This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
-This is the 'The GNU Privacy Guard Manual' (version 2.2.33-beta28,
-November 2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
Using the GNU Privacy Guard
***************************
-This is the 'The GNU Privacy Guard Manual' (version 2.2.33-beta28,
-November 2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
* Specify a User ID:: How to Specify a User Id.
* Trust Values:: How GnuPG displays trust values.
-* Helper Tools:: Description of small helper tools
-* Web Key Service:: Tools for the Web Key Service
+* Smart Card Tool:: Tool to administrate smart cards.
+* Helper Tools:: Description of small helper tools.
+* Web Key Service:: Tools for the Web Key Service.
* Howtos:: How to do certain things.
* System Notes:: Notes pertaining to certain OSes.
-* Debugging:: How to solve problems
+* Debugging:: How to solve problems.
* Copying:: GNU General Public License says
- how you can copy and share GnuPG
+ how you can copy and share GnuPG.
* Contributors:: People who have contributed to GnuPG.
* Glossary:: Short description of terms used.
'--supervised'
Run in the foreground, sending logs by default to stderr, and
listening on provided file descriptors, which must already be bound
- to listening sockets. This command is useful when running under
- systemd or other similar process supervision schemes. This option
- is not supported on Windows.
+ to listening sockets. This option is deprecated and not supported
+ on Windows.
+
+ If in 'common.conf' the option 'no-autostart' is set, any start
+ attemps will be ignored.
In -supervised mode, different file descriptors can be provided for
use as different socket types (e.g. ssh, extra) as long as they
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- This option is only useful for debugging and the behavior may
- change at any time without notice. FLAGS are bit encoded and may
- be given in usual C-Syntax. The currently defined bits are:
-
- '0 (1)'
- X.509 or OpenPGP protocol related data
- '1 (2)'
- values of big number integers
- '2 (4)'
- low level crypto operations
- '5 (32)'
- memory allocation
- '6 (64)'
- caching
- '7 (128)'
- show memory statistics
- '9 (512)'
- write hashed data to files named 'dbgmd-000*'
- '10 (1024)'
- trace Assuan protocol
- '12 (4096)'
- bypass all certificate validation
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Same as '--debug=0xffffffff'
the 'trustlist.txt' file. This makes it harder for users to
inadvertently accept Root-CA keys.
+'--no-user-trustlist'
+ Entirely ignore the user trust list and consider only the global
+ trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note
+ option --no-allow-mark-trusted::.
+
+'--sys-trustlist-name FILE'
+ Changes the default name for the global trustlist from
+ "trustlist.txt" to FILE. If FILE does not contain any slashes and
+ does not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg').
+
'--allow-preset-passphrase'
This option allows the use of 'gpg-preset-passphrase' to seed the
internal cache of 'gpg-agent' with passphrases.
'--enable-extended-key-format'
'--disable-extended-key-format'
- Since version 2.2.22 keys are created in the extended private key
- format by default. Changing the passphrase of a key will also
- convert the key to that new format. This key format is supported
- since GnuPG version 2.1.12 and thus there should be no need to
- disable it. Anyway, the disable option still allows to revert to
- the old behavior for new keys; be aware that keys are never
- migrated back to the old format. If the enable option has been
- used the disable option won't have an effect. The advantage of the
- extended private key format is that it is text based and can carry
- additional meta data. In extended key format the OCB mode is used
- for key protection.
+ Since version 2.3 keys are created in the extended private key
+ format. Changing the passphrase of a key will also convert the key
+ to that new format. This new key format is supported since GnuPG
+ version 2.1.12 and thus there should be no need to disable it. The
+ disable option allows to revert to the old behavior for new keys;
+ be aware that keys are never migrated back to the old format.
+ However if the enable option has been used the disable option won't
+ have an effect. The advantage of the extended private key format
+ is that it is text based and can carry additional meta data.
'--enable-ssh-support'
'--enable-putty-support'
As a special feature a line 'include-default' will include a global
list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').
- This global list is also used if the local list is not available.
+ This global list is also used if the local list is not available;
+ the *note option --no-user-trustlist:: enforces the use of only
+ this global list.
It is possible to add further flags after the 'S' for use by the
caller:
this flag set fails, try again using the chain validation
model.
+ 'qual'
+ The CA is allowed to issue certificates for qualified
+ signatures. This flag has an effect only if used in the
+ global list. This is now the preferred way to mark such CA;
+ the old way of having a separate file 'qualified.txt' is still
+ supported.
+
'sshcontrol'
This file is used when support for the secure shell agent protocol
has been enabled (*note option --enable-ssh-support::). Only keys
'KEY'
Incremented for added or removed private keys.
'CARD'
- Incremented for changes of the card readers stati.
+ Incremented for each change of the card reader's status.
\1f
File: gnupg.info, Node: Agent GETINFO, Next: Agent OPTION, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol
'--supervised'
Run in the foreground, sending logs to stderr, and listening on
file descriptor 3, which must already be bound to a listening
- socket. This is useful when running under systemd or other similar
- process supervision schemes. This option is not supported on
- Windows.
+ socket. This option is deprecated and not supported on Windows.
'--list-crls'
List the contents of the CRL cache on 'stdout'. This is probably
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- Set debugging flags. This option is only useful for debugging and
- its behavior may change with a new release. All flags are or-ed
- and may be given in C syntax (e.g. 0x0042) or as a comma separated
- list of flag names. To get a list of all supported flags the
- single word "help" can be used.
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Same as '--debug=0xffffffff'
'--use-tor' cannot be overridden by any other command or even by
reloading dirmngr. The use of '--no-use-tor' disables the use of
Tor. The default is to use Tor if it is available on startup or
- after reloading dirmngr. The test on the available of Tor is done
- by trying to connects to a SOCKS proxy at either port 9050 or
- 9150); if another type of proxy is listening on one of these ports,
+ after reloading dirmngr. The test on the availability of Tor is
+ done by trying to connect to a SOCKS proxy at either port 9050 or
+ 9150; if another type of proxy is listening on one of these ports,
you should use '--no-use-tor'.
'--standard-resolver'
If the environment variable 'http_proxy' has been set, use its
value to access HTTP servers.
-'--http-proxy [http://]HOST[:PORT]'
+'--http-proxy HOST[:PORT]'
Use HOST and PORT to access HTTP servers. The use of this option
overrides the environment variable 'http_proxy' regardless whether
'--honor-http-proxy' has been set.
'ntds'
On Windows authenticate the LDAP connection using the Active
Directory with the current user.
+ 'areconly'
+ On Windows use only the A or AAAA record when resolving the
+ LDAP server name.
Note that in an URL style specification the scheme 'ldaps://'
refers to STARTTLS and _not_ to LDAP-over-TLS.
'--add-servers'
This option makes dirmngr add any servers it discovers when
validating certificates against CRLs to the internal list of
- servers to consult for certificates and CRLs.
-
- This option is useful when trying to validate a certificate that
- has a CRL distribution point that points to a server that is not
- already listed in the ldapserverlist. Dirmngr will always go to
- this server and try to download the CRL, but chances are high that
- the certificate used to sign the CRL is located on the same server.
- So if dirmngr doesn't add that new server to list, it will often
- not be able to verify the signature of the CRL unless the
+ servers to consult for certificates and CRLs. This option should
+ in general not be used.
+
+ This option might be useful when trying to validate a certificate
+ that has a CRL distribution point that points to a server that is
+ not already listed in the ldapserverlist. Dirmngr will always go
+ to this server and try to download the CRL, but chances are high
+ that the certificate used to sign the CRL is located on the same
+ server. So if dirmngr doesn't add that new server to list, it will
+ often not be able to verify the signature of the CRL unless the
'--add-servers' option is used.
- Note: The current version of dirmngr has this option disabled by
- default.
+ Caveat emptor: Using this option may enable denial-of-service
+ attacks and leak search requests to unknown third parties. This is
+ because arbitrary servers are added to the internal list of LDAP
+ servers which in turn is used for all unspecific LDAP queries as
+ well as a fallback for queries which did not return a result.
'--allow-ocsp'
This option enables OCSP support if requested by the client.
=================
Dirmngr makes use of several directories when running in daemon mode:
-There are a few configuration files whih control the operation of
-dirmngr. By default they may all be found in the current home directory
-(*note option --homedir::).
+There are a few configuration files to control the operation of dirmngr.
+By default they may all be found in the current home directory (*note
+option --homedir::).
'dirmngr.conf'
This is the standard configuration file read by 'dirmngr' on
will be created by dirmngr if it does not exists but you need to
make sure that the upper directory exists.
- To be able to see what's going on you should create the configure
-file '~/gnupg/dirmngr.conf' with at least one line:
+ Several options control the use of trusted certificates for TLS and
+CRLs. Here is an Overview on the use and origin of those Root CA
+certificates:
+
+System
+
+ These System root certificates are used by: FIXME
+
+ The origin of the system provided certificates depends on the
+ platform. On Windows all certificates from the Windows System
+ Stores 'ROOT' and 'CA' are used.
+
+ On other platforms the certificates are read from the first file
+ found form this list: '/etc/ssl/ca-bundle.pem',
+ '/etc/ssl/certs/ca-certificates.crt', '/etc/pki/tls/cert.pem',
+ '/usr/local/share/certs/ca-root-nss.crt', '/etc/ssl/cert.pem'.
+
+GnuPG
+
+ The GnuPG specific certificates stored in the directory
+ '/etc/gnupg/trusted-certs' are only used to validate CRLs.
+
+OpenPGP keyserver
+
+ For accessing the OpenPGP keyservers the only certificates used are
+ those set with the configuration option 'hkp-cacert'.
+
+OpenPGP keyserver pool
+
+ This is usually only one certificate read from the file
+ '/usr/local/share/gnupg/gnupg/sks-keyservers.netCA.pem'. If this
+ certificate exists it is used to access the special keyservers
+ 'hkps.pool.sks-keyservers.net' (or 'hkps://keys.gnupg.net').
+
+ Please note that 'gpgsm' accepts Root CA certificates for its own
+purposes only if they are listed in its file 'trustlist.txt'. 'dirmngr'
+does not make use of this list - except FIXME.
+
+ To be able to see diagnostics it is often useful to put at least the
+following lines into the configuration file '~/gnupg/dirmngr.conf':
log-file ~/dirmngr.log
+ verbose
+
+ You may want to check the log file to see whether all desired root CA
+certificates are correctly loaded.
To be able to perform OCSP requests you probably want to add the
line:
allow-ocsp
- To make sure that new options are read and that after the
-installation of a new GnuPG versions the installed dirmngr is running,
-you may want to kill an existing dirmngr first:
+ To make sure that new options are read or that after the installation
+of a new GnuPG versions the right dirmngr version is running, you should
+kill an existing dirmngr so that a new instance is started as needed by
+the otehr components:
gpgconf --kill dirmngr
- You may check the log file to see whether all desired root
-certificates have been loaded correctly.
+ Direct interfaction with the dirmngr is possible by using the command
+
+ gpg-connect-agent --dirmngr
+
+ Enter 'HELP' at the prompt to see a list of commands and enter 'HELP'
+followed by a command name to get help on that command.
\1f
File: gnupg.info, Node: Dirmngr Signals, Next: Dirmngr Examples, Prev: Dirmngr Configuration, Up: Invoking DIRMNGR
STDIN. With the second form (or a deprecated "*" for ALGO) digests
for all available algorithms are printed.
-'--gen-random 0|1|2 COUNT'
+'--gen-random 0|1|2|16|30 COUNT'
Emit COUNT random bytes of the given quality level 0, 1 or 2. If
COUNT is not given or zero, an endless sequence of random bytes
will be emitted. If used with '--armor' the output will be base64
- encoded. PLEASE, don't use this command unless you know what you
- are doing; it may remove precious entropy from the system!
+ encoded. The special level 16 uses a quality level of 1 and
+ outpust end endless stream of hex-encoded octets. The special
+ level 30 outputs random as 30 zBase-32 characters.
'--gen-prime MODE BITS'
Use the source, Luke :-). The output format is subject to change
'--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
- useful.
+ useful. The '--dearmor' command can also be used to dearmor PEM
+ armors.
+
+'--unwrap'
+ This command is similar to '--decrypt' with the change that the
+ output is not the usual plaintext but the original message with the
+ decryption layer removed. Thus the output will be an OpenPGP data
+ structure which often means a signed OpenPGP message. Note that
+ this command may or may not remove a compression layer which is
+ often found beneath the encryption layer.
'--tofu-policy {auto|good|unknown|bad|ask} KEYS'
Set the TOFU policy for all the bindings associated with the
asked to enter the passphrase of the backup key and then for
the Admin PIN of the card.
+ keytotpm
+ Transfer the selected secret subkey (or the primary key if no
+ subkey has been selected) to TPM form. The secret key in the
+ keyring will be replaced by the TPM representation of that
+ key, which can only be read by the particular TPM that created
+ it (so the keyfile now becomes locked to the laptop containing
+ the TPM). Only certain key types may be transferred to the TPM
+ (all TPM 2.0 systems are mandated to have the rsa2048 and
+ nistp256 algorithms but newer TPMs may have more). Note that
+ the key itself is not transferred into the TPM, merely
+ encrypted by the TPM in-place, so if the keyfile is deleted,
+ the key will be lost. Once transferred to TPM representation,
+ the key file can never be converted back to non-TPM form and
+ the key will die when the TPM does, so you should first have a
+ backup on secure offline storage of the actual secret key file
+ before conversion. It is essential to use the physical system
+ TPM that you have rw permission on the TPM resource manager
+ device (/dev/tpmrm0). Usually this means you must be a member
+ of the tss group.
+
delkey
Remove a subkey (secondary key). Note that it is not possible
to retract a subkey, once it has been send to the public (i.e.
'--sign-key NAME'
Signs a public key with your secret key. This is a shortcut
- version of the subcommand "sign" from '--edit'.
+ version of the subcommand "sign" from '--edit-key'.
'--lsign-key NAME'
Signs a public key with your secret key but marks it as
interaction. The FPR must be the verified primary fingerprint of a
key in the local keyring. If no NAMES are given, all useful user
ids are signed; with given [NAMES] only useful user ids matching
- one of theses names are signed. By default, or if a name is
+ one of these names are signed. By default, or if a name is
prefixed with a '*', a case insensitive substring match is used.
If a name is prefixed with a '=' a case sensitive exact match is
done.
'--passwd USER-ID'
Change the passphrase of the secret key belonging to the
certificate specified as USER-ID. This is a shortcut for the
- sub-command 'passwd' of the edit key menu. When using together
+ sub-command 'passwd' of the '--edit-key' menu. When using together
with the option '--dry-run' this will not actually change the
passphrase but check that the current passphrase is correct.
For each user-id which has a valid mail address print only the
fingerprint followed by the mail address.
+ sort-sigs
+ With -list-sigs and -check-sigs sort the signatures by keyID
+ and creation time to make it easier to view the history of
+ these signatures. The self-signature is also listed before
+ other signatures. Defaults to yes.
+
'--verify-options PARAMETERS'
This is a space or comma delimited string that gives options used
when verifying signatures. Options can be prepended with a 'no-'
That is all the AKA lines as well as photo Ids are not shown
with the signature verification status.
- pka-lookups
- Enable PKA lookups to verify sender addresses. Note that PKA
- is based on DNS, and so enabling this option may disclose
- information on when and what signatures are verified or to
- whom data is encrypted. This is similar to the "web bug"
- described for the '--auto-key-retrieve' option.
-
- pka-trust-increase
- Raise the trust in a signature to full if the signature passes
- PKA validation. This option is only meaningful if pka-lookups
- is set.
-
'--enable-large-rsa'
'--disable-large-rsa'
With -generate-key and -batch, enable the creation of RSA secret
If the option '--no-keyring' has been used no keyrings will be used
at all.
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
+
'--primary-keyring FILE'
This is a varian of '--keyring' and designates FILE as the primary
public keyring. This means that newly imported keys (via
cert
Locate a key using DNS CERT, as specified in RFC-4398.
- pka
- Locate a key using DNS PKA.
-
dane
Locate a key using DANE, as specified in
draft-ietf-dane-openpgpkey-05.txt.
This is an offline mechanism to get a missing key for signature
verification and for later encryption to this key. If this option
is enabled and a signature includes an embedded key, that key is
- used to verify the signature and on verification success that key
- is imported. The default is '--no-auto-key-import'.
+ used to verify the signature and on verification success the key is
+ imported. The default is '--no-auto-key-import'.
On the sender (signing) site the option '--include-key-block' needs
to be used to put the public part of the signing key as “Key Block
disabled by removing WKD from the auto-key-locate list or by using
the option '--disable-signer-uid'.
- 4. If the option 'honor-pka-record' is active, the legacy PKA
- method is used.
-
- 5. If any keyserver is configured and the Issuer Fingerprint is
+ 4. If any keyserver is configured and the Issuer Fingerprint is
part of the signature (since GnuPG 2.1.16), the configured
keyservers are tried.
creator of the key can see when the keys is refreshed. Thus
this option is not enabled by default.
- honor-pka-record
- If '--auto-key-retrieve' is used, and the signature being
- verified has a PKA record, then use the PKA information to
- fetch the key. Defaults to "yes".
-
include-subkeys
When receiving a key, include subkeys as potential targets.
Note that this option is not used with HKP keyservers, as they
'dirmngr' configuration options instead.
The default list of options is: "self-sigs-only, import-clean,
- repair-keys, repair-pks-subkey-bug, export-attributes,
- honor-pka-record". However, if the actual used source is an LDAP
- server "no-self-sigs-only" is assumed unless "self-sigs-only" has
- been explictly configured.
+ repair-keys, repair-pks-subkey-bug, export-attributes". However,
+ if the actual used source is an LDAP server "no-self-sigs-only" is
+ assumed unless "self-sigs-only" has been explictly configured.
'--completes-needed N'
Number of completely trusted users to introduce a new key signer
'--sender MBOX'
This option has two purposes. MBOX must either be a complete user
- id with a proper mail address or just a mail address. When
- creating a signature this option tells gpg the user id of a key
- used to make a signature if the key was not directly specified by a
- user id. When verifying a signature the MBOX is used to restrict
- the information printed by the TOFU code to matching user ids.
+ ID containing a proper mail address or just a plain mail address.
+ The option can be given multiple times.
+
+ When creating a signature this option tells gpg the signing key's
+ user id used to make the signature and embeds that user ID into the
+ created signature (using OpenPGP's "Signer's User ID" subpacket).
+ If the option is given multiple times a suitable user ID is picked.
+ However, if the signing key was specified directly by using a mail
+ address (i.e. not by using a fingerprint or key ID) this option is
+ used and the mail address is embedded in the created signature.
+
+ When verifying a signature MBOX is used to restrict the information
+ printed by the TOFU code to matching user IDs. If the option is
+ used and the signature contains a "Signer's User ID" subpacket that
+ information is is also used to restrict the printed information.
+ Note that GnuPG considers only the mail address part of a User ID.
+
+ If this option or the said subpacket is available the TRUST lines
+ as printed by option 'status-fd' correspond to the corresponding
+ User ID; if no User ID is known the TRUST lines are computed
+ directly on the key and do not give any information about the User
+ ID. In the latter case it his highly recommended to scripts and
+ other frontends to evaluate the VALIDSIG line, retrieve the key and
+ print all User IDs along with their validity (trust) information.
'--try-secret-key NAME'
For hidden recipients GPG needs to know the keys to use for trial
before processing is forced to stop by the OS limits. Defaults to
0, which means "no limit".
+'--chunk-size N'
+ The AEAD encryption mode encrypts the data in chunks so that a
+ receiving side can check for transmission errors or tampering at
+ the end of each chunk and does not need to delay this until all
+ data has been received. The used chunk size is 2^N byte. The
+ lowest allowed value for N is 6 (64 byte) and the largest is the
+ default of 22 which creates chunks not larger than 4 MiB.
+
'--input-size-hint N'
This option can be used to tell GPG the size of the input data in
bytes. N must be a positive base-10 number. This option is only
import-export
Run the entire import code but instead of storing the key to
- the local keyring write it to the output. The export options
- 'export-pka' and 'export-dane' affect the output. This option
- can be used to remove all invalid parts from a key without the
+ the local keyring write it to the output. The export option
+ 'export-dane' affect the output. This option can for example
+ be used to remove all invalid parts from a key without the
need to store it.
merge-only
example, this reorders signatures, and strips duplicate
signatures. Defaults to yes.
+ bulk-import
+ When used the keyboxd (option 'use-keyboxd' in 'common.conf')
+ does the import within a single transaction.
+
import-minimal
Import the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
"minimize" before export except that the local copy of the key
is not modified. Defaults to no.
- export-pka
- Instead of outputting the key material output PKA records
- suitable to put into DNS zone files. An ORIGIN line is
- printed before each record to allow diverting the records to
- the corresponding zone file.
-
export-dane
Instead of outputting the key material output OpenPGP DANE
records suitable to put into DNS zone files. An ORIGIN line
'--no-force-v4-certs'
These options are obsolete and have no effect since GnuPG 2.1.
+'--force-aead'
+ Force the use of AEAD encryption over MDC encryption. AEAD is a
+ modern and faster way to do authenticated encryption than the old
+ MDC method. See also options '--aead-algo' and '--chunk-size'.
+
'--force-mdc'
'--disable-mdc'
These options are obsolete and have no effect since GnuPG 2.2.8.
- The MDC is always used. But note: If the creation of a legacy
- non-MDC message is exceptionally required, the option '--rfc2440'
- allows for this.
+ The MDC is always used unless the keys indicate that an AEAD
+ algorithm can be used in which case AEAD is used. But note: If the
+ creation of a legacy non-MDC message is exceptionally required, the
+ option '--rfc2440' allows for this.
'--disable-signer-uid'
By default the user ID of the signing key is embedded in the data
option '--auto-key-retrieve'.
'--include-key-block'
+'--no-include-key-block'
This option is used to embed the actual signing key into a data
signature. The embedded key is stripped down to a single user id
and includes only the signing subkey used to create the signature
as well as as valid encryption subkeys. All other info is removed
from the key to keep it and thus the signature small. This option
- is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'.
+ is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'
+ and allows the recipient of a signed message to reply encrypted to
+ the sender without using any online directories to lookup the key.
+ The default is '--no-include-key-block'. See also the option
+ '--auto-key-import'.
'--personal-cipher-preferences STRING'
Set the list of personal cipher preferences to STRING. Use 'gpg
most highly ranked cipher in this list is also used for the
'--symmetric' encryption command.
+'--personal-aead-preferences STRING'
+ Set the list of personal AEAD preferences to STRING. Use 'gpg
+ --version' to get a list of available algorithms, and use 'none' to
+ set no preference at all. This allows the user to safely override
+ the algorithm chosen by the recipient key preferences, as GPG will
+ only select an algorithm that is usable by all recipients. The
+ most highly ranked cipher in this list is also used for the
+ '--symmetric' encryption command.
+
'--personal-digest-preferences STRING'
Set the list of personal digest preferences to STRING. Use 'gpg
--version' to get a list of available algorithms, and use 'none' to
'--gnupg'
Use standard GnuPG behavior. This is essentially OpenPGP behavior
- (see '--openpgp'), but with some additional workarounds for common
+ (see '--openpgp'), but with extension from the proposed update to
+ OpenPGP and with some additional workarounds for common
compatibility problems in different versions of PGP. This is the
default option, so it is not generally needed, but it may be useful
to override a different compliance option in the gpg.conf file.
'--openpgp'
Reset all packet, cipher and digest options to strict OpenPGP
- behavior. Use this option to reset all previous options like
- '--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo'
- to OpenPGP compliant values. All PGP workarounds are disabled.
+ behavior. This option implies '--allow-old-cipher-algos'. Use
+ this option to reset all previous options like '--s2k-*',
+ '--cipher-algo', '--digest-algo' and '--compress-algo' to OpenPGP
+ compliant values. All PGP workarounds are disabled.
'--rfc4880'
Reset all packet, cipher and digest options to strict RFC-4880
- behavior. Note that this is currently the same thing as
- '--openpgp'.
+ behavior. This option implies '--allow-old-cipher-algos'. Note
+ that this is currently the same thing as '--openpgp'.
'--rfc4880bis'
- Enable experimental features from proposed updates to RFC-4880.
- This option can be used in addition to the other compliance
- options. Warning: The behavior may change with any GnuPG release
- and created keys or data may not be usable with future GnuPG
- versions.
+ Reset all packet, cipher and digest options to strict according to
+ the proposed updates of RFC-4880.
'--rfc2440'
Reset all packet, cipher and digest options to strict RFC-2440
behavior. Note that by using this option encryption packets are
created in a legacy mode without MDC protection. This is dangerous
- and should thus only be used for experiments. See also option
- '--ignore-mdc-error'.
+ and should thus only be used for experiments. This option implies
+ '--allow-old-cipher-algos'. See also option '--ignore-mdc-error'.
'--pgp6'
- Set up all options to be as PGP 6 compliant as possible. This
- restricts you to the ciphers IDEA (if the IDEA plugin is
- installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
- and the compression algorithms none and ZIP. This also disables
- '--throw-keyids', and making signatures with signing subkeys as PGP
- 6 does not understand signatures made by signing subkeys.
-
- This option implies '--escape-from-lines'.
+ This option is obsolete; it is handled as an alias for '--pgp7'
'--pgp7'
- Set up all options to be as PGP 7 compliant as possible. This is
- identical to '--pgp6' except that MDCs are not disabled, and the
- list of allowable ciphers is expanded to add AES128, AES192,
- AES256, and TWOFISH.
+ Set up all options to be as PGP 7 compliant as possible. This
+ allowed the ciphers IDEA, 3DES, CAST5,AES128, AES192, AES256, and
+ TWOFISH., the hashes MD5, SHA1 and RIPEMD160, and the compression
+ algorithms none and ZIP. This option implies '--escape-from-lines'
+ and disables '--throw-keyids',
'--pgp8'
Set up all options to be as PGP 8 compliant as possible. PGP 8 is
size requirements. For example, a value of 3000 turns rsa2048 and
dsa2048 keys into non-VS-NfD compliant keys.
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpg user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpg process exits
+ with a failure if the compliance rules are not fulfilled. Note
+ that this option has currently an effect only in "de-vs" mode.
+
\1f
File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- Set debugging flags. All flags are or-ed and FLAGS may be given in
- C syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
To get a list of all supported flags the single word "help" can be
- used.
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Set all useful debugging flags.
Set stdout into line buffered mode. This option is only honored
when given on the command line.
+'--debug-set-iobuf-size N'
+ Change the buffer size of the IOBUFs to N kilobyte. Using 0 prints
+ the current size. Note well: This is a maintainer only option and
+ may thus be changed or removed at any time without notice.
+
+'--debug-allow-large-chunks'
+ To facilitate software tests and experiments this option allows to
+ specify a limit of up to 4 EiB ('--chunk-size 62').
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
If you suffix EPOCH with an exclamation mark (!), the system time
will appear to be frozen at the specified time.
+'--full-timestrings'
+ Change the format of printed creation and expiration times from
+ just the date to the date and time. This is in general not useful
+ and the same information is anyway available in '--with-colons'
+ mode. These longer strings are also not well aligned with other
+ printed data.
+
'--enable-progress-filter'
Enable certain PROGRESS status outputs. This option allows
frontends to display a progress indicator while gpg is processing
'--log-file FILE'
'--logger-file FILE'
Same as '--logger-fd', except the logger data is written to file
- FILE. Use 'socket://' to log to a socket. Note that in this
- version of gpg the option has only an effect if '--batch' is also
- used.
+ FILE. Use 'socket://' to log to s socket.
'--attribute-fd N'
Write attribute subpackets to the file descriptor N. This is most
'--version' yields a list of supported algorithms. If this is not
used the cipher algorithm is selected from the preferences stored
with the key. In general, you do not want to use this option as it
- allows you to violate the OpenPGP standard.
+ allows you to violate the OpenPGP standard. The option
'--personal-cipher-preferences' is the safe way to accomplish the
same thing.
+'--aead-algo NAME'
+ Specify that the AEAD algorithm NAME is to be used. This is useful
+ for symmetric encryption where no key preference are available to
+ select the AEAD algorithm. Running 'gpg' with option '--version'
+ shows the available AEAD algorithms. In general, you do not want
+ to use this option as it allows you to violate the OpenPGP
+ standard. The option '--personal-aead-preferences' is the safe way
+ to accomplish the same thing.
+
'--digest-algo NAME'
Use NAME as the message digest algorithm. Running the program with
the command '--version' yields a list of supported algorithms. In
general, you do not want to use this option as it allows you to
- violate the OpenPGP standard. '--personal-digest-preferences' is
- the safe way to accomplish the same thing.
+ violate the OpenPGP standard. The option
+ '--personal-digest-preferences' is the safe way to accomplish the
+ same thing.
'--compress-algo NAME'
Use compression algorithm NAME. "zlib" is RFC-1950 ZLIB
PGP (all versions) only supports ZIP compression. Using any
algorithm other than ZIP or "none" will make the message unreadable
with PGP. In general, you do not want to use this option as it
- allows you to violate the OpenPGP standard.
+ allows you to violate the OpenPGP standard. The option
'--personal-compress-preferences' is the safe way to accomplish the
same thing.
supported algorithms. Be aware that if you choose an algorithm
that GnuPG supports but other OpenPGP implementations do not, then
some users will not be able to use the key signatures you make, or
- quite possibly your entire key.
+ quite possibly your entire key. Note also that a public key
+ algorithm must be compatible with the specified digest algorithm;
+ thus selecting an arbitrary digest algorithm may result in error
+ messages from lower crypto layers or lead to security flaws.
'--disable-cipher-algo NAME'
Never allow the use of NAME as cipher algorithm. The given name
indication of an attack. Use with great caution; see also option
'--rfc2440'.
+'--allow-old-cipher-algos'
+ Old cipher algorithms like 3DES, IDEA, or CAST5 encrypt data using
+ blocks of 64 bits; modern algorithms use blocks of 128 bit instead.
+ To avoid certain attack on these old algorithms it is suggested not
+ to encrypt more than 150 MiByte using the same key. For this
+ reason gpg does not allow the use of 64 bit block size algorithms
+ for encryption unless this option is specified.
+
'--allow-weak-digest-algos'
Signatures made with known-weak digest algorithms are normally
rejected with an "invalid digest algorithm" message. This option
this option and do not provide alternate keyrings via '--keyring',
then GnuPG will still use the default keyring.
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
+
'--no-keyring'
Do not use any keyring at all. This overrides the default and all
options which specify keyrings.
the advanced key generation commands can always be used to specify
a key algorithm directly.
+'--no-auto-trust-new-key'
+ When creating a new key the ownertrust of the new key is set to
+ ultimate. This option disables this and the user needs to manually
+ assign an ownertrust value.
+
'--force-sign-key'
This option modifies the behaviour of the commands
'--quick-sign-key', '--quick-lsign-key', and the "sign"
'--allow-multiple-messages'
'--no-allow-multiple-messages'
- Allow processing of multiple OpenPGP messages contained in a single
- file or stream. Some programs that call GPG are not prepared to
- deal with multiple messages being processed together, so this
- option defaults to no. Note that versions of GPG prior to 1.4.7
- always allowed multiple messages. Future versions of GnUPG will
- remove this option.
-
- Warning: Do not use this option unless you need it as a temporary
- workaround!
+ These are obsolete options; they have no more effect since GnuPG
+ 2.2.8.
'--enable-special-filenames'
This option enables a mode in which filenames of the form '-&n',
'--default-preference-list STRING'
Set the list of default preferences to STRING. This preference
list is used for new keys and becomes the default for "setpref" in
- the edit menu.
+ the '--edit-key' menu.
'--default-keyserver-url NAME'
Set the default keyserver URL to NAME. This keyserver will be used
file would prevent 'gpg' from startup. Thus it may be used to run
a syntax check on the configuration file.
+'--chuid UID'
+ Change the current user to UID which may either be a number or a
+ name. This can be used from the root account to run gpg for
+ another user. If UID is not the current UID a standard PATH is set
+ and the envvar GNUPGHOME is unset. To override the latter the
+ option '--homedir' can be used. This option has only an effect
+ when used on the command line. This option has currently no effect
+ at all on Windows.
+
---------- Footnotes ----------
(1) Using a little social engineering anyone who is able to decrypt
name may be changed on the command line (*note gpg-option
--options::). You should backup this file.
+'common.conf'
+ This is an optional configuration file read by 'gpg' on startup.
+ It may contain options pertaining to all components of GnuPG. Its
+ current main use is for the "use-keyboxd" option.
+
Note that on larger installations, it is useful to put predefined
files into the directory '/etc/skel/.gnupg' so that newly created users
start up with a working configuration. For existing users a small
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys.backup
- $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-options restore --import publickeys.backup
$ gpg --import-ownertrust otrust.lst
'~/.gnupg/pubring.kbx.lock'
of the respective key. It is suggested to backup those
certificates and if the primary private key is not stored on the
disk to move them to an external storage device. Anyone who can
- access theses files is able to revoke the corresponding key. You
+ access these files is able to revoke the corresponding key. You
may want to print them out. You should backup all files in this
directory and take care to keep this backup closed away.
under operating systems without proper support to figure out the
name of a process' text file.
+GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
When calling the gpg-agent component 'gpg' sends a set of environment
variables to gpg-agent. The names of these variables can be listed
using the command:
signature was bad, and other error codes for fatal errors.
Note that signature verification requires exact knowledge of what has
-been signed and by whom it has beensigned. Using only the return code
+been signed and by whom it has been signed. Using only the return code
is thus not an appropriate way to verify a signature by a script.
Either make proper use or the status codes or use the 'gpgv' tool which
has been designed to make signature verification easy for scripts.
utilizes the 'dirmngr' service. It uses a format useful mainly for
debugging.
+'--show-certs [FILES]'
+ This command takes certificate files as input and prints
+ information about them in the same format as '--dump-cert' does.
+ Each file may either contain a single binary certificate or several
+ PEM encoded certificates. If no files are given, the input is
+ taken from stdin.
+
+ Please note that the listing format may be changed in future
+ releases and that the option '--with-colons' has currently no
+ effect.
+
'--keydb-clear-some-cert-flags'
This is a debugging aid to reset certain flags in the key database
- which are used to cache certain certificate stati. It is
+ which are used to cache certain certificate statuses. It is
especially useful if a bad CRL or a weird running OCSP responder
did accidentally revoke certificate. There is no security issue
with this command because 'gpgsm' always make sure that the
verbosity by giving several verbose commands to 'gpgsm', such as
'-vv'.
-'--ldapserver STRING'
'--keyserver STRING'
- Add an LDAP server to use for X.509 certificate and CRL lookup.
- This option can be given multiple times to configure more than one
- LDAP server. Note that in general 'dirmngr' should be configured
- with the list of LDAP servers; if this option is also configured
- here, it is used in addition to those configured in dirmngr. For
- the syntax see the description of dirmngr's ldapserver option.
+ This is a deprecated option. It was used to add an LDAP server to
+ use for X.509 certificate and CRL lookup. The alias '--ldapserver'
+ existed from version 2.2.28 to 2.2.33 and 2.3.2 to 2.3.4 but is now
+ entirely ignored.
+
+ LDAP servers must be given in the configuration for 'dirmngr'.
'--policy-file FILENAME'
- Change the default name of the policy file to FILENAME.
+ Change the default name of the policy file to FILENAME. The
+ default name is 'policies.txt'.
'--agent-program FILE'
Specify an agent program to be used for secret key operations. The
5.2.5 Doing things one usually do not want to do
------------------------------------------------
+'--chuid UID'
+ Change the current user to UID which may either be a number or a
+ name. This can be used from the root account to run gpgsm for
+ another user. If UID is not the current UID a standard PATH is set
+ and the envvar GNUPGHOME is unset. To override the latter the
+ option '--homedir' can be used. This option has only an effect
+ when used on the command line. This option has currently no effect
+ at all on Windows.
+
'--extra-digest-algo NAME'
Sometimes signatures are broken in that they announce a different
digest algorithm than actually used. 'gpgsm' uses a one-pass data
size requirements. For example, a value of 3000 turns rsa2048 and
dsa2048 keys into non-VS-NfD compliant keys.
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpgsm user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpgsm process
+ exits with a failure if the compliance rules are not fulfilled.
+ Note that this option has currently an effect only in "de-vs" mode.
+
+'--ignore-cert-with-oid OID'
+ Add OID to the list of OIDs to be checked while reading
+ certificates from smartcards. The OID is expected to be in dotted
+ decimal form, like '2.5.29.3'. This option may be used more than
+ once. As of now certificates with an extended key usage matching
+ one of those OIDs are ignored during a '--learn-card' operation and
+ not imported. This option can help to keep the local key database
+ clear of unneeded certificates stored on smartcards.
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
that they are included anyway if the key specification for a
listing is given as fingerprint or keygrip.
+'--compatibility-flags FLAGS'
+ Set compatibility flags to work around problems due to
+ non-compliant certificates or data. The FLAGS are given as a comma
+ separated list of flag names and are OR-ed together. The special
+ flag "none" clears the list and allows to start over with an empty
+ list. To get a list of available flags the sole word "help" can be
+ used.
+
'--debug-level LEVEL'
Select the debug level for investigating problems. LEVEL may be a
numeric value or by a keyword:
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- This option is only useful for debugging and the behaviour may
- change at any time without notice; using '--debug-levels' is the
- preferred method to select the debug verbosity. FLAGS are bit
- encoded and may be given in usual C-Syntax. The currently defined
- bits are:
-
- '0 (1)'
- X.509 or OpenPGP protocol related data
- '1 (2)'
- values of big number integers
- '2 (4)'
- low level crypto operations
- '5 (32)'
- memory allocation
- '6 (64)'
- caching
- '7 (128)'
- show memory statistics
- '9 (512)'
- write hashed data to files named 'dbgmd-000*'
- '10 (1024)'
- trace Assuan protocol
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
Note, that all flags set using this option may get overridden by
'--debug-level'.
name may be changed on the command line (*note gpgsm-option
--options::). You should backup this file.
+'common.conf'
+ This is an optional configuration file read by 'gpgsm' on startup.
+ It may contain options pertaining to all components of GnuPG. Its
+ current main use is for the "use-keyboxd" option.
+
'policies.txt'
This is a list of allowed CA policies. This file should list the
object identifiers of the policies line by line. Empty lines and
Note that even if a certificate is listed in this file, this does
not mean that the certificate is trusted; in general the
certificates listed in this file need to be listed also in
- 'trustlist.txt'.
-
- This is a global file an installed in the data directory (e.g.
- '/usr/local/share/gnupg/qualified.txt'). GnuPG installs a suitable
- file with root certificates as used in Germany. As new Root-CA
- certificates may be issued over time, these entries may need to be
- updated; new distributions of this software should come with an
- updated list but it is still the responsibility of the
- Administrator to check that this list is correct.
+ 'trustlist.txt'. This is a global file an installed in the sysconf
+ directory (e.g. '/etc/gnupg/qualified.txt').
Every time 'gpgsm' uses a certificate for signing or verification
this file will be consulted to check whether the certificate under
file describing a regular TCP listening port) is the standard way
of connecting the 'gpg-agent'.
-\1f
-File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
-
-5.4 Examples
-============
-
- $ gpgsm -er goo@bar.net <plaintext >ciphertext
-
-\1f
-File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
-
-5.5 Unattended Usage
-====================
-
-'gpgsm' is often used as a backend engine by other software. To help
-with this a machine interface has been defined to have an unambiguous
-way to do this. This is most likely used with the '--server' command
-but may also be used in the standard operation mode by using the
-'--status-fd' option.
-
-* Menu:
-
-* Automated signature checking:: Automated signature checking.
-* CSR and certificate creation:: CSR and certificate creation.
-
-\1f
-File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage
-
-5.5.1 Automated signature checking
-----------------------------------
-
-It is very important to understand the semantics used with signature
-verification. Checking a signature is not as simple as it may sound and
-so the operation is a bit complicated. In most cases it is required to
-look at several status lines. Here is a table of all cases a signed
-message may have:
-
-The signature is valid
- This does mean that the signature has been successfully verified,
- the certificates are all sane. However there are two subcases with
- important information: One of the certificates may have expired or
- a signature of a message itself as expired. It is a sound practise
- to consider such a signature still as valid but additional
- information should be displayed. Depending on the subcase 'gpgsm'
- will issue these status codes:
- signature valid and nothing did expire
- 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but at least one certificate has expired
- 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but expired
- 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is
- currently not implemented.
-
-The signature is invalid
- This means that the signature verification failed (this is an
- indication of a transfer error, a program error or tampering with
- the message). 'gpgsm' issues one of these status codes sequences:
- 'BADSIG'
- 'GOODSIG, VALIDSIG TRUST_NEVER'
-
-Error verifying a signature
- For some reason the signature could not be verified, i.e. it
- cannot be decided whether the signature is valid or invalid. A
- common reason for this is a missing certificate.
-
-\1f
-File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage
-
-5.5.2 CSR and certificate creation
-----------------------------------
-
-The command '--generate-key' may be used along with the option '--batch'
-to either create a certificate signing request (CSR) or an X.509
-certificate. This is controlled by a parameter file; the format of this
-file is as follows:
-
- * Text only, line length is limited to about 1000 characters.
- * UTF-8 encoding must be used to specify non-ASCII characters.
- * Empty lines are ignored.
- * Leading and trailing while space is ignored.
- * A hash sign as the first non white space character indicates a
- comment line.
- * Control statements are indicated by a leading percent sign, the
- arguments are separated by white space from the keyword.
- * Parameters are specified by a keyword, followed by a colon.
- Arguments are separated by white space.
- * The first parameter must be 'Key-Type', control statements may be
- placed anywhere.
- * The order of the parameters does not matter except for 'Key-Type'
- which must be the first parameter. The parameters are only used
- for the generated CSR/certificate; parameters from previous sets
- are not used. Some syntactically checks may be performed.
- * Key generation takes place when either the end of the parameter
- file is reached, the next 'Key-Type' parameter is encountered or at
- the control statement '%commit' is encountered.
-
-Control statements:
-
-%echo TEXT
- Print TEXT as diagnostic.
-
-%dry-run
- Suppress actual key generation (useful for syntax checking).
-
-%commit
- Perform the key generation. Note that an implicit commit is done
- at the next Key-Type parameter.
-
-General Parameters:
-
-Key-Type: ALGO
- Starts a new parameter block by giving the type of the primary key.
- The algorithm must be capable of signing. This is a required
- parameter. The only supported value for ALGO is 'rsa'.
-
-Key-Length: NBITS
- The requested length of a generated key in bits. Defaults to 3072.
-
-Key-Grip: HEXSTRING
- This is optional and used to generate a CSR or certificate for an
- already existing key. Key-Length will be ignored when given.
-
-Key-Usage: USAGE-LIST
- Space or comma delimited list of key usage, allowed values are
- 'encrypt', 'sign' and 'cert'. This is used to generate the
- keyUsage extension. Please make sure that the algorithm is capable
- of this usage. Default is to allow encrypt and sign.
-
-Name-DN: SUBJECT-NAME
- This is the Distinguished Name (DN) of the subject in RFC-2253
- format.
-
-Name-Email: STRING
- This is an email address for the altSubjectName. This parameter is
- optional but may occur several times to add several email addresses
- to a certificate.
-
-Name-DNS: STRING
- The is an DNS name for the altSubjectName. This parameter is
- optional but may occur several times to add several DNS names to a
- certificate.
-
-Name-URI: STRING
- This is an URI for the altSubjectName. This parameter is optional
- but may occur several times to add several URIs to a certificate.
-
-Additional parameters used to create a certificate (in contrast to a
-certificate signing request):
-
-Serial: SN
- If this parameter is given an X.509 certificate will be generated.
- SN is expected to be a hex string representing an unsigned integer
- of arbitrary length. The special value 'random' can be used to
- create a 64 bit random serial number.
-
-Issuer-DN: ISSUER-NAME
- This is the DN name of the issuer in RFC-2253 format. If it is not
- set it will default to the subject DN and a special GnuPG extension
- will be included in the certificate to mark it as a standalone
- certificate.
-
-Creation-Date: ISO-DATE
-Not-Before: ISO-DATE
- Set the notBefore date of the certificate. Either a date like
- '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like
- '19860426T042640' may be used. The time is considered to be UTC.
- If it is not given the current date is used.
-
-Expire-Date: ISO-DATE
-Not-After: ISO-DATE
- Set the notAfter date of the certificate. Either a date like
- '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like
- '20630405T170000' may be used. The time is considered to be UTC.
- If it is not given a default value in the not too far future is
- used.
-
-Signing-Key: KEYGRIP
- This gives the keygrip of the key used to sign the certificate. If
- it is not given a self-signed certificate will be created. For
- compatibility with future versions, it is suggested to prefix the
- keygrip with a '&'.
-
-Hash-Algo: HASH-ALGO
- Use HASH-ALGO for this CSR or certificate. The supported hash
- algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may
- also be specified with uppercase letters. The default is 'sha256'.
-
projects / platform / upstream / gpg2.git / blobdiff