1 This is gnupg.info, produced by makeinfo version 6.3 from gnupg.texi.
3 This is the 'The GNU Privacy Guard Manual' (version 2.1.17, December
6 (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
7 (C) 2013, 2014, 2015 Werner Koch.
8 (C) 2015 g10 Code GmbH.
10 Permission is granted to copy, distribute and/or modify this
11 document under the terms of the GNU General Public License as
12 published by the Free Software Foundation; either version 3 of the
13 License, or (at your option) any later version. The text of the
14 license can be found in the section entitled "Copying".
15 INFO-DIR-SECTION GNU Utilities
17 * gpg2: (gnupg). OpenPGP encryption and signing tool.
18 * gpgsm: (gnupg). S/MIME encryption and signing tool.
19 * gpg-agent: (gnupg). The secret key daemon.
20 * dirmngr: (gnupg). X.509 CRL and OCSP server.
21 * dirmngr-client: (gnupg). X.509 CRL and OCSP client.
25 File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
30 $ scdaemon --server -v
33 File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
35 6.6 Scdaemon's Assuan Protocol
36 ==============================
38 The SC-Daemon should be started by the system to provide access to
39 external tokens. Using Smartcards on a multi-user system does not make
40 much sense except for system services, but in this case no regular user
41 accounts are hosted on the machine.
43 A client connects to the SC-Daemon by connecting to the socket named
44 '/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
45 read from /ETC/GNUPG/SCDAEMON.CONF
47 Each connection acts as one session, SC-Daemon takes care of
48 synchronizing access to a token between sessions.
52 * Scdaemon SERIALNO:: Return the serial number.
53 * Scdaemon LEARN:: Read all useful information from the card.
54 * Scdaemon READCERT:: Return a certificate.
55 * Scdaemon READKEY:: Return a public key.
56 * Scdaemon PKSIGN:: Signing data with a Smartcard.
57 * Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
58 * Scdaemon GETATTR:: Read an attribute's value.
59 * Scdaemon SETATTR:: Update an attribute's value.
60 * Scdaemon WRITEKEY:: Write a key to a card.
61 * Scdaemon GENKEY:: Generate a new key on-card.
62 * Scdaemon RANDOM:: Return random bytes generated on-card.
63 * Scdaemon PASSWD:: Change PINs.
64 * Scdaemon CHECKPIN:: Perform a VERIFY operation.
65 * Scdaemon RESTART:: Restart connection
66 * Scdaemon APDU:: Send a verbatim APDU to the card
69 File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
71 6.6.1 Return the serial number
72 ------------------------------
74 This command should be used to check for the presence of a card. It is
75 special in that it can be used to reset the card. Most other commands
76 will return an error when a card change has been detected and the use of
77 this function is therefore required.
79 Background: We want to keep the client clear of handling card changes
80 between operations; i.e. the client can assume that all operations are
81 done on the same card unless he call this function.
85 Return the serial number of the card using a status response like:
87 S SERIALNO D27600000000000000000000 0
89 The trailing 0 should be ignored for now, it is reserved for a future
90 extension. The serial number is the hex encoded value identified by the
91 '0x5A' tag in the GDO file (FIX=0x2F02).
94 File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
96 6.6.2 Read all useful information from the card
97 -----------------------------------------------
101 Learn all useful information of the currently inserted card. When
102 used without the '--force' option, the command might do an INQUIRE like
105 INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
107 The client should just send an 'END' if the processing should go on
108 or a 'CANCEL' to force the function to terminate with a cancel error
109 message. The response of this command is a list of status lines
112 S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
114 If there is no certificate yet stored on the card a single "X" is
115 returned in HEXSTRING_WITH_KEYGRIP.
118 File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
120 6.6.3 Return a certificate
121 --------------------------
123 READCERT HEXIFIED_CERTID|KEYID
125 This function is used to read a certificate identified by
126 HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
127 may be used to read the certificate of version 2 cards.
130 File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
132 6.6.4 Return a public key
133 -------------------------
135 READKEY HEXIFIED_CERTID
137 Return the public key for the given cert or key ID as an standard
141 File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
143 6.6.5 Signing data with a Smartcard
144 -----------------------------------
146 To sign some data the caller should use the command
150 to tell 'scdaemon' about the data to be signed. The data must be
151 given in hex notation. The actual signing is done using the command
155 where KEYID is the hexified ID of the key to be used. The key id may
156 have been retrieved using the command 'LEARN'. If another hash
157 algorithm than SHA-1 is used, that algorithm may be given like:
159 PKSIGN --hash=ALGONAME KEYID
161 With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
164 File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
166 6.6.6 Decrypting data with a Smartcard
167 --------------------------------------
169 To decrypt some data the caller should use the command
173 to tell 'scdaemon' about the data to be decrypted. The data must be
174 given in hex notation. The actual decryption is then done using the
179 where KEYID is the hexified ID of the key to be used.
181 If the card is aware of the apdding format a status line with padding
182 information is send before the plaintext data. The key for this status
183 line is 'PADDING' with the only defined value being 0 and meaning
184 padding has been removed.
187 File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
189 6.6.7 Read an attribute's value
190 -------------------------------
195 File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
197 6.6.8 Update an attribute's value
198 ---------------------------------
203 File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
205 6.6.9 Write a key to a card
206 ---------------------------
208 WRITEKEY [--force] KEYID
210 This command is used to store a secret key on a smartcard. The
211 allowed keyids depend on the currently selected smartcard application.
212 The actual keydata is requested using the inquiry 'KEYDATA' and need to
213 be provided without any protection. With '--force' set an existing key
214 under this KEYID will get overwritten. The key data is expected to be
215 the usual canonical encoded S-expression.
217 A PIN will be requested in most cases. This however depends on the
218 actual card application.
221 File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
223 6.6.10 Generate a new key on-card
224 ---------------------------------
229 File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
231 6.6.11 Return random bytes generated on-card
232 --------------------------------------------
237 File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
242 PASSWD [--reset] [--nullpin] CHVNO
244 Change the PIN or reset the retry counter of the card holder
245 verification vector number CHVNO. The option '--nullpin' is used to
246 initialize the PIN of TCOS cards (6 byte NullPIN only).
249 File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
251 6.6.13 Perform a VERIFY operation
252 ---------------------------------
256 Perform a VERIFY operation without doing anything else. This may be
257 used to initialize a the PIN cache earlier to long lasting operations.
258 Its use is highly application dependent:
262 Perform a simple verify operation for CHV1 and CHV2, so that
263 further operations won't ask for CHV2 and it is possible to do a
264 cheap check on the PIN: If there is something wrong with the PIN
265 entry system, only the regular CHV will get blocked and not the
266 dangerous CHV3. IDSTR is the usual card's serial number in hex
267 notation; an optional fingerprint part will get ignored.
269 There is however a special mode if IDSTR is suffixed with the
270 literal string '[CHV3]': In this case the Admin PIN is checked if
271 and only if the retry counter is still at 3.
274 File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
276 6.6.14 Perform a RESTART operation
277 ----------------------------------
281 Restart the current connection; this is a kind of warm reset. It
282 deletes the context used by this connection but does not actually reset
285 This is used by gpg-agent to reuse a primary pipe connection and may
286 be used by clients to backup from a conflict in the serial command; i.e.
287 to select another application.
290 File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
292 6.6.15 Send a verbatim APDU to the card
293 ---------------------------------------
295 APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
297 Send an APDU to the current reader. This command bypasses the high
298 level functions and sends the data directly to the card. HEXSTRING is
299 expected to be a proper APDU. If HEXSTRING is not given no commands are
300 send to the card; However the command will implicitly check whether the
301 card is ready for use.
303 Using the option '--atr' returns the ATR of the card as a status
304 message before any data like this:
305 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
307 Using the option '--more' handles the card status word MORE_DATA
308 (61xx) and concatenate all responses to one block.
310 Using the option '--exlen' the returned APDU may use extended length
311 up to N bytes. If N is not given a default value is used (currently
315 File: gnupg.info, Node: Specify a User ID, Next: Helper Tools, Prev: Invoking SCDAEMON, Up: Top
317 7 How to Specify a User Id
318 **************************
320 There are different ways to specify a user ID to GnuPG. Some of them are
321 only valid for 'gpg' others are only good for 'gpgsm'. Here is the
322 entire list of ways to specify a key:
324 * By key Id. This format is deduced from the length of the string
325 and its content or '0x' prefix. The key Id of an X.509 certificate
326 are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
327 is just a shortcut, for all automated processing the fingerprint
330 When using 'gpg' an exclamation mark (!) may be appended to force
331 using the specified primary or secondary key and not to try and
332 calculate which primary or secondary key to use.
334 The last four lines of the example give the key ID in their long
335 form as internally used by the OpenPGP protocol. You can see the
336 long key ID using the option '--with-colons'.
348 * By fingerprint. This format is deduced from the length of the
349 string and its content or the '0x' prefix. Note, that only the 20
350 byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
351 hash of the certificate).
353 When using 'gpg' an exclamation mark (!) may be appended to force
354 using the specified primary or secondary key and not to try and
355 calculate which primary or secondary key to use.
357 The best way to specify a key Id is by using the fingerprint. This
358 avoids any ambiguities in case that there are duplicated key IDs.
360 1234343434343434C434343434343434
361 123434343434343C3434343434343734349A3434
362 0E12343434343434343434EAB3484343434343434
363 0xE12343434343434343434EAB3484343434343434
365 'gpgsm' also accepts colons between each pair of hexadecimal digits
366 because this is the de-facto standard on how to present X.509
367 fingerprints. 'gpg' also allows the use of the space separated
368 SHA-1 fingerprint as printed by the key listing commands.
370 * By exact match on OpenPGP user ID. This is denoted by a leading
371 equal sign. It does not make sense for X.509 certificates.
373 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
375 * By exact match on an email address. This is indicated by enclosing
376 the email address in the usual way with left and right angles.
378 <heinrichh@uni-duesseldorf.de>
380 * By partial match on an email address. This is indicated by
381 prefixing the search string with an '@'. This uses a substring
382 search but considers only the mail address (i.e. inside the angle
387 * By exact match on the subject's DN. This is indicated by a leading
388 slash, directly followed by the RFC-2253 encoded DN of the subject.
389 Note that you can't use the string printed by 'gpgsm --list-keys'
390 because that one has been reordered and modified for better
391 readability; use '--with-colons' to print the raw (but standard
392 escaped) RFC-2253 string.
394 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
396 * By exact match on the issuer's DN. This is indicated by a leading
397 hash mark, directly followed by a slash and then directly followed
398 by the RFC-2253 encoded DN of the issuer. This should return the
399 Root cert of the issuer. See note above.
401 #/CN=Root Cert,O=Poets,L=Paris,C=FR
403 * By exact match on serial number and issuer's DN. This is indicated
404 by a hash mark, followed by the hexadecimal representation of the
405 serial number, then followed by a slash and the RFC-2253 encoded DN
406 of the issuer. See note above.
408 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
410 * By keygrip. This is indicated by an ampersand followed by the 40
411 hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
412 command '--dump-cert'. It does not yet work for OpenPGP keys.
414 &D75F22C3F86E355877348498CDC92BD21010A480
416 * By substring match. This is the default mode but applications may
417 want to explicitly indicate this by putting the asterisk in front.
418 Match is not case sensitive.
423 * . and + prefixes These prefixes are reserved for looking up mails
424 anchored at the end and for a word search mode. They are not yet
425 implemented and using them is undefined.
427 Please note that we have reused the hash mark identifier which was
428 used in old GnuPG versions to indicate the so called local-id. It is
429 not anymore used and there should be no conflict when used with X.509
432 Using the RFC-2253 format of DNs has the drawback that it is not
433 possible to map them back to the original encoding, however we don't
434 have to do this because our key database stores this encoding as meta
438 File: gnupg.info, Node: Helper Tools, Next: Howtos, Prev: Specify a User ID, Up: Top
443 GnuPG comes with a couple of smaller tools:
447 * watchgnupg:: Read logs from a socket.
448 * gpgv:: Verify OpenPGP signatures.
449 * addgnupghome:: Create .gnupg home directories.
450 * gpgconf:: Modify .gnupg home directories.
451 * applygnupgdefaults:: Run gpgconf for all users.
452 * gpg-preset-passphrase:: Put a passphrase into the cache.
453 * gpg-connect-agent:: Communicate with a running agent.
454 * dirmngr-client:: How to use the Dirmngr client tool.
455 * gpgparsemail:: Parse a mail message into an annotated format
456 * symcryptrun:: Call a simple symmetric encryption tool.
457 * gpg-zip:: Encrypt or sign files into an archive.
460 File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
462 8.1 Read logs from a socket
463 ===========================
465 Most of the main utilities are able to write their log files to a Unix
466 Domain socket if configured that way. 'watchgnupg' is a simple listener
467 for such a socket. It ameliorates the output with a time stamp and
468 makes sure that long lines are not interspersed with log output from
469 other utilities. This tool is not available for Windows.
471 'watchgnupg' is commonly invoked as
473 watchgnupg --force ~/.gnupg/S.log
475 This starts it on the current terminal for listening on the socket
478 'watchgnupg' understands these options:
481 Delete an already existing socket file.
484 Instead of reading from a local socket, listen for connects on TCP
488 Enable extra informational output.
491 Print version of the program and exit.
494 Display a brief help page and exit.
500 $ watchgnupg --force /home/foo/.gnupg/S.log
502 This waits for connections on the local socket
503 '/home/foo/.gnupg/S.log' and shows all log entries. To make this work
504 the option 'log-file' needs to be used with all modules which logs are
505 to be shown. The value for that option must be given with a special
506 prefix (e.g. in the conf files):
508 log-file socket:///home/foo/.gnupg/S.log
510 If only 'socket://' is used a default socket file named 'S.log' in
511 the standard socket directory is used. For debugging purposes it is
512 also possible to do remote logging. Take care if you use this feature
513 because the information is send in the clear over the network. Use this
514 syntax in the conf files:
516 log-file tcp://192.168.1.1:4711
518 You may use any port and not just 4711 as shown above; only IP
519 addresses are supported (v4 and v6) and no host names. You need to
520 start 'watchgnupg' with the 'tcp' option. Note that under Windows the
521 registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
522 change the default log output from 'stderr' to whatever is given by that
523 entry. However the only useful entry is a TCP name for remote
527 File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
529 8.2 Verify OpenPGP signatures
530 =============================
532 'gpgv' is an OpenPGP signature verification tool.
534 This program is actually a stripped-down version of 'gpg' which is
535 only able to check signatures. It is somewhat smaller than the
536 fully-blown 'gpg' and uses a different (and simpler) way to check that
537 the public keys used to make the signature are valid. There are no
538 configuration files and only a few options are implemented.
540 'gpgv' assumes that all keys in the keyring are trustworthy. That
541 does also mean that it does not check for expired or revoked keys.
543 By default a keyring named 'trustedkeys.kbx' is used; if that does
544 not exist a keyring named 'trustedkeys.gpg' is used. The default
545 keyring is assumed to be in the home directory of GnuPG, either the
546 default home directory or the one set by an option or an environment
547 variable. The option '--keyring' may be used to specify a different
548 keyring or even multiple keyrings.
551 'gpgv' recognizes these options:
555 Gives more information during processing. If used twice, the input
556 data is listed in detail.
560 Try to be as quiet as possible.
563 Add FILE to the list of keyrings. If FILE begins with a tilde and
564 a slash, these are replaced by the HOME directory. If the filename
565 does not contain a slash, it is assumed to be in the home-directory
566 ("~/.gnupg" if -homedir is not used).
570 Write output to FILE; to write to stdout use '-'. This option can
571 be used to get the signed text from a cleartext or binary
572 signature; it also works for detached signatures, but in that case
573 this option is in general not useful. Note that an existing file
577 Write special status strings to the file descriptor N. See the
578 file DETAILS in the documentation for a listing of them.
581 Write log output to file descriptor 'n' and not to stderr.
583 '--ignore-time-conflict'
584 GnuPG normally checks that the timestamps associated with keys and
585 signatures have plausible values. However, sometimes a signature
586 seems to be older than the key due to clock problems. This option
587 turns these checks into warnings.
590 Set the name of the home directory to DIR. If this option is not
591 used, the home directory defaults to '~/.gnupg'. It is only
592 recognized when given on the command line. It also overrides any
593 home directory stated through the environment variable 'GNUPGHOME'
594 or (on Windows systems) by means of the Registry entry
595 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
597 On Windows systems it is possible to install GnuPG as a portable
598 application. In this case only this command line option is
599 considered, all other ways to set a home directory are ignored.
601 To install GnuPG as a portable application under Windows, create an
602 empty file named 'gpgconf.ctl' in the same directory as the tool
603 'gpgconf.exe'. The root of the installation is then that
604 directory; or, if 'gpgconf.exe' has been installed directly below a
605 directory named 'bin', its parent directory. You also need to make
606 sure that the following directories exist and are writable:
607 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
608 for internal cache files.
611 Treat the specified digest algorithm as weak. Signatures made over
612 weak digests algorithms are normally rejected. This option can be
613 supplied multiple times if multiple algorithms should be considered
614 weak. MD5 is always considered weak, and does not need to be
617 '--enable-special-filenames'
618 This option enables a mode in which filenames of the form '-&n',
619 where n is a non-negative decimal number, refer to the file
620 descriptor n and not to a file with that name.
622 The program returns 0 if everything is fine, 1 if at least one
623 signature was bad, and other error codes for fatal errors.
629 gpgv 'sigfile' ['datafile']
630 Verify the signature of the file. The second form is used for
631 detached signatures, where 'sigfile' is the detached signature
632 (either ASCII-armored or binary) and 'datafile' contains the signed
633 data; if 'datafile' is "-" the signed data is expected on 'stdin';
634 if 'datafile' is not given the name of the file holding the signed
635 data is constructed by cutting off the extension (".asc", ".sig" or
636 ".sign") from 'sigfile'.
642 Used to locate the default home directory.
645 If set directory used instead of "~/.gnupg".
650 ~/.gnupg/trustedkeys.gpg
651 The default keyring with the allowed keys.
656 File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
658 8.3 Create .gnupg home directories
659 ==================================
661 If GnuPG is installed on a system with existing user accounts, it is
662 sometimes required to populate the GnuPG home directory with existing
663 files. Especially a 'trustlist.txt' and a keybox with some initial
664 certificates are often desired. This script helps to do this by copying
665 all files from '/etc/skel/.gnupg' to the home directories of the
666 accounts given on the command line. It takes care not to overwrite
667 existing GnuPG home directories.
669 'addgnupghome' is invoked by root as:
671 addgnupghome account1 account2 ... accountn
674 File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
676 8.4 Modify .gnupg home directories
677 ==================================
679 The 'gpgconf' is a utility to automatically and reasonable safely query
680 and modify configuration files in the '.gnupg' home directory. It is
681 designed not to be invoked manually by the user, but automatically by
682 graphical user interfaces (GUI).(1)
684 'gpgconf' provides access to the configuration of one or more
685 components of the GnuPG system. These components correspond more or
686 less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
687 DirMngr, etc. But this is not a strict one-to-one relationship. Not
688 all configuration options are available through 'gpgconf'. 'gpgconf'
689 provides a generic and abstract method to access the most important
690 configuration options that can feasibly be controlled via such a
693 'gpgconf' can be used to gather and change the options available in
694 each component, and can also provide their default values. 'gpgconf'
695 will give detailed type information that can be used to restrict the
696 user's input without making an attempt to commit the changes.
698 'gpgconf' provides the backend of a configuration editor. The
699 configuration editor would usually be a graphical user interface program
700 that displays the current options, their default values, and allows the
701 user to make changes to the options. These changes can then be made
702 active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
703 way will be called GUI throughout this section.
707 * Invoking gpgconf:: List of all commands and options.
708 * Format conventions:: Formatting conventions relevant for all commands.
709 * Listing components:: List all gpgconf components.
710 * Checking programs:: Check all programs known to gpgconf.
711 * Listing options:: List all options of a component.
712 * Changing options:: Changing options of a component.
713 * Listing global options:: List all global options.
714 * Querying versions:: Get and compare software versions.
715 * Files used by gpgconf:: What files are used by gpgconf.
717 ---------- Footnotes ----------
719 (1) Please note that currently no locking is done, so concurrent
720 access should be avoided. There are some precautions to avoid
721 corruption with concurrent usage, but results may be inconsistent and
722 some changes may get lost. The stateless design makes it difficult to
723 provide more guarantees.
726 File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
728 8.4.1 Invoking gpgconf
729 ----------------------
731 One of the following commands must be given:
734 List all components. This is the default command used if none is
738 List all available backend programs and test whether they are
741 '--list-options COMPONENT'
742 List all options of the component COMPONENT.
744 '--change-options COMPONENT'
745 Change the options of the component COMPONENT.
747 '--check-options COMPONENT'
748 Check the options for the component COMPONENT.
750 '--apply-profile FILE'
751 Apply the configuration settings listed in FILE to the
752 configuration files. If FILE has no suffix and no slashes the
753 command first tries to read a file with the suffix '.prf' from the
754 the data directory ('gpgconf --list-dirs datadir') before it reads
755 the file verbatim. A profile is divided into sections using the
756 bracketed component name. Each section then lists the option which
757 shall go into the respective configuration file.
760 Update all configuration files with values taken from the global
761 configuration file (usually '/etc/gnupg/gpgconf.conf').
763 '--list-dirs [NAMES]'
764 Lists the directories used by 'gpgconf'. One directory is listed
765 per line, and each line consists of a colon-separated list where
766 the first field names the directory type (for example 'sysconfdir')
767 and the second field contains the percent-escaped directory.
768 Although they are not directories, the socket file names used by
769 'gpg-agent' and 'dirmngr' are printed as well. Note that the
770 socket file names and the 'homedir' lines are the default names and
771 they may be overridden by command line switches. If NAMES are
772 given only the directories or file names specified by the list
773 names are printed without any escaping.
775 '--list-config [FILENAME]'
776 List the global configuration file in a colon separated format. If
777 FILENAME is given, check that file instead.
779 '--check-config [FILENAME]'
780 Run a syntax check on the global configuration file. If FILENAME
781 is given, check that file instead.
783 '--query-swdb PACKAGE_NAME [VERSION_STRING]'
784 Returns the current version for PACKAGE_NAME and if VERSION_STRING
785 is given also an indicator on whether an update is available. The
786 actual file with the software version is automatically downloaded
787 and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
788 download the file too often and it does this by default only if it
789 can be done via Tor. To force an update of that file this command
792 gpg-connect-agent --dirmngr 'loadswdb --force' /bye
794 '--reload [COMPONENT]'
795 Reload all or the given component. This is basically the same as
796 sending a SIGHUP to the component. Components which don't support
797 reloading are ignored.
799 '--launch [COMPONENT]'
800 If the COMPONENT is not already running, start it. 'component'
801 must be a daemon. This is in general not required because the
802 system starts these daemons as needed. However, external software
803 making direct use of 'gpg-agent' or 'dirmngr' may use this command
804 to ensure that they are started.
807 Kill the given component. Components which support killing are
808 'gpg-agent' and 'scdaemon'. Components which don't support
809 reloading are ignored. Note that as of now reload and kill have
810 the same effect for 'scdaemon'.
813 Create a directory for sockets below /run/user or /var/run/user.
814 This is command is only required if a non default home directory is
815 used and the /run based sockets shall be used. For the default
816 home directory GnUPG creates a directory on the fly.
819 Remove a directory created with command '--create-socketdir'.
821 The following options may be used:
825 Write output to FILE. Default is to write to stdout.
829 Outputs additional information while running. Specifically, this
830 extends numerical field values by human-readable descriptions.
834 Try to be as quiet as possible.
838 Do not actually change anything. This is currently only
839 implemented for '--change-options' and can be used for testing
844 Only used together with '--change-options'. If one of the modified
845 options can be changed in a running daemon process, signal the
846 running daemon to ask it to reparse its configuration file after
849 This means that the changes will take effect at run-time, as far as
850 this is possible. Otherwise, they will take effect at the next
851 start of the respective backend programs.
854 File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
856 8.4.2 Format conventions
857 ------------------------
859 Some lines in the output of 'gpgconf' contain a list of colon-separated
860 fields. The following conventions apply:
862 * The GUI program is required to strip off trailing newline and/or
863 carriage return characters from the output.
865 * 'gpgconf' will never leave out fields. If a certain version
866 provides a certain field, this field will always be present in all
867 'gpgconf' versions from that time on.
869 * Future versions of 'gpgconf' might append fields to the list. New
870 fields will always be separated from the previously last field by a
871 colon separator. The GUI should be prepared to parse the last
872 field it knows about up until a colon or end of line.
874 * Not all fields are defined under all conditions. You are required
875 to ignore the content of undefined fields.
877 There are several standard types for the content of a field:
880 Some fields contain strings that are not escaped in any way. Such
881 fields are described to be used _verbatim_. These fields will
882 never contain a colon character (for obvious reasons). No
883 de-escaping or other formatting is required to use the field
884 content. This is for easy parsing of the output, when it is known
885 that the content can never contain any special characters.
888 Some fields contain strings that are described to be
889 _percent-escaped_. Such strings need to be de-escaped before their
890 content can be presented to the user. A percent-escaped string is
891 de-escaped by replacing all occurrences of '%XY' by the byte that
892 has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
896 Some fields contain strings that are described to be _localized_.
897 Such strings are translated to the active language and formatted in
898 the active character set.
901 Some fields contain an _unsigned number_. This number will always
902 fit into a 32-bit unsigned integer variable. The number may be
903 followed by a space, followed by a human readable description of
904 that value (if the verbose option is used). You should ignore
905 everything in the field that follows the number.
908 Some fields contain a _signed number_. This number will always fit
909 into a 32-bit signed integer variable. The number may be followed
910 by a space, followed by a human readable description of that value
911 (if the verbose option is used). You should ignore everything in
912 the field that follows the number.
915 Some fields contain a _boolean value_. This is a number with
916 either the value 0 or 1. The number may be followed by a space,
917 followed by a human readable description of that value (if the
918 verbose option is used). You should ignore everything in the field
919 that follows the number; checking just the first character is
920 sufficient in this case.
923 Some fields contain an _option_ argument. The format of an option
924 argument depends on the type of the option and on some flags:
927 The simplest case is that the option does not take an argument
928 at all (TYPE '0'). Then the option argument is an unsigned
929 number that specifies how often the option occurs. If the
930 'list' flag is not set, then the only valid number is '1'.
931 Options that do not take an argument never have the 'default'
932 or 'optional arg' flag set.
935 If the option takes a number argument (ALT-TYPE is '2' or
936 '3'), and it can only occur once ('list' flag is not set),
937 then the option argument is either empty (only allowed if the
938 argument is optional), or it is a number. A number is a
939 string that begins with an optional minus character, followed
940 by one or more digits. The number must fit into an integer
941 variable (unsigned or signed, depending on ALT-TYPE).
944 If the option takes a number argument and it can occur more
945 than once, then the option argument is either empty, or it is
946 a comma-separated list of numbers as described above.
949 If the option takes a string argument (ALT-TYPE is 1), and it
950 can only occur once ('list' flag is not set) then the option
951 argument is either empty (only allowed if the argument is
952 optional), or it starts with a double quote character ('"')
953 followed by a percent-escaped string that is the argument
954 value. Note that there is only a leading double quote
955 character, no trailing one. The double quote character is
956 only needed to be able to differentiate between no value and
957 the empty string as value.
960 If the option takes a string argument and it can occur more
961 than once, then the option argument is either empty, or it is
962 a comma-separated list of string arguments as described above.
964 The active language and character set are currently determined from
965 the locale environment of the 'gpgconf' program.
968 File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
970 8.4.3 Listing components
971 ------------------------
973 The command '--list-components' will list all components that can be
974 configured with 'gpgconf'. Usually, one component will correspond to
975 one GnuPG-related program and contain the options of that program's
976 configuration file that can be modified using 'gpgconf'. However, this
977 is not necessarily the case. A component might also be a group of
978 selected options from several programs, or contain entirely virtual
979 options that have a special effect rather than changing exactly one
980 option in one configuration file.
982 A component is a set of configuration options that semantically
983 belong together. Furthermore, several changes to a component can be
984 made in an atomic way with a single operation. The GUI could for
985 example provide a menu with one entry for each component, or a window
986 with one tabulator sheet per component.
988 The command '--list-components' lists all available components, one
989 per line. The format of each line is:
991 'NAME:DESCRIPTION:PGMNAME:'
994 This field contains a name tag of the component. The name tag is
995 used to specify the component in all communication with 'gpgconf'.
996 The name tag is to be used _verbatim_. It is thus not in any
1000 The _string_ in this field contains a human-readable description of
1001 the component. It can be displayed to the user of the GUI for
1002 informational purposes. It is _percent-escaped_ and _localized_.
1005 The _string_ in this field contains the absolute name of the
1006 program's file. It can be used to unambiguously invoke that
1007 program. It is _percent-escaped_.
1010 $ gpgconf --list-components
1011 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
1012 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
1013 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
1014 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
1015 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
1018 File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
1020 8.4.4 Checking programs
1021 -----------------------
1023 The command '--check-programs' is similar to '--list-components' but
1024 works on backend programs and not on components. It runs each program
1025 to test whether it is installed and runnable. This also includes a
1026 syntax check of all config file options of the program.
1028 The command '--check-programs' lists all available programs, one per
1029 line. The format of each line is:
1031 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
1034 This field contains a name tag of the program which is identical to
1035 the name of the component. The name tag is to be used _verbatim_.
1036 It is thus not in any escaped format. This field may be empty to
1037 indicate a continuation of error descriptions for the last name.
1038 The description and pgmname fields are then also empty.
1041 The _string_ in this field contains a human-readable description of
1042 the component. It can be displayed to the user of the GUI for
1043 informational purposes. It is _percent-escaped_ and _localized_.
1046 The _string_ in this field contains the absolute name of the
1047 program's file. It can be used to unambiguously invoke that
1048 program. It is _percent-escaped_.
1051 The _boolean value_ in this field indicates whether the program is
1052 installed and runnable.
1055 The _boolean value_ in this field indicates whether the program's
1056 config file is syntactically okay.
1059 If an error occurred in the configuration file (as indicated by a
1060 false value in the field 'okay'), this field has the name of the
1061 failing configuration file. It is _percent-escaped_.
1064 If an error occurred in the configuration file, this field has the
1065 line number of the failing statement in the configuration file. It
1066 is an _unsigned number_.
1069 If an error occurred in the configuration file, this field has the
1070 error text of the failing statement in the configuration file. It
1071 is _percent-escaped_ and _localized_.
1073 In the following example the 'dirmngr' is not runnable and the
1074 configuration file of 'scdaemon' is not okay.
1076 $ gpgconf --check-programs
1077 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
1078 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
1079 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
1080 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
1081 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
1083 The command '--check-options COMPONENT' will verify the configuration
1084 file in the same manner as '--check-programs', but only for the
1085 component COMPONENT.
1088 File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
1090 8.4.5 Listing options
1091 ---------------------
1093 Every component contains one or more options. Options may be gathered
1094 into option groups to allow the GUI to give visual hints to the user
1095 about which options are related.
1097 The command '--list-options COMPONENT' lists all options (and the
1098 groups they belong to) in the component COMPONENT, one per line.
1099 COMPONENT must be the string in the field NAME in the output of the
1100 '--list-components' command.
1102 There is one line for each option and each group. First come all
1103 options that are not in any group. Then comes a line describing a
1104 group. Then come all options that belong into each group. Then comes
1105 the next group and so on. There does not need to be any group (and in
1106 this case the output will stop after the last non-grouped option).
1108 The format of each line is:
1110 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
1113 This field contains a name tag for the group or option. The name
1114 tag is used to specify the group or option in all communication
1115 with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
1116 not in any escaped format.
1119 The flags field contains an _unsigned number_. Its value is the
1120 OR-wise combination of the following flag values:
1123 If this flag is set, this is a line describing a group and not
1126 The following flag values are only defined for options (that is, if
1127 the 'group' flag is not used).
1130 If this flag is set, the argument is optional. This is never
1131 set for TYPE '0' (none) options.
1134 If this flag is set, the option can be given multiple times.
1137 If this flag is set, the option can be changed at runtime.
1140 If this flag is set, a default value is available.
1143 If this flag is set, a (runtime) default is available. This
1144 and the 'default' flag are mutually exclusive.
1147 If this flag is set, and the 'optional arg' flag is set, then
1148 the option has a special meaning if no argument is given.
1151 If this flag is set, 'gpgconf' ignores requests to change the
1152 value. GUI frontends should grey out this option. Note, that
1153 manual changes of the configuration files are still possible.
1156 This field is defined for options and for groups. It contains an
1157 _unsigned number_ that specifies the expert level under which this
1158 group or option should be displayed. The following expert levels
1159 are defined for options (they have analogous meaning for groups):
1162 This option should always be offered to the user.
1165 This option may be offered to advanced users.
1168 This option should only be offered to expert users.
1171 This option should normally never be displayed, not even to
1175 This option is for internal use only. Ignore it.
1177 The level of a group will always be the lowest level of all options
1181 This field is defined for options and groups. The _string_ in this
1182 field contains a human-readable description of the option or group.
1183 It can be displayed to the user of the GUI for informational
1184 purposes. It is _percent-escaped_ and _localized_.
1187 This field is only defined for options. It contains an _unsigned
1188 number_ that specifies the type of the option's argument, if any.
1189 The following types are defined:
1194 No argument allowed.
1197 An _unformatted string_.
1203 An _unsigned number_.
1208 A _string_ that describes the pathname of a file. The file
1209 does not necessarily need to exist.
1212 A _string_ that describes an LDAP server in the format:
1214 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
1216 'key fingerprint (34)'
1217 A _string_ with a 40 digit fingerprint specifying a
1221 A _string_ that describes a certificate by user ID, key ID or
1225 A _string_ that describes a certificate with a key by user ID,
1226 key ID or fingerprint.
1229 A _string_ that describes an alias list, like the one used
1230 with gpg's group option. The list consists of a key, an equal
1231 sign and space separated values.
1233 More types will be added in the future. Please see the ALT-TYPE
1234 field for information on how to cope with unknown types.
1237 This field is identical to TYPE, except that only the types '0' to
1238 '31' are allowed. The GUI is expected to present the user the
1239 option in the format specified by TYPE. But if the argument type
1240 TYPE is not supported by the GUI, it can still display the option
1241 in the more generic basic type ALT-TYPE. The GUI must support all
1242 the defined basic types to be able to display all options. More
1243 basic types may be added in future versions. If the GUI encounters
1244 a basic type it doesn't support, it should report an error and
1245 abort the operation.
1248 This field is only defined for options with an argument type TYPE
1249 that is not '0'. In this case it may contain a _percent-escaped_
1250 and _localized string_ that gives a short name for the argument.
1251 The field may also be empty, though, in which case a short name is
1255 This field is defined only for options for which the 'default' or
1256 'default desc' flag is set. If the 'default' flag is set, its
1257 format is that of an _option argument_ (*note Format conventions::,
1258 for details). If the default value is empty, then no default is
1259 known. Otherwise, the value specifies the default value for this
1260 option. If the 'default desc' flag is set, the field is either
1261 empty or contains a description of the effect if the option is not
1265 This field is defined only for options for which the 'optional arg'
1266 flag is set. If the 'no arg desc' flag is not set, its format is
1267 that of an _option argument_ (*note Format conventions::, for
1268 details). If the default value is empty, then no default is known.
1269 Otherwise, the value specifies the default argument for this
1270 option. If the 'no arg desc' flag is set, the field is either
1271 empty or contains a description of the effect of this option if no
1275 This field is defined only for options. Its format is that of an
1276 _option argument_. If it is empty, then the option is not
1277 explicitly set in the current configuration, and the default
1278 applies (if any). Otherwise, it contains the current value of the
1279 option. Note that this field is also meaningful if the option
1280 itself does not take a real argument (in this case, it contains the
1281 number of times the option appears).
1284 File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
1286 8.4.6 Changing options
1287 ----------------------
1289 The command '--change-options COMPONENT' will attempt to change the
1290 options of the component COMPONENT to the specified values. COMPONENT
1291 must be the string in the field NAME in the output of the
1292 '--list-components' command. You have to provide the options that shall
1293 be changed in the following format on standard input:
1295 'NAME:FLAGS:NEW-VALUE'
1298 This is the name of the option to change. NAME must be the string
1299 in the field NAME in the output of the '--list-options' command.
1302 The flags field contains an _unsigned number_. Its value is the
1303 OR-wise combination of the following flag values:
1306 If this flag is set, the option is deleted and the default
1307 value is used instead (if applicable).
1310 The new value for the option. This field is only defined if the
1311 'default' flag is not set. The format is that of an _option
1312 argument_. If it is empty (or the field is omitted), the default
1313 argument is used (only allowed if the argument is optional for this
1314 option). Otherwise, the option will be set to the specified value.
1316 The output of the command is the same as that of '--check-options' for
1317 the modified configuration file.
1321 To set the force option, which is of basic type 'none (0)':
1323 $ echo 'force:0:1' | gpgconf --change-options dirmngr
1325 To delete the force option:
1327 $ echo 'force:16:' | gpgconf --change-options dirmngr
1329 The '--runtime' option can influence when the changes take effect.
1332 File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
1334 8.4.7 Listing global options
1335 ----------------------------
1337 Sometimes it is useful for applications to look at the global options
1338 file 'gpgconf.conf'. The colon separated listing format is record
1339 oriented and uses the first field to identify the record type:
1342 This describes a key record to start the definition of a new
1343 ruleset for a user/group. The format of a key record is:
1348 This is the user field of the key. It is percent escaped.
1349 See the definition of the gpgconf.conf format for details.
1352 This is the group field of the key. It is percent escaped.
1355 This describes a rule record. All rule records up to the next key
1356 record make up a rule set for that key. The format of a rule
1359 'r:::COMPONENT:OPTION:FLAG:VALUE:'
1362 This is the component part of a rule. It is a plain string.
1365 This is the option part of a rule. It is a plain string.
1368 This is the flags part of a rule. There may be only one flag
1369 per rule but by using the same component and option, several
1370 flags may be assigned to an option. It is a plain string.
1373 This is the optional value for the option. It is a percent
1374 escaped string with a single quotation mark to indicate a
1375 string. The quotation mark is only required to distinguish
1376 between no value specified and an empty string.
1378 Unknown record types should be ignored. Note that there is
1379 intentionally no feature to change the global option file through
1383 File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
1385 8.4.8 Get and compare software versions.
1386 ----------------------------------------
1388 The GnuPG Project operates a server to query the current versions of
1389 software packages related to GnuPG. 'gpgconf' can be used to access this
1390 online database. To allow for offline operations, this feature works by
1391 having 'dirmngr' download a file from 'https://versions.gnupg.org',
1392 checking the signature of that file and storing the file in the GnuPG
1393 home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
1394 ask 'dirmngr' to refresh that file before itself uses the file.
1396 The command '--query-swdb' returns information for the given package
1397 in a colon delimited format:
1400 This is the name of the package as requested. Note that "gnupg" is
1401 a special name which is replaced by the actual package implementing
1402 this version of GnuPG. For this name it is also not required to
1403 specify a version because 'gpgconf' takes its own version in this
1407 The currently installed version or an empty string. The value is
1408 taken from the command line argument but may be provided by gpg if
1412 The status of the software package according to this table:
1414 No information available. This is either because no current
1415 version has been specified or due to an error.
1417 The given name is not known in the online database.
1419 An update of the software is available.
1421 The installed version of the software is current.
1423 The installed version is already newer than the released
1427 If the value (the empty string should be considered as zero) is
1428 greater than zero an important update is available.
1431 This returns an 'gpg-error' error code to distinguish between
1432 various failure modes.
1435 This gives the date of the file with the version numbers in
1436 standard ISO format ('yyyymmddThhmmss'). The date has been
1437 extracted by 'dirmngr' from the signature of the file.
1440 This gives the date in ISO format the file was downloaded. This
1441 value can be used to evaluate the freshness of the information.
1444 This returns the version string for the requested software from the
1448 This returns the release date in ISO format.
1451 This returns the size of the package as decimal number of bytes.
1454 This returns a hexified SHA-2 hash of the package.
1456 More fields may be added in future to the output.
1459 File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
1461 8.4.9 Files used by gpgconf
1462 ---------------------------
1464 '/etc/gnupg/gpgconf.conf'
1465 If this file exists, it is processed as a global configuration
1466 file. A commented example can be found in the 'examples' directory
1467 of the distribution.
1469 'GNUPGHOME/swdb.lst'
1470 A file with current software versions. 'dirmngr' creates this file
1471 on demand from an online resource.
1474 File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
1476 8.5 Run gpgconf for all users
1477 =============================
1479 This script is a wrapper around 'gpgconf' to run it with the command
1480 '--apply-defaults' for all real users with an existing GnuPG home
1481 directory. Admins might want to use this script to update he GnuPG
1482 configuration files for all users after '/etc/gnupg/gpgconf.conf' has
1483 been changed. This allows enforcing certain policies for all users.
1484 Note, that this is not a bulletproof way to force a user to use certain
1485 options. A user may always directly edit the configuration files and
1488 'applygnupgdefaults' is invoked by root as:
1493 File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
1495 8.6 Put a passphrase into the cache
1496 ===================================
1498 The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
1499 running 'gpg-agent' with passphrases. It is mainly useful for
1500 unattended machines, where the usual 'pinentry' tool may not be used and
1501 the passphrases for the to be used keys are given at machine startup.
1503 Passphrases set with this utility don't expire unless the '--forget'
1504 option is used to explicitly clear them from the cache -- or 'gpg-agent'
1505 is either restarted or reloaded (by sending a SIGHUP to it). Note that
1506 the maximum cache time as set with '--max-cache-ttl' is still honored.
1507 It is necessary to allow this passphrase presetting by starting
1508 'gpg-agent' with the '--allow-preset-passphrase'.
1512 * Invoking gpg-preset-passphrase:: List of all commands and options.
1515 File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
1517 8.6.1 List of all commands and options
1518 --------------------------------------
1520 'gpg-preset-passphrase' is invoked this way:
1522 gpg-preset-passphrase [options] [command] CACHEID
1524 CACHEID is either a 40 character keygrip of hexadecimal characters
1525 identifying the key for which the passphrase should be set or cleared.
1526 The keygrip is listed along with the key when running the command:
1527 'gpgsm --dump-secret-keys'. Alternatively an arbitrary string may be
1528 used to identify a passphrase; it is suggested that such a string is
1529 prefixed with the name of the application (e.g 'foo:12346').
1531 One of the following command options must be given:
1534 Preset a passphrase. This is what you usually will use.
1535 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
1538 Flush the passphrase for the given cache ID from the cache.
1540 The following additional options may be used:
1544 Output additional information while running.
1547 '--passphrase STRING'
1548 Instead of reading the passphrase from 'stdin', use the supplied
1549 STRING as passphrase. Note that this makes the passphrase visible
1553 File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
1555 8.7 Communicate with a running agent
1556 ====================================
1558 The 'gpg-connect-agent' is a utility to communicate with a running
1559 'gpg-agent'. It is useful to check out the commands 'gpg-agent'
1560 provides using the Assuan interface. It might also be useful for
1561 scripting simple applications. Input is expected at stdin and output
1562 gets printed to stdout.
1564 It is very similar to running 'gpg-agent' in server mode; but here we
1565 connect to a running instance.
1569 * Invoking gpg-connect-agent:: List of all options.
1570 * Controlling gpg-connect-agent:: Control commands.
1573 File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
1575 8.7.1 List of all options
1576 -------------------------
1578 'gpg-connect-agent' is invoked this way:
1580 gpg-connect-agent [options] [commands]
1582 The following options may be used:
1586 Output additional information while running.
1590 Try to be as quiet as possible.
1593 Set the name of the home directory to DIR. If this option is not
1594 used, the home directory defaults to '~/.gnupg'. It is only
1595 recognized when given on the command line. It also overrides any
1596 home directory stated through the environment variable 'GNUPGHOME'
1597 or (on Windows systems) by means of the Registry entry
1598 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
1600 On Windows systems it is possible to install GnuPG as a portable
1601 application. In this case only this command line option is
1602 considered, all other ways to set a home directory are ignored.
1604 To install GnuPG as a portable application under Windows, create an
1605 empty file named 'gpgconf.ctl' in the same directory as the tool
1606 'gpgconf.exe'. The root of the installation is then that
1607 directory; or, if 'gpgconf.exe' has been installed directly below a
1608 directory named 'bin', its parent directory. You also need to make
1609 sure that the following directories exist and are writable:
1610 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
1611 for internal cache files.
1613 '--agent-program FILE'
1614 Specify the agent program to be started if none is running. The
1615 default value is determined by running 'gpgconf' with the option
1616 '--list-dirs'. Note that the pipe symbol ('|') is used for a
1617 regression test suite hack and may thus not be used in the file
1620 '--dirmngr-program FILE'
1621 Specify the directory manager (keyserver client) program to be
1622 started if none is running. This has only an effect if used
1623 together with the option '--dirmngr'.
1626 Connect to a running directory manager (keyserver client) instead
1627 of to the gpg-agent. If a dirmngr is not running, start it.
1631 Connect to socket NAME assuming this is an Assuan style server. Do
1632 not run any special initializations or environment checks. This
1633 may be used to directly connect to any Assuan style socket server.
1637 Take the rest of the command line as a program and it's arguments
1638 and execute it as an Assuan server. Here is how you would run
1640 gpg-connect-agent --exec gpgsm --server
1641 Note that you may not use options on the command line in this case.
1644 When using '-S' or '--exec', 'gpg-connect-agent' connects to the
1645 Assuan server in extended mode to allow descriptor passing. This
1646 option makes it use the old mode.
1649 Do not start the gpg-agent or the dirmngr if it has not yet been
1654 Run the commands from FILE at startup and then continue with the
1655 regular input method. Note, that commands given on the command
1656 line are executed after this file.
1660 Run the command '/subst' at startup.
1663 Print data lines in a hex format and the ASCII representation of
1664 non-control characters.
1667 Decode data lines. That is to remove percent escapes but make sure
1668 that a new line always starts with a D and a space.
1671 File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
1673 8.7.2 Control commands
1674 ----------------------
1676 While reading Assuan commands, gpg-agent also allows a few special
1677 commands to control its operation. These control commands all start
1684 Set the variable NAME to VALUE. Variables are only substituted on
1685 the input if the '/subst' has been used. Variables are referenced
1686 by prefixing the name with a dollar sign and optionally include the
1687 name in curly braces. The rules for a valid name are identically
1688 to those of the standard bourne shell. This is not yet enforced
1689 but may be in the future. When used with curly braces no leading
1690 or trailing white space is allowed.
1692 If a variable is not found, it is searched in the environment and
1693 if found copied to the table of variables.
1695 Variable functions are available: The name of the function must be
1696 followed by at least one space and the at least one argument. The
1697 following functions are available:
1700 Return a value described by the argument. Available arguments
1704 The current working directory.
1708 GnuPG's system configuration directory.
1710 GnuPG's binary directory.
1712 GnuPG's library directory.
1714 GnuPG's library directory for executable files.
1716 GnuPG's data directory.
1718 The PID of the current server. Command '/serverpid' must
1719 have been given to return a useful value.
1722 Remove C-style escapes from ARGS. Note that '\0' and '\x00'
1723 terminate the returned string implicitly. The string to be
1724 converted are the entire arguments right behind the delimiting
1725 space of the function name.
1729 Remove percent style escaping from ARGS. Note that '%00'
1730 terminates the string implicitly. The string to be converted
1731 are the entire arguments right behind the delimiting space of
1732 the function name. 'unpercent+' also maps plus signs to a
1737 Escape the ARGS using percent style escaping. Tabs,
1738 formfeeds, linefeeds, carriage returns and colons are escaped.
1739 'percent+' also maps spaces to plus signs.
1744 Assume ARG is an integer and evaluate it using 'strtol'.
1745 Return the gpg-error error code, error source or a formatted
1746 string with the error code and error source.
1753 Evaluate all arguments as long integers using 'strtol' and
1754 apply this operator. A division by zero yields an empty
1760 Evaluate all arguments as long integers using 'strtol' and
1761 apply the logical operators NOT, OR or AND. The NOT operator
1762 works on the last argument only.
1765 Use content of the variable VAR for inquiries with NAME. NAME may
1766 be an asterisk ('*') to match any inquiry.
1768 '/definqfile NAME FILE'
1769 Use content of FILE for inquiries with NAME. NAME may be an
1770 asterisk ('*') to match any inquiry.
1772 '/definqprog NAME PROG'
1773 Run PROG for inquiries matching NAME and pass the entire line to it
1774 as command line arguments.
1777 Write all data lines from the server to the file NAME. The file is
1778 opened for writing and created if it does not exists. An existing
1779 file is first truncated to 0. The data written to the file fully
1780 decoded. Using a single dash for NAME writes to stdout. The file
1781 is kept open until a new file is set using this command or this
1782 command is used without an argument.
1785 Print all definitions
1788 Delete all definitions
1791 Open FILE in MODE (which needs to be a valid 'fopen' mode string)
1792 and send the file descriptor to the server. This is usually
1793 followed by a command like 'INPUT FD' to set the input source for
1797 Not yet implemented.
1799 '/open VAR FILE [MODE]'
1800 Open FILE and assign the file descriptor to VAR. Warning: This
1801 command is experimental and might change in future versions.
1804 Close the file descriptor FD. Warning: This command is
1805 experimental and might change in future versions.
1808 Show a list of open files.
1811 Send the Assuan command 'GETINFO pid' to the server and store the
1812 returned PID for internal purposes.
1819 Same as the command line option '--hex'.
1823 Same as the command line option '--decode'.
1827 Enable and disable variable substitution. It defaults to disabled
1828 unless the command line option '--subst' has been used. If /subst
1829 as been enabled once, leading whitespace is removed from input
1830 lines which makes scripts easier to read.
1834 These commands provide a way for executing loops. All lines
1835 between the 'while' and the corresponding 'end' are executed as
1836 long as the evaluation of CONDITION yields a non-zero value or is
1837 the string 'true' or 'yes'. The evaluation is done by passing
1838 CONDITION to the 'strtol' function. Example:
1843 /echo loop couter is $i
1849 These commands provide a way for conditional execution. All lines
1850 between the 'if' and the corresponding 'end' are executed only if
1851 the evaluation of CONDITION yields a non-zero value or is the
1852 string 'true' or 'yes'. The evaluation is done by passing
1853 CONDITION to the 'strtol' function.
1856 Run commands from FILE.
1859 Terminate the connection and the program.
1862 Print a list of available control commands.
1865 File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
1867 8.8 The Dirmngr Client Tool
1868 ===========================
1870 The 'dirmngr-client' is a simple tool to contact a running dirmngr and
1871 test whether a certificate has been revoked -- either by being listed in
1872 the corresponding CRL or by running the OCSP protocol. If no dirmngr is
1873 running, a new instances will be started but this is in general not a
1874 good idea due to the huge performance overhead.
1876 The usual way to run this tool is either:
1878 dirmngr-client ACERT
1882 dirmngr-client <ACERT
1884 Where ACERT is one DER encoded (binary) X.509 certificates to be
1885 tested. The return value of this command is
1888 The certificate under question is valid; i.e. there is a valid CRL
1889 available and it is not listed there or the OCSP request returned
1890 that that certificate is valid.
1893 The certificate has been revoked
1895 '2 (and other values)'
1896 There was a problem checking the revocation state of the
1897 certificate. A message to stderr has given more detailed
1898 information. Most likely this is due to a missing or expired CRL
1899 or due to a network problem.
1901 'dirmngr-client' may be called with the following options:
1904 Print the program version and licensing information. Note that you
1905 cannot abbreviate this command.
1908 Print a usage message summarizing the most useful command-line
1909 options. Note that you cannot abbreviate this command.
1912 Make the output extra brief by suppressing any informational
1917 Outputs additional information while running. You can increase the
1918 verbosity by giving several verbose commands to DIRMNGR, such as
1922 Assume that the given certificate is in PEM (armored) format.
1925 Do the check using the OCSP protocol and ignore any CRLs.
1927 '--force-default-responder'
1928 When checking using the OCSP protocol, force the use of the default
1929 OCSP responder. That is not to use the Reponder as given by the
1933 Check whether the dirmngr daemon is up and running.
1936 Put the given certificate into the cache of a running dirmngr.
1937 This is mainly useful for debugging.
1940 Validate the given certificate using dirmngr's internal validation
1941 code. This is mainly useful for debugging.
1944 This command expects a list of filenames with DER encoded CRL
1945 files. With the option '--url' URLs are expected in place of
1946 filenames and they are loaded directly from the given location.
1947 All CRLs will be validated and then loaded into dirmngr's cache.
1950 Take the remaining arguments and run a lookup command on each of
1951 them. The results are Base-64 encoded outputs (without header
1952 lines). This may be used to retrieve certificates from a server.
1953 However the output format is not very well suited if more than one
1954 certificate is returned.
1958 Modify the 'lookup' and 'load-crl' commands to take an URL.
1962 Let the 'lookup' command only search the local cache.
1965 Run DIRMNGR-CLIENT in a mode suitable as a helper program for
1966 Squid's 'external_acl_type' option.
1969 File: gnupg.info, Node: gpgparsemail, Next: symcryptrun, Prev: dirmngr-client, Up: Helper Tools
1971 8.9 Parse a mail message into an annotated format
1972 =================================================
1974 The 'gpgparsemail' is a utility currently only useful for debugging.
1975 Run it with '--help' for usage information.
1978 File: gnupg.info, Node: symcryptrun, Next: gpg-zip, Prev: gpgparsemail, Up: Helper Tools
1980 8.10 Call a simple symmetric encryption tool
1981 ============================================
1983 Sometimes simple encryption tools are already in use for a long time and
1984 there might be a desire to integrate them into the GnuPG framework. The
1985 protocols and encryption methods might be non-standard or not even
1986 properly documented, so that a full-fledged encryption tool with an
1987 interface like 'gpg' is not doable. 'symcryptrun' provides a solution:
1988 It operates by calling the external encryption/decryption module and
1989 provides a passphrase for a key using the standard 'pinentry' based
1990 mechanism through 'gpg-agent'.
1992 Note, that 'symcryptrun' is only available if GnuPG has been
1993 configured with '--enable-symcryptrun' at build time.
1997 * Invoking symcryptrun:: List of all commands and options.
2000 File: gnupg.info, Node: Invoking symcryptrun, Up: symcryptrun
2002 8.10.1 List of all commands and options
2003 ---------------------------------------
2005 'symcryptrun' is invoked this way:
2007 symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
2008 [--decrypt | --encrypt] [inputfile]
2010 For encryption, the plain text must be provided on STDIN or as the
2011 argument INPUTFILE, and the ciphertext will be output to STDOUT. For
2012 decryption vice versa.
2014 CLASS describes the calling conventions of the external tool.
2015 Currently it must be given as 'confucius'. PROGRAM is the full filename
2016 of that external tool.
2018 For the class 'confucius' the option '--keyfile' is required; KEYFILE
2019 is the name of a file containing the secret key, which may be protected
2020 by a passphrase. For detailed calling conventions, see the source code.
2022 Note, that 'gpg-agent' must be running before starting 'symcryptrun'.
2024 The following additional options may be used:
2028 Output additional information while running.
2032 Try to be as quiet as possible.
2035 Set the name of the home directory to DIR. If this option is not
2036 used, the home directory defaults to '~/.gnupg'. It is only
2037 recognized when given on the command line. It also overrides any
2038 home directory stated through the environment variable 'GNUPGHOME'
2039 or (on Windows systems) by means of the Registry entry
2040 HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
2042 On Windows systems it is possible to install GnuPG as a portable
2043 application. In this case only this command line option is
2044 considered, all other ways to set a home directory are ignored.
2046 To install GnuPG as a portable application under Windows, create an
2047 empty file named 'gpgconf.ctl' in the same directory as the tool
2048 'gpgconf.exe'. The root of the installation is then that
2049 directory; or, if 'gpgconf.exe' has been installed directly below a
2050 directory named 'bin', its parent directory. You also need to make
2051 sure that the following directories exist and are writable:
2052 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
2053 for internal cache files.
2056 Append all logging output to FILE. Use 'socket://' to log to
2057 socket. Default is to write logging information to STDERR.
2059 The possible exit status codes of 'symcryptrun' are:
2064 Some error occurred.
2066 No valid passphrase was provided.
2068 The operation was canceled by the user.
2071 File: gnupg.info, Node: gpg-zip, Prev: symcryptrun, Up: Helper Tools
2073 8.11 Encrypt or sign files into an archive
2074 ==========================================
2076 'gpg-zip' encrypts or signs files into an archive. It is an gpg-ized
2077 tar using the same format as used by PGP's PGP Zip.
2079 'gpg-zip' is invoked this way:
2081 gpg-zip [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
2083 'gpg-zip' understands these options:
2087 Encrypt data. This option may be combined with '--symmetric' (for
2088 output that may be decrypted via a secret key or a passphrase).
2096 Encrypt with a symmetric cipher using a passphrase. The default
2097 symmetric cipher used is CAST5, but may be chosen with the
2098 '--cipher-algo' option to 'gpg'.
2102 Make a signature. See 'gpg'.
2106 Encrypt for user id USER. See 'gpg'.
2110 Use USER as the key to sign with. See 'gpg'.
2113 List the contents of the specified archive.
2117 Write output to specified file FILE.
2120 Use the specified command GPGCMD instead of 'gpg'.
2123 Pass the specified options to 'gpg'.
2126 Use the specified command TARCMD instead of 'tar'.
2129 Pass the specified options to 'tar'.
2132 Print version of the program and exit.
2135 Display a brief help page and exit.
2137 The program returns 0 if everything was fine, 1 otherwise.
2141 Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
2143 gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
2145 List the contents of archive 'test1':
2147 gpg-zip --list-archive test1
2150 File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Helper Tools, Up: Top
2152 9 How to do certain things
2153 **************************
2155 This is a collection of small howto documents.
2159 * Howto Create a Server Cert:: Creating a TLS server certificate.
2162 File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
2164 9.1 Creating a TLS server certificate
2165 =====================================
2167 Here is a brief run up on how to create a server certificate. It has
2168 actually been done this way to get a certificate from CAcert to be used
2169 on a real server. It has only been tested with this CA, but there
2170 shouldn't be any problem to run this against any other CA.
2172 We start by generating an X.509 certificate signing request. As
2173 there is no need for a configuration file, you may simply enter:
2175 $ gpgsm --generate-key >example.com.cert-req.pem
2176 Please select what kind of key you want:
2179 (3) Existing key from card
2182 I opted for creating a new RSA key. The other option is to use an
2183 already existing key, by selecting '2' and entering the so-called
2184 keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
2185 this keygrip. Using '3' offers another menu to create a certificate
2186 directly from a smart card based key.
2190 What keysize do you want? (2048)
2191 Requested keysize is 2048 bits
2193 Hitting enter chooses the default RSA key size of 2048 bits. Smaller
2194 keys are too weak on the modern Internet. If you choose a larger
2195 (stronger) key, your server will need to do more work.
2197 Possible actions for a RSA key:
2203 Selecting "sign" enables use of the key for Diffie-Hellman key
2204 exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
2205 they offer forward secrecy. Selecting "encrypt" enables RSA key
2206 exchange mechanisms, which are still common in some places. Selecting
2207 both enables both key exchange mechanisms.
2209 Now for some real data:
2211 Enter the X.509 subject name: CN=example.com
2213 This is the most important value for a server certificate. Enter
2214 here the canonical name of your server machine. You may add other
2215 virtual server names later.
2217 E-Mail addresses (end with an empty line):
2220 We don't need email addresses in a TLS server certificate and CAcert
2221 would anyway ignore such a request. Thus just hit enter.
2223 If you want to create a client certificate for email encryption, this
2224 would be the place to enter your mail address (e.g. <joe@example.org>).
2225 You may enter as many addresses as you like, however the CA may not
2226 accept them all or reject the entire request.
2228 Enter DNS names (optional; end with an empty line):
2233 Here I entered the names of the services which the machine actually
2234 provides. You almost always want to include the canonical name here
2235 too. The browser will accept a certificate for any of these names. As
2236 usual the CA must approve all of these names.
2238 URIs (optional; end with an empty line):
2241 It is possible to insert arbitrary URIs into a certificate; for a
2242 server certificate this does not make sense.
2244 Create self-signed certificate? (y/N)
2246 Since we are creating a certificate signing request, and not a full
2247 certificate, we answer no here, or just hit enter for the default.
2249 We have now entered all required information and 'gpgsm' will display
2250 what it has gathered and ask whether to create the certificate request:
2252 These parameters are used:
2255 Key-Usage: sign, encrypt
2256 Name-DN: CN=example.com
2257 Name-DNS: example.com
2258 Name-DNS: www.example.com
2260 Proceed with creation? (y/N) y
2262 'gpgsm' will now start working on creating the request. As this
2263 includes the creation of an RSA key it may take a while. During this
2264 time you will be asked 3 times for a passphrase to protect the created
2265 private key on your system. A pop up window will appear to ask for it.
2266 The first two prompts are for the new passphrase and for re-entering it;
2267 the third one is required to actually create the certificate signing
2270 When it is ready, you should see the final notice:
2272 Ready. You should now send this request to your CA.
2274 Now, you may look at the created request:
2276 $ cat example.com.cert-req.pem
2277 -----BEGIN CERTIFICATE REQUEST-----
2278 MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
2279 DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
2280 h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
2281 Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
2282 GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
2283 DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
2284 xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
2285 hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
2286 ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
2287 b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
2288 hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
2289 bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
2290 VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
2291 k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
2292 -----END CERTIFICATE REQUEST-----
2295 You may now proceed by logging into your account at the CAcert
2296 website, choose 'Server Certificates - New', check 'sign by class 3 root
2297 certificate', paste the above request block into the text field and
2300 If everything works out fine, a certificate will be shown. Now run
2304 and paste the certificate from the CAcert page into your terminal
2305 followed by a Ctrl-D
2307 -----BEGIN CERTIFICATE-----
2308 MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
2310 rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
2312 -----END CERTIFICATE-----
2313 gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
2314 gpgsm: certificate imported
2316 gpgsm: total number processed: 1
2319 'gpgsm' tells you that it has imported the certificate. It is now
2320 associated with the key you used when creating the request. The root
2321 certificate has not been found, so you may want to import it from the
2324 To see the content of your certificate, you may now enter:
2326 $ gpgsm -K example.com
2327 /home/foo/.gnupg/pubring.kbx
2328 ---------------------------
2330 Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
2331 Subject: /CN=example.com
2332 aka: (dns-name example.com)
2333 aka: (dns-name www.example.com)
2334 validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
2335 key type: 2048 bit RSA
2336 key usage: digitalSignature keyEncipherment
2337 ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
2338 fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
2340 I used '-K' above because this will only list certificates for which
2341 a private key is available. To see more details, you may use
2342 '--dump-secret-keys' instead of '-K'.
2344 To make actual use of the certificate you need to install it on your
2345 server. Server software usually expects a PKCS\#12 file with key and
2346 certificate. To create such a file, run:
2348 $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
2350 You will be asked for the passphrase as well as for a new passphrase
2351 to be used to protect the PKCS\#12 file. The file now contains the
2352 certificate as well as the private key:
2354 $ cat example-cert.pem
2355 Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
2357 Subject ..: /CN=example.com
2358 aka ..: (dns-name example.com)
2359 aka ..: (dns-name www.example.com)
2361 -----BEGIN PKCS12-----
2362 MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
2363 [...many more lines...]
2364 -----END PKCS12-----
2367 Copy this file in a secure way to the server, install it there and
2368 delete the file then. You may export the file again at any time as long
2369 as it is available in GnuPG's private key database.
2372 File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
2374 10 Notes pertaining to certain OSes
2375 ***********************************
2377 GnuPG has been developed on GNU/Linux systems and is know to work on
2378 almost all Free OSes. All modern POSIX systems should be supported
2379 right now, however there are probably a lot of smaller glitches we need
2380 to fix first. The major problem areas are:
2382 * We are planning to use file descriptor passing for interprocess
2383 communication. This will allow us save a lot of resources and
2384 improve performance of certain operations a lot. Systems not
2385 supporting this won't gain these benefits but we try to keep them
2386 working the standard way as it is done today.
2388 * We require more or less full POSIX compatibility. This has been
2389 around for 15 years now and thus we don't believe it makes sense to
2390 support non POSIX systems anymore. Well, we of course the usual
2391 workarounds for near POSIX systems well be applied.
2393 There is one exception of this rule: Systems based the Microsoft
2394 Windows API (called here _W32_) will be supported to some extend.
2398 * W32 Notes:: Microsoft Windows Notes
2401 File: gnupg.info, Node: W32 Notes, Up: System Notes
2403 10.1 Microsoft Windows Notes
2404 ============================
2406 Current limitations are:
2408 * 'gpgconf' does not create backup files, so in case of trouble your
2409 configuration file might get lost.
2411 * 'watchgnupg' is not available. Logging to sockets is not possible.
2413 * The periodical smartcard status checking done by 'scdaemon' is not
2417 File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
2419 11 How to solve problems
2420 ************************
2422 Everyone knows that software often does not do what it should do and
2423 thus there is a need to track down problems. We call this debugging in
2424 a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
2426 Most of the problems a merely configuration and user problems but
2427 nevertheless they are the most annoying ones and responsible for many
2428 gray hairs. We try to give some guidelines here on how to identify and
2429 solve the problem at hand.
2433 * Debugging Tools:: Description of some useful tools.
2434 * Debugging Hints:: Various hints on debugging.
2435 * Common Problems:: Commonly seen problems.
2436 * Architecture Details:: How the whole thing works internally.
2439 File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
2441 11.1 Debugging Tools
2442 ====================
2444 The GnuPG distribution comes with a couple of tools, useful to help find
2445 and solving problems.
2449 * kbxutil:: Scrutinizing a keybox file.
2452 File: gnupg.info, Node: kbxutil, Up: Debugging Tools
2454 11.1.1 Scrutinizing a keybox file
2455 ---------------------------------
2457 A keybox is a file format used to store public keys along with meta
2458 information and indices. The commonly used one is the file
2459 'pubring.kbx' in the '.gnupg' directory. It contains all X.509
2460 certificates as well as OpenPGP keys(1).
2462 When called the standard way, e.g.:
2464 'kbxutil ~/.gnupg/pubring.kbx'
2466 it lists all records (called blobs) with there meta-information in a
2467 human readable format.
2469 To see statistics on the keybox in question, run it using
2471 'kbxutil --stats ~/.gnupg/pubring.kbx'
2473 and you get an output like:
2475 Total number of blobs: 99
2482 ephemeral flagged: 17
2484 In this example you see that the keybox does not have any OpenPGP
2485 keys but contains 98 X.509 certificates and a total of 17 keys or
2486 certificates are flagged as ephemeral, meaning that they are only
2487 temporary stored (cached) in the keybox and won't get listed using the
2488 usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
2489 in a standard way and directly available from 'gpgsm'.
2491 To find duplicated certificates and keyblocks in a keybox file (this
2492 should not occur but sometimes things go wrong), run it using
2494 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
2496 ---------- Footnotes ----------
2498 (1) Well, OpenPGP keys are not implemented, 'gpg' still used the
2499 keyring file 'pubring.gpg'.
2502 File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
2504 11.2 Various hints on debugging
2505 ===============================
2507 * How to find the IP address of a keyserver
2509 If a round robin URL of is used for a keyserver (e.g.
2510 subkeys.gnupg.org); it is not easy to see what server is actually
2511 used. Using the keyserver debug option as in
2513 gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
2515 is thus often helpful. Note that the actual output depends on the
2516 backend and may change from release to release.
2518 * Logging on WindowsCE
2520 For development, the best logging method on WindowsCE is the use of
2521 remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
2522 The command 'watchgnupg' may be used on the remote host to listen
2523 on the given port (*note option watchgnupg --tcp::). For in the
2524 field tests it is better to make use of the logging facility
2525 provided by the 'gpgcedev' driver (part of libassuan); this is
2526 enabled by using a log file name of 'GPG2:' (*note option
2530 File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
2532 11.3 Commonly Seen Problems
2533 ===========================
2535 * Error code 'Not supported' from Dirmngr
2537 Most likely the option 'enable-ocsp' is active for gpgsm but
2538 Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
2541 * The Curses based Pinentry does not work
2543 The far most common reason for this is that the environment
2544 variable 'GPG_TTY' has not been set correctly. Make sure that it
2545 has been set to a real tty device and not just to '/dev/tty'; i.e.
2546 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
2547 note the back ticks. Also make sure that this environment variable
2548 gets exported, that is you should follow up the setting with an
2549 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
2550 based Pinentries; you should have set 'GPG_TTY'. See the section
2551 on installing the 'gpg-agent' on how to do it.
2553 * SSH hangs while a popping up pinentry was expected
2555 SSH has no way to tell the gpg-agent what terminal or X display it
2556 is running on. So when remotely logging into a box where a
2557 gpg-agent with SSH support is running, the pinentry will get popped
2558 up on whatever display the gpg-agent has been started. To solve
2559 this problem you may issue the command
2561 echo UPDATESTARTUPTTY | gpg-connect-agent
2563 and the next pinentry will pop up on your display or screen.
2564 However, you need to kill the running pinentry first because only
2565 one pinentry may be running at once. If you plan to use ssh on a
2566 new display you should issue the above command before invoking ssh
2567 or any other service making use of ssh.
2569 * Exporting a secret key without a certificate
2571 It may happen that you have created a certificate request using
2572 'gpgsm' but not yet received and imported the certificate from the
2573 CA. However, you want to export the secret key to another machine
2574 right now to import the certificate over there then. You can do
2575 this with a little trick but it requires that you know the
2576 approximate time you created the signing request. By running the
2579 ls -ltr ~/.gnupg/private-keys-v1.d
2581 you get a listing of all private keys under control of 'gpg-agent'.
2582 Pick the key which best matches the creation time and run the
2585 /usr/local/libexec/gpg-protect-tool --p12-export \
2586 ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
2588 (Please adjust the path to 'gpg-protect-tool' to the appropriate
2589 location). FOO is the name of the key file you picked (it should
2590 have the suffix '.key'). A Pinentry box will pop up and ask you
2591 for the current passphrase of the key and a new passphrase to
2592 protect it in the pkcs#12 file.
2594 To import the created file on the machine you use this command:
2596 /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
2598 You will be asked for the pkcs#12 passphrase and a new passphrase
2599 to protect the imported private key at its new location.
2601 Note that there is no easy way to match existing certificates with
2602 stored private keys because some private keys are used for Secure
2603 Shell or other purposes and don't have a corresponding certificate.
2605 * A root certificate does not verify
2607 A common problem is that the root certificate misses the required
2608 basicConstraints attribute and thus 'gpgsm' rejects this
2609 certificate. An error message indicating "no value" is a sign for
2610 such a certificate. You may use the 'relax' flag in
2611 'trustlist.txt' to accept the certificate anyway. Note that the
2612 fingerprint and this flag may only be added manually to
2615 * Error message: "digest algorithm N has not been enabled"
2617 The signature is broken. You may try the option
2618 '--extra-digest-algo SHA256' to workaround the problem. The number
2619 N is the internal algorithm identifier; for example 8 refers to
2622 * The Windows version does not work under Wine
2624 When running the W32 version of 'gpg' under Wine you may get an
2625 error messages like:
2627 gpg: fatal: WriteConsole failed: Access denied
2629 The solution is to use the command 'wineconsole'.
2631 Some operations like '--generate-key' really want to talk to the
2632 console directly for increased security (for example to prevent the
2633 passphrase from appearing on the screen). So, you should use
2634 'wineconsole' instead of 'wine', which will launch a windows
2635 console that implements those additional features.
2637 * Why does GPG's -search-key list weird keys?
2639 For performance reasons the keyservers do not check the keys the
2640 same way 'gpg' does. It may happen that the listing of keys
2641 available on the keyservers shows keys with wrong user IDs or with
2642 user Ids from other keys. If you try to import this key, the bad
2643 keys or bad user ids won't get imported, though. This is a bit
2644 unfortunate but we can't do anything about it without actually
2645 downloading the keys.
2648 File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
2650 11.4 How the whole thing works internally
2651 =========================================
2655 * Component interaction:: How the components work together.
2656 * GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
2659 File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
2661 11.4.1 How the components work together
2662 ---------------------------------------
2664 \0\b[image src="gnupg-module-overview.png" alt="GnuPG modules"
\0\b]
2666 Figure 11.1: GnuPG module overview
2669 File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
2671 11.4.2 Relationship between GnuPG 1.4 and 2.x
2672 ---------------------------------------------
2674 Here is a little picture showing how the different GnuPG versions make
2677 \0\b[image src="gnupg-card-architecture.png" alt="GnuPG card architecture"
\0\b]
2679 Figure 11.2: GnuPG card architecture
2682 File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
2684 GNU General Public License
2685 **************************
2687 Version 3, 29 June 2007
2689 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
2691 Everyone is permitted to copy and distribute verbatim copies of this
2692 license document, but changing it is not allowed.
2697 The GNU General Public License is a free, copyleft license for software
2698 and other kinds of works.
2700 The licenses for most software and other practical works are designed
2701 to take away your freedom to share and change the works. By contrast,
2702 the GNU General Public License is intended to guarantee your freedom to
2703 share and change all versions of a program-to make sure it remains free
2704 software for all its users. We, the Free Software Foundation, use the
2705 GNU General Public License for most of our software; it applies also to
2706 any other work released this way by its authors. You can apply it to
2709 When we speak of free software, we are referring to freedom, not
2710 price. Our General Public Licenses are designed to make sure that you
2711 have the freedom to distribute copies of free software (and charge for
2712 them if you wish), that you receive source code or can get it if you
2713 want it, that you can change the software or use pieces of it in new
2714 free programs, and that you know you can do these things.
2716 To protect your rights, we need to prevent others from denying you
2717 these rights or asking you to surrender the rights. Therefore, you have
2718 certain responsibilities if you distribute copies of the software, or if
2719 you modify it: responsibilities to respect the freedom of others.
2721 For example, if you distribute copies of such a program, whether
2722 gratis or for a fee, you must pass on to the recipients the same
2723 freedoms that you received. You must make sure that they, too, receive
2724 or can get the source code. And you must show them these terms so they
2727 Developers that use the GNU GPL protect your rights with two steps:
2728 (1) assert copyright on the software, and (2) offer you this License
2729 giving you legal permission to copy, distribute and/or modify it.
2731 For the developers' and authors' protection, the GPL clearly explains
2732 that there is no warranty for this free software. For both users' and
2733 authors' sake, the GPL requires that modified versions be marked as
2734 changed, so that their problems will not be attributed erroneously to
2735 authors of previous versions.
2737 Some devices are designed to deny users access to install or run
2738 modified versions of the software inside them, although the manufacturer
2739 can do so. This is fundamentally incompatible with the aim of
2740 protecting users' freedom to change the software. The systematic
2741 pattern of such abuse occurs in the area of products for individuals to
2742 use, which is precisely where it is most unacceptable. Therefore, we
2743 have designed this version of the GPL to prohibit the practice for those
2744 products. If such problems arise substantially in other domains, we
2745 stand ready to extend this provision to those domains in future versions
2746 of the GPL, as needed to protect the freedom of users.
2748 Finally, every program is threatened constantly by software patents.
2749 States should not allow patents to restrict development and use of
2750 software on general-purpose computers, but in those that do, we wish to
2751 avoid the special danger that patents applied to a free program could
2752 make it effectively proprietary. To prevent this, the GPL assures that
2753 patents cannot be used to render the program non-free.
2755 The precise terms and conditions for copying, distribution and
2756 modification follow.
2758 TERMS AND CONDITIONS
2762 "This License" refers to version 3 of the GNU General Public
2765 "Copyright" also means copyright-like laws that apply to other
2766 kinds of works, such as semiconductor masks.
2768 "The Program" refers to any copyrightable work licensed under this
2769 License. Each licensee is addressed as "you". "Licensees" and
2770 "recipients" may be individuals or organizations.
2772 To "modify" a work means to copy from or adapt all or part of the
2773 work in a fashion requiring copyright permission, other than the
2774 making of an exact copy. The resulting work is called a "modified
2775 version" of the earlier work or a work "based on" the earlier work.
2777 A "covered work" means either the unmodified Program or a work
2778 based on the Program.
2780 To "propagate" a work means to do anything with it that, without
2781 permission, would make you directly or secondarily liable for
2782 infringement under applicable copyright law, except executing it on
2783 a computer or modifying a private copy. Propagation includes
2784 copying, distribution (with or without modification), making
2785 available to the public, and in some countries other activities as
2788 To "convey" a work means any kind of propagation that enables other
2789 parties to make or receive copies. Mere interaction with a user
2790 through a computer network, with no transfer of a copy, is not
2793 An interactive user interface displays "Appropriate Legal Notices"
2794 to the extent that it includes a convenient and prominently visible
2795 feature that (1) displays an appropriate copyright notice, and (2)
2796 tells the user that there is no warranty for the work (except to
2797 the extent that warranties are provided), that licensees may convey
2798 the work under this License, and how to view a copy of this
2799 License. If the interface presents a list of user commands or
2800 options, such as a menu, a prominent item in the list meets this
2805 The "source code" for a work means the preferred form of the work
2806 for making modifications to it. "Object code" means any non-source
2809 A "Standard Interface" means an interface that either is an
2810 official standard defined by a recognized standards body, or, in
2811 the case of interfaces specified for a particular programming
2812 language, one that is widely used among developers working in that
2815 The "System Libraries" of an executable work include anything,
2816 other than the work as a whole, that (a) is included in the normal
2817 form of packaging a Major Component, but which is not part of that
2818 Major Component, and (b) serves only to enable use of the work with
2819 that Major Component, or to implement a Standard Interface for
2820 which an implementation is available to the public in source code
2821 form. A "Major Component", in this context, means a major
2822 essential component (kernel, window system, and so on) of the
2823 specific operating system (if any) on which the executable work
2824 runs, or a compiler used to produce the work, or an object code
2825 interpreter used to run it.
2827 The "Corresponding Source" for a work in object code form means all
2828 the source code needed to generate, install, and (for an executable
2829 work) run the object code and to modify the work, including scripts
2830 to control those activities. However, it does not include the
2831 work's System Libraries, or general-purpose tools or generally
2832 available free programs which are used unmodified in performing
2833 those activities but which are not part of the work. For example,
2834 Corresponding Source includes interface definition files associated
2835 with source files for the work, and the source code for shared
2836 libraries and dynamically linked subprograms that the work is
2837 specifically designed to require, such as by intimate data
2838 communication or control flow between those subprograms and other
2841 The Corresponding Source need not include anything that users can
2842 regenerate automatically from other parts of the Corresponding
2845 The Corresponding Source for a work in source code form is that
2848 2. Basic Permissions.
2850 All rights granted under this License are granted for the term of
2851 copyright on the Program, and are irrevocable provided the stated
2852 conditions are met. This License explicitly affirms your unlimited
2853 permission to run the unmodified Program. The output from running
2854 a covered work is covered by this License only if the output, given
2855 its content, constitutes a covered work. This License acknowledges
2856 your rights of fair use or other equivalent, as provided by
2859 You may make, run and propagate covered works that you do not
2860 convey, without conditions so long as your license otherwise
2861 remains in force. You may convey covered works to others for the
2862 sole purpose of having them make modifications exclusively for you,
2863 or provide you with facilities for running those works, provided
2864 that you comply with the terms of this License in conveying all
2865 material for which you do not control copyright. Those thus making
2866 or running the covered works for you must do so exclusively on your
2867 behalf, under your direction and control, on terms that prohibit
2868 them from making any copies of your copyrighted material outside
2869 their relationship with you.
2871 Conveying under any other circumstances is permitted solely under
2872 the conditions stated below. Sublicensing is not allowed; section
2873 10 makes it unnecessary.
2875 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
2877 No covered work shall be deemed part of an effective technological
2878 measure under any applicable law fulfilling obligations under
2879 article 11 of the WIPO copyright treaty adopted on 20 December
2880 1996, or similar laws prohibiting or restricting circumvention of
2883 When you convey a covered work, you waive any legal power to forbid
2884 circumvention of technological measures to the extent such
2885 circumvention is effected by exercising rights under this License
2886 with respect to the covered work, and you disclaim any intention to
2887 limit operation or modification of the work as a means of
2888 enforcing, against the work's users, your or third parties' legal
2889 rights to forbid circumvention of technological measures.
2891 4. Conveying Verbatim Copies.
2893 You may convey verbatim copies of the Program's source code as you
2894 receive it, in any medium, provided that you conspicuously and
2895 appropriately publish on each copy an appropriate copyright notice;
2896 keep intact all notices stating that this License and any
2897 non-permissive terms added in accord with section 7 apply to the
2898 code; keep intact all notices of the absence of any warranty; and
2899 give all recipients a copy of this License along with the Program.
2901 You may charge any price or no price for each copy that you convey,
2902 and you may offer support or warranty protection for a fee.
2904 5. Conveying Modified Source Versions.
2906 You may convey a work based on the Program, or the modifications to
2907 produce it from the Program, in the form of source code under the
2908 terms of section 4, provided that you also meet all of these
2911 a. The work must carry prominent notices stating that you
2912 modified it, and giving a relevant date.
2914 b. The work must carry prominent notices stating that it is
2915 released under this License and any conditions added under
2916 section 7. This requirement modifies the requirement in
2917 section 4 to "keep intact all notices".
2919 c. You must license the entire work, as a whole, under this
2920 License to anyone who comes into possession of a copy. This
2921 License will therefore apply, along with any applicable
2922 section 7 additional terms, to the whole of the work, and all
2923 its parts, regardless of how they are packaged. This License
2924 gives no permission to license the work in any other way, but
2925 it does not invalidate such permission if you have separately
2928 d. If the work has interactive user interfaces, each must display
2929 Appropriate Legal Notices; however, if the Program has
2930 interactive interfaces that do not display Appropriate Legal
2931 Notices, your work need not make them do so.
2933 A compilation of a covered work with other separate and independent
2934 works, which are not by their nature extensions of the covered
2935 work, and which are not combined with it such as to form a larger
2936 program, in or on a volume of a storage or distribution medium, is
2937 called an "aggregate" if the compilation and its resulting
2938 copyright are not used to limit the access or legal rights of the
2939 compilation's users beyond what the individual works permit.
2940 Inclusion of a covered work in an aggregate does not cause this
2941 License to apply to the other parts of the aggregate.
2943 6. Conveying Non-Source Forms.
2945 You may convey a covered work in object code form under the terms
2946 of sections 4 and 5, provided that you also convey the
2947 machine-readable Corresponding Source under the terms of this
2948 License, in one of these ways:
2950 a. Convey the object code in, or embodied in, a physical product
2951 (including a physical distribution medium), accompanied by the
2952 Corresponding Source fixed on a durable physical medium
2953 customarily used for software interchange.
2955 b. Convey the object code in, or embodied in, a physical product
2956 (including a physical distribution medium), accompanied by a
2957 written offer, valid for at least three years and valid for as
2958 long as you offer spare parts or customer support for that
2959 product model, to give anyone who possesses the object code
2960 either (1) a copy of the Corresponding Source for all the
2961 software in the product that is covered by this License, on a
2962 durable physical medium customarily used for software
2963 interchange, for a price no more than your reasonable cost of
2964 physically performing this conveying of source, or (2) access
2965 to copy the Corresponding Source from a network server at no
2968 c. Convey individual copies of the object code with a copy of the
2969 written offer to provide the Corresponding Source. This
2970 alternative is allowed only occasionally and noncommercially,
2971 and only if you received the object code with such an offer,
2972 in accord with subsection 6b.
2974 d. Convey the object code by offering access from a designated
2975 place (gratis or for a charge), and offer equivalent access to
2976 the Corresponding Source in the same way through the same
2977 place at no further charge. You need not require recipients
2978 to copy the Corresponding Source along with the object code.
2979 If the place to copy the object code is a network server, the
2980 Corresponding Source may be on a different server (operated by
2981 you or a third party) that supports equivalent copying
2982 facilities, provided you maintain clear directions next to the
2983 object code saying where to find the Corresponding Source.
2984 Regardless of what server hosts the Corresponding Source, you
2985 remain obligated to ensure that it is available for as long as
2986 needed to satisfy these requirements.
2988 e. Convey the object code using peer-to-peer transmission,
2989 provided you inform other peers where the object code and
2990 Corresponding Source of the work are being offered to the
2991 general public at no charge under subsection 6d.
2993 A separable portion of the object code, whose source code is
2994 excluded from the Corresponding Source as a System Library, need
2995 not be included in conveying the object code work.
2997 A "User Product" is either (1) a "consumer product", which means
2998 any tangible personal property which is normally used for personal,
2999 family, or household purposes, or (2) anything designed or sold for
3000 incorporation into a dwelling. In determining whether a product is
3001 a consumer product, doubtful cases shall be resolved in favor of
3002 coverage. For a particular product received by a particular user,
3003 "normally used" refers to a typical or common use of that class of
3004 product, regardless of the status of the particular user or of the
3005 way in which the particular user actually uses, or expects or is
3006 expected to use, the product. A product is a consumer product
3007 regardless of whether the product has substantial commercial,
3008 industrial or non-consumer uses, unless such uses represent the
3009 only significant mode of use of the product.
3011 "Installation Information" for a User Product means any methods,
3012 procedures, authorization keys, or other information required to
3013 install and execute modified versions of a covered work in that
3014 User Product from a modified version of its Corresponding Source.
3015 The information must suffice to ensure that the continued
3016 functioning of the modified object code is in no case prevented or
3017 interfered with solely because modification has been made.
3019 If you convey an object code work under this section in, or with,
3020 or specifically for use in, a User Product, and the conveying
3021 occurs as part of a transaction in which the right of possession
3022 and use of the User Product is transferred to the recipient in
3023 perpetuity or for a fixed term (regardless of how the transaction
3024 is characterized), the Corresponding Source conveyed under this
3025 section must be accompanied by the Installation Information. But
3026 this requirement does not apply if neither you nor any third party
3027 retains the ability to install modified object code on the User
3028 Product (for example, the work has been installed in ROM).
3030 The requirement to provide Installation Information does not
3031 include a requirement to continue to provide support service,
3032 warranty, or updates for a work that has been modified or installed
3033 by the recipient, or for the User Product in which it has been
3034 modified or installed. Access to a network may be denied when the
3035 modification itself materially and adversely affects the operation
3036 of the network or violates the rules and protocols for
3037 communication across the network.
3039 Corresponding Source conveyed, and Installation Information
3040 provided, in accord with this section must be in a format that is
3041 publicly documented (and with an implementation available to the
3042 public in source code form), and must require no special password
3043 or key for unpacking, reading or copying.
3045 7. Additional Terms.
3047 "Additional permissions" are terms that supplement the terms of
3048 this License by making exceptions from one or more of its
3049 conditions. Additional permissions that are applicable to the
3050 entire Program shall be treated as though they were included in
3051 this License, to the extent that they are valid under applicable
3052 law. If additional permissions apply only to part of the Program,
3053 that part may be used separately under those permissions, but the
3054 entire Program remains governed by this License without regard to
3055 the additional permissions.
3057 When you convey a copy of a covered work, you may at your option
3058 remove any additional permissions from that copy, or from any part
3059 of it. (Additional permissions may be written to require their own
3060 removal in certain cases when you modify the work.) You may place
3061 additional permissions on material, added by you to a covered work,
3062 for which you have or can give appropriate copyright permission.
3064 Notwithstanding any other provision of this License, for material
3065 you add to a covered work, you may (if authorized by the copyright
3066 holders of that material) supplement the terms of this License with
3069 a. Disclaiming warranty or limiting liability differently from
3070 the terms of sections 15 and 16 of this License; or
3072 b. Requiring preservation of specified reasonable legal notices
3073 or author attributions in that material or in the Appropriate
3074 Legal Notices displayed by works containing it; or
3076 c. Prohibiting misrepresentation of the origin of that material,
3077 or requiring that modified versions of such material be marked
3078 in reasonable ways as different from the original version; or
3080 d. Limiting the use for publicity purposes of names of licensors
3081 or authors of the material; or
3083 e. Declining to grant rights under trademark law for use of some
3084 trade names, trademarks, or service marks; or
3086 f. Requiring indemnification of licensors and authors of that
3087 material by anyone who conveys the material (or modified
3088 versions of it) with contractual assumptions of liability to
3089 the recipient, for any liability that these contractual
3090 assumptions directly impose on those licensors and authors.
3092 All other non-permissive additional terms are considered "further
3093 restrictions" within the meaning of section 10. If the Program as
3094 you received it, or any part of it, contains a notice stating that
3095 it is governed by this License along with a term that is a further
3096 restriction, you may remove that term. If a license document
3097 contains a further restriction but permits relicensing or conveying
3098 under this License, you may add to a covered work material governed
3099 by the terms of that license document, provided that the further
3100 restriction does not survive such relicensing or conveying.
3102 If you add terms to a covered work in accord with this section, you
3103 must place, in the relevant source files, a statement of the
3104 additional terms that apply to those files, or a notice indicating
3105 where to find the applicable terms.
3107 Additional terms, permissive or non-permissive, may be stated in
3108 the form of a separately written license, or stated as exceptions;
3109 the above requirements apply either way.
3113 You may not propagate or modify a covered work except as expressly
3114 provided under this License. Any attempt otherwise to propagate or
3115 modify it is void, and will automatically terminate your rights
3116 under this License (including any patent licenses granted under the
3117 third paragraph of section 11).
3119 However, if you cease all violation of this License, then your
3120 license from a particular copyright holder is reinstated (a)
3121 provisionally, unless and until the copyright holder explicitly and
3122 finally terminates your license, and (b) permanently, if the
3123 copyright holder fails to notify you of the violation by some
3124 reasonable means prior to 60 days after the cessation.
3126 Moreover, your license from a particular copyright holder is
3127 reinstated permanently if the copyright holder notifies you of the
3128 violation by some reasonable means, this is the first time you have
3129 received notice of violation of this License (for any work) from
3130 that copyright holder, and you cure the violation prior to 30 days
3131 after your receipt of the notice.
3133 Termination of your rights under this section does not terminate
3134 the licenses of parties who have received copies or rights from you
3135 under this License. If your rights have been terminated and not
3136 permanently reinstated, you do not qualify to receive new licenses
3137 for the same material under section 10.
3139 9. Acceptance Not Required for Having Copies.
3141 You are not required to accept this License in order to receive or
3142 run a copy of the Program. Ancillary propagation of a covered work
3143 occurring solely as a consequence of using peer-to-peer
3144 transmission to receive a copy likewise does not require
3145 acceptance. However, nothing other than this License grants you
3146 permission to propagate or modify any covered work. These actions
3147 infringe copyright if you do not accept this License. Therefore,
3148 by modifying or propagating a covered work, you indicate your
3149 acceptance of this License to do so.
3151 10. Automatic Licensing of Downstream Recipients.
3153 Each time you convey a covered work, the recipient automatically
3154 receives a license from the original licensors, to run, modify and
3155 propagate that work, subject to this License. You are not
3156 responsible for enforcing compliance by third parties with this
3159 An "entity transaction" is a transaction transferring control of an
3160 organization, or substantially all assets of one, or subdividing an
3161 organization, or merging organizations. If propagation of a
3162 covered work results from an entity transaction, each party to that
3163 transaction who receives a copy of the work also receives whatever
3164 licenses to the work the party's predecessor in interest had or
3165 could give under the previous paragraph, plus a right to possession
3166 of the Corresponding Source of the work from the predecessor in
3167 interest, if the predecessor has it or can get it with reasonable
3170 You may not impose any further restrictions on the exercise of the
3171 rights granted or affirmed under this License. For example, you
3172 may not impose a license fee, royalty, or other charge for exercise
3173 of rights granted under this License, and you may not initiate
3174 litigation (including a cross-claim or counterclaim in a lawsuit)
3175 alleging that any patent claim is infringed by making, using,
3176 selling, offering for sale, or importing the Program or any portion
3181 A "contributor" is a copyright holder who authorizes use under this
3182 License of the Program or a work on which the Program is based.
3183 The work thus licensed is called the contributor's "contributor
3186 A contributor's "essential patent claims" are all patent claims
3187 owned or controlled by the contributor, whether already acquired or
3188 hereafter acquired, that would be infringed by some manner,
3189 permitted by this License, of making, using, or selling its
3190 contributor version, but do not include claims that would be
3191 infringed only as a consequence of further modification of the
3192 contributor version. For purposes of this definition, "control"
3193 includes the right to grant patent sublicenses in a manner
3194 consistent with the requirements of this License.
3196 Each contributor grants you a non-exclusive, worldwide,
3197 royalty-free patent license under the contributor's essential
3198 patent claims, to make, use, sell, offer for sale, import and
3199 otherwise run, modify and propagate the contents of its contributor
3202 In the following three paragraphs, a "patent license" is any
3203 express agreement or commitment, however denominated, not to
3204 enforce a patent (such as an express permission to practice a
3205 patent or covenant not to sue for patent infringement). To "grant"
3206 such a patent license to a party means to make such an agreement or
3207 commitment not to enforce a patent against the party.
3209 If you convey a covered work, knowingly relying on a patent
3210 license, and the Corresponding Source of the work is not available
3211 for anyone to copy, free of charge and under the terms of this
3212 License, through a publicly available network server or other
3213 readily accessible means, then you must either (1) cause the
3214 Corresponding Source to be so available, or (2) arrange to deprive
3215 yourself of the benefit of the patent license for this particular
3216 work, or (3) arrange, in a manner consistent with the requirements
3217 of this License, to extend the patent license to downstream
3218 recipients. "Knowingly relying" means you have actual knowledge
3219 that, but for the patent license, your conveying the covered work
3220 in a country, or your recipient's use of the covered work in a
3221 country, would infringe one or more identifiable patents in that
3222 country that you have reason to believe are valid.
3224 If, pursuant to or in connection with a single transaction or
3225 arrangement, you convey, or propagate by procuring conveyance of, a
3226 covered work, and grant a patent license to some of the parties
3227 receiving the covered work authorizing them to use, propagate,
3228 modify or convey a specific copy of the covered work, then the
3229 patent license you grant is automatically extended to all
3230 recipients of the covered work and works based on it.
3232 A patent license is "discriminatory" if it does not include within
3233 the scope of its coverage, prohibits the exercise of, or is
3234 conditioned on the non-exercise of one or more of the rights that
3235 are specifically granted under this License. You may not convey a
3236 covered work if you are a party to an arrangement with a third
3237 party that is in the business of distributing software, under which
3238 you make payment to the third party based on the extent of your
3239 activity of conveying the work, and under which the third party
3240 grants, to any of the parties who would receive the covered work
3241 from you, a discriminatory patent license (a) in connection with
3242 copies of the covered work conveyed by you (or copies made from
3243 those copies), or (b) primarily for and in connection with specific
3244 products or compilations that contain the covered work, unless you
3245 entered into that arrangement, or that patent license was granted,
3246 prior to 28 March 2007.
3248 Nothing in this License shall be construed as excluding or limiting
3249 any implied license or other defenses to infringement that may
3250 otherwise be available to you under applicable patent law.
3252 12. No Surrender of Others' Freedom.
3254 If conditions are imposed on you (whether by court order, agreement
3255 or otherwise) that contradict the conditions of this License, they
3256 do not excuse you from the conditions of this License. If you
3257 cannot convey a covered work so as to satisfy simultaneously your
3258 obligations under this License and any other pertinent obligations,
3259 then as a consequence you may not convey it at all. For example,
3260 if you agree to terms that obligate you to collect a royalty for
3261 further conveying from those to whom you convey the Program, the
3262 only way you could satisfy both those terms and this License would
3263 be to refrain entirely from conveying the Program.
3265 13. Use with the GNU Affero General Public License.
3267 Notwithstanding any other provision of this License, you have
3268 permission to link or combine any covered work with a work licensed
3269 under version 3 of the GNU Affero General Public License into a
3270 single combined work, and to convey the resulting work. The terms
3271 of this License will continue to apply to the part which is the
3272 covered work, but the special requirements of the GNU Affero
3273 General Public License, section 13, concerning interaction through
3274 a network will apply to the combination as such.
3276 14. Revised Versions of this License.
3278 The Free Software Foundation may publish revised and/or new
3279 versions of the GNU General Public License from time to time. Such
3280 new versions will be similar in spirit to the present version, but
3281 may differ in detail to address new problems or concerns.
3283 Each version is given a distinguishing version number. If the
3284 Program specifies that a certain numbered version of the GNU
3285 General Public License "or any later version" applies to it, you
3286 have the option of following the terms and conditions either of
3287 that numbered version or of any later version published by the Free
3288 Software Foundation. If the Program does not specify a version
3289 number of the GNU General Public License, you may choose any
3290 version ever published by the Free Software Foundation.
3292 If the Program specifies that a proxy can decide which future
3293 versions of the GNU General Public License can be used, that
3294 proxy's public statement of acceptance of a version permanently
3295 authorizes you to choose that version for the Program.
3297 Later license versions may give you additional or different
3298 permissions. However, no additional obligations are imposed on any
3299 author or copyright holder as a result of your choosing to follow a
3302 15. Disclaimer of Warranty.
3304 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
3305 APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
3306 COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
3307 WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
3308 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
3309 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
3310 RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
3311 SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
3312 NECESSARY SERVICING, REPAIR OR CORRECTION.
3314 16. Limitation of Liability.
3316 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
3317 WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
3318 AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
3319 DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
3320 CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
3321 THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
3322 BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
3323 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
3324 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
3325 THE POSSIBILITY OF SUCH DAMAGES.
3327 17. Interpretation of Sections 15 and 16.
3329 If the disclaimer of warranty and limitation of liability provided
3330 above cannot be given local legal effect according to their terms,
3331 reviewing courts shall apply local law that most closely
3332 approximates an absolute waiver of all civil liability in
3333 connection with the Program, unless a warranty or assumption of
3334 liability accompanies a copy of the Program in return for a fee.
3336 END OF TERMS AND CONDITIONS
3338 How to Apply These Terms to Your New Programs
3339 =============================================
3341 If you develop a new program, and you want it to be of the greatest
3342 possible use to the public, the best way to achieve this is to make it
3343 free software which everyone can redistribute and change under these
3346 To do so, attach the following notices to the program. It is safest
3347 to attach them to the start of each source file to most effectively
3348 state the exclusion of warranty; and each file should have at least the
3349 "copyright" line and a pointer to where the full notice is found.
3351 ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
3352 Copyright (C) YEAR NAME OF AUTHOR
3354 This program is free software: you can redistribute it and/or modify
3355 it under the terms of the GNU General Public License as published by
3356 the Free Software Foundation, either version 3 of the License, or (at
3357 your option) any later version.
3359 This program is distributed in the hope that it will be useful, but
3360 WITHOUT ANY WARRANTY; without even the implied warranty of
3361 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
3362 General Public License for more details.
3364 You should have received a copy of the GNU General Public License
3365 along with this program. If not, see <https://www.gnu.org/licenses/>.
3367 Also add information on how to contact you by electronic and paper mail.
3369 If the program does terminal interaction, make it output a short notice
3370 like this when it starts in an interactive mode:
3372 PROGRAM Copyright (C) YEAR NAME OF AUTHOR
3373 This program comes with ABSOLUTELY NO WARRANTY; for details
3374 type 'show w'. This is free software, and you are
3375 welcome to redistribute it under certain conditions;
3376 type 'show c' for details.
3378 The hypothetical commands 'show w' and 'show c' should show the
3379 appropriate parts of the General Public License. Of course, your
3380 program's commands might be different; for a GUI interface, you would
3383 You should also get your employer (if you work as a programmer) or
3384 school, if any, to sign a "copyright disclaimer" for the program, if
3385 necessary. For more information on this, and how to apply and follow
3386 the GNU GPL, see <https://www.gnu.org/licenses/>.
3388 The GNU General Public License does not permit incorporating your
3389 program into proprietary programs. If your program is a subroutine
3390 library, you may consider it more useful to permit linking proprietary
3391 applications with the library. If this is what you want to do, use the
3392 GNU Lesser General Public License instead of this License. But first,
3393 please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
3396 File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
3398 Contributors to GnuPG
3399 *********************
3401 The GnuPG project would like to thank its many contributors. Without
3402 them the project would not have been nearly as successful as it has
3403 been. Any omissions in this list are accidental. Feel free to contact
3404 the maintainer if you have been left out or some of your contributions
3407 David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
3408 Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
3409 wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
3410 Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc
3411 László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander
3412 Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda
3413 Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun
3414 Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann,
3415 Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki
3416 IIDA did the official translations. Mike Ashley wrote and maintains the
3417 GNU Privacy Handbook. David Scribner is the current FAQ editor.
3418 Lorenzo Cappelletti maintains the web site.
3420 The new modularized architecture of gnupg 1.9 as well as the
3421 X.509/CMS part has been developed as part of the Ägypten project.
3422 Direct contributors to this project are: Bernhard Herzog, who did
3423 extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
3424 made sure that we met the specifications and the deadlines. He did
3425 extensive testing and came up with a lot of suggestions. Jan-Oliver
3426 Wagner made sure that we met the specifications and the deadlines. He
3427 also did extensive testing and came up with a lot of suggestions.
3428 Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
3429 misconceptions while working on KDE integration. Marcus Brinkman
3430 extended GPGME, cleaned up the Assuan code and fixed bugs all over the
3431 place. Moritz Schulte took over Libgcrypt maintenance and developed it
3432 into a stable an useful library. Steffen Hansen had a hard time to
3433 write the dirmngr due to underspecified interfaces. Thomas Koester did
3434 extensive testing and tracked down a lot of bugs. Werner Koch designed
3435 the system and wrote most of the code.
3437 The following people helped greatly by suggesting improvements,
3438 testing, fixing bugs, providing resources and doing other important
3439 tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
3440 Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
3441 Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
3442 Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
3443 Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
3444 Christian Kurz, Christian von Roques, Christopher Oliver, Christian
3445 Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
3446 David C Niemi, David Champion, David Ellement, David Hallinan, David
3447 Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
3448 Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
3449 Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
3450 Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
3451 Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
3452 Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
3453 Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
3454 Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
3455 Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
3456 Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
3457 Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
3458 Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
3459 MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
3460 John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
3461 Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
3462 Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
3463 Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
3464 M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
3465 Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
3466 Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
3467 Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
3468 Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
3469 Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
3470 Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
3471 Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
3472 Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
3473 Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
3474 Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
3475 Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
3476 Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
3477 Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
3478 Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
3479 Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
3480 Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
3481 Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
3482 Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
3483 Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
3484 Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
3485 Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
3488 This software has been made possible by the previous work of Chris
3489 Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
3490 Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
3491 Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
3492 mathematicians and all the folks who have worked hard to create complete
3493 and free operating systems.
3495 And finally we'd like to thank everyone who uses these tools, submits
3496 bug reports and generally reminds us why we're doing this work in the
3500 File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
3506 The _Authority Revocation List_ is technical identical to a CRL but
3507 used for CAs and not for end user certificates.
3510 Verification model for X.509 which uses the creation date of a
3511 signature as the date the validation starts and in turn checks that
3512 each certificate has been issued within the time frame, the issuing
3513 certificate was valid. This allows the verification of signatures
3514 after the CA's certificate expired. The validation test also
3515 required an online check of the certificate status. The chain
3516 model is required by the German signature law. See also _Shell
3520 The _Cryptographic Message Standard_ describes a message format for
3521 encryption and digital signing. It is closely related to the X.509
3522 certificate format. CMS was formerly known under the name 'PKCS#7'
3523 and is described by 'RFC3369'.
3526 The _Certificate Revocation List_ is a list containing certificates
3527 revoked by the issuer.
3530 The _Certificate Signing Request_ is a message send to a CA to ask
3531 them to issue a new certificate. The data format of such a signing
3532 request is called PCKS#10.
3535 A data format used to build a PKI and to exchange encrypted or
3536 signed messages. In contrast to X.509, OpenPGP also includes the
3537 message format but does not explicitly demand a specific PKI.
3538 However any kind of PKI may be build upon the OpenPGP protocol.
3541 This term is used by GnuPG to describe a 20 byte hash value used to
3542 identify a certain key without referencing to a concrete protocol.
3543 It is used internally to access a private key. Usually it is shown
3544 and entered as a 40 character hexadecimal formatted string.
3547 The _Online Certificate Status Protocol_ is used as an alternative
3548 to a CRL. It is described in 'RFC 2560'.
3551 The _Personal Security Environment_ describes a database to store
3552 private keys. This is either a smartcard or a collection of files
3553 on a disk; the latter is often called a Soft-PSE.
3556 The standard model for validation of certificates under X.509. At
3557 the time of the verification all certificates must be valid and not
3558 expired. See also _Chain model_.
3561 Description of a PKI used with CMS. It is for example defined by
3565 File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
3573 * add-servers: Dirmngr Options. (line 214)
3574 * agent-program: GPG Configuration Options.
3576 * agent-program <1>: Configuration Options.
3578 * agent-program <2>: Invoking gpg-connect-agent.
3580 * allow-admin: Scdaemon Options. (line 192)
3581 * allow-emacs-pinentry: Agent Options. (line 180)
3582 * allow-freeform-uid: GPG Esoteric Options.
3584 * allow-loopback-pinentry: Agent Options. (line 162)
3585 * allow-multiple-messages: GPG Esoteric Options.
3587 * allow-non-selfsigned-uid: GPG Esoteric Options.
3589 * allow-ocsp: Dirmngr Options. (line 231)
3590 * allow-preset-passphrase: Agent Options. (line 157)
3591 * allow-secret-key-import: GPG Esoteric Options.
3593 * allow-version-check: Dirmngr Options. (line 109)
3594 * allow-weak-digest-algos: GPG Esoteric Options.
3596 * always-trust: Deprecated Options. (line 21)
3597 * armor: GPG Input and Output.
3599 * armor <1>: Input and Output. (line 8)
3600 * ask-cert-expire: GPG Esoteric Options.
3602 * ask-cert-level: GPG Configuration Options.
3604 * ask-sig-expire: GPG Esoteric Options.
3606 * assume-armor: Input and Output. (line 14)
3607 * assume-base64: Input and Output. (line 18)
3608 * assume-binary: Input and Output. (line 21)
3609 * attribute-fd: GPG Esoteric Options.
3611 * attribute-file: GPG Esoteric Options.
3613 * auto-check-trustdb: GPG Configuration Options.
3615 * auto-issuer-key-retrieve: Certificate Options. (line 50)
3616 * auto-key-locate: GPG Configuration Options.
3618 * auto-key-retrieve: GPG Configuration Options.
3620 * base64: Input and Output. (line 11)
3621 * batch: Agent Options. (line 44)
3622 * batch <1>: GPG Configuration Options.
3624 * bzip2-compress-level: GPG Configuration Options.
3626 * bzip2-decompress-lowmem: GPG Configuration Options.
3628 * c: Dirmngr Options. (line 79)
3629 * cache-cert: dirmngr-client. (line 72)
3630 * call-dirmngr: Operational GPGSM Commands.
3632 * call-protect-tool: Operational GPGSM Commands.
3634 * card-edit: Operational GPG Commands.
3636 * card-status: Operational GPG Commands.
3638 * card-timeout: Scdaemon Options. (line 168)
3639 * cert-digest-algo: GPG Esoteric Options.
3641 * cert-notation: GPG Esoteric Options.
3643 * cert-policy-url: GPG Esoteric Options.
3645 * change-passphrase: OpenPGP Key Management.
3647 * change-passphrase <1>: Certificate Management.
3649 * change-pin: Operational GPG Commands.
3651 * check-passphrase-pattern: Agent Options. (line 230)
3652 * check-signatures: Operational GPG Commands.
3654 * check-sigs: Operational GPG Commands.
3656 * check-trustdb: Operational GPG Commands.
3658 * cipher-algo: GPG Esoteric Options.
3660 * cipher-algo <1>: CMS Options. (line 13)
3661 * clear-sign: Operational GPG Commands.
3663 * clearsign: Operational GPG Commands.
3665 * command-fd: GPG Esoteric Options.
3667 * command-file: GPG Esoteric Options.
3669 * comment: GPG Esoteric Options.
3671 * compliance: Compliance Options. (line 64)
3672 * compliant-needed: GPG Configuration Options.
3674 * compress-algo: GPG Esoteric Options.
3676 * compress-level: GPG Configuration Options.
3678 * create-socketdir: Invoking gpgconf. (line 88)
3679 * csh: Agent Options. (line 134)
3680 * csh <1>: Dirmngr Options. (line 79)
3681 * ctapi-driver: Scdaemon Options. (line 145)
3682 * daemon: Agent Commands. (line 27)
3683 * daemon <1>: Dirmngr Commands. (line 27)
3684 * daemon <2>: Scdaemon Commands. (line 31)
3685 * dearmor: Operational GPG Commands.
3687 * debug: Agent Options. (line 78)
3688 * debug <1>: Dirmngr Options. (line 55)
3689 * debug <2>: GPG Esoteric Options.
3691 * debug <3>: Esoteric Options. (line 54)
3692 * debug <4>: Scdaemon Options. (line 69)
3693 * debug-all: Agent Options. (line 102)
3694 * debug-all <1>: Dirmngr Options. (line 60)
3695 * debug-all <2>: GPG Esoteric Options.
3697 * debug-all <3>: Esoteric Options. (line 81)
3698 * debug-all <4>: Scdaemon Options. (line 96)
3699 * debug-allow-core-dump: Esoteric Options. (line 84)
3700 * debug-allow-core-dump <1>: Scdaemon Options. (line 113)
3701 * debug-assuan-log-cats: Scdaemon Options. (line 122)
3702 * debug-disable-ticker: Scdaemon Options. (line 109)
3703 * debug-ignore-expiration: Esoteric Options. (line 95)
3704 * debug-iolbf: GPG Esoteric Options.
3706 * debug-level: Agent Options. (line 53)
3707 * debug-level <1>: Dirmngr Options. (line 30)
3708 * debug-level <2>: GPG Esoteric Options.
3710 * debug-level <3>: Esoteric Options. (line 29)
3711 * debug-level <4>: Scdaemon Options. (line 40)
3712 * debug-log-tid: Scdaemon Options. (line 119)
3713 * debug-no-chain-validation: Esoteric Options. (line 91)
3714 * debug-pinentry: Agent Options. (line 122)
3715 * debug-quick-random: Agent Options. (line 110)
3716 * debug-wait: Agent Options. (line 105)
3717 * debug-wait <1>: Dirmngr Options. (line 66)
3718 * debug-wait <2>: Scdaemon Options. (line 99)
3719 * debug-wait <3>: Scdaemon Options. (line 104)
3720 * decode: Invoking gpg-connect-agent.
3722 * decrypt: Operational GPG Commands.
3724 * decrypt <1>: Operational GPGSM Commands.
3726 * decrypt <2>: gpg-zip. (line 22)
3727 * decrypt-files: Operational GPG Commands.
3729 * default-cache-ttl: Agent Options. (line 191)
3730 * default-cache-ttl <1>: Agent Options. (line 197)
3731 * default-cert-expire: GPG Esoteric Options.
3733 * default-cert-level: GPG Configuration Options.
3735 * default-key: GPG Configuration Options.
3737 * default-key <1>: Input and Output. (line 34)
3738 * default-keyserver-url: GPG Esoteric Options.
3740 * default-new-key-algo STRING: GPG Esoteric Options.
3742 * default-preference-list: GPG Esoteric Options.
3744 * default-recipient: GPG Configuration Options.
3746 * default-recipient-self: GPG Configuration Options.
3748 * default-sig-expire: GPG Esoteric Options.
3750 * delete-keys: Certificate Management.
3752 * delete-secret-and-public-key: Operational GPG Commands.
3754 * delete-secret-keys: Operational GPG Commands.
3756 * deny-admin: Scdaemon Options. (line 192)
3757 * desig-revoke: OpenPGP Key Management.
3759 * detach-sign: Operational GPG Commands.
3761 * digest-algo: GPG Esoteric Options.
3763 * dirmngr: Invoking gpg-connect-agent.
3765 * dirmngr-program: GPG Configuration Options.
3767 * dirmngr-program <1>: Configuration Options.
3769 * dirmngr-program <2>: Invoking gpg-connect-agent.
3771 * disable-application: Scdaemon Options. (line 202)
3772 * disable-ccid: Scdaemon Options. (line 150)
3773 * disable-check-own-socket: Agent Options. (line 295)
3774 * disable-check-own-socket <1>: Dirmngr Options. (line 71)
3775 * disable-cipher-algo: GPG Esoteric Options.
3777 * disable-crl-checks: Certificate Options. (line 13)
3778 * disable-dsa2: GPG Configuration Options.
3780 * disable-http: Dirmngr Options. (line 152)
3781 * disable-large-rsa: GPG Configuration Options.
3783 * disable-ldap: Dirmngr Options. (line 149)
3784 * disable-mdc: OpenPGP Options. (line 30)
3785 * disable-ocsp: Certificate Options. (line 41)
3786 * disable-pinpad: Scdaemon Options. (line 189)
3787 * disable-policy-checks: Certificate Options. (line 8)
3788 * disable-pubkey-algo: GPG Esoteric Options.
3790 * disable-scdaemon: Agent Options. (line 289)
3791 * disable-signer-uid: OpenPGP Options. (line 35)
3792 * disable-trusted-cert-crl-check: Certificate Options. (line 19)
3793 * display: Agent Options. (line 313)
3794 * display-charset: GPG Configuration Options.
3796 * display-charset:iso-8859-1: GPG Configuration Options.
3798 * display-charset:iso-8859-15: GPG Configuration Options.
3800 * display-charset:iso-8859-2: GPG Configuration Options.
3802 * display-charset:koi8-r: GPG Configuration Options.
3804 * display-charset:utf-8: GPG Configuration Options.
3806 * dry-run: GPG Esoteric Options.
3808 * dump-cert: Certificate Management.
3810 * dump-chain: Certificate Management.
3812 * dump-external-keys: Certificate Management.
3814 * dump-keys: Certificate Management.
3816 * dump-options: Agent Commands. (line 19)
3817 * dump-options <1>: Dirmngr Commands. (line 18)
3818 * dump-options <2>: General GPG Commands.
3820 * dump-options <3>: General GPGSM Commands.
3822 * dump-options <4>: Scdaemon Commands. (line 18)
3823 * dump-secret-keys: Certificate Management.
3825 * edit-card: Operational GPG Commands.
3827 * edit-key: OpenPGP Key Management.
3829 * emit-version: GPG Esoteric Options.
3831 * enable-crl-checks: Certificate Options. (line 13)
3832 * enable-dsa2: GPG Configuration Options.
3834 * enable-large-rsa: GPG Configuration Options.
3836 * enable-ocsp: Certificate Options. (line 41)
3837 * enable-passphrase-history: Agent Options. (line 249)
3838 * enable-pinpad-varlen: Scdaemon Options. (line 181)
3839 * enable-policy-checks: Certificate Options. (line 8)
3840 * enable-progress-filter: GPG Esoteric Options.
3842 * enable-putty-support: Agent Options. (line 337)
3843 * enable-special-filenames: GPG Esoteric Options.
3845 * enable-special-filenames <1>: gpgv. (line 92)
3846 * enable-ssh-support: Agent Options. (line 337)
3847 * enable-trusted-cert-crl-check: Certificate Options. (line 19)
3848 * enarmor: Operational GPG Commands.
3850 * encrypt: Operational GPG Commands.
3852 * encrypt <1>: Operational GPGSM Commands.
3854 * encrypt <2>: gpg-zip. (line 17)
3855 * encrypt-files: Operational GPG Commands.
3857 * encrypt-to: GPG Key related Options.
3859 * enforce-passphrase-constraints: Agent Options. (line 215)
3860 * escape-from-lines: GPG Esoteric Options.
3862 * exec: Invoking gpg-connect-agent.
3864 * exec-path: GPG Configuration Options.
3866 * exit-on-status-write-error: GPG Configuration Options.
3868 * expert: GPG Configuration Options.
3870 * export: Operational GPG Commands.
3872 * export <1>: Certificate Management.
3874 * export-filter: GPG Input and Output.
3876 * export-options: GPG Input and Output.
3878 * export-ownertrust: Operational GPG Commands.
3880 * export-secret-key-p12: Certificate Management.
3882 * export-secret-key-p8: Certificate Management.
3884 * export-secret-key-raw: Certificate Management.
3886 * export-secret-keys: Operational GPG Commands.
3888 * export-secret-subkeys: Operational GPG Commands.
3890 * export-ssh-key: Operational GPG Commands.
3892 * extra-digest-algo: Esoteric Options. (line 7)
3893 * extra-socket: Agent Options. (line 323)
3894 * faked-system-time: Agent Options. (line 48)
3895 * faked-system-time <1>: GPG Esoteric Options.
3897 * faked-system-time <2>: Esoteric Options. (line 18)
3898 * fast-list-mode: GPG Esoteric Options.
3900 * fetch-crl: Dirmngr Commands. (line 52)
3901 * fetch-keys: Operational GPG Commands.
3903 * fingerprint: Operational GPG Commands.
3905 * fixed-list-mode: GPG Input and Output.
3907 * flush: Dirmngr Commands. (line 62)
3908 * for-your-eyes-only: GPG Esoteric Options.
3910 * force: Dirmngr Options. (line 85)
3911 * force <1>: watchgnupg. (line 22)
3912 * force-crl-refresh: Certificate Options. (line 30)
3913 * force-default-responder: dirmngr-client. (line 64)
3914 * force-mdc: OpenPGP Options. (line 24)
3915 * forget: Invoking gpg-preset-passphrase.
3917 * full-gen-key: OpenPGP Key Management.
3919 * full-generate-key: OpenPGP Key Management.
3921 * gen-key: OpenPGP Key Management.
3923 * gen-key <1>: Certificate Management.
3925 * gen-prime: Operational GPG Commands.
3927 * gen-random: Operational GPG Commands.
3929 * gen-revoke: OpenPGP Key Management.
3931 * generate-designated-revocation: OpenPGP Key Management.
3933 * generate-key: OpenPGP Key Management.
3935 * generate-key <1>: Certificate Management.
3937 * generate-revocation: OpenPGP Key Management.
3939 * gnupg: Compliance Options. (line 12)
3940 * gnutls-debug: Dirmngr Options. (line 63)
3941 * gpg: gpg-zip. (line 50)
3942 * gpg-agent-info: GPG Configuration Options.
3944 * gpg-args: gpg-zip. (line 53)
3945 * gpgconf-list: GPG Esoteric Options.
3947 * gpgconf-test: GPG Esoteric Options.
3949 * group: GPG Key related Options.
3951 * help: Agent Commands. (line 15)
3952 * help <1>: Dirmngr Commands. (line 14)
3953 * help <2>: General GPG Commands.
3955 * help <3>: General GPGSM Commands.
3957 * help <4>: Scdaemon Commands. (line 14)
3958 * help <5>: watchgnupg. (line 35)
3959 * help <6>: dirmngr-client. (line 44)
3960 * help <7>: gpg-zip. (line 65)
3961 * hex: Invoking gpg-connect-agent.
3963 * hidden-encrypt-to: GPG Key related Options.
3965 * hidden-recipient: GPG Key related Options.
3967 * hidden-recipient-file: GPG Key related Options.
3969 * homedir: Agent Options. (line 13)
3970 * homedir <1>: GPG Configuration Options.
3972 * homedir <2>: Configuration Options.
3974 * homedir <3>: Scdaemon Options. (line 13)
3975 * homedir <4>: gpgv. (line 64)
3976 * homedir <5>: Invoking gpg-connect-agent.
3978 * homedir <6>: Invoking symcryptrun.
3980 * honor-http-proxy: Dirmngr Options. (line 171)
3981 * http-proxy: Dirmngr Options. (line 175)
3982 * ignore-cache-for-signing: Agent Options. (line 185)
3983 * ignore-cert-extension: Dirmngr Options. (line 280)
3984 * ignore-cert-extension <1>: Certificate Options. (line 70)
3985 * ignore-crc-error: GPG Esoteric Options.
3987 * ignore-http-dp: Dirmngr Options. (line 155)
3988 * ignore-ldap-dp: Dirmngr Options. (line 162)
3989 * ignore-mdc-error: GPG Esoteric Options.
3991 * ignore-ocsp-service-url: Dirmngr Options. (line 167)
3992 * ignore-time-conflict: GPG Esoteric Options.
3994 * ignore-time-conflict <1>: gpgv. (line 58)
3995 * ignore-valid-from: GPG Esoteric Options.
3997 * import: Operational GPG Commands.
3999 * import <1>: Certificate Management.
4001 * import-filter: GPG Input and Output.
4003 * import-options: GPG Input and Output.
4005 * import-ownertrust: Operational GPG Commands.
4007 * include-certs: CMS Options. (line 7)
4008 * input-size-hint: GPG Input and Output.
4010 * interactive: GPG Esoteric Options.
4012 * keep-display: Agent Options. (line 318)
4013 * keep-tty: Agent Options. (line 318)
4014 * keydb-clear-some-cert-flags: Certificate Management.
4016 * keyedit:addcardkey: OpenPGP Key Management.
4018 * keyedit:addkey: OpenPGP Key Management.
4020 * keyedit:addphoto: OpenPGP Key Management.
4022 * keyedit:addrevoker: OpenPGP Key Management.
4024 * keyedit:adduid: OpenPGP Key Management.
4026 * keyedit:bkuptocard: OpenPGP Key Management.
4028 * keyedit:check: OpenPGP Key Management.
4030 * keyedit:clean: OpenPGP Key Management.
4032 * keyedit:cross-certify: OpenPGP Key Management.
4034 * keyedit:delkey: OpenPGP Key Management.
4036 * keyedit:delsig: OpenPGP Key Management.
4038 * keyedit:deluid: OpenPGP Key Management.
4040 * keyedit:disable: OpenPGP Key Management.
4042 * keyedit:enable: OpenPGP Key Management.
4044 * keyedit:expire: OpenPGP Key Management.
4046 * keyedit:key: OpenPGP Key Management.
4048 * keyedit:keyserver: OpenPGP Key Management.
4050 * keyedit:keytocard: OpenPGP Key Management.
4052 * keyedit:lsign: OpenPGP Key Management.
4054 * keyedit:minimize: OpenPGP Key Management.
4056 * keyedit:notation: OpenPGP Key Management.
4058 * keyedit:nrsign: OpenPGP Key Management.
4060 * keyedit:passwd: OpenPGP Key Management.
4062 * keyedit:pref: OpenPGP Key Management.
4064 * keyedit:primary: OpenPGP Key Management.
4066 * keyedit:quit: OpenPGP Key Management.
4068 * keyedit:revkey: OpenPGP Key Management.
4070 * keyedit:revsig: OpenPGP Key Management.
4072 * keyedit:revuid: OpenPGP Key Management.
4074 * keyedit:save: OpenPGP Key Management.
4076 * keyedit:setpref: OpenPGP Key Management.
4078 * keyedit:showphoto: OpenPGP Key Management.
4080 * keyedit:showpref: OpenPGP Key Management.
4082 * keyedit:sign: OpenPGP Key Management.
4084 * keyedit:toggle: OpenPGP Key Management.
4086 * keyedit:trust: OpenPGP Key Management.
4088 * keyedit:tsign: OpenPGP Key Management.
4090 * keyedit:uid: OpenPGP Key Management.
4092 * keyid-format: GPG Configuration Options.
4094 * keyring: GPG Configuration Options.
4096 * keyring <1>: gpgv. (line 37)
4097 * keyserver: Dirmngr Options. (line 116)
4098 * keyserver <1>: GPG Configuration Options.
4100 * keyserver-options: GPG Configuration Options.
4102 * kill: Invoking gpgconf. (line 82)
4103 * launch: Invoking gpgconf. (line 75)
4104 * lc-ctype: Agent Options. (line 313)
4105 * lc-messages: Agent Options. (line 313)
4106 * ldap-proxy: Dirmngr Options. (line 180)
4107 * ldapserverlist-file: Dirmngr Options. (line 191)
4108 * ldaptimeout: Dirmngr Options. (line 209)
4109 * learn-card: Certificate Management.
4111 * legacy-list-mode: GPG Input and Output.
4113 * limit-card-insert-tries: GPG Configuration Options.
4115 * list-archive: gpg-zip. (line 43)
4116 * list-chain: Certificate Management.
4118 * list-config: GPG Esoteric Options.
4120 * list-crls: Dirmngr Commands. (line 40)
4121 * list-gcrypt-config: GPG Esoteric Options.
4123 * list-keys: Operational GPG Commands.
4125 * list-keys <1>: Certificate Management.
4127 * list-keys <2>: Certificate Management.
4129 * list-only: GPG Esoteric Options.
4131 * list-options: GPG Configuration Options.
4133 * list-options:show-keyring: GPG Configuration Options.
4135 * list-options:show-keyserver-urls: GPG Configuration Options.
4137 * list-options:show-notations: GPG Configuration Options.
4139 * list-options:show-photos: GPG Configuration Options.
4141 * list-options:show-policy-urls: GPG Configuration Options.
4143 * list-options:show-sig-expire: GPG Configuration Options.
4145 * list-options:show-sig-subpackets: GPG Configuration Options.
4147 * list-options:show-std-notations: GPG Configuration Options.
4149 * list-options:show-uid-validity: GPG Configuration Options.
4151 * list-options:show-unusable-subkeys: GPG Configuration Options.
4153 * list-options:show-unusable-uids: GPG Configuration Options.
4155 * list-options:show-usage: GPG Configuration Options.
4157 * list-options:show-user-notations: GPG Configuration Options.
4159 * list-packets: Operational GPG Commands.
4161 * list-secret-keys: Operational GPG Commands.
4163 * list-secret-keys <1>: Certificate Management.
4165 * list-signatures: Operational GPG Commands.
4167 * list-sigs: Operational GPG Commands.
4169 * load-crl: Dirmngr Commands. (line 44)
4170 * load-crl <1>: dirmngr-client. (line 80)
4171 * local-user: GPG Key related Options.
4173 * local-user <1>: Input and Output. (line 41)
4174 * local-user <2>: gpg-zip. (line 40)
4175 * locate-keys: Operational GPG Commands.
4177 * lock-multiple: GPG Configuration Options.
4179 * lock-never: GPG Configuration Options.
4181 * lock-once: GPG Configuration Options.
4183 * log-file: Agent Options. (line 144)
4184 * log-file <1>: Dirmngr Options. (line 26)
4185 * log-file <2>: GPG Esoteric Options.
4187 * log-file <3>: Configuration Options.
4189 * log-file <4>: Scdaemon Options. (line 135)
4190 * log-file <5>: Invoking symcryptrun.
4192 * logger-fd: GPG Esoteric Options.
4194 * logger-fd <1>: gpgv. (line 55)
4195 * lookup: dirmngr-client. (line 86)
4196 * lsign-key: OpenPGP Key Management.
4198 * mangle-dos-filenames: GPG Configuration Options.
4200 * marginals-needed: GPG Configuration Options.
4202 * max-cache-ttl: Agent Options. (line 203)
4203 * max-cache-ttl-ssh: Agent Options. (line 209)
4204 * max-cert-depth: GPG Configuration Options.
4206 * max-output: GPG Input and Output.
4208 * max-passphrase-days: Agent Options. (line 244)
4209 * max-replies: Dirmngr Options. (line 277)
4210 * min-cert-level: GPG Configuration Options.
4212 * min-passphrase-len: Agent Options. (line 219)
4213 * min-passphrase-nonalpha: Agent Options. (line 224)
4214 * multi-server: Scdaemon Commands. (line 26)
4215 * multifile: Operational GPG Commands.
4217 * nameserver: Dirmngr Options. (line 142)
4218 * no: GPG Configuration Options.
4220 * no-allow-external-cache: Agent Options. (line 170)
4221 * no-allow-loopback-pinentry: Agent Options. (line 162)
4222 * no-allow-mark-trusted: Agent Options. (line 152)
4223 * no-armor: GPG Input and Output.
4225 * no-auto-key-retrieve: GPG Configuration Options.
4227 * no-autostart: GPG Configuration Options.
4229 * no-autostart <1>: Configuration Options.
4231 * no-autostart <2>: Invoking gpg-connect-agent.
4233 * no-batch: GPG Configuration Options.
4235 * no-common-certs-import: Esoteric Options. (line 124)
4236 * no-default-keyring: GPG Esoteric Options.
4238 * no-default-recipient: GPG Configuration Options.
4240 * no-detach: Agent Options. (line 127)
4241 * no-detach <1>: Scdaemon Options. (line 131)
4242 * no-encrypt-to: GPG Key related Options.
4244 * no-expensive-trust-checks: GPG Esoteric Options.
4246 * no-ext-connect: Invoking gpg-connect-agent.
4248 * no-grab: Agent Options. (line 140)
4249 * no-greeting: GPG Configuration Options.
4251 * no-groups: GPG Key related Options.
4253 * no-keyring: GPG Esoteric Options.
4255 * no-literal: GPG Esoteric Options.
4257 * no-mangle-dos-filenames: GPG Configuration Options.
4259 * no-mdc-warning: GPG Configuration Options.
4261 * no-options: GPG Configuration Options.
4263 * no-random-seed-file: GPG Configuration Options.
4265 * no-secmem-warning: GPG Configuration Options.
4267 * no-secmem-warning <1>: Configuration Options.
4269 * no-sig-cache: GPG Configuration Options.
4271 * no-skip-hidden-recipients: GPG Key related Options.
4273 * no-tty: GPG Configuration Options.
4275 * no-use-standard-socket: Agent Options. (line 303)
4276 * no-verbose: GPG Configuration Options.
4278 * not-dash-escaped: GPG Esoteric Options.
4280 * ocsp: dirmngr-client. (line 61)
4281 * ocsp-current-period: Dirmngr Options. (line 272)
4282 * ocsp-max-clock-skew: Dirmngr Options. (line 264)
4283 * ocsp-max-period: Dirmngr Options. (line 268)
4284 * ocsp-responder: Dirmngr Options. (line 238)
4285 * ocsp-signer: Dirmngr Options. (line 243)
4286 * only-ldap-proxy: Dirmngr Options. (line 186)
4287 * openpgp: Compliance Options. (line 19)
4288 * options: Agent Options. (line 7)
4289 * options <1>: Dirmngr Options. (line 7)
4290 * options <2>: Dirmngr Options. (line 12)
4291 * options <3>: GPG Configuration Options.
4293 * options <4>: Configuration Options.
4295 * options <5>: Scdaemon Options. (line 7)
4296 * output: GPG Input and Output.
4298 * output <1>: Input and Output. (line 51)
4299 * output <2>: gpgv. (line 44)
4300 * output <3>: gpg-zip. (line 47)
4301 * override-session-key: GPG Esoteric Options.
4303 * p12-charset: Input and Output. (line 24)
4304 * passphrase: GPG Esoteric Options.
4306 * passphrase <1>: Invoking gpg-preset-passphrase.
4308 * passphrase-fd: GPG Esoteric Options.
4310 * passphrase-fd <1>: Esoteric Options. (line 100)
4311 * passphrase-file: GPG Esoteric Options.
4313 * passphrase-repeat: GPG Esoteric Options.
4315 * passwd: OpenPGP Key Management.
4317 * passwd <1>: Certificate Management.
4319 * pcsc-driver: Scdaemon Options. (line 139)
4320 * pem: dirmngr-client. (line 58)
4321 * permission-warning: GPG Configuration Options.
4323 * personal-cipher-preferences: OpenPGP Options. (line 42)
4324 * personal-compress-preferences: OpenPGP Options. (line 60)
4325 * personal-digest-preferences: OpenPGP Options. (line 51)
4326 * pgp6: Compliance Options. (line 41)
4327 * pgp7: Compliance Options. (line 51)
4328 * pgp8: Compliance Options. (line 57)
4329 * photo-viewer: GPG Configuration Options.
4331 * pinentry-invisible-char: Agent Options. (line 252)
4332 * pinentry-mode: GPG Esoteric Options.
4334 * pinentry-mode <1>: Esoteric Options. (line 109)
4335 * pinentry-program: Agent Options. (line 263)
4336 * pinentry-timeout: Agent Options. (line 257)
4337 * pinentry-touch-file: Agent Options. (line 276)
4338 * ping: dirmngr-client. (line 69)
4339 * policy-file: Configuration Options.
4341 * prefer-system-dirmngr: Configuration Options.
4343 * preserve-permissions: GPG Esoteric Options.
4345 * preset: Invoking gpg-preset-passphrase.
4347 * primary-keyring: GPG Configuration Options.
4349 * print-md: Operational GPG Commands.
4351 * q: Invoking gpg-connect-agent.
4353 * q <1>: Invoking symcryptrun.
4355 * quick-add-key: OpenPGP Key Management.
4357 * quick-add-uid: OpenPGP Key Management.
4359 * quick-generate-key: OpenPGP Key Management.
4361 * quick-lsign-key: OpenPGP Key Management.
4363 * quick-revoke-uid: OpenPGP Key Management.
4365 * quick-set-expire: OpenPGP Key Management.
4367 * quick-sign-key: OpenPGP Key Management.
4369 * quiet: Agent Options. (line 41)
4370 * quiet <1>: GPG Configuration Options.
4372 * quiet <2>: gpgv. (line 34)
4373 * quiet <3>: Invoking gpgconf. (line 109)
4374 * quiet <4>: Invoking gpg-connect-agent.
4376 * quiet <5>: dirmngr-client. (line 48)
4377 * quiet <6>: Invoking symcryptrun.
4379 * raw-socket: Invoking gpg-connect-agent.
4381 * reader-port: Scdaemon Options. (line 156)
4382 * rebuild-keydb-caches: Operational GPG Commands.
4384 * receive-keys: Operational GPG Commands.
4386 * recipient: GPG Key related Options.
4388 * recipient <1>: Input and Output. (line 46)
4389 * recipient <2>: gpg-zip. (line 36)
4390 * recipient-file: GPG Key related Options.
4392 * recursive-resolver: Dirmngr Options. (line 102)
4393 * recv-keys: Operational GPG Commands.
4395 * refresh-keys: Operational GPG Commands.
4397 * reload: Invoking gpgconf. (line 70)
4398 * remove-socketdir: Invoking gpgconf. (line 94)
4399 * require-cross-certification: GPG Configuration Options.
4401 * require-secmem: GPG Configuration Options.
4403 * rfc2440: Compliance Options. (line 37)
4404 * rfc4880: Compliance Options. (line 25)
4405 * rfc4880bis: Compliance Options. (line 30)
4406 * run: Invoking gpg-connect-agent.
4408 * s: Dirmngr Options. (line 79)
4409 * s2k-cipher-algo: OpenPGP Options. (line 70)
4410 * s2k-count: OpenPGP Options. (line 86)
4411 * s2k-digest-algo: OpenPGP Options. (line 75)
4412 * s2k-mode: OpenPGP Options. (line 79)
4413 * scdaemon-program: Agent Options. (line 285)
4414 * search-keys: Operational GPG Commands.
4416 * secret-keyring: GPG Configuration Options.
4418 * send-keys: Operational GPG Commands.
4420 * sender: GPG Key related Options.
4422 * server: Agent Commands. (line 23)
4423 * server <1>: Dirmngr Commands. (line 22)
4424 * server <2>: Operational GPGSM Commands.
4426 * server <3>: Scdaemon Commands. (line 22)
4427 * set-filename: GPG Esoteric Options.
4429 * set-filesize: GPG Esoteric Options.
4431 * set-notation: GPG Esoteric Options.
4433 * set-policy-url: GPG Esoteric Options.
4435 * sh: Agent Options. (line 134)
4436 * sh <1>: Dirmngr Options. (line 79)
4437 * show-keyring: Deprecated Options. (line 16)
4438 * show-notation: Deprecated Options. (line 25)
4439 * show-photos: Deprecated Options. (line 8)
4440 * show-policy-url: Deprecated Options. (line 33)
4441 * show-session-key: GPG Esoteric Options.
4443 * shutdown: Dirmngr Commands. (line 58)
4444 * sig-keyserver-url: GPG Esoteric Options.
4446 * sig-notation: GPG Esoteric Options.
4448 * sig-policy-url: GPG Esoteric Options.
4450 * sign: Operational GPG Commands.
4452 * sign <1>: Operational GPGSM Commands.
4454 * sign-key: OpenPGP Key Management.
4456 * skip-hidden-recipients: GPG Key related Options.
4458 * skip-verify: GPG Esoteric Options.
4460 * squid-mode: dirmngr-client. (line 101)
4461 * standard-resolver: Dirmngr Options. (line 96)
4462 * status-fd: GPG Esoteric Options.
4464 * status-fd <1>: gpgv. (line 51)
4465 * status-file: GPG Esoteric Options.
4467 * store: Operational GPG Commands.
4469 * subst: Invoking gpg-connect-agent.
4471 * supervised: Agent Commands. (line 36)
4472 * supervised <1>: Dirmngr Commands. (line 33)
4473 * symmetric: Operational GPG Commands.
4475 * tar: gpg-zip. (line 56)
4476 * tar-args: gpg-zip. (line 59)
4477 * textmode: OpenPGP Options. (line 8)
4478 * throw-keyids: GPG Esoteric Options.
4480 * tofu-default-policy: GPG Configuration Options.
4482 * tofu-policy: Operational GPG Commands.
4484 * trust-mode:always: GPG Configuration Options.
4486 * trust-mode:auto: GPG Configuration Options.
4488 * trust-mode:classic: GPG Configuration Options.
4490 * trust-mode:direct: GPG Configuration Options.
4492 * trust-mode:pgp: GPG Configuration Options.
4494 * trust-mode:tofu: GPG Configuration Options.
4496 * trust-mode:tofu+pgp: GPG Configuration Options.
4498 * trust-model: GPG Configuration Options.
4500 * trustdb-name: GPG Configuration Options.
4502 * trusted-key: GPG Configuration Options.
4504 * try-all-secrets: GPG Key related Options.
4506 * try-secret-key: GPG Key related Options.
4508 * ttyname: Agent Options. (line 313)
4509 * ttytype: Agent Options. (line 313)
4510 * ungroup: GPG Key related Options.
4512 * update-trustdb: Operational GPG Commands.
4514 * url: dirmngr-client. (line 94)
4515 * url <1>: dirmngr-client. (line 98)
4516 * use-agent: GPG Configuration Options.
4518 * use-embedded-filename: GPG Esoteric Options.
4520 * use-standard-socket: Agent Options. (line 303)
4521 * use-standard-socket-p: Agent Options. (line 303)
4522 * use-tor: Dirmngr Options. (line 89)
4523 * utf8-strings: GPG Configuration Options.
4525 * v: Dirmngr Options. (line 21)
4526 * v <1>: Configuration Options.
4528 * v <2>: Scdaemon Options. (line 35)
4529 * v <3>: dirmngr-client. (line 53)
4530 * validate: dirmngr-client. (line 76)
4531 * validation-model: Certificate Options. (line 61)
4532 * verbose: Agent Options. (line 35)
4533 * verbose <1>: Dirmngr Options. (line 21)
4534 * verbose <2>: GPG Configuration Options.
4536 * verbose <3>: Configuration Options.
4538 * verbose <4>: Scdaemon Options. (line 35)
4539 * verbose <5>: watchgnupg. (line 29)
4540 * verbose <6>: gpgv. (line 29)
4541 * verbose <7>: Invoking gpg-preset-passphrase.
4543 * verbose <8>: Invoking gpg-connect-agent.
4545 * verbose <9>: dirmngr-client. (line 53)
4546 * verbose <10>: Invoking symcryptrun.
4548 * verify: Operational GPG Commands.
4550 * verify <1>: Operational GPGSM Commands.
4552 * verify-files: Operational GPG Commands.
4554 * verify-options: GPG Configuration Options.
4556 * verify-options:pka-lookups: GPG Configuration Options.
4558 * verify-options:pka-trust-increase: GPG Configuration Options.
4560 * verify-options:show-keyserver-urls: GPG Configuration Options.
4562 * verify-options:show-notations: GPG Configuration Options.
4564 * verify-options:show-photos: GPG Configuration Options.
4566 * verify-options:show-policy-urls: GPG Configuration Options.
4568 * verify-options:show-primary-uid-only: GPG Configuration Options.
4570 * verify-options:show-std-notations: GPG Configuration Options.
4572 * verify-options:show-uid-validity: GPG Configuration Options.
4574 * verify-options:show-unusable-uids: GPG Configuration Options.
4576 * verify-options:show-user-notations: GPG Configuration Options.
4578 * version: Agent Commands. (line 10)
4579 * version <1>: Dirmngr Commands. (line 10)
4580 * version <2>: General GPG Commands.
4582 * version <3>: General GPGSM Commands.
4584 * version <4>: Scdaemon Commands. (line 10)
4585 * version <5>: watchgnupg. (line 32)
4586 * version <6>: dirmngr-client. (line 40)
4587 * version <7>: gpg-zip. (line 62)
4588 * warranty: General GPG Commands.
4590 * warranty <1>: General GPGSM Commands.
4592 * weak-digest: GPG Esoteric Options.
4594 * weak-digest <1>: gpgv. (line 85)
4595 * with-colons: GPG Input and Output.
4597 * with-ephemeral-keys: Esoteric Options. (line 24)
4598 * with-fingerprint: GPG Input and Output.
4600 * with-icao-spelling: GPG Input and Output.
4602 * with-key-data: GPG Esoteric Options.
4604 * with-key-data <1>: Input and Output. (line 54)
4605 * with-keygrip: GPG Input and Output.
4607 * with-secret: GPG Input and Output.
4609 * with-secret <1>: Input and Output. (line 78)
4610 * with-subkey-fingerprint: GPG Input and Output.
4612 * with-validation: Input and Output. (line 60)
4613 * with-wkd-hash: GPG Input and Output.
4615 * xauthority: Agent Options. (line 313)
4616 * yes: GPG Configuration Options.
4620 File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top
4622 Environment Variable and File Index
4623 ***********************************
4628 * .gpg-v21-migrated: GPG Configuration. (line 52)
4629 * ~/.gnupg: GPG Configuration. (line 27)
4630 * ASSUAN_DEBUG: Scdaemon Options. (line 122)
4631 * COLUMNS: GPG Configuration. (line 96)
4632 * com-certs.pem: GPGSM Configuration. (line 84)
4633 * DISPLAY: GPGSM OPTION. (line 21)
4634 * GNUPGHOME: Agent Options. (line 13)
4635 * GNUPGHOME <1>: GPG Configuration Options.
4637 * GNUPGHOME <2>: GPG Configuration. (line 84)
4638 * GNUPGHOME <3>: Configuration Options.
4640 * GNUPGHOME <4>: Scdaemon Options. (line 13)
4641 * GNUPGHOME <5>: gpgv. (line 64)
4642 * GNUPGHOME <6>: Invoking gpg-connect-agent.
4644 * GNUPGHOME <7>: Invoking symcryptrun.
4646 * gpg-agent.conf: Agent Configuration. (line 11)
4647 * gpg.conf: GPG Configuration. (line 11)
4648 * gpgconf.ctl: Agent Options. (line 24)
4649 * gpgconf.ctl <1>: GPG Configuration Options.
4651 * gpgconf.ctl <2>: Configuration Options.
4653 * gpgconf.ctl <3>: Scdaemon Options. (line 24)
4654 * gpgconf.ctl <4>: gpgv. (line 75)
4655 * gpgconf.ctl <5>: Invoking gpg-connect-agent.
4657 * gpgconf.ctl <6>: Invoking symcryptrun.
4659 * gpgsm.conf: GPGSM Configuration. (line 11)
4660 * GPG_TTY: Invoking GPG-AGENT. (line 22)
4661 * GPG_TTY <1>: GPGSM OPTION. (line 23)
4662 * help.txt: GPGSM Configuration. (line 72)
4663 * HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 144)
4664 * HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 13)
4665 * HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options.
4667 * HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options.
4669 * HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)
4670 * HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 64)
4671 * HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpg-connect-agent.
4673 * HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking symcryptrun.
4675 * HOME: GPG Configuration. (line 81)
4676 * http_proxy: Dirmngr Options. (line 175)
4677 * LANGUAGE: GPG Configuration. (line 99)
4678 * LC_CTYPE: GPGSM OPTION. (line 27)
4679 * LC_MESSAGES: GPGSM OPTION. (line 29)
4680 * LINES: GPG Configuration. (line 96)
4681 * openpgp-revocs.d: GPG Configuration. (line 66)
4682 * options.skel: GPG Configuration. (line 76)
4683 * PATH: GPG Configuration Options.
4685 * PINENTRY_USER_DATA: GPG Configuration. (line 91)
4686 * PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33)
4687 * policies.txt: GPGSM Configuration. (line 18)
4688 * private-keys-v1.d: Agent Configuration. (line 105)
4689 * pubring.gpg: GPG Configuration. (line 32)
4690 * pubring.kbx: GPG Configuration. (line 38)
4691 * pubring.kbx <1>: GPGSM Configuration. (line 100)
4692 * qualified.txt: GPGSM Configuration. (line 33)
4693 * random_seed: GPG Configuration. (line 63)
4694 * random_seed <1>: GPGSM Configuration. (line 106)
4695 * S.gpg-agent: GPGSM Configuration. (line 111)
4696 * secring.gpg: GPG Configuration. (line 45)
4697 * SHELL: Agent Options. (line 134)
4698 * sshcontrol: Agent Configuration. (line 75)
4699 * TERM: GPGSM OPTION. (line 25)
4700 * trustdb.gpg: GPG Configuration. (line 55)
4701 * trustlist.txt: Agent Configuration. (line 20)
4702 * XAUTHORITY: GPGSM OPTION. (line 31)
4705 File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top
4713 * command options: Invoking GPG-AGENT. (line 6)
4714 * command options <1>: Invoking DIRMNGR. (line 6)
4715 * command options <2>: Invoking GPG. (line 6)
4716 * command options <3>: Invoking GPGSM. (line 6)
4717 * command options <4>: Invoking SCDAEMON. (line 6)
4718 * contributors: Contributors. (line 6)
4719 * DIRMNGR command options: Invoking DIRMNGR. (line 6)
4720 * GPG command options: Invoking GPG. (line 6)
4721 * GPG-AGENT command options: Invoking GPG-AGENT. (line 6)
4722 * gpgconf.conf: Files used by gpgconf.
4724 * GPGSM command options: Invoking GPGSM. (line 6)
4725 * options, DIRMNGR command: Invoking DIRMNGR. (line 6)
4726 * options, GPG command: Invoking GPG. (line 6)
4727 * options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)
4728 * options, GPGSM command: Invoking GPGSM. (line 6)
4729 * options, SCDAEMON command: Invoking SCDAEMON. (line 6)
4730 * relax: Agent Configuration. (line 63)
4731 * scd-event: Scdaemon Configuration.
4733 * SCDAEMON command options: Invoking SCDAEMON. (line 6)
4734 * scdaemon.conf: Scdaemon Configuration.
4736 * SIGHUP: Agent Signals. (line 12)
4737 * SIGHUP <1>: Dirmngr Signals. (line 12)
4738 * SIGINT: Agent Signals. (line 31)
4739 * SIGINT <1>: Dirmngr Signals. (line 26)
4740 * SIGTERM: Agent Signals. (line 26)
4741 * SIGTERM <1>: Dirmngr Signals. (line 19)
4742 * SIGUSR1: Agent Signals. (line 34)
4743 * SIGUSR1 <1>: Dirmngr Signals. (line 29)
4744 * SIGUSR2: Agent Signals. (line 37)
4745 * swdb.lst: Files used by gpgconf.