This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
-This is the 'The GNU Privacy Guard Manual' (version 2.3.3-beta5, October
-2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
Using the GNU Privacy Guard
***************************
-This is the 'The GNU Privacy Guard Manual' (version 2.3.3-beta5, October
-2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
'--supervised'
Run in the foreground, sending logs by default to stderr, and
listening on provided file descriptors, which must already be bound
- to listening sockets. This command is useful when running under
- systemd or other similar process supervision schemes. This option
- is not supported on Windows.
+ to listening sockets. This option is deprecated and not supported
+ on Windows.
+
+ If in 'common.conf' the option 'no-autostart' is set, any start
+ attemps will be ignored.
In -supervised mode, different file descriptors can be provided for
use as different socket types (e.g. ssh, extra) as long as they
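Review bot: 'attemps' on the second added line should be 'attempts', and the new 'no-autostart' paragraph reads as a general gpg-agent behaviour rather than something specific to '--supervised'; if it applies to every way the agent can be started it belongs with the description of 'common.conf', and if it applies only here the sentence should say so. The removed text also took away the only mention of systemd: now that the option is deprecated, the entry should name what supervisor users are expected to do instead, otherwise the remaining "In -supervised mode, different file descriptors can be provided" paragraph documents a mode readers have just been told not to use.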
Don't detach the process from the console. This is mainly useful
for debugging.
+'--steal-socket'
+ In '--daemon' mode, gpg-agent detects an already running gpg-agent
+ and does not allow to start a new instance. This option can be
+ used to override this check: the new gpg-agent process will try to
+ take over the communication sockets from the already running
+ process and start anyway. This option should in general not be
+ used.
+
'-s'
'--sh'
'-c'
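Review bot: The entry says the option "should in general not be used" without saying why. Taking over the sockets means the already running gpg-agent loses them, so the text should state what happens to that process and to the clients that were talking to it (whether they get errors, whether the old agent exits, whether its cached passphrases are lost); that is the information an administrator needs before using this to recover from a stuck agent. "does not allow to start a new instance" should read "does not allow starting a new instance".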
the 'trustlist.txt' file. This makes it harder for users to
inadvertently accept Root-CA keys.
+'--no-user-trustlist'
+ Entirely ignore the user trust list and consider only the global
+ trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note
+ option --no-allow-mark-trusted::.
+
+'--sys-trustlist-name FILE'
+ Changes the default name for the global trustlist from
+ "trustlist.txt" to FILE. If FILE does not contain any slashes and
+ does not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg').
+
'--allow-preset-passphrase'
This option allows the use of 'gpg-preset-passphrase' to seed the
internal cache of 'gpg-agent' with passphrases.
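Review bot: '--sys-trustlist-name FILE' only specifies where FILE is looked up when it contains no slash and does not start with "~/"; it should also say how a relative name that does contain a slash is resolved (relative to the current directory or to '/etc/gnupg'), since the option is meant for global configuration where the working directory is not well defined. For '--no-user-trustlist' the implied '--no-allow-mark-trusted' is the part that matters to administrators locking down trust roots, so consider stating explicitly that a user's own 'trustlist.txt' is ignored even when it exists and that prompts to mark a root trusted will no longer appear.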
As a special feature a line 'include-default' will include a global
list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').
- This global list is also used if the local list is not available.
+ This global list is also used if the local list is not available;
+ the *note option --no-user-trustlist:: enforces the use of only
+ this global list.
It is possible to add further flags after the 'S' for use by the
caller:
this flag set fails, try again using the chain validation
model.
+ 'qual'
+ The CA is allowed to issue certificates for qualified
+ signatures. This flag has an effect only if used in the
+ global list. This is now the preferred way to mark such CA;
+ the old way of having a separate file 'qualified.txt' is still
+ supported.
+
'sshcontrol'
This file is used when support for the secure shell agent protocol
has been enabled (*note option --enable-ssh-support::). Only keys
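Review bot: "mark such CA" should be "mark such a CA". "This flag has an effect only if used in the global list" leaves open what happens when 'qual' appears in a user's trustlist, silently ignored or rejected with a warning; since the flag grants a CA the right to issue certificates for qualified signatures, the entry should say so explicitly. It should also state whether a CA listed both in the global list with 'qual' and in the old 'qualified.txt' is treated the same, and whether one of the two takes precedence.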
'--supervised'
Run in the foreground, sending logs to stderr, and listening on
file descriptor 3, which must already be bound to a listening
- socket. This is useful when running under systemd or other similar
- process supervision schemes. This option is not supported on
- Windows.
+ socket. This option is deprecated and not supported on Windows.
'--list-crls'
List the contents of the CRL cache on 'stdout'. This is probably
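Review bot: Same issue as the gpg-agent change: the deprecation notice drops the systemd guidance without naming a replacement, so readers running dirmngr under a process supervisor are left without migration advice. A short sentence on what to use instead, or a pointer to the section that describes it, would fix that; the "file descriptor 3" detail should stay only if the option still works for now.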
'ntds'
On Windows authenticate the LDAP connection using the Active
Directory with the current user.
+ 'areconly'
+ On Windows use only the A or AAAA record when resolving the
+ LDAP server name.
Note that in an URL style specification the scheme 'ldaps://'
refers to STARTTLS and _not_ to LDAP-over-TLS.
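Review bot: 'areconly' is a terse flag name and the description should say which records are consulted when the flag is not given, so that readers understand what they are switching off and why they might want to. It should also state whether the flag applies only to the Active Directory case ('ntds') or to any LDAP server name on Windows, and, since the two flags are listed back to back, whether 'areconly' can be combined with 'ntds'.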
STDIN. With the second form (or a deprecated "*" for ALGO) digests
for all available algorithms are printed.
-'--gen-random 0|1|2 COUNT'
+'--gen-random 0|1|2|16|30 COUNT'
Emit COUNT random bytes of the given quality level 0, 1 or 2. If
COUNT is not given or zero, an endless sequence of random bytes
will be emitted. If used with '--armor' the output will be base64
- encoded. PLEASE, don't use this command unless you know what you
- are doing; it may remove precious entropy from the system!
+ encoded. The special level 16 uses a quality level of 1 and
+ outpust end endless stream of hex-encoded octets. The special
+ level 30 outputs random as 30 zBase-32 characters.
'--gen-prime MODE BITS'
Use the source, Luke :-). The output format is subject to change
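Review bot: The added text has two typos, "outpust end endless stream" should read "outputs an endless stream", and "outputs random as 30 zBase-32 characters" is hard to parse; "outputs 30 random zBase-32 characters" or "outputs the random data as 30 zBase-32 characters" would be clearer, and it should say which quality level 30 uses (level 16 states that it maps to 1, level 30 does not). The first sentence still says "quality level 0, 1 or 2" although the synopsis now lists 16 and 30, and it is unclear whether COUNT is honoured with level 16 given that the level is described as endless. The removed entropy warning was the only hint that this command is meant for testing; if it is no longer considered harmful the text should say so, otherwise the warning should stay.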
'--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
- useful.
+ useful. The '--dearmor' command can also be used to dearmor PEM
+ armors.
'--unwrap'
This command is similar to '--decrypt' with the change that the
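Review bot: "dearmor PEM armors" is awkward; "also accepts PEM-encoded input" or "can also strip a PEM encoding" reads better. Since the entry covers both '--enarmor' and '--dearmor', it should state that only the dearmor direction handles PEM and that the result is the raw binary content, so readers do not expect '--enarmor' to produce PEM.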
ntds
Locate the key using the Active Directory (Windows only).
This method also allows to search by fingerprint using the
- command '--locate-external-key'.
+ command '--locate-external-key'. Note that this mechanism is
+ actually a shortcut for the mechanism 'keyserver' but using
+ "ldap:///" as the keyserver.
keyserver
Locate a key using a keyserver. This method also allows to
'--compliance STRING'
This option can be used instead of one of the options above. Valid
values for STRING are the above option names (without the double
- dash) and possibly others as shown when using "help" for VALUE.
+ dash) and possibly others as shown when using "help" for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpg user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpg process exits
+ with a failure if the compliance rules are not fulfilled. Note
+ that this option has currently an effect only in "de-vs" mode.
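Review bot: In '--require-compliance', "This is allows frontends to handle compliance check" should read "This allows frontends to handle the compliance check", and "has currently an effect only" should be "currently has an effect only". In '--min-rsa-length N' the option name suggests RSA but the example also lists dsa2048, so the text should state exactly which algorithms the threshold applies to, and whether a value below the default can loosen the mode or whether the option can only tighten it. For '--require-compliance' it would help to name the status line that frontends evaluate and the exit status scripts can rely on, since that is what the option exists for.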
\1f
File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options
signatures made using SHA-1, those key signatures are considered
invalid. This options allows to override this restriction.
+'--override-compliance-check'
+ The signature verification only allows the use of keys suitable in
+ the current compliance mode. If the compliance mode has been
+ forced by a global option, there might be no way to check certain
+ signature. This option allows to override this and prints an extra
+ warning in such a case. This option is ignored in -batch mode so
+ that no accidental unattended verification may happen.
+
'--no-default-keyring'
Do not add the default keyring to the list of keyrings. Note that
GnuPG needs for almost all operations a keyring. Thus if you use
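Review bot: "check certain signature" should be "check certain signatures", and "This option allows to override this" should be "This option allows overriding this". The batch-mode exception is the important safety property here; the text should say whether the option is silently ignored or produces a warning in batch mode, so that scripts cannot assume the override was applied. It should also say whether the extra warning is emitted as a status line that frontends can detect, not only as a message to stderr.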
sub-commands of '--edit-key' by forcing the creation of a key
signature, even if one already exists.
+'--forbid-gen-key'
+ This option is intended for use in the global config file to
+ disallow the use of generate key commands. Those commands will
+ then fail with the error code for Not Enabled.
+
'--allow-secret-key-import'
This is an obsolete option and is not used anywhere.
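Review bot: Because '--forbid-gen-key' is meant as a hardening option in the global config file, the entry should say whether a user can undo it from their own 'gpg.conf' or on the command line; a lockdown that users can override is much weaker, and administrators need to know which case this is. It should also list which commands count as "generate key commands" (for example whether '--quick-generate-key' and key generation from within '--edit-key' are covered), and "the error code for Not Enabled" would be clearer with the error name as it appears in the status output.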
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys.backup
- $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-options restore --import publickeys.backup
$ gpg --import-ownertrust otrust.lst
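Review bot: The filename fix is correct; 'publickeys.backup' now matches the file created by the 'mv' two lines above, so the example can be copied as is. The surrounding text could also point out that the '--export-ownertrust' step must happen before the keyring is moved, which the ordering shows but does not say.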
'~/.gnupg/pubring.kbx.lock'
under operating systems without proper support to figure out the
name of a process' text file.
+GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
When calling the gpg-agent component 'gpg' sends a set of environment
variables to gpg-agent. The names of these variables can be listed
using the command:
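Review bot: "This variable allows to enable diagnostics" should be "This variable enables diagnostics". Since the value is a decimal bit mask, give the concrete values (1 for general diagnostics, 2 for the Windows warnings, 3 for both), say where the output goes (stderr or the log file), and describe what "certain warnings on Windows" are; otherwise the reader cannot tell whether the variable is worth setting. A note that this is a debugging aid which puts process management details into logs would fit the tone of the other debug variables.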
verbosity by giving several verbose commands to 'gpgsm', such as
'-vv'.
-'--ldapserver STRING'
'--keyserver STRING'
- Add an LDAP server to use for X.509 certificate and CRL lookup.
- This option can be given multiple times to configure more than one
- LDAP server. Note that in general 'dirmngr' should be configured
- with the list of LDAP servers; if this option is also configured
- here, it is used in addition to those configured in dirmngr. For
- the syntax see the description of dirmngr's ldapserver option.
+ This is a deprecated option. It was used to add an LDAP server to
+ use for X.509 certificate and CRL lookup. The alias '--ldapserver'
+ existed from version 2.2.28 to 2.2.33 and 2.3.2 to 2.3.4 but is now
+ entirely ignored.
+
+ LDAP servers must be given in the configuration for 'dirmngr'.
'--policy-file FILENAME'
Change the default name of the policy file to FILENAME. The
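Review bot: If '--ldapserver' and '--keyserver' are "entirely ignored", the text should say whether gpgsm emits a warning when it finds them in an existing configuration; a silently ignored option is a common reason for certificate and CRL lookups to stop working after an upgrade without anyone noticing. The sentence should also make clear that the version ranges apply only to the alias '--ldapserver' and that '--keyserver' itself is the deprecated option. The closing line "LDAP servers must be given in the configuration for 'dirmngr'" should name the dirmngr 'ldapserver' option, as the removed text did.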
like "digest algo 8 has not been enabled" you may want to try this
option, with 'SHA256' for NAME.
+'--compliance STRING'
+ Set the compliance mode. Valid values are shown when using "help"
+ for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpgsm user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpgsm process
+ exits with a failure if the compliance rules are not fulfilled.
+ Note that this option has currently an effect only in "de-vs" mode.
+
+'--ignore-cert-with-oid OID'
+ Add OID to the list of OIDs to be checked while reading
+ certificates from smartcards. The OID is expected to be in dotted
+ decimal form, like '2.5.29.3'. This option may be used more than
+ once. As of now certificates with an extended key usage matching
+ one of those OIDs are ignored during a '--learn-card' operation and
+ not imported. This option can help to keep the local key database
+ clear of unneeded certificates stored on smartcards.
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
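Review bot: The three compliance options duplicate the gpg text, including its grammar slips ("This is allows frontends", "has currently an effect only") and the dsa2048 example under an option named '--min-rsa-length'; fix both copies together, or document the shared behaviour once and cross reference it. For '--ignore-cert-with-oid OID', "As of now" leaves future behaviour open and the entry should say whether the option is meant to grow beyond '--learn-card'. The example '2.5.29.3' only illustrates the dotted decimal form; since the option matches extended key usage values, the text should say whether the example is meant as a real purpose OID or only as a format illustration, because readers copy examples.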
that they are included anyway if the key specification for a
listing is given as fingerprint or keygrip.
+'--compatibility-flags FLAGS'
+ Set compatibility flags to work around problems due to
+ non-compliant certificates or data. The FLAGS are given as a comma
+ separated list of flag names and are OR-ed together. The special
+ flag "none" clears the list and allows to start over with an empty
+ list. To get a list of available flags the sole word "help" can be
+ used.
+
'--debug-level LEVEL'
Select the debug level for investigating problems. LEVEL may be a
numeric value or by a keyword:
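Review bot: "allows to start over" should be "allows starting over". Since these flags exist to work around non-compliant certificates or data, the entry should say plainly that each flag relaxes a check and that the setting is best limited to the specific case that needed it; a list that is "OR-ed together" makes it easy to accumulate relaxations across config file and command line without noticing. The "help" keyword is mentioned, but not whether the available flags and their meanings are described anywhere in this manual; a cross reference or the list itself would be better than sending readers to the command line.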