diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-18 21:21:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-18 21:21:03 +0000 |
commit | 69349561bf941cc67f1afcbbc115af8dbd624f94 (patch) | |
tree | 49d5db9fac516d5de488244d4cffd2e9d74220e7 /doc/gpgsm.texi | |
parent | Adding debian version 2.2.40-3. (diff) | |
download | gnupg2-69349561bf941cc67f1afcbbc115af8dbd624f94.tar.xz gnupg2-69349561bf941cc67f1afcbbc115af8dbd624f94.zip |
Merging upstream version 2.2.43.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/gpgsm.texi')
-rw-r--r-- | doc/gpgsm.texi | 56 |
1 files changed, 52 insertions, 4 deletions
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index ba91aed..03fe1c9 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -480,8 +480,10 @@ This usually means that Dirmngr is employed to search for the certificate. Note that this option makes a "web bug" like behavior possible. LDAP server operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally -will not have on your local keybox), the operator can tell both your IP -address and the time when you verified the signature. +will not have on your local keybox), the operator can tell both your +IP address and the time when you verified the signature. Note that if +CRL checking is not disabled issuer certificates are retrieved in any +case using the caIssuers authorityInfoAccess method. @anchor{gpgsm-option --validation-model} @@ -536,6 +538,13 @@ Assume the input data is plain base-64 encoded. @opindex assume-binary Assume the input data is binary encoded. +@item --input-size-hint @var{n} +@opindex input-size-hint +This option can be used to tell GPGSM the size of the input data in +bytes. @var{n} must be a positive base-10 number. It is used by the +@option{--status-fd} line ``PROGRESS'' to provide a value for +``total'' if that is not available by other means. + @anchor{option --p12-charset} @item --p12-charset @var{name} @opindex p12-charset @@ -687,6 +696,13 @@ instead to make sure that the gpgsm process exits with a failure if the compliance rules are not fulfilled. Note that this option has currently an effect only in "de-vs" mode. +@item --always-trust +@opindex always-trust +Force encryption to the specified certificates without any validation +of the certificate chain. The only requirement is that the +certificate is capable of encryption. Note that this option is +ineffective if @option{--require-compliance} is used. + @item --ignore-cert-with-oid @var{oid} @opindex ignore-cert-with-oid Add @var{oid} to the list of OIDs to be checked while reading @@ -1140,10 +1156,12 @@ General Parameters: @item Key-Type: @var{algo} Starts a new parameter block by giving the type of the primary key. The algorithm must be capable of signing. This is a required -parameter. The only supported value for @var{algo} is @samp{rsa}. +parameter. The supported values for @var{algo} are @samp{rsa}, +@samp{ecdsa}, and @samp{eddsa}. @item Key-Length: @var{nbits} -The requested length of a generated key in bits. Defaults to 3072. +The requested length of a generated key in bits. Defaults to +3072. The value is ignored for ECC algorithms. @item Key-Grip: @var{hexstring} This is optional and used to generate a CSR or certificate for an @@ -1216,6 +1234,20 @@ algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and @samp{sha512}; they may also be specified with uppercase letters. The default is @samp{sha256}. +@item Authority-Key-Id: @var{hexstring} +Insert the decoded value of @var{hexstring} as authorityKeyIdentifier. +If this is not given and an ECC algorithm is used the public part of +the certified public key is used as authorityKeyIdentifier. To +inhibit any authorityKeyIdentifier use the special value @code{none} +for @var{hexstring}. + +@item Subject-Key-Id: @var{hexstring} +Insert the decoded value of @var{hexstring} as subjectKeyIdentifier. +If this is not given and an ECC algorithm is used the public part of +the signing key is used as authorityKeyIdentifier. To inhibit any +subjectKeyIdentifier use the special value @code{none} for +@var{hexstring}. + @end table @c ******************************************* @@ -1580,6 +1612,10 @@ The leading two dashes usually used with @var{opt} shall not be given. Return OK if the connection is in offline mode. This may be either due to a @code{OPTION offline=1} or due to @command{gpgsm} being started with option @option{--disable-dirmngr}. +@item always-trust +Returns OK of the connection is in always-trust mode. That is either +@option{--always-trust} or @option{GPGSM OPTION always-trust} are +active. @end table @node GPGSM OPTION @@ -1686,6 +1722,18 @@ If @var{value} is true or @var{value} is not given all network access is disabled for this session. This is the same as the command line option @option{--disable-dirmngr}. +@item always-trust +If @var{value} is true or @var{value} is not given encryption to the +specified certificates is forced without any validation of the +certificate chain. The only requirement is that the certificates are +capable of encryption. If set to false the standard behaviour is +re-established. This option is cleared by a RESET and after each +encrypt operation. Note that this option is ignored if +@option{--always-trust} or @option{--require-compliance} are used. + +@item input-size-hint +This is the same as the @option{--input-size-hint} command line option. + @end table @mansect see also |