1 @c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
2 @c This is part of the GnuPG manual.
3 @c For copying conditions, see the file GnuPG.texi.
10 GnuPG comes with a couple of smaller tools:
13 * watchgnupg:: Read logs from a socket.
14 * gpgv:: Verify OpenPGP signatures.
15 * addgnupghome:: Create .gnupg home directories.
16 * gpgconf:: Modify .gnupg home directories.
17 * applygnupgdefaults:: Run gpgconf for all users.
18 * gpgsm-gencert.sh:: Generate an X.509 certificate request.
19 * gpg-preset-passphrase:: Put a passphrase into the cache.
20 * gpg-connect-agent:: Communicate with a running agent.
21 * dirmngr-client:: How to use the Dirmngr client tool.
22 * gpgparsemail:: Parse a mail message into an annotated format
23 * symcryptrun:: Call a simple symmetric encryption tool.
24 * gpg-zip:: Encrypt or sign files into an archive.
32 @section Read logs from a socket
35 \- Read and print logs from a socket
47 Most of the main utilities are able to write their log files to a Unix
48 Domain socket if configured that way. @command{watchgnupg} is a simple
49 listener for such a socket. It ameliorates the output with a time stamp
50 and makes sure that long lines are not interspersed with log output from
51 other utilities. This tool is not available for Windows.
55 @command{watchgnupg} is commonly invoked as
58 watchgnupg --force ~/.gnupg/S.log
63 This starts it on the current terminal for listening on the socket
64 @file{~/.gnupg/S.log}.
68 @command{watchgnupg} understands these options:
74 Delete an already existing socket file.
76 @anchor{option watchgnupg --tcp}
78 Instead of reading from a local socket, listen for connects on TCP port
83 Enable extra informational output.
87 Print version of the program and exit.
91 Display a brief help page and exit.
100 $ watchgnupg --force /home/foo/.gnupg/S.log
103 This waits for connections on the local socket
104 @file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
105 work the option @option{log-file} needs to be used with all modules
106 which logs are to be shown. The value for that option must be given
107 with a special prefix (e.g. in the conf file):
110 log-file socket:///home/foo/.gnupg/S.log
113 For debugging purposes it is also possible to do remote logging. Take
114 care if you use this feature because the information is send in the
115 clear over the network. Use this syntax in the conf files:
118 log-file tcp://192.168.1.1:4711
121 You may use any port and not just 4711 as shown above; only IP addresses
122 are supported (v4 and v6) and no host names. You need to start
123 @command{watchgnupg} with the @option{tcp} option. Note that under
124 Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
125 can be used to change the default log output from @code{stderr} to
126 whatever is given by that entry. However the only useful entry is a TCP
127 name for remote debugging.
134 @command{gpg-agent}(1),
135 @command{scdaemon}(1)
137 @include see-also-note.texi
149 @manpage addgnupghome.8
151 @section Create .gnupg home directories.
154 \- Create .gnupg home directories
161 .IR account_2 ... account_n
165 If GnuPG is installed on a system with existing user accounts, it is
166 sometimes required to populate the GnuPG home directory with existing
167 files. Especially a @file{trustlist.txt} and a keybox with some
168 initial certificates are often desired. This scripts help to do this
169 by copying all files from @file{/etc/skel/.gnupg} to the home
170 directories of the accounts given on the command line. It takes care
171 not to overwrite existing GnuPG home directories.
174 @command{addgnupghome} is invoked by root as:
177 addgnupghome account1 account2 ... accountn
186 @section Modify .gnupg home directories.
189 \- Modify .gnupg home directories
196 .B \-\-list-components
205 .B \-\-change-options
211 The @command{gpgconf} is a utility to automatically and reasonable
212 safely query and modify configuration files in the @file{.gnupg} home
213 directory. It is designed not to be invoked manually by the user, but
214 automatically by graphical user interfaces (GUI).@footnote{Please note
215 that currently no locking is done, so concurrent access should be
216 avoided. There are some precautions to avoid corruption with
217 concurrent usage, but results may be inconsistent and some changes may
218 get lost. The stateless design makes it difficult to provide more
221 @command{gpgconf} provides access to the configuration of one or more
222 components of the GnuPG system. These components correspond more or
223 less to the programs that exist in the GnuPG framework, like GnuPG,
224 GPGSM, DirMngr, etc. But this is not a strict one-to-one
225 relationship. Not all configuration options are available through
226 @command{gpgconf}. @command{gpgconf} provides a generic and abstract
227 method to access the most important configuration options that can
228 feasibly be controlled via such a mechanism.
230 @command{gpgconf} can be used to gather and change the options
231 available in each component, and can also provide their default
232 values. @command{gpgconf} will give detailed type information that
233 can be used to restrict the user's input without making an attempt to
236 @command{gpgconf} provides the backend of a configuration editor. The
237 configuration editor would usually be a graphical user interface
238 program, that allows to display the current options, their default
239 values, and allows the user to make changes to the options. These
240 changes can then be made active with @command{gpgconf} again. Such a
241 program that uses @command{gpgconf} in this way will be called GUI
242 throughout this section.
245 * Invoking gpgconf:: List of all commands and options.
246 * Format conventions:: Formatting conventions relevant for all commands.
247 * Listing components:: List all gpgconf components.
248 * Checking programs:: Check all programs know to gpgconf.
249 * Listing options:: List all options of a component.
250 * Changing options:: Changing options of a component.
251 * Listing global options:: List all global options.
252 * Files used by gpgconf:: What files are used by gpgconf.
256 @node Invoking gpgconf
257 @subsection Invoking gpgconf
260 One of the following commands must be given:
264 @item --list-components
265 List all components. This is the default command used if none is
268 @item --check-programs
269 List all available backend programs and test whether they are runnable.
271 @item --list-options @var{component}
272 List all options of the component @var{component}.
274 @item --change-options @var{component}
275 Change the options of the component @var{component}.
277 @item --check-options @var{component}
278 Check the options for the component @var{component}.
280 @item --apply-defaults
281 Update all configuration files with values taken from the global
282 configuration file (usually @file{/etc/gnupg/gpgconf.conf}).
285 Lists the directories used by @command{gpgconf}. One directory is
286 listed per line, and each line consists of a colon-separated list where
287 the first field names the directory type (for example @code{sysconfdir})
288 and the second field contains the percent-escaped directory. Although
289 they are not directories, the socket file names used by
290 @command{gpg-agent} and @command{dirmngr} are printed as well. Note
291 that the socket file names and the @code{homedir} lines are the default
292 names and they may be overridden by command line switches.
294 @item --list-config [@var{filename}]
295 List the global configuration file in a colon separated format. If
296 @var{filename} is given, check that file instead.
298 @item --check-config [@var{filename}]
299 Run a syntax check on the global configuration file. If @var{filename}
300 is given, check that file instead.
302 @item --reload [@var{component}]
304 Reload all or the given component. This is basically the same as sending
305 a SIGHUP to the component. Components which don't support reloading are
308 @item --launch [@var{component}]
310 If the @var{component} is not already running, start it.
311 @command{component} must be a daemon. This is in general not required
312 because the system starts these daemons as needed. However, external
313 software making direct use of @command{gpg-agent} or @command{dirmngr}
314 may use this command to ensure that they are started.
316 @item --kill [@var{component}]
318 Kill the given component. Components which support killing are
319 gpg-agent and scdaemon. Components which don't support reloading are
320 ignored. Note that as of now reload and kill have the same effect for
328 The following options may be used:
333 @itemx --output @var{file}
334 Write output to @var{file}. Default is to write to stdout.
338 Outputs additional information while running. Specifically, this
339 extends numerical field values by human-readable descriptions.
344 Try to be as quiet as possible.
348 Do not actually change anything. This is currently only implemented
349 for @code{--change-options} and can be used for testing purposes.
353 Only used together with @code{--change-options}. If one of the
354 modified options can be changed in a running daemon process, signal
355 the running daemon to ask it to reparse its configuration file after
358 This means that the changes will take effect at run-time, as far as
359 this is possible. Otherwise, they will take effect at the next start
360 of the respective backend programs.
365 @node Format conventions
366 @subsection Format conventions
368 Some lines in the output of @command{gpgconf} contain a list of
369 colon-separated fields. The following conventions apply:
373 The GUI program is required to strip off trailing newline and/or
374 carriage return characters from the output.
377 @command{gpgconf} will never leave out fields. If a certain version
378 provides a certain field, this field will always be present in all
379 @command{gpgconf} versions from that time on.
382 Future versions of @command{gpgconf} might append fields to the list.
383 New fields will always be separated from the previously last field by
384 a colon separator. The GUI should be prepared to parse the last field
385 it knows about up until a colon or end of line.
388 Not all fields are defined under all conditions. You are required to
389 ignore the content of undefined fields.
392 There are several standard types for the content of a field:
396 Some fields contain strings that are not escaped in any way. Such
397 fields are described to be used @emph{verbatim}. These fields will
398 never contain a colon character (for obvious reasons). No de-escaping
399 or other formatting is required to use the field content. This is for
400 easy parsing of the output, when it is known that the content can
401 never contain any special characters.
403 @item percent-escaped
404 Some fields contain strings that are described to be
405 @emph{percent-escaped}. Such strings need to be de-escaped before
406 their content can be presented to the user. A percent-escaped string
407 is de-escaped by replacing all occurrences of @code{%XY} by the byte
408 that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
409 from the set @code{0-9a-f}.
412 Some fields contain strings that are described to be @emph{localised}.
413 Such strings are translated to the active language and formatted in
414 the active character set.
416 @item @w{unsigned number}
417 Some fields contain an @emph{unsigned number}. This number will
418 always fit into a 32-bit unsigned integer variable. The number may be
419 followed by a space, followed by a human readable description of that
420 value (if the verbose option is used). You should ignore everything
421 in the field that follows the number.
423 @item @w{signed number}
424 Some fields contain a @emph{signed number}. This number will always
425 fit into a 32-bit signed integer variable. The number may be followed
426 by a space, followed by a human readable description of that value (if
427 the verbose option is used). You should ignore everything in the
428 field that follows the number.
430 @item @w{boolean value}
431 Some fields contain a @emph{boolean value}. This is a number with
432 either the value 0 or 1. The number may be followed by a space,
433 followed by a human readable description of that value (if the verbose
434 option is used). You should ignore everything in the field that follows
435 the number; checking just the first character is sufficient in this
439 Some fields contain an @emph{option} argument. The format of an
440 option argument depends on the type of the option and on some flags:
444 The simplest case is that the option does not take an argument at all
445 (@var{type} @code{0}). Then the option argument is an unsigned number
446 that specifies how often the option occurs. If the @code{list} flag
447 is not set, then the only valid number is @code{1}. Options that do
448 not take an argument never have the @code{default} or @code{optional
452 If the option takes a number argument (@var{alt-type} is @code{2} or
453 @code{3}), and it can only occur once (@code{list} flag is not set),
454 then the option argument is either empty (only allowed if the argument
455 is optional), or it is a number. A number is a string that begins
456 with an optional minus character, followed by one or more digits. The
457 number must fit into an integer variable (unsigned or signed,
458 depending on @var{alt-type}).
461 If the option takes a number argument and it can occur more than once,
462 then the option argument is either empty, or it is a comma-separated
463 list of numbers as described above.
466 If the option takes a string argument (@var{alt-type} is 1), and it
467 can only occur once (@code{list} flag is not set) then the option
468 argument is either empty (only allowed if the argument is optional),
469 or it starts with a double quote character (@code{"}) followed by a
470 percent-escaped string that is the argument value. Note that there is
471 only a leading double quote character, no trailing one. The double
472 quote character is only needed to be able to differentiate between no
473 value and the empty string as value.
476 If the option takes a number argument and it can occur more than once,
477 then the option argument is either empty, or it is a comma-separated
478 list of string arguments as described above.
482 The active language and character set are currently determined from
483 the locale environment of the @command{gpgconf} program.
485 @c FIXME: Document the active language and active character set. Allow
486 @c to change it via the command line?
490 @node Listing components
491 @subsection Listing components
493 The command @code{--list-components} will list all components that can
494 be configured with @command{gpgconf}. Usually, one component will
495 correspond to one GnuPG-related program and contain the options of
496 that programs configuration file that can be modified using
497 @command{gpgconf}. However, this is not necessarily the case. A
498 component might also be a group of selected options from several
499 programs, or contain entirely virtual options that have a special
500 effect rather than changing exactly one option in one configuration
503 A component is a set of configuration options that semantically belong
504 together. Furthermore, several changes to a component can be made in
505 an atomic way with a single operation. The GUI could for example
506 provide a menu with one entry for each component, or a window with one
507 tabulator sheet per component.
509 The command argument @code{--list-components} lists all available
510 components, one per line. The format of each line is:
512 @code{@var{name}:@var{description}:@var{pgmname}:}
516 This field contains a name tag of the component. The name tag is used
517 to specify the component in all communication with @command{gpgconf}.
518 The name tag is to be used @emph{verbatim}. It is thus not in any
522 The @emph{string} in this field contains a human-readable description
523 of the component. It can be displayed to the user of the GUI for
524 informational purposes. It is @emph{percent-escaped} and
528 The @emph{string} in this field contains the absolute name of the
529 program's file. It can be used to unambiguously invoke that program.
530 It is @emph{percent-escaped}.
535 $ gpgconf --list-components
536 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
537 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
538 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
539 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
540 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
545 @node Checking programs
546 @subsection Checking programs
548 The command @code{--check-programs} is similar to
549 @code{--list-components} but works on backend programs and not on
550 components. It runs each program to test whether it is installed and
551 runnable. This also includes a syntax check of all config file options
554 The command argument @code{--check-programs} lists all available
555 programs, one per line. The format of each line is:
557 @code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}
561 This field contains a name tag of the program which is identical to the
562 name of the component. The name tag is to be used @emph{verbatim}. It
563 is thus not in any escaped format. This field may be empty to indicate
564 a continuation of error descriptions for the last name. The description
565 and pgmname fields are then also empty.
568 The @emph{string} in this field contains a human-readable description
569 of the component. It can be displayed to the user of the GUI for
570 informational purposes. It is @emph{percent-escaped} and
574 The @emph{string} in this field contains the absolute name of the
575 program's file. It can be used to unambiguously invoke that program.
576 It is @emph{percent-escaped}.
579 The @emph{boolean value} in this field indicates whether the program is
580 installed and runnable.
583 The @emph{boolean value} in this field indicates whether the program's
584 config file is syntactically okay.
587 If an error occurred in the configuration file (as indicated by a false
588 value in the field @code{okay}), this field has the name of the failing
589 configuration file. It is @emph{percent-escaped}.
592 If an error occurred in the configuration file, this field has the line
593 number of the failing statement in the configuration file.
594 It is an @emph{unsigned number}.
597 If an error occurred in the configuration file, this field has the error
598 text of the failing statement in the configuration file. It is
599 @emph{percent-escaped} and @emph{localized}.
604 In the following example the @command{dirmngr} is not runnable and the
605 configuration file of @command{scdaemon} is not okay.
608 $ gpgconf --check-programs
609 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
610 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
611 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
612 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
613 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
617 The command @w{@code{--check-options @var{component}}} will verify the
618 configuration file in the same manner as @code{--check-programs}, but
619 only for the component @var{component}.
622 @node Listing options
623 @subsection Listing options
625 Every component contains one or more options. Options may be gathered
626 into option groups to allow the GUI to give visual hints to the user
627 about which options are related.
629 The command argument @code{@w{--list-options @var{component}}} lists
630 all options (and the groups they belong to) in the component
631 @var{component}, one per line. @var{component} must be the string in
632 the field @var{name} in the output of the @code{--list-components}
635 There is one line for each option and each group. First come all
636 options that are not in any group. Then comes a line describing a
637 group. Then come all options that belong into each group. Then comes
638 the next group and so on. There does not need to be any group (and in
639 this case the output will stop after the last non-grouped option).
641 The format of each line is:
643 @code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}
647 This field contains a name tag for the group or option. The name tag
648 is used to specify the group or option in all communication with
649 @command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
650 thus not in any escaped format.
653 The flags field contains an @emph{unsigned number}. Its value is the
654 OR-wise combination of the following flag values:
658 If this flag is set, this is a line describing a group and not an
662 The following flag values are only defined for options (that is, if
663 the @code{group} flag is not used).
666 @item optional arg (2)
667 If this flag is set, the argument is optional. This is never set for
668 @var{type} @code{0} (none) options.
671 If this flag is set, the option can be given multiple times.
674 If this flag is set, the option can be changed at runtime.
677 If this flag is set, a default value is available.
679 @item default desc (32)
680 If this flag is set, a (runtime) default is available. This and the
681 @code{default} flag are mutually exclusive.
683 @item no arg desc (64)
684 If this flag is set, and the @code{optional arg} flag is set, then the
685 option has a special meaning if no argument is given.
687 @item no change (128)
688 If this flag is set, gpgconf ignores requests to change the value. GUI
689 frontends should grey out this option. Note, that manual changes of the
690 configuration files are still possible.
694 This field is defined for options and for groups. It contains an
695 @emph{unsigned number} that specifies the expert level under which
696 this group or option should be displayed. The following expert levels
697 are defined for options (they have analogous meaning for groups):
701 This option should always be offered to the user.
704 This option may be offered to advanced users.
707 This option should only be offered to expert users.
710 This option should normally never be displayed, not even to expert
714 This option is for internal use only. Ignore it.
717 The level of a group will always be the lowest level of all options it
721 This field is defined for options and groups. The @emph{string} in
722 this field contains a human-readable description of the option or
723 group. It can be displayed to the user of the GUI for informational
724 purposes. It is @emph{percent-escaped} and @emph{localized}.
727 This field is only defined for options. It contains an @emph{unsigned
728 number} that specifies the type of the option's argument, if any. The
729 following types are defined:
738 An @emph{unformatted string}.
741 A @emph{signed number}.
744 An @emph{unsigned number}.
751 A @emph{string} that describes the pathname of a file. The file does
752 not necessarily need to exist.
754 @item ldap server (33)
755 A @emph{string} that describes an LDAP server in the format:
757 @code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}
759 @item key fingerprint (34)
760 A @emph{string} with a 40 digit fingerprint specifying a certificate.
763 A @emph{string} that describes a certificate by user ID, key ID or
767 A @emph{string} that describes a certificate with a key by user ID,
768 key ID or fingerprint.
770 @item alias list (37)
771 A @emph{string} that describes an alias list, like the one used with
772 gpg's group option. The list consists of a key, an equal sign and space
776 More types will be added in the future. Please see the @var{alt-type}
777 field for information on how to cope with unknown types.
780 This field is identical to @var{type}, except that only the types
781 @code{0} to @code{31} are allowed. The GUI is expected to present the
782 user the option in the format specified by @var{type}. But if the
783 argument type @var{type} is not supported by the GUI, it can still
784 display the option in the more generic basic type @var{alt-type}. The
785 GUI must support all the defined basic types to be able to display all
786 options. More basic types may be added in future versions. If the
787 GUI encounters a basic type it doesn't support, it should report an
788 error and abort the operation.
791 This field is only defined for options with an argument type
792 @var{type} that is not @code{0}. In this case it may contain a
793 @emph{percent-escaped} and @emph{localised string} that gives a short
794 name for the argument. The field may also be empty, though, in which
795 case a short name is not known.
798 This field is defined only for options for which the @code{default} or
799 @code{default desc} flag is set. If the @code{default} flag is set,
800 its format is that of an @emph{option argument} (@xref{Format
801 conventions}, for details). If the default value is empty, then no
802 default is known. Otherwise, the value specifies the default value
803 for this option. If the @code{default desc} flag is set, the field is
804 either empty or contains a description of the effect if the option is
808 This field is defined only for options for which the @code{optional
809 arg} flag is set. If the @code{no arg desc} flag is not set, its
810 format is that of an @emph{option argument} (@xref{Format
811 conventions}, for details). If the default value is empty, then no
812 default is known. Otherwise, the value specifies the default argument
813 for this option. If the @code{no arg desc} flag is set, the field is
814 either empty or contains a description of the effect of this option if
815 no argument is given.
818 This field is defined only for options. Its format is that of an
819 @emph{option argument}. If it is empty, then the option is not
820 explicitly set in the current configuration, and the default applies
821 (if any). Otherwise, it contains the current value of the option.
822 Note that this field is also meaningful if the option itself does not
823 take a real argument (in this case, it contains the number of times
828 @node Changing options
829 @subsection Changing options
831 The command @w{@code{--change-options @var{component}}} will attempt
832 to change the options of the component @var{component} to the
833 specified values. @var{component} must be the string in the field
834 @var{name} in the output of the @code{--list-components} command. You
835 have to provide the options that shall be changed in the following
836 format on standard input:
838 @code{@var{name}:@var{flags}:@var{new-value}}
842 This is the name of the option to change. @var{name} must be the
843 string in the field @var{name} in the output of the
844 @code{--list-options} command.
847 The flags field contains an @emph{unsigned number}. Its value is the
848 OR-wise combination of the following flag values:
852 If this flag is set, the option is deleted and the default value is
853 used instead (if applicable).
857 The new value for the option. This field is only defined if the
858 @code{default} flag is not set. The format is that of an @emph{option
859 argument}. If it is empty (or the field is omitted), the default
860 argument is used (only allowed if the argument is optional for this
861 option). Otherwise, the option will be set to the specified value.
865 The output of the command is the same as that of
866 @code{--check-options} for the modified configuration file.
870 To set the force option, which is of basic type @code{none (0)}:
873 $ echo 'force:0:1' | gpgconf --change-options dirmngr
876 To delete the force option:
879 $ echo 'force:16:' | gpgconf --change-options dirmngr
882 The @code{--runtime} option can influence when the changes take
886 @node Listing global options
887 @subsection Listing global options
889 Sometimes it is useful for applications to look at the global options
890 file @file{gpgconf.conf}.
891 The colon separated listing format is record oriented and uses the first
892 field to identify the record type:
896 This describes a key record to start the definition of a new ruleset for
897 a user/group. The format of a key record is:
899 @code{k:@var{user}:@var{group}:}
903 This is the user field of the key. It is percent escaped. See the
904 definition of the gpgconf.conf format for details.
907 This is the group field of the key. It is percent escaped.
911 This describes a rule record. All rule records up to the next key record
912 make up a rule set for that key. The format of a rule record is:
914 @code{r:::@var{component}:@var{option}:@var{flags}:@var{value}:}
918 This is the component part of a rule. It is a plain string.
921 This is the option part of a rule. It is a plain string.
924 This is the flags part of a rule. There may be only one flag per rule
925 but by using the same component and option, several flags may be
926 assigned to an option. It is a plain string.
929 This is the optional value for the option. It is a percent escaped
930 string with a single quotation mark to indicate a string. The quotation
931 mark is only required to distinguish between no value specified and an
938 Unknown record types should be ignored. Note that there is intentionally
939 no feature to change the global option file through @command{gpgconf}.
944 @node Files used by gpgconf
945 @subsection Files used by gpgconf
949 @item /etc/gnupg/gpgconf.conf
951 If this file exists, it is processed as a global configuration file.
952 A commented example can be found in the @file{examples} directory of
961 @command{gpg-agent}(1),
962 @command{scdaemon}(1),
965 @include see-also-note.texi
970 @c APPLYGNUPGDEFAULTS
972 @manpage applygnupgdefaults.8
973 @node applygnupgdefaults
974 @section Run gpgconf for all users.
976 .B applygnupgdefaults
977 \- Run gpgconf --apply-defaults for all users.
982 .B applygnupgdefaults
986 This script is a wrapper around @command{gpgconf} to run it with the
987 command @code{--apply-defaults} for all real users with an existing
988 GnuPG home directory. Admins might want to use this script to update he
989 GnuPG configuration files for all users after
990 @file{/etc/gnupg/gpgconf.conf} has been changed. This allows to enforce
991 certain policies for all users. Note, that this is not a bulletproof of
992 forcing a user to use certain options. A user may always directly edit
993 the configuration files and bypass gpgconf.
996 @command{applygnupgdefaults} is invoked by root as:
1006 @node gpgsm-gencert.sh
1007 @section Generate an X.509 certificate request
1008 @manpage gpgsm-gencert.sh.1
1011 \- Generate an X.509 certificate request
1019 @mansect description
1020 This is a simple tool to interactively generate a certificate request
1021 which will be printed to stdout.
1025 @command{gpgsm-gencert.sh} is invoked as:
1027 @samp{gpgsm-cencert.sh}
1032 @command{gpg-agent}(1),
1033 @command{scdaemon}(1)
1035 @include see-also-note.texi
1040 @c GPG-PRESET-PASSPHRASE
1042 @node gpg-preset-passphrase
1043 @section Put a passphrase into the cache.
1044 @manpage gpg-preset-passphrase.1
1046 .B gpg-preset-passphrase
1047 \- Put a passphrase into gpg-agent's cache
1052 .B gpg-preset-passphrase
1058 @mansect description
1059 The @command{gpg-preset-passphrase} is a utility to seed the internal
1060 cache of a running @command{gpg-agent} with passphrases. It is mainly
1061 useful for unattended machines, where the usual @command{pinentry} tool
1062 may not be used and the passphrases for the to be used keys are given at
1065 Passphrases set with this utility don't expire unless the
1066 @option{--forget} option is used to explicitly clear them from the
1067 cache --- or @command{gpg-agent} is either restarted or reloaded (by
1068 sending a SIGHUP to it). Note that the maximum cache time as set with
1069 @option{--max-cache-ttl} is still honored. It is necessary to allow
1070 this passphrase presetting by starting @command{gpg-agent} with the
1071 @option{--allow-preset-passphrase}.
1074 * Invoking gpg-preset-passphrase:: List of all commands and options.
1078 @node Invoking gpg-preset-passphrase
1079 @subsection List of all commands and options.
1083 @command{gpg-preset-passphrase} is invoked this way:
1086 gpg-preset-passphrase [options] [command] @var{cacheid}
1089 @var{cacheid} is either a 40 character keygrip of hexadecimal
1090 characters identifying the key for which the passphrase should be set
1091 or cleared. The keygrip is listed along with the key when running the
1092 command: @code{gpgsm --dump-secret-keys}. Alternatively an arbitrary
1093 string may be used to identify a passphrase; it is suggested that such
1094 a string is prefixed with the name of the application (e.g
1098 One of the following command options must be given:
1103 Preset a passphrase. This is what you usually will
1104 use. @command{gpg-preset-passphrase} will then read the passphrase from
1109 Flush the passphrase for the given cache ID from the cache.
1114 The following additional options may be used:
1120 Output additional information while running.
1122 @item -P @var{string}
1123 @itemx --passphrase @var{string}
1125 Instead of reading the passphrase from @code{stdin}, use the supplied
1126 @var{string} as passphrase. Note that this makes the passphrase visible
1134 @command{gpg-agent}(1),
1135 @command{scdaemon}(1)
1137 @include see-also-note.texi
1143 @c GPG-CONNECT-AGENT
1145 @node gpg-connect-agent
1146 @section Communicate with a running agent.
1147 @manpage gpg-connect-agent.1
1149 .B gpg-connect-agent
1150 \- Communicate with a running agent
1155 .B gpg-connect-agent
1156 .RI [ options ] [commands]
1159 @mansect description
1160 The @command{gpg-connect-agent} is a utility to communicate with a
1161 running @command{gpg-agent}. It is useful to check out the commands
1162 gpg-agent provides using the Assuan interface. It might also be useful
1163 for scripting simple applications. Input is expected at stdin and out
1164 put gets printed to stdout.
1166 It is very similar to running @command{gpg-agent} in server mode; but
1167 here we connect to a running instance.
1170 * Invoking gpg-connect-agent:: List of all options.
1171 * Controlling gpg-connect-agent:: Control commands.
1175 @node Invoking gpg-connect-agent
1176 @subsection List of all options.
1179 @command{gpg-connect-agent} is invoked this way:
1182 gpg-connect-agent [options] [commands]
1187 The following options may be used:
1193 Output additional information while running.
1199 Try to be as quiet as possible.
1201 @include opt-homedir.texi
1203 @item --agent-program @var{file}
1204 @opindex agent-program
1205 Specify the agent program to be started if none is running. The
1206 default value is determined by running @command{gpgconf} with the
1207 option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
1208 used for a regression test suite hack and may thus not be used in the
1211 @item --dirmngr-program @var{file}
1212 @opindex dirmngr-program
1213 Specify the directory manager (keyserver client) program to be started
1214 if none is running. This has only an effect if used together with the
1215 option @option{--dirmngr}.
1219 Connect to a running directory manager (keyserver client) instead of
1220 to the gpg-agent. If a dirmngr is not running, start it.
1223 @itemx --raw-socket @var{name}
1225 Connect to socket @var{name} assuming this is an Assuan style server.
1226 Do not run any special initializations or environment checks. This may
1227 be used to directly connect to any Assuan style socket server.
1232 Take the rest of the command line as a program and it's arguments and
1233 execute it as an assuan server. Here is how you would run @command{gpgsm}:
1235 gpg-connect-agent --exec gpgsm --server
1237 Note that you may not use options on the command line in this case.
1239 @item --no-ext-connect
1240 @opindex no-ext-connect
1241 When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
1242 connects to the assuan server in extended mode to allow descriptor
1243 passing. This option makes it use the old mode.
1245 @item --no-autostart
1246 @opindex no-autostart
1247 Do not start the gpg-agent or the dirmngr if it has not yet been
1251 @itemx --run @var{file}
1253 Run the commands from @var{file} at startup and then continue with the
1254 regular input method. Note, that commands given on the command line are
1255 executed after this file.
1260 Run the command @code{/subst} at startup.
1264 Print data lines in a hex format and the ASCII representation of
1265 non-control characters.
1269 Decode data lines. That is to remove percent escapes but make sure that
1270 a new line always starts with a D and a space.
1274 @mansect control commands
1275 @node Controlling gpg-connect-agent
1276 @subsection Control commands.
1278 While reading Assuan commands, gpg-agent also allows a few special
1279 commands to control its operation. These control commands all start
1280 with a slash (@code{/}).
1284 @item /echo @var{args}
1285 Just print @var{args}.
1287 @item /let @var{name} @var{value}
1288 Set the variable @var{name} to @var{value}. Variables are only
1289 substituted on the input if the @command{/subst} has been used.
1290 Variables are referenced by prefixing the name with a dollar sign and
1291 optionally include the name in curly braces. The rules for a valid name
1292 are identically to those of the standard bourne shell. This is not yet
1293 enforced but may be in the future. When used with curly braces no
1294 leading or trailing white space is allowed.
1296 If a variable is not found, it is searched in the environment and if
1297 found copied to the table of variables.
1299 Variable functions are available: The name of the function must be
1300 followed by at least one space and the at least one argument. The
1301 following functions are available:
1305 Return a value described by the argument. Available arguments are:
1309 The current working directory.
1313 GnuPG's system configuration directory.
1315 GnuPG's binary directory.
1317 GnuPG's library directory.
1319 GnuPG's library directory for executable files.
1321 GnuPG's data directory.
1323 The PID of the current server. Command @command{/serverpid} must
1324 have been given to return a useful value.
1327 @item unescape @var{args}
1328 Remove C-style escapes from @var{args}. Note that @code{\0} and
1329 @code{\x00} terminate the returned string implicitly. The string to be
1330 converted are the entire arguments right behind the delimiting space of
1333 @item unpercent @var{args}
1334 @itemx unpercent+ @var{args}
1335 Remove percent style escaping from @var{args}. Note that @code{%00}
1336 terminates the string implicitly. The string to be converted are the
1337 entire arguments right behind the delimiting space of the function
1338 name. @code{unpercent+} also maps plus signs to a spaces.
1340 @item percent @var{args}
1341 @itemx percent+ @var{args}
1342 Escape the @var{args} using percent style escaping. Tabs, formfeeds,
1343 linefeeds, carriage returns and colons are escaped. @code{percent+} also
1344 maps spaces to plus signs.
1346 @item errcode @var{arg}
1347 @itemx errsource @var{arg}
1348 @itemx errstring @var{arg}
1349 Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return
1350 the gpg-error error code, error source or a formatted string with the
1351 error code and error source.
1359 Evaluate all arguments as long integers using @code{strtol} and apply
1360 this operator. A division by zero yields an empty string.
1365 Evaluate all arguments as long integers using @code{strtol} and apply
1366 the logical operators NOT, OR or AND. The NOT operator works on the
1373 @item /definq @var{name} @var{var}
1374 Use content of the variable @var{var} for inquiries with @var{name}.
1375 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1378 @item /definqfile @var{name} @var{file}
1379 Use content of @var{file} for inquiries with @var{name}.
1380 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1382 @item /definqprog @var{name} @var{prog}
1383 Run @var{prog} for inquiries matching @var{name} and pass the
1384 entire line to it as command line arguments.
1386 @item /datafile @var{name}
1387 Write all data lines from the server to the file @var{name}. The file
1388 is opened for writing and created if it does not exists. An existing
1389 file is first truncated to 0. The data written to the file fully
1390 decoded. Using a single dash for @var{name} writes to stdout. The
1391 file is kept open until a new file is set using this command or this
1392 command is used without an argument.
1395 Print all definitions
1398 Delete all definitions
1400 @item /sendfd @var{file} @var{mode}
1401 Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
1402 mode string) and send the file descriptor to the server. This is
1403 usually followed by a command like @code{INPUT FD} to set the
1404 input source for other commands.
1407 Not yet implemented.
1409 @item /open @var{var} @var{file} [@var{mode}]
1410 Open @var{file} and assign the file descriptor to @var{var}. Warning:
1411 This command is experimental and might change in future versions.
1413 @item /close @var{fd}
1414 Close the file descriptor @var{fd}. Warning: This command is
1415 experimental and might change in future versions.
1418 Show a list of open files.
1421 Send the Assuan command @command{GETINFO pid} to the server and store
1422 the returned PID for internal purposes.
1429 Same as the command line option @option{--hex}.
1433 Same as the command line option @option{--decode}.
1437 Enable and disable variable substitution. It defaults to disabled
1438 unless the command line option @option{--subst} has been used.
1439 If /subst as been enabled once, leading whitespace is removed from
1440 input lines which makes scripts easier to read.
1442 @item /while @var{condition}
1444 These commands provide a way for executing loops. All lines between
1445 the @code{while} and the corresponding @code{end} are executed as long
1446 as the evaluation of @var{condition} yields a non-zero value or is the
1447 string @code{true} or @code{yes}. The evaluation is done by passing
1448 @var{condition} to the @code{strtol} function. Example:
1454 /echo loop couter is $i
1459 @item /if @var{condition}
1461 These commands provide a way for conditional execution. All lines between
1462 the @code{if} and the corresponding @code{end} are executed only if
1463 the evaluation of @var{condition} yields a non-zero value or is the
1464 string @code{true} or @code{yes}. The evaluation is done by passing
1465 @var{condition} to the @code{strtol} function.
1467 @item /run @var{file}
1468 Run commands from @var{file}.
1471 Terminate the connection and the program
1474 Print a list of available control commands.
1481 @command{gpg-agent}(1),
1482 @command{scdaemon}(1)
1483 @include see-also-note.texi
1489 @node dirmngr-client
1490 @section The Dirmngr Client Tool
1492 @manpage dirmngr-client.1
1495 \- Tool to access the Dirmngr services
1502 .RI [ certfile | pattern ]
1505 @mansect description
1506 The @command{dirmngr-client} is a simple tool to contact a running
1507 dirmngr and test whether a certificate has been revoked --- either by
1508 being listed in the corresponding CRL or by running the OCSP protocol.
1509 If no dirmngr is running, a new instances will be started but this is
1510 in general not a good idea due to the huge performance overhead.
1513 The usual way to run this tool is either:
1516 dirmngr-client @var{acert}
1523 dirmngr-client <@var{acert}
1526 Where @var{acert} is one DER encoded (binary) X.509 certificates to be
1529 The return value of this command is
1532 @mansect return value
1534 @command{dirmngr-client} returns these values:
1539 The certificate under question is valid; i.e. there is a valid CRL
1540 available and it is not listed tehre or teh OCSP request returned that
1541 that certificate is valid.
1544 The certificate has been revoked
1546 @item 2 (and other values)
1547 There was a problem checking the revocation state of the certificate.
1548 A message to stderr has given more detailed information. Most likely
1549 this is due to a missing or expired CRL or due to a network problem.
1555 @command{dirmngr-client} may be called with the following options:
1561 Print the program version and licensing information. Note that you cannot
1562 abbreviate this command.
1566 Print a usage message summarizing the most useful command-line options.
1567 Note that you cannot abbreviate this command.
1571 Make the output extra brief by suppressing any informational messages.
1577 Outputs additional information while running.
1578 You can increase the verbosity by giving several
1579 verbose commands to @sc{dirmngr}, such as @samp{-vv}.
1583 Assume that the given certificate is in PEM (armored) format.
1587 Do the check using the OCSP protocol and ignore any CRLs.
1589 @item --force-default-responder
1590 @opindex force-default-responder
1591 When checking using the OCSP protocl, force the use of the default OCSP
1592 responder. That is not to use the Reponder as given by the certificate.
1596 Check whether the dirmngr daemon is up and running.
1600 Put the given certificate into the cache of a running dirmngr. This is
1601 mainly useful for debugging.
1605 Validate the given certificate using dirmngr's internal validation code.
1606 This is mainly useful for debugging.
1610 This command expects a list of filenames with DER encoded CRL files.
1611 With the option @option{--url} URLs are expected in place of filenames
1612 and they are loaded directly from the given location. All CRLs will be
1613 validated and then loaded into dirmngr's cache.
1617 Take the remaining arguments and run a lookup command on each of them.
1618 The results are Base-64 encoded outputs (without header lines). This
1619 may be used to retrieve certificates from a server. However the output
1620 format is not very well suited if more than one certificate is returned.
1625 Modify the @command{lookup} and @command{load-crl} commands to take an URL.
1630 Let the @command{lookup} command only search the local cache.
1634 Run @sc{dirmngr-client} in a mode suitable as a helper program for
1635 Squid's @option{external_acl_type} option.
1642 @command{dirmngr}(8),
1644 @include see-also-note.texi
1652 @section Parse a mail message into an annotated format
1654 @manpage gpgparsemail.1
1657 \- Parse a mail message into an annotated format
1667 @mansect description
1668 The @command{gpgparsemail} is a utility currently only useful for
1669 debugging. Run it with @code{--help} for usage information.
1677 @section Call a simple symmetric encryption tool.
1678 @manpage symcryptrun.1
1681 \- Call a simple symmetric encryption tool
1693 .RB [ --decrypt | --encrypt ]
1697 @mansect description
1698 Sometimes simple encryption tools are already in use for a long time and
1699 there might be a desire to integrate them into the GnuPG framework. The
1700 protocols and encryption methods might be non-standard or not even
1701 properly documented, so that a full-fledged encryption tool with an
1702 interface like gpg is not doable. @command{symcryptrun} provides a
1703 solution: It operates by calling the external encryption/decryption
1704 module and provides a passphrase for a key using the standard
1705 @command{pinentry} based mechanism through @command{gpg-agent}.
1707 Note, that @command{symcryptrun} is only available if GnuPG has been
1708 configured with @samp{--enable-symcryptrun} at build time.
1711 * Invoking symcryptrun:: List of all commands and options.
1715 @node Invoking symcryptrun
1716 @subsection List of all commands and options.
1719 @command{symcryptrun} is invoked this way:
1722 symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
1723 [--decrypt | --encrypt] [inputfile]
1727 For encryption, the plain text must be provided on STDIN or as the
1728 argument @var{inputfile}, and the ciphertext will be output to STDOUT.
1729 For decryption vice versa.
1731 @var{CLASS} describes the calling conventions of the external tool.
1732 Currently it must be given as @samp{confucius}. @var{PROGRAM} is
1733 the full filename of that external tool.
1735 For the class @samp{confucius} the option @option{--keyfile} is
1736 required; @var{keyfile} is the name of a file containing the secret key,
1737 which may be protected by a passphrase. For detailed calling
1738 conventions, see the source code.
1741 Note, that @command{gpg-agent} must be running before starting
1742 @command{symcryptrun}.
1745 The following additional options may be used:
1751 Output additional information while running.
1757 Try to be as quiet as possible.
1759 @include opt-homedir.texi
1762 @item --log-file @var{file}
1764 Append all logging output to @var{file}. Default is to write logging
1765 information to STDERR.
1770 The possible exit status codes of @command{symcryptrun} are:
1778 No valid passphrase was provided.
1780 The operation was canceled by the user.
1788 @command{gpg-agent}(1),
1790 @include see-also-note.texi
1796 @c The original manpage on which this section is based was written
1797 @c by Colin Tuckley <colin@tuckley.org> and Daniel Leidert
1798 @c <daniel.leidert@wgdd.de> for the Debian distribution (but may be used by
1802 @section Encrypt or sign files into an archive
1804 .B gpg-zip \- Encrypt or sign files into an archive
1812 .I [ filename2, ... ]
1814 .I [ directory2, ... ]
1817 @mansect description
1818 @command{gpg-zip} encrypts or signs files into an archive. It is an
1819 gpg-ized tar using the same format as used by PGP's PGP Zip.
1823 @command{gpg-zip} is invoked this way:
1826 gpg-zip [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
1831 @command{gpg-zip} understands these options:
1838 Encrypt data. This option may be combined with @option{--symmetric} (for output that may be decrypted via a secret key or a passphrase).
1847 Encrypt with a symmetric cipher using a passphrase. The default
1848 symmetric cipher used is CAST5, but may be chosen with the
1849 @option{--cipher-algo} option to @command{gpg}.
1853 Make a signature. See @command{gpg}.
1855 @item --recipient @var{user}
1856 @itemx -r @var{user}
1858 Encrypt for user id @var{user}. See @command{gpg}.
1860 @item --local-user @var{user}
1861 @itemx -u @var{user}
1863 Use @var{user} as the key to sign with. See @command{gpg}.
1865 @item --list-archive
1866 @opindex list-archive
1867 List the contents of the specified archive.
1869 @item --output @var{file}
1870 @itemx -o @var{file}
1872 Write output to specified file @var{file}.
1874 @item --gpg @var{gpgcmd}
1876 Use the specified command @var{gpgcmd} instead of @command{gpg}.
1878 @item --gpg-args @var{args}
1880 Pass the specified options to @command{gpg}.
1882 @item --tar @var{tarcmd}
1884 Use the specified command @var{tarcmd} instead of @command{tar}.
1886 @item --tar-args @var{args}
1888 Pass the specified options to @command{tar}.
1892 Print version of the program and exit.
1896 Display a brief help page and exit.
1900 @mansect diagnostics
1902 The program returns 0 if everything was fine, 1 otherwise.
1912 Encrypt the contents of directory @file{mydocs} for user Bob to file
1916 gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
1920 List the contents of archive @file{test1}:
1923 gpg-zip --list-archive test1
1932 @include see-also-note.texi