277
277
value of "none" removes a existing preferred keyserver.
279
279
Toggle between public and secret key listing.
281
Cleans keys by removing unusable pieces. This command can be used to
282
keep keys neat and clean, and it has no effect aside from that.
286
Remove any signatures that are not usable by the trust calculations.
287
For example, this removes any signature that does not validate. It
288
also removes any signature that is superceded by a later signature, or
289
signatures that were revoked.
291
Compact (by removing all signatures except the selfsig) any user ID
292
that is no longer usable (e.g. revoked, or expired).
295
If invoked with no arguments, both `sigs' and `uids' are cleaned.
281
297
Save all changes to the key rings and quit.
308
324
Ultimately trusted.
326
.IP "\-\-card-edit" 10
327
Present a menu to work with a smartcard. The subcommand "help" provides
328
an overview on available commands. For a detailed description, please
329
see the Card HOWTO at
330
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
331
.IP "\-\-card-status" 10
332
Show the content of the smart card.
333
.IP "\-\-change-pin" 10
334
Present a menu to allow changing the PIN of a smartcard. This
335
functionality is also available as the subcommand "passwd" with the
336
\-\-card-edit command.
310
337
.IP "\-\-sign-key \fBname\fR" 10
311
338
Signs a public key with your secret key. This is a shortcut version of
312
the subcommand "sign" from \-\-edit.
339
the subcommand "sign" from \-\-edit.
313
340
.IP "\-\-lsign-key \fBname\fR" 10
314
341
Signs a public key with your secret key but marks it as
315
342
non-exportable. This is a shortcut version of the subcommand "lsign"
470
497
used, the default key is the first key found in the secret keyring.
471
498
Note that \-u or \-\-local-user overrides this option.
472
499
.IP "\-r, \-\-recipient \fBname\fR" 10
474
500
Encrypt for user id \fBname\fR. If this option or \-\-hidden-recipient
475
501
is not specified, GnuPG asks for the user-id unless
476
502
\-\-default-recipient is given.
477
503
.IP "\-R, \-\-hidden-recipient \fBname\fR" 10
479
Encrypt for user id \fBname\fR, but hide the keyid of the key. This
480
option hides the receiver of the message and is a countermeasure
481
against traffic analysis. If this option or \-\-recipient is not
482
specified, GnuPG asks for the user-id unless \-\-default-recipient is
504
Encrypt for user ID \fBname\fR, but hide the key ID of this user's
505
key. This option helps to hide the receiver of the message and is a
506
limited countermeasure against traffic analysis. If this option or
507
\-\-recipient is not specified, GnuPG asks for the user ID unless
508
\-\-default-recipient is given.
484
509
.IP "\-\-default-recipient \fBname\fR" 10
485
510
Use \fBname\fR as default recipient if option \-\-recipient is not used and
486
511
don't ask if this is a valid one. \fBname\fR must be non-empty.
597
622
This option defaults to 0 (no particular claim).
598
623
.IP "\-\-min-cert-level" 10
599
When building the trust database, disregard any signatures with a
600
certification level below this. Defaults to 2, which disregards level
601
1 signatures. Note that level 0 "no particular claim" signatures are
624
When building the trust database, treat any signatures with a
625
certification level below this as invalid. Defaults to 2, which
626
disregards level 1 signatures. Note that level 0 "no particular
627
claim" signatures are always accepted.
603
628
.IP "\-\-trusted-key \fBlong key ID\fR" 10
604
629
Assume that the specified key (which must be given
605
630
as a full 8 byte key ID) is as trustworthy as one of
731
756
.IP "merge-only" 10
732
757
During import, allow key updates to existing keys, but do not allow
733
758
any new keys to be imported. Defaults to no.
759
.IP "import-clean-sigs" 10
760
After import, remove any signatures from the new key that are not
761
usable. This is the same as running the \-\-edit-key command "clean
762
sigs" after import. Defaults to no.
763
.IP "import-clean-uids" 10
764
After import, compact (remove all signatures from) any user IDs from
765
the new key that are not usable. This is the same as running the
766
\-\-edit-key command "clean uids" after import. Defaults to no.
735
768
.IP "\-\-export-options \fBparameters\fR" 10
736
769
This is a space or comma delimited string that gives options for
751
784
.IP "export-minimal" 10
752
785
Export the smallest key possible. Currently this is done by leaving
753
786
out any signatures that are not self-signatures. Defaults to no.
787
.IP "export-clean-sigs" 10
788
Do not export any signatures that are not usable. This is the same as
789
running the \-\-edit-key command "clean sigs" before export. Defaults
791
.IP "export-clean-uids" 10
792
Compact (remove all signatures from) user IDs on the key being
793
exported if the user IDs are not usable. This is the same as running
794
the \-\-edit-key command "clean uids" before export. Defaults to no.
795
.IP "export-reset-subkey-passwd" 10
796
When using the "\-\-export-secret-subkeys" command, this option resets
797
the passphrases for all exported subkeys to empty. This is useful
798
when the exported subkey is to be used on an unattended amchine where
799
a passphrase won't make sense. Defaults to no.
755
801
.IP "\-\-list-options \fBparameters\fR" 10
756
802
This is a space or comma delimited string that gives options used when
844
890
helpers. If not provided, keyserver helpers use the compiled-in
845
891
default directory, and photo viewers use the $PATH environment
893
Note, that on W32 system this value is ignored when searching for
847
895
.IP "\-\-show-keyring" 10
848
896
Display the keyring name at the head of key listings to show which
849
897
keyring a given key resides on. This option is deprecated: use
875
923
used it defaults to "~/.gnupg". It does not make sense to use this in
876
924
a options file. This also overrides the environment variable
926
.IP "\-\-pcsc-driver \fBfile\fR" 10
927
Use \fBfile\fR to access the smartcard reader. The current default
928
is `libpcsclite.so'. Instead of using this option you might also
929
want to install a symbolic link to the default file name
930
(e.g. from `libpcsclite.so.1').
931
.IP "\-\-ctapi-driver \fBfile\fR" 10
932
Use \fBfile\fR to access the smartcard reader. The current default
933
is `libtowitoko.so'. Note that the use of this interface is
934
deprecated; it may be removed in future releases.
935
.IP "\-\-disable-ccid" 10
936
Disable the integrated support for CCID compliant readers. This
937
allows to fall back to one of the other drivers even if the internal
938
CCID driver can handle the reader. Note, that CCID support is only
939
available if libusb was available at build time.
940
.IP "\-\-reader-port \fBnumber_or_string\fR" 10
941
This option may be used to specify the port of the card terminal. A
942
value of 0 refers to the first serial device; add 32768 to access USB
943
devices. The default is 32768 (first USB device). PC/SC or CCID
944
readers might need a string here; run the program in verbose mode to get
945
a list of available readers. The default is then the first reader
878
947
.IP "\-\-display-charset \fBname\fR" 10
879
948
Set the name of the native character set. This is used to convert
880
949
some informational strings like user IDs to the proper UTF-8
939
1008
most useful for use with \-\-status-fd, since the status messages are
940
1009
needed to separate out the various subpackets from the stream
941
1010
delivered to the file descriptor.
942
.IP "\-\-sk-comments" 10
943
.IP "\-\-no-sk-comments" 10
944
Include secret key comment packets when exporting secret keys. This
945
is a GnuPG extension to the OpenPGP standard, and is off by default.
946
Please note that this has nothing to do with the comments in clear
947
text signatures or armor headers. \-\-no-sk-comments disables this
949
1011
.IP "\-\-comment \fBstring\fR" 10
950
1012
.IP "\-\-no-comments" 10
951
1013
Use \fBstring\fR as a comment string in clear text signatures and
954
1016
to get multiple comment strings. \-\-no-comments removes all comments.
955
1017
It is a good idea to keep the length of a single comment below 60
956
1018
characters to avoid problems with mail programs wrapping such lines.
957
Note, that those comment lines, like all other header lines, are not
1019
Note that comment lines, like all other header lines, are not
958
1020
protected by the signature.
959
1021
.IP "\-\-emit-version" 10
960
1022
.IP "\-\-no-emit-version" 10
965
1027
.IP "\-N, \-\-set-notation \fBname=value\fR" 10
966
1028
Put the name value pair into the signature as notation data.
967
1029
\fBname\fR must consist only of printable characters or spaces, and
968
must contain a '@' character. This is to help prevent pollution of
969
the IETF reserved notation namespace. The \-\-expert flag overrides the
970
'@' check. \fBvalue\fR may be any printable string; it will be
971
encoded in UTF8, so you should check that your \-\-display-charset is
972
set correctly. If you prefix \fBname\fR with an exclamation mark (!),
973
the notation data will be flagged as critical (rfc2440:5.2.3.15).
974
\-\-sig-notation sets a notation for data signatures. \-\-cert-notation
975
sets a notation for key signatures (certifications). \-\-set-notation
1030
must contain a '@' character in the form keyname@domain.example.com
1031
(substituting the appropriate keyname and domain name, of course).
1032
This is to help prevent pollution of the IETF reserved notation
1033
namespace. The \-\-expert flag overrides the '@' check. \fBvalue\fR may be any printable string; it will be encoded in UTF8, so you should
1034
check that your \-\-display-charset is set correctly. If you prefix
1035
\fBname\fR with an exclamation mark (!), the notation data will be
1036
flagged as critical (rfc2440:5.2.3.15). \-\-sig-notation sets a
1037
notation for data signatures. \-\-cert-notation sets a notation for key
1038
signatures (certifications). \-\-set-notation sets both.
978
1040
There are special codes that may be used in notation names. "%k" will
979
1041
be expanded into the key ID of the key being signed, "%K" into the
1124
1186
disables this option.
1125
1187
.IP "\-\-throw-keyids" 10
1126
1188
.IP "\-\-no-throw-keyids" 10
1127
Do not put the recipient keyid into encrypted packets. This option
1128
hides the receiver of the message and is a countermeasure against
1129
traffic analysis. It may slow down the decryption process because all
1130
available secret keys are tried. \-\-no-throw-keyids disables this
1189
Do not put the recipient key IDs into encrypted messages. This helps
1190
to hide the receivers of the message and is a limited countermeasure
1191
against traffic analysis. On the receiving side, it may slow down the
1192
decryption process because all available secret keys must be tried.
1193
\-\-no-throw-keyids disables this option. This option is essentially
1194
the same as using \-\-hidden-recipient for all recipients.
1132
1195
.IP "\-\-not-dash-escaped" 10
1133
1196
This option changes the behavior of cleartext signatures
1134
1197
so that they can be used for patch files. You should not
1290
1353
is accessing those files. A bootable floppy with a stand-alone
1291
1354
encryption system will probably use this. Improper usage of this
1292
1355
option may lead to data and key corruption.
1356
.IP "\-\-exit-on-status-write-error" 10
1357
This option will cause write errors on the status FD to immediately
1358
terminate the process. That should in fact be the default but it
1359
never worked this way and thus we need an option to enable this, so
1360
that the change won't break applications which close their end of a
1361
status fd connected pipe too early. Using this option along with
1362
\-\-enable-progress-filter may be used to cleanly cancel long running
1364
.IP "\-\-limit-card-insert-tries \fBn\fR" 10
1365
With \fBn\fR greater than 0 the number of prompts asking to insert a
1366
smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
1367
all ask to insert a card if none has been inserted at startup. This
1368
option is useful in the configuration file in case an application does
1369
not know about the smartcard support and waits ad infinitum for an
1293
1371
.IP "\-\-no-random-seed-file" 10
1294
1372
GnuPG uses a file to store its internal random pool over invocations.
1295
1373
This makes random generation faster; however sometimes write operations
1379
1457
.IP "\-\-ask-sig-expire" 10
1380
1458
.IP "\-\-no-ask-sig-expire" 10
1381
1459
When making a data signature, prompt for an expiration time. If this
1382
option is not specified, the expiration time is "never".
1383
\-\-no-ask-sig-expire disables this option.
1460
option is not specified, the expiration time set via
1461
\-\-default-sig-expire is used. \-\-no-ask-sig-expire disables this
1463
.IP "\-\-default-sig-expire" 10
1464
The default expiration time to use for signature expiration. Valid
1465
values are "0" for no expiration, a number followed by the letter d
1466
(for days), w (for weeks), m (for months), or y (for years) (for
1467
example "2m" for two months, or "5y" for five years), or an absolute
1468
date in the form YYYY-MM-DD. Defaults to "0".
1384
1469
.IP "\-\-ask-cert-expire" 10
1385
1470
.IP "\-\-no-ask-cert-expire" 10
1386
1471
When making a key signature, prompt for an expiration time. If this
1387
option is not specified, the expiration time is "never".
1388
\-\-no-ask-cert-expire disables this option.
1472
option is not specified, the expiration time set via
1473
\-\-default-cert-expire is used. \-\-no-ask-cert-expire disables this
1475
.IP "\-\-default-cert-expire" 10
1476
The default expiration time to use for key signature expiration.
1477
Valid values are "0" for no expiration, a number followed by the
1478
letter d (for days), w (for weeks), m (for months), or y (for years)
1479
(for example "2m" for two months, or "5y" for five years), or an
1480
absolute date in the form YYYY-MM-DD. Defaults to "0".
1389
1481
.IP "\-\-expert" 10
1390
1482
.IP "\-\-no-expert" 10
1391
1483
Allow the user to do certain nonsensical or "silly" things like
1625
1717
warning message about insecure memory your operating system supports
1626
1718
locking without being root. The program drops root privileges as soon
1627
1719
as locked memory is allocated.
1628
.\" created by instant / docbook-to-man, Mon 07 Mar 2005, 19:26
1720
.\" created by instant / docbook-to-man, Fri 22 Jul 2005, 22:30