This is gnupg1.info, produced by makeinfo version 4.8 from gnupg1.texi.

This is the `The GNU Privacy Guard Manual' (1.4.6, 4 December 2006).

Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004, 2005, 2006 Free
Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version. The text of the
license can be found in the section entitled "Copying".

INFO-DIR-SECTION GNU Utilities

* gpg: (gpg). OpenPGP encryption and signing tool (v1).

File: gnupg1.info, Node: Top, Next: Invoking GPG, Up: (dir)

Using the GnuPG Version 1.4
***************************
This manual documents how to use the standalone version of GNU Privacy

* Invoking GPG:: Using the classic GPG protocol.
* Specify a User ID:: How to Specify a User Id.

* Copying:: GNU General Public License says
how you can copy and share GnuPG
* Option Index:: Index to command line options.
* Index:: Index of concepts and symbol names.

File: gnupg1.info, Node: Invoking GPG, Next: Specify a User ID, Prev: Top, Up: Top

`gpg' is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a
tool to provide digital encryption and signing services using the
OpenPGP standard. `gpg' features complete key management and all bells
and whistles you can expect from a decent OpenPGP implementation.

This is the standalone version of `gpg'. For desktop use you should
consider using `gpg2'.

*Note Option Index::, for an index to `gpg''s commands and options.

* GPG Commands:: List of all commands.
* GPG Options:: List of all options.
* GPG Configuration:: Configuration files.
* GPG Examples:: Some usage examples.

Developer information:

File: gnupg1.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG

Commands are not distinguished from options except for the fact that
only one command is allowed.

`gpg' may be run with no commands, in which case it will perform a
reasonable action depending on the type of file it is given as input
(an encrypted message is decrypted, a signature is verified, a file
containing keys is listed).

Please remember that option as well as command parsing stops as soon
as a non-option is encountered; you can explicitly stop parsing by
using the special option `--'.

* General GPG Commands:: Commands not specific to the functionality.
* Operational GPG Commands:: Commands to select the type of operation.
* OpenPGP Key Management:: How to manage your keys.

File: gnupg1.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands

1.1.1 Commands not specific to the function
-------------------------------------------

Print the program version and licensing information. Note that you
cannot abbreviate this command.

Print a usage message summarizing the most useful command line
options. Note that you cannot abbreviate this command.

Print warranty information.

Print a list of all available options and commands. Note that you
cannot abbreviate this command.

File: gnupg1.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands

1.1.2 Commands to select the type of operation
----------------------------------------------

Make a signature. This command may be combined with `--encrypt'
(for a signed and encrypted message), `--symmetric' (for a signed
and symmetrically encrypted message), or `--encrypt' and
`--symmetric' together (for a signed message that may be decrypted
via a secret key or a passphrase).

Make a clear text signature. The content in a clear text signature
is readable without any special software. OpenPGP software is only
needed to verify the signature. Clear text signatures may modify
end-of-line whitespace for platform independence and are not
intended to be reversible.

Make a detached signature.

Encrypt data. This option may be combined with `--sign' (for a
signed and encrypted message), `--symmetric' (for a message that
may be decrypted via a secret key or a passphrase), or `--sign'
and `--symmetric' together (for a signed message that may be
decrypted via a secret key or a passphrase).

Encrypt with a symmetric cipher using a passphrase. The default
symmetric cipher used is CAST5, but may be chosen with the
`--cipher-algo' option. This option may be combined with `--sign'
(for a signed and symmetrically encrypted message), `--encrypt'
(for a message that may be decrypted via a secret key or a
passphrase), or `--sign' and `--encrypt' together (for a signed
message that may be decrypted via a secret key or a passphrase).

Store only (make a simple RFC1991 literal data packet).

Decrypt the file given on the command line (or `stdin' if no file
is specified) and write it to stdout (or the file specified with
`--output'). If the decrypted file is signed, the signature is also
verified. This command differs from the default operation, as it
never writes to the filename which is included in the file and it
rejects files which don't begin with an encrypted message.

Assume that the first argument is a signed file or a detached
signature and verify it without generating any output. With no
arguments, the signature packet is read from stdin. If only a
sigfile is given, it may be a complete signature or a detached
signature, in which case the signed stuff is expected in a file
without the ".sig" or ".asc" extension. With more than 1
argument, the first should be a detached signature and the
remaining files are the signed stuff. To read the signed stuff
from stdin, use `-' as the second filename. For security reasons
a detached signature cannot read the signed material from stdin
without denoting it in the above way.

This modifies certain other commands to accept multiple files for
processing on the command line or read from stdin with each
filename on a separate line. This allows for many files to be
processed at once. `--multifile' may currently be used along with
`--verify', `--encrypt', and `--decrypt'. Note that `--multifile
--verify' may not be used with detached signatures.

Identical to `--multifile --verify'.

Identical to `--multifile --encrypt'.

Identical to `--multifile --decrypt'.

List all keys from the public keyrings, or just the keys given on
the command line. `-k' is slightly different from `--list-keys'
in that it allows only for one argument and takes the second
argument as the keyring to search. This is for command line
compatibility with PGP 2 and has been removed in `gpg2'.

Avoid using the output of this command in scripts or other
programs as it is likely to change as GnuPG changes. See
`--with-colons' for a machine-parseable key listing command that
is appropriate for use in scripts and other programs.

List all keys from the secret keyrings, or just the ones given on
the command line. A `#' after the letters `sec' means that the
secret key is not usable (for example, if it was created via
`--export-secret-subkeys').

Same as `--list-keys', but the signatures are listed too.

For each signature listed, there are several flags in between the
"sig" tag and keyid. These flags give additional information about
each signature. From left to right, they are the numbers 1-3 for
certificate check level (see `--ask-cert-level'), "L" for a local
or non-exportable signature (see `--lsign-key'), "R" for a
nonRevocable signature (see the `--edit-key' command "nrsign"),
"P" for a signature that contains a policy URL (see
`--cert-policy-url'), "N" for a signature that contains a notation
(see `--cert-notation'), "X" for an eXpired signature (see
`--ask-cert-expire'), and the numbers 1-9 or "T" for 10 and above
to indicate trust signature levels (see the `--edit-key' command

Same as `--list-sigs', but the signatures are verified.

List all keys (or the specified ones) along with their
fingerprints. This is the same output as `--list-keys' but with
the additional output of a line with the fingerprint. May also be
combined with `--list-sigs' or `--check-sigs'. If this command is
given twice, the fingerprints of all secondary keys are listed too.

List only the sequence of packets. This is mainly useful for

Present a menu to work with a smartcard. The subcommand "help"
provides an overview on available commands. For a detailed
description, please see the Card HOWTO at
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

Show the content of the smart card.

Present a menu to allow changing the PIN of a smartcard. This
functionality is also available as the subcommand "passwd" with the
`--card-edit' command.

`--delete-key `name''
Remove key from the public keyring. In batch mode either `--yes' is
required or the key must be specified by fingerprint. This is a
safeguard against accidental deletion of multiple keys.

`--delete-secret-key `name''
Remove key from the secret and public keyring. In batch mode the
key must be specified by fingerprint.

`--delete-secret-and-public-key `name''
Same as `--delete-key', but if a secret key exists, it will be
removed first. In batch mode the key must be specified by

Either export all keys from all keyrings (default keyrings and
those registered via option `--keyring'), or if at least one name
is given, those of the given name. The new keyring is written to
stdout or to the file given with option `--output'. Use together
with `--armor' to mail those keys.

`--send-keys `key IDs''
Similar to `--export' but sends the keys to a keyserver.
Fingerprints may be used instead of key IDs. Option `--keyserver'
must be used to give the name of this keyserver. Don't send your
complete keyring to a keyserver -- select only those keys which
are new or changed by you.

`--export-secret-keys'
`--export-secret-subkeys'
Same as `--export', but exports the secret keys instead. This is
normally not very useful and a security risk. The second form of
the command has the special property to render the secret part of
the primary key useless; this is a GNU extension to OpenPGP and
other implementations can not be expected to successfully import
such a key. See the option `--simple-sk-checksum' if you want to
import such an exported key with an older OpenPGP implementation.

Import/merge keys. This adds the given keys to the keyring. The
fast version is currently just a synonym.

There are a few other options which control how this command works.
Most notable here is the `--keyserver-options merge-only' option
which does not insert new keys but does only the merging of new
signatures, user-IDs and subkeys.

`--recv-keys `key IDs''
Import the keys with the given key IDs from a keyserver. Option
`--keyserver' must be used to give the name of this keyserver.

Request updates from a keyserver for keys that already exist on the
local keyring. This is useful for updating a key with the latest
signatures, user IDs, etc. Calling this with no arguments will
refresh the entire keyring. Option `--keyserver' must be used to
give the name of the keyserver for all keys that do not have
preferred keyservers set (see `--keyserver-options
honor-keyserver-url').

`--search-keys `names''
Search the keyserver for the given names. Multiple names given
here will be joined together to create the search string for the
keyserver. Option `--keyserver' must be used to give the name of
this keyserver. Keyservers that support different search methods
allow using the syntax specified in "How to specify a user ID"
below. Note that different keyserver types support different
search methods. Currently only LDAP supports them all.

`--fetch-keys `URIs''
Retrieve keys located at the specified URIs. Note that different
installations of GnuPG may support different protocols (HTTP, FTP,

Do trust database maintenance. This command iterates over all keys
and builds the Web of Trust. This is an interactive command
because it may have to ask for the "ownertrust" values for keys.
The user has to give an estimation of how far she trusts the owner
of the displayed key to correctly certify (sign) other keys. GnuPG
only asks for the ownertrust value if it has not yet been assigned
to a key. Using the `--edit-key' menu, the assigned value can be

Do trust database maintenance without user interaction. From time
to time the trust database must be updated so that expired keys or
signatures and the resulting changes in the Web of Trust can be
tracked. Normally, GnuPG will calculate when this is required and
do it automatically unless `--no-auto-check-trustdb' is set. This
command can be used to force a trust database check at any time.
The processing is identical to that of `--update-trustdb' but it
skips keys with a not yet defined "ownertrust".

For use with cron jobs, this command can be used together with
`--batch' in which case the trust database check is done only if a
check is needed. To force a run even in batch mode add the option

`--export-ownertrust'
Send the ownertrust values to stdout. This is useful for backup
purposes as these values are the only ones which can't be
re-created from a corrupted trust DB.

`--import-ownertrust'
Update the trustdb with the ownertrust values stored in `files' (or
stdin if not given); existing values will be overwritten.

`--rebuild-keydb-caches'
When updating from version 1.0.6 to 1.0.7 this command should be
used to create signature caches in the keyring. It might be handy
in other situations too.

Print message digest of algorithm ALGO for all given files or
stdin. With the second form (or a deprecated "*" as algo) digests
for all available algorithms are printed.

`--gen-random `0|1|2''
Emit COUNT random bytes of the given quality level. If count is
not given or zero, an endless sequence of random bytes will be
emitted. PLEASE, don't use this command unless you know what you
are doing; it may remove precious entropy from the system!

`--gen-prime `mode' `bits''
Use the source, Luke :-). The output format is still subject to

Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very

File: gnupg1.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands

1.1.3 How to manage your keys
-----------------------------

This section explains the main commands for key management.

Generate a new key pair. This command is normally only used

There is an experimental feature which allows you to create keys in
batch mode. See the file `doc/DETAILS' in the source distribution

`--gen-revoke `name''
Generate a revocation certificate for the complete key. To revoke
a subkey or a signature, use the `--edit' command.

`--desig-revoke `name''
Generate a designated revocation certificate for a key. This
allows a user (with the permission of the keyholder) to revoke

Present a menu which enables you to do most of the key management
related tasks. It expects the specification of a key on the

Make a signature on key of user `name'. If the key is not yet
signed by the default user (or the users given with -u), the
program displays the information of the key again, together
with its fingerprint and asks whether it should be signed.
This question is repeated for all users specified with -u.

Same as "sign" but the signature is marked as non-exportable
and will therefore never be used by others. This may be used
to make keys valid only in the local environment.

Same as "sign" but the signature is marked as non-revocable
and can therefore never be revoked.

Make a trust signature. This is a signature that combines the
notions of certification (like a regular signature), and
trust (like the "trust" command). It is generally only useful
in distinct communities or groups.

Note that "l" (for local / non-exportable), "nr" (for
non-revocable), and "t" (for trust) may be freely mixed and
prefixed to "sign" to create a signature of any type desired.

Revoke a signature. For every signature which has been
generated by one of the secret keys, GnuPG asks whether a
revocation certificate should be generated.

Change the owner trust value. This updates the trust-db
immediately and no save is required.

Disable or enable an entire key. A disabled key can not
normally be used for encryption.

Create an alternate user id.

Create a photographic user id. This will prompt for a JPEG
file that will be embedded into the user ID. Note that a very
large JPEG will make for a very large key. Also note that
some programs will display your JPEG unchanged (GnuPG), and
some programs will scale it to fit in a dialog box (PGP).

Delete a user id. Note that it is not possible to retract a
user id, once it has been sent to the public (i.e. to a
keyserver). In that case you had better use `revuid'.

Delete a signature. Note that it is not possible to retract a
signature, once it has been sent to the public (i.e. to a
keyserver). In that case you had better use `revsig'.

Add a subkey to this key.

Generate a key on a card and add it to this key.

Transfer the selected secret key (or the primary key if no
key has been selected) to a smartcard. The secret key in the
keyring will be replaced by a stub if the key could be stored
successfully on the card and you use the save command later.
Only certain key types may be transferred to the card. A sub
menu allows you to select on what card to store the key. Note
that it is not possible to get that key back from the card -
if the card gets broken your secret key will be lost unless
you have a backup somewhere.

Restore the given file to a card. This command may be used to
restore a backup key (as generated during card
initialization) to a new card. In almost all cases this will
be the encryption key. You should use this command only with
the corresponding public key and make sure that the file
given as argument is indeed the backup to restore. You should
then select 2 to restore as encryption key. You will first
be asked to enter the passphrase of the backup key and then
for the Admin PIN of the card.

Remove a subkey (secondary key). Note that it is not possible
to retract a subkey, once it has been sent to the public
(i.e. to a keyserver). In that case you had better use `revkey'.

Add a designated revoker. This takes one optional argument:
"sensitive". If a designated revoker is marked as sensitive,
it will not be exported by default (see export-options).

Change the key expiration time. If a subkey is selected, the
expiration time of this subkey will be changed. With no
selection, the key expiration of the primary key is changed.

Change the passphrase of the secret key.

Flag the current user id as the primary one, removes the
primary user id flag from all other user ids and sets the
timestamp of all affected self-signatures one second ahead.
Note that setting a photo user ID as primary makes it primary
over other photo user IDs, and setting a regular user ID as
primary makes it primary over other regular user IDs.

Toggle selection of user id with index `n'. Use 0 to

Toggle selection of subkey with index `n'. Use 0 to deselect

Check all selected user ids.

Display the selected photographic user id.

List preferences from the selected user ID. This shows the
actual preferences, without including any implied preferences.

More verbose preferences listing for the selected user ID.
This shows the preferences in effect by including the implied
preferences of 3DES (cipher), SHA-1 (digest), and
Uncompressed (compression) if they are not already included
in the preference list. In addition, the preferred keyserver
and signature notations (if any) are shown.

Set the list of user ID preferences to `string' for all (or
just the selected) user IDs. Calling setpref with no
arguments sets the preference list to the default (either
built-in or set via `--default-preference-list'), and calling
setpref with "none" as the argument sets an empty preference
list. Use `gpg --version' to get a list of available
algorithms. Note that while you can change the preferences on
an attribute user ID (aka "photo ID"), GnuPG does not select
keys via attribute user IDs so these preferences will not be

Set a preferred keyserver for the specified user ID(s). This
allows other users to know where you prefer they get your key
from. See `--keyserver-options honor-keyserver-url' for more
on how this works. Setting a value of "none" removes an
existing preferred keyserver.

Set a name=value notation for the specified user ID(s). See
`--cert-notation' for more on how this works. Setting a value
of "none" removes all notations, setting a notation prefixed
with a minus sign (-) removes that notation, and setting a
notation name (without the =value) prefixed with a minus sign
removes all notations with that name.

Toggle between public and secret key listing.

Compact (by removing all signatures except the selfsig) any
user ID that is no longer usable (e.g. revoked, or expired).
Then, remove any signatures that are not usable by the trust
calculations. Specifically, this removes any signature that
does not validate, any signature that is superseded by a
later signature, revoked signatures, and signatures issued by
keys that are not present on the keyring.

Make the key as small as possible. This removes all
signatures from each user ID except for the most recent

Add cross-certification signatures to signing subkeys that
may not currently have them. Cross-certification signatures
protect against a subtle attack against signing subkeys. See
`--require-cross-certification'.

Save all changes to the key rings and quit.

Quit the program without updating the key rings.

The listing shows you the key with its secondary keys and all user
ids. Selected keys or user ids are indicated by an asterisk. The
trust value is displayed with the primary key: the first is the
assigned owner trust and the second is the calculated trust value.
Letters are used for the values:

No ownertrust assigned / not yet calculated.

Trust calculation has failed; probably due to an expired key.

Not enough information for calculation.

Never trust this key.

Signs a public key with your secret key. This is a shortcut
version of the subcommand "sign" from `--edit'.

Signs a public key with your secret key but marks it as
non-exportable. This is a shortcut version of the subcommand
"lsign" from `--edit-key'.

File: gnupg1.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG

`gpg' features a bunch of options to control the exact behaviour
and to change the default configuration.

* GPG Configuration Options:: How to change the configuration.
* GPG Key related Options:: Key related options.
* GPG Input and Output:: Input and Output.
* OpenPGP Options:: OpenPGP protocol specific options.
* GPG Esoteric Options:: Doing things one usually doesn't want to do.

Long options can be put in an options file (default
"~/.gnupg/gpg.conf"). Short option names will not work - for example,
"armor" is a valid option for the options file, while "a" is not. Do not
write the 2 dashes, but simply the name of the option and any required
arguments. Lines with a hash ('#') as the first non-white-space
character are ignored. Commands may be put in this file too, but that is
not generally useful as the command will execute automatically with
every execution of gpg.
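
The options-file rules above can be checked mechanically. The following linter is an added example, not part of the GnuPG manual or of GnuPG itself; the name `lint_gpg_conf', the finding codes, the constructed sample file and the (non-exhaustive) `COMMANDS' subset are assumptions made for illustration.

```python
"""Lint a gpg.conf-style options file against the rules stated above.

Added illustration, not GnuPG code. lint_gpg_conf, the finding codes and
SAMPLE_CONF are hypothetical names introduced for this example.
"""

# Subset of gpg 1.4 command names (not exhaustive). A command placed in the
# options file executes automatically with every execution of gpg.
COMMANDS = frozenset({
    "sign", "clearsign", "detach-sign", "encrypt", "symmetric", "store",
    "decrypt", "verify", "list-keys", "list-secret-keys", "list-sigs",
    "check-sigs", "fingerprint", "delete-key", "delete-secret-key",
    "export", "send-keys", "export-secret-keys", "import", "recv-keys",
    "refresh-keys", "search-keys", "fetch-keys", "update-trustdb",
    "check-trustdb", "gen-key", "gen-revoke", "edit-key", "sign-key",
    "lsign-key",
})

# Constructed sample input; the keyserver host and key ID are placeholders.
SAMPLE_CONF = """\
# constructed sample options file
armor
a
--keyserver hkp://keys.example.org
default-key 0x0123456789ABCDEF
    # indented comment, also ignored
list-keys
-q
"""


def lint_gpg_conf(text):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines and lines whose first non-white-space character is
        # a hash carry no option.
        if not line or line.startswith("#"):
            continue
        name = line.split(None, 1)[0]
        if name.startswith("-"):
            # The manual says to write only the option name, no dashes.
            findings.append((lineno, "leading-dash",
                             "write %r without the leading dashes" % name))
            name = name.lstrip("-")
        if len(name) == 1:
            # Short option names will not work in the options file.
            findings.append((lineno, "short-option",
                             "use the long option name instead of %r" % name))
        elif name in COMMANDS:
            findings.append((lineno, "command",
                             "%r is a command and would run on every "
                             "execution of gpg" % name))
    return findings


if __name__ == "__main__":
    for lineno, code, message in lint_gpg_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, code, message))
```
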

Please remember that option parsing stops as soon as a non-option is
encountered; you can explicitly stop parsing by using the special option

File: gnupg1.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options

1.2.1 How to change the configuration
-------------------------------------

These options are used to change the configuration and are usually found

Use NAME as the default key to sign with. If this option is not
used, the default key is the first key found in the secret keyring.
Note that `-u' or `--local-user' overrides this option.

`--default-recipient NAME'
Use NAME as default recipient if option `--recipient' is not used
and don't ask if this is a valid one. NAME must be non-empty.

`--default-recipient-self'
Use the default key as default recipient if option `--recipient'
is not used and don't ask if this is a valid one. The default key
is the first one from the secret keyring or the one set with

`--no-default-recipient'
Reset `--default-recipient' and `--default-recipient-self'.

Give more information during processing. If used twice, the input
data is listed in detail.

Reset verbose level to 0.

Try to be as quiet as possible.

`--list-options `parameters''
This is a space or comma delimited string that gives options used
when listing keys and signatures (that is, `--list-keys',
`--list-sigs', `--list-public-keys', `--list-secret-keys', and the
`--edit-key' functions). Options can be prepended with a `no-'
(after the two dashes) to give the opposite meaning. The options

Causes `--list-keys', `--list-sigs', `--list-public-keys',
and `--list-secret-keys' to display any photo IDs attached to
the key. Defaults to no. See also `--photo-viewer'.

Show policy URLs in the `--list-sigs' or `--check-sigs'
listings. Defaults to no.

Show all, IETF standard, or user-defined signature notations
in the `--list-sigs' or `--check-sigs' listings. Defaults to

Show any preferred keyserver URL in the `--list-sigs' or
`--check-sigs' listings. Defaults to no.

Display the calculated validity of user IDs during key
listings. Defaults to no.

Show revoked and expired user IDs in key listings. Defaults

show-unusable-subkeys
Show revoked and expired subkeys in key listings. Defaults to

Display the keyring name at the head of key listings to show
which keyring a given key resides on. Defaults to no.

Show signature expiration dates (if any) during `--list-sigs'
or `--check-sigs' listings. Defaults to no.

Include signature subpackets in the key listing. This option
can take an optional argument list of the subpackets to list.
If no argument is passed, list all subpackets. Defaults to
no. This option is only meaningful when using `--with-colons'
along with `--list-sigs' or `--check-sigs'.

`--verify-options `parameters''
This is a space or comma delimited string that gives options used
when verifying signatures. Options can be prepended with a `no-'
to give the opposite meaning. The options are:

Display any photo IDs present on the key that issued the
signature. Defaults to no. See also `--photo-viewer'.

Show policy URLs in the signature being verified. Defaults to

Show all, IETF standard, or user-defined signature notations
in the signature being verified. Defaults to IETF standard.

Show any preferred keyserver URL in the signature being
verified. Defaults to no.

Display the calculated validity of the user IDs on the key
that issued the signature. Defaults to no.

Show revoked and expired user IDs during signature
verification. Defaults to no.

Enable PKA lookups to verify sender addresses. Note that PKA
is based on DNS, and so enabling this option may disclose
information on when and what signatures are verified or to
whom data is encrypted. This is similar to the "web bug"
described for the auto-key-retrieve feature.

Raise the trust in a signature to full if the signature
passes PKA validation. This option is only meaningful if

Enables new-style DSA keys which (unlike the old style) may be
larger than 1024 bit and use hashes other than SHA-1 and
RIPEMD/160. Note that very few programs currently support these
keys and signatures from them.

`--photo-viewer `string''
This is the command line that should be run to view a photo ID.
"%i" will be expanded to a filename containing the photo. "%I"
does the same, except the file will not be deleted once the viewer
exits. Other flags are "%k" for the key ID, "%K" for the long key
ID, "%f" for the key fingerprint, "%t" for the extension of the
image type (e.g. "jpg"), "%T" for the MIME type of the image (e.g.
"image/jpeg"), and "%%" for an actual percent sign. If neither %i
nor %I is present, then the photo will be supplied to the viewer

The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
stdin". Note that if your image viewer program is not secure, then
executing it from GnuPG does not make it secure.

`--exec-path `string''
Sets a list of directories to search for photo viewers and
keyserver helpers. If not provided, keyserver helpers use the
compiled-in default directory, and photo viewers use the $PATH
environment variable. Note that on W32 systems this value is
ignored when searching for keyserver helpers.

Add `file' to the current list of keyrings. If `file' begins with
a tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the
GnuPG home directory ("~/.gnupg" if `--homedir' or $GNUPGHOME is

Note that this adds a keyring to the current list. If the intent
is to use the specified keyring alone, use `--keyring' along with
`--no-default-keyring'.
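
An added example (not from the GnuPG manual or source) that assembles a `--verify' command line for a detached signature checked against one pinned keyring. It applies three rules from this manual: `--' ends option parsing, signed data on stdin must be named explicitly as `-', and a keyring name without a slash is looked up in the GnuPG home directory. The helper names `local_path' and `build_verify_argv' are assumptions, POSIX path separators are assumed, and the returned list is meant to be executed without a shell (for example with subprocess.run).

```python
"""Build a gpg --verify argument vector from untrusted file names.

Added illustration, not GnuPG code; local_path and build_verify_argv are
hypothetical helper names. Nothing is executed here.
"""


def local_path(name):
    """Make a relative file name unambiguous for gpg.

    A name starting with '-' could be read as an option or as the stdin
    marker, and a keyring name without a slash is resolved in the GnuPG
    home directory. Prefixing './' pins both to the working directory.
    """
    if not name:
        raise ValueError("empty file name")
    if name.startswith("-") or "/" not in name:
        return "./" + name
    return name


def build_verify_argv(keyring, signature, signed_files=(), data_on_stdin=False):
    """Return the argv for verifying a detached signature.

    keyring       -- the only public keyring gpg should consult
    signature     -- file holding the detached signature
    signed_files  -- files holding the signed material
    data_on_stdin -- read the signed material from stdin instead
    """
    signed_files = list(signed_files)
    if data_on_stdin and signed_files:
        raise ValueError("give signed files or stdin, not both")
    if not data_on_stdin and not signed_files:
        # With only a sigfile gpg derives the data file from the name
        # (minus ".sig" or ".asc"); this helper requires it to be stated.
        raise ValueError("name the signed material explicitly")

    argv = [
        "gpg", "--batch",
        # Use the specified keyring alone, not in addition to the defaults.
        "--no-default-keyring", "--keyring", local_path(keyring),
        # "--" stops option parsing before any caller-supplied name.
        "--verify", "--", local_path(signature),
    ]
    if data_on_stdin:
        # The only way a detached signature reads its data from stdin.
        argv.append("-")
    else:
        argv.extend(local_path(name) for name in signed_files)
    return argv


if __name__ == "__main__":
    # Constructed file names, including two hostile-looking ones.
    print(build_verify_argv("trusted.gpg", "-rf.sig", ["-", "doc.txt"]))
```
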
883
`--secret-keyring `file''
884
Same as `--keyring' but for the secret keyrings.
886
`--primary-keyring `file''
887
Designate `file' as the primary public keyring. This means that
888
newly imported keys (via `--import' or keyserver `--recv-from')
889
will go to this keyring.

`--trustdb-name `file''
Use `file' instead of the default trustdb. If `file' begins with a
tilde and a slash, these are replaced by the $HOME directory. If
the filename does not contain a slash, it is assumed to be in the
GnuPG home directory (`~/.gnupg' if `--homedir' or $GNUPGHOME is

Set the name of the home directory to DIR. If this option is not
used, the home directory defaults to `~/.gnupg'. It is only
recognized when given on the command line. It also overrides any
home directory stated through the environment variable `GNUPGHOME'
or (on W32 systems) by means of the Registry entry
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.

`--pcsc-driver `file''
Use `file' to access the smartcard reader. The current default is
`libpcsclite.so.1' for GLIBC based systems,
`/System/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X,
`winscard.dll' for Windows and `libpcsclite.so' for other systems.

Disable the integrated support for CCID compliant readers. This
allows falling back to one of the other drivers even if the
internal CCID driver can handle the reader. Note that CCID
support is only available if libusb was available at build time.

`--reader-port `number_or_string''
This option may be used to specify the port of the card terminal. A
value of 0 refers to the first serial device; add 32768 to access
USB devices. The default is 32768 (first USB device). PC/SC or CCID
readers might need a string here; run the program in verbose mode
to get a list of available readers. The default is then the first

`--display-charset `name''
Set the name of the native character set. This is used to convert
some informational strings like user IDs to the proper UTF-8
encoding. Note that this has nothing to do with the character set
of data to be encrypted or signed; GnuPG does not recode user
supplied data. If this option is not used, the default character
set is determined from the current locale. A verbosity level of 3
shows the chosen set. Valid values for `name' are:

This is the Latin 1 set.

This is currently an alias for the Latin 1 set.

The usual Russian set (rfc1489).

Bypass all translations and assume that the OS uses native

Assume that command line arguments are given as UTF8 strings. The
default (`--no-utf8-strings') is to assume that arguments are
encoded in the character set as specified by `--display-charset'.
These options affect all following arguments. Both options may be

Read options from `file' and do not try to read them from the
default options file in the homedir (see `--homedir'). This option
is ignored if used in an options file.

Shortcut for `--options /dev/null'. This option is detected before
an attempt to open an option file. Using this option will also
prevent the creation of a `~/.gnupg' homedir.

`--compress-level `n''
`--bzip2-compress-level `n''
Set compression level to `n' for the ZIP and ZLIB compression
algorithms. The default is to use the default compression level of
zlib (normally 6). `--bzip2-compress-level' sets the compression
level for the BZIP2 compression algorithm (defaulting to 6 as
well). This is a different option from `--compress-level' since
BZIP2 uses a significant amount of memory for each additional
compression level. `-z' sets both. A value of 0 for `n' disables

`--bzip2-decompress-lowmem'
Use a different decompression method for BZIP2 compressed files.
This alternate method uses a bit more than half the memory, but
also runs at half the speed. This is useful under extreme low
memory circumstances when the file was originally compressed at a
high `--bzip2-compress-level'.

`--mangle-dos-filenames'
`--no-mangle-dos-filenames'
Older versions of Windows cannot handle filenames with more than one
dot. `--mangle-dos-filenames' causes GnuPG to replace (rather than
add to) the extension of an output filename to avoid this problem.
This option is off by default and has no effect on non-Windows

`--no-ask-cert-level'
When making a key signature, prompt for a certification level. If
this option is not specified, the certification level used is set
via `--default-cert-level'. See `--default-cert-level' for
information on the specific levels and how they are used.
`--no-ask-cert-level' disables this option. This option defaults

`--default-cert-level `n''
The default to use for the check level when signing a key.

0 means you make no particular claim as to how carefully you

1 means you believe the key is owned by the person who claims to
own it but you could not, or did not verify the key at all. This is
useful for a "persona" verification, where you sign the key of a

2 means you did casual verification of the key. For example, this
could mean that you verified the key fingerprint and checked
the user ID on the key against a photo ID.

3 means you did extensive verification of the key. For example,
this could mean that you verified the key fingerprint with the
owner of the key in person, and that you checked, by means of a
hard to forge document with a photo ID (such as a passport) that
the name of the key owner matches the name in the user ID on the
key, and finally that you verified (by exchange of email) that the
email address on the key belongs to the key owner.

Note that the examples given above for levels 2 and 3 are just
that: examples. In the end, it is up to you to decide just what
"casual" and "extensive" mean to you.

This option defaults to 0 (no particular claim).

When building the trust database, treat any signatures with a
certification level below this as invalid. Defaults to 2, which
disregards level 1 signatures. Note that level 0 "no particular
claim" signatures are always accepted.

`--trusted-key `long key ID''
Assume that the specified key (which must be given as a full 8
byte key ID) is as trustworthy as one of your own secret keys.
This option is useful if you don't want to keep your secret keys
(or one of them) online but still want to be able to check the
validity of a given recipient's or signator's key.

`--trust-model `pgp|classic|direct|always|auto''
Set what trust model GnuPG should follow. The models are:

This is the Web of Trust combined with trust signatures as
used in PGP 5.x and later. This is the default trust model
when creating a new trust database.

This is the standard Web of Trust as used in PGP 2.x and

Key validity is set directly by the user and not calculated
via the Web of Trust.

Skip key validation and assume that used keys are always fully
trusted. You generally won't use this unless you are using
some external validation scheme. This option also suppresses
the "[uncertain]" tag printed with signature checks when
there is no evidence that the user ID is bound to the key.

Select the trust model depending on whatever the internal
trust database says. This is the default model if such a
database already exists.

`--auto-key-locate `parameters''
`--no-auto-key-locate'
GnuPG can automatically locate and retrieve keys as needed using
this option. This happens when encrypting to an email address (in
the "user@example.com" form), and there are no user@example.com
keys on the local keyring. This option takes any number of the
following arguments, in the order they are to be tried:

locate a key using DNS CERT, as specified in 2538bis
(currently in draft): http://www.josefsson.org/rfc2538bis/

locate a key using DNS PKA.

locate a key using the PGP Universal method of checking
"ldap://keys.(thedomain)".

locate a key using whatever keyserver is defined using the
`--keyserver' option.

In addition, a keyserver URL as used in the `--keyserver'
option may be used here to query that particular keyserver.

`--keyid-format `short|0xshort|long|0xlong''
Select how to display key IDs. "short" is the traditional
8-character key ID. "long" is the more accurate (but less
convenient) 16-character key ID. Add an "0x" to either to include
an "0x" at the beginning of the key ID, as in 0x99242560.

`--keyserver `name''
Use `name' as your keyserver. This is the server that
`--recv-keys', `--send-keys', and `--search-keys' will communicate
with to receive keys from, send keys to, and search for keys on.
The format of the `name' is a URI:
`scheme:[//]keyservername[:port]' The scheme is the type of
keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap"
for the LDAP keyservers, or "mailto" for the Graff email
keyserver. Note that your particular installation of GnuPG may
have other keyserver types available as well. Keyserver schemes
are case-insensitive. After the keyserver name, optional keyserver
configuration options may be provided. These are the same as the
global `--keyserver-options' from below, but apply only to this
particular keyserver.

Most keyservers synchronize with each other, so there is generally
no need to send keys to more than one server. The keyserver
`hkp://subkeys.pgp.net' uses round robin DNS to give a different
keyserver each time you use it.

`--keyserver-options `name=value1 ''
This is a space or comma delimited string that gives options for
the keyserver. Options can be prepended with a `no-' to give the
opposite meaning. Valid import-options or export-options may be
used here as well to apply to importing (`--recv-key') or exporting
(`--send-key') a key from a keyserver. While not all options are
available for all keyserver types, some common options are:

When searching for a key with `--search-keys', include keys
that are marked on the keyserver as revoked. Note that not
all keyservers differentiate between revoked and unrevoked
keys, and for such keyservers this option is meaningless.
Note also that most keyservers do not have cryptographic
verification of key revocations, and so turning this option
off may result in skipping keys that are incorrectly marked

When searching for a key with `--search-keys', include keys
that are marked on the keyserver as disabled. Note that this
option is not used with HKP keyservers.

This option enables the automatic retrieving of keys from a
keyserver when verifying signatures made by keys that are not
on the local keyring.

Note that this option makes a "web bug" like behavior
possible. Keyserver operators can see which keys you
request, so by sending you a message signed by a brand new
key (which you naturally will not have on your local
keyring), the operator can tell both your IP address and the
time when you verified the signature.

When using `--refresh-keys', if the key in question has a
preferred keyserver URL, then use that preferred keyserver to
refresh the key from. In addition, if auto-key-retrieve is
set, and the signature being verified has a preferred
keyserver URL, then use that preferred keyserver to fetch the
key from. Defaults to yes.

If auto-key-retrieve is set, and the signature being verified
has a PKA record, then use the PKA information to fetch the
key. Defaults to yes.

When receiving a key, include subkeys as potential targets.
Note that this option is not used with HKP keyservers, as
they do not support retrieving keys by subkey id.

On most Unix-like platforms, GnuPG communicates with the
keyserver helper program via pipes, which is the most
efficient method. This option forces GnuPG to use temporary
files to communicate. On some platforms (such as Win32 and
RISC OS), this option is always enabled.

If using `use-temp-files', do not delete the temp files after
using them. This option is useful to learn the keyserver
communication protocol by reading the temporary files.

Tell the keyserver helper program to be more verbose. This
option can be repeated multiple times to increase the

Tell the keyserver helper program how long (in seconds) to
try and perform a keyserver action before giving up. Note
that performing multiple actions at the same time uses this
timeout value per action. For example, when retrieving
multiple keys via `--recv-keys', the timeout applies
separately to each key retrieval, and not to the
`--recv-keys' command as a whole. Defaults to 30 seconds.

For HTTP-like keyserver schemes (such as HKP and HTTP
itself), try to access the keyserver over a proxy. If a
`value' is specified, use this as the HTTP proxy. If no
`value' is specified, the value of the environment variable
"http_proxy", if any, will be used.

When retrieving a key via DNS CERT, only accept keys up to
this size. Defaults to 16384 bytes.

`--completes-needed `n''
Number of completely trusted users to introduce a new key signer

`--marginals-needed `n''
Number of marginally trusted users to introduce a new key signer

`--max-cert-depth `n''
Maximum depth of a certification chain (default is 5).

`--simple-sk-checksum'
Secret keys are integrity protected by using a SHA-1 checksum. This
method is part of the upcoming enhanced OpenPGP specification but
GnuPG already uses it as a countermeasure against certain attacks.
Old applications don't understand this new format, so this option
may be used to switch back to the old behaviour. Using this option
bears a security risk. Note that using this option only takes
effect when the secret key is encrypted - the simplest way to make
this happen is to change the passphrase on the key (even changing
it to the same value is acceptable).

Do not cache the verification status of key signatures. Caching
gives a much better performance in key listings. However, if you
suspect that your public keyring is not safe against write
modifications, you can use this option to disable the caching. It
probably does not make sense to disable it because all kinds of
damage can be done if someone else has write access to your public

`--no-sig-create-check'
GnuPG normally verifies each signature right after creation to
protect against bugs and hardware malfunctions which could leak
out bits from the secret key. This extra verification needs some
time (about 115% for DSA keys), and so this option can be used to
disable it. However, due to the fact that the signature creation
needs manual interaction, this performance penalty does not matter

`--auto-check-trustdb'
`--no-auto-check-trustdb'
If GnuPG feels that its information about the Web of Trust has to
be updated, it automatically runs the `--check-trustdb' command
internally. This may be a time consuming process.
`--no-auto-check-trustdb' disables this option.

Try to use the GnuPG-Agent. With this option, GnuPG first tries to
connect to the agent before it asks for a passphrase.
`--no-use-agent' disables this option.

Override the value of the environment variable `GPG_AGENT_INFO'.
This is only used when `--use-agent' has been given.

Lock the databases the first time a lock is requested and do not
release the lock until the process terminates.

Release the locks every time a lock is no longer needed. Use this
to override a previous `--lock-once' from a config file.

Disable locking entirely. This option should be used only in very
special environments, where it can be assured that only one process
is accessing those files. A bootable floppy with a stand-alone
encryption system will probably use this. Improper usage of this
option may lead to data and key corruption.

`--exit-on-status-write-error'
This option will cause write errors on the status FD to immediately
terminate the process. That should in fact be the default but it
never worked this way and thus we need an option to enable this,
so that the change won't break applications which close their end
of a status fd connected pipe too early. Using this option along
with `--enable-progress-filter' may be used to cleanly cancel long
running gpg operations.

`--limit-card-insert-tries `n''
With `n' greater than 0 the number of prompts asking to insert a
smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
all ask to insert a card if none has been inserted at startup. This
option is useful in the configuration file in case an application
does not know about the smartcard support and waits ad infinitum
for an inserted card.

`--no-random-seed-file'
GnuPG uses a file to store its internal random pool over
invocations. This makes random generation faster; however
sometimes write operations are not desired. This option can be
used to achieve that with the cost of slower random generation.

Suppress the initial copyright message.

`--no-secmem-warning'
Suppress the warning about "using insecure memory".

`--no-permission-warning'
Suppress the warning about unsafe file and home directory
(`--homedir') permissions. Note that the permission checks that
GnuPG performs are not intended to be authoritative, but rather
they simply warn about certain common permission problems. Do not
assume that the lack of a warning means that your system is secure.

Note that the warning for unsafe `--homedir' permissions cannot be
suppressed in the gpg.conf file, as this would allow an attacker to
place an unsafe gpg.conf file in place, and use this file to
suppress warnings about itself. The `--homedir' permissions
warning may only be suppressed on the command line.

Suppress the warning about missing MDC integrity protection.

`--no-require-secmem'
Refuse to run if GnuPG cannot get secure memory. Defaults to no
(i.e. run, but give a warning).

`--require-cross-certification'
`--no-require-cross-certification'
When verifying a signature made from a subkey, ensure that the
cross certification "back signature" on the subkey is present and
valid. This protects against a subtle attack against subkeys that
can sign. Defaults to `--require-cross-certification' for `gpg'.

Allow the user to do certain nonsensical or "silly" things like
signing an expired or revoked key, or certain potentially
incompatible things like generating unusual key types. This also
disables certain warning messages about potentially incompatible
actions. As the name implies, this option is for experts only. If
you don't fully understand the implications of what it allows you
to do, leave this off. `--no-expert' disables this option.
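
Several of the configuration options above are described as weakening a protection or hiding a warning. The following added example (not part of the GnuPG manual or its source) reads the text of an options file and reports the ones that are still in effect at the end of the file, using the space-or-comma and `no-' rules given for `--keyserver-options'. The function names, the last-setting-wins handling and the sample file are this example's own assumptions.

```python
import re

# Option name as written in an options file -> the reason the text above gives.
RISKY_FLAGS = {
    "simple-sk-checksum": "older secret key checksum; described as a security risk",
    "no-sig-create-check": "skips the check that guards against leaking secret key bits",
    "lock-never": "no locking; may lead to data and key corruption",
    "no-require-cross-certification": "drops the back-signature check on signing subkeys",
    "no-permission-warning": "hides the unsafe file permission warning",
    "no-secmem-warning": "hides the insecure memory warning",
    "no-mdc-warning": "hides the missing MDC integrity protection warning",
    "expert": "allows signing expired/revoked keys and disables some warnings",
}
# An option that switches an earlier risky flag back off.
CANCELLED_BY = {
    "require-cross-certification": "no-require-cross-certification",
    "no-expert": "expert",
}


def parse_keyserver_options(value):
    """Split a space or comma delimited option string; `no-' negates."""
    opts = {}
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.lower()
        if name.startswith("no-"):
            opts[name[3:]] = False
        else:
            opts[name] = val or True
    return opts


def audit(conf_text):
    """Return sorted (line number, option, reason) for settings still active."""
    state = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Options files give long options without the leading dashes;
        # accept both spellings.
        name = parts[0].lstrip("-").lower()
        value = parts[1] if len(parts) > 1 else ""
        if name in RISKY_FLAGS:
            state[name] = (lineno, RISKY_FLAGS[name])
        elif name in CANCELLED_BY:
            state.pop(CANCELLED_BY[name], None)
        elif name == "trust-model":
            if value.strip().lower() == "always":
                state["trust-model always"] = (lineno, "skips key validation")
            else:
                state.pop("trust-model always", None)
        elif name == "keyserver-options":
            opts = parse_keyserver_options(value)
            if opts.get("auto-key-retrieve"):
                state["auto-key-retrieve"] = (
                    lineno, "keyserver operator learns your IP address and "
                            "when you verified a signature")
            elif "auto-key-retrieve" in opts:
                state.pop("auto-key-retrieve", None)
    return sorted((n, opt, why) for opt, (n, why) in state.items())


# Constructed sample file for the demonstration, not a recommended setup.
SAMPLE = """\
# constructed sample
keyserver hkp://subkeys.pgp.net
keyserver-options auto-key-retrieve,timeout=10 include-revoked
trust-model always
expert
no-expert
no-sig-create-check
keyserver-options no-auto-key-retrieve
trust-model pgp
simple-sk-checksum
"""

if __name__ == "__main__":
    for lineno, option, why in audit(SAMPLE):
        print(f"line {lineno}: {option}: {why}")
```

Options given on the command line are not visible to this check, so it covers the options file only.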

File: gnupg1.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options

1.2.2 Key related options
-------------------------

Encrypt for user id NAME. If this option or `--hidden-recipient'
is not specified, GnuPG asks for the user-id unless
`--default-recipient' is given.

`--hidden-recipient NAME'

Encrypt for user ID NAME, but hide the key ID of this user's key.
This option helps to hide the receiver of the message and is a
limited countermeasure against traffic analysis. If this option or
`--recipient' is not specified, GnuPG asks for the user ID unless
`--default-recipient' is given.

`--encrypt-to `name''
Same as `--recipient' but this one is intended for use in the
options file and may be used with your own user-id as an
"encrypt-to-self". These keys are only used when there are other
recipients given either by use of `--recipient' or by the asked
user id. No trust checking is performed for these user ids and
even disabled keys can be used.

`--hidden-encrypt-to `name''
Same as `--hidden-recipient' but this one is intended for use in
the options file and may be used with your own user-id as a hidden
"encrypt-to-self". These keys are only used when there are other
recipients given either by use of `--recipient' or by the asked
user id. No trust checking is performed for these user ids and
even disabled keys can be used.

Disable the use of all `--encrypt-to' and `--hidden-encrypt-to'

`--group `name=value1 ''
Sets up a named group, which is similar to aliases in email
programs. Any time the group name is a recipient (`-r' or
`--recipient'), it will be expanded to the values specified.
Multiple groups with the same name are automatically merged into a

The values are `key IDs' or fingerprints, but any key description
is accepted. Note that a value with spaces in it will be treated as
two different values. Note also there is only one level of
expansion -- you cannot make a group that points to another
group. When used from the command line, it may be necessary to
quote the argument to this option to prevent the shell from
treating it as multiple arguments.

Remove a given entry from the `--group' list.

Remove all entries from the `--group' list.

Use NAME as the key to sign with. Note that this option overrides

Don't look at the key ID as stored in the message but try all
secret keys in turn to find the right decryption key. This option
forces the behaviour as used by anonymous recipients (created by
using `--throw-keyids') and might come in handy in cases where an
encrypted message contains a bogus key ID.

File: gnupg1.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options

1.2.3 Input and Output
----------------------

Create ASCII armored output. The default is to create the binary

Assume the input data is not in ASCII armored format.

Write output to FILE.

This option sets a limit on the number of bytes that will be
generated when processing a file. Since OpenPGP supports various
levels of compression, it is possible that the plaintext of a
given message may be significantly larger than the original
OpenPGP message. While GnuPG works properly with such messages,
there is often a desire to set a maximum file size that will be
generated before processing is forced to stop by the OS limits.
Defaults to 0, which means "no limit".
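
The output limit described above matters because a small compressed message can expand to a very large plaintext. The following added example (not GnuPG code) applies the same kind of cap to a DEFLATE stream with Python's zlib module, stopping as soon as the limit is crossed instead of after the whole output has been produced. The function names and the sample data are this example's own; a limit of 0 means "no limit", as in the option text.

```python
import zlib


class OutputLimitExceeded(Exception):
    """Raised when decompression would produce more than the allowed bytes."""


def inflate_bounded(data, max_output=0, raw_deflate=False, chunk=65536):
    """Decompress `data`, refusing to produce more than `max_output` bytes.

    raw_deflate=True reads a bare RFC 1951 stream (the OpenPGP "ZIP"
    algorithm); otherwise an RFC 1950 zlib stream ("ZLIB") is expected.
    """
    d = zlib.decompressobj(-15 if raw_deflate else 15)
    out = bytearray()
    buf = data
    while not d.eof:
        step = chunk
        if max_output:
            # Ask for one byte more than is still allowed so that an
            # overrun is detected without inflating the rest.
            step = min(chunk, max_output - len(out) + 1)
        piece = d.decompress(buf, step)
        if not piece and not d.unconsumed_tail and not d.eof:
            raise ValueError("compressed stream is truncated")
        out += piece
        if max_output and len(out) > max_output:
            raise OutputLimitExceeded(
                f"output exceeds the limit of {max_output} bytes")
        buf = d.unconsumed_tail
    return bytes(out)


def exceeds_limit(data, max_output, raw_deflate=False):
    """True if `data` would inflate to more than `max_output` bytes."""
    try:
        inflate_bounded(data, max_output, raw_deflate)
    except OutputLimitExceeded:
        return True
    return False


def _deflate_raw(plain):
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(plain) + co.flush()


# Constructed sample inputs.
SAMPLE_TEXT = b"hello world" * 10                 # 110 bytes of plaintext
SAMPLE_ZLIB = zlib.compress(SAMPLE_TEXT)
SAMPLE_RAW = _deflate_raw(SAMPLE_TEXT)
BOMB_PLAIN_LEN = 5_000_000                        # 5 MB of zero bytes
BOMB_ZLIB = zlib.compress(b"\x00" * BOMB_PLAIN_LEN, 9)

if __name__ == "__main__":
    print("compressed size:", len(BOMB_ZLIB), "plaintext size:", BOMB_PLAIN_LEN)
    print("over a 1 MB limit:", exceeds_limit(BOMB_ZLIB, 1_000_000))
```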

`--import-options `parameters''
This is a space or comma delimited string that gives options for
importing keys. Options can be prepended with a `no-' to give the
opposite meaning. The options are:

Allow importing key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.

repair-pks-subkey-bug
During import, attempt to repair the damage caused by the PKS
keyserver bug (pre version 0.9.6) that mangles keys with
multiple subkeys. Note that this cannot completely repair the
damaged key as some crucial data is removed by the keyserver,
but it does at least give you back one subkey. Defaults to no
for regular `--import' and to yes for keyserver `--recv-keys'.

During import, allow key updates to existing keys, but do not
allow any new keys to be imported. Defaults to no.

After import, compact (remove all signatures except the
self-signature) any user IDs from the new key that are not
usable. Then, remove any signatures from the new key that
are not usable. This includes signatures that were issued by
keys that are not present on the keyring. This option is the
same as running the `--edit-key' command "clean" after
import. Defaults to no.

Import the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
option is the same as running the `--edit-key' command
"minimize" after import. Defaults to no.

`--export-options `parameters''
This is a space or comma delimited string that gives options for
exporting keys. Options can be prepended with a `no-' to give the
opposite meaning. The options are:

Allow exporting key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.

Include attribute user IDs (photo IDs) while exporting. This
is useful to export keys if they are going to be used by an
OpenPGP program that does not accept attribute user IDs.

export-sensitive-revkeys
Include designated revoker information that was marked as
"sensitive". Defaults to no.

export-reset-subkey-passwd
When using the `--export-secret-subkeys' command, this option
resets the passphrases for all exported subkeys to empty.
This is useful when the exported subkey is to be used on an
unattended machine where a passphrase doesn't necessarily
make sense. Defaults to no.

Compact (remove all signatures from) user IDs on the key being
exported if the user IDs are not usable. Also, do not export
any signatures that are not usable. This includes signatures
that were issued by keys that are not present on the keyring.
This option is the same as running the `--edit-key' command
"clean" before export except that the local copy of the key
is not modified. Defaults to no.

Export the smallest key possible. This removes all signatures
except the most recent self-signature on each user ID. This
option is the same as running the `--edit-key' command
"minimize" before export except that the local copy of the
key is not modified. Defaults to no.

Print key listings delimited by colons. Note that the output will
be encoded in UTF-8 regardless of any `--display-charset' setting.
This format is useful when GnuPG is called from scripts and other
programs as it is easily machine parsed. The details of this
format are documented in the file `doc/DETAILS', which is included
in the GnuPG source distribution.

Do not merge primary user ID and primary key in `--with-colons'
listing mode and print all timestamps as seconds since 1970-01-01.

`--with-fingerprint'
Same as the command `--fingerprint' but changes only the format of
the output and may be used together with another command.

File: gnupg1.info, Node: OpenPGP Options, Next: GPG Esoteric Options, Prev: GPG Input and Output, Up: GPG Options

1.2.4 OpenPGP protocol specific options.
----------------------------------------

Treat input files as text and store them in the OpenPGP canonical
text form with standard "CRLF" line endings. This also sets the
necessary flags to inform the recipient that the encrypted or
signed data is text and may need its line endings converted back
to whatever the local system uses. This option is useful when
communicating between two platforms that have different line
ending conventions (UNIX-like to Mac, Mac to Windows, etc).
`--no-textmode' disables this option, and is the default.

If `-t' (but not `--textmode') is used together with armoring and
signing, this enables clearsigned messages. This kludge is needed
for command-line compatibility with command-line versions of PGP;
normally you would use `--sign' or `--clearsign' to select the
type of the signature.

`--no-force-v3-sigs'
OpenPGP states that an implementation should generate v4 signatures
but PGP versions 5 through 7 only recognize v4 signatures on key
material. This option forces v3 signatures for signatures on data.
Note that this option overrides `--ask-sig-expire', as v3
signatures cannot have expiration dates. `--no-force-v3-sigs'
disables this option.

`--no-force-v4-certs'
Always use v4 key signatures even on v3 keys. This option also
changes the default hash algorithm for v3 RSA keys from MD5 to
SHA-1. `--no-force-v4-certs' disables this option.

Force the use of encryption with a modification detection code.
This is always used with the newer ciphers (those with a blocksize
greater than 64 bits), or if all of the recipient keys indicate
MDC support in their feature flags.

Disable the use of the modification detection code. Note that by
using this option, the encrypted message becomes vulnerable to a
message modification attack.

`--personal-cipher-preferences `string''
Set the list of personal cipher preferences to `string'. This list
should be a string similar to the one printed by the command
"pref" in the edit menu. This allows the user to factor in their
own preferred algorithms when algorithms are chosen via recipient
key preferences. The most highly ranked cipher in this list is
also used for the `--symmetric' encryption command.

`--personal-digest-preferences `string''
Set the list of personal digest preferences to `string'. This list
should be a string similar to the one printed by the command
"pref" in the edit menu. This allows the user to factor in their
own preferred algorithms when algorithms are chosen via recipient
key preferences. The most highly ranked digest algorithm in this
list is also used when signing without encryption (e.g.
`--clearsign' or `--sign'). The default value is SHA-1.

`--personal-compress-preferences `string''
Set the list of personal compression preferences to `string'. This
list should be a string similar to the one printed by the command
"pref" in the edit menu. This allows the user to factor in their
own preferred algorithms when algorithms are chosen via recipient
key preferences. The most highly ranked algorithm in this list is
also used when there are no recipient keys to consider (e.g.

`--s2k-cipher-algo `name''
Use `name' as the cipher algorithm used to protect secret keys.
The default cipher is CAST5. This cipher is also used for
conventional encryption if `--personal-cipher-preferences' and
`--cipher-algo' are not given.

`--s2k-digest-algo `name''
Use `name' as the digest algorithm used to mangle the passphrases.
The default algorithm is SHA-1.

Selects how passphrases are mangled. If `n' is 0 a plain
passphrase (which is not recommended) will be used, a 1 adds a
salt to the passphrase and a 3 (the default) iterates the whole
process a number of times (see `--s2k-count'). Unless `--rfc1991' is
used, this mode is also used for conventional encryption.

Specify how many times the passphrase mangling is repeated. This
value may range between 1024 and 65011712 inclusive, and the
default is 65536. Note that not all values in the 1024-65011712
range are legal and if an illegal value is selected, GnuPG will
round up to the nearest legal value. This option is only
meaningful if `--s2k-mode' is 3.
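
The three passphrase mangling modes and the restriction on legal count values both follow from the OpenPGP string-to-key specifier. The following added example (written from RFC 4880, section 3.7.1; it is not GnuPG's code) derives a key for modes 0, 1 and 3 and shows why a requested count is rounded up: the count is stored in one coded octet, and in that encoding it is the number of octets fed to the hash. All function names are this example's own.

```python
import hashlib


def decode_count(c: int) -> int:
    """Expand the one-octet coded count stored in the S2K specifier."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def encode_count(requested: int) -> int:
    """Smallest coded octet whose expanded count is >= requested."""
    for c in range(256):
        if decode_count(c) >= requested:
            return c
    return 255  # above the maximum: clamp (a choice made by this example)


def legal_count(requested: int) -> int:
    """The count that is actually used for a requested value (rounded up)."""
    return decode_count(encode_count(requested))


def _feed(h, data: bytes, total: int) -> None:
    """Hash `total` octets of `data` repeated end to end."""
    block = data * max(1, 4096 // len(data))
    while total >= len(block):
        h.update(block)
        total -= len(block)
    h.update(block[:total])


def s2k(passphrase: bytes, key_len: int, mode: int = 3, salt: bytes = b"",
        count: int = 65536, digest: str = "sha1") -> bytes:
    """Derive `key_len` octets from a passphrase.

    mode 0: hash the passphrase alone (simple S2K).
    mode 1: hash an 8-octet salt followed by the passphrase.
    mode 3: hash salt+passphrase repeated until `count` octets are hashed.
    """
    if mode == 0:
        data = passphrase
    elif mode in (1, 3):
        if len(salt) != 8:
            raise ValueError("modes 1 and 3 need an 8-octet salt")
        data = salt + passphrase
    else:
        raise ValueError("unsupported S2K mode")
    total = len(data)
    if mode == 3:
        # The full salt+passphrase is always hashed at least once, even
        # when it is longer than the count.
        total = max(legal_count(count), len(data))
    key = b""
    preload = 0
    while len(key) < key_len:
        # When the digest is shorter than the key, further hash contexts
        # are used, the n-th one preloaded with n zero octets.
        h = hashlib.new(digest)
        h.update(b"\x00" * preload)
        if total:
            _feed(h, data, total)
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    for wanted in (1024, 65536, 65537, 100000, 65011712):
        print(wanted, "->", legal_count(wanted))
    salt = bytes(range(8))  # constructed salt; a real one is random
    print(s2k(b"correct horse", 16, mode=3, salt=salt).hex())
```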

1.2.5 Compliance options
------------------------

These options control what GnuPG is compliant to. Only one of these
options may be active at a time. Note that the default setting of this
is nearly always the correct one. See the INTEROPERABILITY WITH OTHER
OPENPGP PROGRAMS section below before using one of these options.

Use standard GnuPG behavior. This is essentially OpenPGP behavior
(see `--openpgp'), but with some additional workarounds for common
compatibility problems in different versions of PGP. This is the
default option, so it is not generally needed, but it may be
useful to override a different compliance option in the gpg.conf

Reset all packet, cipher and digest options to strict OpenPGP
behavior. Use this option to reset all previous options like
`--rfc1991', `--force-v3-sigs', `--s2k-*', `--cipher-algo',
`--digest-algo' and `--compress-algo' to OpenPGP compliant values.
All PGP workarounds are disabled.

Reset all packet, cipher and digest options to strict RFC-2440
behavior. Note that this is currently the same thing as

Try to be more RFC-1991 (PGP 2.x) compliant.

Set up all options to be as PGP 2.x compliant as possible, and
warn if an action is taken (e.g. encrypting to a non-RSA key) that
will create a message that PGP 2.x will not be able to handle.
Note that `PGP 2.x' here means `MIT PGP 2.6.2'. There are other
versions of PGP 2.x available, but the MIT release is a good

This option implies `--rfc1991 --disable-mdc --no-force-v4-certs
--no-sk-comment --escape-from-lines --force-v3-sigs
--no-ask-sig-expire --no-ask-cert-expire --cipher-algo IDEA
--digest-algo MD5 --compress-algo 1'. It also disables
`--textmode' when encrypting.

Set up all options to be as PGP 6 compliant as possible. This
restricts you to the ciphers IDEA (if the IDEA plugin is
installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
and the compression algorithms none and ZIP. This also disables
`--throw-keyids', and making signatures with signing subkeys as PGP 6
does not understand signatures made by signing subkeys.

This option implies `--disable-mdc --no-sk-comment
--escape-from-lines --force-v3-sigs --no-ask-sig-expire'.

Set up all options to be as PGP 7 compliant as possible. This is
identical to `--pgp6' except that MDCs are not disabled, and the
list of allowable ciphers is expanded to add AES128, AES192,
AES256, and TWOFISH.

Set up all options to be as PGP 8 compliant as possible. PGP 8 is
a lot closer to the OpenPGP standard than previous versions of
PGP, so all this does is disable `--throw-keyids' and set
`--escape-from-lines'. All algorithms are allowed except for the
SHA224, SHA384, and SHA512 digests.

File: gnupg1.info, Node: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options

1.2.6 Doing things one usually don't want to do.
------------------------------------------------

Don't make any changes (this is not completely implemented).

Changes the behaviour of some commands. This is like `--dry-run'
but different in some cases. The semantics of this command may be
extended in the future. Currently it only skips the actual
decryption pass and therefore enables a fast listing of the

Prompt before overwriting any files.

Set debugging flags. All flags are or-ed and FLAGS may be given in
C syntax (e.g. 0x0042).

Set all useful debugging flags.

`--debug-ccid-driver'
Enable debug output from the included CCID driver for smartcards.
Note that this option is only available on some systems.

`--enable-progress-filter'
Enable certain PROGRESS status outputs. This option allows
frontends to display a progress indicator while gpg is processing
larger files. There is a slight performance overhead using it.

Write special status strings to the file descriptor `n'. See the
file DETAILS in the documentation for a listing of them.

`--status-file `file''
Same as `--status-fd', except the status data is written to file

Write log output to file descriptor `n' and not to stderr.

`--logger-file `file''
Same as `--logger-fd', except the logger data is written to file

`--attribute-fd `n''
Write attribute subpackets to the file descriptor `n'. This is most
useful for use with `--status-fd', since the status messages are
needed to separate out the various subpackets from the stream
delivered to the file descriptor.

`--attribute-file `file''
Same as `--attribute-fd', except the attribute data is written to

`--comment `string''
Use `string' as a comment string in clear text signatures and ASCII
armored messages or keys (see `--armor'). The default behavior is
not to use a comment string. `--comment' may be repeated multiple
times to get multiple comment strings. `--no-comments' removes all
comments. It is a good idea to keep the length of a single comment
below 60 characters to avoid problems with mail programs wrapping
such lines. Note that comment lines, like all other header lines,
are not protected by the signature.

Force inclusion of the version string in ASCII armored output.
`--no-emit-version' disables this option.

`--sig-notation `name=value''
`--cert-notation `name=value''
`-N, --set-notation `name=value''
Put the name value pair into the signature as notation data.
`name' must consist only of printable characters or spaces, and
must contain a '@' character in the form keyname@domain.example.com
(substituting the appropriate keyname and domain name, of course).
This is to help prevent pollution of the IETF reserved notation
namespace. The `--expert' flag overrides the '@' check. `value'
may be any printable string; it will be encoded in UTF8, so you
should check that your `--display-charset' is set correctly. If
you prefix `name' with an exclamation mark (!), the notation data
will be flagged as critical (rfc2440:5.2.3.15). `--sig-notation'
sets a notation for data signatures. `--cert-notation' sets a
notation for key signatures (certifications). `--set-notation'

There are special codes that may be used in notation names. "%k"
will be expanded into the key ID of the key being signed, "%K"
into the long key ID of the key being signed, "%f" into the
fingerprint of the key being signed, "%s" into the key ID of the
key making the signature, "%S" into the long key ID of the key
making the signature, "%g" into the fingerprint of the key making
the signature (which might be a subkey), "%p" into the fingerprint
of the primary key of the key making the signature, "%c" into the
signature count from the OpenPGP smartcard, and "%%" results in a
single "%". %k, %K, and %f are only meaningful when making a key
signature (certification), and %c is only meaningful when using
the OpenPGP smartcard.

`--sig-policy-url `string''
`--cert-policy-url `string''
`--set-policy-url `string''
Use `string' as a Policy URL for signatures (rfc2440:5.2.3.19). If
you prefix it with an exclamation mark (!), the policy URL packet
will be flagged as critical. `--sig-policy-url' sets a policy url
for data signatures. `--cert-policy-url' sets a policy url for key
signatures (certifications). `--set-policy-url' sets both.

The same %-expandos used for notation data are available here as

`--sig-keyserver-url `string''
Use `string' as a preferred keyserver URL for data signatures. If
you prefix it with an exclamation mark, the keyserver URL packet
will be flagged as critical.

The same %-expandos used for notation data are available here as

`--set-filename `string''
Use `string' as the filename which is stored inside messages.
This overrides the default, which is to use the actual filename of
the file being encrypted.

`--for-your-eyes-only'
`--no-for-your-eyes-only'
Set the `for your eyes only' flag in the message. This causes GnuPG
to refuse to save the file unless the `--output' option is given,
and PGP to use the "secure viewer" with a Tempest-resistant font to
display the message. This option overrides `--set-filename'.
`--no-for-your-eyes-only' disables this option.

`--use-embedded-filename'
`--no-use-embedded-filename'
Try to create a file with a name as embedded in the data. This can
be a dangerous option as it allows files to be overwritten. Defaults to

`--cipher-algo `name''
Use `name' as cipher algorithm. Running the program with the
command `--version' yields a list of supported algorithms. If this
is not used the cipher algorithm is selected from the preferences
stored with the key. In general, you do not want to use this
option as it allows you to violate the OpenPGP standard.
`--personal-cipher-preferences' is the safe way to accomplish the

`--digest-algo `name''
Use `name' as the message digest algorithm. Running the program
with the command `--version' yields a list of supported
algorithms. In general, you do not want to use this option as it
allows you to violate the OpenPGP standard.
`--personal-digest-preferences' is the safe way to accomplish the

`--compress-algo `name''
Use compression algorithm `name'. "zlib" is RFC-1950 ZLIB
compression. "zip" is RFC-1951 ZIP compression which is used by
PGP. "bzip2" is a more modern compression scheme that can
compress some things better than zip or zlib, but at the cost of
more memory used during compression and decompression.
"uncompressed" or "none" disables compression. If this option is
not used, the default behavior is to examine the recipient key
preferences to see which algorithms the recipient supports. If all
else fails, ZIP is used for maximum compatibility.

ZLIB may give better compression results than ZIP, as the
compression window size is not limited to 8k. BZIP2 may give even
better compression results than that, but will use a significantly
larger amount of memory while compressing and decompressing. This
may be significant in low memory situations. Note, however, that
PGP (all versions) only supports ZIP compression. Using any
algorithm other than ZIP or "none" will make the message
unreadable with PGP. In general, you do not want to use this
option as it allows you to violate the OpenPGP standard.
`--personal-compress-preferences' is the safe way to accomplish

`--cert-digest-algo `name''
Use `name' as the message digest algorithm used when signing a
key. Running the program with the command `--version' yields a
list of supported algorithms. Be aware that if you choose an
algorithm that GnuPG supports but other OpenPGP implementations do
not, then some users will not be able to use the key signatures
you make, or quite possibly your entire key.

`--disable-cipher-algo `name''
Never allow the use of `name' as cipher algorithm. The given name
will not be checked so that a later loaded algorithm will still

`--disable-pubkey-algo `name''
Never allow the use of `name' as public key algorithm. The given
name will not be checked so that a later loaded algorithm will

Do not put the recipient key IDs into encrypted messages. This
helps to hide the receivers of the message and is a limited
countermeasure against traffic analysis. On the receiving side, it
may slow down the decryption process because all available secret
keys must be tried. `--no-throw-keyids' disables this option.
This option is essentially the same as using `--hidden-recipient'

`--not-dash-escaped'
This option changes the behavior of cleartext signatures so that
they can be used for patch files. You should not send such an
armored file via email because all spaces and line endings are
hashed too. You cannot use this option for data which has 5
dashes at the beginning of a line; patch files don't have this. A
special armor header line tells GnuPG about this cleartext

`--escape-from-lines'
`--no-escape-from-lines'
Because some mailers change lines starting with "From " to ">From
" it is good to handle such lines in a special way when creating
cleartext signatures to prevent the mail system from breaking the
signature. Note that all other PGP versions do it this way too.
Enabled by default. `--no-escape-from-lines' disables this option.

`--passphrase-repeat `n''
Specify how many times `gpg' will request a new passphrase be
repeated. This is useful for helping memorize a passphrase.
Defaults to 1 repetition.

`--passphrase-fd `n''
Read the passphrase from file descriptor `n'. Only the first line
will be read from file descriptor `n'. If you use 0 for `n', the
passphrase will be read from stdin. This can only be used if only
one passphrase is supplied.

`--passphrase-file `file''
Read the passphrase from file `file'. Only the first line will be
read from file `file'. This can only be used if only one
passphrase is supplied. Obviously, a passphrase stored in a file is
of questionable security if other users can read this file. Don't
use this option if you can avoid it.

`--passphrase `string''
Use `string' as the passphrase. This can only be used if only one
passphrase is supplied. Obviously, this is of very questionable
security on a multi-user system. Don't use this option if you can

This is a replacement for the deprecated shared-memory IPC mode.
If this option is enabled, user input on questions is not expected
from the TTY but from the given file descriptor. It should be used
together with `--status-fd'. See the file doc/DETAILS in the source
distribution for details on how to use it.

`--command-file `file''
Same as `--command-fd', except the commands are read out of file

`--allow-non-selfsigned-uid'
`--no-allow-non-selfsigned-uid'
Allow the import and use of keys with user IDs which are not
self-signed. This is not recommended, as a non self-signed user ID
is trivial to forge. `--no-allow-non-selfsigned-uid' disables.

`--allow-freeform-uid'
Disable all checks on the form of the user ID while generating a
new one. This option should only be used in very special
environments as it does not ensure the de-facto standard format of

`--ignore-time-conflict'
GnuPG normally checks that the timestamps associated with keys and
signatures have plausible values. However, sometimes a signature
seems to be older than the key due to clock problems. This option
makes these checks just a warning. See also `--ignore-valid-from'
for timestamp issues on subkeys.

`--ignore-valid-from'
GnuPG normally does not select and use subkeys created in the
future. This option allows the use of such keys and thus exhibits
the pre-1.0.7 behaviour. You should not use this option unless
there is some clock problem. See also `--ignore-time-conflict' for
timestamp issues with signatures.

`--ignore-crc-error'
The ASCII armor used by OpenPGP is protected by a CRC checksum
against transmission errors. Occasionally the CRC gets mangled
somewhere on the transmission channel but the actual content
(which is protected by the OpenPGP protocol anyway) is still okay.
This option allows GnuPG to ignore CRC errors.
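
The armor checksum that `--ignore-crc-error' skips is the CRC-24 of RFC 4880 section 6.1. This added example (not GnuPG's own code) computes and checks it over a constructed armor block and shows that the CRC covers only the decoded body, so an edited `Comment:' header line leaves it valid. The body bytes and the helper names `armor', `check_armor' and `flip_first_data_char' are made up for the illustration.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (RFC 4880, 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(body: bytes, kind: str = "MESSAGE", headers=()) -> str:
    """Wrap body in ASCII armor with header lines and a checksum line."""
    b64 = base64.b64encode(body).decode()
    data = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", *headers, "",
                      *data, "=" + crc, f"-----END PGP {kind}-----", ""])


def check_armor(text: str):
    """Parse one armor block and return (headers, body, crc_ok).

    crc_ok is None when the block carries no checksum line.
    """
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if not (lines[0].startswith("-----BEGIN PGP ")
            and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII armor block")
    blank = lines.index("")  # header lines end at the first empty line
    headers, data = lines[1:blank], lines[blank + 1:-1]
    stored = None
    # The checksum line is '=' followed by four base64 characters.
    if data and data[-1].startswith("=") and len(data[-1]) == 5:
        stored = int.from_bytes(base64.b64decode(data.pop()[1:]), "big")
    body = base64.b64decode("".join(data))
    crc_ok = None if stored is None else stored == crc24(body)
    return headers, body, crc_ok


def flip_first_data_char(text: str) -> str:
    """Simulate a transmission error in the first base64 data line."""
    lines = text.split("\n")
    i = lines.index("") + 1
    swap = "B" if lines[i][0] == "A" else "A"
    lines[i] = swap + lines[i][1:]
    return "\n".join(lines)


# Constructed sample: arbitrary bytes, not a real OpenPGP packet.
SAMPLE_BODY = b"constructed sample bytes, not a real OpenPGP packet " * 3
SAMPLE = armor(SAMPLE_BODY, headers=["Comment: built for this example"])

if __name__ == "__main__":
    print("intact block:    crc_ok =", check_armor(SAMPLE)[2])
    print("damaged body:    crc_ok =",
          check_armor(flip_first_data_char(SAMPLE))[2])
    edited = SAMPLE.replace("built for this example", "edited in transit")
    print("edited comment:  crc_ok =", check_armor(edited)[2])
```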

`--ignore-mdc-error'
This option changes an MDC integrity protection failure into a
warning. This can be useful if a message is partially corrupt,
but it is necessary to get as much data as possible out of the
corrupt message. However, be aware that an MDC protection failure
may also mean that the message was tampered with intentionally by

`--no-default-keyring'
Do not add the default keyrings to the list of keyrings. Note that
GnuPG will not operate without any keyrings, so if you use this
option and do not provide alternate keyrings via `--keyring' or
`--secret-keyring', then GnuPG will still use the default public or

Skip the signature verification step. This may be used to make the
decryption faster if the signature verification is not needed.

Print key listings delimited by colons (like `--with-colons') and
print the public key data.

Changes the output of the list commands to work faster; this is
achieved by leaving some parts empty. Some applications don't need
the user ID and the trust information given in the listings. By
using this option they can get a faster listing. The exact
behaviour of this option may change in future versions. If you
are missing some information, don't use this option.

This is not for normal use. Use the source to see for what it

This is not for normal use. Use the source to see for what it

`--show-session-key'
Display the session key used for one message. See
`--override-session-key' for the counterpart of this option.

We think that Key Escrow is a Bad Thing; however the user should
have the freedom to decide whether to go to prison or to reveal
the content of one specific message without compromising all
messages ever encrypted for one secret key. DON'T USE IT UNLESS
YOU ARE REALLY FORCED TO DO SO.

`--override-session-key `string''
Don't use the public key but the session key `string'. The format
of this string is the same as the one printed by
`--show-session-key'. This option is normally not used but comes
in handy in case someone forces you to reveal the content of an
encrypted message; using this option you can do this without
handing out the secret key.

`--no-ask-sig-expire'
When making a data signature, prompt for an expiration time. If
this option is not specified, the expiration time set via
`--default-sig-expire' is used. `--no-ask-sig-expire' disables
this option. Note that by default, `--force-v3-sigs' is set which
also disables this option. If you want signature expiration, you
must set `--no-force-v3-sigs' as well as turning
`--ask-sig-expire' on.

`--default-sig-expire'
The default expiration time to use for signature expiration. Valid
values are "0" for no expiration, a number followed by the letter d
(for days), w (for weeks), m (for months), or y (for years) (for
example "2m" for two months, or "5y" for five years), or an
absolute date in the form YYYY-MM-DD. Defaults to "0".

`--no-ask-cert-expire'
When making a key signature, prompt for an expiration time. If this
option is not specified, the expiration time set via
`--default-cert-expire' is used. `--no-ask-cert-expire' disables

`--default-cert-expire'
The default expiration time to use for key signature expiration.
Valid values are "0" for no expiration, a number followed by the
letter d (for days), w (for weeks), m (for months), or y (for
years) (for example "2m" for two months, or "5y" for five years),
or an absolute date in the form YYYY-MM-DD. Defaults to "0".

`--allow-secret-key-import'
This is an obsolete option and is not used anywhere.

`--allow-multisig-verification'
Allow verification of concatenated signed messages. This will run a
signature verification for each data+signature block. There are
some security issues with this option and thus it is off by
default. Note that versions of GPG prior to version 1.4.3
implicitly allowed this.

`--enable-special-filenames'
This option enables a mode in which filenames of the form `-&n',
where n is a non-negative decimal number, refer to the file
descriptor n and not to a file with that name.

`--no-expensive-trust-checks'
Experimental use only.

`--preserve-permissions'
Don't change the permissions of a secret keyring back to user
read/write only. Use this option only if you really know what you

`--default-preference-list `string''
Set the list of default preferences to `string'. This preference
list is used for new keys and becomes the default for "setpref" in

`--default-keyserver-url `name''
Set the default keyserver URL to `name'. This keyserver will be
used as the keyserver URL when writing a new self-signature on a
key, which includes key generation and changing preferences.

Display various internal configuration parameters of GnuPG. This
option is intended for external programs that call GnuPG to
perform tasks, and is thus not generally useful. See the file
`doc/DETAILS' in the source distribution for the details of which
configuration items may be listed. `--list-config' is only usable
with `--with-colons' set.

This command is similar to `--list-config' but in general only
internally used by the `gpgconf' tool.

This is more or less a dummy action. However it parses the
configuration file and returns with failure if the configuration
file would prevent `gpg' from startup. Thus it may be used to run
a syntax check on the configuration file.

1.2.7 Deprecated options
------------------------

`--load-extension `name''
Load an extension module. If `name' does not contain a slash it is
searched for in the directory configured when GnuPG was built
(generally "/usr/local/lib/gnupg"). Extensions are not generally
useful anymore, and the use of this option is deprecated.

Causes `--list-keys', `--list-sigs', `--list-public-keys',
`--list-secret-keys', and verifying a signature to also display
the photo ID attached to the key, if any. See also
`--photo-viewer'. These options are deprecated. Use
`--list-options [no-]show-photos' and/or `--verify-options
[no-]show-photos' instead.

Display the keyring name at the head of key listings to show which
keyring a given key resides on. This option is deprecated: use
`--list-options [no-]show-keyring' instead.

`--ctapi-driver `file''
Use `file' to access the smartcard reader. The current default is
`libtowitoko.so'. Note that the use of this interface is
deprecated; it may be removed in future releases.

Identical to `--trust-model always'. This option is deprecated.

`--no-show-notation'
Show signature notations in the `--list-sigs' or `--check-sigs'
listings as well as when verifying a signature with a notation in
it. These options are deprecated. Use `--list-options
[no-]show-notation' and/or `--verify-options [no-]show-notation'

`--no-show-policy-url'
Show policy URLs in the `--list-sigs' or `--check-sigs' listings
as well as when verifying a signature with a policy URL in it.
These options are deprecated. Use `--list-options
[no-]show-policy-url' and/or `--verify-options
[no-]show-policy-url' instead.

File: gnupg1.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG

1.3 Configuration files
=======================

There are a few configuration files to control certain aspects of
`gpg''s operation. Unless noted, they are expected in the current home
directory (*note option --homedir::).

This is the standard configuration file read by `gpg' on startup.
It may contain any valid long option; the leading two dashes may
not be entered and the option may not be abbreviated. This default
name may be changed on the command line (*note option --options::).

Note that on larger installations, it is useful to put predefined
files into the directory `/etc/skel/.gnupg/' so that newly created users
start up with a working configuration.

For internal purposes `gpg' creates and maintains a few other
files; they all live in the current home directory (*note option
--homedir::). Only `gpg' may modify these files.

`~/.gnupg/secring.gpg'

`~/.gnupg/secring.gpg.lock'

`~/.gnupg/pubring.gpg'

`~/.gnupg/pubring.gpg.lock'

`~/.gnupg/trustdb.gpg'

`~/.gnupg/trustdb.gpg.lock'

`~/.gnupg/random_seed'
used to preserve the internal random pool

`/usr[/local]/share/gnupg/options.skel'
Skeleton options file

`/usr[/local]/lib/gnupg/'
Default location for extensions

Operation is further controlled by a few environment variables:

Used to locate the default home directory.

If set, directory used instead of "~/.gnupg".

Used to locate the gpg-agent. This is only honored when
`--use-agent' is set. The value consists of 3 colon delimited
fields: The first is the path to the Unix Domain Socket, the
second the PID of the gpg-agent and the protocol version which
should be set to 1. When starting the gpg-agent as described in
its documentation, this variable is set to the correct value. The
option `--gpg-agent-info' can be used to override it.

Used to size some displays to the full size of the screen.

File: gnupg1.info, Node: GPG Examples, Prev: GPG Configuration, Up: Invoking GPG

gpg -se -r `Bob' `file'
sign and encrypt for user Bob

gpg --clearsign `file'
make a clear text signature

make a detached signature

gpg --list-keys `user_ID'

gpg --fingerprint `user_ID'

gpg --verify `pgpfile'
gpg --verify `sigfile'
Verify the signature of the file but do not output the data. The
second form is used for detached signatures, where `sigfile' is
the detached signature (either ASCII armored or binary) and are
the signed data; if this is not given, the name of the file
holding the signed data is constructed by cutting off the
extension (".asc" or ".sig") of `sigfile' or by asking the user

The program returns 0 if everything was fine, 1 if at least one signature
was bad, and other error codes for fatal errors.

Use a *good* password for your user account and a *good* passphrase to
protect your secret key. This passphrase is the weakest part of the
whole system. Programs to do dictionary attacks on your secret keyring
are very easy to write and so you should protect your "~/.gnupg/"
directory very well.

Keep in mind that, if this program is used over a network (telnet),
it is *very* easy to spy out your passphrase!

If you are going to verify detached signatures, make sure that the
program knows about it; either give both filenames on the command line
or use `-' to specify stdin.

INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
********************************************

GnuPG tries to be a very flexible implementation of the OpenPGP
standard. In particular, GnuPG implements many of the optional parts of
the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
compression algorithms. It is important to be aware that not all
OpenPGP programs implement these optional algorithms and that by
forcing their use via the `--cipher-algo', `--digest-algo',
`--cert-digest-algo', or `--compress-algo' options in GnuPG, it is
possible to create a perfectly valid OpenPGP message, but one that
cannot be read by the intended recipient.

There are dozens of variations of OpenPGP programs available, and
each supports a slightly different subset of these optional algorithms.
For example, until recently, no (unhacked) version of PGP supported the
BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
read by a PGP user. By default, GnuPG uses the standard OpenPGP
preferences system that will always do the right thing and create
messages that are usable by all recipients, regardless of which OpenPGP
program they use. Only override this safe default if you really know

If you absolutely must override the safe default, or if the
preferences on a given key are invalid for some reason, you are far
better off using the `--pgp6', `--pgp7', or `--pgp8' options. These
options are safe as they do not force any particular algorithms in
violation of OpenPGP, but rather reduce the available algorithms to a

On many systems this program should be installed as setuid(root). This
is necessary to lock memory pages. Locking memory pages prevents the
operating system from writing memory pages (which may contain
passphrases or other sensitive material) to disk. If you get no warning
message about insecure memory your operating system supports locking
without being root. The program drops root privileges as soon as locked
memory is allocated.
2386
File: gnupg1.info, Node: Specify a User ID, Next: Copying, Prev: Invoking GPG, Up: Top
2388
2 How to Specify a User Id
2389
**************************
2391
There are different ways to specify a user ID to GnuPG. Some of them
2392
are only valid for `gpg' others are only good for `gpgsm'. Here is the
2393
entire list of ways to specify a key:
2395
* By key Id. This format is deduced from the length of the string
2396
and its content or `0x' prefix. The key Id of an X.509 certificate
2397
are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
2398
is just a shortcut, for all automated processing the fingerprint
2401
When using `gpg' an exclamation mark may be appended to force
2402
using the specified primary or secondary key and not to try and
2403
calculate which primary or secondary key to use.
2405
The last four lines of the example give the key ID in their long
2406
form as internally used by the OpenPGP protocol. You can see the
2407
long key ID using the option `--with-colons'.
2419
* By fingerprint. This format is deduced from the length of the
2420
string and its content or the `0x' prefix. Note, that only the 20
2421
byte version fingerprint is available with `gpgsm' (i.e. the SHA-1
2422
hash of the certificate).
2424
When using `gpg' an exclamation mark may be appended to force
2425
using the specified primary or secondary key and not to try and
2426
calculate which primary or secondary key to use.
2428
The best way to specify a key Id is by using the fingerprint. This
2429
avoids any ambiguities in case that there are duplicated key IDs.
2431
1234343434343434C434343434343434
2432
123434343434343C3434343434343734349A3434
2433
0E12343434343434343434EAB3484343434343434
2434
0xE12343434343434343434EAB3484343434343434
2436
(`gpgsm' also accepts colons between each pair of hexadecimal
2437
digits because this is the de-facto standard on how to present
2438
X.509 fingerprints.)
2440
* By exact match on OpenPGP user ID. This is denoted by a leading
2441
equal sign. It does not make sense for X.509 certificates.
2443
=Heinrich Heine <heinrichh@uni-duesseldorf.de>
2445
* By exact match on an email address. This is indicated by
2446
enclosing the email address in the usual way with left and right
2449
<heinrichh@uni-duesseldorf.de>
2451
* By word match. All words must match exactly (not case sensitive)
2452
but can appear in any order in the user ID or a subjects name.
2453
Words are any sequences of letters, digits, the underscore and all
2454
characters with bit 7 set.
2456
+Heinrich Heine duesseldorf

* By exact match on the subject's DN. This is indicated by a
leading slash, directly followed by the RFC-2253 encoded DN of the
subject. Note that you can't use the string printed by "gpgsm
--list-keys" because that one has been reordered and modified for
better readability; use --with-colons to print the raw (but standard
escaped) RFC-2253 string.

/CN=Heinrich Heine,O=Poets,L=Paris,C=FR

* By exact match on the issuer's DN. This is indicated by a leading
hash mark, directly followed by a slash and then directly followed
by the RFC-2253 encoded DN of the issuer. This should return the
Root cert of the issuer. See note above.

#/CN=Root Cert,O=Poets,L=Paris,C=FR

* By exact match on serial number and issuer's DN. This is
indicated by a hash mark, followed by the hexadecimal
representation of the serial number, then followed by a slash and
the RFC-2253 encoded DN of the issuer. See note above.

#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

* By keygrip. This is indicated by an ampersand followed by the 40
hex digits of a keygrip. `gpgsm' prints the keygrip when using
the command `--dump-cert'. It does not yet work for OpenPGP keys.

&D75F22C3F86E355877348498CDC92BD21010A480

* By substring match. This is the default mode but applications may
want to explicitly indicate this by putting the asterisk in front.
Match is not case sensitive.
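
The prefix rules listed above, as an added Python example that is not part of the GnuPG manual and is not GnuPG's own code: it classifies one specification string into its match mode and lets a wrapper refuse anything that is not a full fingerprint. The function names and mode labels are hypothetical; the key ID lengths of 8 and 16 hex digits are taken from the key-ID item earlier in the manual.

```python
import re

_HEX = re.compile(r"[0-9A-Fa-f]+\Z")
_WORD = re.compile(r"[0-9A-Za-z_\u0080-\U0010FFFF]+")
# Hex digit counts for unprefixed hex strings (key ID lengths come from the
# key-ID item earlier in the manual; fingerprint lengths from the examples).
_HEX_MODES = {8: "short-keyid", 16: "long-keyid",
              32: "fingerprint-16", 40: "fingerprint-20"}


def classify_user_id(spec):
    """Return (mode, value) for one user ID specification string."""
    s = spec.strip()
    if not s:
        raise ValueError("empty user ID specification")
    head, rest = s[0], s[1:]
    if head == "=":
        return "exact-uid", rest
    if head == "<":
        return "exact-email", rest[:-1] if rest.endswith(">") else rest
    if head == "+":
        return "words", sorted(w.lower() for w in _WORD.findall(rest))
    if head == "/":
        return "subject-dn", rest
    if head == "#":
        serial, slash, dn = rest.partition("/")
        if not slash:
            raise ValueError("'#' must be followed by [serial]/issuer-DN")
        if not serial:
            return "issuer-dn", dn
        if not _HEX.match(serial):
            raise ValueError("serial number must be hexadecimal")
        return "serial-issuer-dn", (serial.upper(), dn)
    if head == "&":
        if len(rest) != 40 or not _HEX.match(rest):
            raise ValueError("keygrip must be 40 hex digits")
        return "keygrip", rest.upper()
    if head == "*":
        return "substring", rest
    return _classify_hex(s)


def _classify_hex(s):
    prefixed = s[:2].lower() == "0x"
    digits = s[2:] if prefixed else s
    if _HEX.match(digits):
        n = len(digits)
        if n in _HEX_MODES:
            return _HEX_MODES[n], digits.upper()
        # A single leading 0 marks a hex ID, as in the 41-character example.
        if not prefixed and digits[0] == "0" and n - 1 in _HEX_MODES:
            return _HEX_MODES[n - 1], digits[1:].upper()
    if prefixed:
        raise ValueError("0x prefix requires 8, 16, 32 or 40 hex digits")
    return "substring", s  # default mode, case-insensitive


def require_fingerprint(spec):
    """Accept only a full fingerprint, the form the manual calls unambiguous."""
    mode, value = classify_user_id(spec)
    if not mode.startswith("fingerprint"):
        raise ValueError(f"{mode} is not a fingerprint")
    return value
```

A script that must act on exactly one key can pass operator input through require_fingerprint() before handing the value to gpg.
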

Please note that we have reused the hash mark identifier which was
used in old GnuPG versions to indicate the so-called local-id. It is
no longer used and there should be no conflict when used with X.509

Using the RFC-2253 format of DNs has the drawback that it is not
possible to map them back to the original encoding, however we don't
have to do this because our key database stores this encoding as meta

File: gnupg1.info, Node: Copying, Next: Option Index, Prev: Specify a User ID, Up: Top

Appendix A GNU GENERAL PUBLIC LICENSE
*************************************

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

The licenses for most software are designed to take away your freedom
to share and change it. By contrast, the GNU General Public License is
intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it in
new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their

We protect your rights with two steps: (1) copyright the software,
and (2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a
notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program",
below, refers to any such program or work, and a "work based on
the Program" means either the Program or any derivative work under
copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or
translated into another language. (Hereinafter, translation is
included without limitation in the term "modification".) Each
licensee is addressed as "you".

Activities other than copying, distribution and modification are
not covered by this License; they are outside its scope. The act
of running the Program is not restricted, and the output from the
Program is covered only if its contents constitute a work based on
the Program (independent of having been made by running the
Program). Whether that is true depends on what the Program does.

2. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any
warranty; and give any other recipients of the Program a copy of
this License along with the Program.

You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange

3. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

a. You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.

b. You must cause any work that you distribute or publish, that
in whole or in part contains or is derived from the Program
or any part thereof, to be licensed as a whole at no charge
to all third parties under the terms of this License.

c. If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display
an announcement including an appropriate copyright notice and
a notice that there is no warranty (or else, saying that you
provide a warranty) and that users may redistribute the
program under these conditions, and telling the user how to
view a copy of this License. (Exception: if the Program
itself is interactive but does not normally print such an
announcement, your work based on the Program is not required
to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the
Program, and can be reasonably considered independent and separate
works in themselves, then this License, and its terms, do not
apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a
whole which is a work based on the Program, the distribution of
the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each
and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or
contest your rights to work written entirely by you; rather, the
intent is to exercise the right to control the distribution of
derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the
Program with the Program (or with a work based on the Program) on
a volume of a storage or distribution medium does not bring the
other work under the scope of this License.

4. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms
of Sections 1 and 2 above provided that you also do one of the

a. Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of
Sections 1 and 2 above on a medium customarily used for
software interchange; or,

b. Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange; or,

c. Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with
such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete
source code means all the source code for all modules it contains,
plus any associated interface definition files, plus the scripts
used to control compilation and installation of the executable.
However, as a special exception, the source code distributed need
not include anything that is normally distributed (in either
source or binary form) with the major components (compiler,
kernel, and so on) of the operating system on which the executable
runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

5. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this
License. However, parties who have received copies, or rights,
from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.

6. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify
or distribute the Program or its derivative works. These actions
are prohibited by law if you do not accept this License.
Therefore, by modifying or distributing the Program (or any work
based on the Program), you indicate your acceptance of this
License to do so, and all its terms and conditions for copying,
distributing or modifying the Program or works based on it.

7. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any
further restrictions on the recipients' exercise of the rights
granted herein. You are not responsible for enforcing compliance
by third parties to this License.

8. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent
issues), conditions are imposed on you (whether by court order,
agreement or otherwise) that contradict the conditions of this
License, they do not excuse you from the conditions of this
License. If you cannot distribute so as to satisfy simultaneously
your obligations under this License and any other pertinent
obligations, then as a consequence you may not distribute the
Program at all. For example, if a patent license would not permit
royalty-free redistribution of the Program by all those who
receive copies directly or indirectly through you, then the only
way you could satisfy both it and this License would be to refrain
entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable
under any particular circumstance, the balance of the section is
intended to apply and the section as a whole is intended to apply
in other circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of
any such claims; this section has the sole purpose of protecting
the integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a
licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed
to be a consequence of the rest of this License.

9. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces,
the original copyright holder who places the Program under this
License may add an explicit geographical distribution limitation
excluding those countries, so that distribution is permitted only
in or among countries not thus excluded. In such case, this
License incorporates the limitation as if written in the body of

10. The Free Software Foundation may publish revised and/or new
versions of the General Public License from time to time. Such
new versions will be similar in spirit to the present version, but
may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the
Program specifies a version number of this License which applies
to it and "any later version", you have the option of following
the terms and conditions either of that version or of any later
version published by the Free Software Foundation. If the Program
does not specify a version number of this License, you may choose
any version ever published by the Free Software Foundation.

11. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the
author to ask for permission. For software which is copyrighted
by the Free Software Foundation, write to the Free Software
Foundation; we sometimes make exceptions for this. Our decision
will be guided by the two goals of preserving the free status of
all derivatives of our free software and of promoting the sharing
and reuse of software generally.

12. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.

13. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY
MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE
LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU
OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY
OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs
=============================================

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

ONE LINE TO GIVE THE PROGRAM'S NAME AND AN IDEA OF WHAT IT DOES.
Copyright (C) 19YY NAME OF AUTHOR

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Also add information on how to contact you by electronic and paper

If the program is interactive, make it output a short notice like
this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19YY NAME OF AUTHOR
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
type `show w'. This is free software, and you are welcome
to redistribute it under certain conditions; type `show c'

The hypothetical commands `show w' and `show c' should show the
appropriate parts of the General Public License. Of course, the
commands you use may be called something other than `show w' and `show
c'; they could even be mouse-clicks or menu items--whatever suits your

You should also get your employer (if you work as a programmer) or
your school, if any, to sign a "copyright disclaimer" for the program,
if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright
interest in the program `Gnomovision'
(which makes passes at compilers) written

SIGNATURE OF TY COON, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your
program into proprietary programs. If your program is a subroutine
library, you may consider it more useful to permit linking proprietary
applications with the library. If this is what you want to do, use the
GNU Library General Public License instead of this License.

File: gnupg1.info, Node: Option Index, Next: Index, Prev: Copying, Up: Top