1
1
This is gnupg.info, produced by makeinfo version 4.8 from gnupg.texi.
3
This is the `The GNU Privacy Guard Manual' (version 2.0.2, 8
3
This is the `The GNU Privacy Guard Manual' (version 2.0.3, 8
6
6
Copyright (C) 2002, 2004, 2005, 2006 Free Software Foundation, Inc.
23
23
Using the GNU Privacy Guard
24
24
***************************
26
This is the `The GNU Privacy Guard Manual' (version 2.0.2, 8 December
26
This is the `The GNU Privacy Guard Manual' (version 2.0.3, 8 December
29
29
Copyright (C) 2002, 2004, 2005, 2006 Free Software Foundation, Inc.
387
387
Use program FILENAME as the PIN entry. The default is installation
388
388
dependend and can be shown with the `--version' command.
390
`--pinentry-touch-file FILENAME'
391
By default the file name of the socket gpg-agent is listening for
392
requests is passed to Pinentry, so that it can touch that file
393
before exiting (it does this only in curses mode). This option
394
changes the file passed to Pinentry to FILENAME. The special name
395
`/dev/null' may be used to completely disable this feature. Note
396
that Pinentry will not create that file, it will only change the
397
modification and access time.
390
399
`--scdaemon-program FILENAME'
391
400
Use program FILENAME as the Smartcard daemon. The default is
392
401
installation dependend and can be shown with the `--version'
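Review bot: the added `--pinentry-touch-file' entry says what Pinentry does to the socket file but not why, so a reader cannot judge what is lost by setting it to `/dev/null'; add a sentence stating the purpose of the touch. In the same entry, "Note that Pinentry will not create that file, it will only change the modification and access time" is a comma splice and reads better as two sentences. In the entries directly above and below it, "dependend" should be "dependent".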
1853
1862
Show revoked and expired user IDs during signature
1854
1863
verification. Defaults to no.
1865
show-primary-uid-only
1866
Show only the primary user ID during signature verification.
1867
That is all the AKA lines as well as photo Ids are not shown
1868
with the signature verification status.
1857
1871
Enable PKA lookups to verify sender addresses. Note that PKA
1858
1872
is based on DNS, and so enabling this option may disclose
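Review bot: in the added `show-primary-uid-only' entry, "That is all the AKA lines as well as photo Ids are not shown" needs a comma after "That is" and consistent capitalisation ("photo IDs"). Since the option hides the other user IDs bound to the signing key during verification, the entry should also state its default, as the neighbouring entry does with "Defaults to no".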
1928
1942
or (on W32 systems) by means on the Registry entry
1929
1943
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1931
`--pcsc-driver `file''
1932
Use `file' to access the smartcard reader. The current default is
1933
`libpcsclite.so.1' for GLIBC based systems,
1934
`/System/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X,
1935
`winscard.dll' for Windows and `libpcsclite.so' for other systems.
1938
Disable the integrated support for CCID compliant readers. This
1939
allows to fall back to one of the other drivers even if the
1940
internal CCID driver can handle the reader. Note, that CCID
1941
support is only available if libusb was available at build time.
1943
`--reader-port `number_or_string''
1944
This option may be used to specify the port of the card terminal. A
1945
value of 0 refers to the first serial device; add 32768 to access
1946
USB devices. The default is 32768 (first USB device). PC/SC or CCID
1947
readers might need a string here; run the program in verbose mode
1948
to get a list of available readers. The default is then the first
1951
1945
`--display-charset `name''
1952
1946
Set the name of the native character set. This is used to convert
1953
1947
some informational strings like user IDs to the proper UTF-8
2742
2736
File: gnupg.info, Node: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options
2744
3.2.6 Doing things one usually don't want to do.
2745
------------------------------------------------
2738
3.2.6 Doing things one usually doesn't want to do.
2739
--------------------------------------------------
3130
3124
`--allow-secret-key-import'
3131
3125
This is an obsolete option and is not used anywhere.
3133
`--allow-multisig-verification'
3134
Allow verification of concatenated signed messages. This will run a
3135
signature verification for each data+signature block. There are
3136
some security issues with this option and thus it is off by
3137
default. Note that versions of GPG prior to version 1.4.3
3138
implicitly allowed this.
3127
`--allow-multiple-messages'
3129
`--no-allow-multiple-messages'
3130
Allow processing of multiple OpenPGP messages contained in a single
3131
file or stream. Some programs that call GPG are not prepared to
3132
deal with multiple messages being processed together, so this
3133
option defaults to no. Note that versions of GPG prior to 1.4.7
3134
always allowed multiple messages.
3140
3136
`--enable-special-filenames'
3141
3137
This options enables a mode in which filenames of the form `-&n',
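Review bot: the replacement entry for `--allow-multiple-messages' drops the sentence from the removed `--allow-multisig-verification' entry, "There are some security issues with this option", and gives only caller compatibility as the reason for defaulting to no. If the security concern still applies, keep a sentence saying so. Also state whether the old option name is still accepted, since existing command lines and option files may still use it.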
3196
3192
keyring a given key resides on. This option is deprecated: use
3197
3193
`--list-options [no-]show-keyring' instead.
3199
`--ctapi-driver `file''
3200
Use `file' to access the smartcard reader. The current default is
3201
`libtowitoko.so'. Note that the use of this interface is
3202
deprecated; it may be removed in future releases.
3204
3195
`--always-trust'
3205
3196
Identical to `--trust-model always'. This option is deprecated.
3296
3287
Used to size some displays to the full size of the screen.
3290
Apart from its use by GNU, it is used in the W32 version to
3291
override the language selection done through the Registry. If
3292
used and set to a a valid and available language name (LANGID),
3293
the file with the translation is loaded from
3294
`GPGDIR/gnupg.nls/LANGID.mo'. Here GPGDIR is the directory out of
3295
which the gpg binary has been laoded. If it can't be loaded the
3296
Registry is tried as a fallback.
3300
3300
File: gnupg.info, Node: GPG Examples, Prev: GPG Configuration, Up: Invoking GPG
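Review bot: two typos in the added paragraph on overriding the W32 language selection: "set to a a valid and available language name" has a doubled "a", and "has been laoded" should be "has been loaded". The closing sentence, "If it can't be loaded the Registry is tried as a fallback", would be clearer if it named what "it" is (the translation file).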
4611
4611
------------------------------------------
4613
4613
This is an application as described in the German draft standard _DIN V
4614
66291-1_. It is intended to be used by cards supporteing the German
4614
66291-1_. It is intended to be used by cards supporting the German
4615
4615
signature law and its bylaws (SigG and SigV).
5064
5064
* gpgv:: Verify OpenPGP signatures.
5065
5065
* addgnupghome:: Create .gnupg home directories.
5066
5066
* gpgconf:: Modify .gnupg home directories.
5067
* applygnupgdefaults:: Run gpgconf for all users.
5067
5068
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
5068
5069
* gpg-preset-passphrase:: Put a passphrase into the cache.
5069
5070
* gpg-connect-agent:: Communicate with a running agent.
5104
5105
Display a brief help page and exit
5107
`gpg'(1), `gpgsm'(1), `gpg-agent'(1), `scdaemon'(1)
5110
5109
File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
5221
5220
addgnupghome account1 account2 ... accountn
5224
File: gnupg.info, Node: gpgconf, Next: gpgsm-gencert.sh, Prev: addgnupghome, Up: Helper Tools
5223
File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
5226
5225
7.4 Modify .gnupg home directories.
5227
5226
===================================
5260
5259
* Listing components:: List all gpgconf components.
5261
5260
* Listing options:: List all options of a component.
5262
5261
* Changing options:: Changing options of a component.
5262
* Files used by gpgconf:: What files are used by gpgconf.
5264
5264
---------- Footnotes ----------
5287
5287
`--change-options COMPONENT'
5288
5288
Change the options of the component COMPONENT.
5291
Update all configuration files with values taken from the global
5292
configuration file (usually `/etc/gnupg/gpgconf.conf').
5294
`--check-config [FILENAME]'
5295
Run a syntax check ion the global configuration file. If FILENAME
5296
is given, check that file instead.
5290
5299
The following options may be used:
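Review bot: in the added `--check-config [FILENAME]' entry, "Run a syntax check ion the global configuration file" should read "on". The entry should also say how a failed check is reported (exit status or message), which an admin needs in order to run the check before rolling out a changed `/etc/gnupg/gpgconf.conf'.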
5520
5529
If this flag is set, and the `optional arg' flag is set, then
5521
5530
the option has a special meaning if no argument is given.
5533
If this flag is set, gpgconf ignores requests to change the
5534
value. GUI frontends should grey out this option. Note,
5535
that manual changes of the configuration files are still
5524
5539
This field is defined for options and for groups. It contains an
5525
5540
_unsigned number_ that specifies the expert level under which this
5630
5645
itself does not take a real argument.
5633
File: gnupg.info, Node: Changing options, Prev: Listing options, Up: gpgconf
5648
File: gnupg.info, Node: Changing options, Next: Files used by gpgconf, Prev: Listing options, Up: gpgconf
5635
5650
7.4.5 Changing options
5636
5651
----------------------
5675
5690
The `--runtime' option can influence when the changes take effect.
5677
`gpg'(1), `gpgsm'(1), `gpg-agent'(1), `scdaemon'(1), `dirmngr'(1)
5680
File: gnupg.info, Node: gpgsm-gencert.sh, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
5682
7.5 Generate an X.509 certificate request
5693
File: gnupg.info, Node: Files used by gpgconf, Prev: Changing options, Up: gpgconf
5695
7.4.6 Files used by gpgconf
5696
---------------------------
5698
`/etc/gnupg/gpgconf.conf'
5699
If this file exists, it is processed as a global configuration
5700
file. A commented example can be found in the `examples'
5701
directory of the distribution.
5704
File: gnupg.info, Node: applygnupgdefaults, Next: gpgsm-gencert.sh, Prev: gpgconf, Up: Helper Tools
5706
7.5 Run gpgconf for all users.
5707
==============================
5709
This script is a wrapper around `gpgconf' to run it with the command
5710
`--apply-defaults' for all real users with an existing GnuPG home
5711
directory. Admins might want to use this script to update he GnuPG
5712
configuration files for all users after `/etc/gnupg/gpgconf.conf' has
5713
been changed. This allows to enforce certain policies for all users.
5714
Note, that this is not a bulletproof of forcing a user to use certain
5715
options. A user may always directly edit the configuration files and
5718
`applygnupgdefaults' is invoked by root as:
5723
File: gnupg.info, Node: gpgsm-gencert.sh, Next: gpg-preset-passphrase, Prev: applygnupgdefaults, Up: Helper Tools
5725
7.6 Generate an X.509 certificate request
5683
5726
=========================================
5685
5728
This is a simple tool to interactivly generate a certificate request
5690
5733
`gpgsm-cencert.sh'
5692
`gpgsm'(1), `gpg-agent'(1), `scdaemon'(1)
5695
5736
File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: gpgsm-gencert.sh, Up: Helper Tools
5697
7.6 Put a passphrase into the cache.
5738
7.7 Put a passphrase into the cache.
5698
5739
====================================
5700
5741
The `gpg-preset-passphrase' is a utility to seed the internal cache of
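Review bot: the added `applygnupgdefaults' description has two wording errors that blur its security caveat: "update he GnuPG configuration files" should be "the", and "this is not a bulletproof of forcing a user" is missing a noun ("a bulletproof way of forcing"). Since the paragraph presents the script as a way to enforce policy, the statement that a user may always directly edit the configuration files should be kept prominent. In the renumbered gpgsm-gencert.sh section below it, the invocation line still reads `gpgsm-cencert.sh', which does not match the node name, and "interactivly" should be "interactively".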
5717
5758
File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
5719
7.6.1 List of all commands and options.
5760
7.7.1 List of all commands and options.
5720
5761
---------------------------------------
5722
5763
`gpg-preset-passphrase' is invoked this way:
5749
5790
STRING as passphrase. Note that this makes the passphrase visible
5750
5791
for other users.
5752
`gpg'(1), `gpgsm'(1), `gpg-agent'(1), `scdaemon'(1)
5755
5794
File: gnupg.info, Node: gpg-connect-agent, Next: gpgparsemail, Prev: gpg-preset-passphrase, Up: Helper Tools
5757
7.7 Communicate with a running agent.
5796
7.8 Communicate with a running agent.
5758
5797
=====================================
5760
5799
The `gpg-connect-agent' is a utility to communicate with a running
5775
5814
File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
5777
7.7.1 List of all options.
5816
7.8.1 List of all options.
5778
5817
--------------------------
5780
5819
`gpg-connect-agent' is invoked this way:
5864
5903
File: gnupg.info, Node: gpgparsemail, Next: symcryptrun, Prev: gpg-connect-agent, Up: Helper Tools
5866
7.8 Parse a mail message into an annotated format
5905
7.9 Parse a mail message into an annotated format
5867
5906
=================================================
5869
5908
The `gpgparsemail' is a utility currently only useful for debugging.
5873
5912
File: gnupg.info, Node: symcryptrun, Prev: gpgparsemail, Up: Helper Tools
5875
7.9 Call a simple symmetric encryption tool.
5876
============================================
5914
7.10 Call a simple symmetric encryption tool.
5915
=============================================
5878
5917
Sometimes simple encryption tools are already in use for a long time and
5879
5918
there might be a desire to integrate them into the GnuPG framework. The
5895
5934
File: gnupg.info, Node: Invoking symcryptrun, Up: symcryptrun
5897
7.9.1 List of all commands and options.
5898
---------------------------------------
5936
7.10.1 List of all commands and options.
5937
----------------------------------------
5900
5939
`symcryptrun' is invoked this way:
5956
5995
The operation was canceled by the user.
5959
`gpg'(1), `gpgsm'(1), `gpg-agent'(1),
5962
5999
File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Helper Tools, Up: Top
6168
6205
new display you should issue the above command before invoking ssh
6169
6206
or any other service making use of ssh.
6208
* Exporting a secret key without a certificate
6210
I may happen that you have created a certificate request using
6211
`gpgsm' but not yet received and imported the certificate from the
6212
CA. However, you want to export the secret key to another machine
6213
right now to import the certificate over there then. You can do
6214
this with a little trick but it requires that you know the
6215
approximate time you created the signing request. By running the
6218
ls -ltr ~/.gnupg/private-keys-v1.d
6220
you get a listing of all private keys under control of `gpg-agent'.
6221
Pick the key which best matches the creation time and run the
6224
/usr/local/libexec/gpg-protect-tool --p12-export ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
6226
(Please adjust the path to `gpg-protect-tool' to the approriate
6227
location). FOO is the name of the key file you picked (it should
6228
have the suffix `.key'). A Pinentry box will pop up and ask you
6229
for the current passphrase of the key and a new passphrase to
6230
protect it in the pkcs#12 file.
6232
To import the created file on the machine you use this command:
6234
/usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
6236
You will be asked for the pkcs#12 passphrase and a new passphrase
6237
to protect the imported private key at its new location.
6239
Note that there is no easy way to match existing certificates with
6240
stored private keys because some private keys are used for Secure
6241
Shell or other purposes and don't have a corresponding certificate.
6173
6245
File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
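Review bot: the added "Exporting a secret key without a certificate" item writes the exported key through a shell redirect (`>FOO.p12') and never says what to do with that file afterwards; add a sentence advising a restrictive umask before the export and removal of FOO.p12 once the import has succeeded. Typos in the same item: "I may happen" should be "It may happen" and "approriate" should be "appropriate". "To import the created file on the machine you use this command" should say which machine is meant.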
6760
6832
* default-key: GPG Configuration Options.
6762
6834
* default-keyserver-url: GPG Esoteric Options.
6764
6836
* default-preference-list: GPG Esoteric Options.
6766
6838
* default-recipient: GPG Configuration Options.
6768
6840
* default-recipient-self: GPG Configuration Options.
6788
6860
* disable-keypad: Scdaemon Options. (line 143)
6789
6861
* disable-ocsp: Certificate Options. (line 41)
6790
6862
* disable-policy-checks: Certificate Options. (line 8)
6791
* disable-scdaemon: Agent Options. (line 182)
6863
* disable-scdaemon: Agent Options. (line 191)
6792
6864
* disable-trusted-cert-crl-check: Certificate Options. (line 19)
6793
* display: Agent Options. (line 204)
6865
* display: Agent Options. (line 213)
6794
6866
* dry-run: GPG Esoteric Options.
6796
6868
* dump-cert: Certificate Management.
6814
6886
* enable-crl-checks: Certificate Options. (line 13)
6815
6887
* enable-ocsp: Certificate Options. (line 41)
6816
6888
* enable-policy-checks: Certificate Options. (line 8)
6817
* enable-ssh-support: Agent Options. (line 214)
6889
* enable-ssh-support: Agent Options. (line 223)
6818
6890
* enable-trusted-cert-crl-check: Certificate Options. (line 19)
6819
6891
* enarmor: Operational GPG Commands.
6862
6934
* gnupg: OpenPGP Options. (line 104)
6863
6935
* gpgconf-list: GPG Esoteric Options.
6865
6937
* gpgconf-test: GPG Esoteric Options.
6867
6939
* help <1>: watchgnupg. (line 31)
6868
6940
* help <2>: Scdaemon Commands. (line 14)
6869
6941
* help <3>: General GPGSM Commands.
6882
6954
* homedir <5>: Configuration Options.
6884
6956
* homedir <6>: GPG Configuration Options.
6886
6958
* homedir: Agent Options. (line 13)
6887
6959
* ignore-cache-for-signing: Agent Options. (line 143)
6888
6960
* ignore-time-conflict: gpgv. (line 47)
6895
6967
* include-certs: CMS Options. (line 7)
6896
6968
* interactive: GPG Esoteric Options.
6898
* keep-display: Agent Options. (line 209)
6899
* keep-tty: Agent Options. (line 209)
6970
* keep-display: Agent Options. (line 218)
6971
* keep-tty: Agent Options. (line 218)
6900
6972
* keydb-clear-some-cert-flags: Certificate Management.
6902
6974
* keyedit:addcardkey: OpenPGP Key Management.
6976
7048
* keyedit:uid: OpenPGP Key Management.
6978
7050
* keyring: gpgv. (line 34)
6979
* lc-messages: Agent Options. (line 204)
6980
* lc-type: Agent Options. (line 204)
7051
* lc-messages: Agent Options. (line 213)
7052
* lc-type: Agent Options. (line 213)
6981
7053
* learn-card: Certificate Management.
6983
7055
* list-chain: Certificate Management.
6985
7057
* list-config: GPG Esoteric Options.
6987
7059
* list-keys <1>: Certificate Management.
6989
7061
* list-keys: Operational GPG Commands.
7021
7093
* lsign-key: OpenPGP Key Management.
7023
7095
* mangle-dos-filenames: GPG Configuration Options.
7025
7097
* max-cache-ttl: Agent Options. (line 157)
7026
7098
* max-cache-ttl-ssh: Agent Options. (line 162)
7027
7099
* max-output: GPG Input and Output.
7039
7111
* no-grab: Agent Options. (line 130)
7040
7112
* no-mangle-dos-filenames: GPG Configuration Options.
7042
7114
* no-secmem-warning: Configuration Options.
7044
* no-use-standard-socket: Agent Options. (line 189)
7116
* no-use-standard-socket: Agent Options. (line 198)
7045
7117
* no-verbose: GPG Configuration Options.
7047
7119
* openpgp: OpenPGP Options. (line 112)
7062
7134
* pgp7: OpenPGP Options. (line 152)
7063
7135
* pgp8: OpenPGP Options. (line 158)
7064
7136
* pinentry-program: Agent Options. (line 173)
7137
* pinentry-touch-file: Agent Options. (line 177)
7065
7138
* policy-file: Configuration Options.
7067
7140
* prefer-system-dirmngr: Configuration Options.
7101
7174
* S: Invoking gpg-connect-agent.
7103
7176
* s: Agent Options. (line 112)
7104
* scdaemon-program: Agent Options. (line 177)
7177
* scdaemon-program: Agent Options. (line 186)
7105
7178
* search-keys: Operational GPG Commands.
7107
7180
* send-keys: Operational GPG Commands.
7123
7196
* symmetric: Operational GPG Commands.
7125
* ttyname: Agent Options. (line 204)
7126
* ttytype: Agent Options. (line 204)
7198
* ttyname: Agent Options. (line 213)
7199
* ttytype: Agent Options. (line 213)
7127
7200
* update-trustdb: Operational GPG Commands.
7129
* use-standard-socket: Agent Options. (line 189)
7202
* use-standard-socket: Agent Options. (line 198)
7130
7203
* v <1>: Scdaemon Options. (line 23)
7131
7204
* v <2>: Configuration Options.
7171
7244
* with-validation: Input and Output. (line 45)
7172
7245
* write-env-file: Agent Options. (line 118)
7175
File: gnupg.info, Node: Index, Prev: Option Index, Up: Top