1 @c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
2 @c This is part of the GnuPG manual.
3 @c For copying conditions, see the file GnuPG.texi.
8 GnuPG comes with a couple of smaller tools:
11 * watchgnupg:: Read logs from a socket.
12 * gpgv:: Verify OpenPGP signatures.
13 * addgnupghome:: Create .gnupg home directories.
14 * gpgconf:: Modify .gnupg home directories.
15 * applygnupgdefaults:: Run gpgconf for all users.
16 * gpgsm-gencert.sh:: Generate an X.509 certificate request.
17 * gpg-preset-passphrase:: Put a passphrase into the cache.
18 * gpg-connect-agent:: Communicate with a running agent.
20 * dirmngr-client:: How to use the Dirmngr client tool.
22 * gpgparsemail:: Parse a mail message into an annotated format
23 * symcryptrun:: Call a simple symmetric encryption tool.
24 * gpg-zip:: Encrypt or sign files into an archive.
32 @section Read logs from a socket
35 \- Read and print logs from a socket
47 Most of the main utilities are able to write their log files to a Unix
48 Domain socket if configured that way. @command{watchgnupg} is a simple
49 listener for such a socket. It ameliorates the output with a time stamp
50 and makes sure that long lines are not interspersed with log output from
51 other utilities. This tool is not available for Windows.
55 @command{watchgnupg} is commonly invoked as
58 watchgnupg --force ~/.gnupg/S.log
63 This starts it on the current terminal for listening on the socket
64 @file{~/.gnupg/S.log}.
68 @command{watchgnupg} understands these options:
74 Delete an already existing socket file.
76 @anchor{option watchgnupg --tcp}
78 Instead of reading from a local socket, listen for connects on TCP port
83 Enable extra informational output.
87 Print version of the program and exit.
91 Display a brief help page and exit.
100 $ watchgnupg --force /home/foo/.gnupg/S.log
103 This waits for connections on the local socket
104 @file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
105 work the option @option{log-file} needs to be used with all modules
106 which logs are to be shown. The value for that option must be given
107 with a special prefix (e.g. in the conf file):
110 log-file socket:///home/foo/.gnupg/S.log
113 For debugging purposes it is also possible to do remote logging. Take
114 care if you use this feature because the information is send in the
115 clear over the network. Use this syntax in the conf files:
118 log-file tcp://192.168.1.1:4711
121 You may use any port and not just 4711 as shown above; only IP addresses
122 are supported (v4 and v6) and no host names. You need to start
123 @command{watchgnupg} with the @option{tcp} option. Note that under
124 Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
125 can be used to change the default log output from @code{stderr} to
126 whatever is given by that entry. However the only useful entry is a TCP
127 name for remote debugging.
134 @command{gpg-agent}(1),
135 @command{scdaemon}(1)
137 @include see-also-note.texi
149 @manpage addgnupghome.8
151 @section Create .gnupg home directories.
154 \- Create .gnupg home directories
161 .IR account_2 ... account_n
165 If GnuPG is installed on a system with existing user accounts, it is
166 sometimes required to populate the GnuPG home directory with existing
167 files. Especially a @file{trustlist.txt} and a keybox with some
168 initial certificates are often desired. This scripts help to do this
169 by copying all files from @file{/etc/skel/.gnupg} to the home
170 directories of the accounts given on the command line. It takes care
171 not to overwrite existing GnuPG home directories.
174 @command{addgnupghome} is invoked by root as:
177 addgnupghome account1 account2 ... accountn
186 @section Modify .gnupg home directories.
189 \- Modify .gnupg home directories
196 .B \-\-list-components
205 .B \-\-change-options
211 The @command{gpgconf} is a utility to automatically and reasonable
212 safely query and modify configuration files in the @file{.gnupg} home
213 directory. It is designed not to be invoked manually by the user, but
214 automatically by graphical user interfaces (GUI).@footnote{Please note
215 that currently no locking is done, so concurrent access should be
216 avoided. There are some precautions to avoid corruption with
217 concurrent usage, but results may be inconsistent and some changes may
218 get lost. The stateless design makes it difficult to provide more
221 @command{gpgconf} provides access to the configuration of one or more
222 components of the GnuPG system. These components correspond more or
223 less to the programs that exist in the GnuPG framework, like GnuPG,
224 GPGSM, DirMngr, etc. But this is not a strict one-to-one
225 relationship. Not all configuration options are available through
226 @command{gpgconf}. @command{gpgconf} provides a generic and abstract
227 method to access the most important configuration options that can
228 feasibly be controlled via such a mechanism.
230 @command{gpgconf} can be used to gather and change the options
231 available in each component, and can also provide their default
232 values. @command{gpgconf} will give detailed type information that
233 can be used to restrict the user's input without making an attempt to
236 @command{gpgconf} provides the backend of a configuration editor. The
237 configuration editor would usually be a graphical user interface
238 program, that allows to display the current options, their default
239 values, and allows the user to make changes to the options. These
240 changes can then be made active with @command{gpgconf} again. Such a
241 program that uses @command{gpgconf} in this way will be called GUI
242 throughout this section.
245 * Invoking gpgconf:: List of all commands and options.
246 * Format conventions:: Formatting conventions relevant for all commands.
247 * Listing components:: List all gpgconf components.
248 * Checking programs:: Check all programs know to gpgconf.
249 * Listing options:: List all options of a component.
250 * Changing options:: Changing options of a component.
251 * Listing global options:: List all global options.
252 * Files used by gpgconf:: What files are used by gpgconf.
256 @node Invoking gpgconf
257 @subsection Invoking gpgconf
260 One of the following commands must be given:
264 @item --list-components
265 List all components. This is the default command used if none is
268 @item --check-programs
269 List all available backend programs and test whether they are runnable.
271 @item --list-options @var{component}
272 List all options of the component @var{component}.
274 @item --change-options @var{component}
275 Change the options of the component @var{component}.
277 @item --check-options @var{component}
278 Check the options for the component @var{component}.
280 @item --apply-defaults
281 Update all configuration files with values taken from the global
282 configuration file (usually @file{/etc/gnupg/gpgconf.conf}).
285 Lists the directories used by @command{gpgconf}. One directory is
286 listed per line, and each line consists of a colon-separated list where
287 the first field names the directory type (for example @code{sysconfdir})
288 and the second field contains the percent-escaped directory. Although
289 they are not directories, the socket file names used by
290 @command{gpg-agent} and @command{dirmngr} are printed as well. Note
291 that the socket file names and the @code{homedir} lines are the default
292 names and they may be overridden by command line switches.
294 @item --list-config [@var{filename}]
295 List the global configuration file in a colon separated format. If
296 @var{filename} is given, check that file instead.
298 @item --check-config [@var{filename}]
299 Run a syntax check on the global configuration file. If @var{filename}
300 is given, check that file instead.
302 @item --reload [@var{component}]
304 Reload all or the given component. This is basically the same as sending
305 a SIGHUP to the component. Components which don't support reloading are
309 @item --launch [@var{component}]
311 If the @var{component} is not already running, start it.
312 @command{component} must be a daemon. This is in general not required
313 because the system starts these daemons as needed. However, external
314 software making direct use of @command{gpg-agent} or @command{dirmngr}
315 may use this command to ensure that they are started.
317 @item --kill [@var{component}]
319 Kill the given component. Components which support killing are
320 gpg-agent and scdaemon. Components which don't support reloading are
321 ignored. Note that as of now reload and kill have the same effect for
330 The following options may be used:
333 @c FIXME: Not yet supported.
334 @c @item -o @var{file}
335 @c @itemx --output @var{file}
336 @c Use @var{file} as output file.
340 Outputs additional information while running. Specifically, this
341 extends numerical field values by human-readable descriptions.
345 Do not actually change anything. This is currently only implemented
346 for @code{--change-options} and can be used for testing purposes.
350 Only used together with @code{--change-options}. If one of the
351 modified options can be changed in a running daemon process, signal
352 the running daemon to ask it to reparse its configuration file after
355 This means that the changes will take effect at run-time, as far as
356 this is possible. Otherwise, they will take effect at the next start
357 of the respective backend programs.
362 @node Format conventions
363 @subsection Format conventions
365 Some lines in the output of @command{gpgconf} contain a list of
366 colon-separated fields. The following conventions apply:
370 The GUI program is required to strip off trailing newline and/or
371 carriage return characters from the output.
374 @command{gpgconf} will never leave out fields. If a certain version
375 provides a certain field, this field will always be present in all
376 @command{gpgconf} versions from that time on.
379 Future versions of @command{gpgconf} might append fields to the list.
380 New fields will always be separated from the previously last field by
381 a colon separator. The GUI should be prepared to parse the last field
382 it knows about up until a colon or end of line.
385 Not all fields are defined under all conditions. You are required to
386 ignore the content of undefined fields.
389 There are several standard types for the content of a field:
393 Some fields contain strings that are not escaped in any way. Such
394 fields are described to be used @emph{verbatim}. These fields will
395 never contain a colon character (for obvious reasons). No de-escaping
396 or other formatting is required to use the field content. This is for
397 easy parsing of the output, when it is known that the content can
398 never contain any special characters.
400 @item percent-escaped
401 Some fields contain strings that are described to be
402 @emph{percent-escaped}. Such strings need to be de-escaped before
403 their content can be presented to the user. A percent-escaped string
404 is de-escaped by replacing all occurrences of @code{%XY} by the byte
405 that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
406 from the set @code{0-9a-f}.
409 Some fields contain strings that are described to be @emph{localised}.
410 Such strings are translated to the active language and formatted in
411 the active character set.
413 @item @w{unsigned number}
414 Some fields contain an @emph{unsigned number}. This number will
415 always fit into a 32-bit unsigned integer variable. The number may be
416 followed by a space, followed by a human readable description of that
417 value (if the verbose option is used). You should ignore everything
418 in the field that follows the number.
420 @item @w{signed number}
421 Some fields contain a @emph{signed number}. This number will always
422 fit into a 32-bit signed integer variable. The number may be followed
423 by a space, followed by a human readable description of that value (if
424 the verbose option is used). You should ignore everything in the
425 field that follows the number.
427 @item @w{boolean value}
428 Some fields contain a @emph{boolean value}. This is a number with
429 either the value 0 or 1. The number may be followed by a space,
430 followed by a human readable description of that value (if the verbose
431 option is used). You should ignore everything in the field that follows
432 the number; checking just the first character is sufficient in this
436 Some fields contain an @emph{option} argument. The format of an
437 option argument depends on the type of the option and on some flags:
441 The simplest case is that the option does not take an argument at all
442 (@var{type} @code{0}). Then the option argument is an unsigned number
443 that specifies how often the option occurs. If the @code{list} flag
444 is not set, then the only valid number is @code{1}. Options that do
445 not take an argument never have the @code{default} or @code{optional
449 If the option takes a number argument (@var{alt-type} is @code{2} or
450 @code{3}), and it can only occur once (@code{list} flag is not set),
451 then the option argument is either empty (only allowed if the argument
452 is optional), or it is a number. A number is a string that begins
453 with an optional minus character, followed by one or more digits. The
454 number must fit into an integer variable (unsigned or signed,
455 depending on @var{alt-type}).
458 If the option takes a number argument and it can occur more than once,
459 then the option argument is either empty, or it is a comma-separated
460 list of numbers as described above.
463 If the option takes a string argument (@var{alt-type} is 1), and it
464 can only occur once (@code{list} flag is not set) then the option
465 argument is either empty (only allowed if the argument is optional),
466 or it starts with a double quote character (@code{"}) followed by a
467 percent-escaped string that is the argument value. Note that there is
468 only a leading double quote character, no trailing one. The double
469 quote character is only needed to be able to differentiate between no
470 value and the empty string as value.
473 If the option takes a number argument and it can occur more than once,
474 then the option argument is either empty, or it is a comma-separated
475 list of string arguments as described above.
479 The active language and character set are currently determined from
480 the locale environment of the @command{gpgconf} program.
482 @c FIXME: Document the active language and active character set. Allow
483 @c to change it via the command line?
487 @node Listing components
488 @subsection Listing components
490 The command @code{--list-components} will list all components that can
491 be configured with @command{gpgconf}. Usually, one component will
492 correspond to one GnuPG-related program and contain the options of
493 that programs configuration file that can be modified using
494 @command{gpgconf}. However, this is not necessarily the case. A
495 component might also be a group of selected options from several
496 programs, or contain entirely virtual options that have a special
497 effect rather than changing exactly one option in one configuration
500 A component is a set of configuration options that semantically belong
501 together. Furthermore, several changes to a component can be made in
502 an atomic way with a single operation. The GUI could for example
503 provide a menu with one entry for each component, or a window with one
504 tabulator sheet per component.
506 The command argument @code{--list-components} lists all available
507 components, one per line. The format of each line is:
509 @code{@var{name}:@var{description}:@var{pgmname}:}
513 This field contains a name tag of the component. The name tag is used
514 to specify the component in all communication with @command{gpgconf}.
515 The name tag is to be used @emph{verbatim}. It is thus not in any
519 The @emph{string} in this field contains a human-readable description
520 of the component. It can be displayed to the user of the GUI for
521 informational purposes. It is @emph{percent-escaped} and
525 The @emph{string} in this field contains the absolute name of the
526 program's file. It can be used to unambiguously invoke that program.
527 It is @emph{percent-escaped}.
532 $ gpgconf --list-components
533 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
534 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
535 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
536 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
537 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
542 @node Checking programs
543 @subsection Checking programs
545 The command @code{--check-programs} is similar to
546 @code{--list-components} but works on backend programs and not on
547 components. It runs each program to test whether it is installed and
548 runnable. This also includes a syntax check of all config file options
551 The command argument @code{--check-programs} lists all available
552 programs, one per line. The format of each line is:
554 @code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}
558 This field contains a name tag of the program which is identical to the
559 name of the component. The name tag is to be used @emph{verbatim}. It
560 is thus not in any escaped format. This field may be empty to indicate
561 a continuation of error descriptions for the last name. The description
562 and pgmname fields are then also empty.
565 The @emph{string} in this field contains a human-readable description
566 of the component. It can be displayed to the user of the GUI for
567 informational purposes. It is @emph{percent-escaped} and
571 The @emph{string} in this field contains the absolute name of the
572 program's file. It can be used to unambiguously invoke that program.
573 It is @emph{percent-escaped}.
576 The @emph{boolean value} in this field indicates whether the program is
577 installed and runnable.
580 The @emph{boolean value} in this field indicates whether the program's
581 config file is syntactically okay.
584 If an error occurred in the configuration file (as indicated by a false
585 value in the field @code{okay}), this field has the name of the failing
586 configuration file. It is @emph{percent-escaped}.
589 If an error occurred in the configuration file, this field has the line
590 number of the failing statement in the configuration file.
591 It is an @emph{unsigned number}.
594 If an error occurred in the configuration file, this field has the error
595 text of the failing statement in the configuration file. It is
596 @emph{percent-escaped} and @emph{localized}.
601 In the following example the @command{dirmngr} is not runnable and the
602 configuration file of @command{scdaemon} is not okay.
605 $ gpgconf --check-programs
606 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
607 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
608 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
609 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
610 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
614 The command @w{@code{--check-options @var{component}}} will verify the
615 configuration file in the same manner as @code{--check-programs}, but
616 only for the component @var{component}.
619 @node Listing options
620 @subsection Listing options
622 Every component contains one or more options. Options may be gathered
623 into option groups to allow the GUI to give visual hints to the user
624 about which options are related.
626 The command argument @code{@w{--list-options @var{component}}} lists
627 all options (and the groups they belong to) in the component
628 @var{component}, one per line. @var{component} must be the string in
629 the field @var{name} in the output of the @code{--list-components}
632 There is one line for each option and each group. First come all
633 options that are not in any group. Then comes a line describing a
634 group. Then come all options that belong into each group. Then comes
635 the next group and so on. There does not need to be any group (and in
636 this case the output will stop after the last non-grouped option).
638 The format of each line is:
640 @code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}
644 This field contains a name tag for the group or option. The name tag
645 is used to specify the group or option in all communication with
646 @command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
647 thus not in any escaped format.
650 The flags field contains an @emph{unsigned number}. Its value is the
651 OR-wise combination of the following flag values:
655 If this flag is set, this is a line describing a group and not an
659 The following flag values are only defined for options (that is, if
660 the @code{group} flag is not used).
663 @item optional arg (2)
664 If this flag is set, the argument is optional. This is never set for
665 @var{type} @code{0} (none) options.
668 If this flag is set, the option can be given multiple times.
671 If this flag is set, the option can be changed at runtime.
674 If this flag is set, a default value is available.
676 @item default desc (32)
677 If this flag is set, a (runtime) default is available. This and the
678 @code{default} flag are mutually exclusive.
680 @item no arg desc (64)
681 If this flag is set, and the @code{optional arg} flag is set, then the
682 option has a special meaning if no argument is given.
684 @item no change (128)
685 If this flag is set, gpgconf ignores requests to change the value. GUI
686 frontends should grey out this option. Note, that manual changes of the
687 configuration files are still possible.
691 This field is defined for options and for groups. It contains an
692 @emph{unsigned number} that specifies the expert level under which
693 this group or option should be displayed. The following expert levels
694 are defined for options (they have analogous meaning for groups):
698 This option should always be offered to the user.
701 This option may be offered to advanced users.
704 This option should only be offered to expert users.
707 This option should normally never be displayed, not even to expert
711 This option is for internal use only. Ignore it.
714 The level of a group will always be the lowest level of all options it
718 This field is defined for options and groups. The @emph{string} in
719 this field contains a human-readable description of the option or
720 group. It can be displayed to the user of the GUI for informational
721 purposes. It is @emph{percent-escaped} and @emph{localized}.
724 This field is only defined for options. It contains an @emph{unsigned
725 number} that specifies the type of the option's argument, if any. The
726 following types are defined:
735 An @emph{unformatted string}.
738 A @emph{signed number}.
741 An @emph{unsigned number}.
748 A @emph{string} that describes the pathname of a file. The file does
749 not necessarily need to exist.
751 @item ldap server (33)
752 A @emph{string} that describes an LDAP server in the format:
754 @code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}
756 @item key fingerprint (34)
757 A @emph{string} with a 40 digit fingerprint specifying a certificate.
760 A @emph{string} that describes a certificate by user ID, key ID or
764 A @emph{string} that describes a certificate with a key by user ID,
765 key ID or fingerprint.
767 @item alias list (37)
768 A @emph{string} that describes an alias list, like the one used with
769 gpg's group option. The list consists of a key, an equal sign and space
773 More types will be added in the future. Please see the @var{alt-type}
774 field for information on how to cope with unknown types.
777 This field is identical to @var{type}, except that only the types
778 @code{0} to @code{31} are allowed. The GUI is expected to present the
779 user the option in the format specified by @var{type}. But if the
780 argument type @var{type} is not supported by the GUI, it can still
781 display the option in the more generic basic type @var{alt-type}. The
782 GUI must support all the defined basic types to be able to display all
783 options. More basic types may be added in future versions. If the
784 GUI encounters a basic type it doesn't support, it should report an
785 error and abort the operation.
788 This field is only defined for options with an argument type
789 @var{type} that is not @code{0}. In this case it may contain a
790 @emph{percent-escaped} and @emph{localised string} that gives a short
791 name for the argument. The field may also be empty, though, in which
792 case a short name is not known.
795 This field is defined only for options for which the @code{default} or
796 @code{default desc} flag is set. If the @code{default} flag is set,
797 its format is that of an @emph{option argument} (@xref{Format
798 conventions}, for details). If the default value is empty, then no
799 default is known. Otherwise, the value specifies the default value
800 for this option. If the @code{default desc} flag is set, the field is
801 either empty or contains a description of the effect if the option is
805 This field is defined only for options for which the @code{optional
806 arg} flag is set. If the @code{no arg desc} flag is not set, its
807 format is that of an @emph{option argument} (@xref{Format
808 conventions}, for details). If the default value is empty, then no
809 default is known. Otherwise, the value specifies the default argument
810 for this option. If the @code{no arg desc} flag is set, the field is
811 either empty or contains a description of the effect of this option if
812 no argument is given.
815 This field is defined only for options. Its format is that of an
816 @emph{option argument}. If it is empty, then the option is not
817 explicitly set in the current configuration, and the default applies
818 (if any). Otherwise, it contains the current value of the option.
819 Note that this field is also meaningful if the option itself does not
820 take a real argument (in this case, it contains the number of times
825 @node Changing options
826 @subsection Changing options
828 The command @w{@code{--change-options @var{component}}} will attempt
829 to change the options of the component @var{component} to the
830 specified values. @var{component} must be the string in the field
831 @var{name} in the output of the @code{--list-components} command. You
832 have to provide the options that shall be changed in the following
833 format on standard input:
835 @code{@var{name}:@var{flags}:@var{new-value}}
839 This is the name of the option to change. @var{name} must be the
840 string in the field @var{name} in the output of the
841 @code{--list-options} command.
844 The flags field contains an @emph{unsigned number}. Its value is the
845 OR-wise combination of the following flag values:
849 If this flag is set, the option is deleted and the default value is
850 used instead (if applicable).
854 The new value for the option. This field is only defined if the
855 @code{default} flag is not set. The format is that of an @emph{option
856 argument}. If it is empty (or the field is omitted), the default
857 argument is used (only allowed if the argument is optional for this
858 option). Otherwise, the option will be set to the specified value.
862 The output of the command is the same as that of
863 @code{--check-options} for the modified configuration file.
867 To set the force option, which is of basic type @code{none (0)}:
870 $ echo 'force:0:1' | gpgconf --change-options dirmngr
873 To delete the force option:
876 $ echo 'force:16:' | gpgconf --change-options dirmngr
879 The @code{--runtime} option can influence when the changes take
883 @node Listing global options
884 @subsection Listing global options
886 Sometimes it is useful for applications to look at the global options
887 file @file{gpgconf.conf}.
888 The colon separated listing format is record oriented and uses the first
889 field to identify the record type:
893 This describes a key record to start the definition of a new ruleset for
894 a user/group. The format of a key record is:
896 @code{k:@var{user}:@var{group}:}
900 This is the user field of the key. It is percent escaped. See the
901 definition of the gpgconf.conf format for details.
904 This is the group field of the key. It is percent escaped.
908 This describes a rule record. All rule records up to the next key record
909 make up a rule set for that key. The format of a rule record is:
911 @code{r:::@var{component}:@var{option}:@var{flags}:@var{value}:}
915 This is the component part of a rule. It is a plain string.
918 This is the option part of a rule. It is a plain string.
921 This is the flags part of a rule. There may be only one flag per rule
922 but by using the same component and option, several flags may be
923 assigned to an option. It is a plain string.
926 This is the optional value for the option. It is a percent escaped
927 string with a single quotation mark to indicate a string. The quotation
928 mark is only required to distinguish between no value specified and an
935 Unknown record types should be ignored. Note that there is intentionally
936 no feature to change the global option file through @command{gpgconf}.
941 @node Files used by gpgconf
942 @subsection Files used by gpgconf
946 @item /etc/gnupg/gpgconf.conf
948 If this file exists, it is processed as a global configuration file.
949 A commented example can be found in the @file{examples} directory of
958 @command{gpg-agent}(1),
959 @command{scdaemon}(1),
962 @include see-also-note.texi
967 @c APPLYGNUPGDEFAULTS
969 @manpage applygnupgdefaults.8
970 @node applygnupgdefaults
971 @section Run gpgconf for all users.
973 .B applygnupgdefaults
974 \- Run gpgconf --apply-defaults for all users.
979 .B applygnupgdefaults
983 This script is a wrapper around @command{gpgconf} to run it with the
984 command @code{--apply-defaults} for all real users with an existing
985 GnuPG home directory. Admins might want to use this script to update he
986 GnuPG configuration files for all users after
987 @file{/etc/gnupg/gpgconf.conf} has been changed. This allows to enforce
988 certain policies for all users. Note, that this is not a bulletproof of
989 forcing a user to use certain options. A user may always directly edit
990 the configuration files and bypass gpgconf.
993 @command{applygnupgdefaults} is invoked by root as:
1003 @node gpgsm-gencert.sh
1004 @section Generate an X.509 certificate request
1005 @manpage gpgsm-gencert.sh.1
1008 \- Generate an X.509 certificate request
1016 @mansect description
1017 This is a simple tool to interactively generate a certificate request
1018 which will be printed to stdout.
1022 @command{gpgsm-gencert.sh} is invoked as:
1024 @samp{gpgsm-cencert.sh}
1029 @command{gpg-agent}(1),
1030 @command{scdaemon}(1)
1032 @include see-also-note.texi
1037 @c GPG-PRESET-PASSPHRASE
1039 @node gpg-preset-passphrase
1040 @section Put a passphrase into the cache.
1041 @manpage gpg-preset-passphrase.1
1043 .B gpg-preset-passphrase
1044 \- Put a passphrase into gpg-agent's cache
1049 .B gpg-preset-passphrase
1055 @mansect description
1056 The @command{gpg-preset-passphrase} is a utility to seed the internal
1057 cache of a running @command{gpg-agent} with passphrases. It is mainly
1058 useful for unattended machines, where the usual @command{pinentry} tool
1059 may not be used and the passphrases for the to be used keys are given at
1062 Passphrases set with this utility don't expire unless the
1063 @option{--forget} option is used to explicitly clear them from the
1064 cache --- or @command{gpg-agent} is either restarted or reloaded (by
1065 sending a SIGHUP to it). Nite that the maximum cache time as set with
1066 @option{--max-cache-ttl} is still honored. It is necessary to allow
1067 this passphrase presetting by starting @command{gpg-agent} with the
1068 @option{--allow-preset-passphrase}.
1071 * Invoking gpg-preset-passphrase:: List of all commands and options.
1075 @node Invoking gpg-preset-passphrase
1076 @subsection List of all commands and options.
1080 @command{gpg-preset-passphrase} is invoked this way:
1083 gpg-preset-passphrase [options] [command] @var{cacheid}
1086 @var{cacheid} is either a 40 character keygrip of hexadecimal
1087 characters identifying the key for which the passphrase should be set
1088 or cleared. The keygrip is listed along with the key when running the
1089 command: @code{gpgsm --dump-secret-keys}. Alternatively an arbitrary
1090 string may be used to identify a passphrase; it is suggested that such
1091 a string is prefixed with the name of the application (e.g
1095 One of the following command options must be given:
1100 Preset a passphrase. This is what you usually will
1101 use. @command{gpg-preset-passphrase} will then read the passphrase from
1106 Flush the passphrase for the given cache ID from the cache.
1111 The following additional options may be used:
1117 Output additional information while running.
1119 @item -P @var{string}
1120 @itemx --passphrase @var{string}
1122 Instead of reading the passphrase from @code{stdin}, use the supplied
1123 @var{string} as passphrase. Note that this makes the passphrase visible
1131 @command{gpg-agent}(1),
1132 @command{scdaemon}(1)
1134 @include see-also-note.texi
1140 @c GPG-CONNECT-AGENT
1142 @node gpg-connect-agent
1143 @section Communicate with a running agent.
1144 @manpage gpg-connect-agent.1
1146 .B gpg-connect-agent
1147 \- Communicate with a running agent
1152 .B gpg-connect-agent
1153 .RI [ options ] [commands]
1156 @mansect description
1157 The @command{gpg-connect-agent} is a utility to communicate with a
1158 running @command{gpg-agent}. It is useful to check out the commands
1159 gpg-agent provides using the Assuan interface. It might also be useful
1160 for scripting simple applications. Input is expected at stdin and out
1161 put gets printed to stdout.
1163 It is very similar to running @command{gpg-agent} in server mode; but
1164 here we connect to a running instance.
1167 * Invoking gpg-connect-agent:: List of all options.
1168 * Controlling gpg-connect-agent:: Control commands.
1172 @node Invoking gpg-connect-agent
1173 @subsection List of all options.
1176 @command{gpg-connect-agent} is invoked this way:
1179 gpg-connect-agent [options] [commands]
1184 The following options may be used:
1190 Output additional information while running.
1196 Try to be as quiet as possible.
1198 @include opt-homedir.texi
1200 @item --agent-program @var{file}
1201 @opindex agent-program
1202 Specify the agent program to be started if none is running.
1205 @item --dirmngr-program @var{file}
1206 @opindex dirmngr-program
1207 Specify the directory manager (keyserver client) program to be started
1208 if none is running. This has only an effect if used together with the
1209 option @option{--dirmngr}.
1213 Connect to a running directory manager (keyserver client) instead of
1214 to the gpg-agent. If a dirmngr is not running, start it.
1218 @itemx --raw-socket @var{name}
1220 Connect to socket @var{name} assuming this is an Assuan style server.
1221 Do not run any special initializations or environment checks. This may
1222 be used to directly connect to any Assuan style socket server.
1227 Take the rest of the command line as a program and it's arguments and
1228 execute it as an assuan server. Here is how you would run @command{gpgsm}:
1230 gpg-connect-agent --exec gpgsm --server
1232 Note that you may not use options on the command line in this case.
1234 @item --no-ext-connect
1235 @opindex no-ext-connect
1236 When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
1237 connects to the assuan server in extended mode to allow descriptor
1238 passing. This option makes it use the old mode.
1240 @item --run @var{file}
1242 Run the commands from @var{file} at startup and then continue with the
1243 regular input method. Note, that commands given on the command line are
1244 executed after this file.
1249 Run the command @code{/subst} at startup.
1253 Print data lines in a hex format and the ASCII representation of
1254 non-control characters.
1258 Decode data lines. That is to remove percent escapes but make sure that
1259 a new line always starts with a D and a space.
1263 @mansect control commands
1264 @node Controlling gpg-connect-agent
1265 @subsection Control commands.
1267 While reading Assuan commands, gpg-agent also allows a few special
1268 commands to control its operation. These control commands all start
1269 with a slash (@code{/}).
1273 @item /echo @var{args}
1274 Just print @var{args}.
1276 @item /let @var{name} @var{value}
1277 Set the variable @var{name} to @var{value}. Variables are only
1278 substituted on the input if the @command{/subst} has been used.
1279 Variables are referenced by prefixing the name with a dollar sign and
1280 optionally include the name in curly braces. The rules for a valid name
1281 are identically to those of the standard bourne shell. This is not yet
1282 enforced but may be in the future. When used with curly braces no
1283 leading or trailing white space is allowed.
1285 If a variable is not found, it is searched in the environment and if
1286 found copied to the table of variables.
1288 Variable functions are available: The name of the function must be
1289 followed by at least one space and the at least one argument. The
1290 following functions are available:
1294 Return a value described by the argument. Available arguments are:
1298 The current working directory.
1302 GnuPG's system configuration directory.
1304 GnuPG's binary directory.
1306 GnuPG's library directory.
1308 GnuPG's library directory for executable files.
1310 GnuPG's data directory.
1312 The PID of the current server. Command @command{/serverpid} must
1313 have been given to return a useful value.
1316 @item unescape @var{args}
1317 Remove C-style escapes from @var{args}. Note that @code{\0} and
1318 @code{\x00} terminate the returned string implicitly. The string to be
1319 converted are the entire arguments right behind the delimiting space of
1322 @item unpercent @var{args}
1323 @itemx unpercent+ @var{args}
1324 Remove percent style escaping from @var{args}. Note that @code{%00}
1325 terminates the string implicitly. The string to be converted are the
1326 entire arguments right behind the delimiting space of the function
1327 name. @code{unpercent+} also maps plus signs to a spaces.
1329 @item percent @var{args}
1330 @itemx percent+ @var{args}
1331 Escape the @var{args} using percent style escaping. Tabs, formfeeds,
1332 linefeeds, carriage returns and colons are escaped. @code{percent+} also
1333 maps spaces to plus signs.
1335 @item errcode @var{arg}
1336 @itemx errsource @var{arg}
1337 @itemx errstring @var{arg}
1338 Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return
1339 the gpg-error error code, error source or a formatted string with the
1340 error code and error source.
1348 Evaluate all arguments as long integers using @code{strtol} and apply
1349 this operator. A division by zero yields an empty string.
1354 Evaluate all arguments as long integers using @code{strtol} and apply
1355 the logical oeprators NOT, OR or AND. The NOT operator works on the
1362 @item /definq @var{name} @var{var}
1363 Use content of the variable @var{var} for inquiries with @var{name}.
1364 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1367 @item /definqfile @var{name} @var{file}
1368 Use content of @var{file} for inquiries with @var{name}.
1369 @var{name} may be an asterisk (@code{*}) to match any inquiry.
1371 @item /definqprog @var{name} @var{prog}
1372 Run @var{prog} for inquiries matching @var{name} and pass the
1373 entire line to it as command line arguments.
1375 @item /datafile @var{name}
1376 Write all data lines from the server to the file @var{name}. The file
1377 is opened for writing and created if it does not exists. An existing
1378 file is first truncated to 0. The data written to the file fully
1379 decoded. Using a single dash for @var{name} writes to stdout. The
1380 file is kept open until a new file is set using this command or this
1381 command is used without an argument.
1384 Print all definitions
1387 Delete all definitions
1389 @item /sendfd @var{file} @var{mode}
1390 Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
1391 mode string) and send the file descriptor to the server. This is
1392 usually followed by a command like @code{INPUT FD} to set the
1393 input source for other commands.
1396 Not yet implemented.
1398 @item /open @var{var} @var{file} [@var{mode}]
1399 Open @var{file} and assign the file descriptor to @var{var}. Warning:
1400 This command is experimental and might change in future versions.
1402 @item /close @var{fd}
1403 Close the file descriptor @var{fd}. Warning: This command is
1404 experimental and might change in future versions.
1407 Show a list of open files.
1410 Send the Assuan command @command{GETINFO pid} to the server and store
1411 the returned PID for internal purposes.
1418 Same as the command line option @option{--hex}.
1422 Same as the command line option @option{--decode}.
1426 Enable and disable variable substitution. It defaults to disabled
1427 unless the command line option @option{--subst} has been used.
1428 If /subst as been enabled once, leading whitespace is removed from
1429 input lines which makes scripts easier to read.
1431 @item /while @var{condition}
1433 These commands provide a way for executing loops. All lines between
1434 the @code{while} and the corresponding @code{end} are executed as long
1435 as the evaluation of @var{condition} yields a non-zero value or is the
1436 string @code{true} or @code{yes}. The evaluation is done by passing
1437 @var{condition} to the @code{strtol} function. Example:
1443 /echo loop couter is $i
1448 @item /if @var{condition}
1450 These commands provide a way for conditional execution. All lines between
1451 the @code{if} and the corresponding @code{end} are executed only if
1452 the evaluation of @var{condition} yields a non-zero value or is the
1453 string @code{true} or @code{yes}. The evaluation is done by passing
1454 @var{condition} to the @code{strtol} function.
1456 @item /run @var{file}
1457 Run commands from @var{file}.
1460 Terminate the connection and the program
1463 Print a list of available control commands.
1470 @command{gpg-agent}(1),
1471 @command{scdaemon}(1)
1472 @include see-also-note.texi
1479 @node dirmngr-client
1480 @section The Dirmngr Client Tool
1482 @manpage dirmngr-client.1
1485 \- Tool to access the Dirmngr services
1492 .RI [ certfile | pattern ]
1495 @mansect description
1496 The @command{dirmngr-client} is a simple tool to contact a running
1497 dirmngr and test whether a certificate has been revoked --- either by
1498 being listed in the corresponding CRL or by running the OCSP protocol.
1499 If no dirmngr is running, a new instances will be started but this is
1500 in general not a good idea due to the huge performance overhead.
1503 The usual way to run this tool is either:
1506 dirmngr-client @var{acert}
1513 dirmngr-client <@var{acert}
1516 Where @var{acert} is one DER encoded (binary) X.509 certificates to be
1519 The return value of this command is
1522 @mansect return value
1524 @command{dirmngr-client} returns these values:
1529 The certificate under question is valid; i.e. there is a valid CRL
1530 available and it is not listed tehre or teh OCSP request returned that
1531 that certificate is valid.
1534 The certificate has been revoked
1536 @item 2 (and other values)
1537 There was a problem checking the revocation state of the certificate.
1538 A message to stderr has given more detailed information. Most likely
1539 this is due to a missing or expired CRL or due to a network problem.
1545 @command{dirmngr-client} may be called with the following options:
1551 Print the program version and licensing information. Note that you cannot
1552 abbreviate this command.
1556 Print a usage message summarizing the most useful command-line options.
1557 Note that you cannot abbreviate this command.
1561 Make the output extra brief by suppressing any informational messages.
1567 Outputs additional information while running.
1568 You can increase the verbosity by giving several
1569 verbose commands to @sc{dirmngr}, such as @samp{-vv}.
1573 Assume that the given certificate is in PEM (armored) format.
1577 Do the check using the OCSP protocol and ignore any CRLs.
1579 @item --force-default-responder
1580 @opindex force-default-responder
1581 When checking using the OCSP protocl, force the use of the default OCSP
1582 responder. That is not to use the Reponder as given by the certificate.
1586 Check whether the dirmngr daemon is up and running.
1590 Put the given certificate into the cache of a running dirmngr. This is
1591 mainly useful for debugging.
1595 Validate the given certificate using dirmngr's internal validation code.
1596 This is mainly useful for debugging.
1600 This command expects a list of filenames with DER encoded CRL files.
1601 With the option @option{--url} URLs are expected in place of filenames
1602 and they are loaded directly from the given location. All CRLs will be
1603 validated and then loaded into dirmngr's cache.
1607 Take the remaining arguments and run a lookup command on each of them.
1608 The results are Base-64 encoded outputs (without header lines). This
1609 may be used to retrieve certificates from a server. However the output
1610 format is not very well suited if more than one certificate is returned.
1615 Modify the @command{lookup} and @command{load-crl} commands to take an URL.
1620 Let the @command{lookup} command only search the local cache.
1624 Run @sc{dirmngr-client} in a mode suitable as a helper program for
1625 Squid's @option{external_acl_type} option.
1632 @command{dirmngr}(8),
1634 @include see-also-note.texi
1642 @section Parse a mail message into an annotated format
1644 @manpage gpgparsemail.1
1647 \- Parse a mail message into an annotated format
1657 @mansect description
1658 The @command{gpgparsemail} is a utility currently only useful for
1659 debugging. Run it with @code{--help} for usage information.
1667 @section Call a simple symmetric encryption tool.
1668 @manpage symcryptrun.1
1671 \- Call a simple symmetric encryption tool
1683 .RB [ --decrypt | --encrypt ]
1687 @mansect description
1688 Sometimes simple encryption tools are already in use for a long time and
1689 there might be a desire to integrate them into the GnuPG framework. The
1690 protocols and encryption methods might be non-standard or not even
1691 properly documented, so that a full-fledged encryption tool with an
1692 interface like gpg is not doable. @command{symcryptrun} provides a
1693 solution: It operates by calling the external encryption/decryption
1694 module and provides a passphrase for a key using the standard
1695 @command{pinentry} based mechanism through @command{gpg-agent}.
1697 Note, that @command{symcryptrun} is only available if GnuPG has been
1698 configured with @samp{--enable-symcryptrun} at build time.
1701 * Invoking symcryptrun:: List of all commands and options.
1705 @node Invoking symcryptrun
1706 @subsection List of all commands and options.
1709 @command{symcryptrun} is invoked this way:
1712 symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
1713 [--decrypt | --encrypt] [inputfile]
1717 For encryption, the plain text must be provided on STDIN or as the
1718 argument @var{inputfile}, and the ciphertext will be output to STDOUT.
1719 For decryption vice versa.
1721 @var{CLASS} describes the calling conventions of the external tool.
1722 Currently it must be given as @samp{confucius}. @var{PROGRAM} is
1723 the full filename of that external tool.
1725 For the class @samp{confucius} the option @option{--keyfile} is
1726 required; @var{keyfile} is the name of a file containing the secret key,
1727 which may be protected by a passphrase. For detailed calling
1728 conventions, see the source code.
1731 Note, that @command{gpg-agent} must be running before starting
1732 @command{symcryptrun}.
1735 The following additional options may be used:
1741 Output additional information while running.
1747 Try to be as quiet as possible.
1749 @include opt-homedir.texi
1752 @item --log-file @var{file}
1754 Append all logging output to @var{file}. Default is to write logging
1755 information to STDERR.
1760 The possible exit status codes of @command{symcryptrun} are:
1768 No valid passphrase was provided.
1770 The operation was canceled by the user.
1778 @command{gpg-agent}(1),
1780 @include see-also-note.texi
1786 @c The original manpage on which this section is based was written
1787 @c by Colin Tuckley <colin@tuckley.org> and Daniel Leidert
1788 @c <daniel.leidert@wgdd.de> for the Debian distribution (but may be used by
1792 @section Encrypt or sign files into an archive
1794 .B gpg-zip \- Encrypt or sign files into an archive
1802 .I [ filename2, ... ]
1804 .I [ directory2, ... ]
1807 @mansect description
1808 @command{gpg-zip} encrypts or signs files into an archive. It is an
1809 gpg-ized tar using the same format as used by PGP's PGP Zip.
1813 @command{gpg-zip} is invoked this way:
1816 gpg-zip [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
1821 @command{gpg-zip} understands these options:
1828 Encrypt data. This option may be combined with @option{--symmetric} (for output that may be decrypted via a secret key or a passphrase).
1837 Encrypt with a symmetric cipher using a passphrase. The default
1838 symmetric cipher used is CAST5, but may be chosen with the
1839 @option{--cipher-algo} option to @command{gpg}.
1843 Make a signature. See @command{gpg}.
1845 @item --recipient @var{user}
1846 @itemx -r @var{user}
1848 Encrypt for user id @var{user}. See @command{gpg}.
1850 @item --local-user @var{user}
1851 @itemx -u @var{user}
1853 Use @var{user} as the key to sign with. See @command{gpg}.
1855 @item --list-archive
1856 @opindex list-archive
1857 List the contents of the specified archive.
1859 @item --output @var{file}
1860 @itemx -o @var{file}
1862 Write output to specified file @var{file}.
1864 @item --gpg @var{gpgcmd}
1866 Use the specified command @var{gpgcmd} instead of @command{gpg}.
1868 @item --gpg-args @var{args}
1870 Pass the specified options to @command{gpg}.
1872 @item --tar @var{tarcmd}
1874 Use the specified command @var{tarcmd} instead of @command{tar}.
1876 @item --tar-args @var{args}
1878 Pass the specified options to @command{tar}.
1882 Print version of the program and exit.
1886 Display a brief help page and exit.
1890 @mansect diagnostics
1892 The program returns 0 if everything was fine, 1 otherwise.
1902 Encrypt the contents of directory @file{mydocs} for user Bob to file
1906 gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
1910 List the contents of archive @file{test1}:
1913 gpg-zip --list-archive test1
1922 @include see-also-note.texi