1 This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
3 This is the 'The GNU Privacy Guard Manual' (version 2.2.33-beta28,
6 (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
7 (C) 2013, 2014, 2015 Werner Koch.
8 (C) 2015, 2016, 2017 g10 Code GmbH.
10 Permission is granted to copy, distribute and/or modify this
11 document under the terms of the GNU General Public License as
12 published by the Free Software Foundation; either version 3 of the
13 License, or (at your option) any later version. The text of the
14 license can be found in the section entitled "Copying".
15 INFO-DIR-SECTION GNU Utilities
17 * gpg2: (gnupg). OpenPGP encryption and signing tool.
18 * gpgsm: (gnupg). S/MIME encryption and signing tool.
19 * gpg-agent: (gnupg). The secret key daemon.
20 * dirmngr: (gnupg). X.509 CRL and OCSP server.
21 * dirmngr-client: (gnupg). X.509 CRL and OCSP client.
25 File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
27 5.6 The Protocol the Server Mode Uses
28 =====================================
30 Description of the protocol used to access 'GPGSM'. 'GPGSM' does
31 implement the Assuan protocol and in addition provides a regular command
32 line interface which exhibits a full client to this protocol (but uses
33 internal linking). To start 'gpgsm' as a server the command line the
34 option '--server' must be used. Additional options are provided to
35 select the communication method (i.e. the name of the socket).
37 We assume that the connection has already been established; see the
38 Assuan manual for details.
42 * GPGSM ENCRYPT:: Encrypting a message.
43 * GPGSM DECRYPT:: Decrypting a message.
44 * GPGSM SIGN:: Signing a message.
45 * GPGSM VERIFY:: Verifying a message.
46 * GPGSM GENKEY:: Generating a key.
47 * GPGSM LISTKEYS:: List available keys.
48 * GPGSM EXPORT:: Export certificates.
49 * GPGSM IMPORT:: Import certificates.
50 * GPGSM DELETE:: Delete certificates.
51 * GPGSM GETAUDITLOG:: Retrieve an audit log.
52 * GPGSM GETINFO:: Information about the process
53 * GPGSM OPTION:: Session options.
56 File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
58 5.6.1 Encrypting a Message
59 --------------------------
61 Before encryption can be done the recipient must be set using the
66 Set the recipient for the encryption. USERID should be the internal
67 representation of the key; the server may accept any other way of
68 specification. If this is a valid and trusted recipient the server does
69 respond with OK, otherwise the return is an ERR with the reason why the
70 recipient cannot be used, the encryption will then not be done for this
71 recipient. If the policy is not to encrypt at all if not all recipients
72 are valid, the client has to take care of this. All 'RECIPIENT'
73 commands are cumulative until a 'RESET' or an successful 'ENCRYPT'
76 INPUT FD[=N] [--armor|--base64|--binary]
78 Set the file descriptor for the message to be encrypted to N.
79 Obviously the pipe must be open at that point, the server establishes
80 its own end. If the server returns an error the client should consider
81 this session failed. If N is not given, this commands uses the last
82 file descriptor passed to the application. *Note the assuan_sendfd
83 function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
85 The '--armor' option may be used to advise the server that the input
86 data is in PEM format, '--base64' advises that a raw base-64 encoding is
87 used, '--binary' advises of raw binary input (BER). If none of these
88 options is used, the server tries to figure out the used encoding, but
89 this may not always be correct.
91 OUTPUT FD[=N] [--armor|--base64]
93 Set the file descriptor to be used for the output (i.e. the
94 encrypted message). Obviously the pipe must be open at that point, the
95 server establishes its own end. If the server returns an error the
96 client should consider this session failed.
98 The option '--armor' encodes the output in PEM format, the '--base64'
99 option applies just a base-64 encoding. No option creates binary output
102 The actual encryption is done using the command
106 It takes the plaintext from the 'INPUT' command, writes to the
107 ciphertext to the file descriptor set with the 'OUTPUT' command, take
108 the recipients from all the recipients set so far. If this command
109 fails the clients should try to delete all output currently done or
110 otherwise mark it as invalid. 'GPGSM' does ensure that there will not
111 be any security problem with leftover data on the output in this case.
113 This command should in general not fail, as all necessary checks have
114 been done while setting the recipients. The input and output pipes are
118 File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
120 5.6.2 Decrypting a message
121 --------------------------
123 Input and output FDs are set the same way as in encryption, but 'INPUT'
124 refers to the ciphertext and 'OUTPUT' to the plaintext. There is no
125 need to set recipients. 'GPGSM' automatically strips any S/MIME headers
126 from the input, so it is valid to pass an entire MIME part to the INPUT
129 The decryption is done by using the command
133 It performs the decrypt operation after doing some check on the
134 internal state (e.g. that all needed data has been set). Because it
135 utilizes the GPG-Agent for the session key decryption, there is no need
136 to ask the client for a protecting passphrase - GpgAgent takes care of
137 this by requesting this from the user.
140 File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
142 5.6.3 Signing a Message
143 -----------------------
145 Signing is usually done with these commands:
147 INPUT FD[=N] [--armor|--base64|--binary]
149 This tells 'GPGSM' to read the data to sign from file descriptor N.
151 OUTPUT FD[=M] [--armor|--base64]
153 Write the output to file descriptor M. If a detached signature is
154 requested, only the signature is written.
158 Sign the data set with the 'INPUT' command and write it to the sink
159 set by 'OUTPUT'. With '--detached', a detached signature is created
162 The key used for signing is the default one or the one specified in
163 the configuration file. To get finer control over the keys, it is
164 possible to use the command
168 to set the signer's key. USERID should be the internal
169 representation of the key; the server may accept any other way of
170 specification. If this is a valid and trusted recipient the server does
171 respond with OK, otherwise the return is an ERR with the reason why the
172 key cannot be used, the signature will then not be created using this
173 key. If the policy is not to sign at all if not all keys are valid, the
174 client has to take care of this. All 'SIGNER' commands are cumulative
175 until a 'RESET' is done. Note that a 'SIGN' does not reset this list of
176 signers which is in contrast to the 'RECIPIENT' command.
179 File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
181 5.6.4 Verifying a Message
182 -------------------------
184 To verify a message the command:
188 is used. It does a verify operation on the message send to the input
189 FD. The result is written out using status lines. If an output FD was
190 given, the signed text will be written to that. If the signature is a
191 detached one, the server will inquire about the signed material and the
192 client must provide it.
195 File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol
197 5.6.5 Generating a Key
198 ----------------------
200 This is used to generate a new keypair, store the secret part in the PSE
201 and the public key in the key database. We will probably add optional
202 commands to allow the client to select whether a hardware token is used
203 to store the key. Configuration options to 'GPGSM' can be used to
204 restrict the use of this command.
208 'GPGSM' checks whether this command is allowed and then does an
209 INQUIRY to get the key parameters, the client should then send the key
210 parameters in the native format:
212 S: INQUIRE KEY_PARAM native
217 Please note that the server may send Status info lines while reading
218 the data lines from the client. After this the key generation takes
219 place and the server eventually does send an ERR or OK response. Status
220 lines may be issued as a progress indicator.
223 File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol
225 5.6.6 List available keys
226 -------------------------
228 To list the keys in the internal database or using an external key
229 provider, the command:
233 is used. To allow multiple patterns (which are ORed during the
234 search) quoting is required: Spaces are to be translated into "+" or
235 into "%20"; in turn this requires that the usual escape quoting rules
238 LISTSECRETKEYS PATTERN
240 Lists only the keys where a secret key is available.
242 The list commands are affected by the option
244 OPTION list-mode=MODE
248 Use default (which is usually the same as 1).
250 List only the internal keys.
252 List only the external keys.
254 List internal and external keys.
256 Note that options are valid for the entire session.
259 File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol
261 5.6.7 Export certificates
262 -------------------------
264 To export certificate from the internal key database the command:
266 EXPORT [--data [--armor] [--base64]] [--] PATTERN
268 is used. To allow multiple patterns (which are ORed) quoting is
269 required: Spaces are to be translated into "+" or into "%20"; in turn
270 this requires that the usual escape quoting rules are done.
272 If the '--data' option has not been given, the format of the output
273 depends on what was set with the 'OUTPUT' command. When using PEM
274 encoding a few informational lines are prepended.
276 If the '--data' has been given, a target set via 'OUTPUT' is ignored
277 and the data is returned inline using standard 'D'-lines. This avoids
278 the need for an extra file descriptor. In this case the options
279 '--armor' and '--base64' may be used in the same way as with the
283 File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol
285 5.6.8 Import certificates
286 -------------------------
288 To import certificates into the internal key database, the command
292 is used. The data is expected on the file descriptor set with the
293 'INPUT' command. Certain checks are performed on the certificate. Note
294 that the code will also handle PKCS#12 files and import private keys; a
295 helper program is used for that.
297 With the option '--re-import' the input data is expected to a be a
298 linefeed separated list of fingerprints. The command will re-import the
299 corresponding certificates; that is they are made permanent by removing
300 their ephemeral flag.
303 File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol
305 5.6.9 Delete certificates
306 -------------------------
308 To delete a certificate the command
312 is used. To allow multiple patterns (which are ORed) quoting is
313 required: Spaces are to be translated into "+" or into "%20"; in turn
314 this requires that the usual escape quoting rules are done.
316 The certificates must be specified unambiguously otherwise an error
320 File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol
322 5.6.10 Retrieve an audit log
323 ----------------------------
325 This command is used to retrieve an audit log.
327 GETAUDITLOG [--data] [--html]
329 If '--data' is used, the audit log is send using D-lines instead of
330 being sent to the file descriptor given by an 'OUTPUT' command. If
331 '--html' is used, the output is formatted as an XHTML block. This is
332 designed to be incorporated into a HTML document.
335 File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol
337 5.6.11 Return information about the process
338 -------------------------------------------
340 This is a multipurpose function to return a variety of information.
344 The value of WHAT specifies the kind of information returned:
346 Return the version of the program.
348 Return the process id of the process.
350 Return OK if the agent is running.
351 'cmd_has_option CMD OPT'
352 Return OK if the command CMD implements the option OPT. The
353 leading two dashes usually used with OPT shall not be given.
355 Return OK if the connection is in offline mode. This may be either
356 due to a 'OPTION offline=1' or due to 'gpgsm' being started with
357 option '--disable-dirmngr'.
360 File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol
362 5.6.12 Session options
363 ----------------------
365 The standard Assuan option handler supports these options.
369 These NAMEs are recognized:
372 Change the session's environment to be passed via gpg-agent to
373 Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If
374 only '<KEY>' is given the environment variable '<KEY>' is removed
375 from the session environment, if '<KEY>=' is given that environment
376 variable is set to the empty string, and if '<STRING>' is given it
377 is set to that string.
380 Set the session environment variable 'DISPLAY' is set to VALUE.
382 Set the session environment variable 'GPG_TTY' is set to VALUE.
384 Set the session environment variable 'TERM' is set to VALUE.
386 Set the session environment variable 'LC_CTYPE' is set to VALUE.
388 Set the session environment variable 'LC_MESSAGES' is set to VALUE.
390 Set the session environment variable 'XAUTHORITY' is set to VALUE.
392 Set the session environment variable 'PINENTRY_USER_DATA' is set to
396 This option overrides the command line option '--include-certs'. A
397 VALUE of -2 includes all certificates except for the root
398 certificate, -1 includes all certificates, 0 does not include any
399 certificates, 1 includes only the signers certificate and all other
400 positive values include up to VALUE certificates starting with the
404 *Note gpgsm-cmd listkeys::.
407 If VALUE is true the output of the list commands (*note gpgsm-cmd
408 listkeys::) is written to the file descriptor set with the last
409 'OUTPUT' command. If VALUE is false the output is written via data
410 lines; this is the default.
413 If VALUE is true for each listed certificate the validation status
414 is printed. This may result in the download of a CRL or the user
415 being asked about the trustworthiness of a root certificate. The
416 default is given by a command line option (*note gpgsm-option
417 --with-validation::).
420 If VALUE is true certificates with a corresponding private key are
421 marked by the list commands.
424 This option overrides the command line option 'validation-model'
425 for the session. (*Note gpgsm-option --validation-model::.)
428 This option globally enables the command line option
429 '--with-key-data'. (*Note gpgsm-option --with-key-data::.)
432 If VALUE is true data to write an audit log is gathered. (*Note
433 gpgsm-cmd getauditlog::.)
435 'allow-pinentry-notify'
436 If this option is used notifications about the launch of a Pinentry
437 are passed back to the client.
439 'with-ephemeral-keys'
440 If VALUE is true ephemeral certificates are included in the output
441 of the list commands.
444 If this option is used all keys set by the command line option
445 '--encrypt-to' are ignored.
448 If VALUE is true or VALUE is not given all network access is
449 disabled for this session. This is the same as the command line
450 option '--disable-dirmngr'.
453 File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top
455 6 Invoking the SCDAEMON
456 ***********************
458 The 'scdaemon' is a daemon to manage smartcards. It is usually invoked
459 by 'gpg-agent' and in general not used directly.
461 *Note Option Index::, for an index to 'scdaemon''s commands and
466 * Scdaemon Commands:: List of all commands.
467 * Scdaemon Options:: List of all options.
468 * Card applications:: Description of card applications.
469 * Scdaemon Configuration:: Configuration files.
470 * Scdaemon Examples:: Some usage examples.
471 * Scdaemon Protocol:: The protocol the daemon uses.
474 File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON
479 Commands are not distinguished from options except for the fact that
480 only one command is allowed.
483 Print the program version and licensing information. Note that you
484 cannot abbreviate this command.
487 Print a usage message summarizing the most useful command-line
488 options. Note that you cannot abbreviate this command.
491 Print a list of all available options and commands. Note that you
492 cannot abbreviate this command.
495 Run in server mode and wait for commands on the 'stdin'. The
496 default mode is to create a socket and listen for commands there.
499 Run in server mode and wait for commands on the 'stdin' as well as
500 on an additional Unix Domain socket. The server command 'GETINFO'
501 may be used to get the name of that extra socket.
504 Run the program in the background. This option is required to
505 prevent it from being accidentally running in the background.
508 File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON
514 Reads configuration from FILE instead of from the default per-user
515 configuration file. The default configuration file is named
516 'scdaemon.conf' and expected in the '.gnupg' directory directly
517 below the home directory of the user.
520 Set the name of the home directory to DIR. If this option is not
521 used, the home directory defaults to '~/.gnupg'. It is only
522 recognized when given on the command line. It also overrides any
523 home directory stated through the environment variable 'GNUPGHOME'
524 or (on Windows systems) by means of the Registry entry
525 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
527 On Windows systems it is possible to install GnuPG as a portable
528 application. In this case only this command line option is
529 considered, all other ways to set a home directory are ignored.
531 To install GnuPG as a portable application under Windows, create an
532 empty file named 'gpgconf.ctl' in the same directory as the tool
533 'gpgconf.exe'. The root of the installation is then that
534 directory; or, if 'gpgconf.exe' has been installed directly below a
535 directory named 'bin', its parent directory. You also need to make
536 sure that the following directories exist and are writable:
537 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
538 for internal cache files.
542 Outputs additional information while running. You can increase the
543 verbosity by giving several verbose commands to 'gpgsm', such as
546 '--debug-level LEVEL'
547 Select the debug level for investigating problems. LEVEL may be a
548 numeric value or a keyword:
551 No debugging at all. A value of less than 1 may be used
552 instead of the keyword.
554 Some basic debug messages. A value between 1 and 2 may be
555 used instead of the keyword.
557 More verbose debug messages. A value between 3 and 5 may be
558 used instead of the keyword.
560 Even more detailed messages. A value between 6 and 8 may be
561 used instead of the keyword.
563 All of the debug messages you can get. A value greater than 8
564 may be used instead of the keyword. The creation of hash
565 tracing files is only enabled if the keyword is used.
567 How these messages are mapped to the actual debugging flags is not
568 specified and may change with newer releases of this program. They
569 are however carefully selected to best aid in debugging.
571 Note: All debugging options are subject to change and thus
572 should not be used by any application program. As the name
573 says, they are only used as helpers to debug problems.
576 This option is only useful for debugging and the behavior may
577 change at any time without notice. FLAGS are bit encoded and may
578 be given in usual C-Syntax. The currently defined bits are:
583 values of big number integers
585 low level crypto operations
591 show memory statistics
593 write hashed data to files named 'dbgmd-000*'
595 trace Assuan protocol. See also option
596 '--debug-assuan-log-cats'.
598 trace APDU I/O to the card. This may reveal sensitive data.
600 trace some card reader related function calls.
603 Same as '--debug=0xffffffff'
606 When running in server mode, wait N seconds before entering the
607 actual processing loop and print the pid. This gives time to
610 '--debug-ccid-driver'
611 Enable debug output from the included CCID driver for smartcards.
612 Using this option twice will also enable some tracing of the T=1
613 protocol. Note that this option may reveal sensitive data.
615 '--debug-disable-ticker'
616 This option disables all ticker functions like checking for card
619 '--debug-allow-core-dump'
620 For security reasons we won't create a core dump when the process
621 aborts. For debugging purposes it is sometimes better to allow
622 core dump. This option enables it and also changes the working
623 directory to '/tmp' when running in '--server' mode.
626 This option appends a thread ID to the PID in the log output.
628 '--debug-assuan-log-cats CATS'
629 Changes the active Libassuan logging categories to CATS. The value
630 for CATS is an unsigned integer given in usual C-Syntax. A value
631 of 0 switches to a default category. If this option is not used
632 the categories are taken from the environment variable
633 'ASSUAN_DEBUG'. Note that this option has only an effect if the
634 Assuan debug flag has also been with the option '--debug'. For a
635 list of categories see the Libassuan manual.
638 Don't detach the process from the console. This is mainly useful
642 Set the size of the queue for pending connections. The default is
643 64. This option has an effect only if '--multi-server' is also
647 Append all logging output to FILE. This is very helpful in seeing
648 what the agent actually does. Use 'socket://' to log to socket.
651 Use shared mode to access the card via PC/SC. This is a somewhat
652 dangerous option because Scdaemon assumes exclusivbe access to teh
653 card and for example caches certain information from the card. Use
654 this option only if you know what you are doing.
656 '--pcsc-driver LIBRARY'
657 Use LIBRARY to access the smartcard reader. The current default is
658 'libpcsclite.so'. Instead of using this option you might also want
659 to install a symbolic link to the default file name (e.g. from
662 '--ctapi-driver LIBRARY'
663 Use LIBRARY to access the smartcard reader. The current default is
664 'libtowitoko.so'. Note that the use of this interface is
665 deprecated; it may be removed in future releases.
668 Disable the integrated support for CCID compliant readers. This
669 allows falling back to one of the other drivers even if the
670 internal CCID driver can handle the reader. Note, that CCID
671 support is only available if libusb was available at build time.
673 '--reader-port NUMBER_OR_STRING'
674 This option may be used to specify the port of the card terminal.
675 A value of 0 refers to the first serial device; add 32768 to access
676 USB devices. The default is 32768 (first USB device). PC/SC or
677 CCID readers might need a string here; run the program in verbose
678 mode to get a list of available readers. The default is then the
681 To get a list of available CCID readers you may use this command:
682 echo scd getinfo reader_list \
683 | gpg-connect-agent --decode | awk '/^D/ {print $2}'
686 If N is not 0 and no client is actively using the card, the card
687 will be powered down after N seconds. Powering down the card
688 avoids a potential risk of damaging a card when used with certain
689 cheap readers. This also allows applications that are not aware of
690 Scdaemon to access the card. The disadvantage of using a card
691 timeout is that accessing the card takes longer and that the user
692 needs to enter the PIN again after the next power up.
694 Note that with the current version of Scdaemon the card is powered
695 down immediately at the next timer tick for any value of N other
698 '--enable-pinpad-varlen'
699 Please specify this option when the card reader supports variable
700 length input for pinpad (default is no). For known readers (listed
701 in ccid-driver.c and apdu.c), this option is not needed. Note that
702 if your card reader doesn't supports variable length input but you
703 want to use it, you need to specify your pinpad request on your
707 Even if a card reader features a pinpad, do not try to use it.
710 This option disables the use of admin class commands for card
711 applications where this is supported. Currently we support it for
712 the OpenPGP card. This option is useful to inhibit accidental
713 access to admin class command which could ultimately lock the card
714 through wrong PIN numbers. Note that GnuPG versions older than
715 2.0.11 featured an '--allow-admin' option which was required to use
716 such admin commands. This option has no more effect today because
717 the default is now to allow admin commands.
719 '--disable-application NAME'
720 This option disables the use of the card application named NAME.
721 This is mainly useful for debugging or if a application with lower
722 priority should be used by default.
724 All the long options may also be given in the configuration file
725 after stripping off the two leading dashes.
728 File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON
730 6.3 Description of card applications
731 ====================================
733 'scdaemon' supports the card applications as described below.
737 * OpenPGP Card:: The OpenPGP card application
738 * NKS Card:: The Telesec NetKey card application
739 * DINSIG Card:: The DINSIG card application
740 * PKCS#15 Card:: The PKCS#15 card application
741 * Geldkarte Card:: The Geldkarte application
742 * SmartCard-HSM:: The SmartCard-HSM application
743 * Undefined Card:: The Undefined stub application
746 File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications
748 6.3.1 The OpenPGP card application "openpgp"
749 --------------------------------------------
751 This application is currently only used by 'gpg' but may in future also
752 be useful with 'gpgsm'. Version 1 and version 2 of the card is
755 The specifications for these cards are available at
756 <http://g10code.com/docs/openpgp-card-1.0.pdf> and
757 <http://g10code.com/docs/openpgp-card-2.0.pdf>.
760 File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications
762 6.3.2 The Telesec NetKey card "nks"
763 -----------------------------------
765 This is the main application of the Telesec cards as available in
766 Germany. It is a superset of the German DINSIG card. The card is used
770 File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications
772 6.3.3 The DINSIG card application "dinsig"
773 ------------------------------------------
775 This is an application as described in the German draft standard _DIN V
776 66291-1_. It is intended to be used by cards supporting the German
777 signature law and its bylaws (SigG and SigV).
780 File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications
782 6.3.4 The PKCS#15 card application "p15"
783 ----------------------------------------
785 This is common framework for smart card applications. It is used by
789 File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications
791 6.3.5 The Geldkarte card application "geldkarte"
792 ------------------------------------------------
794 This is a simple application to display information of a German
795 Geldkarte. The Geldkarte is a small amount debit card application which
796 comes with almost all German banking cards.
799 File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications
801 6.3.6 The SmartCard-HSM card application "sc-hsm"
802 -------------------------------------------------
804 This application adds read-only support for keys and certificates stored
805 on a SmartCard-HSM (http://www.smartcard-hsm.com).
807 To generate keys and store certificates you may use OpenSC
808 (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from
809 OpenSCDP (http://www.openscdp.org).
811 The SmartCard-HSM cards requires a card reader that supports Extended
815 File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications
817 6.3.7 The Undefined card application "undefined"
818 ------------------------------------------------
820 This is a stub application to allow the use of the APDU command even if
821 no supported application is found on the card. This application is not
822 used automatically but must be explicitly requested using the SERIALNO
826 File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
828 6.4 Configuration files
829 =======================
831 There are a few configuration files to control certain aspects of
832 'scdaemons''s operation. Unless noted, they are expected in the current
833 home directory (*note option --homedir::).
836 This is the standard configuration file read by 'scdaemon' on
837 startup. It may contain any valid long option; the leading two
838 dashes may not be entered and the option may not be abbreviated.
839 This default name may be changed on the command line (*note option
843 If this file is present and executable, it will be called on every
844 card reader's status change. An example of this script is provided
845 with the distribution
848 This file is created by 'scdaemon' to let other applications now
849 about reader status changes. Its use is now deprecated in favor of
853 File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
858 $ scdaemon --server -v
861 File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
863 6.6 Scdaemon's Assuan Protocol
864 ==============================
866 The SC-Daemon should be started by the system to provide access to
867 external tokens. Using Smartcards on a multi-user system does not make
868 much sense except for system services, but in this case no regular user
869 accounts are hosted on the machine.
871 A client connects to the SC-Daemon by connecting to the socket named
872 '/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
873 read from /ETC/GNUPG/SCDAEMON.CONF
875 Each connection acts as one session, SC-Daemon takes care of
876 synchronizing access to a token between sessions.
880 * Scdaemon SERIALNO:: Return the serial number.
881 * Scdaemon LEARN:: Read all useful information from the card.
882 * Scdaemon READCERT:: Return a certificate.
883 * Scdaemon READKEY:: Return a public key.
884 * Scdaemon PKSIGN:: Signing data with a Smartcard.
885 * Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
886 * Scdaemon GETATTR:: Read an attribute's value.
887 * Scdaemon SETATTR:: Update an attribute's value.
888 * Scdaemon WRITEKEY:: Write a key to a card.
889 * Scdaemon GENKEY:: Generate a new key on-card.
890 * Scdaemon RANDOM:: Return random bytes generated on-card.
891 * Scdaemon PASSWD:: Change PINs.
892 * Scdaemon CHECKPIN:: Perform a VERIFY operation.
893 * Scdaemon RESTART:: Restart connection
894 * Scdaemon APDU:: Send a verbatim APDU to the card
897 File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
899 6.6.1 Return the serial number
900 ------------------------------
902 This command should be used to check for the presence of a card. It is
903 special in that it can be used to reset the card. Most other commands
904 will return an error when a card change has been detected and the use of
905 this function is therefore required.
907 Background: We want to keep the client clear of handling card changes
908 between operations; i.e. the client can assume that all operations are
909 done on the same card unless he call this function.
913 Return the serial number of the card using a status response like:
915 S SERIALNO D27600000000000000000000
917 The serial number is the hex encoded value identified by the '0x5A'
918 tag in the GDO file (FIX=0x2F02).
921 File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
923 6.6.2 Read all useful information from the card
924 -----------------------------------------------
928 Learn all useful information of the currently inserted card. When
929 used without the '--force' option, the command might do an INQUIRE like
932 INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
934 The client should just send an 'END' if the processing should go on
935 or a 'CANCEL' to force the function to terminate with a cancel error
936 message. The response of this command is a list of status lines
939 S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
941 If there is no certificate yet stored on the card a single "X" is
942 returned in HEXSTRING_WITH_KEYGRIP.
945 File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
947 6.6.3 Return a certificate
948 --------------------------
950 READCERT HEXIFIED_CERTID|KEYID
952 This function is used to read a certificate identified by
953 HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
954 may be used to read the certificate of version 2 cards.
957 File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
959 6.6.4 Return a public key
960 -------------------------
962 READKEY HEXIFIED_CERTID
964 Return the public key for the given cert or key ID as an standard
968 File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
970 6.6.5 Signing data with a Smartcard
971 -----------------------------------
973 To sign some data the caller should use the command
977 to tell 'scdaemon' about the data to be signed. The data must be
978 given in hex notation. The actual signing is done using the command
982 where KEYID is the hexified ID of the key to be used. The key id may
983 have been retrieved using the command 'LEARN'. If another hash
984 algorithm than SHA-1 is used, that algorithm may be given like:
986 PKSIGN --hash=ALGONAME KEYID
988 With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
991 File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
993 6.6.6 Decrypting data with a Smartcard
994 --------------------------------------
996 To decrypt some data the caller should use the command
1000 to tell 'scdaemon' about the data to be decrypted. The data must be
1001 given in hex notation. The actual decryption is then done using the
1006 where KEYID is the hexified ID of the key to be used.
1008 If the card is aware of the apdding format a status line with padding
1009 information is send before the plaintext data. The key for this status
1010 line is 'PADDING' with the only defined value being 0 and meaning
1011 padding has been removed.
1014 File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
1016 6.6.7 Read an attribute's value
1017 -------------------------------
1022 File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
1024 6.6.8 Update an attribute's value
1025 ---------------------------------
1030 File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
1032 6.6.9 Write a key to a card
1033 ---------------------------
1035 WRITEKEY [--force] KEYID
1037 This command is used to store a secret key on a smartcard. The
1038 allowed keyids depend on the currently selected smartcard application.
1039 The actual keydata is requested using the inquiry 'KEYDATA' and need to
1040 be provided without any protection. With '--force' set an existing key
1041 under this KEYID will get overwritten. The key data is expected to be
1042 the usual canonical encoded S-expression.
1044 A PIN will be requested in most cases. This however depends on the
1045 actual card application.
1048 File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
1050 6.6.10 Generate a new key on-card
1051 ---------------------------------
1056 File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
1058 6.6.11 Return random bytes generated on-card
1059 --------------------------------------------
1064 File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
1069 PASSWD [--reset] [--nullpin] CHVNO
1071 Change the PIN or reset the retry counter of the card holder
1072 verification vector number CHVNO. The option '--nullpin' is used to
1073 initialize the PIN of TCOS cards (6 byte NullPIN only).
1076 File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
1078 6.6.13 Perform a VERIFY operation
1079 ---------------------------------
1083 Perform a VERIFY operation without doing anything else. This may be
1084 used to initialize a the PIN cache earlier to long lasting operations.
1085 Its use is highly application dependent:
1089 Perform a simple verify operation for CHV1 and CHV2, so that
1090 further operations won't ask for CHV2 and it is possible to do a
1091 cheap check on the PIN: If there is something wrong with the PIN
1092 entry system, only the regular CHV will get blocked and not the
1093 dangerous CHV3. IDSTR is the usual card's serial number in hex
1094 notation; an optional fingerprint part will get ignored.
1096 There is however a special mode if IDSTR is suffixed with the
1097 literal string '[CHV3]': In this case the Admin PIN is checked if
1098 and only if the retry counter is still at 3.
1101 File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
1103 6.6.14 Perform a RESTART operation
1104 ----------------------------------
1108 Restart the current connection; this is a kind of warm reset. It
1109 deletes the context used by this connection but does not actually reset
1112 This is used by gpg-agent to reuse a primary pipe connection and may
1113 be used by clients to backup from a conflict in the serial command; i.e.
1114 to select another application.
1117 File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
1119 6.6.15 Send a verbatim APDU to the card
1120 ---------------------------------------
1122 APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
1124 Send an APDU to the current reader. This command bypasses the high
1125 level functions and sends the data directly to the card. HEXSTRING is
1126 expected to be a proper APDU. If HEXSTRING is not given no commands are
1127 send to the card; However the command will implicitly check whether the
1128 card is ready for use.
1130 Using the option '--atr' returns the ATR of the card as a status
1131 message before any data like this:
1132 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1134 Using the option '--more' handles the card status word MORE_DATA
1135 (61xx) and concatenate all responses to one block.
1137 Using the option '--exlen' the returned APDU may use extended length
1138 up to N bytes. If N is not given a default value is used (currently
1142 File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top
1144 7 How to Specify a User Id
1145 **************************
1147 There are different ways to specify a user ID to GnuPG. Some of them are
1148 only valid for 'gpg' others are only good for 'gpgsm'. Here is the
1149 entire list of ways to specify a key:
1151 * By key Id. This format is deduced from the length of the string
1152 and its content or '0x' prefix. The key Id of an X.509 certificate
1153 are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
1154 is just a shortcut, for all automated processing the fingerprint
1157 When using 'gpg' an exclamation mark (!) may be appended to force
1158 using the specified primary or secondary key and not to try and
1159 calculate which primary or secondary key to use.
1161 The last four lines of the example give the key ID in their long
1162 form as internally used by the OpenPGP protocol. You can see the
1163 long key ID using the option '--with-colons'.
1175 * By fingerprint. This format is deduced from the length of the
1176 string and its content or the '0x' prefix. Note, that only the 20
1177 byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
1178 hash of the certificate).
1180 When using 'gpg' an exclamation mark (!) may be appended to force
1181 using the specified primary or secondary key and not to try and
1182 calculate which primary or secondary key to use.
1184 The best way to specify a key Id is by using the fingerprint. This
1185 avoids any ambiguities in case that there are duplicated key IDs.
1187 1234343434343434C434343434343434
1188 123434343434343C3434343434343734349A3434
1189 0E12343434343434343434EAB3484343434343434
1190 0xE12343434343434343434EAB3484343434343434
1192 'gpgsm' also accepts colons between each pair of hexadecimal digits
1193 because this is the de-facto standard on how to present X.509
1194 fingerprints. 'gpg' also allows the use of the space separated
1195 SHA-1 fingerprint as printed by the key listing commands.
1197 * By exact match on OpenPGP user ID. This is denoted by a leading
1198 equal sign. It does not make sense for X.509 certificates.
1200 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
1202 * By exact match on an email address. This is indicated by enclosing
1203 the email address in the usual way with left and right angles.
1205 <heinrichh@uni-duesseldorf.de>
1207 * By partial match on an email address. This is indicated by
1208 prefixing the search string with an '@'. This uses a substring
1209 search but considers only the mail address (i.e. inside the angle
1214 * By exact match on the subject's DN. This is indicated by a leading
1215 slash, directly followed by the RFC-2253 encoded DN of the subject.
1216 Note that you can't use the string printed by 'gpgsm --list-keys'
1217 because that one has been reordered and modified for better
1218 readability; use '--with-colons' to print the raw (but standard
1219 escaped) RFC-2253 string.
1221 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
1223 * By exact match on the issuer's DN. This is indicated by a leading
1224 hash mark, directly followed by a slash and then directly followed
1225 by the RFC-2253 encoded DN of the issuer. This should return the
1226 Root cert of the issuer. See note above.
1228 #/CN=Root Cert,O=Poets,L=Paris,C=FR
1230 * By exact match on serial number and issuer's DN. This is indicated
1231 by a hash mark, followed by the hexadecimal representation of the
1232 serial number, then followed by a slash and the RFC-2253 encoded DN
1233 of the issuer. See note above.
1235 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
1237 * By keygrip. This is indicated by an ampersand followed by the 40
1238 hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
1239 command '--dump-cert'.
1241 &D75F22C3F86E355877348498CDC92BD21010A480
1243 * By substring match. This is the default mode but applications may
1244 want to explicitly indicate this by putting the asterisk in front.
1245 Match is not case sensitive.
1250 * . and + prefixes These prefixes are reserved for looking up mails
1251 anchored at the end and for a word search mode. They are not yet
1252 implemented and using them is undefined.
1254 Please note that we have reused the hash mark identifier which was
1255 used in old GnuPG versions to indicate the so called local-id. It is
1256 not anymore used and there should be no conflict when used with X.509
1259 Using the RFC-2253 format of DNs has the drawback that it is not
1260 possible to map them back to the original encoding, however we don't
1261 have to do this because our key database stores this encoding as meta
1265 File: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top
1270 Trust values are used to indicate ownertrust and validity of keys and
1271 user IDs. They are displayed with letters or strings:
1275 No ownertrust assigned / not yet calculated.
1280 Trust calculation has failed; probably due to an expired key.
1284 Not enough information for calculation.
1288 Never trust this key.
1304 For validity only: the key or the user ID has been revoked.
1308 The program encountered an unknown trust value.
1311 File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top
1316 GnuPG comes with a couple of smaller tools:
1320 * watchgnupg:: Read logs from a socket.
1321 * gpgv:: Verify OpenPGP signatures.
1322 * addgnupghome:: Create .gnupg home directories.
1323 * gpgconf:: Modify .gnupg home directories.
1324 * applygnupgdefaults:: Run gpgconf for all users.
1325 * gpg-preset-passphrase:: Put a passphrase into the cache.
1326 * gpg-connect-agent:: Communicate with a running agent.
1327 * dirmngr-client:: How to use the Dirmngr client tool.
1328 * gpgparsemail:: Parse a mail message into an annotated format
1329 * gpgtar:: Encrypt or sign files into an archive.
1330 * gpg-check-pattern:: Check a passphrase on stdin against the patternfile.
1333 File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
1335 9.1 Read logs from a socket
1336 ===========================
1338 Most of the main utilities are able to write their log files to a Unix
1339 Domain socket if configured that way. 'watchgnupg' is a simple listener
1340 for such a socket. It ameliorates the output with a time stamp and
1341 makes sure that long lines are not interspersed with log output from
1342 other utilities. This tool is not available for Windows.
1344 'watchgnupg' is commonly invoked as
1346 watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
1348 This starts it on the current terminal for listening on the standard
1349 logging socket (which is either '~/.gnupg/S.log' or
1350 '/var/run/user/UID/gnupg/S.log').
1352 'watchgnupg' understands these options:
1355 Delete an already existing socket file.
1358 Instead of reading from a local socket, listen for connects on TCP
1362 Do not print the date part of the timestamp.
1365 Enable extra informational output.
1368 Print version of the program and exit.
1371 Display a brief help page and exit.
1377 $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
1379 This waits for connections on the local socket (e.g.
1380 '/home/foo/.gnupg/S.log') and shows all log entries. To make this work
1381 the option 'log-file' needs to be used with all modules which logs are
1382 to be shown. The suggested entry for the configuration files is:
1386 If the default socket as given above and returned by "echo $(gpgconf
1387 -list-dirs socketdir)/S.log" is not desired an arbitrary socket name can
1388 be specified, for example 'socket:///home/foo/bar/mysocket'. For
1389 debugging purposes it is also possible to do remote logging. Take care
1390 if you use this feature because the information is send in the clear
1391 over the network. Use this syntax in the conf files:
1393 log-file tcp://192.168.1.1:4711
1395 You may use any port and not just 4711 as shown above; only IP
1396 addresses are supported (v4 and v6) and no host names. You need to
1397 start 'watchgnupg' with the 'tcp' option. Note that under Windows the
1398 registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
1399 change the default log output from 'stderr' to whatever is given by that
1400 entry. However the only useful entry is a TCP name for remote
1404 File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
1406 9.2 Verify OpenPGP signatures
1407 =============================
1409 'gpgv' is an OpenPGP signature verification tool.
1411 This program is actually a stripped-down version of 'gpg' which is
1412 only able to check signatures. It is somewhat smaller than the
1413 fully-blown 'gpg' and uses a different (and simpler) way to check that
1414 the public keys used to make the signature are valid. There are no
1415 configuration files and only a few options are implemented.
1417 'gpgv' assumes that all keys in the keyring are trustworthy. That
1418 does also mean that it does not check for expired or revoked keys.
1420 If no '--keyring' option is given, 'gpgv' looks for a "default"
1421 keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the
1422 home directory of GnuPG, either the default home directory or the one
1423 set by the '--homedir' option or the 'GNUPGHOME' environment variable.
1424 If any '--keyring' option is used, 'gpgv' will not look for the default
1425 keyring. The '--keyring' option may be used multiple times and all
1426 specified keyrings will be used together.
1429 'gpgv' recognizes these options:
1433 Gives more information during processing. If used twice, the input
1434 data is listed in detail.
1438 Try to be as quiet as possible.
1441 Add FILE to the list of keyrings. If FILE begins with a tilde and
1442 a slash, these are replaced by the HOME directory. If the filename
1443 does not contain a slash, it is assumed to be in the home-directory
1444 ("~/.gnupg" if -homedir is not used).
1448 Write output to FILE; to write to stdout use '-'. This option can
1449 be used to get the signed text from a cleartext or binary
1450 signature; it also works for detached signatures, but in that case
1451 this option is in general not useful. Note that an existing file
1452 will be overwritten.
1455 Write special status strings to the file descriptor N. See the
1456 file DETAILS in the documentation for a listing of them.
1459 Write log output to file descriptor 'n' and not to stderr.
1462 Same as '--logger-fd', except the logger data is written to file
1463 'file'. Use 'socket://' to log to socket.
1465 '--ignore-time-conflict'
1466 GnuPG normally checks that the timestamps associated with keys and
1467 signatures have plausible values. However, sometimes a signature
1468 seems to be older than the key due to clock problems. This option
1469 turns these checks into warnings.
1472 Set the name of the home directory to DIR. If this option is not
1473 used, the home directory defaults to '~/.gnupg'. It is only
1474 recognized when given on the command line. It also overrides any
1475 home directory stated through the environment variable 'GNUPGHOME'
1476 or (on Windows systems) by means of the Registry entry
1477 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1479 On Windows systems it is possible to install GnuPG as a portable
1480 application. In this case only this command line option is
1481 considered, all other ways to set a home directory are ignored.
1483 To install GnuPG as a portable application under Windows, create an
1484 empty file named 'gpgconf.ctl' in the same directory as the tool
1485 'gpgconf.exe'. The root of the installation is then that
1486 directory; or, if 'gpgconf.exe' has been installed directly below a
1487 directory named 'bin', its parent directory. You also need to make
1488 sure that the following directories exist and are writable:
1489 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
1490 for internal cache files.
1492 '--weak-digest name'
1493 Treat the specified digest algorithm as weak. Signatures made over
1494 weak digests algorithms are normally rejected. This option can be
1495 supplied multiple times if multiple algorithms should be considered
1496 weak. MD5 is always considered weak, and does not need to be
1499 '--enable-special-filenames'
1500 This option enables a mode in which filenames of the form '-&n',
1501 where n is a non-negative decimal number, refer to the file
1502 descriptor n and not to a file with that name.
1504 The program returns 0 if everything is fine, 1 if at least one
1505 signature was bad, and other error codes for fatal errors.
1511 gpgv 'sigfile' ['datafile']
1512 Verify the signature of the file. The second form is used for
1513 detached signatures, where 'sigfile' is the detached signature
1514 (either ASCII-armored or binary) and 'datafile' contains the signed
1515 data; if 'datafile' is "-" the signed data is expected on 'stdin';
1516 if 'datafile' is not given the name of the file holding the signed
1517 data is constructed by cutting off the extension (".asc", ".sig" or
1518 ".sign") from 'sigfile'.
1524 Used to locate the default home directory.
1527 If set directory used instead of "~/.gnupg".
1532 ~/.gnupg/trustedkeys.gpg
1533 The default keyring with the allowed keys.
1538 File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
1540 9.3 Create .gnupg home directories
1541 ==================================
1543 If GnuPG is installed on a system with existing user accounts, it is
1544 sometimes required to populate the GnuPG home directory with existing
1545 files. Especially a 'trustlist.txt' and a keybox with some initial
1546 certificates are often desired. This script helps to do this by copying
1547 all files from '/etc/skel/.gnupg' to the home directories of the
1548 accounts given on the command line. It takes care not to overwrite
1549 existing GnuPG home directories.
1551 'addgnupghome' is invoked by root as:
1553 addgnupghome account1 account2 ... accountn
1556 File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
1558 9.4 Modify .gnupg home directories
1559 ==================================
1561 The 'gpgconf' is a utility to automatically and reasonable safely query
1562 and modify configuration files in the '.gnupg' home directory. It is
1563 designed not to be invoked manually by the user, but automatically by
1564 graphical user interfaces (GUI).(1)
1566 'gpgconf' provides access to the configuration of one or more
1567 components of the GnuPG system. These components correspond more or
1568 less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
1569 DirMngr, etc. But this is not a strict one-to-one relationship. Not
1570 all configuration options are available through 'gpgconf'. 'gpgconf'
1571 provides a generic and abstract method to access the most important
1572 configuration options that can feasibly be controlled via such a
1575 'gpgconf' can be used to gather and change the options available in
1576 each component, and can also provide their default values. 'gpgconf'
1577 will give detailed type information that can be used to restrict the
1578 user's input without making an attempt to commit the changes.
1580 'gpgconf' provides the backend of a configuration editor. The
1581 configuration editor would usually be a graphical user interface program
1582 that displays the current options, their default values, and allows the
1583 user to make changes to the options. These changes can then be made
1584 active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
1585 way will be called GUI throughout this section.
1589 * Invoking gpgconf:: List of all commands and options.
1590 * Format conventions:: Formatting conventions relevant for all commands.
1591 * Listing components:: List all gpgconf components.
1592 * Checking programs:: Check all programs known to gpgconf.
1593 * Listing options:: List all options of a component.
1594 * Changing options:: Changing options of a component.
1595 * Listing global options:: List all global options.
1596 * Querying versions:: Get and compare software versions.
1597 * Files used by gpgconf:: What files are used by gpgconf.
1599 ---------- Footnotes ----------
1601 (1) Please note that currently no locking is done, so concurrent
1602 access should be avoided. There are some precautions to avoid
1603 corruption with concurrent usage, but results may be inconsistent and
1604 some changes may get lost. The stateless design makes it difficult to
1605 provide more guarantees.
1608 File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
1610 9.4.1 Invoking gpgconf
1611 ----------------------
1613 One of the following commands must be given:
1616 List all components. This is the default command used if none is
1620 List all available backend programs and test whether they are
1623 '--list-options COMPONENT'
1624 List all options of the component COMPONENT.
1626 '--change-options COMPONENT'
1627 Change the options of the component COMPONENT.
1629 '--check-options COMPONENT'
1630 Check the options for the component COMPONENT.
1632 '--apply-profile FILE'
1633 Apply the configuration settings listed in FILE to the
1634 configuration files. If FILE has no suffix and no slashes the
1635 command first tries to read a file with the suffix '.prf' from the
1636 data directory ('gpgconf --list-dirs datadir') before it reads the
1637 file verbatim. A profile is divided into sections using the
1638 bracketed component name. Each section then lists the option which
1639 shall go into the respective configuration file.
1642 Update all configuration files with values taken from the global
1643 configuration file (usually '/etc/gnupg/gpgconf.conf').
1645 '--list-dirs [NAMES]'
1646 Lists the directories used by 'gpgconf'. One directory is listed
1647 per line, and each line consists of a colon-separated list where
1648 the first field names the directory type (for example 'sysconfdir')
1649 and the second field contains the percent-escaped directory.
1650 Although they are not directories, the socket file names used by
1651 'gpg-agent' and 'dirmngr' are printed as well. Note that the
1652 socket file names and the 'homedir' lines are the default names and
1653 they may be overridden by command line switches. If NAMES are
1654 given only the directories or file names specified by the list
1655 names are printed without any escaping.
1657 '--list-config [FILENAME]'
1658 List the global configuration file in a colon separated format. If
1659 FILENAME is given, check that file instead.
1661 '--check-config [FILENAME]'
1662 Run a syntax check on the global configuration file. If FILENAME
1663 is given, check that file instead.
1665 '--query-swdb PACKAGE_NAME [VERSION_STRING]'
1666 Returns the current version for PACKAGE_NAME and if VERSION_STRING
1667 is given also an indicator on whether an update is available. The
1668 actual file with the software version is automatically downloaded
1669 and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
1670 download the file too often and it does this by default only if it
1671 can be done via Tor. To force an update of that file this command
1674 gpg-connect-agent --dirmngr 'loadswdb --force' /bye
1676 '--reload [COMPONENT]'
1677 Reload all or the given component. This is basically the same as
1678 sending a SIGHUP to the component. Components which don't support
1679 reloading are ignored. Without COMPONENT or by using "all" for
1680 COMPONENT all components which are daemons are reloaded.
1682 '--launch [COMPONENT]'
1683 If the COMPONENT is not already running, start it. 'component'
1684 must be a daemon. This is in general not required because the
1685 system starts these daemons as needed. However, external software
1686 making direct use of 'gpg-agent' or 'dirmngr' may use this command
1687 to ensure that they are started. Using "all" for COMPONENT
1688 launches all components which are daemons.
1690 '--kill [COMPONENT]'
1691 Kill the given component that runs as a daemon, including
1692 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does
1693 not run as a daemon will be ignored. Using "all" for COMPONENT
1694 kills all components running as daemons. Note that as of now
1695 reload and kill have the same effect for 'scdaemon'.
1697 '--create-socketdir'
1698 Create a directory for sockets below /run/user or /var/run/user.
1699 This is command is only required if a non default home directory is
1700 used and the /run based sockets shall be used. For the default
1701 home directory GnUPG creates a directory on the fly.
1703 '--remove-socketdir'
1704 Remove a directory created with command '--create-socketdir'.
1706 The following options may be used:
1710 Write output to FILE. Default is to write to stdout.
1714 Outputs additional information while running. Specifically, this
1715 extends numerical field values by human-readable descriptions.
1719 Try to be as quiet as possible.
1722 Set the name of the home directory to DIR. If this option is not
1723 used, the home directory defaults to '~/.gnupg'. It is only
1724 recognized when given on the command line. It also overrides any
1725 home directory stated through the environment variable 'GNUPGHOME'
1726 or (on Windows systems) by means of the Registry entry
1727 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1729 On Windows systems it is possible to install GnuPG as a portable
1730 application. In this case only this command line option is
1731 considered, all other ways to set a home directory are ignored.
1733 To install GnuPG as a portable application under Windows, create an
1734 empty file named 'gpgconf.ctl' in the same directory as the tool
1735 'gpgconf.exe'. The root of the installation is then that
1736 directory; or, if 'gpgconf.exe' has been installed directly below a
1737 directory named 'bin', its parent directory. You also need to make
1738 sure that the following directories exist and are writable:
1739 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
1740 for internal cache files.
1744 Do not actually change anything. This is currently only
1745 implemented for '--change-options' and can be used for testing
1750 Only used together with '--change-options'. If one of the modified
1751 options can be changed in a running daemon process, signal the
1752 running daemon to ask it to reparse its configuration file after
1755 This means that the changes will take effect at run-time, as far as
1756 this is possible. Otherwise, they will take effect at the next
1757 start of the respective backend programs.
1760 Write special status strings to the file descriptor N. This
1761 program returns the status messages SUCCESS or FAILURE which are
1762 helpful when the caller uses a double fork approach and can't
1763 easily get the return code of the process.
1766 File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
1768 9.4.2 Format conventions
1769 ------------------------
1771 Some lines in the output of 'gpgconf' contain a list of colon-separated
1772 fields. The following conventions apply:
1774 * The GUI program is required to strip off trailing newline and/or
1775 carriage return characters from the output.
1777 * 'gpgconf' will never leave out fields. If a certain version
1778 provides a certain field, this field will always be present in all
1779 'gpgconf' versions from that time on.
1781 * Future versions of 'gpgconf' might append fields to the list. New
1782 fields will always be separated from the previously last field by a
1783 colon separator. The GUI should be prepared to parse the last
1784 field it knows about up until a colon or end of line.
1786 * Not all fields are defined under all conditions. You are required
1787 to ignore the content of undefined fields.
1789 There are several standard types for the content of a field:
1792 Some fields contain strings that are not escaped in any way. Such
1793 fields are described to be used _verbatim_. These fields will
1794 never contain a colon character (for obvious reasons). No
1795 de-escaping or other formatting is required to use the field
1796 content. This is for easy parsing of the output, when it is known
1797 that the content can never contain any special characters.
1800 Some fields contain strings that are described to be
1801 _percent-escaped_. Such strings need to be de-escaped before their
1802 content can be presented to the user. A percent-escaped string is
1803 de-escaped by replacing all occurrences of '%XY' by the byte that
1804 has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
1808 Some fields contain strings that are described to be _localized_.
1809 Such strings are translated to the active language and formatted in
1810 the active character set.
1813 Some fields contain an _unsigned number_. This number will always
1814 fit into a 32-bit unsigned integer variable. The number may be
1815 followed by a space, followed by a human readable description of
1816 that value (if the verbose option is used). You should ignore
1817 everything in the field that follows the number.
1820 Some fields contain a _signed number_. This number will always fit
1821 into a 32-bit signed integer variable. The number may be followed
1822 by a space, followed by a human readable description of that value
1823 (if the verbose option is used). You should ignore everything in
1824 the field that follows the number.
1827 Some fields contain a _boolean value_. This is a number with
1828 either the value 0 or 1. The number may be followed by a space,
1829 followed by a human readable description of that value (if the
1830 verbose option is used). You should ignore everything in the field
1831 that follows the number; checking just the first character is
1832 sufficient in this case.
1835 Some fields contain an _option_ argument. The format of an option
1836 argument depends on the type of the option and on some flags:
1839 The simplest case is that the option does not take an argument
1840 at all (TYPE '0'). Then the option argument is an unsigned
1841 number that specifies how often the option occurs. If the
1842 'list' flag is not set, then the only valid number is '1'.
1843 Options that do not take an argument never have the 'default'
1844 or 'optional arg' flag set.
1847 If the option takes a number argument (ALT-TYPE is '2' or
1848 '3'), and it can only occur once ('list' flag is not set),
1849 then the option argument is either empty (only allowed if the
1850 argument is optional), or it is a number. A number is a
1851 string that begins with an optional minus character, followed
1852 by one or more digits. The number must fit into an integer
1853 variable (unsigned or signed, depending on ALT-TYPE).
1856 If the option takes a number argument and it can occur more
1857 than once, then the option argument is either empty, or it is
1858 a comma-separated list of numbers as described above.
1861 If the option takes a string argument (ALT-TYPE is 1), and it
1862 can only occur once ('list' flag is not set) then the option
1863 argument is either empty (only allowed if the argument is
1864 optional), or it starts with a double quote character ('"')
1865 followed by a percent-escaped string that is the argument
1866 value. Note that there is only a leading double quote
1867 character, no trailing one. The double quote character is
1868 only needed to be able to differentiate between no value and
1869 the empty string as value.
1872 If the option takes a string argument and it can occur more
1873 than once, then the option argument is either empty, or it is
1874 a comma-separated list of string arguments as described above.
1876 The active language and character set are currently determined from
1877 the locale environment of the 'gpgconf' program.
1880 File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
1882 9.4.3 Listing components
1883 ------------------------
1885 The command '--list-components' will list all components that can be
1886 configured with 'gpgconf'. Usually, one component will correspond to
1887 one GnuPG-related program and contain the options of that program's
1888 configuration file that can be modified using 'gpgconf'. However, this
1889 is not necessarily the case. A component might also be a group of
1890 selected options from several programs, or contain entirely virtual
1891 options that have a special effect rather than changing exactly one
1892 option in one configuration file.
1894 A component is a set of configuration options that semantically
1895 belong together. Furthermore, several changes to a component can be
1896 made in an atomic way with a single operation. The GUI could for
1897 example provide a menu with one entry for each component, or a window
1898 with one tabulator sheet per component.
1900 The command '--list-components' lists all available components, one
1901 per line. The format of each line is:
1903 'NAME:DESCRIPTION:PGMNAME:'
1906 This field contains a name tag of the component. The name tag is
1907 used to specify the component in all communication with 'gpgconf'.
1908 The name tag is to be used _verbatim_. It is thus not in any
1912 The _string_ in this field contains a human-readable description of
1913 the component. It can be displayed to the user of the GUI for
1914 informational purposes. It is _percent-escaped_ and _localized_.
1917 The _string_ in this field contains the absolute name of the
1918 program's file. It can be used to unambiguously invoke that
1919 program. It is _percent-escaped_.
1922 $ gpgconf --list-components
1923 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
1924 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
1925 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
1926 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
1927 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
1930 File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
1932 9.4.4 Checking programs
1933 -----------------------
1935 The command '--check-programs' is similar to '--list-components' but
1936 works on backend programs and not on components. It runs each program
1937 to test whether it is installed and runnable. This also includes a
1938 syntax check of all config file options of the program.
1940 The command '--check-programs' lists all available programs, one per
1941 line. The format of each line is:
1943 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
1946 This field contains a name tag of the program which is identical to
1947 the name of the component. The name tag is to be used _verbatim_.
1948 It is thus not in any escaped format. This field may be empty to
1949 indicate a continuation of error descriptions for the last name.
1950 The description and pgmname fields are then also empty.
1953 The _string_ in this field contains a human-readable description of
1954 the component. It can be displayed to the user of the GUI for
1955 informational purposes. It is _percent-escaped_ and _localized_.
1958 The _string_ in this field contains the absolute name of the
1959 program's file. It can be used to unambiguously invoke that
1960 program. It is _percent-escaped_.
1963 The _boolean value_ in this field indicates whether the program is
1964 installed and runnable.
1967 The _boolean value_ in this field indicates whether the program's
1968 config file is syntactically okay.
1971 If an error occurred in the configuration file (as indicated by a
1972 false value in the field 'okay'), this field has the name of the
1973 failing configuration file. It is _percent-escaped_.
1976 If an error occurred in the configuration file, this field has the
1977 line number of the failing statement in the configuration file. It
1978 is an _unsigned number_.
1981 If an error occurred in the configuration file, this field has the
1982 error text of the failing statement in the configuration file. It
1983 is _percent-escaped_ and _localized_.
1985 In the following example the 'dirmngr' is not runnable and the
1986 configuration file of 'scdaemon' is not okay.
1988 $ gpgconf --check-programs
1989 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
1990 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
1991 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
1992 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
1993 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
1995 The command '--check-options COMPONENT' will verify the configuration
1996 file in the same manner as '--check-programs', but only for the
1997 component COMPONENT.
2000 File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
2002 9.4.5 Listing options
2003 ---------------------
2005 Every component contains one or more options. Options may be gathered
2006 into option groups to allow the GUI to give visual hints to the user
2007 about which options are related.
2009 The command '--list-options COMPONENT' lists all options (and the
2010 groups they belong to) in the component COMPONENT, one per line.
2011 COMPONENT must be the string in the field NAME in the output of the
2012 '--list-components' command.
2014 Take care if system-wide options are used: gpgconf may not be able to
2015 properly show the options and the listed options may have no actual
2016 effect in case the system-wide options enforced their own settings.
2018 There is one line for each option and each group. First come all
2019 options that are not in any group. Then comes a line describing a
2020 group. Then come all options that belong into each group. Then comes
2021 the next group and so on. There does not need to be any group (and in
2022 this case the output will stop after the last non-grouped option).
2024 The format of each line is:
2026 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
2029 This field contains a name tag for the group or option. The name
2030 tag is used to specify the group or option in all communication
2031 with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
2032 not in any escaped format.
2035 The flags field contains an _unsigned number_. Its value is the
2036 OR-wise combination of the following flag values:
2039 If this flag is set, this is a line describing a group and not
2042 The following flag values are only defined for options (that is, if
2043 the 'group' flag is not used).
2046 If this flag is set, the argument is optional. This is never
2047 set for TYPE '0' (none) options.
2050 If this flag is set, the option can be given multiple times.
2053 If this flag is set, the option can be changed at runtime.
2056 If this flag is set, a default value is available.
2059 If this flag is set, a (runtime) default is available. This
2060 and the 'default' flag are mutually exclusive.
2063 If this flag is set, and the 'optional arg' flag is set, then
2064 the option has a special meaning if no argument is given.
2067 If this flag is set, 'gpgconf' ignores requests to change the
2068 value. GUI frontends should grey out this option. Note, that
2069 manual changes of the configuration files are still possible.
2072 This field is defined for options and for groups. It contains an
2073 _unsigned number_ that specifies the expert level under which this
2074 group or option should be displayed. The following expert levels
2075 are defined for options (they have analogous meaning for groups):
2078 This option should always be offered to the user.
2081 This option may be offered to advanced users.
2084 This option should only be offered to expert users.
2087 This option should normally never be displayed, not even to
2091 This option is for internal use only. Ignore it.
2093 The level of a group will always be the lowest level of all options
2097 This field is defined for options and groups. The _string_ in this
2098 field contains a human-readable description of the option or group.
2099 It can be displayed to the user of the GUI for informational
2100 purposes. It is _percent-escaped_ and _localized_.
2103 This field is only defined for options. It contains an _unsigned
2104 number_ that specifies the type of the option's argument, if any.
2105 The following types are defined:
2110 No argument allowed.
2113 An _unformatted string_.
2119 An _unsigned number_.
2124 A _string_ that describes the pathname of a file. The file
2125 does not necessarily need to exist.
2128 A _string_ that describes an LDAP server in the format:
2130 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
2132 'key fingerprint (34)'
2133 A _string_ with a 40 digit fingerprint specifying a
2137 A _string_ that describes a certificate by user ID, key ID or
2141 A _string_ that describes a certificate with a key by user ID,
2142 key ID or fingerprint.
2145 A _string_ that describes an alias list, like the one used
2146 with gpg's group option. The list consists of a key, an equal
2147 sign and space separated values.
2149 More types will be added in the future. Please see the ALT-TYPE
2150 field for information on how to cope with unknown types.
2153 This field is identical to TYPE, except that only the types '0' to
2154 '31' are allowed. The GUI is expected to present the user the
2155 option in the format specified by TYPE. But if the argument type
2156 TYPE is not supported by the GUI, it can still display the option
2157 in the more generic basic type ALT-TYPE. The GUI must support all
2158 the defined basic types to be able to display all options. More
2159 basic types may be added in future versions. If the GUI encounters
2160 a basic type it doesn't support, it should report an error and
2161 abort the operation.
2164 This field is only defined for options with an argument type TYPE
2165 that is not '0'. In this case it may contain a _percent-escaped_
2166 and _localized string_ that gives a short name for the argument.
2167 The field may also be empty, though, in which case a short name is
2171 This field is defined only for options for which the 'default' or
2172 'default desc' flag is set. If the 'default' flag is set, its
2173 format is that of an _option argument_ (*note Format conventions::,
2174 for details). If the default value is empty, then no default is
2175 known. Otherwise, the value specifies the default value for this
2176 option. If the 'default desc' flag is set, the field is either
2177 empty or contains a description of the effect if the option is not
2181 This field is defined only for options for which the 'optional arg'
2182 flag is set. If the 'no arg desc' flag is not set, its format is
2183 that of an _option argument_ (*note Format conventions::, for
2184 details). If the default value is empty, then no default is known.
2185 Otherwise, the value specifies the default argument for this
2186 option. If the 'no arg desc' flag is set, the field is either
2187 empty or contains a description of the effect of this option if no
2191 This field is defined only for options. Its format is that of an
2192 _option argument_. If it is empty, then the option is not
2193 explicitly set in the current configuration, and the default
2194 applies (if any). Otherwise, it contains the current value of the
2195 option. Note that this field is also meaningful if the option
2196 itself does not take a real argument (in this case, it contains the
2197 number of times the option appears).
2200 File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
2202 9.4.6 Changing options
2203 ----------------------
2205 The command '--change-options COMPONENT' will attempt to change the
2206 options of the component COMPONENT to the specified values. COMPONENT
2207 must be the string in the field NAME in the output of the
2208 '--list-components' command. You have to provide the options that shall
2209 be changed in the following format on standard input:
2211 'NAME:FLAGS:NEW-VALUE'
2214 This is the name of the option to change. NAME must be the string
2215 in the field NAME in the output of the '--list-options' command.
2218 The flags field contains an _unsigned number_. Its value is the
2219 OR-wise combination of the following flag values:
2222 If this flag is set, the option is deleted and the default
2223 value is used instead (if applicable).
2226 The new value for the option. This field is only defined if the
2227 'default' flag is not set. The format is that of an _option
2228 argument_. If it is empty (or the field is omitted), the default
2229 argument is used (only allowed if the argument is optional for this
2230 option). Otherwise, the option will be set to the specified value.
2232 The output of the command is the same as that of '--check-options' for
2233 the modified configuration file.
2237 To set the force option, which is of basic type 'none (0)':
2239 $ echo 'force:0:1' | gpgconf --change-options dirmngr
2241 To delete the force option:
2243 $ echo 'force:16:' | gpgconf --change-options dirmngr
2245 The '--runtime' option can influence when the changes take effect.
2248 File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
2250 9.4.7 Listing global options
2251 ----------------------------
2253 Sometimes it is useful for applications to look at the global options
2254 file 'gpgconf.conf'. The colon separated listing format is record
2255 oriented and uses the first field to identify the record type:
2258 This describes a key record to start the definition of a new
2259 ruleset for a user/group. The format of a key record is:
2264 This is the user field of the key. It is percent escaped.
2265 See the definition of the gpgconf.conf format for details.
2268 This is the group field of the key. It is percent escaped.
2271 This describes a rule record. All rule records up to the next key
2272 record make up a rule set for that key. The format of a rule
2275 'r:::COMPONENT:OPTION:FLAG:VALUE:'
2278 This is the component part of a rule. It is a plain string.
2281 This is the option part of a rule. It is a plain string.
2284 This is the flags part of a rule. There may be only one flag
2285 per rule but by using the same component and option, several
2286 flags may be assigned to an option. It is a plain string.
2289 This is the optional value for the option. It is a percent
2290 escaped string with a single quotation mark to indicate a
2291 string. The quotation mark is only required to distinguish
2292 between no value specified and an empty string.
2294 Unknown record types should be ignored. Note that there is
2295 intentionally no feature to change the global option file through
2299 File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
2301 9.4.8 Get and compare software versions.
2302 ----------------------------------------
2304 The GnuPG Project operates a server to query the current versions of
2305 software packages related to GnuPG. 'gpgconf' can be used to access this
2306 online database. To allow for offline operations, this feature works by
2307 having 'dirmngr' download a file from 'https://versions.gnupg.org',
2308 checking the signature of that file and storing the file in the GnuPG
2309 home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
2310 ask 'dirmngr' to refresh that file before itself uses the file.
2312 The command '--query-swdb' returns information for the given package
2313 in a colon delimited format:
2316 This is the name of the package as requested. Note that "gnupg" is
2317 a special name which is replaced by the actual package implementing
2318 this version of GnuPG. For this name it is also not required to
2319 specify a version because 'gpgconf' takes its own version in this
2323 The currently installed version or an empty string. The value is
2324 taken from the command line argument but may be provided by gpg if
2328 The status of the software package according to this table:
2330 No information available. This is either because no current
2331 version has been specified or due to an error.
2333 The given name is not known in the online database.
2335 An update of the software is available.
2337 The installed version of the software is current.
2339 The installed version is already newer than the released
2343 If the value (the empty string should be considered as zero) is
2344 greater than zero an important update is available.
2347 This returns an 'gpg-error' error code to distinguish between
2348 various failure modes.
2351 This gives the date of the file with the version numbers in
2352 standard ISO format ('yyyymmddThhmmss'). The date has been
2353 extracted by 'dirmngr' from the signature of the file.
2356 This gives the date in ISO format the file was downloaded. This
2357 value can be used to evaluate the freshness of the information.
2360 This returns the version string for the requested software from the
2364 This returns the release date in ISO format.
2367 This returns the size of the package as decimal number of bytes.
2370 This returns a hexified SHA-2 hash of the package.
2372 More fields may be added in future to the output.
2375 File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
2377 9.4.9 Files used by gpgconf
2378 ---------------------------
2380 '/etc/gnupg/gpgconf.conf'
2381 If this file exists, it is processed as a global configuration
2382 file. A commented example can be found in the 'examples' directory
2383 of the distribution.
2385 'GNUPGHOME/swdb.lst'
2386 A file with current software versions. 'dirmngr' creates this file
2387 on demand from an online resource.
2390 File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
2392 9.5 Run gpgconf for all users
2393 =============================
2395 This script is a wrapper around 'gpgconf' to run it with the command
2396 '--apply-defaults' for all real users with an existing GnuPG home
2397 directory. Admins might want to use this script to update he GnuPG
2398 configuration files for all users after '/etc/gnupg/gpgconf.conf' has
2399 been changed. This allows enforcing certain policies for all users.
2400 Note, that this is not a bulletproof way to force a user to use certain
2401 options. A user may always directly edit the configuration files and
2404 'applygnupgdefaults' is invoked by root as:
2409 File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
2411 9.6 Put a passphrase into the cache
2412 ===================================
2414 The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
2415 running 'gpg-agent' with passphrases. It is mainly useful for
2416 unattended machines, where the usual 'pinentry' tool may not be used and
2417 the passphrases for the to be used keys are given at machine startup.
2419 This program works with GnuPG 2 and later. GnuPG 1.x is not
2422 Passphrases set with this utility don't expire unless the '--forget'
2423 option is used to explicitly clear them from the cache -- or 'gpg-agent'
2424 is either restarted or reloaded (by sending a SIGHUP to it). Note that
2425 the maximum cache time as set with '--max-cache-ttl' is still honored.
2426 It is necessary to allow this passphrase presetting by starting
2427 'gpg-agent' with the '--allow-preset-passphrase'.
2431 * Invoking gpg-preset-passphrase:: List of all commands and options.
2434 File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
2436 9.6.1 List of all commands and options
2437 --------------------------------------
2439 'gpg-preset-passphrase' is invoked this way:
2441 gpg-preset-passphrase [options] [command] CACHEID
2443 CACHEID is either a 40 character keygrip of hexadecimal characters
2444 identifying the key for which the passphrase should be set or cleared.
2445 The keygrip is listed along with the key when running the command:
2446 'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary
2447 string may be used to identify a passphrase; it is suggested that such a
2448 string is prefixed with the name of the application (e.g 'foo:12346').
2449 Scripts should always use the option '--with-colons', which provides the
2450 keygrip in a "grp" line (cf. 'doc/DETAILS')/
2452 One of the following command options must be given:
2455 Preset a passphrase. This is what you usually will use.
2456 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
2459 Flush the passphrase for the given cache ID from the cache.
2461 The following additional options may be used:
2465 Output additional information while running.
2468 '--passphrase STRING'
2469 Instead of reading the passphrase from 'stdin', use the supplied
2470 STRING as passphrase. Note that this makes the passphrase visible
2474 File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
2476 9.7 Communicate with a running agent
2477 ====================================
2479 The 'gpg-connect-agent' is a utility to communicate with a running
2480 'gpg-agent'. It is useful to check out the commands 'gpg-agent'
2481 provides using the Assuan interface. It might also be useful for
2482 scripting simple applications. Input is expected at stdin and output
2483 gets printed to stdout.
2485 It is very similar to running 'gpg-agent' in server mode; but here we
2486 connect to a running instance.
2490 * Invoking gpg-connect-agent:: List of all options.
2491 * Controlling gpg-connect-agent:: Control commands.
2494 File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
2496 9.7.1 List of all options
2497 -------------------------
2499 'gpg-connect-agent' is invoked this way:
2501 gpg-connect-agent [options] [commands]
2503 The following options may be used:
2507 Output additional information while running.
2511 Try to be as quiet as possible.
2514 Set the name of the home directory to DIR. If this option is not
2515 used, the home directory defaults to '~/.gnupg'. It is only
2516 recognized when given on the command line. It also overrides any
2517 home directory stated through the environment variable 'GNUPGHOME'
2518 or (on Windows systems) by means of the Registry entry
2519 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2521 On Windows systems it is possible to install GnuPG as a portable
2522 application. In this case only this command line option is
2523 considered, all other ways to set a home directory are ignored.
2525 To install GnuPG as a portable application under Windows, create an
2526 empty file named 'gpgconf.ctl' in the same directory as the tool
2527 'gpgconf.exe'. The root of the installation is then that
2528 directory; or, if 'gpgconf.exe' has been installed directly below a
2529 directory named 'bin', its parent directory. You also need to make
2530 sure that the following directories exist and are writable:
2531 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
2532 for internal cache files.
2534 '--agent-program FILE'
2535 Specify the agent program to be started if none is running. The
2536 default value is determined by running 'gpgconf' with the option
2537 '--list-dirs'. Note that the pipe symbol ('|') is used for a
2538 regression test suite hack and may thus not be used in the file
2541 '--dirmngr-program FILE'
2542 Specify the directory manager (keyserver client) program to be
2543 started if none is running. This has only an effect if used
2544 together with the option '--dirmngr'.
2547 Connect to a running directory manager (keyserver client) instead
2548 of to the gpg-agent. If a dirmngr is not running, start it.
2552 Connect to socket NAME assuming this is an Assuan style server. Do
2553 not run any special initializations or environment checks. This
2554 may be used to directly connect to any Assuan style socket server.
2558 Take the rest of the command line as a program and it's arguments
2559 and execute it as an Assuan server. Here is how you would run
2561 gpg-connect-agent --exec gpgsm --server
2562 Note that you may not use options on the command line in this case.
2565 When using '-S' or '--exec', 'gpg-connect-agent' connects to the
2566 Assuan server in extended mode to allow descriptor passing. This
2567 option makes it use the old mode.
2570 Do not start the gpg-agent or the dirmngr if it has not yet been
2575 Run the commands from FILE at startup and then continue with the
2576 regular input method. Note, that commands given on the command
2577 line are executed after this file.
2581 Run the command '/subst' at startup.
2584 Print data lines in a hex format and the ASCII representation of
2585 non-control characters.
2588 Decode data lines. That is to remove percent escapes but make sure
2589 that a new line always starts with a D and a space.
2592 File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
2594 9.7.2 Control commands
2595 ----------------------
2597 While reading Assuan commands, gpg-agent also allows a few special
2598 commands to control its operation. These control commands all start
2605 Set the variable NAME to VALUE. Variables are only substituted on
2606 the input if the '/subst' has been used. Variables are referenced
2607 by prefixing the name with a dollar sign and optionally include the
2608 name in curly braces. The rules for a valid name are identically
2609 to those of the standard bourne shell. This is not yet enforced
2610 but may be in the future. When used with curly braces no leading
2611 or trailing white space is allowed.
2613 If a variable is not found, it is searched in the environment and
2614 if found copied to the table of variables.
2616 Variable functions are available: The name of the function must be
2617 followed by at least one space and the at least one argument. The
2618 following functions are available:
2621 Return a value described by the argument. Available arguments
2625 The current working directory.
2629 GnuPG's system configuration directory.
2631 GnuPG's binary directory.
2633 GnuPG's library directory.
2635 GnuPG's library directory for executable files.
2637 GnuPG's data directory.
2639 The PID of the current server. Command '/serverpid' must
2640 have been given to return a useful value.
2643 Remove C-style escapes from ARGS. Note that '\0' and '\x00'
2644 terminate the returned string implicitly. The string to be
2645 converted are the entire arguments right behind the delimiting
2646 space of the function name.
2650 Remove percent style escaping from ARGS. Note that '%00'
2651 terminates the string implicitly. The string to be converted
2652 are the entire arguments right behind the delimiting space of
2653 the function name. 'unpercent+' also maps plus signs to a
2658 Escape the ARGS using percent style escaping. Tabs,
2659 formfeeds, linefeeds, carriage returns and colons are escaped.
2660 'percent+' also maps spaces to plus signs.
2665 Assume ARG is an integer and evaluate it using 'strtol'.
2666 Return the gpg-error error code, error source or a formatted
2667 string with the error code and error source.
2674 Evaluate all arguments as long integers using 'strtol' and
2675 apply this operator. A division by zero yields an empty
2681 Evaluate all arguments as long integers using 'strtol' and
2682 apply the logical operators NOT, OR or AND. The NOT operator
2683 works on the last argument only.
2686 Use content of the variable VAR for inquiries with NAME. NAME may
2687 be an asterisk ('*') to match any inquiry.
2689 '/definqfile NAME FILE'
2690 Use content of FILE for inquiries with NAME. NAME may be an
2691 asterisk ('*') to match any inquiry.
2693 '/definqprog NAME PROG'
2694 Run PROG for inquiries matching NAME and pass the entire line to it
2695 as command line arguments.
2698 Write all data lines from the server to the file NAME. The file is
2699 opened for writing and created if it does not exists. An existing
2700 file is first truncated to 0. The data written to the file fully
2701 decoded. Using a single dash for NAME writes to stdout. The file
2702 is kept open until a new file is set using this command or this
2703 command is used without an argument.
2706 Print all definitions
2709 Delete all definitions
2712 Open FILE in MODE (which needs to be a valid 'fopen' mode string)
2713 and send the file descriptor to the server. This is usually
2714 followed by a command like 'INPUT FD' to set the input source for
2718 Not yet implemented.
2720 '/open VAR FILE [MODE]'
2721 Open FILE and assign the file descriptor to VAR. Warning: This
2722 command is experimental and might change in future versions.
2725 Close the file descriptor FD. Warning: This command is
2726 experimental and might change in future versions.
2729 Show a list of open files.
2732 Send the Assuan command 'GETINFO pid' to the server and store the
2733 returned PID for internal purposes.
2740 Same as the command line option '--hex'.
2744 Same as the command line option '--decode'.
2748 Enable and disable variable substitution. It defaults to disabled
2749 unless the command line option '--subst' has been used. If /subst
2750 as been enabled once, leading whitespace is removed from input
2751 lines which makes scripts easier to read.
2755 These commands provide a way for executing loops. All lines
2756 between the 'while' and the corresponding 'end' are executed as
2757 long as the evaluation of CONDITION yields a non-zero value or is
2758 the string 'true' or 'yes'. The evaluation is done by passing
2759 CONDITION to the 'strtol' function. Example:
2764 /echo loop counter is $i
2770 These commands provide a way for conditional execution. All lines
2771 between the 'if' and the corresponding 'end' are executed only if
2772 the evaluation of CONDITION yields a non-zero value or is the
2773 string 'true' or 'yes'. The evaluation is done by passing
2774 CONDITION to the 'strtol' function.
2777 Run commands from FILE.
2780 Terminate the connection and the program.
2783 Print a list of available control commands.
2786 File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
2788 9.8 The Dirmngr Client Tool
2789 ===========================
2791 The 'dirmngr-client' is a simple tool to contact a running dirmngr and
2792 test whether a certificate has been revoked -- either by being listed in
2793 the corresponding CRL or by running the OCSP protocol. If no dirmngr is
2794 running, a new instances will be started but this is in general not a
2795 good idea due to the huge performance overhead.
2797 The usual way to run this tool is either:
2799 dirmngr-client ACERT
2803 dirmngr-client <ACERT
2805 Where ACERT is one DER encoded (binary) X.509 certificates to be
2806 tested. The return value of this command is
2809 The certificate under question is valid; i.e. there is a valid CRL
2810 available and it is not listed there or the OCSP request returned
2811 that that certificate is valid.
2814 The certificate has been revoked
2816 '2 (and other values)'
2817 There was a problem checking the revocation state of the
2818 certificate. A message to stderr has given more detailed
2819 information. Most likely this is due to a missing or expired CRL
2820 or due to a network problem.
2822 'dirmngr-client' may be called with the following options:
2825 Print the program version and licensing information. Note that you
2826 cannot abbreviate this command.
2829 Print a usage message summarizing the most useful command-line
2830 options. Note that you cannot abbreviate this command.
2833 Make the output extra brief by suppressing any informational
2838 Outputs additional information while running. You can increase the
2839 verbosity by giving several verbose commands to DIRMNGR, such as
2843 Assume that the given certificate is in PEM (armored) format.
2846 Do the check using the OCSP protocol and ignore any CRLs.
2848 '--force-default-responder'
2849 When checking using the OCSP protocol, force the use of the default
2850 OCSP responder. That is not to use the Reponder as given by the
2854 Check whether the dirmngr daemon is up and running.
2857 Put the given certificate into the cache of a running dirmngr.
2858 This is mainly useful for debugging.
2861 Validate the given certificate using dirmngr's internal validation
2862 code. This is mainly useful for debugging.
2865 This command expects a list of filenames with DER encoded CRL
2866 files. With the option '--url' URLs are expected in place of
2867 filenames and they are loaded directly from the given location.
2868 All CRLs will be validated and then loaded into dirmngr's cache.
2871 Take the remaining arguments and run a lookup command on each of
2872 them. The results are Base-64 encoded outputs (without header
2873 lines). This may be used to retrieve certificates from a server.
2874 However the output format is not very well suited if more than one
2875 certificate is returned.
2879 Modify the 'lookup' and 'load-crl' commands to take an URL.
2883 Let the 'lookup' command only search the local cache.
2886 Run DIRMNGR-CLIENT in a mode suitable as a helper program for
2887 Squid's 'external_acl_type' option.
2890 File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools
2892 9.9 Parse a mail message into an annotated format
2893 =================================================
2895 The 'gpgparsemail' is a utility currently only useful for debugging.
2896 Run it with '--help' for usage information.
2899 File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools
2901 9.10 Encrypt or sign files into an archive
2902 ==========================================
2904 'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar
2905 using the same format as used by PGP's PGP Zip.
2907 'gpgtar' is invoked this way:
2909 gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
2911 'gpgtar' understands these options:
2914 Put given files and directories into a vanilla "ustar" archive.
2917 Extract all files from a vanilla "ustar" archive.
2921 Encrypt given files and directories into an archive. This option
2922 may be combined with option '--symmetric' for an archive that may
2923 be decrypted via a secret key or a passphrase.
2927 Extract all files from an encrypted archive.
2931 Make a signed archive from the given files and directories. This
2932 can be combined with option '--encrypt' to create a signed and then
2937 List the contents of the specified archive.
2941 Encrypt with a symmetric cipher using a passphrase. The default
2942 symmetric cipher used is AES-128, but may be chosen with the
2943 '--cipher-algo' option to 'gpg'.
2947 Encrypt for user id USER. For details see 'gpg'.
2951 Use USER as the key to sign with. For details see 'gpg'.
2955 Write the archive to the specified file FILE.
2959 Enable extra informational output.
2963 Try to be as quiet as possible.
2966 Skip all crypto operations and create or extract vanilla "ustar"
2970 Do not actually output the extracted files.
2974 Extract the files into the directory DIR. The default is to take
2975 the directory name from the input filename. If no input filename
2976 is known a directory named 'GPGARCH' is used. For tarball
2977 creation, switch to directory DIR before performing any operations.
2981 Take the file names to work from the file FILE; one file per line.
2984 Modify option '--files-from' to use a binary nul instead of a
2985 linefeed to separate file names.
2988 Assume that the file names read by '--files-from' are UTF-8
2989 encoded. This option has an effect only on Windows where the
2990 active code page is otherwise assumed.
2993 This option has no effect because OpenPGP encryption and signing is
2997 This option is reserved and shall not be used. It will eventually
2998 be used to encrypt or sign using the CMS protocol; but that is not
3001 '--set-filename FILE'
3002 Use the last component of FILE as the output directory. The
3003 default is to take the directory name from the input filename. If
3004 no input filename is known a directory named 'GPGARCH' is used.
3005 This option is deprecated in favor of option '--directory'.
3008 Use the specified command GPGCMD instead of 'gpg'.
3011 Pass the specified extra options to 'gpg'.
3014 Assume ARGS are standard options of the command 'tar' and parse
3015 them. The only supported tar options are "-directory",
3016 "-files-from", and "-null" This is an obsolete options because
3017 those supported tar options can also be given directly.
3020 Print version of the program and exit.
3023 Display a brief help page and exit.
3025 The program returns 0 if everything was fine, 1 otherwise.
3029 Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
3031 gpgtar --encrypt --output test1 -r Bob mydocs
3033 List the contents of archive 'test1':
3035 gpgtar --list-archive test1
3038 File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools
3040 9.11 Check a passphrase on stdin against the patternfile
3041 ========================================================
3043 'gpg-check-pattern' checks a passphrase given on stdin against a
3044 specified pattern file.
3046 The pattern file is line based with comment lines beginning on the
3047 _first_ position with a '#'. Empty lines and lines with only white
3048 spaces are ignored. The actual pattern lines may either be verbatim
3049 string pattern and match as they are (trailing spaces are ignored) or
3050 extended regular expressions indicated by a '/' or '!/' in the first
3051 column and terminated by another '/' or end of line. If a regular
3052 expression starts with '!/' the match result is reversed. By default
3053 all comparisons are case insensitive.
3055 Tag lines may be used to further control the operation of this tool.
3056 The currently defined tags are:
3059 Switch to case insensitive comparison for all further patterns.
3060 This is the default.
3063 Switch to case sensitive comparison for all further patterns.
3066 Switch to reject mode. This is the default mode.
3069 Switch to accept mode.
3071 In the future more tags may be introduced and thus it is advisable
3072 not to start a plain pattern string with an open bracket. The tags must
3073 be given verbatim on the line with no spaces to the left or any non
3074 white space characters to the right.
3076 In reject mode the program exits on the first match with an exit code
3077 of 1 (failure). If at the end of the pattern list the reject mode is
3078 still active the program exits with code 0 (success).
3080 In accept mode blocks of patterns are used. A block starts at the
3081 next pattern after an "accept" tag and ends with the last pattern before
3082 the next "accept" or "reject" tag or at the end of the pattern list. If
3083 all patterns in a block match the program exits with an exit code of 0
3084 (success). If any pattern in a block do not match the next pattern
3085 block is evaluated. If at the end of the pattern list the accept mode
3086 is still active the program exits with code 1 (failure).
3090 Enable extra informational output.
3093 Run only a syntax check on the patternfile.
3096 Input is expected to be null delimited.
3099 File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top
3104 GnuPG comes with tools used to maintain and access a Web Key Directory.
3108 * gpg-wks-client:: Send requests via WKS
3109 * gpg-wks-server:: Server to provide the WKS.
3112 File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service
3114 10.1 Send requests via WKS
3115 ==========================
3117 The 'gpg-wks-client' is used to send requests to a Web Key Service
3118 provider. This is usually done to upload a key into a Web Key
3121 With the '--supported' command the caller can test whether a site
3122 supports the Web Key Service. The argument is an arbitrary address in
3123 the to be tested domain. For example 'foo@example.net'. The command
3124 returns success if the Web Key Service is supported. The operation is
3125 silent; to get diagnostic output use the option '--verbose'. See option
3126 '--with-colons' for a variant of this command.
3128 With the '--check' command the caller can test whether a key exists
3129 for a supplied mail address. The command returns success if a key is
3132 The '--create' command is used to send a request for publication in
3133 the Web Key Directory. The arguments are the fingerprint of the key and
3134 the user id to publish. The output from the command is a properly
3135 formatted mail with all standard headers. This mail can be fed to
3136 'sendmail(8)' or any other tool to actually send that mail. If
3137 'sendmail(8)' is installed the option '--send' can be used to directly
3138 send the created request. If the provider request a 'mailbox-only' user
3139 id and no such user id is found, 'gpg-wks-client' will try an additional
3142 The '--receive' and '--read' commands are used to process
3143 confirmation mails as send from the service provider. The former
3144 expects an encrypted MIME messages, the latter an already decrypted MIME
3145 message. The result of these commands are another mail which can be
3146 send in the same way as the mail created with '--create'.
3148 The command '--install-key' manually installs a key into a local
3149 directory (see option '-C') reflecting the structure of a WKD. The
3150 arguments are a file with the keyblock and the user-id to install. If
3151 the first argument resembles a fingerprint the key is taken from the
3152 current keyring; to force the use of a file, prefix the first argument
3153 with "./". If no arguments are given the parameters are read from
3154 stdin; the expected format are lines with the fingerprint and the
3155 mailbox separated by a space. The command '--remove-key' removes a key
3156 from that directory, its only argument is a user-id.
3158 The command '--print-wkd-hash' prints the WKD user-id identifiers and
3159 the corresponding mailboxes from the user-ids given on the command line
3160 or via stdin (one user-id per line).
3162 The command '--print-wkd-url' prints the URLs used to fetch the key
3163 for the given user-ids from WKD. The meanwhile preferred format with
3164 sub-domains is used here.
3166 'gpg-wks-client' is not commonly invoked directly and thus it is not
3167 installed in the bin directory. Here is an example how it can be
3168 invoked manually to check for a Web Key Directory entry for
3171 $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net
3173 'gpg-wks-client' understands these options:
3176 Directly send created mails using the 'sendmail' command. Requires
3177 installation of that command.
3180 This option has currently only an effect on the '--supported'
3181 command. If it is used all arguments on the command line are taken
3182 as domain names and tested for WKD support. The output format is
3183 one line per domain with colon delimited fields. The currently
3184 specified fields are (future versions may specify additional
3188 This is the domain name. Although quoting is not required for
3189 valid domain names this field is specified to be quoted in
3193 If the value is true the domain supports the Web Key
3197 If the value is true the domain supports the Web Key Service
3198 protocol to upload keys to the directory.
3201 This may contain an gpg-error code to describe certain
3202 failures. Use 'gpg-error CODE' to explain the code.
3204 5 - protocol-version
3205 The minimum protocol version supported by the server.
3208 The auth-submit flag from the policy file of the server.
3211 The mailbox-only flag from the policy file of the server.
3215 Write the created mail to FILE instead of stdout. Note that the
3216 value '-' for FILE is the same as writing to stdout.
3219 Write special status strings to the file descriptor N. This
3220 program returns only the status messages SUCCESS or FAILURE which
3221 are helpful when the caller uses a double fork approach and can't
3222 easily get the return code of the process.
3226 Use DIR as top level directory for the commands '--install-key' and
3227 '--remove-key'. The default is 'openpgpkey'.
3230 Enable extra informational output.
3233 Disable almost all informational output.
3236 Print version of the program and exit.
3239 Display a brief help page and exit.
3242 File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service
3244 10.2 Provide the Web Key Service
3245 ================================
3247 The 'gpg-wks-server' is a server site implementation of the Web Key
3248 Service. It receives requests for publication, sends confirmation
3249 requests, receives confirmations, and published the key. It also has
3250 features to ease the setup and maintenance of a Web Key Directory.
3252 When used with the command '--receive' a single Web Key Service mail
3253 is processed. Commonly this command is used with the option '--send' to
3254 directly send the crerated mails back. See below for an installation
3257 The command '--cron' is used for regualr cleanup tasks. For example
3258 non-confirmed requested should be removed after their expire time. It
3259 is best to run this command once a day from a cronjob.
3261 The command '--list-domains' prints all configured domains. Further
3262 it creates missing directories for the configuration and prints warnings
3263 pertaining to problems in the configuration.
3265 The command '--check-key' (or just '--check') checks whether a key
3266 with the given user-id is installed. The process returns success in
3267 this case; to also print a diagnostic use the option '-v'. If the key
3268 is not installed a diagnostic is printed and the process returns
3269 failure; to suppress the diagnostic, use option '-q'. More than one
3270 user-id can be given; see also option 'with-file'.
3272 The command '--install-key' manually installs a key into the WKD. The
3273 arguments are a file with the keyblock and the user-id to install. If
3274 the first argument resembles a fingerprint the key is taken from the
3275 current keyring; to force the use of a file, prefix the first argument
3276 with "./". If no arguments are given the parameters are read from
3277 stdin; the expected format are lines with the fingerprint and the
3278 mailbox separated by a space.
3280 The command '--remove-key' uninstalls a key from the WKD. The process
3281 returns success in this case; to also print a diagnostic, use option
3282 '-v'. If the key is not installed a diagnostic is printed and the
3283 process returns failure; to suppress the diagnostic, use option '-q'.
3285 The command '--revoke-key' is not yet functional.
3287 'gpg-wks-server' understands these options:
3291 Use DIR as top level directory for domains. The default is
3292 '/var/lib/gnupg/wks'.
3295 Use MAILADDR as the default sender address.
3297 '--header NAME=VALUE'
3298 Add the mail header "NAME: VALUE" to all outgoing mails.
3301 Directly send created mails using the 'sendmail' command. Requires
3302 installation of that command.
3306 Write the created mail also to FILE. Note that the value '-' for
3307 FILE would write it to stdout.
3310 When used with the command '--list-domains' print for each
3311 installed domain the domain name and its directory name.
3314 When used with the command '--check-key' print for each user-id,
3315 the address, 'i' for installed key or 'n' for not installed key,
3319 Enable extra informational output.
3322 Disable almost all informational output.
3325 Print version of the program and exit.
3328 Display a brief help page and exit.
3334 The Web Key Service requires a working directory to store keys pending
3335 for publication. As root create a working directory:
3337 # mkdir /var/lib/gnupg/wks
3338 # chown webkey:webkey /var/lib/gnupg/wks
3339 # chmod 2750 /var/lib/gnupg/wks
3341 Then under your webkey account create directories for all your
3342 domains. Here we do it for "example.net":
3344 $ mkdir /var/lib/gnupg/wks/example.net
3348 $ gpg-wks-server --list-domains
3350 to create the required sub-directories with the permissions set
3351 correctly. For each domain a submission address needs to be configured.
3352 All service mails are directed to that address. It can be the same
3353 address for all configured domains, for example:
3355 $ cd /var/lib/gnupg/wks/example.net
3356 $ echo key-submission@example.net >submission-address
3358 The protocol requires that the key to be published is send with an
3359 encrypted mail to the service. Thus you need to create a key for the
3362 $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
3363 $ gpg -K key-submission@example.net
3365 The output of the last command looks similar to this:
3367 sec rsa2048 2016-08-30 [SC]
3368 C0FCF8642D830C53246211400346653590B3795B
3369 uid [ultimate] key-submission@example.net
3370 ssb rsa2048 2016-08-30 [E]
3372 Take the fingerprint from that output and manually publish the key:
3374 $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
3375 > key-submission@example.net
3377 Finally that submission address needs to be redirected to a script
3378 running 'gpg-wks-server'. The 'procmail' command can be used for this:
3379 Redirect the submission address to the user "webkey" and put this into
3380 webkey's '.procmailrc':
3383 * !^From: webkey@example.net
3384 * !^X-WKS-Loop: webkey.example.net
3385 |gpg-wks-server -v --receive \
3386 --header X-WKS-Loop=webkey.example.net \
3387 --from webkey@example.net --send
3390 File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top
3392 11 How to do certain things
3393 ***************************
3395 This is a collection of small howto documents.
3399 * Howto Create a Server Cert:: Creating a TLS server certificate.
3402 File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
3404 11.1 Creating a TLS server certificate
3405 ======================================
3407 Here is a brief run up on how to create a server certificate. It has
3408 actually been done this way to get a certificate from CAcert to be used
3409 on a real server. It has only been tested with this CA, but there
3410 shouldn't be any problem to run this against any other CA.
3412 We start by generating an X.509 certificate signing request. As
3413 there is no need for a configuration file, you may simply enter:
3415 $ gpgsm --generate-key >example.com.cert-req.pem
3416 Please select what kind of key you want:
3419 (3) Existing key from card
3422 I opted for creating a new RSA key. The other option is to use an
3423 already existing key, by selecting '2' and entering the so-called
3424 keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
3425 this keygrip. Using '3' offers another menu to create a certificate
3426 directly from a smart card based key.
3430 What keysize do you want? (3072)
3431 Requested keysize is 3072 bits
3433 Hitting enter chooses the default RSA key size of 3072 bits. Keys
3434 smaller than 2048 bits are too weak on the modern Internet. If you
3435 choose a larger (stronger) key, your server will need to do more work.
3437 Possible actions for a RSA key:
3443 Selecting "sign" enables use of the key for Diffie-Hellman key
3444 exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
3445 they offer forward secrecy. Selecting "encrypt" enables RSA key
3446 exchange mechanisms, which are still common in some places. Selecting
3447 both enables both key exchange mechanisms.
3449 Now for some real data:
3451 Enter the X.509 subject name: CN=example.com
3453 This is the most important value for a server certificate. Enter
3454 here the canonical name of your server machine. You may add other
3455 virtual server names later.
3457 E-Mail addresses (end with an empty line):
3460 We don't need email addresses in a TLS server certificate and CAcert
3461 would anyway ignore such a request. Thus just hit enter.
3463 If you want to create a client certificate for email encryption, this
3464 would be the place to enter your mail address (e.g. <joe@example.org>).
3465 You may enter as many addresses as you like, however the CA may not
3466 accept them all or reject the entire request.
3468 Enter DNS names (optional; end with an empty line):
3473 Here I entered the names of the services which the machine actually
3474 provides. You almost always want to include the canonical name here
3475 too. The browser will accept a certificate for any of these names. As
3476 usual the CA must approve all of these names.
3478 URIs (optional; end with an empty line):
3481 It is possible to insert arbitrary URIs into a certificate; for a
3482 server certificate this does not make sense.
3484 Create self-signed certificate? (y/N)
3486 Since we are creating a certificate signing request, and not a full
3487 certificate, we answer no here, or just hit enter for the default.
3489 We have now entered all required information and 'gpgsm' will display
3490 what it has gathered and ask whether to create the certificate request:
3492 These parameters are used:
3495 Key-Usage: sign, encrypt
3496 Name-DN: CN=example.com
3497 Name-DNS: example.com
3498 Name-DNS: www.example.com
3500 Proceed with creation? (y/N) y
3502 'gpgsm' will now start working on creating the request. As this
3503 includes the creation of an RSA key it may take a while. During this
3504 time you will be asked 3 times for a passphrase to protect the created
3505 private key on your system. A pop up window will appear to ask for it.
3506 The first two prompts are for the new passphrase and for re-entering it;
3507 the third one is required to actually create the certificate signing
3510 When it is ready, you should see the final notice:
3512 Ready. You should now send this request to your CA.
3514 Now, you may look at the created request:
3516 $ cat example.com.cert-req.pem
3517 -----BEGIN CERTIFICATE REQUEST-----
3518 MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
3519 DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
3520 h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
3521 Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
3522 GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
3523 DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
3524 xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
3525 hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
3526 ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
3527 b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
3528 hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
3529 bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
3530 VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
3531 k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
3532 -----END CERTIFICATE REQUEST-----
3535 You may now proceed by logging into your account at the CAcert
3536 website, choose 'Server Certificates - New', check 'sign by class 3 root
3537 certificate', paste the above request block into the text field and
3540 If everything works out fine, a certificate will be shown. Now run
3544 and paste the certificate from the CAcert page into your terminal
3545 followed by a Ctrl-D
3547 -----BEGIN CERTIFICATE-----
3548 MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
3550 rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
3552 -----END CERTIFICATE-----
3553 gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
3554 gpgsm: certificate imported
3556 gpgsm: total number processed: 1
3559 'gpgsm' tells you that it has imported the certificate. It is now
3560 associated with the key you used when creating the request. The root
3561 certificate has not been found, so you may want to import it from the
3564 To see the content of your certificate, you may now enter:
3566 $ gpgsm -K example.com
3567 /home/foo/.gnupg/pubring.kbx
3568 ---------------------------
3570 Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
3571 Subject: /CN=example.com
3572 aka: (dns-name example.com)
3573 aka: (dns-name www.example.com)
3574 validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
3575 key type: 3072 bit RSA
3576 key usage: digitalSignature keyEncipherment
3577 ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
3578 fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
3580 I used '-K' above because this will only list certificates for which
3581 a private key is available. To see more details, you may use
3582 '--dump-secret-keys' instead of '-K'.
3584 To make actual use of the certificate you need to install it on your
3585 server. Server software usually expects a PKCS\#12 file with key and
3586 certificate. To create such a file, run:
3588 $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
3590 You will be asked for the passphrase as well as for a new passphrase
3591 to be used to protect the PKCS\#12 file. The file now contains the
3592 certificate as well as the private key:
3594 $ cat example-cert.pem
3595 Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
3597 Subject ..: /CN=example.com
3598 aka ..: (dns-name example.com)
3599 aka ..: (dns-name www.example.com)
3601 -----BEGIN PKCS12-----
3602 MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
3603 [...many more lines...]
3604 -----END PKCS12-----
3607 Copy this file in a secure way to the server, install it there and
3608 delete the file then. You may export the file again at any time as long
3609 as it is available in GnuPG's private key database.
3612 File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
3614 12 Notes pertaining to certain OSes
3615 ***********************************
3617 GnuPG has been developed on GNU/Linux systems and is know to work on
3618 almost all Free OSes. All modern POSIX systems should be supported
3619 right now, however there are probably a lot of smaller glitches we need
3620 to fix first. The major problem areas are:
3622 * We are planning to use file descriptor passing for interprocess
3623 communication. This will allow us save a lot of resources and
3624 improve performance of certain operations a lot. Systems not
3625 supporting this won't gain these benefits but we try to keep them
3626 working the standard way as it is done today.
3628 * We require more or less full POSIX compatibility. This has been
3629 around for 15 years now and thus we don't believe it makes sense to
3630 support non POSIX systems anymore. Well, we of course the usual
3631 workarounds for near POSIX systems well be applied.
3633 There is one exception of this rule: Systems based the Microsoft
3634 Windows API (called here _W32_) will be supported to some extend.
3638 * W32 Notes:: Microsoft Windows Notes
3641 File: gnupg.info, Node: W32 Notes, Up: System Notes
3643 12.1 Microsoft Windows Notes
3644 ============================
3646 Current limitations are:
3648 * 'gpgconf' does not create backup files, so in case of trouble your
3649 configuration file might get lost.
3651 * 'watchgnupg' is not available. Logging to sockets is not possible.
3653 * The periodical smartcard status checking done by 'scdaemon' is not
3657 File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
3659 13 How to solve problems
3660 ************************
3662 Everyone knows that software often does not do what it should do and
3663 thus there is a need to track down problems. We call this debugging in
3664 a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
3666 Most of the problems a merely configuration and user problems but
3667 nevertheless they are the most annoying ones and responsible for many
3668 gray hairs. We try to give some guidelines here on how to identify and
3669 solve the problem at hand.
3673 * Debugging Tools:: Description of some useful tools.
3674 * Debugging Hints:: Various hints on debugging.
3675 * Common Problems:: Commonly seen problems.
3676 * Architecture Details:: How the whole thing works internally.
3679 File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
3681 13.1 Debugging Tools
3682 ====================
3684 The GnuPG distribution comes with a couple of tools, useful to help find
3685 and solving problems.
3689 * kbxutil:: Scrutinizing a keybox file.
3692 File: gnupg.info, Node: kbxutil, Up: Debugging Tools
3694 13.1.1 Scrutinizing a keybox file
3695 ---------------------------------
3697 A keybox is a file format used to store public keys along with meta
3698 information and indices. The commonly used one is the file
3699 'pubring.kbx' in the '.gnupg' directory. It contains all X.509
3700 certificates as well as OpenPGP keys.
3702 When called the standard way, e.g.:
3704 'kbxutil ~/.gnupg/pubring.kbx'
3706 it lists all records (called blobs) with there meta-information in a
3707 human readable format.
3709 To see statistics on the keybox in question, run it using
3711 'kbxutil --stats ~/.gnupg/pubring.kbx'
3713 and you get an output like:
3715 Total number of blobs: 99
3722 ephemeral flagged: 17
3724 In this example you see that the keybox does not have any OpenPGP
3725 keys but contains 98 X.509 certificates and a total of 17 keys or
3726 certificates are flagged as ephemeral, meaning that they are only
3727 temporary stored (cached) in the keybox and won't get listed using the
3728 usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
3729 in a standard way and directly available from 'gpgsm'.
3731 To find duplicated certificates and keyblocks in a keybox file (this
3732 should not occur but sometimes things go wrong), run it using
3734 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
3737 File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
3739 13.2 Various hints on debugging
3740 ===============================
3742 * How to find the IP address of a keyserver
3744 If a round robin URL of is used for a keyserver (e.g.
3745 subkeys.gnupg.org); it is not easy to see what server is actually
3746 used. Using the keyserver debug option as in
3748 gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
3750 is thus often helpful. Note that the actual output depends on the
3751 backend and may change from release to release.
3753 * Logging on WindowsCE
3755 For development, the best logging method on WindowsCE is the use of
3756 remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
3757 The command 'watchgnupg' may be used on the remote host to listen
3758 on the given port (*note option watchgnupg --tcp::). For in the
3759 field tests it is better to make use of the logging facility
3760 provided by the 'gpgcedev' driver (part of libassuan); this is
3761 enabled by using a log file name of 'GPG2:' (*note option
3765 File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
3767 13.3 Commonly Seen Problems
3768 ===========================
3770 * Error code 'Not supported' from Dirmngr
3772 Most likely the option 'enable-ocsp' is active for gpgsm but
3773 Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
3776 * The Curses based Pinentry does not work
3778 The far most common reason for this is that the environment
3779 variable 'GPG_TTY' has not been set correctly. Make sure that it
3780 has been set to a real tty device and not just to '/dev/tty'; i.e.
3781 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
3782 note the back ticks. Also make sure that this environment variable
3783 gets exported, that is you should follow up the setting with an
3784 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
3785 based Pinentries; you should have set 'GPG_TTY'. See the section
3786 on installing the 'gpg-agent' on how to do it.
3788 * SSH hangs while a popping up pinentry was expected
3790 SSH has no way to tell the gpg-agent what terminal or X display it
3791 is running on. So when remotely logging into a box where a
3792 gpg-agent with SSH support is running, the pinentry will get popped
3793 up on whatever display the gpg-agent has been started. To solve
3794 this problem you may issue the command
3796 echo UPDATESTARTUPTTY | gpg-connect-agent
3798 and the next pinentry will pop up on your display or screen.
3799 However, you need to kill the running pinentry first because only
3800 one pinentry may be running at once. If you plan to use ssh on a
3801 new display you should issue the above command before invoking ssh
3802 or any other service making use of ssh.
3804 * Exporting a secret key without a certificate
3806 It may happen that you have created a certificate request using
3807 'gpgsm' but not yet received and imported the certificate from the
3808 CA. However, you want to export the secret key to another machine
3809 right now to import the certificate over there then. You can do
3810 this with a little trick but it requires that you know the
3811 approximate time you created the signing request. By running the
3814 ls -ltr ~/.gnupg/private-keys-v1.d
3816 you get a listing of all private keys under control of 'gpg-agent'.
3817 Pick the key which best matches the creation time and run the
3820 /usr/local/libexec/gpg-protect-tool --p12-export \
3821 ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
3823 (Please adjust the path to 'gpg-protect-tool' to the appropriate
3824 location). FOO is the name of the key file you picked (it should
3825 have the suffix '.key'). A Pinentry box will pop up and ask you
3826 for the current passphrase of the key and a new passphrase to
3827 protect it in the pkcs#12 file.
3829 To import the created file on the machine you use this command:
3831 /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
3833 You will be asked for the pkcs#12 passphrase and a new passphrase
3834 to protect the imported private key at its new location.
3836 Note that there is no easy way to match existing certificates with
3837 stored private keys because some private keys are used for Secure
3838 Shell or other purposes and don't have a corresponding certificate.
3840 * A root certificate does not verify
3842 A common problem is that the root certificate misses the required
3843 basicConstraints attribute and thus 'gpgsm' rejects this
3844 certificate. An error message indicating "no value" is a sign for
3845 such a certificate. You may use the 'relax' flag in
3846 'trustlist.txt' to accept the certificate anyway. Note that the
3847 fingerprint and this flag may only be added manually to
3850 * Error message: "digest algorithm N has not been enabled"
3852 The signature is broken. You may try the option
3853 '--extra-digest-algo SHA256' to workaround the problem. The number
3854 N is the internal algorithm identifier; for example 8 refers to
3857 * The Windows version does not work under Wine
3859 When running the W32 version of 'gpg' under Wine you may get an
3860 error messages like:
3862 gpg: fatal: WriteConsole failed: Access denied
3864 The solution is to use the command 'wineconsole'.
3866 Some operations like '--generate-key' really want to talk to the
3867 console directly for increased security (for example to prevent the
3868 passphrase from appearing on the screen). So, you should use
3869 'wineconsole' instead of 'wine', which will launch a windows
3870 console that implements those additional features.
3872 * Why does GPG's -search-key list weird keys?
3874 For performance reasons the keyservers do not check the keys the
3875 same way 'gpg' does. It may happen that the listing of keys
3876 available on the keyservers shows keys with wrong user IDs or with
3877 user Ids from other keys. If you try to import this key, the bad
3878 keys or bad user ids won't get imported, though. This is a bit
3879 unfortunate but we can't do anything about it without actually
3880 downloading the keys.
3883 File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
3885 13.4 How the whole thing works internally
3886 =========================================
3890 * Component interaction:: How the components work together.
3891 * GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
3894 File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
3896 13.4.1 How the components work together
3897 ---------------------------------------
3899 \0\b[image src="gnupg-module-overview.png" alt="GnuPG modules"
\0\b]
3901 Figure 13.1: GnuPG module overview
3904 File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
3906 13.4.2 Relationship between GnuPG 1.4 and 2.x
3907 ---------------------------------------------
3909 Here is a little picture showing how the different GnuPG versions make
3912 \0\b[image src="gnupg-card-architecture.png" alt="GnuPG card architecture"
\0\b]
3914 Figure 13.2: GnuPG card architecture
3917 File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
3919 GNU General Public License
3920 **************************
3922 Version 3, 29 June 2007
3924 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
3926 Everyone is permitted to copy and distribute verbatim copies of this
3927 license document, but changing it is not allowed.
3932 The GNU General Public License is a free, copyleft license for software
3933 and other kinds of works.
3935 The licenses for most software and other practical works are designed
3936 to take away your freedom to share and change the works. By contrast,
3937 the GNU General Public License is intended to guarantee your freedom to
3938 share and change all versions of a program-to make sure it remains free
3939 software for all its users. We, the Free Software Foundation, use the
3940 GNU General Public License for most of our software; it applies also to
3941 any other work released this way by its authors. You can apply it to
3944 When we speak of free software, we are referring to freedom, not
3945 price. Our General Public Licenses are designed to make sure that you
3946 have the freedom to distribute copies of free software (and charge for
3947 them if you wish), that you receive source code or can get it if you
3948 want it, that you can change the software or use pieces of it in new
3949 free programs, and that you know you can do these things.
3951 To protect your rights, we need to prevent others from denying you
3952 these rights or asking you to surrender the rights. Therefore, you have
3953 certain responsibilities if you distribute copies of the software, or if
3954 you modify it: responsibilities to respect the freedom of others.
3956 For example, if you distribute copies of such a program, whether
3957 gratis or for a fee, you must pass on to the recipients the same
3958 freedoms that you received. You must make sure that they, too, receive
3959 or can get the source code. And you must show them these terms so they
3962 Developers that use the GNU GPL protect your rights with two steps:
3963 (1) assert copyright on the software, and (2) offer you this License
3964 giving you legal permission to copy, distribute and/or modify it.
3966 For the developers' and authors' protection, the GPL clearly explains
3967 that there is no warranty for this free software. For both users' and
3968 authors' sake, the GPL requires that modified versions be marked as
3969 changed, so that their problems will not be attributed erroneously to
3970 authors of previous versions.
3972 Some devices are designed to deny users access to install or run
3973 modified versions of the software inside them, although the manufacturer
3974 can do so. This is fundamentally incompatible with the aim of
3975 protecting users' freedom to change the software. The systematic
3976 pattern of such abuse occurs in the area of products for individuals to
3977 use, which is precisely where it is most unacceptable. Therefore, we
3978 have designed this version of the GPL to prohibit the practice for those
3979 products. If such problems arise substantially in other domains, we
3980 stand ready to extend this provision to those domains in future versions
3981 of the GPL, as needed to protect the freedom of users.
3983 Finally, every program is threatened constantly by software patents.
3984 States should not allow patents to restrict development and use of
3985 software on general-purpose computers, but in those that do, we wish to
3986 avoid the special danger that patents applied to a free program could
3987 make it effectively proprietary. To prevent this, the GPL assures that
3988 patents cannot be used to render the program non-free.
3990 The precise terms and conditions for copying, distribution and
3991 modification follow.
3993 TERMS AND CONDITIONS
3997 "This License" refers to version 3 of the GNU General Public
4000 "Copyright" also means copyright-like laws that apply to other
4001 kinds of works, such as semiconductor masks.
4003 "The Program" refers to any copyrightable work licensed under this
4004 License. Each licensee is addressed as "you". "Licensees" and
4005 "recipients" may be individuals or organizations.
4007 To "modify" a work means to copy from or adapt all or part of the
4008 work in a fashion requiring copyright permission, other than the
4009 making of an exact copy. The resulting work is called a "modified
4010 version" of the earlier work or a work "based on" the earlier work.
4012 A "covered work" means either the unmodified Program or a work
4013 based on the Program.
4015 To "propagate" a work means to do anything with it that, without
4016 permission, would make you directly or secondarily liable for
4017 infringement under applicable copyright law, except executing it on
4018 a computer or modifying a private copy. Propagation includes
4019 copying, distribution (with or without modification), making
4020 available to the public, and in some countries other activities as
4023 To "convey" a work means any kind of propagation that enables other
4024 parties to make or receive copies. Mere interaction with a user
4025 through a computer network, with no transfer of a copy, is not
4028 An interactive user interface displays "Appropriate Legal Notices"
4029 to the extent that it includes a convenient and prominently visible
4030 feature that (1) displays an appropriate copyright notice, and (2)
4031 tells the user that there is no warranty for the work (except to
4032 the extent that warranties are provided), that licensees may convey
4033 the work under this License, and how to view a copy of this
4034 License. If the interface presents a list of user commands or
4035 options, such as a menu, a prominent item in the list meets this
4040 The "source code" for a work means the preferred form of the work
4041 for making modifications to it. "Object code" means any non-source
4044 A "Standard Interface" means an interface that either is an
4045 official standard defined by a recognized standards body, or, in
4046 the case of interfaces specified for a particular programming
4047 language, one that is widely used among developers working in that
4050 The "System Libraries" of an executable work include anything,
4051 other than the work as a whole, that (a) is included in the normal
4052 form of packaging a Major Component, but which is not part of that
4053 Major Component, and (b) serves only to enable use of the work with
4054 that Major Component, or to implement a Standard Interface for
4055 which an implementation is available to the public in source code
4056 form. A "Major Component", in this context, means a major
4057 essential component (kernel, window system, and so on) of the
4058 specific operating system (if any) on which the executable work
4059 runs, or a compiler used to produce the work, or an object code
4060 interpreter used to run it.
4062 The "Corresponding Source" for a work in object code form means all
4063 the source code needed to generate, install, and (for an executable
4064 work) run the object code and to modify the work, including scripts
4065 to control those activities. However, it does not include the
4066 work's System Libraries, or general-purpose tools or generally
4067 available free programs which are used unmodified in performing
4068 those activities but which are not part of the work. For example,
4069 Corresponding Source includes interface definition files associated
4070 with source files for the work, and the source code for shared
4071 libraries and dynamically linked subprograms that the work is
4072 specifically designed to require, such as by intimate data
4073 communication or control flow between those subprograms and other
4076 The Corresponding Source need not include anything that users can
4077 regenerate automatically from other parts of the Corresponding
4080 The Corresponding Source for a work in source code form is that
4083 2. Basic Permissions.
4085 All rights granted under this License are granted for the term of
4086 copyright on the Program, and are irrevocable provided the stated
4087 conditions are met. This License explicitly affirms your unlimited
4088 permission to run the unmodified Program. The output from running
4089 a covered work is covered by this License only if the output, given
4090 its content, constitutes a covered work. This License acknowledges
4091 your rights of fair use or other equivalent, as provided by
4094 You may make, run and propagate covered works that you do not
4095 convey, without conditions so long as your license otherwise
4096 remains in force. You may convey covered works to others for the
4097 sole purpose of having them make modifications exclusively for you,
4098 or provide you with facilities for running those works, provided
4099 that you comply with the terms of this License in conveying all
4100 material for which you do not control copyright. Those thus making
4101 or running the covered works for you must do so exclusively on your
4102 behalf, under your direction and control, on terms that prohibit
4103 them from making any copies of your copyrighted material outside
4104 their relationship with you.
4106 Conveying under any other circumstances is permitted solely under
4107 the conditions stated below. Sublicensing is not allowed; section
4108 10 makes it unnecessary.
4110 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
4112 No covered work shall be deemed part of an effective technological
4113 measure under any applicable law fulfilling obligations under
4114 article 11 of the WIPO copyright treaty adopted on 20 December
4115 1996, or similar laws prohibiting or restricting circumvention of
4118 When you convey a covered work, you waive any legal power to forbid
4119 circumvention of technological measures to the extent such
4120 circumvention is effected by exercising rights under this License
4121 with respect to the covered work, and you disclaim any intention to
4122 limit operation or modification of the work as a means of
4123 enforcing, against the work's users, your or third parties' legal
4124 rights to forbid circumvention of technological measures.
4126 4. Conveying Verbatim Copies.
4128 You may convey verbatim copies of the Program's source code as you
4129 receive it, in any medium, provided that you conspicuously and
4130 appropriately publish on each copy an appropriate copyright notice;
4131 keep intact all notices stating that this License and any
4132 non-permissive terms added in accord with section 7 apply to the
4133 code; keep intact all notices of the absence of any warranty; and
4134 give all recipients a copy of this License along with the Program.
4136 You may charge any price or no price for each copy that you convey,
4137 and you may offer support or warranty protection for a fee.
4139 5. Conveying Modified Source Versions.
4141 You may convey a work based on the Program, or the modifications to
4142 produce it from the Program, in the form of source code under the
4143 terms of section 4, provided that you also meet all of these
4146 a. The work must carry prominent notices stating that you
4147 modified it, and giving a relevant date.
4149 b. The work must carry prominent notices stating that it is
4150 released under this License and any conditions added under
4151 section 7. This requirement modifies the requirement in
4152 section 4 to "keep intact all notices".
4154 c. You must license the entire work, as a whole, under this
4155 License to anyone who comes into possession of a copy. This
4156 License will therefore apply, along with any applicable
4157 section 7 additional terms, to the whole of the work, and all
4158 its parts, regardless of how they are packaged. This License
4159 gives no permission to license the work in any other way, but
4160 it does not invalidate such permission if you have separately
4163 d. If the work has interactive user interfaces, each must display
4164 Appropriate Legal Notices; however, if the Program has
4165 interactive interfaces that do not display Appropriate Legal
4166 Notices, your work need not make them do so.
4168 A compilation of a covered work with other separate and independent
4169 works, which are not by their nature extensions of the covered
4170 work, and which are not combined with it such as to form a larger
4171 program, in or on a volume of a storage or distribution medium, is
4172 called an "aggregate" if the compilation and its resulting
4173 copyright are not used to limit the access or legal rights of the
4174 compilation's users beyond what the individual works permit.
4175 Inclusion of a covered work in an aggregate does not cause this
4176 License to apply to the other parts of the aggregate.
4178 6. Conveying Non-Source Forms.
4180 You may convey a covered work in object code form under the terms
4181 of sections 4 and 5, provided that you also convey the
4182 machine-readable Corresponding Source under the terms of this
4183 License, in one of these ways:
4185 a. Convey the object code in, or embodied in, a physical product
4186 (including a physical distribution medium), accompanied by the
4187 Corresponding Source fixed on a durable physical medium
4188 customarily used for software interchange.
4190 b. Convey the object code in, or embodied in, a physical product
4191 (including a physical distribution medium), accompanied by a
4192 written offer, valid for at least three years and valid for as
4193 long as you offer spare parts or customer support for that
4194 product model, to give anyone who possesses the object code
4195 either (1) a copy of the Corresponding Source for all the
4196 software in the product that is covered by this License, on a
4197 durable physical medium customarily used for software
4198 interchange, for a price no more than your reasonable cost of
4199 physically performing this conveying of source, or (2) access
4200 to copy the Corresponding Source from a network server at no
4203 c. Convey individual copies of the object code with a copy of the
4204 written offer to provide the Corresponding Source. This
4205 alternative is allowed only occasionally and noncommercially,
4206 and only if you received the object code with such an offer,
4207 in accord with subsection 6b.
4209 d. Convey the object code by offering access from a designated
4210 place (gratis or for a charge), and offer equivalent access to
4211 the Corresponding Source in the same way through the same
4212 place at no further charge. You need not require recipients
4213 to copy the Corresponding Source along with the object code.
4214 If the place to copy the object code is a network server, the
4215 Corresponding Source may be on a different server (operated by
4216 you or a third party) that supports equivalent copying
4217 facilities, provided you maintain clear directions next to the
4218 object code saying where to find the Corresponding Source.
4219 Regardless of what server hosts the Corresponding Source, you
4220 remain obligated to ensure that it is available for as long as
4221 needed to satisfy these requirements.
4223 e. Convey the object code using peer-to-peer transmission,
4224 provided you inform other peers where the object code and
4225 Corresponding Source of the work are being offered to the
4226 general public at no charge under subsection 6d.
4228 A separable portion of the object code, whose source code is
4229 excluded from the Corresponding Source as a System Library, need
4230 not be included in conveying the object code work.
4232 A "User Product" is either (1) a "consumer product", which means
4233 any tangible personal property which is normally used for personal,
4234 family, or household purposes, or (2) anything designed or sold for
4235 incorporation into a dwelling. In determining whether a product is
4236 a consumer product, doubtful cases shall be resolved in favor of
4237 coverage. For a particular product received by a particular user,
4238 "normally used" refers to a typical or common use of that class of
4239 product, regardless of the status of the particular user or of the
4240 way in which the particular user actually uses, or expects or is
4241 expected to use, the product. A product is a consumer product
4242 regardless of whether the product has substantial commercial,
4243 industrial or non-consumer uses, unless such uses represent the
4244 only significant mode of use of the product.
4246 "Installation Information" for a User Product means any methods,
4247 procedures, authorization keys, or other information required to
4248 install and execute modified versions of a covered work in that
4249 User Product from a modified version of its Corresponding Source.
4250 The information must suffice to ensure that the continued
4251 functioning of the modified object code is in no case prevented or
4252 interfered with solely because modification has been made.
4254 If you convey an object code work under this section in, or with,
4255 or specifically for use in, a User Product, and the conveying
4256 occurs as part of a transaction in which the right of possession
4257 and use of the User Product is transferred to the recipient in
4258 perpetuity or for a fixed term (regardless of how the transaction
4259 is characterized), the Corresponding Source conveyed under this
4260 section must be accompanied by the Installation Information. But
4261 this requirement does not apply if neither you nor any third party
4262 retains the ability to install modified object code on the User
4263 Product (for example, the work has been installed in ROM).
4265 The requirement to provide Installation Information does not
4266 include a requirement to continue to provide support service,
4267 warranty, or updates for a work that has been modified or installed
4268 by the recipient, or for the User Product in which it has been
4269 modified or installed. Access to a network may be denied when the
4270 modification itself materially and adversely affects the operation
4271 of the network or violates the rules and protocols for
4272 communication across the network.
4274 Corresponding Source conveyed, and Installation Information
4275 provided, in accord with this section must be in a format that is
4276 publicly documented (and with an implementation available to the
4277 public in source code form), and must require no special password
4278 or key for unpacking, reading or copying.
4280 7. Additional Terms.
4282 "Additional permissions" are terms that supplement the terms of
4283 this License by making exceptions from one or more of its
4284 conditions. Additional permissions that are applicable to the
4285 entire Program shall be treated as though they were included in
4286 this License, to the extent that they are valid under applicable
4287 law. If additional permissions apply only to part of the Program,
4288 that part may be used separately under those permissions, but the
4289 entire Program remains governed by this License without regard to
4290 the additional permissions.
4292 When you convey a copy of a covered work, you may at your option
4293 remove any additional permissions from that copy, or from any part
4294 of it. (Additional permissions may be written to require their own
4295 removal in certain cases when you modify the work.) You may place
4296 additional permissions on material, added by you to a covered work,
4297 for which you have or can give appropriate copyright permission.
4299 Notwithstanding any other provision of this License, for material
4300 you add to a covered work, you may (if authorized by the copyright
4301 holders of that material) supplement the terms of this License with
4304 a. Disclaiming warranty or limiting liability differently from
4305 the terms of sections 15 and 16 of this License; or
4307 b. Requiring preservation of specified reasonable legal notices
4308 or author attributions in that material or in the Appropriate
4309 Legal Notices displayed by works containing it; or
4311 c. Prohibiting misrepresentation of the origin of that material,
4312 or requiring that modified versions of such material be marked
4313 in reasonable ways as different from the original version; or
4315 d. Limiting the use for publicity purposes of names of licensors
4316 or authors of the material; or
4318 e. Declining to grant rights under trademark law for use of some
4319 trade names, trademarks, or service marks; or
4321 f. Requiring indemnification of licensors and authors of that
4322 material by anyone who conveys the material (or modified
4323 versions of it) with contractual assumptions of liability to
4324 the recipient, for any liability that these contractual
4325 assumptions directly impose on those licensors and authors.
4327 All other non-permissive additional terms are considered "further
4328 restrictions" within the meaning of section 10. If the Program as
4329 you received it, or any part of it, contains a notice stating that
4330 it is governed by this License along with a term that is a further
4331 restriction, you may remove that term. If a license document
4332 contains a further restriction but permits relicensing or conveying
4333 under this License, you may add to a covered work material governed
4334 by the terms of that license document, provided that the further
4335 restriction does not survive such relicensing or conveying.
4337 If you add terms to a covered work in accord with this section, you
4338 must place, in the relevant source files, a statement of the
4339 additional terms that apply to those files, or a notice indicating
4340 where to find the applicable terms.
4342 Additional terms, permissive or non-permissive, may be stated in
4343 the form of a separately written license, or stated as exceptions;
4344 the above requirements apply either way.
4348 You may not propagate or modify a covered work except as expressly
4349 provided under this License. Any attempt otherwise to propagate or
4350 modify it is void, and will automatically terminate your rights
4351 under this License (including any patent licenses granted under the
4352 third paragraph of section 11).
4354 However, if you cease all violation of this License, then your
4355 license from a particular copyright holder is reinstated (a)
4356 provisionally, unless and until the copyright holder explicitly and
4357 finally terminates your license, and (b) permanently, if the
4358 copyright holder fails to notify you of the violation by some
4359 reasonable means prior to 60 days after the cessation.
4361 Moreover, your license from a particular copyright holder is
4362 reinstated permanently if the copyright holder notifies you of the
4363 violation by some reasonable means, this is the first time you have
4364 received notice of violation of this License (for any work) from
4365 that copyright holder, and you cure the violation prior to 30 days
4366 after your receipt of the notice.
4368 Termination of your rights under this section does not terminate
4369 the licenses of parties who have received copies or rights from you
4370 under this License. If your rights have been terminated and not
4371 permanently reinstated, you do not qualify to receive new licenses
4372 for the same material under section 10.
4374 9. Acceptance Not Required for Having Copies.
4376 You are not required to accept this License in order to receive or
4377 run a copy of the Program. Ancillary propagation of a covered work
4378 occurring solely as a consequence of using peer-to-peer
4379 transmission to receive a copy likewise does not require
4380 acceptance. However, nothing other than this License grants you
4381 permission to propagate or modify any covered work. These actions
4382 infringe copyright if you do not accept this License. Therefore,
4383 by modifying or propagating a covered work, you indicate your
4384 acceptance of this License to do so.
4386 10. Automatic Licensing of Downstream Recipients.
4388 Each time you convey a covered work, the recipient automatically
4389 receives a license from the original licensors, to run, modify and
4390 propagate that work, subject to this License. You are not
4391 responsible for enforcing compliance by third parties with this
4394 An "entity transaction" is a transaction transferring control of an
4395 organization, or substantially all assets of one, or subdividing an
4396 organization, or merging organizations. If propagation of a
4397 covered work results from an entity transaction, each party to that
4398 transaction who receives a copy of the work also receives whatever
4399 licenses to the work the party's predecessor in interest had or
4400 could give under the previous paragraph, plus a right to possession
4401 of the Corresponding Source of the work from the predecessor in
4402 interest, if the predecessor has it or can get it with reasonable
4405 You may not impose any further restrictions on the exercise of the
4406 rights granted or affirmed under this License. For example, you
4407 may not impose a license fee, royalty, or other charge for exercise
4408 of rights granted under this License, and you may not initiate
4409 litigation (including a cross-claim or counterclaim in a lawsuit)
4410 alleging that any patent claim is infringed by making, using,
4411 selling, offering for sale, or importing the Program or any portion
4416 A "contributor" is a copyright holder who authorizes use under this
4417 License of the Program or a work on which the Program is based.
4418 The work thus licensed is called the contributor's "contributor
4421 A contributor's "essential patent claims" are all patent claims
4422 owned or controlled by the contributor, whether already acquired or
4423 hereafter acquired, that would be infringed by some manner,
4424 permitted by this License, of making, using, or selling its
4425 contributor version, but do not include claims that would be
4426 infringed only as a consequence of further modification of the
4427 contributor version. For purposes of this definition, "control"
4428 includes the right to grant patent sublicenses in a manner
4429 consistent with the requirements of this License.
4431 Each contributor grants you a non-exclusive, worldwide,
4432 royalty-free patent license under the contributor's essential
4433 patent claims, to make, use, sell, offer for sale, import and
4434 otherwise run, modify and propagate the contents of its contributor
4437 In the following three paragraphs, a "patent license" is any
4438 express agreement or commitment, however denominated, not to
4439 enforce a patent (such as an express permission to practice a
4440 patent or covenant not to sue for patent infringement). To "grant"
4441 such a patent license to a party means to make such an agreement or
4442 commitment not to enforce a patent against the party.
4444 If you convey a covered work, knowingly relying on a patent
4445 license, and the Corresponding Source of the work is not available
4446 for anyone to copy, free of charge and under the terms of this
4447 License, through a publicly available network server or other
4448 readily accessible means, then you must either (1) cause the
4449 Corresponding Source to be so available, or (2) arrange to deprive
4450 yourself of the benefit of the patent license for this particular
4451 work, or (3) arrange, in a manner consistent with the requirements
4452 of this License, to extend the patent license to downstream
4453 recipients. "Knowingly relying" means you have actual knowledge
4454 that, but for the patent license, your conveying the covered work
4455 in a country, or your recipient's use of the covered work in a
4456 country, would infringe one or more identifiable patents in that
4457 country that you have reason to believe are valid.
4459 If, pursuant to or in connection with a single transaction or
4460 arrangement, you convey, or propagate by procuring conveyance of, a
4461 covered work, and grant a patent license to some of the parties
4462 receiving the covered work authorizing them to use, propagate,
4463 modify or convey a specific copy of the covered work, then the
4464 patent license you grant is automatically extended to all
4465 recipients of the covered work and works based on it.
4467 A patent license is "discriminatory" if it does not include within
4468 the scope of its coverage, prohibits the exercise of, or is
4469 conditioned on the non-exercise of one or more of the rights that
4470 are specifically granted under this License. You may not convey a
4471 covered work if you are a party to an arrangement with a third
4472 party that is in the business of distributing software, under which
4473 you make payment to the third party based on the extent of your
4474 activity of conveying the work, and under which the third party
4475 grants, to any of the parties who would receive the covered work
4476 from you, a discriminatory patent license (a) in connection with
4477 copies of the covered work conveyed by you (or copies made from
4478 those copies), or (b) primarily for and in connection with specific
4479 products or compilations that contain the covered work, unless you
4480 entered into that arrangement, or that patent license was granted,
4481 prior to 28 March 2007.
4483 Nothing in this License shall be construed as excluding or limiting
4484 any implied license or other defenses to infringement that may
4485 otherwise be available to you under applicable patent law.
4487 12. No Surrender of Others' Freedom.
4489 If conditions are imposed on you (whether by court order, agreement
4490 or otherwise) that contradict the conditions of this License, they
4491 do not excuse you from the conditions of this License. If you
4492 cannot convey a covered work so as to satisfy simultaneously your
4493 obligations under this License and any other pertinent obligations,
4494 then as a consequence you may not convey it at all. For example,
4495 if you agree to terms that obligate you to collect a royalty for
4496 further conveying from those to whom you convey the Program, the
4497 only way you could satisfy both those terms and this License would
4498 be to refrain entirely from conveying the Program.
4500 13. Use with the GNU Affero General Public License.
4502 Notwithstanding any other provision of this License, you have
4503 permission to link or combine any covered work with a work licensed
4504 under version 3 of the GNU Affero General Public License into a
4505 single combined work, and to convey the resulting work. The terms
4506 of this License will continue to apply to the part which is the
4507 covered work, but the special requirements of the GNU Affero
4508 General Public License, section 13, concerning interaction through
4509 a network will apply to the combination as such.
4511 14. Revised Versions of this License.
4513 The Free Software Foundation may publish revised and/or new
4514 versions of the GNU General Public License from time to time. Such
4515 new versions will be similar in spirit to the present version, but
4516 may differ in detail to address new problems or concerns.
4518 Each version is given a distinguishing version number. If the
4519 Program specifies that a certain numbered version of the GNU
4520 General Public License "or any later version" applies to it, you
4521 have the option of following the terms and conditions either of
4522 that numbered version or of any later version published by the Free
4523 Software Foundation. If the Program does not specify a version
4524 number of the GNU General Public License, you may choose any
4525 version ever published by the Free Software Foundation.
4527 If the Program specifies that a proxy can decide which future
4528 versions of the GNU General Public License can be used, that
4529 proxy's public statement of acceptance of a version permanently
4530 authorizes you to choose that version for the Program.
4532 Later license versions may give you additional or different
4533 permissions. However, no additional obligations are imposed on any
4534 author or copyright holder as a result of your choosing to follow a
4537 15. Disclaimer of Warranty.
4539 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
4540 APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
4541 COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
4542 WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
4543 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
4544 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
4545 RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
4546 SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
4547 NECESSARY SERVICING, REPAIR OR CORRECTION.
4549 16. Limitation of Liability.
4551 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
4552 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
4553 AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
4554 DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
4555 CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
4556 THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
4557 BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
4558 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
4559 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
4560 THE POSSIBILITY OF SUCH DAMAGES.
4562 17. Interpretation of Sections 15 and 16.
4564 If the disclaimer of warranty and limitation of liability provided
4565 above cannot be given local legal effect according to their terms,
4566 reviewing courts shall apply local law that most closely
4567 approximates an absolute waiver of all civil liability in
4568 connection with the Program, unless a warranty or assumption of
4569 liability accompanies a copy of the Program in return for a fee.
4571 END OF TERMS AND CONDITIONS
4573 How to Apply These Terms to Your New Programs
4574 =============================================
4576 If you develop a new program, and you want it to be of the greatest
4577 possible use to the public, the best way to achieve this is to make it
4578 free software which everyone can redistribute and change under these
4581 To do so, attach the following notices to the program. It is safest
4582 to attach them to the start of each source file to most effectively
4583 state the exclusion of warranty; and each file should have at least the
4584 "copyright" line and a pointer to where the full notice is found.
4586 ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
4587 Copyright (C) YEAR NAME OF AUTHOR
4589 This program is free software: you can redistribute it and/or modify
4590 it under the terms of the GNU General Public License as published by
4591 the Free Software Foundation, either version 3 of the License, or (at
4592 your option) any later version.
4594 This program is distributed in the hope that it will be useful, but
4595 WITHOUT ANY WARRANTY; without even the implied warranty of
4596 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
4597 General Public License for more details.
4599 You should have received a copy of the GNU General Public License
4600 along with this program. If not, see <https://www.gnu.org/licenses/>.
4602 Also add information on how to contact you by electronic and paper mail.
4604 If the program does terminal interaction, make it output a short notice
4605 like this when it starts in an interactive mode:
4607 PROGRAM Copyright (C) YEAR NAME OF AUTHOR
4608 This program comes with ABSOLUTELY NO WARRANTY; for details
4609 type 'show w'. This is free software, and you are
4610 welcome to redistribute it under certain conditions;
4611 type 'show c' for details.
4613 The hypothetical commands 'show w' and 'show c' should show the
4614 appropriate parts of the General Public License. Of course, your
4615 program's commands might be different; for a GUI interface, you would
4618 You should also get your employer (if you work as a programmer) or
4619 school, if any, to sign a "copyright disclaimer" for the program, if
4620 necessary. For more information on this, and how to apply and follow
4621 the GNU GPL, see <https://www.gnu.org/licenses/>.
4623 The GNU General Public License does not permit incorporating your
4624 program into proprietary programs. If your program is a subroutine
4625 library, you may consider it more useful to permit linking proprietary
4626 applications with the library. If this is what you want to do, use the
4627 GNU Lesser General Public License instead of this License. But first,
4628 please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
4631 File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
4633 Contributors to GnuPG
4634 *********************
4636 The GnuPG project would like to thank its many contributors. Without
4637 them the project would not have been nearly as successful as it has
4638 been. Any omissions in this list are accidental. Feel free to contact
4639 the maintainer if you have been left out or some of your contributions
4642 David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
4643 Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
4644 wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
4645 Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc
4646 László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander
4647 Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda
4648 Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun
4649 Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann,
4650 Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki
4651 IIDA did the official translations. Mike Ashley wrote and maintains the
4652 GNU Privacy Handbook. David Scribner is the current FAQ editor.
4653 Lorenzo Cappelletti maintains the web site.
4655 The new modularized architecture of gnupg 1.9 as well as the
4656 X.509/CMS part has been developed as part of the Ägypten project.
4657 Direct contributors to this project are: Bernhard Herzog, who did
4658 extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
4659 made sure that we met the specifications and the deadlines. He did
4660 extensive testing and came up with a lot of suggestions. Jan-Oliver
4661 Wagner made sure that we met the specifications and the deadlines. He
4662 also did extensive testing and came up with a lot of suggestions.
4663 Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
4664 misconceptions while working on KDE integration. Marcus Brinkman
4665 extended GPGME, cleaned up the Assuan code and fixed bugs all over the
4666 place. Moritz Schulte took over Libgcrypt maintenance and developed it
4667 into a stable an useful library. Steffen Hansen had a hard time to
4668 write the dirmngr due to underspecified interfaces. Thomas Koester did
4669 extensive testing and tracked down a lot of bugs. Werner Koch designed
4670 the system and wrote most of the code.
4672 The following people helped greatly by suggesting improvements,
4673 testing, fixing bugs, providing resources and doing other important
4674 tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
4675 Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
4676 Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
4677 Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
4678 Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
4679 Christian Kurz, Christian von Roques, Christopher Oliver, Christian
4680 Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
4681 David C Niemi, David Champion, David Ellement, David Hallinan, David
4682 Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
4683 Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
4684 Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
4685 Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
4686 Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
4687 Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
4688 Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
4689 Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
4690 Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
4691 Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
4692 Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
4693 Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
4694 MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
4695 John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
4696 Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
4697 Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
4698 Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
4699 M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
4700 Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
4701 Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
4702 Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
4703 Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
4704 Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
4705 Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
4706 Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
4707 Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
4708 Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
4709 Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
4710 Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
4711 Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
4712 Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
4713 Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
4714 Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
4715 Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
4716 Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
4717 Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
4718 Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
4719 Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
4720 Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
4723 This software has been made possible by the previous work of Chris
4724 Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
4725 Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
4726 Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
4727 mathematicians and all the folks who have worked hard to create complete
4728 and free operating systems.
4730 And finally we'd like to thank everyone who uses these tools, submits
4731 bug reports and generally reminds us why we're doing this work in the
4735 File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
4741 The _Authority Revocation List_ is technical identical to a CRL but
4742 used for CAs and not for end user certificates.
4745 Verification model for X.509 which uses the creation date of a
4746 signature as the date the validation starts and in turn checks that
4747 each certificate has been issued within the time frame, the issuing
4748 certificate was valid. This allows the verification of signatures
4749 after the CA's certificate expired. The validation test also
4750 required an online check of the certificate status. The chain
4751 model is required by the German signature law. See also _Shell
4755 The _Cryptographic Message Standard_ describes a message format for
4756 encryption and digital signing. It is closely related to the X.509
4757 certificate format. CMS was formerly known under the name 'PKCS#7'
4758 and is described by 'RFC3369'.
4761 The _Certificate Revocation List_ is a list containing certificates
4762 revoked by the issuer.
4765 The _Certificate Signing Request_ is a message send to a CA to ask
4766 them to issue a new certificate. The data format of such a signing
4767 request is called PCKS#10.
4770 A data format used to build a PKI and to exchange encrypted or
4771 signed messages. In contrast to X.509, OpenPGP also includes the
4772 message format but does not explicitly demand a specific PKI.
4773 However any kind of PKI may be build upon the OpenPGP protocol.
4776 This term is used by GnuPG to describe a 20 byte hash value used to
4777 identify a certain key without referencing to a concrete protocol.
4778 It is used internally to access a private key. Usually it is shown
4779 and entered as a 40 character hexadecimal formatted string.
4782 The _Online Certificate Status Protocol_ is used as an alternative
4783 to a CRL. It is described in 'RFC 2560'.
4786 The _Personal Security Environment_ describes a database to store
4787 private keys. This is either a smartcard or a collection of files
4788 on a disk; the latter is often called a Soft-PSE.
4791 The standard model for validation of certificates under X.509. At
4792 the time of the verification all certificates must be valid and not
4793 expired. See also _Chain model_.
4796 Description of a PKI used with CMS. It is for example defined by
4800 File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
4808 * --override-compliance-check: GPG Esoteric Options.
4810 * add-servers: Dirmngr Options. (line 310)
4811 * agent-program: GPG Configuration Options.
4813 * agent-program <1>: Configuration Options.
4815 * agent-program <2>: Invoking gpg-connect-agent.
4817 * allow-admin: Scdaemon Options. (line 203)
4818 * allow-emacs-pinentry: Agent Options. (line 195)
4819 * allow-freeform-uid: GPG Esoteric Options.
4821 * allow-loopback-pinentry: Agent Options. (line 177)
4822 * allow-multiple-messages: GPG Esoteric Options.
4824 * allow-non-selfsigned-uid: GPG Esoteric Options.
4826 * allow-ocsp: Dirmngr Options. (line 327)
4827 * allow-preset-passphrase: Agent Options. (line 172)
4828 * allow-secret-key-import: GPG Esoteric Options.
4830 * allow-version-check: Dirmngr Options. (line 138)
4831 * allow-weak-digest-algos: GPG Esoteric Options.
4833 * allow-weak-key-signatures: GPG Esoteric Options.
4835 * always-trust: Deprecated Options. (line 21)
4836 * armor: GPG Input and Output.
4838 * armor <1>: Input and Output. (line 8)
4839 * ask-cert-expire: GPG Esoteric Options.
4841 * ask-cert-level: GPG Configuration Options.
4843 * ask-sig-expire: GPG Esoteric Options.
4845 * assume-armor: Input and Output. (line 14)
4846 * assume-base64: Input and Output. (line 18)
4847 * assume-binary: Input and Output. (line 21)
4848 * attribute-fd: GPG Esoteric Options.
4850 * attribute-file: GPG Esoteric Options.
4852 * auto-check-trustdb: GPG Configuration Options.
4854 * auto-expand-secmem: Agent Options. (line 445)
4855 * auto-issuer-key-retrieve: Certificate Options. (line 62)
4856 * auto-key-import: GPG Configuration Options.
4858 * auto-key-locate: GPG Configuration Options.
4860 * auto-key-retrieve: GPG Configuration Options.
4862 * base64: Input and Output. (line 11)
4863 * batch: Agent Options. (line 48)
4864 * batch <1>: GPG Configuration Options.
4866 * bzip2-compress-level: GPG Configuration Options.
4868 * bzip2-decompress-lowmem: GPG Configuration Options.
4870 * c: Dirmngr Options. (line 87)
4871 * cache-cert: dirmngr-client. (line 72)
4872 * call-dirmngr: Operational GPGSM Commands.
4874 * call-protect-tool: Operational GPGSM Commands.
4876 * card-edit: Operational GPG Commands.
4878 * card-status: Operational GPG Commands.
4880 * card-timeout: Scdaemon Options. (line 179)
4881 * cert-digest-algo: GPG Esoteric Options.
4883 * cert-notation: GPG Esoteric Options.
4885 * cert-policy-url: GPG Esoteric Options.
4887 * change-passphrase: OpenPGP Key Management.
4889 * change-passphrase <1>: Certificate Management.
4891 * change-pin: Operational GPG Commands.
4893 * check: gpg-check-pattern. (line 56)
4894 * check-passphrase-pattern: Agent Options. (line 249)
4895 * check-signatures: Operational GPG Commands.
4897 * check-sigs: Operational GPG Commands.
4899 * check-sym-passphrase-pattern: Agent Options. (line 249)
4900 * check-trustdb: Operational GPG Commands.
4902 * cipher-algo: GPG Esoteric Options.
4904 * cipher-algo <1>: CMS Options. (line 13)
4905 * clear-sign: Operational GPG Commands.
4907 * clearsign: Operational GPG Commands.
4909 * cms: gpgtar. (line 99)
4910 * command-fd: GPG Esoteric Options.
4912 * command-file: GPG Esoteric Options.
4914 * comment: GPG Esoteric Options.
4916 * compliance: Compliance Options. (line 67)
4917 * compliance <1>: Esoteric Options. (line 18)
4918 * compliant-needed: GPG Configuration Options.
4920 * compress-algo: GPG Esoteric Options.
4922 * compress-level: GPG Configuration Options.
4924 * connect-quick-timeout: Dirmngr Options. (line 125)
4925 * connect-timeout: Dirmngr Options. (line 125)
4926 * create: gpgtar. (line 16)
4927 * create-socketdir: Invoking gpgconf. (line 91)
4928 * csh: Agent Options. (line 146)
4929 * csh <1>: Dirmngr Options. (line 87)
4930 * ctapi-driver: Scdaemon Options. (line 156)
4931 * daemon: Agent Commands. (line 27)
4932 * daemon <1>: Dirmngr Commands. (line 27)
4933 * daemon <2>: Scdaemon Commands. (line 31)
4934 * dearmor: Operational GPG Commands.
4936 * debug: Agent Options. (line 82)
4937 * debug <1>: Dirmngr Options. (line 59)
4938 * debug <2>: GPG Esoteric Options.
4940 * debug <3>: Esoteric Options. (line 63)
4941 * debug <4>: Scdaemon Options. (line 69)
4942 * debug-all: Agent Options. (line 106)
4943 * debug-all <1>: Dirmngr Options. (line 66)
4944 * debug-all <2>: GPG Esoteric Options.
4946 * debug-all <3>: Esoteric Options. (line 90)
4947 * debug-all <4>: Scdaemon Options. (line 96)
4948 * debug-allow-core-dump: Esoteric Options. (line 93)
4949 * debug-allow-core-dump <1>: Scdaemon Options. (line 113)
4950 * debug-assuan-log-cats: Scdaemon Options. (line 122)
4951 * debug-disable-ticker: Scdaemon Options. (line 109)
4952 * debug-ignore-expiration: Esoteric Options. (line 104)
4953 * debug-iolbf: GPG Esoteric Options.
4955 * debug-level: Agent Options. (line 57)
4956 * debug-level <1>: Dirmngr Options. (line 34)
4957 * debug-level <2>: GPG Esoteric Options.
4959 * debug-level <3>: Esoteric Options. (line 38)
4960 * debug-level <4>: Scdaemon Options. (line 40)
4961 * debug-log-tid: Scdaemon Options. (line 119)
4962 * debug-no-chain-validation: Esoteric Options. (line 100)
4963 * debug-pinentry: Agent Options. (line 126)
4964 * debug-quick-random: Agent Options. (line 114)
4965 * debug-wait: Agent Options. (line 109)
4966 * debug-wait <1>: Dirmngr Options. (line 74)
4967 * debug-wait <2>: Scdaemon Options. (line 99)
4968 * debug-wait <3>: Scdaemon Options. (line 104)
4969 * decode: Invoking gpg-connect-agent.
4971 * decrypt: Operational GPG Commands.
4973 * decrypt <1>: Operational GPGSM Commands.
4975 * decrypt <2>: gpgtar. (line 29)
4976 * decrypt-files: Operational GPG Commands.
4978 * default-cache-ttl: Agent Options. (line 206)
4979 * default-cache-ttl <1>: Agent Options. (line 215)
4980 * default-cert-expire: GPG Esoteric Options.
4982 * default-cert-level: GPG Configuration Options.
4984 * default-key: GPG Configuration Options.
4986 * default-key <1>: Input and Output. (line 34)
4987 * default-keyserver-url: GPG Esoteric Options.
4989 * default-new-key-algo STRING: GPG Esoteric Options.
4991 * default-preference-list: GPG Esoteric Options.
4993 * default-recipient: GPG Configuration Options.
4995 * default-recipient-self: GPG Configuration Options.
4997 * default-sig-expire: GPG Esoteric Options.
4999 * delete-keys: Operational GPG Commands.
5001 * delete-keys <1>: Certificate Management.
5003 * delete-secret-and-public-key: Operational GPG Commands.
5005 * delete-secret-keys: Operational GPG Commands.
5007 * deny-admin: Scdaemon Options. (line 203)
5008 * desig-revoke: OpenPGP Key Management.
5010 * detach-sign: Operational GPG Commands.
5012 * digest-algo: GPG Esoteric Options.
5014 * directory: gpgtar. (line 76)
5015 * directory <1>: gpg-wks-client. (line 115)
5016 * directory <2>: gpg-wks-server. (line 50)
5017 * dirmngr: Invoking gpg-connect-agent.
5019 * dirmngr-program: GPG Configuration Options.
5021 * dirmngr-program <1>: Configuration Options.
5023 * dirmngr-program <2>: Invoking gpg-connect-agent.
5025 * disable-application: Scdaemon Options. (line 213)
5026 * disable-ccid: Scdaemon Options. (line 161)
5027 * disable-check-own-socket: Agent Options. (line 331)
5028 * disable-check-own-socket <1>: Dirmngr Options. (line 79)
5029 * disable-cipher-algo: GPG Esoteric Options.
5031 * disable-crl-checks: Certificate Options. (line 13)
5032 * disable-dsa2: GPG Configuration Options.
5034 * disable-extended-key-format: Agent Options. (line 377)
5035 * disable-http: Dirmngr Options. (line 217)
5036 * disable-ipv4: Dirmngr Options. (line 211)
5037 * disable-ipv6: Dirmngr Options. (line 211)
5038 * disable-large-rsa: GPG Configuration Options.
5040 * disable-ldap: Dirmngr Options. (line 214)
5041 * disable-mdc: OpenPGP Options. (line 25)
5042 * disable-ocsp: Certificate Options. (line 53)
5043 * disable-pinpad: Scdaemon Options. (line 200)
5044 * disable-policy-checks: Certificate Options. (line 8)
5045 * disable-pubkey-algo: GPG Esoteric Options.
5047 * disable-scdaemon: Agent Options. (line 325)
5048 * disable-signer-uid: OpenPGP Options. (line 31)
5049 * disable-trusted-cert-crl-check: Certificate Options. (line 24)
5050 * display: Agent Options. (line 349)
5051 * display-charset: GPG Configuration Options.
5053 * display-charset:iso-8859-1: GPG Configuration Options.
5055 * display-charset:iso-8859-15: GPG Configuration Options.
5057 * display-charset:iso-8859-2: GPG Configuration Options.
5059 * display-charset:koi8-r: GPG Configuration Options.
5061 * display-charset:utf-8: GPG Configuration Options.
5063 * dry-run: GPG Esoteric Options.
5065 * dry-run <1>: gpgtar. (line 72)
5066 * dump-cert: Certificate Management.
5068 * dump-chain: Certificate Management.
5070 * dump-external-keys: Certificate Management.
5072 * dump-keys: Certificate Management.
5074 * dump-options: Agent Commands. (line 19)
5075 * dump-options <1>: Dirmngr Commands. (line 18)
5076 * dump-options <2>: General GPG Commands.
5078 * dump-options <3>: General GPGSM Commands.
5080 * dump-options <4>: Scdaemon Commands. (line 18)
5081 * dump-secret-keys: Certificate Management.
5083 * edit-card: Operational GPG Commands.
5085 * edit-key: OpenPGP Key Management.
5087 * emit-version: GPG Esoteric Options.
5089 * enable-crl-checks: Certificate Options. (line 13)
5090 * enable-dsa2: GPG Configuration Options.
5092 * enable-extended-key-format: Agent Options. (line 377)
5093 * enable-issuer-based-crl-check: Certificate Options. (line 45)
5094 * enable-large-rsa: GPG Configuration Options.
5096 * enable-ocsp: Certificate Options. (line 53)
5097 * enable-passphrase-history: Agent Options. (line 272)
5098 * enable-pinpad-varlen: Scdaemon Options. (line 192)
5099 * enable-policy-checks: Certificate Options. (line 8)
5100 * enable-progress-filter: GPG Esoteric Options.
5102 * enable-putty-support: Agent Options. (line 391)
5103 * enable-special-filenames: GPG Esoteric Options.
5105 * enable-special-filenames <1>: gpgv. (line 97)
5106 * enable-ssh-support: Agent Options. (line 391)
5107 * enable-trusted-cert-crl-check: Certificate Options. (line 24)
5108 * enarmor: Operational GPG Commands.
5110 * encrypt: Operational GPG Commands.
5112 * encrypt <1>: Operational GPGSM Commands.
5114 * encrypt <2>: gpgtar. (line 23)
5115 * encrypt-files: Operational GPG Commands.
5117 * encrypt-to: GPG Key related Options.
5119 * enforce-passphrase-constraints: Agent Options. (line 233)
5120 * escape-from-lines: GPG Esoteric Options.
5122 * exec: Invoking gpg-connect-agent.
5124 * exec-path: GPG Configuration Options.
5126 * exit-on-status-write-error: GPG Configuration Options.
5128 * expert: GPG Configuration Options.
5130 * export: Operational GPG Commands.
5132 * export <1>: Certificate Management.
5134 * export-filter: GPG Input and Output.
5136 * export-options: GPG Input and Output.
5138 * export-ownertrust: Operational GPG Commands.
5140 * export-secret-key-p12: Certificate Management.
5142 * export-secret-key-p8: Certificate Management.
5144 * export-secret-key-raw: Certificate Management.
5146 * export-secret-keys: Operational GPG Commands.
5148 * export-secret-subkeys: Operational GPG Commands.
5150 * export-ssh-key: Operational GPG Commands.
5152 * extra-digest-algo: Esoteric Options. (line 7)
5153 * extra-socket: Agent Options. (line 363)
5154 * extract: gpgtar. (line 19)
5155 * faked-system-time: Agent Options. (line 52)
5156 * faked-system-time <1>: GPG Esoteric Options.
5158 * faked-system-time <2>: Esoteric Options. (line 27)
5159 * fast-list-mode: GPG Esoteric Options.
5161 * fetch-crl: Dirmngr Commands. (line 52)
5162 * fetch-keys: Operational GPG Commands.
5164 * fingerprint: Operational GPG Commands.
5166 * fixed-list-mode: GPG Input and Output.
5168 * flush: Dirmngr Commands. (line 62)
5169 * for-your-eyes-only: GPG Esoteric Options.
5171 * forbid-gen-key: GPG Esoteric Options.
5173 * force: Dirmngr Options. (line 93)
5174 * force <1>: watchgnupg. (line 23)
5175 * force-crl-refresh: Certificate Options. (line 35)
5176 * force-default-responder: dirmngr-client. (line 64)
5177 * force-mdc: OpenPGP Options. (line 25)
5178 * force-sign-key: GPG Esoteric Options.
5180 * forget: Invoking gpg-preset-passphrase.
5182 * from: gpg-wks-server. (line 54)
5183 * full-gen-key: OpenPGP Key Management.
5185 * full-generate-key: OpenPGP Key Management.
5187 * gen-key: OpenPGP Key Management.
5189 * gen-key <1>: Certificate Management.
5191 * gen-prime: Operational GPG Commands.
5193 * gen-random: Operational GPG Commands.
5195 * gen-revoke: OpenPGP Key Management.
5197 * generate-designated-revocation: OpenPGP Key Management.
5199 * generate-key: OpenPGP Key Management.
5201 * generate-key <1>: Certificate Management.
5203 * generate-revocation: OpenPGP Key Management.
5205 * gnupg: Compliance Options. (line 12)
5206 * gpg: gpgtar. (line 110)
5207 * gpg-agent-info: GPG Configuration Options.
5209 * gpg-args: gpgtar. (line 113)
5210 * gpgconf-list: GPG Esoteric Options.
5212 * gpgconf-test: GPG Esoteric Options.
5214 * grab: Agent Options. (line 153)
5215 * group: GPG Key related Options.
5217 * header: gpg-wks-server. (line 57)
5218 * help: Agent Commands. (line 15)
5219 * help <1>: Dirmngr Commands. (line 14)
5220 * help <2>: General GPG Commands.
5222 * help <3>: General GPGSM Commands.
5224 * help <4>: Scdaemon Commands. (line 14)
5225 * help <5>: watchgnupg. (line 39)
5226 * help <6>: dirmngr-client. (line 44)
5227 * help <7>: gpgtar. (line 125)
5228 * help <8>: gpg-wks-client. (line 128)
5229 * help <9>: gpg-wks-server. (line 87)
5230 * hex: Invoking gpg-connect-agent.
5232 * hidden-encrypt-to: GPG Key related Options.
5234 * hidden-recipient: GPG Key related Options.
5236 * hidden-recipient-file: GPG Key related Options.
5238 * homedir: Agent Options. (line 17)
5239 * homedir <1>: GPG Configuration Options.
5241 * homedir <2>: Configuration Options.
5243 * homedir <3>: Scdaemon Options. (line 13)
5244 * homedir <4>: gpgv. (line 69)
5245 * homedir <5>: Invoking gpgconf. (line 115)
5246 * homedir <6>: Invoking gpg-connect-agent.
5248 * honor-http-proxy: Dirmngr Options. (line 236)
5249 * http-proxy: Dirmngr Options. (line 240)
5250 * ignore-cache-for-signing: Agent Options. (line 200)
5251 * ignore-cert: Dirmngr Options. (line 386)
5252 * ignore-cert-extension: Dirmngr Options. (line 376)
5253 * ignore-cert-extension <1>: Certificate Options. (line 82)
5254 * ignore-crc-error: GPG Esoteric Options.
5256 * ignore-http-dp: Dirmngr Options. (line 220)
5257 * ignore-ldap-dp: Dirmngr Options. (line 227)
5258 * ignore-mdc-error: GPG Esoteric Options.
5260 * ignore-ocsp-service-url: Dirmngr Options. (line 232)
5261 * ignore-time-conflict: GPG Esoteric Options.
5263 * ignore-time-conflict <1>: gpgv. (line 63)
5264 * ignore-valid-from: GPG Esoteric Options.
5266 * import: Operational GPG Commands.
5268 * import <1>: Certificate Management.
5270 * import-filter: GPG Input and Output.
5272 * import-options: GPG Input and Output.
5274 * import-ownertrust: Operational GPG Commands.
5276 * include-certs: CMS Options. (line 7)
5277 * include-key-block: OpenPGP Options. (line 38)
5278 * input-size-hint: GPG Input and Output.
5280 * interactive: GPG Esoteric Options.
5282 * keep-display: Agent Options. (line 354)
5283 * keep-tty: Agent Options. (line 354)
5284 * key-origin: GPG Input and Output.
5286 * keydb-clear-some-cert-flags: Certificate Management.
5288 * keyedit:addcardkey: OpenPGP Key Management.
5290 * keyedit:addkey: OpenPGP Key Management.
5292 * keyedit:addphoto: OpenPGP Key Management.
5294 * keyedit:addrevoker: OpenPGP Key Management.
5296 * keyedit:adduid: OpenPGP Key Management.
5298 * keyedit:bkuptocard: OpenPGP Key Management.
5300 * keyedit:change-usage: OpenPGP Key Management.
5302 * keyedit:check: OpenPGP Key Management.
5304 * keyedit:clean: OpenPGP Key Management.
5306 * keyedit:cross-certify: OpenPGP Key Management.
5308 * keyedit:delkey: OpenPGP Key Management.
5310 * keyedit:delsig: OpenPGP Key Management.
5312 * keyedit:deluid: OpenPGP Key Management.
5314 * keyedit:disable: OpenPGP Key Management.
5316 * keyedit:enable: OpenPGP Key Management.
5318 * keyedit:expire: OpenPGP Key Management.
5320 * keyedit:key: OpenPGP Key Management.
5322 * keyedit:keyserver: OpenPGP Key Management.
5324 * keyedit:keytocard: OpenPGP Key Management.
5326 * keyedit:lsign: OpenPGP Key Management.
5328 * keyedit:minimize: OpenPGP Key Management.
5330 * keyedit:notation: OpenPGP Key Management.
5332 * keyedit:nrsign: OpenPGP Key Management.
5334 * keyedit:passwd: OpenPGP Key Management.
5336 * keyedit:pref: OpenPGP Key Management.
5338 * keyedit:primary: OpenPGP Key Management.
5340 * keyedit:quit: OpenPGP Key Management.
5342 * keyedit:revkey: OpenPGP Key Management.
5344 * keyedit:revsig: OpenPGP Key Management.
5346 * keyedit:revuid: OpenPGP Key Management.
5348 * keyedit:save: OpenPGP Key Management.
5350 * keyedit:setpref: OpenPGP Key Management.
5352 * keyedit:showphoto: OpenPGP Key Management.
5354 * keyedit:showpref: OpenPGP Key Management.
5356 * keyedit:sign: OpenPGP Key Management.
5358 * keyedit:toggle: OpenPGP Key Management.
5360 * keyedit:trust: OpenPGP Key Management.
5362 * keyedit:tsign: OpenPGP Key Management.
5364 * keyedit:uid: OpenPGP Key Management.
5366 * keyid-format: GPG Configuration Options.
5368 * keyring: GPG Configuration Options.
5370 * keyring <1>: gpgv. (line 38)
5371 * keyserver: Dirmngr Options. (line 148)
5372 * keyserver <1>: GPG Configuration Options.
5374 * keyserver <2>: Configuration Options.
5376 * keyserver-options: GPG Configuration Options.
5378 * kill: Invoking gpgconf. (line 84)
5379 * known-notation: GPG Esoteric Options.
5381 * launch: Invoking gpgconf. (line 76)
5382 * lc-ctype: Agent Options. (line 349)
5383 * lc-messages: Agent Options. (line 349)
5384 * ldap-proxy: Dirmngr Options. (line 245)
5385 * ldapserver: Dirmngr Options. (line 275)
5386 * ldapserver <1>: Configuration Options.
5388 * ldapserverlist-file: Dirmngr Options. (line 256)
5389 * ldaptimeout: Dirmngr Options. (line 306)
5390 * learn-card: Certificate Management.
5392 * legacy-list-mode: GPG Input and Output.
5394 * limit-card-insert-tries: GPG Configuration Options.
5396 * list-archive: gpgtar. (line 39)
5397 * list-chain: Certificate Management.
5399 * list-config: GPG Esoteric Options.
5401 * list-crls: Dirmngr Commands. (line 40)
5402 * list-gcrypt-config: GPG Esoteric Options.
5404 * list-keys: Operational GPG Commands.
5406 * list-keys <1>: Certificate Management.
5408 * list-keys <2>: Certificate Management.
5410 * list-only: GPG Esoteric Options.
5412 * list-options: GPG Configuration Options.
5414 * list-options:show-keyring: GPG Configuration Options.
5416 * list-options:show-keyserver-urls: GPG Configuration Options.
5418 * list-options:show-notations: GPG Configuration Options.
5420 * list-options:show-only-fpr-mbox: GPG Configuration Options.
5422 * list-options:show-photos: GPG Configuration Options.
5424 * list-options:show-policy-urls: GPG Configuration Options.
5426 * list-options:show-sig-expire: GPG Configuration Options.
5428 * list-options:show-sig-subpackets: GPG Configuration Options.
5430 * list-options:show-std-notations: GPG Configuration Options.
5432 * list-options:show-uid-validity: GPG Configuration Options.
5434 * list-options:show-unusable-subkeys: GPG Configuration Options.
5436 * list-options:show-unusable-uids: GPG Configuration Options.
5438 * list-options:show-usage: GPG Configuration Options.
5440 * list-options:show-user-notations: GPG Configuration Options.
5442 * list-packets: Operational GPG Commands.
5444 * list-secret-keys: Operational GPG Commands.
5446 * list-secret-keys <1>: Certificate Management.
5448 * list-signatures: GPG Esoteric Options.
5450 * list-sigs: GPG Esoteric Options.
5452 * listen-backlog: Agent Options. (line 359)
5453 * listen-backlog <1>: Dirmngr Options. (line 134)
5454 * listen-backlog <2>: Scdaemon Options. (line 135)
5455 * load-crl: Dirmngr Commands. (line 44)
5456 * load-crl <1>: dirmngr-client. (line 80)
5457 * local-user: GPG Key related Options.
5459 * local-user <1>: Input and Output. (line 41)
5460 * local-user <2>: gpgtar. (line 53)
5461 * locate-external-keys: Operational GPG Commands.
5463 * locate-keys: Operational GPG Commands.
5465 * lock-multiple: GPG Configuration Options.
5467 * lock-never: GPG Configuration Options.
5469 * lock-once: GPG Configuration Options.
5471 * log-file: Agent Options. (line 159)
5472 * log-file <1>: Dirmngr Options. (line 30)
5473 * log-file <2>: GPG Esoteric Options.
5475 * log-file <3>: Configuration Options.
5477 * log-file <4>: Scdaemon Options. (line 140)
5478 * log-file <5>: gpgv. (line 59)
5479 * logger-fd: GPG Esoteric Options.
5481 * logger-fd <1>: gpgv. (line 56)
5482 * lookup: dirmngr-client. (line 86)
5483 * lsign-key: OpenPGP Key Management.
5485 * mangle-dos-filenames: GPG Configuration Options.
5487 * marginals-needed: GPG Configuration Options.
5489 * max-cache-ttl: Agent Options. (line 221)
5490 * max-cache-ttl-ssh: Agent Options. (line 227)
5491 * max-cert-depth: GPG Configuration Options.
5493 * max-output: GPG Input and Output.
5495 * max-passphrase-days: Agent Options. (line 267)
5496 * max-replies: Dirmngr Options. (line 373)
5497 * min-cert-level: GPG Configuration Options.
5499 * min-passphrase-len: Agent Options. (line 237)
5500 * min-passphrase-nonalpha: Agent Options. (line 242)
5501 * min-rsa-length: Compliance Options. (line 72)
5502 * min-rsa-length <1>: Esoteric Options. (line 22)
5503 * multi-server: Scdaemon Commands. (line 26)
5504 * multifile: Operational GPG Commands.
5506 * nameserver: Dirmngr Options. (line 203)
5507 * no: GPG Configuration Options.
5509 * no-allow-external-cache: Agent Options. (line 185)
5510 * no-allow-loopback-pinentry: Agent Options. (line 177)
5511 * no-allow-mark-trusted: Agent Options. (line 167)
5512 * no-armor: GPG Input and Output.
5514 * no-auto-key-import: GPG Configuration Options.
5516 * no-auto-key-retrieve: GPG Configuration Options.
5518 * no-autostart: GPG Configuration Options.
5520 * no-autostart <1>: Configuration Options.
5522 * no-autostart <2>: Invoking gpg-connect-agent.
5524 * no-batch: GPG Configuration Options.
5526 * no-common-certs-import: Esoteric Options. (line 141)
5527 * no-default-keyring: GPG Esoteric Options.
5529 * no-default-recipient: GPG Configuration Options.
5531 * no-detach: Agent Options. (line 131)
5532 * no-detach <1>: Scdaemon Options. (line 131)
5533 * no-encrypt-to: GPG Key related Options.
5535 * no-expensive-trust-checks: GPG Esoteric Options.
5537 * no-ext-connect: Invoking gpg-connect-agent.
5539 * no-grab: Agent Options. (line 153)
5540 * no-greeting: GPG Configuration Options.
5542 * no-groups: GPG Key related Options.
5544 * no-keyring: GPG Esoteric Options.
5546 * no-literal: GPG Esoteric Options.
5548 * no-mangle-dos-filenames: GPG Configuration Options.
5550 * no-options: GPG Configuration Options.
5552 * no-random-seed-file: GPG Configuration Options.
5554 * no-secmem-warning: GPG Configuration Options.
5556 * no-secmem-warning <1>: Configuration Options.
5558 * no-sig-cache: GPG Configuration Options.
5560 * no-skip-hidden-recipients: GPG Key related Options.
5562 * no-symkey-cache: GPG Esoteric Options.
5564 * no-tty: GPG Configuration Options.
5566 * no-use-standard-socket: Agent Options. (line 339)
5567 * no-use-tor: Dirmngr Options. (line 98)
5568 * no-verbose: GPG Configuration Options.
5570 * not-dash-escaped: GPG Esoteric Options.
5572 * null: gpgtar. (line 86)
5573 * null <1>: gpg-check-pattern. (line 59)
5574 * ocsp: dirmngr-client. (line 61)
5575 * ocsp-current-period: Dirmngr Options. (line 368)
5576 * ocsp-max-clock-skew: Dirmngr Options. (line 360)
5577 * ocsp-max-period: Dirmngr Options. (line 364)
5578 * ocsp-responder: Dirmngr Options. (line 334)
5579 * ocsp-signer: Dirmngr Options. (line 339)
5580 * only-ldap-proxy: Dirmngr Options. (line 251)
5581 * openpgp: Compliance Options. (line 19)
5582 * openpgp <1>: gpgtar. (line 95)
5583 * options: Agent Options. (line 10)
5584 * options <1>: Dirmngr Options. (line 11)
5585 * options <2>: Dirmngr Options. (line 16)
5586 * options <3>: GPG Configuration Options.
5588 * options <4>: Configuration Options.
5590 * options <5>: Scdaemon Options. (line 7)
5591 * output: GPG Input and Output.
5593 * output <1>: Input and Output. (line 51)
5594 * output <2>: gpgv. (line 45)
5595 * output <3>: gpgtar. (line 57)
5596 * output <4>: gpg-wks-client. (line 104)
5597 * output <5>: gpg-wks-server. (line 65)
5598 * override-session-key: GPG Esoteric Options.
5600 * p12-charset: Input and Output. (line 24)
5601 * passphrase: GPG Esoteric Options.
5603 * passphrase <1>: Invoking gpg-preset-passphrase.
5605 * passphrase-fd: GPG Esoteric Options.
5607 * passphrase-fd <1>: Esoteric Options. (line 109)
5608 * passphrase-file: GPG Esoteric Options.
5610 * passphrase-repeat: GPG Esoteric Options.
5612 * passwd: OpenPGP Key Management.
5614 * passwd <1>: Certificate Management.
5616 * pcsc-driver: Scdaemon Options. (line 150)
5617 * pcsc-shared: Scdaemon Options. (line 144)
5618 * pem: dirmngr-client. (line 58)
5619 * permission-warning: GPG Configuration Options.
5621 * personal-cipher-preferences: OpenPGP Options. (line 46)
5622 * personal-compress-preferences: OpenPGP Options. (line 64)
5623 * personal-digest-preferences: OpenPGP Options. (line 55)
5624 * pgp6: Compliance Options. (line 44)
5625 * pgp7: Compliance Options. (line 54)
5626 * pgp8: Compliance Options. (line 60)
5627 * photo-viewer: GPG Configuration Options.
5629 * pinentry-formatted-passphrase: Agent Options. (line 286)
5630 * pinentry-invisible-char: Agent Options. (line 275)
5631 * pinentry-mode: GPG Esoteric Options.
5633 * pinentry-mode <1>: Esoteric Options. (line 118)
5634 * pinentry-program: Agent Options. (line 299)
5635 * pinentry-timeout: Agent Options. (line 280)
5636 * pinentry-touch-file: Agent Options. (line 312)
5637 * ping: dirmngr-client. (line 69)
5638 * policy-file: Configuration Options.
5640 * prefer-system-dirmngr: Configuration Options.
5642 * preserve-permissions: GPG Esoteric Options.
5644 * preset: Invoking gpg-preset-passphrase.
5646 * primary-keyring: GPG Configuration Options.
5648 * print-md: Operational GPG Commands.
5650 * q: Invoking gpg-connect-agent.
5652 * quick-add-key: OpenPGP Key Management.
5654 * quick-add-uid: OpenPGP Key Management.
5656 * quick-gen-key: OpenPGP Key Management.
5658 * quick-generate-key: OpenPGP Key Management.
5660 * quick-lsign-key: OpenPGP Key Management.
5662 * quick-revoke-sig: OpenPGP Key Management.
5664 * quick-revoke-uid: OpenPGP Key Management.
5666 * quick-set-expire: OpenPGP Key Management.
5668 * quick-set-primary-uid: OpenPGP Key Management.
5670 * quick-sign-key: OpenPGP Key Management.
5672 * quiet: Agent Options. (line 45)
5673 * quiet <1>: GPG Configuration Options.
5675 * quiet <2>: gpgv. (line 35)
5676 * quiet <3>: Invoking gpgconf. (line 112)
5677 * quiet <4>: Invoking gpg-connect-agent.
5679 * quiet <5>: dirmngr-client. (line 48)
5680 * quiet <6>: gpgtar. (line 65)
5681 * quiet <7>: gpg-wks-client. (line 122)
5682 * quiet <8>: gpg-wks-server. (line 81)
5683 * raw-socket: Invoking gpg-connect-agent.
5685 * reader-port: Scdaemon Options. (line 167)
5686 * rebuild-keydb-caches: Operational GPG Commands.
5688 * receive-keys: Operational GPG Commands.
5690 * recipient: GPG Key related Options.
5692 * recipient <1>: Input and Output. (line 46)
5693 * recipient <2>: gpgtar. (line 49)
5694 * recipient-file: GPG Key related Options.
5696 * recursive-resolver: Dirmngr Options. (line 117)
5697 * recv-keys: Operational GPG Commands.
5699 * refresh-keys: Operational GPG Commands.
5701 * reload: Invoking gpgconf. (line 70)
5702 * remove-socketdir: Invoking gpgconf. (line 97)
5703 * request-origin: GPG Esoteric Options.
5705 * request-origin <1>: Esoteric Options. (line 133)
5706 * require-cross-certification: GPG Configuration Options.
5708 * require-secmem: GPG Configuration Options.
5710 * resolver-timeout: Dirmngr Options. (line 120)
5711 * rfc2440: Compliance Options. (line 37)
5712 * rfc4880: Compliance Options. (line 25)
5713 * rfc4880bis: Compliance Options. (line 30)
5714 * run: Invoking gpg-connect-agent.
5716 * s: Dirmngr Options. (line 87)
5717 * s2k-calibration: Agent Options. (line 454)
5718 * s2k-cipher-algo: OpenPGP Options. (line 74)
5719 * s2k-count: Agent Options. (line 461)
5720 * s2k-count <1>: OpenPGP Options. (line 90)
5721 * s2k-digest-algo: OpenPGP Options. (line 79)
5722 * s2k-mode: OpenPGP Options. (line 83)
5723 * scdaemon-program: Agent Options. (line 321)
5724 * search-keys: Operational GPG Commands.
5726 * secret-keyring: GPG Configuration Options.
5728 * send: gpg-wks-client. (line 65)
5729 * send <1>: gpg-wks-server. (line 60)
5730 * send-keys: Operational GPG Commands.
5732 * sender: GPG Key related Options.
5734 * server: Agent Commands. (line 23)
5735 * server <1>: Dirmngr Commands. (line 22)
5736 * server <2>: Operational GPGSM Commands.
5738 * server <3>: Scdaemon Commands. (line 22)
5739 * set-filename: GPG Esoteric Options.
5741 * set-filename <1>: gpgtar. (line 104)
5742 * set-filesize: GPG Esoteric Options.
5744 * set-notation: GPG Esoteric Options.
5746 * set-policy-url: GPG Esoteric Options.
5748 * sh: Agent Options. (line 146)
5749 * sh <1>: Dirmngr Options. (line 87)
5750 * show-keyring: Deprecated Options. (line 16)
5751 * show-keys: Operational GPG Commands.
5753 * show-notation: Deprecated Options. (line 25)
5754 * show-photos: Deprecated Options. (line 8)
5755 * show-policy-url: Deprecated Options. (line 33)
5756 * show-session-key: GPG Esoteric Options.
5758 * shutdown: Dirmngr Commands. (line 58)
5759 * sig-keyserver-url: GPG Esoteric Options.
5761 * sig-notation: GPG Esoteric Options.
5763 * sig-policy-url: GPG Esoteric Options.
5765 * sign: Operational GPG Commands.
5767 * sign <1>: Operational GPGSM Commands.
5769 * sign-key: OpenPGP Key Management.
5771 * skip-crypto: gpgtar. (line 68)
5772 * skip-hidden-recipients: GPG Key related Options.
5774 * skip-verify: GPG Esoteric Options.
5776 * squid-mode: dirmngr-client. (line 101)
5777 * ssh-fingerprint-digest: Agent Options. (line 439)
5778 * standard-resolver: Dirmngr Options. (line 110)
5779 * status-fd: GPG Esoteric Options.
5781 * status-fd <1>: gpgv. (line 52)
5782 * status-fd <2>: Invoking gpgconf. (line 153)
5783 * status-fd <3>: gpg-wks-client. (line 108)
5784 * status-file: GPG Esoteric Options.
5786 * steal-socket: Agent Options. (line 135)
5787 * store: Operational GPG Commands.
5789 * subst: Invoking gpg-connect-agent.
5791 * supervised: Agent Commands. (line 36)
5792 * supervised <1>: Dirmngr Commands. (line 33)
5793 * symmetric: Operational GPG Commands.
5795 * tar-args: gpgtar. (line 116)
5796 * textmode: OpenPGP Options. (line 8)
5797 * throw-keyids: GPG Esoteric Options.
5799 * time-only: watchgnupg. (line 30)
5800 * tls-debug: Dirmngr Options. (line 69)
5801 * tofu-default-policy: GPG Configuration Options.
5803 * tofu-policy: Operational GPG Commands.
5805 * trust-model: GPG Configuration Options.
5807 * trust-model:always: GPG Configuration Options.
5809 * trust-model:auto: GPG Configuration Options.
5811 * trust-model:classic: GPG Configuration Options.
5813 * trust-model:direct: GPG Configuration Options.
5815 * trust-model:pgp: GPG Configuration Options.
5817 * trust-model:tofu: GPG Configuration Options.
5819 * trust-model:tofu+pgp: GPG Configuration Options.
5821 * trustdb-name: GPG Configuration Options.
5823 * trusted-key: GPG Configuration Options.
5825 * try-all-secrets: GPG Key related Options.
5827 * try-secret-key: GPG Key related Options.
5829 * ttyname: Agent Options. (line 349)
5830 * ttytype: Agent Options. (line 349)
5831 * ungroup: GPG Key related Options.
5833 * update-trustdb: Operational GPG Commands.
5835 * url: dirmngr-client. (line 94)
5836 * url <1>: dirmngr-client. (line 98)
5837 * use-agent: GPG Configuration Options.
5839 * use-embedded-filename: GPG Esoteric Options.
5841 * use-standard-socket: Agent Options. (line 339)
5842 * use-standard-socket-p: Agent Options. (line 339)
5843 * use-tor: Dirmngr Options. (line 98)
5844 * utf8-strings: GPG Configuration Options.
5846 * utf8-strings <1>: gpgtar. (line 90)
5847 * v: Dirmngr Options. (line 25)
5848 * v <1>: Configuration Options.
5850 * v <2>: Scdaemon Options. (line 35)
5851 * v <3>: dirmngr-client. (line 53)
5852 * validate: dirmngr-client. (line 76)
5853 * validation-model: Certificate Options. (line 73)
5854 * verbose: Agent Options. (line 39)
5855 * verbose <1>: Dirmngr Options. (line 25)
5856 * verbose <2>: GPG Configuration Options.
5858 * verbose <3>: Configuration Options.
5860 * verbose <4>: Scdaemon Options. (line 35)
5861 * verbose <5>: watchgnupg. (line 33)
5862 * verbose <6>: gpgv. (line 30)
5863 * verbose <7>: Invoking gpg-preset-passphrase.
5865 * verbose <8>: Invoking gpg-connect-agent.
5867 * verbose <9>: dirmngr-client. (line 53)
5868 * verbose <10>: gpgtar. (line 61)
5869 * verbose <11>: gpg-check-pattern. (line 53)
5870 * verbose <12>: gpg-wks-client. (line 119)
5871 * verbose <13>: gpg-wks-server. (line 78)
5872 * verify: Operational GPG Commands.
5874 * verify <1>: Operational GPGSM Commands.
5876 * verify-files: Operational GPG Commands.
5878 * verify-options: GPG Configuration Options.
5880 * verify-options:pka-lookups: GPG Configuration Options.
5882 * verify-options:pka-trust-increase: GPG Configuration Options.
5884 * verify-options:show-keyserver-urls: GPG Configuration Options.
5886 * verify-options:show-notations: GPG Configuration Options.
5888 * verify-options:show-photos: GPG Configuration Options.
5890 * verify-options:show-policy-urls: GPG Configuration Options.
5892 * verify-options:show-primary-uid-only: GPG Configuration Options.
5894 * verify-options:show-std-notations: GPG Configuration Options.
5896 * verify-options:show-uid-validity: GPG Configuration Options.
5898 * verify-options:show-unusable-uids: GPG Configuration Options.
5900 * verify-options:show-user-notations: GPG Configuration Options.
5902 * version: Agent Commands. (line 10)
5903 * version <1>: Dirmngr Commands. (line 10)
5904 * version <2>: General GPG Commands.
5906 * version <3>: General GPGSM Commands.
5908 * version <4>: Scdaemon Commands. (line 10)
5909 * version <5>: watchgnupg. (line 36)
5910 * version <6>: dirmngr-client. (line 40)
5911 * version <7>: gpgtar. (line 122)
5912 * version <8>: gpg-wks-client. (line 125)
5913 * version <9>: gpg-wks-server. (line 84)
5914 * warranty: General GPG Commands.
5916 * warranty <1>: General GPGSM Commands.
5918 * weak-digest: GPG Esoteric Options.
5920 * weak-digest <1>: gpgv. (line 90)
5921 * with-colons: GPG Input and Output.
5923 * with-colons <1>: gpg-wks-client. (line 69)
5924 * with-dir: gpg-wks-server. (line 69)
5925 * with-ephemeral-keys: Esoteric Options. (line 33)
5926 * with-file: gpg-wks-server. (line 73)
5927 * with-fingerprint: GPG Input and Output.
5929 * with-icao-spelling: GPG Input and Output.
5931 * with-key-data: GPG Esoteric Options.
5933 * with-key-data <1>: Input and Output. (line 54)
5934 * with-key-origin: GPG Input and Output.
5936 * with-keygrip: GPG Input and Output.
5938 * with-secret: GPG Input and Output.
5940 * with-secret <1>: Input and Output. (line 78)
5941 * with-subkey-fingerprint: GPG Input and Output.
5943 * with-validation: Input and Output. (line 60)
5944 * with-wkd-hash: GPG Input and Output.
5946 * xauthority: Agent Options. (line 349)
5947 * yes: GPG Configuration Options.
5951 File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top
5953 Environment Variable and File Index
5954 ***********************************
5959 * .gpg-v21-migrated: GPG Configuration. (line 77)
5960 * ~/.gnupg: GPG Configuration. (line 27)
5961 * ASSUAN_DEBUG: Scdaemon Options. (line 122)
5962 * COLUMNS: GPG Configuration. (line 118)
5963 * com-certs.pem: GPGSM Configuration. (line 84)
5964 * dirmngr.conf: Dirmngr Configuration.
5966 * DISPLAY: GPGSM OPTION. (line 21)
5967 * GNUPGHOME: Agent Options. (line 17)
5968 * GNUPGHOME <1>: GPG Configuration Options.
5970 * GNUPGHOME <2>: GPG Configuration. (line 106)
5971 * GNUPGHOME <3>: Configuration Options.
5973 * GNUPGHOME <4>: Scdaemon Options. (line 13)
5974 * GNUPGHOME <5>: gpgv. (line 69)
5975 * GNUPGHOME <6>: Invoking gpgconf. (line 115)
5976 * GNUPGHOME <7>: Invoking gpg-connect-agent.
5978 * GNUPG_BUILD_ROOT: GPG Configuration. (line 130)
5979 * gpg-agent.conf: Agent Configuration. (line 11)
5980 * gpg.conf: GPG Configuration. (line 11)
5981 * gpgconf.ctl: Agent Options. (line 28)
5982 * gpgconf.ctl <1>: GPG Configuration Options.
5984 * gpgconf.ctl <2>: Configuration Options.
5986 * gpgconf.ctl <3>: Scdaemon Options. (line 24)
5987 * gpgconf.ctl <4>: gpgv. (line 80)
5988 * gpgconf.ctl <5>: Invoking gpgconf. (line 126)
5989 * gpgconf.ctl <6>: Invoking gpg-connect-agent.
5991 * gpgsm.conf: GPGSM Configuration. (line 11)
5992 * GPG_TTY: Invoking GPG-AGENT. (line 22)
5993 * GPG_TTY <1>: GPGSM OPTION. (line 23)
5994 * help.txt: GPGSM Configuration. (line 72)
5995 * HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 159)
5996 * HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 17)
5997 * HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options.
5999 * HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options.
6001 * HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)
6002 * HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 69)
6003 * HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpgconf. (line 115)
6004 * HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking gpg-connect-agent.
6006 * HOME: GPG Configuration. (line 103)
6007 * http_proxy: Dirmngr Options. (line 240)
6008 * LANGUAGE: GPG Configuration. (line 121)
6009 * LC_CTYPE: GPGSM OPTION. (line 27)
6010 * LC_MESSAGES: GPGSM OPTION. (line 29)
6011 * LINES: GPG Configuration. (line 118)
6012 * openpgp-revocs.d: GPG Configuration. (line 91)
6013 * PATH: GPG Configuration Options.
6015 * PINENTRY_USER_DATA: GPG Configuration. (line 113)
6016 * PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33)
6017 * policies.txt: GPGSM Configuration. (line 18)
6018 * private-keys-v1.d: Agent Configuration. (line 104)
6019 * pubring.gpg: GPG Configuration. (line 32)
6020 * pubring.kbx: GPG Configuration. (line 50)
6021 * pubring.kbx <1>: GPGSM Configuration. (line 100)
6022 * qualified.txt: GPGSM Configuration. (line 33)
6023 * random_seed: GPG Configuration. (line 88)
6024 * random_seed <1>: GPGSM Configuration. (line 106)
6025 * S.gpg-agent: GPGSM Configuration. (line 111)
6026 * secring.gpg: GPG Configuration. (line 69)
6027 * SHELL: Agent Options. (line 146)
6028 * sshcontrol: Agent Configuration. (line 74)
6029 * TERM: GPGSM OPTION. (line 25)
6030 * trustdb.gpg: GPG Configuration. (line 80)
6031 * trustlist.txt: Agent Configuration. (line 20)
6032 * XAUTHORITY: GPGSM OPTION. (line 31)
6035 File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top
6043 * command options: Invoking GPG-AGENT. (line 6)
6044 * command options <1>: Invoking DIRMNGR. (line 6)
6045 * command options <2>: Invoking GPG. (line 6)
6046 * command options <3>: Invoking GPGSM. (line 6)
6047 * command options <4>: Invoking SCDAEMON. (line 6)
6048 * contributors: Contributors. (line 6)
6049 * DIRMNGR command options: Invoking DIRMNGR. (line 6)
6050 * GPG command options: Invoking GPG. (line 6)
6051 * GPG-AGENT command options: Invoking GPG-AGENT. (line 6)
6052 * gpgconf.conf: Files used by gpgconf.
6054 * GPGSM command options: Invoking GPGSM. (line 6)
6055 * options, DIRMNGR command: Invoking DIRMNGR. (line 6)
6056 * options, GPG command: Invoking GPG. (line 6)
6057 * options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)
6058 * options, GPGSM command: Invoking GPGSM. (line 6)
6059 * options, SCDAEMON command: Invoking SCDAEMON. (line 6)
6060 * relax: Agent Configuration. (line 62)
6061 * scd-event: Scdaemon Configuration.
6063 * SCDAEMON command options: Invoking SCDAEMON. (line 6)
6064 * scdaemon.conf: Scdaemon Configuration.
6066 * SIGHUP: Agent Signals. (line 12)
6067 * SIGHUP <1>: Dirmngr Signals. (line 12)
6068 * SIGINT: Agent Signals. (line 31)
6069 * SIGINT <1>: Dirmngr Signals. (line 26)
6070 * SIGTERM: Agent Signals. (line 26)
6071 * SIGTERM <1>: Dirmngr Signals. (line 19)
6072 * SIGUSR1: Agent Signals. (line 34)
6073 * SIGUSR1 <1>: Dirmngr Signals. (line 29)
6074 * SIGUSR2: Agent Signals. (line 37)
6075 * swdb.lst: Files used by gpgconf.
6077 * trust values: Trust Values. (line 6)