This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
-This is the 'The GNU Privacy Guard Manual' (version 2.2.26-beta25,
-December 2020).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
Using the GNU Privacy Guard
***************************
-This is the 'The GNU Privacy Guard Manual' (version 2.2.26-beta25,
-December 2020).
+This is the 'The GNU Privacy Guard Manual' (version 2.3.8-beta83,
+October 2022).
(C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
(C) 2013, 2014, 2015 Werner Koch.
* Specify a User ID:: How to Specify a User Id.
* Trust Values:: How GnuPG displays trust values.
-* Helper Tools:: Description of small helper tools
-* Web Key Service:: Tools for the Web Key Service
+* Smart Card Tool:: Tool to administrate smart cards.
+* Helper Tools:: Description of small helper tools.
+* Web Key Service:: Tools for the Web Key Service.
* Howtos:: How to do certain things.
* System Notes:: Notes pertaining to certain OSes.
-* Debugging:: How to solve problems
+* Debugging:: How to solve problems.
* Copying:: GNU General Public License says
- how you can copy and share GnuPG
+ how you can copy and share GnuPG.
* Contributors:: People who have contributed to GnuPG.
* Glossary:: Short description of terms used.
'--supervised'
Run in the foreground, sending logs by default to stderr, and
listening on provided file descriptors, which must already be bound
- to listening sockets. This command is useful when running under
- systemd or other similar process supervision schemes. This option
- is not supported on Windows.
+ to listening sockets. This option is deprecated and not supported
+ on Windows.
+
+ If in 'common.conf' the option 'no-autostart' is set, any start
+ attemps will be ignored.
In -supervised mode, different file descriptors can be provided for
use as different socket types (e.g. ssh, extra) as long as they
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- This option is only useful for debugging and the behavior may
- change at any time without notice. FLAGS are bit encoded and may
- be given in usual C-Syntax. The currently defined bits are:
-
- '0 (1)'
- X.509 or OpenPGP protocol related data
- '1 (2)'
- values of big number integers
- '2 (4)'
- low level crypto operations
- '5 (32)'
- memory allocation
- '6 (64)'
- caching
- '7 (128)'
- show memory statistics
- '9 (512)'
- write hashed data to files named 'dbgmd-000*'
- '10 (1024)'
- trace Assuan protocol
- '12 (4096)'
- bypass all certificate validation
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Same as '--debug=0xffffffff'
Don't detach the process from the console. This is mainly useful
for debugging.
+'--steal-socket'
+ In '--daemon' mode, gpg-agent detects an already running gpg-agent
+ and does not allow to start a new instance. This option can be
+ used to override this check: the new gpg-agent process will try to
+ take over the communication sockets from the already running
+ process and start anyway. This option should in general not be
+ used.
+
'-s'
'--sh'
'-c'
the 'trustlist.txt' file. This makes it harder for users to
inadvertently accept Root-CA keys.
+'--no-user-trustlist'
+ Entirely ignore the user trust list and consider only the global
+ trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note
+ option --no-allow-mark-trusted::.
+
+'--sys-trustlist-name FILE'
+ Changes the default name for the global trustlist from
+ "trustlist.txt" to FILE. If FILE does not contain any slashes and
+ does not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg').
+
'--allow-preset-passphrase'
This option allows the use of 'gpg-preset-passphrase' to seed the
internal cache of 'gpg-agent' with passphrases.
Defaults to 1.
'--check-passphrase-pattern FILE'
+'--check-sym-passphrase-pattern FILE'
Check the passphrase against the pattern given in FILE. When
entering a new passphrase matching one of these pattern a warning
- will be displayed. FILE should be an absolute filename. The
- default is not to use any pattern file.
+ will be displayed. If FILE does not contain any slashes and does
+ not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg'). The default is not to use any pattern
+ file. The second version of this option is only used when creating
+ a new symmetric key to allow the use of different patterns for such
+ passphrases.
Security note: It is known that checking a passphrase against a
list of pattern or even against a complete dictionary is not very
timeout, however a Pinentry may use its own default timeout value
in this case. A Pinentry may or may not honor this request.
+'--pinentry-formatted-passphrase'
+ This option asks the Pinentry to enable passphrase formatting when
+ asking the user for a new passphrase and masking of the passphrase
+ is turned off.
+
+ If passphrase formatting is enabled, then all non-breaking space
+ characters are stripped from the entered passphrase. Passphrase
+ formatting is mostly useful in combination with passphrases
+ generated with the GENPIN feature of some Pinentries. Note that
+ such a generated passphrase, if not modified by the user, skips all
+ passphrase constraints checking because such constraints would
+ actually weaken the generated passphrase.
+
'--pinentry-program FILENAME'
Use program FILENAME as the PIN entry. The default is installation
dependent. With the default configuration the name of the default
'--enable-extended-key-format'
'--disable-extended-key-format'
- Since version 2.2.22 keys are created in the extended private key
- format by default. Changing the passphrase of a key will also
- convert the key to that new format. This key format is supported
- since GnuPG version 2.1.12 and thus there should be no need to
- disable it. Anyway, the disable option still allows to revert to
- the old behavior for new keys; be aware that keys are never
- migrated back to the old format. If the enable option has been
- used the disable option won't have an effect. The advantage of the
- extended private key format is that it is text based and can carry
- additional meta data. In extended key format the OCB mode is used
- for key protection.
+ Since version 2.3 keys are created in the extended private key
+ format. Changing the passphrase of a key will also convert the key
+ to that new format. This new key format is supported since GnuPG
+ version 2.1.12 and thus there should be no need to disable it. The
+ disable option allows to revert to the old behavior for new keys;
+ be aware that keys are never migrated back to the old format.
+ However if the enable option has been used the disable option won't
+ have an effect. The advantage of the extended private key format
+ is that it is text based and can carry additional meta data.
'--enable-ssh-support'
'--enable-putty-support'
As a special feature a line 'include-default' will include a global
list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').
- This global list is also used if the local list is not available.
+ This global list is also used if the local list is not available;
+ the *note option --no-user-trustlist:: enforces the use of only
+ this global list.
It is possible to add further flags after the 'S' for use by the
caller:
this flag set fails, try again using the chain validation
model.
+ 'qual'
+ The CA is allowed to issue certificates for qualified
+ signatures. This flag has an effect only if used in the
+ global list. This is now the preferred way to mark such CA;
+ the old way of having a separate file 'qualified.txt' is still
+ supported.
+
'sshcontrol'
This file is used when support for the secure shell agent protocol
has been enabled (*note option --enable-ssh-support::). Only keys
'KEY'
Incremented for added or removed private keys.
'CARD'
- Incremented for changes of the card readers stati.
+ Incremented for each change of the card reader's status.
\1f
File: gnupg.info, Node: Agent GETINFO, Next: Agent OPTION, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol
'--supervised'
Run in the foreground, sending logs to stderr, and listening on
file descriptor 3, which must already be bound to a listening
- socket. This is useful when running under systemd or other similar
- process supervision schemes. This option is not supported on
- Windows.
+ socket. This option is deprecated and not supported on Windows.
'--list-crls'
List the contents of the CRL cache on 'stdout'. This is probably
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- Set debugging flags. This option is only useful for debugging and
- its behavior may change with a new release. All flags are or-ed
- and may be given in C syntax (e.g. 0x0042) or as a comma separated
- list of flag names. To get a list of all supported flags the
- single word "help" can be used.
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Same as '--debug=0xffffffff'
'--use-tor' cannot be overridden by any other command or even by
reloading dirmngr. The use of '--no-use-tor' disables the use of
Tor. The default is to use Tor if it is available on startup or
- after reloading dirmngr.
+ after reloading dirmngr. The test on the availability of Tor is
+ done by trying to connect to a SOCKS proxy at either port 9050 or
+ 9150; if another type of proxy is listening on one of these ports,
+ you should use '--no-use-tor'.
'--standard-resolver'
This option forces the use of the system's standard DNS resolver
only to this particular keyserver.
Most keyservers synchronize with each other, so there is generally
- no need to send keys to more than one server. The keyserver
- 'hkp://keys.gnupg.net' uses round robin DNS to give a different
- keyserver each time you use it.
+ no need to send keys to more than one server. Somes keyservers use
+ round robin DNS to give a different keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor
hidden service (.onion), Dirmngr selects the keyserver to use
a running Tor is done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the
- built-in default of 'hkps://hkps.pool.sks-keyservers.net'.
+ built-in default of 'https://keyserver.ubuntu.com'.
Windows users with a keyserver running on their Active Directory
- should use 'ldap:///' for NAME to access this directory.
+ may use the short form 'ldap:///' for NAME to access this
+ directory.
For accessing anonymous LDAP keyservers NAME is in general just a
'ldaps://ldap.example.com'. A BaseDN parameter should never be
- specified. If authentication is required the value of NAME is for
- example:
+ specified. If authentication is required things are more
+ complicated and two methods are available:
+
+ The modern method (since version 2.2.28) is to use the very same
+ syntax as used with the option '--ldapserver'. Please see over
+ there for details; here is an example:
+
+ keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
+ dc=example,dc=com:PASSWORD::starttls
+
+ The other method is to use a full URL for NAME; for example:
keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
Put this all on one line without any spaces and keep the '%2C' as
given. Replace USERNAME, PASSWORD, and the 'dc' parts according to
- the instructions received from the LDAP administrator. Note that
+ the instructions received from your LDAP administrator. Note that
only simple authentication (i.e. cleartext passwords) is supported
- and thus using ldaps is strongly suggested.
+ and thus using ldaps is strongly suggested (since 2.2.28 "ldaps"
+ defaults to port 389 and uses STARTTLS). On Windows authentication
+ via AD can be requested by adding 'gpgNtds=1' after the fourth
+ question mark instead of the bindname and password parameter.
'--nameserver IPADDR'
In "Tor mode" Dirmngr uses a public resolver via Tor to resolve DNS
LDAP server if the connection using the "proxy" failed.
'--ldapserverlist-file FILE'
- Read the list of LDAP servers to consult for CRLs and certificates
- from file instead of the default per-user ldap server list file.
- The default value for FILE is 'dirmngr_ldapservers.conf'.
+ Read the list of LDAP servers to consult for CRLs and X.509
+ certificates from file instead of the default per-user ldap server
+ list file. The default value for FILE is
+ 'dirmngr_ldapservers.conf'.
This server list file contains one LDAP server per line in the
format
- HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN
+ HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS
Lines starting with a '#' are comments.
here than to put such a password in the binary encoding into the
file (i.e. non-ascii characters won't show up readable).(1)
+'--ldapserver SPEC'
+ This is an alternative way to specify LDAP servers for CRL and
+ X.509 certificate retrieval. If this option is used the servers
+ configured in 'dirmngr_ldapservers.conf' (or the file given by
+ '--ldapserverlist-file') are cleared. Note that
+ 'dirmngr_ldapservers.conf' is not read again by a reload signal.
+ However, '--ldapserver' options are read again.
+
+ SPEC is either a proper LDAP URL or a colon delimited list of the
+ form
+
+ HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS:
+
+ with an optional prefix of 'ldap:' (but without the two slashes
+ which would turn this into a proper LDAP URL). FLAGS is a list of
+ one or more comma delimited keywords:
+ 'plain'
+ The default: Do not use a TLS secured connection at all; the
+ default port is 389.
+ 'starttls'
+ Use STARTTLS to secure the connection; the default port is
+ 389.
+ 'ldaptls'
+ Tunnel LDAP through a TLS connection; the default port is 636.
+ 'ntds'
+ On Windows authenticate the LDAP connection using the Active
+ Directory with the current user.
+ 'areconly'
+ On Windows use only the A or AAAA record when resolving the
+ LDAP server name.
+
+ Note that in an URL style specification the scheme 'ldaps://'
+ refers to STARTTLS and _not_ to LDAP-over-TLS.
+
'--ldaptimeout SECS'
Specify the number of seconds to wait for an LDAP query before
timing out. The default are 15 seconds. 0 will never timeout.
'--add-servers'
This option makes dirmngr add any servers it discovers when
validating certificates against CRLs to the internal list of
- servers to consult for certificates and CRLs.
-
- This option is useful when trying to validate a certificate that
- has a CRL distribution point that points to a server that is not
- already listed in the ldapserverlist. Dirmngr will always go to
- this server and try to download the CRL, but chances are high that
- the certificate used to sign the CRL is located on the same server.
- So if dirmngr doesn't add that new server to list, it will often
- not be able to verify the signature of the CRL unless the
+ servers to consult for certificates and CRLs. This option should
+ in general not be used.
+
+ This option might be useful when trying to validate a certificate
+ that has a CRL distribution point that points to a server that is
+ not already listed in the ldapserverlist. Dirmngr will always go
+ to this server and try to download the CRL, but chances are high
+ that the certificate used to sign the CRL is located on the same
+ server. So if dirmngr doesn't add that new server to list, it will
+ often not be able to verify the signature of the CRL unless the
'--add-servers' option is used.
- Note: The current version of dirmngr has this option disabled by
- default.
+ Caveat emptor: Using this option may enable denial-of-service
+ attacks and leak search requests to unknown third parties. This is
+ because arbitrary servers are added to the internal list of LDAP
+ servers which in turn is used for all unspecific LDAP queries as
+ well as a fallback for queries which did not return a result.
'--allow-ocsp'
This option enables OCSP support if requested by the client.
with care because extensions are usually flagged as critical for a
reason.
+'--ignore-cert FPR|FILE'
+ Entirely ignore certificates with the fingerprint FPR. As an
+ alternative to the fingerprint a filename can be given in which
+ case all certificates described in that file are ignored. Any
+ argument which contains a slash, dot or tilde is considered a
+ filename. Usual filename expansion takes place: A tilde at the
+ start followed by a slash is replaced by the content of 'HOME', no
+ slash at start describes a relative filename which will be searched
+ at the home directory. To make sure that the FILE is searched in
+ the home directory, either prepend the name with "./" or use a name
+ which contains a dot. The format of such a file is a list of SHA-1
+ fingerprint, one per line with optional colons between the bytes.
+ Empty lines and lines prefixed with a hash mark are ignored.
+
+ This option is useful as a quick workaround to exclude certain
+ certificates from the system store.
+
'--hkp-cacert FILE'
Use the root certificates in FILE for verification of the TLS
certificates used with 'hkps' (keyserver access over TLS). If the
This option may be given multiple times to add more root
certificates. Tilde expansion is supported.
- If no 'hkp-cacert' directive is present, dirmngr will make a
- reasonable choice: if the keyserver in question is the special pool
- 'hkps.pool.sks-keyservers.net', it will use the bundled root
- certificate for that pool. Otherwise, it will use the system CAs.
+ If no 'hkp-cacert' directive is present, dirmngr will use the
+ system CAs.
---------- Footnotes ----------
=================
Dirmngr makes use of several directories when running in daemon mode:
-There are a few configuration files whih control the operation of
-dirmngr. By default they may all be found in the current home directory
-(*note option --homedir::).
+There are a few configuration files to control the operation of dirmngr.
+By default they may all be found in the current home directory (*note
+option --homedir::).
'dirmngr.conf'
This is the standard configuration file read by 'dirmngr' on
will be created by dirmngr if it does not exists but you need to
make sure that the upper directory exists.
- To be able to see what's going on you should create the configure
-file '~/gnupg/dirmngr.conf' with at least one line:
+ Several options control the use of trusted certificates for TLS and
+CRLs. Here is an Overview on the use and origin of those Root CA
+certificates:
+
+System
+
+ These System root certificates are used by: FIXME
+
+ The origin of the system provided certificates depends on the
+ platform. On Windows all certificates from the Windows System
+ Stores 'ROOT' and 'CA' are used.
+
+ On other platforms the certificates are read from the first file
+ found form this list: '/etc/ssl/ca-bundle.pem',
+ '/etc/ssl/certs/ca-certificates.crt', '/etc/pki/tls/cert.pem',
+ '/usr/local/share/certs/ca-root-nss.crt', '/etc/ssl/cert.pem'.
+
+GnuPG
+
+ The GnuPG specific certificates stored in the directory
+ '/etc/gnupg/trusted-certs' are only used to validate CRLs.
+
+OpenPGP keyserver
+
+ For accessing the OpenPGP keyservers the only certificates used are
+ those set with the configuration option 'hkp-cacert'.
+
+OpenPGP keyserver pool
+
+ This is usually only one certificate read from the file
+ '/usr/local/share/gnupg/gnupg/sks-keyservers.netCA.pem'. If this
+ certificate exists it is used to access the special keyservers
+ 'hkps.pool.sks-keyservers.net' (or 'hkps://keys.gnupg.net').
+
+ Please note that 'gpgsm' accepts Root CA certificates for its own
+purposes only if they are listed in its file 'trustlist.txt'. 'dirmngr'
+does not make use of this list - except FIXME.
+
+ To be able to see diagnostics it is often useful to put at least the
+following lines into the configuration file '~/gnupg/dirmngr.conf':
log-file ~/dirmngr.log
+ verbose
+
+ You may want to check the log file to see whether all desired root CA
+certificates are correctly loaded.
To be able to perform OCSP requests you probably want to add the
line:
allow-ocsp
- To make sure that new options are read and that after the
-installation of a new GnuPG versions the installed dirmngr is running,
-you may want to kill an existing dirmngr first:
+ To make sure that new options are read or that after the installation
+of a new GnuPG versions the right dirmngr version is running, you should
+kill an existing dirmngr so that a new instance is started as needed by
+the otehr components:
gpgconf --kill dirmngr
- You may check the log file to see whether all desired root
-certificates have been loaded correctly.
+ Direct interfaction with the dirmngr is possible by using the command
+
+ gpg-connect-agent --dirmngr
+
+ Enter 'HELP' at the prompt to see a list of commands and enter 'HELP'
+followed by a command name to get help on that command.
\1f
File: gnupg.info, Node: Dirmngr Signals, Next: Dirmngr Examples, Prev: Dirmngr Configuration, Up: Invoking DIRMNGR
'--locate-keys'
'--locate-external-keys'
Locate the keys given as arguments. This command basically uses
- the same algorithm as used when locating keys for encryption or
- signing and may thus be used to see what keys 'gpg' might use. In
- particular external methods as defined by '--auto-key-locate' may
- be used to locate a key. Only public keys are listed. The variant
- '--locate-external-keys' does not consider a locally existing key
- and can thus be used to force the refresh of a key via the defined
- external methods.
+ the same algorithm as used when locating keys for encryption and
+ may thus be used to see what keys 'gpg' might use. In particular
+ external methods as defined by '--auto-key-locate' are used to
+ locate a key if the arguments comain valid mail addresses. Only
+ public keys are listed.
+
+ The variant '--locate-external-keys' does not consider a locally
+ existing key and can thus be used to force the refresh of a key via
+ the defined external methods. If a fingerprint is given and and
+ the methods defined by -auto-key-locate define LDAP servers, the
+ key is fetched from these resources; defined non-LDAP keyservers
+ are skipped.
'--show-keys'
This commands takes OpenPGP keys as input and prints information
not to request a confirmation.
'--export'
- Either export all keys from all keyrings (default keyrings and
- those registered via option '--keyring'), or if at least one name
- is given, those of the given name. The exported keys are written
- to STDOUT or to the file given with option '--output'. Use
- together with '--armor' to mail those keys.
+ Either export all keys from all keyrings (default keyring and those
+ registered via option '--keyring'), or if at least one name is
+ given, those of the given name. The exported keys are written to
+ STDOUT or to the file given with option '--output'. Use together
+ with '--armor' to mail those keys.
'--send-keys KEYIDS'
Similar to '--export' but sends the keys to a keyserver.
STDIN. With the second form (or a deprecated "*" for ALGO) digests
for all available algorithms are printed.
-'--gen-random 0|1|2 COUNT'
+'--gen-random 0|1|2|16|30 COUNT'
Emit COUNT random bytes of the given quality level 0, 1 or 2. If
COUNT is not given or zero, an endless sequence of random bytes
will be emitted. If used with '--armor' the output will be base64
- encoded. PLEASE, don't use this command unless you know what you
- are doing; it may remove precious entropy from the system!
+ encoded. The special level 16 uses a quality level of 1 and
+ outpust end endless stream of hex-encoded octets. The special
+ level 30 outputs random as 30 zBase-32 characters.
'--gen-prime MODE BITS'
Use the source, Luke :-). The output format is subject to change
'--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
- useful.
+ useful. The '--dearmor' command can also be used to dearmor PEM
+ armors.
+
+'--unwrap'
+ This command is similar to '--decrypt' with the change that the
+ output is not the usual plaintext but the original message with the
+ decryption layer removed. Thus the output will be an OpenPGP data
+ structure which often means a signed OpenPGP message. Note that
+ this command may or may not remove a compression layer which is
+ often found beneath the encryption layer.
'--tofu-policy {auto|good|unknown|bad|ask} KEYS'
Set the TOFU policy for all the bindings associated with the
If this command is used with '--batch', '--pinentry-mode' has been
set to 'loopback', and one of the passphrase options
- ('--passphrase', '--passphrase-fd', or 'passphrase-file') is used,
- the supplied passphrase is used for the new key and the agent does
- not ask for it. To create a key without any protection
+ ('--passphrase', '--passphrase-fd', or '--passphrase-file') is
+ used, the supplied passphrase is used for the new key and the agent
+ does not ask for it. To create a key without any protection
'--passphrase ''' may be used.
To create an OpenPGP key from the keys available on the currently
asked to enter the passphrase of the backup key and then for
the Admin PIN of the card.
+ keytotpm
+ Transfer the selected secret subkey (or the primary key if no
+ subkey has been selected) to TPM form. The secret key in the
+ keyring will be replaced by the TPM representation of that
+ key, which can only be read by the particular TPM that created
+ it (so the keyfile now becomes locked to the laptop containing
+ the TPM). Only certain key types may be transferred to the TPM
+ (all TPM 2.0 systems are mandated to have the rsa2048 and
+ nistp256 algorithms but newer TPMs may have more). Note that
+ the key itself is not transferred into the TPM, merely
+ encrypted by the TPM in-place, so if the keyfile is deleted,
+ the key will be lost. Once transferred to TPM representation,
+ the key file can never be converted back to non-TPM form and
+ the key will die when the TPM does, so you should first have a
+ backup on secure offline storage of the actual secret key file
+ before conversion. It is essential to use the physical system
+ TPM that you have rw permission on the TPM resource manager
+ device (/dev/tpmrm0). Usually this means you must be a member
+ of the tss group.
+
delkey
Remove a subkey (secondary key). Note that it is not possible
to retract a subkey, once it has been send to the public (i.e.
bring older keys up to date.
save
- Save all changes to the keyrings and quit.
+ Save all changes to the keyring and quit.
quit
- Quit the program without updating the keyrings.
+ Quit the program without updating the keyring.
The listing shows you the key with its secondary keys and all user
IDs. The primary user ID is indicated by a dot, and selected keys
'--sign-key NAME'
Signs a public key with your secret key. This is a shortcut
- version of the subcommand "sign" from '--edit'.
+ version of the subcommand "sign" from '--edit-key'.
'--lsign-key NAME'
Signs a public key with your secret key but marks it as
interaction. The FPR must be the verified primary fingerprint of a
key in the local keyring. If no NAMES are given, all useful user
ids are signed; with given [NAMES] only useful user ids matching
- one of theses names are signed. By default, or if a name is
+ one of these names are signed. By default, or if a name is
prefixed with a '*', a case insensitive substring match is used.
If a name is prefixed with a '=' a case sensitive exact match is
done.
The command '--quick-lsign-key' marks the signatures as
non-exportable. If such a non-exportable signature already exists
- the '--quick-sign-key' turns it into a exportable signature.
+ the '--quick-sign-key' turns it into a exportable signature. If
+ you need to update an existing signature, for example to add or
+ change notation data, you need to use the option
+ '--force-sign-key'.
This command uses reasonable defaults and thus does not provide the
full flexibility of the "sign" subcommand from '--edit-key'. Its
'--passwd USER-ID'
Change the passphrase of the secret key belonging to the
certificate specified as USER-ID. This is a shortcut for the
- sub-command 'passwd' of the edit key menu. When using together
+ sub-command 'passwd' of the '--edit-key' menu. When using together
with the option '--dry-run' this will not actually change the
passphrase but check that the current passphrase is correct.
4.2.1 How to change the configuration
-------------------------------------
-These options are used to change the configuration and are usually found
-in the option file.
+These options are used to change the configuration and most of them are
+usually found in the option file.
'--default-key NAME'
Use NAME as the default key to sign with. If this option is not
'--default-key'.
'--no-default-recipient'
- Reset '--default-recipient' and '--default-recipient-self'.
+ Reset '--default-recipient' and '--default-recipient-self'. Should
+ not be used in an option file.
'-v, --verbose'
Give more information during processing. If used twice, the input
data is listed in detail.
'--no-verbose'
- Reset verbose level to 0.
+ Reset verbose level to 0. Should not be used in an option file.
'-q, --quiet'
- Try to be as quiet as possible.
+ Try to be as quiet as possible. Should not be used in an option
+ file.
'--batch'
'--no-batch'
(in particular if gpg figures that the input is a detached
signature and no data file has been specified). Thus if you do not
want to feed data via STDIN, you should connect STDIN to
- g'/dev/null'.
+ '/dev/null'.
It is highly recommended to use this option along with the options
'--status-fd' and '--with-colons' for any unattended use of 'gpg'.
+ Should not be used in an option file.
'--no-tty'
Make sure that the TTY (terminal) is never used for any output.
warnings to the TTY even if '--batch' is used.
'--yes'
- Assume "yes" on most questions.
+ Assume "yes" on most questions. Should not be used in an option
+ file.
'--no'
- Assume "no" on most questions.
+ Assume "no" on most questions. Should not be used in an option
+ file.
'--list-options PARAMETERS'
This is a space or comma delimited string that gives options used
For each user-id which has a valid mail address print only the
fingerprint followed by the mail address.
+ sort-sigs
+ With -list-sigs and -check-sigs sort the signatures by keyID
+ and creation time to make it easier to view the history of
+ these signatures. The self-signature is also listed before
+ other signatures. Defaults to yes.
+
'--verify-options PARAMETERS'
This is a space or comma delimited string that gives options used
when verifying signatures. Options can be prepended with a 'no-'
That is all the AKA lines as well as photo Ids are not shown
with the signature verification status.
- pka-lookups
- Enable PKA lookups to verify sender addresses. Note that PKA
- is based on DNS, and so enabling this option may disclose
- information on when and what signatures are verified or to
- whom data is encrypted. This is similar to the "web bug"
- described for the '--auto-key-retrieve' option.
-
- pka-trust-increase
- Raise the trust in a signature to full if the signature passes
- PKA validation. This option is only meaningful if pka-lookups
- is set.
-
'--enable-large-rsa'
'--disable-large-rsa'
With -generate-key and -batch, enable the creation of RSA secret
Add FILE to the current list of keyrings. If FILE begins with a
tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the
- GnuPG home directory ("~/.gnupg" if '--homedir' or $GNUPGHOME is
- not used).
+ GnuPG home directory ("~/.gnupg" unless '--homedir' or $GNUPGHOME
+ is used).
Note that this adds a keyring to the current list. If the intent
is to use the specified keyring alone, use '--keyring' along with
If the option '--no-keyring' has been used no keyrings will be used
at all.
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
+
+'--primary-keyring FILE'
+ This is a varian of '--keyring' and designates FILE as the primary
+ public keyring. This means that newly imported keys (via
+ '--import' or keyserver '--recv-from') will go to this keyring.
+
'--secret-keyring FILE'
This is an obsolete option and ignored. All secret keys are stored
in the 'private-keys-v1.d' directory below the GnuPG home
directory.
-'--primary-keyring FILE'
- Designate FILE as the primary public keyring. This means that
- newly imported keys (via '--import' or keyserver '--recv-from')
- will go to this keyring.
-
'--trustdb-name FILE'
Use FILE instead of the default trustdb. If FILE begins with a
tilde and a slash, these are replaced by the $HOME directory. If
of data to be encrypted or signed; GnuPG does not recode
user-supplied data. If this option is not used, the default
character set is determined from the current locale. A verbosity
- level of 3 shows the chosen set. Valid values for NAME are:
+ level of 3 shows the chosen set. This option should not be used on
+ Windows. Valid values for NAME are:
iso-8859-1
This is the Latin 1 set.
default ('--no-utf8-strings') is to assume that arguments are
encoded in the character set as specified by '--display-charset'.
These options affect all following arguments. Both options may be
- used multiple times.
+ used multiple times. This option should not be used in an option
+ file.
+
+ This option has no effect on Windows. There the internal used
+ UTF-8 encoding is translated for console input and output. The
+ command line arguments are expected as Unicode and translated to
+ UTF-8. Thus when calling this program from another, make sure to
+ use the Unicode version of CreateProcess.
'--options FILE'
Read options from FILE and do not try to read them from the default
claim" signatures are always accepted.
'--trusted-key LONG KEY ID OR FINGERPRINT'
- Assume that the specified key (which must be given as a full 8 byte
- key ID or 20 byte fingerprint) is as trustworthy as one of your own
- secret keys. This option is useful if you don't want to keep your
- secret keys (or one of them) online but still want to be able to
- check the validity of a given recipient's or signator's key.
+ Assume that the specified key (which should be given as
+ fingerprint) is as trustworthy as one of your own secret keys.
+ This option is useful if you don't want to keep your secret keys
+ (or one of them) online but still want to be able to check the
+ validity of a given recipient's or signator's key. If the given
+ key is not locally available but an LDAP keyserver is configured
+ the missing key is imported from that server.
'--trust-model {pgp|classic|tofu|tofu+pgp|direct|always|auto}'
Set what trust model GnuPG should follow. The models are:
cert
Locate a key using DNS CERT, as specified in RFC-4398.
- pka
- Locate a key using DNS PKA.
-
dane
Locate a key using DANE, as specified in
draft-ietf-dane-openpgpkey-05.txt.
ntds
Locate the key using the Active Directory (Windows only).
+ This method also allows to search by fingerprint using the
+ command '--locate-external-key'. Note that this mechanism is
+ actually a shortcut for the mechanism 'keyserver' but using
+ "ldap:///" as the keyserver.
keyserver
- Locate a key using a keyserver.
+ Locate a key using a keyserver. This method also allows to
+ search by fingerprint using the command
+ '--locate-external-key' if any of the configured keyservers is
+ an LDAP server.
keyserver-URL
In addition, a keyserver URL as used in the 'dirmngr'
configuration may be used here to query that particular
- keyserver.
+ keyserver. This method also allows to search by fingerprint
+ using the command '--locate-external-key' if the URL specifies
+ an LDAP server.
local
Locate the key using the local keyrings. This mechanism
This is an offline mechanism to get a missing key for signature
verification and for later encryption to this key. If this option
is enabled and a signature includes an embedded key, that key is
- used to verify the signature and on verification success that key
- is imported. The default is '--no-auto-key-import'.
+ used to verify the signature and on verification success the key is
+ imported. The default is '--no-auto-key-import'.
On the sender (signing) site the option '--include-key-block' needs
to be used to put the public part of the signing key as “Key Block
disabled by removing WKD from the auto-key-locate list or by using
the option '--disable-signer-uid'.
- 4. If the option 'honor-pka-record' is active, the legacy PKA
- method is used.
-
- 5. If any keyserver is configured and the Issuer Fingerprint is
+ 4. If any keyserver is configured and the Issuer Fingerprint is
part of the signature (since GnuPG 2.1.16), the configured
keyservers are tried.
communicate with to receive keys from, send keys to, and search for
keys on. The format of the NAME is a URI:
'scheme:[//]keyservername[:port]' The scheme is the type of
- keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap"
- for the LDAP keyservers, or "mailto" for the Graff email keyserver.
- Note that your particular installation of GnuPG may have other
- keyserver types available as well. Keyserver schemes are
- case-insensitive. After the keyserver name, optional keyserver
- configuration options may be provided. These are the same as the
- global '--keyserver-options' from below, but apply only to this
- particular keyserver.
+ keyserver: "hkp"/"hkps" for the HTTP (or compatible) keyservers or
+ "ldap"/"ldaps" for the LDAP keyservers. Note that your particular
+ installation of GnuPG may have other keyserver types available as
+ well. Keyserver schemes are case-insensitive.
Most keyservers synchronize with each other, so there is generally
no need to send keys to more than one server. The keyserver
creator of the key can see when the keys is refreshed. Thus
this option is not enabled by default.
- honor-pka-record
- If '--auto-key-retrieve' is used, and the signature being
- verified has a PKA record, then use the PKA information to
- fetch the key. Defaults to "yes".
-
include-subkeys
When receiving a key, include subkeys as potential targets.
Note that this option is not used with HKP keyservers, as they
'dirmngr' configuration options instead.
The default list of options is: "self-sigs-only, import-clean,
- repair-keys, repair-pks-subkey-bug, export-attributes,
- honor-pka-record".
+ repair-keys, repair-pks-subkey-bug, export-attributes". However,
+ if the actual used source is an LDAP server "no-self-sigs-only" is
+ assumed unless "self-sigs-only" has been explictly configured.
'--completes-needed N'
Number of completely trusted users to introduce a new key signer
'--sender MBOX'
This option has two purposes. MBOX must either be a complete user
- id with a proper mail address or just a mail address. When
- creating a signature this option tells gpg the user id of a key
- used to make a signature if the key was not directly specified by a
- user id. When verifying a signature the MBOX is used to restrict
- the information printed by the TOFU code to matching user ids.
+ ID containing a proper mail address or just a plain mail address.
+ The option can be given multiple times.
+
+ When creating a signature this option tells gpg the signing key's
+ user id used to make the signature and embeds that user ID into the
+ created signature (using OpenPGP's "Signer's User ID" subpacket).
+ If the option is given multiple times a suitable user ID is picked.
+ However, if the signing key was specified directly by using a mail
+ address (i.e. not by using a fingerprint or key ID) this option is
+ used and the mail address is embedded in the created signature.
+
+ When verifying a signature MBOX is used to restrict the information
+ printed by the TOFU code to matching user IDs. If the option is
+ used and the signature contains a "Signer's User ID" subpacket that
+ information is is also used to restrict the printed information.
+ Note that GnuPG considers only the mail address part of a User ID.
+
+ If this option or the said subpacket is available the TRUST lines
+ as printed by option 'status-fd' correspond to the corresponding
+ User ID; if no User ID is known the TRUST lines are computed
+ directly on the key and do not give any information about the User
+ ID. In the latter case it his highly recommended to scripts and
+ other frontends to evaluate the VALIDSIG line, retrieve the key and
+ print all User IDs along with their validity (trust) information.
'--try-secret-key NAME'
For hidden recipients GPG needs to know the keys to use for trial
before processing is forced to stop by the OS limits. Defaults to
0, which means "no limit".
+'--chunk-size N'
+ The AEAD encryption mode encrypts the data in chunks so that a
+ receiving side can check for transmission errors or tampering at
+ the end of each chunk and does not need to delay this until all
+ data has been received. The used chunk size is 2^N byte. The
+ lowest allowed value for N is 6 (64 byte) and the largest is the
+ default of 22 which creates chunks not larger than 4 MiB.
+
'--input-size-hint N'
This option can be used to tell GPG the size of the input data in
bytes. N must be a positive base-10 number. This option is only
import-export
Run the entire import code but instead of storing the key to
- the local keyring write it to the output. The export options
- 'export-pka' and 'export-dane' affect the output. This option
- can be used to remove all invalid parts from a key without the
+ the local keyring write it to the output. The export option
+ 'export-dane' affect the output. This option can for example
+ be used to remove all invalid parts from a key without the
need to store it.
merge-only
example, this reorders signatures, and strips duplicate
signatures. Defaults to yes.
+ bulk-import
+ When used the keyboxd (option 'use-keyboxd' in 'common.conf')
+ does the import within a single transaction.
+
import-minimal
Import the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
"minimize" before export except that the local copy of the key
is not modified. Defaults to no.
- export-pka
- Instead of outputting the key material output PKA records
- suitable to put into DNS zone files. An ORIGIN line is
- printed before each record to allow diverting the records to
- the corresponding zone file.
-
export-dane
Instead of outputting the key material output OpenPGP DANE
records suitable to put into DNS zone files. An ORIGIN line
'--no-force-v4-certs'
These options are obsolete and have no effect since GnuPG 2.1.
+'--force-aead'
+ Force the use of AEAD encryption over MDC encryption. AEAD is a
+ modern and faster way to do authenticated encryption than the old
+ MDC method. See also options '--aead-algo' and '--chunk-size'.
+
'--force-mdc'
'--disable-mdc'
These options are obsolete and have no effect since GnuPG 2.2.8.
- The MDC is always used. But note: If the creation of a legacy
- non-MDC message is exceptionally required, the option '--rfc2440'
- allows for this.
+ The MDC is always used unless the keys indicate that an AEAD
+ algorithm can be used in which case AEAD is used. But note: If the
+ creation of a legacy non-MDC message is exceptionally required, the
+ option '--rfc2440' allows for this.
'--disable-signer-uid'
By default the user ID of the signing key is embedded in the data
option '--auto-key-retrieve'.
'--include-key-block'
+'--no-include-key-block'
This option is used to embed the actual signing key into a data
signature. The embedded key is stripped down to a single user id
and includes only the signing subkey used to create the signature
as well as as valid encryption subkeys. All other info is removed
from the key to keep it and thus the signature small. This option
- is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'.
+ is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'
+ and allows the recipient of a signed message to reply encrypted to
+ the sender without using any online directories to lookup the key.
+ The default is '--no-include-key-block'. See also the option
+ '--auto-key-import'.
'--personal-cipher-preferences STRING'
Set the list of personal cipher preferences to STRING. Use 'gpg
most highly ranked cipher in this list is also used for the
'--symmetric' encryption command.
+'--personal-aead-preferences STRING'
+ Set the list of personal AEAD preferences to STRING. Use 'gpg
+ --version' to get a list of available algorithms, and use 'none' to
+ set no preference at all. This allows the user to safely override
+ the algorithm chosen by the recipient key preferences, as GPG will
+ only select an algorithm that is usable by all recipients. The
+ most highly ranked cipher in this list is also used for the
+ '--symmetric' encryption command.
+
'--personal-digest-preferences STRING'
Set the list of personal digest preferences to STRING. Use 'gpg
--version' to get a list of available algorithms, and use 'none' to
'--gnupg'
Use standard GnuPG behavior. This is essentially OpenPGP behavior
- (see '--openpgp'), but with some additional workarounds for common
+ (see '--openpgp'), but with extension from the proposed update to
+ OpenPGP and with some additional workarounds for common
compatibility problems in different versions of PGP. This is the
default option, so it is not generally needed, but it may be useful
to override a different compliance option in the gpg.conf file.
'--openpgp'
Reset all packet, cipher and digest options to strict OpenPGP
- behavior. Use this option to reset all previous options like
- '--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo'
- to OpenPGP compliant values. All PGP workarounds are disabled.
+ behavior. This option implies '--allow-old-cipher-algos'. Use
+ this option to reset all previous options like '--s2k-*',
+ '--cipher-algo', '--digest-algo' and '--compress-algo' to OpenPGP
+ compliant values. All PGP workarounds are disabled.
'--rfc4880'
Reset all packet, cipher and digest options to strict RFC-4880
- behavior. Note that this is currently the same thing as
- '--openpgp'.
+ behavior. This option implies '--allow-old-cipher-algos'. Note
+ that this is currently the same thing as '--openpgp'.
'--rfc4880bis'
- Enable experimental features from proposed updates to RFC-4880.
- This option can be used in addition to the other compliance
- options. Warning: The behavior may change with any GnuPG release
- and created keys or data may not be usable with future GnuPG
- versions.
+ Reset all packet, cipher and digest options to strict according to
+ the proposed updates of RFC-4880.
'--rfc2440'
Reset all packet, cipher and digest options to strict RFC-2440
behavior. Note that by using this option encryption packets are
created in a legacy mode without MDC protection. This is dangerous
- and should thus only be used for experiments. See also option
- '--ignore-mdc-error'.
+ and should thus only be used for experiments. This option implies
+ '--allow-old-cipher-algos'. See also option '--ignore-mdc-error'.
'--pgp6'
- Set up all options to be as PGP 6 compliant as possible. This
- restricts you to the ciphers IDEA (if the IDEA plugin is
- installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
- and the compression algorithms none and ZIP. This also disables
- '--throw-keyids', and making signatures with signing subkeys as PGP
- 6 does not understand signatures made by signing subkeys.
-
- This option implies '--escape-from-lines'.
+ This option is obsolete; it is handled as an alias for '--pgp7'
'--pgp7'
- Set up all options to be as PGP 7 compliant as possible. This is
- identical to '--pgp6' except that MDCs are not disabled, and the
- list of allowable ciphers is expanded to add AES128, AES192,
- AES256, and TWOFISH.
+ Set up all options to be as PGP 7 compliant as possible. This
+ allowed the ciphers IDEA, 3DES, CAST5,AES128, AES192, AES256, and
+ TWOFISH., the hashes MD5, SHA1 and RIPEMD160, and the compression
+ algorithms none and ZIP. This option implies '--escape-from-lines'
+ and disables '--throw-keyids',
'--pgp8'
Set up all options to be as PGP 8 compliant as possible. PGP 8 is
'--compliance STRING'
This option can be used instead of one of the options above. Valid
values for STRING are the above option names (without the double
- dash) and possibly others as shown when using "help" for VALUE.
+ dash) and possibly others as shown when using "help" for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpg user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpg process exits
+ with a failure if the compliance rules are not fulfilled. Note
+ that this option has currently an effect only in "de-vs" mode.
\1f
File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- Set debugging flags. All flags are or-ed and FLAGS may be given in
- C syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
To get a list of all supported flags the single word "help" can be
- used.
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
'--debug-all'
Set all useful debugging flags.
Set stdout into line buffered mode. This option is only honored
when given on the command line.
+'--debug-set-iobuf-size N'
+ Change the buffer size of the IOBUFs to N kilobyte. Using 0 prints
+ the current size. Note well: This is a maintainer only option and
+ may thus be changed or removed at any time without notice.
+
+'--debug-allow-large-chunks'
+ To facilitate software tests and experiments this option allows to
+ specify a limit of up to 4 EiB ('--chunk-size 62').
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
If you suffix EPOCH with an exclamation mark (!), the system time
will appear to be frozen at the specified time.
+'--full-timestrings'
+ Change the format of printed creation and expiration times from
+ just the date to the date and time. This is in general not useful
+ and the same information is anyway available in '--with-colons'
+ mode. These longer strings are also not well aligned with other
+ printed data.
+
'--enable-progress-filter'
Enable certain PROGRESS status outputs. This option allows
frontends to display a progress indicator while gpg is processing
'--log-file FILE'
'--logger-file FILE'
Same as '--logger-fd', except the logger data is written to file
- FILE. Use 'socket://' to log to a socket. Note that in this
- version of gpg the option has only an effect if '--batch' is also
- used.
+ FILE. Use 'socket://' to log to s socket.
'--attribute-fd N'
Write attribute subpackets to the file descriptor N. This is most
'--version' yields a list of supported algorithms. If this is not
used the cipher algorithm is selected from the preferences stored
with the key. In general, you do not want to use this option as it
- allows you to violate the OpenPGP standard.
+ allows you to violate the OpenPGP standard. The option
'--personal-cipher-preferences' is the safe way to accomplish the
same thing.
+'--aead-algo NAME'
+ Specify that the AEAD algorithm NAME is to be used. This is useful
+ for symmetric encryption where no key preference are available to
+ select the AEAD algorithm. Running 'gpg' with option '--version'
+ shows the available AEAD algorithms. In general, you do not want
+ to use this option as it allows you to violate the OpenPGP
+ standard. The option '--personal-aead-preferences' is the safe way
+ to accomplish the same thing.
+
'--digest-algo NAME'
Use NAME as the message digest algorithm. Running the program with
the command '--version' yields a list of supported algorithms. In
general, you do not want to use this option as it allows you to
- violate the OpenPGP standard. '--personal-digest-preferences' is
- the safe way to accomplish the same thing.
+ violate the OpenPGP standard. The option
+ '--personal-digest-preferences' is the safe way to accomplish the
+ same thing.
'--compress-algo NAME'
Use compression algorithm NAME. "zlib" is RFC-1950 ZLIB
PGP (all versions) only supports ZIP compression. Using any
algorithm other than ZIP or "none" will make the message unreadable
with PGP. In general, you do not want to use this option as it
- allows you to violate the OpenPGP standard.
+ allows you to violate the OpenPGP standard. The option
'--personal-compress-preferences' is the safe way to accomplish the
same thing.
supported algorithms. Be aware that if you choose an algorithm
that GnuPG supports but other OpenPGP implementations do not, then
some users will not be able to use the key signatures you make, or
- quite possibly your entire key.
+ quite possibly your entire key. Note also that a public key
+ algorithm must be compatible with the specified digest algorithm;
+ thus selecting an arbitrary digest algorithm may result in error
+ messages from lower crypto layers or lead to security flaws.
'--disable-cipher-algo NAME'
Never allow the use of NAME as cipher algorithm. The given name
indication of an attack. Use with great caution; see also option
'--rfc2440'.
+'--allow-old-cipher-algos'
+ Old cipher algorithms like 3DES, IDEA, or CAST5 encrypt data using
+ blocks of 64 bits; modern algorithms use blocks of 128 bit instead.
+ To avoid certain attack on these old algorithms it is suggested not
+ to encrypt more than 150 MiByte using the same key. For this
+ reason gpg does not allow the use of 64 bit block size algorithms
+ for encryption unless this option is specified.
+
'--allow-weak-digest-algos'
Signatures made with known-weak digest algorithms are normally
rejected with an "invalid digest algorithm" message. This option
signatures made using SHA-1, those key signatures are considered
invalid. This options allows to override this restriction.
+'--override-compliance-check'
+ The signature verification only allows the use of keys suitable in
+ the current compliance mode. If the compliance mode has been
+ forced by a global option, there might be no way to check certain
+ signature. This option allows to override this and prints an extra
+ warning in such a case. This option is ignored in -batch mode so
+ that no accidental unattended verification may happen.
+
'--no-default-keyring'
- Do not add the default keyrings to the list of keyrings. Note that
- GnuPG will not operate without any keyrings, so if you use this
- option and do not provide alternate keyrings via '--keyring' or
- '--secret-keyring', then GnuPG will still use the default public or
- secret keyrings.
+ Do not add the default keyring to the list of keyrings. Note that
+ GnuPG needs for almost all operations a keyring. Thus if you use
+ this option and do not provide alternate keyrings via '--keyring',
+ then GnuPG will still use the default keyring.
+
+ Note that if the option 'use-keyboxd' is enabled in 'common.conf',
+ no keyrings are used at all and keys are all maintained by the
+ keyboxd process in its own database.
'--no-keyring'
Do not use any keyring at all. This overrides the default and all
the advanced key generation commands can always be used to specify
a key algorithm directly.
+'--no-auto-trust-new-key'
+ When creating a new key the ownertrust of the new key is set to
+ ultimate. This option disables this and the user needs to manually
+ assign an ownertrust value.
+
+'--force-sign-key'
+ This option modifies the behaviour of the commands
+ '--quick-sign-key', '--quick-lsign-key', and the "sign"
+ sub-commands of '--edit-key' by forcing the creation of a key
+ signature, even if one already exists.
+
+'--forbid-gen-key'
+ This option is intended for use in the global config file to
+ disallow the use of generate key commands. Those commands will
+ then fail with the error code for Not Enabled.
+
'--allow-secret-key-import'
This is an obsolete option and is not used anywhere.
'--allow-multiple-messages'
'--no-allow-multiple-messages'
- Allow processing of multiple OpenPGP messages contained in a single
- file or stream. Some programs that call GPG are not prepared to
- deal with multiple messages being processed together, so this
- option defaults to no. Note that versions of GPG prior to 1.4.7
- always allowed multiple messages. Future versions of GnUPG will
- remove this option.
-
- Warning: Do not use this option unless you need it as a temporary
- workaround!
+ These are obsolete options; they have no more effect since GnuPG
+ 2.2.8.
'--enable-special-filenames'
This option enables a mode in which filenames of the form '-&n',
'--default-preference-list STRING'
Set the list of default preferences to STRING. This preference
list is used for new keys and becomes the default for "setpref" in
- the edit menu.
+ the '--edit-key' menu.
'--default-keyserver-url NAME'
Set the default keyserver URL to NAME. This keyserver will be used
file would prevent 'gpg' from startup. Thus it may be used to run
a syntax check on the configuration file.
+'--chuid UID'
+ Change the current user to UID which may either be a number or a
+ name. This can be used from the root account to run gpg for
+ another user. If UID is not the current UID a standard PATH is set
+ and the envvar GNUPGHOME is unset. To override the latter the
+ option '--homedir' can be used. This option has only an effect
+ when used on the command line. This option has currently no effect
+ at all on Windows.
+
---------- Footnotes ----------
(1) Using a little social engineering anyone who is able to decrypt
name may be changed on the command line (*note gpg-option
--options::). You should backup this file.
+'common.conf'
+ This is an optional configuration file read by 'gpg' on startup.
+ It may contain options pertaining to all components of GnuPG. Its
+ current main use is for the "use-keyboxd" option.
+
Note that on larger installations, it is useful to put predefined
files into the directory '/etc/skel/.gnupg' so that newly created users
start up with a working configuration. For existing users a small
$ cd ~/.gnupg
$ gpg --export-ownertrust >otrust.lst
$ mv pubring.gpg publickeys.backup
- $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-options restore --import publickeys.backup
$ gpg --import-ownertrust otrust.lst
'~/.gnupg/pubring.kbx.lock'
of the respective key. It is suggested to backup those
certificates and if the primary private key is not stored on the
disk to move them to an external storage device. Anyone who can
- access theses files is able to revoke the corresponding key. You
+ access these files is able to revoke the corresponding key. You
may want to print them out. You should backup all files in this
directory and take care to keep this backup closed away.
loaded. If it can't be loaded the Registry is tried and as last
resort the native Windows locale system is used.
+GNUPG_BUILD_ROOT
+ This variable is only used by the regression test suite as a helper
+ under operating systems without proper support to figure out the
+ name of a process' text file.
+
+GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
When calling the gpg-agent component 'gpg' sends a set of environment
variables to gpg-agent. The names of these variables can be listed
using the command:
VALUE spans to the end of the expression.
-c
The string match in this part is done case-sensitive.
+-t
+ Leading and trailing spaces are not removed from VALUE. The
+ optional single space after OP is here required.
The filter options concatenate several specifications for a filter of
the same type. For example the four options in this example:
signature was bad, and other error codes for fatal errors.
Note that signature verification requires exact knowledge of what has
-been signed and by whom it has beensigned. Using only the return code
+been signed and by whom it has been signed. Using only the return code
is thus not an appropriate way to verify a signature by a script.
Either make proper use or the status codes or use the 'gpgv' tool which
has been designed to make signature verification easy for scripts.
utilizes the 'dirmngr' service. It uses a format useful mainly for
debugging.
+'--show-certs [FILES]'
+ This command takes certificate files as input and prints
+ information about them in the same format as '--dump-cert' does.
+ Each file may either contain a single binary certificate or several
+ PEM encoded certificates. If no files are given, the input is
+ taken from stdin.
+
+ Please note that the listing format may be changed in future
+ releases and that the option '--with-colons' has currently no
+ effect.
+
'--keydb-clear-some-cert-flags'
This is a debugging aid to reset certain flags in the key database
- which are used to cache certain certificate stati. It is
+ which are used to cache certain certificate statuses. It is
especially useful if a bad CRL or a weird running OCSP responder
did accidentally revoke certificate. There is no security issue
with this command because 'gpgsm' always make sure that the
verbosity by giving several verbose commands to 'gpgsm', such as
'-vv'.
+'--keyserver STRING'
+ This is a deprecated option. It was used to add an LDAP server to
+ use for X.509 certificate and CRL lookup. The alias '--ldapserver'
+ existed from version 2.2.28 to 2.2.33 and 2.3.2 to 2.3.4 but is now
+ entirely ignored.
+
+ LDAP servers must be given in the configuration for 'dirmngr'.
+
'--policy-file FILENAME'
- Change the default name of the policy file to FILENAME.
+ Change the default name of the policy file to FILENAME. The
+ default name is 'policies.txt'.
'--agent-program FILE'
Specify an agent program to be used for secret key operations. The
5.2.5 Doing things one usually do not want to do
------------------------------------------------
+'--chuid UID'
+ Change the current user to UID which may either be a number or a
+ name. This can be used from the root account to run gpgsm for
+ another user. If UID is not the current UID a standard PATH is set
+ and the envvar GNUPGHOME is unset. To override the latter the
+ option '--homedir' can be used. This option has only an effect
+ when used on the command line. This option has currently no effect
+ at all on Windows.
+
'--extra-digest-algo NAME'
Sometimes signatures are broken in that they announce a different
digest algorithm than actually used. 'gpgsm' uses a one-pass data
like "digest algo 8 has not been enabled" you may want to try this
option, with 'SHA256' for NAME.
+'--compliance STRING'
+ Set the compliance mode. Valid values are shown when using "help"
+ for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpgsm user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpgsm process
+ exits with a failure if the compliance rules are not fulfilled.
+ Note that this option has currently an effect only in "de-vs" mode.
+
+'--ignore-cert-with-oid OID'
+ Add OID to the list of OIDs to be checked while reading
+ certificates from smartcards. The OID is expected to be in dotted
+ decimal form, like '2.5.29.3'. This option may be used more than
+ once. As of now certificates with an extended key usage matching
+ one of those OIDs are ignored during a '--learn-card' operation and
+ not imported. This option can help to keep the local key database
+ clear of unneeded certificates stored on smartcards.
+
'--faked-system-time EPOCH'
This option is only useful for testing; it sets the system time
back or forth to EPOCH which is the number of seconds elapsed since
that they are included anyway if the key specification for a
listing is given as fingerprint or keygrip.
+'--compatibility-flags FLAGS'
+ Set compatibility flags to work around problems due to
+ non-compliant certificates or data. The FLAGS are given as a comma
+ separated list of flag names and are OR-ed together. The special
+ flag "none" clears the list and allows to start over with an empty
+ list. To get a list of available flags the sole word "help" can be
+ used.
+
'--debug-level LEVEL'
Select the debug level for investigating problems. LEVEL may be a
numeric value or by a keyword:
are however carefully selected to best aid in debugging.
'--debug FLAGS'
- This option is only useful for debugging and the behaviour may
- change at any time without notice; using '--debug-levels' is the
- preferred method to select the debug verbosity. FLAGS are bit
- encoded and may be given in usual C-Syntax. The currently defined
- bits are:
-
- '0 (1)'
- X.509 or OpenPGP protocol related data
- '1 (2)'
- values of big number integers
- '2 (4)'
- low level crypto operations
- '5 (32)'
- memory allocation
- '6 (64)'
- caching
- '7 (128)'
- show memory statistics
- '9 (512)'
- write hashed data to files named 'dbgmd-000*'
- '10 (1024)'
- trace Assuan protocol
+ Set debug flags. All flags are or-ed and FLAGS may be given in C
+ syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used. This option is only useful for debugging and the behavior
+ may change at any time without notice.
Note, that all flags set using this option may get overridden by
'--debug-level'.
name may be changed on the command line (*note gpgsm-option
--options::). You should backup this file.
+'common.conf'
+ This is an optional configuration file read by 'gpgsm' on startup.
+ It may contain options pertaining to all components of GnuPG. Its
+ current main use is for the "use-keyboxd" option.
+
'policies.txt'
This is a list of allowed CA policies. This file should list the
object identifiers of the policies line by line. Empty lines and
Note that even if a certificate is listed in this file, this does
not mean that the certificate is trusted; in general the
certificates listed in this file need to be listed also in
- 'trustlist.txt'.
-
- This is a global file an installed in the data directory (e.g.
- '/usr/local/share/gnupg/qualified.txt'). GnuPG installs a suitable
- file with root certificates as used in Germany. As new Root-CA
- certificates may be issued over time, these entries may need to be
- updated; new distributions of this software should come with an
- updated list but it is still the responsibility of the
- Administrator to check that this list is correct.
+ 'trustlist.txt'. This is a global file an installed in the sysconf
+ directory (e.g. '/etc/gnupg/qualified.txt').
Every time 'gpgsm' uses a certificate for signing or verification
this file will be consulted to check whether the certificate under
file describing a regular TCP listening port) is the standard way
of connecting the 'gpg-agent'.
-\1f
-File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
-
-5.4 Examples
-============
-
- $ gpgsm -er goo@bar.net <plaintext >ciphertext
-
-\1f
-File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
-
-5.5 Unattended Usage
-====================
-
-'gpgsm' is often used as a backend engine by other software. To help
-with this a machine interface has been defined to have an unambiguous
-way to do this. This is most likely used with the '--server' command
-but may also be used in the standard operation mode by using the
-'--status-fd' option.
-
-* Menu:
-
-* Automated signature checking:: Automated signature checking.
-* CSR and certificate creation:: CSR and certificate creation.
-
-\1f
-File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage
-
-5.5.1 Automated signature checking
-----------------------------------
-
-It is very important to understand the semantics used with signature
-verification. Checking a signature is not as simple as it may sound and
-so the operation is a bit complicated. In most cases it is required to
-look at several status lines. Here is a table of all cases a signed
-message may have:
-
-The signature is valid
- This does mean that the signature has been successfully verified,
- the certificates are all sane. However there are two subcases with
- important information: One of the certificates may have expired or
- a signature of a message itself as expired. It is a sound practise
- to consider such a signature still as valid but additional
- information should be displayed. Depending on the subcase 'gpgsm'
- will issue these status codes:
- signature valid and nothing did expire
- 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but at least one certificate has expired
- 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
- signature valid but expired
- 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is
- currently not implemented.
-
-The signature is invalid
- This means that the signature verification failed (this is an
- indication of a transfer error, a program error or tampering with
- the message). 'gpgsm' issues one of these status codes sequences:
- 'BADSIG'
- 'GOODSIG, VALIDSIG TRUST_NEVER'
-
-Error verifying a signature
- For some reason the signature could not be verified, i.e. it
- cannot be decided whether the signature is valid or invalid. A
- common reason for this is a missing certificate.
-
-\1f
-File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage
-
-5.5.2 CSR and certificate creation
-----------------------------------
-
-The command '--generate-key' may be used along with the option '--batch'
-to either create a certificate signing request (CSR) or an X.509
-certificate. This is controlled by a parameter file; the format of this
-file is as follows:
-
- * Text only, line length is limited to about 1000 characters.
- * UTF-8 encoding must be used to specify non-ASCII characters.
- * Empty lines are ignored.
- * Leading and trailing while space is ignored.
- * A hash sign as the first non white space character indicates a
- comment line.
- * Control statements are indicated by a leading percent sign, the
- arguments are separated by white space from the keyword.
- * Parameters are specified by a keyword, followed by a colon.
- Arguments are separated by white space.
- * The first parameter must be 'Key-Type', control statements may be
- placed anywhere.
- * The order of the parameters does not matter except for 'Key-Type'
- which must be the first parameter. The parameters are only used
- for the generated CSR/certificate; parameters from previous sets
- are not used. Some syntactically checks may be performed.
- * Key generation takes place when either the end of the parameter
- file is reached, the next 'Key-Type' parameter is encountered or at
- the control statement '%commit' is encountered.
-
-Control statements:
-
-%echo TEXT
- Print TEXT as diagnostic.
-
-%dry-run
- Suppress actual key generation (useful for syntax checking).
-
-%commit
- Perform the key generation. Note that an implicit commit is done
- at the next Key-Type parameter.
-
-General Parameters:
-
-Key-Type: ALGO
- Starts a new parameter block by giving the type of the primary key.
- The algorithm must be capable of signing. This is a required
- parameter. The only supported value for ALGO is 'rsa'.
-
-Key-Length: NBITS
- The requested length of a generated key in bits. Defaults to 3072.
-
-Key-Grip: HEXSTRING
- This is optional and used to generate a CSR or certificate for an
- already existing key. Key-Length will be ignored when given.
-
-Key-Usage: USAGE-LIST
- Space or comma delimited list of key usage, allowed values are
- 'encrypt', 'sign' and 'cert'. This is used to generate the
- keyUsage extension. Please make sure that the algorithm is capable
- of this usage. Default is to allow encrypt and sign.
-
-Name-DN: SUBJECT-NAME
- This is the Distinguished Name (DN) of the subject in RFC-2253
- format.
-
-Name-Email: STRING
- This is an email address for the altSubjectName. This parameter is
- optional but may occur several times to add several email addresses
- to a certificate.
-
-Name-DNS: STRING
- The is an DNS name for the altSubjectName. This parameter is
- optional but may occur several times to add several DNS names to a
- certificate.
-
-Name-URI: STRING
- This is an URI for the altSubjectName. This parameter is optional
- but may occur several times to add several URIs to a certificate.
-
-Additional parameters used to create a certificate (in contrast to a
-certificate signing request):
-
-Serial: SN
- If this parameter is given an X.509 certificate will be generated.
- SN is expected to be a hex string representing an unsigned integer
- of arbitrary length. The special value 'random' can be used to
- create a 64 bit random serial number.
-
-Issuer-DN: ISSUER-NAME
- This is the DN name of the issuer in RFC-2253 format. If it is not
- set it will default to the subject DN and a special GnuPG extension
- will be included in the certificate to mark it as a standalone
- certificate.
-
-Creation-Date: ISO-DATE
-Not-Before: ISO-DATE
- Set the notBefore date of the certificate. Either a date like
- '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like
- '19860426T042640' may be used. The time is considered to be UTC.
- If it is not given the current date is used.
-
-Expire-Date: ISO-DATE
-Not-After: ISO-DATE
- Set the notAfter date of the certificate. Either a date like
- '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like
- '20630405T170000' may be used. The time is considered to be UTC.
- If it is not given a default value in the not too far future is
- used.
-
-Signing-Key: KEYGRIP
- This gives the keygrip of the key used to sign the certificate. If
- it is not given a self-signed certificate will be created. For
- compatibility with future versions, it is suggested to prefix the
- keygrip with a '&'.
-
-Hash-Algo: HASH-ALGO
- Use HASH-ALGO for this CSR or certificate. The supported hash
- algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may
- also be specified with uppercase letters. The default is 'sha256'.
-
-\1f
-File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
-
-5.6 The Protocol the Server Mode Uses
-=====================================
-
-Description of the protocol used to access 'GPGSM'. 'GPGSM' does
-implement the Assuan protocol and in addition provides a regular command
-line interface which exhibits a full client to this protocol (but uses
-internal linking). To start 'gpgsm' as a server the command line the
-option '--server' must be used. Additional options are provided to
-select the communication method (i.e. the name of the socket).
-
- We assume that the connection has already been established; see the
-Assuan manual for details.
-
-* Menu:
-
-* GPGSM ENCRYPT:: Encrypting a message.
-* GPGSM DECRYPT:: Decrypting a message.
-* GPGSM SIGN:: Signing a message.
-* GPGSM VERIFY:: Verifying a message.
-* GPGSM GENKEY:: Generating a key.
-* GPGSM LISTKEYS:: List available keys.
-* GPGSM EXPORT:: Export certificates.
-* GPGSM IMPORT:: Import certificates.
-* GPGSM DELETE:: Delete certificates.
-* GPGSM GETAUDITLOG:: Retrieve an audit log.
-* GPGSM GETINFO:: Information about the process
-* GPGSM OPTION:: Session options.
-
-\1f
-File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
-
-5.6.1 Encrypting a Message
---------------------------
-
-Before encryption can be done the recipient must be set using the
-command:
-
- RECIPIENT USERID
-
- Set the recipient for the encryption. USERID should be the internal
-representation of the key; the server may accept any other way of
-specification. If this is a valid and trusted recipient the server does
-respond with OK, otherwise the return is an ERR with the reason why the
-recipient cannot be used, the encryption will then not be done for this
-recipient. If the policy is not to encrypt at all if not all recipients
-are valid, the client has to take care of this. All 'RECIPIENT'
-commands are cumulative until a 'RESET' or an successful 'ENCRYPT'
-command.
-
- INPUT FD[=N] [--armor|--base64|--binary]
-
- Set the file descriptor for the message to be encrypted to N.
-Obviously the pipe must be open at that point, the server establishes
-its own end. If the server returns an error the client should consider
-this session failed. If N is not given, this commands uses the last
-file descriptor passed to the application. *Note the assuan_sendfd
-function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
-
- The '--armor' option may be used to advise the server that the input
-data is in PEM format, '--base64' advises that a raw base-64 encoding is
-used, '--binary' advises of raw binary input (BER). If none of these
-options is used, the server tries to figure out the used encoding, but
-this may not always be correct.
-
- OUTPUT FD[=N] [--armor|--base64]
-
- Set the file descriptor to be used for the output (i.e. the
-encrypted message). Obviously the pipe must be open at that point, the
-server establishes its own end. If the server returns an error the
-client should consider this session failed.
-
- The option '--armor' encodes the output in PEM format, the '--base64'
-option applies just a base-64 encoding. No option creates binary output
-(BER).
-
- The actual encryption is done using the command
-
- ENCRYPT
-
- It takes the plaintext from the 'INPUT' command, writes to the
-ciphertext to the file descriptor set with the 'OUTPUT' command, take
-the recipients from all the recipients set so far. If this command
-fails the clients should try to delete all output currently done or
-otherwise mark it as invalid. 'GPGSM' does ensure that there will not
-be any security problem with leftover data on the output in this case.
-
- This command should in general not fail, as all necessary checks have
-been done while setting the recipients. The input and output pipes are
-closed.
-
-\1f
-File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
-
-5.6.2 Decrypting a message
---------------------------
-
-Input and output FDs are set the same way as in encryption, but 'INPUT'
-refers to the ciphertext and 'OUTPUT' to the plaintext. There is no
-need to set recipients. 'GPGSM' automatically strips any S/MIME headers
-from the input, so it is valid to pass an entire MIME part to the INPUT
-pipe.
-
- The decryption is done by using the command
-
- DECRYPT
-
- It performs the decrypt operation after doing some check on the
-internal state (e.g. that all needed data has been set). Because it
-utilizes the GPG-Agent for the session key decryption, there is no need
-to ask the client for a protecting passphrase - GpgAgent takes care of
-this by requesting this from the user.
-
-\1f
-File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
-
-5.6.3 Signing a Message
------------------------
-
-Signing is usually done with these commands:
-
- INPUT FD[=N] [--armor|--base64|--binary]
-
- This tells 'GPGSM' to read the data to sign from file descriptor N.
-
- OUTPUT FD[=M] [--armor|--base64]
-
- Write the output to file descriptor M. If a detached signature is
-requested, only the signature is written.
-
- SIGN [--detached]
-
- Sign the data set with the 'INPUT' command and write it to the sink
-set by 'OUTPUT'. With '--detached', a detached signature is created
-(surprise).
-
- The key used for signing is the default one or the one specified in
-the configuration file. To get finer control over the keys, it is
-possible to use the command
-
- SIGNER USERID
-
- to set the signer's key. USERID should be the internal
-representation of the key; the server may accept any other way of
-specification. If this is a valid and trusted recipient the server does
-respond with OK, otherwise the return is an ERR with the reason why the
-key cannot be used, the signature will then not be created using this
-key. If the policy is not to sign at all if not all keys are valid, the
-client has to take care of this. All 'SIGNER' commands are cumulative
-until a 'RESET' is done. Note that a 'SIGN' does not reset this list of
-signers which is in contrast to the 'RECIPIENT' command.
-
-\1f
-File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
-
-5.6.4 Verifying a Message
--------------------------
-
-To verify a message the command:
-
- VERIFY
-
- is used. It does a verify operation on the message send to the input
-FD. The result is written out using status lines. If an output FD was
-given, the signed text will be written to that. If the signature is a
-detached one, the server will inquire about the signed material and the
-client must provide it.
-
projects / platform / upstream / gpg2.git / blobdiff