1
This is gnupg.info, produced by makeinfo version 4.8 from gnupg.texi.
3
This is the `The GNU Privacy Guard Manual' (version 2.0.9,
6
Copyright (C) 2002, 2004, 2005, 2006, 2007 Free Software Foundation,
9
Permission is granted to copy, distribute and/or modify this
10
document under the terms of the GNU General Public License as
11
published by the Free Software Foundation; either version 3 of the
12
License, or (at your option) any later version. The text of the
13
license can be found in the section entitled "Copying".
15
INFO-DIR-SECTION GNU Utilities
17
* gpg2: (gnupg). OpenPGP encryption and signing tool.
18
* gpgsm: (gnupg). S/MIME encryption and signing tool.
22
File: gnupg.info, Node: Top, Next: Installation, Up: (dir)
24
Using the GNU Privacy Guard
25
***************************
27
This is the `The GNU Privacy Guard Manual' (version 2.0.9, March 2008).
29
Copyright (C) 2002, 2004, 2005, 2006, 2007 Free Software Foundation,
32
Permission is granted to copy, distribute and/or modify this
33
document under the terms of the GNU General Public License as
34
published by the Free Software Foundation; either version 3 of the
35
License, or (at your option) any later version. The text of the
36
license can be found in the section entitled "Copying".
38
This manual documents how to use the GNU Privacy Guard system as
39
well as the administration and the architecture.
43
* Installation:: A short installation guide.
45
* Invoking GPG-AGENT:: How to launch the secret key daemon.
46
* Invoking GPG:: Using the OpenPGP protocol.
47
* Invoking GPGSM:: Using the S/MIME protocol.
48
* Invoking SCDAEMON:: How to handle Smartcards.
49
* Specify a User ID:: How to Specify a User Id.
51
* Helper Tools:: Description of small helper tools
53
* Howtos:: How to do certain things.
54
* System Notes:: Notes pertaining to certain OSes.
55
* Debugging:: How to solve problems
57
* Copying:: GNU General Public License says
58
how you can copy and share GnuPG
59
* Contributors:: People who have contributed to GnuPG.
61
* Glossary:: Short description of terms used.
62
* Option Index:: Index to command line options.
63
* Index:: Index of concepts and symbol names.
66
File: gnupg.info, Node: Installation, Next: Invoking GPG-AGENT, Prev: Top, Up: Top
68
1 A short installation guide.
69
*****************************
71
Unfortunately the installation guide has not been finished in time.
72
Instead of delaying the release of GnuPG 2.0 even further, I decided to
73
release without that guide. The chapter on gpg-agent and gpgsm do
74
include brief information on how to set up the whole thing. Please
75
watch the GnuPG website for updates of the documentation. In the
76
meantime you may search the GnuPG mailing list archives or ask on the
77
gnupg-users mailing listsfor advise on how to solve problems or how to
78
get that whole thing up and running.
80
Such questions may also help to write a proper installation guide.
84
XXX Tell how to setup the system, install certificates, how dirmngr
87
** Explain how to setup a root CA key as trusted
89
X.509 is based on a hierarchical key infrastructure. At the root of
90
the tree a trusted anchor (root certificate) is required. There are
91
usually no other means of verifying whether this root certificate is
92
trustworthy than looking it up in a list. GnuPG uses a file
93
(`trustlist.txt') to keep track of all root certificates it knows
94
about. There are 3 ways to get certificates into this list:
96
* Use the list which comes with GnuPG. However this list only
97
contains a few root certifciates. Most installations will need
100
* Let `gpgsm' ask you whether you want to insert a new root
101
certificate. To enable this feature you need to set the option
102
`allow-mark-trusted' into `gpg-agent.conf'. In general it is not
103
a good idea to do it this way. Checking whether a root
104
certificate is really trustworthy requires a decsions, which casual
105
usuers are not up to. Thus, by default this option is not enabled.
107
* Manually maintain the list of trusted root certificates. For a
108
multi user installation this can be done once for all users on a
109
machine. Specific changes on a per-user base are also possible.
111
XXX decribe how to maintain trustlist.txt and
112
/etc/gnupg/trustlist.txt.
114
** How to get the ssh support running
116
XXX How to use the ssh support.
118
1.1 Installation Overview
119
=========================
124
File: gnupg.info, Node: Invoking GPG-AGENT, Next: Invoking GPG, Prev: Installation, Up: Top
129
`gpg-agent' is a daemon to manage secret (private) keys independently
130
from any protocol. It is used as a backend for `gpg' and `gpgsm' as
131
well as for a couple of other utilities.
133
The usual way to run the agent is from the `~/.xsession' file:
135
eval `gpg-agent --daemon`
137
If you don't use an X server, you can also put this into your regular
138
startup file `~/.profile' or `.bash_profile'. It is best not to run
139
multiple instance of the `gpg-agent', so you should make sure that only
140
one is running: `gpg-agent' uses an environment variable to inform
141
clients about the communication parameters. You can write the content
142
of this environment variable to a file so that you can test for a
143
running agent. This short script may do the job:
145
if test -f $HOME/.gpg-agent-info && \
146
kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
147
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
148
export GPG_AGENT_INFO
150
eval `gpg-agent --daemon`
151
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
154
Note that the new option `--write-env-file' may be used instead.
156
You should always add the following lines to your `.bashrc' or whatever
157
initialization file is used for all shell invocations:
162
It is important that this environment variable always reflects the
163
output of the `tty' command. For W32 systems this option is not
166
Please make sure that a proper pinentry program has been installed
167
under the default filename (which is system dependant) or use the
168
option `pinentry-program' to specify the full name of that program. It
169
is often useful to install a symbolic link from the actual used
170
pinentry (e.g. `/usr/bin/pinentry-gtk') to the expected one (e.g.
171
`/usr/bin/pinentry').
173
*Note Option Index::,for an index to `GPG-AGENT''s commands and options.
177
* Agent Commands:: List of all commands.
178
* Agent Options:: List of all options.
179
* Agent Configuration:: Configuration files.
180
* Agent Signals:: Use of some signals.
181
* Agent Examples:: Some usage examples.
182
* Agent Protocol:: The protocol the agent uses.
185
File: gnupg.info, Node: Agent Commands, Next: Agent Options, Up: Invoking GPG-AGENT
190
Commands are not distinguished from options except for the fact that
191
only one command is allowed.
194
Print the program version and licensing information. Not that you
195
can abbreviate this command.
199
Print a usage message summarizing the most useful command-line
200
options. Not that you can abbreviate this command.
203
Print a list of all available options and commands. Not that you
204
can abbreviate this command.
207
Run in server mode and wait for commands on the `stdin'. The
208
default mode is to create a socket and listen for commands there.
210
`--daemon [COMMAND LINE]'
211
Run the program in the background. This option is required to
212
prevent it from being accidently running in the background. A
213
common way to do this is:
214
$ eval `gpg-agent -daemon`
217
File: gnupg.info, Node: Agent Options, Next: Agent Configuration, Prev: Agent Commands, Up: Invoking GPG-AGENT
223
Reads configuration from FILE instead of from the default per-user
224
configuration file. The default configuration file is named
225
`gpg-agent.conf' and expected in the `.gnupg' directory directly
226
below the home directory of the user.
229
Set the name of the home directory to DIR. If his option is not
230
used, the home directory defaults to `~/.gnupg'. It is only
231
recognized when given on the command line. It also overrides any
232
home directory stated through the environment variable `GNUPGHOME'
233
or (on W32 systems) by means on the Registry entry
234
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
239
Outputs additional information while running. You can increase
240
the verbosity by giving several verbose commands to `gpgsm', such
246
Try to be as quiet as possible.
249
Don't invoke a pinentry or do any other thing requiring human
252
`--faked-system-time EPOCH'
253
This option is only useful for testing; it sets the system time
254
back or forth to EPOCH which is the number of seconds elapsed
257
`--debug-level LEVEL'
258
Select the debug level for investigating problems. LEVEL may be
265
some basic debug messages
268
more verbose debug messages
271
even more detailed messages
274
all of the debug messages you can get
276
How these messages are mapped to the actual debugging flags is not
277
specified and may change with newer releases of this program. They
278
are however carefully selected to best aid in debugging.
281
This option is only useful for debugging and the behaviour may
282
change at any time without notice. FLAGS are bit encoded and may
283
be given in usual C-Syntax. The currently defined bits are:
286
X.509 or OpenPGP protocol related data
289
values of big number integers
292
low level crypto operations
301
show memory statistics.
304
write hashed data to files named `dbgmd-000*'
307
trace Assuan protocol
310
bypass all certificate validation
313
Same as `--debug=0xffffffff'
316
When running in server mode, wait N seconds before entering the
317
actual processing loop and print the pid. This gives time to
321
Don't detach the process from the console. This is mainly useful
328
Format the info output in daemon mode for use with the standard
329
Bourne shell or the C-shell respectively. The default is to guess
330
it based on the environment variable `SHELL' which is correct in
333
`--write-env-file FILE'
334
Often it is required to connect to the agent from a process not
335
being an inferior of `gpg-agent' and thus the environment variable
336
with the socket name is not available. To help setting up those
337
variables in other sessions, this option may be used to write the
338
information into FILE. If FILE is not specified the default name
339
`${HOME}/.gpg-agent-info' will be used. The format is suitable to
340
be evaluated by a Bourne shell like in this simple example:
343
eval `cut -d= -f 1 < FILE | xargs echo export`
346
Tell the pinentry not to grab the keyboard and mouse. This option
347
should in general not be used to avoid X-sniffing attacks.
350
Append all logging output to FILE. This is very helpful in seeing
351
what the agent actually does.
353
`--allow-mark-trusted'
354
Allow clients to mark keys as trusted, i.e. put them into the
355
`trustlist.txt' file. This is by default not allowed to make it
356
harder for users to inadvertently accept Root-CA keys.
358
`--ignore-cache-for-signing'
359
This option will let `gpg-agent' bypass the passphrase cache for
360
all signing operation. Note that there is also a per-session
361
option to control this behaviour but this command line option
364
`--default-cache-ttl N'
365
Set the time a cache entry is valid to N seconds. The default is
368
`--default-cache-ttl-ssh N'
369
Set the time a cache entry used for SSH keys is valid to N
370
seconds. The default is 1800 seconds.
373
Set the maximum time a cache entry is valid to N seconds. After
374
this time a cache entry will be expired even if it has been
375
accessed recently. The default is 2 hours (7200 seconds).
377
`--max-cache-ttl-ssh N'
378
Set the maximum time a cache entry used for SSH keys is valid to N
379
seconds. After this time a cache entry will be expired even if it
380
has been accessed recently. The default is 2 hours (7200 seconds).
382
`--enforce-passphrase-constraints'
383
Enforce the passphrase constraints by not allowing the user to
384
bypass them using the "Take it anyway" button.
386
`--min-passphrase-len N'
387
Set the minimal length of a passphrase. When entering a new
388
passphrase shorter than this value a warning will be displayed.
391
`--min-passphrase-nonalpha N'
392
Set the minimal number of digits or special characters required in
393
a passphrase. When entering a new passphrase with less than this
394
number of digits or special characters a warning will be
395
displayed. Defaults to 1.
397
`--check-passphrase-pattern FILE'
398
Check the passphrase against the pattern given in FILE. When
399
entering a new passphrase matching one of these pattern a warning
400
will be displayed. FILE should be an absolute filename. The
401
default is not to use any pattern file.
403
Security note: It is known that checking a passphrase against a
404
list of pattern or even against a complete dictionary is not very
405
effective to enforce good passphrases. Users will soon figure up
406
ways to bypass such a policy. A better policy is to educate users
407
on good security behavior and optionally to run a passphrase
408
cracker regularly on all users passphrases to catch the very
411
`--max-passphrase-days N'
412
Ask the user to change the passphrase if N days have passed since
413
the last change. With `--enforce-passphrase-constraints' set the
414
user may not bypass this check.
416
`--enable-passphrase-history'
417
This option does nothing yet.
419
`--pinentry-program FILENAME'
420
Use program FILENAME as the PIN entry. The default is installation
421
dependent and can be shown with the `--version' command.
423
`--pinentry-touch-file FILENAME'
424
By default the filename of the socket gpg-agent is listening for
425
requests is passed to Pinentry, so that it can touch that file
426
before exiting (it does this only in curses mode). This option
427
changes the file passed to Pinentry to FILENAME. The special name
428
`/dev/null' may be used to completely disable this feature. Note
429
that Pinentry will not create that file, it will only change the
430
modification and access time.
432
`--scdaemon-program FILENAME'
433
Use program FILENAME as the Smartcard daemon. The default is
434
installation dependent and can be shown with the `--version'
438
Do not make use of the scdaemon tool. This option has the effect
439
of disabling the ability to do smartcard operations. Note, that
440
enabling this option at runtime does not kill an already forked
443
`--use-standard-socket'
444
`--no-use-standard-socket'
445
By enabling this option `gpg-agent' will listen on the socket
446
named `S.gpg-agent', located in the home directory, and not create
447
a random socket below a temporary directory. Tools connecting to
448
`gpg-agent' should first try to connect to the socket given in
449
environment variable GPG_AGENT_INFO and then fall back to this
450
socket. This option may not be used if the home directory is
451
mounted as a remote file system. Note, that
452
`--use-standard-socket' is the default on Windows systems.
458
`--lc-messages STRING'
459
`--xauthority STRING'
460
These options are used with the server mode to pass localization
465
Ignore requests to change the current `tty' or X window system's
466
`DISPLAY' variable respectively. This is useful to lock the
467
pinentry to pop up at the `tty' or display you started the agent.
469
`--enable-ssh-support'
470
Enable emulation of the OpenSSH Agent protocol.
472
In this mode of operation, the agent does not only implement the
473
gpg-agent protocol, but also the agent protocol used by OpenSSH
474
(through a separate socket). Consequently, it should be possible
475
to use the gpg-agent as a drop-in replacement for the well known
478
SSH Keys, which are to be used through the agent, need to be added
479
to the gpg-agent initially through the ssh-add utility. When a
480
key is added, ssh-add will ask for the password of the provided
481
key file and send the unprotected key material to the agent; this
482
causes the gpg-agent to ask for a passphrase, which is to be used
483
for encrypting the newly received key and storing it in a
484
gpg-agent specific directory.
486
Once a key has been added to the gpg-agent this way, the gpg-agent
487
will be ready to use the key.
489
Note: in case the gpg-agent receives a signature request, the user
490
might need to be prompted for a passphrase, which is necessary for
491
decrypting the stored key. Since the ssh-agent protocol does not
492
contain a mechanism for telling the agent on which
493
display/terminal it is running, gpg-agent's ssh-support will use
494
the TTY or X display where gpg-agent has been started. To switch
495
this display to the current one, the following command may be used:
497
echo UPDATESTARTUPTTY | gpg-connect-agent
500
All the long options may also be given in the configuration file
501
after stripping off the two leading dashes.
504
File: gnupg.info, Node: Agent Configuration, Next: Agent Signals, Prev: Agent Options, Up: Invoking GPG-AGENT
509
There are a few configuration files needed for the operation of the
510
agent. By default they may all be found in the current home directory
511
(*note option --homedir::).
514
This is the standard configuration file read by `gpg-agent' on
515
startup. It may contain any valid long option; the leading two
516
dashes may not be entered and the option may not be abbreviated.
517
This file is also read after a `SIGHUP' however only a few
518
options will actually have an effect. This default name may be
519
changed on the command line (*note option --options::).
522
This is the list of trusted keys. Comment lines, indicated by a
523
leading hash mark, as well as empty lines are ignored. To mark
524
a key as trusted you need to enter its fingerprint followed by a
525
space and a capital letter `S'. Colons may optionally be used
526
to separate the bytes of a fingerprint; this allows to cut and
527
paste the fingerprint from a key listing output.
529
Here is an example where two keys are marked as ultimately trusted:
531
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
532
A6935DD34EF3087973C706FC311AA2CCF733765B S
534
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
535
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
537
Before entering a key into this file, you need to ensure its
538
authenticity. How to do this depends on your organisation; your
539
administrator might have already entered those keys which are
540
deemed trustworthy enough into this file. Places where to look
541
for the fingerprint of a root certificate are letters received
542
from the CA or the website of the CA (after making 100% sure that
543
this is indeed the website of that CA). You may want to consider
544
allowing interactive updates of this file by using the *Note
545
option --allow-mark-trusted::. This is however not as secure as
546
maintaining this file manually. It is even advisable to change
547
the permissions to read-only so that this file can't be changed
550
As a special feature a line `include-default' will include a global
551
list of trusted certificates (e.g. `/etc/gnupg/trustlist.txt').
552
This global list is also used if the local list is not available.
554
It is possible to add further flags after the `S' for use by the
558
Relax checking of some root certificate requirements. This
559
is for example required if the certificate is missing the
560
basicConstraints attribute (despite that it is a MUST for CA
564
If validation of a certificate finally issued by a CA with
565
this flag set fails, try again using the chain validation
570
This file is used when support for the secure shell agent protocol
571
has been enabled (*note option --enable-ssh-support::). Only keys
572
present in this file are used in the SSH protocol. The `ssh-add'
573
tool may be used to add new entries to this file; you may also add
574
them manually. Comment lines, indicated by a leading hash mark,
575
as well as empty lines are ignored. An entry starts with optional
576
whitespace, followed by the keygrip of the key given as 40 hex
577
digits, optionally followed by the caching TTL in seconds and
578
another optional field for arbitrary flags. The keygrip may be
579
prefixed with a `!' to disable this entry.
581
The following example lists exactly one key. Note that keys
582
available through a OpenPGP smartcard in the active smartcard
583
reader are implicitly added to this list; i.e. there is no need to
586
# Key added on 2005-02-25 15:08:29
587
5A6592BF45DC73BD876874A28FD4639282E29B52 0
590
This is the directory where gpg-agent stores the private keys.
591
Each key is stored in a file with the name made up of the
592
keygrip and the suffix `key'.
595
Note that on larger installations, it is useful to put predefined
596
files into the directory `/etc/skel/.gnupg/' so that newly created
597
users start up with a working configuration. For existing users the a
598
small helper script is provided to create these files (*note
602
File: gnupg.info, Node: Agent Signals, Next: Agent Examples, Prev: Agent Configuration, Up: Invoking GPG-AGENT
604
2.4 Use of some signals.
605
========================
607
A running `gpg-agent' may be controlled by signals, i.e. using the
608
`kill' command to send a signal to the process.
610
Here is a list of supported signals:
613
This signal flushes all cached passphrases and if the program has
614
been started with a configuration file, the configuration file is
615
read again. Only certain options are honored: `quiet', `verbose',
616
`debug', `debug-all', `debug-level', `no-grab',
617
`pinentry-program', `default-cache-ttl', `max-cache-ttl',
618
`ignore-cache-for-signing', `allow-mark-trusted' and
619
`disable-scdaemon'. `scdaemon-program' is also supported but due
620
to the current implementation, which calls the scdaemon only once,
621
it is not of much use unless you manually kill the scdaemon.
624
Shuts down the process but waits until all current requests are
625
fulfilled. If the process has received 3 of these signals and
626
requests are still pending, a shutdown is forced.
629
Shuts down the process immediately.
632
Dump internal information to the log file.
635
This signal is used for internal purposes.
639
File: gnupg.info, Node: Agent Examples, Next: Agent Protocol, Prev: Agent Signals, Up: Invoking GPG-AGENT
644
The usual way to invoke `gpg-agent' is
646
$ eval `gpg-agent --daemon`
648
An alternative way is by replacing `ssh-agent' with `gpg-agent'. If
649
for example `ssh-agent' is started as part of the Xsession
650
initialization, you may simply replace `ssh-agent' by a script like:
654
exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \
655
--write-env-file ${HOME}/.gpg-agent-info "$@"
657
and add something like (for Bourne shells)
659
if [ -f "${HOME}/.gpg-agent-info" ]; then
660
. "${HOME}/.gpg-agent-info"
661
export GPG_AGENT_INFO
666
to your shell initialization file (e.g. `~/.bashrc').
669
File: gnupg.info, Node: Agent Protocol, Prev: Agent Examples, Up: Invoking GPG-AGENT
671
2.6 Agent's Assuan Protocol
672
===========================
674
Note: this section does only document the protocol, which is used by
675
GnuPG components; it does not deal with the ssh-agent protocol.
677
The `gpg-agent' should be started by the login shell and set an
678
environment variable to tell clients about the socket to be used.
679
Clients should deny to access an agent with a socket name which does
680
not match its own configuration. An application may choose to start an
681
instance of the gpgagent if it does not figure that any has been
682
started; it should not do this if a gpgagent is running but not usable.
683
Because `gpg-agent' can only be used in background mode, no special
684
command line option is required to activate the use of the protocol.
686
To identify a key we use a thing called keygrip which is the SHA-1
687
hash of an canoncical encoded S-Expression of the the public key as
688
used in Libgcrypt. For the purpose of this interface the keygrip is
689
given as a hex string. The advantage of using this and not the hash of
690
a certificate is that it will be possible to use the same keypair for
691
different protocols, thereby saving space on the token used to keep the
696
* Agent PKDECRYPT:: Decrypting a session key
697
* Agent PKSIGN:: Signing a Hash
698
* Agent GENKEY:: Generating a Key
699
* Agent IMPORT:: Importing a Secret Key
700
* Agent EXPORT:: Exporting a Secret Key
701
* Agent ISTRUSTED:: Importing a Root Certificate
702
* Agent GET_PASSPHRASE:: Ask for a passphrase
703
* Agent GET_CONFIRMATION:: Ask for confirmation
704
* Agent HAVEKEY:: Check whether a key is available
705
* Agent LEARN:: Register a smartcard
706
* Agent PASSWD:: Change a Passphrase
707
* Agent UPDATESTARTUPTTY:: Change the Standard Display
708
* Agent GETEVENTCOUNTER:: Get the Event Counters
709
* Agent GETINFO:: Return information about the process
712
File: gnupg.info, Node: Agent PKDECRYPT, Next: Agent PKSIGN, Up: Agent Protocol
714
2.6.1 Decrypting a session key
715
------------------------------
717
The client asks the server to decrypt a session key. The encrypted
718
session key should have all information needed to select the
719
appropriate secret key or to delegate it to a smartcard.
723
Tell the server about the key to be used for decryption. If this is
724
not used, `gpg-agent' may try to figure out the key by trying to
725
decrypt the message with each key available.
729
The agent checks whether this command is allowed and then does an
730
INQUIRY to get the ciphertext the client should then send the cipher
733
S: INQUIRE CIPHERTEXT
738
Please note that the server may send status info lines while reading
739
the data lines from the client. The data send is a SPKI like S-Exp with
744
(<param_name1> <mpi>)
746
(<param_namen> <mpi>)))
748
Where algo is a string with the name of the algorithm; see the
749
libgcrypt documentation for a list of valid algorithms. The number and
750
names of the parameters depend on the algorithm. The agent does return
751
an error if there is an inconsistency.
753
If the decryption was successful the decrypted data is returned by
756
Here is an example session:
759
S: INQUIRE CIPHERTEXT
760
C: D (enc-val elg (a 349324324)
761
C: D (b 3F444677CA)))
763
S: # session key follows
764
S: D (value 1234567890ABCDEF0)
765
S: OK descryption successful
768
File: gnupg.info, Node: Agent PKSIGN, Next: Agent GENKEY, Prev: Agent PKDECRYPT, Up: Agent Protocol
773
The client ask the agent to sign a given hash value. A default key
774
will be chosen if no key has been set. To set a key a client first
779
This can be used multiple times to create multiple signature, the
780
list of keys is reset with the next PKSIGN command or a RESET. The
781
server test whether the key is a valid key to sign something and
784
SETHASH --hash=<name>|<algo> <hexstring>
786
The client can use this command to tell the server about the data
787
<hexstring> (which usually is a hash) to be signed. <algo> is the
788
decimal encoded hash algorithm number as used by Libgcrypt. Either
789
<algo> or -hash=<name> must be given. Valid names for <name> are:
801
The actual signing is done using
805
Options are not yet defined, but my later be used to choosen among
806
different algorithms. The agent does then some checks, asks for the
807
passphrase and as a result the server returns the signature as an SPKI
808
like S-expression in "D" lines:
812
(<param_name1> <mpi>)
814
(<param_namen> <mpi>)))
816
The operation is affected by the option
818
OPTION use-cache-for-signing=0|1
820
The default of `1' uses the cache. Setting this option to `0' will
821
lead `gpg-agent' to ignore the passphrase cache. Note, that there is
822
also a global command line option for `gpg-agent' to globally disable
825
Here is an example session:
832
S: # I did ask the user whether he really wants to sign
833
S: # I did ask the user for the passphrase
835
C: D ABCDEF012345678901234
837
S: # signature follows
838
S: D (sig-val rsa (s 45435453654612121212))
842
File: gnupg.info, Node: Agent GENKEY, Next: Agent IMPORT, Prev: Agent PKSIGN, Up: Agent Protocol
844
2.6.3 Generating a Key
845
----------------------
847
This is used to create a new keypair and store the secret key inside the
848
active PSE -- which is in most cases a Soft-PSE. An not yet defined
849
option allows to choose the storage location. To get the secret key out
850
of the PSE, a special export tool has to be used.
854
Invokes the key generation process and the server will then inquire
855
on the generation parameters, like:
858
C: D (genkey (rsa (nbits 1024)))
861
The format of the key parameters which depends on the algorithm is of
866
(parameter_name_1 ....)
868
(parameter_name_n ....)))
870
If everything succeeds, the server returns the *public key* in a SPKI
871
like S-Expression like this:
878
Here is an example session:
882
C: D (genkey (rsa (nbits 1024)))
885
S: D (rsa (n 326487324683264) (e 10001)))
889
File: gnupg.info, Node: Agent IMPORT, Next: Agent EXPORT, Prev: Agent GENKEY, Up: Agent Protocol
891
2.6.4 Importing a Secret Key
892
----------------------------
894
This operation is not yet supportted by GpgAgent. Specialized tools
895
are to be used for this.
897
There is no actual need because we can expect that secret keys
898
created by a 3rd party are stored on a smartcard. If we have generated
899
the key ourself, we do not need to import it.
902
File: gnupg.info, Node: Agent EXPORT, Next: Agent ISTRUSTED, Prev: Agent IMPORT, Up: Agent Protocol
904
2.6.5 Export a Secret Key
905
-------------------------
909
Should be done by an extra tool.
912
File: gnupg.info, Node: Agent ISTRUSTED, Next: Agent GET_PASSPHRASE, Prev: Agent EXPORT, Up: Agent Protocol
914
2.6.6 Importing a Root Certificate
915
----------------------------------
917
Actually we do not import a Root Cert but provide a way to validate any
918
piece of data by storing its Hash along with a description and an
919
identifier in the PSE. Here is the interface desription:
921
ISTRUSTED <fingerprint>
923
Check whether the OpenPGP primary key or the X.509 certificate with
924
the given fingerprint is an ultimately trusted key or a trusted Root CA
925
certificate. The fingerprint should be given as a hexstring (without
926
any blanks or colons or whatever in between) and may be left padded with
927
00 in case of an MD5 fingerprint. GPGAgent will answer with:
931
The key is in the table of trusted keys.
933
ERR 304 (Not Trusted)
935
The key is not in this table.
937
Gpg needs the entire list of trusted keys to maintain the web of
938
trust; the following command is therefore quite helpful:
942
GpgAgent returns a list of trusted keys line by line:
944
S: D 000000001234454556565656677878AF2F1ECCFF P
945
S: D 340387563485634856435645634856438576457A P
946
S: D FEDC6532453745367FD83474357495743757435D S
949
The first item on a line is the hexified fingerprint where MD5
950
ingerprints are `00' padded to the left and the second item is a flag
951
to indicate the type of key (so that gpg is able to only take care of
952
PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
953
of the line, so that we can extend the format in the future.
955
Finally a client should be able to mark a key as trusted:
957
MARKTRUSTED FINGERPRINT "P"|"S"
959
The server will then pop up a window to ask the user whether she
960
really trusts this key. For this it will probably ask for a text to be
964
C: D Do you trust the key with the fingerprint @FPR@
965
C: D bla fasel blurb.
969
Known sequences with the pattern @foo@ are replaced according to this
973
Format the fingerprint according to gpg rules for a v3 keys.
976
Format the fingerprint according to gpg rules for a v4 keys.
979
Choose an appropriate format to format the fingerprint.
982
Replaced by a single `@'
985
File: gnupg.info, Node: Agent GET_PASSPHRASE, Next: Agent GET_CONFIRMATION, Prev: Agent ISTRUSTED, Up: Agent Protocol
987
2.6.7 Ask for a passphrase
988
--------------------------
990
This function is usually used to ask for a passphrase to be used for
991
conventional encryption, but may also be used by programs which need
992
special handling of passphrases. This command uses a syntax which helps
993
clients to use the agent with minimum effort.
995
GET_PASSPHRASE [--data] [--check] CACHE_ID [ERROR_MESSAGE PROMPT DESCRIPTION]
997
CACHE_ID is expected to be a string used to identify a cached
998
passphrase. Use a `X' to bypass the cache. With no other arguments
999
the agent returns a cached passphrase or an error. By convention
1000
either the hexified fingerprint of the key shall be used for CACHE_ID
1001
or an arbitrary string prefixed with the name of the calling
1002
application and a colon: Like `gpg:somestring'.
1004
ERROR_MESSAGE is either a single `X' for no error message or a
1005
string to be shown as an error message like (e.g. "invalid
1006
passphrase"). Blanks must be percent escaped or replaced by `+''.
1008
PROMPT is either a single `X' for a default prompt or the text to be
1009
shown as the prompt. Blanks must be percent escaped or replaced by `+'.
1011
DESCRIPTION is a text shown above the entry field. Blanks must be
1012
percent escaped or replaced by `+'.
1014
The agent either returns with an error or with a OK followed by the
1015
hex encoded passphrase. Note that the length of the strings is
1016
implicitly limited by the maximum length of a command. If the option
1017
`--data' is used, the passphrase is not returned on the OK line but by
1018
regular data lines; this is the preferred method.
1020
If the option `--check' is used, the standard passphrase constraints
1021
checks are applied. A check is not done if the passphrase has been
1024
CLEAR_PASSPHRASE CACHE_ID
1026
may be used to invalidate the cache entry for a passphrase. The
1027
function returns with OK even when there is no cached passphrase.
1030
File: gnupg.info, Node: Agent GET_CONFIRMATION, Next: Agent HAVEKEY, Prev: Agent GET_PASSPHRASE, Up: Agent Protocol
1032
2.6.8 Ask for confirmation
1033
--------------------------
1035
This command may be used to ask for a simple confirmation by presenting
1036
a text and 2 bottonts: Okay and Cancel.
1038
GET_CONFIRMATION DESCRIPTION
1040
DESCRIPTIONis displayed along with a Okay and Cancel button. Blanks
1041
must be percent escaped or replaced by `+'. A `X' may be used to
1042
display confirmation dialog with a default text.
1044
The agent either returns with an error or with a OK. Note, that the
1045
length of DESCRIPTION is implicitly limited by the maximum length of a
1049
File: gnupg.info, Node: Agent HAVEKEY, Next: Agent LEARN, Prev: Agent GET_CONFIRMATION, Up: Agent Protocol
1051
2.6.9 Check whether a key is available
1052
--------------------------------------
1054
This can be used to see whether a secret key is available. It does not
1055
return any information on whether the key is somehow protected.
1059
The Agent answers either with OK or `No_Secret_Key' (208). The
1060
caller may want to check for other error codes as well.
1063
File: gnupg.info, Node: Agent LEARN, Next: Agent PASSWD, Prev: Agent HAVEKEY, Up: Agent Protocol
1065
2.6.10 Register a smartcard
1066
---------------------------
1070
This command is used to register a smartcard. With the -send option
1071
given the certificates are send back.
1074
File: gnupg.info, Node: Agent PASSWD, Next: Agent UPDATESTARTUPTTY, Prev: Agent LEARN, Up: Agent Protocol
1076
2.6.11 Change a Passphrase
1077
--------------------------
1081
This command is used to interactively change the passphrase of the
1082
key indentified by the hex string KEYGRIP.
1085
File: gnupg.info, Node: Agent UPDATESTARTUPTTY, Next: Agent GETEVENTCOUNTER, Prev: Agent PASSWD, Up: Agent Protocol
1087
2.6.12 Change the standard display
1088
----------------------------------
1092
Set the startup TTY and X-DISPLAY variables to the values of this
1093
session. This command is useful to direct future pinentry invocations
1094
to another screen. It is only required because there is no way in the
1095
ssh-agent protocol to convey this information.
1098
File: gnupg.info, Node: Agent GETEVENTCOUNTER, Next: Agent GETINFO, Prev: Agent UPDATESTARTUPTTY, Up: Agent Protocol
1100
2.6.13 Get the Event Counters
1101
-----------------------------
1105
This function return one status line with the current values of the
1106
event counters. The event counters are useful to avoid polling by
1107
delaying a poll until something has changed. The values are decimal
1108
numbers in the range `0' to `UINT_MAX' and wrapping around to 0. The
1109
actual values should not be relied upon; they shall only be used to
1112
The currently defined counters are are:
1114
Incremented with any change of any of the other counters.
1117
Incremented for added or removed private keys.
1120
Incremented for changes of the card readers stati.
1123
File: gnupg.info, Node: Agent GETINFO, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol
1125
2.6.14 Return information about the process
1126
-------------------------------------------
1128
This is a multipurpose function to return a variety of information.
1132
The value of WHAT specifies the kind of information returned:
1134
Return the version of the program.
1137
Return the process id of the process.
1140
Return the name of the socket used to connect the agent.
1143
Return the name of the socket used for SSH connections. If SSH
1144
support has not been enabled the error `GPG_ERR_NO_DATA' will be
1148
File: gnupg.info, Node: Invoking GPG, Next: Invoking GPGSM, Prev: Invoking GPG-AGENT, Up: Top
1153
`gpg2' is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a
1154
tool to provide digital encryption and signing services using the
1155
OpenPGP standard. `gpg2' features complete key management and all bells
1156
and whistles you can expect from a decent OpenPGP implementation.
1158
In contrast to the standalone version `gpg', which is more suited
1159
for server and embedded platforms, this version is installed under the
1160
name `gpg2' and more targeted to the desktop as it requires several
1161
other modules to be installed. The standalone version will be kept
1162
maintained and it is possible to install both versions on the same
1163
system. If you need to use different configuration files, you should
1164
make use of something like `gpg.conf-2' instead of just `gpg.conf'.
1166
Documentation for the old standard `gpg' is available as a man page
1167
and at *note GnuPG 1: (gpg)Top.
1169
*Note Option Index::, for an index to `gpg2''s commands and options.
1173
* GPG Commands:: List of all commands.
1174
* GPG Options:: List of all options.
1175
* GPG Configuration:: Configuration files.
1176
* GPG Examples:: Some usage examples.
1178
Developer information:
1181
File: gnupg.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG
1186
Commands are not distinguished from options except for the fact that
1187
only one command is allowed.
1189
`gpg2' may be run with no commands, in which case it will perform a
1190
reasonable action depending on the type of file it is given as input
1191
(an encrypted message is decrypted, a signature is verified, a file
1192
containing keys is listed).
1194
Please remember that option as well as command parsing stops as soon
1195
as a non-option is encountered, you can explicitly stop parsing by
1196
using the special option `--'.
1200
* General GPG Commands:: Commands not specific to the functionality.
1201
* Operational GPG Commands:: Commands to select the type of operation.
1202
* OpenPGP Key Management:: How to manage your keys.
1205
File: gnupg.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands
1207
3.1.1 Commands not specific to the function
1208
-------------------------------------------
1211
Print the program version and licensing information. Note that you
1212
cannot abbreviate this command.
1216
Print a usage message summarizing the most useful command line
1217
options. Not that you cannot abbreviate this command.
1220
Print warranty information.
1223
Print a list of all available options and commands. Note that you
1224
cannot abbreviate this command.
1227
File: gnupg.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands
1229
3.1.2 Commands to select the type of operation
1230
----------------------------------------------
1234
Make a signature. This command may be combined with `--encrypt'
1235
(for a signed and encrypted message), `--symmetric' (for a signed
1236
and symmetrically encrypted message), or `--encrypt' and
1237
`--symmetric' together (for a signed message that may be decrypted
1238
via a secret key or a passphrase).
1241
Make a clear text signature. The content in a clear text signature
1242
is readable without any special software. OpenPGP software is only
1243
needed to verify the signature. Clear text signatures may modify
1244
end-of-line whitespace for platform independence and are not
1245
intended to be reversible.
1249
Make a detached signature.
1253
Encrypt data. This option may be combined with `--sign' (for a
1254
signed and encrypted message), `--symmetric' (for a message that
1255
may be decrypted via a secret key or a passphrase), or `--sign'
1256
and `--symmetric' together (for a signed message that may be
1257
decrypted via a secret key or a passphrase).
1261
Encrypt with a symmetric cipher using a passphrase. The default
1262
symmetric cipher used is CAST5, but may be chosen with the
1263
`--cipher-algo' option. This option may be combined with `--sign'
1264
(for a signed and symmetrically encrypted message), `--encrypt'
1265
(for a message that may be decrypted via a secret key or a
1266
passphrase), or `--sign' and `--encrypt' together (for a signed
1267
message that may be decrypted via a secret key or a passphrase).
1270
Store only (make a simple RFC1991 literal data packet).
1274
Decrypt the file given on the command line (or `stdin' if no file
1275
is specified) and write it to stdout (or the file specified with
1276
`--output'). If the decrypted file is signed, the signature is also
1277
verified. This command differs from the default operation, as it
1278
never writes to the filename which is included in the file and it
1279
rejects files which don't begin with an encrypted message.
1282
Assume that the first argument is a signed file or a detached
1283
signature and verify it without generating any output. With no
1284
arguments, the signature packet is read from stdin. If only a
1285
sigfile is given, it may be a complete signature or a detached
1286
signature, in which case the signed stuff is expected in a file
1287
without the ".sig" or ".asc" extension. With more than 1
1288
argument, the first should be a detached signature and the
1289
remaining files are the signed stuff. To read the signed stuff
1290
from stdin, use `-' as the second filename. For security reasons
1291
a detached signature cannot read the signed material from stdin
1292
without denoting it in the above way.
1295
This modifies certain other commands to accept multiple files for
1296
processing on the command line or read from stdin with each
1297
filename on a separate line. This allows for many files to be
1298
processed at once. `--multifile' may currently be used along with
1299
`--verify', `--encrypt', and `--decrypt'. Note that `--multifile
1300
--verify' may not be used with detached signatures.
1303
Identical to `--multifile --verify'.
1306
Identical to `--multifile --encrypt'.
1309
Identical to `--multifile --decrypt'.
1313
`--list-public-keys'
1314
List all keys from the public keyrings, or just the keys given on
1317
Avoid using the output of this command in scripts or other
1318
programs as it is likely to change as GnuPG changes. See
1319
`--with-colons' for a machine-parseable key listing command that
1320
is appropriate for use in scripts and other programs.
1322
`--list-secret-keys'
1324
List all keys from the secret keyrings, or just the ones given on
1325
the command line. A `#' after the letters `sec' means that the
1326
secret key is not usable (for example, if it was created via
1327
`--export-secret-subkeys').
1330
Same as `--list-keys', but the signatures are listed too.
1332
For each signature listed, there are several flags in between the
1333
"sig" tag and keyid. These flags give additional information about
1334
each signature. From left to right, they are the numbers 1-3 for
1335
certificate check level (see `--ask-cert-level'), "L" for a local
1336
or non-exportable signature (see `--lsign-key'), "R" for a
1337
nonRevocable signature (see the `--edit-key' command "nrsign"),
1338
"P" for a signature that contains a policy URL (see
1339
`--cert-policy-url'), "N" for a signature that contains a notation
1340
(see `--cert-notation'), "X" for an eXpired signature (see
1341
`--ask-cert-expire'), and the numbers 1-9 or "T" for 10 and above
1342
to indicate trust signature levels (see the `--edit-key' command
1346
Same as `--list-sigs', but the signatures are verified.
1348
The status of the verification is indicated by a flag directly
1349
following the "sig" tag (and thus before the flags described above
1350
for `--list-sigs'). A "!" indicates that the signature has been
1351
successfully verified, a "-" denotes a bad signature and a "%" is
1352
used if an error occured while checking the signature (e.g. a non
1353
supported algorithm).
1356
List all keys (or the specified ones) along with their
1357
fingerprints. This is the same output as `--list-keys' but with
1358
the additional output of a line with the fingerprint. May also be
1359
combined with `--list-sigs' or `--check-sigs'. If this command is
1360
given twice, the fingerprints of all secondary keys are listed too.
1363
List only the sequence of packets. This is mainly useful for
1367
Present a menu to work with a smartcard. The subcommand "help"
1368
provides an overview on available commands. For a detailed
1369
description, please see the Card HOWTO at
1370
http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
1373
Show the content of the smart card.
1376
Present a menu to allow changing the PIN of a smartcard. This
1377
functionality is also available as the subcommand "passwd" with the
1378
`--card-edit' command.
1380
`--delete-key `name''
1381
Remove key from the public keyring. In batch mode either `--yes' is
1382
required or the key must be specified by fingerprint. This is a
1383
safeguard against accidental deletion of multiple keys.
1385
`--delete-secret-key `name''
1386
Remove key from the secret and public keyring. In batch mode the
1387
key must be specified by fingerprint.
1389
`--delete-secret-and-public-key `name''
1390
Same as `--delete-key', but if a secret key exists, it will be
1391
removed first. In batch mode the key must be specified by
1395
Either export all keys from all keyrings (default keyrings and
1396
those registered via option `--keyring'), or if at least one name
1397
is given, those of the given name. The new keyring is written to
1398
stdout or to the file given with option `--output'. Use together
1399
with `--armor' to mail those keys.
1401
`--send-keys `key IDs''
1402
Similar to `--export' but sends the keys to a keyserver.
1403
Fingerprints may be used instead of key IDs. Option `--keyserver'
1404
must be used to give the name of this keyserver. Don't send your
1405
complete keyring to a keyserver -- select only those keys which
1406
are new or changed by you.
1408
`--export-secret-keys'
1409
`--export-secret-subkeys'
1410
Same as `--export', but exports the secret keys instead. This is
1411
normally not very useful and a security risk. The second form of
1412
the command has the special property to render the secret part of
1413
the primary key useless; this is a GNU extension to OpenPGP and
1414
other implementations can not be expected to successfully import
1415
such a key. See the option `--simple-sk-checksum' if you want to
1416
import such an exported key with an older OpenPGP implementation.
1420
Import/merge keys. This adds the given keys to the keyring. The
1421
fast version is currently just a synonym.
1423
There are a few other options which control how this command works.
1424
Most notable here is the `--keyserver-options merge-only' option
1425
which does not insert new keys but does only the merging of new
1426
signatures, user-IDs and subkeys.
1428
`--recv-keys `key IDs''
1429
Import the keys with the given key IDs from a keyserver. Option
1430
`--keyserver' must be used to give the name of this keyserver.
1433
Request updates from a keyserver for keys that already exist on the
1434
local keyring. This is useful for updating a key with the latest
1435
signatures, user IDs, etc. Calling this with no arguments will
1436
refresh the entire keyring. Option `--keyserver' must be used to
1437
give the name of the keyserver for all keys that do not have
1438
preferred keyservers set (see `--keyserver-options
1439
honor-keyserver-url').
1441
`--search-keys `names''
1442
Search the keyserver for the given names. Multiple names given
1443
here will be joined together to create the search string for the
1444
keyserver. Option `--keyserver' must be used to give the name of
1445
this keyserver. Keyservers that support different search methods
1446
allow using the syntax specified in "How to specify a user ID"
1447
below. Note that different keyserver types support different
1448
search methods. Currently only LDAP supports them all.
1450
`--fetch-keys `URIs''
1451
Retrieve keys located at the specified URIs. Note that different
1452
installations of GnuPG may support different protocols (HTTP, FTP,
1456
Do trust database maintenance. This command iterates over all keys
1457
and builds the Web of Trust. This is an interactive command
1458
because it may have to ask for the "ownertrust" values for keys.
1459
The user has to give an estimation of how far she trusts the owner
1460
of the displayed key to correctly certify (sign) other keys. GnuPG
1461
only asks for the ownertrust value if it has not yet been assigned
1462
to a key. Using the `--edit-key' menu, the assigned value can be
1463
changed at any time.
1466
Do trust database maintenance without user interaction. From time
1467
to time the trust database must be updated so that expired keys or
1468
signatures and the resulting changes in the Web of Trust can be
1469
tracked. Normally, GnuPG will calculate when this is required and
1470
do it automatically unless `--no-auto-check-trustdb' is set. This
1471
command can be used to force a trust database check at any time.
1472
The processing is identical to that of `--update-trustdb' but it
1473
skips keys with a not yet defined "ownertrust".
1475
For use with cron jobs, this command can be used together with
1476
`--batch' in which case the trust database check is done only if a
1477
check is needed. To force a run even in batch mode add the option
1480
`--export-ownertrust'
1481
Send the ownertrust values to stdout. This is useful for backup
1482
purposes as these values are the only ones which can't be
1483
re-created from a corrupted trust DB.
1485
`--import-ownertrust'
1486
Update the trustdb with the ownertrust values stored in `files' (or
1487
stdin if not given); existing values will be overwritten.
1489
`--rebuild-keydb-caches'
1490
When updating from version 1.0.6 to 1.0.7 this command should be
1491
used to create signature caches in the keyring. It might be handy
1492
in other situations too.
1496
Print message digest of algorithm ALGO for all given files or
1497
stdin. With the second form (or a deprecated "*" as algo) digests
1498
for all available algorithms are printed.
1500
`--gen-random `0|1|2''
1501
Emit COUNT random bytes of the given quality level. If count is
1502
not given or zero, an endless sequence of random bytes will be
1503
emitted. PLEASE, don't use this command unless you know what you
1504
are doing; it may remove precious entropy from the system!
1506
`--gen-prime `mode' `bits''
1507
Use the source, Luke :-). The output format is still subject to
1513
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
1514
This is a GnuPG extension to OpenPGP and in general not very
1519
File: gnupg.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands
1521
3.1.3 How to manage your keys
1522
-----------------------------
1524
This section explains the main commands for key management
1527
Generate a new key pair. This command is normally only used
1530
There is an experimental feature which allows you to create keys in
1531
batch mode. See the file `doc/DETAILS' in the source distribution
1534
`--gen-revoke `name''
1535
Generate a revocation certificate for the complete key. To revoke
1536
a subkey or a signature, use the `--edit' command.
1538
`--desig-revoke `name''
1539
Generate a designated revocation certificate for a key. This
1540
allows a user (with the permission of the keyholder) to revoke
1544
Present a menu which enables you to do most of the key management
1545
related tasks. It expects the specification of a key on the
1549
Make a signature on key of user `name' If the key is not yet
1550
signed by the default user (or the users given with -u), the
1551
program displays the information of the key again, together
1552
with its fingerprint and asks whether it should be signed.
1553
This question is repeated for all users specified with -u.
1556
Same as "sign" but the signature is marked as non-exportable
1557
and will therefore never be used by others. This may be used
1558
to make keys valid only in the local environment.
1561
Same as "sign" but the signature is marked as non-revocable
1562
and can therefore never be revoked.
1565
Make a trust signature. This is a signature that combines the
1566
notions of certification (like a regular signature), and
1567
trust (like the "trust" command). It is generally only useful
1568
in distinct communities or groups.
1570
Note that "l" (for local / non-exportable), "nr" (for
1571
non-revocable, and "t" (for trust) may be freely mixed and
1572
prefixed to "sign" to create a signature of any type desired.
1575
Revoke a signature. For every signature which has been
1576
generated by one of the secret keys, GnuPG asks whether a
1577
revocation certificate should be generated.
1580
Change the owner trust value. This updates the trust-db
1581
immediately and no save is required.
1585
Disable or enable an entire key. A disabled key can not
1586
normally be used for encryption.
1589
Create an alternate user id.
1592
Create a photographic user id. This will prompt for a JPEG
1593
file that will be embedded into the user ID. Note that a very
1594
large JPEG will make for a very large key. Also note that
1595
some programs will display your JPEG unchanged (GnuPG), and
1596
some programs will scale it to fit in a dialog box (PGP).
1599
Delete a user id. Note that it is not possible to retract a
1600
user id, once it has been send to the public (i.e. to a
1601
keyserver). In that case you better use `revuid'.
1604
Delete a signature. Note that it is not possible to retract a
1605
signature, once it has been send to the public (i.e. to a
1606
keyserver). In that case you better use `revsig'.
1612
Add a subkey to this key.
1615
Generate a key on a card and add it to this key.
1618
Transfer the selected secret key (or the primary key if no
1619
key has been selected) to a smartcard. The secret key in the
1620
keyring will be replaced by a stub if the key could be stored
1621
successfully on the card and you use the save command later.
1622
Only certain key types may be transferred to the card. A sub
1623
menu allows you to select on what card to store the key. Note
1624
that it is not possible to get that key back from the card -
1625
if the card gets broken your secret key will be lost unless
1626
you have a backup somewhere.
1629
Restore the given file to a card. This command may be used to
1630
restore a backup key (as generated during card
1631
initialization) to a new card. In almost all cases this will
1632
be the encryption key. You should use this command only with
1633
the corresponding public key and make sure that the file
1634
given as argument is indeed the backup to restore. You should
1635
then select 2 to restore as encryption key. You will first
1636
be asked to enter the passphrase of the backup key and then
1637
for the Admin PIN of the card.
1640
Remove a subkey (secondart key). Note that it is not possible
1641
to retract a subkey, once it has been send to the public
1642
(i.e. to a keyserver). In that case you better use `revkey'.
1645
Add a designated revoker. This takes one optional argument:
1646
"sensitive". If a designated revoker is marked as sensitive,
1647
it will not be exported by default (see export-options).
1653
Change the key expiration time. If a subkey is selected, the
1654
expiration time of this subkey will be changed. With no
1655
selection, the key expiration of the primary key is changed.
1658
Change the passphrase of the secret key.
1661
Flag the current user id as the primary one, removes the
1662
primary user id flag from all other user ids and sets the
1663
timestamp of all affected self-signatures one second ahead.
1664
Note that setting a photo user ID as primary makes it primary
1665
over other photo user IDs, and setting a regular user ID as
1666
primary makes it primary over other regular user IDs.
1669
Toggle selection of user id with index `n'. Use 0 to
1673
Toggle selection of subkey with index `n'. Use 0 to deselect
1677
Check all selected user ids.
1680
Display the selected photographic user id.
1683
List preferences from the selected user ID. This shows the
1684
actual preferences, without including any implied preferences.
1687
More verbose preferences listing for the selected user ID.
1688
This shows the preferences in effect by including the implied
1689
preferences of 3DES (cipher), SHA-1 (digest), and
1690
Uncompressed (compression) if they are not already included
1691
in the preference list. In addition, the preferred keyserver
1692
and signature notations (if any) are shown.
1695
Set the list of user ID preferences to `string' for all (or
1696
just the selected) user IDs. Calling setpref with no
1697
arguments sets the preference list to the default (either
1698
built-in or set via `--default-preference-list'), and calling
1699
setpref with "none" as the argument sets an empty preference
1700
list. Use `gpg2 --version' to get a list of available
1701
algorithms. Note that while you can change the preferences on
1702
an attribute user ID (aka "photo ID"), GnuPG does not select
1703
keys via attribute user IDs so these preferences will not be
1707
Set a preferred keyserver for the specified user ID(s). This
1708
allows other users to know where you prefer they get your key
1709
from. See `--keyserver-options honor-keyserver-url' for more
1710
on how this works. Setting a value of "none" removes an
1711
existing preferred keyserver.
1714
Set a name=value notation for the specified user ID(s). See
1715
`--cert-notation' for more on how this works. Setting a value
1716
of "none" removes all notations, setting a notation prefixed
1717
with a minus sign (-) removes that notation, and setting a
1718
notation name (without the =value) prefixed with a minus sign
1719
removes all notations with that name.
1722
Toggle between public and secret key listing.
1725
Compact (by removing all signatures except the selfsig) any
1726
user ID that is no longer usable (e.g. revoked, or expired).
1727
Then, remove any signatures that are not usable by the trust
1728
calculations. Specifically, this removes any signature that
1729
does not validate, any signature that is superseded by a
1730
later signature, revoked signatures, and signatures issued by
1731
keys that are not present on the keyring.
1734
Make the key as small as possible. This removes all
1735
signatures from each user ID except for the most recent
1739
Add cross-certification signatures to signing subkeys that
1740
may not currently have them. Cross-certification signatures
1741
protect against a subtle attack against signing subkeys. See
1742
`--require-cross-certification'.
1745
Save all changes to the key rings and quit.
1748
Quit the program without updating the key rings.
1751
The listing shows you the key with its secondary keys and all user
1752
ids. Selected keys or user ids are indicated by an asterisk. The
1753
trust value is displayed with the primary key: the first is the
1754
assigned owner trust and the second is the calculated trust value.
1755
Letters are used for the values:
1758
No ownertrust assigned / not yet calculated.
1761
Trust calculation has failed; probably due to an expired key.
1764
Not enough information for calculation.
1767
Never trust this key.
1779
Signs a public key with your secret key. This is a shortcut
1780
version of the subcommand "sign" from `--edit'.
1782
`--lsign-key `name''
1783
Signs a public key with your secret key but marks it as
1784
non-exportable. This is a shortcut version of the subcommand
1785
"lsign" from `--edit-key'.
1789
File: gnupg.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG
1794
`gpg2' comes features a bunch of options to control the exact behaviour
1795
and to change the default configuration.
1799
* GPG Configuration Options:: How to change the configuration.
1800
* GPG Key related Options:: Key related options.
1801
* GPG Input and Output:: Input and Output.
1802
* OpenPGP Options:: OpenPGP protocol specific options.
1803
* GPG Esoteric Options:: Doing things one usually don't want to do.
1805
Long options can be put in an options file (default
1806
"~/.gnupg/gpg.conf"). Short option names will not work - for example,
1807
"armor" is a valid option for the options file, while "a" is not. Do not
1808
write the 2 dashes, but simply the name of the option and any required
1809
arguments. Lines with a hash ('#') as the first non-white-space
1810
character are ignored. Commands may be put in this file too, but that is
1811
not generally useful as the command will execute automatically with
1812
every execution of gpg.
1814
Please remember that option parsing stops as soon as a non-option is
1815
encountered, you can explicitly stop parsing by using the special option
1819
File: gnupg.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options
1821
3.2.1 How to change the configuration
1822
-------------------------------------
1824
These options are used to change the configuration and are usually found
1827
`--default-key NAME'
1828
Use NAME as the default key to sign with. If this option is not
1829
used, the default key is the first key found in the secret keyring.
1830
Note that `-u' or `--local-user' overrides this option.
1832
`--default-recipient NAME'
1833
Use NAME as default recipient if option `--recipient' is not used
1834
and don't ask if this is a valid one. NAME must be non-empty.
1836
`--default-recipient-self'
1837
Use the default key as default recipient if option `--recipient'
1838
is not used and don't ask if this is a valid one. The default key
1839
is the first one from the secret keyring or the one set with
1842
`--no-default-recipient'
1843
Reset `--default-recipient' and `--default-recipient-self'.
1846
Give more information during processing. If used twice, the input
1847
data is listed in detail.
1850
Reset verbose level to 0.
1853
Try to be as quiet as possible.
1857
Use batch mode. Never ask, do not allow interactive commands.
1858
`--no-batch' disables this option.
1861
Make sure that the TTY (terminal) is never used for any output.
1862
This option is needed in some cases because GnuPG sometimes prints
1863
warnings to the TTY even if `--batch' is used.
1866
Assume "yes" on most questions.
1869
Assume "no" on most questions.
1871
`--list-options `parameters''
1872
This is a space or comma delimited string that gives options used
1873
when listing keys and signatures (that is, `--list-keys',
1874
`--list-sigs', `--list-public-keys', `--list-secret-keys', and the
1875
`--edit-key' functions). Options can be prepended with a `no-'
1876
(after the two dashes) to give the opposite meaning. The options
1880
Causes `--list-keys', `--list-sigs', `--list-public-keys',
1881
and `--list-secret-keys' to display any photo IDs attached to
1882
the key. Defaults to no. See also `--photo-viewer'.
1885
Show policy URLs in the `--list-sigs' or `--check-sigs'
1886
listings. Defaults to no.
1891
Show all, IETF standard, or user-defined signature notations
1892
in the `--list-sigs' or `--check-sigs' listings. Defaults to
1896
Show any preferred keyserver URL in the `--list-sigs' or
1897
`--check-sigs' listings. Defaults to no.
1900
Display the calculated validity of user IDs during key
1901
listings. Defaults to no.
1904
Show revoked and expired user IDs in key listings. Defaults
1907
show-unusable-subkeys
1908
Show revoked and expired subkeys in key listings. Defaults to
1912
Display the keyring name at the head of key listings to show
1913
which keyring a given key resides on. Defaults to no.
1916
Show signature expiration dates (if any) during `--list-sigs'
1917
or `--check-sigs' listings. Defaults to no.
1920
Include signature subpackets in the key listing. This option
1921
can take an optional argument list of the subpackets to list.
1922
If no argument is passed, list all subpackets. Defaults to
1923
no. This option is only meaningful when using `--with-colons'
1924
along with `--list-sigs' or `--check-sigs'.
1926
`--verify-options `parameters''
1927
This is a space or comma delimited string that gives options used
1928
when verifying signatures. Options can be prepended with a `no-'
1929
to give the opposite meaning. The options are:
1932
Display any photo IDs present on the key that issued the
1933
signature. Defaults to no. See also `--photo-viewer'.
1936
Show policy URLs in the signature being verified. Defaults to
1942
Show all, IETF standard, or user-defined signature notations
1943
in the signature being verified. Defaults to IETF standard.
1946
Show any preferred keyserver URL in the signature being
1947
verified. Defaults to no.
1950
Display the calculated validity of the user IDs on the key
1951
that issued the signature. Defaults to no.
1954
Show revoked and expired user IDs during signature
1955
verification. Defaults to no.
1957
show-primary-uid-only
1958
Show only the primary user ID during signature verification.
1959
That is all the AKA lines as well as photo Ids are not shown
1960
with the signature verification status.
1963
Enable PKA lookups to verify sender addresses. Note that PKA
1964
is based on DNS, and so enabling this option may disclose
1965
information on when and what signatures are verified or to
1966
whom data is encrypted. This is similar to the "web bug"
1967
described for the auto-key-retrieve feature.
1970
Raise the trust in a signature to full if the signature
1971
passes PKA validation. This option is only meaningful if
1976
Enables new-style DSA keys which (unlike the old style) may be
1977
larger than 1024 bit and use hashes other than SHA-1 and
1978
RIPEMD/160. Note that very few programs currently support these
1979
keys and signatures from them.
1981
`--photo-viewer `string''
1982
This is the command line that should be run to view a photo ID.
1983
"%i" will be expanded to a filename containing the photo. "%I"
1984
does the same, except the file will not be deleted once the viewer
1985
exits. Other flags are "%k" for the key ID, "%K" for the long key
1986
ID, "%f" for the key fingerprint, "%t" for the extension of the
1987
image type (e.g. "jpg"), "%T" for the MIME type of the image (e.g.
1988
"image/jpeg"), and "%%" for an actual percent sign. If neither %i
1989
or %I are present, then the photo will be supplied to the viewer
1992
The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
1993
stdin". Note that if your image viewer program is not secure, then
1994
executing it from GnuPG does not make it secure.
1996
`--exec-path `string''
1997
Sets a list of directories to search for photo viewers and
1998
keyserver helpers. If not provided, keyserver helpers use the
1999
compiled-in default directory, and photo viewers use the $PATH
2000
environment variable. Note, that on W32 system this value is
2001
ignored when searching for keyserver helpers.
2004
Add `file' to the current list of keyrings. If `file' begins with
2005
a tilde and a slash, these are replaced by the $HOME directory. If
2006
the filename does not contain a slash, it is assumed to be in the
2007
GnuPG home directory ("~/.gnupg" if `--homedir' or $GNUPGHOME is
2010
Note that this adds a keyring to the current list. If the intent
2011
is to use the specified keyring alone, use `--keyring' along with
2012
`--no-default-keyring'.
2014
`--secret-keyring `file''
2015
Same as `--keyring' but for the secret keyrings.
2017
`--primary-keyring `file''
2018
Designate `file' as the primary public keyring. This means that
2019
newly imported keys (via `--import' or keyserver `--recv-from')
2020
will go to this keyring.
2022
`--trustdb-name `file''
2023
Use `file' instead of the default trustdb. If `file' begins with a
2024
tilde and a slash, these are replaced by the $HOME directory. If
2025
the filename does not contain a slash, it is assumed to be in the
2026
GnuPG home directory (`~/.gnupg' if `--homedir' or $GNUPGHOME is
2030
Set the name of the home directory to DIR. If his option is not
2031
used, the home directory defaults to `~/.gnupg'. It is only
2032
recognized when given on the command line. It also overrides any
2033
home directory stated through the environment variable `GNUPGHOME'
2034
or (on W32 systems) by means on the Registry entry
2035
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2037
`--display-charset `name''
2038
Set the name of the native character set. This is used to convert
2039
some informational strings like user IDs to the proper UTF-8
2040
encoding. Note that this has nothing to do with the character set
2041
of data to be encrypted or signed; GnuPG does not recode
2042
user-supplied data. If this option is not used, the default
2043
character set is determined from the current locale. A verbosity
2044
level of 3 shows the chosen set. Valid values for `name' are:
2047
This is the Latin 1 set.
2053
This is currently an alias for the Latin 1 set.
2056
The usual Russian set (rfc1489).
2059
Bypass all translations and assume that the OS uses native
2064
Assume that command line arguments are given as UTF8 strings. The
2065
default (`--no-utf8-strings') is to assume that arguments are
2066
encoded in the character set as specified by `--display-charset'.
2067
These options affect all following arguments. Both options may be
2068
used multiple times.
2071
Read options from `file' and do not try to read them from the
2072
default options file in the homedir (see `--homedir'). This option
2073
is ignored if used in an options file.
2076
Shortcut for `--options /dev/null'. This option is detected before
2077
an attempt to open an option file. Using this option will also
2078
prevent the creation of a `~/.gnupg' homedir.
2081
`--compress-level `n''
2082
`--bzip2-compress-level `n''
2083
Set compression level to `n' for the ZIP and ZLIB compression
2084
algorithms. The default is to use the default compression level of
2085
zlib (normally 6). `--bzip2-compress-level' sets the compression
2086
level for the BZIP2 compression algorithm (defaulting to 6 as
2087
well). This is a different option from `--compress-level' since
2088
BZIP2 uses a significant amount of memory for each additional
2089
compression level. `-z' sets both. A value of 0 for `n' disables
2092
`--bzip2-decompress-lowmem'
2093
Use a different decompression method for BZIP2 compressed files.
2094
This alternate method uses a bit more than half the memory, but
2095
also runs at half the speed. This is useful under extreme low
2096
memory circumstances when the file was originally compressed at a
2097
high `--bzip2-compress-level'.
2099
`--mangle-dos-filenames'
2100
`--no-mangle-dos-filenames'
2101
Older version of Windows cannot handle filenames with more than one
2102
dot. `--mangle-dos-filenames' causes GnuPG to replace (rather than
2103
add to) the extension of an output filename to avoid this problem.
2104
This option is off by default and has no effect on non-Windows
2108
`--no-ask-cert-level'
2109
When making a key signature, prompt for a certification level. If
2110
this option is not specified, the certification level used is set
2111
via `--default-cert-level'. See `--default-cert-level' for
2112
information on the specific levels and how they are used.
2113
`--no-ask-cert-level' disables this option. This option defaults
2116
`--default-cert-level `n''
2117
The default to use for the check level when signing a key.
2119
0 means you make no particular claim as to how carefully you
2122
1 means you believe the key is owned by the person who claims to
2123
own it but you could not, or did not verify the key at all. This is
2124
useful for a "persona" verification, where you sign the key of a
2127
2 means you did casual verification of the key. For example, this
2128
could mean that you verified that the key fingerprint and checked
2129
the user ID on the key against a photo ID.
2131
3 means you did extensive verification of the key. For example,
2132
this could mean that you verified the key fingerprint with the
2133
owner of the key in person, and that you checked, by means of a
2134
hard to forge document with a photo ID (such as a passport) that
2135
the name of the key owner matches the name in the user ID on the
2136
key, and finally that you verified (by exchange of email) that the
2137
email address on the key belongs to the key owner.
2139
Note that the examples given above for levels 2 and 3 are just
2140
that: examples. In the end, it is up to you to decide just what
2141
"casual" and "extensive" mean to you.
2143
This option defaults to 0 (no particular claim).
2146
When building the trust database, treat any signatures with a
2147
certification level below this as invalid. Defaults to 2, which
2148
disregards level 1 signatures. Note that level 0 "no particular
2149
claim" signatures are always accepted.
2151
`--trusted-key `long key ID''
2152
Assume that the specified key (which must be given as a full 8
2153
byte key ID) is as trustworthy as one of your own secret keys.
2154
This option is useful if you don't want to keep your secret keys
2155
(or one of them) online but still want to be able to check the
2156
validity of a given recipient's or signator's key.
2158
`--trust-model `pgp|classic|direct|always|auto''
2159
Set what trust model GnuPG should follow. The models are:
2162
This is the Web of Trust combined with trust signatures as
2163
used in PGP 5.x and later. This is the default trust model
2164
when creating a new trust database.
2167
This is the standard Web of Trust as used in PGP 2.x and
2171
Key validity is set directly by the user and not calculated
2172
via the Web of Trust.
2175
Skip key validation and assume that used keys are always fully
2176
trusted. You generally won't use this unless you are using
2177
some external validation scheme. This option also suppresses
2178
the "[uncertain]" tag printed with signature checks when
2179
there is no evidence that the user ID is bound to the key.
2182
Select the trust model depending on whatever the internal
2183
trust database says. This is the default model if such a
2184
database already exists.
2186
`--auto-key-locate `parameters''
2187
`--no-auto-key-locate'
2188
GnuPG can automatically locate and retrieve keys as needed using
2189
this option. This happens when encrypting to an email address (in
2190
the "user@example.com" form), and there are no user@example.com
2191
keys on the local keyring. This option takes any number of the
2192
following arguments, in the order they are to be tried:
2195
locate a key using DNS CERT, as specified in rfc4398.
2198
locate a key using DNS PKA.
2201
locate a key using the PGP Universal method of checking
2202
"ldap://keys.(thedomain)".
2205
locate a key using whatever keyserver is defined using the
2206
`--keyserver' option.
2209
In addition, a keyserver URL as used in the `--keyserver'
2210
option may be used here to query that particular keyserver.
2212
`--keyid-format `short|0xshort|long|0xlong''
2213
Select how to display key IDs. "short" is the traditional
2214
8-character key ID. "long" is the more accurate (but less
2215
convenient) 16-character key ID. Add an "0x" to either to include
2216
an "0x" at the beginning of the key ID, as in 0x99242560.
2218
`--keyserver `name''
2219
Use `name' as your keyserver. This is the server that
2220
`--recv-keys', `--send-keys', and `--search-keys' will communicate
2221
with to receive keys from, send keys to, and search for keys on.
2222
The format of the `name' is a URI:
2223
`scheme:[//]keyservername[:port]' The scheme is the type of
2224
keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap"
2225
for the LDAP keyservers, or "mailto" for the Graff email
2226
keyserver. Note that your particular installation of GnuPG may
2227
have other keyserver types available as well. Keyserver schemes
2228
are case-insensitive. After the keyserver name, optional keyserver
2229
configuration options may be provided. These are the same as the
2230
global `--keyserver-options' from below, but apply only to this
2231
particular keyserver.
2233
Most keyservers synchronize with each other, so there is generally
2234
no need to send keys to more than one server. The keyserver
2235
`hkp://subkeys.pgp.net' uses round robin DNS to give a different
2236
keyserver each time you use it.
2238
`--keyserver-options `name=value1 ''
2239
This is a space or comma delimited string that gives options for
2240
the keyserver. Options can be prepended with a `no-' to give the
2241
opposite meaning. Valid import-options or export-options may be
2242
used here as well to apply to importing (`--recv-key') or exporting
2243
(`--send-key') a key from a keyserver. While not all options are
2244
available for all keyserver types, some common options are:
2247
When searching for a key with `--search-keys', include keys
2248
that are marked on the keyserver as revoked. Note that not
2249
all keyservers differentiate between revoked and unrevoked
2250
keys, and for such keyservers this option is meaningless.
2251
Note also that most keyservers do not have cryptographic
2252
verification of key revocations, and so turning this option
2253
off may result in skipping keys that are incorrectly marked
2257
When searching for a key with `--search-keys', include keys
2258
that are marked on the keyserver as disabled. Note that this
2259
option is not used with HKP keyservers.
2262
This option enables the automatic retrieving of keys from a
2263
keyserver when verifying signatures made by keys that are not
2264
on the local keyring.
2266
Note that this option makes a "web bug" like behavior
2267
possible. Keyserver operators can see which keys you
2268
request, so by sending you a message signed by a brand new
2269
key (which you naturally will not have on your local
2270
keyring), the operator can tell both your IP address and the
2271
time when you verified the signature.
2274
When using `--refresh-keys', if the key in question has a
2275
preferred keyserver URL, then use that preferred keyserver to
2276
refresh the key from. In addition, if auto-key-retrieve is
2277
set, and the signature being verified has a preferred
2278
keyserver URL, then use that preferred keyserver to fetch the
2279
key from. Defaults to yes.
2282
If auto-key-retrieve is set, and the signature being verified
2283
has a PKA record, then use the PKA information to fetch the
2284
key. Defaults to yes.
2287
When receiving a key, include subkeys as potential targets.
2288
Note that this option is not used with HKP keyservers, as
2289
they do not support retrieving keys by subkey id.
2292
On most Unix-like platforms, GnuPG communicates with the
2293
keyserver helper program via pipes, which is the most
2294
efficient method. This option forces GnuPG to use temporary
2295
files to communicate. On some platforms (such as Win32 and
2296
RISC OS), this option is always enabled.
2299
If using `use-temp-files', do not delete the temp files after
2300
using them. This option is useful to learn the keyserver
2301
communication protocol by reading the temporary files.
2304
Tell the keyserver helper program to be more verbose. This
2305
option can be repeated multiple times to increase the
2309
Tell the keyserver helper program how long (in seconds) to
2310
try and perform a keyserver action before giving up. Note
2311
that performing multiple actions at the same time uses this
2312
timeout value per action. For example, when retrieving
2313
multiple keys via `--recv-keys', the timeout applies
2314
separately to each key retrieval, and not to the
2315
`--recv-keys' command as a whole. Defaults to 30 seconds.
2318
Set the proxy to use for HTTP and HKP keyservers. This
2319
overrides the "http_proxy" environment variable, if any.
2322
When retrieving a key via DNS CERT, only accept keys up to
2323
this size. Defaults to 16384 bytes.
2325
`--completes-needed `n''
2326
Number of completely trusted users to introduce a new key signer
2329
`--marginals-needed `n''
2330
Number of marginally trusted users to introduce a new key signer
2333
`--max-cert-depth `n''
2334
Maximum depth of a certification chain (default is 5).
2336
`--simple-sk-checksum'
2337
Secret keys are integrity protected by using a SHA-1 checksum. This
2338
method is part of the upcoming enhanced OpenPGP specification but
2339
GnuPG already uses it as a countermeasure against certain attacks.
2340
Old applications don't understand this new format, so this option
2341
may be used to switch back to the old behaviour. Using this option
2342
bears a security risk. Note that using this option only takes
2343
effect when the secret key is encrypted - the simplest way to make
2344
this happen is to change the passphrase on the key (even changing
2345
it to the same value is acceptable).
2348
Do not cache the verification status of key signatures. Caching
2349
gives a much better performance in key listings. However, if you
2350
suspect that your public keyring is not save against write
2351
modifications, you can use this option to disable the caching. It
2352
probably does not make sense to disable it because all kind of
2353
damage can be done if someone else has write access to your public
2356
`--no-sig-create-check'
2357
GnuPG normally verifies each signature right after creation to
2358
protect against bugs and hardware malfunctions which could leak
2359
out bits from the secret key. This extra verification needs some
2360
time (about 115% for DSA keys), and so this option can be used to
2361
disable it. However, due to the fact that the signature creation
2362
needs manual interaction, this performance penalty does not matter
2365
`--auto-check-trustdb'
2366
`--no-auto-check-trustdb'
2367
If GnuPG feels that its information about the Web of Trust has to
2368
be updated, it automatically runs the `--check-trustdb' command
2369
internally. This may be a time consuming process.
2370
`--no-auto-check-trustdb' disables this option.
2374
This is dummy option. `gpg2' always requires the agent.
2377
This is dummy option. It has no effect when used with `gpg2'.
2380
Lock the databases the first time a lock is requested and do not
2381
release the lock until the process terminates.
2384
Release the locks every time a lock is no longer needed. Use this
2385
to override a previous `--lock-once' from a config file.
2388
Disable locking entirely. This option should be used only in very
2389
special environments, where it can be assured that only one process
2390
is accessing those files. A bootable floppy with a stand-alone
2391
encryption system will probably use this. Improper usage of this
2392
option may lead to data and key corruption.
2394
`--exit-on-status-write-error'
2395
This option will cause write errors on the status FD to immediately
2396
terminate the process. That should in fact be the default but it
2397
never worked this way and thus we need an option to enable this,
2398
so that the change won't break applications which close their end
2399
of a status fd connected pipe too early. Using this option along
2400
with `--enable-progress-filter' may be used to cleanly cancel long
2401
running gpg operations.
2403
`--limit-card-insert-tries `n''
2404
With `n' greater than 0 the number of prompts asking to insert a
2405
smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
2406
all ask to insert a card if none has been inserted at startup. This
2407
option is useful in the configuration file in case an application
2408
does not know about the smartcard support and waits ad infinitum
2409
for an inserted card.
2411
`--no-random-seed-file'
2412
GnuPG uses a file to store its internal random pool over
2413
invocations. This makes random generation faster; however
2414
sometimes write operations are not desired. This option can be
2415
used to achieve that with the cost of slower random generation.
2418
Suppress the initial copyright message.
2420
`--no-secmem-warning'
2421
Suppress the warning about "using insecure memory".
2423
`--no-permission-warning'
2424
Suppress the warning about unsafe file and home directory
2425
(`--homedir') permissions. Note that the permission checks that
2426
GnuPG performs are not intended to be authoritative, but rather
2427
they simply warn about certain common permission problems. Do not
2428
assume that the lack of a warning means that your system is secure.
2430
Note that the warning for unsafe `--homedir' permissions cannot be
2431
suppressed in the gpg.conf file, as this would allow an attacker to
2432
place an unsafe gpg.conf file in place, and use this file to
2433
suppress warnings about itself. The `--homedir' permissions
2434
warning may only be suppressed on the command line.
2437
Suppress the warning about missing MDC integrity protection.
2440
`--no-require-secmem'
2441
Refuse to run if GnuPG cannot get secure memory. Defaults to no
2442
(i.e. run, but give a warning).
2444
`--require-cross-certification'
2445
`--no-require-cross-certification'
2446
When verifying a signature made from a subkey, ensure that the
2447
cross certification "back signature" on the subkey is present and
2448
valid. This protects against a subtle attack against subkeys that
2449
can sign. Defaults to `--require-cross-certification' for `gpg2'.
2453
Allow the user to do certain nonsensical or "silly" things like
2454
signing an expired or revoked key, or certain potentially
2455
incompatible things like generating unusual key types. This also
2456
disables certain warning messages about potentially incompatible
2457
actions. As the name implies, this option is for experts only. If
2458
you don't fully understand the implications of what it allows you
2459
to do, leave this off. `--no-expert' disables this option.
2463
File: gnupg.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options
2465
3.2.2 Key related options
2466
-------------------------
2470
Encrypt for user id NAME. If this option or `--hidden-recipient'
2471
is not specified, GnuPG asks for the user-id unless
2472
`--default-recipient' is given.
2474
`--hidden-recipient NAME'
2476
Encrypt for user ID NAME, but hide the key ID of this user's key.
2477
This option helps to hide the receiver of the message and is a
2478
limited countermeasure against traffic analysis. If this option or
2479
`--recipient' is not specified, GnuPG asks for the user ID unless
2480
`--default-recipient' is given.
2482
`--encrypt-to `name''
2483
Same as `--recipient' but this one is intended for use in the
2484
options file and may be used with your own user-id as an
2485
"encrypt-to-self". These keys are only used when there are other
2486
recipients given either by use of `--recipient' or by the asked
2487
user id. No trust checking is performed for these user ids and
2488
even disabled keys can be used.
2490
`--hidden-encrypt-to `name''
2491
Same as `--hidden-recipient' but this one is intended for use in
2492
the options file and may be used with your own user-id as a hidden
2493
"encrypt-to-self". These keys are only used when there are other
2494
recipients given either by use of `--recipient' or by the asked
2495
user id. No trust checking is performed for these user ids and
2496
even disabled keys can be used.
2499
Disable the use of all `--encrypt-to' and `--hidden-encrypt-to'
2502
`--group `name=value1 ''
2503
Sets up a named group, which is similar to aliases in email
2504
programs. Any time the group name is a recipient (`-r' or
2505
`--recipient'), it will be expanded to the values specified.
2506
Multiple groups with the same name are automatically merged into a
2509
The values are `key IDs' or fingerprints, but any key description
2510
is accepted. Note that a value with spaces in it will be treated as
2511
two different values. Note also there is only one level of
2512
expansion -- you cannot make an group that points to another
2513
group. When used from the command line, it may be necessary to
2514
quote the argument to this option to prevent the shell from
2515
treating it as multiple arguments.
2518
Remove a given entry from the `--group' list.
2521
Remove all entries from the `--group' list.
2525
Use NAME as the key to sign with. Note that this option overrides
2529
Don't look at the key ID as stored in the message but try all
2530
secret keys in turn to find the right decryption key. This option
2531
forces the behaviour as used by anonymous recipients (created by
2532
using `--throw-keyids') and might come handy in case where an
2533
encrypted message contains a bogus key ID.
2537
File: gnupg.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options
2539
3.2.3 Input and Output
2540
----------------------
2544
Create ASCII armored output. The default is to create the binary
2548
Assume the input data is not in ASCII armored format.
2552
Write output to FILE.
2555
This option sets a limit on the number of bytes that will be
2556
generated when processing a file. Since OpenPGP supports various
2557
levels of compression, it is possible that the plaintext of a
2558
given message may be significantly larger than the original
2559
OpenPGP message. While GnuPG works properly with such messages,
2560
there is often a desire to set a maximum file size that will be
2561
generated before processing is forced to stop by the OS limits.
2562
Defaults to 0, which means "no limit".
2564
`--import-options `parameters''
2565
This is a space or comma delimited string that gives options for
2566
importing keys. Options can be prepended with a `no-' to give the
2567
opposite meaning. The options are:
2570
Allow importing key signatures marked as "local". This is not
2571
generally useful unless a shared keyring scheme is being used.
2574
repair-pks-subkey-bug
2575
During import, attempt to repair the damage caused by the PKS
2576
keyserver bug (pre version 0.9.6) that mangles keys with
2577
multiple subkeys. Note that this cannot completely repair the
2578
damaged key as some crucial data is removed by the keyserver,
2579
but it does at least give you back one subkey. Defaults to no
2580
for regular `--import' and to yes for keyserver `--recv-keys'.
2583
During import, allow key updates to existing keys, but do not
2584
allow any new keys to be imported. Defaults to no.
2587
After import, compact (remove all signatures except the
2588
self-signature) any user IDs from the new key that are not
2589
usable. Then, remove any signatures from the new key that
2590
are not usable. This includes signatures that were issued by
2591
keys that are not present on the keyring. This option is the
2592
same as running the `--edit-key' command "clean" after
2593
import. Defaults to no.
2596
Import the smallest key possible. This removes all signatures
2597
except the most recent self-signature on each user ID. This
2598
option is the same as running the `--edit-key' command
2599
"minimize" after import. Defaults to no.
2601
`--export-options `parameters''
2602
This is a space or comma delimited string that gives options for
2603
exporting keys. Options can be prepended with a `no-' to give the
2604
opposite meaning. The options are:
2607
Allow exporting key signatures marked as "local". This is not
2608
generally useful unless a shared keyring scheme is being used.
2612
Include attribute user IDs (photo IDs) while exporting. This
2613
is useful to export keys if they are going to be used by an
2614
OpenPGP program that does not accept attribute user IDs.
2617
export-sensitive-revkeys
2618
Include designated revoker information that was marked as
2619
"sensitive". Defaults to no.
2621
export-reset-subkey-passwd
2622
When using the `--export-secret-subkeys' command, this option
2623
resets the passphrases for all exported subkeys to empty.
2624
This is useful when the exported subkey is to be used on an
2625
unattended machine where a passphrase doesn't necessarily
2626
make sense. Defaults to no.
2629
Compact (remove all signatures from) user IDs on the key being
2630
exported if the user IDs are not usable. Also, do not export
2631
any signatures that are not usable. This includes signatures
2632
that were issued by keys that are not present on the keyring.
2633
This option is the same as running the `--edit-key' command
2634
"clean" before export except that the local copy of the key
2635
is not modified. Defaults to no.
2638
Export the smallest key possible. This removes all signatures
2639
except the most recent self-signature on each user ID. This
2640
option is the same as running the `--edit-key' command
2641
"minimize" before export except that the local copy of the
2642
key is not modified. Defaults to no.
2645
Print key listings delimited by colons. Note that the output will
2646
be encoded in UTF-8 regardless of any `--display-charset' setting.
2647
This format is useful when GnuPG is called from scripts and other
2648
programs as it is easily machine parsed. The details of this
2649
format are documented in the file `doc/DETAILS', which is included
2650
in the GnuPG source distribution.
2653
Do not merge primary user ID and primary key in `--with-colon'
2654
listing mode and print all timestamps as seconds since 1970-01-01.
2656
`--with-fingerprint'
2657
Same as the command `--fingerprint' but changes only the format of
2658
the output and may be used together with another command.
2662
File: gnupg.info, Node: OpenPGP Options, Next: GPG Esoteric Options, Prev: GPG Input and Output, Up: GPG Options
2664
3.2.4 OpenPGP protocol specific options.
2665
----------------------------------------
2669
Treat input files as text and store them in the OpenPGP canonical
2670
text form with standard "CRLF" line endings. This also sets the
2671
necessary flags to inform the recipient that the encrypted or
2672
signed data is text and may need its line endings converted back
2673
to whatever the local system uses. This option is useful when
2674
communicating between two platforms that have different line
2675
ending conventions (UNIX-like to Mac, Mac to Windows, etc).
2676
`--no-textmode' disables this option, and is the default.
2679
`--no-force-v3-sigs'
2680
OpenPGP states that an implementation should generate v4 signatures
2681
but PGP versions 5 through 7 only recognize v4 signatures on key
2682
material. This option forces v3 signatures for signatures on data.
2683
Note that this option implies `--ask-sig-expire',
2684
`--sig-policy-url', `--sig-notation', and `--sig-keyserver-url',
2685
as these features cannot be used with v3 signatures.
2686
`--no-force-v3-sigs' disables this option.
2689
`--no-force-v4-certs'
2690
Always use v4 key signatures even on v3 keys. This option also
2691
changes the default hash algorithm for v3 RSA keys from MD5 to
2692
SHA-1. `--no-force-v4-certs' disables this option.
2695
Force the use of encryption with a modification detection code.
2696
This is always used with the newer ciphers (those with a blocksize
2697
greater than 64 bits), or if all of the recipient keys indicate
2698
MDC support in their feature flags.
2701
Disable the use of the modification detection code. Note that by
2702
using this option, the encrypted message becomes vulnerable to a
2703
message modification attack.
2705
`--personal-cipher-preferences `string''
2706
Set the list of personal cipher preferences to `string'. Use
2707
`gpg2 --version' to get a list of available algorithms, and use
2708
`none' to set no preference at all. This allows the user to
2709
factor in their own preferred algorithms when algorithms are chosen
2710
via recipient key preferences. The most highly ranked cipher in
2711
this list is also used for the `--symmetric' encryption command.
2713
`--personal-digest-preferences `string''
2714
Set the list of personal digest preferences to `string'. Use
2715
`gpg2 --version' to get a list of available algorithms, and use
2716
`none' to set no preference at all. This allows the user to
2717
factor in their own preferred algorithms when algorithms are chosen
2718
via recipient key preferences. The most highly ranked digest
2719
algorithm in this list is algo used when signing without encryption
2720
(e.g. `--clearsign' or `--sign'). The default value is SHA-1.
2722
`--personal-compress-preferences `string''
2723
Set the list of personal compression preferences to `string'. Use
2724
`gpg2 --version' to get a list of available algorithms, and use
2725
`none' to set no preference at all. This allows the user to
2726
factor in their own preferred algorithms when algorithms are
2727
chosen via recipient key preferences. The most highly ranked
2728
compression algorithm in this list is algo used when there are no
2729
recipient keys to consider (e.g. `--symmetric').
2731
`--s2k-cipher-algo `name''
2732
Use `name' as the cipher algorithm used to protect secret keys.
2733
The default cipher is CAST5. This cipher is also used for
2734
conventional encryption if `--personal-cipher-preferences' and
2735
`--cipher-algo' is not given.
2737
`--s2k-digest-algo `name''
2738
Use `name' as the digest algorithm used to mangle the passphrases.
2739
The default algorithm is SHA-1.
2742
Selects how passphrases are mangled. If `n' is 0 a plain
2743
passphrase (which is not recommended) will be used, a 1 adds a
2744
salt to the passphrase and a 3 (the default) iterates the whole
2745
process a number of times (see -s2k-count). Unless `--rfc1991' is
2746
used, this mode is also used for conventional encryption.
2749
Specify how many times the passphrase mangling is repeated. This
2750
value may range between 1024 and 65011712 inclusive, and the
2751
default is 65536. Note that not all values in the 1024-65011712
2752
range are legal and if an illegal value is selected, GnuPG will
2753
round up to the nearest legal value. This option is only
2754
meaningful if `--s2k-mode' is 3.
2757
3.2.5 Compliance options
2758
------------------------
2760
These options control what GnuPG is compliant to. Only one of these
2761
options may be active at a time. Note that the default setting of this
2762
is nearly always the correct one. See the INTEROPERABILITY WITH OTHER
2763
OPENPGP PROGRAMS section below before using one of these options.
2766
Use standard GnuPG behavior. This is essentially OpenPGP behavior
2767
(see `--openpgp'), but with some additional workarounds for common
2768
compatibility problems in different versions of PGP. This is the
2769
default option, so it is not generally needed, but it may be
2770
useful to override a different compliance option in the gpg.conf
2774
Reset all packet, cipher and digest options to strict OpenPGP
2775
behavior. Use this option to reset all previous options like
2776
`--s2k-*', `--cipher-algo', `--digest-algo' and `--compress-algo'
2777
to OpenPGP compliant values. All PGP workarounds are disabled.
2780
Reset all packet, cipher and digest options to strict RFC-4880
2781
behavior. Note that this is currently the same thing as
2785
Reset all packet, cipher and digest options to strict RFC-2440
2789
Try to be more RFC-1991 (PGP 2.x) compliant.
2792
Set up all options to be as PGP 2.x compliant as possible, and
2793
warn if an action is taken (e.g. encrypting to a non-RSA key) that
2794
will create a message that PGP 2.x will not be able to handle.
2795
Note that `PGP 2.x' here means `MIT PGP 2.6.2'. There are other
2796
versions of PGP 2.x available, but the MIT release is a good
2799
This option implies `--rfc1991 --disable-mdc --no-force-v4-certs
2800
--no-sk-comment --escape-from-lines --force-v3-sigs --cipher-algo
2801
IDEA --digest-algo MD5 --compress-algo ZIP'. It also disables
2802
`--textmode' when encrypting.
2805
Set up all options to be as PGP 6 compliant as possible. This
2806
restricts you to the ciphers IDEA (if the IDEA plugin is
2807
installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
2808
and the compression algorithms none and ZIP. This also disables
2809
-throw-keyids, and making signatures with signing subkeys as PGP 6
2810
does not understand signatures made by signing subkeys.
2812
This option implies `--disable-mdc --no-sk-comment
2813
--escape-from-lines --force-v3-sigs'.
2816
Set up all options to be as PGP 7 compliant as possible. This is
2817
identical to `--pgp6' except that MDCs are not disabled, and the
2818
list of allowable ciphers is expanded to add AES128, AES192,
2819
AES256, and TWOFISH.
2822
Set up all options to be as PGP 8 compliant as possible. PGP 8 is
2823
a lot closer to the OpenPGP standard than previous versions of
2824
PGP, so all this does is disable `--throw-keyids' and set
2825
`--escape-from-lines'. All algorithms are allowed except for the
2826
SHA224, SHA384, and SHA512 digests.
2830
File: gnupg.info, Node: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options
2832
3.2.6 Doing things one usually doesn't want to do.
2833
--------------------------------------------------
2837
Don't make any changes (this is not completely implemented).
2840
Changes the behaviour of some commands. This is like `--dry-run'
2841
but different in some cases. The semantic of this command may be
2842
extended in the future. Currently it only skips the actual
2843
decryption pass and therefore enables a fast listing of the
2848
Prompt before overwriting any files.
2851
Set debugging flags. All flags are or-ed and FLAGS may be given in
2852
C syntax (e.g. 0x0042).
2855
Set all useful debugging flags.
2857
`--enable-progress-filter'
2858
Enable certain PROGRESS status outputs. This option allows
2859
frontends to display a progress indicator while gpg is processing
2860
larger files. There is a slight performance overhead using it.
2863
Write special status strings to the file descriptor `n'. See the
2864
file DETAILS in the documentation for a listing of them.
2866
`--status-file `file''
2867
Same as `--status-fd', except the status data is written to file
2871
Write log output to file descriptor `n' and not to stderr.
2874
`--logger-file `file''
2875
Same as `--logger-fd', except the logger data is written to file
2876
`file'. Note that `--log-file' is only implemented for GnuPG-2.
2878
`--attribute-fd `n''
2879
Write attribute subpackets to the file descriptor `n'. This is most
2880
useful for use with `--status-fd', since the status messages are
2881
needed to separate out the various subpackets from the stream
2882
delivered to the file descriptor.
2884
`--attribute-file `file''
2885
Same as `--attribute-fd', except the attribute data is written to
2888
`--comment `string''
2890
Use `string' as a comment string in clear text signatures and ASCII
2891
armored messages or keys (see `--armor'). The default behavior is
2892
not to use a comment string. `--comment' may be repeated multiple
2893
times to get multiple comment strings. `--no-comments' removes all
2894
comments. It is a good idea to keep the length of a single comment
2895
below 60 characters to avoid problems with mail programs wrapping
2896
such lines. Note that comment lines, like all other header lines,
2897
are not protected by the signature.
2901
Force inclusion of the version string in ASCII armored output.
2902
`--no-emit-version' disables this option.
2904
`--sig-notation `name=value''
2905
`--cert-notation `name=value''
2906
`-N, --set-notation `name=value''
2907
Put the name value pair into the signature as notation data.
2908
`name' must consist only of printable characters or spaces, and
2909
must contain a '@' character in the form keyname@domain.example.com
2910
(substituting the appropriate keyname and domain name, of course).
2911
This is to help prevent pollution of the IETF reserved notation
2912
namespace. The `--expert' flag overrides the '@' check. `value'
2913
may be any printable string; it will be encoded in UTF8, so you
2914
should check that your `--display-charset' is set correctly. If
2915
you prefix `name' with an exclamation mark (!), the notation data
2916
will be flagged as critical (rfc2440:5.2.3.15). `--sig-notation'
2917
sets a notation for data signatures. `--cert-notation' sets a
2918
notation for key signatures (certifications). `--set-notation'
2921
There are special codes that may be used in notation names. "%k"
2922
will be expanded into the key ID of the key being signed, "%K"
2923
into the long key ID of the key being signed, "%f" into the
2924
fingerprint of the key being signed, "%s" into the key ID of the
2925
key making the signature, "%S" into the long key ID of the key
2926
making the signature, "%g" into the fingerprint of the key making
2927
the signature (which might be a subkey), "%p" into the fingerprint
2928
of the primary key of the key making the signature, "%c" into the
2929
signature count from the OpenPGP smartcard, and "%%" results in a
2930
single "%". %k, %K, and %f are only meaningful when making a key
2931
signature (certification), and %c is only meaningful when using
2932
the OpenPGP smartcard.
2934
`--sig-policy-url `string''
2935
`--cert-policy-url `string''
2936
`--set-policy-url `string''
2937
Use `string' as a Policy URL for signatures (rfc2440:5.2.3.19). If
2938
you prefix it with an exclamation mark (!), the policy URL packet
2939
will be flagged as critical. `--sig-policy-url' sets a policy url
2940
for data signatures. `--cert-policy-url' sets a policy url for key
2941
signatures (certifications). `--set-policy-url' sets both.
2943
The same %-expandos used for notation data are available here as
2946
`--sig-keyserver-url `string''
2947
Use `string' as a preferred keyserver URL for data signatures. If
2948
you prefix it with an exclamation mark (!), the keyserver URL
2949
packet will be flagged as critical.
2951
The same %-expandos used for notation data are available here as
2954
`--set-filename `string''
2955
Use `string' as the filename which is stored inside messages.
2956
This overrides the default, which is to use the actual filename of
2957
the file being encrypted.
2959
`--for-your-eyes-only'
2960
`--no-for-your-eyes-only'
2961
Set the `for your eyes only' flag in the message. This causes
2962
GnuPG to refuse to save the file unless the `--output' option is
2963
given, and PGP to use a "secure viewer" with a claimed
2964
Tempest-resistant font to display the message. This option
2965
overrides `--set-filename'. `--no-for-your-eyes-only' disables
2968
`--use-embedded-filename'
2969
`--no-use-embedded-filename'
2970
Try to create a file with a name as embedded in the data. This can
2971
be a dangerous option as it allows to overwrite files. Defaults to
2974
`--cipher-algo `name''
2975
Use `name' as cipher algorithm. Running the program with the
2976
command `--version' yields a list of supported algorithms. If this
2977
is not used the cipher algorithm is selected from the preferences
2978
stored with the key. In general, you do not want to use this
2979
option as it allows you to violate the OpenPGP standard.
2980
`--personal-cipher-preferences' is the safe way to accomplish the
2983
`--digest-algo `name''
2984
Use `name' as the message digest algorithm. Running the program
2985
with the command `--version' yields a list of supported
2986
algorithms. In general, you do not want to use this option as it
2987
allows you to violate the OpenPGP standard.
2988
`--personal-digest-preferences' is the safe way to accomplish the
2991
`--compress-algo `name''
2992
Use compression algorithm `name'. "zlib" is RFC-1950 ZLIB
2993
compression. "zip" is RFC-1951 ZIP compression which is used by
2994
PGP. "bzip2" is a more modern compression scheme that can
2995
compress some things better than zip or zlib, but at the cost of
2996
more memory used during compression and decompression.
2997
"uncompressed" or "none" disables compression. If this option is
2998
not used, the default behavior is to examine the recipient key
2999
preferences to see which algorithms the recipient supports. If all
3000
else fails, ZIP is used for maximum compatibility.
3002
ZLIB may give better compression results than ZIP, as the
3003
compression window size is not limited to 8k. BZIP2 may give even
3004
better compression results than that, but will use a significantly
3005
larger amount of memory while compressing and decompressing. This
3006
may be significant in low memory situations. Note, however, that
3007
PGP (all versions) only supports ZIP compression. Using any
3008
algorithm other than ZIP or "none" will make the message
3009
unreadable with PGP. In general, you do not want to use this
3010
option as it allows you to violate the OpenPGP standard.
3011
`--personal-compress-preferences' is the safe way to accomplish
3014
`--cert-digest-algo `name''
3015
Use `name' as the message digest algorithm used when signing a
3016
key. Running the program with the command `--version' yields a
3017
list of supported algorithms. Be aware that if you choose an
3018
algorithm that GnuPG supports but other OpenPGP implementations do
3019
not, then some users will not be able to use the key signatures
3020
you make, or quite possibly your entire key.
3022
`--disable-cipher-algo `name''
3023
Never allow the use of `name' as cipher algorithm. The given name
3024
will not be checked so that a later loaded algorithm will still
3027
`--disable-pubkey-algo `name''
3028
Never allow the use of `name' as public key algorithm. The given
3029
name will not be checked so that a later loaded algorithm will
3034
Do not put the recipient key IDs into encrypted messages. This
3035
helps to hide the receivers of the message and is a limited
3036
countermeasure against traffic analysis. On the receiving side, it
3037
may slow down the decryption process because all available secret
3038
keys must be tried. `--no-throw-keyids' disables this option.
3039
This option is essentially the same as using `--hidden-recipient'
3042
`--not-dash-escaped'
3043
This option changes the behavior of cleartext signatures so that
3044
they can be used for patch files. You should not send such an
3045
armored file via email because all spaces and line endings are
3046
hashed too. You can not use this option for data which has 5
3047
dashes at the beginning of a line, patch files don't have this. A
3048
special armor header line tells GnuPG about this cleartext
3051
`--escape-from-lines'
3052
`--no-escape-from-lines'
3053
Because some mailers change lines starting with "From " to ">From
3054
" it is good to handle such lines in a special way when creating
3055
cleartext signatures to prevent the mail system from breaking the
3056
signature. Note that all other PGP versions do it this way too.
3057
Enabled by default. `--no-escape-from-lines' disables this option.
3059
`--passphrase-repeat `n''
3060
Specify how many times `gpg2' will request a new passphrase be
3061
repeated. This is useful for helping memorize a passphrase.
3062
Defaults to 1 repetition.
3064
`--passphrase-fd `n''
3065
Read the passphrase from file descriptor `n'. Only the first line
3066
will be read from file descriptor `n'. If you use 0 for `n', the
3067
passphrase will be read from stdin. This can only be used if only
3068
one passphrase is supplied. Note that this passphrase is only
3069
used if the option `--batch' has also been given. This is
3070
different from `gpg'.
3072
`--passphrase-file `file''
3073
Read the passphrase from file `file'. Only the first line will be
3074
read from file `file'. This can only be used if only one
3075
passphrase is supplied. Obviously, a passphrase stored in a file is
3076
of questionable security if other users can read this file. Don't
3077
use this option if you can avoid it. Note that this passphrase is
3078
only used if the option `--batch' has also been given. This is
3079
different from `gpg'.
3081
`--passphrase `string''
3082
Use `string' as the passphrase. This can only be used if only one
3083
passphrase is supplied. Obviously, this is of very questionable
3084
security on a multi-user system. Don't use this option if you can
3085
avoid it. Note that this passphrase is only used if the option
3086
`--batch' has also been given. This is different from `gpg'.
3089
This is a replacement for the deprecated shared-memory IPC mode.
3090
If this option is enabled, user input on questions is not expected
3091
from the TTY but from the given file descriptor. It should be used
3092
together with `--status-fd'. See the file doc/DETAILS in the source
3093
distribution for details on how to use it.
3095
`--command-file `file''
3096
Same as `--command-fd', except the commands are read out of file
3099
`--allow-non-selfsigned-uid'
3100
`--no-allow-non-selfsigned-uid'
3101
Allow the import and use of keys with user IDs which are not
3102
self-signed. This is not recommended, as a non self-signed user ID
3103
is trivial to forge. `--no-allow-non-selfsigned-uid' disables.
3105
`--allow-freeform-uid'
3106
Disable all checks on the form of the user ID while generating a
3107
new one. This option should only be used in very special
3108
environments as it does not ensure the de-facto standard format of
3111
`--ignore-time-conflict'
3112
GnuPG normally checks that the timestamps associated with keys and
3113
signatures have plausible values. However, sometimes a signature
3114
seems to be older than the key due to clock problems. This option
3115
makes these checks just a warning. See also `--ignore-valid-from'
3116
for timestamp issues on subkeys.
3118
`--ignore-valid-from'
3119
GnuPG normally does not select and use subkeys created in the
3120
future. This option allows the use of such keys and thus exhibits
3121
the pre-1.0.7 behaviour. You should not use this option unless you
3122
there is some clock problem. See also `--ignore-time-conflict' for
3123
timestamp issues with signatures.
3125
`--ignore-crc-error'
3126
The ASCII armor used by OpenPGP is protected by a CRC checksum
3127
against transmission errors. Occasionally the CRC gets mangled
3128
somewhere on the transmission channel but the actual content
3129
(which is protected by the OpenPGP protocol anyway) is still okay.
3130
This option allows GnuPG to ignore CRC errors.
3132
`--ignore-mdc-error'
3133
This option changes a MDC integrity protection failure into a
3134
warning. This can be useful if a message is partially corrupt,
3135
but it is necessary to get as much data as possible out of the
3136
corrupt message. However, be aware that a MDC protection failure
3137
may also mean that the message was tampered with intentionally by
3140
`--no-default-keyring'
3141
Do not add the default keyrings to the list of keyrings. Note that
3142
GnuPG will not operate without any keyrings, so if you use this
3143
option and do not provide alternate keyrings via `--keyring' or
3144
`--secret-keyring', then GnuPG will still use the default public or
3148
Skip the signature verification step. This may be used to make the
3149
decryption faster if the signature verification is not needed.
3152
Print key listings delimited by colons (like `--with-colons') and
3153
print the public key data.
3156
Changes the output of the list commands to work faster; this is
3157
achieved by leaving some parts empty. Some applications don't need
3158
the user ID and the trust information given in the listings. By
3159
using this options they can get a faster listing. The exact
3160
behaviour of this option may change in future versions. If you
3161
are missing some information, don't use this option.
3164
This is not for normal use. Use the source to see for what it
3168
This is not for normal use. Use the source to see for what it
3171
`--show-session-key'
3172
Display the session key used for one message. See
3173
`--override-session-key' for the counterpart of this option.
3175
We think that Key Escrow is a Bad Thing; however the user should
3176
have the freedom to decide whether to go to prison or to reveal
3177
the content of one specific message without compromising all
3178
messages ever encrypted for one secret key. DON'T USE IT UNLESS
3179
YOU ARE REALLY FORCED TO DO SO.
3181
`--override-session-key `string''
3182
Don't use the public key but the session key `string'. The format
3183
of this string is the same as the one printed by
3184
`--show-session-key'. This option is normally not used but comes
3185
handy in case someone forces you to reveal the content of an
3186
encrypted message; using this option you can do this without
3187
handing out the secret key.
3190
`--no-ask-sig-expire'
3191
When making a data signature, prompt for an expiration time. If
3192
this option is not specified, the expiration time set via
3193
`--default-sig-expire' is used. `--no-ask-sig-expire' disables
3194
this option. Note that by default, `--force-v3-sigs' is set which
3195
also disables this option. If you want signature expiration, you
3196
must set `--no-force-v3-sigs' as well as turning
3197
`--ask-sig-expire' on.
3199
`--default-sig-expire'
3200
The default expiration time to use for signature expiration. Valid
3201
values are "0" for no expiration, a number followed by the letter d
3202
(for days), w (for weeks), m (for months), or y (for years) (for
3203
example "2m" for two months, or "5y" for five years), or an
3204
absolute date in the form YYYY-MM-DD. Defaults to "0".
3207
`--no-ask-cert-expire'
3208
When making a key signature, prompt for an expiration time. If this
3209
option is not specified, the expiration time set via
3210
`--default-cert-expire' is used. `--no-ask-cert-expire' disables
3213
`--default-cert-expire'
3214
The default expiration time to use for key signature expiration.
3215
Valid values are "0" for no expiration, a number followed by the
3216
letter d (for days), w (for weeks), m (for months), or y (for
3217
years) (for example "2m" for two months, or "5y" for five years),
3218
or an absolute date in the form YYYY-MM-DD. Defaults to "0".
3220
`--allow-secret-key-import'
3221
This is an obsolete option and is not used anywhere.
3223
`--allow-multiple-messages'
3225
`--no-allow-multiple-messages'
3226
Allow processing of multiple OpenPGP messages contained in a single
3227
file or stream. Some programs that call GPG are not prepared to
3228
deal with multiple messages being processed together, so this
3229
option defaults to no. Note that versions of GPG prior to 1.4.7
3230
always allowed multiple messages.
3232
`--enable-special-filenames'
3233
This options enables a mode in which filenames of the form `-&n',
3234
where n is a non-negative decimal number, refer to the file
3235
descriptor n and not to a file with that name.
3237
`--no-expensive-trust-checks'
3238
Experimental use only.
3240
`--preserve-permissions'
3241
Don't change the permissions of a secret keyring back to user
3242
read/write only. Use this option only if you really know what you
3245
`--default-preference-list `string''
3246
Set the list of default preferences to `string'. This preference
3247
list is used for new keys and becomes the default for "setpref" in
3250
`--default-keyserver-url `name''
3251
Set the default keyserver URL to `name'. This keyserver will be
3252
used as the keyserver URL when writing a new self-signature on a
3253
key, which includes key generation and changing preferences.
3256
Display various internal configuration parameters of GnuPG. This
3257
option is intended for external programs that call GnuPG to
3258
perform tasks, and is thus not generally useful. See the file
3259
`doc/DETAILS' in the source distribution for the details of which
3260
configuration items may be listed. `--list-config' is only usable
3261
with `--with-colons' set.
3264
This command is similar to `--list-config' but in general only
3265
internally used by the `gpgconf' tool.
3268
This is more or less dummy action. However it parses the
3269
configuration file and returns with failure if the configuration
3270
file would prevent `gpg' from startup. Thus it may be used to run
3271
a syntax check on the configuration file.
3274
3.2.7 Deprecated options
3275
------------------------
3279
Causes `--list-keys', `--list-sigs', `--list-public-keys',
3280
`--list-secret-keys', and verifying a signature to also display
3281
the photo ID attached to the key, if any. See also
3282
`--photo-viewer'. These options are deprecated. Use
3283
`--list-options [no-]show-photos' and/or `--verify-options
3284
[no-]show-photos' instead.
3287
Display the keyring name at the head of key listings to show which
3288
keyring a given key resides on. This option is deprecated: use
3289
`--list-options [no-]show-keyring' instead.
3292
Identical to `--trust-model always'. This option is deprecated.
3295
`--no-show-notation'
3296
Show signature notations in the `--list-sigs' or `--check-sigs'
3297
listings as well as when verifying a signature with a notation in
3298
it. These options are deprecated. Use `--list-options
3299
[no-]show-notation' and/or `--verify-options [no-]show-notation'
3303
`--no-show-policy-url'
3304
Show policy URLs in the `--list-sigs' or `--check-sigs' listings
3305
as well as when verifying a signature with a policy URL in it.
3306
These options are deprecated. Use `--list-options
3307
[no-]show-policy-url' and/or `--verify-options
3308
[no-]show-policy-url' instead.
3312
File: gnupg.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG
3314
3.3 Configuration files
3315
=======================
3317
There are a few configuration files to control certain aspects of
3318
`gpg2''s operation. Unless noted, they are expected in the current home
3319
directory (*note option --homedir::).
3322
This is the standard configuration file read by `gpg2' on startup.
3323
It may contain any valid long option; the leading two dashes may
3324
not be entered and the option may not be abbreviated. This default
3325
name may be changed on the command line (*note option --options::).
3328
Note that on larger installations, it is useful to put predefined
3329
files into the directory `/etc/skel/.gnupg/' so that newly created users
3330
start up with a working configuration. For existing users the a small
3331
helper script is provided to create these files (*note addgnupghome::).
3333
For internal purposes `gpg2' creates and maintains a few other
3334
files; They all live in in the current home directory (*note option
3335
--homedir::). Only the `gpg2' may modify these files.
3337
`~/.gnupg/secring.gpg'
3340
`~/.gnupg/secring.gpg.lock'
3343
`~/.gnupg/pubring.gpg'
3346
`~/.gnupg/pubring.gpg.lock'
3349
`~/.gnupg/trustdb.gpg'
3352
`~/.gnupg/trustdb.gpg.lock'
3355
`~/.gnupg/random_seed'
3356
used to preserve the internal random pool
3358
`/usr[/local]/share/gnupg/options.skel'
3359
Skeleton options file
3361
`/usr[/local]/lib/gnupg/'
3362
Default location for extensions
3365
Operation is further controlled by a few environment variables:
3368
Used to locate the default home directory.
3371
If set directory used instead of "~/.gnupg".
3374
Used to locate the gpg-agent. The value consists of 3 colon
3375
delimited fields: The first is the path to the Unix Domain Socket,
3376
the second the PID of the gpg-agent and the protocol version which
3377
should be set to 1. When starting the gpg-agent as described in
3378
its documentation, this variable is set to the correct value. The
3379
option `--gpg-agent-info' can be used to override it.
3382
This value is passed via gpg-agent to pinentry. It is useful to
3383
convey extra information to a custom pinentry
3387
Used to size some displays to the full size of the screen.
3390
Apart from its use by GNU, it is used in the W32 version to
3391
override the language selection done through the Registry. If
3392
used and set to a a valid and available language name (LANGID),
3393
the file with the translation is loaded from
3394
`GPGDIR/gnupg.nls/LANGID.mo'. Here GPGDIR is the directory out of
3395
which the gpg binary has been laoded. If it can't be loaded the
3396
Registry is tried and as last resort the native Windows locale
3401
File: gnupg.info, Node: GPG Examples, Prev: GPG Configuration, Up: Invoking GPG
3406
gpg -se -r `Bob' `file'
3407
sign and encrypt for user Bob
3409
gpg -clearsign `file'
3410
make a clear text signature
3413
make a detached signature
3415
gpg -list-keys `user_ID'
3418
gpg -fingerprint `user_ID'
3421
gpg -verify `pgpfile'
3422
gpg -verify `sigfile'
3423
Verify the signature of the file but do not output the data. The
3424
second form is used for detached signatures, where `sigfile' is
3425
the detached signature (either ASCII armored or binary) and are
3426
the signed data; if this is not given, the name of the file
3427
holding the signed data is constructed by cutting off the
3428
extension (".asc" or ".sig") of `sigfile' or by asking the user
3434
The program returns 0 if everything was fine, 1 if at least a signature
3435
was bad, and other error codes for fatal errors.
3440
Use a *good* password for your user account and a *good* passphrase to
3441
protect your secret key. This passphrase is the weakest part of the
3442
whole system. Programs to do dictionary attacks on your secret keyring
3443
are very easy to write and so you should protect your "~/.gnupg/"
3444
directory very well.
3446
Keep in mind that, if this program is used over a network (telnet),
3447
it is *very* easy to spy out your passphrase!
3449
If you are going to verify detached signatures, make sure that the
3450
program knows about it; either give both filenames on the command line
3451
or use `-' to specify stdin.
3453
INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
3454
********************************************
3456
GnuPG tries to be a very flexible implementation of the OpenPGP
3457
standard. In particular, GnuPG implements many of the optional parts of
3458
the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
3459
compression algorithms. It is important to be aware that not all
3460
OpenPGP programs implement these optional algorithms and that by
3461
forcing their use via the `--cipher-algo', `--digest-algo',
3462
`--cert-digest-algo', or `--compress-algo' options in GnuPG, it is
3463
possible to create a perfectly valid OpenPGP message, but one that
3464
cannot be read by the intended recipient.
3466
There are dozens of variations of OpenPGP programs available, and
3467
each supports a slightly different subset of these optional algorithms.
3468
For example, until recently, no (unhacked) version of PGP supported the
3469
BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
3470
read by a PGP user. By default, GnuPG uses the standard OpenPGP
3471
preferences system that will always do the right thing and create
3472
messages that are usable by all recipients, regardless of which OpenPGP
3473
program they use. Only override this safe default if you really know
3476
If you absolutely must override the safe default, or if the
3477
preferences on a given key are invalid for some reason, you are far
3478
better off using the `--pgp6', `--pgp7', or `--pgp8' options. These
3479
options are safe as they do not force any particular algorithms in
3480
violation of OpenPGP, but rather reduce the available algorithms to a
3486
On many systems this program should be installed as setuid(root). This
3487
is necessary to lock memory pages. Locking memory pages prevents the
3488
operating system from writing memory pages (which may contain
3489
passphrases or other sensitive material) to disk. If you get no warning
3490
message about insecure memory your operating system supports locking
3491
without being root. The program drops root privileges as soon as locked
3492
memory is allocated.
3494
Note also that some systems (especially laptops) have the ability to
3495
"suspend to disk" (also known as "safe sleep" or "hibernate"). This
3496
writes all memory to disk before going into a low power or even powered
3497
off mode. Unless measures are taken in the operating system to protect
3498
the saved memory, passphrases or other sensitive material may be
3499
recoverable from it later.
3502
File: gnupg.info, Node: Invoking GPGSM, Next: Invoking SCDAEMON, Prev: Invoking GPG, Up: Top
3507
`gpgsm' is a tool similar to `gpg' to provide digital encryption and
3508
signing servicesd on X.509 certificates and the CMS protocol. It is
3509
mainly used as a backend for S/MIME mail processing. `gpgsm' includes
3510
a full features certificate management and complies with all rules
3511
defined for the German Sphinx project.
3513
*Note Option Index::, for an index to `GPGSM''s commands and options.
3517
* GPGSM Commands:: List of all commands.
3518
* GPGSM Options:: List of all options.
3519
* GPGSM Configuration:: Configuration files.
3520
* GPGSM Examples:: Some usage examples.
3522
Developer information:
3523
* Unattended Usage:: Using `gpgsm' from other programs.
3524
* GPGSM Protocol:: The protocol the server mode uses.
3527
File: gnupg.info, Node: GPGSM Commands, Next: GPGSM Options, Up: Invoking GPGSM
3532
Commands are not distinguished from options except for the fact that
3533
only one command is allowed.
3537
* General GPGSM Commands:: Commands not specific to the functionality.
3538
* Operational GPGSM Commands:: Commands to select the type of operation.
3539
* Certificate Management:: How to manage certificates.
3542
File: gnupg.info, Node: General GPGSM Commands, Next: Operational GPGSM Commands, Up: GPGSM Commands
3544
4.1.1 Commands not specific to the function
3545
-------------------------------------------
3548
Print the program version and licensing information. Not that you
3549
can abbreviate this command.
3552
Print a usage message summarizing the most usefule command-line
3553
options. Not that you can abbreviate this command.
3556
Print warranty information.
3559
Print a list of all available options and commands. Not that you
3560
can abbreviate this command.
3563
File: gnupg.info, Node: Operational GPGSM Commands, Next: Certificate Management, Prev: General GPGSM Commands, Up: GPGSM Commands
3565
4.1.2 Commands to select the type of operation
3566
----------------------------------------------
3569
Perform an encryption. The keys the data is encrypted too must be
3570
set using the option `--recipient'.
3573
Perform a decryption; the type of input is automatically
3574
determined. It may either be in binary form or PEM encoded;
3575
automatic determination of base-64 encoding is not done.
3578
Create a digital signature. The key used is either the fist one
3579
found in the keybox or those set with the `--local-user' option.
3582
Check a signature file for validity. Depending on the arguments a
3583
detached signatrue may also be checked.
3586
Run in server mode and wait for commands on the `stdin'.
3588
`--call-dirmngr COMMAND [ARGS]'
3589
Behave as a Dirmngr client issuing the request COMMAND with the
3590
optional list of ARGS. The output of the Dirmngr is printed
3591
stdout. Please note that file names given as arguments should
3592
have an absulte file name (i.e. commencing with `/' because they
3593
are passed verbatim to the Dirmngr and the working directory of the
3594
Dirmngr might not be the same as the one of this client.
3595
Currently it is not possible to pass data via stdin to the
3596
Dirmngr. COMMAND should not contain spaces.
3598
This is command is required for certain maintaining tasks of the
3599
dirmngr where a dirmngr must be able to call back to `gpgsm'. See
3600
the Dirmngr manual for details.
3602
`--call-protect-tool ARGUMENTS'
3603
Certain maintenance operations are done by an external program call
3604
`gpg-protect-tool'; this is usually not installed in a directory
3605
listed in the PATH variable. This command provides a simple
3606
wrapper to access this tool. ARGUMENTS are passed verbatim to
3607
this command; use `--help' to get a list of supported operations.
3611
File: gnupg.info, Node: Certificate Management, Prev: Operational GPGSM Commands, Up: GPGSM Commands
3613
4.1.3 How to manage the certificates and keys
3614
---------------------------------------------
3617
This command allows the interactive creation of a certifcate
3618
signing request. It is commonly used along with the `--output'
3619
option to save the created CSR into a file.
3623
List all available certificates stored in the local key database.
3624
Note that the displayed data might be reformatted for better human
3625
readability and illegal characters are replaced by safe
3628
`--list-secret-keys'
3630
List all available certificates for which a corresponding a secret
3633
`--list-external-keys PATTERN'
3634
List certificates matching PATTERN using an external server. This
3635
utilizes the `dirmngr' service.
3638
Same as `--list-keys' but also prints all keys making up the chain.
3642
List all available certificates stored in the local key database
3643
using a format useful mainly for debugging.
3646
Same as `--dump-keys' but also prints all keys making up the chain.
3648
`--dump-secret-keys'
3649
List all available certificates for which a corresponding a secret
3650
key is available using a format useful mainly for debugging.
3652
`--dump-external-keys PATTERN'
3653
List certificates matching PATTERN using an external server. This
3654
utilizes the `dirmngr' service. It uses a format useful mainly
3657
`--keydb-clear-some-cert-flags'
3658
This is a debugging aid to reset certain flags in the key database
3659
which are used to cache certain certificate stati. It is
3660
especially useful if a bad CRL or a weird running OCSP reponder
3661
did accidently revoke certificate. There is no security issue
3662
with this command because `gpgsm' always make sure that the
3663
validity of a certificate is checked right before it is used.
3665
`--delete-keys PATTERN'
3666
Delete the keys matching PATTERN.
3668
`--export [PATTERN]'
3669
Export all certificates stored in the Keybox or those specified by
3670
the optional PATTERN. Those pattern consist of a list of user ids
3671
(*note how-to-specify-a-user-id::). When used along with the
3672
`--armor' option a few informational lines are prepended before
3673
each block. There is one limitation: As there is no commonly
3674
agreed upon way to pack more than one certificate into an ASN.1
3675
structure, the binary export (i.e. without using `armor') works
3676
only for the export of one certificate. Thus it is required to
3677
specify a PATTERN which yields exactly one certificate.
3679
`--export-secret-key-p12 KEY-ID'
3680
Export the private key and the certificate identified by KEY-ID in
3681
a PKCS#12 format. When using along with the `--armor' option a few
3682
informational lines are prepended to the output. Note, that the
3683
PKCS#12 format is not very secure and this command is only
3684
provided if there is no other way to exchange the private key.
3685
(*note option --p12-charset::)
3688
Import the certificates from the PEM or binary encoded files as
3689
well as from signed-only messages. This command may also be used
3690
to import a secret key from a PKCS#12 file.
3693
Read information about the private keys from the smartcard and
3694
import the certificates from there. This command utilizes the
3695
`gpg-agent' and in turn the `scdaemon'.
3698
Change the passphrase of the private key belonging to the
3699
certificate specified as USER_ID. Note, that changing the
3700
passphrase/PIN of a smartcard is not yet supported.
3704
File: gnupg.info, Node: GPGSM Options, Next: GPGSM Configuration, Prev: GPGSM Commands, Up: Invoking GPGSM
3709
`GPGSM' comes features a bunch ofoptions to control the exact behaviour
3710
and to change the default configuration.
3714
* Configuration Options:: How to change the configuration.
3715
* Certificate Options:: Certificate related options.
3716
* Input and Output:: Input and Output.
3717
* CMS Options:: How to change how the CMS is created.
3718
* Esoteric Options:: Doing things one usually don't want to do.
3721
File: gnupg.info, Node: Configuration Options, Next: Certificate Options, Up: GPGSM Options
3723
4.2.1 How to change the configuration
3724
-------------------------------------
3726
These options are used to change the configuraton and are usually found
3730
Reads configuration from FILE instead of from the default per-user
3731
configuration file. The default configuration file is named
3732
`gpgsm.conf' and expected in the `.gnupg' directory directly below
3733
the home directory of the user.
3736
Set the name of the home directory to DIR. If his option is not
3737
used, the home directory defaults to `~/.gnupg'. It is only
3738
recognized when given on the command line. It also overrides any
3739
home directory stated through the environment variable `GNUPGHOME'
3740
or (on W32 systems) by means on the Registry entry
3741
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
3746
Outputs additional information while running. You can increase
3747
the verbosity by giving several verbose commands to `gpgsm', such
3750
`--policy-file FILENAME'
3751
Change the default name of the policy file to FILENAME.
3753
`--agent-program FILE'
3754
Specify an agent program to be used for secret key operations. The
3755
default value is the `/usr/local/bin/gpg-agent'. This is only used
3756
as a fallback when the envrionment variable `GPG_AGENT_INFO' is not
3757
set or a running agent can't be connected.
3759
`--dirmngr-program FILE'
3760
Specify a dirmngr program to be used for CRL checks. The default
3761
value is `/usr/sbin/dirmngr'. This is only used as a fallback
3762
when the environment variable `DIRMNGR_INFO' is not set or a
3763
running dirmngr can't be connected.
3765
`--prefer-system-dirmngr'
3766
If a system wide `dirmngr' is running in daemon mode, first try to
3767
connect to this one. Fallback to a pipe based server if this does
3768
not work. Under Windows this option is ignored because the system
3769
dirmngr is always used.
3772
Entirely disable the use of the Dirmngr.
3774
`--no-secmem-warning'
3775
Don't print a warning when the so called "secure memory" can't be
3779
When running in server mode, append all logging output to FILE.
3783
File: gnupg.info, Node: Certificate Options, Next: Input and Output, Prev: Configuration Options, Up: GPGSM Options
3785
4.2.2 Certificate related options
3786
---------------------------------
3788
`--enable-policy-checks'
3789
`--disable-policy-checks'
3790
By default policy checks are enabled. These options may be used to
3793
`--enable-crl-checks'
3794
`--disable-crl-checks'
3795
By default the CRL checks are enabled and the DirMngr is used to
3796
check for revoked certificates. The disable option is most useful
3797
with an off-line network connection to suppress this check.
3799
`--enable-trusted-cert-crl-check'
3800
`--disable-trusted-cert-crl-check'
3801
By default the CRL for trusted root certificates are checked like
3802
for any other certificates. This allows a CA to revoke its own
3803
certificates voluntary without the need of putting all ever issued
3804
certificates into a CRL. The disable option may be used to switch
3805
this extra check off. Due to the caching done by the Dirmngr,
3806
there won't be any noticeable performance gain. Note, that this
3807
also disables possible OCSP checks for trusted root certificates.
3808
A more specific way of disabling this check is by adding the
3809
"relax" keyword to the root CA line of the `trustlist.txt'
3811
`--force-crl-refresh'
3812
Tell the dirmngr to reload the CRL for each request. For better
3813
performance, the dirmngr will actually optimize this by suppressing
3814
the loading for short time intervalls (e.g. 30 minutes). This
3815
option is useful to make sure that a fresh CRL is available for
3816
certificates hold in the keybox. The suggested way of doing this
3817
is by using it along with the option `--with-validation' for a key
3818
listing command. This option should not be used in a
3823
Be default OCSP checks are disabled. The enable option may be
3824
used to enable OCSP checks via Dirmngr. If CRL checks are also
3825
enabled, CRLs will be used as a fallback if for some reason an
3826
OCSP request won't succeed. Note, that you have to allow OCSP
3827
requests in Dirmngr's configuration too (option `--allow-ocsp' and
3828
configure dirmngr properly. If you don't do so you will get the
3829
error code `Not supported'.
3831
`--auto-issuer-key-retrieve'
3832
If a required certificate is missing while validating the chain of
3833
certificates, try to load that certificate from an external
3834
location. This usually means that Dirmngr is employed t search
3835
for the certificate. Note that this option makes a "web bug" like
3836
behavior possible. LDAP server operators can see which keys you
3837
request, so by sending you a message signed by a brand new key
3838
(which you naturally will not have on your local keybox), the
3839
operator can tell both your IP address and the time when you
3840
verified the signature.
3842
`--validation-model NAME'
3843
This option changes the default validation model. The only
3844
possible values are "shell" (which is the default) and "chain"
3845
which forces the use of the chain model. The chain model is also
3846
used if an option in the `trustlist.txt' or an attribute of the
3847
certificate requests it. However the standard model (shell) is in
3848
that case always tried first.
3852
File: gnupg.info, Node: Input and Output, Next: CMS Options, Prev: Certificate Options, Up: GPGSM Options
3854
4.2.3 Input and Output
3855
----------------------
3859
Create PEM encoded output. Default is binary output.
3862
Create Base-64 encoded output; i.e. PEM without the header lines.
3865
Assume the input data is PEM encoded. Default is to autodetect the
3866
encoding but this is may fail.
3869
Assume the input data is plain base-64 encoded.
3872
Assume the input data is binary encoded.
3874
`--p12-charset NAME'
3875
`gpgsm' uses the UTF-8 encoding when encoding passphrases for
3876
PKCS#12 files. This option may be used to force the passphrase to
3877
be encoded in the specified encoding NAME. This is useful if the
3878
application used to import the key uses a different encoding and
3879
thus won't be able to import a file generated by `gpgsm'. Commonly
3880
used values for NAME are `Latin1' and `CP850'. Note that `gpgsm'
3881
itself automagically imports any file with a passphrase encoded to
3882
the most commonly used encodings.
3884
`--default-key USER_ID'
3885
Use USER_ID as the standard key for signing. This key is used if
3886
no other key has been defined as a signing key. Note, that the
3887
first `--local-users' option also sets this key if it has not yet
3888
been set; however `--default-key' always overrides this.
3890
`--local-user USER_ID'
3893
Set the user(s) to be used for signing. The default is the first
3894
secret key found in the database.
3898
Encrypt to the user id NAME. There are several ways a user id may
3899
be given (*note how-to-specify-a-user-id::).
3903
Write output to FILE. The default is to write it to stdout.
3906
Displays extra information with the `--list-keys' commands.
3907
Especially a line tagged `grp' is printed which tells you the
3908
keygrip of a key. This string is for example used as the file
3909
name of the secret key.
3912
When doing a key listing, do a full validation check for each key
3913
and print the result. This is usually a slow operation because it
3914
requires a CRL lookup and other operations.
3916
When used along with -import, a validation of the certificate to
3917
import is done and only imported if it succeeds the test. Note
3918
that this does not affect an already available cwertificate in the
3919
DB. This option is therefore useful to simply verify a
3922
`--with-md5-fingerprint'
3923
For standard key listings, also print the MD5 fingerprint of the
3928
File: gnupg.info, Node: CMS Options, Next: Esoteric Options, Prev: Input and Output, Up: GPGSM Options
3930
4.2.4 How to change how the CMS is created.
3931
-------------------------------------------
3934
Using N of -2 includes all certificate except for the root cert,
3935
-1 includes all certs, 0 does not include any certs, 1 includes
3936
only the signers cert (this is the default) and all other positive
3937
values include up to N certificates starting with the signer cert.
3940
Use the cipher algorithm with the ASN.1 object identifier OID for
3941
encryption. For convenience the strings `3DES', `AES' and
3942
`AES256' may be used instead of their OIDs. The default is `3DES'
3943
(1.2.840.113549.3.7).
3947
File: gnupg.info, Node: Esoteric Options, Prev: CMS Options, Up: GPGSM Options
3949
4.2.5 Doing things one usually don't want to do.
3950
------------------------------------------------
3952
`--extra-digest-algo NAME'
3953
Sometimes signatures are broken in that they announce a different
3954
digest algorithm than actually used. `gpgsm' uses a one-pass data
3955
processing model and thus needs to rely on the announcde digest
3956
algorithms to properly hash the data. As a workaround this option
3957
may be used to tell gpg to also hash the data using the algorithm
3958
NAME; this slows processing down a little bit but allows to verify
3959
such broken signatures. If `gpgsm' prints an error like "digest
3960
algo 8 has not been enabled" you may want to try this option, with
3963
`--faked-system-time EPOCH'
3964
This option is only useful for testing; it sets the system time
3965
back or forth to EPOCH which is the number of seconds elapsed
3966
since the year 1970. Alternativly EPOCH may be given as a full
3967
ISO time string (e.g. "20070924T154812").
3969
`--with-ephemeral-keys'
3970
Include ephemeral flagged keys in the output of key listings.
3972
`--debug-level LEVEL'
3973
Select the debug level for investigating problems. LEVEL may be
3977
no debugging at all.
3980
some basic debug messages
3983
more verbose debug messages
3986
even more detailed messages
3989
all of the debug messages you can get
3991
How these messages are mapped to the actual debugging flags is not
3992
specified and may change with newer releases of this program. They
3993
are however carefully selected to best aid in debugging.
3996
This option is only useful for debugging and the behaviour may
3997
change at any time without notice; using `--debug-levels' is the
3998
preferred method to select the debug verbosity. FLAGS are bit
3999
encoded and may be given in usual C-Syntax. The currently defined
4003
X.509 or OpenPGP protocol related data
4006
values of big number integers
4009
low level crypto operations
4018
show memory statistics.
4021
write hashed data to files named `dbgmd-000*'
4024
trace Assuan protocol
4026
Note, that all flags set using this option may get overriden by
4030
Same as `--debug=0xffffffff'
4032
`--debug-allow-core-dump'
4033
Usually `gpgsm' tries to avoid dumping core by well written code
4034
and by disabling core dumps for security reasons. However, bugs
4035
are pretty durable beasts and to squash them it is sometimes
4036
useful to have a core dump. This option enables core dumps unless
4037
the Bad Thing happened before the option parsing.
4039
`--debug-no-chain-validation'
4040
This is actually not a debugging option but only useful as such.
4041
It lets `gpgsm' bypass all certificate chain validation checks.
4043
`--debug-ignore-expiration'
4044
This is actually not a debugging option but only useful as such.
4045
It lets `gpgsm' ignore all notAfter dates, this is used by the
4048
`--fixed-passphrase STRING'
4049
Supply the passphrase STRING to the gpg-protect-tool. This option
4050
is only useful for the regression tests included with this package
4051
and may be revised or removed at any time without notice.
4053
`--no-common-certs-import'
4054
Suppress the import of common certificates on keybox creation.
4057
All the long options may also be given in the configuration file
4058
after stripping off the two leading dashes.
4061
File: gnupg.info, Node: GPGSM Configuration, Next: GPGSM Examples, Prev: GPGSM Options, Up: Invoking GPGSM
4063
4.3 Configuration files
4064
=======================
4066
There are a few configuration files to control certain aspects of
4067
`gpgsm''s operation. Unless noted, they are expected in the current
4068
home directory (*note option --homedir::).
4071
This is the standard configuration file read by `gpgsm' on
4072
startup. It may contain any valid long option; the leading two
4073
dashes may not be entered and the option may not be abbreviated.
4074
This default name may be changed on the command line (*note option
4078
This is a list of allowed CA policies. This file should list the
4079
object identifiers of the policies line by line. Empty lines and
4080
lines starting with a hash mark are ignored. Policies missing in
4081
this file and not marked as critical in the certificate will print
4082
only a warning; certificates with policies marked as critical and
4083
not listed in this file will fail the signature verification.
4085
For example, to allow only the policy 2.289.9.9, the file should
4092
This is the list of root certificates used for qualified
4093
certificates. They are defined as certificates capable of
4094
creating legally binding signatures in the same way as handwritten
4095
signatures are. Comments start with a hash mark and empty lines
4096
are ignored. Lines do have a length limit but this is not a
4097
serious limitation as the format of the entries is fixed and
4098
checked by gpgsm: A non-comment line starts with optional
4099
whitespace, followed by exactly 40 hex character, white space and
4100
a lowercased 2 letter country code. Additional data delimited with
4101
by a white space is current ignored but might late be used for
4104
Note that even if a certificate is listed in this file, this does
4105
not mean that the certificate is trusted; in general the
4106
certificates listed in this file need to be listed also in
4109
This is a global file an installed in the data directory (e.g.
4110
`/usr/share/gnupg/qualified.txt'). GnuPG installs a suitable file
4111
with root certificates as used in Germany. As new Root-CA
4112
certificates may be issued over time, these entries may need to be
4113
updated; new distributions of this software should come with an
4114
updated list but it is still the responsibility of the
4115
Administrator to check that this list is correct.
4117
Everytime `gpgsm' uses a certificate for signing or verification
4118
this file will be consulted to check whether the certificate under
4119
question has ultimately been issued by one of these CAs. If this
4120
is the case the user will be informed that the verified signature
4121
represents a legally binding ("qualified") signature. When
4122
creating a signature using such a certificate an extra prompt will
4123
be issued to let the user confirm that such a legally binding
4124
signature shall really be created.
4126
Because this software has not yet been approved for use with such
4127
certificates, appropriate notices will be shown to indicate this
4131
This is plain text file with a few help entries used with
4132
`pinentry' as well as a large list of help items for `gpg' and
4133
`gpgsm'. The standard file has English help texts; to install
4134
localized versions use filenames like `help.LL.txt' with LL
4135
denoting the locale. GnuPG comes with a set of predefined help
4136
files in the data directory (e.g. `/usr/share/gnupg/help.de.txt')
4137
and allows overriding of any help item by help files stored in the
4138
system configuration directory (e.g. `/etc/gnupg/help.de.txt').
4139
For a reference of the help file's syntax, please see the installed
4143
Note that on larger installations, it is useful to put predefined
4144
files into the directory `/etc/skel/.gnupg/' so that newly created users
4145
start up with a working configuration. For existing users the a small
4146
helper script is provided to create these files (*note addgnupghome::).
4148
For internal purposes gpgsm creates and maintaines a few other files;
4149
They all live in in the current home directory (*note option
4150
--homedir::). Only `gpgsm' may modify these files.
4153
This a database file storing the certificates as well as meta
4154
information. For debugging purposes the tool `kbxutil' may be
4155
used to show the internal structure of this file.
4158
This content of this file is used to maintain the internal state
4159
of the random number generator accross invocations. The same file
4160
is used by other programs of this software too.
4163
If this file exists and the environment variable `GPG_AGENT_INFO'
4164
is not set, `gpgsm' will first try to connect to this socket for
4165
accessing `gpg-agent' before starting a new `gpg-agent' instance.
4166
Under Windows this socket (which in reality be a plain file
4167
describing a regular TCP litening port) is the standard way of
4168
connecting the `gpg-agent'.
4172
File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
4177
$ gpgsm -er goo@bar.net <plaintext >ciphertext
4180
File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
4182
4.5 Unattended Usage
4183
====================
4185
`gpgsm' is often used as a backend engine by other software. To help
4186
with this a machine interface has been defined to have an unambiguous
4187
way to do this. This is most likely used with the `--server' command
4188
but may also be used in the standard operation mode by using the
4189
`--status-fd' option.
4193
* Automated signature checking:: Automated signature checking.
4196
File: gnupg.info, Node: Automated signature checking, Up: Unattended Usage
4198
4.6 Automated signature checking
4199
================================
4201
It is very important to understand the semantics used with signature
4202
verification. Checking a signature is not as simple as it may sound and
4203
so the ooperation si a bit complicated. In mosted cases it is required
4204
to look at several status lines. Here is a table of all cases a signed
4207
The signature is valid
4208
This does mean that the signature has been successfully verified,
4209
the certificates are all sane. However there are two subcases with
4210
important information: One of the certificates may have expired
4211
or a signature of a message itself as expired. It is a sound
4212
practise to consider such a signature still as valid but
4213
additional information should be displayed. Depending on the
4214
subcase `gpgsm' will issue these status codes:
4215
signature valid and nothing did expire
4216
`GOODSIG', `VALIDSIG', `TRUST_FULLY'
4218
signature valid but at least one certificate has expired
4219
`EXPKEYSIG', `VALIDSIG', `TRUST_FULLY'
4221
signature valid but expired
4222
`EXPSIG', `VALIDSIG', `TRUST_FULLY' Note, that this case is
4223
currently not implemented.
4225
The signature is invalid
4226
This means that the signature verification failed (this is an
4227
indication of af a transfer error, a programm error or tampering
4228
with the message). `gpgsm' issues one of these status codes
4232
``GOODSIG', `VALIDSIG' `TRUST_NEVER''
4234
Error verifying a signature
4235
For some reason the signature could not be verified, i.e. it can't
4236
be decided whether the signature is valid or invalid. A common
4237
reason for this is a missing certificate.
4241
File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
4243
4.7 The Protocol the Server Mode Uses.
4244
======================================
4246
Description of the protocol used to access `GPGSM'. `GPGSM' does
4247
implement the Assuan protocol and in addition provides a regular
4248
command line interface which exhibits a full client to this protocol
4249
(but uses internal linking). To start `gpgsm' as a server the command
4250
line the option `--server' must be used. Additional options are
4251
provided to select the communication method (i.e. the name of the
4254
We assume that the connection has already been established; see the
4255
Assuan manual for details.
4259
* GPGSM ENCRYPT:: Encrypting a message.
4260
* GPGSM DECRYPT:: Decrypting a message.
4261
* GPGSM SIGN:: Signing a message.
4262
* GPGSM VERIFY:: Verifying a message.
4263
* GPGSM GENKEY:: Generating a key.
4264
* GPGSM LISTKEYS:: List available keys.
4265
* GPGSM EXPORT:: Export certificates.
4266
* GPGSM IMPORT:: Import certificates.
4267
* GPGSM DELETE:: Delete certificates.
4268
* GPGSM GETINFO:: Information about the process
4271
File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
4273
4.7.1 Encrypting a Message
4274
--------------------------
4276
Before encrytion can be done the recipient must be set using the
4281
Set the recipient for the encryption. USERID should be the internal
4282
representation of the key; the server may accept any other way of
4283
specification. If this is a valid and trusted recipient the server
4284
does respond with OK, otherwise the return is an ERR with the reason why
4285
the recipient can't be used, the encryption will then not be done for
4286
this recipient. If the policy is not to encrypt at all if not all
4287
recipients are valid, the client has to take care of this. All
4288
`RECIPIENT' commands are cumulative until a `RESET' or an successful
4291
INPUT FD[=N] [--armor|--base64|--binary]
4293
Set the file descriptor for the message to be encrypted to N.
4294
Obviously the pipe must be open at that point, the server establishes
4295
its own end. If the server returns an error the client should consider
4296
this session failed. If N is not given, this commands uses the last
4297
file descriptor passed to the application. *Note the assuan_sendfd
4298
function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
4300
The `--armor' option may be used to advice the server that the input
4301
data is in PEM format, `--base64' advices that a raw base-64 encoding
4302
is used, `--binary' advices of raw binary input (BER). If none of
4303
these options is used, the server tries to figure out the used
4304
encoding, but this may not always be correct.
4306
OUTPUT FD[=N] [--armor|--base64]
4308
Set the file descriptor to be used for the output (i.e. the encrypted
4309
message). Obviously the pipe must be open at that point, the server
4310
establishes its own end. If the server returns an error he client
4311
should consider this session failed.
4313
The option armor encodes the output in PEM format, the `--base64'
4314
option applies just a base 64 encoding. No option creates binary
4317
The actual encryption is done using the command
4321
It takes the plaintext from the `INPUT' command, writes to the
4322
ciphertext to the file descriptor set with the `OUTPUT' command, take
4323
the recipients from all the recipients set so far. If this command
4324
fails the clients should try to delete all output currently done or
4325
otherwise mark it as invalid. `GPGSM' does ensure that there won't be
4326
any security problem with leftover data on the output in this case.
4328
This command should in general not fail, as all necessary checks have
4329
been done while setting the recipients. The input and output pipes are
4333
File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
4335
4.7.2 Decrypting a message
4336
--------------------------
4338
Input and output FDs are set the same way as in encryption, but `INPUT'
4339
refers to the ciphertext and output to the plaintext. There is no need
4340
to set recipients. `GPGSM' automatically strips any S/MIME headers
4341
from the input, so it is valid to pass an entire MIME part to the INPUT
4344
The encryption is done by using the command
4348
It performs the decrypt operation after doing some check on the
4349
internal state. (e.g. that all needed data has been set). Because it
4350
utilizes the GPG-Agent for the session key decryption, there is no need
4351
to ask the client for a protecting passphrase - GpgAgent takes care of
4352
this by requesting this from the user.
4355
File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
4357
4.7.3 Signing a Message
4358
-----------------------
4360
Signing is usually done with these commands:
4362
INPUT FD[=N] [--armor|--base64|--binary]
4364
This tells `GPGSM' to read the data to sign from file descriptor N.
4366
OUTPUT FD[=M] [--armor|--base64]
4368
Write the output to file descriptor M. If a detached signature is
4369
requested, only the signature is written.
4373
Sign the data set with the INPUT command and write it to the sink
4374
set by OUTPUT. With `--detached', a detached signature is created
4377
The key used for signining is the default one or the one specified in
4378
the configuration file. To get finer control over the keys, it is
4379
possible to use the command
4383
to the signer's key. USERID should be the internal representation
4384
of the key; the server may accept any other way of specification. If
4385
this is a valid and trusted recipient the server does respond with OK,
4386
otherwise the return is an ERR with the reason why the key can't be
4387
used, the signature will then not be created using this key. If the
4388
policy is not to sign at all if not all keys are valid, the client has
4389
to take care of this. All `SIGNER' commands are cumulative until a
4390
`RESET' is done. Note that a `SIGN' does not reset this list of
4391
signers which is in contrats to the `RECIPIENT' command.
4394
File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
4396
4.7.4 Verifying a Message
4397
-------------------------
4399
To verify a mesage the command:
4403
is used. It does a verify operation on the message send to the input
4404
FD. The result is written out using status lines. If an output FD was
4405
given, the signed text will be written to that. If the signature is a
4406
detached one, the server will inquire about the signed material and the
4407
client must provide it.
4410
File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol
4412
4.7.5 Generating a Key
4413
----------------------
4415
This is used to generate a new keypair, store the secret part in the
4416
PSE and the public key in the key database. We will probably add
4417
optional commands to allow the client to select whether a hardware
4418
token is used to store the key. Configuration options to `GPGSM' can
4419
be used to restrict the use of this command.
4423
`GPGSM' checks whether this command is allowed and then does an
4424
INQUIRY to get the key parameters, the client should then send the key
4425
parameters in the native format:
4427
S: INQUIRE KEY_PARAM native
4432
Please note that the server may send Status info lines while reading
4433
the data lines from the client. After this the key generation takes
4434
place and the server eventually does send an ERR or OK response.
4435
Status lines may be issued as a progress indicator.
4438
File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol
4440
4.7.6 List available keys
4441
-------------------------
4443
To list the keys in the internal database or using an external key
4444
provider, the command:
4448
is used. To allow multiple patterns (which are ORed during the
4449
search) quoting is required: Spaces are to be translated into "+" or
4450
into "%20"; in turn this requires that the usual escape quoting rules
4453
LISTSECRETKEYS PATTERN
4455
Lists only the keys where a secret key is available.
4457
The list commands commands are affected by the option
4459
OPTION list-mode=MODE
4463
Use default (which is usually the same as 1).
4466
List only the internal keys.
4469
List only the external keys.
4472
List internal and external keys.
4474
Note that options are valid for the entire session.
4477
File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol
4479
4.7.7 Export certificates
4480
-------------------------
4482
To export certificate from the internal key database the command:
4484
EXPORT [--data [--armor] [--base64]] [--] PATTERN
4486
is used. To allow multiple patterns (which are ORed) quoting is
4487
required: Spaces are to be translated into "+" or into "%20"; in turn
4488
this requires that the usual escape quoting rules are done.
4490
If the `--data' option has not been given, the format of the output
4491
depends on what was set with the OUTPUT command. When using PEM
4492
encoding a few informational lines are prepended.
4494
If the `--data' has been given, a target set via OUTPUT is ignored
4495
and the data is returned inline using standard `D'-lines. This avoids
4496
the need for an extra file descriptor. In this case the options
4497
`--armor' and `--base64' may be used in the same way as with the OUTPUT
4501
File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol
4503
4.7.8 Import certificates
4504
-------------------------
4506
To import certificates into the internal key database, the command
4510
is used. The data is expected on the file descriptor set with the
4511
`INPUT' command. Certain checks are performend on the certificate.
4512
Note that the code will also handle PKCS\#12 files and import private
4513
keys; a helper program is used for that.
4516
File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETINFO, Prev: GPGSM IMPORT, Up: GPGSM Protocol
4518
4.7.9 Delete certificates
4519
-------------------------
4521
To delete a certificate the command
4525
is used. To allow multiple patterns (which are ORed) quoting is
4526
required: Spaces are to be translated into "+" or into "%20"; in turn
4527
this requires that the usual escape quoting rules are done.
4529
The certificates must be specified unambiguously otherwise an error
4533
File: gnupg.info, Node: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol
4535
4.7.10 Return information about the process
4536
-------------------------------------------
4538
This is a multipurpose function to return a variety of information.
4542
The value of WHAT specifies the kind of information returned:
4544
Return the version of the program.
4547
Return the process id of the process.
4550
File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top
4552
5 Invoking the SCDAEMON
4553
***********************
4555
The `scdaemon' is a daemon to manage smartcards. It is usually invoked
4556
by `gpg-agent' and in general not used directly.
4558
*Note Option Index::, for an index to `scdaemon''s commands and
4563
* Scdaemon Commands:: List of all commands.
4564
* Scdaemon Options:: List of all options.
4565
* Card applications:: Description of card applications.
4566
* Scdaemon Configuration:: Configuration files.
4567
* Scdaemon Examples:: Some usage examples.
4568
* Scdaemon Protocol:: The protocol the daemon uses.
4571
File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON
4576
Commands are not distinguished from options except for the fact that
4577
only one command is allowed.
4580
Print the program version and licensing information. Not that you
4581
can abbreviate this command.
4584
Print a usage message summarizing the most usefule command-line
4585
options. Not that you can abbreviate this command.
4588
Print a list of all available options and commands. Not that you
4589
can abbreviate this command.
4592
Run in server mode and wait for commands on the `stdin'. This is
4593
default mode is to create a socket and listen for commands there.
4596
Run in server mode and wait for commands on the `stdin' as well as
4597
on an additional Unix Domain socket. The server command `GETINFO'
4598
may be used to get the name of that extra socket.
4601
Run the program in the background. This option is required to
4602
prevent it from being accidently running in the background.
4606
File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON
4612
Reads configuration from FILE instead of from the default per-user
4613
configuration file. The default configuration file is named
4614
`scdaemon.conf' and expected in the `.gnupg' directory directly
4615
below the home directory of the user.
4618
Set the name of the home directory to DIR. If his option is not
4619
used, the home directory defaults to `~/.gnupg'. It is only
4620
recognized when given on the command line. It also overrides any
4621
home directory stated through the environment variable `GNUPGHOME'
4622
or (on W32 systems) by means on the Registry entry
4623
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
4628
Outputs additional information while running. You can increase
4629
the verbosity by giving several verbose commands to `gpgsm', such
4632
`--debug-level LEVEL'
4633
Select the debug level for investigating problems. LEVEL may be
4637
no debugging at all.
4640
some basic debug messages
4643
more verbose debug messages
4646
even more detailed messages
4649
all of the debug messages you can get
4651
How these messages are mapped to the actual debugging flags is not
4652
specified and may change with newer releases of this program. They
4653
are however carefully selected to best aid in debugging.
4655
Note: All debugging options are subject to change and thus
4656
should not be used by any application program. As the name
4657
says, they are only used as helpers to debug problems.
4660
This option is only useful for debugging and the behaviour may
4661
change at any time without notice. FLAGS are bit encoded and may
4662
be given in usual C-Syntax. The currently defined bits are:
4668
values of big number integers
4671
low level crypto operations
4680
show memory statistics.
4683
write hashed data to files named `dbgmd-000*'
4686
trace Assuan protocol
4689
trace APDU I/O to the card. This may reveal sensitive data.
4692
Same as `--debug=0xffffffff'
4695
When running in server mode, wait N seconds before entering the
4696
actual processing loop and print the pid. This gives time to
4699
`--debug-ccid-driver'
4700
Enable debug output from the included CCID driver for smartcards.
4701
Using this option twice will also enable some tracing of the T=1
4702
protocol. Note that this option may reveal sensitive data.
4704
`--debug-disable-ticker'
4705
This option disables all ticker functions like checking for card
4708
`--debug-allow-core-dump'
4709
For security reasons we won't create a core dump when the process
4710
aborts. For debugging purposes it is sometimes better to allow
4711
core dump. This options enables it and also changes the working
4712
directory to `/tmp' when running in `--server' mode.
4715
Don't detach the process from the console. This is mainly useful
4719
Append all logging output to FILE. This is very helpful in seeing
4720
what the agent actually does.
4722
`--pcsc-driver LIBRARY'
4723
Use LIBRARY to access the smartcard reader. The current default
4724
is `libpcsclite.so'. Instead of using this option you might also
4725
want to install a symbolic link to the default file name (e.g.
4726
from `libpcsclite.so.1').
4728
`--ctapi-driver LIBRARY'
4729
Use LIBRARY to access the smartcard reader. The current default
4730
is `libtowitoko.so'. Note that the use of this interface is
4731
deprecated; it may be removed in future releases.
4734
Disable the integrated support for CCID compliant readers. This
4735
allows to fall back to one of the other drivers even if the
4736
internal CCID driver can handle the reader. Note, that CCID
4737
support is only available if libusb was available at build time.
4739
`--reader-port NUMBER_OR_STRING'
4740
This option may be used to specify the port of the card terminal.
4741
A value of 0 refers to the first serial device; add 32768 to
4742
access USB devices. The default is 32768 (first USB device).
4743
PC/SC or CCID readers might need a string here; run the program in
4744
verbose mode to get a list of available readers. The default is
4745
then the first reader found.
4747
To get a list of available CCID readers you may use this command:
4748
echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'
4751
Even if a card reader features a keypad, do not try to use it.
4755
This enables the use of Admin class commands for card applications
4756
where this is supported. Currently we support it for the OpenPGP
4757
card. Deny is the default. This commands is useful to inhibit
4758
accidental access to admin class command which could ultimately
4759
lock the card through worng PIN numbers.
4761
`--disable-application NAME'
4762
This option disables the use of the card application named NAME.
4763
This is mainly useful for debugging or if a application with lower
4764
priority should be used by default.
4767
All the long options may also be given in the configuration file
4768
after stripping off the two leading dashes.
4771
File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON
4773
5.3 Description of card applications
4774
====================================
4776
`scdaemon' supports the card applications as described below.
4780
* OpenPGP Card:: The OpenPGP card application
4781
* NKS Card:: The Telesec NetKey card application
4782
* DINSIG Card:: The DINSIG card application
4783
* PKCS#15 Card:: The PKCS#15 card application
4786
File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications
4788
5.3.1 The OpenPGP card application "openpgp"
4789
--------------------------------------------
4791
This application is currently only used by `gpg' but may in future also
4792
be useful with `gpgsm'.
4794
The specification for such a card is available at
4795
`http://g10code.com/docs/openpgp-card-1.0.pdf'.
4798
File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications
4800
5.3.2 The Telesec NetKey card "nks"
4801
-----------------------------------
4803
This is the main application of the Telesec cards as available in
4804
Germany. It is a superset of the German DINSIG card. The card is used
4808
File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications
4810
5.3.3 The DINSIG card application "dinsig"
4811
------------------------------------------
4813
This is an application as described in the German draft standard _DIN V
4814
66291-1_. It is intended to be used by cards supporting the German
4815
signature law and its bylaws (SigG and SigV).
4818
File: gnupg.info, Node: PKCS#15 Card, Prev: DINSIG Card, Up: Card applications
4820
5.3.4 The PKCS#15 card application "p15"
4821
----------------------------------------
4823
This is common fraqmework for smart card applications. It is used by
4827
File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
4829
5.4 Configuration files
4830
=======================
4832
There are a few configuration files to control certain aspects of
4833
`scdaemons''s operation. Unless noted, they are expected in the current
4834
home directory (*note option --homedir::).
4837
This is the standard configuration file read by `scdaemon' on
4838
startup. It may contain any valid long option; the leading two
4839
dashes may not be entered and the option may not be abbreviated.
4840
This default name may be changed on the command line (*note option
4844
If this file is present and executable, it will be called on veyer
4845
card reader's status changed. An example of this script is
4846
provided with the distribution
4849
This file is created by `sdaemon' to let other applications now
4850
about reader status changes. Its use is now deprecated in favor of
4855
File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
4860
$ scdaemon --server -v
4863
File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
4865
5.6 Scdaemon's Assuan Protocol
4866
==============================
4868
The SC-Daemon should be started by the system to provide access to
4869
external tokens. Using Smartcards on a multi-user system does not make
4870
much sense expcet for system services, but in this case no regular user
4871
accounts are hosted on the machine.
4873
A client connects to the SC-Daemon by connecting to the socket named
4874
`/var/run/scdaemon/socket', configuration information is read from
4877
Each connection acts as one session, SC-Daemon takes care of
4878
syncronizing access to a token between sessions.
4882
* Scdaemon SERIALNO:: Return the serial number.
4883
* Scdaemon LEARN:: Read all useful information from the card.
4884
* Scdaemon READCERT:: Return a certificate.
4885
* Scdaemon READKEY:: Return a public key.
4886
* Scdaemon PKSIGN:: Signing data with a Smartcard.
4887
* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
4888
* Scdaemon GETATTR:: Read an attribute's value.
4889
* Scdaemon SETATTR:: Update an attribute's value.
4890
* Scdaemon WRITEKEY:: Write a key to a card.
4891
* Scdaemon GENKEY:: Generate a new key on-card.
4892
* Scdaemon RANDOM:: Return random bytes generate on-card.
4893
* Scdaemon PASSWD:: Change PINs.
4894
* Scdaemon CHECKPIN:: Perform a VERIFY operation.
4895
* Scdaemon RESTART:: Restart connection
4896
* Scdaemon APDU:: Send a verbatim APDU to the card
4899
File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
4901
5.6.1 Return the serial number
4902
------------------------------
4904
This command should be used to check for the presence of a card. It is
4905
special in that it can be used to reset the card. Most other commands
4906
will return an error when a card change has been detected and the use of
4907
this function is therefore required.
4909
Background: We want to keep the client clear of handling card changes
4910
between operations; i.e. the client can assume that all operations are
4911
done on the same card unless he call this function.
4915
Return the serial number of the card using a status reponse like:
4917
S SERIALNO D27600000000000000000000 0
4919
The trailing 0 should be ignored for now, it is reserved for a future
4920
extension. The serial number is the hex encoded value identified by
4921
the `0x5A' tag in the GDO file (FIX=0x2F02).
4924
File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
4926
5.6.2 Read all useful information from the card
4927
-----------------------------------------------
4931
Learn all useful information of the currently inserted card. When
4932
used without the force options, the command might do an INQUIRE like
4935
INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
4937
The client should just send an `END' if the processing should go on
4938
or a `CANCEL' to force the function to terminate with a cancel error
4939
message. The response of this command is a list of status lines
4942
S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
4944
If there is no certificate yet stored on the card a single "X" is
4945
returned in HEXSTRING_WITH_KEYGRIP.
4948
File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
4950
5.6.3 Return a certificate
4951
--------------------------
4953
READCERT HEXIFIED_CERTID
4955
This function is used to read a certificate identified by
4956
HEXIFIED_CERTID from the card.
4959
File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
4961
5.6.4 Return a public key
4962
-------------------------
4964
READKEY HEXIFIED_CERTID
4966
Return the public key for the given cert or key ID as an standard
4970
File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
4972
5.6.5 Signing data with a Smartcard
4973
-----------------------------------
4975
To sign some data the caller should use the command
4979
to tell `scdaemon' about the data to be signed. The data must be
4980
given in hex notation. The actual signing is done using the command
4984
where KEYID is the hexified ID of the key to be used. The key id
4985
may have been retrieved using the command `LEARN'. If another hash
4986
algorithm than SHA-1 is used, that algorithm may be given like:
4988
PKSIGN --hash=ALGONAME KEYID
4990
With ALGONAME are one of `sha1', `rmd160' or `md5'.
4993
File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
4995
5.6.6 Decrypting data with a Smartcard
4996
--------------------------------------
4998
To decrypt some data the caller should use the command
5002
to tell `scdaemon' about the data to be decrypted. The data must be
5003
given in hex notation. The actual decryption is then done using the
5008
where KEYID is the hexified ID of the key to be used.
5011
File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
5013
5.6.7 Read an attribute's value.
5014
--------------------------------
5019
File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
5021
5.6.8 Update an attribute's value.
5022
----------------------------------
5027
File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
5029
5.6.9 Write a key to a card.
5030
----------------------------
5032
WRITEKEY [--force] KEYID
5034
This command is used to store a secret key on a a smartcard. The
5035
allowed keyids depend on the currently selected smartcard application.
5036
The actual keydata is requested using the inquiry `KEYDATA' and need to
5037
be provided without any protection. With `--force' set an existing key
5038
under this KEYID will get overwritten. The key data is expected to be
5039
the usual canonical encoded S-expression.
5041
A PIN will be requested in most saes. This however depends on the
5042
actual card application.
5045
File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
5047
5.6.10 Generate a new key on-card.
5048
----------------------------------
5053
File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
5055
5.6.11 Return random bytes generate on-card.
5056
--------------------------------------------
5061
File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
5066
PASSWD [--reset] CHVNO
5068
Change the PIN or reset the retry counter of the card holder
5069
verification vector number CHVNO.
5072
File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
5074
5.6.13 Perform a VERIFY operation.
5075
----------------------------------
5079
Perform a VERIFY operation without doing anything else. This may be
5080
used to initialize a the PIN cache earlier to long lasting operations.
5081
Its use is highly application dependent:
5084
Perform a simple verify operation for CHV1 and CHV2, so that
5085
further operations won't ask for CHV2 and it is possible to do a
5086
cheap check on the PIN: If there is something wrong with the PIN
5087
entry system, only the regular CHV will get blocked and not the
5088
dangerous CHV3. IDSTR is the usual card's serial number in hex
5089
notation; an optional fingerprint part will get ignored.
5091
There is however a special mode if IDSTR is suffixed with the
5092
literal string `[CHV3]': In this case the Admin PIN is checked if
5093
and only if the retry counter is still at 3.
5097
File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
5099
5.6.14 Perform a RESTART operation.
5100
-----------------------------------
5104
Restart the current connection; this is a kind of warm reset. It
5105
deletes the context used by this connection but does not actually reset
5108
This is used by gpg-agent to reuse a primary pipe connection and may
5109
be used by clients to backup from a conflict in the serial command;
5110
i.e. to select another application.
5113
File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
5115
5.6.15 Send a verbatim APDU to the card.
5116
----------------------------------------
5118
APDU [--atr] [--more] [HEXSTRING]
5120
Send an APDU to the current reader. This command bypasses the high
5121
level functions and sends the data directly to the card. HEXSTRING is
5122
expected to be a proper APDU. If HEXSTRING is not given no commands
5123
are send to the card; However the command will implicitly check whether
5124
the card is ready for use.
5126
Using the option `--atr' returns the ATR of the card as a status
5127
message before any data like this:
5128
S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
5130
Using the option `--more' handles the card status word MORE_DATA
5131
(61xx) and concatenate all reponses to one block.
5134
File: gnupg.info, Node: Specify a User ID, Next: Helper Tools, Prev: Invoking SCDAEMON, Up: Top
5136
6 How to Specify a User Id
5137
**************************
5139
There are different ways to specify a user ID to GnuPG. Some of them
5140
are only valid for `gpg' others are only good for `gpgsm'. Here is the
5141
entire list of ways to specify a key:
5143
* By key Id. This format is deduced from the length of the string
5144
and its content or `0x' prefix. The key Id of an X.509 certificate
5145
are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
5146
is just a shortcut, for all automated processing the fingerprint
5149
When using `gpg' an exclamation mark (!) may be appended to force
5150
using the specified primary or secondary key and not to try and
5151
calculate which primary or secondary key to use.
5153
The last four lines of the example give the key ID in their long
5154
form as internally used by the OpenPGP protocol. You can see the
5155
long key ID using the option `--with-colons'.
5167
* By fingerprint. This format is deduced from the length of the
5168
string and its content or the `0x' prefix. Note, that only the 20
5169
byte version fingerprint is available with `gpgsm' (i.e. the SHA-1
5170
hash of the certificate).
5172
When using `gpg' an exclamation mark (!) may be appended to force
5173
using the specified primary or secondary key and not to try and
5174
calculate which primary or secondary key to use.
5176
The best way to specify a key Id is by using the fingerprint. This
5177
avoids any ambiguities in case that there are duplicated key IDs.
5179
1234343434343434C434343434343434
5180
123434343434343C3434343434343734349A3434
5181
0E12343434343434343434EAB3484343434343434
5182
0xE12343434343434343434EAB3484343434343434
5184
(`gpgsm' also accepts colons between each pair of hexadecimal
5185
digits because this is the de-facto standard on how to present
5186
X.509 fingerprints.)
5188
* By exact match on OpenPGP user ID. This is denoted by a leading
5189
equal sign. It does not make sense for X.509 certificates.
5191
=Heinrich Heine <heinrichh@uni-duesseldorf.de>
5193
* By exact match on an email address. This is indicated by
5194
enclosing the email address in the usual way with left and right
5197
<heinrichh@uni-duesseldorf.de>
5199
* By word match. All words must match exactly (not case sensitive)
5200
but can appear in any order in the user ID or a subjects name.
5201
Words are any sequences of letters, digits, the underscore and all
5202
characters with bit 7 set.
5204
+Heinrich Heine duesseldorf
5206
* By exact match on the subject's DN. This is indicated by a
5207
leading slash, directly followed by the RFC-2253 encoded DN of the
5208
subject. Note that you can't use the string printed by "gpgsm
5209
-list-keys" because that one as been reordered and modified for
5210
better readability; use -with-colons to print the raw (but standard
5211
escaped) RFC-2253 string
5213
/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
5215
* By exact match on the issuer's DN. This is indicated by a leading
5216
hash mark, directly followed by a slash and then directly followed
5217
by the rfc2253 encoded DN of the issuer. This should return the
5218
Root cert of the issuer. See note above.
5220
#/CN=Root Cert,O=Poets,L=Paris,C=FR
5222
* By exact match on serial number and issuer's DN. This is
5223
indicated by a hash mark, followed by the hexadecimal
5224
representation of the serial number, then followed by a slash and
5225
the RFC-2253 encoded DN of the issuer. See note above.
5227
#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
5229
* By keygrip This is indicated by an ampersand followed by the 40
5230
hex digits of a keygrip. `gpgsm' prints the keygrip when using
5231
the command `--dump-cert'. It does not yet work for OpenPGP keys.
5233
&D75F22C3F86E355877348498CDC92BD21010A480
5235
* By substring match. This is the default mode but applications may
5236
want to explicitly indicate this by putting the asterisk in front.
5237
Match is not case sensitive.
5243
Please note that we have reused the hash mark identifier which was
5244
used in old GnuPG versions to indicate the so called local-id. It is
5245
not anymore used and there should be no conflict when used with X.509
5248
Using the RFC-2253 format of DNs has the drawback that it is not
5249
possible to map them back to the original encoding, however we don't
5250
have to do this because our key database stores this encoding as meta
5254
File: gnupg.info, Node: Helper Tools, Next: Howtos, Prev: Specify a User ID, Up: Top
5259
GnuPG comes with a couple of smaller tools:
5263
* watchgnupg:: Read logs from a socket.
5264
* gpgv:: Verify OpenPGP signatures.
5265
* addgnupghome:: Create .gnupg home directories.
5266
* gpgconf:: Modify .gnupg home directories.
5267
* applygnupgdefaults:: Run gpgconf for all users.
5268
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
5269
* gpg-preset-passphrase:: Put a passphrase into the cache.
5270
* gpg-connect-agent:: Communicate with a running agent.
5271
* gpgparsemail:: Parse a mail message into an annotated format
5272
* symcryptrun:: Call a simple symmetric encryption tool.
5275
File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
5277
7.1 Read logs from a socket
5278
===========================
5280
Most of the main utilities are able to write there log files to a Unix
5281
Domain socket if configured that way. `watchgnupg' is a simple
5282
listener for such a socket. It ameliorates the output with a time
5283
stamp and makes sure that long lines are not interspersed with log
5284
output from other utilities.
5286
`watchgnupg' is commonly invoked as
5288
watchgnupg --force ~/.gnupg/S.log
5290
This starts it on the current terminal for listening on the socket
5293
`watchgnupg' understands these options:
5296
Delete an already existing socket file.
5299
Enable extra informational output.
5302
print version of the program and exit
5305
Display a brief help page and exit
5309
File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
5311
7.2 Verify OpenPGP signatures
5312
=============================
5314
`gpgv2' is an OpenPGP signature verification tool.
5316
This program is actually a stripped down version of `gpg' which is
5317
only able to check signatures. It is somewhat smaller than the fully
5318
blown `gpg' and uses a different (and simpler) way to check that the
5319
public keys used to make the signature are valid. There are no
5320
configuration files and only a few options are implemented.
5322
`gpgv2' assumes that all keys in the keyring are trustworthy. By
5323
default it uses a keyring named `trustedkeys.gpg' which is assumed to
5324
be in the home directory as defined by GnuPG or set by an option or an
5325
environment variable. An option may be used to specify another keyring
5326
or even multiple keyrings.
5330
`gpgv2' recognizes these options:
5334
Gives more information during processing. If used twice, the input
5335
data is listed in detail.
5339
Try to be as quiet as possible.
5342
Add FILE to the list of keyrings. If FILE begins with a tilde and
5343
a slash, these are replaced by the HOME directory. If the filename
5344
does not contain a slash, it is assumed to be in the
5345
home-directory ("~/.gnupg" if -homedir is not used).
5348
Write special status strings to the file descriptor N. See the
5349
file DETAILS in the documentation for a listing of them.
5352
Write log output to file descriptor `n' and not to stderr.
5354
`--ignore-time-conflict'
5355
GnuPG normally checks that the timestamps associated with keys and
5356
signatures have plausible values. However, sometimes a signature
5357
seems to be older than the key due to clock problems. This option
5358
turns these checks into warnings.
5361
Set the name of the home directory to DIR. If his option is not
5362
used, the home directory defaults to `~/.gnupg'. It is only
5363
recognized when given on the command line. It also overrides any
5364
home directory stated through the environment variable `GNUPGHOME'
5365
or (on W32 systems) by means on the Registry entry
5366
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
5369
The program returns 0 if everything was fine, 1 if at least one
5370
signature was bad, and other error codes for fatal errors.
5377
Verify the signature of the file. The second form is used for
5378
detached signatures, where `sigfile' is the detached signature
5379
(either ASCII armored or binary) and are the signed data; if this
5380
is not given the name of the file holding the signed data is
5381
constructed by cutting off the extension (".asc", ".sig" or
5382
".sign") from `sigfile'.
5389
Used to locate the default home directory.
5392
If set directory used instead of "~/.gnupg".
5398
~/.gnupg/trustedkeys.gpg
5399
The default keyring with the allowed keys
5405
File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
5407
7.3 Create .gnupg home directories.
5408
===================================
5410
If GnuPG is installed on a system with existing user accounts, it is
5411
sometimes required to populate the GnuPG home directory with existing
5412
files. Especially a `trustlist.txt' and a keybox with some initial
5413
certificates are often desired. This scripts help to do this by
5414
copying all files from `/etc/skel/.gnupg' to the home directories of
5415
the accounts given on the command line. It takes care not to overwrite
5416
existing GnuPG home directories.
5418
`addgnupghome' is invoked by root as:
5420
addgnupghome account1 account2 ... accountn
5423
File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
5425
7.4 Modify .gnupg home directories.
5426
===================================
5428
The `gpgconf' is a utility to automatically and reasonable safely query
5429
and modify configuration files in the `.gnupg' home directory. It is
5430
designed not to be invoked manually by the user, but automatically by
5431
graphical user interfaces (GUI).(1)
5433
`gpgconf' provides access to the configuration of one or more
5434
components of the GnuPG system. These components correspond more or
5435
less to the programs that exist in the GnuPG framework, like GnuPG,
5436
GPGSM, DirMngr, etc. But this is not a strict one-to-one relationship.
5437
Not all configuration options are available through `gpgconf'.
5438
`gpgconf' provides a generic and abstract method to access the most
5439
important configuration options that can feasibly be controlled via
5442
`gpgconf' can be used to gather and change the options available in
5443
each component, and can also provide their default values. `gpgconf'
5444
will give detailed type information that can be used to restrict the
5445
user's input without making an attempt to commit the changes.
5447
`gpgconf' provides the backend of a configuration editor. The
5448
configuration editor would usually be a graphical user interface
5449
program, that allows to display the current options, their default
5450
values, and allows the user to make changes to the options. These
5451
changes can then be made active with `gpgconf' again. Such a program
5452
that uses `gpgconf' in this way will be called GUI throughout this
5457
* Invoking gpgconf:: List of all commands and options.
5458
* Format conventions:: Formatting conventions relevant for all commands.
5459
* Listing components:: List all gpgconf components.
5460
* Checking programs:: Check all programs know to gpgconf.
5461
* Listing options:: List all options of a component.
5462
* Changing options:: Changing options of a component.
5463
* Listing global options:: List all global options.
5464
* Files used by gpgconf:: What files are used by gpgconf.
5466
---------- Footnotes ----------
5468
(1) Please note that currently no locking is done, so concurrent
5469
access should be avoided. There are some precautions to avoid
5470
corruption with concurrent usage, but results may be inconsistent and
5471
some changes may get lost. The stateless design makes it difficult to
5472
provide more guarantees.
5475
File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
5477
7.4.1 Invoking gpgconf
5478
----------------------
5480
One of the following commands must be given:
5483
List all components. This is the default command used if none is
5487
List all available backend programs and test whether they are
5490
`--list-options COMPONENT'
5491
List all options of the component COMPONENT.
5493
`--change-options COMPONENT'
5494
Change the options of the component COMPONENT.
5497
Update all configuration files with values taken from the global
5498
configuration file (usually `/etc/gnupg/gpgconf.conf').
5500
`--list-config [FILENAME]'
5501
List the global configuration file in a colon separated format. If
5502
FILENAME is given, check that file instead.
5504
`--check-config [FILENAME]'
5505
Run a syntax check on the global configuration file. If FILENAME
5506
is given, check that file instead.
5509
The following options may be used:
5513
Outputs additional information while running. Specifically, this
5514
extends numerical field values by human-readable descriptions.
5518
Only used together with `--change-options'. If one of the
5519
modified options can be changed in a running daemon process, signal
5520
the running daemon to ask it to reparse its configuration file
5523
This means that the changes will take effect at run-time, as far as
5524
this is possible. Otherwise, they will take effect at the next
5525
start of the respective backend programs.
5529
File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
5531
7.4.2 Format conventions
5532
------------------------
5534
Some lines in the output of `gpgconf' contain a list of colon-separated
5535
fields. The following conventions apply:
5537
* The GUI program is required to strip off trailing newline and/or
5538
carriage return characters from the output.
5540
* `gpgconf' will never leave out fields. If a certain version
5541
provides a certain field, this field will always be present in all
5542
`gpgconf' versions from that time on.
5544
* Future versions of `gpgconf' might append fields to the list. New
5545
fields will always be separated from the previously last field by
5546
a colon separator. The GUI should be prepared to parse the last
5547
field it knows about up until a colon or end of line.
5549
* Not all fields are defined under all conditions. You are required
5550
to ignore the content of undefined fields.
5552
There are several standard types for the content of a field:
5555
Some fields contain strings that are not escaped in any way. Such
5556
fields are described to be used _verbatim_. These fields will
5557
never contain a colon character (for obvious reasons). No
5558
de-escaping or other formatting is required to use the field
5559
content. This is for easy parsing of the output, when it is known
5560
that the content can never contain any special characters.
5563
Some fields contain strings that are described to be
5564
_percent-escaped_. Such strings need to be de-escaped before
5565
their content can be presented to the user. A percent-escaped
5566
string is de-escaped by replacing all occurences of `%XY' by the
5567
byte that has the hexadecimal value `XY'. `X' and `Y' are from
5571
Some fields contain strings that are described to be _localised_.
5572
Such strings are translated to the active language and formatted in
5573
the active character set.
5576
Some fields contain an _unsigned number_. This number will always
5577
fit into a 32-bit unsigned integer variable. The number may be
5578
followed by a space, followed by a human readable description of
5579
that value (if the verbose option is used). You should ignore
5580
everything in the field that follows the number.
5583
Some fields contain a _signed number_. This number will always
5584
fit into a 32-bit signed integer variable. The number may be
5585
followed by a space, followed by a human readable description of
5586
that value (if the verbose option is used). You should ignore
5587
everything in the field that follows the number.
5590
Some fields contain a _boolean value_. This is a number with
5591
either the value 0 or 1. The number may be followed by a space,
5592
followed by a human readable description of that value (if the
5593
verbose option is used). You should ignore everything in the
5594
field that follows the number; checking just the first character
5595
is sufficient in this case.
5598
Some fields contain an _option_ argument. The format of an option
5599
argument depends on the type of the option and on some flags:
5602
The simplest case is that the option does not take an
5603
argument at all (TYPE `0'). Then the option argument is an
5604
unsigned number that specifies how often the option occurs.
5605
If the `list' flag is not set, then the only valid number is
5606
`1'. Options that do not take an argument never have the
5607
`default' or `optional arg' flag set.
5610
If the option takes a number argument (ALT-TYPE is `2' or
5611
`3'), and it can only occur once (`list' flag is not set),
5612
then the option argument is either empty (only allowed if the
5613
argument is optional), or it is a number. A number is a
5614
string that begins with an optional minus character, followed
5615
by one or more digits. The number must fit into an integer
5616
variable (unsigned or signed, depending on ALT-TYPE).
5619
If the option takes a number argument and it can occur more
5620
than once, then the option argument is either empty, or it is
5621
a comma-separated list of numbers as described above.
5624
If the option takes a string argument (ALT-TYPE is 1), and it
5625
can only occur once (`list' flag is not set) then the option
5626
argument is either empty (only allowed if the argument is
5627
optional), or it starts with a double quote character (`"')
5628
followed by a percent-escaped string that is the argument
5629
value. Note that there is only a leading double quote
5630
character, no trailing one. The double quote character is
5631
only needed to be able to differentiate between no value and
5632
the empty string as value.
5635
If the option takes a number argument and it can occur more
5636
than once, then the option argument is either empty, or it is
5637
a comma-separated list of string arguments as described above.
5639
The active language and character set are currently determined from
5640
the locale environment of the `gpgconf' program.
5643
File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
5645
7.4.3 Listing components
5646
------------------------
5648
The command `--list-components' will list all components that can be
5649
configured with `gpgconf'. Usually, one component will correspond to
5650
one GnuPG-related program and contain the options of that programs
5651
configuration file that can be modified using `gpgconf'. However, this
5652
is not necessarily the case. A component might also be a group of
5653
selected options from several programs, or contain entirely virtual
5654
options that have a special effect rather than changing exactly one
5655
option in one configuration file.
5657
A component is a set of configuration options that semantically
5658
belong together. Furthermore, several changes to a component can be
5659
made in an atomic way with a single operation. The GUI could for
5660
example provide a menu with one entry for each component, or a window
5661
with one tabulator sheet per component.
5663
The command argument `--list-components' lists all available
5664
components, one per line. The format of each line is:
5666
`NAME:DESCRIPTION:PGMNAME:'
5669
This field contains a name tag of the component. The name tag is
5670
used to specify the component in all communication with `gpgconf'.
5671
The name tag is to be used _verbatim_. It is thus not in any
5675
The _string_ in this field contains a human-readable description
5676
of the component. It can be displayed to the user of the GUI for
5677
informational purposes. It is _percent-escaped_ and _localized_.
5680
The _string_ in this field contains the absolute name of the
5681
program's file. It can be used to unambiguously invoke that
5682
program. It is _percent-escaped_.
5685
$ gpgconf --list-components
5686
gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
5687
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
5688
scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
5689
gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
5690
dirmngr:Directory Manager:/usr/local/bin/dirmngr:
5693
File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
5695
7.4.4 Checking programs
5696
-----------------------
5698
The command `--check-programs' is similar to `--list-components' but
5699
works on backend programs and not on components. It runs each program
5700
to test wether it is installed and runnable. This also includes a
5701
syntax check of all config file options of the program.
5703
The command argument `--check-programs' lists all available
5704
programs, one per line. The format of each line is:
5706
`NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
5709
This field contains a name tag of the program which is identical
5710
to the name of the component. The name tag is to be used
5711
_verbatim_. It is thus not in any escaped format. This field may
5712
be empty to indicate a continuation of error descriptions for the
5713
last name. The description and pgmname fields are then also empty.
5716
The _string_ in this field contains a human-readable description
5717
of the component. It can be displayed to the user of the GUI for
5718
informational purposes. It is _percent-escaped_ and _localized_.
5721
The _string_ in this field contains the absolute name of the
5722
program's file. It can be used to unambiguously invoke that
5723
program. It is _percent-escaped_.
5726
The _boolean value_ in this field indicates whether the program is
5727
installed and runnable.
5730
The _boolean value_ in this field indicates whether the program's
5731
config file is syntactically okay.
5734
If an error occured in the configuraion file (as indicated by a
5735
false value in the field `okay'), this field has the name of the
5736
failing configuration file. It is _percent-escaped_.
5739
If an error occured in the configuration file, this field has the
5740
line number of the failing statement in the configuration file.
5741
It is an _unsigned number_.
5744
If an error occured in the configuration file, this field has the
5745
error text of the failing statement in the configuration file. It
5746
is _percent-escaped_ and _localized_.
5749
In the following example the `dirmngr' is not runnable and the
5750
configuration file of `scdaemon' is not okay.
5752
$ gpgconf --check-programs
5753
gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
5754
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
5755
scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
5756
gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
5757
dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
5760
File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
5762
7.4.5 Listing options
5763
---------------------
5765
Every component contains one or more options. Options may be gathered
5766
into option groups to allow the GUI to give visual hints to the user
5767
about which options are related.
5769
The command argument `--list-options COMPONENT' lists all options
5770
(and the groups they belong to) in the component COMPONENT, one per
5771
line. COMPONENT must be the string in the field NAME in the output of
5772
the `--list-components' command.
5774
There is one line for each option and each group. First come all
5775
options that are not in any group. Then comes a line describing a
5776
group. Then come all options that belong into each group. Then comes
5777
the next group and so on. There does not need to be any group (and in
5778
this case the output will stop after the last non-grouped option).
5780
The format of each line is:
5782
`NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
5785
This field contains a name tag for the group or option. The name
5786
tag is used to specify the group or option in all communication
5787
with `gpgconf'. The name tag is to be used _verbatim_. It is
5788
thus not in any escaped format.
5791
The flags field contains an _unsigned number_. Its value is the
5792
OR-wise combination of the following flag values:
5795
If this flag is set, this is a line describing a group and
5798
The following flag values are only defined for options (that is, if
5799
the `group' flag is not used).
5802
If this flag is set, the argument is optional. This is never
5803
set for TYPE `0' (none) options.
5806
If this flag is set, the option can be given multiple times.
5809
If this flag is set, the option can be changed at runtime.
5812
If this flag is set, a default value is available.
5815
If this flag is set, a (runtime) default is available. This
5816
and the `default' flag are mutually exclusive.
5819
If this flag is set, and the `optional arg' flag is set, then
5820
the option has a special meaning if no argument is given.
5823
If this flag is set, gpgconf ignores requests to change the
5824
value. GUI frontends should grey out this option. Note,
5825
that manual changes of the configuration files are still
5829
This field is defined for options and for groups. It contains an
5830
_unsigned number_ that specifies the expert level under which this
5831
group or option should be displayed. The following expert levels
5832
are defined for options (they have analogous meaning for groups):
5835
This option should always be offered to the user.
5838
This option may be offered to advanced users.
5841
This option should only be offered to expert users.
5844
This option should normally never be displayed, not even to
5848
This option is for internal use only. Ignore it.
5850
The level of a group will always be the lowest level of all
5851
options it contains.
5854
This field is defined for options and groups. The _string_ in
5855
this field contains a human-readable description of the option or
5856
group. It can be displayed to the user of the GUI for
5857
informational purposes. It is _percent-escaped_ and _localized_.
5860
This field is only defined for options. It contains an _unsigned
5861
number_ that specifies the type of the option's argument, if any.
5862
The following types are defined:
5867
No argument allowed.
5870
An _unformatted string_.
5876
An _unsigned number_.
5881
A _string_ that describes the pathname of a file. The file
5882
does not necessarily need to exist.
5885
A _string_ that describes an LDAP server in the format:
5887
`HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
5889
`key fingerprint (34)'
5890
A _string_ with a 40 digit fingerprint specifying a
5894
A _string_ that describes a certificate by user ID, key ID or
5898
A _string_ that describes a certificate with a key by user ID,
5899
key ID or fingerprint.
5901
More types will be added in the future. Please see the ALT-TYPE
5902
field for information on how to cope with unknown types.
5905
This field is identical to TYPE, except that only the types `0' to
5906
`31' are allowed. The GUI is expected to present the user the
5907
option in the format specified by TYPE. But if the argument type
5908
TYPE is not supported by the GUI, it can still display the option
5909
in the more generic basic type ALT-TYPE. The GUI must support all
5910
the defined basic types to be able to display all options. More
5911
basic types may be added in future versions. If the GUI
5912
encounters a basic type it doesn't support, it should report an
5913
error and abort the operation.
5916
This field is only defined for options with an argument type TYPE
5917
that is not `0'. In this case it may contain a _percent-escaped_
5918
and _localised string_ that gives a short name for the argument.
5919
The field may also be empty, though, in which case a short name is
5923
This field is defined only for options for which the `default' or
5924
`default desc' flag is set. If the `default' flag is set, its
5925
format is that of an _option argument_ (*Note Format
5926
conventions::, for details). If the default value is empty, then
5927
no default is known. Otherwise, the value specifies the default
5928
value for this option. If the `default desc' flag is set, the
5929
field is either empty or contains a description of the effect if
5930
the option is not given.
5933
This field is defined only for options for which the `optional
5934
arg' flag is set. If the `no arg desc' flag is not set, its
5935
format is that of an _option argument_ (*Note Format
5936
conventions::, for details). If the default value is empty, then
5937
no default is known. Otherwise, the value specifies the default
5938
argument for this option. If the `no arg desc' flag is set, the
5939
field is either empty or contains a description of the effect of
5940
this option if no argument is given.
5943
This field is defined only for options. Its format is that of an
5944
_option argument_. If it is empty, then the option is not
5945
explicitely set in the current configuration, and the default
5946
applies (if any). Otherwise, it contains the current value of the
5947
option. Note that this field is also meaningful if the option
5948
itself does not take a real argument (in this case, it contains
5949
the number of times the option appears).
5952
File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
5954
7.4.6 Changing options
5955
----------------------
5957
The command `--change-options COMPONENT' will attempt to change the
5958
options of the component COMPONENT to the specified values. COMPONENT
5959
must be the string in the field NAME in the output of the
5960
`--list-components' command. You have to provide the options that
5961
shall be changed in the following format on standard input:
5963
`NAME:FLAGS:NEW-VALUE'
5966
This is the name of the option to change. NAME must be the string
5967
in the field NAME in the output of the `--list-options' command.
5970
The flags field contains an _unsigned number_. Its value is the
5971
OR-wise combination of the following flag values:
5974
If this flag is set, the option is deleted and the default
5975
value is used instead (if applicable).
5978
The new value for the option. This field is only defined if the
5979
`default' flag is not set. The format is that of an _option
5980
argument_. If it is empty (or the field is omitted), the default
5981
argument is used (only allowed if the argument is optional for this
5982
option). Otherwise, the option will be set to the specified value.
5986
To set the force option, which is of basic type `none (0)':
5988
$ echo 'force:0:1' | gpgconf --change-options dirmngr
5990
To delete the force option:
5992
$ echo 'force:16:' | gpgconf --change-options dirmngr
5994
The `--runtime' option can influence when the changes take effect.
5997
File: gnupg.info, Node: Listing global options, Next: Files used by gpgconf, Prev: Changing options, Up: gpgconf
5999
7.4.7 Listing global options
6000
----------------------------
6002
Sometimes it is useful for applications to look at the global options
6003
file `gpgconf.conf'. The colon separated listing format is record
6004
oriented and uses the first field to identify the record type:
6007
This describes a key record to start the definition of a new
6008
ruleset for a user/group. The format of a key record is:
6013
This is the user field of the key. It is percent escaped.
6014
See the definition of the gpgconf.conf format for details.
6017
This is the group field of the key. It is percent escaped.
6020
This describes a rule record. All rule records up to the next key
6021
record make up a rule set for that key. The format of a rule
6024
`r:::COMPONENT:OPTION:FLAGS:VALUE:'
6027
This is the component part of a rule. It is a plain string.
6030
This is the option part of a rule. It is a plain string.
6033
This is the flags part of a rule. There may be only one flag
6034
per rule but by using the same component and option, several
6035
flags may be assigned to an option. It is a plain string.
6038
This is the optional value for the option. It is a percent
6039
escaped string with a single quotation mark to indicate a
6040
string. The quotation mark is only required to distinguish
6041
between no value specified and an empty string.
6044
Unknown record typs should be ignored. Note that there is intentionally
6045
no feature to change the global option file through `gpgconf'.
6048
File: gnupg.info, Node: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
6050
7.4.8 Files used by gpgconf
6051
---------------------------
6053
`/etc/gnupg/gpgconf.conf'
6054
If this file exists, it is processed as a global configuration
6055
file. A commented example can be found in the `examples'
6056
directory of the distribution.
6059
File: gnupg.info, Node: applygnupgdefaults, Next: gpgsm-gencert.sh, Prev: gpgconf, Up: Helper Tools
6061
7.5 Run gpgconf for all users.
6062
==============================
6064
This script is a wrapper around `gpgconf' to run it with the command
6065
`--apply-defaults' for all real users with an existing GnuPG home
6066
directory. Admins might want to use this script to update he GnuPG
6067
configuration files for all users after `/etc/gnupg/gpgconf.conf' has
6068
been changed. This allows to enforce certain policies for all users.
6069
Note, that this is not a bulletproof of forcing a user to use certain
6070
options. A user may always directly edit the configuration files and
6073
`applygnupgdefaults' is invoked by root as:
6078
File: gnupg.info, Node: gpgsm-gencert.sh, Next: gpg-preset-passphrase, Prev: applygnupgdefaults, Up: Helper Tools
6080
7.6 Generate an X.509 certificate request
6081
=========================================
6083
This is a simple tool to interactivly generate a certificate request
6084
which will be printed to stdout.
6086
`gpgsm-gencert.sh' is invoked as:
6091
File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: gpgsm-gencert.sh, Up: Helper Tools
6093
7.7 Put a passphrase into the cache.
6094
====================================
6096
The `gpg-preset-passphrase' is a utility to seed the internal cache of
6097
a running `gpg-agent' with passphrases. It is mainly useful for
6098
unattended machines, where the usual `pinentry' tool may not be used
6099
and the passphrases for the to be used keys are given at machine
6102
Passphrases set with this utility don't expire unless the `--forget'
6103
option is used to explicitly clear them from the cache -- or
6104
`gpg-agent' is either restarted or reloaded (by sending a SIGHUP to
6105
it). It is necessary to allow this passphrase presetting by starting
6106
`gpg-agent' with the `--allow-preset-passphrase'.
6110
* Invoking gpg-preset-passphrase:: List of all commands and options.
6113
File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
6115
7.7.1 List of all commands and options.
6116
---------------------------------------
6118
`gpg-preset-passphrase' is invoked this way:
6120
gpg-preset-passphrase [options] [command] KEYGRIP
6122
KEYGRIP is a 40 character string of hexadecimal characters
6123
identifying the key for which the passphrase should be set or cleared.
6124
This keygrip is listed along with the key when running the command:
6125
`gpgsm --dump-secret-keys'. One of the following command options must
6129
Preset a passphrase. This is what you usually will use.
6130
`gpg-preset-passphrase' will then read the passphrase from `stdin'.
6133
Flush the passphrase for the given keygrip from the cache.
6136
The following additional options may be used:
6140
Output additional information while running.
6143
`--passphrase STRING'
6144
Instead of reading the passphrase from `stdin', use the supplied
6145
STRING as passphrase. Note that this makes the passphrase visible
6149
File: gnupg.info, Node: gpg-connect-agent, Next: gpgparsemail, Prev: gpg-preset-passphrase, Up: Helper Tools
6151
7.8 Communicate with a running agent.
6152
=====================================
6154
The `gpg-connect-agent' is a utility to communicate with a running
6155
`gpg-agent'. It is useful to check out the commands gpg-agent provides
6156
using the Assuan interface. It might also be useful for scripting
6157
simple applications. Inputis expected at stdin and out put gets
6160
It is very similar to running `gpg-agent' in server mode; but here
6161
we connect to a running instance.
6165
* Invoking gpg-connect-agent:: List of all options.
6166
* Controlling gpg-connect-agent:: Control commands.
6169
File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
6171
7.8.1 List of all options.
6172
--------------------------
6174
`gpg-connect-agent' is invoked this way:
6176
gpg-connect-agent [options]
6178
The following options may be used:
6182
Output additional information while running.
6187
Try to be as quiet as possible.
6190
Set the name of the home directory to DIR. If his option is not
6191
used, the home directory defaults to `~/.gnupg'. It is only
6192
recognized when given on the command line. It also overrides any
6193
home directory stated through the environment variable `GNUPGHOME'
6194
or (on W32 systems) by means on the Registry entry
6195
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
6199
Connect to socket NAME assuming this is an Assuan style server.
6200
Do not run any special initializations or environment checks.
6201
This may be used to directly connect to any Assuan style socket
6206
Take the rest of the command line as a program and it's arguments
6207
and execute it as an assuan server. Here is how you would run
6209
gpg-connect-agent --exec gpgsm --server
6212
When using `-S' or `--exec', `gpg-connect-agent' connects to the
6213
assuan server in extended mode to allow descriptor passing. This
6214
option makes it use the old mode.
6217
Run the commands from FILE at startup and then continue with the
6218
regular input method.
6222
Run the command `/subst' at startup.
6225
Print data lines in a hex format and the ASCII representation of
6226
non-control characters.
6229
Decode data lines. That is to remove percent escapes but make
6230
sure that a new line always starts with a D and a space.
6234
File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
6236
7.8.2 Control commands.
6237
-----------------------
6239
While reading Assuan commands, gpg-agent also allows a few special
6240
commands to control its operation. These control commands all start
6247
Set the variable NAME to VALUE. Variables are only substituted on
6248
the input if the `/subst' has been used. Variables are referenced
6249
by prefixing the name with a dollr sign and optionally include the
6250
name in curly braces. The rules for a valid name are idnetically
6251
to those of the standard bourne shell. This is not yet enforced
6252
but may be in the future. When used with curly braces no leading
6253
or trailing white space is allowed.
6255
If a variable is not found, it is searched in the environment and
6256
if found copied to the table of variables.
6258
Variable functions are available: The name of the function must be
6259
followed by at least one space and the at least one argument. The
6260
following functions are available:
6263
Return a value described by the argument. Available
6267
The current working directory.
6273
GnuPG's system configuration directory.
6276
GnuPG's binary directory.
6279
GnuPG's library directory.
6282
GnuPG's library directory for executable files.
6285
GnuPG's data directory.
6288
The PID of the current server. Command `/serverpid' must
6289
have been given to return a useful value.
6292
Remove C-style escapes from ARGS. Note that `\0' and `\x00'
6293
terminate the returned string implicitly. The string to be
6294
converted are the entire arguments right behind the
6295
delimiting space of the function name.
6299
Remove percent style ecaping from ARGS. Note that `%00'
6300
terminates the string implicitly. The string to be converted
6301
are the entire arguments right behind the delimiting space of
6302
the function name. `unpercent+' also maps plus signs to a
6307
Escape the ARGS using percent style ecaping. Tabs, formfeeds,
6308
linefeeds, carriage returns and colons are escaped.
6309
`percent+' also maps spaces to plus signs.
6314
Assume ARG is an integer and evaluate it using `strtol'.
6315
Return the gpg-error error code, error source or a formatted
6316
string with the error code and error source.
6323
Evaluate all arguments as long integers using `strtol' and
6324
apply this operator. A division by zero yields an empty
6330
Evaluate all arguments as long integers using `strtol' and
6331
apply the logical oeprators NOT, OR or AND. The NOT operator
6332
works on the last argument only.
6336
Use content of the variable VAR for inquiries with NAME. NAME may
6337
be an asterisk (`*') to match any inquiry.
6339
`/definqfile NAME FILE'
6340
Use content of FILE for inquiries with NAME. NAME may be an
6341
asterisk (`*') to match any inquiry.
6343
`/definqprog NAME PROG'
6344
Run PROG for inquiries matching NAME and pass the entire line to
6345
it as command line arguments.
6348
Print all definitions
6351
Delete all definitions
6354
Open FILE in MODE (which needs to be a valid `fopen' mode string)
6355
and send the file descriptor to the server. This is usually
6356
followed by a command like `INPUT FD' to set the input source for
6360
Not yet implemented.
6362
`/open VAR FILE [MODE]'
6363
Open FILE and assign the file descriptor to VAR. Warning: This
6364
command is experimental and might change in future versions.
6367
Close the file descriptor FD. Warning: This command is
6368
experimental and might change in future versions.
6371
Show a listy of open files.
6374
Send the Assuan command `GETINFO pid' to the server and store the
6375
returned PID for internal purposes.
6382
Same as the command line option `--hex'.
6386
Same as the command line option `--decode'.
6390
Enable and disable variable substitution. It defaults to disabled
6391
unless the command line option `--subst' has been used. If /subst
6392
as been enabled once, leading whitespace is removed from input
6393
lines which makes scripts easier to read.
6397
These commands provide a way for executing loops. All lines
6398
between the `while' and the corresponding `end' are executed as
6399
long as the evaluation of CONDITION yields a non-zero value. The
6400
evaluation is done by passing CONDITION to the `strtol' function.
6406
/echo loop couter is $i
6411
Run commands from FILE.
6414
Terminate the connection and the program
6417
Print a list of available control commands.
6421
File: gnupg.info, Node: gpgparsemail, Next: symcryptrun, Prev: gpg-connect-agent, Up: Helper Tools
6423
7.9 Parse a mail message into an annotated format
6424
=================================================
6426
The `gpgparsemail' is a utility currently only useful for debugging.
6427
Run it with `--help' for usage information.
6430
File: gnupg.info, Node: symcryptrun, Prev: gpgparsemail, Up: Helper Tools
6432
7.10 Call a simple symmetric encryption tool.
6433
=============================================
6435
Sometimes simple encryption tools are already in use for a long time and
6436
there might be a desire to integrate them into the GnuPG framework. The
6437
protocols and encryption methods might be non-standard or not even
6438
properly documented, so that a full-fledged encryption tool with an
6439
interface like gpg is not doable. `symcryptrun' provides a solution:
6440
It operates by calling the external encryption/decryption module and
6441
provides a passphrase for a key using the standard `pinentry' based
6442
mechanism through `gpg-agent'.
6444
Note, that `symcryptrun' is only available if GnuPG has been
6445
configured with `--enable-symcryptrun' at build time.
6449
* Invoking symcryptrun:: List of all commands and options.
6452
File: gnupg.info, Node: Invoking symcryptrun, Up: symcryptrun
6454
7.10.1 List of all commands and options.
6455
----------------------------------------
6457
`symcryptrun' is invoked this way:
6459
symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
6460
[--decrypt | --encrypt] [inputfile]
6462
For encryption, the plain text must be provided on STDIN or as the
6463
argument INPUTFILE, and the ciphertext will be output to STDOUT. For
6464
decryption vice versa.
6466
CLASS describes the calling conventions of the external tool.
6467
Currently it must be given as `confucius'. PROGRAM is the the full
6468
filename of that external tool.
6470
For the class `confucius' the option `--keyfile' is required;
6471
KEYFILE is the name of a file containing the secret key, which may be
6472
protected by a passphrase. For detailed calling conventions, see the
6475
Note, that `gpg-agent' must be running before starting `symcryptrun'.
6477
The following additional options may be used:
6481
Output additional information while running.
6486
Try to be as quiet as possible.
6489
Set the name of the home directory to DIR. If his option is not
6490
used, the home directory defaults to `~/.gnupg'. It is only
6491
recognized when given on the command line. It also overrides any
6492
home directory stated through the environment variable `GNUPGHOME'
6493
or (on W32 systems) by means on the Registry entry
6494
HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
6497
Append all logging output to FILE. Default is to write logging
6498
informaton to STDERR.
6501
The possible exit status codes of `symcryptrun' are:
6510
No valid passphrase was provided.
6513
The operation was canceled by the user.
6517
File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Helper Tools, Up: Top
6519
8 How to do certain things
6520
**************************
6522
This is a collection of small howto documents.
6526
* Howto Create a Server Cert:: Creating a TLS server certificate.
6529
File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
6531
8.1 Creating a TLS server certificate
6532
=====================================
6534
Here is a brief run up on how to create a server certificate. It has
6535
actually been done this way to get a certificate from CAcert to be used
6536
on a real server. It has only been tested with this CA, but there
6537
shouldn't be any problem to run this against any other CA.
6539
Before you start, make sure that gpg-agent is running. As there is
6540
no need for a configuration file, you may simply enter:
6542
$ gpgsm-gencert.sh >a.p10
6546
[3] Direct from card
6550
I opted for creating a new RSA key. The other option is to use an
6551
already existing key, by selecting `2' and entering the so-called
6552
keygrip. Running the command `gpgsm --dump-secret-key USERID' shows
6553
you this keygrip. Using `3' offers another menu to create a
6554
certificate directly from a smart card based key.
6564
The script offers two common key sizes. With the current setup of
6565
CAcert, it does not make much sense to use a 2k key; their policies need
6566
to be revised anyway (a CA root key valid for 30 years is not really
6574
You selected: sign, encrypt
6576
We want to sign and encrypt using this key. This is just a suggestion
6577
and the CA may actually assign other key capabilities.
6579
Now for some real data:
6582
> CN=kerckhoffs.g10code.com
6584
This is the most important value for a server certificate. Enter here
6585
the canonical name of your server machine. You may add other virtual
6588
E-Mail addresses (end with an empty line)
6591
We don't need email addresses in a server certificate and CAcert
6592
would anyway ignore such a request. Thus just hit enter.
6594
If you want to create a client certificate for email encryption, this
6595
would be the place to enter your mail address (e.g. <joe@example.org>).
6596
You may enter as many addresses as you like, however the CA may not
6597
accept them all or reject the entire request.
6599
DNS Names (optional; end with an empty line)
6601
DNS Names (optional; end with an empty line)
6603
DNS Names (optional; end with an empty line)
6606
Here I entered the names of the servers which actually run on the
6607
machine given in the DN above. The browser will accept a certificate for
6608
any of these names. As usual the CA must approve all of these names.
6610
URIs (optional; end with an empty line)
6613
It is possible to insert arbitrary URIs into a certificate; for a
6614
server certificate this does not make sense.
6616
We have now entered all required information and `gpgsm' will
6617
display what it has gathered and ask whether to create the certificate
6620
Parameters for certificate request to create:
6623
3 Key-Usage: sign, encrypt
6624
4 Name-DN: CN=kerckhoffs.g10code.com
6625
5 Name-DNS: www.g10code.com
6626
6 Name-DNS: ftp.g10code.com
6628
Really create such a CSR?
6634
`gpgsm' will now start working on creating the request. As this
6635
includes the creation of an RSA key it may take a while. During this
6636
time you will be asked 3 times for a passphrase to protect the created
6637
private key on your system. A pop up window will appear to ask for it.
6638
The first two prompts are for the new passphrase and for re-entering it;
6639
the third one is required to actually create the certificate signing
6642
When it is ready, you should see the final notice:
6644
gpgsm: certificate request created
6646
Now, you may look at the created request:
6649
-----BEGIN CERTIFICATE REQUEST-----
6650
MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
6651
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
6652
HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
6653
wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
6654
Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
6655
d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
6656
gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
6657
IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
6658
eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
6659
-----END CERTIFICATE REQUEST-----
6662
You may now proceed by logging into your account at the CAcert
6663
website, choose `Server Certificates - New', check `sign by class 3 root
6664
certificate', paste the above request block into the text field and
6667
If everything works out fine, a certificate will be shown. Now run
6671
and paste the certificate from the CAcert page into your terminal
6672
followed by a Ctrl-D
6674
-----BEGIN CERTIFICATE-----
6675
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
6676
cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
6677
ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
6678
MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
6679
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
6680
ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
6681
8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
6682
MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
6683
BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
6684
oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
6685
dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
6686
b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
6687
aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
6688
W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
6689
fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
6690
mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
6691
NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
6692
6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
6693
BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
6694
gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
6695
94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
6696
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
6698
-----END CERTIFICATE-----
6699
gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
6700
gpgsm: certificate imported
6702
gpgsm: total number processed: 1
6705
gpgsm tells you that it has imported the certificate. It is now
6706
associated with the key you used when creating the request. The root
6707
certificate has not been found, so you may want to import it from the
6710
To see the content of your certificate, you may now enter:
6712
$ gpgsm -K kerckhoffs.g10code.com
6713
/home/foo/.gnupg/pubring.kbx
6714
---------------------------
6716
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
6717
Subject: /CN=kerckhoffs.g10code.com
6718
aka: (dns-name www.g10code.com)
6719
aka: (dns-name ftp.g10code.com)
6720
validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
6721
key type: 1024 bit RSA
6722
key usage: digitalSignature keyEncipherment
6723
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
6724
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
6726
I used `-K' above because this will only list certificates for which
6727
a private key is available. To see more details, you may use
6728
`--dump-secret-keys' instead of `-K'.
6730
To make actual use of the certificate you need to install it on your
6731
server. Server software usally expects a PKCS\#12 file with key and
6732
certificate. To create such a file, run:
6734
$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
6736
You will be asked for the passphrase as well as for a new passphrase
6737
to be used to protect the PKCS\#12 file. The file now contains the
6738
certificate as well as the private key:
6740
$ cat kerckhoffs-cert.pem
6741
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
6743
Subject ..: /CN=kerckhoffs.g10code.com
6744
aka ..: (dns-name www.g10code.com)
6745
aka ..: (dns-name ftp.g10code.com)
6747
-----BEGIN PKCS12-----
6748
MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
6749
[...many more lines...]
6750
-----END PKCS12-----
6753
Copy this file in a secure way to the server, install it there and
6754
delete the file then. You may export the file again at any time as long
6755
as it is available in GnuPG's private key database.
6758
File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
6760
9 Notes pertaining to certain OSes.
6761
***********************************
6763
GnuPG has been developed on GNU/Linux systems and is know to work on
6764
almost all Free OSes. All modern POSIX systems should be supproted
6765
right now, however there are probably a lot of smaller glitches we need
6766
to fix first. The major problem areas are:
6768
* For logging to sockets and other internal operations the
6769
`fopencookie' function (`funopen' under *BSD) is used. This is a
6770
very convient function which makes it possible to create outputs in
6771
a structures and easy maintainable way. The drawback however is
6772
that most proprietary OSes don't support this function. At
6773
g10 Code we have looked into several ways on how to overcome this
6774
limitation but no sufficiently easy and maintainable way has been
6775
found. Porting _glibc_ to a general POSIX system is of course an
6776
option and would make writing portable software much easier; this
6777
it has not yet been done and the system administrator wouldneed to
6778
cope with the GNU specific admin things in addition to the generic
6781
We have now settled to use explicit stdio wrappers with a
6782
functionality similar to funopen. Although the code for this has
6783
already been written (_libestream_), we have not yet changed GnuPG
6786
This means that on systems not supporting either `funopen' or
6787
`fopencookie', logging to a socket won't work, prompts are not
6788
formatted as pretty as theyshould be and `gpgsm''s `LISTKEYS'
6789
Assuan command does not work.
6791
* We are planning to use file descriptor passing for interprocess
6792
communication. This will allow us save a lot of resources and
6793
improve performance of certain operations a lot. Systems not
6794
supporting this won't gain these benefits but we try to keep them
6795
working the satndard way as it is done today.
6797
* We require more or less full POSIX compatibility. This has been
6798
arround for 15 years now and thus we don't believe it makes sense
6799
to support non POSIX systems anymore. Well, we of course the usual
6800
workarounds for near POSIX systems well be applied.
6802
There is one exception of this rule: Systems based the Microsoft
6803
Windows API (called here _W32_) will be supported to some extend.
6808
* W32 Notes:: Microsoft Windows Notes
6811
File: gnupg.info, Node: W32 Notes, Up: System Notes
6813
9.1 Microsoft Windows Notes
6814
===========================
6816
The port to Microsoft Windows based OSes is pretty new and has some
6817
limitations we might remove over time. Note, that we have not yet done
6818
any security audit and you should not use any valuable private key. In
6819
particular, *using it on a box with more than one user, might lead to a
6822
*It is quite possible that the current version does not even build.*
6824
Current limitations are:
6826
* The `LISTKEYS' Assuan command of `gpgsm' is not supported. Using
6827
the command line options `--list-keys' or `--list-secret-keys'
6830
* No support for CRL checks. By default the option
6831
`--disable-crl-checks' has been turned on and the log will show an
6832
appropriate warning message. The reason for this is that the
6833
separate CRL checking daemin (`dirmngr') has not been ported to
6836
* `gpgconf' does not create backup files, so in case of trouble your
6837
configuration file might get lost.
6839
* `watchgnupg' is not available. Logging to sockets is not possible.
6841
* The periodical smartcard status checking done by `scdaemon' is not
6844
* Detached running of the gpg-agent is not directly supported. It
6845
needs to be started in a console and left alone then.
6849
File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
6851
10 How to solve problems
6852
************************
6854
Everyone knows that software often does not do what it should do and
6855
thus there is a need to track down problems. We call this debugging in
6856
a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
6858
Most of the problems a merely configuration and user problems but
6859
nevertheless there are the most annoying ones and reponsible for many
6860
gray hairs. We try to give some guidelines here on how to identify and
6861
solve the problem at hand.
6865
* Debugging Tools:: Description of some useful tools.
6866
* Debugging Hints:: Various hints on debugging.
6867
* Common Problems:: Commonly seen problems.
6868
* Architecture Details:: How the whole thing works internally.
6871
File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
6873
10.1 Debugging Tools
6874
====================
6876
The GnuPG distribution comes with a couple of tools, useful to help find
6877
and solving problems.
6881
* kbxutil:: Scrutinizing a keybox file.
6884
File: gnupg.info, Node: kbxutil, Up: Debugging Tools
6886
10.1.1 Scrutinizing a keybox file
6887
---------------------------------
6889
A keybox is a file fomat used to store public keys along with meta
6890
information and indices. The commonly used one is the file
6891
`pubring.kbx' in the `.gnupg' directory. It contains all X.509
6892
certificates as well as OpenPGP keys(1) .
6894
When called the standard way, e.g.:
6896
`kbxutil ~/.gnupg/pubring.kbx'
6898
it lists all records (called blobs) with there meta-information in a
6899
human readable format.
6901
To see statistics on the keybox in question, run it using
6903
`kbxutil --stats ~/.gnupg/pubring.kbx'
6905
and you get an output like:
6907
Total number of blobs: 99
6914
ephemeral flagged: 17
6916
In this example you see that the keybox does not have any OpenPGP
6917
keys but contains 98 X.509 cerificates and a total of 17 keys or
6918
certificates are flagges as ephemeral, meaning that they are only
6919
temporary stored (cached) in the keybox and won't get listed using the
6920
usual commands provided by `gpgsm' or `gpg'. 81 certifcates are stored
6921
in a standard way and directly available from `gpgsm'.
6923
To find duplicated certificates and keyblocks in a keybox file (this
6924
should not occur but sometimes things go wrong), run it using
6926
`kbxutil --find-dups ~/.gnupg/pubring.kbx'
6928
---------- Footnotes ----------
6930
(1) Well, OpenPGP keys are not implemented, `gpg' still used the
6931
keyring file `pubring.gpg'
6934
File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
6936
10.2 Various hints on debugging.
6937
================================
6939
* How to find the IP address of a keyserver
6941
If a round robin URL of is used for a keyserver (e.g.
6942
subkeys.gnupg.org); it is not easy to see what server is actually
6943
used. Using the keyserver debug option as in
6945
gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
6947
is thus often helpful. Note that the actual output depends on the
6948
backend and may change from release to release.
6952
File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
6954
10.3 Commonly Seen Problems
6955
===========================
6957
* Error code `Not supported' from Dirmngr
6959
Most likely the option `enable-ocsp' is active for gpgsm but
6960
Dirmngr's OCSP feature has not been enabled using `allow-ocsp' in
6963
* The Curses based Pinentry does not work
6965
The far most common reason for this is that the environment
6966
variable `GPG_TTY' has not been set correctly. Make sure that it
6967
has been set to a real tty devce and not just to `/dev/tty'; i.e.
6968
`GPG_TTY=tty' is plainly wrong; what you want is `GPG_TTY=`tty`'
6969
-- note the back ticks. Also make sure that this environment
6970
variable gets exported, that is you should follow up the setting
6971
with an `export GPG_TTY' (assuming a Bourne style shell). Even for
6972
GUI based Pinentries; you should have set `GPG_TTY'. See the
6973
section on installing the `gpg-agent' on how to do it.
6975
* SSH hangs while a popping up pinentry was expected
6977
SSH has no way to tell the gpg-agent what terminal or X display it
6978
is running on. So when remotely logging into a box where a
6979
gpg-agent with SSH support is running, the pinentry will get
6980
popped up on whatever display t he gpg-agent has been started. To
6981
solve this problem you may issue the command
6983
echo UPDATESTARTUPTTY | gpg-connect-agent
6985
and the next pinentry will pop up on your display or screen.
6986
However, you need to kill the running pinentry first because only
6987
one pinentry may be running at once. If you plan to use ssh on a
6988
new display you should issue the above command before invoking ssh
6989
or any other service making use of ssh.
6991
* Exporting a secret key without a certificate
6993
I may happen that you have created a certificate request using
6994
`gpgsm' but not yet received and imported the certificate from the
6995
CA. However, you want to export the secret key to another machine
6996
right now to import the certificate over there then. You can do
6997
this with a little trick but it requires that you know the
6998
approximate time you created the signing request. By running the
7001
ls -ltr ~/.gnupg/private-keys-v1.d
7003
you get a listing of all private keys under control of `gpg-agent'.
7004
Pick the key which best matches the creation time and run the
7007
/usr/local/libexec/gpg-protect-tool --p12-export ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
7009
(Please adjust the path to `gpg-protect-tool' to the approriate
7010
location). FOO is the name of the key file you picked (it should
7011
have the suffix `.key'). A Pinentry box will pop up and ask you
7012
for the current passphrase of the key and a new passphrase to
7013
protect it in the pkcs#12 file.
7015
To import the created file on the machine you use this command:
7017
/usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
7019
You will be asked for the pkcs#12 passphrase and a new passphrase
7020
to protect the imported private key at its new location.
7022
Note that there is no easy way to match existing certificates with
7023
stored private keys because some private keys are used for Secure
7024
Shell or other purposes and don't have a corresponding certificate.
7026
* A root certificate does not verify
7028
A common problem is that the root certificate misses the required
7029
basicConstrains attribute and thus `gpgsm' rejects this
7030
certificate. An error message indicating "no value" is a sign for
7031
such a certificate. You may use the `relax' flag in
7032
`trustlist.txt' to accept the certificate anyway. Note that the
7033
fingerprint and this flag may only be added manually to
7036
* Error message: "digest algorithm N has not been enabled"
7038
The signature is broken. You may try the option
7039
`--extra-digest-algo SHA256' to workaround the problem. The
7040
number N is the internal algorighm indentifier; for example 8
7045
File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
7047
10.4 How the whole thing works internally.
7048
==========================================
7052
* GnuPG-1 and GnuPG-2:: Relationship between the two branches.
7055
File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Up: Architecture Details
7057
10.4.1 Relationship between the two branches.
7058
---------------------------------------------
7060
Here is a little picture showing how the components work together: