summaryrefslogtreecommitdiffstats
path: root/doc/gnupg.info-2
diff options
context:
space:
mode:
Diffstat (limited to 'doc/gnupg.info-2')
-rw-r--r--doc/gnupg.info-26144
1 files changed, 6144 insertions, 0 deletions
diff --git a/doc/gnupg.info-2 b/doc/gnupg.info-2
new file mode 100644
index 0000000..7895f56
--- /dev/null
+++ b/doc/gnupg.info-2
@@ -0,0 +1,6144 @@
+This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
+
+This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3,
+October 2022).
+
+ (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
+(C) 2013, 2014, 2015 Werner Koch.
+(C) 2015, 2016, 2017 g10 Code GmbH.
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version. The text of the
+ license can be found in the section entitled "Copying".
+INFO-DIR-SECTION GNU Utilities
+START-INFO-DIR-ENTRY
+* gpg2: (gnupg). OpenPGP encryption and signing tool.
+* gpgsm: (gnupg). S/MIME encryption and signing tool.
+* gpg-agent: (gnupg). The secret key daemon.
+* dirmngr: (gnupg). X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+END-INFO-DIR-ENTRY
+
+
+File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
+
+5.6 The Protocol the Server Mode Uses
+=====================================
+
+Description of the protocol used to access 'GPGSM'. 'GPGSM' does
+implement the Assuan protocol and in addition provides a regular command
+line interface which exhibits a full client to this protocol (but uses
+internal linking). To start 'gpgsm' as a server the command line the
+option '--server' must be used. Additional options are provided to
+select the communication method (i.e. the name of the socket).
+
+ We assume that the connection has already been established; see the
+Assuan manual for details.
+
+* Menu:
+
+* GPGSM ENCRYPT:: Encrypting a message.
+* GPGSM DECRYPT:: Decrypting a message.
+* GPGSM SIGN:: Signing a message.
+* GPGSM VERIFY:: Verifying a message.
+* GPGSM GENKEY:: Generating a key.
+* GPGSM LISTKEYS:: List available keys.
+* GPGSM EXPORT:: Export certificates.
+* GPGSM IMPORT:: Import certificates.
+* GPGSM DELETE:: Delete certificates.
+* GPGSM GETAUDITLOG:: Retrieve an audit log.
+* GPGSM GETINFO:: Information about the process
+* GPGSM OPTION:: Session options.
+
+
+File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
+
+5.6.1 Encrypting a Message
+--------------------------
+
+Before encryption can be done the recipient must be set using the
+command:
+
+ RECIPIENT USERID
+
+ Set the recipient for the encryption. USERID should be the internal
+representation of the key; the server may accept any other way of
+specification. If this is a valid and trusted recipient the server does
+respond with OK, otherwise the return is an ERR with the reason why the
+recipient cannot be used, the encryption will then not be done for this
+recipient. If the policy is not to encrypt at all if not all recipients
+are valid, the client has to take care of this. All 'RECIPIENT'
+commands are cumulative until a 'RESET' or an successful 'ENCRYPT'
+command.
+
+ INPUT FD[=N] [--armor|--base64|--binary]
+
+ Set the file descriptor for the message to be encrypted to N.
+Obviously the pipe must be open at that point, the server establishes
+its own end. If the server returns an error the client should consider
+this session failed. If N is not given, this commands uses the last
+file descriptor passed to the application. *Note the assuan_sendfd
+function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
+
+ The '--armor' option may be used to advise the server that the input
+data is in PEM format, '--base64' advises that a raw base-64 encoding is
+used, '--binary' advises of raw binary input (BER). If none of these
+options is used, the server tries to figure out the used encoding, but
+this may not always be correct.
+
+ OUTPUT FD[=N] [--armor|--base64]
+
+ Set the file descriptor to be used for the output (i.e. the
+encrypted message). Obviously the pipe must be open at that point, the
+server establishes its own end. If the server returns an error the
+client should consider this session failed.
+
+ The option '--armor' encodes the output in PEM format, the '--base64'
+option applies just a base-64 encoding. No option creates binary output
+(BER).
+
+ The actual encryption is done using the command
+
+ ENCRYPT
+
+ It takes the plaintext from the 'INPUT' command, writes to the
+ciphertext to the file descriptor set with the 'OUTPUT' command, take
+the recipients from all the recipients set so far. If this command
+fails the clients should try to delete all output currently done or
+otherwise mark it as invalid. 'GPGSM' does ensure that there will not
+be any security problem with leftover data on the output in this case.
+
+ This command should in general not fail, as all necessary checks have
+been done while setting the recipients. The input and output pipes are
+closed.
+
+
+File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
+
+5.6.2 Decrypting a message
+--------------------------
+
+Input and output FDs are set the same way as in encryption, but 'INPUT'
+refers to the ciphertext and 'OUTPUT' to the plaintext. There is no
+need to set recipients. 'GPGSM' automatically strips any S/MIME headers
+from the input, so it is valid to pass an entire MIME part to the INPUT
+pipe.
+
+ The decryption is done by using the command
+
+ DECRYPT
+
+ It performs the decrypt operation after doing some check on the
+internal state (e.g. that all needed data has been set). Because it
+utilizes the GPG-Agent for the session key decryption, there is no need
+to ask the client for a protecting passphrase - GpgAgent takes care of
+this by requesting this from the user.
+
+
+File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
+
+5.6.3 Signing a Message
+-----------------------
+
+Signing is usually done with these commands:
+
+ INPUT FD[=N] [--armor|--base64|--binary]
+
+ This tells 'GPGSM' to read the data to sign from file descriptor N.
+
+ OUTPUT FD[=M] [--armor|--base64]
+
+ Write the output to file descriptor M. If a detached signature is
+requested, only the signature is written.
+
+ SIGN [--detached]
+
+ Sign the data set with the 'INPUT' command and write it to the sink
+set by 'OUTPUT'. With '--detached', a detached signature is created
+(surprise).
+
+ The key used for signing is the default one or the one specified in
+the configuration file. To get finer control over the keys, it is
+possible to use the command
+
+ SIGNER USERID
+
+ to set the signer's key. USERID should be the internal
+representation of the key; the server may accept any other way of
+specification. If this is a valid and trusted recipient the server does
+respond with OK, otherwise the return is an ERR with the reason why the
+key cannot be used, the signature will then not be created using this
+key. If the policy is not to sign at all if not all keys are valid, the
+client has to take care of this. All 'SIGNER' commands are cumulative
+until a 'RESET' is done. Note that a 'SIGN' does not reset this list of
+signers which is in contrast to the 'RECIPIENT' command.
+
+
+File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
+
+5.6.4 Verifying a Message
+-------------------------
+
+To verify a message the command:
+
+ VERIFY
+
+ is used. It does a verify operation on the message send to the input
+FD. The result is written out using status lines. If an output FD was
+given, the signed text will be written to that. If the signature is a
+detached one, the server will inquire about the signed material and the
+client must provide it.
+
+
+File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol
+
+5.6.5 Generating a Key
+----------------------
+
+This is used to generate a new keypair, store the secret part in the PSE
+and the public key in the key database. We will probably add optional
+commands to allow the client to select whether a hardware token is used
+to store the key. Configuration options to 'GPGSM' can be used to
+restrict the use of this command.
+
+ GENKEY
+
+ 'GPGSM' checks whether this command is allowed and then does an
+INQUIRY to get the key parameters, the client should then send the key
+parameters in the native format:
+
+ S: INQUIRE KEY_PARAM native
+ C: D foo:fgfgfg
+ C: D bar
+ C: END
+
+ Please note that the server may send Status info lines while reading
+the data lines from the client. After this the key generation takes
+place and the server eventually does send an ERR or OK response. Status
+lines may be issued as a progress indicator.
+
+
+File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol
+
+5.6.6 List available keys
+-------------------------
+
+To list the keys in the internal database or using an external key
+provider, the command:
+
+ LISTKEYS PATTERN
+
+ is used. To allow multiple patterns (which are ORed during the
+search) quoting is required: Spaces are to be translated into "+" or
+into "%20"; in turn this requires that the usual escape quoting rules
+are done.
+
+ LISTSECRETKEYS PATTERN
+
+ Lists only the keys where a secret key is available.
+
+ The list commands are affected by the option
+
+ OPTION list-mode=MODE
+
+ where mode may be:
+'0'
+ Use default (which is usually the same as 1).
+'1'
+ List only the internal keys.
+'2'
+ List only the external keys.
+'3'
+ List internal and external keys.
+
+ Note that options are valid for the entire session.
+
+
+File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol
+
+5.6.7 Export certificates
+-------------------------
+
+To export certificate from the internal key database the command:
+
+ EXPORT [--data [--armor] [--base64]] [--] PATTERN
+
+ is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+ If the '--data' option has not been given, the format of the output
+depends on what was set with the 'OUTPUT' command. When using PEM
+encoding a few informational lines are prepended.
+
+ If the '--data' has been given, a target set via 'OUTPUT' is ignored
+and the data is returned inline using standard 'D'-lines. This avoids
+the need for an extra file descriptor. In this case the options
+'--armor' and '--base64' may be used in the same way as with the
+'OUTPUT' command.
+
+
+File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol
+
+5.6.8 Import certificates
+-------------------------
+
+To import certificates into the internal key database, the command
+
+ IMPORT [--re-import]
+
+ is used. The data is expected on the file descriptor set with the
+'INPUT' command. Certain checks are performed on the certificate. Note
+that the code will also handle PKCS#12 files and import private keys; a
+helper program is used for that.
+
+ With the option '--re-import' the input data is expected to a be a
+linefeed separated list of fingerprints. The command will re-import the
+corresponding certificates; that is they are made permanent by removing
+their ephemeral flag.
+
+
+File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol
+
+5.6.9 Delete certificates
+-------------------------
+
+To delete a certificate the command
+
+ DELKEYS PATTERN
+
+ is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+ The certificates must be specified unambiguously otherwise an error
+is returned.
+
+
+File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol
+
+5.6.10 Retrieve an audit log
+----------------------------
+
+This command is used to retrieve an audit log.
+
+ GETAUDITLOG [--data] [--html]
+
+ If '--data' is used, the audit log is send using D-lines instead of
+being sent to the file descriptor given by an 'OUTPUT' command. If
+'--html' is used, the output is formatted as an XHTML block. This is
+designed to be incorporated into a HTML document.
+
+
+File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol
+
+5.6.11 Return information about the process
+-------------------------------------------
+
+This is a multipurpose function to return a variety of information.
+
+ GETINFO WHAT
+
+ The value of WHAT specifies the kind of information returned:
+'version'
+ Return the version of the program.
+'pid'
+ Return the process id of the process.
+'agent-check'
+ Return OK if the agent is running.
+'cmd_has_option CMD OPT'
+ Return OK if the command CMD implements the option OPT. The
+ leading two dashes usually used with OPT shall not be given.
+'offline'
+ Return OK if the connection is in offline mode. This may be either
+ due to a 'OPTION offline=1' or due to 'gpgsm' being started with
+ option '--disable-dirmngr'.
+
+
+File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol
+
+5.6.12 Session options
+----------------------
+
+The standard Assuan option handler supports these options.
+
+ OPTION NAME[=VALUE]
+
+ These NAMEs are recognized:
+
+'putenv'
+ Change the session's environment to be passed via gpg-agent to
+ Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If
+ only '<KEY>' is given the environment variable '<KEY>' is removed
+ from the session environment, if '<KEY>=' is given that environment
+ variable is set to the empty string, and if '<STRING>' is given it
+ is set to that string.
+
+'display'
+ Set the session environment variable 'DISPLAY' is set to VALUE.
+'ttyname'
+ Set the session environment variable 'GPG_TTY' is set to VALUE.
+'ttytype'
+ Set the session environment variable 'TERM' is set to VALUE.
+'lc-ctype'
+ Set the session environment variable 'LC_CTYPE' is set to VALUE.
+'lc-messages'
+ Set the session environment variable 'LC_MESSAGES' is set to VALUE.
+'xauthority'
+ Set the session environment variable 'XAUTHORITY' is set to VALUE.
+'pinentry-user-data'
+ Set the session environment variable 'PINENTRY_USER_DATA' is set to
+ VALUE.
+
+'include-certs'
+ This option overrides the command line option '--include-certs'. A
+ VALUE of -2 includes all certificates except for the root
+ certificate, -1 includes all certificates, 0 does not include any
+ certificates, 1 includes only the signers certificate and all other
+ positive values include up to VALUE certificates starting with the
+ signer cert.
+
+'list-mode'
+ *Note gpgsm-cmd listkeys::.
+
+'list-to-output'
+ If VALUE is true the output of the list commands (*note gpgsm-cmd
+ listkeys::) is written to the file descriptor set with the last
+ 'OUTPUT' command. If VALUE is false the output is written via data
+ lines; this is the default.
+
+'with-validation'
+ If VALUE is true for each listed certificate the validation status
+ is printed. This may result in the download of a CRL or the user
+ being asked about the trustworthiness of a root certificate. The
+ default is given by a command line option (*note gpgsm-option
+ --with-validation::).
+
+'with-secret'
+ If VALUE is true certificates with a corresponding private key are
+ marked by the list commands.
+
+'validation-model'
+ This option overrides the command line option 'validation-model'
+ for the session. (*Note gpgsm-option --validation-model::.)
+
+'with-key-data'
+ This option globally enables the command line option
+ '--with-key-data'. (*Note gpgsm-option --with-key-data::.)
+
+'enable-audit-log'
+ If VALUE is true data to write an audit log is gathered. (*Note
+ gpgsm-cmd getauditlog::.)
+
+'allow-pinentry-notify'
+ If this option is used notifications about the launch of a Pinentry
+ are passed back to the client.
+
+'with-ephemeral-keys'
+ If VALUE is true ephemeral certificates are included in the output
+ of the list commands.
+
+'no-encrypt-to'
+ If this option is used all keys set by the command line option
+ '--encrypt-to' are ignored.
+
+'offline'
+ If VALUE is true or VALUE is not given all network access is
+ disabled for this session. This is the same as the command line
+ option '--disable-dirmngr'.
+
+
+File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top
+
+6 Invoking the SCDAEMON
+***********************
+
+The 'scdaemon' is a daemon to manage smartcards. It is usually invoked
+by 'gpg-agent' and in general not used directly.
+
+ *Note Option Index::, for an index to 'scdaemon''s commands and
+options.
+
+* Menu:
+
+* Scdaemon Commands:: List of all commands.
+* Scdaemon Options:: List of all options.
+* Card applications:: Description of card applications.
+* Scdaemon Configuration:: Configuration files.
+* Scdaemon Examples:: Some usage examples.
+* Scdaemon Protocol:: The protocol the daemon uses.
+
+
+File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON
+
+6.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+'--server'
+ Run in server mode and wait for commands on the 'stdin'. The
+ default mode is to create a socket and listen for commands there.
+
+'--multi-server'
+ Run in server mode and wait for commands on the 'stdin' as well as
+ on an additional Unix Domain socket. The server command 'GETINFO'
+ may be used to get the name of that extra socket.
+
+'--daemon'
+ Run the program in the background. This option is required to
+ prevent it from being accidentally running in the background.
+
+
+File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON
+
+6.2 Option Summary
+==================
+
+'--options FILE'
+ Reads configuration from FILE instead of from the default per-user
+ configuration file. The default configuration file is named
+ 'scdaemon.conf' and expected in the '.gnupg' directory directly
+ below the home directory of the user.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to 'gpgsm', such as
+ '-vv'.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+ Note: All debugging options are subject to change and thus
+ should not be used by any application program. As the name
+ says, they are only used as helpers to debug problems.
+
+'--debug FLAGS'
+ This option is only useful for debugging and the behavior may
+ change at any time without notice. FLAGS are bit encoded and may
+ be given in usual C-Syntax. The currently defined bits are:
+
+ '0 (1)'
+ command I/O
+ '1 (2)'
+ values of big number integers
+ '2 (4)'
+ low level crypto operations
+ '5 (32)'
+ memory allocation
+ '6 (64)'
+ caching
+ '7 (128)'
+ show memory statistics
+ '9 (512)'
+ write hashed data to files named 'dbgmd-000*'
+ '10 (1024)'
+ trace Assuan protocol. See also option
+ '--debug-assuan-log-cats'.
+ '11 (2048)'
+ trace APDU I/O to the card. This may reveal sensitive data.
+ '12 (4096)'
+ trace some card reader related function calls.
+
+'--debug-all'
+ Same as '--debug=0xffffffff'
+
+'--debug-wait N'
+ When running in server mode, wait N seconds before entering the
+ actual processing loop and print the pid. This gives time to
+ attach a debugger.
+
+'--debug-ccid-driver'
+ Enable debug output from the included CCID driver for smartcards.
+ Using this option twice will also enable some tracing of the T=1
+ protocol. Note that this option may reveal sensitive data.
+
+'--debug-disable-ticker'
+ This option disables all ticker functions like checking for card
+ insertions.
+
+'--debug-allow-core-dump'
+ For security reasons we won't create a core dump when the process
+ aborts. For debugging purposes it is sometimes better to allow
+ core dump. This option enables it and also changes the working
+ directory to '/tmp' when running in '--server' mode.
+
+'--debug-log-tid'
+ This option appends a thread ID to the PID in the log output.
+
+'--debug-assuan-log-cats CATS'
+ Changes the active Libassuan logging categories to CATS. The value
+ for CATS is an unsigned integer given in usual C-Syntax. A value
+ of 0 switches to a default category. If this option is not used
+ the categories are taken from the environment variable
+ 'ASSUAN_DEBUG'. Note that this option has only an effect if the
+ Assuan debug flag has also been with the option '--debug'. For a
+ list of categories see the Libassuan manual.
+
+'--no-detach'
+ Don't detach the process from the console. This is mainly useful
+ for debugging.
+
+'--listen-backlog N'
+ Set the size of the queue for pending connections. The default is
+ 64. This option has an effect only if '--multi-server' is also
+ used.
+
+'--log-file FILE'
+ Append all logging output to FILE. This is very helpful in seeing
+ what the agent actually does. Use 'socket://' to log to socket.
+
+'--pcsc-shared'
+ Use shared mode to access the card via PC/SC. This is a somewhat
+ dangerous option because Scdaemon assumes exclusivbe access to teh
+ card and for example caches certain information from the card. Use
+ this option only if you know what you are doing.
+
+'--pcsc-driver LIBRARY'
+ Use LIBRARY to access the smartcard reader. The current default on
+ Unix is 'libpcsclite.so' and on Windows 'winscard.dll'. Instead of
+ using this option you might also want to install a symbolic link to
+ the default file name (e.g. from 'libpcsclite.so.1'). A Unicode
+ file name may not be used on Windows.
+
+'--ctapi-driver LIBRARY'
+ Use LIBRARY to access the smartcard reader. The current default is
+ 'libtowitoko.so'. Note that the use of this interface is
+ deprecated; it may be removed in future releases.
+
+'--disable-ccid'
+ Disable the integrated support for CCID compliant readers. This
+ allows falling back to one of the other drivers even if the
+ internal CCID driver can handle the reader. Note, that CCID
+ support is only available if libusb was available at build time.
+
+'--reader-port NUMBER_OR_STRING'
+ This option may be used to specify the port of the card terminal.
+ A value of 0 refers to the first serial device; add 32768 to access
+ USB devices. The default is 32768 (first USB device). PC/SC or
+ CCID readers might need a string here; run the program in verbose
+ mode to get a list of available readers. The default is then the
+ first reader found.
+
+ To get a list of available CCID readers you may use this command:
+ echo scd getinfo reader_list \
+ | gpg-connect-agent --decode | awk '/^D/ {print $2}'
+
+'--card-timeout N'
+ If N is not 0 and no client is actively using the card, the card
+ will be powered down after N seconds. Powering down the card
+ avoids a potential risk of damaging a card when used with certain
+ cheap readers. This also allows applications that are not aware of
+ Scdaemon to access the card. The disadvantage of using a card
+ timeout is that accessing the card takes longer and that the user
+ needs to enter the PIN again after the next power up.
+
+ Note that with the current version of Scdaemon the card is powered
+ down immediately at the next timer tick for any value of N other
+ than 0.
+
+'--enable-pinpad-varlen'
+ Please specify this option when the card reader supports variable
+ length input for pinpad (default is no). For known readers (listed
+ in ccid-driver.c and apdu.c), this option is not needed. Note that
+ if your card reader doesn't supports variable length input but you
+ want to use it, you need to specify your pinpad request on your
+ card.
+
+'--disable-pinpad'
+ Even if a card reader features a pinpad, do not try to use it.
+
+'--deny-admin'
+ This option disables the use of admin class commands for card
+ applications where this is supported. Currently we support it for
+ the OpenPGP card. This option is useful to inhibit accidental
+ access to admin class command which could ultimately lock the card
+ through wrong PIN numbers. Note that GnuPG versions older than
+ 2.0.11 featured an '--allow-admin' option which was required to use
+ such admin commands. This option has no more effect today because
+ the default is now to allow admin commands.
+
+'--disable-application NAME'
+ This option disables the use of the card application named NAME.
+ This is mainly useful for debugging or if a application with lower
+ priority should be used by default.
+
+ All the long options may also be given in the configuration file
+after stripping off the two leading dashes.
+
+
+File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON
+
+6.3 Description of card applications
+====================================
+
+'scdaemon' supports the card applications as described below.
+
+* Menu:
+
+* OpenPGP Card:: The OpenPGP card application
+* NKS Card:: The Telesec NetKey card application
+* DINSIG Card:: The DINSIG card application
+* PKCS#15 Card:: The PKCS#15 card application
+* Geldkarte Card:: The Geldkarte application
+* SmartCard-HSM:: The SmartCard-HSM application
+* Undefined Card:: The Undefined stub application
+
+
+File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications
+
+6.3.1 The OpenPGP card application "openpgp"
+--------------------------------------------
+
+This application is currently only used by 'gpg' but may in future also
+be useful with 'gpgsm'. Version 1 and version 2 of the card is
+supported.
+
+The specifications for these cards are available at
+<http://g10code.com/docs/openpgp-card-1.0.pdf> and
+<http://g10code.com/docs/openpgp-card-2.0.pdf>.
+
+
+File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications
+
+6.3.2 The Telesec NetKey card "nks"
+-----------------------------------
+
+This is the main application of the Telesec cards as available in
+Germany. It is a superset of the German DINSIG card. The card is used
+by 'gpgsm'.
+
+
+File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications
+
+6.3.3 The DINSIG card application "dinsig"
+------------------------------------------
+
+This is an application as described in the German draft standard _DIN V
+66291-1_. It is intended to be used by cards supporting the German
+signature law and its bylaws (SigG and SigV).
+
+
+File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications
+
+6.3.4 The PKCS#15 card application "p15"
+----------------------------------------
+
+This is common framework for smart card applications. It is used by
+'gpgsm'.
+
+
+File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications
+
+6.3.5 The Geldkarte card application "geldkarte"
+------------------------------------------------
+
+This is a simple application to display information of a German
+Geldkarte. The Geldkarte is a small amount debit card application which
+comes with almost all German banking cards.
+
+
+File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications
+
+6.3.6 The SmartCard-HSM card application "sc-hsm"
+-------------------------------------------------
+
+This application adds read-only support for keys and certificates stored
+on a SmartCard-HSM (http://www.smartcard-hsm.com).
+
+ To generate keys and store certificates you may use OpenSC
+(https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from
+OpenSCDP (http://www.openscdp.org).
+
+ The SmartCard-HSM cards requires a card reader that supports Extended
+Length APDUs.
+
+
+File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications
+
+6.3.7 The Undefined card application "undefined"
+------------------------------------------------
+
+This is a stub application to allow the use of the APDU command even if
+no supported application is found on the card. This application is not
+used automatically but must be explicitly requested using the SERIALNO
+command.
+
+
+File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
+
+6.4 Configuration files
+=======================
+
+There are a few configuration files to control certain aspects of
+'scdaemons''s operation. Unless noted, they are expected in the current
+home directory (*note option --homedir::).
+
+'scdaemon.conf'
+ This is the standard configuration file read by 'scdaemon' on
+ startup. It may contain any valid long option; the leading two
+ dashes may not be entered and the option may not be abbreviated.
+ This default name may be changed on the command line (*note option
+ --options::).
+
+'scd-event'
+ If this file is present and executable, it will be called on every
+ card reader's status change. An example of this script is provided
+ with the distribution
+
+'reader_N.status'
+ This file is created by 'scdaemon' to let other applications now
+ about reader status changes. Its use is now deprecated in favor of
+ 'scd-event'.
+
+
+File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
+
+6.5 Examples
+============
+
+ $ scdaemon --server -v
+
+
+File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
+
+6.6 Scdaemon's Assuan Protocol
+==============================
+
+The SC-Daemon should be started by the system to provide access to
+external tokens. Using Smartcards on a multi-user system does not make
+much sense except for system services, but in this case no regular user
+accounts are hosted on the machine.
+
+ A client connects to the SC-Daemon by connecting to the socket named
+'/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
+read from /ETC/GNUPG/SCDAEMON.CONF
+
+ Each connection acts as one session, SC-Daemon takes care of
+synchronizing access to a token between sessions.
+
+* Menu:
+
+* Scdaemon SERIALNO:: Return the serial number.
+* Scdaemon LEARN:: Read all useful information from the card.
+* Scdaemon READCERT:: Return a certificate.
+* Scdaemon READKEY:: Return a public key.
+* Scdaemon PKSIGN:: Signing data with a Smartcard.
+* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
+* Scdaemon GETATTR:: Read an attribute's value.
+* Scdaemon SETATTR:: Update an attribute's value.
+* Scdaemon WRITEKEY:: Write a key to a card.
+* Scdaemon GENKEY:: Generate a new key on-card.
+* Scdaemon RANDOM:: Return random bytes generated on-card.
+* Scdaemon PASSWD:: Change PINs.
+* Scdaemon CHECKPIN:: Perform a VERIFY operation.
+* Scdaemon RESTART:: Restart connection
+* Scdaemon APDU:: Send a verbatim APDU to the card
+
+
+File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
+
+6.6.1 Return the serial number
+------------------------------
+
+This command should be used to check for the presence of a card. It is
+special in that it can be used to reset the card. Most other commands
+will return an error when a card change has been detected and the use of
+this function is therefore required.
+
+ Background: We want to keep the client clear of handling card changes
+between operations; i.e. the client can assume that all operations are
+done on the same card unless he call this function.
+
+ SERIALNO
+
+ Return the serial number of the card using a status response like:
+
+ S SERIALNO D27600000000000000000000
+
+ The serial number is the hex encoded value identified by the '0x5A'
+tag in the GDO file (FIX=0x2F02).
+
+
+File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
+
+6.6.2 Read all useful information from the card
+-----------------------------------------------
+
+ LEARN [--force]
+
+ Learn all useful information of the currently inserted card. When
+used without the '--force' option, the command might do an INQUIRE like
+this:
+
+ INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
+
+ The client should just send an 'END' if the processing should go on
+or a 'CANCEL' to force the function to terminate with a cancel error
+message. The response of this command is a list of status lines
+formatted as this:
+
+ S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
+
+ If there is no certificate yet stored on the card a single "X" is
+returned in HEXSTRING_WITH_KEYGRIP.
+
+
+File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
+
+6.6.3 Return a certificate
+--------------------------
+
+ READCERT HEXIFIED_CERTID|KEYID
+
+ This function is used to read a certificate identified by
+HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
+may be used to read the certificate of version 2 cards.
+
+
+File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
+
+6.6.4 Return a public key
+-------------------------
+
+ READKEY HEXIFIED_CERTID
+
+ Return the public key for the given cert or key ID as an standard
+S-Expression.
+
+
+File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
+
+6.6.5 Signing data with a Smartcard
+-----------------------------------
+
+To sign some data the caller should use the command
+
+ SETDATA HEXSTRING
+
+ to tell 'scdaemon' about the data to be signed. The data must be
+given in hex notation. The actual signing is done using the command
+
+ PKSIGN KEYID
+
+ where KEYID is the hexified ID of the key to be used. The key id may
+have been retrieved using the command 'LEARN'. If another hash
+algorithm than SHA-1 is used, that algorithm may be given like:
+
+ PKSIGN --hash=ALGONAME KEYID
+
+ With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
+
+
+File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
+
+6.6.6 Decrypting data with a Smartcard
+--------------------------------------
+
+To decrypt some data the caller should use the command
+
+ SETDATA HEXSTRING
+
+ to tell 'scdaemon' about the data to be decrypted. The data must be
+given in hex notation. The actual decryption is then done using the
+command
+
+ PKDECRYPT KEYID
+
+ where KEYID is the hexified ID of the key to be used.
+
+ If the card is aware of the apdding format a status line with padding
+information is send before the plaintext data. The key for this status
+line is 'PADDING' with the only defined value being 0 and meaning
+padding has been removed.
+
+
+File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
+
+6.6.7 Read an attribute's value
+-------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
+
+6.6.8 Update an attribute's value
+---------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
+
+6.6.9 Write a key to a card
+---------------------------
+
+ WRITEKEY [--force] KEYID
+
+ This command is used to store a secret key on a smartcard. The
+allowed keyids depend on the currently selected smartcard application.
+The actual keydata is requested using the inquiry 'KEYDATA' and need to
+be provided without any protection. With '--force' set an existing key
+under this KEYID will get overwritten. The key data is expected to be
+the usual canonical encoded S-expression.
+
+ A PIN will be requested in most cases. This however depends on the
+actual card application.
+
+
+File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
+
+6.6.10 Generate a new key on-card
+---------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
+
+6.6.11 Return random bytes generated on-card
+--------------------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
+
+6.6.12 Change PINs
+------------------
+
+ PASSWD [--reset] [--nullpin] CHVNO
+
+ Change the PIN or reset the retry counter of the card holder
+verification vector number CHVNO. The option '--nullpin' is used to
+initialize the PIN of TCOS cards (6 byte NullPIN only).
+
+
+File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
+
+6.6.13 Perform a VERIFY operation
+---------------------------------
+
+ CHECKPIN IDSTR
+
+ Perform a VERIFY operation without doing anything else. This may be
+used to initialize a the PIN cache earlier to long lasting operations.
+Its use is highly application dependent:
+
+*OpenPGP*
+
+ Perform a simple verify operation for CHV1 and CHV2, so that
+ further operations won't ask for CHV2 and it is possible to do a
+ cheap check on the PIN: If there is something wrong with the PIN
+ entry system, only the regular CHV will get blocked and not the
+ dangerous CHV3. IDSTR is the usual card's serial number in hex
+ notation; an optional fingerprint part will get ignored.
+
+ There is however a special mode if IDSTR is suffixed with the
+ literal string '[CHV3]': In this case the Admin PIN is checked if
+ and only if the retry counter is still at 3.
+
+
+File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
+
+6.6.14 Perform a RESTART operation
+----------------------------------
+
+ RESTART
+
+ Restart the current connection; this is a kind of warm reset. It
+deletes the context used by this connection but does not actually reset
+the card.
+
+ This is used by gpg-agent to reuse a primary pipe connection and may
+be used by clients to backup from a conflict in the serial command; i.e.
+to select another application.
+
+
+File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
+
+6.6.15 Send a verbatim APDU to the card
+---------------------------------------
+
+ APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
+
+ Send an APDU to the current reader. This command bypasses the high
+level functions and sends the data directly to the card. HEXSTRING is
+expected to be a proper APDU. If HEXSTRING is not given no commands are
+send to the card; However the command will implicitly check whether the
+card is ready for use.
+
+ Using the option '--atr' returns the ATR of the card as a status
+message before any data like this:
+ S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
+
+ Using the option '--more' handles the card status word MORE_DATA
+(61xx) and concatenate all responses to one block.
+
+ Using the option '--exlen' the returned APDU may use extended length
+up to N bytes. If N is not given a default value is used (currently
+4096).
+
+
+File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top
+
+7 How to Specify a User Id
+**************************
+
+There are different ways to specify a user ID to GnuPG. Some of them are
+only valid for 'gpg' others are only good for 'gpgsm'. Here is the
+entire list of ways to specify a key:
+
+ * By key Id. This format is deduced from the length of the string
+ and its content or '0x' prefix. The key Id of an X.509 certificate
+ are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
+ is just a shortcut, for all automated processing the fingerprint
+ should be used.
+
+ When using 'gpg' an exclamation mark (!) may be appended to force
+ using the specified primary or secondary key and not to try and
+ calculate which primary or secondary key to use.
+
+ The last four lines of the example give the key ID in their long
+ form as internally used by the OpenPGP protocol. You can see the
+ long key ID using the option '--with-colons'.
+
+ 234567C4
+ 0F34E556E
+ 01347A56A
+ 0xAB123456
+
+ 234AABBCC34567C4
+ 0F323456784E56EAB
+ 01AB3FED1347A5612
+ 0x234AABBCC34567C4
+
+ * By fingerprint. This format is deduced from the length of the
+ string and its content or the '0x' prefix. Note, that only the 20
+ byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
+ hash of the certificate).
+
+ When using 'gpg' an exclamation mark (!) may be appended to force
+ using the specified primary or secondary key and not to try and
+ calculate which primary or secondary key to use.
+
+ The best way to specify a key Id is by using the fingerprint. This
+ avoids any ambiguities in case that there are duplicated key IDs.
+
+ 1234343434343434C434343434343434
+ 123434343434343C3434343434343734349A3434
+ 0E12343434343434343434EAB3484343434343434
+ 0xE12343434343434343434EAB3484343434343434
+
+ 'gpgsm' also accepts colons between each pair of hexadecimal digits
+ because this is the de-facto standard on how to present X.509
+ fingerprints. 'gpg' also allows the use of the space separated
+ SHA-1 fingerprint as printed by the key listing commands.
+
+ * By exact match on OpenPGP user ID. This is denoted by a leading
+ equal sign. It does not make sense for X.509 certificates.
+
+ =Heinrich Heine <heinrichh@uni-duesseldorf.de>
+
+ * By exact match on an email address. This is indicated by enclosing
+ the email address in the usual way with left and right angles.
+
+ <heinrichh@uni-duesseldorf.de>
+
+ * By partial match on an email address. This is indicated by
+ prefixing the search string with an '@'. This uses a substring
+ search but considers only the mail address (i.e. inside the angle
+ brackets).
+
+ @heinrichh
+
+ * By exact match on the subject's DN. This is indicated by a leading
+ slash, directly followed by the RFC-2253 encoded DN of the subject.
+ Note that you can't use the string printed by 'gpgsm --list-keys'
+ because that one has been reordered and modified for better
+ readability; use '--with-colons' to print the raw (but standard
+ escaped) RFC-2253 string.
+
+ /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
+
+ * By exact match on the issuer's DN. This is indicated by a leading
+ hash mark, directly followed by a slash and then directly followed
+ by the RFC-2253 encoded DN of the issuer. This should return the
+ Root cert of the issuer. See note above.
+
+ #/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * By exact match on serial number and issuer's DN. This is indicated
+ by a hash mark, followed by the hexadecimal representation of the
+ serial number, then followed by a slash and the RFC-2253 encoded DN
+ of the issuer. See note above.
+
+ #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * By keygrip. This is indicated by an ampersand followed by the 40
+ hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
+ command '--dump-cert'.
+
+ &D75F22C3F86E355877348498CDC92BD21010A480
+
+ * By substring match. This is the default mode but applications may
+ want to explicitly indicate this by putting the asterisk in front.
+ Match is not case sensitive.
+
+ Heine
+ *Heine
+
+ * . and + prefixes These prefixes are reserved for looking up mails
+ anchored at the end and for a word search mode. They are not yet
+ implemented and using them is undefined.
+
+ Please note that we have reused the hash mark identifier which was
+used in old GnuPG versions to indicate the so called local-id. It is
+not anymore used and there should be no conflict when used with X.509
+stuff.
+
+ Using the RFC-2253 format of DNs has the drawback that it is not
+possible to map them back to the original encoding, however we don't
+have to do this because our key database stores this encoding as meta
+data.
+
+
+File: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top
+
+8 Trust Values
+**************
+
+Trust values are used to indicate ownertrust and validity of keys and
+user IDs. They are displayed with letters or strings:
+
+-
+unknown
+ No ownertrust assigned / not yet calculated.
+
+e
+expired
+
+ Trust calculation has failed; probably due to an expired key.
+
+q
+undefined, undef
+ Not enough information for calculation.
+
+n
+never
+ Never trust this key.
+
+m
+marginal
+ Marginally trusted.
+
+f
+full
+ Fully trusted.
+
+u
+ultimate
+ Ultimately trusted.
+
+r
+revoked
+ For validity only: the key or the user ID has been revoked.
+
+?
+err
+ The program encountered an unknown trust value.
+
+
+File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top
+
+9 Helper Tools
+**************
+
+GnuPG comes with a couple of smaller tools:
+
+* Menu:
+
+* watchgnupg:: Read logs from a socket.
+* gpgv:: Verify OpenPGP signatures.
+* addgnupghome:: Create .gnupg home directories.
+* gpgconf:: Modify .gnupg home directories.
+* applygnupgdefaults:: Run gpgconf for all users.
+* gpg-preset-passphrase:: Put a passphrase into the cache.
+* gpg-connect-agent:: Communicate with a running agent.
+* dirmngr-client:: How to use the Dirmngr client tool.
+* gpgparsemail:: Parse a mail message into an annotated format
+* gpgtar:: Encrypt or sign files into an archive.
+* gpg-check-pattern:: Check a passphrase on stdin against the patternfile.
+
+
+File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
+
+9.1 Read logs from a socket
+===========================
+
+Most of the main utilities are able to write their log files to a Unix
+Domain socket if configured that way. 'watchgnupg' is a simple listener
+for such a socket. It ameliorates the output with a time stamp and
+makes sure that long lines are not interspersed with log output from
+other utilities. This tool is not available for Windows.
+
+'watchgnupg' is commonly invoked as
+
+ watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
+
+This starts it on the current terminal for listening on the standard
+logging socket (which is either '~/.gnupg/S.log' or
+'/var/run/user/UID/gnupg/S.log').
+
+'watchgnupg' understands these options:
+
+'--force'
+ Delete an already existing socket file.
+
+'--tcp N'
+ Instead of reading from a local socket, listen for connects on TCP
+ port N.
+
+'--time-only'
+ Do not print the date part of the timestamp.
+
+'--verbose'
+ Enable extra informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+Examples
+********
+
+ $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
+
+ This waits for connections on the local socket (e.g.
+'/home/foo/.gnupg/S.log') and shows all log entries. To make this work
+the option 'log-file' needs to be used with all modules which logs are
+to be shown. The suggested entry for the configuration files is:
+
+ log-file socket://
+
+ If the default socket as given above and returned by "echo $(gpgconf
+-list-dirs socketdir)/S.log" is not desired an arbitrary socket name can
+be specified, for example 'socket:///home/foo/bar/mysocket'. For
+debugging purposes it is also possible to do remote logging. Take care
+if you use this feature because the information is send in the clear
+over the network. Use this syntax in the conf files:
+
+ log-file tcp://192.168.1.1:4711
+
+ You may use any port and not just 4711 as shown above; only IP
+addresses are supported (v4 and v6) and no host names. You need to
+start 'watchgnupg' with the 'tcp' option. Note that under Windows the
+registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
+change the default log output from 'stderr' to whatever is given by that
+entry. However the only useful entry is a TCP name for remote
+debugging.
+
+
+File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
+
+9.2 Verify OpenPGP signatures
+=============================
+
+'gpgv' is an OpenPGP signature verification tool.
+
+ This program is actually a stripped-down version of 'gpg' which is
+only able to check signatures. It is somewhat smaller than the
+fully-blown 'gpg' and uses a different (and simpler) way to check that
+the public keys used to make the signature are valid. There are no
+configuration files and only a few options are implemented.
+
+ 'gpgv' assumes that all keys in the keyring are trustworthy. That
+does also mean that it does not check for expired or revoked keys.
+
+ If no '--keyring' option is given, 'gpgv' looks for a "default"
+keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the
+home directory of GnuPG, either the default home directory or the one
+set by the '--homedir' option or the 'GNUPGHOME' environment variable.
+If any '--keyring' option is used, 'gpgv' will not look for the default
+keyring. The '--keyring' option may be used multiple times and all
+specified keyrings will be used together.
+
+
+ 'gpgv' recognizes these options:
+
+'--verbose'
+'-v'
+ Gives more information during processing. If used twice, the input
+ data is listed in detail.
+
+'--quiet'
+'-q'
+ Try to be as quiet as possible.
+
+'--keyring FILE'
+ Add FILE to the list of keyrings. If FILE begins with a tilde and
+ a slash, these are replaced by the HOME directory. If the filename
+ does not contain a slash, it is assumed to be in the home-directory
+ ("~/.gnupg" if -homedir is not used).
+
+'--output FILE'
+'-o FILE'
+ Write output to FILE; to write to stdout use '-'. This option can
+ be used to get the signed text from a cleartext or binary
+ signature; it also works for detached signatures, but in that case
+ this option is in general not useful. Note that an existing file
+ will be overwritten.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. See the
+ file DETAILS in the documentation for a listing of them.
+
+'--logger-fd n'
+ Write log output to file descriptor 'n' and not to stderr.
+
+'--log-file file'
+ Same as '--logger-fd', except the logger data is written to file
+ 'file'. Use 'socket://' to log to socket.
+
+'--ignore-time-conflict'
+ GnuPG normally checks that the timestamps associated with keys and
+ signatures have plausible values. However, sometimes a signature
+ seems to be older than the key due to clock problems. This option
+ turns these checks into warnings.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'--weak-digest name'
+ Treat the specified digest algorithm as weak. Signatures made over
+ weak digests algorithms are normally rejected. This option can be
+ supplied multiple times if multiple algorithms should be considered
+ weak. MD5 is always considered weak, and does not need to be
+ listed explicitly.
+
+'--enable-special-filenames'
+ This option enables a mode in which filenames of the form '-&n',
+ where n is a non-negative decimal number, refer to the file
+ descriptor n and not to a file with that name.
+
+ The program returns 0 if everything is fine, 1 if at least one
+signature was bad, and other error codes for fatal errors.
+
+9.2.1 Examples
+--------------
+
+gpgv 'pgpfile'
+gpgv 'sigfile' ['datafile']
+ Verify the signature of the file. The second form is used for
+ detached signatures, where 'sigfile' is the detached signature
+ (either ASCII-armored or binary) and 'datafile' contains the signed
+ data; if 'datafile' is "-" the signed data is expected on 'stdin';
+ if 'datafile' is not given the name of the file holding the signed
+ data is constructed by cutting off the extension (".asc", ".sig" or
+ ".sign") from 'sigfile'.
+
+9.2.2 Environment
+-----------------
+
+HOME
+ Used to locate the default home directory.
+
+GNUPGHOME
+ If set directory used instead of "~/.gnupg".
+
+9.2.3 FILES
+-----------
+
+~/.gnupg/trustedkeys.gpg
+ The default keyring with the allowed keys.
+
+ 'gpg'(1)
+
+
+File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
+
+9.3 Create .gnupg home directories
+==================================
+
+If GnuPG is installed on a system with existing user accounts, it is
+sometimes required to populate the GnuPG home directory with existing
+files. Especially a 'trustlist.txt' and a keybox with some initial
+certificates are often desired. This script helps to do this by copying
+all files from '/etc/skel/.gnupg' to the home directories of the
+accounts given on the command line. It takes care not to overwrite
+existing GnuPG home directories.
+
+'addgnupghome' is invoked by root as:
+
+ addgnupghome account1 account2 ... accountn
+
+
+File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
+
+9.4 Modify .gnupg home directories
+==================================
+
+The 'gpgconf' is a utility to automatically and reasonable safely query
+and modify configuration files in the '.gnupg' home directory. It is
+designed not to be invoked manually by the user, but automatically by
+graphical user interfaces (GUI).(1)
+
+ 'gpgconf' provides access to the configuration of one or more
+components of the GnuPG system. These components correspond more or
+less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
+DirMngr, etc. But this is not a strict one-to-one relationship. Not
+all configuration options are available through 'gpgconf'. 'gpgconf'
+provides a generic and abstract method to access the most important
+configuration options that can feasibly be controlled via such a
+mechanism.
+
+ 'gpgconf' can be used to gather and change the options available in
+each component, and can also provide their default values. 'gpgconf'
+will give detailed type information that can be used to restrict the
+user's input without making an attempt to commit the changes.
+
+ 'gpgconf' provides the backend of a configuration editor. The
+configuration editor would usually be a graphical user interface program
+that displays the current options, their default values, and allows the
+user to make changes to the options. These changes can then be made
+active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
+way will be called GUI throughout this section.
+
+* Menu:
+
+* Invoking gpgconf:: List of all commands and options.
+* Format conventions:: Formatting conventions relevant for all commands.
+* Listing components:: List all gpgconf components.
+* Checking programs:: Check all programs known to gpgconf.
+* Listing options:: List all options of a component.
+* Changing options:: Changing options of a component.
+* Listing global options:: List all global options.
+* Querying versions:: Get and compare software versions.
+* Files used by gpgconf:: What files are used by gpgconf.
+
+ ---------- Footnotes ----------
+
+ (1) Please note that currently no locking is done, so concurrent
+access should be avoided. There are some precautions to avoid
+corruption with concurrent usage, but results may be inconsistent and
+some changes may get lost. The stateless design makes it difficult to
+provide more guarantees.
+
+
+File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
+
+9.4.1 Invoking gpgconf
+----------------------
+
+One of the following commands must be given:
+
+'--list-components'
+ List all components. This is the default command used if none is
+ specified.
+
+'--check-programs'
+ List all available backend programs and test whether they are
+ runnable.
+
+'--list-options COMPONENT'
+ List all options of the component COMPONENT.
+
+'--change-options COMPONENT'
+ Change the options of the component COMPONENT.
+
+'--check-options COMPONENT'
+ Check the options for the component COMPONENT.
+
+'--apply-profile FILE'
+ Apply the configuration settings listed in FILE to the
+ configuration files. If FILE has no suffix and no slashes the
+ command first tries to read a file with the suffix '.prf' from the
+ data directory ('gpgconf --list-dirs datadir') before it reads the
+ file verbatim. A profile is divided into sections using the
+ bracketed component name. Each section then lists the option which
+ shall go into the respective configuration file.
+
+'--apply-defaults'
+ Update all configuration files with values taken from the global
+ configuration file (usually '/etc/gnupg/gpgconf.conf'). Note: This
+ is a legacy mechanism. Please use global configuraion files
+ instead.
+
+'--list-dirs [NAMES]'
+'-L'
+ Lists the directories used by 'gpgconf'. One directory is listed
+ per line, and each line consists of a colon-separated list where
+ the first field names the directory type (for example 'sysconfdir')
+ and the second field contains the percent-escaped directory.
+ Although they are not directories, the socket file names used by
+ 'gpg-agent' and 'dirmngr' are printed as well. Note that the
+ socket file names and the 'homedir' lines are the default names and
+ they may be overridden by command line switches. If NAMES are
+ given only the directories or file names specified by the list
+ names are printed without any escaping.
+
+'--list-config [FILENAME]'
+ List the global configuration file in a colon separated format. If
+ FILENAME is given, check that file instead.
+
+'--check-config [FILENAME]'
+ Run a syntax check on the global configuration file. If FILENAME
+ is given, check that file instead.
+
+'--query-swdb PACKAGE_NAME [VERSION_STRING]'
+ Returns the current version for PACKAGE_NAME and if VERSION_STRING
+ is given also an indicator on whether an update is available. The
+ actual file with the software version is automatically downloaded
+ and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
+ download the file too often and it does this by default only if it
+ can be done via Tor. To force an update of that file this command
+ can be used:
+
+ gpg-connect-agent --dirmngr 'loadswdb --force' /bye
+
+'--reload [COMPONENT]'
+'-R'
+ Reload all or the given component. This is basically the same as
+ sending a SIGHUP to the component. Components which don't support
+ reloading are ignored. Without COMPONENT or by using "all" for
+ COMPONENT all components which are daemons are reloaded.
+
+'--launch [COMPONENT]'
+ If the COMPONENT is not already running, start it. 'component'
+ must be a daemon. This is in general not required because the
+ system starts these daemons as needed. However, external software
+ making direct use of 'gpg-agent' or 'dirmngr' may use this command
+ to ensure that they are started. Using "all" for COMPONENT
+ launches all components which are daemons.
+
+'--kill [COMPONENT]'
+'-K'
+ Kill the given component that runs as a daemon, including
+ 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does
+ not run as a daemon will be ignored. Using "all" for COMPONENT
+ kills all components running as daemons. Note that as of now
+ reload and kill have the same effect for 'scdaemon'.
+
+'--create-socketdir'
+ Create a directory for sockets below /run/user or /var/run/user.
+ This is command is only required if a non default home directory is
+ used and the /run based sockets shall be used. For the default
+ home directory GnUPG creates a directory on the fly.
+
+'--remove-socketdir'
+ Remove a directory created with command '--create-socketdir'.
+
+ The following options may be used:
+
+'-o FILE'
+'--output FILE'
+ Write output to FILE. Default is to write to stdout.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. Specifically, this
+ extends numerical field values by human-readable descriptions.
+
+'-q'
+'--quiet'
+ Try to be as quiet as possible.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-n'
+'--dry-run'
+ Do not actually change anything. This is currently only
+ implemented for '--change-options' and can be used for testing
+ purposes.
+
+'-r'
+'--runtime'
+ Only used together with '--change-options'. If one of the modified
+ options can be changed in a running daemon process, signal the
+ running daemon to ask it to reparse its configuration file after
+ changing.
+
+ This means that the changes will take effect at run-time, as far as
+ this is possible. Otherwise, they will take effect at the next
+ start of the respective backend programs.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. This
+ program returns the status messages SUCCESS or FAILURE which are
+ helpful when the caller uses a double fork approach and can't
+ easily get the return code of the process.
+
+
+File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
+
+9.4.2 Format conventions
+------------------------
+
+Some lines in the output of 'gpgconf' contain a list of colon-separated
+fields. The following conventions apply:
+
+ * The GUI program is required to strip off trailing newline and/or
+ carriage return characters from the output.
+
+ * 'gpgconf' will never leave out fields. If a certain version
+ provides a certain field, this field will always be present in all
+ 'gpgconf' versions from that time on.
+
+ * Future versions of 'gpgconf' might append fields to the list. New
+ fields will always be separated from the previously last field by a
+ colon separator. The GUI should be prepared to parse the last
+ field it knows about up until a colon or end of line.
+
+ * Not all fields are defined under all conditions. You are required
+ to ignore the content of undefined fields.
+
+ There are several standard types for the content of a field:
+
+verbatim
+ Some fields contain strings that are not escaped in any way. Such
+ fields are described to be used _verbatim_. These fields will
+ never contain a colon character (for obvious reasons). No
+ de-escaping or other formatting is required to use the field
+ content. This is for easy parsing of the output, when it is known
+ that the content can never contain any special characters.
+
+percent-escaped
+ Some fields contain strings that are described to be
+ _percent-escaped_. Such strings need to be de-escaped before their
+ content can be presented to the user. A percent-escaped string is
+ de-escaped by replacing all occurrences of '%XY' by the byte that
+ has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
+ '0-9a-f'.
+
+localized
+ Some fields contain strings that are described to be _localized_.
+ Such strings are translated to the active language and formatted in
+ the active character set.
+
+unsigned number
+ Some fields contain an _unsigned number_. This number will always
+ fit into a 32-bit unsigned integer variable. The number may be
+ followed by a space, followed by a human readable description of
+ that value (if the verbose option is used). You should ignore
+ everything in the field that follows the number.
+
+signed number
+ Some fields contain a _signed number_. This number will always fit
+ into a 32-bit signed integer variable. The number may be followed
+ by a space, followed by a human readable description of that value
+ (if the verbose option is used). You should ignore everything in
+ the field that follows the number.
+
+boolean value
+ Some fields contain a _boolean value_. This is a number with
+ either the value 0 or 1. The number may be followed by a space,
+ followed by a human readable description of that value (if the
+ verbose option is used). You should ignore everything in the field
+ that follows the number; checking just the first character is
+ sufficient in this case.
+
+option
+ Some fields contain an _option_ argument. The format of an option
+ argument depends on the type of the option and on some flags:
+
+ no argument
+ The simplest case is that the option does not take an argument
+ at all (TYPE '0'). Then the option argument is an unsigned
+ number that specifies how often the option occurs. If the
+ 'list' flag is not set, then the only valid number is '1'.
+ Options that do not take an argument never have the 'default'
+ or 'optional arg' flag set.
+
+ number
+ If the option takes a number argument (ALT-TYPE is '2' or
+ '3'), and it can only occur once ('list' flag is not set),
+ then the option argument is either empty (only allowed if the
+ argument is optional), or it is a number. A number is a
+ string that begins with an optional minus character, followed
+ by one or more digits. The number must fit into an integer
+ variable (unsigned or signed, depending on ALT-TYPE).
+
+ number list
+ If the option takes a number argument and it can occur more
+ than once, then the option argument is either empty, or it is
+ a comma-separated list of numbers as described above.
+
+ string
+ If the option takes a string argument (ALT-TYPE is 1), and it
+ can only occur once ('list' flag is not set) then the option
+ argument is either empty (only allowed if the argument is
+ optional), or it starts with a double quote character ('"')
+ followed by a percent-escaped string that is the argument
+ value. Note that there is only a leading double quote
+ character, no trailing one. The double quote character is
+ only needed to be able to differentiate between no value and
+ the empty string as value.
+
+ string list
+ If the option takes a string argument and it can occur more
+ than once, then the option argument is either empty, or it is
+ a comma-separated list of string arguments as described above.
+
+ The active language and character set are currently determined from
+the locale environment of the 'gpgconf' program.
+
+
+File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
+
+9.4.3 Listing components
+------------------------
+
+The command '--list-components' will list all components that can be
+configured with 'gpgconf'. Usually, one component will correspond to
+one GnuPG-related program and contain the options of that program's
+configuration file that can be modified using 'gpgconf'. However, this
+is not necessarily the case. A component might also be a group of
+selected options from several programs, or contain entirely virtual
+options that have a special effect rather than changing exactly one
+option in one configuration file.
+
+ A component is a set of configuration options that semantically
+belong together. Furthermore, several changes to a component can be
+made in an atomic way with a single operation. The GUI could for
+example provide a menu with one entry for each component, or a window
+with one tabulator sheet per component.
+
+ The command '--list-components' lists all available components, one
+per line. The format of each line is:
+
+ 'NAME:DESCRIPTION:PGMNAME:'
+
+NAME
+ This field contains a name tag of the component. The name tag is
+ used to specify the component in all communication with 'gpgconf'.
+ The name tag is to be used _verbatim_. It is thus not in any
+ escaped format.
+
+DESCRIPTION
+ The _string_ in this field contains a human-readable description of
+ the component. It can be displayed to the user of the GUI for
+ informational purposes. It is _percent-escaped_ and _localized_.
+
+PGMNAME
+ The _string_ in this field contains the absolute name of the
+ program's file. It can be used to unambiguously invoke that
+ program. It is _percent-escaped_.
+
+ Example:
+ $ gpgconf --list-components
+ gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
+ gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
+ scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
+ gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
+ dirmngr:Directory Manager:/usr/local/bin/dirmngr:
+
+
+File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
+
+9.4.4 Checking programs
+-----------------------
+
+The command '--check-programs' is similar to '--list-components' but
+works on backend programs and not on components. It runs each program
+to test whether it is installed and runnable. This also includes a
+syntax check of all config file options of the program.
+
+ The command '--check-programs' lists all available programs, one per
+line. The format of each line is:
+
+ 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
+
+NAME
+ This field contains a name tag of the program which is identical to
+ the name of the component. The name tag is to be used _verbatim_.
+ It is thus not in any escaped format. This field may be empty to
+ indicate a continuation of error descriptions for the last name.
+ The description and pgmname fields are then also empty.
+
+DESCRIPTION
+ The _string_ in this field contains a human-readable description of
+ the component. It can be displayed to the user of the GUI for
+ informational purposes. It is _percent-escaped_ and _localized_.
+
+PGMNAME
+ The _string_ in this field contains the absolute name of the
+ program's file. It can be used to unambiguously invoke that
+ program. It is _percent-escaped_.
+
+AVAIL
+ The _boolean value_ in this field indicates whether the program is
+ installed and runnable.
+
+OKAY
+ The _boolean value_ in this field indicates whether the program's
+ config file is syntactically okay.
+
+CFGFILE
+ If an error occurred in the configuration file (as indicated by a
+ false value in the field 'okay'), this field has the name of the
+ failing configuration file. It is _percent-escaped_.
+
+LINE
+ If an error occurred in the configuration file, this field has the
+ line number of the failing statement in the configuration file. It
+ is an _unsigned number_.
+
+ERROR
+ If an error occurred in the configuration file, this field has the
+ error text of the failing statement in the configuration file. It
+ is _percent-escaped_ and _localized_.
+
+In the following example the 'dirmngr' is not runnable and the
+configuration file of 'scdaemon' is not okay.
+
+ $ gpgconf --check-programs
+ gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
+ gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
+ scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
+ gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
+ dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
+
+The command '--check-options COMPONENT' will verify the configuration
+file in the same manner as '--check-programs', but only for the
+component COMPONENT.
+
+
+File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
+
+9.4.5 Listing options
+---------------------
+
+Every component contains one or more options. Options may be gathered
+into option groups to allow the GUI to give visual hints to the user
+about which options are related.
+
+ The command '--list-options COMPONENT' lists all options (and the
+groups they belong to) in the component COMPONENT, one per line.
+COMPONENT must be the string in the field NAME in the output of the
+'--list-components' command.
+
+ Take care if system-wide options are used: gpgconf may not be able to
+properly show the options and the listed options may have no actual
+effect in case the system-wide options enforced their own settings.
+
+ There is one line for each option and each group. First come all
+options that are not in any group. Then comes a line describing a
+group. Then come all options that belong into each group. Then comes
+the next group and so on. There does not need to be any group (and in
+this case the output will stop after the last non-grouped option).
+
+ The format of each line is:
+
+ 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
+
+NAME
+ This field contains a name tag for the group or option. The name
+ tag is used to specify the group or option in all communication
+ with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
+ not in any escaped format.
+
+FLAGS
+ The flags field contains an _unsigned number_. Its value is the
+ OR-wise combination of the following flag values:
+
+ 'group (1)'
+ If this flag is set, this is a line describing a group and not
+ an option.
+
+ The following flag values are only defined for options (that is, if
+ the 'group' flag is not used).
+
+ 'optional arg (2)'
+ If this flag is set, the argument is optional. This is never
+ set for TYPE '0' (none) options.
+
+ 'list (4)'
+ If this flag is set, the option can be given multiple times.
+
+ 'runtime (8)'
+ If this flag is set, the option can be changed at runtime.
+
+ 'default (16)'
+ If this flag is set, a default value is available.
+
+ 'default desc (32)'
+ If this flag is set, a (runtime) default is available. This
+ and the 'default' flag are mutually exclusive.
+
+ 'no arg desc (64)'
+ If this flag is set, and the 'optional arg' flag is set, then
+ the option has a special meaning if no argument is given.
+
+ 'no change (128)'
+ If this flag is set, 'gpgconf' ignores requests to change the
+ value. GUI frontends should grey out this option. Note, that
+ manual changes of the configuration files are still possible.
+
+LEVEL
+ This field is defined for options and for groups. It contains an
+ _unsigned number_ that specifies the expert level under which this
+ group or option should be displayed. The following expert levels
+ are defined for options (they have analogous meaning for groups):
+
+ 'basic (0)'
+ This option should always be offered to the user.
+
+ 'advanced (1)'
+ This option may be offered to advanced users.
+
+ 'expert (2)'
+ This option should only be offered to expert users.
+
+ 'invisible (3)'
+ This option should normally never be displayed, not even to
+ expert users.
+
+ 'internal (4)'
+ This option is for internal use only. Ignore it.
+
+ The level of a group will always be the lowest level of all options
+ it contains.
+
+DESCRIPTION
+ This field is defined for options and groups. The _string_ in this
+ field contains a human-readable description of the option or group.
+ It can be displayed to the user of the GUI for informational
+ purposes. It is _percent-escaped_ and _localized_.
+
+TYPE
+ This field is only defined for options. It contains an _unsigned
+ number_ that specifies the type of the option's argument, if any.
+ The following types are defined:
+
+ Basic types:
+
+ 'none (0)'
+ No argument allowed.
+
+ 'string (1)'
+ An _unformatted string_.
+
+ 'int32 (2)'
+ A _signed number_.
+
+ 'uint32 (3)'
+ An _unsigned number_.
+
+ Complex types:
+
+ 'pathname (32)'
+ A _string_ that describes the pathname of a file. The file
+ does not necessarily need to exist.
+
+ 'ldap server (33)'
+ A _string_ that describes an LDAP server in the format:
+
+ 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
+
+ 'key fingerprint (34)'
+ A _string_ with a 40 digit fingerprint specifying a
+ certificate.
+
+ 'pub key (35)'
+ A _string_ that describes a certificate by user ID, key ID or
+ fingerprint.
+
+ 'sec key (36)'
+ A _string_ that describes a certificate with a key by user ID,
+ key ID or fingerprint.
+
+ 'alias list (37)'
+ A _string_ that describes an alias list, like the one used
+ with gpg's group option. The list consists of a key, an equal
+ sign and space separated values.
+
+ More types will be added in the future. Please see the ALT-TYPE
+ field for information on how to cope with unknown types.
+
+ALT-TYPE
+ This field is identical to TYPE, except that only the types '0' to
+ '31' are allowed. The GUI is expected to present the user the
+ option in the format specified by TYPE. But if the argument type
+ TYPE is not supported by the GUI, it can still display the option
+ in the more generic basic type ALT-TYPE. The GUI must support all
+ the defined basic types to be able to display all options. More
+ basic types may be added in future versions. If the GUI encounters
+ a basic type it doesn't support, it should report an error and
+ abort the operation.
+
+ARGNAME
+ This field is only defined for options with an argument type TYPE
+ that is not '0'. In this case it may contain a _percent-escaped_
+ and _localized string_ that gives a short name for the argument.
+ The field may also be empty, though, in which case a short name is
+ not known.
+
+DEFAULT
+ This field is defined only for options for which the 'default' or
+ 'default desc' flag is set. If the 'default' flag is set, its
+ format is that of an _option argument_ (*note Format conventions::,
+ for details). If the default value is empty, then no default is
+ known. Otherwise, the value specifies the default value for this
+ option. If the 'default desc' flag is set, the field is either
+ empty or contains a description of the effect if the option is not
+ given.
+
+ARGDEF
+ This field is defined only for options for which the 'optional arg'
+ flag is set. If the 'no arg desc' flag is not set, its format is
+ that of an _option argument_ (*note Format conventions::, for
+ details). If the default value is empty, then no default is known.
+ Otherwise, the value specifies the default argument for this
+ option. If the 'no arg desc' flag is set, the field is either
+ empty or contains a description of the effect of this option if no
+ argument is given.
+
+VALUE
+ This field is defined only for options. Its format is that of an
+ _option argument_. If it is empty, then the option is not
+ explicitly set in the current configuration, and the default
+ applies (if any). Otherwise, it contains the current value of the
+ option. Note that this field is also meaningful if the option
+ itself does not take a real argument (in this case, it contains the
+ number of times the option appears).
+
+
+File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
+
+9.4.6 Changing options
+----------------------
+
+The command '--change-options COMPONENT' will attempt to change the
+options of the component COMPONENT to the specified values. COMPONENT
+must be the string in the field NAME in the output of the
+'--list-components' command. You have to provide the options that shall
+be changed in the following format on standard input:
+
+ 'NAME:FLAGS:NEW-VALUE'
+
+NAME
+ This is the name of the option to change. NAME must be the string
+ in the field NAME in the output of the '--list-options' command.
+
+FLAGS
+ The flags field contains an _unsigned number_. Its value is the
+ OR-wise combination of the following flag values:
+
+ 'default (16)'
+ If this flag is set, the option is deleted and the default
+ value is used instead (if applicable).
+
+NEW-VALUE
+ The new value for the option. This field is only defined if the
+ 'default' flag is not set. The format is that of an _option
+ argument_. If it is empty (or the field is omitted), the default
+ argument is used (only allowed if the argument is optional for this
+ option). Otherwise, the option will be set to the specified value.
+
+The output of the command is the same as that of '--check-options' for
+the modified configuration file.
+
+ Examples:
+
+ To set the force option, which is of basic type 'none (0)':
+
+ $ echo 'force:0:1' | gpgconf --change-options dirmngr
+
+ To delete the force option:
+
+ $ echo 'force:16:' | gpgconf --change-options dirmngr
+
+ The '--runtime' option can influence when the changes take effect.
+
+
+File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
+
+9.4.7 Listing global options
+----------------------------
+
+Some legacy applications look at the global configuration file for the
+gpgconf tool itself; this is the file 'gpgconf.conf'. Modern
+applications should not use it but use per component global
+configuration files which are more flexible than the 'gpgconf.conf'.
+Using both files is not suggested.
+
+ The colon separated listing format is record oriented and uses the
+first field to identify the record type:
+
+'k'
+ This describes a key record to start the definition of a new
+ ruleset for a user/group. The format of a key record is:
+
+ 'k:USER:GROUP:'
+
+ USER
+ This is the user field of the key. It is percent escaped.
+ See the definition of the gpgconf.conf format for details.
+
+ GROUP
+ This is the group field of the key. It is percent escaped.
+
+'r'
+ This describes a rule record. All rule records up to the next key
+ record make up a rule set for that key. The format of a rule
+ record is:
+
+ 'r:::COMPONENT:OPTION:FLAG:VALUE:'
+
+ COMPONENT
+ This is the component part of a rule. It is a plain string.
+
+ OPTION
+ This is the option part of a rule. It is a plain string.
+
+ FLAG
+ This is the flags part of a rule. There may be only one flag
+ per rule but by using the same component and option, several
+ flags may be assigned to an option. It is a plain string.
+
+ VALUE
+ This is the optional value for the option. It is a percent
+ escaped string with a single quotation mark to indicate a
+ string. The quotation mark is only required to distinguish
+ between no value specified and an empty string.
+
+Unknown record types should be ignored. Note that there is
+intentionally no feature to change the global option file through
+'gpgconf'.
+
+
+File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
+
+9.4.8 Get and compare software versions.
+----------------------------------------
+
+The GnuPG Project operates a server to query the current versions of
+software packages related to GnuPG. 'gpgconf' can be used to access this
+online database. To allow for offline operations, this feature works by
+having 'dirmngr' download a file from 'https://versions.gnupg.org',
+checking the signature of that file and storing the file in the GnuPG
+home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
+ask 'dirmngr' to refresh that file before itself uses the file.
+
+ The command '--query-swdb' returns information for the given package
+in a colon delimited format:
+
+NAME
+ This is the name of the package as requested. Note that "gnupg" is
+ a special name which is replaced by the actual package implementing
+ this version of GnuPG. For this name it is also not required to
+ specify a version because 'gpgconf' takes its own version in this
+ case.
+
+IVERSION
+ The currently installed version or an empty string. The value is
+ taken from the command line argument but may be provided by gpg if
+ not given.
+
+STATUS
+ The status of the software package according to this table:
+ '-'
+ No information available. This is either because no current
+ version has been specified or due to an error.
+ '?'
+ The given name is not known in the online database.
+ 'u'
+ An update of the software is available.
+ 'c'
+ The installed version of the software is current.
+ 'n'
+ The installed version is already newer than the released
+ version.
+
+URGENCY
+ If the value (the empty string should be considered as zero) is
+ greater than zero an important update is available.
+
+ERROR
+ This returns an 'gpg-error' error code to distinguish between
+ various failure modes.
+
+FILEDATE
+ This gives the date of the file with the version numbers in
+ standard ISO format ('yyyymmddThhmmss'). The date has been
+ extracted by 'dirmngr' from the signature of the file.
+
+VERIFIED
+ This gives the date in ISO format the file was downloaded. This
+ value can be used to evaluate the freshness of the information.
+
+VERSION
+ This returns the version string for the requested software from the
+ file.
+
+RELDATE
+ This returns the release date in ISO format.
+
+SIZE
+ This returns the size of the package as decimal number of bytes.
+
+HASH
+ This returns a hexified SHA-2 hash of the package.
+
+More fields may be added in future to the output.
+
+
+File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
+
+9.4.9 Files used by gpgconf
+---------------------------
+
+'/etc/gnupg/gpgconf.conf'
+ If this file exists, it is processed as a global configuration
+ file. This is a legacy mechanism which should not be used tigether
+ with the modern global per component configuration files. A
+ commented example can be found in the 'examples' directory of the
+ distribution.
+
+'GNUPGHOME/swdb.lst'
+ A file with current software versions. 'dirmngr' creates this file
+ on demand from an online resource.
+
+
+File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
+
+9.5 Run gpgconf for all users
+=============================
+
+This is a legacy script. Modern application should use the per
+component global configuration files under '/etc/gnupg/'.
+
+ This script is a wrapper around 'gpgconf' to run it with the command
+'--apply-defaults' for all real users with an existing GnuPG home
+directory. Admins might want to use this script to update he GnuPG
+configuration files for all users after '/etc/gnupg/gpgconf.conf' has
+been changed. This allows enforcing certain policies for all users.
+Note, that this is not a bulletproof way to force a user to use certain
+options. A user may always directly edit the configuration files and
+bypass gpgconf.
+
+'applygnupgdefaults' is invoked by root as:
+
+ applygnupgdefaults
+
+
+File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
+
+9.6 Put a passphrase into the cache
+===================================
+
+The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
+running 'gpg-agent' with passphrases. It is mainly useful for
+unattended machines, where the usual 'pinentry' tool may not be used and
+the passphrases for the to be used keys are given at machine startup.
+
+ This program works with GnuPG 2 and later. GnuPG 1.x is not
+supported.
+
+ Passphrases set with this utility don't expire unless the '--forget'
+option is used to explicitly clear them from the cache -- or 'gpg-agent'
+is either restarted or reloaded (by sending a SIGHUP to it). Note that
+the maximum cache time as set with '--max-cache-ttl' is still honored.
+It is necessary to allow this passphrase presetting by starting
+'gpg-agent' with the '--allow-preset-passphrase'.
+
+* Menu:
+
+* Invoking gpg-preset-passphrase:: List of all commands and options.
+
+
+File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
+
+9.6.1 List of all commands and options
+--------------------------------------
+
+'gpg-preset-passphrase' is invoked this way:
+
+ gpg-preset-passphrase [options] [command] CACHEID
+
+ CACHEID is either a 40 character keygrip of hexadecimal characters
+identifying the key for which the passphrase should be set or cleared.
+The keygrip is listed along with the key when running the command:
+'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary
+string may be used to identify a passphrase; it is suggested that such a
+string is prefixed with the name of the application (e.g 'foo:12346').
+Scripts should always use the option '--with-colons', which provides the
+keygrip in a "grp" line (cf. 'doc/DETAILS')/
+
+One of the following command options must be given:
+
+'--preset'
+ Preset a passphrase. This is what you usually will use.
+ 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
+
+'--forget'
+ Flush the passphrase for the given cache ID from the cache.
+
+The following additional options may be used:
+
+'-v'
+'--verbose'
+ Output additional information while running.
+
+'-P STRING'
+'--passphrase STRING'
+ Instead of reading the passphrase from 'stdin', use the supplied
+ STRING as passphrase. Note that this makes the passphrase visible
+ for other users.
+
+
+File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
+
+9.7 Communicate with a running agent
+====================================
+
+The 'gpg-connect-agent' is a utility to communicate with a running
+'gpg-agent'. It is useful to check out the commands 'gpg-agent'
+provides using the Assuan interface. It might also be useful for
+scripting simple applications. Input is expected at stdin and output
+gets printed to stdout.
+
+ It is very similar to running 'gpg-agent' in server mode; but here we
+connect to a running instance.
+
+* Menu:
+
+* Invoking gpg-connect-agent:: List of all options.
+* Controlling gpg-connect-agent:: Control commands.
+
+
+File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
+
+9.7.1 List of all options
+-------------------------
+
+'gpg-connect-agent' is invoked this way:
+
+ gpg-connect-agent [options] [commands]
+
+The following options may be used:
+
+'-v'
+'--verbose'
+ Output additional information while running.
+
+'-q'
+'--quiet'
+ Try to be as quiet as possible.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'--agent-program FILE'
+ Specify the agent program to be started if none is running. The
+ default value is determined by running 'gpgconf' with the option
+ '--list-dirs'. Note that the pipe symbol ('|') is used for a
+ regression test suite hack and may thus not be used in the file
+ name.
+
+'--dirmngr-program FILE'
+ Specify the directory manager (keyserver client) program to be
+ started if none is running. This has only an effect if used
+ together with the option '--dirmngr'.
+
+'--dirmngr'
+ Connect to a running directory manager (keyserver client) instead
+ of to the gpg-agent. If a dirmngr is not running, start it.
+
+'-S'
+'--raw-socket NAME'
+ Connect to socket NAME assuming this is an Assuan style server. Do
+ not run any special initializations or environment checks. This
+ may be used to directly connect to any Assuan style socket server.
+
+'-E'
+'--exec'
+ Take the rest of the command line as a program and it's arguments
+ and execute it as an Assuan server. Here is how you would run
+ 'gpgsm':
+ gpg-connect-agent --exec gpgsm --server
+ Note that you may not use options on the command line in this case.
+
+'--no-ext-connect'
+ When using '-S' or '--exec', 'gpg-connect-agent' connects to the
+ Assuan server in extended mode to allow descriptor passing. This
+ option makes it use the old mode.
+
+'--no-autostart'
+ Do not start the gpg-agent or the dirmngr if it has not yet been
+ started.
+
+'-r FILE'
+'--run FILE'
+ Run the commands from FILE at startup and then continue with the
+ regular input method. Note, that commands given on the command
+ line are executed after this file.
+
+'-s'
+'--subst'
+ Run the command '/subst' at startup.
+
+'--hex'
+ Print data lines in a hex format and the ASCII representation of
+ non-control characters.
+
+'--decode'
+ Decode data lines. That is to remove percent escapes but make sure
+ that a new line always starts with a D and a space.
+
+
+File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
+
+9.7.2 Control commands
+----------------------
+
+While reading Assuan commands, gpg-agent also allows a few special
+commands to control its operation. These control commands all start
+with a slash ('/').
+
+'/echo ARGS'
+ Just print ARGS.
+
+'/let NAME VALUE'
+ Set the variable NAME to VALUE. Variables are only substituted on
+ the input if the '/subst' has been used. Variables are referenced
+ by prefixing the name with a dollar sign and optionally include the
+ name in curly braces. The rules for a valid name are identically
+ to those of the standard bourne shell. This is not yet enforced
+ but may be in the future. When used with curly braces no leading
+ or trailing white space is allowed.
+
+ If a variable is not found, it is searched in the environment and
+ if found copied to the table of variables.
+
+ Variable functions are available: The name of the function must be
+ followed by at least one space and the at least one argument. The
+ following functions are available:
+
+ 'get'
+ Return a value described by the argument. Available arguments
+ are:
+
+ 'cwd'
+ The current working directory.
+ 'homedir'
+ The gnupg homedir.
+ 'sysconfdir'
+ GnuPG's system configuration directory.
+ 'bindir'
+ GnuPG's binary directory.
+ 'libdir'
+ GnuPG's library directory.
+ 'libexecdir'
+ GnuPG's library directory for executable files.
+ 'datadir'
+ GnuPG's data directory.
+ 'serverpid'
+ The PID of the current server. Command '/serverpid' must
+ have been given to return a useful value.
+
+ 'unescape ARGS'
+ Remove C-style escapes from ARGS. Note that '\0' and '\x00'
+ terminate the returned string implicitly. The string to be
+ converted are the entire arguments right behind the delimiting
+ space of the function name.
+
+ 'unpercent ARGS'
+ 'unpercent+ ARGS'
+ Remove percent style escaping from ARGS. Note that '%00'
+ terminates the string implicitly. The string to be converted
+ are the entire arguments right behind the delimiting space of
+ the function name. 'unpercent+' also maps plus signs to a
+ spaces.
+
+ 'percent ARGS'
+ 'percent+ ARGS'
+ Escape the ARGS using percent style escaping. Tabs,
+ formfeeds, linefeeds, carriage returns and colons are escaped.
+ 'percent+' also maps spaces to plus signs.
+
+ 'errcode ARG'
+ 'errsource ARG'
+ 'errstring ARG'
+ Assume ARG is an integer and evaluate it using 'strtol'.
+ Return the gpg-error error code, error source or a formatted
+ string with the error code and error source.
+
+ '+'
+ '-'
+ '*'
+ '/'
+ '%'
+ Evaluate all arguments as long integers using 'strtol' and
+ apply this operator. A division by zero yields an empty
+ string.
+
+ '!'
+ '|'
+ '&'
+ Evaluate all arguments as long integers using 'strtol' and
+ apply the logical operators NOT, OR or AND. The NOT operator
+ works on the last argument only.
+
+'/definq NAME VAR'
+ Use content of the variable VAR for inquiries with NAME. NAME may
+ be an asterisk ('*') to match any inquiry.
+
+'/definqfile NAME FILE'
+ Use content of FILE for inquiries with NAME. NAME may be an
+ asterisk ('*') to match any inquiry.
+
+'/definqprog NAME PROG'
+ Run PROG for inquiries matching NAME and pass the entire line to it
+ as command line arguments.
+
+'/datafile NAME'
+ Write all data lines from the server to the file NAME. The file is
+ opened for writing and created if it does not exists. An existing
+ file is first truncated to 0. The data written to the file fully
+ decoded. Using a single dash for NAME writes to stdout. The file
+ is kept open until a new file is set using this command or this
+ command is used without an argument.
+
+'/showdef'
+ Print all definitions
+
+'/cleardef'
+ Delete all definitions
+
+'/sendfd FILE MODE'
+ Open FILE in MODE (which needs to be a valid 'fopen' mode string)
+ and send the file descriptor to the server. This is usually
+ followed by a command like 'INPUT FD' to set the input source for
+ other commands.
+
+'/recvfd'
+ Not yet implemented.
+
+'/open VAR FILE [MODE]'
+ Open FILE and assign the file descriptor to VAR. Warning: This
+ command is experimental and might change in future versions.
+
+'/close FD'
+ Close the file descriptor FD. Warning: This command is
+ experimental and might change in future versions.
+
+'/showopen'
+ Show a list of open files.
+
+'/serverpid'
+ Send the Assuan command 'GETINFO pid' to the server and store the
+ returned PID for internal purposes.
+
+'/sleep'
+ Sleep for a second.
+
+'/hex'
+'/nohex'
+ Same as the command line option '--hex'.
+
+'/decode'
+'/nodecode'
+ Same as the command line option '--decode'.
+
+'/subst'
+'/nosubst'
+ Enable and disable variable substitution. It defaults to disabled
+ unless the command line option '--subst' has been used. If /subst
+ as been enabled once, leading whitespace is removed from input
+ lines which makes scripts easier to read.
+
+'/while CONDITION'
+'/end'
+ These commands provide a way for executing loops. All lines
+ between the 'while' and the corresponding 'end' are executed as
+ long as the evaluation of CONDITION yields a non-zero value or is
+ the string 'true' or 'yes'. The evaluation is done by passing
+ CONDITION to the 'strtol' function. Example:
+
+ /subst
+ /let i 3
+ /while $i
+ /echo loop counter is $i
+ /let i ${- $i 1}
+ /end
+
+'/if CONDITION'
+'/end'
+ These commands provide a way for conditional execution. All lines
+ between the 'if' and the corresponding 'end' are executed only if
+ the evaluation of CONDITION yields a non-zero value or is the
+ string 'true' or 'yes'. The evaluation is done by passing
+ CONDITION to the 'strtol' function.
+
+'/run FILE'
+ Run commands from FILE.
+
+'/bye'
+ Terminate the connection and the program.
+
+'/help'
+ Print a list of available control commands.
+
+
+File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
+
+9.8 The Dirmngr Client Tool
+===========================
+
+The 'dirmngr-client' is a simple tool to contact a running dirmngr and
+test whether a certificate has been revoked -- either by being listed in
+the corresponding CRL or by running the OCSP protocol. If no dirmngr is
+running, a new instances will be started but this is in general not a
+good idea due to the huge performance overhead.
+
+The usual way to run this tool is either:
+
+ dirmngr-client ACERT
+
+or
+
+ dirmngr-client <ACERT
+
+ Where ACERT is one DER encoded (binary) X.509 certificates to be
+tested. The return value of this command is
+
+'0'
+ The certificate under question is valid; i.e. there is a valid CRL
+ available and it is not listed there or the OCSP request returned
+ that that certificate is valid.
+
+'1'
+ The certificate has been revoked
+
+'2 (and other values)'
+ There was a problem checking the revocation state of the
+ certificate. A message to stderr has given more detailed
+ information. Most likely this is due to a missing or expired CRL
+ or due to a network problem.
+
+'dirmngr-client' may be called with the following options:
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--quiet, -q'
+ Make the output extra brief by suppressing any informational
+ messages.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to DIRMNGR, such as
+ '-vv'.
+
+'--pem'
+ Assume that the given certificate is in PEM (armored) format.
+
+'--ocsp'
+ Do the check using the OCSP protocol and ignore any CRLs.
+
+'--force-default-responder'
+ When checking using the OCSP protocol, force the use of the default
+ OCSP responder. That is not to use the Reponder as given by the
+ certificate.
+
+'--ping'
+ Check whether the dirmngr daemon is up and running.
+
+'--cache-cert'
+ Put the given certificate into the cache of a running dirmngr.
+ This is mainly useful for debugging.
+
+'--validate'
+ Validate the given certificate using dirmngr's internal validation
+ code. This is mainly useful for debugging.
+
+'--load-crl'
+ This command expects a list of filenames with DER encoded CRL
+ files. With the option '--url' URLs are expected in place of
+ filenames and they are loaded directly from the given location.
+ All CRLs will be validated and then loaded into dirmngr's cache.
+
+'--lookup'
+ Take the remaining arguments and run a lookup command on each of
+ them. The results are Base-64 encoded outputs (without header
+ lines). This may be used to retrieve certificates from a server.
+ However the output format is not very well suited if more than one
+ certificate is returned.
+
+'--url'
+'-u'
+ Modify the 'lookup' and 'load-crl' commands to take an URL.
+
+'--local'
+'-l'
+ Let the 'lookup' command only search the local cache.
+
+'--squid-mode'
+ Run DIRMNGR-CLIENT in a mode suitable as a helper program for
+ Squid's 'external_acl_type' option.
+
+
+File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools
+
+9.9 Parse a mail message into an annotated format
+=================================================
+
+The 'gpgparsemail' is a utility currently only useful for debugging.
+Run it with '--help' for usage information.
+
+
+File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools
+
+9.10 Encrypt or sign files into an archive
+==========================================
+
+'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar
+using the same format as used by PGP's PGP Zip.
+
+'gpgtar' is invoked this way:
+
+ gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
+
+'gpgtar' understands these options:
+
+'--create'
+ Put given files and directories into a vanilla "ustar" archive.
+
+'--extract'
+ Extract all files from a vanilla "ustar" archive.
+
+'--encrypt'
+'-e'
+ Encrypt given files and directories into an archive. This option
+ may be combined with option '--symmetric' for an archive that may
+ be decrypted via a secret key or a passphrase.
+
+'--decrypt'
+'-d'
+ Extract all files from an encrypted archive.
+
+'--sign'
+'-s'
+ Make a signed archive from the given files and directories. This
+ can be combined with option '--encrypt' to create a signed and then
+ encrypted archive.
+
+'--list-archive'
+'-t'
+ List the contents of the specified archive.
+
+'--symmetric'
+'-c'
+ Encrypt with a symmetric cipher using a passphrase. The default
+ symmetric cipher used is AES-128, but may be chosen with the
+ '--cipher-algo' option to 'gpg'.
+
+'--recipient USER'
+'-r USER'
+ Encrypt for user id USER. For details see 'gpg'.
+
+'--local-user USER'
+'-u USER'
+ Use USER as the key to sign with. For details see 'gpg'.
+
+'--output FILE'
+'-o FILE'
+ Write the archive to the specified file FILE.
+
+'--verbose'
+'-v'
+ Enable extra informational output.
+
+'--quiet'
+'-q'
+ Try to be as quiet as possible.
+
+'--skip-crypto'
+ Skip all crypto operations and create or extract vanilla "ustar"
+ archives.
+
+'--dry-run'
+ Do not actually output the extracted files.
+
+'--directory DIR'
+'-C DIR'
+ Extract the files into the directory DIR. The default is to take
+ the directory name from the input filename. If no input filename
+ is known a directory named 'GPGARCH' is used. For tarball
+ creation, switch to directory DIR before performing any operations.
+
+'--files-from FILE'
+'-T FILE'
+ Take the file names to work from the file FILE; one file per line.
+
+'--null'
+ Modify option '--files-from' to use a binary nul instead of a
+ linefeed to separate file names.
+
+'--utf8-strings'
+ Assume that the file names read by '--files-from' are UTF-8
+ encoded. This option has an effect only on Windows where the
+ active code page is otherwise assumed.
+
+'--openpgp'
+ This option has no effect because OpenPGP encryption and signing is
+ the default.
+
+'--cms'
+ This option is reserved and shall not be used. It will eventually
+ be used to encrypt or sign using the CMS protocol; but that is not
+ yet implemented.
+
+'--batch'
+ Use batch mode. Never ask but use the default action. This option
+ is passed directly to 'gpg'.
+
+'--yes'
+ Assume "yes" on most questions. Often used together with '--batch'
+ to overwrite existing files. This option is passed directly to
+ 'gpg'.
+
+'--no'
+ Assume "no" on most questions. This option is passed directly to
+ 'gpg'.
+
+'--require-compliance'
+ This option is passed directly to 'gpg'.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. See the
+ file DETAILS in the documentation for a listing of them.
+
+'--with-log'
+ When extracting an encrypted tarball also write a log file with the
+ gpg output to a file named after the extraction directory with the
+ suffix ".log".
+
+'--set-filename FILE'
+ Use the last component of FILE as the output directory. The
+ default is to take the directory name from the input filename. If
+ no input filename is known a directory named 'GPGARCH' is used.
+ This option is deprecated in favor of option '--directory'.
+
+'--gpg GPGCMD'
+ Use the specified command GPGCMD instead of 'gpg'.
+
+'--gpg-args ARGS'
+ Pass the specified extra options to 'gpg'.
+
+'--tar-args ARGS'
+ Assume ARGS are standard options of the command 'tar' and parse
+ them. The only supported tar options are "-directory",
+ "-files-from", and "-null" This is an obsolete options because
+ those supported tar options can also be given directly.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+The program returns 0 if everything was fine, 1 otherwise.
+
+Some examples:
+
+Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
+
+ gpgtar --encrypt --output test1 -r Bob mydocs
+
+List the contents of archive 'test1':
+
+ gpgtar --list-archive test1
+
+
+File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools
+
+9.11 Check a passphrase on stdin against the patternfile
+========================================================
+
+'gpg-check-pattern' checks a passphrase given on stdin against a
+specified pattern file.
+
+ The pattern file is line based with comment lines beginning on the
+_first_ position with a '#'. Empty lines and lines with only white
+spaces are ignored. The actual pattern lines may either be verbatim
+string pattern and match as they are (trailing spaces are ignored) or
+extended regular expressions indicated by a '/' or '!/' in the first
+column and terminated by another '/' or end of line. If a regular
+expression starts with '!/' the match result is reversed. By default
+all comparisons are case insensitive.
+
+ Tag lines may be used to further control the operation of this tool.
+The currently defined tags are:
+
+'[icase]'
+ Switch to case insensitive comparison for all further patterns.
+ This is the default.
+
+'[case]'
+ Switch to case sensitive comparison for all further patterns.
+
+'[reject]'
+ Switch to reject mode. This is the default mode.
+
+'[accept]'
+ Switch to accept mode.
+
+ In the future more tags may be introduced and thus it is advisable
+not to start a plain pattern string with an open bracket. The tags must
+be given verbatim on the line with no spaces to the left or any non
+white space characters to the right.
+
+ In reject mode the program exits on the first match with an exit code
+of 1 (failure). If at the end of the pattern list the reject mode is
+still active the program exits with code 0 (success).
+
+ In accept mode blocks of patterns are used. A block starts at the
+next pattern after an "accept" tag and ends with the last pattern before
+the next "accept" or "reject" tag or at the end of the pattern list. If
+all patterns in a block match the program exits with an exit code of 0
+(success). If any pattern in a block do not match the next pattern
+block is evaluated. If at the end of the pattern list the accept mode
+is still active the program exits with code 1 (failure).
+
+
+'--verbose'
+ Enable extra informational output.
+
+'--check'
+ Run only a syntax check on the patternfile.
+
+'--null'
+ Input is expected to be null delimited.
+
+
+File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top
+
+10 Web Key Service
+******************
+
+GnuPG comes with tools used to maintain and access a Web Key Directory.
+
+* Menu:
+
+* gpg-wks-client:: Send requests via WKS
+* gpg-wks-server:: Server to provide the WKS.
+
+
+File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service
+
+10.1 Send requests via WKS
+==========================
+
+The 'gpg-wks-client' is used to send requests to a Web Key Service
+provider. This is usually done to upload a key into a Web Key
+Directory.
+
+ With the '--supported' command the caller can test whether a site
+supports the Web Key Service. The argument is an arbitrary address in
+the to be tested domain. For example 'foo@example.net'. The command
+returns success if the Web Key Service is supported. The operation is
+silent; to get diagnostic output use the option '--verbose'. See option
+'--with-colons' for a variant of this command.
+
+ With the '--check' command the caller can test whether a key exists
+for a supplied mail address. The command returns success if a key is
+available.
+
+ The '--create' command is used to send a request for publication in
+the Web Key Directory. The arguments are the fingerprint of the key and
+the user id to publish. The output from the command is a properly
+formatted mail with all standard headers. This mail can be fed to
+'sendmail(8)' or any other tool to actually send that mail. If
+'sendmail(8)' is installed the option '--send' can be used to directly
+send the created request. If the provider request a 'mailbox-only' user
+id and no such user id is found, 'gpg-wks-client' will try an additional
+user id.
+
+ The '--receive' and '--read' commands are used to process
+confirmation mails as send from the service provider. The former
+expects an encrypted MIME messages, the latter an already decrypted MIME
+message. The result of these commands are another mail which can be
+send in the same way as the mail created with '--create'.
+
+ The command '--install-key' manually installs a key into a local
+directory (see option '-C') reflecting the structure of a WKD. The
+arguments are a file with the keyblock and the user-id to install. If
+the first argument resembles a fingerprint the key is taken from the
+current keyring; to force the use of a file, prefix the first argument
+with "./". If no arguments are given the parameters are read from
+stdin; the expected format are lines with the fingerprint and the
+mailbox separated by a space. The command '--remove-key' removes a key
+from that directory, its only argument is a user-id.
+
+ The command '--mirror' is similar to '--install-key' but takes the
+keys from the the LDAP server configured for Dirmngr. If no arguments
+are given all keys and user ids are installed. If arguments are given
+they are taken as domain names to limit the to be installed keys. The
+option '--blacklist' may be used to further limit the to be installed
+keys.
+
+ The command '--print-wkd-hash' prints the WKD user-id identifiers and
+the corresponding mailboxes from the user-ids given on the command line
+or via stdin (one user-id per line).
+
+ The command '--print-wkd-url' prints the URLs used to fetch the key
+for the given user-ids from WKD. The meanwhile preferred format with
+sub-domains is used here.
+
+ 'gpg-wks-client' is not commonly invoked directly and thus it is not
+installed in the bin directory. Here is an example how it can be
+invoked manually to check for a Web Key Directory entry for
+'foo@example.org':
+
+ $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net
+
+'gpg-wks-client' understands these options:
+
+'--send'
+ Directly send created mails using the 'sendmail' command. Requires
+ installation of that command.
+
+'--with-colons'
+ This option has currently only an effect on the '--supported'
+ command. If it is used all arguments on the command line are taken
+ as domain names and tested for WKD support. The output format is
+ one line per domain with colon delimited fields. The currently
+ specified fields are (future versions may specify additional
+ fields):
+
+ 1 - domain
+ This is the domain name. Although quoting is not required for
+ valid domain names this field is specified to be quoted in
+ standard C manner.
+
+ 2 - WKD
+ If the value is true the domain supports the Web Key
+ Directory.
+
+ 3 - WKS
+ If the value is true the domain supports the Web Key Service
+ protocol to upload keys to the directory.
+
+ 4 - error-code
+ This may contain an gpg-error code to describe certain
+ failures. Use 'gpg-error CODE' to explain the code.
+
+ 5 - protocol-version
+ The minimum protocol version supported by the server.
+
+ 6 - auth-submit
+ The auth-submit flag from the policy file of the server.
+
+ 7 - mailbox-only
+ The mailbox-only flag from the policy file of the server.
+
+'--output FILE'
+'-o'
+ Write the created mail to FILE instead of stdout. Note that the
+ value '-' for FILE is the same as writing to stdout.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. This
+ program returns only the status messages SUCCESS or FAILURE which
+ are helpful when the caller uses a double fork approach and can't
+ easily get the return code of the process.
+
+'-C DIR'
+'--directory DIR'
+ Use DIR as top level directory for the commands '--mirror',
+ '--install-key' and '--remove-key'. The default is 'openpgpkey'.
+
+'--blacklist FILE'
+ This option is used to exclude certain mail addresses from a mirror
+ operation. The format of FILE is one mail address (just the
+ addrspec, e.g. "postel@isi.edu") per line. Empty lines and lines
+ starting with a '#' are ignored.
+
+'--verbose'
+ Enable extra informational output.
+
+'--quiet'
+ Disable almost all informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service
+
+10.2 Provide the Web Key Service
+================================
+
+The 'gpg-wks-server' is a server site implementation of the Web Key
+Service. It receives requests for publication, sends confirmation
+requests, receives confirmations, and published the key. It also has
+features to ease the setup and maintenance of a Web Key Directory.
+
+ When used with the command '--receive' a single Web Key Service mail
+is processed. Commonly this command is used with the option '--send' to
+directly send the crerated mails back. See below for an installation
+example.
+
+ The command '--cron' is used for regualr cleanup tasks. For example
+non-confirmed requested should be removed after their expire time. It
+is best to run this command once a day from a cronjob.
+
+ The command '--list-domains' prints all configured domains. Further
+it creates missing directories for the configuration and prints warnings
+pertaining to problems in the configuration.
+
+ The command '--check-key' (or just '--check') checks whether a key
+with the given user-id is installed. The process returns success in
+this case; to also print a diagnostic use the option '-v'. If the key
+is not installed a diagnostic is printed and the process returns
+failure; to suppress the diagnostic, use option '-q'. More than one
+user-id can be given; see also option 'with-file'.
+
+ The command '--install-key' manually installs a key into the WKD. The
+arguments are a file with the keyblock and the user-id to install. If
+the first argument resembles a fingerprint the key is taken from the
+current keyring; to force the use of a file, prefix the first argument
+with "./". If no arguments are given the parameters are read from
+stdin; the expected format are lines with the fingerprint and the
+mailbox separated by a space.
+
+ The command '--remove-key' uninstalls a key from the WKD. The process
+returns success in this case; to also print a diagnostic, use option
+'-v'. If the key is not installed a diagnostic is printed and the
+process returns failure; to suppress the diagnostic, use option '-q'.
+
+ The command '--revoke-key' is not yet functional.
+
+'gpg-wks-server' understands these options:
+
+'-C DIR'
+'--directory DIR'
+ Use DIR as top level directory for domains. The default is
+ '/var/lib/gnupg/wks'.
+
+'--from MAILADDR'
+ Use MAILADDR as the default sender address.
+
+'--header NAME=VALUE'
+ Add the mail header "NAME: VALUE" to all outgoing mails.
+
+'--send'
+ Directly send created mails using the 'sendmail' command. Requires
+ installation of that command.
+
+'-o FILE'
+'--output FILE'
+ Write the created mail also to FILE. Note that the value '-' for
+ FILE would write it to stdout.
+
+'--with-dir'
+ When used with the command '--list-domains' print for each
+ installed domain the domain name and its directory name.
+
+'--with-file'
+ When used with the command '--check-key' print for each user-id,
+ the address, 'i' for installed key or 'n' for not installed key,
+ and the filename.
+
+'--verbose'
+ Enable extra informational output.
+
+'--quiet'
+ Disable almost all informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+Examples
+********
+
+The Web Key Service requires a working directory to store keys pending
+for publication. As root create a working directory:
+
+ # mkdir /var/lib/gnupg/wks
+ # chown webkey:webkey /var/lib/gnupg/wks
+ # chmod 2750 /var/lib/gnupg/wks
+
+ Then under your webkey account create directories for all your
+domains. Here we do it for "example.net":
+
+ $ mkdir /var/lib/gnupg/wks/example.net
+
+ Finally run
+
+ $ gpg-wks-server --list-domains
+
+ to create the required sub-directories with the permissions set
+correctly. For each domain a submission address needs to be configured.
+All service mails are directed to that address. It can be the same
+address for all configured domains, for example:
+
+ $ cd /var/lib/gnupg/wks/example.net
+ $ echo key-submission@example.net >submission-address
+
+ The protocol requires that the key to be published is send with an
+encrypted mail to the service. Thus you need to create a key for the
+submission address:
+
+ $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
+ $ gpg -K key-submission@example.net
+
+ The output of the last command looks similar to this:
+
+ sec rsa2048 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@example.net
+ ssb rsa2048 2016-08-30 [E]
+
+ Take the fingerprint from that output and manually publish the key:
+
+ $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
+ > key-submission@example.net
+
+ Finally that submission address needs to be redirected to a script
+running 'gpg-wks-server'. The 'procmail' command can be used for this:
+Redirect the submission address to the user "webkey" and put this into
+webkey's '.procmailrc':
+
+ :0
+ * !^From: webkey@example.net
+ * !^X-WKS-Loop: webkey.example.net
+ |gpg-wks-server -v --receive \
+ --header X-WKS-Loop=webkey.example.net \
+ --from webkey@example.net --send
+
+
+File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top
+
+11 How to do certain things
+***************************
+
+This is a collection of small howto documents.
+
+* Menu:
+
+* Howto Create a Server Cert:: Creating a TLS server certificate.
+
+
+File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
+
+11.1 Creating a TLS server certificate
+======================================
+
+Here is a brief run up on how to create a server certificate. It has
+actually been done this way to get a certificate from CAcert to be used
+on a real server. It has only been tested with this CA, but there
+shouldn't be any problem to run this against any other CA.
+
+ We start by generating an X.509 certificate signing request. As
+there is no need for a configuration file, you may simply enter:
+
+ $ gpgsm --generate-key >example.com.cert-req.pem
+ Please select what kind of key you want:
+ (1) RSA
+ (2) Existing key
+ (3) Existing key from card
+ Your selection? 1
+
+ I opted for creating a new RSA key. The other option is to use an
+already existing key, by selecting '2' and entering the so-called
+keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
+this keygrip. Using '3' offers another menu to create a certificate
+directly from a smart card based key.
+
+ Let's continue:
+
+ What keysize do you want? (3072)
+ Requested keysize is 3072 bits
+
+ Hitting enter chooses the default RSA key size of 3072 bits. Keys
+smaller than 2048 bits are too weak on the modern Internet. If you
+choose a larger (stronger) key, your server will need to do more work.
+
+ Possible actions for a RSA key:
+ (1) sign, encrypt
+ (2) sign
+ (3) encrypt
+ Your selection? 1
+
+ Selecting "sign" enables use of the key for Diffie-Hellman key
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
+they offer forward secrecy. Selecting "encrypt" enables RSA key
+exchange mechanisms, which are still common in some places. Selecting
+both enables both key exchange mechanisms.
+
+ Now for some real data:
+
+ Enter the X.509 subject name: CN=example.com
+
+ This is the most important value for a server certificate. Enter
+here the canonical name of your server machine. You may add other
+virtual server names later.
+
+ E-Mail addresses (end with an empty line):
+ >
+
+ We don't need email addresses in a TLS server certificate and CAcert
+would anyway ignore such a request. Thus just hit enter.
+
+ If you want to create a client certificate for email encryption, this
+would be the place to enter your mail address (e.g. <joe@example.org>).
+You may enter as many addresses as you like, however the CA may not
+accept them all or reject the entire request.
+
+ Enter DNS names (optional; end with an empty line):
+ > example.com
+ > www.example.com
+ >
+
+ Here I entered the names of the services which the machine actually
+provides. You almost always want to include the canonical name here
+too. The browser will accept a certificate for any of these names. As
+usual the CA must approve all of these names.
+
+ URIs (optional; end with an empty line):
+ >
+
+ It is possible to insert arbitrary URIs into a certificate; for a
+server certificate this does not make sense.
+
+ Create self-signed certificate? (y/N)
+
+ Since we are creating a certificate signing request, and not a full
+certificate, we answer no here, or just hit enter for the default.
+
+ We have now entered all required information and 'gpgsm' will display
+what it has gathered and ask whether to create the certificate request:
+
+ These parameters are used:
+ Key-Type: RSA
+ Key-Length: 3072
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+ Name-DNS: www.example.com
+
+ Proceed with creation? (y/N) y
+
+ 'gpgsm' will now start working on creating the request. As this
+includes the creation of an RSA key it may take a while. During this
+time you will be asked 3 times for a passphrase to protect the created
+private key on your system. A pop up window will appear to ask for it.
+The first two prompts are for the new passphrase and for re-entering it;
+the third one is required to actually create the certificate signing
+request.
+
+ When it is ready, you should see the final notice:
+
+ Ready. You should now send this request to your CA.
+
+ Now, you may look at the created request:
+
+ $ cat example.com.cert-req.pem
+ -----BEGIN CERTIFICATE REQUEST-----
+ MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
+ h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
+ Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
+ GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
+ DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
+ xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
+ hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
+ ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
+ b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
+ hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
+ bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
+ VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
+ k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
+ -----END CERTIFICATE REQUEST-----
+ $
+
+ You may now proceed by logging into your account at the CAcert
+website, choose 'Server Certificates - New', check 'sign by class 3 root
+certificate', paste the above request block into the text field and
+click on 'Submit'.
+
+ If everything works out fine, a certificate will be shown. Now run
+
+ $ gpgsm --import
+
+ and paste the certificate from the CAcert page into your terminal
+followed by a Ctrl-D
+
+ -----BEGIN CERTIFICATE-----
+ MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
+ [...]
+ rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
+ Rtct3tIX
+ -----END CERTIFICATE-----
+ gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
+ gpgsm: certificate imported
+
+ gpgsm: total number processed: 1
+ gpgsm: imported: 1
+
+ 'gpgsm' tells you that it has imported the certificate. It is now
+associated with the key you used when creating the request. The root
+certificate has not been found, so you may want to import it from the
+CACert website.
+
+ To see the content of your certificate, you may now enter:
+
+ $ gpgsm -K example.com
+ /home/foo/.gnupg/pubring.kbx
+ ---------------------------
+ Serial number: 4C
+ Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
+ Subject: /CN=example.com
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+ key type: 3072 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+
+ I used '-K' above because this will only list certificates for which
+a private key is available. To see more details, you may use
+'--dump-secret-keys' instead of '-K'.
+
+ To make actual use of the certificate you need to install it on your
+server. Server software usually expects a PKCS\#12 file with key and
+certificate. To create such a file, run:
+
+ $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
+
+ You will be asked for the passphrase as well as for a new passphrase
+to be used to protect the PKCS\#12 file. The file now contains the
+certificate as well as the private key:
+
+ $ cat example-cert.pem
+ Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
+ Serial ...: 4C
+ Subject ..: /CN=example.com
+ aka ..: (dns-name example.com)
+ aka ..: (dns-name www.example.com)
+
+ -----BEGIN PKCS12-----
+ MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
+ [...many more lines...]
+ -----END PKCS12-----
+ $
+
+ Copy this file in a secure way to the server, install it there and
+delete the file then. You may export the file again at any time as long
+as it is available in GnuPG's private key database.
+
+
+File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
+
+12 Notes pertaining to certain OSes
+***********************************
+
+GnuPG has been developed on GNU/Linux systems and is know to work on
+almost all Free OSes. All modern POSIX systems should be supported
+right now, however there are probably a lot of smaller glitches we need
+to fix first. The major problem areas are:
+
+ * We are planning to use file descriptor passing for interprocess
+ communication. This will allow us save a lot of resources and
+ improve performance of certain operations a lot. Systems not
+ supporting this won't gain these benefits but we try to keep them
+ working the standard way as it is done today.
+
+ * We require more or less full POSIX compatibility. This has been
+ around for 15 years now and thus we don't believe it makes sense to
+ support non POSIX systems anymore. Well, we of course the usual
+ workarounds for near POSIX systems well be applied.
+
+ There is one exception of this rule: Systems based the Microsoft
+ Windows API (called here _W32_) will be supported to some extend.
+
+* Menu:
+
+* W32 Notes:: Microsoft Windows Notes
+
+
+File: gnupg.info, Node: W32 Notes, Up: System Notes
+
+12.1 Microsoft Windows Notes
+============================
+
+Current limitations are:
+
+ * 'gpgconf' does not create backup files, so in case of trouble your
+ configuration file might get lost.
+
+ * 'watchgnupg' is not available. Logging to sockets is not possible.
+
+ * The periodical smartcard status checking done by 'scdaemon' is not
+ yet supported.
+
+
+File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
+
+13 How to solve problems
+************************
+
+Everyone knows that software often does not do what it should do and
+thus there is a need to track down problems. We call this debugging in
+a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
+
+ Most of the problems a merely configuration and user problems but
+nevertheless they are the most annoying ones and responsible for many
+gray hairs. We try to give some guidelines here on how to identify and
+solve the problem at hand.
+
+* Menu:
+
+* Debugging Tools:: Description of some useful tools.
+* Debugging Hints:: Various hints on debugging.
+* Common Problems:: Commonly seen problems.
+* Architecture Details:: How the whole thing works internally.
+
+
+File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
+
+13.1 Debugging Tools
+====================
+
+The GnuPG distribution comes with a couple of tools, useful to help find
+and solving problems.
+
+* Menu:
+
+* kbxutil:: Scrutinizing a keybox file.
+
+
+File: gnupg.info, Node: kbxutil, Up: Debugging Tools
+
+13.1.1 Scrutinizing a keybox file
+---------------------------------
+
+A keybox is a file format used to store public keys along with meta
+information and indices. The commonly used one is the file
+'pubring.kbx' in the '.gnupg' directory. It contains all X.509
+certificates as well as OpenPGP keys.
+
+When called the standard way, e.g.:
+
+ 'kbxutil ~/.gnupg/pubring.kbx'
+
+it lists all records (called blobs) with there meta-information in a
+human readable format.
+
+To see statistics on the keybox in question, run it using
+
+ 'kbxutil --stats ~/.gnupg/pubring.kbx'
+
+and you get an output like:
+
+ Total number of blobs: 99
+ header: 1
+ empty: 0
+ openpgp: 0
+ x509: 98
+ non flagged: 81
+ secret flagged: 0
+ ephemeral flagged: 17
+
+ In this example you see that the keybox does not have any OpenPGP
+keys but contains 98 X.509 certificates and a total of 17 keys or
+certificates are flagged as ephemeral, meaning that they are only
+temporary stored (cached) in the keybox and won't get listed using the
+usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
+in a standard way and directly available from 'gpgsm'.
+
+To find duplicated certificates and keyblocks in a keybox file (this
+should not occur but sometimes things go wrong), run it using
+
+ 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
+
+
+File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
+
+13.2 Various hints on debugging
+===============================
+
+ * How to find the IP address of a keyserver
+
+ If a round robin URL of is used for a keyserver (e.g.
+ subkeys.gnupg.org); it is not easy to see what server is actually
+ used. Using the keyserver debug option as in
+
+ gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
+
+ is thus often helpful. Note that the actual output depends on the
+ backend and may change from release to release.
+
+ * Logging on WindowsCE
+
+ For development, the best logging method on WindowsCE is the use of
+ remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
+ The command 'watchgnupg' may be used on the remote host to listen
+ on the given port (*note option watchgnupg --tcp::). For in the
+ field tests it is better to make use of the logging facility
+ provided by the 'gpgcedev' driver (part of libassuan); this is
+ enabled by using a log file name of 'GPG2:' (*note option
+ --log-file::).
+
+
+File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
+
+13.3 Commonly Seen Problems
+===========================
+
+ * Error code 'Not supported' from Dirmngr
+
+ Most likely the option 'enable-ocsp' is active for gpgsm but
+ Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
+ 'dirmngr.conf'.
+
+ * The Curses based Pinentry does not work
+
+ The far most common reason for this is that the environment
+ variable 'GPG_TTY' has not been set correctly. Make sure that it
+ has been set to a real tty device and not just to '/dev/tty'; i.e.
+ 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
+ note the back ticks. Also make sure that this environment variable
+ gets exported, that is you should follow up the setting with an
+ 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
+ based Pinentries; you should have set 'GPG_TTY'. See the section
+ on installing the 'gpg-agent' on how to do it.
+
+ * SSH hangs while a popping up pinentry was expected
+
+ SSH has no way to tell the gpg-agent what terminal or X display it
+ is running on. So when remotely logging into a box where a
+ gpg-agent with SSH support is running, the pinentry will get popped
+ up on whatever display the gpg-agent has been started. To solve
+ this problem you may issue the command
+
+ echo UPDATESTARTUPTTY | gpg-connect-agent
+
+ and the next pinentry will pop up on your display or screen.
+ However, you need to kill the running pinentry first because only
+ one pinentry may be running at once. If you plan to use ssh on a
+ new display you should issue the above command before invoking ssh
+ or any other service making use of ssh.
+
+ * Exporting a secret key without a certificate
+
+ It may happen that you have created a certificate request using
+ 'gpgsm' but not yet received and imported the certificate from the
+ CA. However, you want to export the secret key to another machine
+ right now to import the certificate over there then. You can do
+ this with a little trick but it requires that you know the
+ approximate time you created the signing request. By running the
+ command
+
+ ls -ltr ~/.gnupg/private-keys-v1.d
+
+ you get a listing of all private keys under control of 'gpg-agent'.
+ Pick the key which best matches the creation time and run the
+ command
+
+ /usr/local/libexec/gpg-protect-tool --p12-export \
+ ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
+
+ (Please adjust the path to 'gpg-protect-tool' to the appropriate
+ location). FOO is the name of the key file you picked (it should
+ have the suffix '.key'). A Pinentry box will pop up and ask you
+ for the current passphrase of the key and a new passphrase to
+ protect it in the pkcs#12 file.
+
+ To import the created file on the machine you use this command:
+
+ /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
+
+ You will be asked for the pkcs#12 passphrase and a new passphrase
+ to protect the imported private key at its new location.
+
+ Note that there is no easy way to match existing certificates with
+ stored private keys because some private keys are used for Secure
+ Shell or other purposes and don't have a corresponding certificate.
+
+ * A root certificate does not verify
+
+ A common problem is that the root certificate misses the required
+ basicConstraints attribute and thus 'gpgsm' rejects this
+ certificate. An error message indicating "no value" is a sign for
+ such a certificate. You may use the 'relax' flag in
+ 'trustlist.txt' to accept the certificate anyway. Note that the
+ fingerprint and this flag may only be added manually to
+ 'trustlist.txt'.
+
+ * Error message: "digest algorithm N has not been enabled"
+
+ The signature is broken. You may try the option
+ '--extra-digest-algo SHA256' to workaround the problem. The number
+ N is the internal algorithm identifier; for example 8 refers to
+ SHA-256.
+
+ * The Windows version does not work under Wine
+
+ When running the W32 version of 'gpg' under Wine you may get an
+ error messages like:
+
+ gpg: fatal: WriteConsole failed: Access denied
+
+ The solution is to use the command 'wineconsole'.
+
+ Some operations like '--generate-key' really want to talk to the
+ console directly for increased security (for example to prevent the
+ passphrase from appearing on the screen). So, you should use
+ 'wineconsole' instead of 'wine', which will launch a windows
+ console that implements those additional features.
+
+ * Why does GPG's -search-key list weird keys?
+
+ For performance reasons the keyservers do not check the keys the
+ same way 'gpg' does. It may happen that the listing of keys
+ available on the keyservers shows keys with wrong user IDs or with
+ user Ids from other keys. If you try to import this key, the bad
+ keys or bad user ids won't get imported, though. This is a bit
+ unfortunate but we can't do anything about it without actually
+ downloading the keys.
+
+
+File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
+
+13.4 How the whole thing works internally
+=========================================
+
+* Menu:
+
+* Component interaction:: How the components work together.
+* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
+
+
+File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
+
+13.4.1 How the components work together
+---------------------------------------
+
+
+
+Figure 13.1: GnuPG module overview
+
+
+File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
+
+13.4.2 Relationship between GnuPG 1.4 and 2.x
+---------------------------------------------
+
+Here is a little picture showing how the different GnuPG versions make
+use of a smartcard:
+
+
+
+Figure 13.2: GnuPG card architecture
+
+
+File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
+
+GNU General Public License
+**************************
+
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
+ Everyone is permitted to copy and distribute verbatim copies of this
+ license document, but changing it is not allowed.
+
+Preamble
+========
+
+The GNU General Public License is a free, copyleft license for software
+and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program-to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public
+ License.
+
+ "Copyright" also means copyright-like laws that apply to other
+ kinds of works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+ License. Each licensee is addressed as "you". "Licensees" and
+ "recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the
+ work in a fashion requiring copyright permission, other than the
+ making of an exact copy. The resulting work is called a "modified
+ version" of the earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work
+ based on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on
+ a computer or modifying a private copy. Propagation includes
+ copying, distribution (with or without modification), making
+ available to the public, and in some countries other activities as
+ well.
+
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies. Mere interaction with a user
+ through a computer network, with no transfer of a copy, is not
+ conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to
+ the extent that warranties are provided), that licensees may convey
+ the work under this License, and how to view a copy of this
+ License. If the interface presents a list of user commands or
+ options, such as a menu, a prominent item in the list meets this
+ criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it. "Object code" means any non-source
+ form of a work.
+
+ A "Standard Interface" means an interface that either is an
+ official standard defined by a recognized standards body, or, in
+ the case of interfaces specified for a particular programming
+ language, one that is widely used among developers working in that
+ language.
+
+ The "System Libraries" of an executable work include anything,
+ other than the work as a whole, that (a) is included in the normal
+ form of packaging a Major Component, but which is not part of that
+ Major Component, and (b) serves only to enable use of the work with
+ that Major Component, or to implement a Standard Interface for
+ which an implementation is available to the public in source code
+ form. A "Major Component", in this context, means a major
+ essential component (kernel, window system, and so on) of the
+ specific operating system (if any) on which the executable work
+ runs, or a compiler used to produce the work, or an object code
+ interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts
+ to control those activities. However, it does not include the
+ work's System Libraries, or general-purpose tools or generally
+ available free programs which are used unmodified in performing
+ those activities but which are not part of the work. For example,
+ Corresponding Source includes interface definition files associated
+ with source files for the work, and the source code for shared
+ libraries and dynamically linked subprograms that the work is
+ specifically designed to require, such as by intimate data
+ communication or control flow between those subprograms and other
+ parts of the work.
+
+ The Corresponding Source need not include anything that users can
+ regenerate automatically from other parts of the Corresponding
+ Source.
+
+ The Corresponding Source for a work in source code form is that
+ same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met. This License explicitly affirms your unlimited
+ permission to run the unmodified Program. The output from running
+ a covered work is covered by this License only if the output, given
+ its content, constitutes a covered work. This License acknowledges
+ your rights of fair use or other equivalent, as provided by
+ copyright law.
+
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise
+ remains in force. You may convey covered works to others for the
+ sole purpose of having them make modifications exclusively for you,
+ or provide you with facilities for running those works, provided
+ that you comply with the terms of this License in conveying all
+ material for which you do not control copyright. Those thus making
+ or running the covered works for you must do so exclusively on your
+ behalf, under your direction and control, on terms that prohibit
+ them from making any copies of your copyrighted material outside
+ their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below. Sublicensing is not allowed; section
+ 10 makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under
+ article 11 of the WIPO copyright treaty adopted on 20 December
+ 1996, or similar laws prohibiting or restricting circumvention of
+ such measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such
+ circumvention is effected by exercising rights under this License
+ with respect to the covered work, and you disclaim any intention to
+ limit operation or modification of the work as a means of
+ enforcing, against the work's users, your or third parties' legal
+ rights to forbid circumvention of technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the
+ code; keep intact all notices of the absence of any warranty; and
+ give all recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these
+ conditions:
+
+ a. The work must carry prominent notices stating that you
+ modified it, and giving a relevant date.
+
+ b. The work must carry prominent notices stating that it is
+ released under this License and any conditions added under
+ section 7. This requirement modifies the requirement in
+ section 4 to "keep intact all notices".
+
+ c. You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable
+ section 7 additional terms, to the whole of the work, and all
+ its parts, regardless of how they are packaged. This License
+ gives no permission to license the work in any other way, but
+ it does not invalidate such permission if you have separately
+ received it.
+
+ d. If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has
+ interactive interfaces that do not display Appropriate Legal
+ Notices, your work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered
+ work, and which are not combined with it such as to form a larger
+ program, in or on a volume of a storage or distribution medium, is
+ called an "aggregate" if the compilation and its resulting
+ copyright are not used to limit the access or legal rights of the
+ compilation's users beyond what the individual works permit.
+ Inclusion of a covered work in an aggregate does not cause this
+ License to apply to the other parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this
+ License, in one of these ways:
+
+ a. Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b. Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that
+ product model, to give anyone who possesses the object code
+ either (1) a copy of the Corresponding Source for all the
+ software in the product that is covered by this License, on a
+ durable physical medium customarily used for software
+ interchange, for a price no more than your reasonable cost of
+ physically performing this conveying of source, or (2) access
+ to copy the Corresponding Source from a network server at no
+ charge.
+
+ c. Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially,
+ and only if you received the object code with such an offer,
+ in accord with subsection 6b.
+
+ d. Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to
+ the Corresponding Source in the same way through the same
+ place at no further charge. You need not require recipients
+ to copy the Corresponding Source along with the object code.
+ If the place to copy the object code is a network server, the
+ Corresponding Source may be on a different server (operated by
+ you or a third party) that supports equivalent copying
+ facilities, provided you maintain clear directions next to the
+ object code saying where to find the Corresponding Source.
+ Regardless of what server hosts the Corresponding Source, you
+ remain obligated to ensure that it is available for as long as
+ needed to satisfy these requirements.
+
+ e. Convey the object code using peer-to-peer transmission,
+ provided you inform other peers where the object code and
+ Corresponding Source of the work are being offered to the
+ general public at no charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is
+ excluded from the Corresponding Source as a System Library, need
+ not be included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means
+ any tangible personal property which is normally used for personal,
+ family, or household purposes, or (2) anything designed or sold for
+ incorporation into a dwelling. In determining whether a product is
+ a consumer product, doubtful cases shall be resolved in favor of
+ coverage. For a particular product received by a particular user,
+ "normally used" refers to a typical or common use of that class of
+ product, regardless of the status of the particular user or of the
+ way in which the particular user actually uses, or expects or is
+ expected to use, the product. A product is a consumer product
+ regardless of whether the product has substantial commercial,
+ industrial or non-consumer uses, unless such uses represent the
+ only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to
+ install and execute modified versions of a covered work in that
+ User Product from a modified version of its Corresponding Source.
+ The information must suffice to ensure that the continued
+ functioning of the modified object code is in no case prevented or
+ interfered with solely because modification has been made.
+
+ If you convey an object code work under this section in, or with,
+ or specifically for use in, a User Product, and the conveying
+ occurs as part of a transaction in which the right of possession
+ and use of the User Product is transferred to the recipient in
+ perpetuity or for a fixed term (regardless of how the transaction
+ is characterized), the Corresponding Source conveyed under this
+ section must be accompanied by the Installation Information. But
+ this requirement does not apply if neither you nor any third party
+ retains the ability to install modified object code on the User
+ Product (for example, the work has been installed in ROM).
+
+ The requirement to provide Installation Information does not
+ include a requirement to continue to provide support service,
+ warranty, or updates for a work that has been modified or installed
+ by the recipient, or for the User Product in which it has been
+ modified or installed. Access to a network may be denied when the
+ modification itself materially and adversely affects the operation
+ of the network or violates the rules and protocols for
+ communication across the network.
+
+ Corresponding Source conveyed, and Installation Information
+ provided, in accord with this section must be in a format that is
+ publicly documented (and with an implementation available to the
+ public in source code form), and must require no special password
+ or key for unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of
+ this License by making exceptions from one or more of its
+ conditions. Additional permissions that are applicable to the
+ entire Program shall be treated as though they were included in
+ this License, to the extent that they are valid under applicable
+ law. If additional permissions apply only to part of the Program,
+ that part may be used separately under those permissions, but the
+ entire Program remains governed by this License without regard to
+ the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part
+ of it. (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.) You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material
+ you add to a covered work, you may (if authorized by the copyright
+ holders of that material) supplement the terms of this License with
+ terms:
+
+ a. Disclaiming warranty or limiting liability differently from
+ the terms of sections 15 and 16 of this License; or
+
+ b. Requiring preservation of specified reasonable legal notices
+ or author attributions in that material or in the Appropriate
+ Legal Notices displayed by works containing it; or
+
+ c. Prohibiting misrepresentation of the origin of that material,
+ or requiring that modified versions of such material be marked
+ in reasonable ways as different from the original version; or
+
+ d. Limiting the use for publicity purposes of names of licensors
+ or authors of the material; or
+
+ e. Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f. Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified
+ versions of it) with contractual assumptions of liability to
+ the recipient, for any liability that these contractual
+ assumptions directly impose on those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10. If the Program as
+ you received it, or any part of it, contains a notice stating that
+ it is governed by this License along with a term that is a further
+ restriction, you may remove that term. If a license document
+ contains a further restriction but permits relicensing or conveying
+ under this License, you may add to a covered work material governed
+ by the terms of that license document, provided that the further
+ restriction does not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in
+ the form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+ provided under this License. Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights
+ under this License (including any patent licenses granted under the
+ third paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the
+ copyright holder fails to notify you of the violation by some
+ reasonable means prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from
+ that copyright holder, and you cure the violation prior to 30 days
+ after your receipt of the notice.
+
+ Termination of your rights under this section does not terminate
+ the licenses of parties who have received copies or rights from you
+ under this License. If your rights have been terminated and not
+ permanently reinstated, you do not qualify to receive new licenses
+ for the same material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+ run a copy of the Program. Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer
+ transmission to receive a copy likewise does not require
+ acceptance. However, nothing other than this License grants you
+ permission to propagate or modify any covered work. These actions
+ infringe copyright if you do not accept this License. Therefore,
+ by modifying or propagating a covered work, you indicate your
+ acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License. You are not
+ responsible for enforcing compliance by third parties with this
+ License.
+
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations. If propagation of a
+ covered work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or
+ could give under the previous paragraph, plus a right to possession
+ of the Corresponding Source of the work from the predecessor in
+ interest, if the predecessor has it or can get it with reasonable
+ efforts.
+
+ You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License. For example, you
+ may not impose a license fee, royalty, or other charge for exercise
+ of rights granted under this License, and you may not initiate
+ litigation (including a cross-claim or counterclaim in a lawsuit)
+ alleging that any patent claim is infringed by making, using,
+ selling, offering for sale, or importing the Program or any portion
+ of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.
+ The work thus licensed is called the contributor's "contributor
+ version".
+
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner,
+ permitted by this License, of making, using, or selling its
+ contributor version, but do not include claims that would be
+ infringed only as a consequence of further modification of the
+ contributor version. For purposes of this definition, "control"
+ includes the right to grant patent sublicenses in a manner
+ consistent with the requirements of this License.
+
+ Each contributor grants you a non-exclusive, worldwide,
+ royalty-free patent license under the contributor's essential
+ patent claims, to make, use, sell, offer for sale, import and
+ otherwise run, modify and propagate the contents of its contributor
+ version.
+
+ In the following three paragraphs, a "patent license" is any
+ express agreement or commitment, however denominated, not to
+ enforce a patent (such as an express permission to practice a
+ patent or covenant not to sue for patent infringement). To "grant"
+ such a patent license to a party means to make such an agreement or
+ commitment not to enforce a patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent
+ license, and the Corresponding Source of the work is not available
+ for anyone to copy, free of charge and under the terms of this
+ License, through a publicly available network server or other
+ readily accessible means, then you must either (1) cause the
+ Corresponding Source to be so available, or (2) arrange to deprive
+ yourself of the benefit of the patent license for this particular
+ work, or (3) arrange, in a manner consistent with the requirements
+ of this License, to extend the patent license to downstream
+ recipients. "Knowingly relying" means you have actual knowledge
+ that, but for the patent license, your conveying the covered work
+ in a country, or your recipient's use of the covered work in a
+ country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate,
+ modify or convey a specific copy of the covered work, then the
+ patent license you grant is automatically extended to all
+ recipients of the covered work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that
+ are specifically granted under this License. You may not convey a
+ covered work if you are a party to an arrangement with a third
+ party that is in the business of distributing software, under which
+ you make payment to the third party based on the extent of your
+ activity of conveying the work, and under which the third party
+ grants, to any of the parties who would receive the covered work
+ from you, a discriminatory patent license (a) in connection with
+ copies of the covered work conveyed by you (or copies made from
+ those copies), or (b) primarily for and in connection with specific
+ products or compilations that contain the covered work, unless you
+ entered into that arrangement, or that patent license was granted,
+ prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement
+ or otherwise) that contradict the conditions of this License, they
+ do not excuse you from the conditions of this License. If you
+ cannot convey a covered work so as to satisfy simultaneously your
+ obligations under this License and any other pertinent obligations,
+ then as a consequence you may not convey it at all. For example,
+ if you agree to terms that obligate you to collect a royalty for
+ further conveying from those to whom you convey the Program, the
+ only way you could satisfy both those terms and this License would
+ be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU Affero General Public License into a
+ single combined work, and to convey the resulting work. The terms
+ of this License will continue to apply to the part which is the
+ covered work, but the special requirements of the GNU Affero
+ General Public License, section 13, concerning interaction through
+ a network will apply to the combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new
+ versions of the GNU General Public License from time to time. Such
+ new versions will be similar in spirit to the present version, but
+ may differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+ Program specifies that a certain numbered version of the GNU
+ General Public License "or any later version" applies to it, you
+ have the option of following the terms and conditions either of
+ that numbered version or of any later version published by the Free
+ Software Foundation. If the Program does not specify a version
+ number of the GNU General Public License, you may choose any
+ version ever published by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU General Public License can be used, that
+ proxy's public statement of acceptance of a version permanently
+ authorizes you to choose that version for the Program.
+
+ Later license versions may give you additional or different
+ permissions. However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
+ COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
+ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
+ RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
+ SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
+ NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+ WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
+ AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
+ DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+ CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
+ THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
+ BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely
+ approximates an absolute waiver of all civil liability in
+ connection with the Program, unless a warranty or assumption of
+ liability accompanies a copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+=============================================
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+ ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
+ Copyright (C) YEAR NAME OF AUTHOR
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice
+like this when it starts in an interactive mode:
+
+ PROGRAM Copyright (C) YEAR NAME OF AUTHOR
+ This program comes with ABSOLUTELY NO WARRANTY; for details
+ type 'show w'. This is free software, and you are
+ welcome to redistribute it under certain conditions;
+ type 'show c' for details.
+
+ The hypothetical commands 'show w' and 'show c' should show the
+appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an "about box".
+
+ You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU GPL, see <https://www.gnu.org/licenses/>.
+
+ The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use the
+GNU Lesser General Public License instead of this License. But first,
+please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+
+File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
+
+Contributors to GnuPG
+*********************
+
+The GnuPG project would like to thank its many contributors. Without
+them the project would not have been nearly as successful as it has
+been. Any omissions in this list are accidental. Feel free to contact
+the maintainer if you have been left out or some of your contributions
+are not listed.
+
+ David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
+Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
+wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
+Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc
+László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander
+Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda
+Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun
+Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann,
+Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki
+IIDA did the official translations. Mike Ashley wrote and maintains the
+GNU Privacy Handbook. David Scribner is the current FAQ editor.
+Lorenzo Cappelletti maintains the web site.
+
+ The new modularized architecture of gnupg 1.9 as well as the
+X.509/CMS part has been developed as part of the Ägypten project.
+Direct contributors to this project are: Bernhard Herzog, who did
+extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
+made sure that we met the specifications and the deadlines. He did
+extensive testing and came up with a lot of suggestions. Jan-Oliver
+Wagner made sure that we met the specifications and the deadlines. He
+also did extensive testing and came up with a lot of suggestions.
+Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
+misconceptions while working on KDE integration. Marcus Brinkman
+extended GPGME, cleaned up the Assuan code and fixed bugs all over the
+place. Moritz Schulte took over Libgcrypt maintenance and developed it
+into a stable an useful library. Steffen Hansen had a hard time to
+write the dirmngr due to underspecified interfaces. Thomas Koester did
+extensive testing and tracked down a lot of bugs. Werner Koch designed
+the system and wrote most of the code.
+
+ The following people helped greatly by suggesting improvements,
+testing, fixing bugs, providing resources and doing other important
+tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
+Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
+Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
+Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
+Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
+Christian Kurz, Christian von Roques, Christopher Oliver, Christian
+Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
+David C Niemi, David Champion, David Ellement, David Hallinan, David
+Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
+Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
+Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
+Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
+Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
+Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
+Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
+Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
+Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
+Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
+Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
+Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
+MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
+John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
+Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
+Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
+Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
+M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
+Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
+Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
+Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
+Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
+Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
+Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
+Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
+Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
+Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
+Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
+Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
+Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
+Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
+Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
+Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
+Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
+Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
+Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
+Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
+Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
+Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
+and Gerlinde Klaes.
+
+ This software has been made possible by the previous work of Chris
+Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
+Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
+Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
+mathematicians and all the folks who have worked hard to create complete
+and free operating systems.
+
+ And finally we'd like to thank everyone who uses these tools, submits
+bug reports and generally reminds us why we're doing this work in the
+first place.
+
+
+File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
+
+Glossary
+********
+
+'ARL'
+ The _Authority Revocation List_ is technical identical to a CRL but
+ used for CAs and not for end user certificates.
+
+'Chain model'
+ Verification model for X.509 which uses the creation date of a
+ signature as the date the validation starts and in turn checks that
+ each certificate has been issued within the time frame, the issuing
+ certificate was valid. This allows the verification of signatures
+ after the CA's certificate expired. The validation test also
+ required an online check of the certificate status. The chain
+ model is required by the German signature law. See also _Shell
+ model_.
+
+'CMS'
+ The _Cryptographic Message Standard_ describes a message format for
+ encryption and digital signing. It is closely related to the X.509
+ certificate format. CMS was formerly known under the name 'PKCS#7'
+ and is described by 'RFC3369'.
+
+'CRL'
+ The _Certificate Revocation List_ is a list containing certificates
+ revoked by the issuer.
+
+'CSR'
+ The _Certificate Signing Request_ is a message send to a CA to ask
+ them to issue a new certificate. The data format of such a signing
+ request is called PCKS#10.
+
+'OpenPGP'
+ A data format used to build a PKI and to exchange encrypted or
+ signed messages. In contrast to X.509, OpenPGP also includes the
+ message format but does not explicitly demand a specific PKI.
+ However any kind of PKI may be build upon the OpenPGP protocol.
+
+'Keygrip'
+ This term is used by GnuPG to describe a 20 byte hash value used to
+ identify a certain key without referencing to a concrete protocol.
+ It is used internally to access a private key. Usually it is shown
+ and entered as a 40 character hexadecimal formatted string.
+
+'OCSP'
+ The _Online Certificate Status Protocol_ is used as an alternative
+ to a CRL. It is described in 'RFC 2560'.
+
+'PSE'
+ The _Personal Security Environment_ describes a database to store
+ private keys. This is either a smartcard or a collection of files
+ on a disk; the latter is often called a Soft-PSE.
+
+'Shell model'
+ The standard model for validation of certificates under X.509. At
+ the time of the verification all certificates must be valid and not
+ expired. See also _Chain model_.
+
+'X.509'
+ Description of a PKI used with CMS. It is for example defined by
+ 'RFC3280'.
+
+
+File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
+
+Option Index
+************
+
+
+* Menu:
+
+* --override-compliance-check: GPG Esoteric Options.
+ (line 424)
+* add-servers: Dirmngr Options. (line 313)
+* agent-program: GPG Configuration Options.
+ (line 755)
+* agent-program <1>: Configuration Options.
+ (line 53)
+* agent-program <2>: Invoking gpg-connect-agent.
+ (line 42)
+* allow-admin: Scdaemon Options. (line 204)
+* allow-emacs-pinentry: Agent Options. (line 206)
+* allow-freeform-uid: GPG Esoteric Options.
+ (line 367)
+* allow-loopback-pinentry: Agent Options. (line 188)
+* allow-multiple-messages: GPG Esoteric Options.
+ (line 560)
+* allow-non-selfsigned-uid: GPG Esoteric Options.
+ (line 362)
+* allow-ocsp: Dirmngr Options. (line 330)
+* allow-preset-passphrase: Agent Options. (line 183)
+* allow-secret-key-import: GPG Esoteric Options.
+ (line 556)
+* allow-version-check: Dirmngr Options. (line 138)
+* allow-weak-digest-algos: GPG Esoteric Options.
+ (line 403)
+* allow-weak-key-signatures: GPG Esoteric Options.
+ (line 419)
+* always-trust: Deprecated Options. (line 21)
+* armor: GPG Input and Output.
+ (line 8)
+* armor <1>: Input and Output. (line 8)
+* ask-cert-expire: GPG Esoteric Options.
+ (line 521)
+* ask-cert-level: GPG Configuration Options.
+ (line 360)
+* ask-sig-expire: GPG Esoteric Options.
+ (line 507)
+* assume-armor: Input and Output. (line 14)
+* assume-base64: Input and Output. (line 18)
+* assume-binary: Input and Output. (line 21)
+* attribute-fd: GPG Esoteric Options.
+ (line 92)
+* attribute-file: GPG Esoteric Options.
+ (line 98)
+* auto-check-trustdb: GPG Configuration Options.
+ (line 742)
+* auto-expand-secmem: Agent Options. (line 456)
+* auto-issuer-key-retrieve: Certificate Options. (line 62)
+* auto-key-import: GPG Configuration Options.
+ (line 578)
+* auto-key-locate: GPG Configuration Options.
+ (line 509)
+* auto-key-retrieve: GPG Configuration Options.
+ (line 590)
+* base64: Input and Output. (line 11)
+* batch: Agent Options. (line 48)
+* batch <1>: GPG Configuration Options.
+ (line 45)
+* batch <2>: gpgtar. (line 104)
+* blacklist: gpg-wks-client. (line 126)
+* bzip2-compress-level: GPG Configuration Options.
+ (line 334)
+* bzip2-decompress-lowmem: GPG Configuration Options.
+ (line 344)
+* c: Dirmngr Options. (line 87)
+* cache-cert: dirmngr-client. (line 72)
+* call-dirmngr: Operational GPGSM Commands.
+ (line 27)
+* call-protect-tool: Operational GPGSM Commands.
+ (line 41)
+* card-edit: Operational GPG Commands.
+ (line 210)
+* card-status: Operational GPG Commands.
+ (line 216)
+* card-timeout: Scdaemon Options. (line 180)
+* cert-digest-algo: GPG Esoteric Options.
+ (line 238)
+* cert-notation: GPG Esoteric Options.
+ (line 124)
+* cert-policy-url: GPG Esoteric Options.
+ (line 160)
+* change-passphrase: OpenPGP Key Management.
+ (line 452)
+* change-passphrase <1>: Certificate Management.
+ (line 109)
+* change-pin: Operational GPG Commands.
+ (line 219)
+* check: gpg-check-pattern. (line 56)
+* check-passphrase-pattern: Agent Options. (line 260)
+* check-signatures: Operational GPG Commands.
+ (line 140)
+* check-sigs: Operational GPG Commands.
+ (line 141)
+* check-sym-passphrase-pattern: Agent Options. (line 260)
+* check-trustdb: Operational GPG Commands.
+ (line 349)
+* cipher-algo: GPG Esoteric Options.
+ (line 199)
+* cipher-algo <1>: CMS Options. (line 13)
+* clear-sign: Operational GPG Commands.
+ (line 17)
+* clearsign: Operational GPG Commands.
+ (line 18)
+* cms: gpgtar. (line 99)
+* command-fd: GPG Esoteric Options.
+ (line 350)
+* command-file: GPG Esoteric Options.
+ (line 357)
+* comment: GPG Esoteric Options.
+ (line 103)
+* compatibility-flags: Esoteric Options. (line 57)
+* compliance: Compliance Options. (line 67)
+* compliance <1>: Esoteric Options. (line 18)
+* compliant-needed: GPG Configuration Options.
+ (line 717)
+* compress-algo: GPG Esoteric Options.
+ (line 215)
+* compress-level: GPG Configuration Options.
+ (line 334)
+* connect-quick-timeout: Dirmngr Options. (line 125)
+* connect-timeout: Dirmngr Options. (line 125)
+* create: gpgtar. (line 16)
+* create-socketdir: Invoking gpgconf. (line 96)
+* csh: Agent Options. (line 146)
+* csh <1>: Dirmngr Options. (line 87)
+* ctapi-driver: Scdaemon Options. (line 157)
+* daemon: Agent Commands. (line 27)
+* daemon <1>: Dirmngr Commands. (line 27)
+* daemon <2>: Scdaemon Commands. (line 31)
+* dearmor: Operational GPG Commands.
+ (line 403)
+* debug: Agent Options. (line 82)
+* debug <1>: Dirmngr Options. (line 59)
+* debug <2>: GPG Esoteric Options.
+ (line 47)
+* debug <3>: Esoteric Options. (line 90)
+* debug <4>: Scdaemon Options. (line 69)
+* debug-all: Agent Options. (line 106)
+* debug-all <1>: Dirmngr Options. (line 66)
+* debug-all <2>: GPG Esoteric Options.
+ (line 53)
+* debug-all <3>: Esoteric Options. (line 117)
+* debug-all <4>: Scdaemon Options. (line 96)
+* debug-allow-core-dump: Esoteric Options. (line 120)
+* debug-allow-core-dump <1>: Scdaemon Options. (line 113)
+* debug-assuan-log-cats: Scdaemon Options. (line 122)
+* debug-disable-ticker: Scdaemon Options. (line 109)
+* debug-ignore-expiration: Esoteric Options. (line 131)
+* debug-iolbf: GPG Esoteric Options.
+ (line 56)
+* debug-level: Agent Options. (line 57)
+* debug-level <1>: Dirmngr Options. (line 34)
+* debug-level <2>: GPG Esoteric Options.
+ (line 22)
+* debug-level <3>: Esoteric Options. (line 65)
+* debug-level <4>: Scdaemon Options. (line 40)
+* debug-log-tid: Scdaemon Options. (line 119)
+* debug-no-chain-validation: Esoteric Options. (line 127)
+* debug-pinentry: Agent Options. (line 126)
+* debug-quick-random: Agent Options. (line 114)
+* debug-wait: Agent Options. (line 109)
+* debug-wait <1>: Dirmngr Options. (line 74)
+* debug-wait <2>: Scdaemon Options. (line 99)
+* debug-wait <3>: Scdaemon Options. (line 104)
+* decode: Invoking gpg-connect-agent.
+ (line 95)
+* decrypt: Operational GPG Commands.
+ (line 59)
+* decrypt <1>: Operational GPGSM Commands.
+ (line 11)
+* decrypt <2>: gpgtar. (line 29)
+* decrypt-files: Operational GPG Commands.
+ (line 114)
+* default-cache-ttl: Agent Options. (line 217)
+* default-cache-ttl <1>: Agent Options. (line 226)
+* default-cert-expire: GPG Esoteric Options.
+ (line 527)
+* default-cert-level: GPG Configuration Options.
+ (line 368)
+* default-key: GPG Configuration Options.
+ (line 10)
+* default-key <1>: Input and Output. (line 34)
+* default-keyserver-url: GPG Esoteric Options.
+ (line 589)
+* default-new-key-algo STRING: GPG Esoteric Options.
+ (line 534)
+* default-preference-list: GPG Esoteric Options.
+ (line 584)
+* default-recipient: GPG Configuration Options.
+ (line 19)
+* default-recipient-self: GPG Configuration Options.
+ (line 23)
+* default-sig-expire: GPG Esoteric Options.
+ (line 513)
+* delete-keys: Operational GPG Commands.
+ (line 224)
+* delete-keys <1>: Certificate Management.
+ (line 60)
+* delete-secret-and-public-key: Operational GPG Commands.
+ (line 244)
+* delete-secret-keys: Operational GPG Commands.
+ (line 233)
+* deny-admin: Scdaemon Options. (line 204)
+* desig-revoke: OpenPGP Key Management.
+ (line 134)
+* detach-sign: Operational GPG Commands.
+ (line 28)
+* digest-algo: GPG Esoteric Options.
+ (line 208)
+* directory: gpgtar. (line 76)
+* directory <1>: gpg-wks-client. (line 122)
+* directory <2>: gpg-wks-server. (line 50)
+* dirmngr: Invoking gpg-connect-agent.
+ (line 54)
+* dirmngr-program: GPG Configuration Options.
+ (line 762)
+* dirmngr-program <1>: Configuration Options.
+ (line 59)
+* dirmngr-program <2>: Invoking gpg-connect-agent.
+ (line 49)
+* disable-application: Scdaemon Options. (line 214)
+* disable-ccid: Scdaemon Options. (line 162)
+* disable-check-own-socket: Agent Options. (line 342)
+* disable-check-own-socket <1>: Dirmngr Options. (line 79)
+* disable-cipher-algo: GPG Esoteric Options.
+ (line 246)
+* disable-crl-checks: Certificate Options. (line 13)
+* disable-dsa2: GPG Configuration Options.
+ (line 196)
+* disable-extended-key-format: Agent Options. (line 388)
+* disable-http: Dirmngr Options. (line 217)
+* disable-ipv4: Dirmngr Options. (line 211)
+* disable-ipv6: Dirmngr Options. (line 211)
+* disable-large-rsa: GPG Configuration Options.
+ (line 187)
+* disable-ldap: Dirmngr Options. (line 214)
+* disable-mdc: OpenPGP Options. (line 25)
+* disable-ocsp: Certificate Options. (line 53)
+* disable-pinpad: Scdaemon Options. (line 201)
+* disable-policy-checks: Certificate Options. (line 8)
+* disable-pubkey-algo: GPG Esoteric Options.
+ (line 251)
+* disable-scdaemon: Agent Options. (line 336)
+* disable-signer-uid: OpenPGP Options. (line 31)
+* disable-trusted-cert-crl-check: Certificate Options. (line 24)
+* display: Agent Options. (line 360)
+* display-charset: GPG Configuration Options.
+ (line 281)
+* display-charset:iso-8859-1: GPG Configuration Options.
+ (line 291)
+* display-charset:iso-8859-15: GPG Configuration Options.
+ (line 297)
+* display-charset:iso-8859-2: GPG Configuration Options.
+ (line 294)
+* display-charset:koi8-r: GPG Configuration Options.
+ (line 300)
+* display-charset:utf-8: GPG Configuration Options.
+ (line 303)
+* dry-run: GPG Esoteric Options.
+ (line 8)
+* dry-run <1>: gpgtar. (line 72)
+* dump-cert: Certificate Management.
+ (line 36)
+* dump-chain: Certificate Management.
+ (line 40)
+* dump-external-keys: Certificate Management.
+ (line 47)
+* dump-keys: Certificate Management.
+ (line 36)
+* dump-options: Agent Commands. (line 19)
+* dump-options <1>: Dirmngr Commands. (line 18)
+* dump-options <2>: General GPG Commands.
+ (line 20)
+* dump-options <3>: General GPGSM Commands.
+ (line 19)
+* dump-options <4>: Scdaemon Commands. (line 18)
+* dump-secret-keys: Certificate Management.
+ (line 43)
+* edit-card: Operational GPG Commands.
+ (line 209)
+* edit-key: OpenPGP Key Management.
+ (line 139)
+* emit-version: GPG Esoteric Options.
+ (line 114)
+* enable-crl-checks: Certificate Options. (line 13)
+* enable-dsa2: GPG Configuration Options.
+ (line 196)
+* enable-extended-key-format: Agent Options. (line 388)
+* enable-issuer-based-crl-check: Certificate Options. (line 45)
+* enable-large-rsa: GPG Configuration Options.
+ (line 187)
+* enable-ocsp: Certificate Options. (line 53)
+* enable-passphrase-history: Agent Options. (line 283)
+* enable-pinpad-varlen: Scdaemon Options. (line 193)
+* enable-policy-checks: Certificate Options. (line 8)
+* enable-progress-filter: GPG Esoteric Options.
+ (line 69)
+* enable-putty-support: Agent Options. (line 402)
+* enable-special-filenames: GPG Esoteric Options.
+ (line 571)
+* enable-special-filenames <1>: gpgv. (line 97)
+* enable-ssh-support: Agent Options. (line 402)
+* enable-trusted-cert-crl-check: Certificate Options. (line 24)
+* enarmor: Operational GPG Commands.
+ (line 403)
+* encrypt: Operational GPG Commands.
+ (line 32)
+* encrypt <1>: Operational GPGSM Commands.
+ (line 7)
+* encrypt <2>: gpgtar. (line 23)
+* encrypt-files: Operational GPG Commands.
+ (line 111)
+* encrypt-to: GPG Key related Options.
+ (line 35)
+* enforce-passphrase-constraints: Agent Options. (line 244)
+* escape-from-lines: GPG Esoteric Options.
+ (line 276)
+* exec: Invoking gpg-connect-agent.
+ (line 65)
+* exec-path: GPG Configuration Options.
+ (line 225)
+* exit-on-status-write-error: GPG Configuration Options.
+ (line 791)
+* expert: GPG Configuration Options.
+ (line 846)
+* export: Operational GPG Commands.
+ (line 250)
+* export <1>: Certificate Management.
+ (line 69)
+* export-filter: GPG Input and Output.
+ (line 131)
+* export-options: GPG Input and Output.
+ (line 220)
+* export-ownertrust: Operational GPG Commands.
+ (line 364)
+* export-secret-key-p12: Certificate Management.
+ (line 82)
+* export-secret-key-p8: Certificate Management.
+ (line 91)
+* export-secret-key-raw: Certificate Management.
+ (line 91)
+* export-secret-keys: Operational GPG Commands.
+ (line 268)
+* export-secret-subkeys: Operational GPG Commands.
+ (line 268)
+* export-ssh-key: Operational GPG Commands.
+ (line 290)
+* extra-digest-algo: Esoteric Options. (line 7)
+* extra-socket: Agent Options. (line 374)
+* extract: gpgtar. (line 19)
+* faked-system-time: Agent Options. (line 52)
+* faked-system-time <1>: GPG Esoteric Options.
+ (line 60)
+* faked-system-time <2>: Esoteric Options. (line 46)
+* fast-list-mode: GPG Esoteric Options.
+ (line 462)
+* fetch-crl: Dirmngr Commands. (line 52)
+* fetch-keys: Operational GPG Commands.
+ (line 333)
+* fingerprint: Operational GPG Commands.
+ (line 194)
+* fixed-list-mode: GPG Input and Output.
+ (line 284)
+* flush: Dirmngr Commands. (line 62)
+* for-your-eyes-only: GPG Esoteric Options.
+ (line 185)
+* forbid-gen-key: GPG Esoteric Options.
+ (line 551)
+* force: Dirmngr Options. (line 93)
+* force <1>: watchgnupg. (line 23)
+* force-crl-refresh: Certificate Options. (line 35)
+* force-default-responder: dirmngr-client. (line 64)
+* force-mdc: OpenPGP Options. (line 25)
+* force-sign-key: GPG Esoteric Options.
+ (line 545)
+* forget: Invoking gpg-preset-passphrase.
+ (line 26)
+* from: gpg-wks-server. (line 54)
+* full-gen-key: OpenPGP Key Management.
+ (line 111)
+* full-generate-key: OpenPGP Key Management.
+ (line 110)
+* gen-key: OpenPGP Key Management.
+ (line 104)
+* gen-key <1>: Certificate Management.
+ (line 8)
+* gen-prime: Operational GPG Commands.
+ (line 398)
+* gen-random: Operational GPG Commands.
+ (line 391)
+* gen-revoke: OpenPGP Key Management.
+ (line 120)
+* generate-designated-revocation: OpenPGP Key Management.
+ (line 133)
+* generate-key: OpenPGP Key Management.
+ (line 103)
+* generate-key <1>: Certificate Management.
+ (line 7)
+* generate-revocation: OpenPGP Key Management.
+ (line 119)
+* gnupg: Compliance Options. (line 12)
+* gpg: gpgtar. (line 135)
+* gpg-agent-info: GPG Configuration Options.
+ (line 752)
+* gpg-args: gpgtar. (line 138)
+* gpgconf-list: GPG Esoteric Options.
+ (line 605)
+* gpgconf-test: GPG Esoteric Options.
+ (line 609)
+* grab: Agent Options. (line 153)
+* group: GPG Key related Options.
+ (line 55)
+* header: gpg-wks-server. (line 57)
+* help: Agent Commands. (line 15)
+* help <1>: Dirmngr Commands. (line 14)
+* help <2>: General GPG Commands.
+ (line 12)
+* help <3>: General GPGSM Commands.
+ (line 11)
+* help <4>: Scdaemon Commands. (line 14)
+* help <5>: watchgnupg. (line 39)
+* help <6>: dirmngr-client. (line 44)
+* help <7>: gpgtar. (line 150)
+* help <8>: gpg-wks-client. (line 141)
+* help <9>: gpg-wks-server. (line 87)
+* hex: Invoking gpg-connect-agent.
+ (line 91)
+* hidden-encrypt-to: GPG Key related Options.
+ (line 43)
+* hidden-recipient: GPG Key related Options.
+ (line 14)
+* hidden-recipient-file: GPG Key related Options.
+ (line 29)
+* homedir: Agent Options. (line 17)
+* homedir <1>: GPG Configuration Options.
+ (line 260)
+* homedir <2>: Configuration Options.
+ (line 16)
+* homedir <3>: Scdaemon Options. (line 13)
+* homedir <4>: gpgv. (line 69)
+* homedir <5>: Invoking gpgconf. (line 120)
+* homedir <6>: Invoking gpg-connect-agent.
+ (line 21)
+* honor-http-proxy: Dirmngr Options. (line 236)
+* http-proxy: Dirmngr Options. (line 240)
+* ignore-cache-for-signing: Agent Options. (line 211)
+* ignore-cert: Dirmngr Options. (line 389)
+* ignore-cert-extension: Dirmngr Options. (line 379)
+* ignore-cert-extension <1>: Certificate Options. (line 82)
+* ignore-cert-with-oid: Esoteric Options. (line 37)
+* ignore-crc-error: GPG Esoteric Options.
+ (line 387)
+* ignore-http-dp: Dirmngr Options. (line 220)
+* ignore-ldap-dp: Dirmngr Options. (line 227)
+* ignore-mdc-error: GPG Esoteric Options.
+ (line 394)
+* ignore-ocsp-service-url: Dirmngr Options. (line 232)
+* ignore-time-conflict: GPG Esoteric Options.
+ (line 373)
+* ignore-time-conflict <1>: gpgv. (line 63)
+* ignore-valid-from: GPG Esoteric Options.
+ (line 380)
+* import: Operational GPG Commands.
+ (line 304)
+* import <1>: Certificate Management.
+ (line 99)
+* import-filter: GPG Input and Output.
+ (line 131)
+* import-options: GPG Input and Output.
+ (line 45)
+* import-ownertrust: Operational GPG Commands.
+ (line 370)
+* include-certs: CMS Options. (line 7)
+* include-key-block: OpenPGP Options. (line 38)
+* input-size-hint: GPG Input and Output.
+ (line 29)
+* interactive: GPG Esoteric Options.
+ (line 19)
+* keep-display: Agent Options. (line 365)
+* keep-tty: Agent Options. (line 365)
+* key-origin: GPG Input and Output.
+ (line 37)
+* keydb-clear-some-cert-flags: Certificate Management.
+ (line 52)
+* keyedit:addcardkey: OpenPGP Key Management.
+ (line 281)
+* keyedit:addkey: OpenPGP Key Management.
+ (line 278)
+* keyedit:addphoto: OpenPGP Key Management.
+ (line 201)
+* keyedit:addrevoker: OpenPGP Key Management.
+ (line 330)
+* keyedit:adduid: OpenPGP Key Management.
+ (line 198)
+* keyedit:bkuptocard: OpenPGP Key Management.
+ (line 295)
+* keyedit:change-usage: OpenPGP Key Management.
+ (line 357)
+* keyedit:check: OpenPGP Key Management.
+ (line 194)
+* keyedit:clean: OpenPGP Key Management.
+ (line 343)
+* keyedit:cross-certify: OpenPGP Key Management.
+ (line 366)
+* keyedit:delkey: OpenPGP Key Management.
+ (line 306)
+* keyedit:delsig: OpenPGP Key Management.
+ (line 184)
+* keyedit:deluid: OpenPGP Key Management.
+ (line 211)
+* keyedit:disable: OpenPGP Key Management.
+ (line 326)
+* keyedit:enable: OpenPGP Key Management.
+ (line 326)
+* keyedit:expire: OpenPGP Key Management.
+ (line 315)
+* keyedit:key: OpenPGP Key Management.
+ (line 148)
+* keyedit:keyserver: OpenPGP Key Management.
+ (line 228)
+* keyedit:keytocard: OpenPGP Key Management.
+ (line 284)
+* keyedit:lsign: OpenPGP Key Management.
+ (line 159)
+* keyedit:minimize: OpenPGP Key Management.
+ (line 352)
+* keyedit:notation: OpenPGP Key Management.
+ (line 235)
+* keyedit:nrsign: OpenPGP Key Management.
+ (line 164)
+* keyedit:passwd: OpenPGP Key Management.
+ (line 336)
+* keyedit:pref: OpenPGP Key Management.
+ (line 243)
+* keyedit:primary: OpenPGP Key Management.
+ (line 220)
+* keyedit:quit: OpenPGP Key Management.
+ (line 377)
+* keyedit:revkey: OpenPGP Key Management.
+ (line 312)
+* keyedit:revsig: OpenPGP Key Management.
+ (line 189)
+* keyedit:revuid: OpenPGP Key Management.
+ (line 217)
+* keyedit:save: OpenPGP Key Management.
+ (line 374)
+* keyedit:setpref: OpenPGP Key Management.
+ (line 255)
+* keyedit:showphoto: OpenPGP Key Management.
+ (line 208)
+* keyedit:showpref: OpenPGP Key Management.
+ (line 247)
+* keyedit:sign: OpenPGP Key Management.
+ (line 152)
+* keyedit:toggle: OpenPGP Key Management.
+ (line 339)
+* keyedit:trust: OpenPGP Key Management.
+ (line 321)
+* keyedit:tsign: OpenPGP Key Management.
+ (line 168)
+* keyedit:uid: OpenPGP Key Management.
+ (line 144)
+* keyid-format: GPG Configuration Options.
+ (line 627)
+* keyring: GPG Configuration Options.
+ (line 229)
+* keyring <1>: gpgv. (line 38)
+* keyserver: Dirmngr Options. (line 148)
+* keyserver <1>: GPG Configuration Options.
+ (line 636)
+* keyserver <2>: Configuration Options.
+ (line 43)
+* keyserver-options: GPG Configuration Options.
+ (line 655)
+* kill: Invoking gpgconf. (line 89)
+* known-notation: GPG Esoteric Options.
+ (line 151)
+* launch: Invoking gpgconf. (line 80)
+* lc-ctype: Agent Options. (line 360)
+* lc-messages: Agent Options. (line 360)
+* ldap-proxy: Dirmngr Options. (line 245)
+* ldapserver: Dirmngr Options. (line 275)
+* ldapserverlist-file: Dirmngr Options. (line 256)
+* ldaptimeout: Dirmngr Options. (line 309)
+* learn-card: Certificate Management.
+ (line 104)
+* legacy-list-mode: GPG Input and Output.
+ (line 290)
+* limit-card-insert-tries: GPG Configuration Options.
+ (line 800)
+* list-archive: gpgtar. (line 39)
+* list-chain: Certificate Management.
+ (line 32)
+* list-config: GPG Esoteric Options.
+ (line 594)
+* list-crls: Dirmngr Commands. (line 40)
+* list-gcrypt-config: GPG Esoteric Options.
+ (line 602)
+* list-keys: Operational GPG Commands.
+ (line 119)
+* list-keys <1>: Certificate Management.
+ (line 17)
+* list-keys <2>: Certificate Management.
+ (line 28)
+* list-only: GPG Esoteric Options.
+ (line 11)
+* list-options: GPG Configuration Options.
+ (line 71)
+* list-options:show-keyring: GPG Configuration Options.
+ (line 119)
+* list-options:show-keyserver-urls: GPG Configuration Options.
+ (line 103)
+* list-options:show-notations: GPG Configuration Options.
+ (line 99)
+* list-options:show-only-fpr-mbox: GPG Configuration Options.
+ (line 134)
+* list-options:show-photos: GPG Configuration Options.
+ (line 79)
+* list-options:show-policy-urls: GPG Configuration Options.
+ (line 93)
+* list-options:show-sig-expire: GPG Configuration Options.
+ (line 123)
+* list-options:show-sig-subpackets: GPG Configuration Options.
+ (line 127)
+* list-options:show-std-notations: GPG Configuration Options.
+ (line 99)
+* list-options:show-uid-validity: GPG Configuration Options.
+ (line 107)
+* list-options:show-unusable-subkeys: GPG Configuration Options.
+ (line 115)
+* list-options:show-unusable-uids: GPG Configuration Options.
+ (line 111)
+* list-options:show-usage: GPG Configuration Options.
+ (line 87)
+* list-options:show-user-notations: GPG Configuration Options.
+ (line 99)
+* list-packets: Operational GPG Commands.
+ (line 203)
+* list-secret-keys: Operational GPG Commands.
+ (line 130)
+* list-secret-keys <1>: Certificate Management.
+ (line 24)
+* list-signatures: GPG Esoteric Options.
+ (line 450)
+* list-sigs: GPG Esoteric Options.
+ (line 451)
+* listen-backlog: Agent Options. (line 370)
+* listen-backlog <1>: Dirmngr Options. (line 134)
+* listen-backlog <2>: Scdaemon Options. (line 135)
+* load-crl: Dirmngr Commands. (line 44)
+* load-crl <1>: dirmngr-client. (line 80)
+* local-user: GPG Key related Options.
+ (line 77)
+* local-user <1>: Input and Output. (line 41)
+* local-user <2>: gpgtar. (line 53)
+* locate-external-keys: Operational GPG Commands.
+ (line 170)
+* locate-keys: Operational GPG Commands.
+ (line 170)
+* lock-multiple: GPG Configuration Options.
+ (line 780)
+* lock-never: GPG Configuration Options.
+ (line 784)
+* lock-once: GPG Configuration Options.
+ (line 776)
+* log-file: Agent Options. (line 159)
+* log-file <1>: Dirmngr Options. (line 30)
+* log-file <2>: GPG Esoteric Options.
+ (line 86)
+* log-file <3>: Configuration Options.
+ (line 80)
+* log-file <4>: Scdaemon Options. (line 140)
+* log-file <5>: gpgv. (line 59)
+* logger-fd: GPG Esoteric Options.
+ (line 82)
+* logger-fd <1>: gpgv. (line 56)
+* lookup: dirmngr-client. (line 86)
+* lsign-key: OpenPGP Key Management.
+ (line 392)
+* mangle-dos-filenames: GPG Configuration Options.
+ (line 352)
+* marginals-needed: GPG Configuration Options.
+ (line 721)
+* max-cache-ttl: Agent Options. (line 232)
+* max-cache-ttl-ssh: Agent Options. (line 238)
+* max-cert-depth: GPG Configuration Options.
+ (line 729)
+* max-output: GPG Input and Output.
+ (line 19)
+* max-passphrase-days: Agent Options. (line 278)
+* max-replies: Dirmngr Options. (line 376)
+* min-cert-level: GPG Configuration Options.
+ (line 397)
+* min-passphrase-len: Agent Options. (line 248)
+* min-passphrase-nonalpha: Agent Options. (line 253)
+* min-rsa-length: Compliance Options. (line 72)
+* min-rsa-length <1>: Esoteric Options. (line 22)
+* multi-server: Scdaemon Commands. (line 26)
+* multifile: Operational GPG Commands.
+ (line 100)
+* nameserver: Dirmngr Options. (line 203)
+* no: GPG Configuration Options.
+ (line 67)
+* no <1>: gpgtar. (line 113)
+* no-allow-external-cache: Agent Options. (line 196)
+* no-allow-loopback-pinentry: Agent Options. (line 188)
+* no-allow-mark-trusted: Agent Options. (line 167)
+* no-armor: GPG Input and Output.
+ (line 12)
+* no-auto-key-import: GPG Configuration Options.
+ (line 578)
+* no-auto-key-retrieve: GPG Configuration Options.
+ (line 590)
+* no-autostart: GPG Configuration Options.
+ (line 769)
+* no-autostart <1>: Configuration Options.
+ (line 69)
+* no-autostart <2>: Invoking gpg-connect-agent.
+ (line 77)
+* no-batch: GPG Configuration Options.
+ (line 45)
+* no-common-certs-import: Esoteric Options. (line 168)
+* no-default-keyring: GPG Esoteric Options.
+ (line 432)
+* no-default-recipient: GPG Configuration Options.
+ (line 29)
+* no-detach: Agent Options. (line 131)
+* no-detach <1>: Scdaemon Options. (line 131)
+* no-encrypt-to: GPG Key related Options.
+ (line 51)
+* no-expensive-trust-checks: GPG Esoteric Options.
+ (line 576)
+* no-ext-connect: Invoking gpg-connect-agent.
+ (line 72)
+* no-grab: Agent Options. (line 153)
+* no-greeting: GPG Configuration Options.
+ (line 814)
+* no-groups: GPG Key related Options.
+ (line 73)
+* no-keyring: GPG Esoteric Options.
+ (line 438)
+* no-literal: GPG Esoteric Options.
+ (line 470)
+* no-mangle-dos-filenames: GPG Configuration Options.
+ (line 352)
+* no-options: GPG Configuration Options.
+ (line 327)
+* no-random-seed-file: GPG Configuration Options.
+ (line 808)
+* no-secmem-warning: GPG Configuration Options.
+ (line 817)
+* no-secmem-warning <1>: Configuration Options.
+ (line 76)
+* no-sig-cache: GPG Configuration Options.
+ (line 732)
+* no-skip-hidden-recipients: GPG Key related Options.
+ (line 108)
+* no-symkey-cache: GPG Esoteric Options.
+ (line 337)
+* no-tty: GPG Configuration Options.
+ (line 58)
+* no-use-standard-socket: Agent Options. (line 350)
+* no-use-tor: Dirmngr Options. (line 98)
+* no-user-trustlist: Agent Options. (line 172)
+* no-verbose: GPG Configuration Options.
+ (line 37)
+* not-dash-escaped: GPG Esoteric Options.
+ (line 266)
+* null: gpgtar. (line 86)
+* null <1>: gpg-check-pattern. (line 59)
+* ocsp: dirmngr-client. (line 61)
+* ocsp-current-period: Dirmngr Options. (line 371)
+* ocsp-max-clock-skew: Dirmngr Options. (line 363)
+* ocsp-max-period: Dirmngr Options. (line 367)
+* ocsp-responder: Dirmngr Options. (line 337)
+* ocsp-signer: Dirmngr Options. (line 342)
+* only-ldap-proxy: Dirmngr Options. (line 251)
+* openpgp: Compliance Options. (line 19)
+* openpgp <1>: gpgtar. (line 95)
+* options: Agent Options. (line 10)
+* options <1>: Dirmngr Options. (line 11)
+* options <2>: Dirmngr Options. (line 16)
+* options <3>: GPG Configuration Options.
+ (line 322)
+* options <4>: Configuration Options.
+ (line 10)
+* options <5>: Scdaemon Options. (line 7)
+* output: GPG Input and Output.
+ (line 16)
+* output <1>: Input and Output. (line 51)
+* output <2>: gpgv. (line 45)
+* output <3>: gpgtar. (line 57)
+* output <4>: gpg-wks-client. (line 111)
+* output <5>: gpg-wks-server. (line 65)
+* override-session-key: GPG Esoteric Options.
+ (line 494)
+* p12-charset: Input and Output. (line 24)
+* passphrase: GPG Esoteric Options.
+ (line 312)
+* passphrase <1>: Invoking gpg-preset-passphrase.
+ (line 36)
+* passphrase-fd: GPG Esoteric Options.
+ (line 291)
+* passphrase-fd <1>: Esoteric Options. (line 136)
+* passphrase-file: GPG Esoteric Options.
+ (line 301)
+* passphrase-repeat: GPG Esoteric Options.
+ (line 283)
+* passwd: OpenPGP Key Management.
+ (line 453)
+* passwd <1>: Certificate Management.
+ (line 110)
+* pcsc-driver: Scdaemon Options. (line 150)
+* pcsc-shared: Scdaemon Options. (line 144)
+* pem: dirmngr-client. (line 58)
+* permission-warning: GPG Configuration Options.
+ (line 820)
+* personal-cipher-preferences: OpenPGP Options. (line 46)
+* personal-compress-preferences: OpenPGP Options. (line 64)
+* personal-digest-preferences: OpenPGP Options. (line 55)
+* pgp6: Compliance Options. (line 44)
+* pgp7: Compliance Options. (line 54)
+* pgp8: Compliance Options. (line 60)
+* photo-viewer: GPG Configuration Options.
+ (line 202)
+* pinentry-formatted-passphrase: Agent Options. (line 297)
+* pinentry-invisible-char: Agent Options. (line 286)
+* pinentry-mode: GPG Esoteric Options.
+ (line 322)
+* pinentry-mode <1>: Esoteric Options. (line 145)
+* pinentry-program: Agent Options. (line 310)
+* pinentry-timeout: Agent Options. (line 291)
+* pinentry-touch-file: Agent Options. (line 323)
+* ping: dirmngr-client. (line 69)
+* policy-file: Configuration Options.
+ (line 50)
+* prefer-system-dirmngr: Configuration Options.
+ (line 63)
+* preserve-permissions: GPG Esoteric Options.
+ (line 579)
+* preset: Invoking gpg-preset-passphrase.
+ (line 22)
+* primary-keyring: GPG Configuration Options.
+ (line 243)
+* print-md: Operational GPG Commands.
+ (line 386)
+* q: Invoking gpg-connect-agent.
+ (line 18)
+* quick-add-key: OpenPGP Key Management.
+ (line 69)
+* quick-add-uid: OpenPGP Key Management.
+ (line 420)
+* quick-gen-key: OpenPGP Key Management.
+ (line 10)
+* quick-generate-key: OpenPGP Key Management.
+ (line 10)
+* quick-lsign-key: OpenPGP Key Management.
+ (line 398)
+* quick-revoke-sig: OpenPGP Key Management.
+ (line 435)
+* quick-revoke-uid: OpenPGP Key Management.
+ (line 427)
+* quick-set-expire: OpenPGP Key Management.
+ (line 60)
+* quick-set-primary-uid: OpenPGP Key Management.
+ (line 445)
+* quick-sign-key: OpenPGP Key Management.
+ (line 398)
+* quiet: Agent Options. (line 45)
+* quiet <1>: GPG Configuration Options.
+ (line 40)
+* quiet <2>: gpgv. (line 35)
+* quiet <3>: Invoking gpgconf. (line 117)
+* quiet <4>: Invoking gpg-connect-agent.
+ (line 18)
+* quiet <5>: dirmngr-client. (line 48)
+* quiet <6>: gpgtar. (line 65)
+* quiet <7>: gpg-wks-client. (line 135)
+* quiet <8>: gpg-wks-server. (line 81)
+* raw-socket: Invoking gpg-connect-agent.
+ (line 59)
+* reader-port: Scdaemon Options. (line 168)
+* rebuild-keydb-caches: Operational GPG Commands.
+ (line 380)
+* receive-keys: Operational GPG Commands.
+ (line 313)
+* recipient: GPG Key related Options.
+ (line 8)
+* recipient <1>: Input and Output. (line 46)
+* recipient <2>: gpgtar. (line 49)
+* recipient-file: GPG Key related Options.
+ (line 22)
+* recursive-resolver: Dirmngr Options. (line 117)
+* recv-keys: Operational GPG Commands.
+ (line 314)
+* refresh-keys: Operational GPG Commands.
+ (line 317)
+* reload: Invoking gpgconf. (line 74)
+* remove-socketdir: Invoking gpgconf. (line 102)
+* request-origin: GPG Esoteric Options.
+ (line 342)
+* request-origin <1>: Esoteric Options. (line 160)
+* require-compliance: Compliance Options. (line 77)
+* require-compliance <1>: Esoteric Options. (line 27)
+* require-compliance <2>: gpgtar. (line 117)
+* require-cross-certification: GPG Configuration Options.
+ (line 839)
+* require-secmem: GPG Configuration Options.
+ (line 834)
+* resolver-timeout: Dirmngr Options. (line 120)
+* rfc2440: Compliance Options. (line 37)
+* rfc4880: Compliance Options. (line 25)
+* rfc4880bis: Compliance Options. (line 30)
+* run: Invoking gpg-connect-agent.
+ (line 82)
+* s: Dirmngr Options. (line 87)
+* s2k-calibration: Agent Options. (line 465)
+* s2k-cipher-algo: OpenPGP Options. (line 74)
+* s2k-count: Agent Options. (line 472)
+* s2k-count <1>: OpenPGP Options. (line 90)
+* s2k-digest-algo: OpenPGP Options. (line 79)
+* s2k-mode: OpenPGP Options. (line 83)
+* scdaemon-program: Agent Options. (line 332)
+* search-keys: Operational GPG Commands.
+ (line 323)
+* secret-keyring: GPG Configuration Options.
+ (line 248)
+* send: gpg-wks-client. (line 72)
+* send <1>: gpg-wks-server. (line 60)
+* send-keys: Operational GPG Commands.
+ (line 257)
+* sender: GPG Key related Options.
+ (line 81)
+* server: Agent Commands. (line 23)
+* server <1>: Dirmngr Commands. (line 22)
+* server <2>: Operational GPGSM Commands.
+ (line 24)
+* server <3>: Scdaemon Commands. (line 22)
+* set-filename: GPG Esoteric Options.
+ (line 178)
+* set-filename <1>: gpgtar. (line 129)
+* set-filesize: GPG Esoteric Options.
+ (line 474)
+* set-notation: GPG Esoteric Options.
+ (line 124)
+* set-policy-url: GPG Esoteric Options.
+ (line 160)
+* sh: Agent Options. (line 146)
+* sh <1>: Dirmngr Options. (line 87)
+* show-keyring: Deprecated Options. (line 16)
+* show-keys: Operational GPG Commands.
+ (line 185)
+* show-notation: Deprecated Options. (line 25)
+* show-photos: Deprecated Options. (line 8)
+* show-policy-url: Deprecated Options. (line 33)
+* show-session-key: GPG Esoteric Options.
+ (line 478)
+* shutdown: Dirmngr Commands. (line 58)
+* sig-keyserver-url: GPG Esoteric Options.
+ (line 170)
+* sig-notation: GPG Esoteric Options.
+ (line 124)
+* sig-policy-url: GPG Esoteric Options.
+ (line 160)
+* sign: Operational GPG Commands.
+ (line 8)
+* sign <1>: Operational GPGSM Commands.
+ (line 16)
+* sign-key: OpenPGP Key Management.
+ (line 388)
+* skip-crypto: gpgtar. (line 68)
+* skip-hidden-recipients: GPG Key related Options.
+ (line 108)
+* skip-verify: GPG Esoteric Options.
+ (line 442)
+* squid-mode: dirmngr-client. (line 101)
+* ssh-fingerprint-digest: Agent Options. (line 450)
+* standard-resolver: Dirmngr Options. (line 110)
+* status-fd: GPG Esoteric Options.
+ (line 74)
+* status-fd <1>: gpgv. (line 52)
+* status-fd <2>: Invoking gpgconf. (line 158)
+* status-fd <3>: gpgtar. (line 120)
+* status-fd <4>: gpg-wks-client. (line 115)
+* status-file: GPG Esoteric Options.
+ (line 78)
+* steal-socket: Agent Options. (line 135)
+* store: Operational GPG Commands.
+ (line 55)
+* subst: Invoking gpg-connect-agent.
+ (line 88)
+* supervised: Agent Commands. (line 36)
+* supervised <1>: Dirmngr Commands. (line 33)
+* symmetric: Operational GPG Commands.
+ (line 42)
+* sys-trustlist-name: Agent Options. (line 177)
+* tar-args: gpgtar. (line 141)
+* textmode: OpenPGP Options. (line 8)
+* throw-keyids: GPG Esoteric Options.
+ (line 257)
+* time-only: watchgnupg. (line 30)
+* tls-debug: Dirmngr Options. (line 69)
+* tofu-default-policy: GPG Configuration Options.
+ (line 725)
+* tofu-policy: Operational GPG Commands.
+ (line 408)
+* trust-model: GPG Configuration Options.
+ (line 412)
+* trust-model:always: GPG Configuration Options.
+ (line 493)
+* trust-model:auto: GPG Configuration Options.
+ (line 502)
+* trust-model:classic: GPG Configuration Options.
+ (line 420)
+* trust-model:direct: GPG Configuration Options.
+ (line 485)
+* trust-model:pgp: GPG Configuration Options.
+ (line 415)
+* trust-model:tofu: GPG Configuration Options.
+ (line 423)
+* trust-model:tofu+pgp: GPG Configuration Options.
+ (line 473)
+* trustdb-name: GPG Configuration Options.
+ (line 253)
+* trusted-key: GPG Configuration Options.
+ (line 403)
+* try-all-secrets: GPG Key related Options.
+ (line 100)
+* try-secret-key: GPG Key related Options.
+ (line 89)
+* ttyname: Agent Options. (line 360)
+* ttytype: Agent Options. (line 360)
+* ungroup: GPG Key related Options.
+ (line 70)
+* update-trustdb: Operational GPG Commands.
+ (line 339)
+* url: dirmngr-client. (line 94)
+* url <1>: dirmngr-client. (line 98)
+* use-agent: GPG Configuration Options.
+ (line 749)
+* use-embedded-filename: GPG Esoteric Options.
+ (line 194)
+* use-standard-socket: Agent Options. (line 350)
+* use-standard-socket-p: Agent Options. (line 350)
+* use-tor: Dirmngr Options. (line 98)
+* utf8-strings: GPG Configuration Options.
+ (line 308)
+* utf8-strings <1>: gpgtar. (line 90)
+* v: Dirmngr Options. (line 25)
+* v <1>: Configuration Options.
+ (line 38)
+* v <2>: Scdaemon Options. (line 35)
+* v <3>: dirmngr-client. (line 53)
+* validate: dirmngr-client. (line 76)
+* validation-model: Certificate Options. (line 73)
+* verbose: Agent Options. (line 39)
+* verbose <1>: Dirmngr Options. (line 25)
+* verbose <2>: GPG Configuration Options.
+ (line 33)
+* verbose <3>: Configuration Options.
+ (line 38)
+* verbose <4>: Scdaemon Options. (line 35)
+* verbose <5>: watchgnupg. (line 33)
+* verbose <6>: gpgv. (line 30)
+* verbose <7>: Invoking gpg-preset-passphrase.
+ (line 32)
+* verbose <8>: Invoking gpg-connect-agent.
+ (line 14)
+* verbose <9>: dirmngr-client. (line 53)
+* verbose <10>: gpgtar. (line 61)
+* verbose <11>: gpg-check-pattern. (line 53)
+* verbose <12>: gpg-wks-client. (line 132)
+* verbose <13>: gpg-wks-server. (line 78)
+* verify: Operational GPG Commands.
+ (line 67)
+* verify <1>: Operational GPGSM Commands.
+ (line 20)
+* verify-files: Operational GPG Commands.
+ (line 108)
+* verify-options: GPG Configuration Options.
+ (line 138)
+* verify-options:pka-lookups: GPG Configuration Options.
+ (line 174)
+* verify-options:pka-trust-increase: GPG Configuration Options.
+ (line 181)
+* verify-options:show-keyserver-urls: GPG Configuration Options.
+ (line 157)
+* verify-options:show-notations: GPG Configuration Options.
+ (line 153)
+* verify-options:show-photos: GPG Configuration Options.
+ (line 143)
+* verify-options:show-policy-urls: GPG Configuration Options.
+ (line 147)
+* verify-options:show-primary-uid-only: GPG Configuration Options.
+ (line 169)
+* verify-options:show-std-notations: GPG Configuration Options.
+ (line 153)
+* verify-options:show-uid-validity: GPG Configuration Options.
+ (line 161)
+* verify-options:show-unusable-uids: GPG Configuration Options.
+ (line 165)
+* verify-options:show-user-notations: GPG Configuration Options.
+ (line 153)
+* version: Agent Commands. (line 10)
+* version <1>: Dirmngr Commands. (line 10)
+* version <2>: General GPG Commands.
+ (line 7)
+* version <3>: General GPGSM Commands.
+ (line 7)
+* version <4>: Scdaemon Commands. (line 10)
+* version <5>: watchgnupg. (line 36)
+* version <6>: dirmngr-client. (line 40)
+* version <7>: gpgtar. (line 147)
+* version <8>: gpg-wks-client. (line 138)
+* version <9>: gpg-wks-server. (line 84)
+* warranty: General GPG Commands.
+ (line 17)
+* warranty <1>: General GPGSM Commands.
+ (line 15)
+* weak-digest: GPG Esoteric Options.
+ (line 411)
+* weak-digest <1>: gpgv. (line 90)
+* with-colons: GPG Input and Output.
+ (line 276)
+* with-colons <1>: gpg-wks-client. (line 76)
+* with-dir: gpg-wks-server. (line 69)
+* with-ephemeral-keys: Esoteric Options. (line 52)
+* with-file: gpg-wks-server. (line 73)
+* with-fingerprint: GPG Input and Output.
+ (line 296)
+* with-icao-spelling: GPG Input and Output.
+ (line 307)
+* with-key-data: GPG Esoteric Options.
+ (line 446)
+* with-key-data <1>: Input and Output. (line 54)
+* with-key-origin: GPG Input and Output.
+ (line 315)
+* with-keygrip: GPG Input and Output.
+ (line 311)
+* with-log: gpgtar. (line 124)
+* with-secret: GPG Input and Output.
+ (line 326)
+* with-secret <1>: Input and Output. (line 78)
+* with-subkey-fingerprint: GPG Input and Output.
+ (line 300)
+* with-validation: Input and Output. (line 60)
+* with-wkd-hash: GPG Input and Output.
+ (line 321)
+* xauthority: Agent Options. (line 360)
+* yes: GPG Configuration Options.
+ (line 63)
+* yes <1>: gpgtar. (line 108)
+
+
+File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top
+
+Environment Variable and File Index
+***********************************
+
+
+* Menu:
+
+* .gpg-v21-migrated: GPG Configuration. (line 77)
+* ~/.gnupg: GPG Configuration. (line 27)
+* ASSUAN_DEBUG: Scdaemon Options. (line 122)
+* COLUMNS: GPG Configuration. (line 118)
+* com-certs.pem: GPGSM Configuration. (line 84)
+* dirmngr.conf: Dirmngr Configuration.
+ (line 12)
+* DISPLAY: GPGSM OPTION. (line 21)
+* GNUPGHOME: Agent Options. (line 17)
+* GNUPGHOME <1>: GPG Configuration Options.
+ (line 260)
+* GNUPGHOME <2>: GPG Configuration. (line 106)
+* GNUPGHOME <3>: Configuration Options.
+ (line 16)
+* GNUPGHOME <4>: Scdaemon Options. (line 13)
+* GNUPGHOME <5>: gpgv. (line 69)
+* GNUPGHOME <6>: Invoking gpgconf. (line 120)
+* GNUPGHOME <7>: Invoking gpg-connect-agent.
+ (line 21)
+* GNUPG_BUILD_ROOT: GPG Configuration. (line 130)
+* GNUPG_EXEC_DEBUG_FLAGS: GPG Configuration. (line 135)
+* gpg-agent.conf: Agent Configuration. (line 11)
+* gpg.conf: GPG Configuration. (line 11)
+* gpgconf.ctl: Agent Options. (line 28)
+* gpgconf.ctl <1>: GPG Configuration Options.
+ (line 271)
+* gpgconf.ctl <2>: Configuration Options.
+ (line 27)
+* gpgconf.ctl <3>: Scdaemon Options. (line 24)
+* gpgconf.ctl <4>: gpgv. (line 80)
+* gpgconf.ctl <5>: Invoking gpgconf. (line 131)
+* gpgconf.ctl <6>: Invoking gpg-connect-agent.
+ (line 32)
+* gpgsm.conf: GPGSM Configuration. (line 11)
+* GPG_TTY: Invoking GPG-AGENT. (line 22)
+* GPG_TTY <1>: GPGSM OPTION. (line 23)
+* help.txt: GPGSM Configuration. (line 72)
+* HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 159)
+* HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 17)
+* HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options.
+ (line 260)
+* HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options.
+ (line 16)
+* HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)
+* HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 69)
+* HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpgconf. (line 120)
+* HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking gpg-connect-agent.
+ (line 21)
+* HOME: GPG Configuration. (line 103)
+* http_proxy: Dirmngr Options. (line 240)
+* LANGUAGE: GPG Configuration. (line 121)
+* LC_CTYPE: GPGSM OPTION. (line 27)
+* LC_MESSAGES: GPGSM OPTION. (line 29)
+* LINES: GPG Configuration. (line 118)
+* openpgp-revocs.d: GPG Configuration. (line 91)
+* PATH: GPG Configuration Options.
+ (line 225)
+* PINENTRY_USER_DATA: GPG Configuration. (line 113)
+* PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33)
+* policies.txt: GPGSM Configuration. (line 18)
+* private-keys-v1.d: Agent Configuration. (line 106)
+* pubring.gpg: GPG Configuration. (line 32)
+* pubring.kbx: GPG Configuration. (line 50)
+* pubring.kbx <1>: GPGSM Configuration. (line 100)
+* qualified.txt: GPGSM Configuration. (line 33)
+* random_seed: GPG Configuration. (line 88)
+* random_seed <1>: GPGSM Configuration. (line 106)
+* S.gpg-agent: GPGSM Configuration. (line 111)
+* secring.gpg: GPG Configuration. (line 69)
+* SHELL: Agent Options. (line 146)
+* sshcontrol: Agent Configuration. (line 76)
+* TERM: GPGSM OPTION. (line 25)
+* trustdb.gpg: GPG Configuration. (line 80)
+* trustlist.txt: Agent Configuration. (line 20)
+* XAUTHORITY: GPGSM OPTION. (line 31)
+
+
+File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top
+
+Index
+*****
+
+
+* Menu:
+
+* command options: Invoking GPG-AGENT. (line 6)
+* command options <1>: Invoking DIRMNGR. (line 6)
+* command options <2>: Invoking GPG. (line 6)
+* command options <3>: Invoking GPGSM. (line 6)
+* command options <4>: Invoking SCDAEMON. (line 6)
+* contributors: Contributors. (line 6)
+* DIRMNGR command options: Invoking DIRMNGR. (line 6)
+* GPG command options: Invoking GPG. (line 6)
+* GPG-AGENT command options: Invoking GPG-AGENT. (line 6)
+* gpgconf.conf: Files used by gpgconf.
+ (line 7)
+* GPGSM command options: Invoking GPGSM. (line 6)
+* options, DIRMNGR command: Invoking DIRMNGR. (line 6)
+* options, GPG command: Invoking GPG. (line 6)
+* options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)
+* options, GPGSM command: Invoking GPGSM. (line 6)
+* options, SCDAEMON command: Invoking SCDAEMON. (line 6)
+* relax: Agent Configuration. (line 64)
+* scd-event: Scdaemon Configuration.
+ (line 18)
+* SCDAEMON command options: Invoking SCDAEMON. (line 6)
+* scdaemon.conf: Scdaemon Configuration.
+ (line 11)
+* SIGHUP: Agent Signals. (line 12)
+* SIGHUP <1>: Dirmngr Signals. (line 12)
+* SIGINT: Agent Signals. (line 31)
+* SIGINT <1>: Dirmngr Signals. (line 26)
+* SIGTERM: Agent Signals. (line 26)
+* SIGTERM <1>: Dirmngr Signals. (line 19)
+* SIGUSR1: Agent Signals. (line 34)
+* SIGUSR1 <1>: Dirmngr Signals. (line 29)
+* SIGUSR2: Agent Signals. (line 37)
+* swdb.lst: Files used by gpgconf.
+ (line 14)
+* trust values: Trust Values. (line 6)
+