1 @c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
2 @c This is part of the GnuPG manual.
3 @c For copying conditions, see the file GnuPG.texi.
10 GnuPG comes with a couple of smaller tools:
13 * watchgnupg:: Read logs from a socket.
14 * gpgv:: Verify OpenPGP signatures.
15 * addgnupghome:: Create .gnupg home directories.
16 * gpgconf:: Modify .gnupg home directories.
17 * applygnupgdefaults:: Run gpgconf for all users.
18 * gpg-preset-passphrase:: Put a passphrase into the cache.
19 * gpg-connect-agent:: Communicate with a running agent.
20 * dirmngr-client:: How to use the Dirmngr client tool.
21 * gpgparsemail:: Parse a mail message into an annotated format
22 * symcryptrun:: Call a simple symmetric encryption tool.
23 * gpg-zip:: Encrypt or sign files into an archive.
31 @section Read logs from a socket
34 \- Read and print logs from a socket
46 Most of the main utilities are able to write their log files to a Unix
47 Domain socket if configured that way. @command{watchgnupg} is a simple
48 listener for such a socket. It ameliorates the output with a time stamp
49 and makes sure that long lines are not interspersed with log output from
50 other utilities. This tool is not available for Windows.
54 @command{watchgnupg} is commonly invoked as
57 watchgnupg --force ~/.gnupg/S.log
62 This starts it on the current terminal for listening on the socket
63 @file{~/.gnupg/S.log}.
67 @command{watchgnupg} understands these options:
73 Delete an already existing socket file.
75 @anchor{option watchgnupg --tcp}
77 Instead of reading from a local socket, listen for connects on TCP port
82 Enable extra informational output.
86 Print version of the program and exit.
90 Display a brief help page and exit.
99 $ watchgnupg --force /home/foo/.gnupg/S.log
102 This waits for connections on the local socket
103 @file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
104 work the option @option{log-file} needs to be used with all modules
105 which logs are to be shown. The value for that option must be given
106 with a special prefix (e.g. in the conf file):
109 log-file socket:///home/foo/.gnupg/S.log
112 For debugging purposes it is also possible to do remote logging. Take
113 care if you use this feature because the information is send in the
114 clear over the network. Use this syntax in the conf files:
117 log-file tcp://192.168.1.1:4711
120 You may use any port and not just 4711 as shown above; only IP addresses
121 are supported (v4 and v6) and no host names. You need to start
122 @command{watchgnupg} with the @option{tcp} option. Note that under
123 Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
124 can be used to change the default log output from @code{stderr} to
125 whatever is given by that entry. However the only useful entry is a TCP
126 name for remote debugging.
133 @command{gpg-agent}(1),
134 @command{scdaemon}(1)
136 @include see-also-note.texi
148 @manpage addgnupghome.8
150 @section Create .gnupg home directories.
153 \- Create .gnupg home directories
160 .IR account_2 ... account_n
164 If GnuPG is installed on a system with existing user accounts, it is
165 sometimes required to populate the GnuPG home directory with existing
166 files. Especially a @file{trustlist.txt} and a keybox with some
167 initial certificates are often desired. This scripts help to do this
168 by copying all files from @file{/etc/skel/.gnupg} to the home
169 directories of the accounts given on the command line. It takes care
170 not to overwrite existing GnuPG home directories.
173 @command{addgnupghome} is invoked by root as:
176 addgnupghome account1 account2 ... accountn
185 @section Modify .gnupg home directories.
188 \- Modify .gnupg home directories
195 .B \-\-list-components
204 .B \-\-change-options
210 The @command{gpgconf} is a utility to automatically and reasonable
211 safely query and modify configuration files in the @file{.gnupg} home
212 directory. It is designed not to be invoked manually by the user, but
213 automatically by graphical user interfaces (GUI).@footnote{Please note
214 that currently no locking is done, so concurrent access should be
215 avoided. There are some precautions to avoid corruption with
216 concurrent usage, but results may be inconsistent and some changes may
217 get lost. The stateless design makes it difficult to provide more
220 @command{gpgconf} provides access to the configuration of one or more
221 components of the GnuPG system. These components correspond more or
222 less to the programs that exist in the GnuPG framework, like GnuPG,
223 GPGSM, DirMngr, etc. But this is not a strict one-to-one
224 relationship. Not all configuration options are available through
225 @command{gpgconf}. @command{gpgconf} provides a generic and abstract
226 method to access the most important configuration options that can
227 feasibly be controlled via such a mechanism.
229 @command{gpgconf} can be used to gather and change the options
230 available in each component, and can also provide their default
231 values. @command{gpgconf} will give detailed type information that
232 can be used to restrict the user's input without making an attempt to
235 @command{gpgconf} provides the backend of a configuration editor. The
236 configuration editor would usually be a graphical user interface
237 program, that allows to display the current options, their default
238 values, and allows the user to make changes to the options. These
239 changes can then be made active with @command{gpgconf} again. Such a
240 program that uses @command{gpgconf} in this way will be called GUI
241 throughout this section.
244 * Invoking gpgconf:: List of all commands and options.
245 * Format conventions:: Formatting conventions relevant for all commands.
246 * Listing components:: List all gpgconf components.
247 * Checking programs:: Check all programs know to gpgconf.
248 * Listing options:: List all options of a component.
249 * Changing options:: Changing options of a component.
250 * Listing global options:: List all global options.
251 * Files used by gpgconf:: What files are used by gpgconf.
255 @node Invoking gpgconf
256 @subsection Invoking gpgconf
259 One of the following commands must be given:
263 @item --list-components
264 List all components. This is the default command used if none is
267 @item --check-programs
268 List all available backend programs and test whether they are runnable.
270 @item --list-options @var{component}
271 List all options of the component @var{component}.
273 @item --change-options @var{component}
274 Change the options of the component @var{component}.
276 @item --check-options @var{component}
277 Check the options for the component @var{component}.
279 @item --apply-defaults
280 Update all configuration files with values taken from the global
281 configuration file (usually @file{/etc/gnupg/gpgconf.conf}).
284 Lists the directories used by @command{gpgconf}. One directory is
285 listed per line, and each line consists of a colon-separated list where
286 the first field names the directory type (for example @code{sysconfdir})
287 and the second field contains the percent-escaped directory. Although
288 they are not directories, the socket file names used by
289 @command{gpg-agent} and @command{dirmngr} are printed as well. Note
290 that the socket file names and the @code{homedir} lines are the default
291 names and they may be overridden by command line switches.
293 @item --list-config [@var{filename}]
294 List the global configuration file in a colon separated format. If
295 @var{filename} is given, check that file instead.
297 @item --check-config [@var{filename}]
298 Run a syntax check on the global configuration file. If @var{filename}
299 is given, check that file instead.
301 @item --reload [@var{component}]
303 Reload all or the given component. This is basically the same as sending
304 a SIGHUP to the component. Components which don't support reloading are
307 @item --launch [@var{component}]
309 If the @var{component} is not already running, start it.
310 @command{component} must be a daemon. This is in general not required
311 because the system starts these daemons as needed. However, external
312 software making direct use of @command{gpg-agent} or @command{dirmngr}
313 may use this command to ensure that they are started.
315 @item --kill [@var{component}]
317 Kill the given component. Components which support killing are
318 gpg-agent and scdaemon. Components which don't support reloading are
319 ignored. Note that as of now reload and kill have the same effect for
327 The following options may be used:
332 @itemx --output @var{file}
333 Write output to @var{file}. Default is to write to stdout.
337 Outputs additional information while running. Specifically, this
338 extends numerical field values by human-readable descriptions.
343 Try to be as quiet as possible.
347 Do not actually change anything. This is currently only implemented
348 for @code{--change-options} and can be used for testing purposes.
352 Only used together with @code{--change-options}. If one of the
353 modified options can be changed in a running daemon process, signal
354 the running daemon to ask it to reparse its configuration file after
357 This means that the changes will take effect at run-time, as far as
358 this is possible. Otherwise, they will take effect at the next start
359 of the respective backend programs.
364 @node Format conventions
365 @subsection Format conventions
367 Some lines in the output of @command{gpgconf} contain a list of
368 colon-separated fields. The following conventions apply:
372 The GUI program is required to strip off trailing newline and/or
373 carriage return characters from the output.
376 @command{gpgconf} will never leave out fields. If a certain version
377 provides a certain field, this field will always be present in all
378 @command{gpgconf} versions from that time on.
381 Future versions of @command{gpgconf} might append fields to the list.
382 New fields will always be separated from the previously last field by
383 a colon separator. The GUI should be prepared to parse the last field
384 it knows about up until a colon or end of line.
387 Not all fields are defined under all conditions. You are required to
388 ignore the content of undefined fields.
391 There are several standard types for the content of a field:
395 Some fields contain strings that are not escaped in any way. Such
396 fields are described to be used @emph{verbatim}. These fields will
397 never contain a colon character (for obvious reasons). No de-escaping
398 or other formatting is required to use the field content. This is for
399 easy parsing of the output, when it is known that the content can
400 never contain any special characters.
402 @item percent-escaped
403 Some fields contain strings that are described to be
404 @emph{percent-escaped}. Such strings need to be de-escaped before
405 their content can be presented to the user. A percent-escaped string
406 is de-escaped by replacing all occurrences of @code{%XY} by the byte
407 that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
408 from the set @code{0-9a-f}.
411 Some fields contain strings that are described to be @emph{localised}.
412 Such strings are translated to the active language and formatted in
413 the active character set.
415 @item @w{unsigned number}
416 Some fields contain an @emph{unsigned number}. This number will
417 always fit into a 32-bit unsigned integer variable. The number may be
418 followed by a space, followed by a human readable description of that
419 value (if the verbose option is used). You should ignore everything
420 in the field that follows the number.
422 @item @w{signed number}
423 Some fields contain a @emph{signed number}. This number will always
424 fit into a 32-bit signed integer variable. The number may be followed
425 by a space, followed by a human readable description of that value (if
426 the verbose option is used). You should ignore everything in the
427 field that follows the number.
429 @item @w{boolean value}
430 Some fields contain a @emph{boolean value}. This is a number with
431 either the value 0 or 1. The number may be followed by a space,
432 followed by a human readable description of that value (if the verbose
433 option is used). You should ignore everything in the field that follows
434 the number; checking just the first character is sufficient in this
438 Some fields contain an @emph{option} argument. The format of an
439 option argument depends on the type of the option and on some flags:
443 The simplest case is that the option does not take an argument at all
444 (@var{type} @code{0}). Then the option argument is an unsigned number
445 that specifies how often the option occurs. If the @code{list} flag
446 is not set, then the only valid number is @code{1}. Options that do
447 not take an argument never have the @code{default} or @code{optional
451 If the option takes a number argument (@var{alt-type} is @code{2} or
452 @code{3}), and it can only occur once (@code{list} flag is not set),
453 then the option argument is either empty (only allowed if the argument
454 is optional), or it is a number. A number is a string that begins
455 with an optional minus character, followed by one or more digits. The
456 number must fit into an integer variable (unsigned or signed,
457 depending on @var{alt-type}).
460 If the option takes a number argument and it can occur more than once,
461 then the option argument is either empty, or it is a comma-separated
462 list of numbers as described above.
465 If the option takes a string argument (@var{alt-type} is 1), and it
466 can only occur once (@code{list} flag is not set) then the option
467 argument is either empty (only allowed if the argument is optional),
468 or it starts with a double quote character (@code{"}) followed by a
469 percent-escaped string that is the argument value. Note that there is
470 only a leading double quote character, no trailing one. The double
471 quote character is only needed to be able to differentiate between no
472 value and the empty string as value.
475 If the option takes a number argument and it can occur more than once,
476 then the option argument is either empty, or it is a comma-separated
477 list of string arguments as described above.
481 The active language and character set are currently determined from
482 the locale environment of the @command{gpgconf} program.
484 @c FIXME: Document the active language and active character set. Allow
485 @c to change it via the command line?
489 @node Listing components
490 @subsection Listing components
492 The command @code{--list-components} will list all components that can
493 be configured with @command{gpgconf}. Usually, one component will
494 correspond to one GnuPG-related program and contain the options of
495 that programs configuration file that can be modified using
496 @command{gpgconf}. However, this is not necessarily the case. A
497 component might also be a group of selected options from several
498 programs, or contain entirely virtual options that have a special
499 effect rather than changing exactly one option in one configuration
502 A component is a set of configuration options that semantically belong
503 together. Furthermore, several changes to a component can be made in
504 an atomic way with a single operation. The GUI could for example
505 provide a menu with one entry for each component, or a window with one
506 tabulator sheet per component.
508 The command argument @code{--list-components} lists all available
509 components, one per line. The format of each line is:
511 @code{@var{name}:@var{description}:@var{pgmname}:}
515 This field contains a name tag of the component. The name tag is used
516 to specify the component in all communication with @command{gpgconf}.
517 The name tag is to be used @emph{verbatim}. It is thus not in any
521 The @emph{string} in this field contains a human-readable description
522 of the component. It can be displayed to the user of the GUI for
523 informational purposes. It is @emph{percent-escaped} and
527 The @emph{string} in this field contains the absolute name of the
528 program's file. It can be used to unambiguously invoke that program.
529 It is @emph{percent-escaped}.
534 $ gpgconf --list-components
535 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
536 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
537 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
538 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
539 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
544 @node Checking programs
545 @subsection Checking programs
547 The command @code{--check-programs} is similar to
548 @code{--list-components} but works on backend programs and not on
549 components. It runs each program to test whether it is installed and
550 runnable. This also includes a syntax check of all config file options
553 The command argument @code{--check-programs} lists all available
554 programs, one per line. The format of each line is:
556 @code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}
560 This field contains a name tag of the program which is identical to the
561 name of the component. The name tag is to be used @emph{verbatim}. It
562 is thus not in any escaped format. This field may be empty to indicate
563 a continuation of error descriptions for the last name. The description
564 and pgmname fields are then also empty.
567 The @emph{string} in this field contains a human-readable description
568 of the component. It can be displayed to the user of the GUI for
569 informational purposes. It is @emph{percent-escaped} and
573 The @emph{string} in this field contains the absolute name of the
574 program's file. It can be used to unambiguously invoke that program.
575 It is @emph{percent-escaped}.
578 The @emph{boolean value} in this field indicates whether the program is
579 installed and runnable.
582 The @emph{boolean value} in this field indicates whether the program's
583 config file is syntactically okay.
586 If an error occurred in the configuration file (as indicated by a false
587 value in the field @code{okay}), this field has the name of the failing
588 configuration file. It is @emph{percent-escaped}.
591 If an error occurred in the configuration file, this field has the line
592 number of the failing statement in the configuration file.
593 It is an @emph{unsigned number}.
596 If an error occurred in the configuration file, this field has the error
597 text of the failing statement in the configuration file. It is
598 @emph{percent-escaped} and @emph{localized}.
603 In the following example the @command{dirmngr} is not runnable and the
604 configuration file of @command{scdaemon} is not okay.
607 $ gpgconf --check-programs
608 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
609 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
610 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
611 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
612 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
616 The command @w{@code{--check-options @var{component}}} will verify the
617 configuration file in the same manner as @code{--check-programs}, but
618 only for the component @var{component}.
621 @node Listing options
622 @subsection Listing options
624 Every component contains one or more options. Options may be gathered
625 into option groups to allow the GUI to give visual hints to the user
626 about which options are related.
628 The command argument @code{@w{--list-options @var{component}}} lists
629 all options (and the groups they belong to) in the component
630 @var{component}, one per line. @var{component} must be the string in
631 the field @var{name} in the output of the @code{--list-components}
634 There is one line for each option and each group. First come all
635 options that are not in any group. Then comes a line describing a
636 group. Then come all options that belong into each group. Then comes
637 the next group and so on. There does not need to be any group (and in
638 this case the output will stop after the last non-grouped option).
640 The format of each line is:
642 @code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}
646 This field contains a name tag for the group or option. The name tag
647 is used to specify the group or option in all communication with
648 @command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
649 thus not in any escaped format.
652 The flags field contains an @emph{unsigned number}. Its value is the
653 OR-wise combination of the following flag values:
657 If this flag is set, this is a line describing a group and not an
661 The following flag values are only defined for options (that is, if
662 the @code{group} flag is not used).
665 @item optional arg (2)
666 If this flag is set, the argument is optional. This is never set for
667 @var{type} @code{0} (none) options.
670 If this flag is set, the option can be given multiple times.
673 If this flag is set, the option can be changed at runtime.
676 If this flag is set, a default value is available.
678 @item default desc (32)
679 If this flag is set, a (runtime) default is available. This and the
680 @code{default} flag are mutually exclusive.
682 @item no arg desc (64)
683 If this flag is set, and the @code{optional arg} flag is set, then the
684 option has a special meaning if no argument is given.
686 @item no change (128)
687 If this flag is set, gpgconf ignores requests to change the value. GUI
688 frontends should grey out this option. Note, that manual changes of the
689 configuration files are still possible.
693 This field is defined for options and for groups. It contains an
694 @emph{unsigned number} that specifies the expert level under which
695 this group or option should be displayed. The following expert levels
696 are defined for options (they have analogous meaning for groups):
700 This option should always be offered to the user.
703 This option may be offered to advanced users.
706 This option should only be offered to expert users.
709 This option should normally never be displayed, not even to expert
713 This option is for internal use only. Ignore it.
716 The level of a group will always be the lowest level of all options it
720 This field is defined for options and groups. The @emph{string} in
721 this field contains a human-readable description of the option or
722 group. It can be displayed to the user of the GUI for informational
723 purposes. It is @emph{percent-escaped} and @emph{localized}.
726 This field is only defined for options. It contains an @emph{unsigned
727 number} that specifies the type of the option's argument, if any. The
728 following types are defined:
737 An @emph{unformatted string}.
740 A @emph{signed number}.
743 An @emph{unsigned number}.
750 A @emph{string} that describes the pathname of a file. The file does
751 not necessarily need to exist.
753 @item ldap server (33)
754 A @emph{string} that describes an LDAP server in the format:
756 @code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}
758 @item key fingerprint (34)
759 A @emph{string} with a 40 digit fingerprint specifying a certificate.
762 A @emph{string} that describes a certificate by user ID, key ID or
766 A @emph{string} that describes a certificate with a key by user ID,
767 key ID or fingerprint.
769 @item alias list (37)
770 A @emph{string} that describes an alias list, like the one used with
771 gpg's group option. The list consists of a key, an equal sign and space
775 More types will be added in the future. Please see the @var{alt-type}
776 field for information on how to cope with unknown types.
779 This field is identical to @var{type}, except that only the types
780 @code{0} to @code{31} are allowed. The GUI is expected to present the
781 user the option in the format specified by @var{type}. But if the
782 argument type @var{type} is not supported by the GUI, it can still
783 display the option in the more generic basic type @var{alt-type}. The
784 GUI must support all the defined basic types to be able to display all
785 options. More basic types may be added in future versions. If the
786 GUI encounters a basic type it doesn't support, it should report an
787 error and abort the operation.
790 This field is only defined for options with an argument type
791 @var{type} that is not @code{0}. In this case it may contain a
792 @emph{percent-escaped} and @emph{localised string} that gives a short
793 name for the argument. The field may also be empty, though, in which
794 case a short name is not known.
797 This field is defined only for options for which the @code{default} or
798 @code{default desc} flag is set. If the @code{default} flag is set,
799 its format is that of an @emph{option argument} (@xref{Format
800 conventions}, for details). If the default value is empty, then no
801 default is known. Otherwise, the value specifies the default value
802 for this option. If the @code{default desc} flag is set, the field is
803 either empty or contains a description of the effect if the option is
807 This field is defined only for options for which the @code{optional
808 arg} flag is set. If the @code{no arg desc} flag is not set, its
809 format is that of an @emph{option argument} (@xref{Format
810 conventions}, for details). If the default value is empty, then no
811 default is known. Otherwise, the value specifies the default argument
812 for this option. If the @code{no arg desc} flag is set, the field is
813 either empty or contains a description of the effect of this option if
814 no argument is given.
817 This field is defined only for options. Its format is that of an
818 @emph{option argument}. If it is empty, then the option is not
819 explicitly set in the current configuration, and the default applies
820 (if any). Otherwise, it contains the current value of the option.
821 Note that this field is also meaningful if the option itself does not
822 take a real argument (in this case, it contains the number of times
827 @node Changing options
828 @subsection Changing options
830 The command @w{@code{--change-options @var{component}}} will attempt
831 to change the options of the component @var{component} to the
832 specified values. @var{component} must be the string in the field
833 @var{name} in the output of the @code{--list-components} command. You
834 have to provide the options that shall be changed in the following
835 format on standard input:
837 @code{@var{name}:@var{flags}:@var{new-value}}
841 This is the name of the option to change. @var{name} must be the
842 string in the field @var{name} in the output of the
843 @code{--list-options} command.
846 The flags field contains an @emph{unsigned number}. Its value is the
847 OR-wise combination of the following flag values:
851 If this flag is set, the option is deleted and the default value is
852 used instead (if applicable).
856 The new value for the option. This field is only defined if the
857 @code{default} flag is not set. The format is that of an @emph{option
858 argument}. If it is empty (or the field is omitted), the default
859 argument is used (only allowed if the argument is optional for this
860 option). Otherwise, the option will be set to the specified value.
864 The output of the command is the same as that of
865 @code{--check-options} for the modified configuration file.
869 To set the force option, which is of basic type @code{none (0)}:
872 $ echo 'force:0:1' | gpgconf --change-options dirmngr
875 To delete the force option:
878 $ echo 'force:16:' | gpgconf --change-options dirmngr
881 The @code{--runtime} option can influence when the changes take
885 @node Listing global options
886 @subsection Listing global options
888 Sometimes it is useful for applications to look at the global options
889 file @file{gpgconf.conf}.
890 The colon separated listing format is record oriented and uses the first
891 field to identify the record type:
895 This describes a key record to start the definition of a new ruleset for
896 a user/group. The format of a key record is:
898 @code{k:@var{user}:@var{group}:}
902 This is the user field of the key. It is percent escaped. See the
903 definition of the gpgconf.conf format for details.
906 This is the group field of the key. It is percent escaped.
910 This describes a rule record. All rule records up to the next key record
911 make up a rule set for that key. The format of a rule record is:
913 @code{r:::@var{component}:@var{option}:@var{flags}:@var{value}:}
917 This is the component part of a rule. It is a plain string.
920 This is the option part of a rule. It is a plain string.
923 This is the flags part of a rule. There may be only one flag per rule
924 but by using the same component and option, several flags may be
925 assigned to an option. It is a plain string.
928 This is the optional value for the option. It is a percent escaped
929 string with a single quotation mark to indicate a string. The quotation
930 mark is only required to distinguish between no value specified and an
937 Unknown record types should be ignored. Note that there is intentionally
938 no feature to change the global option file through @command{gpgconf}.
943 @node Files used by gpgconf
944 @subsection Files used by gpgconf
948 @item /etc/gnupg/gpgconf.conf
950 If this file exists, it is processed as a global configuration file.
951 A commented example can be found in the @file{examples} directory of
960 @command{gpg-agent}(1),
961 @command{scdaemon}(1),
964 @include see-also-note.texi
969 @c APPLYGNUPGDEFAULTS
971 @manpage applygnupgdefaults.8
972 @node applygnupgdefaults
973 @section Run gpgconf for all users.
975 .B applygnupgdefaults
976 \- Run gpgconf --apply-defaults for all users.
981 .B applygnupgdefaults
985 This script is a wrapper around @command{gpgconf} to run it with the
986 command @code{--apply-defaults} for all real users with an existing
987 GnuPG home directory. Admins might want to use this script to update he
988 GnuPG configuration files for all users after
989 @file{/etc/gnupg/gpgconf.conf} has been changed. This allows to enforce
990 certain policies for all users. Note, that this is not a bulletproof of
991 forcing a user to use certain options. A user may always directly edit
992 the configuration files and bypass gpgconf.
995 @command{applygnupgdefaults} is invoked by root as:
1003 @c GPG-PRESET-PASSPHRASE
1005 @node gpg-preset-passphrase
1006 @section Put a passphrase into the cache.
1007 @manpage gpg-preset-passphrase.1
1009 .B gpg-preset-passphrase
1010 \- Put a passphrase into gpg-agent's cache
1015 .B gpg-preset-passphrase
1021 @mansect description
1022 The @command{gpg-preset-passphrase} is a utility to seed the internal
1023 cache of a running @command{gpg-agent} with passphrases. It is mainly
1024 useful for unattended machines, where the usual @command{pinentry} tool
1025 may not be used and the passphrases for the to be used keys are given at
1028 Passphrases set with this utility don't expire unless the
1029 @option{--forget} option is used to explicitly clear them from the
1030 cache --- or @command{gpg-agent} is either restarted or reloaded (by
1031 sending a SIGHUP to it). Note that the maximum cache time as set with
1032 @option{--max-cache-ttl} is still honored. It is necessary to allow
1033 this passphrase presetting by starting @command{gpg-agent} with the
1034 @option{--allow-preset-passphrase}.
1037 * Invoking gpg-preset-passphrase:: List of all commands and options.
1041 @node Invoking gpg-preset-passphrase
1042 @subsection List of all commands and options.
1046 @command{gpg-preset-passphrase} is invoked this way:
1049 gpg-preset-passphrase [options] [command] @var{cacheid}
1052 @var{cacheid} is either a 40 character keygrip of hexadecimal
1053 characters identifying the key for which the passphrase should be set
1054 or cleared. The keygrip is listed along with the key when running the
1055 command: @code{gpgsm --dump-secret-keys}. Alternatively an arbitrary
1056 string may be used to identify a passphrase; it is suggested that such
1057 a string is prefixed with the name of the application (e.g
1061 One of the following command options must be given:
1066 Preset a passphrase. This is what you usually will
1067 use. @command{gpg-preset-passphrase} will then read the passphrase from
1072 Flush the passphrase for the given cache ID from the cache.
1077 The following additional options may be used:
1083 Output additional information while running.
1085 @item -P @var{string}
1086 @itemx --passphrase @var{string}
1088 Instead of reading the passphrase from @code{stdin}, use the supplied
1089 @var{string} as passphrase. Note that this makes the passphrase visible
1097 @command{gpg-agent}(1),
1098 @command{scdaemon}(1)
1100 @include see-also-note.texi
1106 @c GPG-CONNECT-AGENT
1108 @node gpg-connect-agent
1109 @section Communicate with a running agent.
1110 @manpage gpg-connect-agent.1
1112 .B gpg-connect-agent
1113 \- Communicate with a running agent
1118 .B gpg-connect-agent
1119 .RI [ options ] [commands]
1122 @mansect description
1123 The @command{gpg-connect-agent} is a utility to communicate with a
1124 running @command{gpg-agent}. It is useful to check out the commands
1125 gpg-agent provides using the Assuan interface. It might also be useful
1126 for scripting simple applications. Input is expected at stdin and out
1127 put gets printed to stdout.
1129 It is very similar to running @command{gpg-agent} in server mode; but
1130 here we connect to a running instance.
1133 * Invoking gpg-connect-agent:: List of all options.
1134 * Controlling gpg-connect-agent:: Control commands.
1138 @node Invoking gpg-connect-agent
1139 @subsection List of all options.
1142 @command{gpg-connect-agent} is invoked this way:
1145 gpg-connect-agent [options] [commands]
1150 The following options may be used:
1156 Output additional information while running.
1162 Try to be as quiet as possible.
1164 @include opt-homedir.texi
1166 @item --agent-program @var{file}
1167 @opindex agent-program
1168 Specify the agent program to be started if none is running. The
1169 default value is determined by running @command{gpgconf} with the
1170 option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
1171 used for a regression test suite hack and may thus not be used in the
1174 @item --dirmngr-program @var{file}
1175 @opindex dirmngr-program
1176 Specify the directory manager (keyserver client) program to be started
1177 if none is running. This has only an effect if used together with the
1178 option @option{--dirmngr}.
1182 Connect to a running directory manager (keyserver client) instead of
1183 to the gpg-agent. If a dirmngr is not running, start it.
1186 @itemx --raw-socket @var{name}
1188 Connect to socket @var{name} assuming this is an Assuan style server.
1189 Do not run any special initializations or environment checks. This may
1190 be used to directly connect to any Assuan style socket server.
1195 Take the rest of the command line as a program and it's arguments and
1196 execute it as an assuan server. Here is how you would run @command{gpgsm}:
1198 gpg-connect-agent --exec gpgsm --server
1200 Note that you may not use options on the command line in this case.
1202 @item --no-ext-connect
1203 @opindex no-ext-connect
1204 When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
1205 connects to the assuan server in extended mode to allow descriptor
1206 passing. This option makes it use the old mode.
1208 @item --no-autostart
1209 @opindex no-autostart
1210 Do not start the gpg-agent or the dirmngr if it has not yet been
1214 @itemx --run @var{file}
1216 Run the commands from @var{file} at startup and then continue with the
1217 regular input method. Note, that commands given on the command line are
1218 executed after this file.
1223 Run the command @code{/subst} at startup.
1227 Print data lines in a hex format and the ASCII representation of
1228 non-control characters.
1232 Decode data lines. That is to remove percent escapes but make sure that
1233 a new line always starts with a D and a space.
1237 @mansect control commands
1238 @node Controlling gpg-connect-agent
1239 @subsection Control commands.
1241 While reading Assuan commands, gpg-agent also allows a few special
1242 commands to control its operation. These control commands all start
1243 with a slash (@code{/}).
1247 @item /echo @var{args}
1248 Just print @var{args}.
1250 @item /let @var{name} @var{value}
1251 Set the variable @var{name} to @var{value}. Variables are only
1252 substituted on the input if the @command{/subst} has been used.
1253 Variables are referenced by prefixing the name with a dollar sign and
1254 optionally include the name in curly braces. The rules for a valid name
1255 are identically to those of the standard bourne shell. This is not yet
1256 enforced but may be in the future. When used with curly braces no
1257 leading or trailing white space is allowed.
1259 If a variable is not found, it is searched in the environment and if
1260 found copied to the table of variables.
1262 Variable functions are available: The name of the function must be
1263 followed by at least one space and the at least one argument. The
1264 following functions are available:
1268 Return a value described by the argument. Available arguments are:
1272 The current working directory.
1276 GnuPG's system configuration directory.
1278 GnuPG's binary directory.
1280 GnuPG's library directory.
1282 GnuPG's library directory for executable files.
1284 GnuPG's data directory.
1286 The PID of the current server. Command @command{/serverpid} must
1287 have been given to return a useful value.
1290 @item unescape @var{args}
1291 Remove C-style escapes from @var{args}. Note that @code{\0} and
1292 @code{\x00} terminate the returned string implicitly. The string to be
1293 converted are the entire arguments right behind the delimiting space of
1296 @item unpercent @var{args}
1297 @itemx unpercent+ @var{args}
1298 Remove percent style escaping from @var{args}. Note that @code{%00}
1299 terminates the string implicitly. The string to be converted are the
1300 entire arguments right behind the delimiting space of the function
1301 name. @code{unpercent+} also maps plus signs to a spaces.
1303 @item percent @var{args}
1304 @itemx percent+ @var{args}
1305 Escape the @var{args} using percent style escaping. Tabs, formfeeds,
1306 linefeeds, carriage returns and colons are escaped. @code{percent+} also
1307 maps spaces to plus signs.
1309 @item errcode @var{arg}
1310 @itemx errsource @var{arg}
1311 @itemx errstring @var{arg}
1312 Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return
1313 the gpg-error error code, error source or a formatted string with the
1314 error code and error source.
1322 Evaluate all arguments as long integers using @code{strtol} and apply
1323 this operator. A division by zero yields an empty string.
1328 Evaluate all arguments as long integers using @code{strtol} and apply
1329 the logical operators NOT, OR or AND. The NOT operator works on the
1336 @item /definq @var{name} @var{var}
1337 Use content of the variable @var{var} for inquiries with @var{name}.
1338 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1341 @item /definqfile @var{name} @var{file}
1342 Use content of @var{file} for inquiries with @var{name}.
1343 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1345 @item /definqprog @var{name} @var{prog}
1346 Run @var{prog} for inquiries matching @var{name} and pass the
1347 entire line to it as command line arguments.
1349 @item /datafile @var{name}
1350 Write all data lines from the server to the file @var{name}. The file
1351 is opened for writing and created if it does not exists. An existing
1352 file is first truncated to 0. The data written to the file fully
1353 decoded. Using a single dash for @var{name} writes to stdout. The
1354 file is kept open until a new file is set using this command or this
1355 command is used without an argument.
1358 Print all definitions
1361 Delete all definitions
1363 @item /sendfd @var{file} @var{mode}
1364 Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
1365 mode string) and send the file descriptor to the server. This is
1366 usually followed by a command like @code{INPUT FD} to set the
1367 input source for other commands.
1370 Not yet implemented.
1372 @item /open @var{var} @var{file} [@var{mode}]
1373 Open @var{file} and assign the file descriptor to @var{var}. Warning:
1374 This command is experimental and might change in future versions.
1376 @item /close @var{fd}
1377 Close the file descriptor @var{fd}. Warning: This command is
1378 experimental and might change in future versions.
1381 Show a list of open files.
1384 Send the Assuan command @command{GETINFO pid} to the server and store
1385 the returned PID for internal purposes.
1392 Same as the command line option @option{--hex}.
1396 Same as the command line option @option{--decode}.
1400 Enable and disable variable substitution. It defaults to disabled
1401 unless the command line option @option{--subst} has been used.
1402 If /subst as been enabled once, leading whitespace is removed from
1403 input lines which makes scripts easier to read.
1405 @item /while @var{condition}
1407 These commands provide a way for executing loops. All lines between
1408 the @code{while} and the corresponding @code{end} are executed as long
1409 as the evaluation of @var{condition} yields a non-zero value or is the
1410 string @code{true} or @code{yes}. The evaluation is done by passing
1411 @var{condition} to the @code{strtol} function. Example:
1417 /echo loop couter is $i
1422 @item /if @var{condition}
1424 These commands provide a way for conditional execution. All lines between
1425 the @code{if} and the corresponding @code{end} are executed only if
1426 the evaluation of @var{condition} yields a non-zero value or is the
1427 string @code{true} or @code{yes}. The evaluation is done by passing
1428 @var{condition} to the @code{strtol} function.
1430 @item /run @var{file}
1431 Run commands from @var{file}.
1434 Terminate the connection and the program
1437 Print a list of available control commands.
1444 @command{gpg-agent}(1),
1445 @command{scdaemon}(1)
1446 @include see-also-note.texi
1452 @node dirmngr-client
1453 @section The Dirmngr Client Tool
1455 @manpage dirmngr-client.1
1458 \- Tool to access the Dirmngr services
1465 .RI [ certfile | pattern ]
1468 @mansect description
1469 The @command{dirmngr-client} is a simple tool to contact a running
1470 dirmngr and test whether a certificate has been revoked --- either by
1471 being listed in the corresponding CRL or by running the OCSP protocol.
1472 If no dirmngr is running, a new instances will be started but this is
1473 in general not a good idea due to the huge performance overhead.
1476 The usual way to run this tool is either:
1479 dirmngr-client @var{acert}
1486 dirmngr-client <@var{acert}
1489 Where @var{acert} is one DER encoded (binary) X.509 certificates to be
1492 The return value of this command is
1495 @mansect return value
1497 @command{dirmngr-client} returns these values:
1502 The certificate under question is valid; i.e. there is a valid CRL
1503 available and it is not listed tehre or teh OCSP request returned that
1504 that certificate is valid.
1507 The certificate has been revoked
1509 @item 2 (and other values)
1510 There was a problem checking the revocation state of the certificate.
1511 A message to stderr has given more detailed information. Most likely
1512 this is due to a missing or expired CRL or due to a network problem.
1518 @command{dirmngr-client} may be called with the following options:
1524 Print the program version and licensing information. Note that you cannot
1525 abbreviate this command.
1529 Print a usage message summarizing the most useful command-line options.
1530 Note that you cannot abbreviate this command.
1534 Make the output extra brief by suppressing any informational messages.
1540 Outputs additional information while running.
1541 You can increase the verbosity by giving several
1542 verbose commands to @sc{dirmngr}, such as @samp{-vv}.
1546 Assume that the given certificate is in PEM (armored) format.
1550 Do the check using the OCSP protocol and ignore any CRLs.
1552 @item --force-default-responder
1553 @opindex force-default-responder
1554 When checking using the OCSP protocl, force the use of the default OCSP
1555 responder. That is not to use the Reponder as given by the certificate.
1559 Check whether the dirmngr daemon is up and running.
1563 Put the given certificate into the cache of a running dirmngr. This is
1564 mainly useful for debugging.
1568 Validate the given certificate using dirmngr's internal validation code.
1569 This is mainly useful for debugging.
1573 This command expects a list of filenames with DER encoded CRL files.
1574 With the option @option{--url} URLs are expected in place of filenames
1575 and they are loaded directly from the given location. All CRLs will be
1576 validated and then loaded into dirmngr's cache.
1580 Take the remaining arguments and run a lookup command on each of them.
1581 The results are Base-64 encoded outputs (without header lines). This
1582 may be used to retrieve certificates from a server. However the output
1583 format is not very well suited if more than one certificate is returned.
1588 Modify the @command{lookup} and @command{load-crl} commands to take an URL.
1593 Let the @command{lookup} command only search the local cache.
1597 Run @sc{dirmngr-client} in a mode suitable as a helper program for
1598 Squid's @option{external_acl_type} option.
1605 @command{dirmngr}(8),
1607 @include see-also-note.texi
1615 @section Parse a mail message into an annotated format
1617 @manpage gpgparsemail.1
1620 \- Parse a mail message into an annotated format
1630 @mansect description
1631 The @command{gpgparsemail} is a utility currently only useful for
1632 debugging. Run it with @code{--help} for usage information.
1640 @section Call a simple symmetric encryption tool.
1641 @manpage symcryptrun.1
1644 \- Call a simple symmetric encryption tool
1656 .RB [ --decrypt | --encrypt ]
1660 @mansect description
1661 Sometimes simple encryption tools are already in use for a long time and
1662 there might be a desire to integrate them into the GnuPG framework. The
1663 protocols and encryption methods might be non-standard or not even
1664 properly documented, so that a full-fledged encryption tool with an
1665 interface like gpg is not doable. @command{symcryptrun} provides a
1666 solution: It operates by calling the external encryption/decryption
1667 module and provides a passphrase for a key using the standard
1668 @command{pinentry} based mechanism through @command{gpg-agent}.
1670 Note, that @command{symcryptrun} is only available if GnuPG has been
1671 configured with @samp{--enable-symcryptrun} at build time.
1674 * Invoking symcryptrun:: List of all commands and options.
1678 @node Invoking symcryptrun
1679 @subsection List of all commands and options.
1682 @command{symcryptrun} is invoked this way:
1685 symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
1686 [--decrypt | --encrypt] [inputfile]
1690 For encryption, the plain text must be provided on STDIN or as the
1691 argument @var{inputfile}, and the ciphertext will be output to STDOUT.
1692 For decryption vice versa.
1694 @var{CLASS} describes the calling conventions of the external tool.
1695 Currently it must be given as @samp{confucius}. @var{PROGRAM} is
1696 the full filename of that external tool.
1698 For the class @samp{confucius} the option @option{--keyfile} is
1699 required; @var{keyfile} is the name of a file containing the secret key,
1700 which may be protected by a passphrase. For detailed calling
1701 conventions, see the source code.
1704 Note, that @command{gpg-agent} must be running before starting
1705 @command{symcryptrun}.
1708 The following additional options may be used:
1714 Output additional information while running.
1720 Try to be as quiet as possible.
1722 @include opt-homedir.texi
1725 @item --log-file @var{file}
1727 Append all logging output to @var{file}. Default is to write logging
1728 information to STDERR.
1733 The possible exit status codes of @command{symcryptrun} are:
1741 No valid passphrase was provided.
1743 The operation was canceled by the user.
1751 @command{gpg-agent}(1),
1753 @include see-also-note.texi
1759 @c The original manpage on which this section is based was written
1760 @c by Colin Tuckley <colin@tuckley.org> and Daniel Leidert
1761 @c <daniel.leidert@wgdd.de> for the Debian distribution (but may be used by
1765 @section Encrypt or sign files into an archive
1767 .B gpg-zip \- Encrypt or sign files into an archive
1775 .I [ filename2, ... ]
1777 .I [ directory2, ... ]
1780 @mansect description
1781 @command{gpg-zip} encrypts or signs files into an archive. It is an
1782 gpg-ized tar using the same format as used by PGP's PGP Zip.
1786 @command{gpg-zip} is invoked this way:
1789 gpg-zip [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
1794 @command{gpg-zip} understands these options:
1801 Encrypt data. This option may be combined with @option{--symmetric} (for output that may be decrypted via a secret key or a passphrase).
1810 Encrypt with a symmetric cipher using a passphrase. The default
1811 symmetric cipher used is CAST5, but may be chosen with the
1812 @option{--cipher-algo} option to @command{gpg}.
1816 Make a signature. See @command{gpg}.
1818 @item --recipient @var{user}
1819 @itemx -r @var{user}
1821 Encrypt for user id @var{user}. See @command{gpg}.
1823 @item --local-user @var{user}
1824 @itemx -u @var{user}
1826 Use @var{user} as the key to sign with. See @command{gpg}.
1828 @item --list-archive
1829 @opindex list-archive
1830 List the contents of the specified archive.
1832 @item --output @var{file}
1833 @itemx -o @var{file}
1835 Write output to specified file @var{file}.
1837 @item --gpg @var{gpgcmd}
1839 Use the specified command @var{gpgcmd} instead of @command{gpg}.
1841 @item --gpg-args @var{args}
1843 Pass the specified options to @command{gpg}.
1845 @item --tar @var{tarcmd}
1847 Use the specified command @var{tarcmd} instead of @command{tar}.
1849 @item --tar-args @var{args}
1851 Pass the specified options to @command{tar}.
1855 Print version of the program and exit.
1859 Display a brief help page and exit.
1863 @mansect diagnostics
1865 The program returns 0 if everything was fine, 1 otherwise.
1875 Encrypt the contents of directory @file{mydocs} for user Bob to file
1879 gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
1883 List the contents of archive @file{test1}:
1886 gpg-zip --list-archive test1
1895 @include see-also-note.texi