready for use.
1624 Using the option '--atr' returns the ATR of the card as a status
1625 message before any data like this:
1626 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1628 Using the option '--more' handles the card status word MORE_DATA
1629 (61xx) and concatenate all responses to one block.
1631 Using the option '--exlen' the returned APDU may use extended length
1632 up to N bytes. If N is not given a default value is used (currently
1636 File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top
1638 7 How to Specify a User Id
1639 **************************
1641 There are different ways to specify a user ID to GnuPG. Some of them are
1642 only valid for 'gpg' others are only good for 'gpgsm'. Here is the
1643 entire list of ways to specify a key:
1645 * By key Id. This format is deduced from the length of the string
1646 and its content or '0x' prefix. The key Id of an X.509 certificate
1647 are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
1648 is just a shortcut, for all automated processing the fingerprint
1651 When using 'gpg' an exclamation mark (!) may be appended to force
1652 using the specified primary or secondary key and not to try and
1653 calculate which primary or secondary key to use.
1655 The last four lines of the example give the key ID in their long
1656 form as internally used by the OpenPGP protocol. You can see the
1657 long key ID using the option '--with-colons'.
1669 * By fingerprint. This format is deduced from the length of the
1670 string and its content or the '0x' prefix. Note, that only the 20
1671 byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
1672 hash of the certificate).
1674 When using 'gpg' an exclamation mark (!) may be appended to force
1675 using the specified primary or secondary key and not to try and
1676 calculate which primary or secondary key to use.
1678 The best way to specify a key Id is by using the fingerprint. This
1679 avoids any ambiguities in case that there are duplicated key IDs.
1681 1234343434343434C434343434343434
1682 123434343434343C3434343434343734349A3434
1683 0E12343434343434343434EAB3484343434343434
1684 0xE12343434343434343434EAB3484343434343434
1686 'gpgsm' also accepts colons between each pair of hexadecimal digits
1687 because this is the de-facto standard on how to present X.509
1688 fingerprints. 'gpg' also allows the use of the space separated
1689 SHA-1 fingerprint as printed by the key listing commands.
1691 * By exact match on OpenPGP user ID. This is denoted by a leading
1692 equal sign. It does not make sense for X.509 certificates.
1694 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
1696 * By exact match on an email address. This is indicated by enclosing
1697 the email address in the usual way with left and right angles.
1699 <heinrichh@uni-duesseldorf.de>
1701 * By partial match on an email address. This is indicated by
1702 prefixing the search string with an '@'. This uses a substring
1703 search but considers only the mail address (i.e. inside the angle
1708 * By exact match on the subject's DN. This is indicated by a leading
1709 slash, directly followed by the RFC-2253 encoded DN of the subject.
1710 Note that you can't use the string printed by 'gpgsm --list-keys'
1711 because that one has been reordered and modified for better
1712 readability; use '--with-colons' to print the raw (but standard
1713 escaped) RFC-2253 string.
1715 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
1717 * By exact match on the issuer's DN. This is indicated by a leading
1718 hash mark, directly followed by a slash and then directly followed
1719 by the RFC-2253 encoded DN of the issuer. This should return the
1720 Root cert of the issuer. See note above.
1722 #/CN=Root Cert,O=Poets,L=Paris,C=FR
1724 * By exact match on serial number and issuer's DN. This is indicated
1725 by a hash mark, followed by the hexadecimal representation of the
1726 serial number, then followed by a slash and the RFC-2253 encoded DN
1727 of the issuer. See note above.
1729 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
1731 * By keygrip. This is indicated by an ampersand followed by the 40
1732 hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
1733 command '--dump-cert'.
1735 &D75F22C3F86E355877348498CDC92BD21010A480
1737 * By substring match. This is the default mode but applications may
1738 want to explicitly indicate this by putting the asterisk in front.
1739 Match is not case sensitive.
1744 * . and + prefixes These prefixes are reserved for looking up mails
1745 anchored at the end and for a word search mode. They are not yet
1746 implemented and using them is undefined.
1748 Please note that we have reused the hash mark identifier which was
1749 used in old GnuPG versions to indicate the so called local-id. It is
1750 not anymore used and there should be no conflict when used with X.509
1753 Using the RFC-2253 format of DNs has the drawback that it is not
1754 possible to map them back to the original encoding, however we don't
1755 have to do this because our key database stores this encoding as meta
1759 File: gnupg.info, Node: Trust Values, Next: Smart Card Tool, Prev: Specify a User ID, Up: Top
1764 Trust values are used to indicate ownertrust and validity of keys and
1765 user IDs. They are displayed with letters or strings:
1769 No ownertrust assigned / not yet calculated.
1774 Trust calculation has failed; probably due to an expired key.
1778 Not enough information for calculation.
1782 Never trust this key.
1798 For validity only: the key or the user ID has been revoked.
1802 The program encountered an unknown trust value.
1805 File: gnupg.info, Node: Smart Card Tool, Next: Helper Tools, Prev: Trust Values, Up: Top
1810 GnuPG comes with a tool to administrate smart cards and USB tokens.
1811 This tool is an enhanced version of the '--edit-key' command available
1816 * gpg-card:: Administrate smart cards.
1819 File: gnupg.info, Node: gpg-card, Up: Smart Card Tool
1821 9.1 Administrate smart cards.
1822 =============================
1824 The 'gpg-card' is used to administrate smart cards and USB tokens. It
1825 provides a superset of features from 'gpg --card-edit' an can be
1826 considered a frontend to 'scdaemon' which is a daemon started by
1827 'gpg-agent' to handle smart cards.
1829 If 'gpg-card' is invoked without commands an interactive mode is
1832 If 'gpg-card' is invoked with one or more commands the same commands
1833 as available in the interactive mode are run from the command line.
1834 These commands need to be delimited with a double-dash. If a
1835 double-dash or a shell specific character is required as part of a
1836 command the entire command needs to be put in quotes. If one of those
1837 commands returns an error the remaining commands are not anymore run
1838 unless the command was prefixed with a single dash.
1840 A list of commands is available by using the command 'help' and a
1841 brief description of each command is printed by using 'help CMD'. See
1842 the section COMMANDS for a full description.
1844 See the NOTES sections for instructions pertaining to specific cards
1845 or card applications.
1847 'gpg-card' understands these options:
1850 This option has currently no effect.
1853 Write special status strings to the file descriptor N. This
1854 program returns only the status messages SUCCESS or FAILURE which
1855 are helpful when the caller uses a double fork approach and can't
1856 easily get the return code of the process.
1859 Enable extra informational output.
1862 Disable almost all informational output.
1865 Print version of the program and exit.
1868 Display a brief help page and exit.
1871 Do not start the gpg-agent if it has not yet been started and its
1872 service is required. This option is mostly useful on machines
1873 where the connection to gpg-agent has been redirected to another
1877 In interactive mode the command line history is usually saved and
1878 restored to and from a file below the GnuPG home directory. This
1879 option inhibits the use of that file.
1881 '--agent-program FILE'
1882 Specify the agent program to be started if none is running. The
1883 default value is determined by running 'gpgconf' with the option
1886 '--gpg-program FILE'
1887 Specify a non-default gpg binary to be used by certain commands.
1889 '--gpgsm-program FILE'
1890 Specify a non-default gpgsm binary to be used by certain commands.
1893 Change the current user to UID which may either be a number or a
1894 name. This can be used from the root account to run gpg-card for
1895 another user. If UID is not the current UID a standard PATH is set
1896 and the envvar GNUPGHOME is unset. To override the latter the
1897 option '--homedir' can be used. This option has only an effect
1898 when used on the command line. This option has currently no effect
1901 'gpg-card' understands the following commands, which have options of
1902 their own. The pseudo-option '--' can be used to separate command
1903 options from arguments; if this pseudo option is used on the command
1904 line the entire command with options and arguments must be quoted, so
1905 that it is not mixed up with the '--' as used on the command line to
1906 separate commands. Note that a short online help is available for all
1907 commands by prefixing them with "help". Command completion in the
1908 interactive mode is also supported.
1910 'AUTHENTICATE [--setkey] [--raw] [< FILE]|KEY]'
1912 Authenticate to the card. Perform a mutual authentication either
1913 by reading the key from FILE or by taking it from the command line
1914 as KEY. Without the option '--raw' the key is expected to be hex
1915 encoded. To install a new administration key '--setkey' is used;
1916 this requires a prior authentication with the old key. This is
1917 used with PIV cards.
1920 Change the CA fingerprint number N of an OpenPGP card. N must be
1921 in the range 1 to 3. The option '--clear' clears the specified CA
1922 fingerprint N or all of them if N is 0 or not given.
1925 Do a complete reset of some OpenPGP and PIV cards. This command
1926 deletes all data and keys and resets the PINs to their default.
1927 Don't worry, you need to confirm before the command proceeds.
1930 Retrieve a key using the URL data object of an OpenPGP card or if
1931 that is missing using the stored fingerprint.
1934 Toggle the forcesig flag of an OpenPGP card.
1936 'GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF'
1937 Create a new key on a card. Use '--force' to overwrite an existing
1938 key. Use "help" for ALGO to get a list of known algorithms. For
1939 OpenPGP cards several algos may be given. Note that the OpenPGP
1940 key generation is done interactively unless '--algo' or KEYREF are
1944 Prepare the OpenPGP card KDF feature for this card.
1947 Change the language info for the card. This info can be used by
1948 applications for a personalized greeting. Up to 4 two-digit
1949 language identifiers can be entered as a preference. The option
1950 '--clear' removes all identifiers. GnuPG does not use this info.
1952 'LIST [--cards] [--apps] [--info] [--no-key-lookup] [N] [APP]'
1954 This command reads all information from the current card and
1955 display them in a human readable format. The first section shows
1956 generic information vaialable for all cards. The next section
1957 shows information pertaining to keys which depend on the actual
1958 card and application.
1960 With N given select and list the n-th card; with APP also given
1961 select that application. To select an APP on the current card use
1962 "-" for N. The serial number of the card may be used instead of N.
1964 The option '--cards' lists the serial numbers of available cards.
1965 The option '--apps' lists all card applications. The option
1966 '--info' selects a card and prints its serial number. The option
1967 '--no-key-lookup' suppresses the listing of matching OpenPGP or
1970 'LOGIN [--clear] [< FILE]'
1971 Set the login data object of OpenPGP cards. If FILE is given the
1972 data is is read from that file. This allows to store binary data
1973 in the login field. The option '--clear' deletes the login data
1977 Set the name field of an OpenPGP card. With option '--clear' the
1978 stored name is cleared off the card.
1980 'PASSWD [--reset|--nullpin] [PINREF]'
1981 Change or unblock the PINs. Note that in interactive mode and
1982 without a PINREF a menu is presented for certain cards." In
1983 non-interactive mode and without a PINREF a default value i used
1984 for these cards. The option '--reset' is used with TCOS cards to
1985 reset the PIN using the PUK or vice versa; the option -NULLPIN is
1986 used for these cards to set the initial PIN.
1988 'PRIVATEDO [--clear] N [< FILE]'
1989 Change the private data object N of an OpenPGP card. N must be in
1990 the range 1 to 4. If FILE is given the data is is read from that
1991 file. The option '--clear' clears the data.
1995 Stop processing and terminate 'gpg-card'.
1997 'READCERT [--openpgp] CERTREF > FILE'
1998 Read the certificate for key CERTREF and store it in FILE. With
1999 option '--openpgp' an OpenPGP keyblock wrapped in a dedicated CMS
2000 content type (OID=1.3.6.1.4.1.11591.2.3.1) is expected and
2001 extracted to FILE. Note that for current OpenPGP cards a
2002 certificate may only be available at the CERTREF "OPENPGP.3".
2005 Send a reset to the card daemon.
2007 'SALUTATION [--clear]'
2009 Change the salutation info for the card. This info can be used by
2010 applications for a personalized greeting. The option '--clear'
2011 removes this data object. GnuPG does not use this info.
2013 'UIF N [on|off|permanent]'
2014 Change the User Interaction Flag. That flags tells whether the
2015 confirmation button of a token shall be used. N must in the range
2016 1 to 3. "permanent" is the same as "on" but the flag can't be
2020 Unblock a PIN using a PUK or Reset Code. Note that OpenPGP cards
2021 prior to version 2 can't use this; instead the 'PASSWD' can be used
2025 Set the URL data object of an OpenPGP card. That data object can
2026 be used by by 'gpg''s '--fetch' command to retrieve the full public
2027 key. The option '--clear' deletes the content of that data object.
2030 Verify the PIN identified by CHVID or the default PIN.
2032 'WRITECERT CERTREF < FILE'
2033 'WRITECERT --openpgp CERTREF [< FILE|FPR]'
2034 'WRITECERT --clear CERTREF'
2035 Write a certificate to the card under the id CERTREF. The option
2036 '--clear' removes the certificate from the card. The option
2037 '--openpgp' expects an OpenPGP keyblock and stores it encapsulated
2038 in a CMS container; the keyblock is taken from FILE or directly
2039 from the OpenPGP key identified by fingerprint FPR.
2041 'WRITEKEY [--force] KEYREF KEYGRIP'
2042 Write a private key object identified by KEYGRIP to the card under
2043 the id KEYREF. Option '--force' allows overwriting an existing
2047 Various commands pertaining to Yubikey tokens with CMD being:
2049 List supported and enabled Yubikey applications.
2050 ENABLE USB|NFC|ALL [OTP|U2F|OPGP|PIV|OATH|FIDO2|ALL]
2052 Enable or disable the specified or all applications on the
2055 The support for OpenPGP cards in 'gpg-card' is not yet complete. For
2056 missing features, please continue to use 'gpg --card-edit'.
2058 GnuPG has support for PIV cards ("Personal Identity Verification" as
2059 specified by NIST Special Publication 800-73-4). This section describes
2060 how to initialize (personalize) a fresh Yubikey token featuring the PIV
2061 application (requires Yubikey-5). We assume that the credentials have
2062 not yet been changed and thus are:
2064 This is a 24 byte key described by the hex string
2065 '010203040506070801020304050607080102030405060708'.
2067 This is the string '123456'.
2069 This is the string '12345678'.
2070 See the example section on how to change these defaults. For
2071 production use it is important to use secure values for them. Note that
2072 the Authentication Key is not queried via the usual Pinentry dialog but
2073 needs to be entered manually or read from a file. The use of a
2074 dedicated machine to personalize tokens is strongly suggested.
2076 To see what is on the card, the command 'list' can be given. We will
2077 use the interactive mode in the following (the string _gpg/card>_ is the
2078 prompt). An example output for a fresh card is:
2081 Reader ...........: 1050:0407:X:0
2082 Card type ........: yubikey
2083 Card firmware ....: 5.1.2
2084 Serial number ....: D2760001240102010006090746250000
2085 Application type .: OpenPGP
2086 Version ..........: 2.1
2089 It can be seen by the "Application type" line that GnuPG selected the
2090 OpenPGP application of the Yubikey. This is because GnuPG assigns the
2091 highest priority to the OpenPGP application. To use the PIV application
2092 of the Yubikey several methods can be used:
2094 With a Yubikey 5 or later the OpenPGP application on the Yubikey can
2097 gpg/card> yubikey disable all opgp
2098 gpg/card> yubikey list
2100 -----------------------
2109 The 'reset' is required so that the GnuPG system rereads the card.
2110 Note that disabled applications keep all their data and can at any time
2111 be re-enabled (use 'help yubikey').
2113 Another option, which works for all Yubikey versions, is to disable
2114 the support for OpenPGP cards in scdaemon. This is done by adding the
2117 disable-application openpgp
2119 to '~/.gnupg/scdaemon.conf' and by restarting scdaemon, either by
2120 killing the process or by using 'gpgconf --kill scdaemon'. Finally the
2121 default order in which card applications are tried by scdaemon can be
2122 changed. For example to prefer PIV over OpenPGP it is sufficient to add
2124 application-priority piv
2126 to '~/.gnupg/scdaemon.conf' and to restart 'scdaemon'. This has an
2127 effect only on tokens which support both, PIV and OpenPGP, but does not
2128 hamper the use of OpenPGP only tokens.
2130 With one of these methods employed the 'list' command of 'gpg-card'
2134 Reader ...........: 1050:0407:X:0
2135 Card type ........: yubikey
2136 Card firmware ....: 5.1.2
2137 Serial number ....: FF020001008A77C1
2138 Application type .: PIV
2139 Version ..........: 1.0
2140 Displayed s/n ....: yk-9074625
2141 PIN usage policy .: app-pin
2142 PIN retry counter : - 3 -
2143 PIV authentication: [none]
2144 keyref .....: PIV.9A
2145 Card authenticat. : [none]
2146 keyref .....: PIV.9E
2147 Digital signature : [none]
2148 keyref .....: PIV.9C
2149 Key management ...: [none]
2150 keyref .....: PIV.9D
2152 In case several tokens are plugged into the computer, gpg-card will
2153 show only one. To show another token the number of the token (0, 1, 2,
2154 ...) can be given as an argument to the 'list' command. The command
2155 'list --cards' prints a list of all inserted tokens.
2157 Note that the "Displayed s/n" is printed on the token and also shown
2158 in Pinentry prompts asking for the PIN. The four standard key slots are
2159 always shown, if other key slots are initialized they are shown as well.
2160 The _PIV authentication_ key (internal reference _PIV.9A_) is used to
2161 authenticate the card and the card holder. The use of the associated
2162 private key is protected by the Application PIN which needs to be
2163 provided once and the key can the be used until the card is reset or
2164 removed from the reader or USB port. GnuPG uses this key with its
2165 _Secure Shell_ support. The _Card authentication_ key (_PIV.9E_) is
2166 also known as the CAK and used to support physical access applications.
2167 The private key is not protected by a PIN and can thus immediately be
2168 used. The _Digital signature_ key (_PIV.9C_) is used to digitally sign
2169 documents. The use of the associated private key is protected by the
2170 Application PIN which needs to be provided for each signing operation.
2171 The _Key management_ key (_PIV.9D_) is used for encryption. The use of
2172 the associated private key is protected by the Application PIN which
2173 needs to be provided only once so that decryption operations can then be
2174 done until the card is reset or removed from the reader or USB port.
2176 We now generate three of the four keys. Note that GnuPG does
2177 currently not use the the _Card authentication_ key; however, that key
2178 is mandatory by the PIV standard and thus we create it too. Key
2179 generation requires that we authenticate to the card. This can be done
2180 either on the command line (which would reveal the key):
2182 gpg/card> auth 010203040506070801020304050607080102030405060708
2184 or by reading the key from a file. That file needs to consist of one
2185 LF terminated line with the hex encoded key (as above):
2187 gpg/card> auth < myauth.key
2189 As usual 'help auth' gives help for this command. An error message
2190 is printed if a non-matching key is used. The authentication is valid
2191 until a reset of the card or until the card is removed from the reader
2192 or the USB port. Note that that in non-interactive mode the '<' needs
2193 to be quoted so that the shell does not interpret it as a its own
2196 Here are the actual commands to generate the keys:
2198 gpg/card> generate --algo=nistp384 PIV.9A
2199 PIV card no. yk-9074625 detected
2200 gpg/card> generate --algo=nistp256 PIV.9E
2201 PIV card no. yk-9074625 detected
2202 gpg/card> generate --algo=rsa2048 PIV.9C
2203 PIV card no. yk-9074625 detected
2205 If a key has already been created for one of the slots an error will
2206 be printed; to create a new key anyway the option '--force' can be used.
2207 Note that only the private and public keys have been created but no
2208 certificates are stored in the key slots. In fact, GnuPG uses its own
2209 non-standard method to store just the public key in place of the the
2210 certificate. Other application will not be able to make use these keys
2211 until 'gpgsm' or another tool has been used to create and store the
2212 respective certificates. Let us see what the list command now shows:
2215 Reader ...........: 1050:0407:X:0
2216 Card type ........: yubikey
2217 Card firmware ....: 5.1.2
2218 Serial number ....: FF020001008A77C1
2219 Application type .: PIV
2220 Version ..........: 1.0
2221 Displayed s/n ....: yk-9074625
2222 PIN usage policy .: app-pin
2223 PIN retry counter : - 3 -
2224 PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
2225 keyref .....: PIV.9A (auth)
2226 algorithm ..: nistp384
2227 Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
2228 keyref .....: PIV.9E (auth)
2229 algorithm ..: nistp256
2230 Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
2231 keyref .....: PIV.9C (sign,cert)
2232 algorithm ..: rsa2048
2233 Key management ...: [none]
2234 keyref .....: PIV.9D
2236 The primary information for each key is the _keygrip_, a 40 byte
2237 hex-string identifying the key. This keygrip is a unique identifier for
2238 the specific parameters of a key. It is used by 'gpg-agent' and other
2239 parts of GnuPG to associate a private key to its protocol specific
2240 certificate format (X.509, OpenPGP, or SecureShell). Below the keygrip
2241 the key reference along with the key usage capabilities are show.
2242 Finally the algorithm is printed in the format used by 'gpg'. At that
2243 point no other information is shown because for these new keys gpg won't
2244 be able to find matching certificates.
2246 Although we could have created the _Key management_ key also with the
2247 generate command, we will create that key off-card so that a backup
2248 exists. To accomplish this a key needs to be created with either 'gpg'
2249 or 'gpgsm' or imported in one of these tools. In our example we create
2250 a self-signed X.509 certificate (exit the gpg-card tool, first):
2252 $ gpgsm --gen-key -o encr.crt
2255 (3) Existing key from card
2257 What keysize do you want? (3072) 2048
2258 Requested keysize is 2048 bits
2259 Possible actions for a RSA key:
2264 Enter the X.509 subject name: CN=Encryption key for yk-9074625,O=example,C=DE
2265 Enter email addresses (end with an empty line):
2268 Enter DNS names (optional; end with an empty line):
2270 Enter URIs (optional; end with an empty line):
2272 Create self-signed certificate? (y/N) y
2273 These parameters are used:
2278 Name-DN: CN=Encryption key for yk-9074625,O=example,C=DE
2279 Name-Email: otto@example.net
2281 Proceed with creation? (y/N)
2282 Now creating self-signed certificate. This may take a while ...
2283 gpgsm: about to sign the certificate for key: &34798AAFE0A7565088101CC4AE31C5C8C74461CB
2284 gpgsm: certificate created
2286 $ gpgsm --import encr.crt
2287 gpgsm: certificate imported
2288 gpgsm: total number processed: 1
2291 Note the last step which imported the created certificate. If you
2292 you instead created a certificate signing request (CSR) instead of a
2293 self-signed certificate and sent this off to a CA you would do the same
2294 import step with the certificate received from the CA. Take note of the
2295 keygrip (prefixed with an ampersand) as shown during the certificate
2296 creation or listed it again using 'gpgsm --with-keygrip -k
2297 otto@example.net'. Now to move the key and certificate to the card
2298 start 'gpg-card' again and enter:
2300 gpg/card> writekey PIV.9D 34798AAFE0A7565088101CC4AE31C5C8C74461CB
2301 gpg/card> writecert PIV.9D < encr.crt
2303 If you entered a passphrase to protect the private key, you will be
2304 asked for it via the Pinentry prompt. On success the key and the
2305 certificate has been written to the card and a 'list' command shows:
2308 Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
2309 keyref .....: PIV.9D (encr)
2310 algorithm ..: rsa2048
2312 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
2313 user id ..: <otto@example.net>
2315 In case the same key (identified by the keygrip) has been used for
2316 several certificates you will see several "used for" parts. With this
2317 the encryption key is now fully functional and can be used to decrypt
2318 messages encrypted to this certificate. TAKE CARE: the original key is
2319 still stored on-disk and should be moved to a backup medium. This can
2320 simply be done by copying the file
2321 '34798AAFE0A7565088101CC4AE31C5C8C74461CB.key' from the directory
2322 '~/.gnupg/private-keys-v1.d/' to the backup medium and deleting the file
2323 at its original place.
2325 The final example is to create a self-signed certificate for digital
2326 signatures. Leave 'gpg-card' using 'quit' or by pressing Control-D and
2330 $ gpgsm --gen-key -o sign.crt
2331 Please select what kind of key you want:
2334 (3) Existing key from card
2336 Serial number of the card: FF020001008A77C1
2338 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384
2339 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256
2340 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048
2341 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048
2343 Possible actions for a RSA key:
2348 Enter the X.509 subject name: CN=Signing key for yk-9074625,O=example,C=DE
2349 Enter email addresses (end with an empty line):
2352 Enter DNS names (optional; end with an empty line):
2354 Enter URIs (optional; end with an empty line):
2356 Create self-signed certificate? (y/N)
2357 These parameters are used:
2358 Key-Type: card:PIV.9C
2362 Name-DN: CN=Signing key for yk-9074625,O=example,C=DE
2363 Name-Email: otto@example.net
2365 Proceed with creation? (y/N) y
2366 Now creating self-signed certificate. This may take a while ...
2367 gpgsm: about to sign the certificate for key: &32A6C6FAFCB8421878608AAB452D5470DD3223ED
2368 gpgsm: certificate created
2370 $ gpgsm --import sign.crt
2371 gpgsm: certificate imported
2372 gpgsm: total number processed: 1
2375 The use of 'gpgsm --learn' is currently necessary so that gpg-agent
2376 knows what keys are available on the card. The need for this command
2377 will eventually be removed. The remaining commands are similar to the
2378 creation of an on-disk key. However, here we select the 'Digital
2379 signature' key. During the creation process you will be asked for the
2380 Application PIN of the card. The final step is to write the certificate
2381 to the card using 'gpg-card':
2383 gpg/card> writecert PIV.9C < sign.crt
2385 By running list again we will see the fully initialized card:
2387 Reader ...........: 1050:0407:X:0
2388 Card type ........: yubikey
2389 Card firmware ....: 5.1.2
2390 Serial number ....: FF020001008A77C1
2391 Application type .: PIV
2392 Version ..........: 1.0
2393 Displayed s/n ....: yk-9074625
2394 PIN usage policy .: app-pin
2395 PIN retry counter : - [verified] -
2396 PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
2397 keyref .....: PIV.9A (auth)
2398 algorithm ..: nistp384
2399 Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
2400 keyref .....: PIV.9E (auth)
2401 algorithm ..: nistp256
2402 Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
2403 keyref .....: PIV.9C (sign,cert)
2404 algorithm ..: rsa2048
2406 user id ..: CN=Signing key for yk-9074625,O=example,C=DE
2407 user id ..: <otto@example.net>
2408 Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
2409 keyref .....: PIV.9D (encr)
2410 algorithm ..: rsa2048
2412 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
2413 user id ..: <otto@example.net>
2415 It is now possible to sign and to encrypt with this card using gpgsm
2416 and to use the 'PIV authentication' key with ssh:
2419 384 SHA256:0qnJ0Y0ehWxKcx2frLfEljf6GCdlO55OZed5HqGHsaU cardno:yk-9074625 (ECDSA)
2421 As usual use ssh-add with the uppercase '-L' to list the public ssh
2422 key. To use the certificates with Thunderbird or Mozilla, please
2423 consult the Scute manual for details.
2425 If you want to use the same PIV keys also for OpenPGP (for example on
2426 a Yubikey to avoid switching between OpenPGP and PIV), this is also
2430 $ gpg --full-gen-key
2431 Please select what kind of key you want:
2432 (1) RSA and RSA (default)
2436 (14) Existing key from card
2438 Serial number of the card: FF020001008A77C1
2440 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
2441 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
2442 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
2443 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
2445 Please specify how long the key should be valid.
2446 0 = key does not expire
2447 <n> = key expires in n days
2448 <n>w = key expires in n weeks
2449 <n>m = key expires in n months
2450 <n>y = key expires in n years
2451 Key is valid for? (0)
2452 Key does not expire at all
2453 Is this correct? (y/N) y
2455 GnuPG needs to construct a user ID to identify your key.
2458 Email address: otto@example.net
2460 You selected this USER-ID:
2463 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
2464 gpg: key C3AFA9ED971BB365 marked as ultimately trusted
2465 gpg: revocation certificate stored as '[...]D971BB365.rev'
2466 public and secret key created and signed.
2468 Note that this key cannot be used for encryption. You may want to use
2469 the command "--edit-key" to generate a subkey for this purpose.
2470 pub rsa2048 2019-04-04 [SC]
2471 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
2472 uid otto@example.net
2474 Note that you will be asked two times to enter the PIN of your PIV
2475 card. If you run 'gpg' in '--expert' mode you will also ge given the
2476 option to change the usage flags of the key. The next typescript shows
2477 how to add the encryption subkey:
2479 $ gpg --edit-key 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
2480 Secret key is available.
2482 sec rsa2048/C3AFA9ED971BB365
2483 created: 2019-04-04 expires: never usage: SC
2484 card-no: FF020001008A77C1
2485 trust: ultimate validity: ultimate
2486 [ultimate] (1). otto@example.net
2488 Secret parts of primary key are stored on-card.
2489 Please select what kind of key you want:
2492 (5) Elgamal (encrypt only)
2493 (6) RSA (encrypt only)
2494 (14) Existing key from card
2496 Serial number of the card: FF020001008A77C1
2498 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
2499 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
2500 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
2501 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
2503 Please specify how long the key should be valid.
2504 0 = key does not expire
2505 <n> = key expires in n days
2506 <n>w = key expires in n weeks
2507 <n>m = key expires in n months
2508 <n>y = key expires in n years
2509 Key is valid for? (0)
2510 Key does not expire at all
2511 Is this correct? (y/N) y
2512 Really create? (y/N) y
2514 sec rsa2048/C3AFA9ED971BB365
2515 created: 2019-04-04 expires: never usage: SC
2516 card-no: FF020001008A77C1
2517 trust: ultimate validity: ultimate
2518 ssb rsa2048/7067860A98FCE6E1
2519 created: 2019-04-04 expires: never usage: E
2520 card-no: FF020001008A77C1
2521 [ultimate] (1). otto@example.net
2525 Now you can use your PIV card also with 'gpg'.
2528 File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Smart Card Tool, Up: Top
2533 GnuPG comes with a couple of smaller tools:
2537 * watchgnupg:: Read logs from a socket.
2538 * gpgv:: Verify OpenPGP signatures.
2539 * addgnupghome:: Create .gnupg home directories.
2540 * gpgconf:: Modify .gnupg home directories.
2541 * applygnupgdefaults:: Run gpgconf for all users.
2542 * gpg-preset-passphrase:: Put a passphrase into the cache.
2543 * gpg-connect-agent:: Communicate with a running agent.
2544 * dirmngr-client:: How to use the Dirmngr client tool.
2545 * gpgparsemail:: Parse a mail message into an annotated format
2546 * gpgtar:: Encrypt or sign files into an archive.
2547 * gpg-check-pattern:: Check a passphrase on stdin against the patternfile.
2550 File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
2552 10.1 Read logs from a socket
2553 ============================
2555 Most of the main utilities are able to write their log files to a Unix
2556 Domain socket if configured that way. 'watchgnupg' is a simple listener
2557 for such a socket. It ameliorates the output with a time stamp and
2558 makes sure that long lines are not interspersed with log output from
2559 other utilities. This tool is not available for Windows.
2561 'watchgnupg' is commonly invoked as
2565 which is a shorthand for
2567 watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
2569 To watch GnuPG running with a different home directory, use
2571 watchgnupg --homedir DIR
2573 This starts it on the current terminal for listening on the standard
2574 logging socket (this is commonly '/var/run/user/UID/gnupg/S.log' or if
2575 no such user directory hierarchy exists '~/.gnupg/S.log').
2577 'watchgnupg' understands these options:
2580 Delete an already existing socket file. This option is implicitly
2581 used if no socket name has been given on the command line.
2584 If no socket name is given on the command line, pass DIR to gpgconf
2585 so that the socket for a GnuPG running with DIR has its home
2586 directory is used. Note that the environment variable GNUPGHOME is
2587 ignored by watchgnupg.
2590 Instead of reading from a local socket, listen for connects on TCP
2591 port N. A Unix domain socket can optionally also be given as a
2592 second source. This option does not use a default socket name.
2595 Do not print the date part of the timestamp.
2598 Enable extra informational output.
2601 Print version of the program and exit.
2604 Display a brief help page and exit.
2610 $ watchgnupg --time-only
2612 This waits for connections on the local socket (e.g.
2613 '/var/run/user/1234/gnupg/S.log') and shows all log entries. To make
2614 this work the option 'log-file' needs to be used with all modules which
2615 logs are to be shown. The suggested entry for the configuration files
2620 If the default socket as given above and returned by "echo $(gpgconf
2621 -list-dirs socketdir)/S.log" is not desired an arbitrary socket name can
2622 be specified, for example 'socket:///home/foo/bar/mysocket'. For
2623 debugging purposes it is also possible to do remote logging. Take care
2624 if you use this feature because the information is send in the clear
2625 over the network. Use this syntax in the conf files:
2627 log-file tcp://192.168.1.1:4711
2629 You may use any port and not just 4711 as shown above; only IP
2630 addresses are supported (v4 and v6) and no host names. You need to
2631 start 'watchgnupg' with the 'tcp' option. Note that under Windows the
2632 registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
2633 change the default log output from 'stderr' to whatever is given by that
2634 entry. However the only useful entry is a TCP name for remote
2638 File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
2640 10.2 Verify OpenPGP signatures
2641 ==============================
2643 'gpgv' is an OpenPGP signature verification tool.
2645 This program is actually a stripped-down version of 'gpg' which is
2646 only able to check signatures. It is somewhat smaller than the
2647 fully-blown 'gpg' and uses a different (and simpler) way to check that
2648 the public keys used to make the signature are valid. There are no
2649 configuration files and only a few options are implemented.
2651 'gpgv' assumes that all keys in the keyring are trustworthy. That
2652 does also mean that it does not check for expired or revoked keys.
2654 If no '--keyring' option is given, 'gpgv' looks for a "default"
2655 keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the
2656 home directory of GnuPG, either the default home directory or the one
2657 set by the '--homedir' option or the 'GNUPGHOME' environment variable.
2658 If any '--keyring' option is used, 'gpgv' will not look for the default
2659 keyring. The '--keyring' option may be used multiple times and all
2660 specified keyrings will be used together.
2663 'gpgv' recognizes these options:
2667 Gives more information during processing. If used twice, the input
2668 data is listed in detail.
2672 Try to be as quiet as possible.
2675 Add FILE to the list of keyrings. If FILE begins with a tilde and
2676 a slash, these are replaced by the HOME directory. If the filename
2677 does not contain a slash, it is assumed to be in the home-directory
2678 ("~/.gnupg" if -homedir is not used).
2682 Write output to FILE; to write to stdout use '-'. This option can
2683 be used to get the signed text from a cleartext or binary
2684 signature; it also works for detached signatures, but in that case
2685 this option is in general not useful. Note that an existing file
2686 will be overwritten.
2689 Write special status strings to the file descriptor N. See the
2690 file DETAILS in the documentation for a listing of them.
2693 Write log output to file descriptor 'n' and not to stderr.
2696 Same as '--logger-fd', except the logger data is written to file
2697 'file'. Use 'socket://' to log to socket.
2699 '--ignore-time-conflict'
2700 GnuPG normally checks that the timestamps associated with keys and
2701 signatures have plausible values. However, sometimes a signature
2702 seems to be older than the key due to clock problems. This option
2703 turns these checks into warnings.
2706 Set the name of the home directory to DIR. If this option is not
2707 used, the home directory defaults to '~/.gnupg'. It is only
2708 recognized when given on the command line. It also overrides any
2709 home directory stated through the environment variable 'GNUPGHOME'
2710 or (on Windows systems) by means of the Registry entry
2711 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2713 On Windows systems it is possible to install GnuPG as a portable
2714 application. In this case only this command line option is
2715 considered, all other ways to set a home directory are ignored.
2717 To install GnuPG as a portable application under Windows, create an
2718 empty file named 'gpgconf.ctl' in the same directory as the tool
2719 'gpgconf.exe'. The root of the installation is then that
2720 directory; or, if 'gpgconf.exe' has been installed directly below a
2721 directory named 'bin', its parent directory. You also need to make
2722 sure that the following directories exist and are writable:
2723 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
2724 for internal cache files.
2726 '--weak-digest name'
2727 Treat the specified digest algorithm as weak. Signatures made over
2728 weak digests algorithms are normally rejected. This option can be
2729 supplied multiple times if multiple algorithms should be considered
2730 weak. MD5 is always considered weak, and does not need to be
2733 '--enable-special-filenames'
2734 This option enables a mode in which filenames of the form '-&n',
2735 where n is a non-negative decimal number, refer to the file
2736 descriptor n and not to a file with that name.
2738 The program returns 0 if everything is fine, 1 if at least one
2739 signature was bad, and other error codes for fatal errors.
2745 gpgv 'sigfile' ['datafile']
2746 Verify the signature of the file. The second form is used for
2747 detached signatures, where 'sigfile' is the detached signature
2748 (either ASCII-armored or binary) and 'datafile' contains the signed
2749 data; if 'datafile' is "-" the signed data is expected on 'stdin';
2750 if 'datafile' is not given the name of the file holding the signed
2751 data is constructed by cutting off the extension (".asc", ".sig" or
2752 ".sign") from 'sigfile'.
2758 Used to locate the default home directory.
2761 If set directory used instead of "~/.gnupg".
2766 ~/.gnupg/trustedkeys.gpg
2767 The default keyring with the allowed keys.
2772 File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
2774 10.3 Create .gnupg home directories
2775 ===================================
2777 If GnuPG is installed on a system with existing user accounts, it is
2778 sometimes required to populate the GnuPG home directory with existing
2779 files. Especially a 'trustlist.txt' and a keybox with some initial
2780 certificates are often desired. This script helps to do this by copying
2781 all files from '/etc/skel/.gnupg' to the home directories of the
2782 accounts given on the command line. It takes care not to overwrite
2783 existing GnuPG home directories.
2785 'addgnupghome' is invoked by root as:
2787 addgnupghome account1 account2 ... accountn
2790 File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
2792 10.4 Modify .gnupg home directories
2793 ===================================
2795 The 'gpgconf' is a utility to automatically and reasonable safely query
2796 and modify configuration files in the '.gnupg' home directory. It is
2797 designed not to be invoked manually by the user, but automatically by
2798 graphical user interfaces (GUI).(1)
2800 'gpgconf' provides access to the configuration of one or more
2801 components of the GnuPG system. These components correspond more or
2802 less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
2803 DirMngr, etc. But this is not a strict one-to-one relationship. Not
2804 all configuration options are available through 'gpgconf'. 'gpgconf'
2805 provides a generic and abstract method to access the most important
2806 configuration options that can feasibly be controlled via such a
2809 'gpgconf' can be used to gather and change the options available in
2810 each component, and can also provide their default values. 'gpgconf'
2811 will give detailed type information that can be used to restrict the
2812 user's input without making an attempt to commit the changes.
2814 'gpgconf' provides the backend of a configuration editor. The
2815 configuration editor would usually be a graphical user interface program
2816 that displays the current options, their default values, and allows the
2817 user to make changes to the options. These changes can then be made
2818 active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
2819 way will be called GUI throughout this section.
2823 * Invoking gpgconf:: List of all commands and options.
2824 * Format conventions:: Formatting conventions relevant for all commands.
2825 * Listing components:: List all gpgconf components.
2826 * Checking programs:: Check all programs known to gpgconf.
2827 * Listing options:: List all options of a component.
2828 * Changing options:: Changing options of a component.
2829 * Listing global options:: List all global options.
2830 * Querying versions:: Get and compare software versions.
2831 * Files used by gpgconf:: What files are used by gpgconf.
2833 ---------- Footnotes ----------
2835 (1) Please note that currently no locking is done, so concurrent
2836 access should be avoided. There are some precautions to avoid
2837 corruption with concurrent usage, but results may be inconsistent and
2838 some changes may get lost. The stateless design makes it difficult to
2839 provide more guarantees.
2842 File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
2844 10.4.1 Invoking gpgconf
2845 -----------------------
2847 One of the following commands must be given:
2850 List all components. This is the default command used if none is
2854 List all available backend programs and test whether they are
2857 '--list-options COMPONENT'
2858 List all options of the component COMPONENT.
2860 '--change-options COMPONENT'
2861 Change the options of the component COMPONENT.
2863 '--check-options COMPONENT'
2864 Check the options for the component COMPONENT.
2866 '--apply-profile FILE'
2867 Apply the configuration settings listed in FILE to the
2868 configuration files. If FILE has no suffix and no slashes the
2869 command first tries to read a file with the suffix '.prf' from the
2870 data directory ('gpgconf --list-dirs datadir') before it reads the
2871 file verbatim. A profile is divided into sections using the
2872 bracketed component name. Each section then lists the option which
2873 shall go into the respective configuration file.
2876 Update all configuration files with values taken from the global
2877 configuration file (usually '/etc/gnupg/gpgconf.conf'). Note: This
2878 is a legacy mechanism. Please use global configuration files
2881 '--list-dirs [NAMES]'
2883 Lists the directories used by 'gpgconf'. One directory is listed
2884 per line, and each line consists of a colon-separated list where
2885 the first field names the directory type (for example 'sysconfdir')
2886 and the second field contains the percent-escaped directory.
2887 Although they are not directories, the socket file names used by
2888 'gpg-agent' and 'dirmngr' are printed as well. Note that the
2889 socket file names and the 'homedir' lines are the default names and
2890 they may be overridden by command line switches. If NAMES are
2891 given only the directories or file names specified by the list
2892 names are printed without any escaping.
2894 '--list-config [FILENAME]'
2895 List the global configuration file in a colon separated format. If
2896 FILENAME is given, check that file instead.
2898 '--check-config [FILENAME]'
2899 Run a syntax check on the global configuration file. If FILENAME
2900 is given, check that file instead.
2902 '--query-swdb PACKAGE_NAME [VERSION_STRING]'
2903 Returns the current version for PACKAGE_NAME and if VERSION_STRING
2904 is given also an indicator on whether an update is available. The
2905 actual file with the software version is automatically downloaded
2906 and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
2907 download the file too often and it does this by default only if it
2908 can be done via Tor. To force an update of that file this command
2911 gpg-connect-agent --dirmngr 'loadswdb --force' /bye
2913 '--reload [COMPONENT]'
2915 Reload all or the given component. This is basically the same as
2916 sending a SIGHUP to the component. Components which don't support
2917 reloading are ignored. Without COMPONENT or by using "all" for
2918 COMPONENT all components which are daemons are reloaded.
2920 '--launch [COMPONENT]'
2921 If the COMPONENT is not already running, start it. 'component'
2922 must be a daemon. This is in general not required because the
2923 system starts these daemons as needed. However, external software
2924 making direct use of 'gpg-agent' or 'dirmngr' may use this command
2925 to ensure that they are started. Using "all" for COMPONENT
2926 launches all components which are daemons.
2928 '--kill [COMPONENT]'
2930 Kill the given component that runs as a daemon, including
2931 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does
2932 not run as a daemon will be ignored. Using "all" for COMPONENT
2933 kills all components running as daemons. Note that as of now
2934 reload and kill have the same effect for 'scdaemon'.
2936 '--create-socketdir'
2937 Create a directory for sockets below /run/user or /var/run/user.
2938 This is command is only required if a non default home directory is
2939 used and the /run based sockets shall be used. For the default
2940 home directory GnUPG creates a directory on the fly.
2942 '--remove-socketdir'
2943 Remove a directory created with command '--create-socketdir'.
2945 The following options may be used:
2949 Write output to FILE. Default is to write to stdout.
2953 Outputs additional information while running. Specifically, this
2954 extends numerical field values by human-readable descriptions.
2958 Try to be as quiet as possible.
2961 Set the name of the home directory to DIR. If this option is not
2962 used, the home directory defaults to '~/.gnupg'. It is only
2963 recognized when given on the command line. It also overrides any
2964 home directory stated through the environment variable 'GNUPGHOME'
2965 or (on Windows systems) by means of the Registry entry
2966 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2968 On Windows systems it is possible to install GnuPG as a portable
2969 application. In this case only this command line option is
2970 considered, all other ways to set a home directory are ignored.
2972 To install GnuPG as a portable application under Windows, create an
2973 empty file named 'gpgconf.ctl' in the same directory as the tool
2974 'gpgconf.exe'. The root of the installation is then that
2975 directory; or, if 'gpgconf.exe' has been installed directly below a
2976 directory named 'bin', its parent directory. You also need to make
2977 sure that the following directories exist and are writable:
2978 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
2979 for internal cache files.
2982 Change the current user to UID which may either be a number or a
2983 name. This can be used from the root account to get information on
2984 the GnuPG environment of the specified user or to start or kill
2985 daemons. If UID is not the current UID a standard PATH is set and
2986 the envvar GNUPGHOME is unset. To override the latter the option
2987 '--homedir' can be used. This option has currently no effect on
2992 Do not actually change anything. This is currently only
2993 implemented for '--change-options' and can be used for testing
2998 Only used together with '--change-options'. If one of the modified
2999 options can be changed in a running daemon process, signal the
3000 running daemon to ask it to reparse its configuration file after
3003 This means that the changes will take effect at run-time, as far as
3004 this is possible. Otherwise, they will take effect at the next
3005 start of the respective backend programs.
3008 Write special status strings to the file descriptor N. This
3009 program returns the status messages SUCCESS or FAILURE which are
3010 helpful when the caller uses a double fork approach and can't
3011 easily get the return code of the process.
3014 File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
3016 10.4.2 Format conventions
3017 -------------------------
3019 Some lines in the output of 'gpgconf' contain a list of colon-separated
3020 fields. The following conventions apply:
3022 * The GUI program is required to strip off trailing newline and/or
3023 carriage return characters from the output.
3025 * 'gpgconf' will never leave out fields. If a certain version
3026 provides a certain field, this field will always be present in all
3027 'gpgconf' versions from that time on.
3029 * Future versions of 'gpgconf' might append fields to the list. New
3030 fields will always be separated from the previously last field by a
3031 colon separator. The GUI should be prepared to parse the last
3032 field it knows about up until a colon or end of line.
3034 * Not all fields are defined under all conditions. You are required
3035 to ignore the content of undefined fields.
3037 There are several standard types for the content of a field:
3040 Some fields contain strings that are not escaped in any way. Such
3041 fields are described to be used _verbatim_. These fields will
3042 never contain a colon character (for obvious reasons). No
3043 de-escaping or other formatting is required to use the field
3044 content. This is for easy parsing of the output, when it is known
3045 that the content can never contain any special characters.
3048 Some fields contain strings that are described to be
3049 _percent-escaped_. Such strings need to be de-escaped before their
3050 content can be presented to the user. A percent-escaped string is
3051 de-escaped by replacing all occurrences of '%XY' by the byte that
3052 has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
3056 Some fields contain strings that are described to be _localized_.
3057 Such strings are translated to the active language and formatted in
3058 the active character set.
3061 Some fields contain an _unsigned number_. This number will always
3062 fit into a 32-bit unsigned integer variable. The number may be
3063 followed by a space, followed by a human readable description of
3064 that value (if the verbose option is used). You should ignore
3065 everything in the field that follows the number.
3068 Some fields contain a _signed number_. This number will always fit
3069 into a 32-bit signed integer variable. The number may be followed
3070 by a space, followed by a human readable description of that value
3071 (if the verbose option is used). You should ignore everything in
3072 the field that follows the number.
3075 Some fields contain a _boolean value_. This is a number with
3076 either the value 0 or 1. The number may be followed by a space,
3077 followed by a human readable description of that value (if the
3078 verbose option is used). You should ignore everything in the field
3079 that follows the number; checking just the first character is
3080 sufficient in this case.
3083 Some fields contain an _option_ argument. The format of an option
3084 argument depends on the type of the option and on some flags:
3087 The simplest case is that the option does not take an argument
3088 at all (TYPE '0'). Then the option argument is an unsigned
3089 number that specifies how often the option occurs. If the
3090 'list' flag is not set, then the only valid number is '1'.
3091 Options that do not take an argument never have the 'default'
3092 or 'optional arg' flag set.
3095 If the option takes a number argument (ALT-TYPE is '2' or
3096 '3'), and it can only occur once ('list' flag is not set),
3097 then the option argument is either empty (only allowed if the
3098 argument is optional), or it is a number. A number is a
3099 string that begins with an optional minus character, followed
3100 by one or more digits. The number must fit into an integer
3101 variable (unsigned or signed, depending on ALT-TYPE).
3104 If the option takes a number argument and it can occur more
3105 than once, then the option argument is either empty, or it is
3106 a comma-separated list of numbers as described above.
3109 If the option takes a string argument (ALT-TYPE is 1), and it
3110 can only occur once ('list' flag is not set) then the option
3111 argument is either empty (only allowed if the argument is
3112 optional), or it starts with a double quote character ('"')
3113 followed by a percent-escaped string that is the argument
3114 value. Note that there is only a leading double quote
3115 character, no trailing one. The double quote character is
3116 only needed to be able to differentiate between no value and
3117 the empty string as value.
3120 If the option takes a string argument and it can occur more
3121 than once, then the option argument is either empty, or it is
3122 a comma-separated list of string arguments as described above.
3124 The active language and character set are currently determined from
3125 the locale environment of the 'gpgconf' program.
3128 File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
3130 10.4.3 Listing components
3131 -------------------------
3133 The command '--list-components' will list all components that can be
3134 configured with 'gpgconf'. Usually, one component will correspond to
3135 one GnuPG-related program and contain the options of that program's
3136 configuration file that can be modified using 'gpgconf'. However, this
3137 is not necessarily the case. A component might also be a group of
3138 selected options from several programs, or contain entirely virtual
3139 options that have a special effect rather than changing exactly one
3140 option in one configuration file.
3142 A component is a set of configuration options that semantically
3143 belong together. Furthermore, several changes to a component can be
3144 made in an atomic way with a single operation. The GUI could for
3145 example provide a menu with one entry for each component, or a window
3146 with one tabulator sheet per component.
3148 The command '--list-components' lists all available components, one
3149 per line. The format of each line is:
3151 'NAME:DESCRIPTION:PGMNAME:'
3154 This field contains a name tag of the component. The name tag is
3155 used to specify the component in all communication with 'gpgconf'.
3156 The name tag is to be used _verbatim_. It is thus not in any
3160 The _string_ in this field contains a human-readable description of
3161 the component. It can be displayed to the user of the GUI for
3162 informational purposes. It is _percent-escaped_ and _localized_.
3165 The _string_ in this field contains the absolute name of the
3166 program's file. It can be used to unambiguously invoke that
3167 program. It is _percent-escaped_.
3170 $ gpgconf --list-components
3171 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
3172 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
3173 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
3174 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
3175 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
3178 File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
3180 10.4.4 Checking programs
3181 ------------------------
3183 The command '--check-programs' is similar to '--list-components' but
3184 works on backend programs and not on components. It runs each program
3185 to test whether it is installed and runnable. This also includes a
3186 syntax check of all config file options of the program.
3188 The command '--check-programs' lists all available programs, one per
3189 line. The format of each line is:
3191 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
3194 This field contains a name tag of the program which is identical to
3195 the name of the component. The name tag is to be used _verbatim_.
3196 It is thus not in any escaped format. This field may be empty to
3197 indicate a continuation of error descriptions for the last name.
3198 The description and pgmname fields are then also empty.
3201 The _string_ in this field contains a human-readable description of
3202 the component. It can be displayed to the user of the GUI for
3203 informational purposes. It is _percent-escaped_ and _localized_.
3206 The _string_ in this field contains the absolute name of the
3207 program's file. It can be used to unambiguously invoke that
3208 program. It is _percent-escaped_.
3211 The _boolean value_ in this field indicates whether the program is
3212 installed and runnable.
3215 The _boolean value_ in this field indicates whether the program's
3216 config file is syntactically okay.
3219 If an error occurred in the configuration file (as indicated by a
3220 false value in the field 'okay'), this field has the name of the
3221 failing configuration file. It is _percent-escaped_.
3224 If an error occurred in the configuration file, this field has the
3225 line number of the failing statement in the configuration file. It
3226 is an _unsigned number_.
3229 If an error occurred in the configuration file, this field has the
3230 error text of the failing statement in the configuration file. It
3231 is _percent-escaped_ and _localized_.
3233 In the following example the 'dirmngr' is not runnable and the
3234 configuration file of 'scdaemon' is not okay.
3236 $ gpgconf --check-programs
3237 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
3238 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
3239 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
3240 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
3241 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
3243 The command '--check-options COMPONENT' will verify the configuration
3244 file in the same manner as '--check-programs', but only for the
3245 component COMPONENT.
3248 File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
3250 10.4.5 Listing options
3251 ----------------------
3253 Every component contains one or more options. Options may be gathered
3254 into option groups to allow the GUI to give visual hints to the user
3255 about which options are related.
3257 The command '--list-options COMPONENT' lists all options (and the
3258 groups they belong to) in the component COMPONENT, one per line.
3259 COMPONENT must be the string in the field NAME in the output of the
3260 '--list-components' command.
3262 There is one line for each option and each group. First come all
3263 options that are not in any group. Then comes a line describing a
3264 group. Then come all options that belong into each group. Then comes
3265 the next group and so on. There does not need to be any group (and in
3266 this case the output will stop after the last non-grouped option).
3268 The format of each line is:
3270 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
3273 This field contains a name tag for the group or option. The name
3274 tag is used to specify the group or option in all communication
3275 with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
3276 not in any escaped format.
3279 The flags field contains an _unsigned number_. Its value is the
3280 OR-wise combination of the following flag values:
3283 If this flag is set, this is a line describing a group and not
3286 The following flag values are only defined for options (that is, if
3287 the 'group' flag is not used).
3290 If this flag is set, the argument is optional. This is never
3291 set for TYPE '0' (none) options.
3294 If this flag is set, the option can be given multiple times.
3297 If this flag is set, the option can be changed at runtime.
3300 If this flag is set, a default value is available.
3303 If this flag is set, a (runtime) default is available. This
3304 and the 'default' flag are mutually exclusive.
3307 If this flag is set, and the 'optional arg' flag is set, then
3308 the option has a special meaning if no argument is given.
3311 If this flag is set, 'gpgconf' ignores requests to change the
3312 value. GUI frontends should grey out this option. Note, that
3313 manual changes of the configuration files are still possible.
3316 This field is defined for options and for groups. It contains an
3317 _unsigned number_ that specifies the expert level under which this
3318 group or option should be displayed. The following expert levels
3319 are defined for options (they have analogous meaning for groups):
3322 This option should always be offered to the user.
3325 This option may be offered to advanced users.
3328 This option should only be offered to expert users.
3331 This option should normally never be displayed, not even to
3335 This option is for internal use only. Ignore it.
3337 The level of a group will always be the lowest level of all options
3341 This field is defined for options and groups. The _string_ in this
3342 field contains a human-readable description of the option or group.
3343 It can be displayed to the user of the GUI for informational
3344 purposes. It is _percent-escaped_ and _localized_.
3347 This field is only defined for options. It contains an _unsigned
3348 number_ that specifies the type of the option's argument, if any.
3349 The following types are defined:
3354 No argument allowed.
3357 An _unformatted string_.
3363 An _unsigned number_.
3368 A _string_ that describes the pathname of a file. The file
3369 does not necessarily need to exist.
3372 A _string_ that describes an LDAP server in the format:
3374 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
3376 'key fingerprint (34)'
3377 A _string_ with a 40 digit fingerprint specifying a
3381 A _string_ that describes a certificate by user ID, key ID or
3385 A _string_ that describes a certificate with a key by user ID,
3386 key ID or fingerprint.
3389 A _string_ that describes an alias list, like the one used
3390 with gpg's group option. The list consists of a key, an equal
3391 sign and space separated values.
3393 More types will be added in the future. Please see the ALT-TYPE
3394 field for information on how to cope with unknown types.
3397 This field is identical to TYPE, except that only the types '0' to
3398 '31' are allowed. The GUI is expected to present the user the
3399 option in the format specified by TYPE. But if the argument type
3400 TYPE is not supported by the GUI, it can still display the option
3401 in the more generic basic type ALT-TYPE. The GUI must support all
3402 the defined basic types to be able to display all options. More
3403 basic types may be added in future versions. If the GUI encounters
3404 a basic type it doesn't support, it should report an error and
3405 abort the operation.
3408 This field is only defined for options with an argument type TYPE
3409 that is not '0'. In this case it may contain a _percent-escaped_
3410 and _localized string_ that gives a short name for the argument.
3411 The field may also be empty, though, in which case a short name is
3415 This field is defined only for options for which the 'default' or
3416 'default desc' flag is set. If the 'default' flag is set, its
3417 format is that of an _option argument_ (*note Format conventions::,
3418 for details). If the default value is empty, then no default is
3419 known. Otherwise, the value specifies the default value for this
3420 option. If the 'default desc' flag is set, the field is either
3421 empty or contains a description of the effect if the option is not
3425 This field is defined only for options for which the 'optional arg'
3426 flag is set. If the 'no arg desc' flag is not set, its format is
3427 that of an _option argument_ (*note Format conventions::, for
3428 details). If the default value is empty, then no default is known.
3429 Otherwise, the value specifies the default argument for this
3430 option. If the 'no arg desc' flag is set, the field is either
3431 empty or contains a description of the effect of this option if no
3435 This field is defined only for options. Its format is that of an
3436 _option argument_. If it is empty, then the option is not
3437 explicitly set in the current configuration, and the default
3438 applies (if any). Otherwise, it contains the current value of the
3439 option. Note that this field is also meaningful if the option
3440 itself does not take a real argument (in this case, it contains the
3441 number of times the option appears).
3444 File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
3446 10.4.6 Changing options
3447 -----------------------
3449 The command '--change-options COMPONENT' will attempt to change the
3450 options of the component COMPONENT to the specified values. COMPONENT
3451 must be the string in the field NAME in the output of the
3452 '--list-components' command. You have to provide the options that shall
3453 be changed in the following format on standard input:
3455 'NAME:FLAGS:NEW-VALUE'
3458 This is the name of the option to change. NAME must be the string
3459 in the field NAME in the output of the '--list-options' command.
3462 The flags field contains an _unsigned number_. Its value is the
3463 OR-wise combination of the following flag values:
3466 If this flag is set, the option is deleted and the default
3467 value is used instead (if applicable).
3470 The new value for the option. This field is only defined if the
3471 'default' flag is not set. The format is that of an _option
3472 argument_. If it is empty (or the field is omitted), the default
3473 argument is used (only allowed if the argument is optional for this
3474 option). Otherwise, the option will be set to the specified value.
3476 The output of the command is the same as that of '--check-options' for
3477 the modified configuration file.
3481 To set the force option, which is of basic type 'none (0)':
3483 $ echo 'force:0:1' | gpgconf --change-options dirmngr
3485 To delete the force option:
3487 $ echo 'force:16:' | gpgconf --change-options dirmngr
3489 The '--runtime' option can influence when the changes take effect.
3492 File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
3494 10.4.7 Listing global options
3495 -----------------------------
3497 Some legacy applications look at the global configuration file for the
3498 gpgconf tool itself; this is the file 'gpgconf.conf'. Modern
3499 applications should not use it but use per component global
3500 configuration files which are more flexible than the 'gpgconf.conf'.
3501 Using both files is not suggested.
3503 The colon separated listing format is record oriented and uses the
3504 first field to identify the record type:
3507 This describes a key record to start the definition of a new
3508 ruleset for a user/group. The format of a key record is:
3513 This is the user field of the key. It is percent escaped.
3514 See the definition of the gpgconf.conf format for details.
3517 This is the group field of the key. It is percent escaped.
3520 This describes a rule record. All rule records up to the next key
3521 record make up a rule set for that key. The format of a rule
3524 'r:::COMPONENT:OPTION:FLAG:VALUE:'
3527 This is the component part of a rule. It is a plain string.
3530 This is the option part of a rule. It is a plain string.
3533 This is the flags part of a rule. There may be only one flag
3534 per rule but by using the same component and option, several
3535 flags may be assigned to an option. It is a plain string.
3538 This is the optional value for the option. It is a percent
3539 escaped string with a single quotation mark to indicate a
3540 string. The quotation mark is only required to distinguish
3541 between no value specified and an empty string.
3543 Unknown record types should be ignored. Note that there is
3544 intentionally no feature to change the global option file through
3548 File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
3550 10.4.8 Get and compare software versions.
3551 -----------------------------------------
3553 The GnuPG Project operates a server to query the current versions of
3554 software packages related to GnuPG. 'gpgconf' can be used to access this
3555 online database. To allow for offline operations, this feature works by
3556 having 'dirmngr' download a file from 'https://versions.gnupg.org',
3557 checking the signature of that file and storing the file in the GnuPG
3558 home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
3559 ask 'dirmngr' to refresh that file before itself uses the file.
3561 The command '--query-swdb' returns information for the given package
3562 in a colon delimited format:
3565 This is the name of the package as requested. Note that "gnupg" is
3566 a special name which is replaced by the actual package implementing
3567 this version of GnuPG. For this name it is also not required to
3568 specify a version because 'gpgconf' takes its own version in this
3572 The currently installed version or an empty string. The value is
3573 taken from the command line argument but may be provided by gpg if
3577 The status of the software package according to this table:
3579 No information available. This is either because no current
3580 version has been specified or due to an error.
3582 The given name is not known in the online database.
3584 An update of the software is available.
3586 The installed version of the software is current.
3588 The installed version is already newer than the released
3592 If the value (the empty string should be considered as zero) is
3593 greater than zero an important update is available.
3596 This returns an 'gpg-error' error code to distinguish between
3597 various failure modes.
3600 This gives the date of the file with the version numbers in
3601 standard ISO format ('yyyymmddThhmmss'). The date has been
3602 extracted by 'dirmngr' from the signature of the file.
3605 This gives the date in ISO format the file was downloaded. This
3606 value can be used to evaluate the freshness of the information.
3609 This returns the version string for the requested software from the
3613 This returns the release date in ISO format.
3616 This returns the size of the package as decimal number of bytes.
3619 This returns a hexified SHA-2 hash of the package.
3621 More fields may be added in future to the output.
3624 File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
3626 10.4.9 Files used by gpgconf
3627 ----------------------------
3629 '/etc/gnupg/gpgconf.conf'
3630 If this file exists, it is processed as a global configuration
3631 file. This is a legacy mechanism which should not be used tigether
3632 with the modern global per component configuration files. A
3633 commented example can be found in the 'examples' directory of the
3636 'GNUPGHOME/swdb.lst'
3637 A file with current software versions. 'dirmngr' creates this file
3638 on demand from an online resource.
3641 File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
3643 10.5 Run gpgconf for all users
3644 ==============================
3646 This is a legacy script. Modern application should use the per
3647 component global configuration files under '/etc/gnupg/'.
3649 This script is a wrapper around 'gpgconf' to run it with the command
3650 '--apply-defaults' for all real users with an existing GnuPG home
3651 directory. Admins might want to use this script to update he GnuPG
3652 configuration files for all users after '/etc/gnupg/gpgconf.conf' has
3653 been changed. This allows enforcing certain policies for all users.
3654 Note, that this is not a bulletproof way to force a user to use certain
3655 options. A user may always directly edit the configuration files and
3658 'applygnupgdefaults' is invoked by root as:
3663 File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
3665 10.6 Put a passphrase into the cache
3666 ====================================
3668 The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
3669 running 'gpg-agent' with passphrases. It is mainly useful for
3670 unattended machines, where the usual 'pinentry' tool may not be used and
3671 the passphrases for the to be used keys are given at machine startup.
3673 This program works with GnuPG 2 and later. GnuPG 1.x is not
3676 Passphrases set with this utility don't expire unless the '--forget'
3677 option is used to explicitly clear them from the cache -- or 'gpg-agent'
3678 is either restarted or reloaded (by sending a SIGHUP to it). Note that
3679 the maximum cache time as set with '--max-cache-ttl' is still honored.
3680 It is necessary to allow this passphrase presetting by starting
3681 'gpg-agent' with the '--allow-preset-passphrase'.
3685 * Invoking gpg-preset-passphrase:: List of all commands and options.
3688 File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
3690 10.6.1 List of all commands and options
3691 ---------------------------------------
3693 'gpg-preset-passphrase' is invoked this way:
3695 gpg-preset-passphrase [options] [command] CACHEID
3697 CACHEID is either a 40 character keygrip of hexadecimal characters
3698 identifying the key for which the passphrase should be set or cleared.
3699 The keygrip is listed along with the key when running the command:
3700 'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary
3701 string may be used to identify a passphrase; it is suggested that such a
3702 string is prefixed with the name of the application (e.g 'foo:12346').
3703 Scripts should always use the option '--with-colons', which provides the
3704 keygrip in a "grp" line (cf. 'doc/DETAILS')/
3706 One of the following command options must be given:
3709 Preset a passphrase. This is what you usually will use.
3710 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
3713 Flush the passphrase for the given cache ID from the cache.
3715 The following additional options may be used:
3719 Output additional information while running.
3722 '--passphrase STRING'
3723 Instead of reading the passphrase from 'stdin', use the supplied
3724 STRING as passphrase. Note that this makes the passphrase visible
3728 File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
3730 10.7 Communicate with a running agent
3731 =====================================
3733 The 'gpg-connect-agent' is a utility to communicate with a running
3734 'gpg-agent'. It is useful to check out the commands 'gpg-agent'
3735 provides using the Assuan interface. It might also be useful for
3736 scripting simple applications. Input is expected at stdin and output
3737 gets printed to stdout.
3739 It is very similar to running 'gpg-agent' in server mode; but here we
3740 connect to a running instance.
3744 * Invoking gpg-connect-agent:: List of all options.
3745 * Controlling gpg-connect-agent:: Control commands.
3748 File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
3750 10.7.1 List of all options
3751 --------------------------
3753 'gpg-connect-agent' is invoked this way:
3755 gpg-connect-agent [options] [commands]
3757 The following options may be used:
3760 Connect to a running directory manager (keyserver client) instead
3761 of to the gpg-agent. If a dirmngr is not running, start it.
3764 Connect to a running keybox daemon instead of to the gpg-agent. If
3765 a keyboxd is not running, start it.
3769 Connect to socket NAME assuming this is an Assuan style server. Do
3770 not run any special initializations or environment checks. This
3771 may be used to directly connect to any Assuan style socket server.
3775 Take the rest of the command line as a program and it's arguments
3776 and execute it as an Assuan server. Here is how you would run
3778 gpg-connect-agent --exec gpgsm --server
3779 Note that you may not use options on the command line in this case.
3783 Output additional information while running.
3787 Try to be as quiet as possible.
3790 Set the name of the home directory to DIR. If this option is not
3791 used, the home directory defaults to '~/.gnupg'. It is only
3792 recognized when given on the command line. It also overrides any
3793 home directory stated through the environment variable 'GNUPGHOME'
3794 or (on Windows systems) by means of the Registry entry
3795 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
3797 On Windows systems it is possible to install GnuPG as a portable
3798 application. In this case only this command line option is
3799 considered, all other ways to set a home directory are ignored.
3801 To install GnuPG as a portable application under Windows, create an
3802 empty file named 'gpgconf.ctl' in the same directory as the tool
3803 'gpgconf.exe'. The root of the installation is then that
3804 directory; or, if 'gpgconf.exe' has been installed directly below a
3805 directory named 'bin', its parent directory. You also need to make
3806 sure that the following directories exist and are writable:
3807 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
3808 for internal cache files.
3811 Change the current user to UID which may either be a number or a
3812 name. This can be used from the root account to run
3813 gpg-connect-agent for another user. If UID is not the current UID
3814 a standard PATH is set and the envvar GNUPGHOME is unset. To
3815 override the latter the option '--homedir' can be used. This
3816 option has only an effect when used on the command line. This
3817 option has currently no effect at all on Windows.
3820 When using '-S' or '--exec', 'gpg-connect-agent' connects to the
3821 Assuan server in extended mode to allow descriptor passing. This
3822 option makes it use the old mode.
3825 Do not start the gpg-agent or the dirmngr if it has not yet been
3829 In interactive mode the command line history is usually saved and
3830 restored to and from a file below the GnuPG home directory. This
3831 option inhibits the use of that file.
3833 '--agent-program FILE'
3834 Specify the agent program to be started if none is running. The
3835 default value is determined by running 'gpgconf' with the option
3836 '--list-dirs'. Note that the pipe symbol ('|') is used for a
3837 regression test suite hack and may thus not be used in the file
3840 '--dirmngr-program FILE'
3841 Specify the directory manager (keyserver client) program to be
3842 started if none is running. This has only an effect if used
3843 together with the option '--dirmngr'.
3845 '--keyboxd-program FILE'
3846 Specify the keybox daemon program to be started if none is running.
3847 This has only an effect if used together with the option
3852 Run the commands from FILE at startup and then continue with the
3853 regular input method. Note, that commands given on the command
3854 line are executed after this file.
3858 Run the command '/subst' at startup.
3861 Print data lines in a hex format and the ASCII representation of
3862 non-control characters.
3865 Decode data lines. That is to remove percent escapes but make sure
3866 that a new line always starts with a D and a space.
3870 Set stdin and stdout into unbuffered I/O mode. This this sometimes
3871 useful for scripting.
3874 File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
3876 10.7.2 Control commands
3877 -----------------------
3879 While reading Assuan commands, gpg-agent also allows a few special
3880 commands to control its operation. These control commands all start
3887 Set the variable NAME to VALUE. Variables are only substituted on
3888 the input if the '/subst' has been used. Variables are referenced
3889 by prefixing the name with a dollar sign and optionally include the
3890 name in curly braces. The rules for a valid name are identically
3891 to those of the standard bourne shell. This is not yet enforced
3892 but may be in the future. When used with curly braces no leading
3893 or trailing white space is allowed.
3895 If a variable is not found, it is searched in the environment and
3896 if found copied to the table of variables.
3898 Variable functions are available: The name of the function must be
3899 followed by at least one space and the at least one argument. The
3900 following functions are available:
3903 Return a value described by the argument. Available arguments
3907 The current working directory.
3911 GnuPG's system configuration directory.
3913 GnuPG's binary directory.
3915 GnuPG's library directory.
3917 GnuPG's library directory for executable files.
3919 GnuPG's data directory.
3921 The PID of the current server. Command '/serverpid' must
3922 have been given to return a useful value.
3925 Remove C-style escapes from ARGS. Note that '\0' and '\x00'
3926 terminate the returned string implicitly. The string to be
3927 converted are the entire arguments right behind the delimiting
3928 space of the function name.
3932 Remove percent style escaping from ARGS. Note that '%00'
3933 terminates the string implicitly. The string to be converted
3934 are the entire arguments right behind the delimiting space of
3935 the function name. 'unpercent+' also maps plus signs to a
3940 Escape the ARGS using percent style escaping. Tabs,
3941 formfeeds, linefeeds, carriage returns and colons are escaped.
3942 'percent+' also maps spaces to plus signs.
3947 Assume ARG is an integer and evaluate it using 'strtol'.
3948 Return the gpg-error error code, error source or a formatted
3949 string with the error code and error source.
3956 Evaluate all arguments as long integers using 'strtol' and
3957 apply this operator. A division by zero yields an empty
3963 Evaluate all arguments as long integers using 'strtol' and
3964 apply the logical operators NOT, OR or AND. The NOT operator
3965 works on the last argument only.
3968 Use content of the variable VAR for inquiries with NAME. NAME may
3969 be an asterisk ('*') to match any inquiry.
3971 '/definqfile NAME FILE'
3972 Use content of FILE for inquiries with NAME. NAME may be an
3973 asterisk ('*') to match any inquiry.
3975 '/definqprog NAME PROG'
3976 Run PROG for inquiries matching NAME and pass the entire line to it
3977 as command line arguments.
3980 Write all data lines from the server to the file NAME. The file is
3981 opened for writing and created if it does not exists. An existing
3982 file is first truncated to 0. The data written to the file fully
3983 decoded. Using a single dash for NAME writes to stdout. The file
3984 is kept open until a new file is set using this command or this
3985 command is used without an argument.
3988 Print all definitions
3991 Delete all definitions
3994 Open FILE in MODE (which needs to be a valid 'fopen' mode string)
3995 and send the file descriptor to the server. This is usually
3996 followed by a command like 'INPUT FD' to set the input source for
4000 Not yet implemented.
4002 '/open VAR FILE [MODE]'
4003 Open FILE and assign the file descriptor to VAR. Warning: This
4004 command is experimental and might change in future versions.
4007 Close the file descriptor FD. Warning: This command is
4008 experimental and might change in future versions.
4011 Show a list of open files.
4014 Send the Assuan command 'GETINFO pid' to the server and store the
4015 returned PID for internal purposes.
4022 Same as the command line option '--hex'.
4026 Same as the command line option '--decode'.
4030 Enable and disable variable substitution. It defaults to disabled
4031 unless the command line option '--subst' has been used. If /subst
4032 as been enabled once, leading whitespace is removed from input
4033 lines which makes scripts easier to read.
4037 These commands provide a way for executing loops. All lines
4038 between the 'while' and the corresponding 'end' are executed as
4039 long as the evaluation of CONDITION yields a non-zero value or is
4040 the string 'true' or 'yes'. The evaluation is done by passing
4041 CONDITION to the 'strtol' function. Example:
4046 /echo loop counter is $i
4052 These commands provide a way for conditional execution. All lines
4053 between the 'if' and the corresponding 'end' are executed only if
4054 the evaluation of CONDITION yields a non-zero value or is the
4055 string 'true' or 'yes'. The evaluation is done by passing
4056 CONDITION to the 'strtol' function.
4059 Run commands from FILE.
4062 Clear the command history.
4065 Terminate the connection and the program.
4068 Print a list of available control commands.
4071 File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
4073 10.8 The Dirmngr Client Tool
4074 ============================
4076 The 'dirmngr-client' is a simple tool to contact a running dirmngr and
4077 test whether a certificate has been revoked -- either by being listed in
4078 the corresponding CRL or by running the OCSP protocol. If no dirmngr is
4079 running, a new instances will be started but this is in general not a
4080 good idea due to the huge performance overhead.
4082 The usual way to run this tool is either:
4084 dirmngr-client ACERT
4088 dirmngr-client <ACERT
4090 Where ACERT is one DER encoded (binary) X.509 certificates to be
4091 tested. The return value of this command is
4094 The certificate under question is valid; i.e. there is a valid CRL
4095 available and it is not listed there or the OCSP request returned
4096 that that certificate is valid.
4099 The certificate has been revoked
4101 '2 (and other values)'
4102 There was a problem checking the revocation state of the
4103 certificate. A message to stderr has given more detailed
4104 information. Most likely this is due to a missing or expired CRL
4105 or due to a network problem.
4107 'dirmngr-client' may be called with the following options:
4110 Print the program version and licensing information. Note that you
4111 cannot abbreviate this command.
4114 Print a usage message summarizing the most useful command-line
4115 options. Note that you cannot abbreviate this command.
4118 Make the output extra brief by suppressing any informational
4123 Outputs additional information while running. You can increase the
4124 verbosity by giving several verbose commands to DIRMNGR, such as
4128 Assume that the given certificate is in PEM (armored) format.
4131 Do the check using the OCSP protocol and ignore any CRLs.
4133 '--force-default-responder'
4134 When checking using the OCSP protocol, force the use of the default
4135 OCSP responder. That is not to use the Reponder as given by the
4139 Check whether the dirmngr daemon is up and running.
4142 Put the given certificate into the cache of a running dirmngr.
4143 This is mainly useful for debugging.
4146 Validate the given certificate using dirmngr's internal validation
4147 code. This is mainly useful for debugging.
4150 This command expects a list of filenames with DER encoded CRL
4151 files. With the option '--url' URLs are expected in place of
4152 filenames and they are loaded directly from the given location.
4153 All CRLs will be validated and then loaded into dirmngr's cache.
4156 Take the remaining arguments and run a lookup command on each of
4157 them. The results are Base-64 encoded outputs (without header
4158 lines). This may be used to retrieve certificates from a server.
4159 However the output format is not very well suited if more than one
4160 certificate is returned.
4164 Modify the 'lookup' and 'load-crl' commands to take an URL.
4168 Let the 'lookup' command only search the local cache.
4171 Run DIRMNGR-CLIENT in a mode suitable as a helper program for
4172 Squid's 'external_acl_type' option.
4175 File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools
4177 10.9 Parse a mail message into an annotated format
4178 ==================================================
4180 The 'gpgparsemail' is a utility currently only useful for debugging.
4181 Run it with '--help' for usage information.
4184 File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools
4186 10.10 Encrypt or sign files into an archive
4187 ===========================================
4189 'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar
4190 using the same format as used by PGP's PGP Zip.
4192 'gpgtar' is invoked this way:
4194 gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
4196 'gpgtar' understands these options:
4199 Put given files and directories into a vanilla "ustar" archive.
4202 Extract all files from a vanilla "ustar" archive. If no file name
4203 is given (or it is "-") the archive is taken from stdin.
4207 Encrypt given files and directories into an archive. This option
4208 may be combined with option '--symmetric' for an archive that may
4209 be decrypted via a secret key or a passphrase.
4213 Extract all files from an encrypted archive. If no file name is
4214 given (or it is "-") the archive is taken from stdin.
4218 Make a signed archive from the given files and directories. This
4219 can be combined with option '--encrypt' to create a signed and then
4224 List the contents of the specified archive. If no file name is
4225 given (or it is "-") the archive is taken from stdin.
4229 Encrypt with a symmetric cipher using a passphrase. The default
4230 symmetric cipher used is AES-128, but may be chosen with the
4231 '--cipher-algo' option to 'gpg'.
4235 Encrypt for user id USER. For details see 'gpg'.
4239 Use USER as the key to sign with. For details see 'gpg'.
4243 Write the archive to the specified file FILE.
4247 Enable extra informational output.
4251 Try to be as quiet as possible.
4254 Skip all crypto operations and create or extract vanilla "ustar"
4258 Do not actually output the extracted files.
4262 Extract the files into the directory DIR. The default is to take
4263 the directory name from the input filename. If no input filename
4264 is known a directory named 'GPGARCH' is used. For tarball
4265 creation, switch to directory DIR before performing any operations.
4269 Take the file names to work from the file FILE; one file per line.
4272 Modify option '--files-from' to use a binary nul instead of a
4273 linefeed to separate file names.
4276 Assume that the file names read by '--files-from' are UTF-8
4277 encoded. This option has an effect only on Windows where the
4278 active code page is otherwise assumed.
4281 This option has no effect because OpenPGP encryption and signing is
4285 This option is reserved and shall not be used. It will eventually
4286 be used to encrypt or sign using the CMS protocol; but that is not
4290 Use batch mode. Never ask but use the default action. This option
4291 is passed directly to 'gpg'.
4294 Assume "yes" on most questions. Often used together with '--batch'
4295 to overwrite existing files. This option is passed directly to
4299 Assume "no" on most questions. This option is passed directly to
4302 '--require-compliance'
4303 This option is passed directly to 'gpg'.
4306 Write special status strings to the file descriptor N. See the
4307 file DETAILS in the documentation for a listing of them.
4310 When extracting an encrypted tarball also write a log file with the
4311 gpg output to a file named after the extraction directory with the
4314 '--set-filename FILE'
4315 Use the last component of FILE as the output directory. The
4316 default is to take the directory name from the input filename. If
4317 no input filename is known a directory named 'GPGARCH' is used.
4318 This option is deprecated in favor of option '--directory'.
4321 This option tells gpg to disable compression (i.e. using option
4322 -z0). It is useful for archiving only large files which are are
4323 already compressed (e.g. a set of videos).
4326 Use the specified command GPGCMD instead of 'gpg'.
4329 Pass the specified extra options to 'gpg'.
4332 Assume ARGS are standard options of the command 'tar' and parse
4333 them. The only supported tar options are "-directory",
4334 "-files-from", and "-null" This is an obsolete options because
4335 those supported tar options can also be given directly.
4338 This is a dummy option for backward compatibility.
4341 Print version of the program and exit.
4344 Display a brief help page and exit.
4346 The program returns 0 if everything was fine, 1 otherwise.
4350 Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
4352 gpgtar --encrypt --output test1 -r Bob mydocs
4354 List the contents of archive 'test1':
4356 gpgtar --list-archive test1
4359 File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools
4361 10.11 Check a passphrase on stdin against the patternfile
4362 =========================================================
4364 'gpg-check-pattern' checks a passphrase given on stdin against a
4365 specified pattern file.
4367 The pattern file is line based with comment lines beginning on the
4368 _first_ position with a '#'. Empty lines and lines with only white
4369 spaces are ignored. The actual pattern lines may either be verbatim
4370 string pattern and match as they are (trailing spaces are ignored) or
4371 extended regular expressions indicated by a '/' or '!/' in the first
4372 column and terminated by another '/' or end of line. If a regular
4373 expression starts with '!/' the match result is reversed. By default
4374 all comparisons are case insensitive.
4376 Tag lines may be used to further control the operation of this tool.
4377 The currently defined tags are:
4380 Switch to case insensitive comparison for all further patterns.
4381 This is the default.
4384 Switch to case sensitive comparison for all further patterns.
4387 Switch to reject mode. This is the default mode.
4390 Switch to accept mode.
4392 In the future more tags may be introduced and thus it is advisable
4393 not to start a plain pattern string with an open bracket. The tags must
4394 be given verbatim on the line with no spaces to the left or any non
4395 white space characters to the right.
4397 In reject mode the program exits on the first match with an exit code
4398 of 1 (failure). If at the end of the pattern list the reject mode is
4399 still active the program exits with code 0 (success).
4401 In accept mode blocks of patterns are used. A block starts at the
4402 next pattern after an "accept" tag and ends with the last pattern before
4403 the next "accept" or "reject" tag or at the end of the pattern list. If
4404 all patterns in a block match the program exits with an exit code of 0
4405 (success). If any pattern in a block do not match the next pattern
4406 block is evaluated. If at the end of the pattern list the accept mode
4407 is still active the program exits with code 1 (failure).
4411 Enable extra informational output.
4414 Run only a syntax check on the patternfile.
4417 Input is expected to be null delimited.
4420 File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top
4425 GnuPG comes with tools used to maintain and access a Web Key Directory.
4429 * gpg-wks-client:: Send requests via WKS
4430 * gpg-wks-server:: Server to provide the WKS.
4433 File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service
4435 11.1 Send requests via WKS
4436 ==========================
4438 The 'gpg-wks-client' is used to send requests to a Web Key Service
4439 provider. This is usually done to upload a key into a Web Key
4442 With the '--supported' command the caller can test whether a site
4443 supports the Web Key Service. The argument is an arbitrary address in
4444 the to be tested domain. For example 'foo@example.net'. The command
4445 returns success if the Web Key Service is supported. The operation is
4446 silent; to get diagnostic output use the option '--verbose'. See option
4447 '--with-colons' for a variant of this command.
4449 With the '--check' command the caller can test whether a key exists
4450 for a supplied mail address. The command returns success if a key is
4453 The '--create' command is used to send a request for publication in
4454 the Web Key Directory. The arguments are the fingerprint of the key and
4455 the user id to publish. The output from the command is a properly
4456 formatted mail with all standard headers. This mail can be fed to
4457 'sendmail(8)' or any other tool to actually send that mail. If
4458 'sendmail(8)' is installed the option '--send' can be used to directly
4459 send the created request. If the provider request a 'mailbox-only' user
4460 id and no such user id is found, 'gpg-wks-client' will try an additional
4463 The '--receive' and '--read' commands are used to process
4464 confirmation mails as send from the service provider. The former
4465 expects an encrypted MIME messages, the latter an already decrypted MIME
4466 message. The result of these commands are another mail which can be
4467 send in the same way as the mail created with '--create'.
4469 The command '--install-key' manually installs a key into a local
4470 directory (see option '-C') reflecting the structure of a WKD. The
4471 arguments are a file with the keyblock and the user-id to install. If
4472 the first argument resembles a fingerprint the key is taken from the
4473 current keyring; to force the use of a file, prefix the first argument
4474 with "./". If no arguments are given the parameters are read from
4475 stdin; the expected format are lines with the fingerprint and the
4476 mailbox separated by a space. The command '--remove-key' removes a key
4477 from that directory, its only argument is a user-id.
4479 The command '--mirror' is similar to '--install-key' but takes the
4480 keys from the the LDAP server configured for Dirmngr. If no arguments
4481 are given all keys and user ids are installed. If arguments are given
4482 they are taken as domain names to limit the to be installed keys. The
4483 option '--blacklist' may be used to further limit the to be installed
4486 The command '--print-wkd-hash' prints the WKD user-id identifiers and
4487 the corresponding mailboxes from the user-ids given on the command line
4488 or via stdin (one user-id per line).
4490 The command '--print-wkd-url' prints the URLs used to fetch the key
4491 for the given user-ids from WKD. The meanwhile preferred format with
4492 sub-domains is used here.
4494 'gpg-wks-client' understands these options:
4497 Directly send created mails using the 'sendmail' command. Requires
4498 installation of that command.
4501 This option has currently only an effect on the '--supported'
4502 command. If it is used all arguments on the command line are taken
4503 as domain names and tested for WKD support. The output format is
4504 one line per domain with colon delimited fields. The currently
4505 specified fields are (future versions may specify additional
4509 This is the domain name. Although quoting is not required for
4510 valid domain names this field is specified to be quoted in
4514 If the value is true the domain supports the Web Key
4518 If the value is true the domain supports the Web Key Service
4519 protocol to upload keys to the directory.
4522 This may contain an gpg-error code to describe certain
4523 failures. Use 'gpg-error CODE' to explain the code.
4525 5 - protocol-version
4526 The minimum protocol version supported by the server.
4529 The auth-submit flag from the policy file of the server.
4532 The mailbox-only flag from the policy file of the server.
4536 Write the created mail to FILE instead of stdout. Note that the
4537 value '-' for FILE is the same as writing to stdout. If this
4538 option is used with the '--check' command and a key was found it is
4539 written to the given file.
4542 Write special status strings to the file descriptor N. This
4543 program returns only the status messages SUCCESS or FAILURE which
4544 are helpful when the caller uses a double fork approach and can't
4545 easily get the return code of the process.
4549 Use DIR as top level directory for the commands '--mirror',
4550 '--install-key' and '--remove-key'. The default is 'openpgpkey'.
4553 This option is used to exclude certain mail addresses from a mirror
4554 operation. The format of FILE is one mail address (just the
4555 addrspec, e.g. "postel@isi.edu") per line. Empty lines and lines
4556 starting with a '#' are ignored.
4560 If enabled append revocation certificates for the same addrspec as
4561 used in the WKD to the key. Modern gpg version are able to import
4562 and apply them for existing keys. Note that when used with the
4563 '--mirror' command the revocation are searched in the local keyring
4564 and not in an LDAP directory. The default is '--add-revocs'.
4567 Enable extra informational output.
4570 Disable almost all informational output.
4573 Print version of the program and exit.
4576 Display a brief help page and exit.
4579 File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service
4581 11.2 Provide the Web Key Service
4582 ================================
4584 The 'gpg-wks-server' is a server side implementation of the Web Key
4585 Service. It receives requests for publication, sends confirmation
4586 requests, receives confirmations, and published the key. It also has
4587 features to ease the setup and maintenance of a Web Key Directory.
4589 When used with the command '--receive' a single Web Key Service mail
4590 is processed. Commonly this command is used with the option '--send' to
4591 directly send the created mails back. See below for an installation
4594 The command '--cron' is used for regular cleanup tasks. For example
4595 non-confirmed requested should be removed after their expire time. It
4596 is best to run this command once a day from a cronjob.
4598 The command '--list-domains' prints all configured domains. Further
4599 it creates missing directories for the configuration and prints warnings
4600 pertaining to problems in the configuration.
4602 The command '--check-key' (or just '--check') checks whether a key
4603 with the given user-id is installed. The process returns success in
4604 this case; to also print a diagnostic use the option '-v'. If the key
4605 is not installed a diagnostic is printed and the process returns
4606 failure; to suppress the diagnostic, use option '-q'. More than one
4607 user-id can be given; see also option 'with-file'.
4609 The command '--install-key' manually installs a key into the WKD. The
4610 arguments are a file with the keyblock and the user-id to install. If
4611 the first argument resembles a fingerprint the key is taken from the
4612 current keyring; to force the use of a file, prefix the first argument
4613 with "./". If no arguments are given the parameters are read from
4614 stdin; the expected format are lines with the fingerprint and the
4615 mailbox separated by a space.
4617 The command '--remove-key' uninstalls a key from the WKD. The process
4618 returns success in this case; to also print a diagnostic, use option
4619 '-v'. If the key is not installed a diagnostic is printed and the
4620 process returns failure; to suppress the diagnostic, use option '-q'.
4622 The command '--revoke-key' is not yet functional.
4624 'gpg-wks-server' understands these options:
4628 Use DIR as top level directory for domains. The default is
4629 '/var/lib/gnupg/wks'.
4632 Use MAILADDR as the default sender address.
4634 '--header NAME=VALUE'
4635 Add the mail header "NAME: VALUE" to all outgoing mails.
4638 Directly send created mails using the 'sendmail' command. Requires
4639 installation of that command.
4643 Write the created mail also to FILE. Note that the value '-' for
4644 FILE would write it to stdout.
4647 When used with the command '--list-domains' print for each
4648 installed domain the domain name and its directory name.
4651 When used with the command '--check-key' print for each user-id,
4652 the address, 'i' for installed key or 'n' for not installed key,
4656 Enable extra informational output.
4659 Disable almost all informational output.
4662 Print version of the program and exit.
4665 Display a brief help page and exit.
4671 The Web Key Service requires a working directory to store keys pending
4672 for publication. As root create a working directory:
4674 # mkdir /var/lib/gnupg/wks
4675 # chown webkey:webkey /var/lib/gnupg/wks
4676 # chmod 2750 /var/lib/gnupg/wks
4678 Then under your webkey account create directories for all your
4679 domains. Here we do it for "example.net":
4681 $ mkdir /var/lib/gnupg/wks/example.net
4685 $ gpg-wks-server --list-domains
4687 to create the required sub-directories with the permissions set
4688 correctly. For each domain a submission address needs to be configured.
4689 All service mails are directed to that address. It can be the same
4690 address for all configured domains, for example:
4692 $ cd /var/lib/gnupg/wks/example.net
4693 $ echo key-submission@example.net >submission-address
4695 The protocol requires that the key to be published is sent with an
4696 encrypted mail to the service. Thus you need to create a key for the
4699 $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
4700 $ gpg -K key-submission@example.net
4702 The output of the last command looks similar to this:
4704 sec rsa3072 2016-08-30 [SC]
4705 C0FCF8642D830C53246211400346653590B3795B
4706 uid [ultimate] key-submission@example.net
4707 bxzcxpxk8h87z1k7bzk86xn5aj47intu@example.net
4708 ssb rsa3072 2016-08-30 [E]
4710 Take the fingerprint from that output and manually publish the key:
4712 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
4713 > key-submission@example.net
4715 Finally that submission address needs to be redirected to a script
4716 running 'gpg-wks-server'. The 'procmail' command can be used for this:
4717 Redirect the submission address to the user "webkey" and put this into
4718 webkey's '.procmailrc':
4721 * !^From: webkey@example.net
4722 * !^X-WKS-Loop: webkey.example.net
4723 |gpg-wks-server -v --receive \
4724 --header X-WKS-Loop=webkey.example.net \
4725 --from webkey@example.net --send
4728 File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top
4730 12 How to do certain things
4731 ***************************
4733 This is a collection of small howto documents.
4737 * Howto Create a Server Cert:: Creating a TLS server certificate.
4740 File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
4742 12.1 Creating a TLS server certificate
4743 ======================================
4745 Here is a brief run up on how to create a server certificate. It has
4746 actually been done this way to get a certificate from CAcert to be used
4747 on a real server. It has only been tested with this CA, but there
4748 shouldn't be any problem to run this against any other CA.
4750 We start by generating an X.509 certificate signing request. As
4751 there is no need for a configuration file, you may simply enter:
4753 $ gpgsm --generate-key >example.com.cert-req.pem
4754 Please select what kind of key you want:
4757 (3) Existing key from card
4760 I opted for creating a new RSA key. The other option is to use an
4761 already existing key, by selecting '2' and entering the so-called
4762 keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
4763 this keygrip. Using '3' offers another menu to create a certificate
4764 directly from a smart card based key.
4768 What keysize do you want? (3072)
4769 Requested keysize is 3072 bits
4771 Hitting enter chooses the default RSA key size of 3072 bits. Keys
4772 smaller than 2048 bits are too weak on the modern Internet. If you
4773 choose a larger (stronger) key, your server will need to do more work.
4775 Possible actions for a RSA key:
4781 Selecting "sign" enables use of the key for Diffie-Hellman key
4782 exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
4783 they offer forward secrecy. Selecting "encrypt" enables RSA key
4784 exchange mechanisms, which are still common in some places. Selecting
4785 both enables both key exchange mechanisms.
4787 Now for some real data:
4789 Enter the X.509 subject name: CN=example.com
4791 This is the most important value for a server certificate. Enter
4792 here the canonical name of your server machine. You may add other
4793 virtual server names later.
4795 E-Mail addresses (end with an empty line):
4798 We don't need email addresses in a TLS server certificate and CAcert
4799 would anyway ignore such a request. Thus just hit enter.
4801 If you want to create a client certificate for email encryption, this
4802 would be the place to enter your mail address (e.g. <joe@example.org>).
4803 You may enter as many addresses as you like, however the CA may not
4804 accept them all or reject the entire request.
4806 Enter DNS names (optional; end with an empty line):
4811 Here I entered the names of the services which the machine actually
4812 provides. You almost always want to include the canonical name here
4813 too. The browser will accept a certificate for any of these names. As
4814 usual the CA must approve all of these names.
4816 URIs (optional; end with an empty line):
4819 It is possible to insert arbitrary URIs into a certificate; for a
4820 server certificate this does not make sense.
4822 Create self-signed certificate? (y/N)
4824 Since we are creating a certificate signing request, and not a full
4825 certificate, we answer no here, or just hit enter for the default.
4827 We have now entered all required information and 'gpgsm' will display
4828 what it has gathered and ask whether to create the certificate request:
4830 These parameters are used:
4833 Key-Usage: sign, encrypt
4834 Name-DN: CN=example.com
4835 Name-DNS: example.com
4836 Name-DNS: www.example.com
4838 Proceed with creation? (y/N) y
4840 'gpgsm' will now start working on creating the request. As this
4841 includes the creation of an RSA key it may take a while. During this
4842 time you will be asked 3 times for a passphrase to protect the created
4843 private key on your system. A pop up window will appear to ask for it.
4844 The first two prompts are for the new passphrase and for re-entering it;
4845 the third one is required to actually create the certificate signing
4848 When it is ready, you should see the final notice:
4850 Ready. You should now send this request to your CA.
4852 Now, you may look at the created request:
4854 $ cat example.com.cert-req.pem
4855 -----BEGIN CERTIFICATE REQUEST-----
4856 MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
4857 DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
4858 h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
4859 Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
4860 GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
4861 DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
4862 xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
4863 hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
4864 ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
4865 b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
4866 hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
4867 bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
4868 VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
4869 k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
4870 -----END CERTIFICATE REQUEST-----
4873 You may now proceed by logging into your account at the CAcert
4874 website, choose 'Server Certificates - New', check 'sign by class 3 root
4875 certificate', paste the above request block into the text field and
4878 If everything works out fine, a certificate will be shown. Now run
4882 and paste the certificate from the CAcert page into your terminal
4883 followed by a Ctrl-D
4885 -----BEGIN CERTIFICATE-----
4886 MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
4888 rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
4890 -----END CERTIFICATE-----
4891 gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
4892 gpgsm: certificate imported
4894 gpgsm: total number processed: 1
4897 'gpgsm' tells you that it has imported the certificate. It is now
4898 associated with the key you used when creating the request. The root
4899 certificate has not been found, so you may want to import it from the
4902 To see the content of your certificate, you may now enter:
4904 $ gpgsm -K example.com
4905 /home/foo/.gnupg/pubring.kbx
4906 ---------------------------
4908 Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
4909 Subject: /CN=example.com
4910 aka: (dns-name example.com)
4911 aka: (dns-name www.example.com)
4912 validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
4913 key type: 3072 bit RSA
4914 key usage: digitalSignature keyEncipherment
4915 ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
4916 fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
4918 I used '-K' above because this will only list certificates for which
4919 a private key is available. To see more details, you may use
4920 '--dump-secret-keys' instead of '-K'.
4922 To make actual use of the certificate you need to install it on your
4923 server. Server software usually expects a PKCS\#12 file with key and
4924 certificate. To create such a file, run:
4926 $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
4928 You will be asked for the passphrase as well as for a new passphrase
4929 to be used to protect the PKCS\#12 file. The file now contains the
4930 certificate as well as the private key:
4932 $ cat example-cert.pem
4933 Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
4935 Subject ..: /CN=example.com
4936 aka ..: (dns-name example.com)
4937 aka ..: (dns-name www.example.com)
4939 -----BEGIN PKCS12-----
4940 MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
4941 [...many more lines...]
4942 -----END PKCS12-----
4945 Copy this file in a secure way to the server, install it there and
4946 delete the file then. You may export the file again at any time as long
4947 as it is available in GnuPG's private key database.
4950 File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
4952 13 Notes pertaining to certain OSes
4953 ***********************************
4955 GnuPG has been developed on GNU/Linux systems and is know to work on
4956 almost all Free OSes. All modern POSIX systems should be supported
4957 right now, however there are probably a lot of smaller glitches we need
4958 to fix first. The major problem areas are:
4960 * We are planning to use file descriptor passing for interprocess
4961 communication. This will allow us save a lot of resources and
4962 improve performance of certain operations a lot. Systems not
4963 supporting this won't gain these benefits but we try to keep them
4964 working the standard way as it is done today.
4966 * We require more or less full POSIX compatibility. This has been
4967 around for 15 years now and thus we don't believe it makes sense to
4968 support non POSIX systems anymore. Well, we of course the usual
4969 workarounds for near POSIX systems well be applied.
4971 There is one exception of this rule: Systems based the Microsoft
4972 Windows API (called here _W32_) will be supported to some extend.
4976 * W32 Notes:: Microsoft Windows Notes
4979 File: gnupg.info, Node: W32 Notes, Up: System Notes
4981 13.1 Microsoft Windows Notes
4982 ============================
4984 Current limitations are:
4986 * 'gpgconf' does not create backup files, so in case of trouble your
4987 configuration file might get lost.
4989 * 'watchgnupg' is not available. Logging to sockets is not possible.
4991 * The periodical smartcard status checking done by 'scdaemon' is not
4995 File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
4997 14 How to solve problems
4998 ************************
5000 Everyone knows that software often does not do what it should do and
5001 thus there is a need to track down problems. We call this debugging in
5002 a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
5004 Most of the problems a merely configuration and user problems but
5005 nevertheless they are the most annoying ones and responsible for many
5006 gray hairs. We try to give some guidelines here on how to identify and
5007 solve the problem at hand.
5011 * Debugging Tools:: Description of some useful tools.
5012 * Debugging Hints:: Various hints on debugging.
5013 * Common Problems:: Commonly seen problems.
5014 * Architecture Details:: How the whole thing works internally.
5017 File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
5019 14.1 Debugging Tools
5020 ====================
5022 The GnuPG distribution comes with a couple of tools, useful to help find
5023 and solving problems.
5027 * kbxutil:: Scrutinizing a keybox file.
5030 File: gnupg.info, Node: kbxutil, Up: Debugging Tools
5032 14.1.1 Scrutinizing a keybox file
5033 ---------------------------------
5035 A keybox is a file format used to store public keys along with meta
5036 information and indices. The commonly used one is the file
5037 'pubring.kbx' in the '.gnupg' directory. It contains all X.509
5038 certificates as well as OpenPGP keys.
5040 When called the standard way, e.g.:
5042 'kbxutil ~/.gnupg/pubring.kbx'
5044 it lists all records (called blobs) with there meta-information in a
5045 human readable format.
5047 To see statistics on the keybox in question, run it using
5049 'kbxutil --stats ~/.gnupg/pubring.kbx'
5051 and you get an output like:
5053 Total number of blobs: 99
5060 ephemeral flagged: 17
5062 In this example you see that the keybox does not have any OpenPGP
5063 keys but contains 98 X.509 certificates and a total of 17 keys or
5064 certificates are flagged as ephemeral, meaning that they are only
5065 temporary stored (cached) in the keybox and won't get listed using the
5066 usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
5067 in a standard way and directly available from 'gpgsm'.
5069 To find duplicated certificates and keyblocks in a keybox file (this
5070 should not occur but sometimes things go wrong), run it using
5072 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
5075 File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
5077 14.2 Various hints on debugging
5078 ===============================
5080 * How to find the IP address of a keyserver
5082 If a round robin URL of is used for a keyserver (e.g.
5083 subkeys.gnupg.org); it is not easy to see what server is actually
5084 used. Using the keyserver debug option as in
5086 gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
5088 is thus often helpful. Note that the actual output depends on the
5089 backend and may change from release to release.
5091 * Logging on WindowsCE
5093 For development, the best logging method on WindowsCE is the use of
5094 remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
5095 The command 'watchgnupg' may be used on the remote host to listen
5096 on the given port (*note option watchgnupg --tcp::). For in the
5097 field tests it is better to make use of the logging facility
5098 provided by the 'gpgcedev' driver (part of libassuan); this is
5099 enabled by using a log file name of 'GPG2:' (*note option
5103 File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
5105 14.3 Commonly Seen Problems
5106 ===========================
5108 * Error code 'Not supported' from Dirmngr
5110 Most likely the option 'enable-ocsp' is active for gpgsm but
5111 Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
5114 * The Curses based Pinentry does not work
5116 The far most common reason for this is that the environment
5117 variable 'GPG_TTY' has not been set correctly. Make sure that it
5118 has been set to a real tty device and not just to '/dev/tty'; i.e.
5119 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
5120 note the back ticks. Also make sure that this environment variable
5121 gets exported, that is you should follow up the setting with an
5122 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
5123 based Pinentries; you should have set 'GPG_TTY'. See the section
5124 on installing the 'gpg-agent' on how to do it.
5126 * SSH hangs while a popping up pinentry was expected
5128 SSH has no way to tell the gpg-agent what terminal or X display it
5129 is running on. So when remotely logging into a box where a
5130 gpg-agent with SSH support is running, the pinentry will get popped
5131 up on whatever display the gpg-agent has been started. To solve
5132 this problem you may issue the command
5134 echo UPDATESTARTUPTTY | gpg-connect-agent
5136 and the next pinentry will pop up on your display or screen.
5137 However, you need to kill the running pinentry first because only
5138 one pinentry may be running at once. If you plan to use ssh on a
5139 new display you should issue the above command before invoking ssh
5140 or any other service making use of ssh.
5142 * Exporting a secret key without a certificate
5144 It may happen that you have created a certificate request using
5145 'gpgsm' but not yet received and imported the certificate from the
5146 CA. However, you want to export the secret key to another machine
5147 right now to import the certificate over there then. You can do
5148 this with a little trick but it requires that you know the
5149 approximate time you created the signing request. By running the
5152 ls -ltr ~/.gnupg/private-keys-v1.d
5154 you get a listing of all private keys under control of 'gpg-agent'.
5155 Pick the key which best matches the creation time and run the
5158 /usr/local/libexec/gpg-protect-tool --p12-export \
5159 ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
5161 (Please adjust the path to 'gpg-protect-tool' to the appropriate
5162 location). FOO is the name of the key file you picked (it should
5163 have the suffix '.key'). A Pinentry box will pop up and ask you
5164 for the current passphrase of the key and a new passphrase to
5165 protect it in the pkcs#12 file.
5167 To import the created file on the machine you use this command:
5169 /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
5171 You will be asked for the pkcs#12 passphrase and a new passphrase
5172 to protect the imported private key at its new location.
5174 Note that there is no easy way to match existing certificates with
5175 stored private keys because some private keys are used for Secure
5176 Shell or other purposes and don't have a corresponding certificate.
5178 * A root certificate does not verify
5180 A common problem is that the root certificate misses the required
5181 basicConstraints attribute and thus 'gpgsm' rejects this
5182 certificate. An error message indicating "no value" is a sign for
5183 such a certificate. You may use the 'relax' flag in
5184 'trustlist.txt' to accept the certificate anyway. Note that the
5185 fingerprint and this flag may only be added manually to
5188 * Error message: "digest algorithm N has not been enabled"
5190 The signature is broken. You may try the option
5191 '--extra-digest-algo SHA256' to workaround the problem. The number
5192 N is the internal algorithm identifier; for example 8 refers to
5195 * The Windows version does not work under Wine
5197 When running the W32 version of 'gpg' under Wine you may get an
5198 error messages like:
5200 gpg: fatal: WriteConsole failed: Access denied
5202 The solution is to use the command 'wineconsole'.
5204 Some operations like '--generate-key' really want to talk to the
5205 console directly for increased security (for example to prevent the
5206 passphrase from appearing on the screen). So, you should use
5207 'wineconsole' instead of 'wine', which will launch a windows
5208 console that implements those additional features.
5210 * Why does GPG's -search-key list weird keys?
5212 For performance reasons the keyservers do not check the keys the
5213 same way 'gpg' does. It may happen that the listing of keys
5214 available on the keyservers shows keys with wrong user IDs or with
5215 user Ids from other keys. If you try to import this key, the bad
5216 keys or bad user ids won't get imported, though. This is a bit
5217 unfortunate but we can't do anything about it without actually
5218 downloading the keys.
5221 File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
5223 14.4 How the whole thing works internally
5224 =========================================
5228 * Component interaction:: How the components work together.
5229 * GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
5232 File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
5234 14.4.1 How the components work together
5235 ---------------------------------------
5237 \0\b[image src="gnupg-module-overview.png" alt="GnuPG modules"
\0\b]
5239 Figure 14.1: GnuPG module overview
5242 File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
5244 14.4.2 Relationship between GnuPG 1.4 and 2.x
5245 ---------------------------------------------
5247 Here is a little picture showing how the different GnuPG versions make
5250 \0\b[image src="gnupg-card-architecture.png" alt="GnuPG card architecture"
\0\b]
5252 Figure 14.2: GnuPG card architecture
5255 File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
5257 GNU General Public License
5258 **************************
5260 Version 3, 29 June 2007
5262 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
5264 Everyone is permitted to copy and distribute verbatim copies of this
5265 license document, but changing it is not allowed.
5270 The GNU General Public License is a free, copyleft license for software
5271 and other kinds of works.
5273 The licenses for most software and other practical works are designed
5274 to take away your freedom to share and change the works. By contrast,
5275 the GNU General Public License is intended to guarantee your freedom to
5276 share and change all versions of a program-to make sure it remains free
5277 software for all its users. We, the Free Software Foundation, use the
5278 GNU General Public License for most of our software; it applies also to
5279 any other work released this way by its authors. You can apply it to
5282 When we speak of free software, we are referring to freedom, not
5283 price. Our General Public Licenses are designed to make sure that you
5284 have the freedom to distribute copies of free software (and charge for
5285 them if you wish), that you receive source code or can get it if you
5286 want it, that you can change the software or use pieces of it in new
5287 free programs, and that you know you can do these things.
5289 To protect your rights, we need to prevent others from denying you
5290 these rights or asking you to surrender the rights. Therefore, you have
5291 certain responsibilities if you distribute copies of the software, or if
5292 you modify it: responsibilities to respect the freedom of others.
5294 For example, if you distribute copies of such a program, whether
5295 gratis or for a fee, you must pass on to the recipients the same
5296 freedoms that you received. You must make sure that they, too, receive
5297 or can get the source code. And you must show them these terms so they
5300 Developers that use the GNU GPL protect your rights with two steps:
5301 (1) assert copyright on the software, and (2) offer you this License
5302 giving you legal permission to copy, distribute and/or modify it.
5304 For the developers' and authors' protection, the GPL clearly explains
5305 that there is no warranty for this free software. For both users' and
5306 authors' sake, the GPL requires that modified versions be marked as
5307 changed, so that their problems will not be attributed erroneously to
5308 authors of previous versions.
5310 Some devices are designed to deny users access to install or run
5311 modified versions of the software inside them, although the manufacturer
5312 can do so. This is fundamentally incompatible with the aim of
5313 protecting users' freedom to change the software. The systematic
5314 pattern of such abuse occurs in the area of products for individuals to
5315 use, which is precisely where it is most unacceptable. Therefore, we
5316 have designed this version of the GPL to prohibit the practice for those
5317 products. If such problems arise substantially in other domains, we
5318 stand ready to extend this provision to those domains in future versions
5319 of the GPL, as needed to protect the freedom of users.
5321 Finally, every program is threatened constantly by software patents.
5322 States should not allow patents to restrict development and use of
5323 software on general-purpose computers, but in those that do, we wish to
5324 avoid the special danger that patents applied to a free program could
5325 make it effectively proprietary. To prevent this, the GPL assures that
5326 patents cannot be used to render the program non-free.
5328 The precise terms and conditions for copying, distribution and
5329 modification follow.
5331 TERMS AND CONDITIONS
5335 "This License" refers to version 3 of the GNU General Public
5338 "Copyright" also means copyright-like laws that apply to other
5339 kinds of works, such as semiconductor masks.
5341 "The Program" refers to any copyrightable work licensed under this
5342 License. Each licensee is addressed as "you". "Licensees" and
5343 "recipients" may be individuals or organizations.
5345 To "modify" a work means to copy from or adapt all or part of the
5346 work in a fashion requiring copyright permission, other than the
5347 making of an exact copy. The resulting work is called a "modified
5348 version" of the earlier work or a work "based on" the earlier work.
5350 A "covered work" means either the unmodified Program or a work
5351 based on the Program.
5353 To "propagate" a work means to do anything with it that, without
5354 permission, would make you directly or secondarily liable for
5355 infringement under applicable copyright law, except executing it on
5356 a computer or modifying a private copy. Propagation includes
5357 copying, distribution (with or without modification), making
5358 available to the public, and in some countries other activities as
5361 To "convey" a work means any kind of propagation that enables other
5362 parties to make or receive copies. Mere interaction with a user
5363 through a computer network, with no transfer of a copy, is not
5366 An interactive user interface displays "Appropriate Legal Notices"
5367 to the extent that it includes a convenient and prominently visible
5368 feature that (1) displays an appropriate copyright notice, and (2)
5369 tells the user that there is no warranty for the work (except to
5370 the extent that warranties are provided), that licensees may convey
5371 the work under this License, and how to view a copy of this
5372 License. If the interface presents a list of user commands or
5373 options, such as a menu, a prominent item in the list meets this
5378 The "source code" for a work means the preferred form of the work
5379 for making modifications to it. "Object code" means any non-source
5382 A "Standard Interface" means an interface that either is an
5383 official standard defined by a recognized standards body, or, in
5384 the case of interfaces specified for a particular programming
5385 language, one that is widely used among developers working in that
5388 The "System Libraries" of an executable work include anything,
5389 other than the work as a whole, that (a) is included in the normal
5390 form of packaging a Major Component, but which is not part of that
5391 Major Component, and (b) serves only to enable use of the work with
5392 that Major Component, or to implement a Standard Interface for
5393 which an implementation is available to the public in source code
5394 form. A "Major Component", in this context, means a major
5395 essential component (kernel, window system, and so on) of the
5396 specific operating system (if any) on which the executable work
5397 runs, or a compiler used to produce the work, or an object code
5398 interpreter used to run it.
5400 The "Corresponding Source" for a work in object code form means all
5401 the source code needed to generate, install, and (for an executable
5402 work) run the object code and to modify the work, including scripts
5403 to control those activities. However, it does not include the
5404 work's System Libraries, or general-purpose tools or generally
5405 available free programs which are used unmodified in performing
5406 those activities but which are not part of the work. For example,
5407 Corresponding Source includes interface definition files associated
5408 with source files for the work, and the source code for shared
5409 libraries and dynamically linked subprograms that the work is
5410 specifically designed to require, such as by intimate data
5411 communication or control flow between those subprograms and other
5414 The Corresponding Source need not include anything that users can
5415 regenerate automatically from other parts of the Corresponding
5418 The Corresponding Source for a work in source code form is that
5421 2. Basic Permissions.
5423 All rights granted under this License are granted for the term of
5424 copyright on the Program, and are irrevocable provided the stated
5425 conditions are met. This License explicitly affirms your unlimited
5426 permission to run the unmodified Program. The output from running
5427 a covered work is covered by this License only if the output, given
5428 its content, constitutes a covered work. This License acknowledges
5429 your rights of fair use or other equivalent, as provided by
5432 You may make, run and propagate covered works that you do not
5433 convey, without conditions so long as your license otherwise
5434 remains in force. You may convey covered works to others for the
5435 sole purpose of having them make modifications exclusively for you,
5436 or provide you with facilities for running those works, provided
5437 that you comply with the terms of this License in conveying all
5438 material for which you do not control copyright. Those thus making
5439 or running the covered works for you must do so exclusively on your
5440 behalf, under your direction and control, on terms that prohibit
5441 them from making any copies of your copyrighted material outside
5442 their relationship with you.
5444 Conveying under any other circumstances is permitted solely under
5445 the conditions stated below. Sublicensing is not allowed; section
5446 10 makes it unnecessary.
5448 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
5450 No covered work shall be deemed part of an effective technological
5451 measure under any applicable law fulfilling obligations under
5452 article 11 of the WIPO copyright treaty adopted on 20 December
5453 1996, or similar laws prohibiting or restricting circumvention of
5456 When you convey a covered work, you waive any legal power to forbid
5457 circumvention of technological measures to the extent such
5458 circumvention is effected by exercising rights under this License
5459 with respect to the covered work, and you disclaim any intention to
5460 limit operation or modification of the work as a means of
5461 enforcing, against the work's users, your or third parties' legal
5462 rights to forbid circumvention of technological measures.
5464 4. Conveying Verbatim Copies.
5466 You may convey verbatim copies of the Program's source code as you
5467 receive it, in any medium, provided that you conspicuously and
5468 appropriately publish on each copy an appropriate copyright notice;
5469 keep intact all notices stating that this License and any
5470 non-permissive terms added in accord with section 7 apply to the
5471 code; keep intact all notices of the absence of any warranty; and
5472 give all recipients a copy of this License along with the Program.
5474 You may charge any price or no price for each copy that you convey,
5475 and you may offer support or warranty protection for a fee.
5477 5. Conveying Modified Source Versions.
5479 You may convey a work based on the Program, or the modifications to
5480 produce it from the Program, in the form of source code under the
5481 terms of section 4, provided that you also meet all of these
5484 a. The work must carry prominent notices stating that you
5485 modified it, and giving a relevant date.
5487 b. The work must carry prominent notices stating that it is
5488 released under this License and any conditions added under
5489 section 7. This requirement modifies the requirement in
5490 section 4 to "keep intact all notices".
5492 c. You must license the entire work, as a whole, under this
5493 License to anyone who comes into possession of a copy. This
5494 License will therefore apply, along with any applicable
5495 section 7 additional terms, to the whole of the work, and all
5496 its parts, regardless of how they are packaged. This License
5497 gives no permission to license the work in any other way, but
5498 it does not invalidate such permission if you have separately
5501 d. If the work has interactive user interfaces, each must display
5502 Appropriate Legal Notices; however, if the Program has
5503 interactive interfaces that do not display Appropriate Legal
5504 Notices, your work need not make them do so.
5506 A compilation of a covered work with other separate and independent
5507 works, which are not by their nature extensions of the covered
5508 work, and which are not combined with it such as to form a larger
5509 program, in or on a volume of a storage or distribution medium, is
5510 called an "aggregate" if the compilation and its resulting
5511 copyright are not used to limit the access or legal rights of the
5512 compilation's users beyond what the individual works permit.
5513 Inclusion of a covered work in an aggregate does not cause this
5514 License to apply to the other parts of the aggregate.
5516 6. Conveying Non-Source Forms.
5518 You may convey a covered work in object code form under the terms
5519 of sections 4 and 5, provided that you also convey the
5520 machine-readable Corresponding Source under the terms of this
5521 License, in one of these ways:
5523 a. Convey the object code in, or embodied in, a physical product
5524 (including a physical distribution medium), accompanied by the
5525 Corresponding Source fixed on a durable physical medium
5526 customarily used for software interchange.
5528 b. Convey the object code in, or embodied in, a physical product
5529 (including a physical distribution medium), accompanied by a
5530 written offer, valid for at least three years and valid for as
5531 long as you offer spare parts or customer support for that
5532 product model, to give anyone who possesses the object code
5533 either (1) a copy of the Corresponding Source for all the
5534 software in the product that is covered by this License, on a
5535 durable physical medium customarily used for software
5536 interchange, for a price no more than your reasonable cost of
5537 physically performing this conveying of source, or (2) access
5538 to copy the Corresponding Source from a network server at no
5541 c. Convey individual copies of the object code with a copy of the
5542 written offer to provide the Corresponding Source. This
5543 alternative is allowed only occasionally and noncommercially,
5544 and only if you received the object code with such an offer,
5545 in accord with subsection 6b.
5547 d. Convey the object code by offering access from a designated
5548 place (gratis or for a charge), and offer equivalent access to
5549 the Corresponding Source in the same way through the same
5550 place at no further charge. You need not require recipients
5551 to copy the Corresponding Source along with the object code.
5552 If the place to copy the object code is a network server, the
5553 Corresponding Source may be on a different server (operated by
5554 you or a third party) that supports equivalent copying
5555 facilities, provided you maintain clear directions next to the
5556 object code saying where to find the Corresponding Source.
5557 Regardless of what server hosts the Corresponding Source, you
5558 remain obligated to ensure that it is available for as long as
5559 needed to satisfy these requirements.
5561 e. Convey the object code using peer-to-peer transmission,
5562 provided you inform other peers where the object code and
5563 Corresponding Source of the work are being offered to the
5564 general public at no charge under subsection 6d.
5566 A separable portion of the object code, whose source code is
5567 excluded from the Corresponding Source as a System Library, need
5568 not be included in conveying the object code work.
5570 A "User Product" is either (1) a "consumer product", which means
5571 any tangible personal property which is normally used for personal,
5572 family, or household purposes, or (2) anything designed or sold for
5573 incorporation into a dwelling. In determining whether a product is
5574 a consumer product, doubtful cases shall be resolved in favor of
5575 coverage. For a particular product received by a particular user,
5576 "normally used" refers to a typical or common use of that class of
5577 product, regardless of the status of the particular user or of the
5578 way in which the particular user actually uses, or expects or is
5579 expected to use, the product. A product is a consumer product
5580 regardless of whether the product has substantial commercial,
5581 industrial or non-consumer uses, unless such uses represent the
5582 only significant mode of use of the product.
5584 "Installation Information" for a User Product means any methods,
5585 procedures, authorization keys, or other information required to
5586 install and execute modified versions of a covered work in that
5587 User Product from a modified version of its Corresponding Source.
5588 The information must suffice to ensure that the continued
5589 functioning of the modified object code is in no case prevented or
5590 interfered with solely because modification has been made.
5592 If you convey an object code work under this section in, or with,
5593 or specifically for use in, a User Product, and the conveying
5594 occurs as part of a transaction in which the right of possession
5595 and use of the User Product is transferred to the recipient in
5596 perpetuity or for a fixed term (regardless of how the transaction
5597 is characterized), the Corresponding Source conveyed under this
5598 section must be accompanied by the Installation Information. But
5599 this requirement does not apply if neither you nor any third party
5600 retains the ability to install modified object code on the User
5601 Product (for example, the work has been installed in ROM).
5603 The requirement to provide Installation Information does not
5604 include a requirement to continue to provide support service,
5605 warranty, or updates for a work that has been modified or installed
5606 by the recipient, or for the User Product in which it has been
5607 modified or installed. Access to a network may be denied when the
5608 modification itself materially and adversely affects the operation
5609 of the network or violates the rules and protocols for
5610 communication across the network.
5612 Corresponding Source conveyed, and Installation Information
5613 provided, in accord with this section must be in a format that is
5614 publicly documented (and with an implementation available to the
5615 public in source code form), and must require no special password
5616 or key for unpacking, reading or copying.
5618 7. Additional Terms.
5620 "Additional permissions" are terms that supplement the terms of
5621 this License by making exceptions from one or more of its
5622 conditions. Additional permissions that are applicable to the
5623 entire Program shall be treated as though they were included in
5624 this License, to the extent that they are valid under applicable
5625 law. If additional permissions apply only to part of the Program,
5626 that part may be used separately under those permissions, but the
5627 entire Program remains governed by this License without regard to
5628 the additional permissions.
5630 When you convey a copy of a covered work, you may at your option
5631 remove any additional permissions from that copy, or from any part
5632 of it. (Additional permissions may be written to require their own
5633 removal in certain cases when you modify the work.) You may place
5634 additional permissions on material, added by you to a covered work,
5635 for which you have or can give appropriate copyright permission.
5637 Notwithstanding any other provision of this License, for material
5638 you add to a covered work, you may (if authorized by the copyright
5639 holders of that material) supplement the terms of this License with
5642 a. Disclaiming warranty or limiting liability differently from
5643 the terms of sections 15 and 16 of this License; or
5645 b. Requiring preservation of specified reasonable legal notices
5646 or author attributions in that material or in the Appropriate
5647 Legal Notices displayed by works containing it; or
5649 c. Prohibiting misrepresentation of the origin of that material,
5650 or requiring that modified versions of such material be marked
5651 in reasonable ways as different from the original version; or
5653 d. Limiting the use for publicity purposes of names of licensors
5654 or authors of the material; or
5656 e. Declining to grant rights under trademark law for use of some
5657 trade names, trademarks, or service marks; or
5659 f. Requiring indemnification of licensors and authors of that
5660 material by anyone who conveys the material (or modified
5661 versions of it) with contractual assumptions of liability to
5662 the recipient, for any liability that these contractual
5663 assumptions directly impose on those licensors and authors.
5665 All other non-permissive additional terms are considered "further
5666 restrictions" within the meaning of section 10. If the Program as
5667 you received it, or any part of it, contains a notice stating that
5668 it is governed by this License along with a term that is a further
5669 restriction, you may remove that term. If a license document
5670 contains a further restriction but permits relicensing or conveying
5671 under this License, you may add to a covered work material governed
5672 by the terms of that license document, provided that the further
5673 restriction does not survive such relicensing or conveying.
5675 If you add terms to a covered work in accord with this section, you
5676 must place, in the relevant source files, a statement of the
5677 additional terms that apply to those files, or a notice indicating
5678 where to find the applicable terms.
5680 Additional terms, permissive or non-permissive, may be stated in
5681 the form of a separately written license, or stated as exceptions;
5682 the above requirements apply either way.
5686 You may not propagate or modify a covered work except as expressly
5687 provided under this License. Any attempt otherwise to propagate or
5688 modify it is void, and will automatically terminate your rights
5689 under this License (including any patent licenses granted under the
5690 third paragraph of section 11).
5692 However, if you cease all violation of this License, then your
5693 license from a particular copyright holder is reinstated (a)
5694 provisionally, unless and until the copyright holder explicitly and
5695 finally terminates your license, and (b) permanently, if the
5696 copyright holder fails to notify you of the violation by some
5697 reasonable means prior to 60 days after the cessation.
5699 Moreover, your license from a particular copyright holder is
5700 reinstated permanently if the copyright holder notifies you of the
5701 violation by some reasonable means, this is the first time you have
5702 received notice of violation of this License (for any work) from
5703 that copyright holder, and you cure the violation prior to 30 days
5704 after your receipt of the notice.
5706 Termination of your rights under this section does not terminate
5707 the licenses of parties who have received copies or rights from you
5708 under this License. If your rights have been terminated and not
5709 permanently reinstated, you do not qualify to receive new licenses
5710 for the same material under section 10.
5712 9. Acceptance Not Required for Having Copies.
5714 You are not required to accept this License in order to receive or
5715 run a copy of the Program. Ancillary propagation of a covered work
5716 occurring solely as a consequence of using peer-to-peer
5717 transmission to receive a copy likewise does not require
5718 acceptance. However, nothing other than this License grants you
5719 permission to propagate or modify any covered work. These actions
5720 infringe copyright if you do not accept this License. Therefore,
5721 by modifying or propagating a covered work, you indicate your
5722 acceptance of this License to do so.
5724 10. Automatic Licensing of Downstream Recipients.
5726 Each time you convey a covered work, the recipient automatically
5727 receives a license from the original licensors, to run, modify and
5728 propagate that work, subject to this License. You are not
5729 responsible for enforcing compliance by third parties with this
5732 An "entity transaction" is a transaction transferring control of an
5733 organization, or substantially all assets of one, or subdividing an
5734 organization, or merging organizations. If propagation of a
5735 covered work results from an entity transaction, each party to that
5736 transaction who receives a copy of the work also receives whatever
5737 licenses to the work the party's predecessor in interest had or
5738 could give under the previous paragraph, plus a right to possession
5739 of the Corresponding Source of the work from the predecessor in
5740 interest, if the predecessor has it or can get it with reasonable
5743 You may not impose any further restrictions on the exercise of the
5744 rights granted or affirmed under this License. For example, you
5745 may not impose a license fee, royalty, or other charge for exercise
5746 of rights granted under this License, and you may not initiate
5747 litigation (including a cross-claim or counterclaim in a lawsuit)
5748 alleging that any patent claim is infringed by making, using,
5749 selling, offering for sale, or importing the Program or any portion
5754 A "contributor" is a copyright holder who authorizes use under this
5755 License of the Program or a work on which the Program is based.
5756 The work thus licensed is called the contributor's "contributor
5759 A contributor's "essential patent claims" are all patent claims
5760 owned or controlled by the contributor, whether already acquired or
5761 hereafter acquired, that would be infringed by some manner,
5762 permitted by this License, of making, using, or selling its
5763 contributor version, but do not include claims that would be
5764 infringed only as a consequence of further modification of the
5765 contributor version. For purposes of this definition, "control"
5766 includes the right to grant patent sublicenses in a manner
5767 consistent with the requirements of this License.
5769 Each contributor grants you a non-exclusive, worldwide,
5770 royalty-free patent license under the contributor's essential
5771 patent claims, to make, use, sell, offer for sale, import and
5772 otherwise run, modify and propagate the contents of its contributor
5775 In the following three paragraphs, a "patent license" is any
5776 express agreement or commitment, however denominated, not to
5777 enforce a patent (such as an express permission to practice a
5778 patent or covenant not to sue for patent infringement). To "grant"
5779 such a patent license to a party means to make such an agreement or
5780 commitment not to enforce a patent against the party.
5782 If you convey a covered work, knowingly relying on a patent
5783 license, and the Corresponding Source of the work is not available
5784 for anyone to copy, free of charge and under the terms of this
5785 License, through a publicly available network server or other
5786 readily accessible means, then you must either (1) cause the
5787 Corresponding Source to be so available, or (2) arrange to deprive
5788 yourself of the benefit of the patent license for this particular
5789 work, or (3) arrange, in a manner consistent with the requirements
5790 of this License, to extend the patent license to downstream
5791 recipients. "Knowingly relying" means you have actual knowledge
5792 that, but for the patent license, your conveying the covered work
5793 in a country, or your recipient's use of the covered work in a
5794 country, would infringe one or more identifiable patents in that
5795 country that you have reason to believe are valid.
5797 If, pursuant to or in connection with a single transaction or
5798 arrangement, you convey, or propagate by procuring conveyance of, a
5799 covered work, and grant a patent license to some of the parties
5800 receiving the covered work authorizing them to use, propagate,
5801 modify or convey a specific copy of the covered work, then the
5802 patent license you grant is automatically extended to all
5803 recipients of the covered work and works based on it.
5805 A patent license is "discriminatory" if it does not include within
5806 the scope of its coverage, prohibits the exercise of, or is
5807 conditioned on the non-exercise of one or more of the rights that
5808 are specifically granted under this License. You may not convey a
5809 covered work if you are a party to an arrangement with a third
5810 party that is in the business of distributing software, under which
5811 you make payment to the third party based on the extent of your
5812 activity of conveying the work, and under which the third party
5813 grants, to any of the parties who would receive the covered work
5814 from you, a discriminatory patent license (a) in connection with
5815 copies of the covered work conveyed by you (or copies made from
5816 those copies), or (b) primarily for and in connection with specific
5817 products or compilations that contain the covered work, unless you
5818 entered into that arrangement, or that patent license was granted,
5819 prior to 28 March 2007.
5821 Nothing in this License shall be construed as excluding or limiting
5822 any implied license or other defenses to infringement that may
5823 otherwise be available to you under applicable patent law.
5825 12. No Surrender of Others' Freedom.
5827 If conditions are imposed on you (whether by court order, agreement
5828 or otherwise) that contradict the conditions of this License, they
5829 do not excuse you from the conditions of this License. If you
5830 cannot convey a covered work so as to satisfy simultaneously your
5831 obligations under this License and any other pertinent obligations,
5832 then as a consequence you may not convey it at all. For example,
5833 if you agree to terms that obligate you to collect a royalty for
5834 further conveying from those to whom you convey the Program, the
5835 only way you could satisfy both those terms and this License would
5836 be to refrain entirely from conveying the Program.
5838 13. Use with the GNU Affero General Public License.
5840 Notwithstanding any other provision of this License, you have
5841 permission to link or combine any covered work with a work licensed
5842 under version 3 of the GNU Affero General Public License into a
5843 single combined work, and to convey the resulting work. The terms
5844 of this License will continue to apply to the part which is the
5845 covered work, but the special requirements of the GNU Affero
5846 General Public License, section 13, concerning interaction through
5847 a network will apply to the combination as such.
5849 14. Revised Versions of this License.
5851 The Free Software Foundation may publish revised and/or new
5852 versions of the GNU General Public License from time to time. Such
5853 new versions will be similar in spirit to the present version, but
5854 may differ in detail to address new problems or concerns.
5856 Each version is given a distinguishing version number. If the
5857 Program specifies that a certain numbered version of the GNU
5858 General Public License "or any later version" applies to it, you
5859 have the option of following the terms and conditions either of
5860 that numbered version or of any later version published by the Free
5861 Software Foundation. If the Program does not specify a version
5862 number of the GNU General Public License, you may choose any
5863 version ever published by the Free Software Foundation.
5865 If the Program specifies that a proxy can decide which future
5866 versions of the GNU General Public License can be used, that
5867 proxy's public statement of acceptance of a version permanently
5868 authorizes you to choose that version for the Program.
5870 Later license versions may give you additional or different
5871 permissions. However, no additional obligations are imposed on any
5872 author or copyright holder as a result of your choosing to follow a
5875 15. Disclaimer of Warranty.
5877 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
5878 APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
5879 COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
5880 WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
5881 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
5882 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
5883 RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
5884 SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
5885 NECESSARY SERVICING, REPAIR OR CORRECTION.
5887 16. Limitation of Liability.
5889 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
5890 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
5891 AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
5892 DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
5893 CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
5894 THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
5895 BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
5896 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
5897 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
5898 THE POSSIBILITY OF SUCH DAMAGES.
5900 17. Interpretation of Sections 15 and 16.
5902 If the disclaimer of warranty and limitation of liability provided
5903 above cannot be given local legal effect according to their terms,
5904 reviewing courts shall apply local law that most closely
5905 approximates an absolute waiver of all civil liability in
5906 connection with the Program, unless a warranty or assumption of
5907 liability accompanies a copy of the Program in return for a fee.
5909 END OF TERMS AND CONDITIONS
5911 How to Apply These Terms to Your New Programs
5912 =============================================
5914 If you develop a new program, and you want it to be of the greatest
5915 possible use to the public, the best way to achieve this is to make it
5916 free software which everyone can redistribute and change under these
5919 To do so, attach the following notices to the program. It is safest
5920 to attach them to the start of each source file to most effectively
5921 state the exclusion of warranty; and each file should have at least the
5922 "copyright" line and a pointer to where the full notice is found.
5924 ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
5925 Copyright (C) YEAR NAME OF AUTHOR
5927 This program is free software: you can redistribute it and/or modify
5928 it under the terms of the GNU General Public License as published by
5929 the Free Software Foundation, either version 3 of the License, or (at
5930 your option) any later version.
5932 This program is distributed in the hope that it will be useful, but
5933 WITHOUT ANY WARRANTY; without even the implied warranty of
5934 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5935 General Public License for more details.
5937 You should have received a copy of the GNU General Public License
5938 along with this program. If not, see <https://www.gnu.org/licenses/>.
5940 Also add information on how to contact you by electronic and paper mail.
5942 If the program does terminal interaction, make it output a short notice
5943 like this when it starts in an interactive mode:
5945 PROGRAM Copyright (C) YEAR NAME OF AUTHOR
5946 This program comes with ABSOLUTELY NO WARRANTY; for details
5947 type 'show w'. This is free software, and you are
5948 welcome to redistribute it under certain conditions;
5949 type 'show c' for details.
5951 The hypothetical commands 'show w' and 'show c' should show the
5952 appropriate parts of the General Public License. Of course, your
5953 program's commands might be different; for a GUI interface, you would
5956 You should also get your employer (if you work as a programmer) or
5957 school, if any, to sign a "copyright disclaimer" for the program, if
5958 necessary. For more information on this, and how to apply and follow
5959 the GNU GPL, see <https://www.gnu.org/licenses/>.
5961 The GNU General Public License does not permit incorporating your
5962 program into proprietary programs. If your program is a subroutine
5963 library, you may consider it more useful to permit linking proprietary
5964 applications with the library. If this is what you want to do, use the
5965 GNU Lesser General Public License instead of this License. But first,
5966 please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
5969 File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
5971 Contributors to GnuPG
5972 *********************
5974 The GnuPG project would like to thank its many contributors. Without
5975 them the project would not have been nearly as successful as it has
5976 been. Any omissions in this list are accidental. Feel free to contact
5977 the maintainer if you have been left out or some of your contributions
5980 David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
5981 Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
5982 wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
5983 Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc László,
5984 Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander Urbanowicz,
5985 Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda Procha'zkova',
5986 Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun Belma Buguner,
5987 Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann, Rafael Caetano dos
5988 Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki IIDA did the
5989 official translations. Mike Ashley wrote and maintains the GNU Privacy
5990 Handbook. David Scribner is the current FAQ editor. Lorenzo
5991 Cappelletti maintains the web site.
5993 The new modularized architecture of gnupg 1.9 as well as the
5994 X.509/CMS part has been developed as part of the Ägypten project.
5995 Direct contributors to this project are: Bernhard Herzog, who did
5996 extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
5997 made sure that we met the specifications and the deadlines. He did
5998 extensive testing and came up with a lot of suggestions. Jan-Oliver
5999 Wagner made sure that we met the specifications and the deadlines. He
6000 also did extensive testing and came up with a lot of suggestions.
6001 Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
6002 misconceptions while working on KDE integration. Marcus Brinkman
6003 extended GPGME, cleaned up the Assuan code and fixed bugs all over the
6004 place. Moritz Schulte took over Libgcrypt maintenance and developed it
6005 into a stable an useful library. Steffen Hansen had a hard time to
6006 write the dirmngr due to underspecified interfaces. Thomas Koester did
6007 extensive testing and tracked down a lot of bugs. Werner Koch designed
6008 the system and wrote most of the code.
6010 The following people helped greatly by suggesting improvements,
6011 testing, fixing bugs, providing resources and doing other important
6012 tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
6013 Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
6014 Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
6015 Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
6016 Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
6017 Christian Kurz, Christian von Roques, Christopher Oliver, Christian
6018 Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
6019 David C Niemi, David Champion, David Ellement, David Hallinan, David
6020 Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
6021 Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
6022 Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
6023 Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
6024 Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
6025 Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
6026 Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
6027 Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
6028 Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
6029 Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
6030 Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
6031 Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
6032 MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
6033 John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
6034 Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
6035 Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
6036 Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
6037 M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
6038 Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
6039 Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
6040 Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
6041 Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
6042 Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
6043 Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
6044 Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
6045 Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
6046 Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
6047 Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
6048 Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
6049 Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
6050 Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
6051 Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
6052 Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
6053 Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
6054 Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
6055 Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
6056 Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
6057 Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
6058 Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
6061 This software has been made possible by the previous work of Chris
6062 Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
6063 Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
6064 Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
6065 mathematicians and all the folks who have worked hard to create complete
6066 and free operating systems.
6068 And finally we'd like to thank everyone who uses these tools, submits
6069 bug reports and generally reminds us why we're doing this work in the
6073 File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
6079 The _Authority Revocation List_ is technical identical to a CRL but
6080 used for CAs and not for end user certificates.
6083 Verification model for X.509 which uses the creation date of a
6084 signature as the date the validation starts and in turn checks that
6085 each certificate has been issued within the time frame, the issuing
6086 certificate was valid. This allows the verification of signatures
6087 after the CA's certificate expired. The validation test also
6088 required an online check of the certificate status. The chain
6089 model is required by the German signature law. See also _Shell
6093 The _Cryptographic Message Standard_ describes a message format for
6094 encryption and digital signing. It is closely related to the X.509
6095 certificate format. CMS was formerly known under the name 'PKCS#7'
6096 and is described by 'RFC3369'.
6099 The _Certificate Revocation List_ is a list containing certificates
6100 revoked by the issuer.
6103 The _Certificate Signing Request_ is a message send to a CA to ask
6104 them to issue a new certificate. The data format of such a signing
6105 request is called PCKS#10.
6108 A data format used to build a PKI and to exchange encrypted or
6109 signed messages. In contrast to X.509, OpenPGP also includes the
6110 message format but does not explicitly demand a specific PKI.
6111 However any kind of PKI may be build upon the OpenPGP protocol.
6114 This term is used by GnuPG to describe a 20 byte hash value used to
6115 identify a certain key without referencing to a concrete protocol.
6116 It is used internally to access a private key. Usually it is shown
6117 and entered as a 40 character hexadecimal formatted string.
6120 The _Online Certificate Status Protocol_ is used as an alternative
6121 to a CRL. It is described in 'RFC 2560'.
6124 The _Personal Security Environment_ describes a database to store
6125 private keys. This is either a smartcard or a collection of files
6126 on a disk; the latter is often called a Soft-PSE.
6129 The standard model for validation of certificates under X.509. At
6130 the time of the verification all certificates must be valid and not
6131 expired. See also _Chain model_.
6134 Description of a PKI used with CMS. It is for example defined by
6138 File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
6146 * --no-history: gpg-card. (line 59)
6147 * --no-history <1>: Invoking gpg-connect-agent.
6149 * add-desig-revoker: GPG Configuration Options.
6151 * add-revocs: gpg-wks-client. (line 128)
6152 * add-servers: Dirmngr Options. (line 319)
6153 * agent-program: GPG Configuration Options.
6155 * agent-program <1>: Configuration Options.
6157 * agent-program <2>: gpg-card. (line 64)
6158 * agent-program <3>: Invoking gpg-connect-agent.
6160 * allow-admin: Scdaemon Options. (line 176)
6161 * allow-emacs-pinentry: Agent Options. (line 189)
6162 * allow-freeform-uid: GPG Esoteric Options.
6164 * allow-loopback-pinentry: Agent Options. (line 171)
6165 * allow-non-selfsigned-uid: GPG Esoteric Options.
6167 * allow-ocsp: Dirmngr Options. (line 340)
6168 * allow-old-cipher-algos: GPG Esoteric Options.
6170 * allow-preset-passphrase: Agent Options. (line 166)
6171 * allow-secret-key-import: GPG Esoteric Options.
6173 * allow-version-check: Dirmngr Options. (line 145)
6174 * allow-weak-digest-algos: GPG Esoteric Options.
6176 * allow-weak-key-signatures: GPG Esoteric Options.
6178 * always-trust: GPG Configuration Options.
6180 * application-priority: Scdaemon Options. (line 191)
6181 * armor: GPG Input and Output.
6183 * armor <1>: Input and Output. (line 8)
6184 * ask-cert-expire: GPG Esoteric Options.
6186 * ask-cert-level: GPG Configuration Options.
6188 * ask-sig-expire: GPG Esoteric Options.
6190 * assert-signer: GPG Configuration Options.
6192 * assume-armor: Input and Output. (line 14)
6193 * assume-base64: Input and Output. (line 18)
6194 * assume-binary: Input and Output. (line 21)
6195 * attribute-fd: GPG Esoteric Options.
6197 * attribute-file: GPG Esoteric Options.
6199 * authenticate: gpg-card. (line 94)
6200 * auto-check-trustdb: GPG Configuration Options.
6202 * auto-expand-secmem: Agent Options. (line 461)
6203 * auto-issuer-key-retrieve: Certificate Options. (line 62)
6204 * auto-key-import: GPG Configuration Options.
6206 * auto-key-locate: GPG Configuration Options.
6208 * auto-key-retrieve: GPG Configuration Options.
6210 * base64: Input and Output. (line 11)
6211 * batch: Agent Options. (line 48)
6212 * batch <1>: GPG Configuration Options.
6214 * batch <2>: gpgtar. (line 107)
6215 * blacklist: gpg-wks-client. (line 121)
6216 * bzip2-compress-level: GPG Configuration Options.
6218 * bzip2-decompress-lowmem: GPG Configuration Options.
6220 * c: Dirmngr Options. (line 94)
6221 * cache-cert: dirmngr-client. (line 72)
6222 * cafpr: gpg-card. (line 102)
6223 * call-dirmngr: Operational GPGSM Commands.
6225 * call-protect-tool: Operational GPGSM Commands.
6227 * card-edit: Operational GPG Commands.
6229 * card-status: Operational GPG Commands.
6231 * card-timeout: Scdaemon Options. (line 160)
6232 * cert-digest-algo: GPG Esoteric Options.
6234 * cert-notation: GPG Esoteric Options.
6236 * cert-policy-url: GPG Esoteric Options.
6238 * change-passphrase: OpenPGP Key Management.
6240 * change-passphrase <1>: Certificate Management.
6242 * change-pin: Operational GPG Commands.
6244 * check: gpg-check-pattern. (line 56)
6245 * check-passphrase-pattern: Agent Options. (line 243)
6246 * check-signatures: Operational GPG Commands.
6248 * check-sigs: Operational GPG Commands.
6250 * check-sym-passphrase-pattern: Agent Options. (line 243)
6251 * check-trustdb: Operational GPG Commands.
6253 * chuid: GPG Esoteric Options.
6255 * chuid <1>: Esoteric Options. (line 7)
6256 * chuid <2>: gpg-card. (line 75)
6257 * chuid <3>: Invoking gpgconf. (line 141)
6258 * chuid <4>: Invoking gpg-connect-agent.
6260 * chunk-size: GPG Input and Output.
6262 * cipher-algo: GPG Esoteric Options.
6264 * cipher-algo <1>: CMS Options. (line 13)
6265 * clear-sign: Operational GPG Commands.
6267 * clearsign: Operational GPG Commands.
6269 * cms: gpgtar. (line 102)
6270 * command-fd: GPG Esoteric Options.
6272 * command-file: GPG Esoteric Options.
6274 * comment: GPG Esoteric Options.
6276 * compatibility-flags: Dirmngr Options. (line 34)
6277 * compatibility-flags <1>: GPG Esoteric Options.
6279 * compatibility-flags <2>: Esoteric Options. (line 66)
6280 * compliance: Compliance Options. (line 60)
6281 * compliance <1>: Esoteric Options. (line 27)
6282 * compliant-needed: GPG Configuration Options.
6284 * compress-algo: GPG Esoteric Options.
6286 * compress-level: GPG Configuration Options.
6288 * connect-quick-timeout: Dirmngr Options. (line 132)
6289 * connect-timeout: Dirmngr Options. (line 132)
6290 * create: gpgtar. (line 16)
6291 * create-socketdir: Invoking gpgconf. (line 96)
6292 * csh: Agent Options. (line 129)
6293 * csh <1>: Dirmngr Options. (line 94)
6294 * ctapi-driver: Scdaemon Options. (line 137)
6295 * daemon: Agent Commands. (line 27)
6296 * daemon <1>: Dirmngr Commands. (line 27)
6297 * daemon <2>: Scdaemon Commands. (line 31)
6298 * dearmor: Operational GPG Commands.
6300 * debug: Agent Options. (line 82)
6301 * debug <1>: Dirmngr Options. (line 66)
6302 * debug <2>: GPG Esoteric Options.
6304 * debug <3>: Esoteric Options. (line 99)
6305 * debug <4>: Scdaemon Options. (line 69)
6306 * debug-all: Agent Options. (line 89)
6307 * debug-all <1>: Dirmngr Options. (line 73)
6308 * debug-all <2>: GPG Esoteric Options.
6310 * debug-all <3>: Esoteric Options. (line 109)
6311 * debug-all <4>: Scdaemon Options. (line 76)
6312 * debug-allow-core-dump: Esoteric Options. (line 112)
6313 * debug-allow-core-dump <1>: Scdaemon Options. (line 93)
6314 * debug-allow-large-chunks: GPG Esoteric Options.
6316 * debug-assuan-log-cats: Scdaemon Options. (line 102)
6317 * debug-disable-ticker: Scdaemon Options. (line 89)
6318 * debug-ignore-expiration: GPG Esoteric Options.
6320 * debug-ignore-expiration <1>: Esoteric Options. (line 123)
6321 * debug-iolbf: GPG Esoteric Options.
6323 * debug-iolbf <1>: GPG Esoteric Options.
6325 * debug-level: Agent Options. (line 57)
6326 * debug-level <1>: Dirmngr Options. (line 41)
6327 * debug-level <2>: GPG Esoteric Options.
6329 * debug-level <3>: Esoteric Options. (line 74)
6330 * debug-level <4>: Scdaemon Options. (line 40)
6331 * debug-log-tid: Scdaemon Options. (line 99)
6332 * debug-no-chain-validation: Esoteric Options. (line 119)
6333 * debug-pinentry: Agent Options. (line 109)
6334 * debug-quick-random: Agent Options. (line 97)
6335 * debug-wait: Agent Options. (line 92)
6336 * debug-wait <1>: Dirmngr Options. (line 81)
6337 * debug-wait <2>: Scdaemon Options. (line 79)
6338 * debug-wait <3>: Scdaemon Options. (line 84)
6339 * decode: Invoking gpg-connect-agent.
6341 * decrypt: Operational GPG Commands.
6343 * decrypt <1>: Operational GPGSM Commands.
6345 * decrypt <2>: gpgtar. (line 30)
6346 * decrypt-files: Operational GPG Commands.
6348 * default-cache-ttl: Agent Options. (line 200)
6349 * default-cache-ttl <1>: Agent Options. (line 209)
6350 * default-cert-expire: GPG Esoteric Options.
6352 * default-cert-level: GPG Configuration Options.
6354 * default-key: GPG Configuration Options.
6356 * default-key <1>: Input and Output. (line 40)
6357 * default-keyserver-url: GPG Esoteric Options.
6359 * default-new-key-algo STRING: GPG Esoteric Options.
6361 * default-preference-list: GPG Esoteric Options.
6363 * default-recipient: GPG Configuration Options.
6365 * default-recipient-self: GPG Configuration Options.
6367 * default-sig-expire: GPG Esoteric Options.
6369 * delete-keys: Operational GPG Commands.
6371 * delete-keys <1>: Certificate Management.
6373 * delete-secret-and-public-key: Operational GPG Commands.
6375 * delete-secret-keys: Operational GPG Commands.
6377 * deny-admin: Scdaemon Options. (line 176)
6378 * desig-revoke: OpenPGP Key Management.
6380 * detach-sign: Operational GPG Commands.
6382 * digest-algo: GPG Esoteric Options.
6384 * directory: gpgtar. (line 79)
6385 * directory <1>: gpg-wks-client. (line 117)
6386 * directory <2>: gpg-wks-server. (line 50)
6387 * dirmngr: Invoking gpg-connect-agent.
6389 * dirmngr-program: GPG Configuration Options.
6391 * dirmngr-program <1>: Configuration Options.
6393 * dirmngr-program <2>: Invoking gpg-connect-agent.
6395 * disable-application: Scdaemon Options. (line 186)
6396 * disable-ccid: Scdaemon Options. (line 142)
6397 * disable-check-own-socket: Agent Options. (line 325)
6398 * disable-check-own-socket <1>: Dirmngr Options. (line 86)
6399 * disable-cipher-algo: GPG Esoteric Options.
6401 * disable-crl-checks: Certificate Options. (line 13)
6402 * disable-dsa2: GPG Configuration Options.
6404 * disable-extended-key-format: Agent Options. (line 371)
6405 * disable-http: Dirmngr Options. (line 223)
6406 * disable-ipv4: Dirmngr Options. (line 217)
6407 * disable-ipv6: Dirmngr Options. (line 217)
6408 * disable-large-rsa: GPG Configuration Options.
6410 * disable-ldap: Dirmngr Options. (line 220)
6411 * disable-mdc: OpenPGP Options. (line 32)
6412 * disable-ocsp: Certificate Options. (line 53)
6413 * disable-pinpad: Scdaemon Options. (line 173)
6414 * disable-policy-checks: Certificate Options. (line 8)
6415 * disable-pubkey-algo: GPG Esoteric Options.
6417 * disable-scdaemon: Agent Options. (line 319)
6418 * disable-signer-uid: OpenPGP Options. (line 39)
6419 * disable-trusted-cert-crl-check: Certificate Options. (line 24)
6420 * display: Agent Options. (line 343)
6421 * display-charset: GPG Configuration Options.
6423 * display-charset:iso-8859-1: GPG Configuration Options.
6425 * display-charset:iso-8859-15: GPG Configuration Options.
6427 * display-charset:iso-8859-2: GPG Configuration Options.
6429 * display-charset:koi8-r: GPG Configuration Options.
6431 * display-charset:utf-8: GPG Configuration Options.
6433 * dry-run: GPG Esoteric Options.
6435 * dry-run <1>: gpgtar. (line 75)
6436 * dump-cert: Certificate Management.
6438 * dump-chain: Certificate Management.
6440 * dump-external-keys: Certificate Management.
6442 * dump-keys: Certificate Management.
6444 * dump-options: Agent Commands. (line 19)
6445 * dump-options <1>: Dirmngr Commands. (line 18)
6446 * dump-options <2>: General GPG Commands.
6448 * dump-options <3>: General GPGSM Commands.
6450 * dump-options <4>: Scdaemon Commands. (line 18)
6451 * dump-secret-keys: Certificate Management.
6453 * edit-card: Operational GPG Commands.
6455 * edit-key: OpenPGP Key Management.
6457 * emit-version: GPG Esoteric Options.
6459 * enable-crl-checks: Certificate Options. (line 13)
6460 * enable-dsa2: GPG Configuration Options.
6462 * enable-extended-key-format: Agent Options. (line 371)
6463 * enable-issuer-based-crl-check: Certificate Options. (line 45)
6464 * enable-large-rsa: GPG Configuration Options.
6466 * enable-ocsp: Certificate Options. (line 53)
6467 * enable-passphrase-history: Agent Options. (line 266)
6468 * enable-pinpad-varlen: Scdaemon Options. (line 165)
6469 * enable-policy-checks: Certificate Options. (line 8)
6470 * enable-progress-filter: GPG Esoteric Options.
6472 * enable-putty-support: Agent Options. (line 378)
6473 * enable-special-filenames: GPG Esoteric Options.
6475 * enable-special-filenames <1>: gpgv. (line 97)
6476 * enable-ssh-support: Agent Options. (line 378)
6477 * enable-trusted-cert-crl-check: Certificate Options. (line 24)
6478 * enarmor: Operational GPG Commands.
6480 * encrypt: Operational GPG Commands.
6482 * encrypt <1>: Operational GPGSM Commands.
6484 * encrypt <2>: gpgtar. (line 24)
6485 * encrypt-files: Operational GPG Commands.
6487 * encrypt-to: GPG Key related Options.
6489 * enforce-passphrase-constraints: Agent Options. (line 227)
6490 * escape-from-lines: GPG Esoteric Options.
6492 * exec: Invoking gpg-connect-agent.
6494 * exec-path: GPG Configuration Options.
6496 * exit-on-status-write-error: GPG Configuration Options.
6498 * expert: GPG Configuration Options.
6500 * export: Operational GPG Commands.
6502 * export <1>: Certificate Management.
6504 * export-filter: GPG Input and Output.
6506 * export-options: GPG Input and Output.
6508 * export-ownertrust: Operational GPG Commands.
6510 * export-secret-key-p12: Certificate Management.
6512 * export-secret-key-p8: Certificate Management.
6514 * export-secret-key-raw: Certificate Management.
6516 * export-secret-keys: Operational GPG Commands.
6518 * export-secret-subkeys: Operational GPG Commands.
6520 * export-ssh-key: Operational GPG Commands.
6522 * extra-digest-algo: Esoteric Options. (line 16)
6523 * extra-socket: Agent Options. (line 357)
6524 * extract: gpgtar. (line 19)
6525 * factory-reset: gpg-card. (line 107)
6526 * faked-system-time: Agent Options. (line 52)
6527 * faked-system-time <1>: GPG Esoteric Options.
6529 * faked-system-time <2>: Esoteric Options. (line 55)
6530 * fast-list-mode: GPG Esoteric Options.
6532 * fetch: gpg-card. (line 112)
6533 * fetch-crl: Dirmngr Commands. (line 50)
6534 * fetch-keys: Operational GPG Commands.
6536 * fingerprint: Operational GPG Commands.
6538 * fixed-list-mode: GPG Input and Output.
6540 * flush: Dirmngr Commands. (line 60)
6541 * for-your-eyes-only: GPG Esoteric Options.
6543 * forbid-gen-key: GPG Esoteric Options.
6545 * force: Dirmngr Options. (line 100)
6546 * force <1>: watchgnupg. (line 31)
6547 * force-aead: OpenPGP Options. (line 25)
6548 * force-crl-refresh: Certificate Options. (line 35)
6549 * force-default-responder: dirmngr-client. (line 64)
6550 * force-mdc: OpenPGP Options. (line 32)
6551 * force-ocb: OpenPGP Options. (line 25)
6552 * force-sign-key: GPG Esoteric Options.
6554 * forcesig: gpg-card. (line 116)
6555 * forget: Invoking gpg-preset-passphrase.
6557 * from: gpg-wks-server. (line 54)
6558 * full-gen-key: OpenPGP Key Management.
6560 * full-generate-key: OpenPGP Key Management.
6562 * full-timestrings: GPG Esoteric Options.
6564 * gen-key: OpenPGP Key Management.
6566 * gen-key <1>: Certificate Management.
6568 * gen-prime: Operational GPG Commands.
6570 * gen-random: Operational GPG Commands.
6572 * gen-revoke: OpenPGP Key Management.
6574 * generate: gpg-card. (line 119)
6575 * generate-designated-revocation: OpenPGP Key Management.
6577 * generate-key: OpenPGP Key Management.
6579 * generate-key <1>: Certificate Management.
6581 * generate-revocation: OpenPGP Key Management.
6583 * gnupg: Compliance Options. (line 12)
6584 * gpg: gpgtar. (line 143)
6585 * gpg-agent-info: GPG Configuration Options.
6587 * gpg-args: gpgtar. (line 146)
6588 * gpg-program: gpg-card. (line 69)
6589 * gpgconf-list: GPG Esoteric Options.
6591 * gpgconf-test: GPG Esoteric Options.
6593 * gpgsm-program: gpg-card. (line 72)
6594 * grab: Agent Options. (line 136)
6595 * group: GPG Key related Options.
6597 * header: gpg-wks-server. (line 57)
6598 * help: Agent Commands. (line 15)
6599 * help <1>: Dirmngr Commands. (line 14)
6600 * help <2>: General GPG Commands.
6602 * help <3>: General GPGSM Commands.
6604 * help <4>: Scdaemon Commands. (line 14)
6605 * help <5>: gpg-card. (line 50)
6606 * help <6>: watchgnupg. (line 55)
6607 * help <7>: dirmngr-client. (line 44)
6608 * help <8>: gpgtar. (line 161)
6609 * help <9>: gpg-wks-client. (line 144)
6610 * help <10>: gpg-wks-server. (line 87)
6611 * hex: Invoking gpg-connect-agent.
6613 * hidden-encrypt-to: GPG Key related Options.
6615 * hidden-recipient: GPG Key related Options.
6617 * hidden-recipient-file: GPG Key related Options.
6619 * homedir: Agent Options. (line 17)
6620 * homedir <1>: GPG Configuration Options.
6622 * homedir <2>: Configuration Options.
6624 * homedir <3>: Scdaemon Options. (line 13)
6625 * homedir <4>: gpgv. (line 69)
6626 * homedir <5>: Invoking gpgconf. (line 120)
6627 * homedir <6>: Invoking gpg-connect-agent.
6629 * honor-http-proxy: Dirmngr Options. (line 242)
6630 * http-proxy: Dirmngr Options. (line 246)
6631 * ignore-cache-for-signing: Agent Options. (line 194)
6632 * ignore-cert: Dirmngr Options. (line 407)
6633 * ignore-cert-extension: Dirmngr Options. (line 389)
6634 * ignore-cert-extension <1>: Certificate Options. (line 84)
6635 * ignore-cert-with-oid: Esoteric Options. (line 46)
6636 * ignore-crc-error: GPG Esoteric Options.
6638 * ignore-crl-extension: Dirmngr Options. (line 399)
6639 * ignore-http-dp: Dirmngr Options. (line 226)
6640 * ignore-ldap-dp: Dirmngr Options. (line 233)
6641 * ignore-mdc-error: GPG Esoteric Options.
6643 * ignore-ocsp-service-url: Dirmngr Options. (line 238)
6644 * ignore-time-conflict: GPG Esoteric Options.
6646 * ignore-time-conflict <1>: gpgv. (line 63)
6647 * ignore-valid-from: GPG Esoteric Options.
6649 * import: Operational GPG Commands.
6651 * import <1>: Certificate Management.
6653 * import-filter: GPG Input and Output.
6655 * import-options: GPG Input and Output.
6657 * import-ownertrust: Operational GPG Commands.
6659 * include-certs: CMS Options. (line 7)
6660 * include-key-block: OpenPGP Options. (line 47)
6661 * input-size-hint: GPG Input and Output.
6663 * input-size-hint <1>: Input and Output. (line 24)
6664 * interactive: GPG Esoteric Options.
6666 * kdf-setup: gpg-card. (line 126)
6667 * keep-display: Agent Options. (line 348)
6668 * keep-tty: Agent Options. (line 348)
6669 * key-origin: GPG Input and Output.
6671 * keyboxd: Invoking gpg-connect-agent.
6673 * keyboxd-program: Invoking gpg-connect-agent.
6675 * keydb-clear-some-cert-flags: Certificate Management.
6677 * keyedit:addadsk: OpenPGP Key Management.
6679 * keyedit:addcardkey: OpenPGP Key Management.
6681 * keyedit:addkey: OpenPGP Key Management.
6683 * keyedit:addphoto: OpenPGP Key Management.
6685 * keyedit:addrevoker: OpenPGP Key Management.
6687 * keyedit:adduid: OpenPGP Key Management.
6689 * keyedit:bkuptocard: OpenPGP Key Management.
6691 * keyedit:change-usage: OpenPGP Key Management.
6693 * keyedit:check: OpenPGP Key Management.
6695 * keyedit:clean: OpenPGP Key Management.
6697 * keyedit:cross-certify: OpenPGP Key Management.
6699 * keyedit:delkey: OpenPGP Key Management.
6701 * keyedit:delsig: OpenPGP Key Management.
6703 * keyedit:deluid: OpenPGP Key Management.
6705 * keyedit:disable: OpenPGP Key Management.
6707 * keyedit:enable: OpenPGP Key Management.
6709 * keyedit:expire: OpenPGP Key Management.
6711 * keyedit:key: OpenPGP Key Management.
6713 * keyedit:keyserver: OpenPGP Key Management.
6715 * keyedit:keytocard: OpenPGP Key Management.
6717 * keyedit:keytotpm: OpenPGP Key Management.
6719 * keyedit:lsign: OpenPGP Key Management.
6721 * keyedit:minimize: OpenPGP Key Management.
6723 * keyedit:notation: OpenPGP Key Management.
6725 * keyedit:nrsign: OpenPGP Key Management.
6727 * keyedit:passwd: OpenPGP Key Management.
6729 * keyedit:pref: OpenPGP Key Management.
6731 * keyedit:primary: OpenPGP Key Management.
6733 * keyedit:quit: OpenPGP Key Management.
6735 * keyedit:revkey: OpenPGP Key Management.
6737 * keyedit:revsig: OpenPGP Key Management.
6739 * keyedit:revuid: OpenPGP Key Management.
6741 * keyedit:save: OpenPGP Key Management.
6743 * keyedit:setpref: OpenPGP Key Management.
6745 * keyedit:showphoto: OpenPGP Key Management.
6747 * keyedit:showpref: OpenPGP Key Management.
6749 * keyedit:sign: OpenPGP Key Management.
6751 * keyedit:toggle: OpenPGP Key Management.
6753 * keyedit:trust: OpenPGP Key Management.
6755 * keyedit:tsign: OpenPGP Key Management.
6757 * keyedit:uid: OpenPGP Key Management.
6759 * keyid-format: GPG Configuration Options.
6761 * keyring: GPG Configuration Options.
6763 * keyring <1>: gpgv. (line 38)
6764 * keyserver: Dirmngr Options. (line 155)
6765 * keyserver <1>: GPG Configuration Options.
6767 * keyserver <2>: Configuration Options.
6769 * keyserver-options: GPG Configuration Options.
6771 * kill: Invoking gpgconf. (line 89)
6772 * known-notation: GPG Esoteric Options.
6774 * lang: gpg-card. (line 129)
6775 * launch: Invoking gpgconf. (line 80)
6776 * lc-ctype: Agent Options. (line 343)
6777 * lc-messages: Agent Options. (line 343)
6778 * ldap-proxy: Dirmngr Options. (line 251)
6779 * ldapserver: Dirmngr Options. (line 281)
6780 * ldapserverlist-file: Dirmngr Options. (line 262)
6781 * ldaptimeout: Dirmngr Options. (line 315)
6782 * learn-card: Certificate Management.
6784 * legacy-list-mode: GPG Input and Output.
6786 * limit-card-insert-tries: GPG Configuration Options.
6788 * list: gpg-card. (line 136)
6789 * list-archive: gpgtar. (line 41)
6790 * list-chain: Certificate Management.
6792 * list-config: GPG Esoteric Options.
6794 * list-crls: Dirmngr Commands. (line 38)
6795 * list-filter: GPG Configuration Options.
6797 * list-gcrypt-config: GPG Esoteric Options.
6799 * list-keys: Operational GPG Commands.
6801 * list-keys <1>: Certificate Management.
6803 * list-keys <2>: Certificate Management.
6805 * list-only: GPG Esoteric Options.
6807 * list-options: GPG Configuration Options.
6809 * list-options:show-keyring: GPG Configuration Options.
6811 * list-options:show-keyserver-urls: GPG Configuration Options.
6813 * list-options:show-notations: GPG Configuration Options.
6815 * list-options:show-only-fpr-mbox: GPG Configuration Options.
6817 * list-options:show-photos: GPG Configuration Options.
6819 * list-options:show-policy-urls: GPG Configuration Options.
6821 * list-options:show-sig-expire: GPG Configuration Options.
6823 * list-options:show-sig-subpackets: GPG Configuration Options.
6825 * list-options:show-std-notations: GPG Configuration Options.
6827 * list-options:show-uid-validity: GPG Configuration Options.
6829 * list-options:show-unusable-sigs: GPG Configuration Options.
6831 * list-options:show-unusable-subkeys: GPG Configuration Options.
6833 * list-options:show-unusable-uids: GPG Configuration Options.
6835 * list-options:show-usage: GPG Configuration Options.
6837 * list-options:show-user-notations: GPG Configuration Options.
6839 * list-options:sort-sigs: GPG Configuration Options.
6841 * list-packets: Operational GPG Commands.
6843 * list-secret-keys: Operational GPG Commands.
6845 * list-secret-keys <1>: Certificate Management.
6847 * list-signatures: GPG Esoteric Options.
6849 * list-sigs: GPG Esoteric Options.
6851 * listen-backlog: Agent Options. (line 353)
6852 * listen-backlog <1>: Dirmngr Options. (line 141)
6853 * listen-backlog <2>: Scdaemon Options. (line 115)
6854 * load-crl: Dirmngr Commands. (line 42)
6855 * load-crl <1>: dirmngr-client. (line 80)
6856 * local-user: GPG Key related Options.
6858 * local-user <1>: Input and Output. (line 47)
6859 * local-user <2>: gpgtar. (line 56)
6860 * locate-external-keys: Operational GPG Commands.
6862 * locate-keys: Operational GPG Commands.
6864 * lock-multiple: GPG Configuration Options.
6866 * lock-never: GPG Configuration Options.
6868 * lock-once: GPG Configuration Options.
6870 * log-file: Agent Options. (line 142)
6871 * log-file <1>: Dirmngr Options. (line 30)
6872 * log-file <2>: GPG Esoteric Options.
6874 * log-file <3>: Configuration Options.
6876 * log-file <4>: Scdaemon Options. (line 120)
6877 * log-file <5>: gpgv. (line 59)
6878 * log-time: GPG Esoteric Options.
6880 * log-time <1>: Configuration Options.
6882 * logger-fd: GPG Esoteric Options.
6884 * logger-fd <1>: gpgv. (line 56)
6885 * login: gpg-card. (line 153)
6886 * lookup: dirmngr-client. (line 86)
6887 * lsign-key: OpenPGP Key Management.
6889 * mangle-dos-filenames: GPG Configuration Options.
6891 * marginals-needed: GPG Configuration Options.
6893 * max-cache-ttl: Agent Options. (line 215)
6894 * max-cache-ttl-ssh: Agent Options. (line 221)
6895 * max-cert-depth: GPG Configuration Options.
6897 * max-output: GPG Input and Output.
6899 * max-passphrase-days: Agent Options. (line 261)
6900 * max-replies: Dirmngr Options. (line 386)
6901 * min-cert-level: GPG Configuration Options.
6903 * min-passphrase-len: Agent Options. (line 231)
6904 * min-passphrase-nonalpha: Agent Options. (line 236)
6905 * min-rsa-length: Compliance Options. (line 65)
6906 * min-rsa-length <1>: Esoteric Options. (line 31)
6907 * multi-server: Scdaemon Commands. (line 26)
6908 * multifile: Operational GPG Commands.
6910 * name: gpg-card. (line 159)
6911 * nameserver: Dirmngr Options. (line 209)
6912 * no: GPG Configuration Options.
6914 * no <1>: gpgtar. (line 116)
6915 * no-add-revocs: gpg-wks-client. (line 128)
6916 * no-allow-external-cache: Agent Options. (line 179)
6917 * no-allow-loopback-pinentry: Agent Options. (line 171)
6918 * no-allow-mark-trusted: Agent Options. (line 150)
6919 * no-armor: GPG Input and Output.
6921 * no-auto-key-import: GPG Configuration Options.
6923 * no-auto-key-retrieve: GPG Configuration Options.
6925 * no-auto-trust-new-key: GPG Esoteric Options.
6927 * no-autostart: GPG Configuration Options.
6929 * no-autostart <1>: Configuration Options.
6931 * no-autostart <2>: gpg-card. (line 53)
6932 * no-autostart <3>: Invoking gpg-connect-agent.
6934 * no-batch: GPG Configuration Options.
6936 * no-common-certs-import: Esoteric Options. (line 160)
6937 * no-compress: GPG Configuration Options.
6939 * no-compress <1>: gpgtar. (line 138)
6940 * no-default-keyring: GPG Esoteric Options.
6942 * no-default-recipient: GPG Configuration Options.
6944 * no-detach: Agent Options. (line 114)
6945 * no-detach <1>: Scdaemon Options. (line 111)
6946 * no-encrypt-to: GPG Key related Options.
6948 * no-expensive-trust-checks: GPG Esoteric Options.
6950 * no-ext-connect: Invoking gpg-connect-agent.
6952 * no-grab: Agent Options. (line 136)
6953 * no-greeting: GPG Configuration Options.
6955 * no-groups: GPG Key related Options.
6957 * no-include-key-block: OpenPGP Options. (line 47)
6958 * no-keyring: GPG Esoteric Options.
6960 * no-literal: GPG Esoteric Options.
6962 * no-mangle-dos-filenames: GPG Configuration Options.
6964 * no-options: GPG Configuration Options.
6966 * no-pretty-dn: Input and Output. (line 88)
6967 * no-random-seed-file: GPG Configuration Options.
6969 * no-secmem-warning: GPG Configuration Options.
6971 * no-secmem-warning <1>: Configuration Options.
6973 * no-sig-cache: GPG Configuration Options.
6975 * no-skip-hidden-recipients: GPG Key related Options.
6977 * no-symkey-cache: GPG Esoteric Options.
6979 * no-tty: GPG Configuration Options.
6981 * no-use-standard-socket: Agent Options. (line 333)
6982 * no-use-tor: Dirmngr Options. (line 105)
6983 * no-user-trustlist: Agent Options. (line 155)
6984 * no-verbose: GPG Configuration Options.
6986 * not-dash-escaped: GPG Esoteric Options.
6988 * null: gpgtar. (line 89)
6989 * null <1>: gpg-check-pattern. (line 59)
6990 * ocsp: dirmngr-client. (line 61)
6991 * ocsp-current-period: Dirmngr Options. (line 381)
6992 * ocsp-max-clock-skew: Dirmngr Options. (line 373)
6993 * ocsp-max-period: Dirmngr Options. (line 377)
6994 * ocsp-responder: Dirmngr Options. (line 347)
6995 * ocsp-signer: Dirmngr Options. (line 352)
6996 * only-ldap-proxy: Dirmngr Options. (line 257)
6997 * openpgp: Compliance Options. (line 20)
6998 * openpgp <1>: gpgtar. (line 98)
6999 * options: Agent Options. (line 10)
7000 * options <1>: Dirmngr Options. (line 11)
7001 * options <2>: Dirmngr Options. (line 16)
7002 * options <3>: GPG Configuration Options.
7004 * options <4>: Configuration Options.
7006 * options <5>: Scdaemon Options. (line 7)
7007 * output: GPG Input and Output.
7009 * output <1>: Input and Output. (line 57)
7010 * output <2>: gpgv. (line 45)
7011 * output <3>: gpgtar. (line 60)
7012 * output <4>: gpg-wks-client. (line 104)
7013 * output <5>: gpg-wks-server. (line 65)
7014 * override-session-key: GPG Esoteric Options.
7016 * p12-charset: Input and Output. (line 30)
7017 * passphrase: GPG Esoteric Options.
7019 * passphrase <1>: Invoking gpg-preset-passphrase.
7021 * passphrase-fd: GPG Esoteric Options.
7023 * passphrase-fd <1>: Esoteric Options. (line 128)
7024 * passphrase-file: GPG Esoteric Options.
7026 * passphrase-repeat: GPG Esoteric Options.
7028 * passwd: OpenPGP Key Management.
7030 * passwd <1>: Certificate Management.
7032 * passwd <2>: gpg-card. (line 163)
7033 * pcsc-driver: Scdaemon Options. (line 130)
7034 * pcsc-shared: Scdaemon Options. (line 124)
7035 * pem: dirmngr-client. (line 58)
7036 * permission-warning: GPG Configuration Options.
7038 * personal-aead-preferences: Deprecated Options. (line 37)
7039 * personal-cipher-preferences: OpenPGP Options. (line 59)
7040 * personal-compress-preferences: OpenPGP Options. (line 77)
7041 * personal-digest-preferences: OpenPGP Options. (line 68)
7042 * pgp6: Compliance Options. (line 43)
7043 * pgp7: Compliance Options. (line 46)
7044 * pgp8: Compliance Options. (line 53)
7045 * photo-viewer: GPG Configuration Options.
7047 * pinentry-formatted-passphrase: Agent Options. (line 280)
7048 * pinentry-invisible-char: Agent Options. (line 269)
7049 * pinentry-mode: GPG Esoteric Options.
7051 * pinentry-mode <1>: Esoteric Options. (line 137)
7052 * pinentry-program: Agent Options. (line 293)
7053 * pinentry-timeout: Agent Options. (line 274)
7054 * pinentry-touch-file: Agent Options. (line 306)
7055 * ping: dirmngr-client. (line 69)
7056 * policy-file: Configuration Options.
7058 * prefer-system-dirmngr: Configuration Options.
7060 * preserve-permissions: GPG Esoteric Options.
7062 * preset: Invoking gpg-preset-passphrase.
7064 * primary-keyring: GPG Configuration Options.
7066 * print-md: Operational GPG Commands.
7068 * privatedo: gpg-card. (line 171)
7069 * q: gpg-card. (line 177)
7070 * q <1>: Invoking gpg-connect-agent.
7072 * quick-add-adsk: OpenPGP Key Management.
7074 * quick-add-key: OpenPGP Key Management.
7076 * quick-add-uid: OpenPGP Key Management.
7078 * quick-gen-key: OpenPGP Key Management.
7080 * quick-generate-key: OpenPGP Key Management.
7082 * quick-lsign-key: OpenPGP Key Management.
7084 * quick-revoke-sig: OpenPGP Key Management.
7086 * quick-revoke-uid: OpenPGP Key Management.
7088 * quick-set-expire: OpenPGP Key Management.
7090 * quick-set-primary-uid: OpenPGP Key Management.
7092 * quick-sign-key: OpenPGP Key Management.
7094 * quick-update-pref: OpenPGP Key Management.
7096 * quiet: Agent Options. (line 45)
7097 * quiet <1>: GPG Configuration Options.
7099 * quiet <2>: gpg-card. (line 44)
7100 * quiet <3>: gpgv. (line 35)
7101 * quiet <4>: Invoking gpgconf. (line 117)
7102 * quiet <5>: Invoking gpg-connect-agent.
7104 * quiet <6>: dirmngr-client. (line 48)
7105 * quiet <7>: gpgtar. (line 68)
7106 * quiet <8>: gpg-wks-client. (line 138)
7107 * quiet <9>: gpg-wks-server. (line 81)
7108 * quit: gpg-card. (line 177)
7109 * raw-socket: Invoking gpg-connect-agent.
7111 * readcert: gpg-card. (line 180)
7112 * reader-port: Scdaemon Options. (line 148)
7113 * rebuild-keydb-caches: Operational GPG Commands.
7115 * receive-keys: Operational GPG Commands.
7117 * recipient: GPG Key related Options.
7119 * recipient <1>: Input and Output. (line 52)
7120 * recipient <2>: gpgtar. (line 52)
7121 * recipient-file: GPG Key related Options.
7123 * recursive-resolver: Dirmngr Options. (line 124)
7124 * recv-keys: Operational GPG Commands.
7126 * refresh-keys: Operational GPG Commands.
7128 * reload: Invoking gpgconf. (line 74)
7129 * remove-socketdir: Invoking gpgconf. (line 102)
7130 * request-origin: GPG Esoteric Options.
7132 * request-origin <1>: Esoteric Options. (line 152)
7133 * require-compliance: Compliance Options. (line 70)
7134 * require-compliance <1>: Esoteric Options. (line 36)
7135 * require-compliance <2>: gpgtar. (line 120)
7136 * require-cross-certification: GPG Configuration Options.
7138 * require-secmem: GPG Configuration Options.
7140 * reset: gpg-card. (line 187)
7141 * resolver-timeout: Dirmngr Options. (line 127)
7142 * rfc2440: Compliance Options. (line 36)
7143 * rfc4880: Compliance Options. (line 27)
7144 * rfc4880bis: Compliance Options. (line 32)
7145 * run: Invoking gpg-connect-agent.
7147 * s: Dirmngr Options. (line 94)
7148 * s2k-calibration: Agent Options. (line 470)
7149 * s2k-cipher-algo: OpenPGP Options. (line 87)
7150 * s2k-count: Agent Options. (line 477)
7151 * s2k-count <1>: OpenPGP Options. (line 103)
7152 * s2k-digest-algo: OpenPGP Options. (line 92)
7153 * s2k-mode: OpenPGP Options. (line 96)
7154 * salut: gpg-card. (line 191)
7155 * salutation: gpg-card. (line 191)
7156 * scdaemon-program: Agent Options. (line 315)
7157 * search-keys: Operational GPG Commands.
7159 * secret-keyring: GPG Configuration Options.
7161 * send: gpg-wks-client. (line 65)
7162 * send <1>: gpg-wks-server. (line 60)
7163 * send-keys: Operational GPG Commands.
7165 * sender: GPG Key related Options.
7167 * server: Agent Commands. (line 23)
7168 * server <1>: Dirmngr Commands. (line 22)
7169 * server <2>: Operational GPGSM Commands.
7171 * server <3>: Scdaemon Commands. (line 22)
7172 * set-filename: GPG Esoteric Options.
7174 * set-filename <1>: gpgtar. (line 132)
7175 * set-filesize: GPG Esoteric Options.
7177 * set-notation: GPG Esoteric Options.
7179 * set-policy-url: GPG Esoteric Options.
7181 * sh: Agent Options. (line 129)
7182 * sh <1>: Dirmngr Options. (line 94)
7183 * show-certs: Certificate Management.
7185 * show-keyring: Deprecated Options. (line 16)
7186 * show-keys: Operational GPG Commands.
7188 * show-notation: Deprecated Options. (line 22)
7189 * show-photos: Deprecated Options. (line 8)
7190 * show-policy-url: Deprecated Options. (line 30)
7191 * show-session-key: GPG Esoteric Options.
7193 * shutdown: Dirmngr Commands. (line 56)
7194 * sig-keyserver-url: GPG Esoteric Options.
7196 * sig-notation: GPG Esoteric Options.
7198 * sig-policy-url: GPG Esoteric Options.
7200 * sign: Operational GPG Commands.
7202 * sign <1>: Operational GPGSM Commands.
7204 * sign-key: OpenPGP Key Management.
7206 * skip-crypto: gpgtar. (line 71)
7207 * skip-hidden-recipients: GPG Key related Options.
7209 * skip-verify: GPG Esoteric Options.
7211 * squid-mode: dirmngr-client. (line 101)
7212 * ssh-fingerprint-digest: Agent Options. (line 455)
7213 * standard-resolver: Dirmngr Options. (line 117)
7214 * status-fd: GPG Esoteric Options.
7216 * status-fd <1>: gpg-card. (line 35)
7217 * status-fd <2>: gpgv. (line 52)
7218 * status-fd <3>: Invoking gpgconf. (line 167)
7219 * status-fd <4>: gpgtar. (line 123)
7220 * status-fd <5>: gpg-wks-client. (line 110)
7221 * status-file: GPG Esoteric Options.
7223 * steal-socket: Agent Options. (line 118)
7224 * store: Operational GPG Commands.
7226 * subst: Invoking gpg-connect-agent.
7228 * supervised: Agent Commands. (line 36)
7229 * supervised <1>: Dirmngr Commands. (line 33)
7230 * symmetric: Operational GPG Commands.
7232 * sys-trustlist-name: Agent Options. (line 160)
7233 * tar: gpgtar. (line 155)
7234 * tar-args: gpgtar. (line 149)
7235 * textmode: OpenPGP Options. (line 8)
7236 * throw-keyids: GPG Esoteric Options.
7238 * time-only: watchgnupg. (line 46)
7239 * tls-debug: Dirmngr Options. (line 76)
7240 * tofu-default-policy: GPG Configuration Options.
7242 * tofu-policy: Operational GPG Commands.
7244 * trust-model: GPG Configuration Options.
7246 * trust-model:always: GPG Configuration Options.
7248 * trust-model:auto: GPG Configuration Options.
7250 * trust-model:classic: GPG Configuration Options.
7252 * trust-model:direct: GPG Configuration Options.
7254 * trust-model:pgp: GPG Configuration Options.
7256 * trust-model:tofu: GPG Configuration Options.
7258 * trust-model:tofu+pgp: GPG Configuration Options.
7260 * trustdb-name: GPG Configuration Options.
7262 * trusted-key: GPG Configuration Options.
7264 * try-all-secrets: GPG Key related Options.
7266 * try-secret-key: GPG Key related Options.
7268 * ttyname: Agent Options. (line 343)
7269 * ttytype: Agent Options. (line 343)
7270 * uif: gpg-card. (line 196)
7271 * unblock: gpg-card. (line 202)
7272 * unbuffered: Invoking gpg-connect-agent.
7274 * ungroup: GPG Key related Options.
7276 * unwrap: Operational GPG Commands.
7278 * update-trustdb: Operational GPG Commands.
7280 * url: gpg-card. (line 207)
7281 * url <1>: dirmngr-client. (line 94)
7282 * url <2>: dirmngr-client. (line 98)
7283 * use-agent: GPG Configuration Options.
7285 * use-embedded-filename: GPG Esoteric Options.
7287 * use-standard-socket: Agent Options. (line 333)
7288 * use-standard-socket-p: Agent Options. (line 333)
7289 * use-tor: Dirmngr Options. (line 105)
7290 * utf8-strings: GPG Configuration Options.
7292 * utf8-strings <1>: gpgtar. (line 93)
7293 * v: Dirmngr Options. (line 25)
7294 * v <1>: Configuration Options.
7296 * v <2>: Scdaemon Options. (line 35)
7297 * v <3>: dirmngr-client. (line 53)
7298 * validate: dirmngr-client. (line 76)
7299 * validation-model: Certificate Options. (line 75)
7300 * verbose: Agent Options. (line 39)
7301 * verbose <1>: Dirmngr Options. (line 25)
7302 * verbose <2>: GPG Configuration Options.
7304 * verbose <3>: Configuration Options.
7306 * verbose <4>: Scdaemon Options. (line 35)
7307 * verbose <5>: gpg-card. (line 41)
7308 * verbose <6>: watchgnupg. (line 49)
7309 * verbose <7>: gpgv. (line 30)
7310 * verbose <8>: Invoking gpg-preset-passphrase.
7312 * verbose <9>: Invoking gpg-connect-agent.
7314 * verbose <10>: dirmngr-client. (line 53)
7315 * verbose <11>: gpgtar. (line 64)
7316 * verbose <12>: gpg-check-pattern. (line 53)
7317 * verbose <13>: gpg-wks-client. (line 135)
7318 * verbose <14>: gpg-wks-server. (line 78)
7319 * verify: Operational GPG Commands.
7321 * verify <1>: Operational GPGSM Commands.
7323 * verify <2>: gpg-card. (line 212)
7324 * verify-files: Operational GPG Commands.
7326 * verify-options: GPG Configuration Options.
7328 * verify-options:show-keyserver-urls: GPG Configuration Options.
7330 * verify-options:show-notations: GPG Configuration Options.
7332 * verify-options:show-photos: GPG Configuration Options.
7334 * verify-options:show-policy-urls: GPG Configuration Options.
7336 * verify-options:show-primary-uid-only: GPG Configuration Options.
7338 * verify-options:show-std-notations: GPG Configuration Options.
7340 * verify-options:show-uid-validity: GPG Configuration Options.
7342 * verify-options:show-unusable-uids: GPG Configuration Options.
7344 * verify-options:show-user-notations: GPG Configuration Options.
7346 * version: Agent Commands. (line 10)
7347 * version <1>: Dirmngr Commands. (line 10)
7348 * version <2>: General GPG Commands.
7350 * version <3>: General GPGSM Commands.
7352 * version <4>: Scdaemon Commands. (line 10)
7353 * version <5>: gpg-card. (line 47)
7354 * version <6>: watchgnupg. (line 52)
7355 * version <7>: dirmngr-client. (line 40)
7356 * version <8>: gpgtar. (line 158)
7357 * version <9>: gpg-wks-client. (line 141)
7358 * version <10>: gpg-wks-server. (line 84)
7359 * warranty: General GPG Commands.
7361 * warranty <1>: General GPGSM Commands.
7363 * weak-digest: GPG Esoteric Options.
7365 * weak-digest <1>: gpgv. (line 90)
7366 * with-colons: GPG Input and Output.
7368 * with-colons <1>: gpg-card. (line 32)
7369 * with-colons <2>: gpg-wks-client. (line 69)
7370 * with-dir: gpg-wks-server. (line 69)
7371 * with-ephemeral-keys: Esoteric Options. (line 61)
7372 * with-file: gpg-wks-server. (line 73)
7373 * with-fingerprint: GPG Input and Output.
7375 * with-icao-spelling: GPG Input and Output.
7377 * with-key-data: GPG Esoteric Options.
7379 * with-key-data <1>: Input and Output. (line 60)
7380 * with-key-origin: GPG Input and Output.
7382 * with-keygrip: GPG Input and Output.
7384 * with-log: gpgtar. (line 127)
7385 * with-secret: GPG Input and Output.
7387 * with-secret <1>: Input and Output. (line 84)
7388 * with-subkey-fingerprint: GPG Input and Output.
7390 * with-validation: Input and Output. (line 66)
7391 * with-wkd-hash: GPG Input and Output.
7393 * writecert: gpg-card. (line 217)
7394 * writekey: gpg-card. (line 224)
7395 * xauthority: Agent Options. (line 343)
7396 * yes: GPG Configuration Options.
7398 * yes <1>: gpgtar. (line 111)
7399 * yubikey: gpg-card. (line 229)