GPG2(1)                        GNU Privacy Guard                        GPG2(1)

NAME
       gpg2 - OpenPGP encryption and signing tool

SYNOPSIS
       gpg2 [--homedir dir] [--options file] [options] command [args]

DESCRIPTION
       gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard. gpg2 features complete key management and all the bells and whistles you can expect from a decent OpenPGP implementation.

       In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is commonly installed under the name gpg2 and is more targeted at the desktop, as it requires several other modules to be installed. The standalone version will be kept maintained, and it is possible to install both versions on the same system. If you need to use different configuration files, you should use something like ‘gpg.conf-2’ instead of just ‘gpg.conf’.

RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least one signature was bad, and other error codes for fatal errors.

WARNINGS
       Use a *good* password for your user account and a *good* passphrase to protect your secret key. This passphrase is the weakest part of the whole system. Programs to do dictionary attacks on your secret keyring are very easy to write, so you should protect your "~/.gnupg/" directory very well.

       Keep in mind that, if this program is used over a network (telnet), it is *very* easy to spy out your passphrase!

       If you are going to verify detached signatures, make sure that the program knows about it; either give both filenames on the command line or use '-' to specify STDIN.

INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
       GnuPG tries to be a very flexible implementation of the OpenPGP standard. In particular, GnuPG implements many of the optional parts of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compression algorithms. It is important to be aware that not all OpenPGP programs implement these optional algorithms and that, by forcing their use via the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-algo options in GnuPG, it is possible to create a perfectly valid OpenPGP message, but one that cannot be read by the intended recipient.

       There are dozens of variations of OpenPGP programs available, and each supports a slightly different subset of these optional algorithms. For example, until recently, no (unhacked) version of PGP supported the BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be read by a PGP user. By default, GnuPG uses the standard OpenPGP preferences system that will always do the right thing and create messages that are usable by all recipients, regardless of which OpenPGP program they use. Only override this safe default if you really know what you are doing.

       If you absolutely must override the safe default, or if the preferences on a given key are invalid for some reason, you are far better off using the --pgp6, --pgp7, or --pgp8 options. These options are safe as they do not force any particular algorithms in violation of OpenPGP, but rather reduce the available algorithms to a "PGP-safe" list.

COMMANDS
       Commands are not distinguished from options except for the fact that only one command is allowed.

       gpg2 may be run with no commands, in which case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed).

       Please remember that option as well as command parsing stops as soon as a non-option is encountered; you can explicitly stop parsing by using the special option --.

   Commands not specific to the function

       --version
              Print the program version and licensing information. Note that you cannot abbreviate this command.

       --help
       -h     Print a usage message summarizing the most useful command line options. Note that you cannot abbreviate this command.

       --warranty
              Print warranty information.

       --dump-options
              Print a list of all available options and commands. Note that you cannot abbreviate this command.

   Commands to select the type of operation

       --sign
       -s     Make a signature. This command may be combined with --encrypt (for a signed and encrypted message), --symmetric (for a signed and symmetrically encrypted message), or --encrypt and --symmetric together (for a signed message that may be decrypted via a secret key or a passphrase). The key to be used for signing is chosen by default or can be set with the --local-user and --default-key options.

       --clearsign
              Make a clear text signature. The content in a clear text signature is readable without any special software. OpenPGP software is only needed to verify the signature. Clear text signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible. The key to be used for signing is chosen by default or can be set with the --local-user and --default-key options.

       --detach-sign
       -b     Make a detached signature.

       --encrypt
       -e     Encrypt data. This option may be combined with --sign (for a signed and encrypted message), --symmetric (for a message that may be decrypted via a secret key or a passphrase), or --sign and --symmetric together (for a signed message that may be decrypted via a secret key or a passphrase).

       --symmetric
       -c     Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is CAST5, but may be chosen with the --cipher-algo option. This option may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase).

       --store
              Store only (make a simple RFC1991 literal data packet).

       --decrypt
       -d     Decrypt the file given on the command line (or STDIN if no file is specified) and write it to STDOUT (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message.

       --verify
              Assume that the first argument is a signed file or a detached signature and verify it without generating any output. With no arguments, the signature packet is read from STDIN. If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed material is expected in a file without the ".sig" or ".asc" extension. With more than one argument, the first should be a detached signature and the remaining files are the signed material. To read the signed material from STDIN, use '-' as the second filename. For security reasons a detached signature cannot read the signed material from STDIN without denoting it in the above way.

              Note: When verifying a cleartext signature, gpg verifies only what makes up the cleartext signed data and not any extra data outside of the cleartext signature or header lines directly following the dash marker line. The option --output may be used to write out the actual signed data; but there are other pitfalls with this format as well. It is suggested to avoid cleartext signatures in favor of detached signatures.

       --multifile
              This modifies certain other commands to accept multiple files for processing on the command line or read from STDIN with each filename on a separate line. This allows for many files to be processed at once. --multifile may currently be used along with --verify, --encrypt, and --decrypt. Note that --multifile --verify may not be used with detached signatures.

       --verify-files
              Identical to --multifile --verify.

       --encrypt-files
              Identical to --multifile --encrypt.

       --decrypt-files
              Identical to --multifile --decrypt.

       --list-keys
       -k
       --list-public-keys
              List all keys from the public keyrings, or just the keys given on the command line.

              Avoid using the output of this command in scripts or other programs, as it is likely to change as GnuPG changes. See --with-colons for a machine-parseable key listing command that is appropriate for use in scripts and other programs.

       --list-secret-keys
       -K     List all keys from the secret keyrings, or just the ones given on the command line. A # after the letters sec means that the secret key is not usable (for example, if it was created via --export-secret-subkeys).

       --list-sigs
              Same as --list-keys, but the signatures are listed too. This command has the same effect as using --list-keys with --with-sig-list.

              For each signature listed, there are several flags in between the "sig" tag and the keyid. These flags give additional information about each signature. From left to right, they are the numbers 1-3 for certificate check level (see --ask-cert-level), "L" for a local or non-exportable signature (see --lsign-key), "R" for a non-revocable signature (see the --edit-key command "nrsign"), "P" for a signature that contains a policy URL (see --cert-policy-url), "N" for a signature that contains a notation (see --cert-notation), "X" for an eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels (see the --edit-key command "tsign").

       --check-sigs
              Same as --list-sigs, but the signatures are verified. Note that for performance reasons the revocation status of a signing key is not shown. This command has the same effect as using --list-keys with --with-sig-check.

              The status of the verification is indicated by a flag directly following the "sig" tag (and thus before the flags described above for --list-sigs). A "!" indicates that the signature has been successfully verified, a "-" denotes a bad signature and a "%" is used if an error occurred while checking the signature (e.g. an unsupported algorithm).
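As an added example that is not part of GnuPG or this manual, the following Python code interprets the flag field of --list-sigs and --check-sigs lines exactly as the two descriptions above lay it out: the optional "!", "-" or "%" status directly after "sig", then the certificate check level, the L/R/P/N/X letters and the trust signature level, followed by the key ID. The sample listing it runs on is constructed and not captured from a real keyring; it assumes key IDs are printed as 8 or 16 uppercase hex digits.

```python
"""Interpret the flag field of gpg2 --list-sigs / --check-sigs lines.

Added example written from the flag description in the man page; it is not
GnuPG code. The sample listing below is constructed, not real output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

STATUS = {"!": "good", "-": "bad", "%": "error"}   # --check-sigs only
LETTERS = {"L": "local", "R": "non-revocable", "P": "policy-url",
           "N": "notation", "X": "expired"}
# Assumption: key IDs appear as 8 or 16 uppercase hex digits.
KEYID = re.compile(r"^[0-9A-F]{8}(?:[0-9A-F]{8})?$")


@dataclass
class SigLine:
    status: Optional[str]       # good / bad / error; None for --list-sigs
    cert_level: Optional[int]   # 1-3, see --ask-cert-level
    flags: List[str]            # LETTERS values, left to right
    trust_level: Optional[int]  # 1-9, or 10 for "T"
    keyid: str
    rest: str                   # date and user ID as printed


def parse_sig_line(line: str) -> Optional[SigLine]:
    """Return the parsed signature line, or None if it is not a sig line."""
    stripped = line.lstrip()
    if not stripped.startswith("sig"):
        return None
    body = stripped[3:]
    status = None
    if body[:1] in STATUS:          # verification flag sits right after "sig"
        status = STATUS[body[0]]
        body = body[1:]
    tokens = body.split()
    # Everything before the key ID token is the flag field.
    for i, tok in enumerate(tokens):
        if KEYID.match(tok):
            break
    else:
        return None                 # no key ID: not a signature line
    flag_chars = "".join(tokens[:i])
    cert_level = trust_level = None
    flags: List[str] = []
    for ch in flag_chars:
        if ch in LETTERS:
            flags.append(LETTERS[ch])
        elif ch == "T":
            trust_level = 10
        elif ch.isdigit():
            # Man page order: the certificate check level (1-3) comes first,
            # the trust signature level (1-9) comes last.
            if cert_level is None and not flags and ch in "123":
                cert_level = int(ch)
            else:
                trust_level = int(ch)
    return SigLine(status, cert_level, flags, trust_level,
                   tokens[i], " ".join(tokens[i + 1:]))


def unverified_or_bad(lines):
    """Key IDs of signatures that did not verify cleanly under --check-sigs."""
    out = []
    for line in lines:
        sig = parse_sig_line(line)
        if sig and sig.status in ("bad", "error"):
            out.append((sig.keyid, sig.status))
    return out


# Constructed sample listing in the style described by the man page.
SAMPLE = """\
pub   2048R/0123ABCD 2015-03-01
uid                  Example User <user@example.org>
sig!3        0123ABCD 2015-03-01  Example User <user@example.org>
sig!  L      89ABCDEF 2016-06-12  Local Signer <local@example.org>
sig-         FEDCBA98 2017-01-05  Someone <someone@example.org>
sig%  PN     76543210 2018-09-09  Policy Signer <policy@example.org>
sig 2 X    5  ABCDEF0123456789 2019-02-02  Trusted Introducer <ti@example.org>
""".splitlines()

if __name__ == "__main__":
    for entry in SAMPLE:
        parsed = parse_sig_line(entry)
        if parsed:
            print(parsed)
    print(unverified_or_bad(SAMPLE))
```

When the certificate check level is absent, a leading 1-3 in the flag field is still read as the check level, since the human-readable listing gives no column markers to tell the two kinds of digit apart; use --with-colons for scripts that need an unambiguous answer.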

       --locate-keys
              Locate the keys given as arguments. This command basically uses the same algorithm as used when locating keys for encryption or signing and may thus be used to see what keys gpg2 might use. In particular, external methods as defined by --auto-key-locate may be used to locate a key. Only public keys are listed.

       --fingerprint
              List all keys (or the specified ones) along with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs. If this command is given twice, the fingerprints of all secondary keys are listed too.

       --list-packets
              List only the sequence of packets. This is mainly useful for debugging.

       --card-edit
              Present a menu to work with a smartcard. The subcommand "help" provides an overview of available commands. For a detailed description, please see the Card HOWTO at http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

       --card-status
              Show the content of the smart card.

       --change-pin
              Present a menu to allow changing the PIN of a smartcard. This functionality is also available as the subcommand "passwd" with the --card-edit command.

       --delete-key name
              Remove key from the public keyring. In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys.

       --delete-secret-key name
              Remove key from the secret keyring. In batch mode the key must be specified by fingerprint.

       --delete-secret-and-public-key name
              Same as --delete-key, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint.

       --export
              Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to STDOUT or to the file given with option --output. Use together with --armor to mail those keys.

       --send-keys key IDs
              Similar to --export but sends the keys to a keyserver. Fingerprints may be used instead of key IDs. Option --keyserver must be used to give the name of this keyserver. Don't send your complete keyring to a keyserver; select only those keys which are new or changed by you. If no key IDs are given, gpg does nothing.

       --export-secret-keys
       --export-secret-subkeys
              Same as --export, but exports the secret keys instead. This is normally not very useful and a security risk. The second form of the command has the special property of rendering the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations cannot be expected to successfully import such a key. See the option --simple-sk-checksum if you want to import such an exported key with an older OpenPGP implementation.

       --import
       --fast-import
              Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym.

              There are a few other options which control how this command works. Most notable here is the --import-options merge-only option, which does not insert new keys but only merges new signatures, user IDs and subkeys.

       --recv-keys key IDs
              Import the keys with the given key IDs from a keyserver. Option --keyserver must be used to give the name of this keyserver.

       --refresh-keys
              Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring. Option --keyserver must be used to give the name of the keyserver for all keys that do not have preferred keyservers set (see --keyserver-options honor-keyserver-url).

       --search-keys names
              Search the keyserver for the given names. Multiple names given here will be joined together to create the search string for the keyserver. Option --keyserver must be used to give the name of this keyserver. Keyservers that support different search methods allow using the syntax specified in "How to specify a user ID" below. Note that different keyserver types support different search methods. Currently only LDAP supports them all.

       --fetch-keys URIs
              Retrieve keys located at the specified URIs. Note that different installations of GnuPG may support different protocols (HTTP, FTP, LDAP, etc.).

       --update-trustdb
              Do trust database maintenance. This command iterates over all keys and builds the Web of Trust. This is an interactive command because it may have to ask for the "ownertrust" values for keys. The user has to give an estimation of how far she trusts the owner of the displayed key to correctly certify (sign) other keys. GnuPG only asks for the ownertrust value if it has not yet been assigned to a key. Using the --edit-key menu, the assigned value can be changed at any time.

       --check-trustdb
              Do trust database maintenance without user interaction. From time to time the trust database must be updated so that expired keys or signatures and the resulting changes in the Web of Trust can be tracked. Normally, GnuPG will calculate when this is required and do it automatically unless --no-auto-check-trustdb is set. This command can be used to force a trust database check at any time. The processing is identical to that of --update-trustdb but it skips keys with a not yet defined "ownertrust".

              For use with cron jobs, this command can be used together with --batch, in which case the trust database check is done only if a check is needed. To force a run even in batch mode add the option --yes.

       --export-ownertrust
              Send the ownertrust values to STDOUT. This is useful for backup purposes as these values are the only ones which can't be re-created from a corrupted trustdb. Example:
                gpg2 --export-ownertrust > otrust.txt

       --import-ownertrust
              Update the trustdb with the ownertrust values stored in files (or STDIN if not given); existing values will be overwritten. In case of a severely damaged trustdb, and if you have a recent backup of the ownertrust values (e.g. in the file ‘otrust.txt’), you may re-create the trustdb using these commands:
                cd ~/.gnupg
                rm trustdb.gpg
                gpg2 --import-ownertrust < otrust.txt

       --rebuild-keydb-caches
              When updating from version 1.0.6 to 1.0.7 this command should be used to create signature caches in the keyring. It might be handy in other situations too.

       --print-md algo
       --print-mds
              Print the message digest of algorithm ALGO for all given files or STDIN. With the second form (or a deprecated "*" as algo) digests for all available algorithms are printed.

       --gen-random 0|1|2 count
              Emit count random bytes of the given quality level 0, 1 or 2. If count is not given or zero, an endless sequence of random bytes will be emitted. If used with --armor the output will be base64 encoded. PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system!

       --gen-prime mode bits
              Use the source, Luke :-). The output format is still subject to change.

       --enarmor
       --dearmor
              Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor. This is a GnuPG extension to OpenPGP and in general not very useful.

   How to manage your keys

       This section explains the main commands for key management.

       --gen-key
              Generate a new key pair. This command is normally only used interactively.

              There is an experimental feature which allows you to create keys in batch mode. See the file ‘doc/DETAILS’ in the source distribution on how to use this.

       --gen-revoke name
              Generate a revocation certificate for the complete key. To revoke a subkey or a signature, use the --edit-key command.

       --desig-revoke name
              Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else's key.

       --edit-key
              Present a menu which enables you to do most of the key management related tasks. It expects the specification of a key on the command line.

              uid n  Toggle selection of user ID or photographic user ID with index n. Use * to select all and 0 to deselect all.

              key n  Toggle selection of subkey with index n. Use * to select all and 0 to deselect all.

              sign   Make a signature on the key of user name. If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again, together with its fingerprint, and asks whether it should be signed. This question is repeated for all users specified with -u.

              lsign  Same as "sign" but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.

              nrsign Same as "sign" but the signature is marked as non-revocable and can therefore never be revoked.

              tsign  Make a trust signature. This is a signature that combines the notions of certification (like a regular signature) and trust (like the "trust" command). It is generally only useful in distinct communities or groups.

              Note that "l" (for local / non-exportable), "nr" (for non-revocable), and "t" (for trust) may be freely mixed and prefixed to "sign" to create a signature of any type desired.

              delsig Delete a signature. Note that it is not possible to retract a signature once it has been sent to the public (i.e. to a keyserver). In that case, use revsig instead.

              revsig Revoke a signature. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated.

              check  Check the signatures on all selected user IDs.

              adduid Create an additional user ID.

              addphoto
                     Create a photographic user ID. This will prompt for a JPEG file that will be embedded into the user ID. Note that a very large JPEG will make for a very large key. Also note that some programs will display your JPEG unchanged (GnuPG), and some programs will scale it to fit in a dialog box (PGP).

              showphoto
                     Display the selected photographic user ID.

              deluid Delete a user ID or photographic user ID. Note that it is not possible to retract a user ID once it has been sent to the public (i.e. to a keyserver). In that case, use revuid instead.

              revuid Revoke a user ID or photographic user ID.

              primary
                     Flag the current user ID as the primary one, remove the primary user ID flag from all other user IDs, and set the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.

              keyserver
                     Set a preferred keyserver for the specified user ID(s). This allows other users to know where you prefer they get your key from. See --keyserver-options honor-keyserver-url for more on how this works. Setting a value of "none" removes an existing preferred keyserver.

              notation
                     Set a name=value notation for the specified user ID(s). See --cert-notation for more on how this works. Setting a value of "none" removes all notations, setting a notation prefixed with a minus sign (-) removes that notation, and setting a notation name (without the =value) prefixed with a minus sign removes all notations with that name.

              pref   List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences.

              showpref
                     More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list. In addition, the preferred keyserver and signature notations (if any) are shown.

              setpref string
                     Set the list of user ID preferences to string for all (or just the selected) user IDs. Calling setpref with no arguments sets the preference list to the default (either built-in or set via --default-preference-list), and calling setpref with "none" as the argument sets an empty preference list. Use gpg2 --version to get a list of available algorithms. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs, so these preferences will not be used by GnuPG.

                     When setting preferences, you should list the algorithms in the order in which you'd like to see them used by someone else when encrypting a message to your key. If you don't include 3DES, it will be automatically added at the end. Note that there are many factors that go into choosing an algorithm (for example, your key may not be the only recipient), and so the remote OpenPGP application being used to send to you may or may not follow your exact chosen order for a given message. It will, however, only choose an algorithm that is present on the preference list of every recipient key. See also the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section above.

              addkey Add a subkey to this key.

              addcardkey
                     Generate a subkey on a card and add it to this key.

              keytocard
                     Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card. A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card; if the card gets broken your secret key will be lost unless you have a backup somewhere.

              bkuptocard file
                     Restore the given file to a card. This command may be used to restore a backup key (as generated during card initialization) to a new card. In almost all cases this will be the encryption key. You should use this command only with the corresponding public key and make sure that the file given as argument is indeed the backup to restore. You should then select 2 to restore as encryption key. You will first be asked to enter the passphrase of the backup key and then for the Admin PIN of the card.

              delkey Remove a subkey (secondary key). Note that it is not possible to retract a subkey once it has been sent to the public (i.e. to a keyserver). In that case, use revkey instead.

              revkey Revoke a subkey.

              expire Change the key or subkey expiration time. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed.

              trust  Change the owner trust value for the key. This updates the trust-db immediately and no save is required.

              disable
              enable Disable or enable an entire key. A disabled key cannot normally be used for encryption.

              addrevoker
                     Add a designated revoker to the key. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).

              passwd Change the passphrase of the secret key.

              toggle Toggle between public and secret key listing.

              clean  Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.

              minimize
                     Make the key as small as possible. This removes all signatures from each user ID except for the most recent self-signature.

              cross-certify
                     Add cross-certification signatures to signing subkeys that may not currently have them. Cross-certification signatures protect against a subtle attack against signing subkeys. See --require-cross-certification. All new keys generated have this signature by default, so this option is only useful to bring older keys up to date.

              save   Save all changes to the key rings and quit.

              quit   Quit the program without updating the key rings.

              The listing shows you the key with its secondary keys and all user IDs. The primary user ID is indicated by a dot, and selected keys or user IDs are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:

              -      No ownertrust assigned / not yet calculated.

              e      Trust calculation has failed; probably due to an expired key.

              q      Not enough information for calculation.

              n      Never trust this key.

              m      Marginally trusted.

              f      Fully trusted.

              u      Ultimately trusted.

       --sign-key name
              Signs a public key with your secret key. This is a shortcut version of the subcommand "sign" from --edit-key.

       --lsign-key name
              Signs a public key with your secret key but marks it as non-exportable. This is a shortcut version of the subcommand "lsign" from --edit-key.

       --passwd user_id
              Change the passphrase of the secret key belonging to the certificate specified as user_id. This is a shortcut for the subcommand passwd of the edit key menu.

OPTIONS
       gpg2 features a bunch of options to control the exact behaviour and to change the default configuration.

       Long options can be put in an options file (default "~/.gnupg/gpg.conf"). Short option names will not work; for example, "armor" is a valid option for the options file, while "a" is not. Do not write the two dashes, but simply the name of the option and any required arguments. Lines with a hash ('#') as the first non-white-space character are ignored. Commands may be put in this file too, but that is not generally useful as the command will execute automatically with every execution of gpg.

       Please remember that option parsing stops as soon as a non-option is encountered; you can explicitly stop parsing by using the special option --.
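As an added example that is not GnuPG code, the following Python function reads a gpg.conf-style options file by the rules just stated (long option names only, no leading dashes, '#' comment lines ignored, arguments after the name) and reports entries gpg2 would not accept as intended. It also flags commands placed in the file and the four algorithm-forcing options from the INTEROPERABILITY section; the command and option name sets are limited to names this page mentions, and the sample file is constructed.

```python
"""Lint a gpg.conf-style options file against the rules in this man page.

Added example, not GnuPG code. Rules applied: long option names only, written
without the two dashes; lines whose first non-blank character is '#' are
ignored; a command in the file runs on every invocation (rarely wanted); the
algorithm-forcing options can produce messages a recipient cannot read.
"""
from typing import Dict, List, Tuple

# Commands named on this page; placing one in gpg.conf is "not generally useful".
COMMANDS = {"sign", "clearsign", "detach-sign", "encrypt", "symmetric",
            "decrypt", "verify", "list-keys", "list-secret-keys", "gen-key",
            "export", "import", "refresh-keys", "check-trustdb"}
# Options that force an algorithm in violation of the preference system.
FORCING = {"cipher-algo", "digest-algo", "cert-digest-algo", "compress-algo"}

Entry = Tuple[int, str, str]   # (line number, option name, arguments)


def parse_options_file(text: str) -> Dict[str, list]:
    """Split the file into accepted entries, hard errors and advisory warnings."""
    entries: List[Entry] = []
    errors: List[str] = []
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or comment line
            continue
        parts = line.split(None, 1)
        name, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if name.startswith("-"):
            errors.append(f"line {lineno}: '{name}' must be written without dashes")
            continue
        if len(name) == 1:
            errors.append(f"line {lineno}: short option '{name}' does not work here")
            continue
        if name in COMMANDS:
            warnings.append(f"line {lineno}: command '{name}' would run on every invocation")
        if name in FORCING:
            warnings.append(f"line {lineno}: '{name} {args}' overrides the OpenPGP "
                            "preference system; recipients may be unable to read messages")
        entries.append((lineno, name, args))
    return {"entries": entries, "errors": errors, "warnings": warnings}


# Constructed sample gpg.conf (not from a real installation).
SAMPLE_CONF = """\
# constructed sample options file
armor
default-key 0123ABCD
   # an indented comment is still a comment
--keyserver hkp://keys.example.org
a
cipher-algo BLOWFISH
list-keys
"""

if __name__ == "__main__":
    result = parse_options_file(SAMPLE_CONF)
    for key in ("entries", "errors", "warnings"):
        print(key, result[key])
```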
856
857
858
859 How to change the configuration
860
861
862 These options are used to change the configuration and are usually
863 found in the option file.
864
865
866
867 --default-key name
868 Use name as the default key to sign with. If this option is not
869 used, the default key is the first key found in the secret
870 keyring. Note that -u or --local-user overrides this option.
871
872
873 --default-recipient name
874 Use name as default recipient if option --recipient is not used
875 and don't ask if this is a valid one. name must be non-empty.
876
877
878 --default-recipient-self
879 Use the default key as default recipient if option --recipient
880 is not used and don't ask if this is a valid one. The default
881 key is the first one from the secret keyring or the one set with
882 --default-key.
883
884
885 --no-default-recipient
886 Reset --default-recipient and --default-recipient-self.
887
888
889 -v, --verbose
890 Give more information during processing. If used twice, the
891 input data is listed in detail.
892
893
894 --no-verbose
895 Reset verbose level to 0.
896
897
898 -q, --quiet
899 Try to be as quiet as possible.
900
901
902 --batch
903
904 --no-batch
905 Use batch mode. Never ask, do not allow interactive commands.
906 --no-batch disables this option. Note that even with a filename
907 given on the command line, gpg might still need to read from
908 STDIN (in particular if gpg figures that the input is a detached
909 signature and no data file has been specified). Thus if you do
910 not want to feed data via STDIN, you should connect STDIN to
911 ‘/dev/null’.
912
913
914 --no-tty
915 Make sure that the TTY (terminal) is never used for any output.
916 This option is needed in some cases because GnuPG sometimes
917 prints warnings to the TTY even if --batch is used.
918
919
920 --yes Assume "yes" on most questions.
921
922
923 --no Assume "no" on most questions.
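For scripted use the three options above are normally combined, and STDIN is tied off for the reason given under --batch. The wrapper below is an added example, not GnuPG code; the GPG variable is a hypothetical name that lets the wrapper be pointed at a stand-in binary. The exit-status mapping relies on gpg returning 0 on success, 1 when at least one signature was bad and another code on fatal errors.

```sh
#!/bin/sh
# Added example (not part of GnuPG): a wrapper for running gpg without a
# terminal. GPG is a hypothetical variable so the wrapper can be pointed at
# a stand-in for testing.
GPG=${GPG:-gpg2}

# gpg_unattended ARGS...
#   --batch    never ask questions, never enter interactive commands
#   --no-tty   never write to the controlling terminal, not even warnings
#   --yes      answer "yes" where a question would otherwise be asked
#   </dev/null gpg may still read STDIN even with a file name given (for
#              example when it decides the input is a detached signature),
#              so STDIN is tied to /dev/null instead of a possibly blocking pipe
gpg_unattended() {
    "$GPG" --batch --no-tty --yes "$@" </dev/null
}

# classify_gpg_exit CODE
# gpg exits 0 on success, 1 when at least one signature was bad, and with
# another code on fatal errors; turn that into a word callers can branch on.
classify_gpg_exit() {
    case "$1" in
        0) echo ok ;;
        1) echo bad-signature ;;
        *) echo fatal ;;
    esac
}

# verify_unattended SIGFILE DATAFILE
# Both names are passed explicitly so gpg has no reason to read STDIN.
verify_unattended() {
    _rc=0
    gpg_unattended --verify "$1" "$2" || _rc=$?
    classify_gpg_exit "$_rc"
}
```

A caller then does `case "$(verify_unattended msg.sig msg.txt)" in ok) ... ;; esac` and never waits on a prompt that nobody will answer.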
924
925
926
927 --list-options parameters
928 This is a space or comma delimited string that gives options
929 used when listing keys and signatures (that is, --list-keys,
930 --list-sigs, --list-public-keys, --list-secret-keys, and the
931 --edit-key functions). Options can be prepended with a no-
932 (after the two dashes) to give the opposite meaning. The
933 options are:
934
935
936
937 show-photos
938 Causes --list-keys, --list-sigs, --list-public-keys, and
939 --list-secret-keys to display any photo IDs attached to
940 the key. Defaults to no. See also --photo-viewer. Does
941 not work with --with-colons: see --attribute-fd for the
942 appropriate way to get photo data for scripts and other
943 frontends.
944
945
946 show-policy-urls
947 Show policy URLs in the --list-sigs or --check-sigs list‐
948 ings. Defaults to no.
949
950
951 show-notations
952
953 show-std-notations
954
955 show-user-notations
956 Show all, IETF standard, or user-defined signature nota‐
957 tions in the --list-sigs or --check-sigs listings.
958 Defaults to no.
959
960
961 show-keyserver-urls
962 Show any preferred keyserver URL in the --list-sigs or
963 --check-sigs listings. Defaults to no.
964
965
966 show-uid-validity
967 Display the calculated validity of user IDs during key
968 listings. Defaults to no.
969
970
971 show-unusable-uids
972 Show revoked and expired user IDs in key listings.
973 Defaults to no.
974
975
976 show-unusable-subkeys
977 Show revoked and expired subkeys in key listings.
978 Defaults to no.
979
980
981 show-keyring
982 Display the keyring name at the head of key listings to
983 show which keyring a given key resides on. Defaults to
984 no.
985
986
987 show-sig-expire
988 Show signature expiration dates (if any) during --list-
989 sigs or --check-sigs listings. Defaults to no.
990
991
992 show-sig-subpackets
993 Include signature subpackets in the key listing. This
994 option can take an optional argument list of the subpack‐
995 ets to list. If no argument is passed, list all subpack‐
996 ets. Defaults to no. This option is only meaningful when
997 using --with-colons along with --list-sigs or --check-
998 sigs.
999
1000
1001
1002 --verify-options parameters
1003 This is a space or comma delimited string that gives options
1004 used when verifying signatures. Options can be prepended with a
1005 `no-' to give the opposite meaning. The options are:
1006
1007
1008
1009 show-photos
1010 Display any photo IDs present on the key that issued the
1011 signature. Defaults to no. See also --photo-viewer.
1012
1013
1014 show-policy-urls
1015 Show policy URLs in the signature being verified.
1016 Defaults to no.
1017
1018
1019 show-notations
1020
1021 show-std-notations
1022
1023 show-user-notations
1024 Show all, IETF standard, or user-defined signature nota‐
1025 tions in the signature being verified. Defaults to IETF
1026 standard.
1027
1028
1029 show-keyserver-urls
1030 Show any preferred keyserver URL in the signature being
1031 verified. Defaults to no.
1032
1033
1034 show-uid-validity
1035 Display the calculated validity of the user IDs on the
1036 key that issued the signature. Defaults to no.
1037
1038
1039 show-unusable-uids
1040 Show revoked and expired user IDs during signature veri‐
1041 fication. Defaults to no.
1042
1043
1044 show-primary-uid-only
1045 Show only the primary user ID during signature verifica‐
1046 tion. That is, the AKA lines as well as photo IDs are
1047 not shown with the signature verification status.
1048
1049
1050 pka-lookups
1051 Enable PKA lookups to verify sender addresses. Note that
1052 PKA is based on DNS, and so enabling this option may dis‐
1053 close information on when and what signatures are veri‐
1054 fied or to whom data is encrypted. This is similar to the
1055 "web bug" described for the auto-key-retrieve feature.
1056
1057
1058 pka-trust-increase
1059 Raise the trust in a signature to full if the signature
1060 passes PKA validation. This option is only meaningful if
1061 pka-lookups is set.
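Both --list-options and --verify-options (and, further down, --keyserver-options and --import-options) take the same space- or comma-delimited list in which a `no-' prefix negates an entry. The function below, an added example rather than GnuPG code, reduces such a string to the effective settings. That a later occurrence of a name overrides an earlier one is an assumption made here, not a statement of this manual.

```sh
#!/bin/sh
# Added example (not GnuPG code): parse a "--list-options"-style value.
# Input: space or comma delimited names, optionally prefixed with "no-".
# Output: one "name=yes|no" line per distinct name, in first-seen order.
# Assumption: when a name is repeated, the last occurrence wins.
parse_option_list() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | awk '
        /^$/ { next }                               # skip empty tokens
        {
            name = $0; val = "yes"
            if (sub(/^no-/, "", name)) val = "no"   # strip the negation prefix
            if (!(name in seen)) order[++n] = name  # remember first-seen order
            seen[name] = val
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" seen[order[i]] }'
}

# option_enabled LIST NAME -> exit status 0 if NAME ends up enabled
option_enabled() {
    parse_option_list "$1" | grep -qx -- "$2=yes"
}

# Demo with a constructed value
parse_option_list 'show-uid-validity, no-show-photos show-notations no-show-notations'
```

The demo prints show-uid-validity=yes, show-photos=no and show-notations=no; the negated repeat of show-notations wins.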
1062
1063
1064 --enable-dsa2
1065
1066 --disable-dsa2
1067 Enable hash truncation for all DSA keys even for old DSA Keys up
1068 to 1024 bit. This is also the default with --openpgp. Note
1069 that older versions of GnuPG also required this flag to allow
1070 the generation of DSA larger than 1024 bit.
1071
1072
1073 --photo-viewer string
1074 This is the command line that should be run to view a photo ID.
1075 "%i" will be expanded to a filename containing the photo. "%I"
1076 does the same, except the file will not be deleted once the
1077 viewer exits. Other flags are "%k" for the key ID, "%K" for the
1078 long key ID, "%f" for the key fingerprint, "%t" for the exten‐
1079 sion of the image type (e.g. "jpg"), "%T" for the MIME type of
1080 the image (e.g. "image/jpeg"), "%v" for the single-character
1081 calculated validity of the image being viewed (e.g. "f"), "%V"
1082 for the calculated validity as a string (e.g. "full"), and "%%"
1083 for an actual percent sign. If neither %i nor %I is present,
1084 then the photo will be supplied to the viewer on standard input.
1085
1086 The default viewer is "xloadimage -fork -quiet -title 'KeyID
1087 0x%k' STDIN". Note that if your image viewer program is not
1088 secure, then executing it from GnuPG does not make it secure.
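The escape rules above, carried out by an added shell example that is not GnuPG's own expansion code. The PV_* variables are hypothetical names standing for the values gpg would substitute, and their sample contents are constructed; the second function applies the "neither %i nor %I" rule to decide whether the photo would arrive on standard input.

```sh
#!/bin/sh
# Added example (not GnuPG code): expand the %-escapes of a --photo-viewer
# command line. The PV_* variables are hypothetical names holding the values
# gpg would substitute; the sample values are constructed.
PV_TMPFILE=/tmp/gpg-photo-XXXX.jpg                 # %i  (deleted after the viewer exits)
PV_KEEPFILE=/tmp/gpg-photo-keep.jpg                # %I  (kept)
PV_KEYID=99242560                                  # %k
PV_LONGKEYID=0123456789242560                      # %K
PV_FPR=0123456789ABCDEF0123456789ABCDEF99242560    # %f
PV_EXT=jpg                                         # %t
PV_MIME=image/jpeg                                 # %T
PV_VALIDITY=f                                      # %v
PV_VALIDITY_STR=full                               # %V

# expand_photo_viewer TEMPLATE -> prints the expanded command line
expand_photo_viewer() {
    _tpl=$1
    _out=''
    while [ -n "$_tpl" ]; do
        _c=${_tpl%"${_tpl#?}"}           # first character
        _tpl=${_tpl#?}
        if [ "$_c" != '%' ]; then
            _out="$_out$_c"
            continue
        fi
        _c=${_tpl%"${_tpl#?}"}           # character after the percent sign
        _tpl=${_tpl#?}
        case "$_c" in
            i) _out="$_out$PV_TMPFILE" ;;
            I) _out="$_out$PV_KEEPFILE" ;;
            k) _out="$_out$PV_KEYID" ;;
            K) _out="$_out$PV_LONGKEYID" ;;
            f) _out="$_out$PV_FPR" ;;
            t) _out="$_out$PV_EXT" ;;
            T) _out="$_out$PV_MIME" ;;
            v) _out="$_out$PV_VALIDITY" ;;
            V) _out="$_out$PV_VALIDITY_STR" ;;
            %) _out="$_out%" ;;
            *) _out="$_out%$_c" ;;       # unknown escape kept as written (assumption)
        esac
    done
    printf '%s\n' "$_out"
}

# photo_on_stdin TEMPLATE -> status 0 when neither %i nor %I occurs, i.e. the
# photo would be fed to the viewer on standard input. "%%" is removed first so
# that an escaped percent sign followed by "i" is not mistaken for %i.
photo_on_stdin() {
    case "$(printf '%s' "$1" | sed 's/%%//g')" in
        *%i*|*%I*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with the default viewer command line
expand_photo_viewer "xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN"
```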
1089
1090
1091 --exec-path string
1092 Sets a list of directories to search for photo viewers and key‐
1093 server helpers. If not provided, keyserver helpers use the com‐
1094 piled-in default directory, and photo viewers use the $PATH
1095 environment variable. Note that on W32 systems this value is
1096 ignored when searching for keyserver helpers.
1097
1098
1099 --keyring file
1100 Add file to the current list of keyrings. If file begins with a
1101 tilde and a slash, these are replaced by the $HOME directory. If
1102 the filename does not contain a slash, it is assumed to be in
1103 the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME
1104 is not used).
1105
1106 Note that this adds a keyring to the current list. If the intent
1107 is to use the specified keyring alone, use --keyring along with
1108 --no-default-keyring.
1109
1110
1111 --secret-keyring file
1112 Same as --keyring but for the secret keyrings.
1113
1114
1115 --primary-keyring file
1116 Designate file as the primary public keyring. This means that
1117 newly imported keys (via --import or keyserver --recv-from) will
1118 go to this keyring.
1119
1120
1121 --trustdb-name file
1122 Use file instead of the default trustdb. If file begins with a
1123 tilde and a slash, these are replaced by the $HOME directory. If
1124 the filename does not contain a slash, it is assumed to be in
1125 the GnuPG home directory (‘~/.gnupg’ if --homedir or $GNUPGHOME
1126 is not used).
1127
1128
1129 --homedir dir
1130 Set the name of the home directory to dir. If this option is not
1131 used, the home directory defaults to ‘~/.gnupg’. It is only
1132 recognized when given on the command line. It also overrides
1133 any home directory stated through the environment variable
1134 ‘GNUPGHOME’ or (on W32 systems) by means of the Registry entry
1135 HKCU\Software\GNU\GnuPG:HomeDir.
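The file-name rules shared by --keyring and --trustdb-name, together with the --homedir precedence, as an added shell example (not GnuPG code). The W32 Registry entry is not modelled; on the command line --homedir wins, then GNUPGHOME, then ~/.gnupg.

```sh
#!/bin/sh
# Added example (not GnuPG code): resolve the home directory and a
# keyring/trustdb file name the way the --homedir, --keyring and
# --trustdb-name descriptions specify. The W32 Registry lookup is not modelled.

# gnupg_home [HOMEDIR_OPTION]
# Precedence: --homedir argument, then $GNUPGHOME, then ~/.gnupg.
gnupg_home() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$GNUPGHOME" ]; then
        printf '%s\n' "$GNUPGHOME"
    else
        printf '%s\n' "$HOME/.gnupg"
    fi
}

# resolve_gnupg_file NAME [HOMEDIR_OPTION]
#   "~/x"          -> "$HOME/x"        (tilde and slash replaced by $HOME)
#   "x"            -> "<homedir>/x"    (no slash: relative to the home dir)
#   anything else is used as given.
resolve_gnupg_file() {
    _name=$1
    case "$_name" in
        '~/'*) printf '%s\n' "$HOME/${_name#??}" ;;
        */*)   printf '%s\n' "$_name" ;;
        *)     printf '%s\n' "$(gnupg_home "$2")/$_name" ;;
    esac
}

# Demo
resolve_gnupg_file extra-keys.gpg
resolve_gnupg_file '~/keys/extra-keys.gpg'
```

Remember that --keyring adds to the list of keyrings; combine it with --no-default-keyring when the named file is meant to be the only one consulted.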
1136
1137
1138
1139
1140
1141
1142
1143 --display-charset name
1144 Set the name of the native character set. This is used to con‐
1145 vert some informational strings like user IDs to the proper
1146 UTF-8 encoding. Note that this has nothing to do with the char‐
1147 acter set of data to be encrypted or signed; GnuPG does not
1148 recode user-supplied data. If this option is not used, the
1149 default character set is determined from the current locale. A
1150 verbosity level of 3 shows the chosen set. Valid values for
1151 name are:
1152
1153
1154
1155 iso-8859-1
1156 This is the Latin 1 set.
1157
1158
1159 iso-8859-2
1160 The Latin 2 set.
1161
1162
1163 iso-8859-15
1164 This is currently an alias for the Latin 1 set.
1165
1166
1167 koi8-r The usual Russian set (rfc1489).
1168
1169
1170 utf-8 Bypass all translations and assume that the OS uses
1171 native UTF-8 encoding.
1172
1173
1174 --utf8-strings
1175
1176 --no-utf8-strings
1177 Assume that command line arguments are given as UTF8 strings.
1178 The default (--no-utf8-strings) is to assume that arguments are
1179 encoded in the character set as specified by --display-charset.
1180 These options affect all following arguments. Both options may
1181 be used multiple times.
1182
1183
1184
1185 --options file
1186 Read options from file and do not try to read them from the
1187 default options file in the homedir (see --homedir). This option
1188 is ignored if used in an options file.
1189
1190
1191 --no-options
1192 Shortcut for --options /dev/null. This option is detected before
1193 an attempt to open an option file. Using this option will also
1194 prevent the creation of a ‘~/.gnupg’ homedir.
1195
1196
1197 -z n
1198
1199 --compress-level n
1200
1201 --bzip2-compress-level n
1202 Set compression level to n for the ZIP and ZLIB compression
1203 algorithms. The default is to use the default compression level
1204 of zlib (normally 6). --bzip2-compress-level sets the compres‐
1205 sion level for the BZIP2 compression algorithm (defaulting to 6
1206 as well). This is a different option from --compress-level since
1207 BZIP2 uses a significant amount of memory for each additional
1208 compression level. -z sets both. A value of 0 for n disables
1209 compression.
1210
1211
1212 --bzip2-decompress-lowmem
1213 Use a different decompression method for BZIP2 compressed files.
1214 This alternate method uses a bit more than half the memory, but
1215 also runs at half the speed. This is useful under extreme low
1216 memory circumstances when the file was originally compressed at
1217 a high --bzip2-compress-level.
1218
1219
1220
1221 --mangle-dos-filenames
1222
1223 --no-mangle-dos-filenames
1224 Older versions of Windows cannot handle filenames with more than
1225 one dot. --mangle-dos-filenames causes GnuPG to replace (rather
1226 than add to) the extension of an output filename to avoid this
1227 problem. This option is off by default and has no effect on non-
1228 Windows platforms.
1229
1230
1231 --ask-cert-level
1232
1233 --no-ask-cert-level
1234 When making a key signature, prompt for a certification level.
1235 If this option is not specified, the certification level used is
1236 set via --default-cert-level. See --default-cert-level for
1237 information on the specific levels and how they are used. --no-
1238 ask-cert-level disables this option. This option defaults to no.
1239
1240
1241 --default-cert-level n
1242 The default to use for the check level when signing a key.
1243
1244 0 means you make no particular claim as to how carefully you
1245 verified the key.
1246
1247 1 means you believe the key is owned by the person who claims to
1248 own it but you could not, or did not verify the key at all. This
1249 is useful for a "persona" verification, where you sign the key
1250 of a pseudonymous user.
1251
1252 2 means you did casual verification of the key. For example,
1253 this could mean that you verified the key fingerprint and
1254 checked the user ID on the key against a photo ID.
1255
1256 3 means you did extensive verification of the key. For example,
1257 this could mean that you verified the key fingerprint with the
1258 owner of the key in person, and that you checked, by means of a
1259 hard to forge document with a photo ID (such as a passport) that
1260 the name of the key owner matches the name in the user ID on the
1261 key, and finally that you verified (by exchange of email) that
1262 the email address on the key belongs to the key owner.
1263
1264 Note that the examples given above for levels 2 and 3 are just
1265 that: examples. In the end, it is up to you to decide just what
1266 "casual" and "extensive" mean to you.
1267
1268 This option defaults to 0 (no particular claim).
1269
1270
1271 --min-cert-level
1272 When building the trust database, treat any signatures with a
1273 certification level below this as invalid. Defaults to 2, which
1274 disregards level 1 signatures. Note that level 0 "no particular
1275 claim" signatures are always accepted.
1276
1277
1278 --trusted-key long key ID
1279 Assume that the specified key (which must be given as a full 8
1280 byte key ID) is as trustworthy as one of your own secret keys.
1281 This option is useful if you don't want to keep your secret keys
1282 (or one of them) online but still want to be able to check the
1283 validity of a given recipient's or signator's key.
1284
1285
1286 --trust-model pgp|classic|direct|always|auto
1287 Set what trust model GnuPG should follow. The models are:
1288
1289
1290
1291 pgp This is the Web of Trust combined with trust signatures
1292 as used in PGP 5.x and later. This is the default trust
1293 model when creating a new trust database.
1294
1295
1296 classic
1297 This is the standard Web of Trust as used in PGP 2.x and
1298 earlier.
1299
1300
1301 direct Key validity is set directly by the user and not calcu‐
1302 lated via the Web of Trust.
1303
1304
1305 always Skip key validation and assume that used keys are always
1306 fully trusted. You generally won't use this unless you
1307 are using some external validation scheme. This option
1308 also suppresses the "[uncertain]" tag printed with signa‐
1309 ture checks when there is no evidence that the user ID is
1310 bound to the key.
1311
1312
1313 auto Select the trust model depending on whatever the internal
1314 trust database says. This is the default model if such a
1315 database already exists.
1316
1317
1318 --auto-key-locate parameters
1319
1320 --no-auto-key-locate
1321 GnuPG can automatically locate and retrieve keys as needed using
1322 this option. This happens when encrypting to an email address
1323 (in the "user@example.com" form), and there are no user@exam‐
1324 ple.com keys on the local keyring. This option takes any number
1325 of the following mechanisms, in the order they are to be tried:
1326
1327
1328
1329 cert Locate a key using DNS CERT, as specified in rfc4398.
1330
1331
1332 pka Locate a key using DNS PKA.
1333
1334
1335 ldap Using DNS Service Discovery, check the domain in question
1336 for any LDAP keyservers to use. If this fails, attempt
1337 to locate the key using the PGP Universal method of
1338 checking 'ldap://keys.(thedomain)'.
1339
1340
1341 keyserver
1342 Locate a key using whatever keyserver is defined using
1343 the --keyserver option.
1344
1345
1346 keyserver-URL
1347 In addition, a keyserver URL as used in the --keyserver
1348 option may be used here to query that particular key‐
1349 server.
1350
1351
1352 local Locate the key using the local keyrings. This mechanism
1353 allows selecting the position at which the local key lookup
1354 is done. Thus using '--auto-key-locate local' is identical to
1355 --no-auto-key-locate.
1356
1357
1358 nodefault
1359 This flag disables the standard local key lookup, done
1360 before any of the mechanisms defined by the --auto-key-
1361 locate are tried. The position of this mechanism in the
1362 list does not matter. It is not required if local is
1363 also used.
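The interaction of the default local lookup, local and nodefault is easy to get wrong, so here is an added shell example (not GnuPG code) that computes the lookup order a given --auto-key-locate parameter list implies. It accepts the mechanisms separated by spaces or commas.

```sh
#!/bin/sh
# Added example (not GnuPG code): compute the lookup order that a
# --auto-key-locate parameter list implies.
#   * the local keyrings are consulted first unless "nodefault" is given
#   * "local" places the local lookup at that position instead
#   * "nodefault" may appear anywhere and is not itself a lookup
auto_key_locate_order() {
    _nodefault=0 _list=''
    for _m in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_m" in
            nodefault) _nodefault=1 ;;
            local)     _nodefault=1; _list="$_list local" ;;
            *)         _list="$_list $_m" ;;   # cert, pka, ldap, keyserver, a URL
        esac
    done
    [ "$_nodefault" -eq 1 ] || _list=" local$_list"
    printf '%s\n' "${_list# }"
}

# Demo
auto_key_locate_order 'cert pka keyserver'
auto_key_locate_order 'nodefault,cert,keyserver'
auto_key_locate_order 'cert local keyserver'
```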
1364
1365
1366
1367 --keyid-format short|0xshort|long|0xlong
1368 Select how to display key IDs. "short" is the traditional
1369 8-character key ID. "long" is the more accurate (but less conve‐
1370 nient) 16-character key ID. Add an "0x" to either to include an
1371 "0x" at the beginning of the key ID, as in 0x99242560. Note
1372 that this option is ignored if the option --with-colons is used.
1373
1374
1375 --keyserver name
1376 Use name as your keyserver. This is the server that --recv-keys,
1377 --send-keys, and --search-keys will communicate with to receive
1378 keys from, send keys to, and search for keys on. The format of
1379 the name is a URI: `scheme:[//]keyservername[:port]'. The scheme
1380 is the type of keyserver: "hkp" for the HTTP (or compatible)
1381 keyservers, "ldap" for the LDAP keyservers, or "mailto" for the
1382 Graff email keyserver. Note that your particular installation of
1383 GnuPG may have other keyserver types available as well. Key‐
1384 server schemes are case-insensitive. After the keyserver name,
1385 optional keyserver configuration options may be provided. These
1386 are the same as the global --keyserver-options from below, but
1387 apply only to this particular keyserver.
1388
1389 Most keyservers synchronize with each other, so there is gener‐
1390 ally no need to send keys to more than one server. The keyserver
1391 hkp://keys.gnupg.net uses round robin DNS to give a different
1392 keyserver each time you use it.
1393
1394
1395 --keyserver-options name=value1
1396 This is a space or comma delimited string that gives options for
1397 the keyserver. Options can be prefixed with a `no-' to give the
1398 opposite meaning. Valid import-options or export-options may be
1399 used here as well to apply to importing (--recv-key) or export‐
1400 ing (--send-key) a key from a keyserver. While not all options
1401 are available for all keyserver types, some common options are:
1402
1403
1404
1405 include-revoked
1406 When searching for a key with --search-keys, include keys
1407 that are marked on the keyserver as revoked. Note that
1408 not all keyservers differentiate between revoked and
1409 unrevoked keys, and for such keyservers this option is
1410 meaningless. Note also that most keyservers do not have
1411 cryptographic verification of key revocations, and so
1412 turning this option off may result in skipping keys that
1413 are incorrectly marked as revoked.
1414
1415
1416 include-disabled
1417 When searching for a key with --search-keys, include keys
1418 that are marked on the keyserver as disabled. Note that
1419 this option is not used with HKP keyservers.
1420
1421
1422 auto-key-retrieve
1423 This option enables the automatic retrieving of keys from
1424 a keyserver when verifying signatures made by keys that
1425 are not on the local keyring.
1426
1427 Note that this option makes a "web bug" like behavior
1428 possible. Keyserver operators can see which keys you
1429 request, so by sending you a message signed by a brand
1430 new key (which you naturally will not have on your local
1431 keyring), the operator can tell both your IP address and
1432 the time when you verified the signature.
1433
1434
1435 honor-keyserver-url
1436 When using --refresh-keys, if the key in question has a
1437 preferred keyserver URL, then use that preferred key‐
1438 server to refresh the key from. In addition, if auto-key-
1439 retrieve is set, and the signature being verified has a
1440 preferred keyserver URL, then use that preferred key‐
1441 server to fetch the key from. Defaults to yes.
1442
1443
1444 honor-pka-record
1445 If auto-key-retrieve is set, and the signature being ver‐
1446 ified has a PKA record, then use the PKA information to
1447 fetch the key. Defaults to yes.
1448
1449
1450 include-subkeys
1451 When receiving a key, include subkeys as potential tar‐
1452 gets. Note that this option is not used with HKP key‐
1453 servers, as they do not support retrieving keys by subkey
1454 id.
1455
1456
1457 use-temp-files
1458 On most Unix-like platforms, GnuPG communicates with the
1459 keyserver helper program via pipes, which is the most
1460 efficient method. This option forces GnuPG to use tempo‐
1461 rary files to communicate. On some platforms (such as
1462 Win32 and RISC OS), this option is always enabled.
1463
1464
1465 keep-temp-files
1466 If using `use-temp-files', do not delete the temp files
1467 after using them. This option is useful to learn the key‐
1468 server communication protocol by reading the temporary
1469 files.
1470
1471
1472 verbose
1473 Tell the keyserver helper program to be more verbose.
1474 This option can be repeated multiple times to increase
1475 the verbosity level.
1476
1477
1478 timeout
1479 Tell the keyserver helper program how long (in seconds)
1480 to try and perform a keyserver action before giving up.
1481 Note that performing multiple actions at the same time
1482 uses this timeout value per action. For example, when
1483 retrieving multiple keys via --recv-keys, the timeout
1484 applies separately to each key retrieval, and not to the
1485 --recv-keys command as a whole. Defaults to 30 seconds.
1486
1487
1488 http-proxy=value
1489 Set the proxy to use for HTTP and HKP keyservers. This
1490 overrides the "http_proxy" environment variable, if any.
1491
1492
1493
1494 max-cert-size
1495 When retrieving a key via DNS CERT, only accept keys up
1496 to this size. Defaults to 16384 bytes.
1497
1498
1499 debug Turn on debug output in the keyserver helper program.
1500 Note that the details of debug output depends on which
1501 keyserver helper program is being used, and in turn, on
1502 any libraries that the keyserver helper program uses
1503 internally (libcurl, openldap, etc).
1504
1505
1506 check-cert
1507 Enable certificate checking if the keyserver presents one
1508 (for hkps or ldaps). Defaults to on.
1509
1510
1511 ca-cert-file
1512 Provide a certificate store to override the system
1513 default. Only necessary if check-cert is enabled, and
1514 the keyserver is using a certificate that is not present
1515 in a system default certificate list.
1516
1517 Note that depending on the SSL library that the keyserver
1518 helper is built with, this may actually be a directory or
1519 a file.
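The keyserver URI format given under --keyserver, and the fact that check-cert only has anything to check for the TLS schemes hkps and ldaps, combined in an added shell example that is not GnuPG code. The parser handles the optional `//', a trailing port and case-insensitive schemes; IPv6 literals in brackets are not handled.

```sh
#!/bin/sh
# Added example (not GnuPG code): parse a --keyserver value of the form
#   scheme:[//]keyservername[:port]
# and report whether certificate checking (keyserver-option check-cert)
# can apply, which is only the case for the TLS schemes hkps and ldaps.

# parse_keyserver_uri URI -> prints "scheme host port" ("-" if no port)
# Schemes are case-insensitive, so the scheme is lowercased.
parse_keyserver_uri() {
    _uri=$1
    case "$_uri" in
        *:*) ;;
        *) echo "no scheme in '$_uri'" >&2; return 1 ;;
    esac
    _scheme=$(printf '%s' "${_uri%%:*}" | tr 'A-Z' 'a-z')
    _rest=${_uri#*:}
    _rest=${_rest#//}                    # the // is optional
    _rest=${_rest%%/*}                   # ignore any path component
    case "$_rest" in
        *:*) _host=${_rest%%:*}; _port=${_rest#*:} ;;
        *)   _host=$_rest; _port='' ;;
    esac
    [ -n "$_host" ] || { echo "no keyserver name in '$_uri'" >&2; return 1; }
    printf '%s %s %s\n' "$_scheme" "$_host" "${_port:--}"
}

# keyserver_uses_tls URI -> status 0 if the scheme is hkps or ldaps,
# 1 for a cleartext scheme, 2 if the URI cannot be parsed
keyserver_uses_tls() {
    _s=$(parse_keyserver_uri "$1") || return 2
    case "${_s%% *}" in
        hkps|ldaps) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with constructed keyserver names
for u in hkp://keys.example.org HKPS://keys.example.org:443 \
         ldap://keys.example.org mailto:pgp-public-keys@example.org; do
    if keyserver_uses_tls "$u"; then tls=yes; else tls=no; fi
    printf '%-40s -> %s (tls: %s)\n' "$u" "$(parse_keyserver_uri "$u")" "$tls"
done
```

A configuration audit can run keyserver_uses_tls over every keyserver line in gpg.conf to find servers that are reached in the clear, where check-cert and ca-cert-file give no protection.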
1520
1521
1522 --completes-needed n
1523 Number of completely trusted users to introduce a new key signer
1524 (defaults to 1).
1525
1526
1527 --marginals-needed n
1528 Number of marginally trusted users to introduce a new key signer
1529 (defaults to 3).
1530
1531
1532 --max-cert-depth n
1533 Maximum depth of a certification chain (default is 5).
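How --min-cert-level (with its rule that level 0 is always accepted) combines with --completes-needed and --marginals-needed, shown by an added shell example that is not GnuPG's trustdb code. It is a one-hop model: the certifications on a single key are counted against the thresholds, and chains longer than one hop (--max-cert-depth) are not represented. The certification list is constructed.

```sh
#!/bin/sh
# Added example (not GnuPG code): a one-hop model of how --min-cert-level,
# --completes-needed and --marginals-needed combine. Chains longer than one
# hop (--max-cert-depth) are not modelled.

# Constructed certifications on one key: "<ownertrust of signer> <cert level>"
CERTS='full 3
marginal 2
marginal 1
marginal 2
unknown 3
'

# cert_accepted LEVEL MIN_CERT_LEVEL
# Level 0 ("no particular claim") is always accepted; any other level must
# reach the minimum.
cert_accepted() {
    [ "$1" -eq 0 ] || [ "$1" -ge "$2" ]
}

# key_validity MIN_CERT_LEVEL COMPLETES_NEEDED MARGINALS_NEEDED < certs
# Prints "full" when enough accepted certifications come from fully trusted
# signers, or enough from marginally trusted ones, and "unknown" otherwise.
key_validity() {
    _min=$1 _cn=$2 _mn=$3
    _full=0 _marg=0
    while read -r _trust _level; do
        [ -n "$_trust" ] || continue
        cert_accepted "$_level" "$_min" || continue
        case "$_trust" in
            full)     _full=$((_full + 1)) ;;
            marginal) _marg=$((_marg + 1)) ;;
        esac                               # other signers never count
    done
    if [ "$_full" -ge "$_cn" ] || [ "$_marg" -ge "$_mn" ]; then
        echo full
    else
        echo unknown
    fi
}

# Demo with the defaults: min-cert-level 2, completes-needed 1, marginals-needed 3
printf '%s' "$CERTS" | key_validity 2 1 3
```

With the defaults the single fully trusted signer is enough. Raising --completes-needed to 2 leaves the key unknown, because only two of the three marginal certifications reach level 2; lowering --min-cert-level to 1 lets the third one count and the key becomes valid again.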
1534
1535
1536 --simple-sk-checksum
1537 Secret keys are integrity protected by using a SHA-1 checksum.
1538 This method is part of the upcoming enhanced OpenPGP specifica‐
1539 tion but GnuPG already uses it as a countermeasure against cer‐
1540 tain attacks. Old applications don't understand this new for‐
1541 mat, so this option may be used to switch back to the old behav‐
1542 iour. Using this option bears a security risk. Note that using
1543 this option only takes effect when the secret key is encrypted -
1544 the simplest way to make this happen is to change the passphrase
1545 on the key (even changing it to the same value is acceptable).
1546
1547
1548 --no-sig-cache
1549 Do not cache the verification status of key signatures. Caching
1550 gives a much better performance in key listings. However, if you
1551 suspect that your public keyring is not safe against write modi‐
1552 fications, you can use this option to disable the caching. It
1553 probably does not make sense to disable it because all kinds of
1554 damage can be done if someone else has write access to your pub‐
1555 lic keyring.
1556
1557
1558 --no-sig-create-check
1559 GnuPG normally verifies each signature right after creation to
1560 protect against bugs and hardware malfunctions which could leak
1561 out bits from the secret key. This extra verification needs some
1562 time (about 115% for DSA keys), and so this option can be used
1563 to disable it. However, due to the fact that the signature cre‐
1564 ation needs manual interaction, this performance penalty does
1565 not matter in most settings.
1566
1567
1568 --auto-check-trustdb
1569
1570 --no-auto-check-trustdb
1571 If GnuPG feels that its information about the Web of Trust has
1572 to be updated, it automatically runs the --check-trustdb command
1573 internally. This may be a time consuming process. --no-auto-
1574 check-trustdb disables this option.
1575
1576
1577 --use-agent
1578
1579 --no-use-agent
1580 This is a dummy option. gpg2 always requires the agent.
1581
1582
1583 --gpg-agent-info
1584 This is a dummy option. It has no effect when used with gpg2.
1585
1586
1587 --lock-once
1588 Lock the databases the first time a lock is requested and do not
1589 release the lock until the process terminates.
1590
1591
1592 --lock-multiple
1593 Release the locks every time a lock is no longer needed. Use
1594 this to override a previous --lock-once from a config file.
1595
1596
1597 --lock-never
1598 Disable locking entirely. This option should be used only in
1599 very special environments, where it can be assured that only one
1600 process is accessing those files. A bootable floppy with a
1601 stand-alone encryption system will probably use this. Improper
1602 usage of this option may lead to data and key corruption.
1603
1604
1605 --exit-on-status-write-error
1606 This option will cause write errors on the status FD to immedi‐
1607 ately terminate the process. That should in fact be the default
1608 but it never worked this way and thus we need an option to
1609 enable this, so that the change won't break applications which
1610 close their end of a status fd connected pipe too early. Using
1611 this option along with --enable-progress-filter may be used to
1612 cleanly cancel long running gpg operations.
1613
1614
1615 --limit-card-insert-tries n
1616 With n greater than 0 the number of prompts asking to insert a
1617 smartcard gets limited to n-1. Thus with a value of 1 gpg won't
1618 at all ask to insert a card if none has been inserted at
1619 startup. This option is useful in the configuration file in case
1620 an application does not know about the smartcard support and
1621 waits ad infinitum for an inserted card.
1622
1623
1624 --no-random-seed-file
1625 GnuPG uses a file to store its internal random pool over invoca‐
1626 tions. This makes random generation faster; however sometimes
1627 write operations are not desired. This option can be used to
1628 achieve that with the cost of slower random generation.
1629
1630
1631 --no-greeting
1632 Suppress the initial copyright message.
1633
1634
1635 --no-secmem-warning
1636 Suppress the warning about "using insecure memory".
1637
1638
1639 --no-permission-warning
1640 Suppress the warning about unsafe file and home directory
1641 (--homedir) permissions. Note that the permission checks that
1642 GnuPG performs are not intended to be authoritative, but rather
1643 they simply warn about certain common permission problems. Do
1644 not assume that the lack of a warning means that your system is
1645 secure.
1646
1647 Note that the warning for unsafe --homedir permissions cannot be
1648 suppressed in the gpg.conf file, as this would allow an attacker
1649 to place an unsafe gpg.conf file in place, and use this file to
1650 suppress warnings about itself. The --homedir permissions warn‐
1651 ing may only be suppressed on the command line.
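As an added example of the kind of problem the warning points at (this is not GnuPG's own check), the function below inspects the classic mode bits of a GnuPG home directory, its gpg.conf and its keyring files and reports a directory that is accessible to group or others, or a file that they can write. It uses ls -ld so it runs on any POSIX system; ACLs and file ownership are not examined.

```sh
#!/bin/sh
# Added example (not GnuPG's own check): report the kind of permission
# problems the warning is about. Only the classic mode bits are inspected;
# ACLs and the ownership of the files are not.

# check_gnupg_perms HOMEDIR
# Prints one line per problem found; returns 1 if any, 0 when clean.
check_gnupg_perms() {
    _home=$1
    _rc=0
    [ -d "$_home" ] || { echo "$_home is not a directory"; return 1; }
    # "ls -ld" output starts with the 10-character mode string, e.g. drwx------
    _mode=$(ls -ld "$_home" | cut -c1-10)
    case "$_mode" in
        d???------) ;;                     # only the owner may read, write, search
        *) echo "unsafe permissions on home directory $_home ($_mode)"; _rc=1 ;;
    esac
    # the options file and keyrings must not be writable by group or others
    for _f in "$_home/gpg.conf" "$_home"/*.gpg; do
        [ -f "$_f" ] || continue
        _fm=$(ls -ld "$_f" | cut -c1-10)
        case "$_fm" in
            ?????w????|????????w?)         # group-write (6th) or other-write (9th)
                echo "unsafe permissions on $_f ($_fm)"; _rc=1 ;;
        esac
    done
    return "$_rc"
}

# Demo against the real home directory, if there is one
_gh=${GNUPGHOME:-$HOME/.gnupg}
if [ -d "$_gh" ]; then
    check_gnupg_perms "$_gh" || echo "fix the problems listed above (chmod 700 for the directory, 600 for the files)"
else
    echo "no GnuPG home directory found at $_gh; nothing to check"
fi
```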
1652
1653
1654 --no-mdc-warning
1655 Suppress the warning about missing MDC integrity protection.
1656
1657
1658 --require-secmem
1659
1660 --no-require-secmem
1661 Refuse to run if GnuPG cannot get secure memory. Defaults to no
1662 (i.e. run, but give a warning).
1663
1664
1665
1666 --require-cross-certification
1667
1668 --no-require-cross-certification
1669 When verifying a signature made from a subkey, ensure that the
1670 cross certification "back signature" on the subkey is present
1671 and valid. This protects against a subtle attack against sub‐
1672 keys that can sign. Defaults to --require-cross-certification
1673 for gpg2.
1674
1675
1676 --expert
1677
1678 --no-expert
1679 Allow the user to do certain nonsensical or "silly" things like
1680 signing an expired or revoked key, or certain potentially incom‐
1681 patible things like generating unusual key types. This also dis‐
1682 ables certain warning messages about potentially incompatible
1683 actions. As the name implies, this option is for experts only.
1684 If you don't fully understand the implications of what it allows
1685 you to do, leave this off. --no-expert disables this option.
1686
1687
1688
1689
1690
1691 Key related options
1692
1693
1694
1695
1696 --recipient name
1697
1698 -r Encrypt for user id name. If this option or --hidden-recipient
1699 is not specified, GnuPG asks for the user-id unless --default-
1700 recipient is given.
1701
1702
1703 --hidden-recipient name
1704
1705 -R Encrypt for user ID name, but hide the key ID of this user's
1706 key. This option helps to hide the receiver of the message and
1707 is a limited countermeasure against traffic analysis. If this
1708 option or --recipient is not specified, GnuPG asks for the user
1709 ID unless --default-recipient is given.
1710
1711
1712 --encrypt-to name
1713 Same as --recipient but this one is intended for use in the
1714 options file and may be used with your own user-id as an
1715 "encrypt-to-self". These keys are only used when there are other
1716 recipients given either by use of --recipient or by the asked
1717 user id. No trust checking is performed for these user ids and
1718 even disabled keys can be used.
1719
1720
1721 --hidden-encrypt-to name
1722 Same as --hidden-recipient but this one is intended for use in
1723 the options file and may be used with your own user-id as a hid‐
1724 den "encrypt-to-self". These keys are only used when there are
1725 other recipients given either by use of --recipient or by the
1726 asked user id. No trust checking is performed for these user
1727 ids and even disabled keys can be used.
1728
1729
1730 --no-encrypt-to
1731 Disable the use of all --encrypt-to and --hidden-encrypt-to
1732 keys.
1733
1734
1735 --group name=value1
1736 Sets up a named group, which is similar to aliases in email pro‐
1737 grams. Any time the group name is a recipient (-r or --recipi‐
1738 ent), it will be expanded to the values specified. Multiple
1739 groups with the same name are automatically merged into a single
1740 group.
1741
1742 The values are key IDs or fingerprints, but any key description
1743 is accepted. Note that a value with spaces in it will be treated
1744 as two different values. Note also there is only one level of
1745 expansion --- you cannot make a group that points to another
1746 group. When used from the command line, it may be necessary to
1747 quote the argument to this option to prevent the shell from
1748 treating it as multiple arguments.
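The expansion rules for --group (space-separated values, same-named groups merged, a single level of expansion) as an added shell example that is not GnuPG code. GROUP_DEFS is a hypothetical variable holding constructed definitions in the name=value1 value2 form used in gpg.conf.

```sh
#!/bin/sh
# Added example (not GnuPG code): expand recipient names through --group
# definitions following the rules above. GROUP_DEFS holds constructed
# definitions in the "name=value1 value2 ..." form used in gpg.conf.
GROUP_DEFS='team=0xAAAAAAAAAAAAAAAA 0xBBBBBBBBBBBBBBBB
team=alice@example.org
ops=team 0xCCCCCCCCCCCCCCCC
'

# group_values NAME -> prints the merged values of every group called NAME,
# one per line; a value containing spaces is, as in gpg, several values
group_values() {
    printf '%s' "$GROUP_DEFS" | awk -F= -v want="$1" '
        $1 == want {
            n = split($2, v, " ")
            for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
        }'
}

# expand_recipients NAME... -> one recipient per line after one level of expansion
expand_recipients() {
    for _r in "$@"; do
        _vals=$(group_values "$_r")
        if [ -n "$_vals" ]; then
            printf '%s\n' "$_vals"      # members are not expanded again
        else
            printf '%s\n' "$_r"
        fi
    done
}

# Demo: "team" expands to three keys; "ops" yields the literal name "team"
expand_recipients team bob@example.org
expand_recipients ops
```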
1749
1750
1751 --ungroup name
1752 Remove a given entry from the --group list.
1753
1754
1755 --no-groups
1756 Remove all entries from the --group list.
1757
1758
1759 --local-user name
1760
1761 -u Use name as the key to sign with. Note that this option over‐
1762 rides --default-key.
1763
1764
1765 --try-secret-key name
1766 For hidden recipients GPG needs to know the keys to use for
1767 trial decryption. The key set with --default-key is always
1768 tried first, but this is often not sufficient. This option
1769 allows setting more keys to be used for trial decryption.
1770 Although any valid user-id specification may be used for name it
1771 makes sense to use at least the long keyid to avoid ambiguities.
1772 Note that gpg-agent might pop up a pinentry for a lot of keys to do
1773 the trial decryption. If you want to stop all further trial
1774 decryption you may use close-window button instead of the cancel
1775 button.
1776
1777
1778 --try-all-secrets
1779 Don't look at the key ID as stored in the message but try all
1780 secret keys in turn to find the right decryption key. This
1781 option forces the behaviour as used by anonymous recipients
1782 (created by using --throw-keyids or --hidden-recipient) and
1783 might come handy in case where an encrypted message contains a
1784 bogus key ID.
1785
1786
1787 --skip-hidden-recipients
1788
1789 --no-skip-hidden-recipients
1790 During decryption skip all anonymous recipients. This option
1791 helps in the case that people use the hidden recipients feature
1792 to hide there own encrypt-to key from others. If oneself has
1793 many secret keys this may lead to a major annoyance because all
1794 keys are tried in turn to decrypt soemthing which was not really
1795 intended for it. The drawback of this option is that it is cur‐
1796 rently not possible to decrypt a message which includes real
1797 anonymous recipients.
1798


Input and Output

--armor
-a
Create ASCII armored output. The default is to create the binary OpenPGP format.

--no-armor
Assume the input data is not in ASCII armored format.

--output file
-o file
Write output to file.

--max-output n
This option sets a limit on the number of bytes that will be generated when processing a file. Since OpenPGP supports various levels of compression, it is possible that the plaintext of a given message may be significantly larger than the original OpenPGP message. While GnuPG works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit".

--import-options parameters
This is a space or comma delimited string that gives options for importing keys. Options can be prepended with a `no-' to give the opposite meaning. The options are:

import-local-sigs
Allow importing key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.

repair-pks-subkey-bug
During import, attempt to repair the damage caused by the PKS keyserver bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. Defaults to no for regular --import and to yes for keyserver --recv-keys.

merge-only
During import, allow key updates to existing keys, but do not allow any new keys to be imported. Defaults to no.

import-clean
After import, compact (remove all signatures except the self-signature) any user IDs from the new key that are not usable. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" after import. Defaults to no.

import-minimal
Import the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" after import. Defaults to no.

--export-options parameters
This is a space or comma delimited string that gives options for exporting keys. Options can be prepended with a `no-' to give the opposite meaning. The options are:

export-local-sigs
Allow exporting key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.

export-attributes
Include attribute user IDs (photo IDs) while exporting. This is useful to export keys if they are going to be used by an OpenPGP program that does not accept attribute user IDs. Defaults to yes.

export-sensitive-revkeys
Include designated revoker information that was marked as "sensitive". Defaults to no.

export-reset-subkey-passwd
When using the --export-secret-subkeys command, this option resets the passphrases for all exported subkeys to empty. This is useful when the exported subkey is to be used on an unattended machine where a passphrase doesn't necessarily make sense. Defaults to no.

export-clean
Compact (remove all signatures from) user IDs on the key being exported if the user IDs are not usable. Also, do not export any signatures that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" before export except that the local copy of the key is not modified. Defaults to no.

export-minimal
Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.

--with-colons
Print key listings delimited by colons. Note that the output will be encoded in UTF-8 regardless of any --display-charset setting. This format is useful when GnuPG is called from scripts and other programs as it is easily machine parsed. The details of this format are documented in the file ‘doc/DETAILS’, which is included in the GnuPG source distribution.

--fixed-list-mode
Do not merge primary user ID and primary key in --with-colons listing mode and print all timestamps as seconds since 1970-01-01. Since GnuPG 2.0.10, this mode is always used and thus this option is obsolete; it does not harm to use it though.

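The colon-delimited listing that --with-colons and --fixed-list-mode produce is what a script should parse instead of the human-readable output. The Python below is an added example, not GnuPG code: it parses a constructed listing (made-up key IDs and fingerprints), undoes the backslash-xNN field escaping, attaches each fpr record to the key that precedes it, and uses the epoch timestamps to find expired keys and usable encryption subkeys. The field positions follow doc/DETAILS as the editor recalls them and are an assumption to check against the file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `gpg2 --with-colons --fixed-list-mode --list-keys`
# output: fake key IDs and fingerprints, timestamps as seconds since 1970.
SAMPLE_LISTING = r"""
tru::1:1700000000:0:3:1:5
pub:u:4096:1:ABCDEF0123456789:1600000000:1800000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C::Alice Example (test\x3a key) <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1650000000:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""


@dataclass
class Key:
    """One pub/sec (primary) or sub/ssb (subkey) record plus attached data."""
    record: str
    validity: str
    length: int
    algo: int
    keyid: str
    created: int
    expires: Optional[int]        # None when the key never expires
    capabilities: str             # field 12, e.g. "scESC" or "e"
    fingerprint: str = ""         # filled in from the following fpr record
    uids: List[str] = field(default_factory=list)
    subkeys: List["Key"] = field(default_factory=list)


def unescape_field(text: str) -> str:
    """Undo the backslash-xNN escaping gpg applies to colons and odd bytes.

    Escapes are expanded on the UTF-8 byte string so that a multi-byte
    character split across several escapes decodes correctly.
    """
    raw = re.sub(rb"\\x([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 text.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def _int_or_none(text: str) -> Optional[int]:
    return int(text) if text else None


def parse_colon_listing(text: str) -> List[Key]:
    """Parse --with-colons key listing output into Key objects."""
    keys: List[Key] = []
    last: Optional[Key] = None     # key that the next fpr record belongs to
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        f = line.split(":")
        rtype = f[0]
        if rtype in ("pub", "sec", "sub", "ssb"):
            key = Key(record=rtype, validity=f[1], length=int(f[2] or 0),
                      algo=int(f[3] or 0), keyid=f[4],
                      created=int(f[5] or 0), expires=_int_or_none(f[6]),
                      capabilities=f[11] if len(f) > 11 else "")
            if rtype in ("pub", "sec"):
                keys.append(key)
            elif keys:
                keys[-1].subkeys.append(key)
            else:
                raise ValueError(f"line {lineno}: subkey before any primary key")
            last = key
        elif rtype == "fpr":
            if last is None:
                raise ValueError(f"line {lineno}: fpr record without a key")
            last.fingerprint = f[9]
        elif rtype == "uid":
            if not keys:
                raise ValueError(f"line {lineno}: uid record without a key")
            keys[-1].uids.append(unescape_field(f[9]))
        # tru, grp, uat and other record types are not needed here
    return keys


def expired_keys(keys: List[Key], now: int) -> List[str]:
    """Key IDs of primary keys and subkeys whose expiration lies before now."""
    out = []
    for key in keys:
        for k in [key] + key.subkeys:
            if k.expires is not None and k.expires < now:
                out.append(k.keyid)
    return out


def encryption_subkeys(keys: List[Key], now: int) -> List[str]:
    """Fingerprints of unexpired subkeys that carry the encrypt capability."""
    return [s.fingerprint for key in keys for s in key.subkeys
            if "e" in s.capabilities and (s.expires is None or s.expires >= now)]
```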
--with-fingerprint
Same as the command --fingerprint but changes only the format of the output and may be used together with another command.

--with-keygrip
Include the keygrip in the key listings.


OpenPGP protocol specific options.

-t, --textmode
--no-textmode
Treat input files as text and store them in the OpenPGP canonical text form with standard "CRLF" line endings. This also sets the necessary flags to inform the recipient that the encrypted or signed data is text and may need its line endings converted back to whatever the local system uses. This option is useful when communicating between two platforms that have different line ending conventions (UNIX-like to Mac, Mac to Windows, etc). --no-textmode disables this option, and is the default.

--force-v3-sigs
--no-force-v3-sigs
OpenPGP states that an implementation should generate v4 signatures but PGP versions 5 through 7 only recognize v4 signatures on key material. This option forces v3 signatures for signatures on data. Note that this option implies --no-ask-sig-expire, and unsets --sig-policy-url, --sig-notation, and --sig-keyserver-url, as these features cannot be used with v3 signatures. --no-force-v3-sigs disables this option. Defaults to no.

--force-v4-certs
--no-force-v4-certs
Always use v4 key signatures even on v3 keys. This option also changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. --no-force-v4-certs disables this option.

--force-mdc
Force the use of encryption with a modification detection code. This is always used with the newer ciphers (those with a blocksize greater than 64 bits), or if all of the recipient keys indicate MDC support in their feature flags.

--disable-mdc
Disable the use of the modification detection code. Note that by using this option, the encrypted message becomes vulnerable to a message modification attack.

--personal-cipher-preferences string
Set the list of personal cipher preferences to string. Use gpg2 --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked cipher in this list is also used for the --symmetric encryption command.

--personal-digest-preferences string
Set the list of personal digest preferences to string. Use gpg2 --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked digest algorithm in this list is also used when signing without encryption (e.g. --clearsign or --sign).

--personal-compress-preferences string
Set the list of personal compression preferences to string. Use gpg2 --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked compression algorithm in this list is also used when there are no recipient keys to consider (e.g. --symmetric).

--s2k-cipher-algo name
Use name as the cipher algorithm used to protect secret keys. The default cipher is CAST5. This cipher is also used for conventional encryption if --personal-cipher-preferences and --cipher-algo are not given.

--s2k-digest-algo name
Use name as the digest algorithm used to mangle the passphrases. The default algorithm is SHA-1.

--s2k-mode n
Selects how passphrases are mangled. If n is 0 a plain passphrase (which is not recommended) will be used, a 1 adds a salt to the passphrase and a 3 (the default) iterates the whole process a number of times (see --s2k-count). Unless --rfc1991 is used, this mode is also used for conventional encryption.

--s2k-count n
Specify how many times the passphrase mangling is repeated. This value may range between 1024 and 65011712 inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024-65011712 range are legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only meaningful if --s2k-mode is 3.

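The rounding described for --s2k-count comes from the one-octet coded count of the OpenPGP iterated-and-salted S2K (RFC 4880, section 3.7.1.3): only 256 values between 1024 and 65011712 can be stored in the packet. The Python below is an added example, not GnuPG code; it decodes a coded count, finds the smallest storable value not below a requested count, and lists every legal value. That GnuPG's own rounding lands on exactly this value is an assumption drawn from the option text.

```python
from typing import List

S2K_MIN_COUNT = 1024        # coded 0x00 -> (16 + 0) << (0 + 6)
S2K_MAX_COUNT = 65011712    # coded 0xFF -> (16 + 15) << (15 + 6)


def decode_s2k_count(coded: int) -> int:
    """Decode a one-octet S2K coded count (RFC 4880 3.7.1.3).

    The low four bits are a mantissa added to 16, the high four bits an
    exponent added to 6, so the number of bytes hashed is
    (16 + mantissa) << (exponent + 6).
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 0x0F)) << ((coded >> 4) + 6)


def encode_s2k_count(count: int) -> int:
    """Return the smallest coded octet whose decoded count is >= count.

    This is the "round up to the nearest legal value" behaviour described
    for --s2k-count; a count that is already legal returns its own encoding.
    Decoded counts grow strictly with the coded octet, so a linear scan over
    the 256 possible octets finds the first one that is large enough.
    """
    if not S2K_MIN_COUNT <= count <= S2K_MAX_COUNT:
        raise ValueError(
            f"count must be between {S2K_MIN_COUNT} and {S2K_MAX_COUNT}")
    for coded in range(0x100):
        if decode_s2k_count(coded) >= count:
            return coded
    raise AssertionError("unreachable: S2K_MAX_COUNT is encodable")


def legal_s2k_count(count: int) -> int:
    """The iteration count actually used for a requested --s2k-count value."""
    return decode_s2k_count(encode_s2k_count(count))


def is_legal_s2k_count(count: int) -> bool:
    """True if count can be stored in an S2K packet without rounding."""
    return (S2K_MIN_COUNT <= count <= S2K_MAX_COUNT
            and legal_s2k_count(count) == count)


def all_legal_s2k_counts() -> List[int]:
    """All 256 iteration counts that an OpenPGP S2K packet can hold."""
    return [decode_s2k_count(c) for c in range(0x100)]


if __name__ == "__main__":
    for requested in (1024, 1025, 65536, 100000, 65011712):
        print(f"--s2k-count {requested:>8} -> uses {legal_s2k_count(requested):>8} "
              f"(coded 0x{encode_s2k_count(requested):02X})")
```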


Compliance options

These options control what GnuPG is compliant to. Only one of these options may be active at a time. Note that the default setting of this is nearly always the correct one. See the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below before using one of these options.

--gnupg
Use standard GnuPG behavior. This is essentially OpenPGP behavior (see --openpgp), but with some additional workarounds for common compatibility problems in different versions of PGP. This is the default option, so it is not generally needed, but it may be useful to override a different compliance option in the gpg.conf file.

--openpgp
Reset all packet, cipher and digest options to strict OpenPGP behavior. Use this option to reset all previous options like --s2k-*, --cipher-algo, --digest-algo and --compress-algo to OpenPGP compliant values. All PGP workarounds are disabled.

--rfc4880
Reset all packet, cipher and digest options to strict RFC-4880 behavior. Note that this is currently the same thing as --openpgp.

--rfc2440
Reset all packet, cipher and digest options to strict RFC-2440 behavior.

--rfc1991
Try to be more RFC-1991 (PGP 2.x) compliant.

--pgp2
Set up all options to be as PGP 2.x compliant as possible, and warn if an action is taken (e.g. encrypting to a non-RSA key) that will create a message that PGP 2.x will not be able to handle. Note that `PGP 2.x' here means `MIT PGP 2.6.2'. There are other versions of PGP 2.x available, but the MIT release is a good common baseline.

This option implies --rfc1991 --disable-mdc --no-force-v4-certs --escape-from-lines --force-v3-sigs --cipher-algo IDEA --digest-algo MD5 --compress-algo ZIP. It also disables --textmode when encrypting.

--pgp6
Set up all options to be as PGP 6 compliant as possible. This restricts you to the ciphers IDEA (if the IDEA plugin is installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the compression algorithms none and ZIP. This also disables --throw-keyids, and making signatures with signing subkeys as PGP 6 does not understand signatures made by signing subkeys.

This option implies --disable-mdc --escape-from-lines --force-v3-sigs.

--pgp7
Set up all options to be as PGP 7 compliant as possible. This is identical to --pgp6 except that MDCs are not disabled, and the list of allowable ciphers is expanded to add AES128, AES192, AES256, and TWOFISH.

--pgp8
Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot closer to the OpenPGP standard than previous versions of PGP, so all this does is disable --throw-keyids and set --escape-from-lines. All algorithms are allowed except for the SHA224, SHA384, and SHA512 digests.


Doing things one usually doesn't want to do.

-n
--dry-run
Don't make any changes (this is not completely implemented).

--list-only
Changes the behaviour of some commands. This is like --dry-run but different in some cases. The semantic of this command may be extended in the future. Currently it only skips the actual decryption pass and therefore enables a fast listing of the encryption keys.

-i
--interactive
Prompt before overwriting any files.

--debug-level level
Select the debug level for investigating problems. level may be a numeric value or a keyword:

none
No debugging at all. A value of less than 1 may be used instead of the keyword.

basic
Some basic debug messages. A value between 1 and 2 may be used instead of the keyword.

advanced
More verbose debug messages. A value between 3 and 5 may be used instead of the keyword.

expert
Even more detailed messages. A value between 6 and 8 may be used instead of the keyword.

guru
All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hash tracing files is only enabled if the keyword is used.

How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging.

--debug flags
Set debugging flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042).

--debug-all
Set all useful debugging flags.

--faked-system-time epoch
This option is only useful for testing; it sets the system time back or forth to epoch which is the number of seconds elapsed since the year 1970. Alternatively epoch may be given as a full ISO time string (e.g. "20070924T154812").

--enable-progress-filter
Enable certain PROGRESS status outputs. This option allows frontends to display a progress indicator while gpg is processing larger files. There is a slight performance overhead using it.

--status-fd n
Write special status strings to the file descriptor n. See the file DETAILS in the documentation for a listing of them.

--status-file file
Same as --status-fd, except the status data is written to file file.

--logger-fd n
Write log output to file descriptor n and not to STDERR.

--log-file file
--logger-file file
Same as --logger-fd, except the logger data is written to file file. Note that --log-file is only implemented for GnuPG-2.

--attribute-fd n
Write attribute subpackets to the file descriptor n. This is most useful for use with --status-fd, since the status messages are needed to separate out the various subpackets from the stream delivered to the file descriptor.

--attribute-file file
Same as --attribute-fd, except the attribute data is written to file file.

--comment string
--no-comments
Use string as a comment string in clear text signatures and ASCII armored messages or keys (see --armor). The default behavior is not to use a comment string. --comment may be repeated multiple times to get multiple comment strings. --no-comments removes all comments. It is a good idea to keep the length of a single comment below 60 characters to avoid problems with mail programs wrapping such lines. Note that comment lines, like all other header lines, are not protected by the signature.

--emit-version
--no-emit-version
Force inclusion of the version string in ASCII armored output. --no-emit-version disables this option.

--sig-notation name=value
--cert-notation name=value
-N, --set-notation name=value
Put the name value pair into the signature as notation data. name must consist only of printable characters or spaces, and must contain a '@' character in the form keyname@domain.example.com (substituting the appropriate keyname and domain name, of course). This is to help prevent pollution of the IETF reserved notation namespace. The --expert flag overrides the '@' check. value may be any printable string; it will be encoded in UTF8, so you should check that your --display-charset is set correctly. If you prefix name with an exclamation mark (!), the notation data will be flagged as critical (rfc4880:5.2.3.16). --sig-notation sets a notation for data signatures. --cert-notation sets a notation for key signatures (certifications). --set-notation sets both.

There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.

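The checks and the %-expandos described for notation names (and, per the following options, for policy and keyserver URLs) are shown below in Python as an added example, not GnuPG code. It parses a name=value argument with the '!' critical prefix and the '@' rule, derives the short and long key IDs from constructed v4 fingerprints (for v4 keys the key ID is the low 64 or 32 bits of the fingerprint, RFC 4880 section 12.2), and expands the codes; leaving an unavailable code such as %c untouched is this example's own choice.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Notation:
    name: str
    value: str
    critical: bool      # set by a leading "!" (rfc4880:5.2.3.16 critical bit)


def parse_notation(arg: str, expert: bool = False) -> Notation:
    """Parse a --sig-notation / --cert-notation argument of the form name=value.

    Applies the checks the option text describes: printable name that
    contains '@' (skipped with --expert), printable value, '!' prefix marks
    the notation critical.
    """
    if "=" not in arg:
        raise ValueError("notation must be given as name=value")
    name, value = arg.split("=", 1)
    critical = name.startswith("!")
    if critical:
        name = name[1:]
    if not name or not all(c.isprintable() for c in name):
        raise ValueError("notation name must consist of printable characters or spaces")
    if not expert and "@" not in name:
        raise ValueError("notation name must look like keyname@domain.example.com")
    if not value.isprintable():
        raise ValueError("notation value must be printable")
    return Notation(name=name, value=value, critical=critical)


def expando_context(signed_fpr: str, signer_fpr: str, primary_fpr: str,
                    card_sig_count: str = "") -> Dict[str, str]:
    """Values for the %-expandos, derived from v4 fingerprints.

    %f/%g/%p are the fingerprints themselves; the long key ID (%K, %S) is
    the last 16 hex digits and the short key ID (%k, %s) the last 8.
    %c is only available when an OpenPGP smartcard supplies its counter.
    """
    ctx = {
        "f": signed_fpr, "K": signed_fpr[-16:], "k": signed_fpr[-8:],
        "g": signer_fpr, "S": signer_fpr[-16:], "s": signer_fpr[-8:],
        "p": primary_fpr,
    }
    if card_sig_count:
        ctx["c"] = card_sig_count
    return ctx


def expand_expandos(template: str, ctx: Dict[str, str]) -> str:
    """Expand %k %K %f %s %S %g %p %c and %% as the option text lists them.

    A code with no value in ctx (e.g. %c without a smartcard) is left as
    written; that fallback is this example's choice, not a documented rule.
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            code = template[i + 1]
            if code == "%":
                out.append("%")
                i += 2
                continue
            if code in ctx:
                out.append(ctx[code])
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)
```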
--sig-policy-url string
--cert-policy-url string
--set-policy-url string
Use string as a Policy URL for signatures (rfc4880:5.2.3.20). If you prefix it with an exclamation mark (!), the policy URL packet will be flagged as critical. --sig-policy-url sets a policy url for data signatures. --cert-policy-url sets a policy url for key signatures (certifications). --set-policy-url sets both.

The same %-expandos used for notation data are available here as well.

--sig-keyserver-url string
Use string as a preferred keyserver URL for data signatures. If you prefix it with an exclamation mark (!), the keyserver URL packet will be flagged as critical.

The same %-expandos used for notation data are available here as well.

--set-filename string
Use string as the filename which is stored inside messages. This overrides the default, which is to use the actual filename of the file being encrypted.

--for-your-eyes-only
--no-for-your-eyes-only
Set the `for your eyes only' flag in the message. This causes GnuPG to refuse to save the file unless the --output option is given, and PGP to use a "secure viewer" with a claimed Tempest-resistant font to display the message. This option overrides --set-filename. --no-for-your-eyes-only disables this option.

--use-embedded-filename
--no-use-embedded-filename
Try to create a file with a name as embedded in the data. This can be a dangerous option as it allows overwriting files. Defaults to no.

--cipher-algo name
Use name as cipher algorithm. Running the program with the command --version yields a list of supported algorithms. If this is not used the cipher algorithm is selected from the preferences stored with the key. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-cipher-preferences is the safe way to accomplish the same thing.

--digest-algo name
Use name as the message digest algorithm. Running the program with the command --version yields a list of supported algorithms. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-digest-preferences is the safe way to accomplish the same thing.

--compress-algo name
Use compression algorithm name. "zlib" is RFC-1950 ZLIB compression. "zip" is RFC-1951 ZIP compression which is used by PGP. "bzip2" is a more modern compression scheme that can compress some things better than zip or zlib, but at the cost of more memory used during compression and decompression. "uncompressed" or "none" disables compression. If this option is not used, the default behavior is to examine the recipient key preferences to see which algorithms the recipient supports. If all else fails, ZIP is used for maximum compatibility.

ZLIB may give better compression results than ZIP, as the compression window size is not limited to 8k. BZIP2 may give even better compression results than that, but will use a significantly larger amount of memory while compressing and decompressing. This may be significant in low memory situations. Note, however, that PGP (all versions) only supports ZIP compression. Using any algorithm other than ZIP or "none" will make the message unreadable with PGP. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-compress-preferences is the safe way to accomplish the same thing.

--cert-digest-algo name
Use name as the message digest algorithm used when signing a key. Running the program with the command --version yields a list of supported algorithms. Be aware that if you choose an algorithm that GnuPG supports but other OpenPGP implementations do not, then some users will not be able to use the key signatures you make, or quite possibly your entire key.

--disable-cipher-algo name
Never allow the use of name as cipher algorithm. The given name will not be checked so that a later loaded algorithm will still get disabled.

--disable-pubkey-algo name
Never allow the use of name as public key algorithm. The given name will not be checked so that a later loaded algorithm will still get disabled.

--throw-keyids
--no-throw-keyids
Do not put the recipient key IDs into encrypted messages. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. (Using a little social engineering, anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.) On the receiving side, it may slow down the decryption process because all available secret keys must be tried. --no-throw-keyids disables this option. This option is essentially the same as using --hidden-recipient for all recipients.

--not-dash-escaped
This option changes the behavior of cleartext signatures so that they can be used for patch files. You should not send such an armored file via email because all spaces and line endings are hashed too. You cannot use this option for data which has 5 dashes at the beginning of a line; patch files don't have this. A special armor header line tells GnuPG about this cleartext signature option.

--escape-from-lines
--no-escape-from-lines
Because some mailers change lines starting with "From " to ">From " it is good to handle such lines in a special way when creating cleartext signatures to prevent the mail system from breaking the signature. Note that all other PGP versions do it this way too. Enabled by default. --no-escape-from-lines disables this option.

--passphrase-repeat n
Specify how many times gpg2 will request a new passphrase be repeated. This is useful for helping memorize a passphrase. Defaults to 1 repetition.

--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.

--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.

--passphrase string
Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.

--pinentry-mode mode
Set the pinentry mode to mode. Allowed values for mode are:

default
Use the default of the agent, which is ask.

ask
Force the use of the Pinentry.

cancel
Emulate use of Pinentry's cancel button.

error
Return a Pinentry error (``No Pinentry'').

loopback
Redirect Pinentry queries to the caller. Note that in contrast to Pinentry the user is not prompted again if he enters a bad password.

--command-fd n
This is a replacement for the deprecated shared-memory IPC mode. If this option is enabled, user input on questions is not expected from the TTY but from the given file descriptor. It should be used together with --status-fd. See the file doc/DETAILS in the source distribution for details on how to use it.

--command-file file
Same as --command-fd, except the commands are read out of file file.

--allow-non-selfsigned-uid
--no-allow-non-selfsigned-uid
Allow the import and use of keys with user IDs which are not self-signed. This is not recommended, as a non self-signed user ID is trivial to forge. --no-allow-non-selfsigned-uid disables this option.

--allow-freeform-uid
Disable all checks on the form of the user ID while generating a new one. This option should only be used in very special environments as it does not ensure the de-facto standard format of user IDs.

--ignore-time-conflict
GnuPG normally checks that the timestamps associated with keys and signatures have plausible values. However, sometimes a signature seems to be older than the key due to clock problems. This option makes these checks just a warning. See also --ignore-valid-from for timestamp issues on subkeys.

--ignore-valid-from
GnuPG normally does not select and use subkeys created in the future. This option allows the use of such keys and thus exhibits the pre-1.0.7 behaviour. You should not use this option unless there is some clock problem. See also --ignore-time-conflict for timestamp issues with signatures.

--ignore-crc-error
The ASCII armor used by OpenPGP is protected by a CRC checksum against transmission errors. Occasionally the CRC gets mangled somewhere on the transmission channel but the actual content (which is protected by the OpenPGP protocol anyway) is still okay. This option allows GnuPG to ignore CRC errors.

--ignore-mdc-error
This option changes an MDC integrity protection failure into a warning. This can be useful if a message is partially corrupt, but it is necessary to get as much data as possible out of the corrupt message. However, be aware that an MDC protection failure may also mean that the message was tampered with intentionally by an attacker.

--no-default-keyring
Do not add the default keyrings to the list of keyrings. Note that GnuPG will not operate without any keyrings, so if you use this option and do not provide alternate keyrings via --keyring or --secret-keyring, then GnuPG will still use the default public or secret keyrings.

--skip-verify
Skip the signature verification step. This may be used to make the decryption faster if the signature verification is not needed.

--with-key-data
Print key listings delimited by colons (like --with-colons) and print the public key data.

--fast-list-mode
Changes the output of the list commands to work faster; this is achieved by leaving some parts empty. Some applications don't need the user ID and the trust information given in the listings. By using this option they can get a faster listing. The exact behaviour of this option may change in future versions. If you are missing some information, don't use this option.

--no-literal
This is not for normal use. Consult the source to see what it might be useful for.

--set-filesize
This is not for normal use. Consult the source to see what it might be useful for.

--show-session-key
Display the session key used for one message. See --override-session-key for the counterpart of this option.

We think that Key Escrow is a Bad Thing; however the user should have the freedom to decide whether to go to prison or to reveal the content of one specific message without compromising all messages ever encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.

2626 --override-session-key string
2627 Don't use the public key but the session key string. The format
2628 of this string is the same as the one printed by --show-session-
2629 key. This option is normally not used but comes in handy in case
2630 someone forces you to reveal the content of an encrypted mes‐
2631 sage; using this option you can do this without handing out the
2632 secret key.
2633
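The workflow the two options above describe, as an added example (it is not part of the man page or of GnuPG itself): the key holder runs --show-session-key once and hands over only the resulting "algo:hexkey" string, the other party decrypts with --override-session-key and never sees the secret key. The binary is called gpg as in the page's own examples (substitute gpg2 where that is the installed name); the filename msg.gpg, the helper names and the status-fd text in SAMPLE_STATUS are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the gpg2 man page: disclose the content of ONE
# message without giving up the secret key. With --status-fd the key is
# emitted machine-readably as
#   [GNUPG:] SESSION_KEY <algo>:<hexkey>
# which is exactly the string --override-session-key expects.

# session_key_from_status: read status-fd lines on stdin, print the
# "algo:hexkey" value of the first SESSION_KEY line (nothing if absent).
session_key_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "SESSION_KEY" { print $3; exit }'
}

# valid_session_key STRING: a decimal OpenPGP cipher algorithm number,
# a colon, then an even number of hex digits. 0 if well-formed.
valid_session_key() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:([0-9A-Fa-f]{2})+$'
}

# Key holder's side (needs the secret key): decrypt once, keep only the
# session key, discard the plaintext.
export_session_key() {
    # $1 = encrypted message file; prints "algo:hexkey"
    gpg --batch --no-tty --status-fd 1 --show-session-key \
        --output /dev/null --decrypt "$1" 2>/dev/null | session_key_from_status
}

# Third party's side (no secret key needed): gpg skips the public-key
# step and uses the disclosed session key directly.
decrypt_with_session_key() {
    # $1 = encrypted message file, $2 = "algo:hexkey" from the key holder
    valid_session_key "$2" || { echo "malformed session key: $2" >&2; return 1; }
    gpg --batch --no-tty --override-session-key "$2" --decrypt "$1"
}

# Constructed status-fd output (not captured from a real run) so the
# parsing can be exercised without any key. Algorithm 9 is AES-256,
# hence a 64-hex-digit key.
SAMPLE_STATUS='[GNUPG:] ENC_TO 76543210FEDCBA98 1 0
[GNUPG:] SESSION_KEY 9:00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1531440000 message.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# Typical use:
#   key holder:   export_session_key msg.gpg > key.txt
#   third party:  decrypt_with_session_key msg.gpg "$(cat key.txt)"
```

The string released this way unlocks that one message only; every other message encrypted to the same key stays protected, which is the whole point of preferring this over surrendering the secret key.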
2634
2635 --ask-sig-expire
2636
2637 --no-ask-sig-expire
2638 When making a data signature, prompt for an expiration time. If
2639 this option is not specified, the expiration time set via
2640 --default-sig-expire is used. --no-ask-sig-expire disables this
2641 option.
2642
2643
2644 --default-sig-expire
2645 The default expiration time to use for signature expiration.
2646 Valid values are "0" for no expiration, a number followed by the
2647 letter d (for days), w (for weeks), m (for months), or y (for
2648 years) (for example "2m" for two months, or "5y" for five
2649 years), or an absolute date in the form YYYY-MM-DD. Defaults to
2650 "0".
2651
2652
2653 --ask-cert-expire
2654
2655 --no-ask-cert-expire
2656 When making a key signature, prompt for an expiration time. If
2657 this option is not specified, the expiration time set via
2658 --default-cert-expire is used. --no-ask-cert-expire disables
2659 this option.
2660
2661
2662 --default-cert-expire
2663 The default expiration time to use for key signature expiration.
2664 Valid values are "0" for no expiration, a number followed by the
2665 letter d (for days), w (for weeks), m (for months), or y (for
2666 years) (for example "2m" for two months, or "5y" for five
2667 years), or an absolute date in the form YYYY-MM-DD. Defaults to
2668 "0".
2669
2670
2671 --allow-secret-key-import
2672 This is an obsolete option and is not used anywhere.
2673
2674
2675 --allow-multiple-messages
2676
2677 --no-allow-multiple-messages
2678 Allow processing of multiple OpenPGP messages contained in a
2679 single file or stream. Some programs that call GPG are not pre‐
2680 pared to deal with multiple messages being processed together,
2681 so this option defaults to no. Note that versions of GPG prior
2682 to 1.4.7 always allowed multiple messages.
2683
2684 Warning: Do not use this option unless you need it as a tempo‐
2685 rary workaround!
2686
2687
2688
2689 --enable-special-filenames
2690 This option enables a mode in which filenames of the form
2691 ‘-&n’, where n is a non-negative decimal number, refer to the
2692 file descriptor n and not to a file with that name.
2693
2694
2695 --no-expensive-trust-checks
2696 Experimental use only.
2697
2698
2699 --preserve-permissions
2700 Don't change the permissions of a secret keyring back to user
2701 read/write only. Use this option only if you really know what
2702 you are doing.
2703
2704
2705 --default-preference-list string
2706 Set the list of default preferences to string. This preference
2707 list is used for new keys and becomes the default for "setpref"
2708 in the edit menu.
2709
2710
2711 --default-keyserver-url name
2712 Set the default keyserver URL to name. This keyserver will be
2713 used as the keyserver URL when writing a new self-signature on a
2714 key, which includes key generation and changing preferences.
2715
2716
2717 --list-config
2718 Display various internal configuration parameters of GnuPG. This
2719 option is intended for external programs that call GnuPG to per‐
2720 form tasks, and is thus not generally useful. See the file
2721 ‘doc/DETAILS’ in the source distribution for the details of
2722 which configuration items may be listed. --list-config is only
2723 usable with --with-colons set.
2724
2725
2726 --gpgconf-list
2727 This command is similar to --list-config but in general only
2728 internally used by the gpgconf tool.
2729
2730
2731 --gpgconf-test
2732 This is more or less a dummy action. However, it parses the
2733 configuration file and returns with failure if the configuration
2734 file would prevent gpg from starting. Thus it may be used to run
2735 a syntax check on the configuration file.
2736
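Putting the expiry, preference and listing options above into a gpg.conf, and checking that file the way --gpgconf-test allows, as an added example (not the man page's or GnuPG's own code): every option name in the written file is a gpg2 2.0 long option, entered without the leading dashes as gpg.conf requires; the lint's list of "weak" options and the helper names are this example's own choices, and the paths are made up.

```shell
#!/bin/sh
# Added example, not from the gpg2 man page: a hardened gpg.conf, a lint
# that rejects options which silently switch off integrity or trust
# checks, and gpg's own --gpgconf-test syntax check.

# write_gpg_conf PATH: write the configuration to PATH.
write_gpg_conf() {
    cat > "$1" <<'EOF'
# Key IDs are ambiguous: always show the long form and the fingerprint.
keyid-format 0xlong
with-fingerprint
# Data signatures and key certifications expire unless told otherwise
# (these are --default-sig-expire / --default-cert-expire; "0" = never).
default-sig-expire 1y
default-cert-expire 2y
# Preferences written into newly generated keys and used by "setpref":
# strong hashes and ciphers first, no MD5 or IDEA.
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA256
# Do not advertise the software version in armored output.
no-emit-version
EOF
}

# lint_gpg_conf PATH: return 1 (listing the lines on stderr) if PATH
# enables an option that disables MDC checking, skips verification or
# makes every key trusted. These get copied into configs as "temporary"
# workarounds and then forgotten.
lint_gpg_conf() {
    weak='ignore-mdc-error|disable-mdc|no-mdc-warning|skip-verify|always-trust|trust-model[[:space:]]+always'
    hits=$(grep -nE "^[[:space:]]*($weak)([[:space:]]|\$)" "$1" || true)
    if [ -n "$hits" ]; then
        printf 'weak option(s) in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# check_gpg_conf PATH: let gpg parse the file itself; --gpgconf-test
# exits non-zero if this configuration would prevent gpg from starting.
check_gpg_conf() {
    gpg --batch --no-tty --options "$1" --gpgconf-test
}

# Typical use:
#   f="$HOME/.gnupg/gpg.conf"
#   write_gpg_conf "$f" && lint_gpg_conf "$f" && check_gpg_conf "$f"
```

Run the lint before --gpgconf-test: the latter only tells you whether gpg will start, not whether the file quietly turned off the checks you rely on.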
2737
2738
2739
2740 Deprecated options
2741
2742
2743
2744
2745
2746 --show-photos
2747
2748 --no-show-photos
2749 Causes --list-keys, --list-sigs, --list-public-keys, --list-
2750 secret-keys, and verifying a signature to also display the photo
2751 ID attached to the key, if any. See also --photo-viewer. These
2752 options are deprecated. Use --list-options [no-]show-photos
2753 and/or --verify-options [no-]show-photos instead.
2754
2755
2756 --show-keyring
2757 Display the keyring name at the head of key listings to show
2758 which keyring a given key resides on. This option is deprecated:
2759 use --list-options [no-]show-keyring instead.
2760
2761
2762
2763 --always-trust
2764 Identical to --trust-model always, which skips key validity checks
2765 entirely. This option is deprecated.
2766
2767 --show-notation
2768
2769 --no-show-notation
2770 Show signature notations in the --list-sigs or --check-sigs
2771 listings as well as when verifying a signature with a notation
2772 in it. These options are deprecated. Use --list-options
2773 [no-]show-notation and/or --verify-options [no-]show-notation
2774 instead.
2775
2776
2777 --show-policy-url
2778
2779 --no-show-policy-url
2780 Show policy URLs in the --list-sigs or --check-sigs listings as
2781 well as when verifying a signature with a policy URL in it.
2782 These options are deprecated. Use --list-options [no-]show-pol‐
2783 icy-url and/or --verify-options [no-]show-policy-url instead.
2784
2785
2786
2787
2788
2789
2790 EXAMPLES
2791 gpg -se -r Bob file
2792 sign and encrypt for user Bob
2793
2794
2795 gpg --clearsign file
2796 make a clear text signature
2797
2798
2799 gpg -sb file
2800 make a detached signature
2801
2802
2803 gpg -u 0x12345678 -sb file
2804 make a detached signature with the key 0x12345678
2805
2806
2807 gpg --list-keys user_ID
2808 show keys
2809
2810
2811 gpg --fingerprint user_ID
2812 show fingerprint
2813
2814
2815 gpg --verify pgpfile
2816
2817 gpg --verify sigfile [datafile]
2818 Verify the signature of the file but do not output the data. The
2819 second form is used for detached signatures, where sigfile is
2820 the detached signature (either ASCII armored or binary) and
2821 datafile is the signed data; if it is not given, the name of the
2822 file holding the signed data is constructed by cutting off the
2823 extension (".asc" or ".sig") of sigfile or by asking the user for
2824 the filename. Scripts should always pass both names explicitly.
2825
2826
2827
2828
2829 HOW TO SPECIFY A USER ID
2830 There are different ways to specify a user ID to GnuPG. Some of them
2831 are only valid for gpg, others are only good for gpgsm. Here is the
2832 entire list of ways to specify a key:
2833
2834
2835
2836 By key Id.
2837 This format is deduced from the length of the string and its
2838 content or 0x prefix. The key Id of an X.509 certificate is the
2839 low 64 bits of its SHA-1 fingerprint. Key Ids are a shortcut and
2840 are not unique (a short 32-bit Id is trivially collidable), so
2841 all automated processing should use the fingerprint instead.
2842
2843 When using gpg an exclamation mark (!) may be appended to force
2844 using the specified primary or secondary key and not to try and
2845 calculate which primary or secondary key to use.
2846
2847 The last four lines of the example give the key ID in their long
2848 form as internally used by the OpenPGP protocol. You can see the
2849 long key ID using the option --with-colons.
2850
2851 234567C4
2852 0F34E556E
2853 01347A56A
2854 0xAB123456
2855
2856 234AABBCC34567C4
2857 0F323456784E56EAB
2858 01AB3FED1347A5612
2859 0x234AABBCC34567C4
2860
2861
2862
2863
2864 By fingerprint.
2865 This format is deduced from the length of the string and its
2866 content or the 0x prefix. Note that only the 20 byte version
2867 fingerprint is available with gpgsm (i.e. the SHA-1 hash of the
2868 certificate).
2869
2870 When using gpg an exclamation mark (!) may be appended to force
2871 using the specified primary or secondary key and not to try and
2872 calculate which primary or secondary key to use.
2873
2874 The best way to specify a key Id is by using the fingerprint.
2875 This avoids any ambiguities in case that there are duplicated
2876 key IDs.
2877
2878 1234343434343434C434343434343434
2879 123434343434343C3434343434343734349A3434
2880 0E12343434343434343434EAB3484343434343434
2881 0xE12343434343434343434EAB3484343434343434
2882
2883
2884 (gpgsm also accepts colons between each pair of hexadecimal digits
2885 because this is the de-facto standard on how to present X.509 finger‐
2886 prints.)
2887
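The "gpg --verify sigfile datafile" example and the advice above to pin fingerprints rather than key Ids, combined into one added example (not the man page's or GnuPG's own code): the exit code of gpg --verify alone is not sufficient, since it is 0 for any good signature, including one from a key gpg has never seen and does not trust, so the decision is made on the --status-fd lines instead. The binary is called gpg as in the page's examples (substitute gpg2 where that is the installed name); the fingerprints, user IDs and status lines are constructed, the helper names are this example's own, and treating EXPKEYSIG/REVKEYSIG as failures is a policy choice made here.

```shell
#!/bin/sh
# Added example, not from the gpg2 man page: accept a detached signature
# only if it was made by a key on an explicit allow-list, identified by
# its full primary-key fingerprint.

# Full 40-hex-digit primary-key fingerprints of accepted signers
# (constructed values, not real keys).
TRUSTED_FPRS="
0123456789ABCDEF0123456789ABCDEF01234567
89ABCDEF0123456789ABCDEF0123456789ABCDEF
"

# is_trusted FPR: exact match against TRUSTED_FPRS (never a key ID).
is_trusted() {
    for t in $TRUSTED_FPRS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# check_status TEXT: judge the "[GNUPG:] ..." lines gpg wrote to
# --status-fd. Returns 0 only if no signature was bad, unverifiable,
# expired or revoked AND at least one VALIDSIG names a trusted primary
# key. VALIDSIG fields after the keyword: signing-key fpr, date,
# timestamp, expiry, version, reserved, pubkey algo, hash algo, sig
# class, primary-key fpr. The last one is pinned, because signatures
# are normally made by a subkey; it is the 12th field counting the
# "[GNUPG:]" and "VALIDSIG" words.
check_status() {
    if printf '%s\n' "$1" |
       grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    fprs=$(printf '%s\n' "$1" |
           awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }')
    for f in $fprs; do
        is_trusted "$f" && return 0
    done
    return 1
}

# verify_detached SIGFILE DATAFILE: both filenames are given explicitly
# so gpg never guesses the data file from the signature's name; status
# lines go to stdout and the verdict comes from them, not the exit code.
verify_detached() {
    out=$(gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$out"
}

# Constructed status output for three cases (not captured from gpg).
# Subkey 76543210FEDCBA98 signs; its primary key is allow-listed.
GOOD_STATUS='[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-07-13 1531440000 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE'
# Good signature from a key nobody vouched for: gpg itself exits 0 here.
UNTRUSTED_STATUS='[GNUPG:] GOODSIG 33445566778899AA Someone Else <else@example.net>
[GNUPG:] VALIDSIG 99887766554433221100112233445566778899AA 2018-07-13 1531440000 0 4 0 1 10 01 99887766554433221100112233445566778899AA
[GNUPG:] TRUST_UNDEFINED'
BAD_STATUS='[GNUPG:] BADSIG 76543210FEDCBA98 Example Signer <signer@example.org>'

# Typical use:  verify_detached release.tar.gz.sig release.tar.gz && echo ok
```

Because the allow-list is matched on the primary key fingerprint, rotating a signing subkey does not require touching the list, while a good signature from an unknown key (the UNTRUSTED_STATUS case, which gpg reports with exit code 0 and only a warning) is rejected.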
2888
2889 By exact match on OpenPGP user ID.
2890 This is denoted by a leading equal sign. It does not make sense
2891 for X.509 certificates.
2892
2893 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
2894
2895
2896 By exact match on an email address.
2897 This is indicated by enclosing the email address in the usual
2898 way with left and right angles.
2899
2900 <heinrichh@uni-duesseldorf.de>
2901
2902
2903
2904 By word match.
2905 All words must match exactly (not case sensitive) but can appear
2906 in any order in the user ID or a subjects name. Words are any
2907 sequences of letters, digits, the underscore and all characters
2908 with bit 7 set.
2909
2910 +Heinrich Heine duesseldorf
2911
2912
2913 By exact match on the subject's DN.
2914 This is indicated by a leading slash, directly followed by the
2915 RFC-2253 encoded DN of the subject. Note that you can't use the
2916 string printed by "gpgsm --list-keys" because that one has been
2917 reordered and modified for better readability; use --with-colons
2918 to print the raw (but standard escaped) RFC-2253 string.
2919
2920 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
2921
2922
2923 By exact match on the issuer's DN.
2924 This is indicated by a leading hash mark, directly followed by a
2925 slash and then directly followed by the rfc2253 encoded DN of
2926 the issuer. This should return the Root cert of the issuer.
2927 See note above.
2928
2929 #/CN=Root Cert,O=Poets,L=Paris,C=FR
2930
2931
2932
2933 By exact match on serial number and issuer's DN.
2934 This is indicated by a hash mark, followed by the hexadecimal
2935 representation of the serial number, then followed by a slash
2936 and the RFC-2253 encoded DN of the issuer. See note above.
2937
2938 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
2939
2940
2941 By keygrip
2942 This is indicated by an ampersand followed by the 40 hex digits
2943 of a keygrip. gpgsm prints the keygrip when using the command
2944 --dump-cert. It does not yet work for OpenPGP keys.
2945
2946 &D75F22C3F86E355877348498CDC92BD21010A480
2947
2948
2949
2950 By substring match.
2951 This is the default mode but applications may want to explicitly
2952 indicate this by putting the asterisk in front. Match is not
2953 case sensitive.
2954
2955 Heine
2956 *Heine
2957
2958
2959
2960 Please note that we have reused the hash mark identifier which was used
2961 in old GnuPG versions to indicate the so-called local-id. It is no
2962 longer used, so there should be no conflict when used with X.509
2963 certificates.
2964
2965 Using the RFC-2253 format of DNs has the drawback that it is not
2966 possible to map them back to the original encoding; however, we don't
2967 have to do this because our key database stores this encoding as
2968 metadata.
2969
2970
2971
2972
2973 FILES
2974 There are a few configuration files to control certain aspects of
2975 gpg2's operation. Unless noted, they are expected in the current home
2976 directory (see: [option --homedir]).
2977
2978
2979
2980 gpg.conf
2981 This is the standard configuration file read by gpg2 on startup.
2982 It may contain any valid long option; the leading two dashes may
2983 not be entered and the option may not be abbreviated. This
2984 default name may be changed on the command line (see: [gpg-
2985 option --options]). You should back up this file.
2986
2987
2988 Note that on larger installations, it is useful to put predefined files
2989 into the directory ‘/etc/skel/.gnupg/’ so that newly created users
2990 start up with a working configuration. For existing users a small
2991 helper script is provided to create these files (see: [addgnupghome]).
2992
2993 For internal purposes gpg2 creates and maintains a few other files;
2994 they all live in the current home directory (see: [option
2995 --homedir]). Only gpg2 may modify these files.
2996
2997
2998
2999 ~/.gnupg/secring.gpg
3000 The secret keyring. You should back up this file.
3001
3002
3003 ~/.gnupg/secring.gpg.lock
3004 The lock file for the secret keyring.
3005
3006
3007 ~/.gnupg/pubring.gpg
3008 The public keyring. You should back up this file.
3009
3010
3011 ~/.gnupg/pubring.gpg.lock
3012 The lock file for the public keyring.
3013
3014
3015 ~/.gnupg/trustdb.gpg
3016 The trust database. There is no need to backup this file; it is
3017 better to backup the ownertrust values (see: [option --export-
3018 ownertrust]).
3019
3020
3021 ~/.gnupg/trustdb.gpg.lock
3022 The lock file for the trust database.
3023
3024
3025 ~/.gnupg/random_seed
3026 A file used to preserve the state of the internal random pool.
3027
3028
3029 /usr[/local]/share/gnupg/options.skel
3030 The skeleton options file.
3031
3032
3033 /usr[/local]/lib/gnupg/
3034 Default location for extensions.
3035
3036
3037 Operation is further controlled by a few environment variables:
3038
3039
3040
3041 HOME Used to locate the default home directory.
3042
3043
3044 GNUPGHOME
3045 If set, this directory is used instead of "~/.gnupg".
3046
3047
3048 GPG_AGENT_INFO
3049 Used to locate the gpg-agent.
3050 The value consists of 3 colon delimited fields: the first is the
3051 path to the Unix Domain Socket, the second the PID of the
3052 gpg-agent and the third the protocol version, which should be set
3053 to 1. When starting the gpg-agent as described in its
3054 documentation, this variable is set to the correct value. The
3055 option --gpg-agent-info can be used to override it.
3056
3057
3061 PINENTRY_USER_DATA
3062 This value is passed via gpg-agent to pinentry. It is useful to
3063 convey extra information to a custom pinentry.
3064
3065
3066 COLUMNS
3067
3068 LINES Used to size some displays to the full size of the screen.
3069
3070
3071
3072 LANGUAGE
3073 Apart from its use by GNU, it is used in the W32 version to
3074 override the language selection done through the Registry. If
3075 used and set to a valid and available language name (langid),
3076 the file with the translation is loaded from
3078 gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory out of
3079 which the gpg binary has been loaded. If it can't be loaded the
3080 Registry is tried and as last resort the native Windows locale
3081 system is used.
3082
3083
3084
3085
3086
3087 BUGS
3088 On older systems this program should be installed as setuid(root). This
3089 is necessary to lock memory pages. Locking memory pages prevents the
3090 operating system from writing memory pages (which may contain
3091 passphrases or other sensitive material) to disk. If you get no
3092 warning message about insecure memory, your operating system
3093 supports locking without being root. The program drops root
3094 privileges as soon as locked memory is allocated.
3095
3096 Note also that some systems (especially laptops) have the ability to
3097 ``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
3098 This writes all memory to disk before going into a low power or even
3099 powered off mode. Unless the operating system protects the saved
3100 memory (for example with an encrypted swap or hibernation area),
3101 passphrases or other sensitive material may be recoverable later.
3102
3103 Before you report a bug you should first search the mailing list ar‐
3104 chives for similar problems and second check whether such a bug has
3105 already been reported to our bug tracker at http://bugs.gnupg.org.
3106
3107
3108
3109 SEE ALSO
3110 gpgv(1), gpgsm(1), gpg-agent(1)
3111
3112 The full documentation for this tool is maintained as a Texinfo manual.
3113 If GnuPG and the info program are properly installed at your site, the
3114 command
3115
3116 info gnupg
3117
3118 should give you access to the complete manual including a menu struc‐
3119 ture and an index.
3120
3121
3122
3123GnuPG 2.0.22 2018-07-13 GPG2(1)