345
345
Toggle between public and secret key listing.
348
Cleans keys by removing unusable pieces. This command can be
349
used to keep keys neat and clean, and it has no effect aside
353
Remove any signatures that are not usable by the trust
354
calculations. For example, this removes any signature
355
that does not validate. It also removes any signature
356
that is superceded by a later signature, or signatures
360
Compact (by removing all signatures except the selfsig)
361
any user ID that is no longer usable (e.g. revoked, or
364
If invoked with no arguments, both `sigs' and `uids' are
348
368
Save all changes to the key rings and quit.
378
398
Ultimately trusted.
401
Present a menu to work with a smartcard. The subcommand "help"
402
provides an overview on available commands. For a detailed
403
description, please see the Card HOWTO at
404
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
407
Show the content of the smart card.
410
Present a menu to allow changing the PIN of a smartcard. This
411
functionality is also available as the subcommand "passwd" with the
381
415
Signs a public key with your secret key. This is a shortcut
382
416
version of the subcommand "sign" from -edit.
573
607
Note that -u or -local-user overrides this option.
575
609
-r, -recipient `name'
577
610
Encrypt for user id `name'. If this option or -hidden-recipient is
578
611
not specified, GnuPG asks for the user-id unless
579
612
-default-recipient is given.
581
614
-R, -hidden-recipient `name'
583
Encrypt for user id `name', but hide the keyid of the key. This
584
option hides the receiver of the message and is a countermeasure
585
against traffic analysis. If this option or -recipient is not
586
specified, GnuPG asks for the user-id unless -default-recipient is
615
Encrypt for user ID `name', but hide the key ID of this user's
616
key. This option helps to hide the receiver of the message and is a
617
limited countermeasure against traffic analysis. If this option or
618
-recipient is not specified, GnuPG asks for the user ID unless
619
-default-recipient is given.
589
621
-default-recipient `name'
590
622
Use `name' as default recipient if option -recipient is not used
720
752
This option defaults to 0 (no particular claim).
723
When building the trust database, disregard any signatures with a
724
certification level below this. Defaults to 2, which disregards
725
level 1 signatures. Note that level 0 "no particular claim"
726
signatures are always accepted.
755
When building the trust database, treat any signatures with a
756
certification level below this as invalid. Defaults to 2, which
757
disregards level 1 signatures. Note that level 0 "no particular
758
claim" signatures are always accepted.
728
760
-trusted-key `long key ID'
729
761
Assume that the specified key (which must be given as a full 8
879
911
During import, allow key updates to existing keys, but do not
880
912
allow any new keys to be imported. Defaults to no.
915
After import, remove any signatures from the new key that are
916
not usable. This is the same as running the -edit-key command
917
"clean sigs" after import. Defaults to no.
920
After import, compact (remove all signatures from) any user
921
IDs from the new key that are not usable. This is the same as
922
running the -edit-key command "clean uids" after import.
882
925
-export-options `parameters'
883
926
This is a space or comma delimited string that gives options for
884
927
exporting keys. Options can be prepended with a `no-' to give the
904
947
leaving out any signatures that are not self-signatures.
951
Do not export any signatures that are not usable. This is the
952
same as running the -edit-key command "clean sigs" before
953
export. Defaults to no.
956
Compact (remove all signatures from) user IDs on the key being
957
exported if the user IDs are not usable. This is the same as
958
running the -edit-key command "clean uids" before export.
961
export-reset-subkey-passwd
962
When using the "-export-secret-subkeys" command, this option
963
resets the passphrases for all exported subkeys to empty.
964
This is useful when the exported subkey is to be used on an
965
unattended amchine where a passphrase won't make sense.
907
968
-list-options `parameters'
908
969
This is a space or comma delimited string that gives options used
909
970
when listing keys and signatures (that is, -list-keys, -list-sigs,
1015
1076
Sets a list of directories to search for photo viewers and
1016
1077
keyserver helpers. If not provided, keyserver helpers use the
1017
1078
compiled-in default directory, and photo viewers use the $PATH
1018
environment variable.
1079
environment variable. Note, that on W32 system this value is
1080
ignored when searching for keyserver helpers.
1021
1083
Display the keyring name at the head of key listings to show which
1054
1116
use this in a options file. This also overrides the environment
1055
1117
variable $GNUPGHOME.
1120
Use `file' to access the smartcard reader. The current default is
1121
`libpcsclite.so'. Instead of using this option you might also want
1122
to install a symbolic link to the default file name (e.g. from
1123
`libpcsclite.so.1').
1125
-ctapi-driver `file'
1126
Use `file' to access the smartcard reader. The current default is
1127
`libtowitoko.so'. Note that the use of this interface is
1128
deprecated; it may be removed in future releases.
1131
Disable the integrated support for CCID compliant readers. This
1132
allows to fall back to one of the other drivers even if the
1133
internal CCID driver can handle the reader. Note, that CCID
1134
support is only available if libusb was available at build time.
1136
-reader-port `number_or_string'
1137
This option may be used to specify the port of the card terminal. A
1138
value of 0 refers to the first serial device; add 32768 to access
1139
USB devices. The default is 32768 (first USB device). PC/SC or CCID
1140
readers might need a string here; run the program in verbose mode
1141
to get a list of available readers. The default is then the first
1057
1144
-display-charset `name'
1058
1145
Set the name of the native character set. This is used to convert
1059
1146
some informational strings like user IDs to the proper UTF-8
1130
1217
needed to separate out the various subpackets from the stream
1131
1218
delivered to the file descriptor.
1135
Include secret key comment packets when exporting secret keys. This
1136
is a GnuPG extension to the OpenPGP standard, and is off by
1137
default. Please note that this has nothing to do with the
1138
comments in clear text signatures or armor headers.
1139
-no-sk-comments disables this option.
1141
1220
-comment `string'
1143
1222
Use `string' as a comment string in clear text signatures and
1146
1225
times to get multiple comment strings. -no-comments removes all
1147
1226
comments. It is a good idea to keep the length of a single
1148
1227
comment below 60 characters to avoid problems with mail programs
1149
wrapping such lines. Note, that those comment lines, like all
1150
other header lines, are not protected by the signature.
1228
wrapping such lines. Note that comment lines, like all other
1229
header lines, are not protected by the signature.
1153
1232
-no-emit-version
1159
1238
-N, -set-notation `name=value'
1160
1239
Put the name value pair into the signature as notation data.
1161
1240
`name' must consist only of printable characters or spaces, and
1162
must contain a '@' character. This is to help prevent pollution of
1163
the IETF reserved notation namespace. The -expert flag overrides
1164
the '@' check. `value' may be any printable string; it will be
1165
encoded in UTF8, so you should check that your -display-charset is
1166
set correctly. If you prefix `name' with an exclamation mark (!),
1167
the notation data will be flagged as critical (rfc2440:5.2.3.15).
1168
-sig-notation sets a notation for data signatures. -cert-notation
1169
sets a notation for key signatures (certifications). -set-notation
1241
must contain a '@' character in the form keyname@domain.example.com
1242
(substituting the appropriate keyname and domain name, of course).
1243
This is to help prevent pollution of the IETF reserved notation
1244
namespace. The -expert flag overrides the '@' check. `value' may
1245
be any printable string; it will be encoded in UTF8, so you should
1246
check that your -display-charset is set correctly. If you prefix
1247
`name' with an exclamation mark (!), the notation data will be
1248
flagged as critical (rfc2440:5.2.3.15). -sig-notation sets a
1249
notation for data signatures. -cert-notation sets a notation for
1250
key signatures (certifications). -set-notation sets both.
1172
1252
There are special codes that may be used in notation names. "%k"
1173
1253
will be expanded into the key ID of the key being signed, "%K"
1351
1431
-no-throw-keyids
1352
Do not put the recipient keyid into encrypted packets. This option
1353
hides the receiver of the message and is a countermeasure against
1354
traffic analysis. It may slow down the decryption process because
1355
all available secret keys are tried. -no-throw-keyids disables this
1432
Do not put the recipient key IDs into encrypted messages. This
1433
helps to hide the receivers of the message and is a limited
1434
countermeasure against traffic analysis. On the receiving side, it
1435
may slow down the decryption process because all available secret
1436
keys must be tried. -no-throw-keyids disables this option. This
1437
option is essentially the same as using -hidden-recipient for all
1358
1440
-not-dash-escaped
1359
1441
This option changes the behavior of cleartext signatures so that
1547
1629
encryption system will probably use this. Improper usage of this
1548
1630
option may lead to data and key corruption.
1632
-exit-on-status-write-error
1633
This option will cause write errors on the status FD to immediately
1634
terminate the process. That should in fact be the default but it
1635
never worked this way and thus we need an option to enable this, so
1636
that the change won't break applications which close their end of a
1637
status fd connected pipe too early. Using this option along with
1638
-enable-progress-filter may be used to cleanly cancel long running
1641
-limit-card-insert-tries `n'
1642
With `n' greater than 0 the number of prompts asking to insert a
1643
smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
1644
all ask to insert a card if none has been inserted at startup. This
1645
option is useful in the configuration file in case an application
1646
does not know about the smartcard support and waits ad infinitum
1647
for an inserted card.
1550
1649
-no-random-seed-file
1551
1650
GnuPG uses a file to store its internal random pool over
1552
1651
invocations. This makes random generation faster; however
1660
1759
-ask-sig-expire
1661
1760
-no-ask-sig-expire
1662
1761
When making a data signature, prompt for an expiration time. If
1663
this option is not specified, the expiration time is "never".
1664
-no-ask-sig-expire disables this option.
1762
this option is not specified, the expiration time set via
1763
-default-sig-expire is used. -no-ask-sig-expire disables this
1767
The default expiration time to use for signature expiration. Valid
1768
values are "0" for no expiration, a number followed by the letter d
1769
(for days), w (for weeks), m (for months), or y (for years) (for
1770
example "2m" for two months, or "5y" for five years), or an
1771
absolute date in the form YYYY-MM-DD. Defaults to "0".
1666
1773
-ask-cert-expire
1667
1774
-no-ask-cert-expire
1668
1775
When making a key signature, prompt for an expiration time. If this
1669
option is not specified, the expiration time is "never".
1670
-no-ask-cert-expire disables this option.
1776
option is not specified, the expiration time set via
1777
-default-cert-expire is used. -no-ask-cert-expire disables this
1780
-default-cert-expire
1781
The default expiration time to use for key signature expiration.
1782
Valid values are "0" for no expiration, a number followed by the
1783
letter d (for days), w (for weeks), m (for months), or y (for
1784
years) (for example "2m" for two months, or "5y" for five years),
1785
or an absolute date in the form YYYY-MM-DD. Defaults to "0".
added
removed
doc/gpg.info
