1GPGCONF(1) GNU Privacy Guard GPGCONF(1)
2
6 gpgconf - Modify .gnupg home directories
7
9 gpgconf [options] --list-components
10 gpgconf [options] --list-options component
11 gpgconf [options] --change-options component
12
16 The gpgconf is a utility to automatically and reasonable safely query
17 and modify configuration files in the ‘.gnupg’ home directory. It is
18 designed not to be invoked manually by the user, but automatically by
19 graphical user interfaces (GUI). ([Please note that currently no lock‐
20 ing is done, so concurrent access should be avoided. There are some
21 precautions to avoid corruption with concurrent usage, but results may
22 be inconsistent and some changes may get lost. The stateless design
23 makes it difficult to provide more guarantees.])
24 gpgconf provides access to the configuration of one or more components
26 of the GnuPG system. These components correspond more or less to the
27 programs that exist in the GnuPG framework, like GnuPG, GPGSM, DirMngr,
28 etc. But this is not a strict one-to-one relationship. Not all con‐
29 figuration options are available through gpgconf. gpgconf provides a
30 generic and abstract method to access the most important configuration
31 options that can feasibly be controlled via such a mechanism.
32 gpgconf can be used to gather and change the options available in each
34 component, and can also provide their default values. gpgconf will
35 give detailed type information that can be used to restrict the user's
36 input without making an attempt to commit the changes.
37 gpgconf provides the backend of a configuration editor. The configura‐
39 tion editor would usually be a graphical user interface program, that
40 allows to display the current options, their default values, and allows
41 the user to make changes to the options. These changes can then be
42 made active with gpgconf again. Such a program that uses gpgconf in
43 this way will be called GUI throughout this section.
44
48 One of the following commands must be given:
49 --list-components
53 List all components. This is the default command used if none
54 is specified.
55 --check-programs
58 List all available backend programs and test whether they are
59 runnable.
60 --list-options component
63 List all options of the component component.
64 --change-options component
67 Change the options of the component component.
68 --check-options component
71 Check the options for the component component.
72 --apply-defaults
75 Update all configuration files with values taken from the global
76 configuration file (usually ‘/etc/gnupg/gpgconf.conf’).
77 --list-dirs
80 Lists the directories used by gpgconf. One directory is listed
81 per line, and each line consists of a colon-separated list where
82 the first field names the directory type (for example
83 sysconfdir) and the second field contains the percent-escaped
84 directory. Although they are not directories, the socket file
85 names used by gpg-agent and dirmngr are printed as well. Note
86 that the socket file names and the homedir lines are the default
87 names and they may be overridden by command line switches.
88 --list-config [filename]
91 List the global configuration file in a colon separated format.
92 If filename is given, check that file instead.
93 --check-config [filename]
96 Run a syntax check on the global configuration file. If file‐
97 name is given, check that file instead.
98
103 The following options may be used:
104 -v
108 --verbose
110 Outputs additional information while running. Specifically,
111 this extends numerical field values by human-readable descrip‐
112 tions.
113 -n
116 --dry-run
118 Do not actually change anything. This is currently only imple‐
119 mented for --change-options and can be used for testing pur‐
120 poses.
121 -r
124 --runtime
126 Only used together with --change-options. If one of the modi‐
127 fied options can be changed in a running daemon process, signal
128 the running daemon to ask it to reparse its configuration file
129 after changing.
130 This means that the changes will take effect at run-time, as far
132 as this is possible. Otherwise, they will take effect at the
133 next start of the respective backend programs.
134
136 The command --list-components will list all components that can be con‐
137 figured with gpgconf. Usually, one component will correspond to one
138 GnuPG-related program and contain the options of that programs configu‐
139 ration file that can be modified using gpgconf. However, this is not
140 necessarily the case. A component might also be a group of selected
141 options from several programs, or contain entirely virtual options that
142 have a special effect rather than changing exactly one option in one
143 configuration file.
144 A component is a set of configuration options that semantically belong
146 together. Furthermore, several changes to a component can be made in
147 an atomic way with a single operation. The GUI could for example pro‐
148 vide a menu with one entry for each component, or a window with one
149 tabulator sheet per component.
150 The command argument --list-components lists all available components,
152 one per line. The format of each line is:
153 name:description:pgmname:
155 name This field contains a name tag of the component. The name tag
158 is used to specify the component in all communication with gpg‐
159 conf. The name tag is to be used verbatim. It is thus not in
160 any escaped format.
161 description
164 The string in this field contains a human-readable description
165 of the component. It can be displayed to the user of the GUI
166 for informational purposes. It is percent-escaped and local‐
167 ized.
168 pgmname
171 The string in this field contains the absolute name of the pro‐
172 gram's file. It can be used to unambiguously invoke that pro‐
173 gram. It is percent-escaped.
174 Example:
176 $ gpgconf --list-components
177 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
178 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
179 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
180 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
181 dirmngr:Directory Manager:/usr/local/bin/dirmngr:
182 Checking programs
188 The command --check-programs is similar to --list-components but works
191 on backend programs and not on components. It runs each program to
192 test whether it is installed and runnable. This also includes a syntax
193 check of all config file options of the program.
194 The command argument --check-programs lists all available programs, one
196 per line. The format of each line is:
197 name:description:pgmname:avail:okay:cfgfile:line:error:
199 name This field contains a name tag of the program which is identical
202 to the name of the component. The name tag is to be used verba‐
203 tim. It is thus not in any escaped format. This field may be
204 empty to indicate a continuation of error descriptions for the
205 last name. The description and pgmname fields are then also
206 empty.
207 description
210 The string in this field contains a human-readable description
211 of the component. It can be displayed to the user of the GUI
212 for informational purposes. It is percent-escaped and local‐
213 ized.
214 pgmname
217 The string in this field contains the absolute name of the pro‐
218 gram's file. It can be used to unambiguously invoke that pro‐
219 gram. It is percent-escaped.
220 avail The boolean value in this field indicates whether the program is
223 installed and runnable.
224 okay The boolean value in this field indicates whether the program's
227 config file is syntactically okay.
228 cfgfile
231 If an error occurred in the configuration file (as indicated by
232 a false value in the field okay), this field has the name of the
233 failing configuration file. It is percent-escaped.
234 line If an error occurred in the configuration file, this field has
237 the line number of the failing statement in the configuration
238 file. It is an unsigned number.
239 error If an error occurred in the configuration file, this field has
242 the error text of the failing statement in the configuration
243 file. It is percent-escaped and localized.
244 In the following example the dirmngr is not runnable and the
248 configuration file of scdaemon is not okay.
249 $ gpgconf --check-programs
251 gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
252 gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
253 scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
254 gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
255 dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
256 The command configuration file in the same manner as --check-programs,
259 but only for the component component.
260 Listing options
265 Every component contains one or more options. Options may be gathered
268 into option groups to allow the GUI to give visual hints to the user
269 about which options are related.
270 The command argument lists all options (and the groups they belong to)
272 in the component component, one per line. component must be the string
273 in the field name in the output of the --list-components command.
274 There is one line for each option and each group. First come all
276 options that are not in any group. Then comes a line describing a
277 group. Then come all options that belong into each group. Then comes
278 the next group and so on. There does not need to be any group (and in
279 this case the output will stop after the last non-grouped option).
280 The format of each line is:
282 name:flags:level:description:type:alt-type:argname:default:argdef:value
284 name This field contains a name tag for the group or option. The
287 name tag is used to specify the group or option in all communi‐
288 cation with gpgconf. The name tag is to be used verbatim. It
289 is thus not in any escaped format.
290 flags The flags field contains an unsigned number. Its value is the
293 OR-wise combination of the following flag values:
294 group (1)
297 If this flag is set, this is a line describing a group
298 and not an option.
299 The following flag values are only defined for options (that is, if the
301 group flag is not used).
302 optional arg (2)
305 If this flag is set, the argument is optional. This is
306 never set for type 0 (none) options.
307 list (4)
310 If this flag is set, the option can be given multiple
311 times.
312 runtime (8)
315 If this flag is set, the option can be changed at run‐
316 time.
317 default (16)
320 If this flag is set, a default value is available.
321 default desc (32)
324 If this flag is set, a (runtime) default is available.
325 This and the default flag are mutually exclusive.
326 no arg desc (64)
329 If this flag is set, and the optional arg flag is set,
330 then the option has a special meaning if no argument is
331 given.
332 no change (128)
335 If this flag is set, gpgconf ignores requests to change
336 the value. GUI frontends should grey out this option.
337 Note, that manual changes of the configuration files are
338 still possible.
339 level This field is defined for options and for groups. It contains
342 an unsigned number that specifies the expert level under which
343 this group or option should be displayed. The following expert
344 levels are defined for options (they have analogous meaning for
345 groups):
346 basic (0)
349 This option should always be offered to the user.
350 advanced (1)
353 This option may be offered to advanced users.
354 expert (2)
357 This option should only be offered to expert users.
358 invisible (3)
361 This option should normally never be displayed, not even
362 to expert users.
363 internal (4)
366 This option is for internal use only. Ignore it.
367 The level of a group will always be the lowest level of all options it
369 contains.
370 description
373 This field is defined for options and groups. The string in
374 this field contains a human-readable description of the option
375 or group. It can be displayed to the user of the GUI for infor‐
376 mational purposes. It is percent-escaped and localized.
377 type This field is only defined for options. It contains an unsigned
380 number that specifies the type of the option's argument, if any.
381 The following types are defined:
382 Basic types:
384 none (0)
387 No argument allowed.
388 string (1)
391 An unformatted string.
392 int32 (2)
395 A signed number.
396 uint32 (3)
399 An unsigned number.
400 Complex types:
402 pathname (32)
405 A string that describes the pathname of a file. The file
406 does not necessarily need to exist.
407 ldap server (33)
410 A string that describes an LDAP server in the format:
411 hostname:port:username:password:base_dn
413 key fingerprint (34)
416 A string with a 40 digit fingerprint specifying a cer‐
417 tificate.
418 pub key (35)
421 A string that describes a certificate by user ID, key ID
422 or fingerprint.
423 sec key (36)
426 A string that describes a certificate with a key by user
427 ID, key ID or fingerprint.
428 alias list (37)
431 A string that describes an alias list, like the one used
432 with gpg's group option. The list consists of a key, an
433 equal sign and space separated values.
434 More types will be added in the future. Please see the alt-type field
436 for information on how to cope with unknown types.
437 alt-type
440 This field is identical to type, except that only the types 0 to
441 31 are allowed. The GUI is expected to present the user the
442 option in the format specified by type. But if the argument
443 type type is not supported by the GUI, it can still display the
444 option in the more generic basic type alt-type. The GUI must
445 support all the defined basic types to be able to display all
446 options. More basic types may be added in future versions. If
447 the GUI encounters a basic type it doesn't support, it should
448 report an error and abort the operation.
449 argname
452 This field is only defined for options with an argument type
453 type that is not 0. In this case it may contain a percent-
454 escaped and localised string that gives a short name for the
455 argument. The field may also be empty, though, in which case a
456 short name is not known.
457 default
460 This field is defined only for options for which the default or
461 default desc flag is set. If the default flag is set, its for‐
462 mat is that of an option argument (see: [Format conventions],
463 for details). If the default value is empty, then no default is
464 known. Otherwise, the value specifies the default value for
465 this option. If the default desc flag is set, the field is
466 either empty or contains a description of the effect if the
467 option is not given.
468 argdef This field is defined only for options for which the optional
471 arg flag is set. If the no arg desc flag is not set, its format
472 is that of an option argument (see: [Format conventions], for
473 details). If the default value is empty, then no default is
474 known. Otherwise, the value specifies the default argument for
475 this option. If the no arg desc flag is set, the field is
476 either empty or contains a description of the effect of this
477 option if no argument is given.
478 value This field is defined only for options. Its format is that of
481 an option argument. If it is empty, then the option is not
482 explicitly set in the current configuration, and the default
483 applies (if any). Otherwise, it contains the current value of
484 the option. Note that this field is also meaningful if the
485 option itself does not take a real argument (in this case, it
486 contains the number of times the option appears).
487 Changing options
492 The command to change the options of the component component to the
495 specified values. component must be the string in the field name in
496 the output of the --list-components command. You have to provide the
497 options that shall be changed in the following format on standard
498 input:
499 name:flags:new-value
501 name This is the name of the option to change. name must be the
504 string in the field name in the output of the --list-options
505 command.
506 flags The flags field contains an unsigned number. Its value is the
509 OR-wise combination of the following flag values:
510 default (16)
513 If this flag is set, the option is deleted and the
514 default value is used instead (if applicable).
515 new-value
518 The new value for the option. This field is only defined if the
519 default flag is not set. The format is that of an option argu‐
520 ment. If it is empty (or the field is omitted), the default
521 argument is used (only allowed if the argument is optional for
522 this option). Otherwise, the option will be set to the speci‐
523 fied value.
524 The output of the command is the same as that of --check-options
527 for the modified configuration file.
528 Examples:
530 To set the force option, which is of basic type none (0):
532 $ echo 'force:0:1' | gpgconf --change-options dirmngr
534 To delete the force option:
536 $ echo 'force:16:' | gpgconf --change-options dirmngr
538 The --runtime option can influence when the changes take effect.
540 Listing global options
545 Sometimes it is useful for applications to look at the global options
548 file ‘gpgconf.conf’. The colon separated listing format is record ori‐
549 ented and uses the first field to identify the record type:
550 k This describes a key record to start the definition of a new
553 ruleset for a user/group. The format of a key record is:
554 k:user:group:
556 user This is the user field of the key. It is percent
559 escaped. See the definition of the gpgconf.conf format
560 for details.
561 group This is the group field of the key. It is percent
564 escaped.
565 r This describes a rule record. All rule records up to the next
568 key record make up a rule set for that key. The format of a
569 rule record is:
570 r:::component:option:flags:value:
572 component
575 This is the component part of a rule. It is a plain
576 string.
577 option This is the option part of a rule. It is a plain string.
580 flag This is the flags part of a rule. There may be only one
583 flag per rule but by using the same component and option,
584 several flags may be assigned to an option. It is a
585 plain string.
586 value This is the optional value for the option. It is a per‐
589 cent escaped string with a single quotation mark to indi‐
590 cate a string. The quotation mark is only required to
591 distinguish between no value specified and an empty
592 string.
593 Unknown record types should be ignored. Note that there is intention‐
597 ally no feature to change the global option file through gpgconf.
598
603 /etc/gnupg/gpgconf.conf
604 If this file exists, it is processed as a global configuration
605 file.
606 A commented example can be found in the ‘examples’ directory
607 of
608 the distribution.
609
613 gpg(1), gpgsm(1), gpg-agent(1), scdaemon(1), dirmngr(1)
614 The full documentation for this tool is maintained as a Texinfo manual.
616 If GnuPG and the info program are properly installed at your site, the
617 command
618 info gnupg
620 should give you access to the complete manual including a menu struc‐
622 ture and an index.
623GnuPG 2.0.14 2018-07-13 GPGCONF(1)