Diffstat (limited to 'doc/gpg.texi')
-rw-r--r-- | doc/gpg.texi | 92 |
1 files changed, 75 insertions, 17 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index 39c996b..d1142a3 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -609,13 +609,14 @@ Print message digest of algorithm @var{algo} for all given files or STDIN. With the second form (or a deprecated "*" for @var{algo}) digests for all available algorithms are printed. -@item --gen-random @var{0|1|2} @var{count} +@item --gen-random @var{0|1|2|16|30} @var{count} @opindex gen-random Emit @var{count} random bytes of the given quality level 0, 1 or 2. If @var{count} is not given or zero, an endless sequence of random bytes will be emitted. If used with @option{--armor} the output will be -base64 encoded. PLEASE, don't use this command unless you know what -you are doing; it may remove precious entropy from the system! +base64 encoded. The special level 16 uses a quality level of 1 and +outputs and endless stream of hex-encoded octets. The special level +30 outputs random as 30 zBase-32 characters. @item --gen-prime @var{mode} @var{bits} @opindex gen-prime @@ -848,9 +849,10 @@ line. @opindex keyedit:tsign Make a trust signature. This is a signature that combines the notions of certification (like a regular signature), and trust (like the - "trust" command). It is generally only useful in distinct communities - or groups. For more information please read the sections - ``Trust Signature'' and ``Regular Expression'' in RFC-4880. + "trust" command). It is generally useful in distinct communities + or groups to implement the concept of a Trusted Introducer. For + more information please read the sections ``Trust Signature'' and + ``Regular Expression'' in RFC-4880. @end table @c man:.RS 
@@ -956,7 +958,8 @@ signing. --version} to get a list of available algorithms. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences - will not be used by GnuPG. + will not be used by GnuPG. Note that an unattended version of this + command is available as @option{--quick-update-pref}. When setting preferences, you should list the algorithms in the order which you'd like to see them used by someone else when encrypting a @@ -1164,6 +1167,16 @@ user ID which shall be flagged as the primary user ID. The primary user ID flag is removed from all other user ids and the timestamp of all affected self-signatures is set one second ahead. +@item --quick-update-pref @var{user-id} +@opindex quick-update-pref +This command updates the preference list of the key to the current +default value (either built-in or set via +@option{--default-preference-list}). This is the unattended version +of of using "setpref" in the @option{--key-edit} menu without giving a +list. Note that you can show the preferences in a key listing by +using @option{--list-options show-pref} or @option{--list-options +show-pref-verbose}. You should also re-distribute updated keys to +your peers. @item --change-passphrase @var{user-id} @opindex change-passphrase 
@@ -1599,15 +1612,30 @@ prevent the creation of a @file{~/.gnupg} homedir. @item -z @var{n} @itemx --compress-level @var{n} @itemx --bzip2-compress-level @var{n} +@itemx --no-compress @opindex compress-level @opindex bzip2-compress-level +@opindex no-compress Set compression level to @var{n} for the ZIP and ZLIB compression algorithms. The default is to use the default compression level of zlib (normally 6). @option{--bzip2-compress-level} sets the compression level for the BZIP2 compression algorithm (defaulting to 6 as well). This is a different option from @option{--compress-level} since BZIP2 uses a significant amount of memory for each additional compression level. -@option{-z} sets both. A value of 0 for @var{n} disables compression. + +Option @option{-z} sets both. A value of 0 for @var{n} disables +compression. A value of -1 forces compression using the default +level. Option @option{--no-compress} is identical to @option{-z0}. + +Except for the @option{--store} command compression is always used +unless @command{gpg} detects that the input is already compressed. To +inhibit the use of compression use @option{-z0} or +@option{--no-compress}; to force compression use @option{-z-1} or +option @option{z} with another compression level than the default as +indicated by -1. Note that this overriding of the default deection +works only with @option{z} and not with the long variant of this +option. + @item --bzip2-decompress-lowmem @opindex bzip2-decompress-lowmem 
@@ -1683,7 +1711,22 @@ useful if you don't want to keep your secret keys (or one of them) online but still want to be able to check the validity of a given recipient's or signator's key. If the given key is not locally available but an LDAP keyserver is configured the missing key is -imported from that server. +imported from that server. The value "none" is explicitly allowed to +distinguish between the use of any trusted-key option and no use of +this option at all (e.g. due to the @option{--no-options} option). + +@item --add-desig-revoker [sensitive:]@var{fingerprint} +@opindex add-desig-revoker +Add the key specified by @var{fingerprint} as a designated revoker to +newly created keys. If the fingerprint is prefixed with the keyword +``sensitive:'' that info is normally not exported wit the key. This +option may be given several time to add more than one designated +revoker. If the keyword ``clear'' is used instead of a fingerprint, +all designated options previously encountered are discarded. +Designated revokers are marked on the key as non-revocable. Note that +a designated revoker specified using a parameter file will also be +added to the key. + @item --trust-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@} @opindex trust-model @@ -2611,6 +2654,11 @@ opposite meaning. The options are: to put into DNS zone files. An ORIGIN line is printed before each record to allow diverting the records to the corresponding zone file. + @item export-revocs + Export only standalone revocation certificates of the key. This + option does not export revocations of 3rd party certificate + revocations. + @item export-dane Instead of outputting the key material output OpenPGP DANE records suitable to put into DNS zone files. An ORIGIN line is printed before 
@@ -2709,6 +2757,14 @@ is the default. @itemx --no-force-v4-certs These options are obsolete and have no effect since GnuPG 2.1. +@item --force-ocb +@opindex force-ocb +Force the use of OCB mode encryption instead of CFB+MDC encryption. +OCB is a modern and faster way to do authenticated encryption than the +older CFB+MDC method. This option is only useful for symmetric-only +encryption because the mode is automatically selected based on the +preferences of the recipients's public keys. + @item --force-mdc @itemx --disable-mdc @opindex force-mdc @@ -2928,6 +2984,14 @@ therefore enables a fast listing of the encryption keys. @opindex interactive Prompt before overwriting any files. +@item --compatibility-flags @var{flags} +@opindex compatibility-flags +Set compatibility flags to work around problems due to non-compliant +keys or data. The @var{flags} are given as a comma separated +list of flag names and are OR-ed together. The special flag "none" +clears the list and allows to start over with an empty list. To get a +list of available flags the sole word "help" can be used. + @item --debug-level @var{level} @opindex debug-level Select the debug level for investigating problems. @var{level} may be @@ -3381,13 +3445,7 @@ signatures made using SHA-1, those key signatures are considered invalid. This options allows to override this restriction. @item --override-compliance-check -@opindex --override-compliance-check -The signature verification only allows the use of keys suitable in the -current compliance mode. If the compliance mode has been forced by a -global option, there might be no way to check certain signature. This -option allows to override this and prints an extra warning in such a -case. This option is ignored in --batch mode so that no accidental -unattended verification may happen. +This was a temporary introduced option and has no more effect. @item --no-default-keyring @opindex no-default-keyring 
@@ -4032,7 +4090,7 @@ The program returns 0 if there are no severe errors, 1 if at least a signature was bad, and other error codes for fatal errors. Note that signature verification requires exact knowledge of what has -been signed and by whom it has beensigned. Using only the return code +been signed and by whom it has been signed. Using only the return code is thus not an appropriate way to verify a signature by a script. Either make proper use or the status codes or use the @command{gpgv} tool which has been designed to make signature verification easy for |
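Review bot: in the --gen-random hunk at @@ -609, "outputs and endless stream of hex-encoded octets" should read "an endless stream", and "outputs random as 30 zBase-32 characters" reads better as "outputs 30 random zBase-32 characters". The first sentence of the entry still says "Emit @var{count} random bytes of the given quality level 0, 1 or 2" although the item line now lists 16 and 30, so say up front that 16 and 30 are output modes rather than quality levels, and for 30 state which quality level it uses (the text says this for 16 only) and whether @var{count} is honored. The hunk also drops the warning "PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system!" without replacement; if that warning is obsolete, one sentence saying so would stop readers of older manuals from wondering.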
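Review bot: in the --quick-update-pref hunk at @@ -1164, "of of using" has a duplicated word, and "@option{--key-edit}" should be "@option{--edit-key}", which is the actual name of the command (the index entries elsewhere in this file use the "keyedit:" prefix for its subcommands). The new entry also runs straight into "@item --change-passphrase" with no blank line, whereas the other entries in this hunk series are separated by a blank line (compare the "+" blank line before "@item --trust-model" in the --add-desig-revoker hunk); add one so the item spacing stays consistent.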
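Review bot: in the compression hunk at @@ -1599, "default deection" should be "default detection", and "option @option{z}" (used twice) should be "@option{-z}". "the long variant of this option" is ambiguous now that three long options sit in this entry (--compress-level, --bzip2-compress-level, --no-compress); name the one meant, and, since the previous paragraph says "A value of -1 forces compression using the default level" for -z, state explicitly whether "--compress-level -1" does or does not force compression. Also "Except for the @option{--store} command compression is always used" needs a comma after "command".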
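Review bot: in the --add-desig-revoker hunk at @@ -1683, "not exported wit the key" should be "with the key", "given several time" should be "several times", and "all designated options previously encountered are discarded" should be "all designated revokers previously encountered are discarded", since it is the revokers, not options, that "clear" resets. "Designated revokers are marked on the key as non-revocable" would be clearer if it said what is non-revocable (the revoker designation itself), and the entry should say whether only a full fingerprint is accepted, given that the argument is documented as @var{fingerprint}.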
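Review bot: in the export-revocs hunk at @@ -2611, "This option does not export revocations of 3rd party certificate revocations" is garbled; if the intent is that revocations of third-party certifications (key signatures) are not exported, say "This option does not export revocations of third-party certifications", and otherwise state what is excluded.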
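Review bot: in the --force-ocb hunk at @@ -2709, "recipients's public keys" should be "recipients' public keys". As with --force-mdc and --disable-mdc immediately below, the entry would benefit from one sentence on what a forced OCB message means for a decrypting implementation that does not support OCB, since the option exists precisely to bypass the preference-based selection the text describes.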
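Review bot: in the --compatibility-flags hunk at @@ -2928, "allows to start over with an empty list" should be "allows starting over with an empty list". The flag names themselves are not documented here; either list them or say where the output of "help" goes and whether gpg continues or exits after printing it, so the entry is usable without trying the command.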
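Review bot: in the --override-compliance-check hunk at @@ -3381, the removed lines included the index entry "@opindex --override-compliance-check" and the replacement has none, so the option disappears from the option index; keep "@opindex override-compliance-check" (without the leading dashes, matching entries such as "@opindex no-default-keyring"). The sentence "This was a temporary introduced option and has no more effect." should read "This option was introduced temporarily and no longer has any effect.", and, like the --force-v4-certs entry ("have no effect since GnuPG 2.1"), it should say since which version.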
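Review bot: in the hunk at @@ -4032, the unchanged context line "Either make proper use or the status codes" has the same kind of typo as the one being fixed ("or" should be "of"); fix it in the same commit rather than leaving one typo next to the corrected "been signed".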