1
@c Copyright (C) 2004 Free Software Foundation, Inc.
2
@c This is part of the GnuPG manual.
3
@c For copying conditions, see the file GnuPG.texi.
8
GnuPG comes with a couple of smaller tools:
11
* watchgnupg:: Read logs from a socket.
12
* addgnupghome:: Create .gnupg home directories.
13
* gpgconf:: Modify .gnupg home directories.
14
* gpgsm-gencert.sh:: Generate an X.509 certificate request.
15
* gpg-preset-passphrase:: Put a passphrase into the cache.
22
@section Read logs from a socket
24
Most of the main utilities are able to write there log files to a
25
Unix Domain socket if configured that way. @command{watchgnupg} is a simple
26
listener for such a socket. It ameliorates the output with a time
27
stamp and makes sure that long lines are not interspersed with log
28
output from other utilities.
31
@command{watchgnupg} is commonly invoked as
33
@samp{watchgnupg --force ~/.gnupg/S.log}
36
This starts it on the current terminal for listening on the socket
37
@file{~/.gnupg/S.log}.
40
@command{watchgnupg} understands these options:
46
Delete an already existing socket file.
50
Enable extra informational output.
54
print version of the program and exit
58
Display a brief help page and exit
67
@section Create .gnupg home directories.
69
If GnuPG is installed on a system with existing user accounts, it is
70
sometimes required to populate the GnuPG home directory with existing
71
files. Especially a @file{trustlist.txt} and a keybox with some
72
initial certificates are often desired. This scripts help to do this
73
by copying all files from @file{/etc/skel/.gnupg} to the home
74
directories of the accounts given on the command line. It takes care
75
not to overwrite existing GnuPG home directories.
78
@command{addgnupghome} is invoked by root as:
80
@samp{addgnupghome account1 account2 ... accountn}
87
@section Modify .gnupg home directories.
89
The @command{gpgconf} is a utility to automatically and reasonable
90
safely query and modify configuration files in the @file{.gnupg} home
91
directory. It is designed not to be invoked manually by the user, but
92
automatically by graphical user interfaces (GUI).@footnote{Please note
93
that currently no locking is done, so concurrent access should be
94
avoided. There are some precautions to avoid corruption with
95
concurrent usage, but results may be inconsistent and some changes may
96
get lost. The stateless design makes it difficult to provide more
99
@command{gpgconf} provides access to the configuration of one or more
100
components of the GnuPG system. These components correspond more or
101
less to the programs that exist in the GnuPG framework, like GnuPG,
102
GPGSM, DirMngr, etc. But this is not a strict one-to-one
103
relationship. Not all configuration options are available through
104
@command{gpgconf}. @command{gpgconf} provides a generic and abstract
105
method to access the most important configuration options that can
106
feasibly be controlled via such a mechanism.
108
@command{gpgconf} can be used to gather and change the options
109
available in each component, and can also provide their default
110
values. @command{gpgconf} will give detailed type information that
111
can be used to restrict the user's input without making an attempt to
114
@command{gpgconf} provides the backend of a configuration editor. The
115
configuration editor would usually be a graphical user interface
116
program, that allows to display the current options, their default
117
values, and allows the user to make changes to the options. These
118
changes can then be made active with @command{gpgconf} again. Such a
119
program that uses @command{gpgconf} in this way will be called GUI
120
throughout this section.
123
* Invoking gpgconf:: List of all commands and options.
124
* Format conventions:: Formatting conventions relevant for all commands.
125
* Listing components:: List all gpgconf components.
126
* Listing options:: List all options of a component.
127
* Changing options:: Changing options of a component.
131
@node Invoking gpgconf
132
@subsection Invoking gpgconf
134
One of the following commands must be given:
137
@item --list-components
138
List all components. This is the default command used if none is
141
@item --list-options @var{component}
142
List all options of the component @var{component}.
144
@item --change-options @var{component}
145
Change the options of the component @var{component}.
148
The following options may be used:
151
@c FIXME: Not yet supported.
152
@c @item -o @var{file}
153
@c @itemx --output @var{file}
154
@c Use @var{file} as output file.
158
Outputs additional information while running. Specifically, this
159
extends numerical field values by human-readable descriptions.
161
@c FIXME: Not yet supported.
164
@c Do not actually change anything. Useful together with
165
@c @code{--change-options} for testing purposes.
169
Only used together with @code{--change-options}. If one of the
170
modified options can be changed in a running daemon process, signal
171
the running daemon to ask it to reparse its configuration file after
174
This means that the changes will take effect at run-time, as far as
175
this is possible. Otherwise, they will take effect at the next start
176
of the respective backend programs.
180
@node Format conventions
181
@subsection Format conventions
183
Some lines in the output of @command{gpgconf} contain a list of
184
colon-separated fields. The following conventions apply:
188
The GUI program is required to strip off trailing newline and/or
189
carriage return characters from the output.
192
@command{gpgconf} will never leave out fields. If a certain version
193
provides a certain field, this field will always be present in all
194
@command{gpgconf} versions from that time on.
197
Future versions of @command{gpgconf} might append fields to the list.
198
New fields will always be separated from the previously last field by
199
a colon separator. The GUI should be prepared to parse the last field
200
it knows about up until a colon or end of line.
203
Not all fields are defined under all conditions. You are required to
204
ignore the content of undefined fields.
207
There are several standard types for the content of a field:
211
Some fields contain strings that are not escaped in any way. Such
212
fields are described to be used @emph{verbatim}. These fields will
213
never contain a colon character (for obvious reasons). No de-escaping
214
or other formatting is required to use the field content. This is for
215
easy parsing of the output, when it is known that the content can
216
never contain any special characters.
218
@item percent-escaped
219
Some fields contain strings that are described to be
220
@emph{percent-escaped}. Such strings need to be de-escaped before
221
their content can be presented to the user. A percent-escaped string
222
is de-escaped by replacing all occurences of @code{%XY} by the byte
223
that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
224
from the set @code{0-9a-f}.
227
Some fields contain strings that are described to be @emph{localised}.
228
Such strings are translated to the active language and formatted in
229
the active character set.
231
@item @w{unsigned number}
232
Some fields contain an @emph{unsigned number}. This number will
233
always fit into a 32-bit unsigned integer variable. The number may be
234
followed by a space, followed by a human readable description of that
235
value (if the verbose option is used). You should ignore everything
236
in the field that follows the number.
238
@item @w{signed number}
239
Some fields contain a @emph{signed number}. This number will always
240
fit into a 32-bit signed integer variable. The number may be followed
241
by a space, followed by a human readable description of that value (if
242
the verbose option is used). You should ignore everything in the
243
field that follows the number.
246
Some fields contain an @emph{option} argument. The format of an
247
option argument depends on the type of the option and on some flags:
251
The simplest case is that the option does not take an argument at all
252
(@var{type} @code{0}). Then the option argument is an unsigned number
253
that specifies how often the option occurs. If the @code{list} flag
254
is not set, then the only valid number is @code{1}. Options that do
255
not take an argument never have the @code{default} or @code{optional
259
If the option takes a number argument (@var{alt-type} is @code{2} or
260
@code{3}), and it can only occur once (@code{list} flag is not set),
261
then the option argument is either empty (only allowed if the argument
262
is optional), or it is a number. A number is a string that begins
263
with an optional minus character, followed by one or more digits. The
264
number must fit into an integer variable (unsigned or signed,
265
depending on @var{alt-type}).
268
If the option takes a number argument and it can occur more than once,
269
then the option argument is either empty, or it is a comma-separated
270
list of numbers as described above.
273
If the option takes a string argument (@var{alt-type} is 1), and it
274
can only occur once (@code{list} flag is not set) then the option
275
argument is either empty (only allowed if the argument is optional),
276
or it starts with a double quote character (@code{"}) followed by a
277
percent-escaped string that is the argument value. Note that there is
278
only a leading double quote character, no trailing one. The double
279
quote character is only needed to be able to differentiate between no
280
value and the empty string as value.
283
If the option takes a number argument and it can occur more than once,
284
then the option argument is either empty, or it is a comma-separated
285
list of string arguments as described above.
289
The active language and character set are currently determined from
290
the locale environment of the @command{gpgconf} program.
292
@c FIXME: Document the active language and active character set. Allow
293
@c to change it via the command line?
296
@node Listing components
297
@subsection Listing components
299
The command @code{--list-components} will list all components that can
300
be configured with @command{gpgconf}. Usually, one component will
301
correspond to one GnuPG-related program and contain the options of
302
that programs configuration file that can be modified using
303
@command{gpgconf}. However, this is not necessarily the case. A
304
component might also be a group of selected options from several
305
programs, or contain entirely virtual options that have a special
306
effect rather than changing exactly one option in one configuration
309
A component is a set of configuration options that semantically belong
310
together. Furthermore, several changes to a component can be made in
311
an atomic way with a single operation. The GUI could for example
312
provide a menu with one entry for each component, or a window with one
313
tabulator sheet per component.
315
The command argument @code{--list-components} lists all available
316
components, one per line. The format of each line is:
318
@code{@var{name}:@var{description}}
322
This field contains a name tag of the component. The name tag is used
323
to specify the component in all communication with @command{gpgconf}.
324
The name tag is to be used @emph{verbatim}. It is thus not in any
328
The @emph{string} in this field contains a human-readable description
329
of the component. It can be displayed to the user of the GUI for
330
informational purposes. It is @emph{percent-escaped} and
336
$ gpgconf --list-components
339
scdaemon:Smartcard Daemon
341
dirmngr:Directory Manager
345
@node Listing options
346
@subsection Listing options
348
Every component contains one or more options. Options may be gathered
349
into option groups to allow the GUI to give visual hints to the user
350
about which options are related.
352
The command argument @code{@w{--list-options @var{component}}} lists
353
all options (and the groups they belong to) in the component
354
@var{component}, one per line. @var{component} must be the string in
355
the field @var{name} in the output of the @code{--list-components}
358
There is one line for each option and each group. First come all
359
options that are not in any group. Then comes a line describing a
360
group. Then come all options that belong into each group. Then comes
361
the next group and so on. There does not need to be any group (and in
362
this case the output will stop after the last non-grouped option).
364
The format of each line is:
366
@code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}
370
This field contains a name tag for the group or option. The name tag
371
is used to specify the group or option in all communication with
372
@command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
373
thus not in any escaped format.
376
The flags field contains an @emph{unsigned number}. Its value is the
377
OR-wise combination of the following flag values:
381
If this flag is set, this is a line describing a group and not an
385
The following flag values are only defined for options (that is, if
386
the @code{group} flag is not used).
389
@item optional arg (2)
390
If this flag is set, the argument is optional. This is never set for
391
@var{type} @code{0} (none) options.
394
If this flag is set, the option can be given multiple times.
397
If this flag is set, the option can be changed at runtime.
400
If this flag is set, a default value is available.
402
@item default desc (32)
403
If this flag is set, a (runtime) default is available. This and the
404
@code{default} flag are mutually exclusive.
406
@item no arg desc (64)
407
If this flag is set, and the @code{optional arg} flag is set, then the
408
option has a special meaning if no argument is given.
412
This field is defined for options and for groups. It contains an
413
@emph{unsigned number} that specifies the expert level under which
414
this group or option should be displayed. The following expert levels
415
are defined for options (they have analogous meaning for groups):
419
This option should always be offered to the user.
422
This option may be offered to advanced users.
425
This option should only be offered to expert users.
428
This option should normally never be displayed, not even to expert
432
This option is for internal use only. Ignore it.
435
The level of a group will always be the lowest level of all options it
439
This field is defined for options and groups. The @emph{string} in
440
this field contains a human-readable description of the option or
441
group. It can be displayed to the user of the GUI for informational
442
purposes. It is @emph{percent-escaped} and @emph{localized}.
445
This field is only defined for options. It contains an @emph{unsigned
446
number} that specifies the type of the option's argument, if any. The
447
following types are defined:
456
An @emph{unformatted string}.
459
A @emph{signed number}.
462
An @emph{unsigned number}.
469
A @emph{string} that describes the pathname of a file. The file does
470
not necessarily need to exist.
472
@item ldap server (33)
473
A @emph{string} that describes an LDAP server in the format:
475
@code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}
478
More types will be added in the future. Please see the @var{alt-type}
479
field for information on how to cope with unknown types.
482
This field is identical to @var{type}, except that only the types
483
@code{0} to @code{31} are allowed. The GUI is expected to present the
484
user the option in the format specified by @var{type}. But if the
485
argument type @var{type} is not supported by the GUI, it can still
486
display the option in the more generic basic type @var{alt-type}. The
487
GUI must support all the defined basic types to be able to display all
488
options. More basic types may be added in future versions. If the
489
GUI encounters a basic type it doesn't support, it should report an
490
error and abort the operation.
493
This field is only defined for options with an argument type
494
@var{type} that is not @code{0}. In this case it may contain a
495
@emph{percent-escaped} and @emph{localised string} that gives a short
496
name for the argument. The field may also be empty, though, in which
497
case a short name is not known.
500
This field is defined only for options. Its format is that of an
501
@emph{option argument} (@xref{Format conventions}, for details). If
502
the default value is empty, then no default is known. Otherwise, the
503
value specifies the default value for this option. Note that this
504
field is also meaningful if the option itself does not take a real
508
This field is defined only for options for which the @code{optional
509
arg} flag is set. If the @code{no arg desc} flag is not set, its
510
format is that of an @emph{option argument} (@xref{Format
511
conventions}, for details). If the default value is empty, then no
512
default is known. Otherwise, the value specifies the default value
513
for this option. If the @code{no arg desc} flag is set, the field is
514
either empty or contains a description of the effect of this option if
515
no argument is given. Note that this field is also meaningful if the
516
option itself does not take a real argument.
519
This field is defined only for options. Its format is that of an
520
@emph{option argument}. If it is empty, then the option is not
521
explicitely set in the current configuration, and the default applies
522
(if any). Otherwise, it contains the current value of the option.
523
Note that this field is also meaningful if the option itself does not
524
take a real argument.
528
@node Changing options
529
@subsection Changing options
531
The command @w{@code{--change-options @var{component}}} will attempt
532
to change the options of the component @var{component} to the
533
specified values. @var{component} must be the string in the field
534
@var{name} in the output of the @code{--list-components} command. You
535
have to provide the options that shall be changed in the following
536
format on standard input:
538
@code{@var{name}:@var{flags}:@var{new-value}}
542
This is the name of the option to change. @var{name} must be the
543
string in the field @var{name} in the output of the
544
@code{--list-options} command.
547
The flags field contains an @emph{unsigned number}. Its value is the
548
OR-wise combination of the following flag values:
552
If this flag is set, the option is deleted and the default value is
553
used instead (if applicable).
557
The new value for the option. This field is only defined if the
558
@code{default} flag is not set. The format is that of an @emph{option
559
argument}. If it is empty (or the field is omitted), the default
560
argument is used (only allowed if the argument is optional for this
561
option). Otherwise, the option will be set to the specified value.
566
To set the force option, which is of basic type @code{none (0)}:
569
$ echo 'force:0:1' | gpgconf --change-options dirmngr
572
To delete the force option:
575
$ echo 'force:16:' | gpgconf --change-options dirmngr
578
The @code{--runtime} option can influence when the changes take
584
@node gpgsm-gencert.sh
585
@section Generate an X.509 certificate request
587
This is a simple tool to interactivly generate a certificate request
588
whicl will be printed to stdout.
591
@command{gpgsm-gencert.sh} is invoked as:
593
@samp{gpgsm-cencert.sh}
598
@c GPG-PRESET-PASSPHRASE
600
@node gpg-preset-passphrase
601
@section Put a passphrase into the cache.
603
The @command{gpg-preset-passphrase} is a utility to seed the internal
604
cache of a running @command{gpg-agent} with passphrases. It is mainly
605
useful for unattended machines, where the usual @command{pinentry} tool
606
may not be used and the passphrases for the to be used keys are given at
609
Passphrases set with this utility don't expire unless the
610
@option{--forget} option is used to explicitly clear them from the cache
611
--- or @command{gpg-agent} is either restarted or reloaded (by sending a
612
SIGHUP to it). It is necessary to allow this passphrase presetting by
613
starting @command{gpg-agent} with the
614
@option{--allow-preset-passphrase}.
617
* Invoking gpg-preset-passphrase:: List of all commands and options.
621
@node Invoking gpg-preset-passphrase
622
@subsection List of all commands and options.
625
@command{gpg-preset-passphrase} is invoked this way:
628
gpg-preset-passphrase [options] [command] @var{keygrip}
631
@var{keygrip} is a 40 character string of hexadecimal characters
632
identifying the key for which the passphrase should be set or cleared.
633
This keygrip is listed along with the key when running the command:
634
@code{gpgsm --dump-secret-keys}. One of the following command options
639
Preset a passphrase. This is what you usually will
640
use. @command{gpg-preset-passphrase} will then read the passphrase from
644
Flush the passphrase for the given keygrip from the cache.
649
The following additional options may be used:
655
Output additional information while running.
657
@item -P @var{string}
658
@itemx --passphrase @var{string}
660
Instead of reading the passphrase from @code{stdin}, use the supplied
661
@var{string} as passphrase. Note that this makes the passphrase visible