1 This is gnupg.info, produced by makeinfo version 6.3 from gnupg.texi.
3 This is the 'The GNU Privacy Guard Manual' (version 2.1.18, January
6 (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
7 (C) 2013, 2014, 2015 Werner Koch.
8 (C) 2015 g10 Code GmbH.
10 Permission is granted to copy, distribute and/or modify this
11 document under the terms of the GNU General Public License as
12 published by the Free Software Foundation; either version 3 of the
13 License, or (at your option) any later version. The text of the
14 license can be found in the section entitled "Copying".
15 INFO-DIR-SECTION GNU Utilities
17 * gpg2: (gnupg). OpenPGP encryption and signing tool.
18 * gpgsm: (gnupg). S/MIME encryption and signing tool.
19 * gpg-agent: (gnupg). The secret key daemon.
20 * dirmngr: (gnupg). X.509 CRL and OCSP server.
21 * dirmngr-client: (gnupg). X.509 CRL and OCSP client.
25 File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications
27 6.3.6 The SmartCard-HSM card application "sc-hsm"
28 -------------------------------------------------
30 This application adds read-only support for keys and certificates stored
31 on a SmartCard-HSM (http://www.smartcard-hsm.com).
33 To generate keys and store certifiates you may use OpenSC
34 (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from
35 OpenSCDP (http://www.openscdp.org).
37 The SmartCard-HSM cards requires a card reader that supports Extended
41 File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications
43 6.3.7 The Undefined card application "undefined"
44 ------------------------------------------------
46 This is a stub application to allow the use of the APDU command even if
47 no supported application is found on the card. This application is not
48 used automatically but must be explicitly requested using the SERIALNO
52 File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
54 6.4 Configuration files
55 =======================
57 There are a few configuration files to control certain aspects of
58 'scdaemons''s operation. Unless noted, they are expected in the current
59 home directory (*note option --homedir::).
62 This is the standard configuration file read by 'scdaemon' on
63 startup. It may contain any valid long option; the leading two
64 dashes may not be entered and the option may not be abbreviated.
65 This default name may be changed on the command line (*note option
69 If this file is present and executable, it will be called on every
70 card reader's status change. An example of this script is provided
74 This file is created by 'scdaemon' to let other applications now
75 about reader status changes. Its use is now deprecated in favor of
79 File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
84 $ scdaemon --server -v
87 File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
89 6.6 Scdaemon's Assuan Protocol
90 ==============================
92 The SC-Daemon should be started by the system to provide access to
93 external tokens. Using Smartcards on a multi-user system does not make
94 much sense except for system services, but in this case no regular user
95 accounts are hosted on the machine.
97 A client connects to the SC-Daemon by connecting to the socket named
98 '/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
99 read from /ETC/GNUPG/SCDAEMON.CONF
101 Each connection acts as one session, SC-Daemon takes care of
102 synchronizing access to a token between sessions.
106 * Scdaemon SERIALNO:: Return the serial number.
107 * Scdaemon LEARN:: Read all useful information from the card.
108 * Scdaemon READCERT:: Return a certificate.
109 * Scdaemon READKEY:: Return a public key.
110 * Scdaemon PKSIGN:: Signing data with a Smartcard.
111 * Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
112 * Scdaemon GETATTR:: Read an attribute's value.
113 * Scdaemon SETATTR:: Update an attribute's value.
114 * Scdaemon WRITEKEY:: Write a key to a card.
115 * Scdaemon GENKEY:: Generate a new key on-card.
116 * Scdaemon RANDOM:: Return random bytes generated on-card.
117 * Scdaemon PASSWD:: Change PINs.
118 * Scdaemon CHECKPIN:: Perform a VERIFY operation.
119 * Scdaemon RESTART:: Restart connection
120 * Scdaemon APDU:: Send a verbatim APDU to the card
123 File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
125 6.6.1 Return the serial number
126 ------------------------------
128 This command should be used to check for the presence of a card. It is
129 special in that it can be used to reset the card. Most other commands
130 will return an error when a card change has been detected and the use of
131 this function is therefore required.
133 Background: We want to keep the client clear of handling card changes
134 between operations; i.e. the client can assume that all operations are
135 done on the same card unless he call this function.
139 Return the serial number of the card using a status response like:
141 S SERIALNO D27600000000000000000000
143 The serial number is the hex encoded value identified by the '0x5A'
144 tag in the GDO file (FIX=0x2F02).
147 File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
149 6.6.2 Read all useful information from the card
150 -----------------------------------------------
154 Learn all useful information of the currently inserted card. When
155 used without the '--force' option, the command might do an INQUIRE like
158 INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
160 The client should just send an 'END' if the processing should go on
161 or a 'CANCEL' to force the function to terminate with a cancel error
162 message. The response of this command is a list of status lines
165 S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
167 If there is no certificate yet stored on the card a single "X" is
168 returned in HEXSTRING_WITH_KEYGRIP.
171 File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
173 6.6.3 Return a certificate
174 --------------------------
176 READCERT HEXIFIED_CERTID|KEYID
178 This function is used to read a certificate identified by
179 HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
180 may be used to read the certificate of version 2 cards.
183 File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
185 6.6.4 Return a public key
186 -------------------------
188 READKEY HEXIFIED_CERTID
190 Return the public key for the given cert or key ID as an standard
194 File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
196 6.6.5 Signing data with a Smartcard
197 -----------------------------------
199 To sign some data the caller should use the command
203 to tell 'scdaemon' about the data to be signed. The data must be
204 given in hex notation. The actual signing is done using the command
208 where KEYID is the hexified ID of the key to be used. The key id may
209 have been retrieved using the command 'LEARN'. If another hash
210 algorithm than SHA-1 is used, that algorithm may be given like:
212 PKSIGN --hash=ALGONAME KEYID
214 With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
217 File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
219 6.6.6 Decrypting data with a Smartcard
220 --------------------------------------
222 To decrypt some data the caller should use the command
226 to tell 'scdaemon' about the data to be decrypted. The data must be
227 given in hex notation. The actual decryption is then done using the
232 where KEYID is the hexified ID of the key to be used.
234 If the card is aware of the apdding format a status line with padding
235 information is send before the plaintext data. The key for this status
236 line is 'PADDING' with the only defined value being 0 and meaning
237 padding has been removed.
240 File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
242 6.6.7 Read an attribute's value
243 -------------------------------
248 File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
250 6.6.8 Update an attribute's value
251 ---------------------------------
256 File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
258 6.6.9 Write a key to a card
259 ---------------------------
261 WRITEKEY [--force] KEYID
263 This command is used to store a secret key on a smartcard. The
264 allowed keyids depend on the currently selected smartcard application.
265 The actual keydata is requested using the inquiry 'KEYDATA' and need to
266 be provided without any protection. With '--force' set an existing key
267 under this KEYID will get overwritten. The key data is expected to be
268 the usual canonical encoded S-expression.
270 A PIN will be requested in most cases. This however depends on the
271 actual card application.
274 File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
276 6.6.10 Generate a new key on-card
277 ---------------------------------
282 File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
284 6.6.11 Return random bytes generated on-card
285 --------------------------------------------
290 File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
295 PASSWD [--reset] [--nullpin] CHVNO
297 Change the PIN or reset the retry counter of the card holder
298 verification vector number CHVNO. The option '--nullpin' is used to
299 initialize the PIN of TCOS cards (6 byte NullPIN only).
302 File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
304 6.6.13 Perform a VERIFY operation
305 ---------------------------------
309 Perform a VERIFY operation without doing anything else. This may be
310 used to initialize a the PIN cache earlier to long lasting operations.
311 Its use is highly application dependent:
315 Perform a simple verify operation for CHV1 and CHV2, so that
316 further operations won't ask for CHV2 and it is possible to do a
317 cheap check on the PIN: If there is something wrong with the PIN
318 entry system, only the regular CHV will get blocked and not the
319 dangerous CHV3. IDSTR is the usual card's serial number in hex
320 notation; an optional fingerprint part will get ignored.
322 There is however a special mode if IDSTR is suffixed with the
323 literal string '[CHV3]': In this case the Admin PIN is checked if
324 and only if the retry counter is still at 3.
327 File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
329 6.6.14 Perform a RESTART operation
330 ----------------------------------
334 Restart the current connection; this is a kind of warm reset. It
335 deletes the context used by this connection but does not actually reset
338 This is used by gpg-agent to reuse a primary pipe connection and may
339 be used by clients to backup from a conflict in the serial command; i.e.
340 to select another application.
343 File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
345 6.6.15 Send a verbatim APDU to the card
346 ---------------------------------------
348 APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
350 Send an APDU to the current reader. This command bypasses the high
351 level functions and sends the data directly to the card. HEXSTRING is
352 expected to be a proper APDU. If HEXSTRING is not given no commands are
353 send to the card; However the command will implicitly check whether the
354 card is ready for use.
356 Using the option '--atr' returns the ATR of the card as a status
357 message before any data like this:
358 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
360 Using the option '--more' handles the card status word MORE_DATA
361 (61xx) and concatenate all responses to one block.
363 Using the option '--exlen' the returned APDU may use extended length
364 up to N bytes. If N is not given a default value is used (currently
368 File: gnupg.info, Node: Specify a User ID, Next: Helper Tools, Prev: Invoking SCDAEMON, Up: Top
370 7 How to Specify a User Id
371 **************************
373 There are different ways to specify a user ID to GnuPG. Some of them are
374 only valid for 'gpg' others are only good for 'gpgsm'. Here is the
375 entire list of ways to specify a key:
377 * By key Id. This format is deduced from the length of the string
378 and its content or '0x' prefix. The key Id of an X.509 certificate
379 are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
380 is just a shortcut, for all automated processing the fingerprint
383 When using 'gpg' an exclamation mark (!) may be appended to force
384 using the specified primary or secondary key and not to try and
385 calculate which primary or secondary key to use.
387 The last four lines of the example give the key ID in their long
388 form as internally used by the OpenPGP protocol. You can see the
389 long key ID using the option '--with-colons'.
401 * By fingerprint. This format is deduced from the length of the
402 string and its content or the '0x' prefix. Note, that only the 20
403 byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
404 hash of the certificate).
406 When using 'gpg' an exclamation mark (!) may be appended to force
407 using the specified primary or secondary key and not to try and
408 calculate which primary or secondary key to use.
410 The best way to specify a key Id is by using the fingerprint. This
411 avoids any ambiguities in case that there are duplicated key IDs.
413 1234343434343434C434343434343434
414 123434343434343C3434343434343734349A3434
415 0E12343434343434343434EAB3484343434343434
416 0xE12343434343434343434EAB3484343434343434
418 'gpgsm' also accepts colons between each pair of hexadecimal digits
419 because this is the de-facto standard on how to present X.509
420 fingerprints. 'gpg' also allows the use of the space separated
421 SHA-1 fingerprint as printed by the key listing commands.
423 * By exact match on OpenPGP user ID. This is denoted by a leading
424 equal sign. It does not make sense for X.509 certificates.
426 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
428 * By exact match on an email address. This is indicated by enclosing
429 the email address in the usual way with left and right angles.
431 <heinrichh@uni-duesseldorf.de>
433 * By partial match on an email address. This is indicated by
434 prefixing the search string with an '@'. This uses a substring
435 search but considers only the mail address (i.e. inside the angle
440 * By exact match on the subject's DN. This is indicated by a leading
441 slash, directly followed by the RFC-2253 encoded DN of the subject.
442 Note that you can't use the string printed by 'gpgsm --list-keys'
443 because that one has been reordered and modified for better
444 readability; use '--with-colons' to print the raw (but standard
445 escaped) RFC-2253 string.
447 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
449 * By exact match on the issuer's DN. This is indicated by a leading
450 hash mark, directly followed by a slash and then directly followed
451 by the RFC-2253 encoded DN of the issuer. This should return the
452 Root cert of the issuer. See note above.
454 #/CN=Root Cert,O=Poets,L=Paris,C=FR
456 * By exact match on serial number and issuer's DN. This is indicated
457 by a hash mark, followed by the hexadecimal representation of the
458 serial number, then followed by a slash and the RFC-2253 encoded DN
459 of the issuer. See note above.
461 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
463 * By keygrip. This is indicated by an ampersand followed by the 40
464 hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
465 command '--dump-cert'. It does not yet work for OpenPGP keys.
467 &D75F22C3F86E355877348498CDC92BD21010A480
469 * By substring match. This is the default mode but applications may
470 want to explicitly indicate this by putting the asterisk in front.
471 Match is not case sensitive.
476 * . and + prefixes These prefixes are reserved for looking up mails
477 anchored at the end and for a word search mode. They are not yet
478 implemented and using them is undefined.
480 Please note that we have reused the hash mark identifier which was
481 used in old GnuPG versions to indicate the so called local-id. It is
482 not anymore used and there should be no conflict when used with X.509
485 Using the RFC-2253 format of DNs has the drawback that it is not
486 possible to map them back to the original encoding, however we don't
487 have to do this because our key database stores this encoding as meta
491 File: gnupg.info, Node: Helper Tools, Next: Howtos, Prev: Specify a User ID, Up: Top
496 GnuPG comes with a couple of smaller tools:
500 * watchgnupg:: Read logs from a socket.
501 * gpgv:: Verify OpenPGP signatures.
502 * addgnupghome:: Create .gnupg home directories.
503 * gpgconf:: Modify .gnupg home directories.
504 * applygnupgdefaults:: Run gpgconf for all users.
505 * gpg-preset-passphrase:: Put a passphrase into the cache.
506 * gpg-connect-agent:: Communicate with a running agent.
507 * dirmngr-client:: How to use the Dirmngr client tool.
508 * gpgparsemail:: Parse a mail message into an annotated format
509 * symcryptrun:: Call a simple symmetric encryption tool.
510 * gpg-zip:: Encrypt or sign files into an archive.
513 File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
515 8.1 Read logs from a socket
516 ===========================
518 Most of the main utilities are able to write their log files to a Unix
519 Domain socket if configured that way. 'watchgnupg' is a simple listener
520 for such a socket. It ameliorates the output with a time stamp and
521 makes sure that long lines are not interspersed with log output from
522 other utilities. This tool is not available for Windows.
524 'watchgnupg' is commonly invoked as
526 watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
528 This starts it on the current terminal for listening on the standard
529 logging socket (which is either '~/.gnupg/S.log' or
530 '/var/run/user/UID/gnupg/S.log').
532 'watchgnupg' understands these options:
535 Delete an already existing socket file.
538 Instead of reading from a local socket, listen for connects on TCP
542 Do not print the date part of the timestamp.
545 Enable extra informational output.
548 Print version of the program and exit.
551 Display a brief help page and exit.
557 $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
559 This waits for connections on the local socket (e.g.
560 '/home/foo/.gnupg/S.log') and shows all log entries. To make this work
561 the option 'log-file' needs to be used with all modules which logs are
562 to be shown. The suggested entry for the configuration files is:
566 If the default socket as given above and returned by "echo $(gpgconf
567 -list-dirs socketdir)/S.log" is not desired an arbitrary socket name can
568 be specified, for example 'socket:///home/foo/bar/mysocket'. For
569 debugging purposes it is also possible to do remote logging. Take care
570 if you use this feature because the information is send in the clear
571 over the network. Use this syntax in the conf files:
573 log-file tcp://192.168.1.1:4711
575 You may use any port and not just 4711 as shown above; only IP
576 addresses are supported (v4 and v6) and no host names. You need to
577 start 'watchgnupg' with the 'tcp' option. Note that under Windows the
578 registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
579 change the default log output from 'stderr' to whatever is given by that
580 entry. However the only useful entry is a TCP name for remote
584 File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
586 8.2 Verify OpenPGP signatures
587 =============================
589 'gpgv' is an OpenPGP signature verification tool.
591 This program is actually a stripped-down version of 'gpg' which is
592 only able to check signatures. It is somewhat smaller than the
593 fully-blown 'gpg' and uses a different (and simpler) way to check that
594 the public keys used to make the signature are valid. There are no
595 configuration files and only a few options are implemented.
597 'gpgv' assumes that all keys in the keyring are trustworthy. That
598 does also mean that it does not check for expired or revoked keys.
600 By default a keyring named 'trustedkeys.kbx' is used; if that does
601 not exist a keyring named 'trustedkeys.gpg' is used. The default
602 keyring is assumed to be in the home directory of GnuPG, either the
603 default home directory or the one set by an option or an environment
604 variable. The option '--keyring' may be used to specify a different
605 keyring or even multiple keyrings.
608 'gpgv' recognizes these options:
612 Gives more information during processing. If used twice, the input
613 data is listed in detail.
617 Try to be as quiet as possible.
620 Add FILE to the list of keyrings. If FILE begins with a tilde and
621 a slash, these are replaced by the HOME directory. If the filename
622 does not contain a slash, it is assumed to be in the home-directory
623 ("~/.gnupg" if -homedir is not used).
627 Write output to FILE; to write to stdout use '-'. This option can
628 be used to get the signed text from a cleartext or binary
629 signature; it also works for detached signatures, but in that case
630 this option is in general not useful. Note that an existing file
634 Write special status strings to the file descriptor N. See the
635 file DETAILS in the documentation for a listing of them.
638 Write log output to file descriptor 'n' and not to stderr.
640 '--ignore-time-conflict'
641 GnuPG normally checks that the timestamps associated with keys and
642 signatures have plausible values. However, sometimes a signature
643 seems to be older than the key due to clock problems. This option
644 turns these checks into warnings.
647 Set the name of the home directory to DIR. If this option is not
648 used, the home directory defaults to '~/.gnupg'. It is only
649 recognized when given on the command line. It also overrides any
650 home directory stated through the environment variable 'GNUPGHOME'
651 or (on Windows systems) by means of the Registry entry
652 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
654 On Windows systems it is possible to install GnuPG as a portable
655 application. In this case only this command line option is
656 considered, all other ways to set a home directory are ignored.
658 To install GnuPG as a portable application under Windows, create an
659 empty file named 'gpgconf.ctl' in the same directory as the tool
660 'gpgconf.exe'. The root of the installation is then that
661 directory; or, if 'gpgconf.exe' has been installed directly below a
662 directory named 'bin', its parent directory. You also need to make
663 sure that the following directories exist and are writable:
664 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
665 for internal cache files.
668 Treat the specified digest algorithm as weak. Signatures made over
669 weak digests algorithms are normally rejected. This option can be
670 supplied multiple times if multiple algorithms should be considered
671 weak. MD5 is always considered weak, and does not need to be
674 '--enable-special-filenames'
675 This option enables a mode in which filenames of the form '-&n',
676 where n is a non-negative decimal number, refer to the file
677 descriptor n and not to a file with that name.
679 The program returns 0 if everything is fine, 1 if at least one
680 signature was bad, and other error codes for fatal errors.
686 gpgv 'sigfile' ['datafile']
687 Verify the signature of the file. The second form is used for
688 detached signatures, where 'sigfile' is the detached signature
689 (either ASCII-armored or binary) and 'datafile' contains the signed
690 data; if 'datafile' is "-" the signed data is expected on 'stdin';
691 if 'datafile' is not given the name of the file holding the signed
692 data is constructed by cutting off the extension (".asc", ".sig" or
693 ".sign") from 'sigfile'.
699 Used to locate the default home directory.
702 If set directory used instead of "~/.gnupg".
707 ~/.gnupg/trustedkeys.gpg
708 The default keyring with the allowed keys.
713 File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
715 8.3 Create .gnupg home directories
716 ==================================
718 If GnuPG is installed on a system with existing user accounts, it is
719 sometimes required to populate the GnuPG home directory with existing
720 files. Especially a 'trustlist.txt' and a keybox with some initial
721 certificates are often desired. This script helps to do this by copying
722 all files from '/etc/skel/.gnupg' to the home directories of the
723 accounts given on the command line. It takes care not to overwrite
724 existing GnuPG home directories.
726 'addgnupghome' is invoked by root as:
728 addgnupghome account1 account2 ... accountn
731 File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
733 8.4 Modify .gnupg home directories
734 ==================================
736 The 'gpgconf' is a utility to automatically and reasonable safely query
737 and modify configuration files in the '.gnupg' home directory. It is
738 designed not to be invoked manually by the user, but automatically by
739 graphical user interfaces (GUI).(1)
741 'gpgconf' provides access to the configuration of one or more
742 components of the GnuPG system. These components correspond more or
743 less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
744 DirMngr, etc. But this is not a strict one-to-one relationship. Not
745 all configuration options are available through 'gpgconf'. 'gpgconf'
746 provides a generic and abstract method to access the most important
747 configuration options that can feasibly be controlled via such a
750 'gpgconf' can be used to gather and change the options available in
751 each component, and can also provide their default values. 'gpgconf'
752 will give detailed type information that can be used to restrict the
753 user's input without making an attempt to commit the changes.
755 'gpgconf' provides the backend of a configuration editor. The
756 configuration editor would usually be a graphical user interface program
757 that displays the current options, their default values, and allows the
758 user to make changes to the options. These changes can then be made
759 active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
760 way will be called GUI throughout this section.
764 * Invoking gpgconf:: List of all commands and options.
765 * Format conventions:: Formatting conventions relevant for all commands.
766 * Listing components:: List all gpgconf components.
767 * Checking programs:: Check all programs known to gpgconf.
768 * Listing options:: List all options of a component.
769 * Changing options:: Changing options of a component.
770 * Listing global options:: List all global options.
771 * Querying versions:: Get and compare software versions.
772 * Files used by gpgconf:: What files are used by gpgconf.
774 ---------- Footnotes ----------
776 (1) Please note that currently no locking is done, so concurrent
777 access should be avoided. There are some precautions to avoid
778 corruption with concurrent usage, but results may be inconsistent and
779 some changes may get lost. The stateless design makes it difficult to
780 provide more guarantees.
783 File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
785 8.4.1 Invoking gpgconf
786 ----------------------
788 One of the following commands must be given:
791 List all components. This is the default command used if none is
795 List all available backend programs and test whether they are
798 '--list-options COMPONENT'
799 List all options of the component COMPONENT.
801 '--change-options COMPONENT'
802 Change the options of the component COMPONENT.
804 '--check-options COMPONENT'
805 Check the options for the component COMPONENT.
807 '--apply-profile FILE'
808 Apply the configuration settings listed in FILE to the
809 configuration files. If FILE has no suffix and no slashes the
810 command first tries to read a file with the suffix '.prf' from the
811 the data directory ('gpgconf --list-dirs datadir') before it reads
812 the file verbatim. A profile is divided into sections using the
813 bracketed component name. Each section then lists the option which
814 shall go into the respective configuration file.
817 Update all configuration files with values taken from the global
818 configuration file (usually '/etc/gnupg/gpgconf.conf').
820 '--list-dirs [NAMES]'
821 Lists the directories used by 'gpgconf'. One directory is listed
822 per line, and each line consists of a colon-separated list where
823 the first field names the directory type (for example 'sysconfdir')
824 and the second field contains the percent-escaped directory.
825 Although they are not directories, the socket file names used by
826 'gpg-agent' and 'dirmngr' are printed as well. Note that the
827 socket file names and the 'homedir' lines are the default names and
828 they may be overridden by command line switches. If NAMES are
829 given only the directories or file names specified by the list
830 names are printed without any escaping.
832 '--list-config [FILENAME]'
833 List the global configuration file in a colon separated format. If
834 FILENAME is given, check that file instead.
836 '--check-config [FILENAME]'
837 Run a syntax check on the global configuration file. If FILENAME
838 is given, check that file instead.
840 '--query-swdb PACKAGE_NAME [VERSION_STRING]'
841 Returns the current version for PACKAGE_NAME and if VERSION_STRING
842 is given also an indicator on whether an update is available. The
843 actual file with the software version is automatically downloaded
844 and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
845 download the file too often and it does this by default only if it
846 can be done via Tor. To force an update of that file this command
849 gpg-connect-agent --dirmngr 'loadswdb --force' /bye
851 '--reload [COMPONENT]'
852 Reload all or the given component. This is basically the same as
853 sending a SIGHUP to the component. Components which don't support
854 reloading are ignored. Without COMPONENT or by using "all" for
855 COMPONENT all components which are daemons are reloaded.
857 '--launch [COMPONENT]'
858 If the COMPONENT is not already running, start it. 'component'
859 must be a daemon. This is in general not required because the
860 system starts these daemons as needed. However, external software
861 making direct use of 'gpg-agent' or 'dirmngr' may use this command
862 to ensure that they are started. Using "all" for COMPONENT
863 launches all components which are daemons.
866 Kill the given component. Components which support killing are
867 'gpg-agent' and 'scdaemon'. Components which don't support
868 reloading are ignored. Using "all" for COMPONENT kills all
869 components running as daemons. Note that as of now reload and kill
870 have the same effect for 'scdaemon'.
873 Create a directory for sockets below /run/user or /var/run/user.
874 This is command is only required if a non default home directory is
875 used and the /run based sockets shall be used. For the default
876 home directory GnUPG creates a directory on the fly.
879 Remove a directory created with command '--create-socketdir'.
881 The following options may be used:
885 Write output to FILE. Default is to write to stdout.
889 Outputs additional information while running. Specifically, this
890 extends numerical field values by human-readable descriptions.
894 Try to be as quiet as possible.
898 Do not actually change anything. This is currently only
899 implemented for '--change-options' and can be used for testing
904 Only used together with '--change-options'. If one of the modified
905 options can be changed in a running daemon process, signal the
906 running daemon to ask it to reparse its configuration file after
909 This means that the changes will take effect at run-time, as far as
910 this is possible. Otherwise, they will take effect at the next
911 start of the respective backend programs.
914 File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
916 8.4.2 Format conventions
917 ------------------------
919 Some lines in the output of 'gpgconf' contain a list of colon-separated
920 fields. The following conventions apply:
922 * The GUI program is required to strip off trailing newline and/or
923 carriage return characters from the output.
925 * 'gpgconf' will never leave out fields. If a certain version
926 provides a certain field, this field will always be present in all
927 'gpgconf' versions from that time on.
929 * Future versions of 'gpgconf' might append fields to the list. New
930 fields will always be separated from the previously last field by a
931 colon separator. The GUI should be prepared to parse the last
932 field it knows about up until a colon or end of line.
934 * Not all fields are defined under all conditions. You are required
935 to ignore the content of undefined fields.
937 There are several standard types for the content of a field:
940 Some fields contain strings that are not escaped in any way. Such
941 fields are described to be used _verbatim_. These fields will
942 never contain a colon character (for obvious reasons). No
943 de-escaping or other formatting is required to use the field
944 content. This is for easy parsing of the output, when it is known
945 that the content can never contain any special characters.
948 Some fields contain strings that are described to be
949 _percent-escaped_. Such strings need to be de-escaped before their
950 content can be presented to the user. A percent-escaped string is
951 de-escaped by replacing all occurrences of '%XY' by the byte that
952 has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
956 Some fields contain strings that are described to be _localized_.
957 Such strings are translated to the active language and formatted in
958 the active character set.
961 Some fields contain an _unsigned number_. This number will always
962 fit into a 32-bit unsigned integer variable. The number may be
963 followed by a space, followed by a human readable description of
964 that value (if the verbose option is used). You should ignore
965 everything in the field that follows the number.
968 Some fields contain a _signed number_. This number will always fit
969 into a 32-bit signed integer variable. The number may be followed
970 by a space, followed by a human readable description of that value
971 (if the verbose option is used). You should ignore everything in
972 the field that follows the number.
975 Some fields contain a _boolean value_. This is a number with
976 either the value 0 or 1. The number may be followed by a space,
977 followed by a human readable description of that value (if the
978 verbose option is used). You should ignore everything in the field
979 that follows the number; checking just the first character is
980 sufficient in this case.
983 Some fields contain an _option_ argument. The format of an option
984 argument depends on the type of the option and on some flags:
987 The simplest case is that the option does not take an argument
988 at all (TYPE '0'). Then the option argument is an unsigned
989 number that specifies how often the option occurs. If the
990 'list' flag is not set, then the only valid number is '1'.
991 Options that do not take an argument never have the 'default'
992 or 'optional arg' flag set.
995 If the option takes a number argument (ALT-TYPE is '2' or
996 '3'), and it can only occur once ('list' flag is not set),
997 then the option argument is either empty (only allowed if the
998 argument is optional), or it is a number. A number is a
999 string that begins with an optional minus character, followed
1000 by one or more digits. The number must fit into an integer
1001 variable (unsigned or signed, depending on ALT-TYPE).
1004 If the option takes a number argument and it can occur more
1005 than once, then the option argument is either empty, or it is
1006 a comma-separated list of numbers as described above.
1009 If the option takes a string argument (ALT-TYPE is 1), and it
1010 can only occur once ('list' flag is not set) then the option
1011 argument is either empty (only allowed if the argument is
1012 optional), or it starts with a double quote character ('"')
1013 followed by a percent-escaped string that is the argument
1014 value. Note that there is only a leading double quote
1015 character, no trailing one. The double quote character is
1016 only needed to be able to differentiate between no value and
1017 the empty string as value.
1020 If the option takes a string argument and it can occur more
1021 than once, then the option argument is either empty, or it is
1022 a comma-separated list of string arguments as described above.
1024 The active language and character set are currently determined from
1025 the locale environment of the 'gpgconf' program.
1028 File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
1030 8.4.3 Listing components
1031 ------------------------
1033 The command '--list-components' will list all components that can be
1034 configured with 'gpgconf'. Usually, one component will correspond to
1035 one GnuPG-related program and contain the options of that program's
1036 configuration file that can be modified using 'gpgconf'. However, this
1037 is not necessarily the case. A component might also be a group of
1038 selected options from several programs, or contain entirely virtual
1039 options that have a special effect rather than changing exactly one
1040 option in one configuration file.
1042 A component is a set of configuration options that semantically
1043 belong together. Furthermore, several changes to a component can be
1044 made in an atomic way with a single operation. The GUI could for
1045 example provide a menu with one entry for each component, or a window
1046 with one tabulator sheet per component.
1048 The command '--list-components' lists all available components, one
1049 per line. The format of each line is:
1051 'NAME:DESCRIPTION:PGMNAME:'
1054 This field contains a name tag of the component. The name tag is
1055 used to specify the component in all communication with 'gpgconf'.
1056 The name tag is to be used _verbatim_. It is thus not in any
1060 The _string_ in this field contains a human-readable description of
1061 the component. It can be displayed to the user of the GUI for
1062 informational purposes. It is _percent-escaped_ and _localized_.
1065 The _string_ in this field contains the absolute name of the
1066 program's file. It can be used to unambiguously invoke that
1067 program. It is _percent-escaped_.
1070 $ gpgconf --list-components
1071 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
1072 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
1073 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
1074 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
1075 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
1078 File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
1080 8.4.4 Checking programs
1081 -----------------------
1083 The command '--check-programs' is similar to '--list-components' but
1084 works on backend programs and not on components. It runs each program
1085 to test whether it is installed and runnable. This also includes a
1086 syntax check of all config file options of the program.
1088 The command '--check-programs' lists all available programs, one per
1089 line. The format of each line is:
1091 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
1094 This field contains a name tag of the program which is identical to
1095 the name of the component. The name tag is to be used _verbatim_.
1096 It is thus not in any escaped format. This field may be empty to
1097 indicate a continuation of error descriptions for the last name.
1098 The description and pgmname fields are then also empty.
1101 The _string_ in this field contains a human-readable description of
1102 the component. It can be displayed to the user of the GUI for
1103 informational purposes. It is _percent-escaped_ and _localized_.
1106 The _string_ in this field contains the absolute name of the
1107 program's file. It can be used to unambiguously invoke that
1108 program. It is _percent-escaped_.
1111 The _boolean value_ in this field indicates whether the program is
1112 installed and runnable.
1115 The _boolean value_ in this field indicates whether the program's
1116 config file is syntactically okay.
1119 If an error occurred in the configuration file (as indicated by a
1120 false value in the field 'okay'), this field has the name of the
1121 failing configuration file. It is _percent-escaped_.
1124 If an error occurred in the configuration file, this field has the
1125 line number of the failing statement in the configuration file. It
1126 is an _unsigned number_.
1129 If an error occurred in the configuration file, this field has the
1130 error text of the failing statement in the configuration file. It
1131 is _percent-escaped_ and _localized_.
1133 In the following example the 'dirmngr' is not runnable and the
1134 configuration file of 'scdaemon' is not okay.
1136 $ gpgconf --check-programs
1137 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
1138 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
1139 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
1140 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
1141 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
1143 The command '--check-options COMPONENT' will verify the configuration
1144 file in the same manner as '--check-programs', but only for the
1145 component COMPONENT.
1148 File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
1150 8.4.5 Listing options
1151 ---------------------
1153 Every component contains one or more options. Options may be gathered
1154 into option groups to allow the GUI to give visual hints to the user
1155 about which options are related.
1157 The command '--list-options COMPONENT' lists all options (and the
1158 groups they belong to) in the component COMPONENT, one per line.
1159 COMPONENT must be the string in the field NAME in the output of the
1160 '--list-components' command.
1162 There is one line for each option and each group. First come all
1163 options that are not in any group. Then comes a line describing a
1164 group. Then come all options that belong into each group. Then comes
1165 the next group and so on. There does not need to be any group (and in
1166 this case the output will stop after the last non-grouped option).
1168 The format of each line is:
1170 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
1173 This field contains a name tag for the group or option. The name
1174 tag is used to specify the group or option in all communication
1175 with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
1176 not in any escaped format.
1179 The flags field contains an _unsigned number_. Its value is the
1180 OR-wise combination of the following flag values:
1183 If this flag is set, this is a line describing a group and not
1186 The following flag values are only defined for options (that is, if
1187 the 'group' flag is not used).
1190 If this flag is set, the argument is optional. This is never
1191 set for TYPE '0' (none) options.
1194 If this flag is set, the option can be given multiple times.
1197 If this flag is set, the option can be changed at runtime.
1200 If this flag is set, a default value is available.
1203 If this flag is set, a (runtime) default is available. This
1204 and the 'default' flag are mutually exclusive.
1207 If this flag is set, and the 'optional arg' flag is set, then
1208 the option has a special meaning if no argument is given.
1211 If this flag is set, 'gpgconf' ignores requests to change the
1212 value. GUI frontends should grey out this option. Note, that
1213 manual changes of the configuration files are still possible.
1216 This field is defined for options and for groups. It contains an
1217 _unsigned number_ that specifies the expert level under which this
1218 group or option should be displayed. The following expert levels
1219 are defined for options (they have analogous meaning for groups):
1222 This option should always be offered to the user.
1225 This option may be offered to advanced users.
1228 This option should only be offered to expert users.
1231 This option should normally never be displayed, not even to
1235 This option is for internal use only. Ignore it.
1237 The level of a group will always be the lowest level of all options
1241 This field is defined for options and groups. The _string_ in this
1242 field contains a human-readable description of the option or group.
1243 It can be displayed to the user of the GUI for informational
1244 purposes. It is _percent-escaped_ and _localized_.
1247 This field is only defined for options. It contains an _unsigned
1248 number_ that specifies the type of the option's argument, if any.
1249 The following types are defined:
1254 No argument allowed.
1257 An _unformatted string_.
1263 An _unsigned number_.
1268 A _string_ that describes the pathname of a file. The file
1269 does not necessarily need to exist.
1272 A _string_ that describes an LDAP server in the format:
1274 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
1276 'key fingerprint (34)'
1277 A _string_ with a 40 digit fingerprint specifying a
1281 A _string_ that describes a certificate by user ID, key ID or
1285 A _string_ that describes a certificate with a key by user ID,
1286 key ID or fingerprint.
1289 A _string_ that describes an alias list, like the one used
1290 with gpg's group option. The list consists of a key, an equal
1291 sign and space separated values.
1293 More types will be added in the future. Please see the ALT-TYPE
1294 field for information on how to cope with unknown types.
1297 This field is identical to TYPE, except that only the types '0' to
1298 '31' are allowed. The GUI is expected to present the user the
1299 option in the format specified by TYPE. But if the argument type
1300 TYPE is not supported by the GUI, it can still display the option
1301 in the more generic basic type ALT-TYPE. The GUI must support all
1302 the defined basic types to be able to display all options. More
1303 basic types may be added in future versions. If the GUI encounters
1304 a basic type it doesn't support, it should report an error and
1305 abort the operation.
1308 This field is only defined for options with an argument type TYPE
1309 that is not '0'. In this case it may contain a _percent-escaped_
1310 and _localized string_ that gives a short name for the argument.
1311 The field may also be empty, though, in which case a short name is
1315 This field is defined only for options for which the 'default' or
1316 'default desc' flag is set. If the 'default' flag is set, its
1317 format is that of an _option argument_ (*note Format conventions::,
1318 for details). If the default value is empty, then no default is
1319 known. Otherwise, the value specifies the default value for this
1320 option. If the 'default desc' flag is set, the field is either
1321 empty or contains a description of the effect if the option is not
1325 This field is defined only for options for which the 'optional arg'
1326 flag is set. If the 'no arg desc' flag is not set, its format is
1327 that of an _option argument_ (*note Format conventions::, for
1328 details). If the default value is empty, then no default is known.
1329 Otherwise, the value specifies the default argument for this
1330 option. If the 'no arg desc' flag is set, the field is either
1331 empty or contains a description of the effect of this option if no
1335 This field is defined only for options. Its format is that of an
1336 _option argument_. If it is empty, then the option is not
1337 explicitly set in the current configuration, and the default
1338 applies (if any). Otherwise, it contains the current value of the
1339 option. Note that this field is also meaningful if the option
1340 itself does not take a real argument (in this case, it contains the
1341 number of times the option appears).
1344 File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
1346 8.4.6 Changing options
1347 ----------------------
1349 The command '--change-options COMPONENT' will attempt to change the
1350 options of the component COMPONENT to the specified values. COMPONENT
1351 must be the string in the field NAME in the output of the
1352 '--list-components' command. You have to provide the options that shall
1353 be changed in the following format on standard input:
1355 'NAME:FLAGS:NEW-VALUE'
1358 This is the name of the option to change. NAME must be the string
1359 in the field NAME in the output of the '--list-options' command.
1362 The flags field contains an _unsigned number_. Its value is the
1363 OR-wise combination of the following flag values:
1366 If this flag is set, the option is deleted and the default
1367 value is used instead (if applicable).
1370 The new value for the option. This field is only defined if the
1371 'default' flag is not set. The format is that of an _option
1372 argument_. If it is empty (or the field is omitted), the default
1373 argument is used (only allowed if the argument is optional for this
1374 option). Otherwise, the option will be set to the specified value.
1376 The output of the command is the same as that of '--check-options' for
1377 the modified configuration file.
1381 To set the force option, which is of basic type 'none (0)':
1383 $ echo 'force:0:1' | gpgconf --change-options dirmngr
1385 To delete the force option:
1387 $ echo 'force:16:' | gpgconf --change-options dirmngr
1389 The '--runtime' option can influence when the changes take effect.
1392 File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
1394 8.4.7 Listing global options
1395 ----------------------------
1397 Sometimes it is useful for applications to look at the global options
1398 file 'gpgconf.conf'. The colon separated listing format is record
1399 oriented and uses the first field to identify the record type:
1402 This describes a key record to start the definition of a new
1403 ruleset for a user/group. The format of a key record is:
1408 This is the user field of the key. It is percent escaped.
1409 See the definition of the gpgconf.conf format for details.
1412 This is the group field of the key. It is percent escaped.
1415 This describes a rule record. All rule records up to the next key
1416 record make up a rule set for that key. The format of a rule
1419 'r:::COMPONENT:OPTION:FLAG:VALUE:'
1422 This is the component part of a rule. It is a plain string.
1425 This is the option part of a rule. It is a plain string.
1428 This is the flags part of a rule. There may be only one flag
1429 per rule but by using the same component and option, several
1430 flags may be assigned to an option. It is a plain string.
1433 This is the optional value for the option. It is a percent
1434 escaped string with a single quotation mark to indicate a
1435 string. The quotation mark is only required to distinguish
1436 between no value specified and an empty string.
1438 Unknown record types should be ignored. Note that there is
1439 intentionally no feature to change the global option file through
1443 File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
1445 8.4.8 Get and compare software versions.
1446 ----------------------------------------
1448 The GnuPG Project operates a server to query the current versions of
1449 software packages related to GnuPG. 'gpgconf' can be used to access this
1450 online database. To allow for offline operations, this feature works by
1451 having 'dirmngr' download a file from 'https://versions.gnupg.org',
1452 checking the signature of that file and storing the file in the GnuPG
1453 home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
1454 ask 'dirmngr' to refresh that file before itself uses the file.
1456 The command '--query-swdb' returns information for the given package
1457 in a colon delimited format:
1460 This is the name of the package as requested. Note that "gnupg" is
1461 a special name which is replaced by the actual package implementing
1462 this version of GnuPG. For this name it is also not required to
1463 specify a version because 'gpgconf' takes its own version in this
1467 The currently installed version or an empty string. The value is
1468 taken from the command line argument but may be provided by gpg if
1472 The status of the software package according to this table:
1474 No information available. This is either because no current
1475 version has been specified or due to an error.
1477 The given name is not known in the online database.
1479 An update of the software is available.
1481 The installed version of the software is current.
1483 The installed version is already newer than the released
1487 If the value (the empty string should be considered as zero) is
1488 greater than zero an important update is available.
1491 This returns an 'gpg-error' error code to distinguish between
1492 various failure modes.
1495 This gives the date of the file with the version numbers in
1496 standard ISO format ('yyyymmddThhmmss'). The date has been
1497 extracted by 'dirmngr' from the signature of the file.
1500 This gives the date in ISO format the file was downloaded. This
1501 value can be used to evaluate the freshness of the information.
1504 This returns the version string for the requested software from the
1508 This returns the release date in ISO format.
1511 This returns the size of the package as decimal number of bytes.
1514 This returns a hexified SHA-2 hash of the package.
1516 More fields may be added in future to the output.
1519 File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
1521 8.4.9 Files used by gpgconf
1522 ---------------------------
1524 '/etc/gnupg/gpgconf.conf'
1525 If this file exists, it is processed as a global configuration
1526 file. A commented example can be found in the 'examples' directory
1527 of the distribution.
1529 'GNUPGHOME/swdb.lst'
1530 A file with current software versions. 'dirmngr' creates this file
1531 on demand from an online resource.
1534 File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
1536 8.5 Run gpgconf for all users
1537 =============================
1539 This script is a wrapper around 'gpgconf' to run it with the command
1540 '--apply-defaults' for all real users with an existing GnuPG home
1541 directory. Admins might want to use this script to update he GnuPG
1542 configuration files for all users after '/etc/gnupg/gpgconf.conf' has
1543 been changed. This allows enforcing certain policies for all users.
1544 Note, that this is not a bulletproof way to force a user to use certain
1545 options. A user may always directly edit the configuration files and
1548 'applygnupgdefaults' is invoked by root as:
1553 File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
1555 8.6 Put a passphrase into the cache
1556 ===================================
1558 The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
1559 running 'gpg-agent' with passphrases. It is mainly useful for
1560 unattended machines, where the usual 'pinentry' tool may not be used and
1561 the passphrases for the to be used keys are given at machine startup.
1563 Passphrases set with this utility don't expire unless the '--forget'
1564 option is used to explicitly clear them from the cache -- or 'gpg-agent'
1565 is either restarted or reloaded (by sending a SIGHUP to it). Note that
1566 the maximum cache time as set with '--max-cache-ttl' is still honored.
1567 It is necessary to allow this passphrase presetting by starting
1568 'gpg-agent' with the '--allow-preset-passphrase'.
1572 * Invoking gpg-preset-passphrase:: List of all commands and options.
1575 File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
1577 8.6.1 List of all commands and options
1578 --------------------------------------
1580 'gpg-preset-passphrase' is invoked this way:
1582 gpg-preset-passphrase [options] [command] CACHEID
1584 CACHEID is either a 40 character keygrip of hexadecimal characters
1585 identifying the key for which the passphrase should be set or cleared.
1586 The keygrip is listed along with the key when running the command:
1587 'gpgsm --dump-secret-keys'. Alternatively an arbitrary string may be
1588 used to identify a passphrase; it is suggested that such a string is
1589 prefixed with the name of the application (e.g 'foo:12346').
1591 One of the following command options must be given:
1594 Preset a passphrase. This is what you usually will use.
1595 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
1598 Flush the passphrase for the given cache ID from the cache.
1600 The following additional options may be used:
1604 Output additional information while running.
1607 '--passphrase STRING'
1608 Instead of reading the passphrase from 'stdin', use the supplied
1609 STRING as passphrase. Note that this makes the passphrase visible
1613 File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
1615 8.7 Communicate with a running agent
1616 ====================================
1618 The 'gpg-connect-agent' is a utility to communicate with a running
1619 'gpg-agent'. It is useful to check out the commands 'gpg-agent'
1620 provides using the Assuan interface. It might also be useful for
1621 scripting simple applications. Input is expected at stdin and output
1622 gets printed to stdout.
1624 It is very similar to running 'gpg-agent' in server mode; but here we
1625 connect to a running instance.
1629 * Invoking gpg-connect-agent:: List of all options.
1630 * Controlling gpg-connect-agent:: Control commands.
1633 File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
1635 8.7.1 List of all options
1636 -------------------------
1638 'gpg-connect-agent' is invoked this way:
1640 gpg-connect-agent [options] [commands]
1642 The following options may be used:
1646 Output additional information while running.
1650 Try to be as quiet as possible.
1653 Set the name of the home directory to DIR. If this option is not
1654 used, the home directory defaults to '~/.gnupg'. It is only
1655 recognized when given on the command line. It also overrides any
1656 home directory stated through the environment variable 'GNUPGHOME'
1657 or (on Windows systems) by means of the Registry entry
1658 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1660 On Windows systems it is possible to install GnuPG as a portable
1661 application. In this case only this command line option is
1662 considered, all other ways to set a home directory are ignored.
1664 To install GnuPG as a portable application under Windows, create an
1665 empty file named 'gpgconf.ctl' in the same directory as the tool
1666 'gpgconf.exe'. The root of the installation is then that
1667 directory; or, if 'gpgconf.exe' has been installed directly below a
1668 directory named 'bin', its parent directory. You also need to make
1669 sure that the following directories exist and are writable:
1670 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
1671 for internal cache files.
1673 '--agent-program FILE'
1674 Specify the agent program to be started if none is running. The
1675 default value is determined by running 'gpgconf' with the option
1676 '--list-dirs'. Note that the pipe symbol ('|') is used for a
1677 regression test suite hack and may thus not be used in the file
1680 '--dirmngr-program FILE'
1681 Specify the directory manager (keyserver client) program to be
1682 started if none is running. This has only an effect if used
1683 together with the option '--dirmngr'.
1686 Connect to a running directory manager (keyserver client) instead
1687 of to the gpg-agent. If a dirmngr is not running, start it.
1691 Connect to socket NAME assuming this is an Assuan style server. Do
1692 not run any special initializations or environment checks. This
1693 may be used to directly connect to any Assuan style socket server.
1697 Take the rest of the command line as a program and it's arguments
1698 and execute it as an Assuan server. Here is how you would run
1700 gpg-connect-agent --exec gpgsm --server
1701 Note that you may not use options on the command line in this case.
1704 When using '-S' or '--exec', 'gpg-connect-agent' connects to the
1705 Assuan server in extended mode to allow descriptor passing. This
1706 option makes it use the old mode.
1709 Do not start the gpg-agent or the dirmngr if it has not yet been
1714 Run the commands from FILE at startup and then continue with the
1715 regular input method. Note, that commands given on the command
1716 line are executed after this file.
1720 Run the command '/subst' at startup.
1723 Print data lines in a hex format and the ASCII representation of
1724 non-control characters.
1727 Decode data lines. That is to remove percent escapes but make sure
1728 that a new line always starts with a D and a space.
1731 File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
1733 8.7.2 Control commands
1734 ----------------------
1736 While reading Assuan commands, gpg-agent also allows a few special
1737 commands to control its operation. These control commands all start
1744 Set the variable NAME to VALUE. Variables are only substituted on
1745 the input if the '/subst' has been used. Variables are referenced
1746 by prefixing the name with a dollar sign and optionally include the
1747 name in curly braces. The rules for a valid name are identically
1748 to those of the standard bourne shell. This is not yet enforced
1749 but may be in the future. When used with curly braces no leading
1750 or trailing white space is allowed.
1752 If a variable is not found, it is searched in the environment and
1753 if found copied to the table of variables.
1755 Variable functions are available: The name of the function must be
1756 followed by at least one space and the at least one argument. The
1757 following functions are available:
1760 Return a value described by the argument. Available arguments
1764 The current working directory.
1768 GnuPG's system configuration directory.
1770 GnuPG's binary directory.
1772 GnuPG's library directory.
1774 GnuPG's library directory for executable files.
1776 GnuPG's data directory.
1778 The PID of the current server. Command '/serverpid' must
1779 have been given to return a useful value.
1782 Remove C-style escapes from ARGS. Note that '\0' and '\x00'
1783 terminate the returned string implicitly. The string to be
1784 converted are the entire arguments right behind the delimiting
1785 space of the function name.
1789 Remove percent style escaping from ARGS. Note that '%00'
1790 terminates the string implicitly. The string to be converted
1791 are the entire arguments right behind the delimiting space of
1792 the function name. 'unpercent+' also maps plus signs to a
1797 Escape the ARGS using percent style escaping. Tabs,
1798 formfeeds, linefeeds, carriage returns and colons are escaped.
1799 'percent+' also maps spaces to plus signs.
1804 Assume ARG is an integer and evaluate it using 'strtol'.
1805 Return the gpg-error error code, error source or a formatted
1806 string with the error code and error source.
1813 Evaluate all arguments as long integers using 'strtol' and
1814 apply this operator. A division by zero yields an empty
1820 Evaluate all arguments as long integers using 'strtol' and
1821 apply the logical operators NOT, OR or AND. The NOT operator
1822 works on the last argument only.
1825 Use content of the variable VAR for inquiries with NAME. NAME may
1826 be an asterisk ('*') to match any inquiry.
1828 '/definqfile NAME FILE'
1829 Use content of FILE for inquiries with NAME. NAME may be an
1830 asterisk ('*') to match any inquiry.
1832 '/definqprog NAME PROG'
1833 Run PROG for inquiries matching NAME and pass the entire line to it
1834 as command line arguments.
1837 Write all data lines from the server to the file NAME. The file is
1838 opened for writing and created if it does not exists. An existing
1839 file is first truncated to 0. The data written to the file fully
1840 decoded. Using a single dash for NAME writes to stdout. The file
1841 is kept open until a new file is set using this command or this
1842 command is used without an argument.
1845 Print all definitions
1848 Delete all definitions
1851 Open FILE in MODE (which needs to be a valid 'fopen' mode string)
1852 and send the file descriptor to the server. This is usually
1853 followed by a command like 'INPUT FD' to set the input source for
1857 Not yet implemented.
1859 '/open VAR FILE [MODE]'
1860 Open FILE and assign the file descriptor to VAR. Warning: This
1861 command is experimental and might change in future versions.
1864 Close the file descriptor FD. Warning: This command is
1865 experimental and might change in future versions.
1868 Show a list of open files.
1871 Send the Assuan command 'GETINFO pid' to the server and store the
1872 returned PID for internal purposes.
1879 Same as the command line option '--hex'.
1883 Same as the command line option '--decode'.
1887 Enable and disable variable substitution. It defaults to disabled
1888 unless the command line option '--subst' has been used. If /subst
1889 as been enabled once, leading whitespace is removed from input
1890 lines which makes scripts easier to read.
1894 These commands provide a way for executing loops. All lines
1895 between the 'while' and the corresponding 'end' are executed as
1896 long as the evaluation of CONDITION yields a non-zero value or is
1897 the string 'true' or 'yes'. The evaluation is done by passing
1898 CONDITION to the 'strtol' function. Example:
1903 /echo loop couter is $i
1909 These commands provide a way for conditional execution. All lines
1910 between the 'if' and the corresponding 'end' are executed only if
1911 the evaluation of CONDITION yields a non-zero value or is the
1912 string 'true' or 'yes'. The evaluation is done by passing
1913 CONDITION to the 'strtol' function.
1916 Run commands from FILE.
1919 Terminate the connection and the program.
1922 Print a list of available control commands.
1925 File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
1927 8.8 The Dirmngr Client Tool
1928 ===========================
1930 The 'dirmngr-client' is a simple tool to contact a running dirmngr and
1931 test whether a certificate has been revoked -- either by being listed in
1932 the corresponding CRL or by running the OCSP protocol. If no dirmngr is
1933 running, a new instances will be started but this is in general not a
1934 good idea due to the huge performance overhead.
1936 The usual way to run this tool is either:
1938 dirmngr-client ACERT
1942 dirmngr-client <ACERT
1944 Where ACERT is one DER encoded (binary) X.509 certificates to be
1945 tested. The return value of this command is
1948 The certificate under question is valid; i.e. there is a valid CRL
1949 available and it is not listed there or the OCSP request returned
1950 that that certificate is valid.
1953 The certificate has been revoked
1955 '2 (and other values)'
1956 There was a problem checking the revocation state of the
1957 certificate. A message to stderr has given more detailed
1958 information. Most likely this is due to a missing or expired CRL
1959 or due to a network problem.
1961 'dirmngr-client' may be called with the following options:
1964 Print the program version and licensing information. Note that you
1965 cannot abbreviate this command.
1968 Print a usage message summarizing the most useful command-line
1969 options. Note that you cannot abbreviate this command.
1972 Make the output extra brief by suppressing any informational
1977 Outputs additional information while running. You can increase the
1978 verbosity by giving several verbose commands to DIRMNGR, such as
1982 Assume that the given certificate is in PEM (armored) format.
1985 Do the check using the OCSP protocol and ignore any CRLs.
1987 '--force-default-responder'
1988 When checking using the OCSP protocol, force the use of the default
1989 OCSP responder. That is not to use the Reponder as given by the
1993 Check whether the dirmngr daemon is up and running.
1996 Put the given certificate into the cache of a running dirmngr.
1997 This is mainly useful for debugging.
2000 Validate the given certificate using dirmngr's internal validation
2001 code. This is mainly useful for debugging.
2004 This command expects a list of filenames with DER encoded CRL
2005 files. With the option '--url' URLs are expected in place of
2006 filenames and they are loaded directly from the given location.
2007 All CRLs will be validated and then loaded into dirmngr's cache.
2010 Take the remaining arguments and run a lookup command on each of
2011 them. The results are Base-64 encoded outputs (without header
2012 lines). This may be used to retrieve certificates from a server.
2013 However the output format is not very well suited if more than one
2014 certificate is returned.
2018 Modify the 'lookup' and 'load-crl' commands to take an URL.
2022 Let the 'lookup' command only search the local cache.
2025 Run DIRMNGR-CLIENT in a mode suitable as a helper program for
2026 Squid's 'external_acl_type' option.
2029 File: gnupg.info, Node: gpgparsemail, Next: symcryptrun, Prev: dirmngr-client, Up: Helper Tools
2031 8.9 Parse a mail message into an annotated format
2032 =================================================
2034 The 'gpgparsemail' is a utility currently only useful for debugging.
2035 Run it with '--help' for usage information.
2038 File: gnupg.info, Node: symcryptrun, Next: gpg-zip, Prev: gpgparsemail, Up: Helper Tools
2040 8.10 Call a simple symmetric encryption tool
2041 ============================================
2043 Sometimes simple encryption tools are already in use for a long time and
2044 there might be a desire to integrate them into the GnuPG framework. The
2045 protocols and encryption methods might be non-standard or not even
2046 properly documented, so that a full-fledged encryption tool with an
2047 interface like 'gpg' is not doable. 'symcryptrun' provides a solution:
2048 It operates by calling the external encryption/decryption module and
2049 provides a passphrase for a key using the standard 'pinentry' based
2050 mechanism through 'gpg-agent'.
2052 Note, that 'symcryptrun' is only available if GnuPG has been
2053 configured with '--enable-symcryptrun' at build time.
2057 * Invoking symcryptrun:: List of all commands and options.
2060 File: gnupg.info, Node: Invoking symcryptrun, Up: symcryptrun
2062 8.10.1 List of all commands and options
2063 ---------------------------------------
2065 'symcryptrun' is invoked this way:
2067 symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
2068 [--decrypt | --encrypt] [inputfile]
2070 For encryption, the plain text must be provided on STDIN or as the
2071 argument INPUTFILE, and the ciphertext will be output to STDOUT. For
2072 decryption vice versa.
2074 CLASS describes the calling conventions of the external tool.
2075 Currently it must be given as 'confucius'. PROGRAM is the full filename
2076 of that external tool.
2078 For the class 'confucius' the option '--keyfile' is required; KEYFILE
2079 is the name of a file containing the secret key, which may be protected
2080 by a passphrase. For detailed calling conventions, see the source code.
2082 Note, that 'gpg-agent' must be running before starting 'symcryptrun'.
2084 The following additional options may be used:
2088 Output additional information while running.
2092 Try to be as quiet as possible.
2095 Set the name of the home directory to DIR. If this option is not
2096 used, the home directory defaults to '~/.gnupg'. It is only
2097 recognized when given on the command line. It also overrides any
2098 home directory stated through the environment variable 'GNUPGHOME'
2099 or (on Windows systems) by means of the Registry entry
2100 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2102 On Windows systems it is possible to install GnuPG as a portable
2103 application. In this case only this command line option is
2104 considered, all other ways to set a home directory are ignored.
2106 To install GnuPG as a portable application under Windows, create an
2107 empty file named 'gpgconf.ctl' in the same directory as the tool
2108 'gpgconf.exe'. The root of the installation is then that
2109 directory; or, if 'gpgconf.exe' has been installed directly below a
2110 directory named 'bin', its parent directory. You also need to make
2111 sure that the following directories exist and are writable:
2112 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
2113 for internal cache files.
2116 Append all logging output to FILE. Use 'socket://' to log to
2117 socket. Default is to write logging information to STDERR.
2119 The possible exit status codes of 'symcryptrun' are:
2124 Some error occurred.
2126 No valid passphrase was provided.
2128 The operation was canceled by the user.
2131 File: gnupg.info, Node: gpg-zip, Prev: symcryptrun, Up: Helper Tools
2133 8.11 Encrypt or sign files into an archive
2134 ==========================================
2136 'gpg-zip' encrypts or signs files into an archive. It is an gpg-ized
2137 tar using the same format as used by PGP's PGP Zip.
2139 'gpg-zip' is invoked this way:
2141 gpg-zip [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
2143 'gpg-zip' understands these options:
2147 Encrypt data. This option may be combined with '--symmetric' (for
2148 output that may be decrypted via a secret key or a passphrase).
2156 Encrypt with a symmetric cipher using a passphrase. The default
2157 symmetric cipher used is CAST5, but may be chosen with the
2158 '--cipher-algo' option to 'gpg'.
2162 Make a signature. See 'gpg'.
2166 Encrypt for user id USER. See 'gpg'.
2170 Use USER as the key to sign with. See 'gpg'.
2173 List the contents of the specified archive.
2177 Write output to specified file FILE.
2180 Use the specified command GPGCMD instead of 'gpg'.
2183 Pass the specified options to 'gpg'.
2186 Use the specified command TARCMD instead of 'tar'.
2189 Pass the specified options to 'tar'.
2192 Print version of the program and exit.
2195 Display a brief help page and exit.
2197 The program returns 0 if everything was fine, 1 otherwise.
2201 Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
2203 gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
2205 List the contents of archive 'test1':
2207 gpg-zip --list-archive test1
2210 File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Helper Tools, Up: Top
2212 9 How to do certain things
2213 **************************
2215 This is a collection of small howto documents.
2219 * Howto Create a Server Cert:: Creating a TLS server certificate.
2222 File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
2224 9.1 Creating a TLS server certificate
2225 =====================================
2227 Here is a brief run up on how to create a server certificate. It has
2228 actually been done this way to get a certificate from CAcert to be used
2229 on a real server. It has only been tested with this CA, but there
2230 shouldn't be any problem to run this against any other CA.
2232 We start by generating an X.509 certificate signing request. As
2233 there is no need for a configuration file, you may simply enter:
2235 $ gpgsm --generate-key >example.com.cert-req.pem
2236 Please select what kind of key you want:
2239 (3) Existing key from card
2242 I opted for creating a new RSA key. The other option is to use an
2243 already existing key, by selecting '2' and entering the so-called
2244 keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
2245 this keygrip. Using '3' offers another menu to create a certificate
2246 directly from a smart card based key.
2250 What keysize do you want? (2048)
2251 Requested keysize is 2048 bits
2253 Hitting enter chooses the default RSA key size of 2048 bits. Smaller
2254 keys are too weak on the modern Internet. If you choose a larger
2255 (stronger) key, your server will need to do more work.
2257 Possible actions for a RSA key:
2263 Selecting "sign" enables use of the key for Diffie-Hellman key
2264 exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
2265 they offer forward secrecy. Selecting "encrypt" enables RSA key
2266 exchange mechanisms, which are still common in some places. Selecting
2267 both enables both key exchange mechanisms.
2269 Now for some real data:
2271 Enter the X.509 subject name: CN=example.com
2273 This is the most important value for a server certificate. Enter
2274 here the canonical name of your server machine. You may add other
2275 virtual server names later.
2277 E-Mail addresses (end with an empty line):
2280 We don't need email addresses in a TLS server certificate and CAcert
2281 would anyway ignore such a request. Thus just hit enter.
2283 If you want to create a client certificate for email encryption, this
2284 would be the place to enter your mail address (e.g. <joe@example.org>).
2285 You may enter as many addresses as you like, however the CA may not
2286 accept them all or reject the entire request.
2288 Enter DNS names (optional; end with an empty line):
2293 Here I entered the names of the services which the machine actually
2294 provides. You almost always want to include the canonical name here
2295 too. The browser will accept a certificate for any of these names. As
2296 usual the CA must approve all of these names.
2298 URIs (optional; end with an empty line):
2301 It is possible to insert arbitrary URIs into a certificate; for a
2302 server certificate this does not make sense.
2304 Create self-signed certificate? (y/N)
2306 Since we are creating a certificate signing request, and not a full
2307 certificate, we answer no here, or just hit enter for the default.
2309 We have now entered all required information and 'gpgsm' will display
2310 what it has gathered and ask whether to create the certificate request:
2312 These parameters are used:
2315 Key-Usage: sign, encrypt
2316 Name-DN: CN=example.com
2317 Name-DNS: example.com
2318 Name-DNS: www.example.com
2320 Proceed with creation? (y/N) y
2322 'gpgsm' will now start working on creating the request. As this
2323 includes the creation of an RSA key it may take a while. During this
2324 time you will be asked 3 times for a passphrase to protect the created
2325 private key on your system. A pop up window will appear to ask for it.
2326 The first two prompts are for the new passphrase and for re-entering it;
2327 the third one is required to actually create the certificate signing
2330 When it is ready, you should see the final notice:
2332 Ready. You should now send this request to your CA.
2334 Now, you may look at the created request:
2336 $ cat example.com.cert-req.pem
2337 -----BEGIN CERTIFICATE REQUEST-----
2338 MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
2339 DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
2340 h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
2341 Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
2342 GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
2343 DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
2344 xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
2345 hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
2346 ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
2347 b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
2348 hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
2349 bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
2350 VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
2351 k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
2352 -----END CERTIFICATE REQUEST-----
2355 You may now proceed by logging into your account at the CAcert
2356 website, choose 'Server Certificates - New', check 'sign by class 3 root
2357 certificate', paste the above request block into the text field and
2360 If everything works out fine, a certificate will be shown. Now run
2364 and paste the certificate from the CAcert page into your terminal
2365 followed by a Ctrl-D
2367 -----BEGIN CERTIFICATE-----
2368 MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
2370 rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
2372 -----END CERTIFICATE-----
2373 gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
2374 gpgsm: certificate imported
2376 gpgsm: total number processed: 1
2379 'gpgsm' tells you that it has imported the certificate. It is now
2380 associated with the key you used when creating the request. The root
2381 certificate has not been found, so you may want to import it from the
2384 To see the content of your certificate, you may now enter:
2386 $ gpgsm -K example.com
2387 /home/foo/.gnupg/pubring.kbx
2388 ---------------------------
2390 Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
2391 Subject: /CN=example.com
2392 aka: (dns-name example.com)
2393 aka: (dns-name www.example.com)
2394 validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
2395 key type: 2048 bit RSA
2396 key usage: digitalSignature keyEncipherment
2397 ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
2398 fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
2400 I used '-K' above because this will only list certificates for which
2401 a private key is available. To see more details, you may use
2402 '--dump-secret-keys' instead of '-K'.
2404 To make actual use of the certificate you need to install it on your
2405 server. Server software usually expects a PKCS\#12 file with key and
2406 certificate. To create such a file, run:
2408 $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
2410 You will be asked for the passphrase as well as for a new passphrase
2411 to be used to protect the PKCS\#12 file. The file now contains the
2412 certificate as well as the private key:
2414 $ cat example-cert.pem
2415 Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
2417 Subject ..: /CN=example.com
2418 aka ..: (dns-name example.com)
2419 aka ..: (dns-name www.example.com)
2421 -----BEGIN PKCS12-----
2422 MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
2423 [...many more lines...]
2424 -----END PKCS12-----
2427 Copy this file in a secure way to the server, install it there and
2428 delete the file then. You may export the file again at any time as long
2429 as it is available in GnuPG's private key database.
2432 File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
2434 10 Notes pertaining to certain OSes
2435 ***********************************
2437 GnuPG has been developed on GNU/Linux systems and is know to work on
2438 almost all Free OSes. All modern POSIX systems should be supported
2439 right now, however there are probably a lot of smaller glitches we need
2440 to fix first. The major problem areas are:
2442 * We are planning to use file descriptor passing for interprocess
2443 communication. This will allow us save a lot of resources and
2444 improve performance of certain operations a lot. Systems not
2445 supporting this won't gain these benefits but we try to keep them
2446 working the standard way as it is done today.
2448 * We require more or less full POSIX compatibility. This has been
2449 around for 15 years now and thus we don't believe it makes sense to
2450 support non POSIX systems anymore. Well, we of course the usual
2451 workarounds for near POSIX systems well be applied.
2453 There is one exception of this rule: Systems based the Microsoft
2454 Windows API (called here _W32_) will be supported to some extend.
2458 * W32 Notes:: Microsoft Windows Notes
2461 File: gnupg.info, Node: W32 Notes, Up: System Notes
2463 10.1 Microsoft Windows Notes
2464 ============================
2466 Current limitations are:
2468 * 'gpgconf' does not create backup files, so in case of trouble your
2469 configuration file might get lost.
2471 * 'watchgnupg' is not available. Logging to sockets is not possible.
2473 * The periodical smartcard status checking done by 'scdaemon' is not
2477 File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
2479 11 How to solve problems
2480 ************************
2482 Everyone knows that software often does not do what it should do and
2483 thus there is a need to track down problems. We call this debugging in
2484 a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
2486 Most of the problems a merely configuration and user problems but
2487 nevertheless they are the most annoying ones and responsible for many
2488 gray hairs. We try to give some guidelines here on how to identify and
2489 solve the problem at hand.
2493 * Debugging Tools:: Description of some useful tools.
2494 * Debugging Hints:: Various hints on debugging.
2495 * Common Problems:: Commonly seen problems.
2496 * Architecture Details:: How the whole thing works internally.
2499 File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
2501 11.1 Debugging Tools
2502 ====================
2504 The GnuPG distribution comes with a couple of tools, useful to help find
2505 and solving problems.
2509 * kbxutil:: Scrutinizing a keybox file.
2512 File: gnupg.info, Node: kbxutil, Up: Debugging Tools
2514 11.1.1 Scrutinizing a keybox file
2515 ---------------------------------
2517 A keybox is a file format used to store public keys along with meta
2518 information and indices. The commonly used one is the file
2519 'pubring.kbx' in the '.gnupg' directory. It contains all X.509
2520 certificates as well as OpenPGP keys(1).
2522 When called the standard way, e.g.:
2524 'kbxutil ~/.gnupg/pubring.kbx'
2526 it lists all records (called blobs) with there meta-information in a
2527 human readable format.
2529 To see statistics on the keybox in question, run it using
2531 'kbxutil --stats ~/.gnupg/pubring.kbx'
2533 and you get an output like:
2535 Total number of blobs: 99
2542 ephemeral flagged: 17
2544 In this example you see that the keybox does not have any OpenPGP
2545 keys but contains 98 X.509 certificates and a total of 17 keys or
2546 certificates are flagged as ephemeral, meaning that they are only
2547 temporary stored (cached) in the keybox and won't get listed using the
2548 usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
2549 in a standard way and directly available from 'gpgsm'.
2551 To find duplicated certificates and keyblocks in a keybox file (this
2552 should not occur but sometimes things go wrong), run it using
2554 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
2556 ---------- Footnotes ----------
2558 (1) Well, OpenPGP keys are not implemented, 'gpg' still used the
2559 keyring file 'pubring.gpg'.
2562 File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
2564 11.2 Various hints on debugging
2565 ===============================
2567 * How to find the IP address of a keyserver
2569 If a round robin URL of is used for a keyserver (e.g.
2570 subkeys.gnupg.org); it is not easy to see what server is actually
2571 used. Using the keyserver debug option as in
2573 gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
2575 is thus often helpful. Note that the actual output depends on the
2576 backend and may change from release to release.
2578 * Logging on WindowsCE
2580 For development, the best logging method on WindowsCE is the use of
2581 remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
2582 The command 'watchgnupg' may be used on the remote host to listen
2583 on the given port (*note option watchgnupg --tcp::). For in the
2584 field tests it is better to make use of the logging facility
2585 provided by the 'gpgcedev' driver (part of libassuan); this is
2586 enabled by using a log file name of 'GPG2:' (*note option
2590 File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
2592 11.3 Commonly Seen Problems
2593 ===========================
2595 * Error code 'Not supported' from Dirmngr
2597 Most likely the option 'enable-ocsp' is active for gpgsm but
2598 Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
2601 * The Curses based Pinentry does not work
2603 The far most common reason for this is that the environment
2604 variable 'GPG_TTY' has not been set correctly. Make sure that it
2605 has been set to a real tty device and not just to '/dev/tty'; i.e.
2606 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
2607 note the back ticks. Also make sure that this environment variable
2608 gets exported, that is you should follow up the setting with an
2609 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
2610 based Pinentries; you should have set 'GPG_TTY'. See the section
2611 on installing the 'gpg-agent' on how to do it.
2613 * SSH hangs while a popping up pinentry was expected
2615 SSH has no way to tell the gpg-agent what terminal or X display it
2616 is running on. So when remotely logging into a box where a
2617 gpg-agent with SSH support is running, the pinentry will get popped
2618 up on whatever display the gpg-agent has been started. To solve
2619 this problem you may issue the command
2621 echo UPDATESTARTUPTTY | gpg-connect-agent
2623 and the next pinentry will pop up on your display or screen.
2624 However, you need to kill the running pinentry first because only
2625 one pinentry may be running at once. If you plan to use ssh on a
2626 new display you should issue the above command before invoking ssh
2627 or any other service making use of ssh.
2629 * Exporting a secret key without a certificate
2631 It may happen that you have created a certificate request using
2632 'gpgsm' but not yet received and imported the certificate from the
2633 CA. However, you want to export the secret key to another machine
2634 right now to import the certificate over there then. You can do
2635 this with a little trick but it requires that you know the
2636 approximate time you created the signing request. By running the
2639 ls -ltr ~/.gnupg/private-keys-v1.d
2641 you get a listing of all private keys under control of 'gpg-agent'.
2642 Pick the key which best matches the creation time and run the
2645 /usr/local/libexec/gpg-protect-tool --p12-export \
2646 ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
2648 (Please adjust the path to 'gpg-protect-tool' to the appropriate
2649 location). FOO is the name of the key file you picked (it should
2650 have the suffix '.key'). A Pinentry box will pop up and ask you
2651 for the current passphrase of the key and a new passphrase to
2652 protect it in the pkcs#12 file.
2654 To import the created file on the machine you use this command:
2656 /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
2658 You will be asked for the pkcs#12 passphrase and a new passphrase
2659 to protect the imported private key at its new location.
2661 Note that there is no easy way to match existing certificates with
2662 stored private keys because some private keys are used for Secure
2663 Shell or other purposes and don't have a corresponding certificate.
2665 * A root certificate does not verify
2667 A common problem is that the root certificate misses the required
2668 basicConstraints attribute and thus 'gpgsm' rejects this
2669 certificate. An error message indicating "no value" is a sign for
2670 such a certificate. You may use the 'relax' flag in
2671 'trustlist.txt' to accept the certificate anyway. Note that the
2672 fingerprint and this flag may only be added manually to
2675 * Error message: "digest algorithm N has not been enabled"
2677 The signature is broken. You may try the option
2678 '--extra-digest-algo SHA256' to workaround the problem. The number
2679 N is the internal algorithm identifier; for example 8 refers to
2682 * The Windows version does not work under Wine
2684 When running the W32 version of 'gpg' under Wine you may get an
2685 error messages like:
2687 gpg: fatal: WriteConsole failed: Access denied
2689 The solution is to use the command 'wineconsole'.
2691 Some operations like '--generate-key' really want to talk to the
2692 console directly for increased security (for example to prevent the
2693 passphrase from appearing on the screen). So, you should use
2694 'wineconsole' instead of 'wine', which will launch a windows
2695 console that implements those additional features.
2697 * Why does GPG's -search-key list weird keys?
2699 For performance reasons the keyservers do not check the keys the
2700 same way 'gpg' does. It may happen that the listing of keys
2701 available on the keyservers shows keys with wrong user IDs or with
2702 user Ids from other keys. If you try to import this key, the bad
2703 keys or bad user ids won't get imported, though. This is a bit
2704 unfortunate but we can't do anything about it without actually
2705 downloading the keys.
2708 File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
2710 11.4 How the whole thing works internally
2711 =========================================
2715 * Component interaction:: How the components work together.
2716 * GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
2719 File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
2721 11.4.1 How the components work together
2722 ---------------------------------------
2724 \0\b[image src="gnupg-module-overview.png" alt="GnuPG modules"
\0\b]
2726 Figure 11.1: GnuPG module overview
2729 File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
2731 11.4.2 Relationship between GnuPG 1.4 and 2.x
2732 ---------------------------------------------
2734 Here is a little picture showing how the different GnuPG versions make
2737 \0\b[image src="gnupg-card-architecture.png" alt="GnuPG card architecture"
\0\b]
2739 Figure 11.2: GnuPG card architecture
2742 File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
2744 GNU General Public License
2745 **************************
2747 Version 3, 29 June 2007
2749 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
2751 Everyone is permitted to copy and distribute verbatim copies of this
2752 license document, but changing it is not allowed.
2757 The GNU General Public License is a free, copyleft license for software
2758 and other kinds of works.
2760 The licenses for most software and other practical works are designed
2761 to take away your freedom to share and change the works. By contrast,
2762 the GNU General Public License is intended to guarantee your freedom to
2763 share and change all versions of a program-to make sure it remains free
2764 software for all its users. We, the Free Software Foundation, use the
2765 GNU General Public License for most of our software; it applies also to
2766 any other work released this way by its authors. You can apply it to
2769 When we speak of free software, we are referring to freedom, not
2770 price. Our General Public Licenses are designed to make sure that you
2771 have the freedom to distribute copies of free software (and charge for
2772 them if you wish), that you receive source code or can get it if you
2773 want it, that you can change the software or use pieces of it in new
2774 free programs, and that you know you can do these things.
2776 To protect your rights, we need to prevent others from denying you
2777 these rights or asking you to surrender the rights. Therefore, you have
2778 certain responsibilities if you distribute copies of the software, or if
2779 you modify it: responsibilities to respect the freedom of others.
2781 For example, if you distribute copies of such a program, whether
2782 gratis or for a fee, you must pass on to the recipients the same
2783 freedoms that you received. You must make sure that they, too, receive
2784 or can get the source code. And you must show them these terms so they
2787 Developers that use the GNU GPL protect your rights with two steps:
2788 (1) assert copyright on the software, and (2) offer you this License
2789 giving you legal permission to copy, distribute and/or modify it.
2791 For the developers' and authors' protection, the GPL clearly explains
2792 that there is no warranty for this free software. For both users' and
2793 authors' sake, the GPL requires that modified versions be marked as
2794 changed, so that their problems will not be attributed erroneously to
2795 authors of previous versions.
2797 Some devices are designed to deny users access to install or run
2798 modified versions of the software inside them, although the manufacturer
2799 can do so. This is fundamentally incompatible with the aim of
2800 protecting users' freedom to change the software. The systematic
2801 pattern of such abuse occurs in the area of products for individuals to
2802 use, which is precisely where it is most unacceptable. Therefore, we
2803 have designed this version of the GPL to prohibit the practice for those
2804 products. If such problems arise substantially in other domains, we
2805 stand ready to extend this provision to those domains in future versions
2806 of the GPL, as needed to protect the freedom of users.
2808 Finally, every program is threatened constantly by software patents.
2809 States should not allow patents to restrict development and use of
2810 software on general-purpose computers, but in those that do, we wish to
2811 avoid the special danger that patents applied to a free program could
2812 make it effectively proprietary. To prevent this, the GPL assures that
2813 patents cannot be used to render the program non-free.
2815 The precise terms and conditions for copying, distribution and
2816 modification follow.
2818 TERMS AND CONDITIONS
2822 "This License" refers to version 3 of the GNU General Public
2825 "Copyright" also means copyright-like laws that apply to other
2826 kinds of works, such as semiconductor masks.
2828 "The Program" refers to any copyrightable work licensed under this
2829 License. Each licensee is addressed as "you". "Licensees" and
2830 "recipients" may be individuals or organizations.
2832 To "modify" a work means to copy from or adapt all or part of the
2833 work in a fashion requiring copyright permission, other than the
2834 making of an exact copy. The resulting work is called a "modified
2835 version" of the earlier work or a work "based on" the earlier work.
2837 A "covered work" means either the unmodified Program or a work
2838 based on the Program.
2840 To "propagate" a work means to do anything with it that, without
2841 permission, would make you directly or secondarily liable for
2842 infringement under applicable copyright law, except executing it on
2843 a computer or modifying a private copy. Propagation includes
2844 copying, distribution (with or without modification), making
2845 available to the public, and in some countries other activities as
2848 To "convey" a work means any kind of propagation that enables other
2849 parties to make or receive copies. Mere interaction with a user
2850 through a computer network, with no transfer of a copy, is not
2853 An interactive user interface displays "Appropriate Legal Notices"
2854 to the extent that it includes a convenient and prominently visible
2855 feature that (1) displays an appropriate copyright notice, and (2)
2856 tells the user that there is no warranty for the work (except to
2857 the extent that warranties are provided), that licensees may convey
2858 the work under this License, and how to view a copy of this
2859 License. If the interface presents a list of user commands or
2860 options, such as a menu, a prominent item in the list meets this
2865 The "source code" for a work means the preferred form of the work
2866 for making modifications to it. "Object code" means any non-source
2869 A "Standard Interface" means an interface that either is an
2870 official standard defined by a recognized standards body, or, in
2871 the case of interfaces specified for a particular programming
2872 language, one that is widely used among developers working in that
2875 The "System Libraries" of an executable work include anything,
2876 other than the work as a whole, that (a) is included in the normal
2877 form of packaging a Major Component, but which is not part of that
2878 Major Component, and (b) serves only to enable use of the work with
2879 that Major Component, or to implement a Standard Interface for
2880 which an implementation is available to the public in source code
2881 form. A "Major Component", in this context, means a major
2882 essential component (kernel, window system, and so on) of the
2883 specific operating system (if any) on which the executable work
2884 runs, or a compiler used to produce the work, or an object code
2885 interpreter used to run it.
2887 The "Corresponding Source" for a work in object code form means all
2888 the source code needed to generate, install, and (for an executable
2889 work) run the object code and to modify the work, including scripts
2890 to control those activities. However, it does not include the
2891 work's System Libraries, or general-purpose tools or generally
2892 available free programs which are used unmodified in performing
2893 those activities but which are not part of the work. For example,
2894 Corresponding Source includes interface definition files associated
2895 with source files for the work, and the source code for shared
2896 libraries and dynamically linked subprograms that the work is
2897 specifically designed to require, such as by intimate data
2898 communication or control flow between those subprograms and other
2901 The Corresponding Source need not include anything that users can
2902 regenerate automatically from other parts of the Corresponding
2905 The Corresponding Source for a work in source code form is that
2908 2. Basic Permissions.
2910 All rights granted under this License are granted for the term of
2911 copyright on the Program, and are irrevocable provided the stated
2912 conditions are met. This License explicitly affirms your unlimited
2913 permission to run the unmodified Program. The output from running
2914 a covered work is covered by this License only if the output, given
2915 its content, constitutes a covered work. This License acknowledges
2916 your rights of fair use or other equivalent, as provided by
2919 You may make, run and propagate covered works that you do not
2920 convey, without conditions so long as your license otherwise
2921 remains in force. You may convey covered works to others for the
2922 sole purpose of having them make modifications exclusively for you,
2923 or provide you with facilities for running those works, provided
2924 that you comply with the terms of this License in conveying all
2925 material for which you do not control copyright. Those thus making
2926 or running the covered works for you must do so exclusively on your
2927 behalf, under your direction and control, on terms that prohibit
2928 them from making any copies of your copyrighted material outside
2929 their relationship with you.
2931 Conveying under any other circumstances is permitted solely under
2932 the conditions stated below. Sublicensing is not allowed; section
2933 10 makes it unnecessary.
2935 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
2937 No covered work shall be deemed part of an effective technological
2938 measure under any applicable law fulfilling obligations under
2939 article 11 of the WIPO copyright treaty adopted on 20 December
2940 1996, or similar laws prohibiting or restricting circumvention of
2943 When you convey a covered work, you waive any legal power to forbid
2944 circumvention of technological measures to the extent such
2945 circumvention is effected by exercising rights under this License
2946 with respect to the covered work, and you disclaim any intention to
2947 limit operation or modification of the work as a means of
2948 enforcing, against the work's users, your or third parties' legal
2949 rights to forbid circumvention of technological measures.
2951 4. Conveying Verbatim Copies.
2953 You may convey verbatim copies of the Program's source code as you
2954 receive it, in any medium, provided that you conspicuously and
2955 appropriately publish on each copy an appropriate copyright notice;
2956 keep intact all notices stating that this License and any
2957 non-permissive terms added in accord with section 7 apply to the
2958 code; keep intact all notices of the absence of any warranty; and
2959 give all recipients a copy of this License along with the Program.
2961 You may charge any price or no price for each copy that you convey,
2962 and you may offer support or warranty protection for a fee.
2964 5. Conveying Modified Source Versions.
2966 You may convey a work based on the Program, or the modifications to
2967 produce it from the Program, in the form of source code under the
2968 terms of section 4, provided that you also meet all of these
2971 a. The work must carry prominent notices stating that you
2972 modified it, and giving a relevant date.
2974 b. The work must carry prominent notices stating that it is
2975 released under this License and any conditions added under
2976 section 7. This requirement modifies the requirement in
2977 section 4 to "keep intact all notices".
2979 c. You must license the entire work, as a whole, under this
2980 License to anyone who comes into possession of a copy. This
2981 License will therefore apply, along with any applicable
2982 section 7 additional terms, to the whole of the work, and all
2983 its parts, regardless of how they are packaged. This License
2984 gives no permission to license the work in any other way, but
2985 it does not invalidate such permission if you have separately
2988 d. If the work has interactive user interfaces, each must display
2989 Appropriate Legal Notices; however, if the Program has
2990 interactive interfaces that do not display Appropriate Legal
2991 Notices, your work need not make them do so.
2993 A compilation of a covered work with other separate and independent
2994 works, which are not by their nature extensions of the covered
2995 work, and which are not combined with it such as to form a larger
2996 program, in or on a volume of a storage or distribution medium, is
2997 called an "aggregate" if the compilation and its resulting
2998 copyright are not used to limit the access or legal rights of the
2999 compilation's users beyond what the individual works permit.
3000 Inclusion of a covered work in an aggregate does not cause this
3001 License to apply to the other parts of the aggregate.
3003 6. Conveying Non-Source Forms.
3005 You may convey a covered work in object code form under the terms
3006 of sections 4 and 5, provided that you also convey the
3007 machine-readable Corresponding Source under the terms of this
3008 License, in one of these ways:
3010 a. Convey the object code in, or embodied in, a physical product
3011 (including a physical distribution medium), accompanied by the
3012 Corresponding Source fixed on a durable physical medium
3013 customarily used for software interchange.
3015 b. Convey the object code in, or embodied in, a physical product
3016 (including a physical distribution medium), accompanied by a
3017 written offer, valid for at least three years and valid for as
3018 long as you offer spare parts or customer support for that
3019 product model, to give anyone who possesses the object code
3020 either (1) a copy of the Corresponding Source for all the
3021 software in the product that is covered by this License, on a
3022 durable physical medium customarily used for software
3023 interchange, for a price no more than your reasonable cost of
3024 physically performing this conveying of source, or (2) access
3025 to copy the Corresponding Source from a network server at no
3028 c. Convey individual copies of the object code with a copy of the
3029 written offer to provide the Corresponding Source. This
3030 alternative is allowed only occasionally and noncommercially,
3031 and only if you received the object code with such an offer,
3032 in accord with subsection 6b.
3034 d. Convey the object code by offering access from a designated
3035 place (gratis or for a charge), and offer equivalent access to
3036 the Corresponding Source in the same way through the same
3037 place at no further charge. You need not require recipients
3038 to copy the Corresponding Source along with the object code.
3039 If the place to copy the object code is a network server, the
3040 Corresponding Source may be on a different server (operated by
3041 you or a third party) that supports equivalent copying
3042 facilities, provided you maintain clear directions next to the
3043 object code saying where to find the Corresponding Source.
3044 Regardless of what server hosts the Corresponding Source, you
3045 remain obligated to ensure that it is available for as long as
3046 needed to satisfy these requirements.
3048 e. Convey the object code using peer-to-peer transmission,
3049 provided you inform other peers where the object code and
3050 Corresponding Source of the work are being offered to the
3051 general public at no charge under subsection 6d.
3053 A separable portion of the object code, whose source code is
3054 excluded from the Corresponding Source as a System Library, need
3055 not be included in conveying the object code work.
3057 A "User Product" is either (1) a "consumer product", which means
3058 any tangible personal property which is normally used for personal,
3059 family, or household purposes, or (2) anything designed or sold for
3060 incorporation into a dwelling. In determining whether a product is
3061 a consumer product, doubtful cases shall be resolved in favor of
3062 coverage. For a particular product received by a particular user,
3063 "normally used" refers to a typical or common use of that class of
3064 product, regardless of the status of the particular user or of the
3065 way in which the particular user actually uses, or expects or is
3066 expected to use, the product. A product is a consumer product
3067 regardless of whether the product has substantial commercial,
3068 industrial or non-consumer uses, unless such uses represent the
3069 only significant mode of use of the product.
3071 "Installation Information" for a User Product means any methods,
3072 procedures, authorization keys, or other information required to
3073 install and execute modified versions of a covered work in that
3074 User Product from a modified version of its Corresponding Source.
3075 The information must suffice to ensure that the continued
3076 functioning of the modified object code is in no case prevented or
3077 interfered with solely because modification has been made.
3079 If you convey an object code work under this section in, or with,
3080 or specifically for use in, a User Product, and the conveying
3081 occurs as part of a transaction in which the right of possession
3082 and use of the User Product is transferred to the recipient in
3083 perpetuity or for a fixed term (regardless of how the transaction
3084 is characterized), the Corresponding Source conveyed under this
3085 section must be accompanied by the Installation Information. But
3086 this requirement does not apply if neither you nor any third party
3087 retains the ability to install modified object code on the User
3088 Product (for example, the work has been installed in ROM).
3090 The requirement to provide Installation Information does not
3091 include a requirement to continue to provide support service,
3092 warranty, or updates for a work that has been modified or installed
3093 by the recipient, or for the User Product in which it has been
3094 modified or installed. Access to a network may be denied when the
3095 modification itself materially and adversely affects the operation
3096 of the network or violates the rules and protocols for
3097 communication across the network.
3099 Corresponding Source conveyed, and Installation Information
3100 provided, in accord with this section must be in a format that is
3101 publicly documented (and with an implementation available to the
3102 public in source code form), and must require no special password
3103 or key for unpacking, reading or copying.
3105 7. Additional Terms.
3107 "Additional permissions" are terms that supplement the terms of
3108 this License by making exceptions from one or more of its
3109 conditions. Additional permissions that are applicable to the
3110 entire Program shall be treated as though they were included in
3111 this License, to the extent that they are valid under applicable
3112 law. If additional permissions apply only to part of the Program,
3113 that part may be used separately under those permissions, but the
3114 entire Program remains governed by this License without regard to
3115 the additional permissions.
3117 When you convey a copy of a covered work, you may at your option
3118 remove any additional permissions from that copy, or from any part
3119 of it. (Additional permissions may be written to require their own
3120 removal in certain cases when you modify the work.) You may place
3121 additional permissions on material, added by you to a covered work,
3122 for which you have or can give appropriate copyright permission.
3124 Notwithstanding any other provision of this License, for material
3125 you add to a covered work, you may (if authorized by the copyright
3126 holders of that material) supplement the terms of this License with
3129 a. Disclaiming warranty or limiting liability differently from
3130 the terms of sections 15 and 16 of this License; or
3132 b. Requiring preservation of specified reasonable legal notices
3133 or author attributions in that material or in the Appropriate
3134 Legal Notices displayed by works containing it; or
3136 c. Prohibiting misrepresentation of the origin of that material,
3137 or requiring that modified versions of such material be marked
3138 in reasonable ways as different from the original version; or
3140 d. Limiting the use for publicity purposes of names of licensors
3141 or authors of the material; or
3143 e. Declining to grant rights under trademark law for use of some
3144 trade names, trademarks, or service marks; or
3146 f. Requiring indemnification of licensors and authors of that
3147 material by anyone who conveys the material (or modified
3148 versions of it) with contractual assumptions of liability to
3149 the recipient, for any liability that these contractual
3150 assumptions directly impose on those licensors and authors.
3152 All other non-permissive additional terms are considered "further
3153 restrictions" within the meaning of section 10. If the Program as
3154 you received it, or any part of it, contains a notice stating that
3155 it is governed by this License along with a term that is a further
3156 restriction, you may remove that term. If a license document
3157 contains a further restriction but permits relicensing or conveying
3158 under this License, you may add to a covered work material governed
3159 by the terms of that license document, provided that the further
3160 restriction does not survive such relicensing or conveying.
3162 If you add terms to a covered work in accord with this section, you
3163 must place, in the relevant source files, a statement of the
3164 additional terms that apply to those files, or a notice indicating
3165 where to find the applicable terms.
3167 Additional terms, permissive or non-permissive, may be stated in
3168 the form of a separately written license, or stated as exceptions;
3169 the above requirements apply either way.
3173 You may not propagate or modify a covered work except as expressly
3174 provided under this License. Any attempt otherwise to propagate or
3175 modify it is void, and will automatically terminate your rights
3176 under this License (including any patent licenses granted under the
3177 third paragraph of section 11).
3179 However, if you cease all violation of this License, then your
3180 license from a particular copyright holder is reinstated (a)
3181 provisionally, unless and until the copyright holder explicitly and
3182 finally terminates your license, and (b) permanently, if the
3183 copyright holder fails to notify you of the violation by some
3184 reasonable means prior to 60 days after the cessation.
3186 Moreover, your license from a particular copyright holder is
3187 reinstated permanently if the copyright holder notifies you of the
3188 violation by some reasonable means, this is the first time you have
3189 received notice of violation of this License (for any work) from
3190 that copyright holder, and you cure the violation prior to 30 days
3191 after your receipt of the notice.
3193 Termination of your rights under this section does not terminate
3194 the licenses of parties who have received copies or rights from you
3195 under this License. If your rights have been terminated and not
3196 permanently reinstated, you do not qualify to receive new licenses
3197 for the same material under section 10.
3199 9. Acceptance Not Required for Having Copies.
3201 You are not required to accept this License in order to receive or
3202 run a copy of the Program. Ancillary propagation of a covered work
3203 occurring solely as a consequence of using peer-to-peer
3204 transmission to receive a copy likewise does not require
3205 acceptance. However, nothing other than this License grants you
3206 permission to propagate or modify any covered work. These actions
3207 infringe copyright if you do not accept this License. Therefore,
3208 by modifying or propagating a covered work, you indicate your
3209 acceptance of this License to do so.
3211 10. Automatic Licensing of Downstream Recipients.
3213 Each time you convey a covered work, the recipient automatically
3214 receives a license from the original licensors, to run, modify and
3215 propagate that work, subject to this License. You are not
3216 responsible for enforcing compliance by third parties with this
3219 An "entity transaction" is a transaction transferring control of an
3220 organization, or substantially all assets of one, or subdividing an
3221 organization, or merging organizations. If propagation of a
3222 covered work results from an entity transaction, each party to that
3223 transaction who receives a copy of the work also receives whatever
3224 licenses to the work the party's predecessor in interest had or
3225 could give under the previous paragraph, plus a right to possession
3226 of the Corresponding Source of the work from the predecessor in
3227 interest, if the predecessor has it or can get it with reasonable
3230 You may not impose any further restrictions on the exercise of the
3231 rights granted or affirmed under this License. For example, you
3232 may not impose a license fee, royalty, or other charge for exercise
3233 of rights granted under this License, and you may not initiate
3234 litigation (including a cross-claim or counterclaim in a lawsuit)
3235 alleging that any patent claim is infringed by making, using,
3236 selling, offering for sale, or importing the Program or any portion
3241 A "contributor" is a copyright holder who authorizes use under this
3242 License of the Program or a work on which the Program is based.
3243 The work thus licensed is called the contributor's "contributor
3246 A contributor's "essential patent claims" are all patent claims
3247 owned or controlled by the contributor, whether already acquired or
3248 hereafter acquired, that would be infringed by some manner,
3249 permitted by this License, of making, using, or selling its
3250 contributor version, but do not include claims that would be
3251 infringed only as a consequence of further modification of the
3252 contributor version. For purposes of this definition, "control"
3253 includes the right to grant patent sublicenses in a manner
3254 consistent with the requirements of this License.
3256 Each contributor grants you a non-exclusive, worldwide,
3257 royalty-free patent license under the contributor's essential
3258 patent claims, to make, use, sell, offer for sale, import and
3259 otherwise run, modify and propagate the contents of its contributor
3262 In the following three paragraphs, a "patent license" is any
3263 express agreement or commitment, however denominated, not to
3264 enforce a patent (such as an express permission to practice a
3265 patent or covenant not to sue for patent infringement). To "grant"
3266 such a patent license to a party means to make such an agreement or
3267 commitment not to enforce a patent against the party.
3269 If you convey a covered work, knowingly relying on a patent
3270 license, and the Corresponding Source of the work is not available
3271 for anyone to copy, free of charge and under the terms of this
3272 License, through a publicly available network server or other
3273 readily accessible means, then you must either (1) cause the
3274 Corresponding Source to be so available, or (2) arrange to deprive
3275 yourself of the benefit of the patent license for this particular
3276 work, or (3) arrange, in a manner consistent with the requirements
3277 of this License, to extend the patent license to downstream
3278 recipients. "Knowingly relying" means you have actual knowledge
3279 that, but for the patent license, your conveying the covered work
3280 in a country, or your recipient's use of the covered work in a
3281 country, would infringe one or more identifiable patents in that
3282 country that you have reason to believe are valid.
3284 If, pursuant to or in connection with a single transaction or
3285 arrangement, you convey, or propagate by procuring conveyance of, a
3286 covered work, and grant a patent license to some of the parties
3287 receiving the covered work authorizing them to use, propagate,
3288 modify or convey a specific copy of the covered work, then the
3289 patent license you grant is automatically extended to all
3290 recipients of the covered work and works based on it.
3292 A patent license is "discriminatory" if it does not include within
3293 the scope of its coverage, prohibits the exercise of, or is
3294 conditioned on the non-exercise of one or more of the rights that
3295 are specifically granted under this License. You may not convey a
3296 covered work if you are a party to an arrangement with a third
3297 party that is in the business of distributing software, under which
3298 you make payment to the third party based on the extent of your
3299 activity of conveying the work, and under which the third party
3300 grants, to any of the parties who would receive the covered work
3301 from you, a discriminatory patent license (a) in connection with
3302 copies of the covered work conveyed by you (or copies made from
3303 those copies), or (b) primarily for and in connection with specific
3304 products or compilations that contain the covered work, unless you
3305 entered into that arrangement, or that patent license was granted,
3306 prior to 28 March 2007.
3308 Nothing in this License shall be construed as excluding or limiting
3309 any implied license or other defenses to infringement that may
3310 otherwise be available to you under applicable patent law.
3312 12. No Surrender of Others' Freedom.
3314 If conditions are imposed on you (whether by court order, agreement
3315 or otherwise) that contradict the conditions of this License, they
3316 do not excuse you from the conditions of this License. If you
3317 cannot convey a covered work so as to satisfy simultaneously your
3318 obligations under this License and any other pertinent obligations,
3319 then as a consequence you may not convey it at all. For example,
3320 if you agree to terms that obligate you to collect a royalty for
3321 further conveying from those to whom you convey the Program, the
3322 only way you could satisfy both those terms and this License would
3323 be to refrain entirely from conveying the Program.
3325 13. Use with the GNU Affero General Public License.
3327 Notwithstanding any other provision of this License, you have
3328 permission to link or combine any covered work with a work licensed
3329 under version 3 of the GNU Affero General Public License into a
3330 single combined work, and to convey the resulting work. The terms
3331 of this License will continue to apply to the part which is the
3332 covered work, but the special requirements of the GNU Affero
3333 General Public License, section 13, concerning interaction through
3334 a network will apply to the combination as such.
3336 14. Revised Versions of this License.
3338 The Free Software Foundation may publish revised and/or new
3339 versions of the GNU General Public License from time to time. Such
3340 new versions will be similar in spirit to the present version, but
3341 may differ in detail to address new problems or concerns.
3343 Each version is given a distinguishing version number. If the
3344 Program specifies that a certain numbered version of the GNU
3345 General Public License "or any later version" applies to it, you
3346 have the option of following the terms and conditions either of
3347 that numbered version or of any later version published by the Free
3348 Software Foundation. If the Program does not specify a version
3349 number of the GNU General Public License, you may choose any
3350 version ever published by the Free Software Foundation.
3352 If the Program specifies that a proxy can decide which future
3353 versions of the GNU General Public License can be used, that
3354 proxy's public statement of acceptance of a version permanently
3355 authorizes you to choose that version for the Program.
3357 Later license versions may give you additional or different
3358 permissions. However, no additional obligations are imposed on any
3359 author or copyright holder as a result of your choosing to follow a
3362 15. Disclaimer of Warranty.
3364 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
3365 APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
3366 COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
3367 WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
3368 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
3369 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
3370 RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
3371 SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
3372 NECESSARY SERVICING, REPAIR OR CORRECTION.
3374 16. Limitation of Liability.
3376 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
3377 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
3378 AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
3379 DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
3380 CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
3381 THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
3382 BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
3383 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
3384 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
3385 THE POSSIBILITY OF SUCH DAMAGES.
3387 17. Interpretation of Sections 15 and 16.
3389 If the disclaimer of warranty and limitation of liability provided
3390 above cannot be given local legal effect according to their terms,
3391 reviewing courts shall apply local law that most closely
3392 approximates an absolute waiver of all civil liability in
3393 connection with the Program, unless a warranty or assumption of
3394 liability accompanies a copy of the Program in return for a fee.
3396 END OF TERMS AND CONDITIONS
3398 How to Apply These Terms to Your New Programs
3399 =============================================
3401 If you develop a new program, and you want it to be of the greatest
3402 possible use to the public, the best way to achieve this is to make it
3403 free software which everyone can redistribute and change under these
3406 To do so, attach the following notices to the program. It is safest
3407 to attach them to the start of each source file to most effectively
3408 state the exclusion of warranty; and each file should have at least the
3409 "copyright" line and a pointer to where the full notice is found.
3411 ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
3412 Copyright (C) YEAR NAME OF AUTHOR
3414 This program is free software: you can redistribute it and/or modify
3415 it under the terms of the GNU General Public License as published by
3416 the Free Software Foundation, either version 3 of the License, or (at
3417 your option) any later version.
3419 This program is distributed in the hope that it will be useful, but
3420 WITHOUT ANY WARRANTY; without even the implied warranty of
3421 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
3422 General Public License for more details.
3424 You should have received a copy of the GNU General Public License
3425 along with this program. If not, see <https://www.gnu.org/licenses/>.
3427 Also add information on how to contact you by electronic and paper mail.
3429 If the program does terminal interaction, make it output a short notice
3430 like this when it starts in an interactive mode:
3432 PROGRAM Copyright (C) YEAR NAME OF AUTHOR
3433 This program comes with ABSOLUTELY NO WARRANTY; for details
3434 type 'show w'. This is free software, and you are
3435 welcome to redistribute it under certain conditions;
3436 type 'show c' for details.
3438 The hypothetical commands 'show w' and 'show c' should show the
3439 appropriate parts of the General Public License. Of course, your
3440 program's commands might be different; for a GUI interface, you would
3443 You should also get your employer (if you work as a programmer) or
3444 school, if any, to sign a "copyright disclaimer" for the program, if
3445 necessary. For more information on this, and how to apply and follow
3446 the GNU GPL, see <https://www.gnu.org/licenses/>.
3448 The GNU General Public License does not permit incorporating your
3449 program into proprietary programs. If your program is a subroutine
3450 library, you may consider it more useful to permit linking proprietary
3451 applications with the library. If this is what you want to do, use the
3452 GNU Lesser General Public License instead of this License. But first,
3453 please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
3456 File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
3458 Contributors to GnuPG
3459 *********************
3461 The GnuPG project would like to thank its many contributors. Without
3462 them the project would not have been nearly as successful as it has
3463 been. Any omissions in this list are accidental. Feel free to contact
3464 the maintainer if you have been left out or some of your contributions
3467 David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
3468 Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
3469 wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
3470 Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc
3471 László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander
3472 Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda
3473 Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun
3474 Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann,
3475 Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki
3476 IIDA did the official translations. Mike Ashley wrote and maintains the
3477 GNU Privacy Handbook. David Scribner is the current FAQ editor.
3478 Lorenzo Cappelletti maintains the web site.
3480 The new modularized architecture of gnupg 1.9 as well as the
3481 X.509/CMS part has been developed as part of the Ägypten project.
3482 Direct contributors to this project are: Bernhard Herzog, who did
3483 extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
3484 made sure that we met the specifications and the deadlines. He did
3485 extensive testing and came up with a lot of suggestions. Jan-Oliver
3486 Wagner made sure that we met the specifications and the deadlines. He
3487 also did extensive testing and came up with a lot of suggestions.
3488 Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
3489 misconceptions while working on KDE integration. Marcus Brinkman
3490 extended GPGME, cleaned up the Assuan code and fixed bugs all over the
3491 place. Moritz Schulte took over Libgcrypt maintenance and developed it
3492 into a stable an useful library. Steffen Hansen had a hard time to
3493 write the dirmngr due to underspecified interfaces. Thomas Koester did
3494 extensive testing and tracked down a lot of bugs. Werner Koch designed
3495 the system and wrote most of the code.
3497 The following people helped greatly by suggesting improvements,
3498 testing, fixing bugs, providing resources and doing other important
3499 tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
3500 Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
3501 Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
3502 Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
3503 Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
3504 Christian Kurz, Christian von Roques, Christopher Oliver, Christian
3505 Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
3506 David C Niemi, David Champion, David Ellement, David Hallinan, David
3507 Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
3508 Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
3509 Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
3510 Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
3511 Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
3512 Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
3513 Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
3514 Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
3515 Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
3516 Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
3517 Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
3518 Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
3519 MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
3520 John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
3521 Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
3522 Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
3523 Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
3524 M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
3525 Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
3526 Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
3527 Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
3528 Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
3529 Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
3530 Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
3531 Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
3532 Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
3533 Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
3534 Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
3535 Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
3536 Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
3537 Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
3538 Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
3539 Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
3540 Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
3541 Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
3542 Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
3543 Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
3544 Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
3545 Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
3548 This software has been made possible by the previous work of Chris
3549 Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
3550 Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
3551 Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
3552 mathematicians and all the folks who have worked hard to create complete
3553 and free operating systems.
3555 And finally we'd like to thank everyone who uses these tools, submits
3556 bug reports and generally reminds us why we're doing this work in the
3560 File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
3566 The _Authority Revocation List_ is technical identical to a CRL but
3567 used for CAs and not for end user certificates.
3570 Verification model for X.509 which uses the creation date of a
3571 signature as the date the validation starts and in turn checks that
3572 each certificate has been issued within the time frame, the issuing
3573 certificate was valid. This allows the verification of signatures
3574 after the CA's certificate expired. The validation test also
3575 required an online check of the certificate status. The chain
3576 model is required by the German signature law. See also _Shell
3580 The _Cryptographic Message Standard_ describes a message format for
3581 encryption and digital signing. It is closely related to the X.509
3582 certificate format. CMS was formerly known under the name 'PKCS#7'
3583 and is described by 'RFC3369'.
3586 The _Certificate Revocation List_ is a list containing certificates
3587 revoked by the issuer.
3590 The _Certificate Signing Request_ is a message send to a CA to ask
3591 them to issue a new certificate. The data format of such a signing
3592 request is called PCKS#10.
3595 A data format used to build a PKI and to exchange encrypted or
3596 signed messages. In contrast to X.509, OpenPGP also includes the
3597 message format but does not explicitly demand a specific PKI.
3598 However any kind of PKI may be build upon the OpenPGP protocol.
3601 This term is used by GnuPG to describe a 20 byte hash value used to
3602 identify a certain key without referencing to a concrete protocol.
3603 It is used internally to access a private key. Usually it is shown
3604 and entered as a 40 character hexadecimal formatted string.
3607 The _Online Certificate Status Protocol_ is used as an alternative
3608 to a CRL. It is described in 'RFC 2560'.
3611 The _Personal Security Environment_ describes a database to store
3612 private keys. This is either a smartcard or a collection of files
3613 on a disk; the latter is often called a Soft-PSE.
3616 The standard model for validation of certificates under X.509. At
3617 the time of the verification all certificates must be valid and not
3618 expired. See also _Chain model_.
3621 Description of a PKI used with CMS. It is for example defined by
3625 File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
3633 * add-servers: Dirmngr Options. (line 222)
3634 * agent-program: GPG Configuration Options.
3636 * agent-program <1>: Configuration Options.
3638 * agent-program <2>: Invoking gpg-connect-agent.
3640 * allow-admin: Scdaemon Options. (line 192)
3641 * allow-emacs-pinentry: Agent Options. (line 180)
3642 * allow-freeform-uid: GPG Esoteric Options.
3644 * allow-loopback-pinentry: Agent Options. (line 162)
3645 * allow-multiple-messages: GPG Esoteric Options.
3647 * allow-non-selfsigned-uid: GPG Esoteric Options.
3649 * allow-ocsp: Dirmngr Options. (line 239)
3650 * allow-preset-passphrase: Agent Options. (line 157)
3651 * allow-secret-key-import: GPG Esoteric Options.
3653 * allow-version-check: Dirmngr Options. (line 113)
3654 * allow-weak-digest-algos: GPG Esoteric Options.
3656 * always-trust: Deprecated Options. (line 21)
3657 * armor: GPG Input and Output.
3659 * armor <1>: Input and Output. (line 8)
3660 * ask-cert-expire: GPG Esoteric Options.
3662 * ask-cert-level: GPG Configuration Options.
3664 * ask-sig-expire: GPG Esoteric Options.
3666 * assume-armor: Input and Output. (line 14)
3667 * assume-base64: Input and Output. (line 18)
3668 * assume-binary: Input and Output. (line 21)
3669 * attribute-fd: GPG Esoteric Options.
3671 * attribute-file: GPG Esoteric Options.
3673 * auto-check-trustdb: GPG Configuration Options.
3675 * auto-issuer-key-retrieve: Certificate Options. (line 50)
3676 * auto-key-locate: GPG Configuration Options.
3678 * auto-key-retrieve: GPG Configuration Options.
3680 * base64: Input and Output. (line 11)
3681 * batch: Agent Options. (line 44)
3682 * batch <1>: GPG Configuration Options.
3684 * bzip2-compress-level: GPG Configuration Options.
3686 * bzip2-decompress-lowmem: GPG Configuration Options.
3688 * c: Dirmngr Options. (line 85)
3689 * cache-cert: dirmngr-client. (line 72)
3690 * call-dirmngr: Operational GPGSM Commands.
3692 * call-protect-tool: Operational GPGSM Commands.
3694 * card-edit: Operational GPG Commands.
3696 * card-status: Operational GPG Commands.
3698 * card-timeout: Scdaemon Options. (line 168)
3699 * cert-digest-algo: GPG Esoteric Options.
3701 * cert-notation: GPG Esoteric Options.
3703 * cert-policy-url: GPG Esoteric Options.
3705 * change-passphrase: OpenPGP Key Management.
3707 * change-passphrase <1>: Certificate Management.
3709 * change-pin: Operational GPG Commands.
3711 * check-passphrase-pattern: Agent Options. (line 230)
3712 * check-signatures: Operational GPG Commands.
3714 * check-sigs: Operational GPG Commands.
3716 * check-trustdb: Operational GPG Commands.
3718 * cipher-algo: GPG Esoteric Options.
3720 * cipher-algo <1>: CMS Options. (line 13)
3721 * clear-sign: Operational GPG Commands.
3723 * clearsign: Operational GPG Commands.
3725 * command-fd: GPG Esoteric Options.
3727 * command-file: GPG Esoteric Options.
3729 * comment: GPG Esoteric Options.
3731 * compliance: Compliance Options. (line 64)
3732 * compliant-needed: GPG Configuration Options.
3734 * compress-algo: GPG Esoteric Options.
3736 * compress-level: GPG Configuration Options.
3738 * create-socketdir: Invoking gpgconf. (line 91)
3739 * csh: Agent Options. (line 134)
3740 * csh <1>: Dirmngr Options. (line 85)
3741 * ctapi-driver: Scdaemon Options. (line 145)
3742 * daemon: Agent Commands. (line 27)
3743 * daemon <1>: Dirmngr Commands. (line 27)
3744 * daemon <2>: Scdaemon Commands. (line 31)
3745 * dearmor: Operational GPG Commands.
3747 * debug: Agent Options. (line 78)
3748 * debug <1>: Dirmngr Options. (line 59)
3749 * debug <2>: GPG Esoteric Options.
3751 * debug <3>: Esoteric Options. (line 54)
3752 * debug <4>: Scdaemon Options. (line 69)
3753 * debug-all: Agent Options. (line 102)
3754 * debug-all <1>: Dirmngr Options. (line 66)
3755 * debug-all <2>: GPG Esoteric Options.
3757 * debug-all <3>: Esoteric Options. (line 81)
3758 * debug-all <4>: Scdaemon Options. (line 96)
3759 * debug-allow-core-dump: Esoteric Options. (line 84)
3760 * debug-allow-core-dump <1>: Scdaemon Options. (line 113)
3761 * debug-assuan-log-cats: Scdaemon Options. (line 122)
3762 * debug-disable-ticker: Scdaemon Options. (line 109)
3763 * debug-ignore-expiration: Esoteric Options. (line 95)
3764 * debug-iolbf: GPG Esoteric Options.
3766 * debug-level: Agent Options. (line 53)
3767 * debug-level <1>: Dirmngr Options. (line 34)
3768 * debug-level <2>: GPG Esoteric Options.
3770 * debug-level <3>: Esoteric Options. (line 29)
3771 * debug-level <4>: Scdaemon Options. (line 40)
3772 * debug-log-tid: Scdaemon Options. (line 119)
3773 * debug-no-chain-validation: Esoteric Options. (line 91)
3774 * debug-pinentry: Agent Options. (line 122)
3775 * debug-quick-random: Agent Options. (line 110)
3776 * debug-wait: Agent Options. (line 105)
3777 * debug-wait <1>: Dirmngr Options. (line 72)
3778 * debug-wait <2>: Scdaemon Options. (line 99)
3779 * debug-wait <3>: Scdaemon Options. (line 104)
3780 * decode: Invoking gpg-connect-agent.
3782 * decrypt: Operational GPG Commands.
3784 * decrypt <1>: Operational GPGSM Commands.
3786 * decrypt <2>: gpg-zip. (line 22)
3787 * decrypt-files: Operational GPG Commands.
3789 * default-cache-ttl: Agent Options. (line 191)
3790 * default-cache-ttl <1>: Agent Options. (line 197)
3791 * default-cert-expire: GPG Esoteric Options.
3793 * default-cert-level: GPG Configuration Options.
3795 * default-key: GPG Configuration Options.
3797 * default-key <1>: Input and Output. (line 34)
3798 * default-keyserver-url: GPG Esoteric Options.
3800 * default-new-key-algo STRING: GPG Esoteric Options.
3802 * default-preference-list: GPG Esoteric Options.
3804 * default-recipient: GPG Configuration Options.
3806 * default-recipient-self: GPG Configuration Options.
3808 * default-sig-expire: GPG Esoteric Options.
3810 * delete-keys: Certificate Management.
3812 * delete-secret-and-public-key: Operational GPG Commands.
3814 * delete-secret-keys: Operational GPG Commands.
3816 * deny-admin: Scdaemon Options. (line 192)
3817 * desig-revoke: OpenPGP Key Management.
3819 * detach-sign: Operational GPG Commands.
3821 * digest-algo: GPG Esoteric Options.
3823 * dirmngr: Invoking gpg-connect-agent.
3825 * dirmngr-program: GPG Configuration Options.
3827 * dirmngr-program <1>: Configuration Options.
3829 * dirmngr-program <2>: Invoking gpg-connect-agent.
3831 * disable-application: Scdaemon Options. (line 202)
3832 * disable-ccid: Scdaemon Options. (line 150)
3833 * disable-check-own-socket: Agent Options. (line 295)
3834 * disable-check-own-socket <1>: Dirmngr Options. (line 77)
3835 * disable-cipher-algo: GPG Esoteric Options.
3837 * disable-crl-checks: Certificate Options. (line 13)
3838 * disable-dsa2: GPG Configuration Options.
3840 * disable-http: Dirmngr Options. (line 160)
3841 * disable-large-rsa: GPG Configuration Options.
3843 * disable-ldap: Dirmngr Options. (line 157)
3844 * disable-mdc: OpenPGP Options. (line 30)
3845 * disable-ocsp: Certificate Options. (line 41)
3846 * disable-pinpad: Scdaemon Options. (line 189)
3847 * disable-policy-checks: Certificate Options. (line 8)
3848 * disable-pubkey-algo: GPG Esoteric Options.
3850 * disable-scdaemon: Agent Options. (line 289)
3851 * disable-signer-uid: OpenPGP Options. (line 35)
3852 * disable-trusted-cert-crl-check: Certificate Options. (line 19)
3853 * display: Agent Options. (line 313)
3854 * display-charset: GPG Configuration Options.
3856 * display-charset:iso-8859-1: GPG Configuration Options.
3858 * display-charset:iso-8859-15: GPG Configuration Options.
3860 * display-charset:iso-8859-2: GPG Configuration Options.
3862 * display-charset:koi8-r: GPG Configuration Options.
3864 * display-charset:utf-8: GPG Configuration Options.
3866 * dry-run: GPG Esoteric Options.
3868 * dump-cert: Certificate Management.
3870 * dump-chain: Certificate Management.
3872 * dump-external-keys: Certificate Management.
3874 * dump-keys: Certificate Management.
3876 * dump-options: Agent Commands. (line 19)
3877 * dump-options <1>: Dirmngr Commands. (line 18)
3878 * dump-options <2>: General GPG Commands.
3880 * dump-options <3>: General GPGSM Commands.
3882 * dump-options <4>: Scdaemon Commands. (line 18)
3883 * dump-secret-keys: Certificate Management.
3885 * edit-card: Operational GPG Commands.
3887 * edit-key: OpenPGP Key Management.
3889 * emit-version: GPG Esoteric Options.
3891 * enable-crl-checks: Certificate Options. (line 13)
3892 * enable-dsa2: GPG Configuration Options.
3894 * enable-large-rsa: GPG Configuration Options.
3896 * enable-ocsp: Certificate Options. (line 41)
3897 * enable-passphrase-history: Agent Options. (line 249)
3898 * enable-pinpad-varlen: Scdaemon Options. (line 181)
3899 * enable-policy-checks: Certificate Options. (line 8)
3900 * enable-progress-filter: GPG Esoteric Options.
3902 * enable-putty-support: Agent Options. (line 337)
3903 * enable-special-filenames: GPG Esoteric Options.
3905 * enable-special-filenames <1>: gpgv. (line 92)
3906 * enable-ssh-support: Agent Options. (line 337)
3907 * enable-trusted-cert-crl-check: Certificate Options. (line 19)
3908 * enarmor: Operational GPG Commands.
3910 * encrypt: Operational GPG Commands.
3912 * encrypt <1>: Operational GPGSM Commands.
3914 * encrypt <2>: gpg-zip. (line 17)
3915 * encrypt-files: Operational GPG Commands.
3917 * encrypt-to: GPG Key related Options.
3919 * enforce-passphrase-constraints: Agent Options. (line 215)
3920 * escape-from-lines: GPG Esoteric Options.
3922 * exec: Invoking gpg-connect-agent.
3924 * exec-path: GPG Configuration Options.
3926 * exit-on-status-write-error: GPG Configuration Options.
3928 * expert: GPG Configuration Options.
3930 * export: Operational GPG Commands.
3932 * export <1>: Certificate Management.
3934 * export-filter: GPG Input and Output.
3936 * export-options: GPG Input and Output.
3938 * export-ownertrust: Operational GPG Commands.
3940 * export-secret-key-p12: Certificate Management.
3942 * export-secret-key-p8: Certificate Management.
3944 * export-secret-key-raw: Certificate Management.
3946 * export-secret-keys: Operational GPG Commands.
3948 * export-secret-subkeys: Operational GPG Commands.
3950 * export-ssh-key: Operational GPG Commands.
3952 * extra-digest-algo: Esoteric Options. (line 7)
3953 * extra-socket: Agent Options. (line 323)
3954 * faked-system-time: Agent Options. (line 48)
3955 * faked-system-time <1>: GPG Esoteric Options.
3957 * faked-system-time <2>: Esoteric Options. (line 18)
3958 * fast-list-mode: GPG Esoteric Options.
3960 * fetch-crl: Dirmngr Commands. (line 52)
3961 * fetch-keys: Operational GPG Commands.
3963 * fingerprint: Operational GPG Commands.
3965 * fixed-list-mode: GPG Input and Output.
3967 * flush: Dirmngr Commands. (line 62)
3968 * for-your-eyes-only: GPG Esoteric Options.
3970 * force: Dirmngr Options. (line 91)
3971 * force <1>: watchgnupg. (line 23)
3972 * force-crl-refresh: Certificate Options. (line 30)
3973 * force-default-responder: dirmngr-client. (line 64)
3974 * force-mdc: OpenPGP Options. (line 24)
3975 * forget: Invoking gpg-preset-passphrase.
3977 * full-gen-key: OpenPGP Key Management.
3979 * full-generate-key: OpenPGP Key Management.
3981 * gen-key: OpenPGP Key Management.
3983 * gen-key <1>: Certificate Management.
3985 * gen-prime: Operational GPG Commands.
3987 * gen-random: Operational GPG Commands.
3989 * gen-revoke: OpenPGP Key Management.
3991 * generate-designated-revocation: OpenPGP Key Management.
3993 * generate-key: OpenPGP Key Management.
3995 * generate-key <1>: Certificate Management.
3997 * generate-revocation: OpenPGP Key Management.
3999 * gnupg: Compliance Options. (line 12)
4000 * gnutls-debug: Dirmngr Options. (line 69)
4001 * gpg: gpg-zip. (line 50)
4002 * gpg-agent-info: GPG Configuration Options.
4004 * gpg-args: gpg-zip. (line 53)
4005 * gpgconf-list: GPG Esoteric Options.
4007 * gpgconf-test: GPG Esoteric Options.
4009 * group: GPG Key related Options.
4011 * help: Agent Commands. (line 15)
4012 * help <1>: Dirmngr Commands. (line 14)
4013 * help <2>: General GPG Commands.
4015 * help <3>: General GPGSM Commands.
4017 * help <4>: Scdaemon Commands. (line 14)
4018 * help <5>: watchgnupg. (line 39)
4019 * help <6>: dirmngr-client. (line 44)
4020 * help <7>: gpg-zip. (line 65)
4021 * hex: Invoking gpg-connect-agent.
4023 * hidden-encrypt-to: GPG Key related Options.
4025 * hidden-recipient: GPG Key related Options.
4027 * hidden-recipient-file: GPG Key related Options.
4029 * homedir: Agent Options. (line 13)
4030 * homedir <1>: GPG Configuration Options.
4032 * homedir <2>: Configuration Options.
4034 * homedir <3>: Scdaemon Options. (line 13)
4035 * homedir <4>: gpgv. (line 64)
4036 * homedir <5>: Invoking gpg-connect-agent.
4038 * homedir <6>: Invoking symcryptrun.
4040 * honor-http-proxy: Dirmngr Options. (line 179)
4041 * http-proxy: Dirmngr Options. (line 183)
4042 * ignore-cache-for-signing: Agent Options. (line 185)
4043 * ignore-cert-extension: Dirmngr Options. (line 288)
4044 * ignore-cert-extension <1>: Certificate Options. (line 70)
4045 * ignore-crc-error: GPG Esoteric Options.
4047 * ignore-http-dp: Dirmngr Options. (line 163)
4048 * ignore-ldap-dp: Dirmngr Options. (line 170)
4049 * ignore-mdc-error: GPG Esoteric Options.
4051 * ignore-ocsp-service-url: Dirmngr Options. (line 175)
4052 * ignore-time-conflict: GPG Esoteric Options.
4054 * ignore-time-conflict <1>: gpgv. (line 58)
4055 * ignore-valid-from: GPG Esoteric Options.
4057 * import: Operational GPG Commands.
4059 * import <1>: Certificate Management.
4061 * import-filter: GPG Input and Output.
4063 * import-options: GPG Input and Output.
4065 * import-ownertrust: Operational GPG Commands.
4067 * include-certs: CMS Options. (line 7)
4068 * input-size-hint: GPG Input and Output.
4070 * interactive: GPG Esoteric Options.
4072 * keep-display: Agent Options. (line 318)
4073 * keep-tty: Agent Options. (line 318)
4074 * keydb-clear-some-cert-flags: Certificate Management.
4076 * keyedit:addcardkey: OpenPGP Key Management.
4078 * keyedit:addkey: OpenPGP Key Management.
4080 * keyedit:addphoto: OpenPGP Key Management.
4082 * keyedit:addrevoker: OpenPGP Key Management.
4084 * keyedit:adduid: OpenPGP Key Management.
4086 * keyedit:bkuptocard: OpenPGP Key Management.
4088 * keyedit:check: OpenPGP Key Management.
4090 * keyedit:clean: OpenPGP Key Management.
4092 * keyedit:cross-certify: OpenPGP Key Management.
4094 * keyedit:delkey: OpenPGP Key Management.
4096 * keyedit:delsig: OpenPGP Key Management.
4098 * keyedit:deluid: OpenPGP Key Management.
4100 * keyedit:disable: OpenPGP Key Management.
4102 * keyedit:enable: OpenPGP Key Management.
4104 * keyedit:expire: OpenPGP Key Management.
4106 * keyedit:key: OpenPGP Key Management.
4108 * keyedit:keyserver: OpenPGP Key Management.
4110 * keyedit:keytocard: OpenPGP Key Management.
4112 * keyedit:lsign: OpenPGP Key Management.
4114 * keyedit:minimize: OpenPGP Key Management.
4116 * keyedit:notation: OpenPGP Key Management.
4118 * keyedit:nrsign: OpenPGP Key Management.
4120 * keyedit:passwd: OpenPGP Key Management.
4122 * keyedit:pref: OpenPGP Key Management.
4124 * keyedit:primary: OpenPGP Key Management.
4126 * keyedit:quit: OpenPGP Key Management.
4128 * keyedit:revkey: OpenPGP Key Management.
4130 * keyedit:revsig: OpenPGP Key Management.
4132 * keyedit:revuid: OpenPGP Key Management.
4134 * keyedit:save: OpenPGP Key Management.
4136 * keyedit:setpref: OpenPGP Key Management.
4138 * keyedit:showphoto: OpenPGP Key Management.
4140 * keyedit:showpref: OpenPGP Key Management.
4142 * keyedit:sign: OpenPGP Key Management.
4144 * keyedit:toggle: OpenPGP Key Management.
4146 * keyedit:trust: OpenPGP Key Management.
4148 * keyedit:tsign: OpenPGP Key Management.
4150 * keyedit:uid: OpenPGP Key Management.
4152 * keyid-format: GPG Configuration Options.
4154 * keyring: GPG Configuration Options.
4156 * keyring <1>: gpgv. (line 37)
4157 * keyserver: Dirmngr Options. (line 124)
4158 * keyserver <1>: GPG Configuration Options.
4160 * keyserver-options: GPG Configuration Options.
4162 * kill: Invoking gpgconf. (line 84)
4163 * launch: Invoking gpgconf. (line 76)
4164 * lc-ctype: Agent Options. (line 313)
4165 * lc-messages: Agent Options. (line 313)
4166 * ldap-proxy: Dirmngr Options. (line 188)
4167 * ldapserverlist-file: Dirmngr Options. (line 199)
4168 * ldaptimeout: Dirmngr Options. (line 217)
4169 * learn-card: Certificate Management.
4171 * legacy-list-mode: GPG Input and Output.
4173 * limit-card-insert-tries: GPG Configuration Options.
4175 * list-archive: gpg-zip. (line 43)
4176 * list-chain: Certificate Management.
4178 * list-config: GPG Esoteric Options.
4180 * list-crls: Dirmngr Commands. (line 40)
4181 * list-gcrypt-config: GPG Esoteric Options.
4183 * list-keys: Operational GPG Commands.
4185 * list-keys <1>: Certificate Management.
4187 * list-keys <2>: Certificate Management.
4189 * list-only: GPG Esoteric Options.
4191 * list-options: GPG Configuration Options.
4193 * list-options:show-keyring: GPG Configuration Options.
4195 * list-options:show-keyserver-urls: GPG Configuration Options.
4197 * list-options:show-notations: GPG Configuration Options.
4199 * list-options:show-photos: GPG Configuration Options.
4201 * list-options:show-policy-urls: GPG Configuration Options.
4203 * list-options:show-sig-expire: GPG Configuration Options.
4205 * list-options:show-sig-subpackets: GPG Configuration Options.
4207 * list-options:show-std-notations: GPG Configuration Options.
4209 * list-options:show-uid-validity: GPG Configuration Options.
4211 * list-options:show-unusable-subkeys: GPG Configuration Options.
4213 * list-options:show-unusable-uids: GPG Configuration Options.
4215 * list-options:show-usage: GPG Configuration Options.
4217 * list-options:show-user-notations: GPG Configuration Options.
4219 * list-packets: Operational GPG Commands.
4221 * list-secret-keys: Operational GPG Commands.
4223 * list-secret-keys <1>: Certificate Management.
4225 * list-signatures: Operational GPG Commands.
4227 * list-sigs: Operational GPG Commands.
4229 * load-crl: Dirmngr Commands. (line 44)
4230 * load-crl <1>: dirmngr-client. (line 80)
4231 * local-user: GPG Key related Options.
4233 * local-user <1>: Input and Output. (line 41)
4234 * local-user <2>: gpg-zip. (line 40)
4235 * locate-keys: Operational GPG Commands.
4237 * lock-multiple: GPG Configuration Options.
4239 * lock-never: GPG Configuration Options.
4241 * lock-once: GPG Configuration Options.
4243 * log-file: Agent Options. (line 144)
4244 * log-file <1>: Dirmngr Options. (line 30)
4245 * log-file <2>: GPG Esoteric Options.
4247 * log-file <3>: Configuration Options.
4249 * log-file <4>: Scdaemon Options. (line 135)
4250 * log-file <5>: Invoking symcryptrun.
4252 * logger-fd: GPG Esoteric Options.
4254 * logger-fd <1>: gpgv. (line 55)
4255 * lookup: dirmngr-client. (line 86)
4256 * lsign-key: OpenPGP Key Management.
4258 * mangle-dos-filenames: GPG Configuration Options.
4260 * marginals-needed: GPG Configuration Options.
4262 * max-cache-ttl: Agent Options. (line 203)
4263 * max-cache-ttl-ssh: Agent Options. (line 209)
4264 * max-cert-depth: GPG Configuration Options.
4266 * max-output: GPG Input and Output.
4268 * max-passphrase-days: Agent Options. (line 244)
4269 * max-replies: Dirmngr Options. (line 285)
4270 * min-cert-level: GPG Configuration Options.
4272 * min-passphrase-len: Agent Options. (line 219)
4273 * min-passphrase-nonalpha: Agent Options. (line 224)
4274 * multi-server: Scdaemon Commands. (line 26)
4275 * multifile: Operational GPG Commands.
4277 * nameserver: Dirmngr Options. (line 150)
4278 * no: GPG Configuration Options.
4280 * no-allow-external-cache: Agent Options. (line 170)
4281 * no-allow-loopback-pinentry: Agent Options. (line 162)
4282 * no-allow-mark-trusted: Agent Options. (line 152)
4283 * no-armor: GPG Input and Output.
4285 * no-auto-key-retrieve: GPG Configuration Options.
4287 * no-autostart: GPG Configuration Options.
4289 * no-autostart <1>: Configuration Options.
4291 * no-autostart <2>: Invoking gpg-connect-agent.
4293 * no-batch: GPG Configuration Options.
4295 * no-common-certs-import: Esoteric Options. (line 124)
4296 * no-default-keyring: GPG Esoteric Options.
4298 * no-default-recipient: GPG Configuration Options.
4300 * no-detach: Agent Options. (line 127)
4301 * no-detach <1>: Scdaemon Options. (line 131)
4302 * no-encrypt-to: GPG Key related Options.
4304 * no-expensive-trust-checks: GPG Esoteric Options.
4306 * no-ext-connect: Invoking gpg-connect-agent.
4308 * no-grab: Agent Options. (line 140)
4309 * no-greeting: GPG Configuration Options.
4311 * no-groups: GPG Key related Options.
4313 * no-keyring: GPG Esoteric Options.
4315 * no-literal: GPG Esoteric Options.
4317 * no-mangle-dos-filenames: GPG Configuration Options.
4319 * no-mdc-warning: GPG Configuration Options.
4321 * no-options: GPG Configuration Options.
4323 * no-random-seed-file: GPG Configuration Options.
4325 * no-secmem-warning: GPG Configuration Options.
4327 * no-secmem-warning <1>: Configuration Options.
4329 * no-sig-cache: GPG Configuration Options.
4331 * no-skip-hidden-recipients: GPG Key related Options.
4333 * no-tty: GPG Configuration Options.
4335 * no-use-standard-socket: Agent Options. (line 303)
4336 * no-verbose: GPG Configuration Options.
4338 * not-dash-escaped: GPG Esoteric Options.
4340 * ocsp: dirmngr-client. (line 61)
4341 * ocsp-current-period: Dirmngr Options. (line 280)
4342 * ocsp-max-clock-skew: Dirmngr Options. (line 272)
4343 * ocsp-max-period: Dirmngr Options. (line 276)
4344 * ocsp-responder: Dirmngr Options. (line 246)
4345 * ocsp-signer: Dirmngr Options. (line 251)
4346 * only-ldap-proxy: Dirmngr Options. (line 194)
4347 * openpgp: Compliance Options. (line 19)
4348 * options: Agent Options. (line 7)
4349 * options <1>: Dirmngr Options. (line 11)
4350 * options <2>: Dirmngr Options. (line 16)
4351 * options <3>: GPG Configuration Options.
4353 * options <4>: Configuration Options.
4355 * options <5>: Scdaemon Options. (line 7)
4356 * output: GPG Input and Output.
4358 * output <1>: Input and Output. (line 51)
4359 * output <2>: gpgv. (line 44)
4360 * output <3>: gpg-zip. (line 47)
4361 * override-session-key: GPG Esoteric Options.
4363 * p12-charset: Input and Output. (line 24)
4364 * passphrase: GPG Esoteric Options.
4366 * passphrase <1>: Invoking gpg-preset-passphrase.
4368 * passphrase-fd: GPG Esoteric Options.
4370 * passphrase-fd <1>: Esoteric Options. (line 100)
4371 * passphrase-file: GPG Esoteric Options.
4373 * passphrase-repeat: GPG Esoteric Options.
4375 * passwd: OpenPGP Key Management.
4377 * passwd <1>: Certificate Management.
4379 * pcsc-driver: Scdaemon Options. (line 139)
4380 * pem: dirmngr-client. (line 58)
4381 * permission-warning: GPG Configuration Options.
4383 * personal-cipher-preferences: OpenPGP Options. (line 42)
4384 * personal-compress-preferences: OpenPGP Options. (line 60)
4385 * personal-digest-preferences: OpenPGP Options. (line 51)
4386 * pgp6: Compliance Options. (line 41)
4387 * pgp7: Compliance Options. (line 51)
4388 * pgp8: Compliance Options. (line 57)
4389 * photo-viewer: GPG Configuration Options.
4391 * pinentry-invisible-char: Agent Options. (line 252)
4392 * pinentry-mode: GPG Esoteric Options.
4394 * pinentry-mode <1>: Esoteric Options. (line 109)
4395 * pinentry-program: Agent Options. (line 263)
4396 * pinentry-timeout: Agent Options. (line 257)
4397 * pinentry-touch-file: Agent Options. (line 276)
4398 * ping: dirmngr-client. (line 69)
4399 * policy-file: Configuration Options.
4401 * prefer-system-dirmngr: Configuration Options.
4403 * preserve-permissions: GPG Esoteric Options.
4405 * preset: Invoking gpg-preset-passphrase.
4407 * primary-keyring: GPG Configuration Options.
4409 * print-md: Operational GPG Commands.
4411 * q: Invoking gpg-connect-agent.
4413 * q <1>: Invoking symcryptrun.
4415 * quick-add-key: OpenPGP Key Management.
4417 * quick-add-uid: OpenPGP Key Management.
4419 * quick-generate-key: OpenPGP Key Management.
4421 * quick-lsign-key: OpenPGP Key Management.
4423 * quick-revoke-uid: OpenPGP Key Management.
4425 * quick-set-expire: OpenPGP Key Management.
4427 * quick-sign-key: OpenPGP Key Management.
4429 * quiet: Agent Options. (line 41)
4430 * quiet <1>: GPG Configuration Options.
4432 * quiet <2>: gpgv. (line 34)
4433 * quiet <3>: Invoking gpgconf. (line 112)
4434 * quiet <4>: Invoking gpg-connect-agent.
4436 * quiet <5>: dirmngr-client. (line 48)
4437 * quiet <6>: Invoking symcryptrun.
4439 * raw-socket: Invoking gpg-connect-agent.
4441 * reader-port: Scdaemon Options. (line 156)
4442 * rebuild-keydb-caches: Operational GPG Commands.
4444 * receive-keys: Operational GPG Commands.
4446 * recipient: GPG Key related Options.
4448 * recipient <1>: Input and Output. (line 46)
4449 * recipient <2>: gpg-zip. (line 36)
4450 * recipient-file: GPG Key related Options.
4452 * recursive-resolver: Dirmngr Options. (line 106)
4453 * recv-keys: Operational GPG Commands.
4455 * refresh-keys: Operational GPG Commands.
4457 * reload: Invoking gpgconf. (line 70)
4458 * remove-socketdir: Invoking gpgconf. (line 97)
4459 * require-cross-certification: GPG Configuration Options.
4461 * require-secmem: GPG Configuration Options.
4463 * rfc2440: Compliance Options. (line 37)
4464 * rfc4880: Compliance Options. (line 25)
4465 * rfc4880bis: Compliance Options. (line 30)
4466 * run: Invoking gpg-connect-agent.
4468 * s: Dirmngr Options. (line 85)
4469 * s2k-cipher-algo: OpenPGP Options. (line 70)
4470 * s2k-count: OpenPGP Options. (line 86)
4471 * s2k-digest-algo: OpenPGP Options. (line 75)
4472 * s2k-mode: OpenPGP Options. (line 79)
4473 * scdaemon-program: Agent Options. (line 285)
4474 * search-keys: Operational GPG Commands.
4476 * secret-keyring: GPG Configuration Options.
4478 * send-keys: Operational GPG Commands.
4480 * sender: GPG Key related Options.
4482 * server: Agent Commands. (line 23)
4483 * server <1>: Dirmngr Commands. (line 22)
4484 * server <2>: Operational GPGSM Commands.
4486 * server <3>: Scdaemon Commands. (line 22)
4487 * set-filename: GPG Esoteric Options.
4489 * set-filesize: GPG Esoteric Options.
4491 * set-notation: GPG Esoteric Options.
4493 * set-policy-url: GPG Esoteric Options.
4495 * sh: Agent Options. (line 134)
4496 * sh <1>: Dirmngr Options. (line 85)
4497 * show-keyring: Deprecated Options. (line 16)
4498 * show-notation: Deprecated Options. (line 25)
4499 * show-photos: Deprecated Options. (line 8)
4500 * show-policy-url: Deprecated Options. (line 33)
4501 * show-session-key: GPG Esoteric Options.
4503 * shutdown: Dirmngr Commands. (line 58)
4504 * sig-keyserver-url: GPG Esoteric Options.
4506 * sig-notation: GPG Esoteric Options.
4508 * sig-policy-url: GPG Esoteric Options.
4510 * sign: Operational GPG Commands.
4512 * sign <1>: Operational GPGSM Commands.
4514 * sign-key: OpenPGP Key Management.
4516 * skip-hidden-recipients: GPG Key related Options.
4518 * skip-verify: GPG Esoteric Options.
4520 * squid-mode: dirmngr-client. (line 101)
4521 * standard-resolver: Dirmngr Options. (line 100)
4522 * status-fd: GPG Esoteric Options.
4524 * status-fd <1>: gpgv. (line 51)
4525 * status-file: GPG Esoteric Options.
4527 * store: Operational GPG Commands.
4529 * subst: Invoking gpg-connect-agent.
4531 * supervised: Agent Commands. (line 36)
4532 * supervised <1>: Dirmngr Commands. (line 33)
4533 * symmetric: Operational GPG Commands.
4535 * tar: gpg-zip. (line 56)
4536 * tar-args: gpg-zip. (line 59)
4537 * textmode: OpenPGP Options. (line 8)
4538 * throw-keyids: GPG Esoteric Options.
4540 * time-only: watchgnupg. (line 30)
4541 * tofu-default-policy: GPG Configuration Options.
4543 * tofu-policy: Operational GPG Commands.
4545 * trust-mode:always: GPG Configuration Options.
4547 * trust-mode:auto: GPG Configuration Options.
4549 * trust-mode:classic: GPG Configuration Options.
4551 * trust-mode:direct: GPG Configuration Options.
4553 * trust-mode:pgp: GPG Configuration Options.
4555 * trust-mode:tofu: GPG Configuration Options.
4557 * trust-mode:tofu+pgp: GPG Configuration Options.
4559 * trust-model: GPG Configuration Options.
4561 * trustdb-name: GPG Configuration Options.
4563 * trusted-key: GPG Configuration Options.
4565 * try-all-secrets: GPG Key related Options.
4567 * try-secret-key: GPG Key related Options.
4569 * ttyname: Agent Options. (line 313)
4570 * ttytype: Agent Options. (line 313)
4571 * ungroup: GPG Key related Options.
4573 * update-trustdb: Operational GPG Commands.
4575 * url: dirmngr-client. (line 94)
4576 * url <1>: dirmngr-client. (line 98)
4577 * use-agent: GPG Configuration Options.
4579 * use-embedded-filename: GPG Esoteric Options.
4581 * use-standard-socket: Agent Options. (line 303)
4582 * use-standard-socket-p: Agent Options. (line 303)
4583 * use-tor: Dirmngr Options. (line 95)
4584 * utf8-strings: GPG Configuration Options.
4586 * v: Dirmngr Options. (line 25)
4587 * v <1>: Configuration Options.
4589 * v <2>: Scdaemon Options. (line 35)
4590 * v <3>: dirmngr-client. (line 53)
4591 * validate: dirmngr-client. (line 76)
4592 * validation-model: Certificate Options. (line 61)
4593 * verbose: Agent Options. (line 35)
4594 * verbose <1>: Dirmngr Options. (line 25)
4595 * verbose <2>: GPG Configuration Options.
4597 * verbose <3>: Configuration Options.
4599 * verbose <4>: Scdaemon Options. (line 35)
4600 * verbose <5>: watchgnupg. (line 33)
4601 * verbose <6>: gpgv. (line 29)
4602 * verbose <7>: Invoking gpg-preset-passphrase.
4604 * verbose <8>: Invoking gpg-connect-agent.
4606 * verbose <9>: dirmngr-client. (line 53)
4607 * verbose <10>: Invoking symcryptrun.
4609 * verify: Operational GPG Commands.
4611 * verify <1>: Operational GPGSM Commands.
4613 * verify-files: Operational GPG Commands.
4615 * verify-options: GPG Configuration Options.
4617 * verify-options:pka-lookups: GPG Configuration Options.
4619 * verify-options:pka-trust-increase: GPG Configuration Options.
4621 * verify-options:show-keyserver-urls: GPG Configuration Options.
4623 * verify-options:show-notations: GPG Configuration Options.
4625 * verify-options:show-photos: GPG Configuration Options.
4627 * verify-options:show-policy-urls: GPG Configuration Options.
4629 * verify-options:show-primary-uid-only: GPG Configuration Options.
4631 * verify-options:show-std-notations: GPG Configuration Options.
4633 * verify-options:show-uid-validity: GPG Configuration Options.
4635 * verify-options:show-unusable-uids: GPG Configuration Options.
4637 * verify-options:show-user-notations: GPG Configuration Options.
4639 * version: Agent Commands. (line 10)
4640 * version <1>: Dirmngr Commands. (line 10)
4641 * version <2>: General GPG Commands.
4643 * version <3>: General GPGSM Commands.
4645 * version <4>: Scdaemon Commands. (line 10)
4646 * version <5>: watchgnupg. (line 36)
4647 * version <6>: dirmngr-client. (line 40)
4648 * version <7>: gpg-zip. (line 62)
4649 * warranty: General GPG Commands.
4651 * warranty <1>: General GPGSM Commands.
4653 * weak-digest: GPG Esoteric Options.
4655 * weak-digest <1>: gpgv. (line 85)
4656 * with-colons: GPG Input and Output.
4658 * with-ephemeral-keys: Esoteric Options. (line 24)
4659 * with-fingerprint: GPG Input and Output.
4661 * with-icao-spelling: GPG Input and Output.
4663 * with-key-data: GPG Esoteric Options.
4665 * with-key-data <1>: Input and Output. (line 54)
4666 * with-keygrip: GPG Input and Output.
4668 * with-secret: GPG Input and Output.
4670 * with-secret <1>: Input and Output. (line 78)
4671 * with-subkey-fingerprint: GPG Input and Output.
4673 * with-validation: Input and Output. (line 60)
4674 * with-wkd-hash: GPG Input and Output.
4676 * xauthority: Agent Options. (line 313)
4677 * yes: GPG Configuration Options.
4681 File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top
4683 Environment Variable and File Index
4684 ***********************************
4689 * .gpg-v21-migrated: GPG Configuration. (line 52)
4690 * ~/.gnupg: GPG Configuration. (line 27)
4691 * ASSUAN_DEBUG: Scdaemon Options. (line 122)
4692 * COLUMNS: GPG Configuration. (line 96)
4693 * com-certs.pem: GPGSM Configuration. (line 84)
4694 * dirmngr.conf: Dirmngr Configuration.
4696 * DISPLAY: GPGSM OPTION. (line 21)
4697 * GNUPGHOME: Agent Options. (line 13)
4698 * GNUPGHOME <1>: GPG Configuration Options.
4700 * GNUPGHOME <2>: GPG Configuration. (line 84)
4701 * GNUPGHOME <3>: Configuration Options.
4703 * GNUPGHOME <4>: Scdaemon Options. (line 13)
4704 * GNUPGHOME <5>: gpgv. (line 64)
4705 * GNUPGHOME <6>: Invoking gpg-connect-agent.
4707 * GNUPGHOME <7>: Invoking symcryptrun.
4709 * gpg-agent.conf: Agent Configuration. (line 11)
4710 * gpg.conf: GPG Configuration. (line 11)
4711 * gpgconf.ctl: Agent Options. (line 24)
4712 * gpgconf.ctl <1>: GPG Configuration Options.
4714 * gpgconf.ctl <2>: Configuration Options.
4716 * gpgconf.ctl <3>: Scdaemon Options. (line 24)
4717 * gpgconf.ctl <4>: gpgv. (line 75)
4718 * gpgconf.ctl <5>: Invoking gpg-connect-agent.
4720 * gpgconf.ctl <6>: Invoking symcryptrun.
4722 * gpgsm.conf: GPGSM Configuration. (line 11)
4723 * GPG_TTY: Invoking GPG-AGENT. (line 22)
4724 * GPG_TTY <1>: GPGSM OPTION. (line 23)
4725 * help.txt: GPGSM Configuration. (line 72)
4726 * HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 144)
4727 * HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 13)
4728 * HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options.
4730 * HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options.
4732 * HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)
4733 * HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 64)
4734 * HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpg-connect-agent.
4736 * HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking symcryptrun.
4738 * HOME: GPG Configuration. (line 81)
4739 * http_proxy: Dirmngr Options. (line 183)
4740 * LANGUAGE: GPG Configuration. (line 99)
4741 * LC_CTYPE: GPGSM OPTION. (line 27)
4742 * LC_MESSAGES: GPGSM OPTION. (line 29)
4743 * LINES: GPG Configuration. (line 96)
4744 * openpgp-revocs.d: GPG Configuration. (line 66)
4745 * options.skel: GPG Configuration. (line 76)
4746 * PATH: GPG Configuration Options.
4748 * PINENTRY_USER_DATA: GPG Configuration. (line 91)
4749 * PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33)
4750 * policies.txt: GPGSM Configuration. (line 18)
4751 * private-keys-v1.d: Agent Configuration. (line 105)
4752 * pubring.gpg: GPG Configuration. (line 32)
4753 * pubring.kbx: GPG Configuration. (line 38)
4754 * pubring.kbx <1>: GPGSM Configuration. (line 100)
4755 * qualified.txt: GPGSM Configuration. (line 33)
4756 * random_seed: GPG Configuration. (line 63)
4757 * random_seed <1>: GPGSM Configuration. (line 106)
4758 * S.gpg-agent: GPGSM Configuration. (line 111)
4759 * secring.gpg: GPG Configuration. (line 45)
4760 * SHELL: Agent Options. (line 134)
4761 * sshcontrol: Agent Configuration. (line 75)
4762 * TERM: GPGSM OPTION. (line 25)
4763 * trustdb.gpg: GPG Configuration. (line 55)
4764 * trustlist.txt: Agent Configuration. (line 20)
4765 * XAUTHORITY: GPGSM OPTION. (line 31)
4768 File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top
4776 * command options: Invoking GPG-AGENT. (line 6)
4777 * command options <1>: Invoking DIRMNGR. (line 6)
4778 * command options <2>: Invoking GPG. (line 6)
4779 * command options <3>: Invoking GPGSM. (line 6)
4780 * command options <4>: Invoking SCDAEMON. (line 6)
4781 * contributors: Contributors. (line 6)
4782 * DIRMNGR command options: Invoking DIRMNGR. (line 6)
4783 * GPG command options: Invoking GPG. (line 6)
4784 * GPG-AGENT command options: Invoking GPG-AGENT. (line 6)
4785 * gpgconf.conf: Files used by gpgconf.
4787 * GPGSM command options: Invoking GPGSM. (line 6)
4788 * options, DIRMNGR command: Invoking DIRMNGR. (line 6)
4789 * options, GPG command: Invoking GPG. (line 6)
4790 * options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)
4791 * options, GPGSM command: Invoking GPGSM. (line 6)
4792 * options, SCDAEMON command: Invoking SCDAEMON. (line 6)
4793 * relax: Agent Configuration. (line 63)
4794 * scd-event: Scdaemon Configuration.
4796 * SCDAEMON command options: Invoking SCDAEMON. (line 6)
4797 * scdaemon.conf: Scdaemon Configuration.
4799 * SIGHUP: Agent Signals. (line 12)
4800 * SIGHUP <1>: Dirmngr Signals. (line 12)
4801 * SIGINT: Agent Signals. (line 31)
4802 * SIGINT <1>: Dirmngr Signals. (line 26)
4803 * SIGTERM: Agent Signals. (line 26)
4804 * SIGTERM <1>: Dirmngr Signals. (line 19)
4805 * SIGUSR1: Agent Signals. (line 34)
4806 * SIGUSR1 <1>: Dirmngr Signals. (line 29)
4807 * SIGUSR2: Agent Signals. (line 37)
4808 * swdb.lst: Files used by gpgconf.