summaryrefslogtreecommitdiffstats
path: root/doc/specify-user-id.texi
blob: 64e354bdf0e5ef4a7a9b23083fbbea59d725ee70 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
@c Include file to allow for different placements in man pages and the manual

There are different ways to specify a user ID to GnuPG.  Some of them
are only valid for @command{gpg} others are only good for
@command{gpgsm}.  Here is the entire list of ways to specify a key:

@itemize @bullet

@item By key Id.
This format is deduced from the length of the string and its content or
@code{0x} prefix. The key Id of an X.509 certificate are the low 64 bits
of its SHA-1 fingerprint.  The use of key Ids is just a shortcut, for
all automated processing the fingerprint should be used.

When using @command{gpg} an exclamation mark (!) may be appended to
force using the specified primary or secondary key and not to try and
calculate which primary or secondary key to use.

The last four lines of the example give the key ID in their long form as
internally used by the OpenPGP protocol. You can see the long key ID
using the option @option{--with-colons}.

@cartouche
@example
234567C4
0F34E556E
01347A56A
0xAB123456

234AABBCC34567C4
0F323456784E56EAB
01AB3FED1347A5612
0x234AABBCC34567C4
@end example
@end cartouche



@item By fingerprint.
This format is deduced from the length of the string and its content or
the @code{0x} prefix.  Note, that only the 20 byte version fingerprint
is available with @command{gpgsm} (i.e. the SHA-1 hash of the
certificate).

When using @command{gpg} an exclamation mark (!) may be appended to
force using the specified primary or secondary key and not to try and
calculate which primary or secondary key to use.

The best way to specify a key Id is by using the fingerprint.  This
avoids any ambiguities in case that there are duplicated key IDs.

@cartouche
@example
1234343434343434C434343434343434
123434343434343C3434343434343734349A3434
0E12343434343434343434EAB3484343434343434
0xE12343434343434343434EAB3484343434343434
@end example
@end cartouche

@noindent
@command{gpgsm} also accepts colons between each pair of hexadecimal
digits because this is the de-facto standard on how to present X.509
fingerprints.  @command{gpg} also allows the use of the space
separated SHA-1 fingerprint as printed by the key listing commands.

@item By exact match on OpenPGP user ID.
This is denoted by a leading equal sign. It does not make sense for
X.509 certificates.

@cartouche
@example
=Heinrich Heine <heinrichh@@uni-duesseldorf.de>
@end example
@end cartouche

@item By exact match on an email address.
This is indicated by enclosing the email address in the usual way
with left and right angles.

@cartouche
@example
<heinrichh@@uni-duesseldorf.de>
@end example
@end cartouche


@item By partial match on an email address.
This is indicated by prefixing the search string with an @code{@@}.
This uses a substring search but considers only the mail address
(i.e. inside the angle brackets).

@cartouche
@example
@@heinrichh
@end example
@end cartouche

@item By exact match on the subject's DN.
This is indicated by a leading slash, directly followed by the RFC-2253
encoded DN of the subject.  Note that you can't use the string printed
by @code{gpgsm --list-keys} because that one has been reordered and modified
for better readability; use @option{--with-colons} to print the raw
(but standard escaped) RFC-2253 string.

@cartouche
@example
/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
@end example
@end cartouche

@item By exact match on the issuer's DN.
This is indicated by a leading hash mark, directly followed by a slash
and then directly followed by the RFC-2253 encoded DN of the issuer.
This should return the Root cert of the issuer.  See note above.

@cartouche
@example
#/CN=Root Cert,O=Poets,L=Paris,C=FR
@end example
@end cartouche


@item By exact match on serial number and issuer's DN.
This is indicated by a hash mark, followed by the hexadecimal
representation of the serial number, then followed by a slash and the
RFC-2253 encoded DN of the issuer. See note above.

@cartouche
@example
#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
@end example
@end cartouche

@item By keygrip.
This is indicated by an ampersand followed by the 40 hex digits of a
keygrip.  @command{gpgsm} prints the keygrip when using the command
@option{--dump-cert}.

@cartouche
@example
&D75F22C3F86E355877348498CDC92BD21010A480
@end example
@end cartouche


@item By substring match.
This is the default mode but applications may want to explicitly
indicate this by putting the asterisk in front.  Match is not case
sensitive.

@cartouche
@example
Heine
*Heine
@end example
@end cartouche

@item . and + prefixes
These prefixes are reserved for looking up mails anchored at the end
and for a word search mode.  They are not yet implemented and using
them is undefined.

@end itemize

Please note that we have reused the hash mark identifier which was used
in old GnuPG versions to indicate the so called local-id.  It is not
anymore used and there should be no conflict when used with X.509 stuff.

Using the RFC-2253 format of DNs has the drawback that it is not
possible to map them back to the original encoding, however we don't
have to do this because our key database stores this encoding as meta
data.