diff options
Diffstat (limited to 'doc/gnupg.info-2')
-rw-r--r-- | doc/gnupg.info-2 | 6144 |
1 files changed, 6144 insertions, 0 deletions
diff --git a/doc/gnupg.info-2 b/doc/gnupg.info-2 new file mode 100644 index 0000000..7895f56 --- /dev/null +++ b/doc/gnupg.info-2 @@ -0,0 +1,6144 @@ +This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi. + +This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3, +October 2022). + + (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc. +(C) 2013, 2014, 2015 Werner Koch. +(C) 2015, 2016, 2017 g10 Code GmbH. + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 3 of the + License, or (at your option) any later version. The text of the + license can be found in the section entitled "Copying". +INFO-DIR-SECTION GNU Utilities +START-INFO-DIR-ENTRY +* gpg2: (gnupg). OpenPGP encryption and signing tool. +* gpgsm: (gnupg). S/MIME encryption and signing tool. +* gpg-agent: (gnupg). The secret key daemon. +* dirmngr: (gnupg). X.509 CRL and OCSP server. +* dirmngr-client: (gnupg). X.509 CRL and OCSP client. +END-INFO-DIR-ENTRY + + +File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM + +5.6 The Protocol the Server Mode Uses +===================================== + +Description of the protocol used to access 'GPGSM'. 'GPGSM' does +implement the Assuan protocol and in addition provides a regular command +line interface which exhibits a full client to this protocol (but uses +internal linking). To start 'gpgsm' as a server the command line the +option '--server' must be used. Additional options are provided to +select the communication method (i.e. the name of the socket). + + We assume that the connection has already been established; see the +Assuan manual for details. + +* Menu: + +* GPGSM ENCRYPT:: Encrypting a message. +* GPGSM DECRYPT:: Decrypting a message. +* GPGSM SIGN:: Signing a message. +* GPGSM VERIFY:: Verifying a message. +* GPGSM GENKEY:: Generating a key. +* GPGSM LISTKEYS:: List available keys. +* GPGSM EXPORT:: Export certificates. +* GPGSM IMPORT:: Import certificates. +* GPGSM DELETE:: Delete certificates. +* GPGSM GETAUDITLOG:: Retrieve an audit log. +* GPGSM GETINFO:: Information about the process +* GPGSM OPTION:: Session options. + + +File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol + +5.6.1 Encrypting a Message +-------------------------- + +Before encryption can be done the recipient must be set using the +command: + + RECIPIENT USERID + + Set the recipient for the encryption. USERID should be the internal +representation of the key; the server may accept any other way of +specification. If this is a valid and trusted recipient the server does +respond with OK, otherwise the return is an ERR with the reason why the +recipient cannot be used, the encryption will then not be done for this +recipient. If the policy is not to encrypt at all if not all recipients +are valid, the client has to take care of this. All 'RECIPIENT' +commands are cumulative until a 'RESET' or an successful 'ENCRYPT' +command. + + INPUT FD[=N] [--armor|--base64|--binary] + + Set the file descriptor for the message to be encrypted to N. +Obviously the pipe must be open at that point, the server establishes +its own end. If the server returns an error the client should consider +this session failed. If N is not given, this commands uses the last +file descriptor passed to the application. *Note the assuan_sendfd +function: (assuan)fun-assuan_sendfd, on how to do descriptor passing. + + The '--armor' option may be used to advise the server that the input +data is in PEM format, '--base64' advises that a raw base-64 encoding is +used, '--binary' advises of raw binary input (BER). If none of these +options is used, the server tries to figure out the used encoding, but +this may not always be correct. + + OUTPUT FD[=N] [--armor|--base64] + + Set the file descriptor to be used for the output (i.e. the +encrypted message). Obviously the pipe must be open at that point, the +server establishes its own end. If the server returns an error the +client should consider this session failed. + + The option '--armor' encodes the output in PEM format, the '--base64' +option applies just a base-64 encoding. No option creates binary output +(BER). + + The actual encryption is done using the command + + ENCRYPT + + It takes the plaintext from the 'INPUT' command, writes to the +ciphertext to the file descriptor set with the 'OUTPUT' command, take +the recipients from all the recipients set so far. If this command +fails the clients should try to delete all output currently done or +otherwise mark it as invalid. 'GPGSM' does ensure that there will not +be any security problem with leftover data on the output in this case. + + This command should in general not fail, as all necessary checks have +been done while setting the recipients. The input and output pipes are +closed. + + +File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol + +5.6.2 Decrypting a message +-------------------------- + +Input and output FDs are set the same way as in encryption, but 'INPUT' +refers to the ciphertext and 'OUTPUT' to the plaintext. There is no +need to set recipients. 'GPGSM' automatically strips any S/MIME headers +from the input, so it is valid to pass an entire MIME part to the INPUT +pipe. + + The decryption is done by using the command + + DECRYPT + + It performs the decrypt operation after doing some check on the +internal state (e.g. that all needed data has been set). Because it +utilizes the GPG-Agent for the session key decryption, there is no need +to ask the client for a protecting passphrase - GpgAgent takes care of +this by requesting this from the user. + + +File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol + +5.6.3 Signing a Message +----------------------- + +Signing is usually done with these commands: + + INPUT FD[=N] [--armor|--base64|--binary] + + This tells 'GPGSM' to read the data to sign from file descriptor N. + + OUTPUT FD[=M] [--armor|--base64] + + Write the output to file descriptor M. If a detached signature is +requested, only the signature is written. + + SIGN [--detached] + + Sign the data set with the 'INPUT' command and write it to the sink +set by 'OUTPUT'. With '--detached', a detached signature is created +(surprise). + + The key used for signing is the default one or the one specified in +the configuration file. To get finer control over the keys, it is +possible to use the command + + SIGNER USERID + + to set the signer's key. USERID should be the internal +representation of the key; the server may accept any other way of +specification. If this is a valid and trusted recipient the server does +respond with OK, otherwise the return is an ERR with the reason why the +key cannot be used, the signature will then not be created using this +key. If the policy is not to sign at all if not all keys are valid, the +client has to take care of this. All 'SIGNER' commands are cumulative +until a 'RESET' is done. Note that a 'SIGN' does not reset this list of +signers which is in contrast to the 'RECIPIENT' command. + + +File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol + +5.6.4 Verifying a Message +------------------------- + +To verify a message the command: + + VERIFY + + is used. It does a verify operation on the message send to the input +FD. The result is written out using status lines. If an output FD was +given, the signed text will be written to that. If the signature is a +detached one, the server will inquire about the signed material and the +client must provide it. + + +File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol + +5.6.5 Generating a Key +---------------------- + +This is used to generate a new keypair, store the secret part in the PSE +and the public key in the key database. We will probably add optional +commands to allow the client to select whether a hardware token is used +to store the key. Configuration options to 'GPGSM' can be used to +restrict the use of this command. + + GENKEY + + 'GPGSM' checks whether this command is allowed and then does an +INQUIRY to get the key parameters, the client should then send the key +parameters in the native format: + + S: INQUIRE KEY_PARAM native + C: D foo:fgfgfg + C: D bar + C: END + + Please note that the server may send Status info lines while reading +the data lines from the client. After this the key generation takes +place and the server eventually does send an ERR or OK response. Status +lines may be issued as a progress indicator. + + +File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol + +5.6.6 List available keys +------------------------- + +To list the keys in the internal database or using an external key +provider, the command: + + LISTKEYS PATTERN + + is used. To allow multiple patterns (which are ORed during the +search) quoting is required: Spaces are to be translated into "+" or +into "%20"; in turn this requires that the usual escape quoting rules +are done. + + LISTSECRETKEYS PATTERN + + Lists only the keys where a secret key is available. + + The list commands are affected by the option + + OPTION list-mode=MODE + + where mode may be: +'0' + Use default (which is usually the same as 1). +'1' + List only the internal keys. +'2' + List only the external keys. +'3' + List internal and external keys. + + Note that options are valid for the entire session. + + +File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol + +5.6.7 Export certificates +------------------------- + +To export certificate from the internal key database the command: + + EXPORT [--data [--armor] [--base64]] [--] PATTERN + + is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + + If the '--data' option has not been given, the format of the output +depends on what was set with the 'OUTPUT' command. When using PEM +encoding a few informational lines are prepended. + + If the '--data' has been given, a target set via 'OUTPUT' is ignored +and the data is returned inline using standard 'D'-lines. This avoids +the need for an extra file descriptor. In this case the options +'--armor' and '--base64' may be used in the same way as with the +'OUTPUT' command. + + +File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol + +5.6.8 Import certificates +------------------------- + +To import certificates into the internal key database, the command + + IMPORT [--re-import] + + is used. The data is expected on the file descriptor set with the +'INPUT' command. Certain checks are performed on the certificate. Note +that the code will also handle PKCS#12 files and import private keys; a +helper program is used for that. + + With the option '--re-import' the input data is expected to a be a +linefeed separated list of fingerprints. The command will re-import the +corresponding certificates; that is they are made permanent by removing +their ephemeral flag. + + +File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol + +5.6.9 Delete certificates +------------------------- + +To delete a certificate the command + + DELKEYS PATTERN + + is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + + The certificates must be specified unambiguously otherwise an error +is returned. + + +File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol + +5.6.10 Retrieve an audit log +---------------------------- + +This command is used to retrieve an audit log. + + GETAUDITLOG [--data] [--html] + + If '--data' is used, the audit log is send using D-lines instead of +being sent to the file descriptor given by an 'OUTPUT' command. If +'--html' is used, the output is formatted as an XHTML block. This is +designed to be incorporated into a HTML document. + + +File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol + +5.6.11 Return information about the process +------------------------------------------- + +This is a multipurpose function to return a variety of information. + + GETINFO WHAT + + The value of WHAT specifies the kind of information returned: +'version' + Return the version of the program. +'pid' + Return the process id of the process. +'agent-check' + Return OK if the agent is running. +'cmd_has_option CMD OPT' + Return OK if the command CMD implements the option OPT. The + leading two dashes usually used with OPT shall not be given. +'offline' + Return OK if the connection is in offline mode. This may be either + due to a 'OPTION offline=1' or due to 'gpgsm' being started with + option '--disable-dirmngr'. + + +File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol + +5.6.12 Session options +---------------------- + +The standard Assuan option handler supports these options. + + OPTION NAME[=VALUE] + + These NAMEs are recognized: + +'putenv' + Change the session's environment to be passed via gpg-agent to + Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If + only '<KEY>' is given the environment variable '<KEY>' is removed + from the session environment, if '<KEY>=' is given that environment + variable is set to the empty string, and if '<STRING>' is given it + is set to that string. + +'display' + Set the session environment variable 'DISPLAY' is set to VALUE. +'ttyname' + Set the session environment variable 'GPG_TTY' is set to VALUE. +'ttytype' + Set the session environment variable 'TERM' is set to VALUE. +'lc-ctype' + Set the session environment variable 'LC_CTYPE' is set to VALUE. +'lc-messages' + Set the session environment variable 'LC_MESSAGES' is set to VALUE. +'xauthority' + Set the session environment variable 'XAUTHORITY' is set to VALUE. +'pinentry-user-data' + Set the session environment variable 'PINENTRY_USER_DATA' is set to + VALUE. + +'include-certs' + This option overrides the command line option '--include-certs'. A + VALUE of -2 includes all certificates except for the root + certificate, -1 includes all certificates, 0 does not include any + certificates, 1 includes only the signers certificate and all other + positive values include up to VALUE certificates starting with the + signer cert. + +'list-mode' + *Note gpgsm-cmd listkeys::. + +'list-to-output' + If VALUE is true the output of the list commands (*note gpgsm-cmd + listkeys::) is written to the file descriptor set with the last + 'OUTPUT' command. If VALUE is false the output is written via data + lines; this is the default. + +'with-validation' + If VALUE is true for each listed certificate the validation status + is printed. This may result in the download of a CRL or the user + being asked about the trustworthiness of a root certificate. The + default is given by a command line option (*note gpgsm-option + --with-validation::). + +'with-secret' + If VALUE is true certificates with a corresponding private key are + marked by the list commands. + +'validation-model' + This option overrides the command line option 'validation-model' + for the session. (*Note gpgsm-option --validation-model::.) + +'with-key-data' + This option globally enables the command line option + '--with-key-data'. (*Note gpgsm-option --with-key-data::.) + +'enable-audit-log' + If VALUE is true data to write an audit log is gathered. (*Note + gpgsm-cmd getauditlog::.) + +'allow-pinentry-notify' + If this option is used notifications about the launch of a Pinentry + are passed back to the client. + +'with-ephemeral-keys' + If VALUE is true ephemeral certificates are included in the output + of the list commands. + +'no-encrypt-to' + If this option is used all keys set by the command line option + '--encrypt-to' are ignored. + +'offline' + If VALUE is true or VALUE is not given all network access is + disabled for this session. This is the same as the command line + option '--disable-dirmngr'. + + +File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top + +6 Invoking the SCDAEMON +*********************** + +The 'scdaemon' is a daemon to manage smartcards. It is usually invoked +by 'gpg-agent' and in general not used directly. + + *Note Option Index::, for an index to 'scdaemon''s commands and +options. + +* Menu: + +* Scdaemon Commands:: List of all commands. +* Scdaemon Options:: List of all options. +* Card applications:: Description of card applications. +* Scdaemon Configuration:: Configuration files. +* Scdaemon Examples:: Some usage examples. +* Scdaemon Protocol:: The protocol the daemon uses. + + +File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON + +6.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + +'--server' + Run in server mode and wait for commands on the 'stdin'. The + default mode is to create a socket and listen for commands there. + +'--multi-server' + Run in server mode and wait for commands on the 'stdin' as well as + on an additional Unix Domain socket. The server command 'GETINFO' + may be used to get the name of that extra socket. + +'--daemon' + Run the program in the background. This option is required to + prevent it from being accidentally running in the background. + + +File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON + +6.2 Option Summary +================== + +'--options FILE' + Reads configuration from FILE instead of from the default per-user + configuration file. The default configuration file is named + 'scdaemon.conf' and expected in the '.gnupg' directory directly + below the home directory of the user. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to 'gpgsm', such as + '-vv'. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + + Note: All debugging options are subject to change and thus + should not be used by any application program. As the name + says, they are only used as helpers to debug problems. + +'--debug FLAGS' + This option is only useful for debugging and the behavior may + change at any time without notice. FLAGS are bit encoded and may + be given in usual C-Syntax. The currently defined bits are: + + '0 (1)' + command I/O + '1 (2)' + values of big number integers + '2 (4)' + low level crypto operations + '5 (32)' + memory allocation + '6 (64)' + caching + '7 (128)' + show memory statistics + '9 (512)' + write hashed data to files named 'dbgmd-000*' + '10 (1024)' + trace Assuan protocol. See also option + '--debug-assuan-log-cats'. + '11 (2048)' + trace APDU I/O to the card. This may reveal sensitive data. + '12 (4096)' + trace some card reader related function calls. + +'--debug-all' + Same as '--debug=0xffffffff' + +'--debug-wait N' + When running in server mode, wait N seconds before entering the + actual processing loop and print the pid. This gives time to + attach a debugger. + +'--debug-ccid-driver' + Enable debug output from the included CCID driver for smartcards. + Using this option twice will also enable some tracing of the T=1 + protocol. Note that this option may reveal sensitive data. + +'--debug-disable-ticker' + This option disables all ticker functions like checking for card + insertions. + +'--debug-allow-core-dump' + For security reasons we won't create a core dump when the process + aborts. For debugging purposes it is sometimes better to allow + core dump. This option enables it and also changes the working + directory to '/tmp' when running in '--server' mode. + +'--debug-log-tid' + This option appends a thread ID to the PID in the log output. + +'--debug-assuan-log-cats CATS' + Changes the active Libassuan logging categories to CATS. The value + for CATS is an unsigned integer given in usual C-Syntax. A value + of 0 switches to a default category. If this option is not used + the categories are taken from the environment variable + 'ASSUAN_DEBUG'. Note that this option has only an effect if the + Assuan debug flag has also been with the option '--debug'. For a + list of categories see the Libassuan manual. + +'--no-detach' + Don't detach the process from the console. This is mainly useful + for debugging. + +'--listen-backlog N' + Set the size of the queue for pending connections. The default is + 64. This option has an effect only if '--multi-server' is also + used. + +'--log-file FILE' + Append all logging output to FILE. This is very helpful in seeing + what the agent actually does. Use 'socket://' to log to socket. + +'--pcsc-shared' + Use shared mode to access the card via PC/SC. This is a somewhat + dangerous option because Scdaemon assumes exclusivbe access to teh + card and for example caches certain information from the card. Use + this option only if you know what you are doing. + +'--pcsc-driver LIBRARY' + Use LIBRARY to access the smartcard reader. The current default on + Unix is 'libpcsclite.so' and on Windows 'winscard.dll'. Instead of + using this option you might also want to install a symbolic link to + the default file name (e.g. from 'libpcsclite.so.1'). A Unicode + file name may not be used on Windows. + +'--ctapi-driver LIBRARY' + Use LIBRARY to access the smartcard reader. The current default is + 'libtowitoko.so'. Note that the use of this interface is + deprecated; it may be removed in future releases. + +'--disable-ccid' + Disable the integrated support for CCID compliant readers. This + allows falling back to one of the other drivers even if the + internal CCID driver can handle the reader. Note, that CCID + support is only available if libusb was available at build time. + +'--reader-port NUMBER_OR_STRING' + This option may be used to specify the port of the card terminal. + A value of 0 refers to the first serial device; add 32768 to access + USB devices. The default is 32768 (first USB device). PC/SC or + CCID readers might need a string here; run the program in verbose + mode to get a list of available readers. The default is then the + first reader found. + + To get a list of available CCID readers you may use this command: + echo scd getinfo reader_list \ + | gpg-connect-agent --decode | awk '/^D/ {print $2}' + +'--card-timeout N' + If N is not 0 and no client is actively using the card, the card + will be powered down after N seconds. Powering down the card + avoids a potential risk of damaging a card when used with certain + cheap readers. This also allows applications that are not aware of + Scdaemon to access the card. The disadvantage of using a card + timeout is that accessing the card takes longer and that the user + needs to enter the PIN again after the next power up. + + Note that with the current version of Scdaemon the card is powered + down immediately at the next timer tick for any value of N other + than 0. + +'--enable-pinpad-varlen' + Please specify this option when the card reader supports variable + length input for pinpad (default is no). For known readers (listed + in ccid-driver.c and apdu.c), this option is not needed. Note that + if your card reader doesn't supports variable length input but you + want to use it, you need to specify your pinpad request on your + card. + +'--disable-pinpad' + Even if a card reader features a pinpad, do not try to use it. + +'--deny-admin' + This option disables the use of admin class commands for card + applications where this is supported. Currently we support it for + the OpenPGP card. This option is useful to inhibit accidental + access to admin class command which could ultimately lock the card + through wrong PIN numbers. Note that GnuPG versions older than + 2.0.11 featured an '--allow-admin' option which was required to use + such admin commands. This option has no more effect today because + the default is now to allow admin commands. + +'--disable-application NAME' + This option disables the use of the card application named NAME. + This is mainly useful for debugging or if a application with lower + priority should be used by default. + + All the long options may also be given in the configuration file +after stripping off the two leading dashes. + + +File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON + +6.3 Description of card applications +==================================== + +'scdaemon' supports the card applications as described below. + +* Menu: + +* OpenPGP Card:: The OpenPGP card application +* NKS Card:: The Telesec NetKey card application +* DINSIG Card:: The DINSIG card application +* PKCS#15 Card:: The PKCS#15 card application +* Geldkarte Card:: The Geldkarte application +* SmartCard-HSM:: The SmartCard-HSM application +* Undefined Card:: The Undefined stub application + + +File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications + +6.3.1 The OpenPGP card application "openpgp" +-------------------------------------------- + +This application is currently only used by 'gpg' but may in future also +be useful with 'gpgsm'. Version 1 and version 2 of the card is +supported. + +The specifications for these cards are available at +<http://g10code.com/docs/openpgp-card-1.0.pdf> and +<http://g10code.com/docs/openpgp-card-2.0.pdf>. + + +File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications + +6.3.2 The Telesec NetKey card "nks" +----------------------------------- + +This is the main application of the Telesec cards as available in +Germany. It is a superset of the German DINSIG card. The card is used +by 'gpgsm'. + + +File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications + +6.3.3 The DINSIG card application "dinsig" +------------------------------------------ + +This is an application as described in the German draft standard _DIN V +66291-1_. It is intended to be used by cards supporting the German +signature law and its bylaws (SigG and SigV). + + +File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications + +6.3.4 The PKCS#15 card application "p15" +---------------------------------------- + +This is common framework for smart card applications. It is used by +'gpgsm'. + + +File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications + +6.3.5 The Geldkarte card application "geldkarte" +------------------------------------------------ + +This is a simple application to display information of a German +Geldkarte. The Geldkarte is a small amount debit card application which +comes with almost all German banking cards. + + +File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications + +6.3.6 The SmartCard-HSM card application "sc-hsm" +------------------------------------------------- + +This application adds read-only support for keys and certificates stored +on a SmartCard-HSM (http://www.smartcard-hsm.com). + + To generate keys and store certificates you may use OpenSC +(https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from +OpenSCDP (http://www.openscdp.org). + + The SmartCard-HSM cards requires a card reader that supports Extended +Length APDUs. + + +File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications + +6.3.7 The Undefined card application "undefined" +------------------------------------------------ + +This is a stub application to allow the use of the APDU command even if +no supported application is found on the card. This application is not +used automatically but must be explicitly requested using the SERIALNO +command. + + +File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON + +6.4 Configuration files +======================= + +There are a few configuration files to control certain aspects of +'scdaemons''s operation. Unless noted, they are expected in the current +home directory (*note option --homedir::). + +'scdaemon.conf' + This is the standard configuration file read by 'scdaemon' on + startup. It may contain any valid long option; the leading two + dashes may not be entered and the option may not be abbreviated. + This default name may be changed on the command line (*note option + --options::). + +'scd-event' + If this file is present and executable, it will be called on every + card reader's status change. An example of this script is provided + with the distribution + +'reader_N.status' + This file is created by 'scdaemon' to let other applications now + about reader status changes. Its use is now deprecated in favor of + 'scd-event'. + + +File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON + +6.5 Examples +============ + + $ scdaemon --server -v + + +File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON + +6.6 Scdaemon's Assuan Protocol +============================== + +The SC-Daemon should be started by the system to provide access to +external tokens. Using Smartcards on a multi-user system does not make +much sense except for system services, but in this case no regular user +accounts are hosted on the machine. + + A client connects to the SC-Daemon by connecting to the socket named +'/usr/local/var/run/gnupg/scdaemon/socket', configuration information is +read from /ETC/GNUPG/SCDAEMON.CONF + + Each connection acts as one session, SC-Daemon takes care of +synchronizing access to a token between sessions. + +* Menu: + +* Scdaemon SERIALNO:: Return the serial number. +* Scdaemon LEARN:: Read all useful information from the card. +* Scdaemon READCERT:: Return a certificate. +* Scdaemon READKEY:: Return a public key. +* Scdaemon PKSIGN:: Signing data with a Smartcard. +* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard. +* Scdaemon GETATTR:: Read an attribute's value. +* Scdaemon SETATTR:: Update an attribute's value. +* Scdaemon WRITEKEY:: Write a key to a card. +* Scdaemon GENKEY:: Generate a new key on-card. +* Scdaemon RANDOM:: Return random bytes generated on-card. +* Scdaemon PASSWD:: Change PINs. +* Scdaemon CHECKPIN:: Perform a VERIFY operation. +* Scdaemon RESTART:: Restart connection +* Scdaemon APDU:: Send a verbatim APDU to the card + + +File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol + +6.6.1 Return the serial number +------------------------------ + +This command should be used to check for the presence of a card. It is +special in that it can be used to reset the card. Most other commands +will return an error when a card change has been detected and the use of +this function is therefore required. + + Background: We want to keep the client clear of handling card changes +between operations; i.e. the client can assume that all operations are +done on the same card unless he call this function. + + SERIALNO + + Return the serial number of the card using a status response like: + + S SERIALNO D27600000000000000000000 + + The serial number is the hex encoded value identified by the '0x5A' +tag in the GDO file (FIX=0x2F02). + + +File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol + +6.6.2 Read all useful information from the card +----------------------------------------------- + + LEARN [--force] + + Learn all useful information of the currently inserted card. When +used without the '--force' option, the command might do an INQUIRE like +this: + + INQUIRE KNOWNCARDP <hexstring_with_serialNumber> + + The client should just send an 'END' if the processing should go on +or a 'CANCEL' to force the function to terminate with a cancel error +message. The response of this command is a list of status lines +formatted as this: + + S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID + + If there is no certificate yet stored on the card a single "X" is +returned in HEXSTRING_WITH_KEYGRIP. + + +File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol + +6.6.3 Return a certificate +-------------------------- + + READCERT HEXIFIED_CERTID|KEYID + + This function is used to read a certificate identified by +HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3' +may be used to read the certificate of version 2 cards. + + +File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol + +6.6.4 Return a public key +------------------------- + + READKEY HEXIFIED_CERTID + + Return the public key for the given cert or key ID as an standard +S-Expression. + + +File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol + +6.6.5 Signing data with a Smartcard +----------------------------------- + +To sign some data the caller should use the command + + SETDATA HEXSTRING + + to tell 'scdaemon' about the data to be signed. The data must be +given in hex notation. The actual signing is done using the command + + PKSIGN KEYID + + where KEYID is the hexified ID of the key to be used. The key id may +have been retrieved using the command 'LEARN'. If another hash +algorithm than SHA-1 is used, that algorithm may be given like: + + PKSIGN --hash=ALGONAME KEYID + + With ALGONAME are one of 'sha1', 'rmd160' or 'md5'. + + +File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol + +6.6.6 Decrypting data with a Smartcard +-------------------------------------- + +To decrypt some data the caller should use the command + + SETDATA HEXSTRING + + to tell 'scdaemon' about the data to be decrypted. The data must be +given in hex notation. The actual decryption is then done using the +command + + PKDECRYPT KEYID + + where KEYID is the hexified ID of the key to be used. + + If the card is aware of the apdding format a status line with padding +information is send before the plaintext data. The key for this status +line is 'PADDING' with the only defined value being 0 and meaning +padding has been removed. + + +File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol + +6.6.7 Read an attribute's value +------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol + +6.6.8 Update an attribute's value +--------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol + +6.6.9 Write a key to a card +--------------------------- + + WRITEKEY [--force] KEYID + + This command is used to store a secret key on a smartcard. The +allowed keyids depend on the currently selected smartcard application. +The actual keydata is requested using the inquiry 'KEYDATA' and need to +be provided without any protection. With '--force' set an existing key +under this KEYID will get overwritten. The key data is expected to be +the usual canonical encoded S-expression. + + A PIN will be requested in most cases. This however depends on the +actual card application. + + +File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol + +6.6.10 Generate a new key on-card +--------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol + +6.6.11 Return random bytes generated on-card +-------------------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol + +6.6.12 Change PINs +------------------ + + PASSWD [--reset] [--nullpin] CHVNO + + Change the PIN or reset the retry counter of the card holder +verification vector number CHVNO. The option '--nullpin' is used to +initialize the PIN of TCOS cards (6 byte NullPIN only). + + +File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol + +6.6.13 Perform a VERIFY operation +--------------------------------- + + CHECKPIN IDSTR + + Perform a VERIFY operation without doing anything else. This may be +used to initialize a the PIN cache earlier to long lasting operations. +Its use is highly application dependent: + +*OpenPGP* + + Perform a simple verify operation for CHV1 and CHV2, so that + further operations won't ask for CHV2 and it is possible to do a + cheap check on the PIN: If there is something wrong with the PIN + entry system, only the regular CHV will get blocked and not the + dangerous CHV3. IDSTR is the usual card's serial number in hex + notation; an optional fingerprint part will get ignored. + + There is however a special mode if IDSTR is suffixed with the + literal string '[CHV3]': In this case the Admin PIN is checked if + and only if the retry counter is still at 3. + + +File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol + +6.6.14 Perform a RESTART operation +---------------------------------- + + RESTART + + Restart the current connection; this is a kind of warm reset. It +deletes the context used by this connection but does not actually reset +the card. + + This is used by gpg-agent to reuse a primary pipe connection and may +be used by clients to backup from a conflict in the serial command; i.e. +to select another application. + + +File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol + +6.6.15 Send a verbatim APDU to the card +--------------------------------------- + + APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING] + + Send an APDU to the current reader. This command bypasses the high +level functions and sends the data directly to the card. HEXSTRING is +expected to be a proper APDU. If HEXSTRING is not given no commands are +send to the card; However the command will implicitly check whether the +card is ready for use. + + Using the option '--atr' returns the ATR of the card as a status +message before any data like this: + S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1 + + Using the option '--more' handles the card status word MORE_DATA +(61xx) and concatenate all responses to one block. + + Using the option '--exlen' the returned APDU may use extended length +up to N bytes. If N is not given a default value is used (currently +4096). + + +File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top + +7 How to Specify a User Id +************************** + +There are different ways to specify a user ID to GnuPG. Some of them are +only valid for 'gpg' others are only good for 'gpgsm'. Here is the +entire list of ways to specify a key: + + * By key Id. This format is deduced from the length of the string + and its content or '0x' prefix. The key Id of an X.509 certificate + are the low 64 bits of its SHA-1 fingerprint. The use of key Ids + is just a shortcut, for all automated processing the fingerprint + should be used. + + When using 'gpg' an exclamation mark (!) may be appended to force + using the specified primary or secondary key and not to try and + calculate which primary or secondary key to use. + + The last four lines of the example give the key ID in their long + form as internally used by the OpenPGP protocol. You can see the + long key ID using the option '--with-colons'. + + 234567C4 + 0F34E556E + 01347A56A + 0xAB123456 + + 234AABBCC34567C4 + 0F323456784E56EAB + 01AB3FED1347A5612 + 0x234AABBCC34567C4 + + * By fingerprint. This format is deduced from the length of the + string and its content or the '0x' prefix. Note, that only the 20 + byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1 + hash of the certificate). + + When using 'gpg' an exclamation mark (!) may be appended to force + using the specified primary or secondary key and not to try and + calculate which primary or secondary key to use. + + The best way to specify a key Id is by using the fingerprint. This + avoids any ambiguities in case that there are duplicated key IDs. + + 1234343434343434C434343434343434 + 123434343434343C3434343434343734349A3434 + 0E12343434343434343434EAB3484343434343434 + 0xE12343434343434343434EAB3484343434343434 + + 'gpgsm' also accepts colons between each pair of hexadecimal digits + because this is the de-facto standard on how to present X.509 + fingerprints. 'gpg' also allows the use of the space separated + SHA-1 fingerprint as printed by the key listing commands. + + * By exact match on OpenPGP user ID. This is denoted by a leading + equal sign. It does not make sense for X.509 certificates. + + =Heinrich Heine <heinrichh@uni-duesseldorf.de> + + * By exact match on an email address. This is indicated by enclosing + the email address in the usual way with left and right angles. + + <heinrichh@uni-duesseldorf.de> + + * By partial match on an email address. This is indicated by + prefixing the search string with an '@'. This uses a substring + search but considers only the mail address (i.e. inside the angle + brackets). + + @heinrichh + + * By exact match on the subject's DN. This is indicated by a leading + slash, directly followed by the RFC-2253 encoded DN of the subject. + Note that you can't use the string printed by 'gpgsm --list-keys' + because that one has been reordered and modified for better + readability; use '--with-colons' to print the raw (but standard + escaped) RFC-2253 string. + + /CN=Heinrich Heine,O=Poets,L=Paris,C=FR + + * By exact match on the issuer's DN. This is indicated by a leading + hash mark, directly followed by a slash and then directly followed + by the RFC-2253 encoded DN of the issuer. This should return the + Root cert of the issuer. See note above. + + #/CN=Root Cert,O=Poets,L=Paris,C=FR + + * By exact match on serial number and issuer's DN. This is indicated + by a hash mark, followed by the hexadecimal representation of the + serial number, then followed by a slash and the RFC-2253 encoded DN + of the issuer. See note above. + + #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR + + * By keygrip. This is indicated by an ampersand followed by the 40 + hex digits of a keygrip. 'gpgsm' prints the keygrip when using the + command '--dump-cert'. + + &D75F22C3F86E355877348498CDC92BD21010A480 + + * By substring match. This is the default mode but applications may + want to explicitly indicate this by putting the asterisk in front. + Match is not case sensitive. + + Heine + *Heine + + * . and + prefixes These prefixes are reserved for looking up mails + anchored at the end and for a word search mode. They are not yet + implemented and using them is undefined. + + Please note that we have reused the hash mark identifier which was +used in old GnuPG versions to indicate the so called local-id. It is +not anymore used and there should be no conflict when used with X.509 +stuff. + + Using the RFC-2253 format of DNs has the drawback that it is not +possible to map them back to the original encoding, however we don't +have to do this because our key database stores this encoding as meta +data. + + +File: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top + +8 Trust Values +************** + +Trust values are used to indicate ownertrust and validity of keys and +user IDs. They are displayed with letters or strings: + +- +unknown + No ownertrust assigned / not yet calculated. + +e +expired + + Trust calculation has failed; probably due to an expired key. + +q +undefined, undef + Not enough information for calculation. + +n +never + Never trust this key. + +m +marginal + Marginally trusted. + +f +full + Fully trusted. + +u +ultimate + Ultimately trusted. + +r +revoked + For validity only: the key or the user ID has been revoked. + +? +err + The program encountered an unknown trust value. + + +File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top + +9 Helper Tools +************** + +GnuPG comes with a couple of smaller tools: + +* Menu: + +* watchgnupg:: Read logs from a socket. +* gpgv:: Verify OpenPGP signatures. +* addgnupghome:: Create .gnupg home directories. +* gpgconf:: Modify .gnupg home directories. +* applygnupgdefaults:: Run gpgconf for all users. +* gpg-preset-passphrase:: Put a passphrase into the cache. +* gpg-connect-agent:: Communicate with a running agent. +* dirmngr-client:: How to use the Dirmngr client tool. +* gpgparsemail:: Parse a mail message into an annotated format +* gpgtar:: Encrypt or sign files into an archive. +* gpg-check-pattern:: Check a passphrase on stdin against the patternfile. + + +File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools + +9.1 Read logs from a socket +=========================== + +Most of the main utilities are able to write their log files to a Unix +Domain socket if configured that way. 'watchgnupg' is a simple listener +for such a socket. It ameliorates the output with a time stamp and +makes sure that long lines are not interspersed with log output from +other utilities. This tool is not available for Windows. + +'watchgnupg' is commonly invoked as + + watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log + +This starts it on the current terminal for listening on the standard +logging socket (which is either '~/.gnupg/S.log' or +'/var/run/user/UID/gnupg/S.log'). + +'watchgnupg' understands these options: + +'--force' + Delete an already existing socket file. + +'--tcp N' + Instead of reading from a local socket, listen for connects on TCP + port N. + +'--time-only' + Do not print the date part of the timestamp. + +'--verbose' + Enable extra informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +Examples +******** + + $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log + + This waits for connections on the local socket (e.g. +'/home/foo/.gnupg/S.log') and shows all log entries. To make this work +the option 'log-file' needs to be used with all modules which logs are +to be shown. The suggested entry for the configuration files is: + + log-file socket:// + + If the default socket as given above and returned by "echo $(gpgconf +-list-dirs socketdir)/S.log" is not desired an arbitrary socket name can +be specified, for example 'socket:///home/foo/bar/mysocket'. For +debugging purposes it is also possible to do remote logging. Take care +if you use this feature because the information is send in the clear +over the network. Use this syntax in the conf files: + + log-file tcp://192.168.1.1:4711 + + You may use any port and not just 4711 as shown above; only IP +addresses are supported (v4 and v6) and no host names. You need to +start 'watchgnupg' with the 'tcp' option. Note that under Windows the +registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to +change the default log output from 'stderr' to whatever is given by that +entry. However the only useful entry is a TCP name for remote +debugging. + + +File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools + +9.2 Verify OpenPGP signatures +============================= + +'gpgv' is an OpenPGP signature verification tool. + + This program is actually a stripped-down version of 'gpg' which is +only able to check signatures. It is somewhat smaller than the +fully-blown 'gpg' and uses a different (and simpler) way to check that +the public keys used to make the signature are valid. There are no +configuration files and only a few options are implemented. + + 'gpgv' assumes that all keys in the keyring are trustworthy. That +does also mean that it does not check for expired or revoked keys. + + If no '--keyring' option is given, 'gpgv' looks for a "default" +keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the +home directory of GnuPG, either the default home directory or the one +set by the '--homedir' option or the 'GNUPGHOME' environment variable. +If any '--keyring' option is used, 'gpgv' will not look for the default +keyring. The '--keyring' option may be used multiple times and all +specified keyrings will be used together. + + + 'gpgv' recognizes these options: + +'--verbose' +'-v' + Gives more information during processing. If used twice, the input + data is listed in detail. + +'--quiet' +'-q' + Try to be as quiet as possible. + +'--keyring FILE' + Add FILE to the list of keyrings. If FILE begins with a tilde and + a slash, these are replaced by the HOME directory. If the filename + does not contain a slash, it is assumed to be in the home-directory + ("~/.gnupg" if -homedir is not used). + +'--output FILE' +'-o FILE' + Write output to FILE; to write to stdout use '-'. This option can + be used to get the signed text from a cleartext or binary + signature; it also works for detached signatures, but in that case + this option is in general not useful. Note that an existing file + will be overwritten. + +'--status-fd N' + Write special status strings to the file descriptor N. See the + file DETAILS in the documentation for a listing of them. + +'--logger-fd n' + Write log output to file descriptor 'n' and not to stderr. + +'--log-file file' + Same as '--logger-fd', except the logger data is written to file + 'file'. Use 'socket://' to log to socket. + +'--ignore-time-conflict' + GnuPG normally checks that the timestamps associated with keys and + signatures have plausible values. However, sometimes a signature + seems to be older than the key due to clock problems. This option + turns these checks into warnings. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'--weak-digest name' + Treat the specified digest algorithm as weak. Signatures made over + weak digests algorithms are normally rejected. This option can be + supplied multiple times if multiple algorithms should be considered + weak. MD5 is always considered weak, and does not need to be + listed explicitly. + +'--enable-special-filenames' + This option enables a mode in which filenames of the form '-&n', + where n is a non-negative decimal number, refer to the file + descriptor n and not to a file with that name. + + The program returns 0 if everything is fine, 1 if at least one +signature was bad, and other error codes for fatal errors. + +9.2.1 Examples +-------------- + +gpgv 'pgpfile' +gpgv 'sigfile' ['datafile'] + Verify the signature of the file. The second form is used for + detached signatures, where 'sigfile' is the detached signature + (either ASCII-armored or binary) and 'datafile' contains the signed + data; if 'datafile' is "-" the signed data is expected on 'stdin'; + if 'datafile' is not given the name of the file holding the signed + data is constructed by cutting off the extension (".asc", ".sig" or + ".sign") from 'sigfile'. + +9.2.2 Environment +----------------- + +HOME + Used to locate the default home directory. + +GNUPGHOME + If set directory used instead of "~/.gnupg". + +9.2.3 FILES +----------- + +~/.gnupg/trustedkeys.gpg + The default keyring with the allowed keys. + + 'gpg'(1) + + +File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools + +9.3 Create .gnupg home directories +================================== + +If GnuPG is installed on a system with existing user accounts, it is +sometimes required to populate the GnuPG home directory with existing +files. Especially a 'trustlist.txt' and a keybox with some initial +certificates are often desired. This script helps to do this by copying +all files from '/etc/skel/.gnupg' to the home directories of the +accounts given on the command line. It takes care not to overwrite +existing GnuPG home directories. + +'addgnupghome' is invoked by root as: + + addgnupghome account1 account2 ... accountn + + +File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools + +9.4 Modify .gnupg home directories +================================== + +The 'gpgconf' is a utility to automatically and reasonable safely query +and modify configuration files in the '.gnupg' home directory. It is +designed not to be invoked manually by the user, but automatically by +graphical user interfaces (GUI).(1) + + 'gpgconf' provides access to the configuration of one or more +components of the GnuPG system. These components correspond more or +less to the programs that exist in the GnuPG framework, like GPG, GPGSM, +DirMngr, etc. But this is not a strict one-to-one relationship. Not +all configuration options are available through 'gpgconf'. 'gpgconf' +provides a generic and abstract method to access the most important +configuration options that can feasibly be controlled via such a +mechanism. + + 'gpgconf' can be used to gather and change the options available in +each component, and can also provide their default values. 'gpgconf' +will give detailed type information that can be used to restrict the +user's input without making an attempt to commit the changes. + + 'gpgconf' provides the backend of a configuration editor. The +configuration editor would usually be a graphical user interface program +that displays the current options, their default values, and allows the +user to make changes to the options. These changes can then be made +active with 'gpgconf' again. Such a program that uses 'gpgconf' in this +way will be called GUI throughout this section. + +* Menu: + +* Invoking gpgconf:: List of all commands and options. +* Format conventions:: Formatting conventions relevant for all commands. +* Listing components:: List all gpgconf components. +* Checking programs:: Check all programs known to gpgconf. +* Listing options:: List all options of a component. +* Changing options:: Changing options of a component. +* Listing global options:: List all global options. +* Querying versions:: Get and compare software versions. +* Files used by gpgconf:: What files are used by gpgconf. + + ---------- Footnotes ---------- + + (1) Please note that currently no locking is done, so concurrent +access should be avoided. There are some precautions to avoid +corruption with concurrent usage, but results may be inconsistent and +some changes may get lost. The stateless design makes it difficult to +provide more guarantees. + + +File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf + +9.4.1 Invoking gpgconf +---------------------- + +One of the following commands must be given: + +'--list-components' + List all components. This is the default command used if none is + specified. + +'--check-programs' + List all available backend programs and test whether they are + runnable. + +'--list-options COMPONENT' + List all options of the component COMPONENT. + +'--change-options COMPONENT' + Change the options of the component COMPONENT. + +'--check-options COMPONENT' + Check the options for the component COMPONENT. + +'--apply-profile FILE' + Apply the configuration settings listed in FILE to the + configuration files. If FILE has no suffix and no slashes the + command first tries to read a file with the suffix '.prf' from the + data directory ('gpgconf --list-dirs datadir') before it reads the + file verbatim. A profile is divided into sections using the + bracketed component name. Each section then lists the option which + shall go into the respective configuration file. + +'--apply-defaults' + Update all configuration files with values taken from the global + configuration file (usually '/etc/gnupg/gpgconf.conf'). Note: This + is a legacy mechanism. Please use global configuraion files + instead. + +'--list-dirs [NAMES]' +'-L' + Lists the directories used by 'gpgconf'. One directory is listed + per line, and each line consists of a colon-separated list where + the first field names the directory type (for example 'sysconfdir') + and the second field contains the percent-escaped directory. + Although they are not directories, the socket file names used by + 'gpg-agent' and 'dirmngr' are printed as well. Note that the + socket file names and the 'homedir' lines are the default names and + they may be overridden by command line switches. If NAMES are + given only the directories or file names specified by the list + names are printed without any escaping. + +'--list-config [FILENAME]' + List the global configuration file in a colon separated format. If + FILENAME is given, check that file instead. + +'--check-config [FILENAME]' + Run a syntax check on the global configuration file. If FILENAME + is given, check that file instead. + +'--query-swdb PACKAGE_NAME [VERSION_STRING]' + Returns the current version for PACKAGE_NAME and if VERSION_STRING + is given also an indicator on whether an update is available. The + actual file with the software version is automatically downloaded + and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid + download the file too often and it does this by default only if it + can be done via Tor. To force an update of that file this command + can be used: + + gpg-connect-agent --dirmngr 'loadswdb --force' /bye + +'--reload [COMPONENT]' +'-R' + Reload all or the given component. This is basically the same as + sending a SIGHUP to the component. Components which don't support + reloading are ignored. Without COMPONENT or by using "all" for + COMPONENT all components which are daemons are reloaded. + +'--launch [COMPONENT]' + If the COMPONENT is not already running, start it. 'component' + must be a daemon. This is in general not required because the + system starts these daemons as needed. However, external software + making direct use of 'gpg-agent' or 'dirmngr' may use this command + to ensure that they are started. Using "all" for COMPONENT + launches all components which are daemons. + +'--kill [COMPONENT]' +'-K' + Kill the given component that runs as a daemon, including + 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does + not run as a daemon will be ignored. Using "all" for COMPONENT + kills all components running as daemons. Note that as of now + reload and kill have the same effect for 'scdaemon'. + +'--create-socketdir' + Create a directory for sockets below /run/user or /var/run/user. + This is command is only required if a non default home directory is + used and the /run based sockets shall be used. For the default + home directory GnUPG creates a directory on the fly. + +'--remove-socketdir' + Remove a directory created with command '--create-socketdir'. + + The following options may be used: + +'-o FILE' +'--output FILE' + Write output to FILE. Default is to write to stdout. + +'-v' +'--verbose' + Outputs additional information while running. Specifically, this + extends numerical field values by human-readable descriptions. + +'-q' +'--quiet' + Try to be as quiet as possible. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-n' +'--dry-run' + Do not actually change anything. This is currently only + implemented for '--change-options' and can be used for testing + purposes. + +'-r' +'--runtime' + Only used together with '--change-options'. If one of the modified + options can be changed in a running daemon process, signal the + running daemon to ask it to reparse its configuration file after + changing. + + This means that the changes will take effect at run-time, as far as + this is possible. Otherwise, they will take effect at the next + start of the respective backend programs. + +'--status-fd N' + Write special status strings to the file descriptor N. This + program returns the status messages SUCCESS or FAILURE which are + helpful when the caller uses a double fork approach and can't + easily get the return code of the process. + + +File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf + +9.4.2 Format conventions +------------------------ + +Some lines in the output of 'gpgconf' contain a list of colon-separated +fields. The following conventions apply: + + * The GUI program is required to strip off trailing newline and/or + carriage return characters from the output. + + * 'gpgconf' will never leave out fields. If a certain version + provides a certain field, this field will always be present in all + 'gpgconf' versions from that time on. + + * Future versions of 'gpgconf' might append fields to the list. New + fields will always be separated from the previously last field by a + colon separator. The GUI should be prepared to parse the last + field it knows about up until a colon or end of line. + + * Not all fields are defined under all conditions. You are required + to ignore the content of undefined fields. + + There are several standard types for the content of a field: + +verbatim + Some fields contain strings that are not escaped in any way. Such + fields are described to be used _verbatim_. These fields will + never contain a colon character (for obvious reasons). No + de-escaping or other formatting is required to use the field + content. This is for easy parsing of the output, when it is known + that the content can never contain any special characters. + +percent-escaped + Some fields contain strings that are described to be + _percent-escaped_. Such strings need to be de-escaped before their + content can be presented to the user. A percent-escaped string is + de-escaped by replacing all occurrences of '%XY' by the byte that + has the hexadecimal value 'XY'. 'X' and 'Y' are from the set + '0-9a-f'. + +localized + Some fields contain strings that are described to be _localized_. + Such strings are translated to the active language and formatted in + the active character set. + +unsigned number + Some fields contain an _unsigned number_. This number will always + fit into a 32-bit unsigned integer variable. The number may be + followed by a space, followed by a human readable description of + that value (if the verbose option is used). You should ignore + everything in the field that follows the number. + +signed number + Some fields contain a _signed number_. This number will always fit + into a 32-bit signed integer variable. The number may be followed + by a space, followed by a human readable description of that value + (if the verbose option is used). You should ignore everything in + the field that follows the number. + +boolean value + Some fields contain a _boolean value_. This is a number with + either the value 0 or 1. The number may be followed by a space, + followed by a human readable description of that value (if the + verbose option is used). You should ignore everything in the field + that follows the number; checking just the first character is + sufficient in this case. + +option + Some fields contain an _option_ argument. The format of an option + argument depends on the type of the option and on some flags: + + no argument + The simplest case is that the option does not take an argument + at all (TYPE '0'). Then the option argument is an unsigned + number that specifies how often the option occurs. If the + 'list' flag is not set, then the only valid number is '1'. + Options that do not take an argument never have the 'default' + or 'optional arg' flag set. + + number + If the option takes a number argument (ALT-TYPE is '2' or + '3'), and it can only occur once ('list' flag is not set), + then the option argument is either empty (only allowed if the + argument is optional), or it is a number. A number is a + string that begins with an optional minus character, followed + by one or more digits. The number must fit into an integer + variable (unsigned or signed, depending on ALT-TYPE). + + number list + If the option takes a number argument and it can occur more + than once, then the option argument is either empty, or it is + a comma-separated list of numbers as described above. + + string + If the option takes a string argument (ALT-TYPE is 1), and it + can only occur once ('list' flag is not set) then the option + argument is either empty (only allowed if the argument is + optional), or it starts with a double quote character ('"') + followed by a percent-escaped string that is the argument + value. Note that there is only a leading double quote + character, no trailing one. The double quote character is + only needed to be able to differentiate between no value and + the empty string as value. + + string list + If the option takes a string argument and it can occur more + than once, then the option argument is either empty, or it is + a comma-separated list of string arguments as described above. + + The active language and character set are currently determined from +the locale environment of the 'gpgconf' program. + + +File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf + +9.4.3 Listing components +------------------------ + +The command '--list-components' will list all components that can be +configured with 'gpgconf'. Usually, one component will correspond to +one GnuPG-related program and contain the options of that program's +configuration file that can be modified using 'gpgconf'. However, this +is not necessarily the case. A component might also be a group of +selected options from several programs, or contain entirely virtual +options that have a special effect rather than changing exactly one +option in one configuration file. + + A component is a set of configuration options that semantically +belong together. Furthermore, several changes to a component can be +made in an atomic way with a single operation. The GUI could for +example provide a menu with one entry for each component, or a window +with one tabulator sheet per component. + + The command '--list-components' lists all available components, one +per line. The format of each line is: + + 'NAME:DESCRIPTION:PGMNAME:' + +NAME + This field contains a name tag of the component. The name tag is + used to specify the component in all communication with 'gpgconf'. + The name tag is to be used _verbatim_. It is thus not in any + escaped format. + +DESCRIPTION + The _string_ in this field contains a human-readable description of + the component. It can be displayed to the user of the GUI for + informational purposes. It is _percent-escaped_ and _localized_. + +PGMNAME + The _string_ in this field contains the absolute name of the + program's file. It can be used to unambiguously invoke that + program. It is _percent-escaped_. + + Example: + $ gpgconf --list-components + gpg:GPG for OpenPGP:/usr/local/bin/gpg2: + gpg-agent:GPG Agent:/usr/local/bin/gpg-agent: + scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon: + gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm: + dirmngr:Directory Manager:/usr/local/bin/dirmngr: + + +File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf + +9.4.4 Checking programs +----------------------- + +The command '--check-programs' is similar to '--list-components' but +works on backend programs and not on components. It runs each program +to test whether it is installed and runnable. This also includes a +syntax check of all config file options of the program. + + The command '--check-programs' lists all available programs, one per +line. The format of each line is: + + 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:' + +NAME + This field contains a name tag of the program which is identical to + the name of the component. The name tag is to be used _verbatim_. + It is thus not in any escaped format. This field may be empty to + indicate a continuation of error descriptions for the last name. + The description and pgmname fields are then also empty. + +DESCRIPTION + The _string_ in this field contains a human-readable description of + the component. It can be displayed to the user of the GUI for + informational purposes. It is _percent-escaped_ and _localized_. + +PGMNAME + The _string_ in this field contains the absolute name of the + program's file. It can be used to unambiguously invoke that + program. It is _percent-escaped_. + +AVAIL + The _boolean value_ in this field indicates whether the program is + installed and runnable. + +OKAY + The _boolean value_ in this field indicates whether the program's + config file is syntactically okay. + +CFGFILE + If an error occurred in the configuration file (as indicated by a + false value in the field 'okay'), this field has the name of the + failing configuration file. It is _percent-escaped_. + +LINE + If an error occurred in the configuration file, this field has the + line number of the failing statement in the configuration file. It + is an _unsigned number_. + +ERROR + If an error occurred in the configuration file, this field has the + error text of the failing statement in the configuration file. It + is _percent-escaped_ and _localized_. + +In the following example the 'dirmngr' is not runnable and the +configuration file of 'scdaemon' is not okay. + + $ gpgconf --check-programs + gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1: + gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1: + scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0: + gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1: + dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0: + +The command '--check-options COMPONENT' will verify the configuration +file in the same manner as '--check-programs', but only for the +component COMPONENT. + + +File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf + +9.4.5 Listing options +--------------------- + +Every component contains one or more options. Options may be gathered +into option groups to allow the GUI to give visual hints to the user +about which options are related. + + The command '--list-options COMPONENT' lists all options (and the +groups they belong to) in the component COMPONENT, one per line. +COMPONENT must be the string in the field NAME in the output of the +'--list-components' command. + + Take care if system-wide options are used: gpgconf may not be able to +properly show the options and the listed options may have no actual +effect in case the system-wide options enforced their own settings. + + There is one line for each option and each group. First come all +options that are not in any group. Then comes a line describing a +group. Then come all options that belong into each group. Then comes +the next group and so on. There does not need to be any group (and in +this case the output will stop after the last non-grouped option). + + The format of each line is: + + 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE' + +NAME + This field contains a name tag for the group or option. The name + tag is used to specify the group or option in all communication + with 'gpgconf'. The name tag is to be used _verbatim_. It is thus + not in any escaped format. + +FLAGS + The flags field contains an _unsigned number_. Its value is the + OR-wise combination of the following flag values: + + 'group (1)' + If this flag is set, this is a line describing a group and not + an option. + + The following flag values are only defined for options (that is, if + the 'group' flag is not used). + + 'optional arg (2)' + If this flag is set, the argument is optional. This is never + set for TYPE '0' (none) options. + + 'list (4)' + If this flag is set, the option can be given multiple times. + + 'runtime (8)' + If this flag is set, the option can be changed at runtime. + + 'default (16)' + If this flag is set, a default value is available. + + 'default desc (32)' + If this flag is set, a (runtime) default is available. This + and the 'default' flag are mutually exclusive. + + 'no arg desc (64)' + If this flag is set, and the 'optional arg' flag is set, then + the option has a special meaning if no argument is given. + + 'no change (128)' + If this flag is set, 'gpgconf' ignores requests to change the + value. GUI frontends should grey out this option. Note, that + manual changes of the configuration files are still possible. + +LEVEL + This field is defined for options and for groups. It contains an + _unsigned number_ that specifies the expert level under which this + group or option should be displayed. The following expert levels + are defined for options (they have analogous meaning for groups): + + 'basic (0)' + This option should always be offered to the user. + + 'advanced (1)' + This option may be offered to advanced users. + + 'expert (2)' + This option should only be offered to expert users. + + 'invisible (3)' + This option should normally never be displayed, not even to + expert users. + + 'internal (4)' + This option is for internal use only. Ignore it. + + The level of a group will always be the lowest level of all options + it contains. + +DESCRIPTION + This field is defined for options and groups. The _string_ in this + field contains a human-readable description of the option or group. + It can be displayed to the user of the GUI for informational + purposes. It is _percent-escaped_ and _localized_. + +TYPE + This field is only defined for options. It contains an _unsigned + number_ that specifies the type of the option's argument, if any. + The following types are defined: + + Basic types: + + 'none (0)' + No argument allowed. + + 'string (1)' + An _unformatted string_. + + 'int32 (2)' + A _signed number_. + + 'uint32 (3)' + An _unsigned number_. + + Complex types: + + 'pathname (32)' + A _string_ that describes the pathname of a file. The file + does not necessarily need to exist. + + 'ldap server (33)' + A _string_ that describes an LDAP server in the format: + + 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN' + + 'key fingerprint (34)' + A _string_ with a 40 digit fingerprint specifying a + certificate. + + 'pub key (35)' + A _string_ that describes a certificate by user ID, key ID or + fingerprint. + + 'sec key (36)' + A _string_ that describes a certificate with a key by user ID, + key ID or fingerprint. + + 'alias list (37)' + A _string_ that describes an alias list, like the one used + with gpg's group option. The list consists of a key, an equal + sign and space separated values. + + More types will be added in the future. Please see the ALT-TYPE + field for information on how to cope with unknown types. + +ALT-TYPE + This field is identical to TYPE, except that only the types '0' to + '31' are allowed. The GUI is expected to present the user the + option in the format specified by TYPE. But if the argument type + TYPE is not supported by the GUI, it can still display the option + in the more generic basic type ALT-TYPE. The GUI must support all + the defined basic types to be able to display all options. More + basic types may be added in future versions. If the GUI encounters + a basic type it doesn't support, it should report an error and + abort the operation. + +ARGNAME + This field is only defined for options with an argument type TYPE + that is not '0'. In this case it may contain a _percent-escaped_ + and _localized string_ that gives a short name for the argument. + The field may also be empty, though, in which case a short name is + not known. + +DEFAULT + This field is defined only for options for which the 'default' or + 'default desc' flag is set. If the 'default' flag is set, its + format is that of an _option argument_ (*note Format conventions::, + for details). If the default value is empty, then no default is + known. Otherwise, the value specifies the default value for this + option. If the 'default desc' flag is set, the field is either + empty or contains a description of the effect if the option is not + given. + +ARGDEF + This field is defined only for options for which the 'optional arg' + flag is set. If the 'no arg desc' flag is not set, its format is + that of an _option argument_ (*note Format conventions::, for + details). If the default value is empty, then no default is known. + Otherwise, the value specifies the default argument for this + option. If the 'no arg desc' flag is set, the field is either + empty or contains a description of the effect of this option if no + argument is given. + +VALUE + This field is defined only for options. Its format is that of an + _option argument_. If it is empty, then the option is not + explicitly set in the current configuration, and the default + applies (if any). Otherwise, it contains the current value of the + option. Note that this field is also meaningful if the option + itself does not take a real argument (in this case, it contains the + number of times the option appears). + + +File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf + +9.4.6 Changing options +---------------------- + +The command '--change-options COMPONENT' will attempt to change the +options of the component COMPONENT to the specified values. COMPONENT +must be the string in the field NAME in the output of the +'--list-components' command. You have to provide the options that shall +be changed in the following format on standard input: + + 'NAME:FLAGS:NEW-VALUE' + +NAME + This is the name of the option to change. NAME must be the string + in the field NAME in the output of the '--list-options' command. + +FLAGS + The flags field contains an _unsigned number_. Its value is the + OR-wise combination of the following flag values: + + 'default (16)' + If this flag is set, the option is deleted and the default + value is used instead (if applicable). + +NEW-VALUE + The new value for the option. This field is only defined if the + 'default' flag is not set. The format is that of an _option + argument_. If it is empty (or the field is omitted), the default + argument is used (only allowed if the argument is optional for this + option). Otherwise, the option will be set to the specified value. + +The output of the command is the same as that of '--check-options' for +the modified configuration file. + + Examples: + + To set the force option, which is of basic type 'none (0)': + + $ echo 'force:0:1' | gpgconf --change-options dirmngr + + To delete the force option: + + $ echo 'force:16:' | gpgconf --change-options dirmngr + + The '--runtime' option can influence when the changes take effect. + + +File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf + +9.4.7 Listing global options +---------------------------- + +Some legacy applications look at the global configuration file for the +gpgconf tool itself; this is the file 'gpgconf.conf'. Modern +applications should not use it but use per component global +configuration files which are more flexible than the 'gpgconf.conf'. +Using both files is not suggested. + + The colon separated listing format is record oriented and uses the +first field to identify the record type: + +'k' + This describes a key record to start the definition of a new + ruleset for a user/group. The format of a key record is: + + 'k:USER:GROUP:' + + USER + This is the user field of the key. It is percent escaped. + See the definition of the gpgconf.conf format for details. + + GROUP + This is the group field of the key. It is percent escaped. + +'r' + This describes a rule record. All rule records up to the next key + record make up a rule set for that key. The format of a rule + record is: + + 'r:::COMPONENT:OPTION:FLAG:VALUE:' + + COMPONENT + This is the component part of a rule. It is a plain string. + + OPTION + This is the option part of a rule. It is a plain string. + + FLAG + This is the flags part of a rule. There may be only one flag + per rule but by using the same component and option, several + flags may be assigned to an option. It is a plain string. + + VALUE + This is the optional value for the option. It is a percent + escaped string with a single quotation mark to indicate a + string. The quotation mark is only required to distinguish + between no value specified and an empty string. + +Unknown record types should be ignored. Note that there is +intentionally no feature to change the global option file through +'gpgconf'. + + +File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf + +9.4.8 Get and compare software versions. +---------------------------------------- + +The GnuPG Project operates a server to query the current versions of +software packages related to GnuPG. 'gpgconf' can be used to access this +online database. To allow for offline operations, this feature works by +having 'dirmngr' download a file from 'https://versions.gnupg.org', +checking the signature of that file and storing the file in the GnuPG +home directory. If 'gpgconf' is used and 'dirmngr' is running, it may +ask 'dirmngr' to refresh that file before itself uses the file. + + The command '--query-swdb' returns information for the given package +in a colon delimited format: + +NAME + This is the name of the package as requested. Note that "gnupg" is + a special name which is replaced by the actual package implementing + this version of GnuPG. For this name it is also not required to + specify a version because 'gpgconf' takes its own version in this + case. + +IVERSION + The currently installed version or an empty string. The value is + taken from the command line argument but may be provided by gpg if + not given. + +STATUS + The status of the software package according to this table: + '-' + No information available. This is either because no current + version has been specified or due to an error. + '?' + The given name is not known in the online database. + 'u' + An update of the software is available. + 'c' + The installed version of the software is current. + 'n' + The installed version is already newer than the released + version. + +URGENCY + If the value (the empty string should be considered as zero) is + greater than zero an important update is available. + +ERROR + This returns an 'gpg-error' error code to distinguish between + various failure modes. + +FILEDATE + This gives the date of the file with the version numbers in + standard ISO format ('yyyymmddThhmmss'). The date has been + extracted by 'dirmngr' from the signature of the file. + +VERIFIED + This gives the date in ISO format the file was downloaded. This + value can be used to evaluate the freshness of the information. + +VERSION + This returns the version string for the requested software from the + file. + +RELDATE + This returns the release date in ISO format. + +SIZE + This returns the size of the package as decimal number of bytes. + +HASH + This returns a hexified SHA-2 hash of the package. + +More fields may be added in future to the output. + + +File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf + +9.4.9 Files used by gpgconf +--------------------------- + +'/etc/gnupg/gpgconf.conf' + If this file exists, it is processed as a global configuration + file. This is a legacy mechanism which should not be used tigether + with the modern global per component configuration files. A + commented example can be found in the 'examples' directory of the + distribution. + +'GNUPGHOME/swdb.lst' + A file with current software versions. 'dirmngr' creates this file + on demand from an online resource. + + +File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools + +9.5 Run gpgconf for all users +============================= + +This is a legacy script. Modern application should use the per +component global configuration files under '/etc/gnupg/'. + + This script is a wrapper around 'gpgconf' to run it with the command +'--apply-defaults' for all real users with an existing GnuPG home +directory. Admins might want to use this script to update he GnuPG +configuration files for all users after '/etc/gnupg/gpgconf.conf' has +been changed. This allows enforcing certain policies for all users. +Note, that this is not a bulletproof way to force a user to use certain +options. A user may always directly edit the configuration files and +bypass gpgconf. + +'applygnupgdefaults' is invoked by root as: + + applygnupgdefaults + + +File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools + +9.6 Put a passphrase into the cache +=================================== + +The 'gpg-preset-passphrase' is a utility to seed the internal cache of a +running 'gpg-agent' with passphrases. It is mainly useful for +unattended machines, where the usual 'pinentry' tool may not be used and +the passphrases for the to be used keys are given at machine startup. + + This program works with GnuPG 2 and later. GnuPG 1.x is not +supported. + + Passphrases set with this utility don't expire unless the '--forget' +option is used to explicitly clear them from the cache -- or 'gpg-agent' +is either restarted or reloaded (by sending a SIGHUP to it). Note that +the maximum cache time as set with '--max-cache-ttl' is still honored. +It is necessary to allow this passphrase presetting by starting +'gpg-agent' with the '--allow-preset-passphrase'. + +* Menu: + +* Invoking gpg-preset-passphrase:: List of all commands and options. + + +File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase + +9.6.1 List of all commands and options +-------------------------------------- + +'gpg-preset-passphrase' is invoked this way: + + gpg-preset-passphrase [options] [command] CACHEID + + CACHEID is either a 40 character keygrip of hexadecimal characters +identifying the key for which the passphrase should be set or cleared. +The keygrip is listed along with the key when running the command: +'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary +string may be used to identify a passphrase; it is suggested that such a +string is prefixed with the name of the application (e.g 'foo:12346'). +Scripts should always use the option '--with-colons', which provides the +keygrip in a "grp" line (cf. 'doc/DETAILS')/ + +One of the following command options must be given: + +'--preset' + Preset a passphrase. This is what you usually will use. + 'gpg-preset-passphrase' will then read the passphrase from 'stdin'. + +'--forget' + Flush the passphrase for the given cache ID from the cache. + +The following additional options may be used: + +'-v' +'--verbose' + Output additional information while running. + +'-P STRING' +'--passphrase STRING' + Instead of reading the passphrase from 'stdin', use the supplied + STRING as passphrase. Note that this makes the passphrase visible + for other users. + + +File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools + +9.7 Communicate with a running agent +==================================== + +The 'gpg-connect-agent' is a utility to communicate with a running +'gpg-agent'. It is useful to check out the commands 'gpg-agent' +provides using the Assuan interface. It might also be useful for +scripting simple applications. Input is expected at stdin and output +gets printed to stdout. + + It is very similar to running 'gpg-agent' in server mode; but here we +connect to a running instance. + +* Menu: + +* Invoking gpg-connect-agent:: List of all options. +* Controlling gpg-connect-agent:: Control commands. + + +File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent + +9.7.1 List of all options +------------------------- + +'gpg-connect-agent' is invoked this way: + + gpg-connect-agent [options] [commands] + +The following options may be used: + +'-v' +'--verbose' + Output additional information while running. + +'-q' +'--quiet' + Try to be as quiet as possible. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'--agent-program FILE' + Specify the agent program to be started if none is running. The + default value is determined by running 'gpgconf' with the option + '--list-dirs'. Note that the pipe symbol ('|') is used for a + regression test suite hack and may thus not be used in the file + name. + +'--dirmngr-program FILE' + Specify the directory manager (keyserver client) program to be + started if none is running. This has only an effect if used + together with the option '--dirmngr'. + +'--dirmngr' + Connect to a running directory manager (keyserver client) instead + of to the gpg-agent. If a dirmngr is not running, start it. + +'-S' +'--raw-socket NAME' + Connect to socket NAME assuming this is an Assuan style server. Do + not run any special initializations or environment checks. This + may be used to directly connect to any Assuan style socket server. + +'-E' +'--exec' + Take the rest of the command line as a program and it's arguments + and execute it as an Assuan server. Here is how you would run + 'gpgsm': + gpg-connect-agent --exec gpgsm --server + Note that you may not use options on the command line in this case. + +'--no-ext-connect' + When using '-S' or '--exec', 'gpg-connect-agent' connects to the + Assuan server in extended mode to allow descriptor passing. This + option makes it use the old mode. + +'--no-autostart' + Do not start the gpg-agent or the dirmngr if it has not yet been + started. + +'-r FILE' +'--run FILE' + Run the commands from FILE at startup and then continue with the + regular input method. Note, that commands given on the command + line are executed after this file. + +'-s' +'--subst' + Run the command '/subst' at startup. + +'--hex' + Print data lines in a hex format and the ASCII representation of + non-control characters. + +'--decode' + Decode data lines. That is to remove percent escapes but make sure + that a new line always starts with a D and a space. + + +File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent + +9.7.2 Control commands +---------------------- + +While reading Assuan commands, gpg-agent also allows a few special +commands to control its operation. These control commands all start +with a slash ('/'). + +'/echo ARGS' + Just print ARGS. + +'/let NAME VALUE' + Set the variable NAME to VALUE. Variables are only substituted on + the input if the '/subst' has been used. Variables are referenced + by prefixing the name with a dollar sign and optionally include the + name in curly braces. The rules for a valid name are identically + to those of the standard bourne shell. This is not yet enforced + but may be in the future. When used with curly braces no leading + or trailing white space is allowed. + + If a variable is not found, it is searched in the environment and + if found copied to the table of variables. + + Variable functions are available: The name of the function must be + followed by at least one space and the at least one argument. The + following functions are available: + + 'get' + Return a value described by the argument. Available arguments + are: + + 'cwd' + The current working directory. + 'homedir' + The gnupg homedir. + 'sysconfdir' + GnuPG's system configuration directory. + 'bindir' + GnuPG's binary directory. + 'libdir' + GnuPG's library directory. + 'libexecdir' + GnuPG's library directory for executable files. + 'datadir' + GnuPG's data directory. + 'serverpid' + The PID of the current server. Command '/serverpid' must + have been given to return a useful value. + + 'unescape ARGS' + Remove C-style escapes from ARGS. Note that '\0' and '\x00' + terminate the returned string implicitly. The string to be + converted are the entire arguments right behind the delimiting + space of the function name. + + 'unpercent ARGS' + 'unpercent+ ARGS' + Remove percent style escaping from ARGS. Note that '%00' + terminates the string implicitly. The string to be converted + are the entire arguments right behind the delimiting space of + the function name. 'unpercent+' also maps plus signs to a + spaces. + + 'percent ARGS' + 'percent+ ARGS' + Escape the ARGS using percent style escaping. Tabs, + formfeeds, linefeeds, carriage returns and colons are escaped. + 'percent+' also maps spaces to plus signs. + + 'errcode ARG' + 'errsource ARG' + 'errstring ARG' + Assume ARG is an integer and evaluate it using 'strtol'. + Return the gpg-error error code, error source or a formatted + string with the error code and error source. + + '+' + '-' + '*' + '/' + '%' + Evaluate all arguments as long integers using 'strtol' and + apply this operator. A division by zero yields an empty + string. + + '!' + '|' + '&' + Evaluate all arguments as long integers using 'strtol' and + apply the logical operators NOT, OR or AND. The NOT operator + works on the last argument only. + +'/definq NAME VAR' + Use content of the variable VAR for inquiries with NAME. NAME may + be an asterisk ('*') to match any inquiry. + +'/definqfile NAME FILE' + Use content of FILE for inquiries with NAME. NAME may be an + asterisk ('*') to match any inquiry. + +'/definqprog NAME PROG' + Run PROG for inquiries matching NAME and pass the entire line to it + as command line arguments. + +'/datafile NAME' + Write all data lines from the server to the file NAME. The file is + opened for writing and created if it does not exists. An existing + file is first truncated to 0. The data written to the file fully + decoded. Using a single dash for NAME writes to stdout. The file + is kept open until a new file is set using this command or this + command is used without an argument. + +'/showdef' + Print all definitions + +'/cleardef' + Delete all definitions + +'/sendfd FILE MODE' + Open FILE in MODE (which needs to be a valid 'fopen' mode string) + and send the file descriptor to the server. This is usually + followed by a command like 'INPUT FD' to set the input source for + other commands. + +'/recvfd' + Not yet implemented. + +'/open VAR FILE [MODE]' + Open FILE and assign the file descriptor to VAR. Warning: This + command is experimental and might change in future versions. + +'/close FD' + Close the file descriptor FD. Warning: This command is + experimental and might change in future versions. + +'/showopen' + Show a list of open files. + +'/serverpid' + Send the Assuan command 'GETINFO pid' to the server and store the + returned PID for internal purposes. + +'/sleep' + Sleep for a second. + +'/hex' +'/nohex' + Same as the command line option '--hex'. + +'/decode' +'/nodecode' + Same as the command line option '--decode'. + +'/subst' +'/nosubst' + Enable and disable variable substitution. It defaults to disabled + unless the command line option '--subst' has been used. If /subst + as been enabled once, leading whitespace is removed from input + lines which makes scripts easier to read. + +'/while CONDITION' +'/end' + These commands provide a way for executing loops. All lines + between the 'while' and the corresponding 'end' are executed as + long as the evaluation of CONDITION yields a non-zero value or is + the string 'true' or 'yes'. The evaluation is done by passing + CONDITION to the 'strtol' function. Example: + + /subst + /let i 3 + /while $i + /echo loop counter is $i + /let i ${- $i 1} + /end + +'/if CONDITION' +'/end' + These commands provide a way for conditional execution. All lines + between the 'if' and the corresponding 'end' are executed only if + the evaluation of CONDITION yields a non-zero value or is the + string 'true' or 'yes'. The evaluation is done by passing + CONDITION to the 'strtol' function. + +'/run FILE' + Run commands from FILE. + +'/bye' + Terminate the connection and the program. + +'/help' + Print a list of available control commands. + + +File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools + +9.8 The Dirmngr Client Tool +=========================== + +The 'dirmngr-client' is a simple tool to contact a running dirmngr and +test whether a certificate has been revoked -- either by being listed in +the corresponding CRL or by running the OCSP protocol. If no dirmngr is +running, a new instances will be started but this is in general not a +good idea due to the huge performance overhead. + +The usual way to run this tool is either: + + dirmngr-client ACERT + +or + + dirmngr-client <ACERT + + Where ACERT is one DER encoded (binary) X.509 certificates to be +tested. The return value of this command is + +'0' + The certificate under question is valid; i.e. there is a valid CRL + available and it is not listed there or the OCSP request returned + that that certificate is valid. + +'1' + The certificate has been revoked + +'2 (and other values)' + There was a problem checking the revocation state of the + certificate. A message to stderr has given more detailed + information. Most likely this is due to a missing or expired CRL + or due to a network problem. + +'dirmngr-client' may be called with the following options: + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--quiet, -q' + Make the output extra brief by suppressing any informational + messages. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to DIRMNGR, such as + '-vv'. + +'--pem' + Assume that the given certificate is in PEM (armored) format. + +'--ocsp' + Do the check using the OCSP protocol and ignore any CRLs. + +'--force-default-responder' + When checking using the OCSP protocol, force the use of the default + OCSP responder. That is not to use the Reponder as given by the + certificate. + +'--ping' + Check whether the dirmngr daemon is up and running. + +'--cache-cert' + Put the given certificate into the cache of a running dirmngr. + This is mainly useful for debugging. + +'--validate' + Validate the given certificate using dirmngr's internal validation + code. This is mainly useful for debugging. + +'--load-crl' + This command expects a list of filenames with DER encoded CRL + files. With the option '--url' URLs are expected in place of + filenames and they are loaded directly from the given location. + All CRLs will be validated and then loaded into dirmngr's cache. + +'--lookup' + Take the remaining arguments and run a lookup command on each of + them. The results are Base-64 encoded outputs (without header + lines). This may be used to retrieve certificates from a server. + However the output format is not very well suited if more than one + certificate is returned. + +'--url' +'-u' + Modify the 'lookup' and 'load-crl' commands to take an URL. + +'--local' +'-l' + Let the 'lookup' command only search the local cache. + +'--squid-mode' + Run DIRMNGR-CLIENT in a mode suitable as a helper program for + Squid's 'external_acl_type' option. + + +File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools + +9.9 Parse a mail message into an annotated format +================================================= + +The 'gpgparsemail' is a utility currently only useful for debugging. +Run it with '--help' for usage information. + + +File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools + +9.10 Encrypt or sign files into an archive +========================================== + +'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar +using the same format as used by PGP's PGP Zip. + +'gpgtar' is invoked this way: + + gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...] + +'gpgtar' understands these options: + +'--create' + Put given files and directories into a vanilla "ustar" archive. + +'--extract' + Extract all files from a vanilla "ustar" archive. + +'--encrypt' +'-e' + Encrypt given files and directories into an archive. This option + may be combined with option '--symmetric' for an archive that may + be decrypted via a secret key or a passphrase. + +'--decrypt' +'-d' + Extract all files from an encrypted archive. + +'--sign' +'-s' + Make a signed archive from the given files and directories. This + can be combined with option '--encrypt' to create a signed and then + encrypted archive. + +'--list-archive' +'-t' + List the contents of the specified archive. + +'--symmetric' +'-c' + Encrypt with a symmetric cipher using a passphrase. The default + symmetric cipher used is AES-128, but may be chosen with the + '--cipher-algo' option to 'gpg'. + +'--recipient USER' +'-r USER' + Encrypt for user id USER. For details see 'gpg'. + +'--local-user USER' +'-u USER' + Use USER as the key to sign with. For details see 'gpg'. + +'--output FILE' +'-o FILE' + Write the archive to the specified file FILE. + +'--verbose' +'-v' + Enable extra informational output. + +'--quiet' +'-q' + Try to be as quiet as possible. + +'--skip-crypto' + Skip all crypto operations and create or extract vanilla "ustar" + archives. + +'--dry-run' + Do not actually output the extracted files. + +'--directory DIR' +'-C DIR' + Extract the files into the directory DIR. The default is to take + the directory name from the input filename. If no input filename + is known a directory named 'GPGARCH' is used. For tarball + creation, switch to directory DIR before performing any operations. + +'--files-from FILE' +'-T FILE' + Take the file names to work from the file FILE; one file per line. + +'--null' + Modify option '--files-from' to use a binary nul instead of a + linefeed to separate file names. + +'--utf8-strings' + Assume that the file names read by '--files-from' are UTF-8 + encoded. This option has an effect only on Windows where the + active code page is otherwise assumed. + +'--openpgp' + This option has no effect because OpenPGP encryption and signing is + the default. + +'--cms' + This option is reserved and shall not be used. It will eventually + be used to encrypt or sign using the CMS protocol; but that is not + yet implemented. + +'--batch' + Use batch mode. Never ask but use the default action. This option + is passed directly to 'gpg'. + +'--yes' + Assume "yes" on most questions. Often used together with '--batch' + to overwrite existing files. This option is passed directly to + 'gpg'. + +'--no' + Assume "no" on most questions. This option is passed directly to + 'gpg'. + +'--require-compliance' + This option is passed directly to 'gpg'. + +'--status-fd N' + Write special status strings to the file descriptor N. See the + file DETAILS in the documentation for a listing of them. + +'--with-log' + When extracting an encrypted tarball also write a log file with the + gpg output to a file named after the extraction directory with the + suffix ".log". + +'--set-filename FILE' + Use the last component of FILE as the output directory. The + default is to take the directory name from the input filename. If + no input filename is known a directory named 'GPGARCH' is used. + This option is deprecated in favor of option '--directory'. + +'--gpg GPGCMD' + Use the specified command GPGCMD instead of 'gpg'. + +'--gpg-args ARGS' + Pass the specified extra options to 'gpg'. + +'--tar-args ARGS' + Assume ARGS are standard options of the command 'tar' and parse + them. The only supported tar options are "-directory", + "-files-from", and "-null" This is an obsolete options because + those supported tar options can also be given directly. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + +The program returns 0 if everything was fine, 1 otherwise. + +Some examples: + +Encrypt the contents of directory 'mydocs' for user Bob to file 'test1': + + gpgtar --encrypt --output test1 -r Bob mydocs + +List the contents of archive 'test1': + + gpgtar --list-archive test1 + + +File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools + +9.11 Check a passphrase on stdin against the patternfile +======================================================== + +'gpg-check-pattern' checks a passphrase given on stdin against a +specified pattern file. + + The pattern file is line based with comment lines beginning on the +_first_ position with a '#'. Empty lines and lines with only white +spaces are ignored. The actual pattern lines may either be verbatim +string pattern and match as they are (trailing spaces are ignored) or +extended regular expressions indicated by a '/' or '!/' in the first +column and terminated by another '/' or end of line. If a regular +expression starts with '!/' the match result is reversed. By default +all comparisons are case insensitive. + + Tag lines may be used to further control the operation of this tool. +The currently defined tags are: + +'[icase]' + Switch to case insensitive comparison for all further patterns. + This is the default. + +'[case]' + Switch to case sensitive comparison for all further patterns. + +'[reject]' + Switch to reject mode. This is the default mode. + +'[accept]' + Switch to accept mode. + + In the future more tags may be introduced and thus it is advisable +not to start a plain pattern string with an open bracket. The tags must +be given verbatim on the line with no spaces to the left or any non +white space characters to the right. + + In reject mode the program exits on the first match with an exit code +of 1 (failure). If at the end of the pattern list the reject mode is +still active the program exits with code 0 (success). + + In accept mode blocks of patterns are used. A block starts at the +next pattern after an "accept" tag and ends with the last pattern before +the next "accept" or "reject" tag or at the end of the pattern list. If +all patterns in a block match the program exits with an exit code of 0 +(success). If any pattern in a block do not match the next pattern +block is evaluated. If at the end of the pattern list the accept mode +is still active the program exits with code 1 (failure). + + +'--verbose' + Enable extra informational output. + +'--check' + Run only a syntax check on the patternfile. + +'--null' + Input is expected to be null delimited. + + +File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top + +10 Web Key Service +****************** + +GnuPG comes with tools used to maintain and access a Web Key Directory. + +* Menu: + +* gpg-wks-client:: Send requests via WKS +* gpg-wks-server:: Server to provide the WKS. + + +File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service + +10.1 Send requests via WKS +========================== + +The 'gpg-wks-client' is used to send requests to a Web Key Service +provider. This is usually done to upload a key into a Web Key +Directory. + + With the '--supported' command the caller can test whether a site +supports the Web Key Service. The argument is an arbitrary address in +the to be tested domain. For example 'foo@example.net'. The command +returns success if the Web Key Service is supported. The operation is +silent; to get diagnostic output use the option '--verbose'. See option +'--with-colons' for a variant of this command. + + With the '--check' command the caller can test whether a key exists +for a supplied mail address. The command returns success if a key is +available. + + The '--create' command is used to send a request for publication in +the Web Key Directory. The arguments are the fingerprint of the key and +the user id to publish. The output from the command is a properly +formatted mail with all standard headers. This mail can be fed to +'sendmail(8)' or any other tool to actually send that mail. If +'sendmail(8)' is installed the option '--send' can be used to directly +send the created request. If the provider request a 'mailbox-only' user +id and no such user id is found, 'gpg-wks-client' will try an additional +user id. + + The '--receive' and '--read' commands are used to process +confirmation mails as send from the service provider. The former +expects an encrypted MIME messages, the latter an already decrypted MIME +message. The result of these commands are another mail which can be +send in the same way as the mail created with '--create'. + + The command '--install-key' manually installs a key into a local +directory (see option '-C') reflecting the structure of a WKD. The +arguments are a file with the keyblock and the user-id to install. If +the first argument resembles a fingerprint the key is taken from the +current keyring; to force the use of a file, prefix the first argument +with "./". If no arguments are given the parameters are read from +stdin; the expected format are lines with the fingerprint and the +mailbox separated by a space. The command '--remove-key' removes a key +from that directory, its only argument is a user-id. + + The command '--mirror' is similar to '--install-key' but takes the +keys from the the LDAP server configured for Dirmngr. If no arguments +are given all keys and user ids are installed. If arguments are given +they are taken as domain names to limit the to be installed keys. The +option '--blacklist' may be used to further limit the to be installed +keys. + + The command '--print-wkd-hash' prints the WKD user-id identifiers and +the corresponding mailboxes from the user-ids given on the command line +or via stdin (one user-id per line). + + The command '--print-wkd-url' prints the URLs used to fetch the key +for the given user-ids from WKD. The meanwhile preferred format with +sub-domains is used here. + + 'gpg-wks-client' is not commonly invoked directly and thus it is not +installed in the bin directory. Here is an example how it can be +invoked manually to check for a Web Key Directory entry for +'foo@example.org': + + $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net + +'gpg-wks-client' understands these options: + +'--send' + Directly send created mails using the 'sendmail' command. Requires + installation of that command. + +'--with-colons' + This option has currently only an effect on the '--supported' + command. If it is used all arguments on the command line are taken + as domain names and tested for WKD support. The output format is + one line per domain with colon delimited fields. The currently + specified fields are (future versions may specify additional + fields): + + 1 - domain + This is the domain name. Although quoting is not required for + valid domain names this field is specified to be quoted in + standard C manner. + + 2 - WKD + If the value is true the domain supports the Web Key + Directory. + + 3 - WKS + If the value is true the domain supports the Web Key Service + protocol to upload keys to the directory. + + 4 - error-code + This may contain an gpg-error code to describe certain + failures. Use 'gpg-error CODE' to explain the code. + + 5 - protocol-version + The minimum protocol version supported by the server. + + 6 - auth-submit + The auth-submit flag from the policy file of the server. + + 7 - mailbox-only + The mailbox-only flag from the policy file of the server. + +'--output FILE' +'-o' + Write the created mail to FILE instead of stdout. Note that the + value '-' for FILE is the same as writing to stdout. + +'--status-fd N' + Write special status strings to the file descriptor N. This + program returns only the status messages SUCCESS or FAILURE which + are helpful when the caller uses a double fork approach and can't + easily get the return code of the process. + +'-C DIR' +'--directory DIR' + Use DIR as top level directory for the commands '--mirror', + '--install-key' and '--remove-key'. The default is 'openpgpkey'. + +'--blacklist FILE' + This option is used to exclude certain mail addresses from a mirror + operation. The format of FILE is one mail address (just the + addrspec, e.g. "postel@isi.edu") per line. Empty lines and lines + starting with a '#' are ignored. + +'--verbose' + Enable extra informational output. + +'--quiet' + Disable almost all informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service + +10.2 Provide the Web Key Service +================================ + +The 'gpg-wks-server' is a server site implementation of the Web Key +Service. It receives requests for publication, sends confirmation +requests, receives confirmations, and published the key. It also has +features to ease the setup and maintenance of a Web Key Directory. + + When used with the command '--receive' a single Web Key Service mail +is processed. Commonly this command is used with the option '--send' to +directly send the crerated mails back. See below for an installation +example. + + The command '--cron' is used for regualr cleanup tasks. For example +non-confirmed requested should be removed after their expire time. It +is best to run this command once a day from a cronjob. + + The command '--list-domains' prints all configured domains. Further +it creates missing directories for the configuration and prints warnings +pertaining to problems in the configuration. + + The command '--check-key' (or just '--check') checks whether a key +with the given user-id is installed. The process returns success in +this case; to also print a diagnostic use the option '-v'. If the key +is not installed a diagnostic is printed and the process returns +failure; to suppress the diagnostic, use option '-q'. More than one +user-id can be given; see also option 'with-file'. + + The command '--install-key' manually installs a key into the WKD. The +arguments are a file with the keyblock and the user-id to install. If +the first argument resembles a fingerprint the key is taken from the +current keyring; to force the use of a file, prefix the first argument +with "./". If no arguments are given the parameters are read from +stdin; the expected format are lines with the fingerprint and the +mailbox separated by a space. + + The command '--remove-key' uninstalls a key from the WKD. The process +returns success in this case; to also print a diagnostic, use option +'-v'. If the key is not installed a diagnostic is printed and the +process returns failure; to suppress the diagnostic, use option '-q'. + + The command '--revoke-key' is not yet functional. + +'gpg-wks-server' understands these options: + +'-C DIR' +'--directory DIR' + Use DIR as top level directory for domains. The default is + '/var/lib/gnupg/wks'. + +'--from MAILADDR' + Use MAILADDR as the default sender address. + +'--header NAME=VALUE' + Add the mail header "NAME: VALUE" to all outgoing mails. + +'--send' + Directly send created mails using the 'sendmail' command. Requires + installation of that command. + +'-o FILE' +'--output FILE' + Write the created mail also to FILE. Note that the value '-' for + FILE would write it to stdout. + +'--with-dir' + When used with the command '--list-domains' print for each + installed domain the domain name and its directory name. + +'--with-file' + When used with the command '--check-key' print for each user-id, + the address, 'i' for installed key or 'n' for not installed key, + and the filename. + +'--verbose' + Enable extra informational output. + +'--quiet' + Disable almost all informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +Examples +******** + +The Web Key Service requires a working directory to store keys pending +for publication. As root create a working directory: + + # mkdir /var/lib/gnupg/wks + # chown webkey:webkey /var/lib/gnupg/wks + # chmod 2750 /var/lib/gnupg/wks + + Then under your webkey account create directories for all your +domains. Here we do it for "example.net": + + $ mkdir /var/lib/gnupg/wks/example.net + + Finally run + + $ gpg-wks-server --list-domains + + to create the required sub-directories with the permissions set +correctly. For each domain a submission address needs to be configured. +All service mails are directed to that address. It can be the same +address for all configured domains, for example: + + $ cd /var/lib/gnupg/wks/example.net + $ echo key-submission@example.net >submission-address + + The protocol requires that the key to be published is send with an +encrypted mail to the service. Thus you need to create a key for the +submission address: + + $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net + $ gpg -K key-submission@example.net + + The output of the last command looks similar to this: + + sec rsa2048 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@example.net + ssb rsa2048 2016-08-30 [E] + + Take the fingerprint from that output and manually publish the key: + + $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \ + > key-submission@example.net + + Finally that submission address needs to be redirected to a script +running 'gpg-wks-server'. The 'procmail' command can be used for this: +Redirect the submission address to the user "webkey" and put this into +webkey's '.procmailrc': + + :0 + * !^From: webkey@example.net + * !^X-WKS-Loop: webkey.example.net + |gpg-wks-server -v --receive \ + --header X-WKS-Loop=webkey.example.net \ + --from webkey@example.net --send + + +File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top + +11 How to do certain things +*************************** + +This is a collection of small howto documents. + +* Menu: + +* Howto Create a Server Cert:: Creating a TLS server certificate. + + +File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos + +11.1 Creating a TLS server certificate +====================================== + +Here is a brief run up on how to create a server certificate. It has +actually been done this way to get a certificate from CAcert to be used +on a real server. It has only been tested with this CA, but there +shouldn't be any problem to run this against any other CA. + + We start by generating an X.509 certificate signing request. As +there is no need for a configuration file, you may simply enter: + + $ gpgsm --generate-key >example.com.cert-req.pem + Please select what kind of key you want: + (1) RSA + (2) Existing key + (3) Existing key from card + Your selection? 1 + + I opted for creating a new RSA key. The other option is to use an +already existing key, by selecting '2' and entering the so-called +keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you +this keygrip. Using '3' offers another menu to create a certificate +directly from a smart card based key. + + Let's continue: + + What keysize do you want? (3072) + Requested keysize is 3072 bits + + Hitting enter chooses the default RSA key size of 3072 bits. Keys +smaller than 2048 bits are too weak on the modern Internet. If you +choose a larger (stronger) key, your server will need to do more work. + + Possible actions for a RSA key: + (1) sign, encrypt + (2) sign + (3) encrypt + Your selection? 1 + + Selecting "sign" enables use of the key for Diffie-Hellman key +exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because +they offer forward secrecy. Selecting "encrypt" enables RSA key +exchange mechanisms, which are still common in some places. Selecting +both enables both key exchange mechanisms. + + Now for some real data: + + Enter the X.509 subject name: CN=example.com + + This is the most important value for a server certificate. Enter +here the canonical name of your server machine. You may add other +virtual server names later. + + E-Mail addresses (end with an empty line): + > + + We don't need email addresses in a TLS server certificate and CAcert +would anyway ignore such a request. Thus just hit enter. + + If you want to create a client certificate for email encryption, this +would be the place to enter your mail address (e.g. <joe@example.org>). +You may enter as many addresses as you like, however the CA may not +accept them all or reject the entire request. + + Enter DNS names (optional; end with an empty line): + > example.com + > www.example.com + > + + Here I entered the names of the services which the machine actually +provides. You almost always want to include the canonical name here +too. The browser will accept a certificate for any of these names. As +usual the CA must approve all of these names. + + URIs (optional; end with an empty line): + > + + It is possible to insert arbitrary URIs into a certificate; for a +server certificate this does not make sense. + + Create self-signed certificate? (y/N) + + Since we are creating a certificate signing request, and not a full +certificate, we answer no here, or just hit enter for the default. + + We have now entered all required information and 'gpgsm' will display +what it has gathered and ask whether to create the certificate request: + + These parameters are used: + Key-Type: RSA + Key-Length: 3072 + Key-Usage: sign, encrypt + Name-DN: CN=example.com + Name-DNS: example.com + Name-DNS: www.example.com + + Proceed with creation? (y/N) y + + 'gpgsm' will now start working on creating the request. As this +includes the creation of an RSA key it may take a while. During this +time you will be asked 3 times for a passphrase to protect the created +private key on your system. A pop up window will appear to ask for it. +The first two prompts are for the new passphrase and for re-entering it; +the third one is required to actually create the certificate signing +request. + + When it is ready, you should see the final notice: + + Ready. You should now send this request to your CA. + + Now, you may look at the created request: + + $ cat example.com.cert-req.pem + -----BEGIN CERTIFICATE REQUEST----- + MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW + h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC + Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW + GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm + DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n + xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq + hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs + ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN + b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ + hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D + bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk + VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3 + k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU= + -----END CERTIFICATE REQUEST----- + $ + + You may now proceed by logging into your account at the CAcert +website, choose 'Server Certificates - New', check 'sign by class 3 root +certificate', paste the above request block into the text field and +click on 'Submit'. + + If everything works out fine, a certificate will be shown. Now run + + $ gpgsm --import + + and paste the certificate from the CAcert page into your terminal +followed by a Ctrl-D + + -----BEGIN CERTIFICATE----- + MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl + [...] + rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs + Rtct3tIX + -----END CERTIFICATE----- + gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found + gpgsm: certificate imported + + gpgsm: total number processed: 1 + gpgsm: imported: 1 + + 'gpgsm' tells you that it has imported the certificate. It is now +associated with the key you used when creating the request. The root +certificate has not been found, so you may want to import it from the +CACert website. + + To see the content of your certificate, you may now enter: + + $ gpgsm -K example.com + /home/foo/.gnupg/pubring.kbx + --------------------------- + Serial number: 4C + Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...] + Subject: /CN=example.com + aka: (dns-name example.com) + aka: (dns-name www.example.com) + validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 + key type: 3072 bit RSA + key usage: digitalSignature keyEncipherment + ext key usage: clientAuth (suggested), serverAuth (suggested), [...] + fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 + + I used '-K' above because this will only list certificates for which +a private key is available. To see more details, you may use +'--dump-secret-keys' instead of '-K'. + + To make actual use of the certificate you need to install it on your +server. Server software usually expects a PKCS\#12 file with key and +certificate. To create such a file, run: + + $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem + + You will be asked for the passphrase as well as for a new passphrase +to be used to protect the PKCS\#12 file. The file now contains the +certificate as well as the private key: + + $ cat example-cert.pem + Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...] + Serial ...: 4C + Subject ..: /CN=example.com + aka ..: (dns-name example.com) + aka ..: (dns-name www.example.com) + + -----BEGIN PKCS12----- + MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu + [...many more lines...] + -----END PKCS12----- + $ + + Copy this file in a secure way to the server, install it there and +delete the file then. You may export the file again at any time as long +as it is available in GnuPG's private key database. + + +File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top + +12 Notes pertaining to certain OSes +*********************************** + +GnuPG has been developed on GNU/Linux systems and is know to work on +almost all Free OSes. All modern POSIX systems should be supported +right now, however there are probably a lot of smaller glitches we need +to fix first. The major problem areas are: + + * We are planning to use file descriptor passing for interprocess + communication. This will allow us save a lot of resources and + improve performance of certain operations a lot. Systems not + supporting this won't gain these benefits but we try to keep them + working the standard way as it is done today. + + * We require more or less full POSIX compatibility. This has been + around for 15 years now and thus we don't believe it makes sense to + support non POSIX systems anymore. Well, we of course the usual + workarounds for near POSIX systems well be applied. + + There is one exception of this rule: Systems based the Microsoft + Windows API (called here _W32_) will be supported to some extend. + +* Menu: + +* W32 Notes:: Microsoft Windows Notes + + +File: gnupg.info, Node: W32 Notes, Up: System Notes + +12.1 Microsoft Windows Notes +============================ + +Current limitations are: + + * 'gpgconf' does not create backup files, so in case of trouble your + configuration file might get lost. + + * 'watchgnupg' is not available. Logging to sockets is not possible. + + * The periodical smartcard status checking done by 'scdaemon' is not + yet supported. + + +File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top + +13 How to solve problems +************************ + +Everyone knows that software often does not do what it should do and +thus there is a need to track down problems. We call this debugging in +a reminiscent to the moth jamming a relay in a Mark II box back in 1947. + + Most of the problems a merely configuration and user problems but +nevertheless they are the most annoying ones and responsible for many +gray hairs. We try to give some guidelines here on how to identify and +solve the problem at hand. + +* Menu: + +* Debugging Tools:: Description of some useful tools. +* Debugging Hints:: Various hints on debugging. +* Common Problems:: Commonly seen problems. +* Architecture Details:: How the whole thing works internally. + + +File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging + +13.1 Debugging Tools +==================== + +The GnuPG distribution comes with a couple of tools, useful to help find +and solving problems. + +* Menu: + +* kbxutil:: Scrutinizing a keybox file. + + +File: gnupg.info, Node: kbxutil, Up: Debugging Tools + +13.1.1 Scrutinizing a keybox file +--------------------------------- + +A keybox is a file format used to store public keys along with meta +information and indices. The commonly used one is the file +'pubring.kbx' in the '.gnupg' directory. It contains all X.509 +certificates as well as OpenPGP keys. + +When called the standard way, e.g.: + + 'kbxutil ~/.gnupg/pubring.kbx' + +it lists all records (called blobs) with there meta-information in a +human readable format. + +To see statistics on the keybox in question, run it using + + 'kbxutil --stats ~/.gnupg/pubring.kbx' + +and you get an output like: + + Total number of blobs: 99 + header: 1 + empty: 0 + openpgp: 0 + x509: 98 + non flagged: 81 + secret flagged: 0 + ephemeral flagged: 17 + + In this example you see that the keybox does not have any OpenPGP +keys but contains 98 X.509 certificates and a total of 17 keys or +certificates are flagged as ephemeral, meaning that they are only +temporary stored (cached) in the keybox and won't get listed using the +usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored +in a standard way and directly available from 'gpgsm'. + +To find duplicated certificates and keyblocks in a keybox file (this +should not occur but sometimes things go wrong), run it using + + 'kbxutil --find-dups ~/.gnupg/pubring.kbx' + + +File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging + +13.2 Various hints on debugging +=============================== + + * How to find the IP address of a keyserver + + If a round robin URL of is used for a keyserver (e.g. + subkeys.gnupg.org); it is not easy to see what server is actually + used. Using the keyserver debug option as in + + gpg --keyserver-options debug=1 -v --refresh-key 1E42B367 + + is thus often helpful. Note that the actual output depends on the + backend and may change from release to release. + + * Logging on WindowsCE + + For development, the best logging method on WindowsCE is the use of + remote debugging using a log file name of 'tcp://<ip-addr>:<port>'. + The command 'watchgnupg' may be used on the remote host to listen + on the given port (*note option watchgnupg --tcp::). For in the + field tests it is better to make use of the logging facility + provided by the 'gpgcedev' driver (part of libassuan); this is + enabled by using a log file name of 'GPG2:' (*note option + --log-file::). + + +File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging + +13.3 Commonly Seen Problems +=========================== + + * Error code 'Not supported' from Dirmngr + + Most likely the option 'enable-ocsp' is active for gpgsm but + Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in + 'dirmngr.conf'. + + * The Curses based Pinentry does not work + + The far most common reason for this is that the environment + variable 'GPG_TTY' has not been set correctly. Make sure that it + has been set to a real tty device and not just to '/dev/tty'; i.e. + 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' -- + note the back ticks. Also make sure that this environment variable + gets exported, that is you should follow up the setting with an + 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI + based Pinentries; you should have set 'GPG_TTY'. See the section + on installing the 'gpg-agent' on how to do it. + + * SSH hangs while a popping up pinentry was expected + + SSH has no way to tell the gpg-agent what terminal or X display it + is running on. So when remotely logging into a box where a + gpg-agent with SSH support is running, the pinentry will get popped + up on whatever display the gpg-agent has been started. To solve + this problem you may issue the command + + echo UPDATESTARTUPTTY | gpg-connect-agent + + and the next pinentry will pop up on your display or screen. + However, you need to kill the running pinentry first because only + one pinentry may be running at once. If you plan to use ssh on a + new display you should issue the above command before invoking ssh + or any other service making use of ssh. + + * Exporting a secret key without a certificate + + It may happen that you have created a certificate request using + 'gpgsm' but not yet received and imported the certificate from the + CA. However, you want to export the secret key to another machine + right now to import the certificate over there then. You can do + this with a little trick but it requires that you know the + approximate time you created the signing request. By running the + command + + ls -ltr ~/.gnupg/private-keys-v1.d + + you get a listing of all private keys under control of 'gpg-agent'. + Pick the key which best matches the creation time and run the + command + + /usr/local/libexec/gpg-protect-tool --p12-export \ + ~/.gnupg/private-keys-v1.d/FOO >FOO.p12 + + (Please adjust the path to 'gpg-protect-tool' to the appropriate + location). FOO is the name of the key file you picked (it should + have the suffix '.key'). A Pinentry box will pop up and ask you + for the current passphrase of the key and a new passphrase to + protect it in the pkcs#12 file. + + To import the created file on the machine you use this command: + + /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12 + + You will be asked for the pkcs#12 passphrase and a new passphrase + to protect the imported private key at its new location. + + Note that there is no easy way to match existing certificates with + stored private keys because some private keys are used for Secure + Shell or other purposes and don't have a corresponding certificate. + + * A root certificate does not verify + + A common problem is that the root certificate misses the required + basicConstraints attribute and thus 'gpgsm' rejects this + certificate. An error message indicating "no value" is a sign for + such a certificate. You may use the 'relax' flag in + 'trustlist.txt' to accept the certificate anyway. Note that the + fingerprint and this flag may only be added manually to + 'trustlist.txt'. + + * Error message: "digest algorithm N has not been enabled" + + The signature is broken. You may try the option + '--extra-digest-algo SHA256' to workaround the problem. The number + N is the internal algorithm identifier; for example 8 refers to + SHA-256. + + * The Windows version does not work under Wine + + When running the W32 version of 'gpg' under Wine you may get an + error messages like: + + gpg: fatal: WriteConsole failed: Access denied + + The solution is to use the command 'wineconsole'. + + Some operations like '--generate-key' really want to talk to the + console directly for increased security (for example to prevent the + passphrase from appearing on the screen). So, you should use + 'wineconsole' instead of 'wine', which will launch a windows + console that implements those additional features. + + * Why does GPG's -search-key list weird keys? + + For performance reasons the keyservers do not check the keys the + same way 'gpg' does. It may happen that the listing of keys + available on the keyservers shows keys with wrong user IDs or with + user Ids from other keys. If you try to import this key, the bad + keys or bad user ids won't get imported, though. This is a bit + unfortunate but we can't do anything about it without actually + downloading the keys. + + +File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging + +13.4 How the whole thing works internally +========================================= + +* Menu: + +* Component interaction:: How the components work together. +* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x. + + +File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details + +13.4.1 How the components work together +--------------------------------------- + + + +Figure 13.1: GnuPG module overview + + +File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details + +13.4.2 Relationship between GnuPG 1.4 and 2.x +--------------------------------------------- + +Here is a little picture showing how the different GnuPG versions make +use of a smartcard: + + + +Figure 13.2: GnuPG card architecture + + +File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top + +GNU General Public License +************************** + + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> + + Everyone is permitted to copy and distribute verbatim copies of this + license document, but changing it is not allowed. + +Preamble +======== + +The GNU General Public License is a free, copyleft license for software +and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program-to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public + License. + + "Copyright" also means copyright-like laws that apply to other + kinds of works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the + work in a fashion requiring copyright permission, other than the + making of an exact copy. The resulting work is called a "modified + version" of the earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work + based on the Program. + + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on + a computer or modifying a private copy. Propagation includes + copying, distribution (with or without modification), making + available to the public, and in some countries other activities as + well. + + To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user + through a computer network, with no transfer of a copy, is not + conveying. + + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to + the extent that warranties are provided), that licensees may convey + the work under this License, and how to view a copy of this + License. If the interface presents a list of user commands or + options, such as a menu, a prominent item in the list meets this + criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + + A "Standard Interface" means an interface that either is an + official standard defined by a recognized standards body, or, in + the case of interfaces specified for a particular programming + language, one that is widely used among developers working in that + language. + + The "System Libraries" of an executable work include anything, + other than the work as a whole, that (a) is included in the normal + form of packaging a Major Component, but which is not part of that + Major Component, and (b) serves only to enable use of the work with + that Major Component, or to implement a Standard Interface for + which an implementation is available to the public in source code + form. A "Major Component", in this context, means a major + essential component (kernel, window system, and so on) of the + specific operating system (if any) on which the executable work + runs, or a compiler used to produce the work, or an object code + interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts + to control those activities. However, it does not include the + work's System Libraries, or general-purpose tools or generally + available free programs which are used unmodified in performing + those activities but which are not part of the work. For example, + Corresponding Source includes interface definition files associated + with source files for the work, and the source code for shared + libraries and dynamically linked subprograms that the work is + specifically designed to require, such as by intimate data + communication or control flow between those subprograms and other + parts of the work. + + The Corresponding Source need not include anything that users can + regenerate automatically from other parts of the Corresponding + Source. + + The Corresponding Source for a work in source code form is that + same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running + a covered work is covered by this License only if the output, given + its content, constitutes a covered work. This License acknowledges + your rights of fair use or other equivalent, as provided by + copyright law. + + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise + remains in force. You may convey covered works to others for the + sole purpose of having them make modifications exclusively for you, + or provide you with facilities for running those works, provided + that you comply with the terms of this License in conveying all + material for which you do not control copyright. Those thus making + or running the covered works for you must do so exclusively on your + behalf, under your direction and control, on terms that prohibit + them from making any copies of your copyrighted material outside + their relationship with you. + + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section + 10 makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under + article 11 of the WIPO copyright treaty adopted on 20 December + 1996, or similar laws prohibiting or restricting circumvention of + such measures. + + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such + circumvention is effected by exercising rights under this License + with respect to the covered work, and you disclaim any intention to + limit operation or modification of the work as a means of + enforcing, against the work's users, your or third parties' legal + rights to forbid circumvention of technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the + code; keep intact all notices of the absence of any warranty; and + give all recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these + conditions: + + a. The work must carry prominent notices stating that you + modified it, and giving a relevant date. + + b. The work must carry prominent notices stating that it is + released under this License and any conditions added under + section 7. This requirement modifies the requirement in + section 4 to "keep intact all notices". + + c. You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable + section 7 additional terms, to the whole of the work, and all + its parts, regardless of how they are packaged. This License + gives no permission to license the work in any other way, but + it does not invalidate such permission if you have separately + received it. + + d. If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has + interactive interfaces that do not display Appropriate Legal + Notices, your work need not make them do so. + + A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered + work, and which are not combined with it such as to form a larger + program, in or on a volume of a storage or distribution medium, is + called an "aggregate" if the compilation and its resulting + copyright are not used to limit the access or legal rights of the + compilation's users beyond what the individual works permit. + Inclusion of a covered work in an aggregate does not cause this + License to apply to the other parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this + License, in one of these ways: + + a. Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b. Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that + product model, to give anyone who possesses the object code + either (1) a copy of the Corresponding Source for all the + software in the product that is covered by this License, on a + durable physical medium customarily used for software + interchange, for a price no more than your reasonable cost of + physically performing this conveying of source, or (2) access + to copy the Corresponding Source from a network server at no + charge. + + c. Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, + and only if you received the object code with such an offer, + in accord with subsection 6b. + + d. Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to + the Corresponding Source in the same way through the same + place at no further charge. You need not require recipients + to copy the Corresponding Source along with the object code. + If the place to copy the object code is a network server, the + Corresponding Source may be on a different server (operated by + you or a third party) that supports equivalent copying + facilities, provided you maintain clear directions next to the + object code saying where to find the Corresponding Source. + Regardless of what server hosts the Corresponding Source, you + remain obligated to ensure that it is available for as long as + needed to satisfy these requirements. + + e. Convey the object code using peer-to-peer transmission, + provided you inform other peers where the object code and + Corresponding Source of the work are being offered to the + general public at no charge under subsection 6d. + + A separable portion of the object code, whose source code is + excluded from the Corresponding Source as a System Library, need + not be included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means + any tangible personal property which is normally used for personal, + family, or household purposes, or (2) anything designed or sold for + incorporation into a dwelling. In determining whether a product is + a consumer product, doubtful cases shall be resolved in favor of + coverage. For a particular product received by a particular user, + "normally used" refers to a typical or common use of that class of + product, regardless of the status of the particular user or of the + way in which the particular user actually uses, or expects or is + expected to use, the product. A product is a consumer product + regardless of whether the product has substantial commercial, + industrial or non-consumer uses, unless such uses represent the + only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to + install and execute modified versions of a covered work in that + User Product from a modified version of its Corresponding Source. + The information must suffice to ensure that the continued + functioning of the modified object code is in no case prevented or + interfered with solely because modification has been made. + + If you convey an object code work under this section in, or with, + or specifically for use in, a User Product, and the conveying + occurs as part of a transaction in which the right of possession + and use of the User Product is transferred to the recipient in + perpetuity or for a fixed term (regardless of how the transaction + is characterized), the Corresponding Source conveyed under this + section must be accompanied by the Installation Information. But + this requirement does not apply if neither you nor any third party + retains the ability to install modified object code on the User + Product (for example, the work has been installed in ROM). + + The requirement to provide Installation Information does not + include a requirement to continue to provide support service, + warranty, or updates for a work that has been modified or installed + by the recipient, or for the User Product in which it has been + modified or installed. Access to a network may be denied when the + modification itself materially and adversely affects the operation + of the network or violates the rules and protocols for + communication across the network. + + Corresponding Source conveyed, and Installation Information + provided, in accord with this section must be in a format that is + publicly documented (and with an implementation available to the + public in source code form), and must require no special password + or key for unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of + this License by making exceptions from one or more of its + conditions. Additional permissions that are applicable to the + entire Program shall be treated as though they were included in + this License, to the extent that they are valid under applicable + law. If additional permissions apply only to part of the Program, + that part may be used separately under those permissions, but the + entire Program remains governed by this License without regard to + the additional permissions. + + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part + of it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material + you add to a covered work, you may (if authorized by the copyright + holders of that material) supplement the terms of this License with + terms: + + a. Disclaiming warranty or limiting liability differently from + the terms of sections 15 and 16 of this License; or + + b. Requiring preservation of specified reasonable legal notices + or author attributions in that material or in the Appropriate + Legal Notices displayed by works containing it; or + + c. Prohibiting misrepresentation of the origin of that material, + or requiring that modified versions of such material be marked + in reasonable ways as different from the original version; or + + d. Limiting the use for publicity purposes of names of licensors + or authors of the material; or + + e. Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f. Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified + versions of it) with contractual assumptions of liability to + the recipient, for any liability that these contractual + assumptions directly impose on those licensors and authors. + + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as + you received it, or any part of it, contains a notice stating that + it is governed by this License along with a term that is a further + restriction, you may remove that term. If a license document + contains a further restriction but permits relicensing or conveying + under this License, you may add to a covered work material governed + by the terms of that license document, provided that the further + restriction does not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in + the form of a separately written license, or stated as exceptions; + the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights + under this License (including any patent licenses granted under the + third paragraph of section 11). + + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the + copyright holder fails to notify you of the violation by some + reasonable means prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from + that copyright holder, and you cure the violation prior to 30 days + after your receipt of the notice. + + Termination of your rights under this section does not terminate + the licenses of parties who have received copies or rights from you + under this License. If your rights have been terminated and not + permanently reinstated, you do not qualify to receive new licenses + for the same material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer + transmission to receive a copy likewise does not require + acceptance. However, nothing other than this License grants you + permission to propagate or modify any covered work. These actions + infringe copyright if you do not accept this License. Therefore, + by modifying or propagating a covered work, you indicate your + acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not + responsible for enforcing compliance by third parties with this + License. + + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a + covered work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or + could give under the previous paragraph, plus a right to possession + of the Corresponding Source of the work from the predecessor in + interest, if the predecessor has it or can get it with reasonable + efforts. + + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you + may not impose a license fee, royalty, or other charge for exercise + of rights granted under this License, and you may not initiate + litigation (including a cross-claim or counterclaim in a lawsuit) + alleging that any patent claim is infringed by making, using, + selling, offering for sale, or importing the Program or any portion + of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. + The work thus licensed is called the contributor's "contributor + version". + + A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, + permitted by this License, of making, using, or selling its + contributor version, but do not include claims that would be + infringed only as a consequence of further modification of the + contributor version. For purposes of this definition, "control" + includes the right to grant patent sublicenses in a manner + consistent with the requirements of this License. + + Each contributor grants you a non-exclusive, worldwide, + royalty-free patent license under the contributor's essential + patent claims, to make, use, sell, offer for sale, import and + otherwise run, modify and propagate the contents of its contributor + version. + + In the following three paragraphs, a "patent license" is any + express agreement or commitment, however denominated, not to + enforce a patent (such as an express permission to practice a + patent or covenant not to sue for patent infringement). To "grant" + such a patent license to a party means to make such an agreement or + commitment not to enforce a patent against the party. + + If you convey a covered work, knowingly relying on a patent + license, and the Corresponding Source of the work is not available + for anyone to copy, free of charge and under the terms of this + License, through a publicly available network server or other + readily accessible means, then you must either (1) cause the + Corresponding Source to be so available, or (2) arrange to deprive + yourself of the benefit of the patent license for this particular + work, or (3) arrange, in a manner consistent with the requirements + of this License, to extend the patent license to downstream + recipients. "Knowingly relying" means you have actual knowledge + that, but for the patent license, your conveying the covered work + in a country, or your recipient's use of the covered work in a + country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, + modify or convey a specific copy of the covered work, then the + patent license you grant is automatically extended to all + recipients of the covered work and works based on it. + + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that + are specifically granted under this License. You may not convey a + covered work if you are a party to an arrangement with a third + party that is in the business of distributing software, under which + you make payment to the third party based on the extent of your + activity of conveying the work, and under which the third party + grants, to any of the parties who would receive the covered work + from you, a discriminatory patent license (a) in connection with + copies of the covered work conveyed by you (or copies made from + those copies), or (b) primarily for and in connection with specific + products or compilations that contain the covered work, unless you + entered into that arrangement, or that patent license was granted, + prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement + or otherwise) that contradict the conditions of this License, they + do not excuse you from the conditions of this License. If you + cannot convey a covered work so as to satisfy simultaneously your + obligations under this License and any other pertinent obligations, + then as a consequence you may not convey it at all. For example, + if you agree to terms that obligate you to collect a royalty for + further conveying from those to whom you convey the Program, the + only way you could satisfy both those terms and this License would + be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU Affero General Public License into a + single combined work, and to convey the resulting work. The terms + of this License will continue to apply to the part which is the + covered work, but the special requirements of the GNU Affero + General Public License, section 13, concerning interaction through + a network will apply to the combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new + versions of the GNU General Public License from time to time. Such + new versions will be similar in spirit to the present version, but + may differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU + General Public License "or any later version" applies to it, you + have the option of following the terms and conditions either of + that numbered version or of any later version published by the Free + Software Foundation. If the Program does not specify a version + number of the GNU General Public License, you may choose any + version ever published by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future + versions of the GNU General Public License can be used, that + proxy's public statement of acceptance of a version permanently + authorizes you to choose that version for the Program. + + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE + COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE + RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. + SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN + WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES + AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR + DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR + CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE + THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA + BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER + PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF + THE POSSIBILITY OF SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely + approximates an absolute waiver of all civil liability in + connection with the Program, unless a warranty or assumption of + liability accompanies a copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs +============================================= + +If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these +terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES. + Copyright (C) YEAR NAME OF AUTHOR + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or (at + your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + +Also add information on how to contact you by electronic and paper mail. + +If the program does terminal interaction, make it output a short notice +like this when it starts in an interactive mode: + + PROGRAM Copyright (C) YEAR NAME OF AUTHOR + This program comes with ABSOLUTELY NO WARRANTY; for details + type 'show w'. This is free software, and you are + welcome to redistribute it under certain conditions; + type 'show c' for details. + + The hypothetical commands 'show w' and 'show c' should show the +appropriate parts of the General Public License. Of course, your +program's commands might be different; for a GUI interface, you would +use an "about box". + + You should also get your employer (if you work as a programmer) or +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. For more information on this, and how to apply and follow +the GNU GPL, see <https://www.gnu.org/licenses/>. + + The GNU General Public License does not permit incorporating your +program into proprietary programs. If your program is a subroutine +library, you may consider it more useful to permit linking proprietary +applications with the library. If this is what you want to do, use the +GNU Lesser General Public License instead of this License. But first, +please read <https://www.gnu.org/philosophy/why-not-lgpl.html>. + + +File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top + +Contributors to GnuPG +********************* + +The GnuPG project would like to thank its many contributors. Without +them the project would not have been nearly as successful as it has +been. Any omissions in this list are accidental. Feel free to contact +the maintainer if you have been left out or some of your contributions +are not listed. + + David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils +Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch +wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis, +Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc +László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander +Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda +Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun +Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann, +Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki +IIDA did the official translations. Mike Ashley wrote and maintains the +GNU Privacy Handbook. David Scribner is the current FAQ editor. +Lorenzo Cappelletti maintains the web site. + + The new modularized architecture of gnupg 1.9 as well as the +X.509/CMS part has been developed as part of the Ägypten project. +Direct contributors to this project are: Bernhard Herzog, who did +extensive testing and tracked down a lot of bugs. Bernhard Reiter, who +made sure that we met the specifications and the deadlines. He did +extensive testing and came up with a lot of suggestions. Jan-Oliver +Wagner made sure that we met the specifications and the deadlines. He +also did extensive testing and came up with a lot of suggestions. +Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and +misconceptions while working on KDE integration. Marcus Brinkman +extended GPGME, cleaned up the Assuan code and fixed bugs all over the +place. Moritz Schulte took over Libgcrypt maintenance and developed it +into a stable an useful library. Steffen Hansen had a hard time to +write the dirmngr due to underspecified interfaces. Thomas Koester did +extensive testing and tracked down a lot of bugs. Werner Koch designed +the system and wrote most of the code. + + The following people helped greatly by suggesting improvements, +testing, fixing bugs, providing resources and doing other important +tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand +Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews, +Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian +Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de +Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere, +Christian Kurz, Christian von Roques, Christopher Oliver, Christian +Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra, +David C Niemi, David Champion, David Ellement, David Hallinan, David +Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri, +Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas, +Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor, +Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco +Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin, +Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg +Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg +Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust, +Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh +Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan +Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff +Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio +MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett, +John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph +Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel, +Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin +Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman, +M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus +Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin +Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala, +Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels, +Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael +Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F. +Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver +Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per +Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter +Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong, +Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner, +Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann, +Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts, +Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL +Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller, +Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne +Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas +Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom +Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner, +Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P. +Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne +Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki +and Gerlinde Klaes. + + This software has been made possible by the previous work of Chris +Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul +Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher +Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA +mathematicians and all the folks who have worked hard to create complete +and free operating systems. + + And finally we'd like to thank everyone who uses these tools, submits +bug reports and generally reminds us why we're doing this work in the +first place. + + +File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top + +Glossary +******** + +'ARL' + The _Authority Revocation List_ is technical identical to a CRL but + used for CAs and not for end user certificates. + +'Chain model' + Verification model for X.509 which uses the creation date of a + signature as the date the validation starts and in turn checks that + each certificate has been issued within the time frame, the issuing + certificate was valid. This allows the verification of signatures + after the CA's certificate expired. The validation test also + required an online check of the certificate status. The chain + model is required by the German signature law. See also _Shell + model_. + +'CMS' + The _Cryptographic Message Standard_ describes a message format for + encryption and digital signing. It is closely related to the X.509 + certificate format. CMS was formerly known under the name 'PKCS#7' + and is described by 'RFC3369'. + +'CRL' + The _Certificate Revocation List_ is a list containing certificates + revoked by the issuer. + +'CSR' + The _Certificate Signing Request_ is a message send to a CA to ask + them to issue a new certificate. The data format of such a signing + request is called PCKS#10. + +'OpenPGP' + A data format used to build a PKI and to exchange encrypted or + signed messages. In contrast to X.509, OpenPGP also includes the + message format but does not explicitly demand a specific PKI. + However any kind of PKI may be build upon the OpenPGP protocol. + +'Keygrip' + This term is used by GnuPG to describe a 20 byte hash value used to + identify a certain key without referencing to a concrete protocol. + It is used internally to access a private key. Usually it is shown + and entered as a 40 character hexadecimal formatted string. + +'OCSP' + The _Online Certificate Status Protocol_ is used as an alternative + to a CRL. It is described in 'RFC 2560'. + +'PSE' + The _Personal Security Environment_ describes a database to store + private keys. This is either a smartcard or a collection of files + on a disk; the latter is often called a Soft-PSE. + +'Shell model' + The standard model for validation of certificates under X.509. At + the time of the verification all certificates must be valid and not + expired. See also _Chain model_. + +'X.509' + Description of a PKI used with CMS. It is for example defined by + 'RFC3280'. + + +File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top + +Option Index +************ + + +* Menu: + +* --override-compliance-check: GPG Esoteric Options. + (line 424) +* add-servers: Dirmngr Options. (line 313) +* agent-program: GPG Configuration Options. + (line 755) +* agent-program <1>: Configuration Options. + (line 53) +* agent-program <2>: Invoking gpg-connect-agent. + (line 42) +* allow-admin: Scdaemon Options. (line 204) +* allow-emacs-pinentry: Agent Options. (line 206) +* allow-freeform-uid: GPG Esoteric Options. + (line 367) +* allow-loopback-pinentry: Agent Options. (line 188) +* allow-multiple-messages: GPG Esoteric Options. + (line 560) +* allow-non-selfsigned-uid: GPG Esoteric Options. + (line 362) +* allow-ocsp: Dirmngr Options. (line 330) +* allow-preset-passphrase: Agent Options. (line 183) +* allow-secret-key-import: GPG Esoteric Options. + (line 556) +* allow-version-check: Dirmngr Options. (line 138) +* allow-weak-digest-algos: GPG Esoteric Options. + (line 403) +* allow-weak-key-signatures: GPG Esoteric Options. + (line 419) +* always-trust: Deprecated Options. (line 21) +* armor: GPG Input and Output. + (line 8) +* armor <1>: Input and Output. (line 8) +* ask-cert-expire: GPG Esoteric Options. + (line 521) +* ask-cert-level: GPG Configuration Options. + (line 360) +* ask-sig-expire: GPG Esoteric Options. + (line 507) +* assume-armor: Input and Output. (line 14) +* assume-base64: Input and Output. (line 18) +* assume-binary: Input and Output. (line 21) +* attribute-fd: GPG Esoteric Options. + (line 92) +* attribute-file: GPG Esoteric Options. + (line 98) +* auto-check-trustdb: GPG Configuration Options. + (line 742) +* auto-expand-secmem: Agent Options. (line 456) +* auto-issuer-key-retrieve: Certificate Options. (line 62) +* auto-key-import: GPG Configuration Options. + (line 578) +* auto-key-locate: GPG Configuration Options. + (line 509) +* auto-key-retrieve: GPG Configuration Options. + (line 590) +* base64: Input and Output. (line 11) +* batch: Agent Options. (line 48) +* batch <1>: GPG Configuration Options. + (line 45) +* batch <2>: gpgtar. (line 104) +* blacklist: gpg-wks-client. (line 126) +* bzip2-compress-level: GPG Configuration Options. + (line 334) +* bzip2-decompress-lowmem: GPG Configuration Options. + (line 344) +* c: Dirmngr Options. (line 87) +* cache-cert: dirmngr-client. (line 72) +* call-dirmngr: Operational GPGSM Commands. + (line 27) +* call-protect-tool: Operational GPGSM Commands. + (line 41) +* card-edit: Operational GPG Commands. + (line 210) +* card-status: Operational GPG Commands. + (line 216) +* card-timeout: Scdaemon Options. (line 180) +* cert-digest-algo: GPG Esoteric Options. + (line 238) +* cert-notation: GPG Esoteric Options. + (line 124) +* cert-policy-url: GPG Esoteric Options. + (line 160) +* change-passphrase: OpenPGP Key Management. + (line 452) +* change-passphrase <1>: Certificate Management. + (line 109) +* change-pin: Operational GPG Commands. + (line 219) +* check: gpg-check-pattern. (line 56) +* check-passphrase-pattern: Agent Options. (line 260) +* check-signatures: Operational GPG Commands. + (line 140) +* check-sigs: Operational GPG Commands. + (line 141) +* check-sym-passphrase-pattern: Agent Options. (line 260) +* check-trustdb: Operational GPG Commands. + (line 349) +* cipher-algo: GPG Esoteric Options. + (line 199) +* cipher-algo <1>: CMS Options. (line 13) +* clear-sign: Operational GPG Commands. + (line 17) +* clearsign: Operational GPG Commands. + (line 18) +* cms: gpgtar. (line 99) +* command-fd: GPG Esoteric Options. + (line 350) +* command-file: GPG Esoteric Options. + (line 357) +* comment: GPG Esoteric Options. + (line 103) +* compatibility-flags: Esoteric Options. (line 57) +* compliance: Compliance Options. (line 67) +* compliance <1>: Esoteric Options. (line 18) +* compliant-needed: GPG Configuration Options. + (line 717) +* compress-algo: GPG Esoteric Options. + (line 215) +* compress-level: GPG Configuration Options. + (line 334) +* connect-quick-timeout: Dirmngr Options. (line 125) +* connect-timeout: Dirmngr Options. (line 125) +* create: gpgtar. (line 16) +* create-socketdir: Invoking gpgconf. (line 96) +* csh: Agent Options. (line 146) +* csh <1>: Dirmngr Options. (line 87) +* ctapi-driver: Scdaemon Options. (line 157) +* daemon: Agent Commands. (line 27) +* daemon <1>: Dirmngr Commands. (line 27) +* daemon <2>: Scdaemon Commands. (line 31) +* dearmor: Operational GPG Commands. + (line 403) +* debug: Agent Options. (line 82) +* debug <1>: Dirmngr Options. (line 59) +* debug <2>: GPG Esoteric Options. + (line 47) +* debug <3>: Esoteric Options. (line 90) +* debug <4>: Scdaemon Options. (line 69) +* debug-all: Agent Options. (line 106) +* debug-all <1>: Dirmngr Options. (line 66) +* debug-all <2>: GPG Esoteric Options. + (line 53) +* debug-all <3>: Esoteric Options. (line 117) +* debug-all <4>: Scdaemon Options. (line 96) +* debug-allow-core-dump: Esoteric Options. (line 120) +* debug-allow-core-dump <1>: Scdaemon Options. (line 113) +* debug-assuan-log-cats: Scdaemon Options. (line 122) +* debug-disable-ticker: Scdaemon Options. (line 109) +* debug-ignore-expiration: Esoteric Options. (line 131) +* debug-iolbf: GPG Esoteric Options. + (line 56) +* debug-level: Agent Options. (line 57) +* debug-level <1>: Dirmngr Options. (line 34) +* debug-level <2>: GPG Esoteric Options. + (line 22) +* debug-level <3>: Esoteric Options. (line 65) +* debug-level <4>: Scdaemon Options. (line 40) +* debug-log-tid: Scdaemon Options. (line 119) +* debug-no-chain-validation: Esoteric Options. (line 127) +* debug-pinentry: Agent Options. (line 126) +* debug-quick-random: Agent Options. (line 114) +* debug-wait: Agent Options. (line 109) +* debug-wait <1>: Dirmngr Options. (line 74) +* debug-wait <2>: Scdaemon Options. (line 99) +* debug-wait <3>: Scdaemon Options. (line 104) +* decode: Invoking gpg-connect-agent. + (line 95) +* decrypt: Operational GPG Commands. + (line 59) +* decrypt <1>: Operational GPGSM Commands. + (line 11) +* decrypt <2>: gpgtar. (line 29) +* decrypt-files: Operational GPG Commands. + (line 114) +* default-cache-ttl: Agent Options. (line 217) +* default-cache-ttl <1>: Agent Options. (line 226) +* default-cert-expire: GPG Esoteric Options. + (line 527) +* default-cert-level: GPG Configuration Options. + (line 368) +* default-key: GPG Configuration Options. + (line 10) +* default-key <1>: Input and Output. (line 34) +* default-keyserver-url: GPG Esoteric Options. + (line 589) +* default-new-key-algo STRING: GPG Esoteric Options. + (line 534) +* default-preference-list: GPG Esoteric Options. + (line 584) +* default-recipient: GPG Configuration Options. + (line 19) +* default-recipient-self: GPG Configuration Options. + (line 23) +* default-sig-expire: GPG Esoteric Options. + (line 513) +* delete-keys: Operational GPG Commands. + (line 224) +* delete-keys <1>: Certificate Management. + (line 60) +* delete-secret-and-public-key: Operational GPG Commands. + (line 244) +* delete-secret-keys: Operational GPG Commands. + (line 233) +* deny-admin: Scdaemon Options. (line 204) +* desig-revoke: OpenPGP Key Management. + (line 134) +* detach-sign: Operational GPG Commands. + (line 28) +* digest-algo: GPG Esoteric Options. + (line 208) +* directory: gpgtar. (line 76) +* directory <1>: gpg-wks-client. (line 122) +* directory <2>: gpg-wks-server. (line 50) +* dirmngr: Invoking gpg-connect-agent. + (line 54) +* dirmngr-program: GPG Configuration Options. + (line 762) +* dirmngr-program <1>: Configuration Options. + (line 59) +* dirmngr-program <2>: Invoking gpg-connect-agent. + (line 49) +* disable-application: Scdaemon Options. (line 214) +* disable-ccid: Scdaemon Options. (line 162) +* disable-check-own-socket: Agent Options. (line 342) +* disable-check-own-socket <1>: Dirmngr Options. (line 79) +* disable-cipher-algo: GPG Esoteric Options. + (line 246) +* disable-crl-checks: Certificate Options. (line 13) +* disable-dsa2: GPG Configuration Options. + (line 196) +* disable-extended-key-format: Agent Options. (line 388) +* disable-http: Dirmngr Options. (line 217) +* disable-ipv4: Dirmngr Options. (line 211) +* disable-ipv6: Dirmngr Options. (line 211) +* disable-large-rsa: GPG Configuration Options. + (line 187) +* disable-ldap: Dirmngr Options. (line 214) +* disable-mdc: OpenPGP Options. (line 25) +* disable-ocsp: Certificate Options. (line 53) +* disable-pinpad: Scdaemon Options. (line 201) +* disable-policy-checks: Certificate Options. (line 8) +* disable-pubkey-algo: GPG Esoteric Options. + (line 251) +* disable-scdaemon: Agent Options. (line 336) +* disable-signer-uid: OpenPGP Options. (line 31) +* disable-trusted-cert-crl-check: Certificate Options. (line 24) +* display: Agent Options. (line 360) +* display-charset: GPG Configuration Options. + (line 281) +* display-charset:iso-8859-1: GPG Configuration Options. + (line 291) +* display-charset:iso-8859-15: GPG Configuration Options. + (line 297) +* display-charset:iso-8859-2: GPG Configuration Options. + (line 294) +* display-charset:koi8-r: GPG Configuration Options. + (line 300) +* display-charset:utf-8: GPG Configuration Options. + (line 303) +* dry-run: GPG Esoteric Options. + (line 8) +* dry-run <1>: gpgtar. (line 72) +* dump-cert: Certificate Management. + (line 36) +* dump-chain: Certificate Management. + (line 40) +* dump-external-keys: Certificate Management. + (line 47) +* dump-keys: Certificate Management. + (line 36) +* dump-options: Agent Commands. (line 19) +* dump-options <1>: Dirmngr Commands. (line 18) +* dump-options <2>: General GPG Commands. + (line 20) +* dump-options <3>: General GPGSM Commands. + (line 19) +* dump-options <4>: Scdaemon Commands. (line 18) +* dump-secret-keys: Certificate Management. + (line 43) +* edit-card: Operational GPG Commands. + (line 209) +* edit-key: OpenPGP Key Management. + (line 139) +* emit-version: GPG Esoteric Options. + (line 114) +* enable-crl-checks: Certificate Options. (line 13) +* enable-dsa2: GPG Configuration Options. + (line 196) +* enable-extended-key-format: Agent Options. (line 388) +* enable-issuer-based-crl-check: Certificate Options. (line 45) +* enable-large-rsa: GPG Configuration Options. + (line 187) +* enable-ocsp: Certificate Options. (line 53) +* enable-passphrase-history: Agent Options. (line 283) +* enable-pinpad-varlen: Scdaemon Options. (line 193) +* enable-policy-checks: Certificate Options. (line 8) +* enable-progress-filter: GPG Esoteric Options. + (line 69) +* enable-putty-support: Agent Options. (line 402) +* enable-special-filenames: GPG Esoteric Options. + (line 571) +* enable-special-filenames <1>: gpgv. (line 97) +* enable-ssh-support: Agent Options. (line 402) +* enable-trusted-cert-crl-check: Certificate Options. (line 24) +* enarmor: Operational GPG Commands. + (line 403) +* encrypt: Operational GPG Commands. + (line 32) +* encrypt <1>: Operational GPGSM Commands. + (line 7) +* encrypt <2>: gpgtar. (line 23) +* encrypt-files: Operational GPG Commands. + (line 111) +* encrypt-to: GPG Key related Options. + (line 35) +* enforce-passphrase-constraints: Agent Options. (line 244) +* escape-from-lines: GPG Esoteric Options. + (line 276) +* exec: Invoking gpg-connect-agent. + (line 65) +* exec-path: GPG Configuration Options. + (line 225) +* exit-on-status-write-error: GPG Configuration Options. + (line 791) +* expert: GPG Configuration Options. + (line 846) +* export: Operational GPG Commands. + (line 250) +* export <1>: Certificate Management. + (line 69) +* export-filter: GPG Input and Output. + (line 131) +* export-options: GPG Input and Output. + (line 220) +* export-ownertrust: Operational GPG Commands. + (line 364) +* export-secret-key-p12: Certificate Management. + (line 82) +* export-secret-key-p8: Certificate Management. + (line 91) +* export-secret-key-raw: Certificate Management. + (line 91) +* export-secret-keys: Operational GPG Commands. + (line 268) +* export-secret-subkeys: Operational GPG Commands. + (line 268) +* export-ssh-key: Operational GPG Commands. + (line 290) +* extra-digest-algo: Esoteric Options. (line 7) +* extra-socket: Agent Options. (line 374) +* extract: gpgtar. (line 19) +* faked-system-time: Agent Options. (line 52) +* faked-system-time <1>: GPG Esoteric Options. + (line 60) +* faked-system-time <2>: Esoteric Options. (line 46) +* fast-list-mode: GPG Esoteric Options. + (line 462) +* fetch-crl: Dirmngr Commands. (line 52) +* fetch-keys: Operational GPG Commands. + (line 333) +* fingerprint: Operational GPG Commands. + (line 194) +* fixed-list-mode: GPG Input and Output. + (line 284) +* flush: Dirmngr Commands. (line 62) +* for-your-eyes-only: GPG Esoteric Options. + (line 185) +* forbid-gen-key: GPG Esoteric Options. + (line 551) +* force: Dirmngr Options. (line 93) +* force <1>: watchgnupg. (line 23) +* force-crl-refresh: Certificate Options. (line 35) +* force-default-responder: dirmngr-client. (line 64) +* force-mdc: OpenPGP Options. (line 25) +* force-sign-key: GPG Esoteric Options. + (line 545) +* forget: Invoking gpg-preset-passphrase. + (line 26) +* from: gpg-wks-server. (line 54) +* full-gen-key: OpenPGP Key Management. + (line 111) +* full-generate-key: OpenPGP Key Management. + (line 110) +* gen-key: OpenPGP Key Management. + (line 104) +* gen-key <1>: Certificate Management. + (line 8) +* gen-prime: Operational GPG Commands. + (line 398) +* gen-random: Operational GPG Commands. + (line 391) +* gen-revoke: OpenPGP Key Management. + (line 120) +* generate-designated-revocation: OpenPGP Key Management. + (line 133) +* generate-key: OpenPGP Key Management. + (line 103) +* generate-key <1>: Certificate Management. + (line 7) +* generate-revocation: OpenPGP Key Management. + (line 119) +* gnupg: Compliance Options. (line 12) +* gpg: gpgtar. (line 135) +* gpg-agent-info: GPG Configuration Options. + (line 752) +* gpg-args: gpgtar. (line 138) +* gpgconf-list: GPG Esoteric Options. + (line 605) +* gpgconf-test: GPG Esoteric Options. + (line 609) +* grab: Agent Options. (line 153) +* group: GPG Key related Options. + (line 55) +* header: gpg-wks-server. (line 57) +* help: Agent Commands. (line 15) +* help <1>: Dirmngr Commands. (line 14) +* help <2>: General GPG Commands. + (line 12) +* help <3>: General GPGSM Commands. + (line 11) +* help <4>: Scdaemon Commands. (line 14) +* help <5>: watchgnupg. (line 39) +* help <6>: dirmngr-client. (line 44) +* help <7>: gpgtar. (line 150) +* help <8>: gpg-wks-client. (line 141) +* help <9>: gpg-wks-server. (line 87) +* hex: Invoking gpg-connect-agent. + (line 91) +* hidden-encrypt-to: GPG Key related Options. + (line 43) +* hidden-recipient: GPG Key related Options. + (line 14) +* hidden-recipient-file: GPG Key related Options. + (line 29) +* homedir: Agent Options. (line 17) +* homedir <1>: GPG Configuration Options. + (line 260) +* homedir <2>: Configuration Options. + (line 16) +* homedir <3>: Scdaemon Options. (line 13) +* homedir <4>: gpgv. (line 69) +* homedir <5>: Invoking gpgconf. (line 120) +* homedir <6>: Invoking gpg-connect-agent. + (line 21) +* honor-http-proxy: Dirmngr Options. (line 236) +* http-proxy: Dirmngr Options. (line 240) +* ignore-cache-for-signing: Agent Options. (line 211) +* ignore-cert: Dirmngr Options. (line 389) +* ignore-cert-extension: Dirmngr Options. (line 379) +* ignore-cert-extension <1>: Certificate Options. (line 82) +* ignore-cert-with-oid: Esoteric Options. (line 37) +* ignore-crc-error: GPG Esoteric Options. + (line 387) +* ignore-http-dp: Dirmngr Options. (line 220) +* ignore-ldap-dp: Dirmngr Options. (line 227) +* ignore-mdc-error: GPG Esoteric Options. + (line 394) +* ignore-ocsp-service-url: Dirmngr Options. (line 232) +* ignore-time-conflict: GPG Esoteric Options. + (line 373) +* ignore-time-conflict <1>: gpgv. (line 63) +* ignore-valid-from: GPG Esoteric Options. + (line 380) +* import: Operational GPG Commands. + (line 304) +* import <1>: Certificate Management. + (line 99) +* import-filter: GPG Input and Output. + (line 131) +* import-options: GPG Input and Output. + (line 45) +* import-ownertrust: Operational GPG Commands. + (line 370) +* include-certs: CMS Options. (line 7) +* include-key-block: OpenPGP Options. (line 38) +* input-size-hint: GPG Input and Output. + (line 29) +* interactive: GPG Esoteric Options. + (line 19) +* keep-display: Agent Options. (line 365) +* keep-tty: Agent Options. (line 365) +* key-origin: GPG Input and Output. + (line 37) +* keydb-clear-some-cert-flags: Certificate Management. + (line 52) +* keyedit:addcardkey: OpenPGP Key Management. + (line 281) +* keyedit:addkey: OpenPGP Key Management. + (line 278) +* keyedit:addphoto: OpenPGP Key Management. + (line 201) +* keyedit:addrevoker: OpenPGP Key Management. + (line 330) +* keyedit:adduid: OpenPGP Key Management. + (line 198) +* keyedit:bkuptocard: OpenPGP Key Management. + (line 295) +* keyedit:change-usage: OpenPGP Key Management. + (line 357) +* keyedit:check: OpenPGP Key Management. + (line 194) +* keyedit:clean: OpenPGP Key Management. + (line 343) +* keyedit:cross-certify: OpenPGP Key Management. + (line 366) +* keyedit:delkey: OpenPGP Key Management. + (line 306) +* keyedit:delsig: OpenPGP Key Management. + (line 184) +* keyedit:deluid: OpenPGP Key Management. + (line 211) +* keyedit:disable: OpenPGP Key Management. + (line 326) +* keyedit:enable: OpenPGP Key Management. + (line 326) +* keyedit:expire: OpenPGP Key Management. + (line 315) +* keyedit:key: OpenPGP Key Management. + (line 148) +* keyedit:keyserver: OpenPGP Key Management. + (line 228) +* keyedit:keytocard: OpenPGP Key Management. + (line 284) +* keyedit:lsign: OpenPGP Key Management. + (line 159) +* keyedit:minimize: OpenPGP Key Management. + (line 352) +* keyedit:notation: OpenPGP Key Management. + (line 235) +* keyedit:nrsign: OpenPGP Key Management. + (line 164) +* keyedit:passwd: OpenPGP Key Management. + (line 336) +* keyedit:pref: OpenPGP Key Management. + (line 243) +* keyedit:primary: OpenPGP Key Management. + (line 220) +* keyedit:quit: OpenPGP Key Management. + (line 377) +* keyedit:revkey: OpenPGP Key Management. + (line 312) +* keyedit:revsig: OpenPGP Key Management. + (line 189) +* keyedit:revuid: OpenPGP Key Management. + (line 217) +* keyedit:save: OpenPGP Key Management. + (line 374) +* keyedit:setpref: OpenPGP Key Management. + (line 255) +* keyedit:showphoto: OpenPGP Key Management. + (line 208) +* keyedit:showpref: OpenPGP Key Management. + (line 247) +* keyedit:sign: OpenPGP Key Management. + (line 152) +* keyedit:toggle: OpenPGP Key Management. + (line 339) +* keyedit:trust: OpenPGP Key Management. + (line 321) +* keyedit:tsign: OpenPGP Key Management. + (line 168) +* keyedit:uid: OpenPGP Key Management. + (line 144) +* keyid-format: GPG Configuration Options. + (line 627) +* keyring: GPG Configuration Options. + (line 229) +* keyring <1>: gpgv. (line 38) +* keyserver: Dirmngr Options. (line 148) +* keyserver <1>: GPG Configuration Options. + (line 636) +* keyserver <2>: Configuration Options. + (line 43) +* keyserver-options: GPG Configuration Options. + (line 655) +* kill: Invoking gpgconf. (line 89) +* known-notation: GPG Esoteric Options. + (line 151) +* launch: Invoking gpgconf. (line 80) +* lc-ctype: Agent Options. (line 360) +* lc-messages: Agent Options. (line 360) +* ldap-proxy: Dirmngr Options. (line 245) +* ldapserver: Dirmngr Options. (line 275) +* ldapserverlist-file: Dirmngr Options. (line 256) +* ldaptimeout: Dirmngr Options. (line 309) +* learn-card: Certificate Management. + (line 104) +* legacy-list-mode: GPG Input and Output. + (line 290) +* limit-card-insert-tries: GPG Configuration Options. + (line 800) +* list-archive: gpgtar. (line 39) +* list-chain: Certificate Management. + (line 32) +* list-config: GPG Esoteric Options. + (line 594) +* list-crls: Dirmngr Commands. (line 40) +* list-gcrypt-config: GPG Esoteric Options. + (line 602) +* list-keys: Operational GPG Commands. + (line 119) +* list-keys <1>: Certificate Management. + (line 17) +* list-keys <2>: Certificate Management. + (line 28) +* list-only: GPG Esoteric Options. + (line 11) +* list-options: GPG Configuration Options. + (line 71) +* list-options:show-keyring: GPG Configuration Options. + (line 119) +* list-options:show-keyserver-urls: GPG Configuration Options. + (line 103) +* list-options:show-notations: GPG Configuration Options. + (line 99) +* list-options:show-only-fpr-mbox: GPG Configuration Options. + (line 134) +* list-options:show-photos: GPG Configuration Options. + (line 79) +* list-options:show-policy-urls: GPG Configuration Options. + (line 93) +* list-options:show-sig-expire: GPG Configuration Options. + (line 123) +* list-options:show-sig-subpackets: GPG Configuration Options. + (line 127) +* list-options:show-std-notations: GPG Configuration Options. + (line 99) +* list-options:show-uid-validity: GPG Configuration Options. + (line 107) +* list-options:show-unusable-subkeys: GPG Configuration Options. + (line 115) +* list-options:show-unusable-uids: GPG Configuration Options. + (line 111) +* list-options:show-usage: GPG Configuration Options. + (line 87) +* list-options:show-user-notations: GPG Configuration Options. + (line 99) +* list-packets: Operational GPG Commands. + (line 203) +* list-secret-keys: Operational GPG Commands. + (line 130) +* list-secret-keys <1>: Certificate Management. + (line 24) +* list-signatures: GPG Esoteric Options. + (line 450) +* list-sigs: GPG Esoteric Options. + (line 451) +* listen-backlog: Agent Options. (line 370) +* listen-backlog <1>: Dirmngr Options. (line 134) +* listen-backlog <2>: Scdaemon Options. (line 135) +* load-crl: Dirmngr Commands. (line 44) +* load-crl <1>: dirmngr-client. (line 80) +* local-user: GPG Key related Options. + (line 77) +* local-user <1>: Input and Output. (line 41) +* local-user <2>: gpgtar. (line 53) +* locate-external-keys: Operational GPG Commands. + (line 170) +* locate-keys: Operational GPG Commands. + (line 170) +* lock-multiple: GPG Configuration Options. + (line 780) +* lock-never: GPG Configuration Options. + (line 784) +* lock-once: GPG Configuration Options. + (line 776) +* log-file: Agent Options. (line 159) +* log-file <1>: Dirmngr Options. (line 30) +* log-file <2>: GPG Esoteric Options. + (line 86) +* log-file <3>: Configuration Options. + (line 80) +* log-file <4>: Scdaemon Options. (line 140) +* log-file <5>: gpgv. (line 59) +* logger-fd: GPG Esoteric Options. + (line 82) +* logger-fd <1>: gpgv. (line 56) +* lookup: dirmngr-client. (line 86) +* lsign-key: OpenPGP Key Management. + (line 392) +* mangle-dos-filenames: GPG Configuration Options. + (line 352) +* marginals-needed: GPG Configuration Options. + (line 721) +* max-cache-ttl: Agent Options. (line 232) +* max-cache-ttl-ssh: Agent Options. (line 238) +* max-cert-depth: GPG Configuration Options. + (line 729) +* max-output: GPG Input and Output. + (line 19) +* max-passphrase-days: Agent Options. (line 278) +* max-replies: Dirmngr Options. (line 376) +* min-cert-level: GPG Configuration Options. + (line 397) +* min-passphrase-len: Agent Options. (line 248) +* min-passphrase-nonalpha: Agent Options. (line 253) +* min-rsa-length: Compliance Options. (line 72) +* min-rsa-length <1>: Esoteric Options. (line 22) +* multi-server: Scdaemon Commands. (line 26) +* multifile: Operational GPG Commands. + (line 100) +* nameserver: Dirmngr Options. (line 203) +* no: GPG Configuration Options. + (line 67) +* no <1>: gpgtar. (line 113) +* no-allow-external-cache: Agent Options. (line 196) +* no-allow-loopback-pinentry: Agent Options. (line 188) +* no-allow-mark-trusted: Agent Options. (line 167) +* no-armor: GPG Input and Output. + (line 12) +* no-auto-key-import: GPG Configuration Options. + (line 578) +* no-auto-key-retrieve: GPG Configuration Options. + (line 590) +* no-autostart: GPG Configuration Options. + (line 769) +* no-autostart <1>: Configuration Options. + (line 69) +* no-autostart <2>: Invoking gpg-connect-agent. + (line 77) +* no-batch: GPG Configuration Options. + (line 45) +* no-common-certs-import: Esoteric Options. (line 168) +* no-default-keyring: GPG Esoteric Options. + (line 432) +* no-default-recipient: GPG Configuration Options. + (line 29) +* no-detach: Agent Options. (line 131) +* no-detach <1>: Scdaemon Options. (line 131) +* no-encrypt-to: GPG Key related Options. + (line 51) +* no-expensive-trust-checks: GPG Esoteric Options. + (line 576) +* no-ext-connect: Invoking gpg-connect-agent. + (line 72) +* no-grab: Agent Options. (line 153) +* no-greeting: GPG Configuration Options. + (line 814) +* no-groups: GPG Key related Options. + (line 73) +* no-keyring: GPG Esoteric Options. + (line 438) +* no-literal: GPG Esoteric Options. + (line 470) +* no-mangle-dos-filenames: GPG Configuration Options. + (line 352) +* no-options: GPG Configuration Options. + (line 327) +* no-random-seed-file: GPG Configuration Options. + (line 808) +* no-secmem-warning: GPG Configuration Options. + (line 817) +* no-secmem-warning <1>: Configuration Options. + (line 76) +* no-sig-cache: GPG Configuration Options. + (line 732) +* no-skip-hidden-recipients: GPG Key related Options. + (line 108) +* no-symkey-cache: GPG Esoteric Options. + (line 337) +* no-tty: GPG Configuration Options. + (line 58) +* no-use-standard-socket: Agent Options. (line 350) +* no-use-tor: Dirmngr Options. (line 98) +* no-user-trustlist: Agent Options. (line 172) +* no-verbose: GPG Configuration Options. + (line 37) +* not-dash-escaped: GPG Esoteric Options. + (line 266) +* null: gpgtar. (line 86) +* null <1>: gpg-check-pattern. (line 59) +* ocsp: dirmngr-client. (line 61) +* ocsp-current-period: Dirmngr Options. (line 371) +* ocsp-max-clock-skew: Dirmngr Options. (line 363) +* ocsp-max-period: Dirmngr Options. (line 367) +* ocsp-responder: Dirmngr Options. (line 337) +* ocsp-signer: Dirmngr Options. (line 342) +* only-ldap-proxy: Dirmngr Options. (line 251) +* openpgp: Compliance Options. (line 19) +* openpgp <1>: gpgtar. (line 95) +* options: Agent Options. (line 10) +* options <1>: Dirmngr Options. (line 11) +* options <2>: Dirmngr Options. (line 16) +* options <3>: GPG Configuration Options. + (line 322) +* options <4>: Configuration Options. + (line 10) +* options <5>: Scdaemon Options. (line 7) +* output: GPG Input and Output. + (line 16) +* output <1>: Input and Output. (line 51) +* output <2>: gpgv. (line 45) +* output <3>: gpgtar. (line 57) +* output <4>: gpg-wks-client. (line 111) +* output <5>: gpg-wks-server. (line 65) +* override-session-key: GPG Esoteric Options. + (line 494) +* p12-charset: Input and Output. (line 24) +* passphrase: GPG Esoteric Options. + (line 312) +* passphrase <1>: Invoking gpg-preset-passphrase. + (line 36) +* passphrase-fd: GPG Esoteric Options. + (line 291) +* passphrase-fd <1>: Esoteric Options. (line 136) +* passphrase-file: GPG Esoteric Options. + (line 301) +* passphrase-repeat: GPG Esoteric Options. + (line 283) +* passwd: OpenPGP Key Management. + (line 453) +* passwd <1>: Certificate Management. + (line 110) +* pcsc-driver: Scdaemon Options. (line 150) +* pcsc-shared: Scdaemon Options. (line 144) +* pem: dirmngr-client. (line 58) +* permission-warning: GPG Configuration Options. + (line 820) +* personal-cipher-preferences: OpenPGP Options. (line 46) +* personal-compress-preferences: OpenPGP Options. (line 64) +* personal-digest-preferences: OpenPGP Options. (line 55) +* pgp6: Compliance Options. (line 44) +* pgp7: Compliance Options. (line 54) +* pgp8: Compliance Options. (line 60) +* photo-viewer: GPG Configuration Options. + (line 202) +* pinentry-formatted-passphrase: Agent Options. (line 297) +* pinentry-invisible-char: Agent Options. (line 286) +* pinentry-mode: GPG Esoteric Options. + (line 322) +* pinentry-mode <1>: Esoteric Options. (line 145) +* pinentry-program: Agent Options. (line 310) +* pinentry-timeout: Agent Options. (line 291) +* pinentry-touch-file: Agent Options. (line 323) +* ping: dirmngr-client. (line 69) +* policy-file: Configuration Options. + (line 50) +* prefer-system-dirmngr: Configuration Options. + (line 63) +* preserve-permissions: GPG Esoteric Options. + (line 579) +* preset: Invoking gpg-preset-passphrase. + (line 22) +* primary-keyring: GPG Configuration Options. + (line 243) +* print-md: Operational GPG Commands. + (line 386) +* q: Invoking gpg-connect-agent. + (line 18) +* quick-add-key: OpenPGP Key Management. + (line 69) +* quick-add-uid: OpenPGP Key Management. + (line 420) +* quick-gen-key: OpenPGP Key Management. + (line 10) +* quick-generate-key: OpenPGP Key Management. + (line 10) +* quick-lsign-key: OpenPGP Key Management. + (line 398) +* quick-revoke-sig: OpenPGP Key Management. + (line 435) +* quick-revoke-uid: OpenPGP Key Management. + (line 427) +* quick-set-expire: OpenPGP Key Management. + (line 60) +* quick-set-primary-uid: OpenPGP Key Management. + (line 445) +* quick-sign-key: OpenPGP Key Management. + (line 398) +* quiet: Agent Options. (line 45) +* quiet <1>: GPG Configuration Options. + (line 40) +* quiet <2>: gpgv. (line 35) +* quiet <3>: Invoking gpgconf. (line 117) +* quiet <4>: Invoking gpg-connect-agent. + (line 18) +* quiet <5>: dirmngr-client. (line 48) +* quiet <6>: gpgtar. (line 65) +* quiet <7>: gpg-wks-client. (line 135) +* quiet <8>: gpg-wks-server. (line 81) +* raw-socket: Invoking gpg-connect-agent. + (line 59) +* reader-port: Scdaemon Options. (line 168) +* rebuild-keydb-caches: Operational GPG Commands. + (line 380) +* receive-keys: Operational GPG Commands. + (line 313) +* recipient: GPG Key related Options. + (line 8) +* recipient <1>: Input and Output. (line 46) +* recipient <2>: gpgtar. (line 49) +* recipient-file: GPG Key related Options. + (line 22) +* recursive-resolver: Dirmngr Options. (line 117) +* recv-keys: Operational GPG Commands. + (line 314) +* refresh-keys: Operational GPG Commands. + (line 317) +* reload: Invoking gpgconf. (line 74) +* remove-socketdir: Invoking gpgconf. (line 102) +* request-origin: GPG Esoteric Options. + (line 342) +* request-origin <1>: Esoteric Options. (line 160) +* require-compliance: Compliance Options. (line 77) +* require-compliance <1>: Esoteric Options. (line 27) +* require-compliance <2>: gpgtar. (line 117) +* require-cross-certification: GPG Configuration Options. + (line 839) +* require-secmem: GPG Configuration Options. + (line 834) +* resolver-timeout: Dirmngr Options. (line 120) +* rfc2440: Compliance Options. (line 37) +* rfc4880: Compliance Options. (line 25) +* rfc4880bis: Compliance Options. (line 30) +* run: Invoking gpg-connect-agent. + (line 82) +* s: Dirmngr Options. (line 87) +* s2k-calibration: Agent Options. (line 465) +* s2k-cipher-algo: OpenPGP Options. (line 74) +* s2k-count: Agent Options. (line 472) +* s2k-count <1>: OpenPGP Options. (line 90) +* s2k-digest-algo: OpenPGP Options. (line 79) +* s2k-mode: OpenPGP Options. (line 83) +* scdaemon-program: Agent Options. (line 332) +* search-keys: Operational GPG Commands. + (line 323) +* secret-keyring: GPG Configuration Options. + (line 248) +* send: gpg-wks-client. (line 72) +* send <1>: gpg-wks-server. (line 60) +* send-keys: Operational GPG Commands. + (line 257) +* sender: GPG Key related Options. + (line 81) +* server: Agent Commands. (line 23) +* server <1>: Dirmngr Commands. (line 22) +* server <2>: Operational GPGSM Commands. + (line 24) +* server <3>: Scdaemon Commands. (line 22) +* set-filename: GPG Esoteric Options. + (line 178) +* set-filename <1>: gpgtar. (line 129) +* set-filesize: GPG Esoteric Options. + (line 474) +* set-notation: GPG Esoteric Options. + (line 124) +* set-policy-url: GPG Esoteric Options. + (line 160) +* sh: Agent Options. (line 146) +* sh <1>: Dirmngr Options. (line 87) +* show-keyring: Deprecated Options. (line 16) +* show-keys: Operational GPG Commands. + (line 185) +* show-notation: Deprecated Options. (line 25) +* show-photos: Deprecated Options. (line 8) +* show-policy-url: Deprecated Options. (line 33) +* show-session-key: GPG Esoteric Options. + (line 478) +* shutdown: Dirmngr Commands. (line 58) +* sig-keyserver-url: GPG Esoteric Options. + (line 170) +* sig-notation: GPG Esoteric Options. + (line 124) +* sig-policy-url: GPG Esoteric Options. + (line 160) +* sign: Operational GPG Commands. + (line 8) +* sign <1>: Operational GPGSM Commands. + (line 16) +* sign-key: OpenPGP Key Management. + (line 388) +* skip-crypto: gpgtar. (line 68) +* skip-hidden-recipients: GPG Key related Options. + (line 108) +* skip-verify: GPG Esoteric Options. + (line 442) +* squid-mode: dirmngr-client. (line 101) +* ssh-fingerprint-digest: Agent Options. (line 450) +* standard-resolver: Dirmngr Options. (line 110) +* status-fd: GPG Esoteric Options. + (line 74) +* status-fd <1>: gpgv. (line 52) +* status-fd <2>: Invoking gpgconf. (line 158) +* status-fd <3>: gpgtar. (line 120) +* status-fd <4>: gpg-wks-client. (line 115) +* status-file: GPG Esoteric Options. + (line 78) +* steal-socket: Agent Options. (line 135) +* store: Operational GPG Commands. + (line 55) +* subst: Invoking gpg-connect-agent. + (line 88) +* supervised: Agent Commands. (line 36) +* supervised <1>: Dirmngr Commands. (line 33) +* symmetric: Operational GPG Commands. + (line 42) +* sys-trustlist-name: Agent Options. (line 177) +* tar-args: gpgtar. (line 141) +* textmode: OpenPGP Options. (line 8) +* throw-keyids: GPG Esoteric Options. + (line 257) +* time-only: watchgnupg. (line 30) +* tls-debug: Dirmngr Options. (line 69) +* tofu-default-policy: GPG Configuration Options. + (line 725) +* tofu-policy: Operational GPG Commands. + (line 408) +* trust-model: GPG Configuration Options. + (line 412) +* trust-model:always: GPG Configuration Options. + (line 493) +* trust-model:auto: GPG Configuration Options. + (line 502) +* trust-model:classic: GPG Configuration Options. + (line 420) +* trust-model:direct: GPG Configuration Options. + (line 485) +* trust-model:pgp: GPG Configuration Options. + (line 415) +* trust-model:tofu: GPG Configuration Options. + (line 423) +* trust-model:tofu+pgp: GPG Configuration Options. + (line 473) +* trustdb-name: GPG Configuration Options. + (line 253) +* trusted-key: GPG Configuration Options. + (line 403) +* try-all-secrets: GPG Key related Options. + (line 100) +* try-secret-key: GPG Key related Options. + (line 89) +* ttyname: Agent Options. (line 360) +* ttytype: Agent Options. (line 360) +* ungroup: GPG Key related Options. + (line 70) +* update-trustdb: Operational GPG Commands. + (line 339) +* url: dirmngr-client. (line 94) +* url <1>: dirmngr-client. (line 98) +* use-agent: GPG Configuration Options. + (line 749) +* use-embedded-filename: GPG Esoteric Options. + (line 194) +* use-standard-socket: Agent Options. (line 350) +* use-standard-socket-p: Agent Options. (line 350) +* use-tor: Dirmngr Options. (line 98) +* utf8-strings: GPG Configuration Options. + (line 308) +* utf8-strings <1>: gpgtar. (line 90) +* v: Dirmngr Options. (line 25) +* v <1>: Configuration Options. + (line 38) +* v <2>: Scdaemon Options. (line 35) +* v <3>: dirmngr-client. (line 53) +* validate: dirmngr-client. (line 76) +* validation-model: Certificate Options. (line 73) +* verbose: Agent Options. (line 39) +* verbose <1>: Dirmngr Options. (line 25) +* verbose <2>: GPG Configuration Options. + (line 33) +* verbose <3>: Configuration Options. + (line 38) +* verbose <4>: Scdaemon Options. (line 35) +* verbose <5>: watchgnupg. (line 33) +* verbose <6>: gpgv. (line 30) +* verbose <7>: Invoking gpg-preset-passphrase. + (line 32) +* verbose <8>: Invoking gpg-connect-agent. + (line 14) +* verbose <9>: dirmngr-client. (line 53) +* verbose <10>: gpgtar. (line 61) +* verbose <11>: gpg-check-pattern. (line 53) +* verbose <12>: gpg-wks-client. (line 132) +* verbose <13>: gpg-wks-server. (line 78) +* verify: Operational GPG Commands. + (line 67) +* verify <1>: Operational GPGSM Commands. + (line 20) +* verify-files: Operational GPG Commands. + (line 108) +* verify-options: GPG Configuration Options. + (line 138) +* verify-options:pka-lookups: GPG Configuration Options. + (line 174) +* verify-options:pka-trust-increase: GPG Configuration Options. + (line 181) +* verify-options:show-keyserver-urls: GPG Configuration Options. + (line 157) +* verify-options:show-notations: GPG Configuration Options. + (line 153) +* verify-options:show-photos: GPG Configuration Options. + (line 143) +* verify-options:show-policy-urls: GPG Configuration Options. + (line 147) +* verify-options:show-primary-uid-only: GPG Configuration Options. + (line 169) +* verify-options:show-std-notations: GPG Configuration Options. + (line 153) +* verify-options:show-uid-validity: GPG Configuration Options. + (line 161) +* verify-options:show-unusable-uids: GPG Configuration Options. + (line 165) +* verify-options:show-user-notations: GPG Configuration Options. + (line 153) +* version: Agent Commands. (line 10) +* version <1>: Dirmngr Commands. (line 10) +* version <2>: General GPG Commands. + (line 7) +* version <3>: General GPGSM Commands. + (line 7) +* version <4>: Scdaemon Commands. (line 10) +* version <5>: watchgnupg. (line 36) +* version <6>: dirmngr-client. (line 40) +* version <7>: gpgtar. (line 147) +* version <8>: gpg-wks-client. (line 138) +* version <9>: gpg-wks-server. (line 84) +* warranty: General GPG Commands. + (line 17) +* warranty <1>: General GPGSM Commands. + (line 15) +* weak-digest: GPG Esoteric Options. + (line 411) +* weak-digest <1>: gpgv. (line 90) +* with-colons: GPG Input and Output. + (line 276) +* with-colons <1>: gpg-wks-client. (line 76) +* with-dir: gpg-wks-server. (line 69) +* with-ephemeral-keys: Esoteric Options. (line 52) +* with-file: gpg-wks-server. (line 73) +* with-fingerprint: GPG Input and Output. + (line 296) +* with-icao-spelling: GPG Input and Output. + (line 307) +* with-key-data: GPG Esoteric Options. + (line 446) +* with-key-data <1>: Input and Output. (line 54) +* with-key-origin: GPG Input and Output. + (line 315) +* with-keygrip: GPG Input and Output. + (line 311) +* with-log: gpgtar. (line 124) +* with-secret: GPG Input and Output. + (line 326) +* with-secret <1>: Input and Output. (line 78) +* with-subkey-fingerprint: GPG Input and Output. + (line 300) +* with-validation: Input and Output. (line 60) +* with-wkd-hash: GPG Input and Output. + (line 321) +* xauthority: Agent Options. (line 360) +* yes: GPG Configuration Options. + (line 63) +* yes <1>: gpgtar. (line 108) + + +File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top + +Environment Variable and File Index +*********************************** + + +* Menu: + +* .gpg-v21-migrated: GPG Configuration. (line 77) +* ~/.gnupg: GPG Configuration. (line 27) +* ASSUAN_DEBUG: Scdaemon Options. (line 122) +* COLUMNS: GPG Configuration. (line 118) +* com-certs.pem: GPGSM Configuration. (line 84) +* dirmngr.conf: Dirmngr Configuration. + (line 12) +* DISPLAY: GPGSM OPTION. (line 21) +* GNUPGHOME: Agent Options. (line 17) +* GNUPGHOME <1>: GPG Configuration Options. + (line 260) +* GNUPGHOME <2>: GPG Configuration. (line 106) +* GNUPGHOME <3>: Configuration Options. + (line 16) +* GNUPGHOME <4>: Scdaemon Options. (line 13) +* GNUPGHOME <5>: gpgv. (line 69) +* GNUPGHOME <6>: Invoking gpgconf. (line 120) +* GNUPGHOME <7>: Invoking gpg-connect-agent. + (line 21) +* GNUPG_BUILD_ROOT: GPG Configuration. (line 130) +* GNUPG_EXEC_DEBUG_FLAGS: GPG Configuration. (line 135) +* gpg-agent.conf: Agent Configuration. (line 11) +* gpg.conf: GPG Configuration. (line 11) +* gpgconf.ctl: Agent Options. (line 28) +* gpgconf.ctl <1>: GPG Configuration Options. + (line 271) +* gpgconf.ctl <2>: Configuration Options. + (line 27) +* gpgconf.ctl <3>: Scdaemon Options. (line 24) +* gpgconf.ctl <4>: gpgv. (line 80) +* gpgconf.ctl <5>: Invoking gpgconf. (line 131) +* gpgconf.ctl <6>: Invoking gpg-connect-agent. + (line 32) +* gpgsm.conf: GPGSM Configuration. (line 11) +* GPG_TTY: Invoking GPG-AGENT. (line 22) +* GPG_TTY <1>: GPGSM OPTION. (line 23) +* help.txt: GPGSM Configuration. (line 72) +* HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 159) +* HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 17) +* HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options. + (line 260) +* HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options. + (line 16) +* HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13) +* HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 69) +* HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpgconf. (line 120) +* HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking gpg-connect-agent. + (line 21) +* HOME: GPG Configuration. (line 103) +* http_proxy: Dirmngr Options. (line 240) +* LANGUAGE: GPG Configuration. (line 121) +* LC_CTYPE: GPGSM OPTION. (line 27) +* LC_MESSAGES: GPGSM OPTION. (line 29) +* LINES: GPG Configuration. (line 118) +* openpgp-revocs.d: GPG Configuration. (line 91) +* PATH: GPG Configuration Options. + (line 225) +* PINENTRY_USER_DATA: GPG Configuration. (line 113) +* PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33) +* policies.txt: GPGSM Configuration. (line 18) +* private-keys-v1.d: Agent Configuration. (line 106) +* pubring.gpg: GPG Configuration. (line 32) +* pubring.kbx: GPG Configuration. (line 50) +* pubring.kbx <1>: GPGSM Configuration. (line 100) +* qualified.txt: GPGSM Configuration. (line 33) +* random_seed: GPG Configuration. (line 88) +* random_seed <1>: GPGSM Configuration. (line 106) +* S.gpg-agent: GPGSM Configuration. (line 111) +* secring.gpg: GPG Configuration. (line 69) +* SHELL: Agent Options. (line 146) +* sshcontrol: Agent Configuration. (line 76) +* TERM: GPGSM OPTION. (line 25) +* trustdb.gpg: GPG Configuration. (line 80) +* trustlist.txt: Agent Configuration. (line 20) +* XAUTHORITY: GPGSM OPTION. (line 31) + + +File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top + +Index +***** + + +* Menu: + +* command options: Invoking GPG-AGENT. (line 6) +* command options <1>: Invoking DIRMNGR. (line 6) +* command options <2>: Invoking GPG. (line 6) +* command options <3>: Invoking GPGSM. (line 6) +* command options <4>: Invoking SCDAEMON. (line 6) +* contributors: Contributors. (line 6) +* DIRMNGR command options: Invoking DIRMNGR. (line 6) +* GPG command options: Invoking GPG. (line 6) +* GPG-AGENT command options: Invoking GPG-AGENT. (line 6) +* gpgconf.conf: Files used by gpgconf. + (line 7) +* GPGSM command options: Invoking GPGSM. (line 6) +* options, DIRMNGR command: Invoking DIRMNGR. (line 6) +* options, GPG command: Invoking GPG. (line 6) +* options, GPG-AGENT command: Invoking GPG-AGENT. (line 6) +* options, GPGSM command: Invoking GPGSM. (line 6) +* options, SCDAEMON command: Invoking SCDAEMON. (line 6) +* relax: Agent Configuration. (line 64) +* scd-event: Scdaemon Configuration. + (line 18) +* SCDAEMON command options: Invoking SCDAEMON. (line 6) +* scdaemon.conf: Scdaemon Configuration. + (line 11) +* SIGHUP: Agent Signals. (line 12) +* SIGHUP <1>: Dirmngr Signals. (line 12) +* SIGINT: Agent Signals. (line 31) +* SIGINT <1>: Dirmngr Signals. (line 26) +* SIGTERM: Agent Signals. (line 26) +* SIGTERM <1>: Dirmngr Signals. (line 19) +* SIGUSR1: Agent Signals. (line 34) +* SIGUSR1 <1>: Dirmngr Signals. (line 29) +* SIGUSR2: Agent Signals. (line 37) +* swdb.lst: Files used by gpgconf. + (line 14) +* trust values: Trust Values. (line 6) + |