1
1
<!-- gpg.sgml - the man page for GnuPG
2
Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3
2004, 2005 Free Software Foundation, Inc.
2
Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
3
2005 Free Software Foundation, Inc.
5
5
This file is part of GnuPG.
17
17
You should have received a copy of the GNU General Public License
18
18
along with this program; if not, write to the Free Software
19
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21
22
<!-- This file should be processed by docbook-to-man to
22
23
create a manual page. This program has currently the bug
542
543
<term>toggle</term>
544
545
Toggle between public and secret key listing.</para></listitem></varlistentry>
550
Cleans keys by removing unusable pieces. This command can be used to
551
keep keys neat and clean, and it has no effect aside from that.
558
Remove any signatures that are not usable by the trust calculations.
559
For example, this removes any signature that does not validate. It
560
also removes any signature that is superceded by a later signature, or
561
signatures that were revoked.
562
</para></listitem></varlistentry>
567
Compact (by removing all signatures except the selfsig) any user ID
568
that is no longer usable (e.g. revoked, or expired).
569
</para></listitem></varlistentry>
573
If invoked with no arguments, both `sigs' and `uids' are cleaned.
574
</para></listitem></varlistentry>
546
577
<term>save</term>
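Review bot: "superceded" on new line 560 is misspelled and should read "superseded". New line 551 says the command "has no effect aside from that", but 558-561 describe signatures being removed from the key, so the entry would be clearer if it said the removed signatures are ones the trust calculations already ignore.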
572
603
</listitem></varlistentry>
607
<term>--card-edit</term>
609
Present a menu to work with a smartcard. The subcommand "help" provides
610
an overview on available commands. For a detailed description, please
611
see the Card HOWTO at
612
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
613
</para></listitem></varlistentry>
616
<term>--card-status</term>
618
Show the content of the smart card.
619
</para></listitem></varlistentry>
622
<term>--change-pin</term>
624
Present a menu to allow changing the PIN of a smartcard. This
625
functionality is also available as the subcommand "passwd" with the
627
</para></listitem></varlistentry>
575
631
<term>--sign-key &ParmName;</term>
577
633
Signs a public key with your secret key. This is a shortcut version of
578
the subcommand "sign" from --edit.
634
the subcommand "sign" from --edit.
579
635
</para></listitem></varlistentry>
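Review bot: New line 618 writes "smart card" while 609 and 624 in the same hunk write "smartcard"; pick one spelling so a search of the man page finds all three entries. Old 578 and new 634 show identical text, so that pair looks like a whitespace-only change that could be dropped from this patch.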
897
952
<term>-R, --hidden-recipient &ParmName;</term>
900
Encrypt for user id &ParmName;, but hide the keyid of the key. This
901
option hides the receiver of the message and is a countermeasure
902
against traffic analysis. If this option or --recipient is not
903
specified, GnuPG asks for the user-id unless --default-recipient is
954
Encrypt for user ID &ParmName;, but hide the key ID of this user's
955
key. This option helps to hide the receiver of the message and is a
956
limited countermeasure against traffic analysis. If this option or
957
--recipient is not specified, GnuPG asks for the user ID unless
958
--default-recipient is given.
905
959
</para></listitem></varlistentry>
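Review bot: The rewritten -R paragraph (new 954-958) leaves out the receiver-side cost that new 2193-2194 documents for --throw-keyids, even though 2195-2196 describes the two options as essentially the same. Add a sentence here that decryption may be slower because all available secret keys must be tried, or point the reader to the --throw-keyids entry.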
1113
1166
<term>--min-cert-level</term>
1114
1167
<listitem><para>
1115
When building the trust database, disregard any signatures with a
1116
certification level below this. Defaults to 2, which disregards level
1117
1 signatures. Note that level 0 "no particular claim" signatures are
1168
When building the trust database, treat any signatures with a
1169
certification level below this as invalid. Defaults to 2, which
1170
disregards level 1 signatures. Note that level 0 "no particular
1171
claim" signatures are always accepted.
1119
1172
</para></listitem></varlistentry>
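Review bot: New lines 1168-1169 say signatures below the given level are treated "as invalid", but 1170 still says the default "disregards" level 1 signatures, and 1170-1171 then says level 0 signatures are always accepted although 0 is below any positive threshold. Use one term throughout and state the exception up front, for example "treat any signatures with a certification level below this, other than level 0, as invalid".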
1341
1394
any new keys to be imported. Defaults to no.
1342
1395
</para></listitem></varlistentry>
1398
<term>import-clean-sigs</term>
1400
After import, remove any signatures from the new key that are not
1401
usable. This is the same as running the --edit-key command "clean
1402
sigs" after import. Defaults to no.
1403
</para></listitem></varlistentry>
1406
<term>import-clean-uids</term>
1408
After import, compact (remove all signatures from) any user IDs from
1409
the new key that are not usable. This is the same as running the
1410
--edit-key command "clean uids" after import. Defaults to no.
1411
</para></listitem></varlistentry>
1344
1413
</variablelist>
1345
1414
</para></listitem></varlistentry>
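Review bot: The parenthetical on new line 1408, "compact (remove all signatures from)", does not match the command it refers to: new line 567 defines compacting as removing all signatures except the selfsig. Suggest "remove all signatures except the selfsig from" so a reader does not conclude that the self-signature of a user ID is stripped on import.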
1382
1451
out any signatures that are not self-signatures. Defaults to no.
1383
1452
</para></listitem></varlistentry>
1455
<term>export-clean-sigs</term>
1457
Do not export any signatures that are not usable. This is the same as
1458
running the --edit-key command "clean sigs" before export. Defaults
1460
</para></listitem></varlistentry>
1463
<term>export-clean-uids</term>
1465
Compact (remove all signatures from) user IDs on the key being
1466
exported if the user IDs are not usable. This is the same as running
1467
the --edit-key command "clean uids" before export. Defaults to no.
1468
</para></listitem></varlistentry>
1471
<term>export-reset-subkey-passwd</term>
1473
When using the "--export-secret-subkeys" command, this option resets
1474
the passphrases for all exported subkeys to empty. This is useful
1475
when the exported subkey is to be used on an unattended amchine where
1476
a passphrase won't make sense. Defaults to no.
1477
</para></listitem></varlistentry>
1385
1479
</variablelist>
1386
1480
</para></listitem></varlistentry>
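Review bot: "amchine" on new line 1475 is a typo for "machine". New line 1465 repeats the "remove all signatures from" wording that drops the selfsig exception given at 567. For export-reset-subkey-passwd (1473-1476) the entry should also say outright that the exported file then holds secret subkey material with no passphrase protection, so the reader knows the file itself has to be protected.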
1561
1655
helpers. If not provided, keyserver helpers use the compiled-in
1562
1656
default directory, and photo viewers use the $PATH environment
1658
Note, that on W32 system this value is ignored when searching for
1564
1660
</para></listitem></varlistentry>
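Review bot: New line 1658 introduces "Note, that on W32 system" while new line 1895 in this same patch changes "Note, that" to "Note that"; the comma form is also added at 1741. Suggest "Note that on W32 systems" here and the same fix at 1741 so the patch is consistent with its own cleanup.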
1621
1717
</para></listitem></varlistentry>
1720
<term>--pcsc-driver &ParmFile;</term>
1722
Use &ParmFile; to access the smartcard reader. The current default
1723
is `libpcsclite.so'. Instead of using this option you might also
1724
want to install a symbolic link to the default file name
1725
(e.g. from `libpcsclite.so.1').
1726
</para></listitem></varlistentry>
1729
<term>--ctapi-driver &ParmFile;</term>
1731
Use &ParmFile; to access the smartcard reader. The current default
1732
is `libtowitoko.so'. Note that the use of this interface is
1733
deprecated; it may be removed in future releases.
1734
</para></listitem></varlistentry>
1737
<term>--disable-ccid</term>
1739
Disable the integrated support for CCID compliant readers. This
1740
allows to fall back to one of the other drivers even if the internal
1741
CCID driver can handle the reader. Note, that CCID support is only
1742
available if libusb was available at build time.
1743
</para></listitem></varlistentry>
1746
<term>--reader-port <parameter>number_or_string</parameter></term>
1748
This option may be used to specify the port of the card terminal. A
1749
value of 0 refers to the first serial device; add 32768 to access USB
1750
devices. The default is 32768 (first USB device). PC/SC or CCID
1751
readers might need a string here; run the program in verbose mode to get
1752
a list of available readers. The default is then the first reader
1754
</para></listitem></varlistentry>
1625
1758
<term>--display-charset &ParmName;</term>
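Review bot: New lines 1722-1725 and 1731-1732 do not say how &ParmFile; is located when it is a bare name like the defaults `libpcsclite.so' and `libtowitoko.so'. Since the file is the driver library used to talk to the card reader, state whether an absolute path is accepted and recommend giving one. Separately, "This allows to fall back" on 1739-1740 reads better as "This allows falling back", and 1749-1752 gives two defaults for --reader-port in one paragraph; make clear which default applies to which kind of reader.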
1753
<term>--sk-comments</term>
1754
<term>--no-sk-comments</term>
1756
Include secret key comment packets when exporting secret keys. This
1757
is a GnuPG extension to the OpenPGP standard, and is off by default.
1758
Please note that this has nothing to do with the comments in clear
1759
text signatures or armor headers. --no-sk-comments disables this
1761
</para></listitem></varlistentry>
1765
1886
<term>--comment &ParmString;</term>
1766
1887
<term>--no-comments</term>
1767
1888
<listitem><para>
1771
1892
to get multiple comment strings. --no-comments removes all comments.
1772
1893
It is a good idea to keep the length of a single comment below 60
1773
1894
characters to avoid problems with mail programs wrapping such lines.
1774
Note, that those comment lines, like all other header lines, are not
1895
Note that comment lines, like all other header lines, are not
1775
1896
protected by the signature.
1776
1897
</para></listitem></varlistentry>
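Review bot: The --sk-comments / --no-sk-comments entry (old 1753-1761) is removed with nothing in its place. If gpg still accepts these options, users who have them in a configuration file lose the only description of what they do; keep a one-line entry marking them obsolete, or state in the commit message that the options themselves are gone. The wording fix at 1895 is fine.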
1790
1911
<term>--cert-notation &ParmNameValue;</term>
1791
1912
<term>-N, --set-notation &ParmNameValue;</term>
1792
1913
<listitem><para>
1793
1915
Put the name value pair into the signature as notation data.
1794
1916
&ParmName; must consist only of printable characters or spaces, and
1795
must contain a '@' character. This is to help prevent pollution of
1796
the IETF reserved notation namespace. The --expert flag overrides the
1797
'@' check. &ParmValue; may be any printable string; it will be
1798
encoded in UTF8, so you should check that your --display-charset is
1799
set correctly. If you prefix &ParmName; with an exclamation mark (!),
1800
the notation data will be flagged as critical (rfc2440:5.2.3.15).
1801
--sig-notation sets a notation for data signatures. --cert-notation
1802
sets a notation for key signatures (certifications). --set-notation
1917
must contain a '@' character in the form keyname@domain.example.com
1918
(substituting the appropriate keyname and domain name, of course).
1919
This is to help prevent pollution of the IETF reserved notation
1920
namespace. The --expert flag overrides the '@' check. &ParmValue;
1921
may be any printable string; it will be encoded in UTF8, so you should
1922
check that your --display-charset is set correctly. If you prefix
1923
&ParmName; with an exclamation mark (!), the notation data will be
1924
flagged as critical (rfc2440:5.2.3.15). --sig-notation sets a
1925
notation for data signatures. --cert-notation sets a notation for key
1926
signatures (certifications). --set-notation sets both.
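Review bot: New lines 1917-1918 read as if the notation name must have the form keyname@domain.example.com, yet 1920 describes what is enforced as "the '@' check". Say explicitly whether only the presence of '@' is checked and the keyname@domain form is a convention, or describe the actual check. "UTF8" on 1921 is normally written "UTF-8".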
2064
2188
<term>--throw-keyids</term>
2065
2189
<term>--no-throw-keyids</term>
2066
2190
<listitem><para>
2067
Do not put the recipient keyid into encrypted packets. This option
2068
hides the receiver of the message and is a countermeasure against
2069
traffic analysis. It may slow down the decryption process because all
2070
available secret keys are tried. --no-throw-keyids disables this
2191
Do not put the recipient key IDs into encrypted messages. This helps
2192
to hide the receivers of the message and is a limited countermeasure
2193
against traffic analysis. On the receiving side, it may slow down the
2194
decryption process because all available secret keys must be tried.
2195
--no-throw-keyids disables this option. This option is essentially
2196
the same as using --hidden-recipient for all recipients.
2072
2197
</para></listitem></varlistentry>
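Review bot: New lines 2192-2193 call this a "limited countermeasure" and 2195-2196 call it "essentially the same" as --hidden-recipient, but neither phrase is explained. State what limits the protection and what, if anything, differs from using --hidden-recipient for every recipient; otherwise drop "essentially".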
2347
2472
</para></listitem></varlistentry>
2475
<term>--exit-on-status-write-error</term>
2477
This option will cause write errors on the status FD to immediately
2478
terminate the process. That should in fact be the default but it
2479
never worked this way and thus we need an option to enable this, so
2480
that the change won't break applications which close their end of a
2481
status fd connected pipe too early. Using this option along with
2482
--enable-progress-filter may be used to cleanly cancel long running
2484
</para></listitem></varlistentry>
2487
<term>--limit-card-insert-tries &ParmN;</term>
2489
With &ParmN; greater than 0 the number of prompts asking to insert a
2490
smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
2491
all ask to insert a card if none has been inserted at startup. This
2492
option is useful in the configuration file in case an application does
2493
not know about the smartcard support and waits ad infinitum for an
2495
</para></listitem></varlistentry>
2350
2498
<term>--no-random-seed-file</term>
2351
2499
<listitem><para>
2352
2500
GnuPG uses a file to store its internal random pool over invocations.
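Review bot: New lines 2478-2481 explain the history of --exit-on-status-write-error ("should in fact be the default but it never worked this way") without stating what gpg does on a status FD write error when the option is absent. A man page reader needs the behaviour in both cases; move the rationale to the changelog. For --limit-card-insert-tries (2489-2491) the N-1 rule is easy to misread: say directly that 1 means no prompt, and state what 0 means, which is only implied by "greater than 0".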
2522
2670
<term>--no-ask-sig-expire</term>
2523
2671
<listitem><para>
2524
2672
When making a data signature, prompt for an expiration time. If this
2525
option is not specified, the expiration time is "never".
2526
--no-ask-sig-expire disables this option.
2673
option is not specified, the expiration time set via
2674
--default-sig-expire is used. --no-ask-sig-expire disables this
2676
</para></listitem></varlistentry>
2679
<term>--default-sig-expire</term>
2681
The default expiration time to use for signature expiration. Valid
2682
values are "0" for no expiration, a number followed by the letter d
2683
(for days), w (for weeks), m (for months), or y (for years) (for
2684
example "2m" for two months, or "5y" for five years), or an absolute
2685
date in the form YYYY-MM-DD. Defaults to "0".
2527
2686
</para></listitem></varlistentry>
2531
2690
<term>--no-ask-cert-expire</term>
2532
2691
<listitem><para>
2533
2692
When making a key signature, prompt for an expiration time. If this
2534
option is not specified, the expiration time is "never".
2535
--no-ask-cert-expire disables this option.
2693
option is not specified, the expiration time set via
2694
--default-cert-expire is used. --no-ask-cert-expire disables this
2696
</para></listitem></varlistentry>
2699
<term>--default-cert-expire</term>
2701
The default expiration time to use for key signature expiration.
2702
Valid values are "0" for no expiration, a number followed by the
2703
letter d (for days), w (for weeks), m (for months), or y (for years)
2704
(for example "2m" for two months, or "5y" for five years), or an
2705
absolute date in the form YYYY-MM-DD. Defaults to "0".
2536
2706
</para></listitem></varlistentry>
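Review bot: The term lines added at new 2679 and 2699 show --default-sig-expire and --default-cert-expire without an argument, although 2681-2685 and 2701-2705 list the values they take; other entries in this patch, such as --limit-card-insert-tries &ParmN; at 2487, show the parameter in the term. Add a parameter entity to both terms. The value syntax is also duplicated word for word in the two entries, so the second could refer to the first.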