43
46
@mansect description
44
Most of the main utilities are able to write their log files to a
45
Unix Domain socket if configured that way. @command{watchgnupg} is a simple
46
listener for such a socket. It ameliorates the output with a time
47
stamp and makes sure that long lines are not interspersed with log
48
output from other utilities.
47
Most of the main utilities are able to write their log files to a Unix
48
Domain socket if configured that way. @command{watchgnupg} is a simple
49
listener for such a socket. It ameliorates the output with a time stamp
50
and makes sure that long lines are not interspersed with log output from
51
other utilities. This tool is not available for Windows.
51
55
@command{watchgnupg} is commonly invoked as
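Review bot: The added sentence "This tool is not available for Windows." at the end of the description paragraph leaves Windows readers without a pointer, although the same section later documents the one path they have: the HKCU\Software\GNU\GnuPG:DefaultLogFile registry entry with a TCP target. A cross-reference from the new sentence would help. Separately, the paragraph was re-wrapped, so every line shows as changed when only one sentence was added; keeping the old line breaks would make the change easier to review. While the text is being touched, "ameliorates the output with a time stamp" would read better as "prefixes the output with a time stamp".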
100
$ watchgnupg --force /home/foo/.gnupg/S.log
103
This waits for connections on the local socket
104
@file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
105
work the option @option{log-file} needs to be used with all modules
106
which logs are to be shown. The value for that option must be given
107
with a special prefix (e.g. in the conf file):
110
log-file socket:///home/foo/.gnupg/S.log
113
For debugging purposes it is also possible to do remote logging. Take
114
care if you use this feature because the information is send in the
115
clear over the network. Use this syntax in the conf files:
118
log-file tcp://192.168.1.1:4711
121
You may use any port and not just 4711 as shown above; only IP addresses
122
are supported (v4 and v6) and no host names. You need to start
123
@command{watchgnupg} with the @option{tcp} option. Note that under
124
Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
125
can be used to change the default log output from @code{stderr} to
126
whatever is given by that entry. However the only useful entry is a TCP
127
name for remote debugging.
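Review bot: In the remote-logging paragraph (lines 113-115), "the information is send in the clear" should read "is sent in the clear", and the warning would be more useful if it said what to do about it. The log-file tcp:// example points at 192.168.1.1, so the text could state that the listener should sit on a trusted network segment and that the setting should be removed once debugging is done. Also, "all modules which logs are to be shown" (lines 105-106) should be "whose logs", and the text says watchgnupg must be started with the @option{tcp} option without showing an invocation, unlike the --force example given for the socket case.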
1381
1436
@include see-also-note.texi
1443
@node dirmngr-client
1444
@section The Dirmngr Client Tool
1446
@manpage dirmngr-client.1
1449
\- Tool to access the Dirmngr services
1456
.RI [ certfile | pattern ]
1459
@mansect description
1460
The @command{dirmngr-client} is a simple tool to contact a running
1461
dirmngr and test whether a certificate has been revoked --- either by
1462
being listed in the corresponding CRL or by running the OCSP protocol.
1463
If no dirmngr is running, a new instances will be started but this is
1464
in general not a good idea due to the huge performance overhead.
1467
The usual way to run this tool is either:
1470
dirmngr-client @var{acert}
1477
dirmngr-client <@var{acert}
1480
Where @var{acert} is one DER encoded (binary) X.509 certificates to be
1483
The return value of this command is
1486
@mansect return value
1488
@command{dirmngr-client} returns these values:
1493
The certificate under question is valid; i.e. there is a valid CRL
1494
available and it is not listed tehre or teh OCSP request returned that
1495
that certificate is valid.
1498
The certificate has been revoked
1500
@item 2 (and other values)
1501
There was a problem checking the revocation state of the certificate.
1502
A message to stderr has given more detailed information. Most likely
1503
this is due to a missing or expired CRL or due to a network problem.
1509
@command{dirmngr-client} may be called with the following options:
1515
Print the program version and licensing information. Note that you cannot
1516
abbreviate this command.
1520
Print a usage message summarizing the most useful command-line options.
1521
Note that you cannot abbreviate this command.
1525
Make the output extra brief by suppressing any informational messages.
1531
Outputs additional information while running.
1532
You can increase the verbosity by giving several
1533
verbose commands to @sc{dirmngr}, such as @samp{-vv}.
1537
Assume that the given certificate is in PEM (armored) format.
1541
Do the check using the OCSP protocol and ignore any CRLs.
1543
@item --force-default-responder
1544
@opindex force-default-responder
1545
When checking using the OCSP protocl, force the use of the default OCSP
1546
responder. That is not to use the Reponder as given by the certificate.
1550
Check whether the dirmngr daemon is up and running.
1554
Put the given certificate into the cache of a running dirmngr. This is
1555
mainly useful for debugging.
1559
Validate the given certificate using dirmngr's internal validation code.
1560
This is mainly useful for debugging.
1564
This command expects a list of filenames with DER encoded CRL files.
1565
With the option @option{--url} URLs are expected in place of filenames
1566
and they are loaded directly from the given location. All CRLs will be
1567
validated and then loaded into dirmngr's cache.
1571
Take the remaining arguments and run a lookup command on each of them.
1572
The results are Base-64 encoded outputs (without header lines). This
1573
may be used to retrieve certificates from a server. However the output
1574
format is not very well suited if more than one certificate is returned.
1579
Modify the @command{lookup} and @command{load-crl} commands to take an URL.
1584
Let the @command{lookup} command only search the local cache.
1588
Run @sc{dirmngr-client} in a mode suitable as a helper program for
1589
Squid's @option{external_acl_type} option.
1596
@command{dirmngr}(8),
1598
@include see-also-note.texi
1386
1603
@c GPGPARSEMAIL
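Review bot: The return-value text for the new dirmngr-client section has typos in the sentence callers will rely on most (lines 1493-1495): "it is not listed tehre or teh OCSP request returned that that certificate is valid" should read "it is not listed there, or the OCSP request returned that the certificate is valid". Since scripts and the Squid helper mode will branch on this status, it is also worth stating explicitly that "2 (and other values)" means the revocation state is unknown and must not be treated as valid. Other wording to fix in the same section: "a new instances will be started" (line 1463), "one DER encoded (binary) X.509 certificates" (line 1480), "OCSP protocl" and "the Reponder as given by the certificate" (lines 1545-1546). The --verbose text at line 1533 says "verbose commands to @sc{dirmngr}", which looks carried over from the dirmngr documentation and should name dirmngr-client.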