This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
-This is the 'The GNU Privacy Guard Manual' (version 2.3.1-beta26, April
-2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
Using the GNU Privacy Guard
***************************
-This is the 'The GNU Privacy Guard Manual' (version 2.3.1-beta26, April
-2021).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
'--supervised'
Run in the foreground, sending logs by default to stderr, and
listening on provided file descriptors, which must already be bound
- to listening sockets. This command is useful when running under
- systemd or other similar process supervision schemes. This option
- is not supported on Windows.
+ to listening sockets. This option is deprecated and not supported
+ on Windows.
+
+ If in 'common.conf' the option 'no-autostart' is set, any start
+ attemps will be ignored.
In -supervised mode, different file descriptors can be provided for
use as different socket types (e.g. ssh, extra) as long as they
Don't detach the process from the console. This is mainly useful
for debugging.
+'--steal-socket'
+ In '--daemon' mode, gpg-agent detects an already running gpg-agent
+ and does not allow to start a new instance. This option can be
+ used to override this check: the new gpg-agent process will try to
+ take over the communication sockets from the already running
+ process and start anyway. This option should in general not be
+ used.
+
'-s'
'--sh'
'-c'
the 'trustlist.txt' file. This makes it harder for users to
inadvertently accept Root-CA keys.
+'--no-user-trustlist'
+ Entirely ignore the user trust list and consider only the global
+ trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note
+ option --no-allow-mark-trusted::.
+
+'--sys-trustlist-name FILE'
+ Changes the default name for the global trustlist from
+ "trustlist.txt" to FILE. If FILE does not contain any slashes and
+ does not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg').
+
'--allow-preset-passphrase'
This option allows the use of 'gpg-preset-passphrase' to seed the
internal cache of 'gpg-agent' with passphrases.
Defaults to 1.
'--check-passphrase-pattern FILE'
+'--check-sym-passphrase-pattern FILE'
Check the passphrase against the pattern given in FILE. When
entering a new passphrase matching one of these pattern a warning
- will be displayed. FILE should be an absolute filename. The
- default is not to use any pattern file.
+ will be displayed. If FILE does not contain any slashes and does
+ not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg'). The default is not to use any pattern
+ file. The second version of this option is only used when creating
+ a new symmetric key to allow the use of different patterns for such
+ passphrases.
Security note: It is known that checking a passphrase against a
list of pattern or even against a complete dictionary is not very
timeout, however a Pinentry may use its own default timeout value
in this case. A Pinentry may or may not honor this request.
+'--pinentry-formatted-passphrase'
+ This option asks the Pinentry to enable passphrase formatting when
+ asking the user for a new passphrase and masking of the passphrase
+ is turned off.
+
+ If passphrase formatting is enabled, then all non-breaking space
+ characters are stripped from the entered passphrase. Passphrase
+ formatting is mostly useful in combination with passphrases
+ generated with the GENPIN feature of some Pinentries. Note that
+ such a generated passphrase, if not modified by the user, skips all
+ passphrase constraints checking because such constraints would
+ actually weaken the generated passphrase.
+
'--pinentry-program FILENAME'
Use program FILENAME as the PIN entry. The default is installation
dependent. With the default configuration the name of the default
As a special feature a line 'include-default' will include a global
list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').
- This global list is also used if the local list is not available.
+ This global list is also used if the local list is not available;
+ the *note option --no-user-trustlist:: enforces the use of only
+ this global list.
It is possible to add further flags after the 'S' for use by the
caller:
this flag set fails, try again using the chain validation
model.
+ 'qual'
+ The CA is allowed to issue certificates for qualified
+ signatures. This flag has an effect only if used in the
+ global list. This is now the preferred way to mark such CA;
+ the old way of having a separate file 'qualified.txt' is still
+ supported.
+
'sshcontrol'
This file is used when support for the secure shell agent protocol
has been enabled (*note option --enable-ssh-support::). Only keys
'--supervised'
Run in the foreground, sending logs to stderr, and listening on
file descriptor 3, which must already be bound to a listening
- socket. This is useful when running under systemd or other similar
- process supervision schemes. This option is not supported on
- Windows.
+ socket. This option is deprecated and not supported on Windows.
'--list-crls'
List the contents of the CRL cache on 'stdout'. This is probably
only to this particular keyserver.
Most keyservers synchronize with each other, so there is generally
- no need to send keys to more than one server. The keyserver
- 'hkp://keys.gnupg.net' uses round robin DNS to give a different
- keyserver each time you use it.
+ no need to send keys to more than one server. Somes keyservers use
+ round robin DNS to give a different keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor
hidden service (.onion), Dirmngr selects the keyserver to use
a running Tor is done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the
- built-in default of 'hkps://hkps.pool.sks-keyservers.net'.
+ built-in default of 'https://keyserver.ubuntu.com'.
Windows users with a keyserver running on their Active Directory
- should use 'ldap:///' for NAME to access this directory. As an
- alternative it is also possible to add 'gpgNtds=1' as extension
- (i.e. after the fourth question mark).
+ may use the short form 'ldap:///' for NAME to access this
+ directory.
For accessing anonymous LDAP keyservers NAME is in general just a
'ldaps://ldap.example.com'. A BaseDN parameter should never be
- specified. If authentication is required the value of NAME is for
- example:
+ specified. If authentication is required things are more
+ complicated and two methods are available:
+
+ The modern method (since version 2.2.28) is to use the very same
+ syntax as used with the option '--ldapserver'. Please see over
+ there for details; here is an example:
+
+ keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
+ dc=example,dc=com:PASSWORD::starttls
+
+ The other method is to use a full URL for NAME; for example:
keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
Put this all on one line without any spaces and keep the '%2C' as
given. Replace USERNAME, PASSWORD, and the 'dc' parts according to
- the instructions received from the LDAP administrator. Note that
+ the instructions received from your LDAP administrator. Note that
only simple authentication (i.e. cleartext passwords) is supported
- and thus using ldaps is strongly suggested.
+ and thus using ldaps is strongly suggested (since 2.2.28 "ldaps"
+ defaults to port 389 and uses STARTTLS). On Windows authentication
+ via AD can be requested by adding 'gpgNtds=1' after the fourth
+ question mark instead of the bindname and password parameter.
'--nameserver IPADDR'
In "Tor mode" Dirmngr uses a public resolver via Tor to resolve DNS
LDAP server if the connection using the "proxy" failed.
'--ldapserverlist-file FILE'
- Read a list of LDAP servers to consult for CRLs and certificates
- from file. This servers from this list are used after any servers
- set by a client for its session. The default value for FILE is
+ Read the list of LDAP servers to consult for CRLs and X.509
+ certificates from file instead of the default per-user ldap server
+ list file. The default value for FILE is
'dirmngr_ldapservers.conf'.
This server list file contains one LDAP server per line in the
Lines starting with a '#' are comments.
- The only defined flag is 'ldaps' to specify that a TLS connections
- shall be used. Flags are comma delimited; unknown flags are
- ignored.
-
Note that as usual all strings entered are expected to be UTF-8
encoded. Obviously this will lead to problems if the password has
originally been encoded as Latin-1. There is no other solution
here than to put such a password in the binary encoding into the
file (i.e. non-ascii characters won't show up readable).(1)
+'--ldapserver SPEC'
+ This is an alternative way to specify LDAP servers for CRL and
+ X.509 certificate retrieval. If this option is used the servers
+ configured in 'dirmngr_ldapservers.conf' (or the file given by
+ '--ldapserverlist-file') are cleared. Note that
+ 'dirmngr_ldapservers.conf' is not read again by a reload signal.
+ However, '--ldapserver' options are read again.
+
+ SPEC is either a proper LDAP URL or a colon delimited list of the
+ form
+
+ HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS:
+
+ with an optional prefix of 'ldap:' (but without the two slashes
+ which would turn this into a proper LDAP URL). FLAGS is a list of
+ one or more comma delimited keywords:
+ 'plain'
+ The default: Do not use a TLS secured connection at all; the
+ default port is 389.
+ 'starttls'
+ Use STARTTLS to secure the connection; the default port is
+ 389.
+ 'ldaptls'
+ Tunnel LDAP through a TLS connection; the default port is 636.
+ 'ntds'
+ On Windows authenticate the LDAP connection using the Active
+ Directory with the current user.
+ 'areconly'
+ On Windows use only the A or AAAA record when resolving the
+ LDAP server name.
+
+ Note that in an URL style specification the scheme 'ldaps://'
+ refers to STARTTLS and _not_ to LDAP-over-TLS.
+
'--ldaptimeout SECS'
Specify the number of seconds to wait for an LDAP query before
timing out. The default are 15 seconds. 0 will never timeout.
with care because extensions are usually flagged as critical for a
reason.
+'--ignore-cert FPR|FILE'
+ Entirely ignore certificates with the fingerprint FPR. As an
+ alternative to the fingerprint a filename can be given in which
+ case all certificates described in that file are ignored. Any
+ argument which contains a slash, dot or tilde is considered a
+ filename. Usual filename expansion takes place: A tilde at the
+ start followed by a slash is replaced by the content of 'HOME', no
+ slash at start describes a relative filename which will be searched
+ at the home directory. To make sure that the FILE is searched in
+ the home directory, either prepend the name with "./" or use a name
+ which contains a dot. The format of such a file is a list of SHA-1
+ fingerprint, one per line with optional colons between the bytes.
+ Empty lines and lines prefixed with a hash mark are ignored.
+
+ This option is useful as a quick workaround to exclude certain
+ certificates from the system store.
+
'--hkp-cacert FILE'
Use the root certificates in FILE for verification of the TLS
certificates used with 'hkps' (keyserver access over TLS). If the
This option may be given multiple times to add more root
certificates. Tilde expansion is supported.
- If no 'hkp-cacert' directive is present, dirmngr will make a
- reasonable choice: if the keyserver in question is the special pool
- 'hkps.pool.sks-keyservers.net', it will use the bundled root
- certificate for that pool. Otherwise, it will use the system CAs.
+ If no 'hkp-cacert' directive is present, dirmngr will use the
+ system CAs.
---------- Footnotes ----------
Locate the keys given as arguments. This command basically uses
the same algorithm as used when locating keys for encryption and
may thus be used to see what keys 'gpg' might use. In particular
- external methods as defined by '--auto-key-locate' may be used to
- locate a key. Only public keys are listed. The variant
- '--locate-external-keys' does not consider a locally existing key
- and can thus be used to force the refresh of a key via the defined
- external methods.
+ external methods as defined by '--auto-key-locate' are used to
+ locate a key if the arguments comain valid mail addresses. Only
+ public keys are listed.
+
+ The variant '--locate-external-keys' does not consider a locally
+ existing key and can thus be used to force the refresh of a key via
+ the defined external methods. If a fingerprint is given and and
+ the methods defined by -auto-key-locate define LDAP servers, the
+ key is fetched from these resources; defined non-LDAP keyservers
+ are skipped.
'--show-keys'
This commands takes OpenPGP keys as input and prints information
not to request a confirmation.
'--export'
- Either export all keys from all keyrings (default keyrings and
- those registered via option '--keyring'), or if at least one name
- is given, those of the given name. The exported keys are written
- to STDOUT or to the file given with option '--output'. Use
- together with '--armor' to mail those keys.
+ Either export all keys from all keyrings (default keyring and those
+ registered via option '--keyring'), or if at least one name is
+ given, those of the given name. The exported keys are written to
+ STDOUT or to the file given with option '--output'. Use together
+ with '--armor' to mail those keys.
'--send-keys KEYIDS'
Similar to '--export' but sends the keys to a keyserver.
STDIN. With the second form (or a deprecated "*" for ALGO) digests
for all available algorithms are printed.
-'--gen-random 0|1|2 COUNT'
+'--gen-random 0|1|2|16|30 COUNT'
Emit COUNT random bytes of the given quality level 0, 1 or 2. If
COUNT is not given or zero, an endless sequence of random bytes
will be emitted. If used with '--armor' the output will be base64
- encoded. PLEASE, don't use this command unless you know what you
- are doing; it may remove precious entropy from the system!
+ encoded. The special level 16 uses a quality level of 1 and
+ outpust end endless stream of hex-encoded octets. The special
+ level 30 outputs random as 30 zBase-32 characters.
'--gen-prime MODE BITS'
Use the source, Luke :-). The output format is subject to change
'--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
- useful.
+ useful. The '--dearmor' command can also be used to dearmor PEM
+ armors.
'--unwrap'
This command is similar to '--decrypt' with the change that the
bring older keys up to date.
save
- Save all changes to the keyrings and quit.
+ Save all changes to the keyring and quit.
quit
- Quit the program without updating the keyrings.
+ Quit the program without updating the keyring.
The listing shows you the key with its secondary keys and all user
IDs. The primary user ID is indicated by a dot, and selected keys
Add FILE to the current list of keyrings. If FILE begins with a
tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the
- GnuPG home directory ("~/.gnupg" if '--homedir' or $GNUPGHOME is
- not used).
+ GnuPG home directory ("~/.gnupg" unless '--homedir' or $GNUPGHOME
+ is used).
Note that this adds a keyring to the current list. If the intent
is to use the specified keyring alone, use '--keyring' along with
If the option '--no-keyring' has been used no keyrings will be used
at all.
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
+
+'--primary-keyring FILE'
+ This is a varian of '--keyring' and designates FILE as the primary
+ public keyring. This means that newly imported keys (via
+ '--import' or keyserver '--recv-from') will go to this keyring.
+
'--secret-keyring FILE'
This is an obsolete option and ignored. All secret keys are stored
in the 'private-keys-v1.d' directory below the GnuPG home
directory.
-'--primary-keyring FILE'
- Designate FILE as the primary public keyring. This means that
- newly imported keys (via '--import' or keyserver '--recv-from')
- will go to this keyring.
-
'--trustdb-name FILE'
Use FILE instead of the default trustdb. If FILE begins with a
tilde and a slash, these are replaced by the $HOME directory. If
claim" signatures are always accepted.
'--trusted-key LONG KEY ID OR FINGERPRINT'
- Assume that the specified key (which must be given as a full 8 byte
- key ID, a 20 byte, or 32 byte fingerprint) is as trustworthy as one
- of your own secret keys. This option is useful if you don't want
- to keep your secret keys (or one of them) online but still want to
- be able to check the validity of a given recipient's or signator's
- key.
+ Assume that the specified key (which should be given as
+ fingerprint) is as trustworthy as one of your own secret keys.
+ This option is useful if you don't want to keep your secret keys
+ (or one of them) online but still want to be able to check the
+ validity of a given recipient's or signator's key. If the given
+ key is not locally available but an LDAP keyserver is configured
+ the missing key is imported from that server.
'--trust-model {pgp|classic|tofu|tofu+pgp|direct|always|auto}'
Set what trust model GnuPG should follow. The models are:
ntds
Locate the key using the Active Directory (Windows only).
+ This method also allows to search by fingerprint using the
+ command '--locate-external-key'. Note that this mechanism is
+ actually a shortcut for the mechanism 'keyserver' but using
+ "ldap:///" as the keyserver.
keyserver
- Locate a key using a keyserver.
+ Locate a key using a keyserver. This method also allows to
+ search by fingerprint using the command
+ '--locate-external-key' if any of the configured keyservers is
+ an LDAP server.
keyserver-URL
In addition, a keyserver URL as used in the 'dirmngr'
configuration may be used here to query that particular
- keyserver.
+ keyserver. This method also allows to search by fingerprint
+ using the command '--locate-external-key' if the URL specifies
+ an LDAP server.
local
Locate the key using the local keyrings. This mechanism
keyserver: "hkp"/"hkps" for the HTTP (or compatible) keyservers or
"ldap"/"ldaps" for the LDAP keyservers. Note that your particular
installation of GnuPG may have other keyserver types available as
- well. Keyserver schemes are case-insensitive. After the keyserver
- name, optional keyserver configuration options may be provided.
- These are the same as the global '--keyserver-options' from below,
- but apply only to this particular keyserver.
+ well. Keyserver schemes are case-insensitive.
Most keyservers synchronize with each other, so there is generally
no need to send keys to more than one server. The keyserver
the end of each chunk and does not need to delay this until all
data has been received. The used chunk size is 2^N byte. The
lowest allowed value for N is 6 (64 byte) and the largest is the
- default of 27 which creates chunks not larger than 128 MiB.
+ default of 22 which creates chunks not larger than 4 MiB.
'--input-size-hint N'
This option can be used to tell GPG the size of the input data in
signatures. Defaults to yes.
bulk-import
- When used the keyboxd (option "use-keyboxd" in 'common.conf')
- do the import within a single transaction. This is an
- experimental feature.
+ When used the keyboxd (option 'use-keyboxd' in 'common.conf')
+ does the import within a single transaction.
import-minimal
Import the smallest key possible. This removes all signatures
'--compliance STRING'
This option can be used instead of one of the options above. Valid
values for STRING are the above option names (without the double
- dash) and possibly others as shown when using "help" for VALUE.
+ dash) and possibly others as shown when using "help" for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpg user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpg process exits
+ with a failure if the compliance rules are not fulfilled. Note
+ that this option has currently an effect only in "de-vs" mode.
\1f
File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options
may thus be changed or removed at any time without notice.
'--debug-allow-large-chunks'
- To facilitate in-memory decryption on the receiving site, the
- largest recommended chunk size is 128 MiB ('--chunk-size 27').
- This option allows to specify a limit of up to 4 EiB ('--chunk-size
- 62') for experiments.
+ To facilitate software tests and experiments this option allows to
+ specify a limit of up to 4 EiB ('--chunk-size 62').
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
signatures made using SHA-1, those key signatures are considered
invalid. This options allows to override this restriction.
+'--override-compliance-check'
+ The signature verification only allows the use of keys suitable in
+ the current compliance mode. If the compliance mode has been
+ forced by a global option, there might be no way to check certain
+ signature. This option allows to override this and prints an extra
+ warning in such a case. This option is ignored in -batch mode so
+ that no accidental unattended verification may happen.
+
'--no-default-keyring'
- Do not add the default keyrings to the list of keyrings. Note that
- GnuPG will not operate without any keyrings, so if you use this
- option and do not provide alternate keyrings via '--keyring' or
- '--secret-keyring', then GnuPG will still use the default public or
- secret keyrings.
+ Do not add the default keyring to the list of keyrings. Note that
+ GnuPG needs for almost all operations a keyring. Thus if you use
+ this option and do not provide alternate keyrings via '--keyring',
+ then GnuPG will still use the default keyring.
+
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
'--no-keyring'
Do not use any keyring at all. This overrides the default and all
sub-commands of '--edit-key' by forcing the creation of a key
signature, even if one already exists.
+'--forbid-gen-key'
+ This option is intended for use in the global config file to
+ disallow the use of generate key commands. Those commands will
+ then fail with the error code for Not Enabled.
+
'--allow-secret-key-import'
This is an obsolete option and is not used anywhere.
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys.backup
- $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-options restore --import publickeys.backup
$ gpg --import-ownertrust otrust.lst
'~/.gnupg/pubring.kbx.lock'
loaded. If it can't be loaded the Registry is tried and as last
resort the native Windows locale system is used.
+GNUPG_BUILD_ROOT
+ This variable is only used by the regression test suite as a helper
+ under operating systems without proper support to figure out the
+ name of a process' text file.
+
+GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
When calling the gpg-agent component 'gpg' sends a set of environment
variables to gpg-agent. The names of these variables can be listed
using the command:
VALUE spans to the end of the expression.
-c
The string match in this part is done case-sensitive.
+-t
+ Leading and trailing spaces are not removed from VALUE. The
+ optional single space after OP is here required.
The filter options concatenate several specifications for a filter of
the same type. For example the four options in this example:
'-vv'.
'--keyserver STRING'
- Add an LDAP server to use for certificate and CRL lookup. This
- option can be given multiple times to configure more than one LDAP
- server. Note that the 'dirmngr' can in addition be configured with
- a default list of LDAP servers to be used after those configured
- with this option. The syntax of STRING is:
-
- HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS
-
- The only defined flag is 'ldaps' to specify that a TLS connections
- shall be used. Flags are comma delimited; unknown flags are
- ignored.
+ This is a deprecated option. It was used to add an LDAP server to
+ use for X.509 certificate and CRL lookup. The alias '--ldapserver'
+ existed from version 2.2.28 to 2.2.33 and 2.3.2 to 2.3.4 but is now
+ entirely ignored.
- Note that all parts of that string are expected to be UTF-8
- encoded. This may lead to problems if the PASSWORD has originally
- been encoded as Latin-1; in such a case better configure such an
- LDAP server using the global configuration of 'dirmngr'.
-
- Here is an example which uses the default port, no username, no
- password, and requests a TLS connection:
-
- --keyserver ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaps
+ LDAP servers must be given in the configuration for 'dirmngr'.
'--policy-file FILENAME'
Change the default name of the policy file to FILENAME. The
like "digest algo 8 has not been enabled" you may want to try this
option, with 'SHA256' for NAME.
+'--compliance STRING'
+ Set the compliance mode. Valid values are shown when using "help"
+ for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpgsm user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpgsm process
+ exits with a failure if the compliance rules are not fulfilled.
+ Note that this option has currently an effect only in "de-vs" mode.
+
+'--ignore-cert-with-oid OID'
+ Add OID to the list of OIDs to be checked while reading
+ certificates from smartcards. The OID is expected to be in dotted
+ decimal form, like '2.5.29.3'. This option may be used more than
+ once. As of now certificates with an extended key usage matching
+ one of those OIDs are ignored during a '--learn-card' operation and
+ not imported. This option can help to keep the local key database
+ clear of unneeded certificates stored on smartcards.
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
that they are included anyway if the key specification for a
listing is given as fingerprint or keygrip.
+'--compatibility-flags FLAGS'
+ Set compatibility flags to work around problems due to
+ non-compliant certificates or data. The FLAGS are given as a comma
+ separated list of flag names and are OR-ed together. The special
+ flag "none" clears the list and allows to start over with an empty
+ list. To get a list of available flags the sole word "help" can be
+ used.
+
'--debug-level LEVEL'
Select the debug level for investigating problems. LEVEL may be a
numeric value or by a keyword:
file describing a regular TCP listening port) is the standard way
of connecting the 'gpg-agent'.
-\1f
-File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
-
-5.4 Examples
-============
-
- $ gpgsm -er goo@bar.net <plaintext >ciphertext
-
-\1f
-File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
-
-5.5 Unattended Usage
-====================
-
-'gpgsm' is often used as a backend engine by other software. To help
-with this a machine interface has been defined to have an unambiguous
-way to do this. This is most likely used with the '--server' command
-but may also be used in the standard operation mode by using the
-'--status-fd' option.
-
-* Menu:
-
-* Automated signature checking:: Automated signature checking.
-* CSR and certificate creation:: CSR and certificate creation.
-
-\1f
-File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage
-
-5.5.1 Automated signature checking
-----------------------------------
-
-It is very important to understand the semantics used with signature
-verification. Checking a signature is not as simple as it may sound and
-so the operation is a bit complicated. In most cases it is required to
-look at several status lines. Here is a table of all cases a signed
-message may have:
-
-The signature is valid
- This does mean that the signature has been successfully verified,
- the certificates are all sane. However there are two subcases with
- important information: One of the certificates may have expired or
- a signature of a message itself as expired. It is a sound practise
- to consider such a signature still as valid but additional
- information should be displayed. Depending on the subcase 'gpgsm'
- will issue these status codes:
- signature valid and nothing did expire
- 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but at least one certificate has expired
- 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but expired
- 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is
- currently not implemented.
-
-The signature is invalid
- This means that the signature verification failed (this is an
- indication of a transfer error, a program error or tampering with
- the message). 'gpgsm' issues one of these status codes sequences:
- 'BADSIG'
- 'GOODSIG, VALIDSIG TRUST_NEVER'
-
-Error verifying a signature
- For some reason the signature could not be verified, i.e. it
- cannot be decided whether the signature is valid or invalid. A
- common reason for this is a missing certificate.
-
-\1f
-File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage
-
-5.5.2 CSR and certificate creation
-----------------------------------
-
-The command '--generate-key' may be used along with the option '--batch'
-to either create a certificate signing request (CSR) or an X.509
-certificate. This is controlled by a parameter file; the format of this
-file is as follows:
-
- * Text only, line length is limited to about 1000 characters.
- * UTF-8 encoding must be used to specify non-ASCII characters.
- * Empty lines are ignored.
- * Leading and trailing while space is ignored.
- * A hash sign as the first non white space character indicates a
- comment line.
- * Control statements are indicated by a leading percent sign, the
- arguments are separated by white space from the keyword.
- * Parameters are specified by a keyword, followed by a colon.
- Arguments are separated by white space.
- * The first parameter must be 'Key-Type', control statements may be
- placed anywhere.
- * The order of the parameters does not matter except for 'Key-Type'
- which must be the first parameter. The parameters are only used
- for the generated CSR/certificate; parameters from previous sets
- are not used. Some syntactically checks may be performed.
- * Key generation takes place when either the end of the parameter
- file is reached, the next 'Key-Type' parameter is encountered or at
- the control statement '%commit' is encountered.
-
-Control statements:
-
-%echo TEXT
- Print TEXT as diagnostic.
-
-%dry-run
- Suppress actual key generation (useful for syntax checking).
-
-%commit
- Perform the key generation. Note that an implicit commit is done
- at the next Key-Type parameter.
-
-General Parameters:
-
-Key-Type: ALGO
- Starts a new parameter block by giving the type of the primary key.
- The algorithm must be capable of signing. This is a required
- parameter. The supported values for ALGO are 'rsa', 'ecdsa', and
- 'eddsa'.
-
-Key-Length: NBITS
- The requested length of a generated key in bits. Defaults to 3072.
- The value is ignored for ECC algorithms.
-
-Key-Grip: HEXSTRING
- This is optional and used to generate a CSR or certificate for an
- already existing key. Key-Length will be ignored when given.
-
-Key-Usage: USAGE-LIST
- Space or comma delimited list of key usage, allowed values are
- 'encrypt', 'sign' and 'cert'. This is used to generate the
- keyUsage extension. Please make sure that the algorithm is capable
- of this usage. Default is to allow encrypt and sign.
-
-Name-DN: SUBJECT-NAME
- This is the Distinguished Name (DN) of the subject in RFC-2253
- format.
-
-Name-Email: STRING
- This is an email address for the altSubjectName. This parameter is
- optional but may occur several times to add several email addresses
- to a certificate.
-
-Name-DNS: STRING
- The is an DNS name for the altSubjectName. This parameter is
- optional but may occur several times to add several DNS names to a
- certificate.
-
-Name-URI: STRING
- This is an URI for the altSubjectName. This parameter is optional
- but may occur several times to add several URIs to a certificate.
-
-Additional parameters used to create a certificate (in contrast to a
-certificate signing request):
-
-Serial: SN
- If this parameter is given an X.509 certificate will be generated.
- SN is expected to be a hex string representing an unsigned integer
- of arbitrary length. The special value 'random' can be used to
- create a 64 bit random serial number.
-
-Issuer-DN: ISSUER-NAME
- This is the DN name of the issuer in RFC-2253 format. If it is not
- set it will default to the subject DN and a special GnuPG extension
- will be included in the certificate to mark it as a standalone
- certificate.
-
-Creation-Date: ISO-DATE
-Not-Before: ISO-DATE
- Set the notBefore date of the certificate. Either a date like
- '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like
- '19860426T042640' may be used. The time is considered to be UTC.
- If it is not given the current date is used.
-
-Expire-Date: ISO-DATE
-Not-After: ISO-DATE
- Set the notAfter date of the certificate. Either a date like
- '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like
- '20630405T170000' may be used. The time is considered to be UTC.
- If it is not given a default value in the not too far future is
- used.
-
-Signing-Key: KEYGRIP
- This gives the keygrip of the key used to sign the certificate. If
- it is not given a self-signed certificate will be created. For
- compatibility with future versions, it is suggested to prefix the
- keygrip with a '&'.
-
-Hash-Algo: HASH-ALGO
- Use HASH-ALGO for this CSR or certificate. The supported hash
- algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may
- also be specified with uppercase letters. The default is 'sha256'.
-
-Authority-Key-Id: HEXSTRING
- Insert the decoded value of HEXSTRING as authorityKeyIdentifier.
- If this is not given and an ECC algorithm is used the public part
- of the certified public key is used as authorityKeyIdentifier. To
- inhibit any authorityKeyIdentifier use the special value 'none' for
- HEXSTRING.
-
-Subject-Key-Id: HEXSTRING
- Insert the decoded value of HEXSTRING as subjectKeyIdentifier. If
- this is not given and an ECC algorithm is used the public part of
- the signing key is used as authorityKeyIdentifier. To inhibit any
- subjectKeyIdentifier use the special value 'none' for HEXSTRING.
-
projects / platform / upstream / gpg2.git / blobdiff