@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@c Note that we use this texinfo file for all versions of GnuPG:
@c 2.0 and 2.1. The macro "gpgtwoone" controls parts which are only
@c valid for GnuPG 2.1 and later.
@file{trustlist.txt} file. This is by default not allowed to make it
harder for users to inadvertently accept Root-CA keys.

@anchor{option --allow-loopback-pinentry}
@item --allow-loopback-pinentry
@opindex allow-loopback-pinentry
Allow clients to use the loopback pinentry features; see the option
@option{pinentry-mode} for details.

@item --ignore-cache-for-signing
@opindex ignore-cache-for-signing
This option will let @command{gpg-agent} bypass the passphrase cache for all
Check the passphrase against the pattern given in @var{file}. When
entering a new passphrase matching one of these patterns a warning will
be displayed. @var{file} should be an absolute filename. The default is
not to use any pattern file.

Security note: It is known that checking a passphrase against a list of
patterns or even against a complete dictionary is not very effective to
users' passphrases to catch the very simple ones.
@item --max-passphrase-days @var{n}
@opindex max-passphrase-days
Ask the user to change the passphrase if @var{n} days have passed since
the last change. With @option{--enforce-passphrase-constraints} set the
user may not bypass this check.
two dashes may not be entered and the option may not be abbreviated.
This file is also read after a @code{SIGHUP}; however, only a few
options will actually have an effect. This default name may be
changed on the command line (@pxref{option --options}).
You should back up this file.
@item trustlist.txt
allows cutting and pasting the fingerprint from a key listing output. If
the line is prefixed with a @code{!} the key is explicitly marked as
Here is an example where two keys are marked as ultimately trusted
and one as not trusted:
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
Before entering a key into this file, you need to ensure its
authenticity. How to do this depends on your organisation; your
administrator might have already entered those keys which are deemed
optional field for arbitrary flags. A non-zero TTL overrides the global
default as set by @option{--default-cache-ttl-ssh}.

The only flag supported is @code{confirm}. If this flag is found for a
key, each use of the key will pop up a pinentry to confirm the use of
that key. The flag is automatically set if a new key was loaded into
@code{gpg-agent} using the option @option{-c} of the @code{ssh-add}

The keygrip may be prefixed with a @code{!} to disable an entry.
The following example lists exactly one key. Note that keys available
through an OpenPGP smartcard in the active smartcard reader are
implicitly added to this list; i.e. there is no need to list them.
# Key added on 2005-02-25 15:08:29
5A6592BF45DC73BD876874A28FD4639282E29B52 0
# Key added on: 2011-07-20 20:38:46
# Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
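Both @file{trustlist.txt} and @file{sshcontrol} share one line shape: an optional @code{!} prefix, a fingerprint or keygrip (bare hex or colon-separated pairs), then whitespace-separated fields, with @code{#} comment lines ignored. The parser below is an added example, not GnuPG's own code; it reads both files so an administrator can audit which roots are actually trusted and which ssh keys are disabled or require confirmation. The function names and the 40-hex-digit length check are assumptions (every key shown in the manual's examples is 40 hex digits).

```python
import re
from collections import namedtuple

# Shared line shape: optional '!' (entry disabled), 40-hex-digit key
# (colon-separated pairs allowed), then whitespace-separated fields.
KEY_RE = re.compile(r"[0-9A-Fa-f]{40}")
Entry = namedtuple("Entry", "key disabled fields")  # key: colons stripped, upper-case

def parse_control_file(text):
    """Parse trustlist.txt / sshcontrol lines; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("!")
        parts = line.lstrip("!").split()
        key = parts[0].replace(":", "")
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"line {lineno}: malformed key {parts[0]!r}")
        entries.append(Entry(key.upper(), disabled, parts[1:]))
    return entries

def trustlist_roots(text):
    """Fingerprint -> flag fields for every root not marked '!' (explicitly untrusted)."""
    return {e.key: e.fields for e in parse_control_file(text) if not e.disabled}

def sshcontrol_keys(text):
    """Keygrip -> (ttl, confirm) for enabled entries; TTL 0 means the global default applies."""
    keys = {}
    for e in parse_control_file(text):
        if e.disabled:
            continue
        ttl = int(e.fields[0]) if e.fields else 0
        keys[e.key] = (ttl, "confirm" in e.fields[1:])
    return keys

# Sample input: the entries shown in the manual's examples above.
TRUSTLIST = """\
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
"""
SSHCONTROL = """\
# Key added on: 2011-07-20 20:38:46
34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
5A6592BF45DC73BD876874A28FD4639282E29B52 0
"""
```

Running `trustlist_roots(TRUSTLIST)` yields the two enabled fingerprints with colons stripped; the `!`-prefixed Root-CA entry is parsed but excluded.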
@item private-keys-v1.d/
@node Agent Signals
@section Use of some signals.
A running @command{gpg-agent} may be controlled by signals, i.e. using
the @command{kill} command to send a signal to the process.

Here is a list of supported signals:
if there is an inconsistency.

If the decryption was successful the decrypted data is returned by
Here is an example session:
S: INQUIRE CIPHERTEXT
C: D (enc-val elg (a 349324324)
C: D (b 3F444677CA)))
S: # session key follows
S: D (value 1234567890ABCDEF0)
S: OK decryption successful

@node Agent PKSIGN
convention either the hexified fingerprint of the key shall be used for
@var{cache_id} or an arbitrary string prefixed with the name of the
calling application and a colon, like @code{gpg:somestring}.

@var{error_message} is either a single @code{X} for no error message or
a string to be shown as an error message (e.g. "invalid
passphrase"). Blanks must be percent escaped or replaced by @code{+}.
If the option @option{--no-ask} is used and the passphrase is not in the
cache, the user will not be asked to enter a passphrase but the error
code @code{GPG_ERR_NO_DATA} is returned.

If the option @option{--qualitybar} is used and a minimum passphrase
length has been configured, a visual indication of the entered
has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned.
@subsection Set options for the session

Here is a list of session options which are not yet described with
other commands. The general syntax for an Assuan option is:

OPTION @var{key}=@var{value}

Supported @var{key}s are:

@item agent-awareness
This may be used to tell gpg-agent which gpg-agent version the
client is aware of. gpg-agent uses this information to enable
features which might break older clients.

@item putenv
Change the session's environment to be used for the
Pinentry. Valid values are:

@item @var{name}
Delete envvar @var{name}
@item @var{name}=
Set envvar @var{name} to the empty string
@item @var{name}=@var{value}
Set envvar @var{name} to the string @var{value}.

@item use-cache-for-signing
See Assuan command @code{PKSIGN}.

@item allow-pinentry-notify
This does not need any value. It is used to enable the
PINENTRY_LAUNCHED inquiry.

@item pinentry-mode
This option is used to change the operation mode of the pinentry. The
following values are defined:

@item ask
This is the default mode which pops up a pinentry as needed.

@item cancel
Instead of popping up a pinentry, return the error code
@code{GPG_ERR_CANCELED}.

@item error
Instead of popping up a pinentry, return the error code
@code{GPG_ERR_NO_PIN_ENTRY}.

@item loopback
Use a loopback pinentry. This fakes a pinentry by using inquiries
back to the caller to ask for a passphrase. This option may only be
set if the agent has been configured for that.
@xref{option --allow-loopback-pinentry}.

@item cache-ttl-opt-preset
This option sets the cache TTL for new entries created by GENKEY and
PASSWD commands when using the @option{--preset} option. If it is not
used, a default value is used.

@item s2k-count
Instead of using the standard S2K count (which is computed on the
fly), the given S2K count is used for new keys or when changing the
passphrase of a key. Values below 65536 are considered to be 0. This
option is valid for the entire session or until reset to 0. This
option is useful if the key is later used on boxes which are either
much slower or faster than the actual box.
@mansect see also
@command{gpg-connect-agent}(1),
@command{scdaemon}(1)