648
@opindex keyedit:delsig
649
Delete a signature. Note that it is not possible to retract a signature,
650
once it has been send to the public (i.e. to a keyserver). In that case
651
you better use @code{revsig}.
654
@opindex keyedit:revsig
655
Revoke a signature. For every signature which has been generated by
656
one of the secret keys, GnuPG asks whether a revocation certificate
660
@opindex keyedit:check
661
Check the signatures on all selected user IDs.
664
@opindex keyedit:adduid
665
Create an additional user ID.
668
@opindex keyedit:addphoto
669
Create a photographic user ID. This will prompt for a JPEG file that
670
will be embedded into the user ID. Note that a very large JPEG will make
671
for a very large key. Also note that some programs will display your
672
JPEG unchanged (GnuPG), and some programs will scale it to fit in a
676
@opindex keyedit:showphoto
677
Display the selected photographic user ID.
680
@opindex keyedit:deluid
681
Delete a user ID or photographic user ID. Note that it is not
682
possible to retract a user id, once it has been send to the public
683
(i.e. to a keyserver). In that case you better use @code{revuid}.
686
@opindex keyedit:revuid
687
Revoke a user ID or photographic user ID.
690
@opindex keyedit:primary
691
Flag the current user id as the primary one, removes the primary user
692
id flag from all other user ids and sets the timestamp of all affected
693
self-signatures one second ahead. Note that setting a photo user ID
694
as primary makes it primary over other photo user IDs, and setting a
695
regular user ID as primary makes it primary over other regular user
699
@opindex keyedit:keyserver
700
Set a preferred keyserver for the specified user ID(s). This allows
701
other users to know where you prefer they get your key from. See
702
@option{--keyserver-options honor-keyserver-url} for more on how this
703
works. Setting a value of "none" removes an existing preferred
707
@opindex keyedit:notation
708
Set a name=value notation for the specified user ID(s). See
709
@option{--cert-notation} for more on how this works. Setting a value of
710
"none" removes all notations, setting a notation prefixed with a minus
711
sign (-) removes that notation, and setting a notation name (without the
712
=value) prefixed with a minus sign removes all notations with that name.
715
@opindex keyedit:pref
716
List preferences from the selected user ID. This shows the actual
717
preferences, without including any implied preferences.
720
@opindex keyedit:showpref
721
More verbose preferences listing for the selected user ID. This shows
722
the preferences in effect by including the implied preferences of 3DES
723
(cipher), SHA-1 (digest), and Uncompressed (compression) if they are
724
not already included in the preference list. In addition, the
725
preferred keyserver and signature notations (if any) are shown.
727
@item setpref @code{string}
728
@opindex keyedit:setpref
729
Set the list of user ID preferences to @code{string} for all (or just
730
the selected) user IDs. Calling setpref with no arguments sets the
731
preference list to the default (either built-in or set via
732
@option{--default-preference-list}), and calling setpref with "none"
733
as the argument sets an empty preference list. Use @command{@gpgname
734
--version} to get a list of available algorithms. Note that while you
735
can change the preferences on an attribute user ID (aka "photo ID"),
736
GnuPG does not select keys via attribute user IDs so these preferences
737
will not be used by GnuPG.
739
When setting preferences, you should list the algorithms in the order
740
which you'd like to see them used by someone else when encrypting a
741
message to your key. If you don't include 3DES, it will be
742
automatically added at the end. Note that there are many factors that
743
go into choosing an algorithm (for example, your key may not be the
744
only recipient), and so the remote OpenPGP application being used to
745
send to you may or may not follow your exact chosen order for a given
746
message. It will, however, only choose an algorithm that is present
747
on the preference list of every recipient key. See also the
748
INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
751
@opindex keyedit:addkey
752
Add a subkey to this key.
755
@opindex keyedit:addcardkey
756
Generate a subkey on a card and add it to this key.
759
@opindex keyedit:keytocard
760
Transfer the selected secret subkey (or the primary key if no subkey
761
has been selected) to a smartcard. The secret key in the keyring will
762
be replaced by a stub if the key could be stored successfully on the
763
card and you use the save command later. Only certain key types may be
764
transferred to the card. A sub menu allows you to select on what card
765
to store the key. Note that it is not possible to get that key back
766
from the card - if the card gets broken your secret key will be lost
767
unless you have a backup somewhere.
769
@item bkuptocard @code{file}
770
@opindex keyedit:bkuptocard
771
Restore the given file to a card. This command may be used to restore a
772
backup key (as generated during card initialization) to a new card. In
773
almost all cases this will be the encryption key. You should use this
774
command only with the corresponding public key and make sure that the
775
file given as argument is indeed the backup to restore. You should then
776
select 2 to restore as encryption key. You will first be asked to enter
777
the passphrase of the backup key and then for the Admin PIN of the card.
780
@opindex keyedit:delkey
781
Remove a subkey (secondart key). Note that it is not possible to retract
782
a subkey, once it has been send to the public (i.e. to a keyserver). In
783
that case you better use @code{revkey}.
786
@opindex keyedit:revkey
790
@opindex keyedit:expire
791
Change the key or subkey expiration time. If a subkey is selected, the
792
expiration time of this subkey will be changed. With no selection, the
793
key expiration of the primary key is changed.
796
@opindex keyedit:trust
797
Change the owner trust value for the key. This updates the trust-db
798
immediately and no save is required.
802
@opindex keyedit:disable
803
@opindex keyedit:enable
804
Disable or enable an entire key. A disabled key can not normally be
808
@opindex keyedit:addrevoker
809
Add a designated revoker to the key. This takes one optional argument:
810
"sensitive". If a designated revoker is marked as sensitive, it will
811
not be exported by default (see export-options).
814
@opindex keyedit:passwd
815
Change the passphrase of the secret key.
818
@opindex keyedit:toggle
819
Toggle between public and secret key listing.
822
@opindex keyedit:clean
823
Compact (by removing all signatures except the selfsig) any user ID
824
that is no longer usable (e.g. revoked, or expired). Then, remove any
825
signatures that are not usable by the trust calculations.
826
Specifically, this removes any signature that does not validate, any
827
signature that is superseded by a later signature, revoked signatures,
828
and signatures issued by keys that are not present on the keyring.
831
@opindex keyedit:minimize
832
Make the key as small as possible. This removes all signatures from
833
each user ID except for the most recent self-signature.
836
@opindex keyedit:cross-certify
837
Add cross-certification signatures to signing subkeys that may not
838
currently have them. Cross-certification signatures protect against a
839
subtle attack against signing subkeys. See
840
@option{--require-cross-certification}. All new keys generated have
841
this signature by default, so this option is only useful to bring
842
older keys up to date.
845
@opindex keyedit:save
846
Save all changes to the key rings and quit.
849
@opindex keyedit:quit
850
Quit the program without updating the
648
@opindex keyedit:delsig
649
Delete a signature. Note that it is not possible to retract a signature,
650
once it has been send to the public (i.e. to a keyserver). In that case
651
you better use @code{revsig}.
654
@opindex keyedit:revsig
655
Revoke a signature. For every signature which has been generated by
656
one of the secret keys, GnuPG asks whether a revocation certificate
660
@opindex keyedit:check
661
Check the signatures on all selected user IDs.
664
@opindex keyedit:adduid
665
Create an additional user ID.
668
@opindex keyedit:addphoto
669
Create a photographic user ID. This will prompt for a JPEG file that
670
will be embedded into the user ID. Note that a very large JPEG will make
671
for a very large key. Also note that some programs will display your
672
JPEG unchanged (GnuPG), and some programs will scale it to fit in a
676
@opindex keyedit:showphoto
677
Display the selected photographic user ID.
680
@opindex keyedit:deluid
681
Delete a user ID or photographic user ID. Note that it is not
682
possible to retract a user id, once it has been send to the public
683
(i.e. to a keyserver). In that case you better use @code{revuid}.
686
@opindex keyedit:revuid
687
Revoke a user ID or photographic user ID.
690
@opindex keyedit:primary
691
Flag the current user id as the primary one, removes the primary user
692
id flag from all other user ids and sets the timestamp of all affected
693
self-signatures one second ahead. Note that setting a photo user ID
694
as primary makes it primary over other photo user IDs, and setting a
695
regular user ID as primary makes it primary over other regular user
699
@opindex keyedit:keyserver
700
Set a preferred keyserver for the specified user ID(s). This allows
701
other users to know where you prefer they get your key from. See
702
@option{--keyserver-options honor-keyserver-url} for more on how this
703
works. Setting a value of "none" removes an existing preferred
707
@opindex keyedit:notation
708
Set a name=value notation for the specified user ID(s). See
709
@option{--cert-notation} for more on how this works. Setting a value of
710
"none" removes all notations, setting a notation prefixed with a minus
711
sign (-) removes that notation, and setting a notation name (without the
712
=value) prefixed with a minus sign removes all notations with that name.
715
@opindex keyedit:pref
716
List preferences from the selected user ID. This shows the actual
717
preferences, without including any implied preferences.
720
@opindex keyedit:showpref
721
More verbose preferences listing for the selected user ID. This shows
722
the preferences in effect by including the implied preferences of 3DES
723
(cipher), SHA-1 (digest), and Uncompressed (compression) if they are
724
not already included in the preference list. In addition, the
725
preferred keyserver and signature notations (if any) are shown.
727
@item setpref @code{string}
728
@opindex keyedit:setpref
729
Set the list of user ID preferences to @code{string} for all (or just
730
the selected) user IDs. Calling setpref with no arguments sets the
731
preference list to the default (either built-in or set via
732
@option{--default-preference-list}), and calling setpref with "none"
733
as the argument sets an empty preference list. Use @command{@gpgname
734
--version} to get a list of available algorithms. Note that while you
735
can change the preferences on an attribute user ID (aka "photo ID"),
736
GnuPG does not select keys via attribute user IDs so these preferences
737
will not be used by GnuPG.
739
When setting preferences, you should list the algorithms in the order
740
which you'd like to see them used by someone else when encrypting a
741
message to your key. If you don't include 3DES, it will be
742
automatically added at the end. Note that there are many factors that
743
go into choosing an algorithm (for example, your key may not be the
744
only recipient), and so the remote OpenPGP application being used to
745
send to you may or may not follow your exact chosen order for a given
746
message. It will, however, only choose an algorithm that is present
747
on the preference list of every recipient key. See also the
748
INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
751
@opindex keyedit:addkey
752
Add a subkey to this key.
755
@opindex keyedit:addcardkey
756
Generate a subkey on a card and add it to this key.
759
@opindex keyedit:keytocard
760
Transfer the selected secret subkey (or the primary key if no subkey
761
has been selected) to a smartcard. The secret key in the keyring will
762
be replaced by a stub if the key could be stored successfully on the
763
card and you use the save command later. Only certain key types may be
764
transferred to the card. A sub menu allows you to select on what card
765
to store the key. Note that it is not possible to get that key back
766
from the card - if the card gets broken your secret key will be lost
767
unless you have a backup somewhere.
769
@item bkuptocard @code{file}
770
@opindex keyedit:bkuptocard
771
Restore the given file to a card. This command may be used to restore a
772
backup key (as generated during card initialization) to a new card. In
773
almost all cases this will be the encryption key. You should use this
774
command only with the corresponding public key and make sure that the
775
file given as argument is indeed the backup to restore. You should then
776
select 2 to restore as encryption key. You will first be asked to enter
777
the passphrase of the backup key and then for the Admin PIN of the card.
780
@opindex keyedit:delkey
781
Remove a subkey (secondart key). Note that it is not possible to retract
782
a subkey, once it has been send to the public (i.e. to a keyserver). In
783
that case you better use @code{revkey}.
786
@opindex keyedit:revkey
790
@opindex keyedit:expire
791
Change the key or subkey expiration time. If a subkey is selected, the
792
expiration time of this subkey will be changed. With no selection, the
793
key expiration of the primary key is changed.
796
@opindex keyedit:trust
797
Change the owner trust value for the key. This updates the trust-db
798
immediately and no save is required.
802
@opindex keyedit:disable
803
@opindex keyedit:enable
804
Disable or enable an entire key. A disabled key can not normally be
808
@opindex keyedit:addrevoker
809
Add a designated revoker to the key. This takes one optional argument:
810
"sensitive". If a designated revoker is marked as sensitive, it will
811
not be exported by default (see export-options).
814
@opindex keyedit:passwd
815
Change the passphrase of the secret key.
818
@opindex keyedit:toggle
819
Toggle between public and secret key listing.
822
@opindex keyedit:clean
823
Compact (by removing all signatures except the selfsig) any user ID
824
that is no longer usable (e.g. revoked, or expired). Then, remove any
825
signatures that are not usable by the trust calculations.
826
Specifically, this removes any signature that does not validate, any
827
signature that is superseded by a later signature, revoked signatures,
828
and signatures issued by keys that are not present on the keyring.
831
@opindex keyedit:minimize
832
Make the key as small as possible. This removes all signatures from
833
each user ID except for the most recent self-signature.
836
@opindex keyedit:cross-certify
837
Add cross-certification signatures to signing subkeys that may not
838
currently have them. Cross-certification signatures protect against a
839
subtle attack against signing subkeys. See
840
@option{--require-cross-certification}. All new keys generated have
841
this signature by default, so this option is only useful to bring
842
older keys up to date.
845
@opindex keyedit:save
846
Save all changes to the key rings and quit.
849
@opindex keyedit:quit
850
Quit the program without updating the
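Review bot: the re-added keyedit text still carries the typos of the removed lines, so this hunk rewrites them without fixing them: the `delkey` entry at new 781 reads "Remove a subkey (secondart key)" (should be "secondary key"), and the delsig, deluid and delkey notes at new 649–651, 681–683 and 781–783 all say "once it has been send to the public ... you better use" (should be "has been sent" and "you should use"). The `primary` entry at new 691–693 also switches subject mid-sentence ("Flag the current user id ..., removes the primary user id flag ... and sets the timestamp"); either "Flags ..., removes ... and sets ..." or "Flag ..., remove ... and set ..." would read consistently with the other entries.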
1030
@opindex list-options:show-photos
1031
Causes @option{--list-keys}, @option{--list-sigs},
1032
@option{--list-public-keys}, and @option{--list-secret-keys} to display
1033
any photo IDs attached to the key. Defaults to no. See also
1034
@option{--photo-viewer}.
1036
@item show-policy-urls
1037
@opindex list-options:show-policy-urls
1038
Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
1039
listings. Defaults to no.
1041
@item show-notations
1042
@itemx show-std-notations
1043
@itemx show-user-notations
1044
@opindex list-options:show-notations
1045
@opindex list-options:show-std-notations
1046
@opindex list-options:show-user-notations
1047
Show all, IETF standard, or user-defined signature notations in the
1048
@option{--list-sigs} or @option{--check-sigs} listings. Defaults to no.
1050
@item show-keyserver-urls
1052
Show any preferred keyserver URL in the @option{--list-sigs} or
1053
@option{--check-sigs} listings. Defaults to no.
1055
@item show-uid-validity
1056
Display the calculated validity of user IDs during key listings.
1059
@item show-unusable-uids
1060
Show revoked and expired user IDs in key listings. Defaults to no.
1062
@item show-unusable-subkeys
1063
Show revoked and expired subkeys in key listings. Defaults to no.
1066
Display the keyring name at the head of key listings to show which
1067
keyring a given key resides on. Defaults to no.
1069
@item show-sig-expire
1070
Show signature expiration dates (if any) during @option{--list-sigs} or
1071
@option{--check-sigs} listings. Defaults to no.
1073
@item show-sig-subpackets
1074
Include signature subpackets in the key listing. This option can take an
1075
optional argument list of the subpackets to list. If no argument is
1076
passed, list all subpackets. Defaults to no. This option is only
1077
meaningful when using @option{--with-colons} along with
1078
@option{--list-sigs} or @option{--check-sigs}.
1030
@opindex list-options:show-photos
1031
Causes @option{--list-keys}, @option{--list-sigs},
1032
@option{--list-public-keys}, and @option{--list-secret-keys} to
1033
display any photo IDs attached to the key. Defaults to no. See also
1034
@option{--photo-viewer}. Does not work with @option{--with-colons}:
1035
see @option{--attribute-fd} for the appropriate way to get photo data
1036
for scripts and other frontends.
1038
@item show-policy-urls
1039
@opindex list-options:show-policy-urls
1040
Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
1041
listings. Defaults to no.
1043
@item show-notations
1044
@itemx show-std-notations
1045
@itemx show-user-notations
1046
@opindex list-options:show-notations
1047
@opindex list-options:show-std-notations
1048
@opindex list-options:show-user-notations
1049
Show all, IETF standard, or user-defined signature notations in the
1050
@option{--list-sigs} or @option{--check-sigs} listings. Defaults to no.
1052
@item show-keyserver-urls
1053
@opindex list-options:show-keyserver-urls
1054
Show any preferred keyserver URL in the @option{--list-sigs} or
1055
@option{--check-sigs} listings. Defaults to no.
1057
@item show-uid-validity
1058
@opindex list-options:show-uid-validity
1059
Display the calculated validity of user IDs during key listings.
1062
@item show-unusable-uids
1063
@opindex list-options:show-unusable-uids
1064
Show revoked and expired user IDs in key listings. Defaults to no.
1066
@item show-unusable-subkeys
1067
@opindex list-options:show-unusable-subkeys
1068
Show revoked and expired subkeys in key listings. Defaults to no.
1071
@opindex list-options:show-keyring
1072
Display the keyring name at the head of key listings to show which
1073
keyring a given key resides on. Defaults to no.
1075
@item show-sig-expire
1076
@opindex list-options:show-sig-expire
1077
Show signature expiration dates (if any) during @option{--list-sigs} or
1078
@option{--check-sigs} listings. Defaults to no.
1080
@item show-sig-subpackets
1081
@opindex list-options:show-sig-subpackets
1082
Include signature subpackets in the key listing. This option can take an
1083
optional argument list of the subpackets to list. If no argument is
1084
passed, list all subpackets. Defaults to no. This option is only
1085
meaningful when using @option{--with-colons} along with
1086
@option{--list-sigs} or @option{--check-sigs}.
1081
1090
@item --verify-options @code{parameters}
1091
@opindex verify-options
1082
1092
This is a space or comma delimited string that gives options used when
1083
1093
verifying signatures. Options can be prepended with a `no-' to give
1084
1094
the opposite meaning. The options are:
1089
Display any photo IDs present on the key that issued the signature.
1090
Defaults to no. See also @option{--photo-viewer}.
1092
@item show-policy-urls
1093
Show policy URLs in the signature being verified. Defaults to no.
1095
@item show-notations
1096
@itemx show-std-notations
1097
@itemx show-user-notations
1098
Show all, IETF standard, or user-defined signature notations in the
1099
signature being verified. Defaults to IETF standard.
1101
@item show-keyserver-urls
1102
Show any preferred keyserver URL in the signature being verified.
1105
@item show-uid-validity
1106
Display the calculated validity of the user IDs on the key that issued
1107
the signature. Defaults to no.
1109
@item show-unusable-uids
1110
Show revoked and expired user IDs during signature verification.
1113
@item show-primary-uid-only
1114
Show only the primary user ID during signature verification. That is
1115
all the AKA lines as well as photo Ids are not shown with the signature
1116
verification status.
1119
Enable PKA lookups to verify sender addresses. Note that PKA is based
1120
on DNS, and so enabling this option may disclose information on when
1121
and what signatures are verified or to whom data is encrypted. This
1122
is similar to the "web bug" described for the auto-key-retrieve
1125
@item pka-trust-increase
1126
Raise the trust in a signature to full if the signature passes PKA
1127
validation. This option is only meaningful if pka-lookups is set.
1099
@opindex verify-options:show-photos
1100
Display any photo IDs present on the key that issued the signature.
1101
Defaults to no. See also @option{--photo-viewer}.
1103
@item show-policy-urls
1104
@opindex verify-options:show-policy-urls
1105
Show policy URLs in the signature being verified. Defaults to no.
1107
@item show-notations
1108
@itemx show-std-notations
1109
@itemx show-user-notations
1110
@opindex verify-options:show-notations
1111
@opindex verify-options:show-std-notations
1112
@opindex verify-options:show-user-notations
1113
Show all, IETF standard, or user-defined signature notations in the
1114
signature being verified. Defaults to IETF standard.
1116
@item show-keyserver-urls
1117
@opindex verify-options:show-keyserver-urls
1118
Show any preferred keyserver URL in the signature being verified.
1121
@item show-uid-validity
1122
@opindex verify-options:show-uid-validity
1123
Display the calculated validity of the user IDs on the key that issued
1124
the signature. Defaults to no.
1126
@item show-unusable-uids
1127
@opindex verify-options:show-unusable-uids
1128
Show revoked and expired user IDs during signature verification.
1131
@item show-primary-uid-only
1132
@opindex verify-options:show-primary-uid-only
1133
Show only the primary user ID during signature verification. That is
1134
all the AKA lines as well as photo Ids are not shown with the signature
1135
verification status.
1138
@opindex verify-options:pka-lookups
1139
Enable PKA lookups to verify sender addresses. Note that PKA is based
1140
on DNS, and so enabling this option may disclose information on when
1141
and what signatures are verified or to whom data is encrypted. This
1142
is similar to the "web bug" described for the auto-key-retrieve
1145
@item pka-trust-increase
1146
@opindex verify-options:pka-trust-increase
1147
Raise the trust in a signature to full if the signature passes PKA
1148
validation. This option is only meaningful if pka-lookups is set.
1130
1151
@item --enable-dsa2
1131
1152
@itemx --disable-dsa2
1153
@opindex enable-dsa2
1154
@opindex disable-dsa2
1132
1155
Enable hash truncation for all DSA keys even for old DSA Keys up to
1133
1156
1024 bit. This is also the default with @option{--openpgp}. Note
1134
1157
that older versions of GnuPG also required this flag to allow the
1135
1158
generation of DSA larger than 1024 bit.
1137
1160
@item --photo-viewer @code{string}
1161
@opindex photo-viewer
1138
1162
This is the command line that should be run to view a photo ID. "%i"
1139
1163
will be expanded to a filename containing the photo. "%I" does the
1140
1164
same, except the file will not be deleted once the viewer exits.
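Review bot: the paragraph under the new `@opindex disable-dsa2` (new 1155–1158) documents only what enabling does ("Enable hash truncation for all DSA keys even for old DSA Keys up to 1024 bit ..."), so the new index entry for `--disable-dsa2` (new 1152, 1154) sends the reader to an option with no description of its own; add a sentence stating what disabling does. Minor: the caveat added for show-photos under list-options at new 1034–1036 ("Does not work with @option{--with-colons}: see @option{--attribute-fd} for the appropriate way to get photo data for scripts and other frontends.") is a useful addition; if the same limitation applies to show-photos under --verify-options (new 1099–1101), which still says only "See also @option{--photo-viewer}", mirror the sentence there so the two tables stay in step.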
1394
Locate a key using DNS CERT, as specified in rfc4398.
1397
Locate a key using DNS PKA.
1400
Using DNS Service Discovery, check the domain in question for any LDAP
1401
keyservers to use. If this fails, attempt to locate the key using the
1402
PGP Universal method of checking @samp{ldap://keys.(thedomain)}.
1405
Locate a key using whatever keyserver is defined using the
1406
@option{--keyserver} option.
1409
In addition, a keyserver URL as used in the @option{--keyserver} option
1410
may be used here to query that particular keyserver.
1413
Locate the key using the local keyrings. This mechanism allows to
1414
select the order a local key lookup is done. Thus using
1415
@samp{--auto-key-locate local} is identical to
1416
@option{--no-auto-key-locate}.
1419
This flag disables the standard local key lookup, done before any of the
1420
mechanisms defined by the @option{--auto-key-locate} are tried. The
1421
position of this mechanism in the list does not matter. It is not
1422
required if @code{local} is also used.
1447
Locate a key using DNS CERT, as specified in rfc4398.
1450
Locate a key using DNS PKA.
1453
Using DNS Service Discovery, check the domain in question for any LDAP
1454
keyservers to use. If this fails, attempt to locate the key using the
1455
PGP Universal method of checking @samp{ldap://keys.(thedomain)}.
1458
Locate a key using whatever keyserver is defined using the
1459
@option{--keyserver} option.
1462
In addition, a keyserver URL as used in the @option{--keyserver} option
1463
may be used here to query that particular keyserver.
1466
Locate the key using the local keyrings. This mechanism allows to
1467
select the order a local key lookup is done. Thus using
1468
@samp{--auto-key-locate local} is identical to
1469
@option{--no-auto-key-locate}.
1472
This flag disables the standard local key lookup, done before any of the
1473
mechanisms defined by the @option{--auto-key-locate} are tried. The
1474
position of this mechanism in the list does not matter. It is not
1475
required if @code{local} is also used.
1426
1479
@item --keyid-format @code{short|0xshort|long|0xlong}
1480
@opindex keyid-format
1427
1481
Select how to display key IDs. "short" is the traditional 8-character
1428
1482
key ID. "long" is the more accurate (but less convenient)
1429
1483
16-character key ID. Add an "0x" to either to include an "0x" at the
1430
beginning of the key ID, as in 0x99242560.
1484
beginning of the key ID, as in 0x99242560. Note that this option is
1485
ignored if the option --with-colons is used.
1432
1487
@item --keyserver @code{name}
1433
1489
Use @code{name} as your keyserver. This is the server that
1434
1490
@option{--recv-keys}, @option{--send-keys}, and @option{--search-keys}
1435
1491
will communicate with to receive keys from, send keys to, and search for
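Review bot: the sentence added at new 1484–1485 ("Note that this option is ignored if the option --with-colons is used.") writes `--with-colons` bare, whereas every other option reference in this paragraph and in the hunk's context lines is marked up with @option{...} (compare @option{--recv-keys}, @option{--send-keys} at new 1490 and @option{--no-auto-key-locate} at new 1469); use @option{--with-colons} so the new text is formatted and cross-referenced like the rest of the file.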
1461
@item include-revoked
1462
When searching for a key with @option{--search-keys}, include keys that
1463
are marked on the keyserver as revoked. Note that not all keyservers
1464
differentiate between revoked and unrevoked keys, and for such
1465
keyservers this option is meaningless. Note also that most keyservers do
1466
not have cryptographic verification of key revocations, and so turning
1467
this option off may result in skipping keys that are incorrectly marked
1470
@item include-disabled
1471
When searching for a key with @option{--search-keys}, include keys that
1472
are marked on the keyserver as disabled. Note that this option is not
1473
used with HKP keyservers.
1475
@item auto-key-retrieve
1476
This option enables the automatic retrieving of keys from a keyserver
1477
when verifying signatures made by keys that are not on the local
1480
Note that this option makes a "web bug" like behavior possible.
1481
Keyserver operators can see which keys you request, so by sending you
1482
a message signed by a brand new key (which you naturally will not have
1483
on your local keyring), the operator can tell both your IP address and
1484
the time when you verified the signature.
1486
@item honor-keyserver-url
1487
When using @option{--refresh-keys}, if the key in question has a preferred
1488
keyserver URL, then use that preferred keyserver to refresh the key
1489
from. In addition, if auto-key-retrieve is set, and the signature
1490
being verified has a preferred keyserver URL, then use that preferred
1491
keyserver to fetch the key from. Defaults to yes.
1493
@item honor-pka-record
1494
If auto-key-retrieve is set, and the signature being verified has a
1495
PKA record, then use the PKA information to fetch the key. Defaults
1498
@item include-subkeys
1499
When receiving a key, include subkeys as potential targets. Note that
1500
this option is not used with HKP keyservers, as they do not support
1501
retrieving keys by subkey id.
1503
@item use-temp-files
1504
On most Unix-like platforms, GnuPG communicates with the keyserver
1505
helper program via pipes, which is the most efficient method. This
1506
option forces GnuPG to use temporary files to communicate. On some
1507
platforms (such as Win32 and RISC OS), this option is always enabled.
1509
@item keep-temp-files
1510
If using `use-temp-files', do not delete the temp files after using
1511
them. This option is useful to learn the keyserver communication
1512
protocol by reading the temporary files.
1515
Tell the keyserver helper program to be more verbose. This option can
1516
be repeated multiple times to increase the verbosity level.
1519
Tell the keyserver helper program how long (in seconds) to try and
1520
perform a keyserver action before giving up. Note that performing
1521
multiple actions at the same time uses this timeout value per action.
1522
For example, when retrieving multiple keys via @option{--recv-keys}, the
1523
timeout applies separately to each key retrieval, and not to the
1524
@option{--recv-keys} command as a whole. Defaults to 30 seconds.
1526
@item http-proxy=@code{value}
1527
Set the proxy to use for HTTP and HKP keyservers. This overrides the
1528
"http_proxy" environment variable, if any.
1531
When retrieving a key via DNS CERT, only accept keys up to this size.
1532
Defaults to 16384 bytes.
1535
Turn on debug output in the keyserver helper program. Note that the
1536
details of debug output depends on which keyserver helper program is
1537
being used, and in turn, on any libraries that the keyserver helper
1538
program uses internally (libcurl, openldap, etc).
1541
Enable certificate checking if the keyserver presents one (for hkps or
1542
ldaps). Defaults to on.
1545
Provide a certificate store to override the system default. Only
1546
necessary if check-cert is enabled, and the keyserver is using a
1547
certificate that is not present in a system default certificate list.
1549
Note that depending on the SSL library that the keyserver helper is
1550
built with, this may actually be a directory or a file.
@item include-revoked
When searching for a key with @option{--search-keys}, include keys that
are marked on the keyserver as revoked. Note that not all keyservers
differentiate between revoked and unrevoked keys, and for such
keyservers this option is meaningless. Note also that most keyservers do
not have cryptographic verification of key revocations, and so turning
this option off may result in skipping keys that are incorrectly marked

@item include-disabled
When searching for a key with @option{--search-keys}, include keys that
are marked on the keyserver as disabled. Note that this option is not
used with HKP keyservers.

@item auto-key-retrieve
This option enables the automatic retrieving of keys from a keyserver
when verifying signatures made by keys that are not on the local

Note that this option makes a "web bug" like behavior possible.
Keyserver operators can see which keys you request, so by sending you
a message signed by a brand new key (which you naturally will not have
on your local keyring), the operator can tell both your IP address and
the time when you verified the signature.

@item honor-keyserver-url
When using @option{--refresh-keys}, if the key in question has a preferred
keyserver URL, then use that preferred keyserver to refresh the key
from. In addition, if auto-key-retrieve is set, and the signature
being verified has a preferred keyserver URL, then use that preferred
keyserver to fetch the key from. Defaults to yes.

@item honor-pka-record
If auto-key-retrieve is set, and the signature being verified has a
PKA record, then use the PKA information to fetch the key. Defaults

@item include-subkeys
When receiving a key, include subkeys as potential targets. Note that
this option is not used with HKP keyservers, as they do not support
retrieving keys by subkey id.

@item use-temp-files
On most Unix-like platforms, GnuPG communicates with the keyserver
helper program via pipes, which is the most efficient method. This
option forces GnuPG to use temporary files to communicate. On some
platforms (such as Win32 and RISC OS), this option is always enabled.

@item keep-temp-files
If using `use-temp-files', do not delete the temp files after using
them. This option is useful to learn the keyserver communication
protocol by reading the temporary files.

Tell the keyserver helper program to be more verbose. This option can
be repeated multiple times to increase the verbosity level.

Tell the keyserver helper program how long (in seconds) to try and
perform a keyserver action before giving up. Note that performing
multiple actions at the same time uses this timeout value per action.
For example, when retrieving multiple keys via @option{--recv-keys}, the
timeout applies separately to each key retrieval, and not to the
@option{--recv-keys} command as a whole. Defaults to 30 seconds.

@item http-proxy=@code{value}
Set the proxy to use for HTTP and HKP keyservers. This overrides the
"http_proxy" environment variable, if any.

When retrieving a key via DNS CERT, only accept keys up to this size.
Defaults to 16384 bytes.

Turn on debug output in the keyserver helper program. Note that the
details of debug output depend on which keyserver helper program is
being used, and in turn, on any libraries that the keyserver helper
program uses internally (libcurl, openldap, etc).

Enable certificate checking if the keyserver presents one (for hkps or
ldaps). Defaults to on.

Provide a certificate store to override the system default. Only
necessary if check-cert is enabled, and the keyserver is using a
certificate that is not present in a system default certificate list.
Note that depending on the SSL library that the keyserver helper is
built with, this may actually be a directory or a file.
@item --completes-needed @code{n}
@opindex completes-needed
Number of completely trusted users to introduce a new
key signer (defaults to 1).

@item --marginals-needed @code{n}
@opindex marginals-needed
Number of marginally trusted users to introduce a new
key signer (defaults to 3).

@item --max-cert-depth @code{n}
@opindex max-cert-depth
Maximum depth of a certification chain (default is 5).

@ifclear gpgtwoone
@item --simple-sk-checksum
@opindex simple-sk-checksum
Secret keys are integrity protected by using a SHA-1 checksum. This
method is part of the upcoming enhanced OpenPGP specification but
GnuPG already uses it as a countermeasure against certain attacks.
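The three thresholds @option{--completes-needed}, @option{--marginals-needed} and @option{--max-cert-depth} above are easiest to understand by running them over a small certification graph. The following is an added, simplified model written for this manual page; it is not GnuPG's own trustdb code, and its depth accounting is a simplification of the real trust database. The key names, certification graph and ownertrust table are constructed sample data.

```python
"""Toy web-of-trust validity computation using GnuPG's three tunables.

Added example, not GnuPG's trustdb implementation. A key becomes valid once
it carries certifications from at least completes_needed fully trusted keys
or marginals_needed marginally trusted keys; only keys that are themselves
valid count as introducers, and no chain may run deeper than max_cert_depth
from an ultimately trusted key. Depth accounting is simplified.
"""


def compute_valid_keys(certs, ownertrust, roots,
                       completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """certs: {certified_key: set(of certifying keys)}
    ownertrust: {key: "full" | "marginal"} for keys trusted as introducers
    roots: keys with ultimate trust (depth 0)
    Returns {key: depth} for every key that ends up valid."""
    valid = {root: 0 for root in roots}
    changed = True
    while changed:                       # iterate until no further key becomes valid
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            full = marginal = 0
            depth = None
            for signer in signers:
                if signer not in valid:  # certifications by invalid keys count for nothing
                    continue
                step = valid[signer] + 1
                if step > max_cert_depth:
                    continue             # chain would exceed --max-cert-depth
                trust = "ultimate" if signer in roots else ownertrust.get(signer)
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue             # no ownertrust assigned: not an introducer
                depth = step if depth is None else min(depth, step)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = depth
                changed = True
    return valid


# Constructed sample: alice is the user's own (ultimately trusted) key.
SAMPLE_CERTS = {
    "bob": {"alice"},
    "carol": {"bob"}, "dave": {"bob"}, "erin": {"bob"},
    "frank": {"carol", "dave", "erin"},   # three marginal introducers
    "grace": {"carol"},                   # only one marginal introducer
    "henry": {"frank"},                   # frank has no ownertrust
}
SAMPLE_OWNERTRUST = {"bob": "full", "carol": "marginal",
                     "dave": "marginal", "erin": "marginal"}

if __name__ == "__main__":
    print(compute_valid_keys(SAMPLE_CERTS, SAMPLE_OWNERTRUST, {"alice"}))
```

With the defaults, frank is valid (three marginal introducers) while grace is not (one marginal introducer) and henry is not (frank holds no ownertrust); lowering @option{--marginals-needed} to 1 validates grace, and lowering @option{--max-cert-depth} to 2 invalidates frank because his chain from alice has three steps.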
stop by the OS limits. Defaults to 0, which means "no limit".

@item --import-options @code{parameters}
@opindex import-options
This is a space or comma delimited string that gives options for
importing keys. Options can be prepended with a `no-' to give the
opposite meaning. The options are:

@item import-local-sigs
Allow importing key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.

@item repair-pks-subkey-bug
During import, attempt to repair the damage caused by the PKS keyserver
bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note
that this cannot completely repair the damaged key as some crucial data
is removed by the keyserver, but it does at least give you back one
subkey. Defaults to no for regular @option{--import} and to yes for
keyserver @option{--recv-keys}.

During import, allow key updates to existing keys, but do not allow
any new keys to be imported. Defaults to no.

After import, compact (remove all signatures except the
self-signature) any user IDs from the new key that are not usable.
Then, remove any signatures from the new key that are not usable.
This includes signatures that were issued by keys that are not present
on the keyring. This option is the same as running the @option{--edit-key}
command "clean" after import. Defaults to no.

@item import-minimal
Import the smallest key possible. This removes all signatures except
the most recent self-signature on each user ID. This option is the
same as running the @option{--edit-key} command "minimize" after import.
@item --export-options @code{parameters}
@opindex export-options
This is a space or comma delimited string that gives options for
exporting keys. Options can be prepended with a `no-' to give the
opposite meaning. The options are:

@item export-local-sigs
Allow exporting key signatures marked as "local". This is not
generally useful unless a shared keyring scheme is being used.

@item export-attributes
Include attribute user IDs (photo IDs) while exporting. This is
useful to export keys if they are going to be used by an OpenPGP
program that does not accept attribute user IDs. Defaults to yes.

@item export-sensitive-revkeys
Include designated revoker information that was marked as
"sensitive". Defaults to no.

@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
@c export-reset-subkey-passwd hack is not anymore justified. Such use
@c cases need to be implemented using a specialized secret key export
@ifclear gpgtwoone
@item export-reset-subkey-passwd
When using the @option{--export-secret-subkeys} command, this option resets
the passphrases for all exported subkeys to empty. This is useful
when the exported subkey is to be used on an unattended machine where
a passphrase doesn't necessarily make sense. Defaults to no.
Compact (remove all signatures from) user IDs on the key being
exported if the user IDs are not usable. Also, do not export any
signatures that are not usable. This includes signatures that were
issued by keys that are not present on the keyring. This option is
the same as running the @option{--edit-key} command "clean" before export
except that the local copy of the key is not modified. Defaults to
@item export-minimal
Export the smallest key possible. This removes all signatures except the
most recent self-signature on each user ID. This option is the same as
running the @option{--edit-key} command "minimize" before export except
that the local copy of the key is not modified. Defaults to no.
@item --with-colons

archives for similar problems and second check whether such a bug has
already been reported to our bug tracker at http://bugs.gnupg.org .

@c *******************************************
@c ***************            **************
@c ***************  UNATTENDED  **************
@c ***************            **************
@c *******************************************

@node Unattended Usage of GPG
@section Unattended Usage

@command{gpg} is often used as a backend engine by other software. To
support this, a machine interface has been defined that gives an
unambiguous way to drive it. The options @option{--status-fd} and
@option{--batch} are almost always required for this.

* Unattended GPG key generation:: Unattended key generation
@node Unattended GPG key generation,,,Unattended Usage of GPG
@section Unattended key generation

The command @option{--gen-key} may be used along with the option
@option{--batch} for unattended key generation. The parameters are
either read from stdin or given as a file on the command line.
The format of the parameter file is as follows:

@item Text only, line length is limited to about 1000 characters.
@item UTF-8 encoding must be used to specify non-ASCII characters.
@item Empty lines are ignored.
@item Leading and trailing white space is ignored.
@item A hash sign as the first non white space character indicates
@item Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
@item Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.

The first parameter must be @samp{Key-Type}; control statements may be

The order of the parameters does not matter except for @samp{Key-Type}
which must be the first parameter. The parameters are only used for
the generated keyblock (primary and subkeys); parameters from previous
sets are not used. Some syntactic checks may be performed.

Key generation takes place when either the end of the parameter file
is reached, the next @samp{Key-Type} parameter is encountered or the
control statement @samp{%commit} is encountered.
@item %echo @var{text}
Print @var{text} as diagnostic.

Suppress actual key generation (useful for syntax checking).

Perform the key generation. Note that an implicit commit is done at
the next @asis{Key-Type} parameter.

@item %pubring @var(unknown)
@itemx %secring @var(unknown)
Do not write the key to the default keyring or to the keyring given on
the command line, but to @var(unknown). This must be given before the
first commit to take place; duplicate specification of the same
filename is ignored, and the last filename before a commit is used.
The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one). For GnuPG
versions prior to 2.1, both control statements must be given. For
GnuPG 2.1 and later @samp{%secring} is a no-op.

@item %ask-passphrase
@itemx %no-ask-passphrase
Enable (or disable) a mode where the command @option{passphrase} is
ignored and instead the usual passphrase dialog is used. This does
not make sense for batch key generation; however the unattended key
generation feature is also used by GUIs and this feature relieves
the GUI of implementing its own passphrase entry code. These are
global control statements and affect all future key generations.

@item %no-protection
Since GnuPG version 2.1 it is no longer possible to specify a
passphrase for unattended key generation. The passphrase command is
simply ignored and @samp{%ask-passphrase} is thus implicitly enabled.
Using this option allows the creation of keys without any passphrase
protection. This option is mainly intended for regression tests.

@item %transient-key
If given, the keys are created using a faster and somewhat less
secure random number generator. This option may be used for keys
which are only used for a short time and do not require full
cryptographic strength. It only takes effect if used together with
the control statement @samp{%no-protection}.
@item Key-Type: @var{algo}
Starts a new parameter block by giving the type of the primary
key. The algorithm must be capable of signing. This is a required
parameter. @var{algo} may either be an OpenPGP algorithm number or a
string with the algorithm name. The special value @samp{default} may
be used for @var{algo} to create the default key type; in this case a
@samp{Key-Usage} shall not be given and @samp{default} shall also be used
for @samp{Subkey-Type}.

@item Key-Length: @var{nbits}
The requested length of the generated key in bits. The default is
returned by running the command @samp{gpg2 --gpgconf-list}.

@item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificate for an
already existing key. Key-Length will be ignored when given.

@item Key-Usage: @var{usage-list}
Space or comma delimited list of key usages. Allowed values are
@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
generate the key flags. Please make sure that the algorithm is
capable of this usage. Note that OpenPGP requires that all primary
keys are capable of certification, so no matter what usage is given
here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
specified and the @samp{Key-Type} is not @samp{default}, all allowed
usages for that particular algorithm are used; if it is not given but
@samp{default} is used the usage will be @samp{sign}.

@item Subkey-Type: @var{algo}
This generates a secondary key (subkey). Currently only one subkey
can be handled. See also @samp{Key-Type} above.

@item Subkey-Length: @var{nbits}
Length of the secondary key (subkey) in bits. The default is returned
by running the command @samp{gpg2 --gpgconf-list}.

@item Subkey-Usage: @var{usage-list}
Key usage list for a subkey; similar to @samp{Key-Usage}.

@item Passphrase: @var{string}
If you want to specify a passphrase for the secret key,
enter it here. Default is not to use any passphrase.

@item Name-Real: @var{name}
@itemx Name-Comment: @var{comment}
@itemx Name-Email: @var{email}
The three parts of a user name. Remember to use UTF-8 encoding here.
If you don't give any of them, no user ID is created.

@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
Set the expiration date for the key (and the subkey). It may either
be entered in ISO date format (2000-08-15) or as a number of days,
weeks, months or years. The special notation "seconds=N" is also
allowed to directly give an Epoch value. Without a letter days are
assumed. Note that there is no check done on the overflow of the type
used by OpenPGP for timestamps. Thus you better make sure that the
given value makes sense. Although OpenPGP works with time intervals,
GnuPG uses an absolute value internally and thus the last year we can

@item Creation-Date: @var{iso-date}
Set the creation date of the key as stored in the key information and
which is also part of the fingerprint calculation. Either a date like
"1986-04-26" or a full timestamp like "19860426T042640" may be used.
The time is considered to be UTC. If it is not given the current time

@item Preferences: @var{string}
Set the cipher, hash, and compression preference values for this key.
This expects the same type of string as the sub-command @samp{setpref}
in the @option{--edit-key} menu.

@item Revoker: @var{algo}:@var{fpr} [sensitive]
Add a designated revoker to the generated key. @var{algo} is the public key
algorithm of the designated revoker (e.g. RSA=1, DSA=17).
@var{fpr} is the fingerprint of the designated revoker. The optional
@samp{sensitive} flag marks the designated revoker as sensitive
information. Only v4 keys may be designated revokers.

@item Keyserver: @var{string}
This is an optional parameter that specifies the preferred keyserver

@item Handle: @var{string}
This is an optional parameter only used with the status lines
KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
characters and should not contain spaces. It is useful for batch key
generation to associate a key parameter block with a status line.
Here is an example on how to create a key:

@example
%echo Generating a basic OpenPGP key
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@@foo.bar
# Do a commit here, so that we can later print "done" :-)
$ gpg2 --batch --gen-key foo
$ gpg2 --no-default-keyring --secret-keyring ./foo.sec \
       --keyring ./foo.pub --list-secret-keys
/home/wk/work/gnupg-stable/scratch/foo.sec
------------------------------------------
sec  1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@@foo.bar>
ssb  1024g/8F70E2C0 2000-03-09
@end example

If you want to create a key with the default algorithms you would use

@example
%echo Generating a default key
Subkey-Type: default
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@@foo.bar
# Do a commit here, so that we can later print "done" :-)
@end example
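Because the parameter file is usually generated by another program, it pays to check it before handing it to @command{gpg --batch --gen-key}: a malformed file or an @samp{Expire-Date} that overflows the OpenPGP timestamp is exactly what the section above warns gpg will not catch for you. The following validator is an added example for this manual page, not part of GnuPG; it implements the syntax rules stated above (empty lines and @samp{#} comments ignored, white space trimmed, @samp{%} control statements, @samp{Keyword: value} parameters, @samp{Key-Type} first, a block committed at @samp{%commit}, the next @samp{Key-Type} or end of file) and the three @samp{Expire-Date} forms. It assumes 30-day months and 365-day years for the @samp{m} and @samp{y} suffixes, a 32-bit unsigned OpenPGP timestamp, and that @samp{seconds=N} is an absolute epoch value as the text above describes; the sample parameter file is constructed, not the manual's example.

```python
"""Validator for the parameter file read by `gpg --batch --gen-key`.

Added example, not GnuPG's own code. ASSUMPTIONS: 30-day months and
365-day years for N[m|y], a 32-bit unsigned OpenPGP timestamp, and
seconds=N taken as an absolute epoch value as the manual describes.
"""
import datetime as dt
import re

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
INTERVAL = re.compile(r"^(\d+)([dwmy]?)$")
OPENPGP_MAX_TIME = 2**32 - 1             # OpenPGP times are unsigned 32-bit seconds
UNIT_SECONDS = {"": 86400, "d": 86400, "w": 7 * 86400,
                "m": 30 * 86400, "y": 365 * 86400}   # assumed month/year lengths
KEY_USAGES = {"encrypt", "sign", "auth"}


def parse_parameter_file(text):
    """Return (blocks, controls): one dict per key to generate, plus the
    (keyword, argument) control statements in the order they appeared."""
    blocks, controls, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                     # leading/trailing white space is ignored
        if not line or line.startswith("#"):   # empty lines and '#' comments are ignored
            continue
        if line.startswith("%"):               # control statement: keyword [argument]
            keyword, _, argument = line.partition(" ")
            controls.append((keyword, argument.strip()))
            if keyword == "%commit" and current is not None:
                blocks.append(current)         # explicit commit ends the block
                current = None
            continue
        keyword, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Keyword: value'")
        keyword, value = keyword.strip(), value.strip()
        if keyword == "Key-Type":              # new Key-Type implicitly commits the previous block
            if current is not None:
                blocks.append(current)
            current = {}
        elif current is None:
            raise ValueError(f"line {lineno}: the first parameter must be Key-Type")
        current[keyword] = value
    if current is not None:                    # end of file commits the last block
        blocks.append(current)
    return blocks, controls


def expire_epoch(value, now):
    """Expire-Date value -> absolute Unix time (0 = key does not expire).
    Raises ValueError if the result does not fit the 32-bit OpenPGP field."""
    value = value.strip()
    if value.startswith("seconds="):
        expires = int(value[len("seconds="):])          # direct epoch value
    elif ISO_DATE.match(value):
        date = dt.datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
        expires = int(date.timestamp())
    else:
        match = INTERVAL.match(value)
        if not match:
            raise ValueError(f"unrecognised Expire-Date value {value!r}")
        amount, unit = int(match.group(1)), match.group(2)   # no letter = days
        if amount == 0:
            return 0
        expires = now + amount * UNIT_SECONDS[unit]
    if not 0 < expires <= OPENPGP_MAX_TIME:
        raise ValueError(f"{value!r} overflows the 32-bit OpenPGP timestamp")
    return expires


def validate_block(block, now):
    """Return the list of problems found in one parameter block (empty = OK)."""
    problems = []
    if "Key-Type" not in block:
        problems.append("Key-Type is required")
    if block.get("Key-Type") == "default" and "Key-Usage" in block:
        problems.append("Key-Usage shall not be given with Key-Type: default")
    for name in ("Key-Usage", "Subkey-Usage"):
        if name in block:
            bad = {u for u in re.split(r"[\s,]+", block[name]) if u} - KEY_USAGES
            if bad:
                problems.append(f"{name}: unknown usage(s) {sorted(bad)}")
    handle = block.get("Handle", "")
    if len(handle) > 100 or " " in handle:
        problems.append("Handle: at most 100 characters and no spaces")
    if "Expire-Date" in block:
        try:
            expire_epoch(block["Expire-Date"], now)
        except ValueError as err:
            problems.append(f"Expire-Date: {err}")
    return problems


def check_parameter_file(text, now):
    """Problems per block, in file order; all-empty lists mean the file is clean."""
    return [validate_block(b, now) for b in parse_parameter_file(text)[0]]


# Constructed sample parameter file (not the manual's example).
SAMPLE_PARAMS = """\
%echo Generating two test keys
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Joe Tester
Name-Email: joe@example.invalid
Expire-Date: 1y
Handle: test-key-1
# The next Key-Type starts a new block and commits the previous one.
Key-Type: DSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Joe Tester
Name-Comment: signing only
Name-Email: joe@example.invalid
Expire-Date: 2000-08-15
%commit
%echo done
"""

if __name__ == "__main__":
    print(check_parameter_file(SAMPLE_PARAMS, now=946684800))   # now = 2000-01-01T00:00:00Z
```

The @code{now} argument is passed in explicitly so the check is deterministic; a caller would normally pass the current UTC time. A non-empty problem list is a reason to reject the file before gpg sees it, since gpg will either fail late with a status line or, for an overflowing expiry, silently produce a key with a wrong expiration.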
@mansect see also

@ifclear gpgone
@command{gpg-agent}(1)