GPG(1)                         GNU Privacy Guard                        GPG(1)

NAME
       gpg - OpenPGP encryption and signing tool

SYNOPSIS
       gpg [--homedir dir] [--options file] [options] command [args]

DESCRIPTION
       gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool
       to provide digital encryption and signing services using the OpenPGP
       standard. gpg features complete key management and all bells and
       whistles you can expect from a decent OpenPGP implementation.

       This is the standalone version of gpg. For desktop use you should
       consider using gpg2 (on some platforms gpg2 is installed under the
       name gpg).

RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least one
       signature was bad, and other error codes for fatal errors.

WARNINGS
       Use a *good* password for your user account and a *good* passphrase to
       protect your secret key. This passphrase is the weakest part of the
       whole system. Programs to do dictionary attacks on your secret keyring
       are very easy to write and so you should protect your "~/.gnupg/"
       directory very well.

       Keep in mind that, if this program is used over a network (telnet), it
       is *very* easy to spy out your passphrase!

       If you are going to verify detached signatures, make sure that the
       program knows about it; either give both filenames on the command line
       or use '-' to specify STDIN.

INTEROPERABILITY
       GnuPG tries to be a very flexible implementation of the OpenPGP
       standard. In particular, GnuPG implements many of the optional parts of
       the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
       compression algorithms. It is important to be aware that not all
       OpenPGP programs implement these optional algorithms and that by
       forcing their use via the --cipher-algo, --digest-algo,
       --cert-digest-algo, or --compress-algo options in GnuPG, it is
       possible to create a perfectly valid OpenPGP message, but one that
       cannot be read by the intended recipient.

       There are dozens of variations of OpenPGP programs available, and each
       supports a slightly different subset of these optional algorithms. For
       example, until recently, no (unhacked) version of PGP supported the
       BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
       read by a PGP user. By default, GnuPG uses the standard OpenPGP
       preferences system that will always do the right thing and create
       messages that are usable by all recipients, regardless of which OpenPGP
       program they use. Only override this safe default if you really know
       what you are doing.

       If you absolutely must override the safe default, or if the preferences
       on a given key are invalid for some reason, you are far better off
       using the --pgp6, --pgp7, or --pgp8 options. These options are safe as
       they do not force any particular algorithms in violation of OpenPGP,
       but rather reduce the available algorithms to a "PGP-safe" list.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       gpg may be run with no commands, in which case it will perform a
       reasonable action depending on the type of file it is given as input
       (an encrypted message is decrypted, a signature is verified, a file
       containing keys is listed).

       Please remember that option as well as command parsing stops as soon
       as a non-option is encountered; you can explicitly stop parsing by
       using the special option --.

   Commands not specific to the function

       --version
              Print the program version and licensing information. Note that
              you cannot abbreviate this command.

       --help

       -h     Print a usage message summarizing the most useful command line
              options. Note that you cannot abbreviate this command.

       --warranty
              Print warranty information.

       --dump-options
              Print a list of all available options and commands. Note that
              you cannot abbreviate this command.

   Commands to select the type of operation

       --sign

       -s     Make a signature. This command may be combined with --encrypt
              (for a signed and encrypted message), --symmetric (for a signed
              and symmetrically encrypted message), or --encrypt and
              --symmetric together (for a signed message that may be
              decrypted via a secret key or a passphrase). The key to be used
              for signing is chosen by default or can be set with the
              --local-user and --default-key options.

       --clearsign
              Make a clear text signature. The content in a clear text
              signature is readable without any special software. OpenPGP
              software is only needed to verify the signature. Clear text
              signatures may modify end-of-line whitespace for platform
              independence and are not intended to be reversible. The key to
              be used for signing is chosen by default or can be set with the
              --local-user and --default-key options.

       --detach-sign

       -b     Make a detached signature.

       --encrypt

       -e     Encrypt data. This option may be combined with --sign (for a
              signed and encrypted message), --symmetric (for a message that
              may be decrypted via a secret key or a passphrase), or --sign
              and --symmetric together (for a signed message that may be
              decrypted via a secret key or a passphrase).

       --symmetric

       -c     Encrypt with a symmetric cipher using a passphrase. The default
              symmetric cipher used is CAST5, but may be chosen with the
              --cipher-algo option. This option may be combined with --sign
              (for a signed and symmetrically encrypted message), --encrypt
              (for a message that may be decrypted via a secret key or a
              passphrase), or --sign and --encrypt together (for a signed
              message that may be decrypted via a secret key or a
              passphrase).

       --store
              Store only (make a simple RFC1991 literal data packet).

       --decrypt

       -d     Decrypt the file given on the command line (or STDIN if no file
              is specified) and write it to STDOUT (or the file specified with
              --output). If the decrypted file is signed, the signature is
              also verified. This command differs from the default operation,
              as it never writes to the filename which is included in the
              file and it rejects files which don't begin with an encrypted
              message.

       --verify
              Assume that the first argument is a signed file or a detached
              signature and verify it without generating any output. With no
              arguments, the signature packet is read from STDIN. If only a
              sigfile is given, it may be a complete signature or a detached
              signature, in which case the signed stuff is expected in a file
              without the ".sig" or ".asc" extension. With more than 1
              argument, the first should be a detached signature and the
              remaining files are the signed stuff. To read the signed stuff
              from STDIN, use '-' as the second filename. For security
              reasons a detached signature cannot read the signed material
              from STDIN without denoting it in the above way.
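
              A script wrapper for the detached-signature case described
              above, added here as an example and not taken from the gpg man
              page or the GnuPG sources: it always names the signed data
              explicitly (a file or '-') and maps the exit status onto the
              three outcomes given under RETURN VALUE. The function names
              gpg_verdict, verify_detached and verify_or_abort are assumed
              names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the gpg man page): verify a detached signature with
# the signed data named explicitly, and interpret gpg's exit status the way
# RETURN VALUE describes: 0 = fine, 1 = at least one bad signature, anything
# else = fatal error (missing key, unreadable file, no gpg binary, ...).

# Map an exit status to a short verdict. Pure shell, so it can be checked
# without gpg installed.
gpg_verdict() {
    case "$1" in
        0) echo "good" ;;
        1) echo "bad-signature" ;;
        *) echo "fatal" ;;
    esac
}

# verify_detached SIGFILE DATAFILE
# Both names are passed, so gpg never has to guess the data file from a
# ".sig"/".asc" name; DATAFILE may be '-' to read the signed data from STDIN,
# which the man page requires to be stated explicitly.
# Prints the verdict on stdout and returns gpg's raw exit status.
verify_detached() {
    sig="$1"
    data="$2"
    # --batch: never prompt, so the call is safe in cron jobs and pipelines.
    # The if/else form keeps the status even when the caller uses set -e.
    if gpg --batch --verify "$sig" "$data" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    gpg_verdict "$rc"
    return "$rc"
}

# verify_or_abort SIGFILE DATAFILE
# Accept the data only on an exact "good" verdict. A "fatal" result (for
# example, the signing key is not in the keyring) is not a bad signature,
# but it must not be treated as a successful verification either.
verify_or_abort() {
    verdict=$(verify_detached "$1" "$2" || true)
    if [ "$verdict" = "good" ]; then
        echo "verified: $2"
        return 0
    fi
    echo "refusing to use $2 ($verdict)" >&2
    return 1
}
```

              Typical use is verify_or_abort release.tar.gz.sig
              release.tar.gz before unpacking a download, or
              verify_detached msg.sig - with the signed data on STDIN.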

       --multifile
              This modifies certain other commands to accept multiple files
              for processing on the command line or read from STDIN with each
              filename on a separate line. This allows for many files to be
              processed at once. --multifile may currently be used along with
              --verify, --encrypt, and --decrypt. Note that --multifile
              --verify may not be used with detached signatures.

       --verify-files
              Identical to --multifile --verify.

       --encrypt-files
              Identical to --multifile --encrypt.

       --decrypt-files
              Identical to --multifile --decrypt.

       --list-keys

       -k

       --list-public-keys
              List all keys from the public keyrings, or just the keys given
              on the command line. -k is slightly different from --list-keys
              in that it allows only for one argument and takes the second
              argument as the keyring to search. This is for command line
              compatibility with PGP 2 and has been removed in gpg2.

              Avoid using the output of this command in scripts or other
              programs as it is likely to change as GnuPG changes. See
              --with-colons for a machine-parseable key listing command that
              is appropriate for use in scripts and other programs.

       --list-secret-keys

       -K     List all keys from the secret keyrings, or just the ones given
              on the command line. A # after the letters sec means that the
              secret key is not usable (for example, if it was created via
              --export-secret-subkeys).

       --list-sigs
              Same as --list-keys, but the signatures are listed too.

              For each signature listed, there are several flags in between
              the "sig" tag and keyid. These flags give additional information
              about each signature. From left to right, they are the numbers
              1-3 for certificate check level (see --ask-cert-level), "L" for
              a local or non-exportable signature (see --lsign-key), "R" for a
              nonRevocable signature (see the --edit-key command "nrsign"),
              "P" for a signature that contains a policy URL (see
              --cert-policy-url), "N" for a signature that contains a notation
              (see --cert-notation), "X" for an eXpired signature (see
              --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above
              to indicate trust signature levels (see the --edit-key command
              "tsign").

       --check-sigs
              Same as --list-sigs, but the signatures are verified. Note that
              for performance reasons the revocation status of a signing key
              is not shown.

              The status of the verification is indicated by a flag directly
              following the "sig" tag (and thus before the flags described
              above for --list-sigs). A "!" indicates that the signature has
              been successfully verified, a "-" denotes a bad signature and a
              "%" is used if an error occurred while checking the signature
              (e.g. a non-supported algorithm).

       --fingerprint
              List all keys (or the specified ones) along with their
              fingerprints. This is the same output as --list-keys but with
              the additional output of a line with the fingerprint. May also
              be combined with --list-sigs or --check-sigs. If this command is
              given twice, the fingerprints of all secondary keys are listed
              too.

       --list-packets
              List only the sequence of packets. This is mainly useful for
              debugging.

       --card-edit
              Present a menu to work with a smartcard. The subcommand "help"
              provides an overview on available commands. For a detailed
              description, please see the Card HOWTO at
              http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

       --card-status
              Show the content of the smart card.

       --change-pin
              Present a menu to allow changing the PIN of a smartcard. This
              functionality is also available as the subcommand "passwd" with
              the --card-edit command.

       --delete-key name
              Remove key from the public keyring. In batch mode either --yes
              is required or the key must be specified by fingerprint. This is
              a safeguard against accidental deletion of multiple keys.

       --delete-secret-key name
              Remove key from the secret and public keyring. In batch mode the
              key must be specified by fingerprint.

       --delete-secret-and-public-key name
              Same as --delete-key, but if a secret key exists, it will be
              removed first. In batch mode the key must be specified by
              fingerprint.

       --export
              Either export all keys from all keyrings (default keyrings and
              those registered via option --keyring), or if at least one name
              is given, those of the given name. The new keyring is written to
              STDOUT or to the file given with option --output. Use together
              with --armor to mail those keys.

       --send-keys key IDs
              Similar to --export but sends the keys to a keyserver.
              Fingerprints may be used instead of key IDs. Option --keyserver
              must be used to give the name of this keyserver. Don't send your
              complete keyring to a keyserver; select only those keys which
              are new or changed by you. If no key IDs are given, gpg does
              nothing.

       --export-secret-keys

       --export-secret-subkeys
              Same as --export, but exports the secret keys instead. This is
              normally not very useful and a security risk. The second form
              of the command has the special property to render the secret
              part of the primary key useless; this is a GNU extension to
              OpenPGP and other implementations can not be expected to
              successfully import such a key. See the option
              --simple-sk-checksum if you want to import such an exported key
              with an older OpenPGP implementation.

       --import

       --fast-import
              Import/merge keys. This adds the given keys to the keyring. The
              fast version is currently just a synonym.

              There are a few other options which control how this command
              works. Most notable here is the --import-options merge-only
              option which does not insert new keys but does only the merging
              of new signatures, user-IDs and subkeys.

       --recv-keys key IDs
              Import the keys with the given key IDs from a keyserver. Option
              --keyserver must be used to give the name of this keyserver.

       --refresh-keys
              Request updates from a keyserver for keys that already exist on
              the local keyring. This is useful for updating a key with the
              latest signatures, user IDs, etc. Calling this with no arguments
              will refresh the entire keyring. Option --keyserver must be used
              to give the name of the keyserver for all keys that do not have
              preferred keyservers set (see --keyserver-options
              honor-keyserver-url).

       --search-keys names
              Search the keyserver for the given names. Multiple names given
              here will be joined together to create the search string for the
              keyserver. Option --keyserver must be used to give the name of
              this keyserver. Keyservers that support different search
              methods allow using the syntax specified in "How to specify a
              user ID" below. Note that different keyserver types support
              different search methods. Currently only LDAP supports them all.

       --fetch-keys URIs
              Retrieve keys located at the specified URIs. Note that different
              installations of GnuPG may support different protocols (HTTP,
              FTP, LDAP, etc.)

       --update-trustdb
              Do trust database maintenance. This command iterates over all
              keys and builds the Web of Trust. This is an interactive command
              because it may have to ask for the "ownertrust" values for keys.
              The user has to give an estimation of how far she trusts the
              owner of the displayed key to correctly certify (sign) other
              keys. GnuPG only asks for the ownertrust value if it has not yet
              been assigned to a key. Using the --edit-key menu, the assigned
              value can be changed at any time.

       --check-trustdb
              Do trust database maintenance without user interaction. From
              time to time the trust database must be updated so that expired
              keys or signatures and the resulting changes in the Web of Trust
              can be tracked. Normally, GnuPG will calculate when this is
              required and do it automatically unless --no-auto-check-trustdb
              is set. This command can be used to force a trust database check
              at any time. The processing is identical to that of
              --update-trustdb but it skips keys with a not yet defined
              "ownertrust".

              For use with cron jobs, this command can be used together with
              --batch in which case the trust database check is done only if a
              check is needed. To force a run even in batch mode add the
              option --yes.

       --export-ownertrust
              Send the ownertrust values to STDOUT. This is useful for backup
              purposes as these values are the only ones which can't be
              re-created from a corrupted trustdb. Example:
                  gpg --export-ownertrust > otrust.txt

       --import-ownertrust
              Update the trustdb with the ownertrust values stored in files
              (or STDIN if not given); existing values will be overwritten.
              In case of a severely damaged trustdb and if you have a recent
              backup of the ownertrust values (e.g. in the file `otrust.txt'),
              you may re-create the trustdb using these commands:
                  cd ~/.gnupg
                  rm trustdb.gpg
                  gpg --import-ownertrust < otrust.txt

       --rebuild-keydb-caches
              When updating from version 1.0.6 to 1.0.7 this command should be
              used to create signature caches in the keyring. It might be
              handy in other situations too.

       --print-md algo

       --print-mds
              Print message digest of algorithm ALGO for all given files or
              STDIN. With the second form (or a deprecated "*" as algo)
              digests for all available algorithms are printed.

       --gen-random 0|1|2 count
              Emit count random bytes of the given quality level 0, 1 or 2. If
              count is not given or zero, an endless sequence of random bytes
              will be emitted. If used with --armor the output will be base64
              encoded. PLEASE, don't use this command unless you know what
              you are doing; it may remove precious entropy from the system!

       --gen-prime mode bits
              Use the source, Luke :-). The output format is still subject to
              change.

       --enarmor

       --dearmor
              Pack or unpack an arbitrary input into/from an OpenPGP ASCII
              armor. This is a GnuPG extension to OpenPGP and in general not
              very useful.

489   How to manage your keys
490
491
492       This section explains the main commands for key management
493
494
495
496       --gen-key
497              Generate  a  new  key  pair.  This command is normally only used
498              interactively.
499
500              There is an experimental feature which allows you to create keys
501              in  batch mode. See the file `doc/DETAILS' in the source distri‐
502              bution on how to use this.
503
504
505       --gen-revoke name
506              Generate a revocation  certificate  for  the  complete  key.  To
507              revoke a subkey or a signature, use the --edit command.
508
509
510       --desig-revoke name
511              Generate  a  designated  revocation  certificate for a key. This
512              allows a user (with the permission of the keyholder)  to  revoke
513              someone else's key.
514
515
516
517       --edit-key
518              Present  a  menu which enables you to do most of the key manage‐
519              ment related tasks.  It expects the specification of  a  key  on
520              the command line.
521
522
523
524              uid n  Toggle  selection of user ID or photographic user ID with
525                     index n.  Use * to select all and 0 to deselect all.
526
527
528              key n  Toggle selection of subkey with index n.  Use * to select
529                     all and 0 to deselect all.
530
531
532              sign   Make  a  signature  on key of user name If the key is not
533                     yet signed by the default user (or the users  given  with
534                     -u),  the  program  displays  the  information of the key
535                     again, together with its fingerprint and asks whether  it
536                     should be signed. This question is repeated for all users
537                     specified with -u.
538
539
540              lsign  Same as "sign"  but  the  signature  is  marked  as  non-
541                     exportable  and  will  therefore never be used by others.
542                     This may be used to make keys valid  only  in  the  local
543                     environment.
544
545
546              nrsign Same as "sign" but the signature is marked as non-revoca‐
547                     ble and can therefore never be revoked.
548
549
550              tsign  Make a trust signature. This is a signature that combines
551                     the  notions of certification (like a regular signature),
552                     and trust (like the "trust"  command).  It  is  generally
553                     only useful in distinct communities or groups.
554
555              Note  that "l" (for local / non-exportable), "nr" (for non-revo‐
556              cable, and "t" (for trust) may be freely mixed and  prefixed  to
557              "sign" to create a signature of any type desired.
558
559
560
561              delsig Delete  a  signature.  Note  that  it  is not possible to
562                     retract a signature, once it has been send to the  public
563                     (i.e.  to  a  keyserver).   In  that  case you better use
564                     revsig.
565
566
567              revsig Revoke a signature. For every signature  which  has  been
568                     generated by one of the secret keys, GnuPG asks whether a
569                     revocation certificate should be generated.
570
571
572              check  Check the signatures on all selected user IDs.
573
574
575              adduid Create an additional user ID.
576
577
578              addphoto
579                     Create a photographic user ID. This  will  prompt  for  a
580                     JPEG  file  that  will be embedded into the user ID. Note
581                     that a very large JPEG will make for a  very  large  key.
582                     Also  note  that  some  programs  will  display your JPEG
583                     unchanged (GnuPG), and some programs will scale it to fit
584                     in a dialog box (PGP).
585
586
587              showphoto
588                     Display the selected photographic user ID.
589
590
591              deluid Delete  a  user ID or photographic user ID.  Note that it
592                     is not possible to retract a user id, once  it  has  been
593                     send  to  the public (i.e. to a keyserver).  In that case
594                     you better use revuid.
595
596
597              revuid Revoke a user ID or photographic user ID.
598
599
600              primary
601                     Flag the current user id as the primary one, removes  the
602                     primary user id flag from all other user ids and sets the
603                     timestamp of  all  affected  self-signatures  one  second
604                     ahead. Note that setting a photo user ID as primary makes
605                     it primary over other photo user IDs, and setting a regu‐
606                     lar  user ID as primary makes it primary over other regu‐
607                     lar user IDs.
608
609
610              keyserver
611                     Set a preferred keyserver for the specified  user  ID(s).
612                     This allows other users to know where you prefer they get
613                     your key from. See  --keyserver-options  honor-keyserver-
614                     url  for  more  on  how  this  works.  Setting a value of
615                     "none" removes an existing preferred keyserver.
616
617
618              notation
619                     Set a name=value notation for the specified  user  ID(s).
620                     See --cert-notation for more on how this works. Setting a
621                     value of "none" removes all notations, setting a notation
622                     prefixed with a minus sign (-) removes that notation, and
623                     setting a notation name  (without  the  =value)  prefixed
624                     with a minus sign removes all notations with that name.
625
626
627              pref   List  preferences  from  the selected user ID. This shows
628                     the actual preferences,  without  including  any  implied
629                     preferences.
630
631
632              showpref
633                     More  verbose  preferences  listing for the selected user
634                     ID. This shows the preferences in effect by including the
635                     implied preferences of 3DES (cipher), SHA-1 (digest), and
636                     Uncompressed  (compression)  if  they  are  not   already
637                     included  in  the  preference list. In addition, the pre‐
638                     ferred keyserver and signature  notations  (if  any)  are
639                     shown.
640
641
642              setpref string
643                     Set the list of user ID preferences to string for all (or
644                     just the selected) user  IDs.  Calling  setpref  with  no
645                     arguments sets the preference list to the default (either
646                     built-in or set via --default-preference-list), and call‐
647                     ing  setpref  with  "none"  as the argument sets an empty
648                     preference list. Use gpg  --version  to  get  a  list  of
649                     available  algorithms. Note that while you can change the
650                     preferences on an attribute user  ID  (aka  "photo  ID"),
651                     GnuPG  does  not  select  keys  via attribute user IDs so
652                     these preferences will not be used by GnuPG.
653
654                     When setting preferences, you should list the  algorithms
655                     in the order which you'd like to see them used by someone
656                     else when encrypting a message to your key.  If you don't
657                     include  3DES, it will be automatically added at the end.
658                     Note that there are many factors that go into choosing an
659                     algorithm  (for  example,  your  key  may not be the only
660                     recipient), and so the remote OpenPGP  application  being
661                     used to send to you may or may not follow your exact cho‐
662                     sen order for a given message.  It  will,  however,  only
663                     choose  an  algorithm  that  is present on the preference
664                     list of every recipient key.  See also the INTEROPERABIL‐
665                     ITY WITH OTHER OPENPGP PROGRAMS section below.
666
667
668              addkey Add a subkey to this key.
669
670
671              addcardkey
672                     Generate a subkey on a card and add it to this key.
673
674
675              keytocard
676                     Transfer  the  selected secret subkey (or the primary key
677                     if no subkey has  been  selected)  to  a  smartcard.  The
678                     secret  key  in the keyring will be replaced by a stub if
679                     the key could be stored successfully on the card and  you
680                     use the save command later. Only certain key types may be
681                     transferred to the card. A sub menu allows you to  select
682                     on what card to store the key. Note that it is not possi‐
683                     ble to get that key back from the card - if the card gets
684                     broken  your  secret  key  will be lost unless you have a
685                     backup somewhere.
686
687
688              bkuptocard file
689                     Restore the given file to a card.  This  command  may  be
690                     used  to  restore  a backup key (as generated during card
691                     initialization) to a new card. In almost all  cases  this
692                     will  be  the encryption key. You should use this command
693                     only with the corresponding public key and make sure that
694                     the  file  given  as  argument  is  indeed  the backup to
695                     restore. You should then select 2 to restore  as  encryp‐
696                     tion   key.   You  will  first  be  asked  to  enter  the
697                     passphrase of the backup key and then for the  Admin  PIN
698                     of the card.
699
700
701              delkey Remove a subkey (secondary key). Note that it is not
702                     possible to retract a subkey once it has been sent  to
703                     the public (i.e. to a keyserver).  In that case use
704                     revkey instead.
705
706
707              revkey Revoke a subkey.
708
709
710              expire Change the key or subkey expiration time. If a subkey  is
711                     selected,  the  expiration  time  of  this subkey will be
712                     changed. With no selection, the  key  expiration  of  the
713                     primary key is changed.
714
715
716              trust  Change  the  owner  trust value for the key. This updates
717                     the trust-db immediately and no save is required.
718
719
720              disable
721
722              enable Disable or enable an entire key. A disabled key  can  not
723                     normally be used for encryption.
724
725
726              addrevoker
727                     Add  a  designated  revoker  to  the  key. This takes one
728                     optional argument: "sensitive". If a  designated  revoker
729                     is  marked  as  sensitive,  it  will  not  be exported by
730                     default (see export-options).
731
732
733              passwd Change the passphrase of the secret key.
734
735
736              toggle Toggle between public and secret key listing.
737
738
739              clean  Compact (by removing all signatures except  the  selfsig)
740                     any  user  ID  that is no longer usable (e.g. revoked, or
741                     expired). Then, remove any signatures that are not usable
742                     by  the  trust  calculations.  Specifically, this removes
743                     any signature that does not validate, any signature  that
744                     is  superseded  by a later signature, revoked signatures,
745                     and signatures issued by keys that are not present on the
746                     keyring.
747
748
749              minimize
750                     Make  the key as small as possible. This removes all sig‐
751                     natures from each user ID  except  for  the  most  recent
752                     self-signature.
753
754
755              cross-certify
756                     Add  cross-certification  signatures  to  signing subkeys
757                     that may not  currently  have  them.  Cross-certification
758                     signatures  protect against a subtle attack against sign‐
759                     ing subkeys. See --require-cross-certification.  All  new
760                     keys  generated  have  this signature by default, so this
761                     option is only useful to bring older keys up to date.
762
763
764              save   Save all changes to the key rings and quit.
765
766
767              quit   Quit the program without updating the key rings.
768
769
770              The listing shows you the key with its secondary  keys  and  all
771              user  ids.   The  primary  user  id  is  indicated by a dot, and
772              selected keys or user ids are indicated  by  an  asterisk.   The
773              trust  value is displayed with the primary key: the first is the
774              assigned owner trust and the  second  is  the  calculated  trust
775              value. Letters are used for the values:
776
777
778
779              -      No ownertrust assigned / not yet calculated.
780
781
782              e      Trust  calculation has failed; probably due to an expired
783                     key.
784
785
786              q      Not enough information for calculation.
787
788
789              n      Never trust this key.
790
791
792              m      Marginally trusted.
793
794
795              f      Fully trusted.
796
797
798              u      Ultimately trusted.
799
800
801       --sign-key name
802              Signs a public key with your secret key. This is a shortcut ver‐
803              sion of the subcommand "sign" from --edit-key.
804
805
806       --lsign-key name
807              Signs  a  public  key  with your secret key but marks it as non-
808              exportable. This is a shortcut version of the subcommand "lsign"
809              from --edit-key.
810
811
812
813
814
815

OPTIONS

817       gpg  features  a bunch of options to control the exact behaviour and to
818       change the default configuration.
819
820
821       Long   options   can   be   put   in   an   options    file    (default
822       "~/.gnupg/gpg.conf").  Short  option names will not work - for example,
823       "armor" is a valid option for the options file, while "a"  is  not.  Do
824       not  write  the  2  dashes,  but  simply the name of the option and any
825       required arguments. Lines with a hash ('#')  as  the  first  non-white-
826       space  character are ignored. Commands may be put in this file too, but
827       that is not generally useful as the command will execute  automatically
828       with every execution of gpg.
829
830       Please  remember  that  option parsing stops as soon as a non-option is
831       encountered; you can explicitly  stop  parsing  by  using  the  special
832       option --.
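       As an added example (not part of this manual page), the following
       POSIX shell script writes an options file that follows the rules
       above and lints an existing one for the two mistakes the text warns
       about: leading dashes and single-letter short names. The entries it
       writes are long options documented elsewhere on this page
       (keyid-format, keyserver-options, verify-options, list-options,
       min-cert-level); the target directory is a parameter so the real
       ~/.gnupg is never touched.

```shell
# Added example, not part of the gpg manual page: build and lint an options
# file. Option names below are long forms documented on this page; DIR is a
# parameter so ~/.gnupg is never touched.

# write_gpg_conf DIR: create DIR/gpg.conf with conservative defaults.
write_gpg_conf() {
    mkdir -p "$1"
    # Long names only, no leading dashes; a '#' line is a comment.
    cat > "$1/gpg.conf" <<'EOF'
# Listings show the 16-digit key ID with an 0x prefix.
keyid-format 0xlong
# ASCII-armored output.
armor
# Do not fetch unknown signing keys from a keyserver ("web bug").
keyserver-options no-auto-key-retrieve
# Do not look up sender addresses in DNS when verifying.
verify-options no-pka-lookups
# Show the calculated validity of user IDs in key listings.
list-options show-uid-validity
# Ignore level-1 ("persona") key signatures in trust calculation.
min-cert-level 2
EOF
}

# lint_gpg_conf FILE: return 0 if every non-comment line is a plausible
# options-file entry, 1 otherwise, reporting each offending line on stderr.
lint_gpg_conf() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Leading whitespace is insignificant; skip blank and comment lines.
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $trimmed in
            ''|'#'*) continue ;;
        esac
        # The option name is the first word; any arguments follow it.
        name=${trimmed%%[[:space:]]*}
        case $name in
            -*) echo "lint: dashes are not written in an options file: $line" >&2
                rc=1 ;;
            ?)  echo "lint: short option names do not work in an options file: $line" >&2
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}
```

       Point gpg at the result with --options DIR/gpg.conf (or --homedir
       DIR) and run a listing such as --list-keys; gpg itself rejects an
       option name it does not know when it reads the file, which the lint
       above does not check.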
833
834
835
836   How to change the configuration
837
838
839       These  options  are  used  to  change the configuration and are usually
840       found in the option file.
841
842
843
844       --default-key name
845              Use name as the default key to sign with. If this option is  not
846              used,  the  default  key  is  the  first key found in the secret
847              keyring.  Note that -u or --local-user overrides this option.
848
849
850       --default-recipient name
851              Use name as default recipient if option --recipient is not  used
852              and don't ask if this is a valid one. name must be non-empty.
853
854
855       --default-recipient-self
856              Use  the  default key as default recipient if option --recipient
857              is not used and don't ask if this is a valid  one.  The  default
858              key is the first one from the secret keyring or the one set with
859              --default-key.
860
861
862       --no-default-recipient
863              Reset --default-recipient and --default-recipient-self.
864
865
866       -v, --verbose
867              Give more information during  processing.  If  used  twice,  the
868              input data is listed in detail.
869
870
871       --no-verbose
872              Reset verbose level to 0.
873
874
875       -q, --quiet
876              Try to be as quiet as possible.
877
878
879       --batch
880
881       --no-batch
882              Use  batch  mode.  Never ask, do not allow interactive commands.
883              --no-batch disables this option.  Note that even with a filename
884              given  on  the  command  line, gpg might still need to read from
885              STDIN (in particular if gpg figures that the input is a detached
886              signature  and no data file has been specified).  Thus if you do
887              not want to feed data via STDIN, you  should  connect  STDIN  to
888              `/dev/null'.
889
890
891       --no-tty
892              Make  sure that the TTY (terminal) is never used for any output.
893              This option is needed in  some  cases  because  GnuPG  sometimes
894              prints warnings to the TTY even if --batch is used.
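       The following is an added example, not code from this manual page or
       from GnuPG: a POSIX shell wrapper that verifies a detached signature
       the way the --batch and --no-tty text advises (both file names on the
       command line, STDIN tied to /dev/null, nothing written to the
       terminal) and then decides from gpg's machine-readable status lines
       rather than from the exit code alone. It assumes the --status-fd
       option and the GOODSIG, VALIDSIG, BADSIG, ERRSIG, NODATA, EXPKEYSIG,
       REVKEYSIG and TRUST_* lines of GnuPG's status-fd protocol, which are
       not described in this section. Treating an expired or revoked
       signing key as a failure and requiring full trust are local policy
       choices, and the status lines used for testing are constructed.

```shell
# Added example, not code from the gpg manual page or from GnuPG.
# Assumes gpg's --status-fd option and its "[GNUPG:] ..." status lines.

# gpg_status_ok [MIN_TRUST]   (reads status lines on stdin)
# Returns 0 only if both GOODSIG and VALIDSIG were reported and no line
# marks the signature as bad, unverifiable, absent, or made by an expired
# or revoked key. With MIN_TRUST=full the signing key must also be fully
# or ultimately trusted (returns 2 otherwise).
gpg_status_ok() {
    min_trust=${1:-any}
    good=0; valid=0; bad=0; trusted=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] VALIDSIG "*)  valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA"*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;  # local policy
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] || return 1
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] || return 1
    [ "$min_trust" != full ] || [ "$trusted" -eq 1 ] || return 2
    return 0
}

# verify_detached SIGFILE DATAFILE [MIN_TRUST]
# Both names are given explicitly, STDIN is /dev/null so gpg never waits on
# it, --no-tty keeps warnings off the terminal, and only status lines reach
# the pipe (--status-fd 1); the human-readable output on stderr is dropped.
verify_detached() {
    gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" </dev/null 2>/dev/null \
        | gpg_status_ok "${3:-any}"
}

# sample_status KIND: constructed status output (not captured from gpg) used
# to exercise gpg_status_ok offline; the key ID and fingerprint are made up.
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    case $1 in
        good)
            echo "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.com>"
            echo "[GNUPG:] VALIDSIG $fpr 2009-01-01 1230768000 0 4 0 1 2 00 $fpr"
            echo "[GNUPG:] TRUST_FULLY" ;;
        uncertain)
            echo "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.com>"
            echo "[GNUPG:] VALIDSIG $fpr 2009-01-01 1230768000 0 4 0 1 2 00 $fpr"
            echo "[GNUPG:] TRUST_UNDEFINED" ;;
        bad)
            echo "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.com>" ;;
        nosig)
            echo "[GNUPG:] NODATA 1" ;;
    esac
}
```

       A signature that verifies but comes from a key with no trust path
       still passes the default call and only fails with MIN_TRUST=full;
       that is the distinction gpg reports as "[uncertain]" and which
       --trust-model always would hide.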
895
896
897       --yes  Assume "yes" on most questions.
898
899
900       --no   Assume "no" on most questions.
901
902
903
904       --list-options parameters
905              This  is  a  space  or comma delimited string that gives options
906              used when listing keys and  signatures  (that  is,  --list-keys,
907              --list-sigs,  --list-public-keys,  --list-secret-keys,  and  the
908              --edit-key functions).  Options can  be  prepended  with  a  no-
909              (after  the  two  dashes)  to  give  the  opposite meaning.  The
910              options are:
911
912
913
914              show-photos
915                     Causes --list-keys, --list-sigs, --list-public-keys,  and
916                     --list-secret-keys  to  display any photo IDs attached to
917                     the key.  Defaults to no. See also --photo-viewer.
918
919
920              show-policy-urls
921                     Show policy URLs in the --list-sigs or --check-sigs list‐
922                     ings.  Defaults to no.
923
924
925              show-notations
926
927              show-std-notations
928
929              show-user-notations
930                     Show  all, IETF standard, or user-defined signature nota‐
931                     tions  in  the  --list-sigs  or  --check-sigs   listings.
932                     Defaults to no.
933
934
935              show-keyserver-urls
936
937                     Show  any  preferred  keyserver URL in the --list-sigs or
938                     --check-sigs listings. Defaults to no.
939
940
941              show-uid-validity
942                     Display the calculated validity of user  IDs  during  key
943                     listings.  Defaults to no.
944
945
946              show-unusable-uids
947                     Show  revoked  and  expired  user  IDs  in  key listings.
948                     Defaults to no.
949
950
951              show-unusable-subkeys
952                     Show  revoked  and  expired  subkeys  in  key   listings.
953                     Defaults to no.
954
955
956              show-keyring
957                     Display  the  keyring name at the head of key listings to
958                     show which keyring a given key resides  on.  Defaults  to
959                     no.
960
961
962              show-sig-expire
963                     Show  signature  expiration dates (if any) during --list-
964                     sigs or --check-sigs listings. Defaults to no.
965
966
967              show-sig-subpackets
968                     Include signature subpackets in  the  key  listing.  This
969                     option can take an optional argument list of the subpack‐
970                     ets to list. If no argument is passed, list all  subpack‐
971                     ets.  Defaults to no. This option is only meaningful when
972                     using --with-colons along with  --list-sigs  or  --check-
973                     sigs.
974
975
976       --verify-options parameters
977              This  is  a  space  or comma delimited string that gives options
978              used when verifying signatures. Options can be prepended with  a
979              `no-' to give the opposite meaning. The options are:
980
981
982
983              show-photos
984                     Display  any photo IDs present on the key that issued the
985                     signature.  Defaults to no. See also --photo-viewer.
986
987
988              show-policy-urls
989                     Show  policy  URLs  in  the  signature  being   verified.
990                     Defaults to no.
991
992
993              show-notations
994
995              show-std-notations
996
997              show-user-notations
998                     Show  all, IETF standard, or user-defined signature nota‐
999                     tions in the signature being verified. Defaults  to  IETF
1000                     standard.
1001
1002
1003              show-keyserver-urls
1004                     Show  any  preferred keyserver URL in the signature being
1005                     verified.  Defaults to no.
1006
1007
1008              show-uid-validity
1009                     Display the calculated validity of the user  IDs  on  the
1010                     key that issued the signature. Defaults to no.
1011
1012
1013              show-unusable-uids
1014                     Show  revoked and expired user IDs during signature veri‐
1015                     fication.  Defaults to no.
1016
1017
1018              show-primary-uid-only
1019                     Show only the primary user ID during signature  verifica‐
1020                     tion.  That is, the AKA lines and photo IDs are not shown
1021                     with the signature verification status.
1022
1023
1024              pka-lookups
1025                     Enable PKA lookups to verify sender addresses. Note  that
1026                     PKA is based on DNS, and so enabling this option may dis‐
1027                     close information on when and what signatures  are  veri‐
1028                     fied or to whom data is encrypted. This is similar to the
1029                     "web bug" described for the auto-key-retrieve feature.
1030
1031
1032              pka-trust-increase
1033                     Raise the trust in a signature to full if  the  signature
1034                     passes  PKA validation. This option is only meaningful if
1035                     pka-lookups is set.
1036
1037
1038       --enable-dsa2
1039
1040       --disable-dsa2
1041              Enable hash truncation for all DSA keys even for old DSA keys up
1042              to  1024  bit.   This  is also the default with --openpgp.  Note
1043              that older versions of GnuPG also required this  flag  to  allow
1044              the generation of DSA larger than 1024 bit.
1045
1046
1047       --photo-viewer string
1048              This  is the command line that should be run to view a photo ID.
1049              "%i" will be expanded to a filename containing the  photo.  "%I"
1050              does  the  same,  except  the  file will not be deleted once the
1051              viewer exits.  Other flags are "%k" for the key ID, "%K" for the
1052              long  key  ID, "%f" for the key fingerprint, "%t" for the exten‐
1053              sion of the image type (e.g. "jpg"), "%T" for the MIME  type  of
1054              the  image  (e.g.  "image/jpeg"),  "%v" for the single-character
1055              calculated validity of the image being viewed (e.g.  "f"),  "%V"
1056              for the calculated validity as a string (e.g.  "full"), and "%%"
1057              for an actual percent sign. If neither %i  nor  %I  is  present,
1058              the photo will be supplied to the viewer on standard input.
1059
1060              The  default  viewer  is  "xloadimage -fork -quiet -title 'KeyID
1061              0x%k' STDIN". Note that if your  image  viewer  program  is  not
1062              secure, then executing it from GnuPG does not make it secure.
1063
1064
1065       --exec-path string
1066              Sets  a list of directories to search for photo viewers and key‐
1067              server helpers. If not provided, keyserver helpers use the  com‐
1068              piled-in  default  directory,  and  photo  viewers use the $PATH
1069              environment variable.  Note that on W32 systems  this  value  is
1070              ignored when searching for keyserver helpers.
1071
1072
1073       --keyring file
1074              Add  file to the current list of keyrings. If file begins with a
1075              tilde and a slash, these are replaced by the $HOME directory. If
1076              the  filename  does  not contain a slash, it is assumed to be in
1077              the GnuPG home directory ("~/.gnupg" if --homedir or  $GNUPGHOME
1078              is not used).
1079
1080              Note that this adds a keyring to the current list. If the intent
1081              is to use the specified keyring alone, use --keyring along  with
1082              --no-default-keyring.
1083
1084
1085       --secret-keyring file
1086              Same as --keyring but for the secret keyrings.
1087
1088
1089       --primary-keyring file
1090              Designate  file  as  the primary public keyring. This means that
1091              newly imported keys (via --import or keyserver --recv-from) will
1092              go to this keyring.
1093
1094
1095       --trustdb-name file
1096              Use  file  instead of the default trustdb. If file begins with a
1097              tilde and a slash, these are replaced by the $HOME directory. If
1098              the  filename  does  not contain a slash, it is assumed to be in
1099              the GnuPG home directory (`~/.gnupg' if --homedir or  $GNUPGHOME
1100              is not used).
1101
1102
1103
1104       --homedir dir
1105              Set the name of the home directory to dir. If this option is not
1106              used, the home directory defaults to  `~/.gnupg'.   It  is  only
1107              recognized  when  given  on the command line.  It also overrides
1108              any home  directory  stated  through  the  environment  variable
1109              `GNUPGHOME'  or  (on W32 systems) by means of the Registry entry
1110              HKCU\Software\GNU\GnuPG:HomeDir.
1111
1112
1113
1114
1115       --pcsc-driver file
1116              Use file to access the smartcard reader. The current default  is
1117              `libpcsclite.so.1'    for    GLIBC    based    systems,   `/Sys‐
1118              tem/Library/Frameworks/PCSC.framework/PCSC' for Mac OS X,  `win‐
1119              scard.dll' for Windows and `libpcsclite.so' for other systems.
1120
1121
1122       --disable-ccid
1123              Disable  the integrated support for CCID compliant readers. This
1124              allows falling back to one of the other  drivers  even  if  the
1125              internal CCID driver can handle the reader. Note that CCID  sup‐
1126              port is only available if libusb was available at build time.
1127
1128
1129       --reader-port number_or_string
1130              This option may be used to specify the port of the  card  termi‐
1131              nal.  A  value of 0 refers to the first serial device; add 32768
1132              to access USB devices. The default is 32768 (first USB  device).
1133              PC/SC  or CCID readers might need a string here; run the program
1134              in verbose mode to get a list of available readers. The  default
1135              is then the first reader found.
1136
1137
1138       --display-charset name
1139              Set  the  name of the native character set. This is used to con‐
1140              vert some informational strings like  user  IDs  to  the  proper
1141              UTF-8 encoding.  Note that this has nothing to do with the char‐
1142              acter set of data to be encrypted  or  signed;  GnuPG  does  not
1143              recode  user-supplied  data.  If  this  option  is not used, the
1144              default character set is determined from the current  locale.  A
1145              verbosity  level  of  3  shows the chosen set.  Valid values for
1146              name are:
1147
1148
1149
1150              iso-8859-1
1151                     This is the Latin 1 set.
1152
1153
1154              iso-8859-2
1155                     The Latin 2 set.
1156
1157
1158              iso-8859-15
1159                     This is currently an alias for the Latin 1 set.
1160
1161
1162              koi8-r The usual Russian set (rfc1489).
1163
1164
1165              utf-8  Bypass all translations  and  assume  that  the  OS  uses
1166                     native UTF-8 encoding.
1167
1168
1169       --utf8-strings
1170
1171       --no-utf8-strings
1172              Assume  that  command  line arguments are given as UTF-8 strings.
1173              The default (--no-utf8-strings) is to assume that arguments  are
1174              encoded  in the character set as specified by --display-charset.
1175              These options affect all following arguments. Both  options  may
1176              be used multiple times.
1177
1178
1179
1180       --options file
1181              Read  options  from  file  and  do not try to read them from the
1182              default options file in the homedir (see --homedir). This option
1183              is ignored if used in an options file.
1184
1185
1186       --no-options
1187              Shortcut for --options /dev/null. This option is detected before
1188              an attempt to open an option file.  Using this option will  also
1189              prevent the creation of a `~/.gnupg' homedir.
1190
1191
1192
1193
1194       -z n
1195
1196       --compress-level n
1197
1198       --bzip2-compress-level n
1199              Set  compression  level  to  n  for the ZIP and ZLIB compression
1200              algorithms. The default is to use the default compression  level
1201              of  zlib  (normally 6). --bzip2-compress-level sets the compres‐
1202              sion level for the BZIP2 compression algorithm (defaulting to  6
1203              as well). This is a different option from --compress-level since
1204              BZIP2 uses a significant amount of memory  for  each  additional
1205              compression  level.   -z  sets both. A value of 0 for n disables
1206              compression.
1207
1208
1209       --bzip2-decompress-lowmem
1210              Use a different decompression method for BZIP2 compressed files.
1211              This  alternate method uses a bit more than half the memory, but
1212              also runs at half the speed. This is useful  under  extreme  low
1213              memory  circumstances when the file was originally compressed at
1214              a high --bzip2-compress-level.
1215
1216
1217
1218       --mangle-dos-filenames
1219
1220       --no-mangle-dos-filenames
1221              Older versions of Windows cannot handle filenames with more than
1222              one  dot. --mangle-dos-filenames causes GnuPG to replace (rather
1223              than add to) the extension of an output filename to  avoid  this
1224              problem. This option is off by default and has no effect on non-
1225              Windows platforms.
1226
1227
1228       --ask-cert-level
1229
1230       --no-ask-cert-level
1231              When making a key signature, prompt for a  certification  level.
1232              If this option is not specified, the certification level used is
1233              set  via  --default-cert-level.  See  --default-cert-level   for
1234              information  on the specific levels and how they are used. --no-
1235              ask-cert-level disables this option. This option defaults to no.
1236
1237
1238       --default-cert-level n
1239              The default to use for the check level when signing a key.
1240
1241              0 means you make no particular claim as  to  how  carefully  you
1242              verified the key.
1243
1244              1 means you believe the key is owned by the person who claims to
1245              own it but you could not, or did not verify the key at all. This
1246              is  useful  for a "persona" verification, where you sign the key
1247              of a pseudonymous user.
1248
1249              2 means you did casual verification of  the  key.  For  example,
1250              this  could  mean  that  you  verified the key fingerprint  and
1251              checked the user ID on the key against a photo ID.
1252
1253              3 means you did extensive verification of the key. For  example,
1254              this  could  mean that you verified the key fingerprint with the
1255              owner of the key in person, and that you checked, by means of  a
1256              hard to forge document with a photo ID (such as a passport) that
1257              the name of the key owner matches the name in the user ID on the
1258              key,  and  finally that you verified (by exchange of email) that
1259              the email address on the key belongs to the key owner.
1260
1261              Note that the examples given above for levels 2 and 3  are  just
1262              that:  examples. In the end, it is up to you to decide just what
1263              "casual" and "extensive" mean to you.
1264
1265              This option defaults to 0 (no particular claim).
1266
1267
1268       --min-cert-level
1269              When building the trust database, treat any  signatures  with  a
1270              certification  level below this as invalid. Defaults to 2, which
1271              disregards level 1 signatures. Note that level 0 "no  particular
1272              claim" signatures are always accepted.
1273
1274
1275       --trusted-key long key ID
1276              Assume  that  the specified key (which must be given as a full 8
1277              byte key ID) is as trustworthy as one of your own  secret  keys.
1278              This option is useful if you don't want to keep your secret keys
1279              (or one of them) online but still want to be able to  check  the
1280              validity of a given recipient's or signatory's key.
1281
1282
1283       --trust-model pgp|classic|direct|always|auto
1284              Set what trust model GnuPG should follow. The models are:
1285
1286
1287
1288              pgp    This  is  the Web of Trust combined with trust signatures
1289                     as used in PGP 5.x and later. This is the  default  trust
1290                     model when creating a new trust database.
1291
1292
1293              classic
1294                     This  is the standard Web of Trust as used in PGP 2.x and
1295                     earlier.
1296
1297
1298              direct Key validity is set directly by the user and  not  calcu‐
1299                     lated via the Web of Trust.
1300
1301
1302              always Skip  key validation and assume that used keys are always
1303                     fully trusted. You generally won't use  this  unless  you
1304                     are  using  some  external validation scheme. This option
1305                     also suppresses the "[uncertain]" tag printed with signa‐
1306                     ture checks when there is no evidence that the user ID is
1307                     bound to the key.
1308
1309
1310              auto   Select the trust model depending on whatever the internal
1311                     trust  database says. This is the default model if such a
1312                     database already exists.
1313
1314
1315       --auto-key-locate parameters
1316
1317       --no-auto-key-locate
1318              GnuPG can automatically locate and retrieve keys as needed using
1319              this  option.  This  happens when encrypting to an email address
1320              (in the "user@example.com" form), and there  are  no  user@exam‐
1321              ple.com keys on the local keyring.  This option takes any number
1322              of the following mechanisms, in the order they are to be tried:
1323
1324
1325
1326              cert   Locate a key using DNS CERT, as specified in rfc4398.
1327
1328
1329              pka    Locate a key using DNS PKA.
1330
1331
1332              ldap   Using DNS Service Discovery, check the domain in question
1333                     for  any  LDAP keyservers to use.  If this fails, attempt
1334                     to locate the key  using  the  PGP  Universal  method  of
1335                     checking 'ldap://keys.(thedomain)'.
1336
1337
1338              keyserver
1339                     Locate  a  key  using whatever keyserver is defined using
1340                     the --keyserver option.
1341
1342
1343              keyserver-URL
1344                     In addition, a keyserver URL as used in  the  --keyserver
1345                     option  may  be  used  here to query that particular key‐
1346                     server.
1347
1348
1349              local  Locate the key using the local keyrings.  This  mechanism
1350                     allows selecting the point in the list at which the local
1351                     key lookup is done. Thus using '--auto-key-locate  local'
1352                     is identical to --no-auto-key-locate.
1353
1354
1355              nodefault
1356                     This  flag  disables  the standard local key lookup, done
1357                     before any of the mechanisms defined by  the  --auto-key-
1358                     locate  are tried.  The position of this mechanism in the
1359                     list does not matter.  It is not  required  if  local  is
1360                     also used.
1361
1362
1363
1364       --keyid-format short|0xshort|long|0xlong
1365              Select  how  to  display  key  IDs.  "short"  is the traditional
1366              8-character key ID. "long" is the more accurate (but less conve‐
1367              nient)  16-character key ID. Add an "0x" to either to include an
1368              "0x" at the beginning of the key ID, as in 0x99242560.  A  short
                  key ID is only 32 bits long and distinct keys can share one, so
                  use the long form or the full fingerprint when naming a key you
                  are about to sign, trust, or encrypt to.
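       Added example (not from this manual page): a POSIX shell function
       that derives each of the four --keyid-format spellings from a key
       fingerprint. It assumes the OpenPGP rule for version 4 keys, not
       stated here, that the key ID is the low-order 64 bits of the 160-bit
       fingerprint, so the long key ID is the last 16 hex digits and the
       short one the last 8; the sample fingerprint is constructed around
       the page's 0x99242560 example and belongs to no real key.

```shell
# Added example, not part of the gpg manual page. Assumes the OpenPGP rule
# for version 4 keys: the key ID is the low-order 64 bits of the 160-bit
# fingerprint, so the long ID is the last 16 hex digits and the short ID
# the last 8.

# keyid_from_fpr FORMAT FINGERPRINT
# FORMAT is one of short, 0xshort, long, 0xlong (the --keyid-format values).
# Spaces as printed by --fingerprint are ignored; lower-case hex is accepted.
# Returns 1 for an unknown format or a fingerprint that is not 40 hex digits.
keyid_from_fpr() {
    fmt=$1
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case $fpr in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    long=$(printf '%s\n' "$fpr" | cut -c25-40)
    short=$(printf '%s\n' "$fpr" | cut -c33-40)
    case $fmt in
        short)   printf '%s\n' "$short" ;;
        0xshort) printf '0x%s\n' "$short" ;;
        long)    printf '%s\n' "$long" ;;
        0xlong)  printf '0x%s\n' "$long" ;;
        *)       return 1 ;;
    esac
}

# Constructed sample fingerprint (not a real key) whose low 32 bits are the
# page's 0x99242560 example.
SAMPLE_FPR='1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 9924 2560'

# Stand-alone demonstration: print all four spellings.
for f in short 0xshort long 0xlong; do
    printf '%-8s %s\n' "$f" "$(keyid_from_fpr "$f" "$SAMPLE_FPR")"
done
```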
1369
1370
1371       --keyserver name
1372              Use name as your keyserver. This is the server that --recv-keys,
1373              --send-keys,  and --search-keys will communicate with to receive
1374              keys from, send keys to, and search for keys on. The  format  of
1375              the  name is a URI: `scheme:[//]keyservername[:port]' The scheme
1376              is the type of keyserver: "hkp" for  the  HTTP  (or  compatible)
1377              keyservers,  "ldap" for the LDAP keyservers, or "mailto" for the
1378              Graff email keyserver. Note that your particular installation of
1379              GnuPG  may  have  other  keyserver types available as well. Key‐
1380              server schemes are case-insensitive. After the  keyserver  name,
1381              optional  keyserver configuration options may be provided. These
1382              are the same as the global --keyserver-options from  below,  but
1383              apply only to this particular keyserver.
1384
1385              Most  keyservers synchronize with each other, so there is gener‐
1386              ally no need to send keys to more than one server. The keyserver
1387              hkp://keys.gnupg.net  uses  round  robin DNS to give a different
1388              keyserver each time you use it.
1389
1390
1391       --keyserver-options name=value1
1392              This is a space or comma delimited string that gives options for
1393              the  keyserver. Options can be prefixed with a `no-' to give the
1394              opposite meaning. Valid import-options or export-options may  be
1395              used  here as well to apply to importing (--recv-key) or export‐
1396              ing (--send-key) a key from a keyserver. While not  all  options
1397              are available for all keyserver types, some common options are:
1398
1399
1400
1401              include-revoked
1402                     When searching for a key with --search-keys, include keys
1403                     that are marked on the keyserver as  revoked.  Note  that
1404                     not  all  keyservers  differentiate  between  revoked and
1405                     unrevoked keys, and for such keyservers  this  option  is
1406                     meaningless.  Note  also that most keyservers do not have
1407                     cryptographic verification of  key  revocations,  and  so
1408                     turning  this option off may result in skipping keys that
1409                     are incorrectly marked as revoked.
1410
1411
1412              include-disabled
1413                     When searching for a key with --search-keys, include keys
1414                     that  are  marked on the keyserver as disabled. Note that
1415                     this option is not used with HKP keyservers.
1416
1417
1418              auto-key-retrieve
1419                     This option enables the automatic retrieving of keys from
1420                     a  keyserver  when verifying signatures made by keys that
1421                     are not on the local keyring.
1422
1423                     Note that this option makes a  "web  bug"  like  behavior
1424                     possible.   Keyserver  operators  can  see which keys you
1425                     request, so by sending you a message signed  by  a  brand
1426                     new  key (which you naturally will not have on your local
1427                     keyring), the operator can tell both your IP address  and
1428                     the time when you verified the signature.
1429
1430
1431              honor-keyserver-url
1432                     When  using  --refresh-keys, if the key in question has a
1433                     preferred keyserver URL, then  use  that  preferred  key‐
1434                     server to refresh the key from. In addition, if auto-key-
1435                     retrieve is set, and the signature being verified  has  a
1436                     preferred  keyserver  URL,  then  use that preferred key‐
1437                     server to fetch the key from. Defaults to yes.
1438
1439
1440              honor-pka-record
1441                     If auto-key-retrieve is set, and the signature being ver‐
1442                     ified  has  a PKA record, then use the PKA information to
1443                     fetch the key. Defaults to yes.
1444
1445
1446              include-subkeys
1447                     When receiving a key, include subkeys as  potential  tar‐
1448                     gets.  Note  that  this  option is not used with HKP key‐
1449                     servers, as they do not support retrieving keys by subkey
1450                     id.
1451
1452
1453              use-temp-files
1454                     On  most Unix-like platforms, GnuPG communicates with the
1455                     keyserver helper program via pipes,  which  is  the  most
1456                     efficient  method. This option forces GnuPG to use tempo‐
1457                     rary files to communicate. On  some  platforms  (such  as
1458                     Win32 and RISC OS), this option is always enabled.
1459
1460
1461              keep-temp-files
1462                     If  using  `use-temp-files', do not delete the temp files
1463                     after using them. This option is useful to learn the key‐
1464                     server  communication  protocol  by reading the temporary
1465                     files.
1466
1467
1468              verbose
1469                     Tell the keyserver helper program  to  be  more  verbose.
1470                     This  option  can  be repeated multiple times to increase
1471                     the verbosity level.
1472
1473
1474              timeout
1475                     Tell the keyserver helper program how long  (in  seconds)
1476                     to  try  and perform a keyserver action before giving up.
1477                     Note that performing multiple actions at  the  same  time
1478                     uses  this  timeout  value per action.  For example, when
1479                     retrieving multiple keys  via  --recv-keys,  the  timeout
1480                     applies  separately to each key retrieval, and not to the
1481                     --recv-keys command as a whole. Defaults to 30 seconds.
1482
1483
1484              http-proxy=value
1485                     Set the proxy to use for HTTP and HKP  keyservers.   This
1486                     overrides the "http_proxy" environment variable, if any.
1487
1488
1489              max-cert-size
1490                     When  retrieving  a key via DNS CERT, only accept keys up
1491                     to this size.  Defaults to 16384 bytes.
1492
1493
1494              debug  Turn on debug output in  the  keyserver  helper  program.
1495                     Note  that  the  details of debug output depends on which
1496                     keyserver helper program is being used, and in  turn,  on
1497                     any  libraries  that  the  keyserver  helper program uses
1498                     internally (libcurl, openldap, etc).
1499
1500
1501              check-cert
1502                     Enable certificate checking if the keyserver presents one
1503                     (for hkps or ldaps).  Defaults to on.
1504
1505
1506              ca-cert-file
1507                     Provide  a  certificate  store  to  override  the  system
1508                     default.  Only necessary if check-cert  is  enabled,  and
1509                     the  keyserver is using a certificate that is not present
1510                     in a system default certificate list.
1511
1512                     Note that depending on the SSL library that the keyserver
1513                     helper is built with, this may actually be a directory or
1514                     a file.
1515
1516
1517       --completes-needed n
1518              Number of completely trusted users to introduce a new key signer
1519              (defaults to 1).
1520
1521
1522       --marginals-needed n
1523              Number of marginally trusted users to introduce a new key signer
1524              (defaults to 3).
1525
1526
1527       --max-cert-depth n
1528              Maximum depth of a certification chain (default is 5).
1529
1530
1531       --simple-sk-checksum
1532              Secret keys are integrity protected by using a  SHA-1  checksum.
1533              This  method is part of the upcoming enhanced OpenPGP specifica‐
1534              tion but GnuPG already uses it as a countermeasure against  cer‐
1535              tain  attacks.   Old applications don't understand this new for‐
1536              mat, so this option may be used to switch back to the old behav‐
1537              iour.  Using  this option bears a security risk. Note that using
1538              this option only takes effect when the secret key is encrypted -
1539              the simplest way to make this happen is to change the passphrase
1540              on the key (even changing it to the same value is acceptable).
1541
1542
1543       --no-sig-cache
1544              Do not cache the verification status of key signatures.  Caching
1545              gives a much better performance in key listings. However, if you
1546              suspect that your public keyring is not safe against write modi‐
1547              fications,  you  can  use this option to disable the caching. It
1548              probably does not make sense to disable it because all kinds  of
1549              damage can be done if someone else has write access to your pub‐
1550              lic keyring.
1551
1552
1553       --no-sig-create-check
1554              GnuPG normally verifies each signature right after  creation  to
1555              protect  against bugs and hardware malfunctions which could leak
1556              out bits from the secret key. This extra verification needs some
1557              time  (about  115% for DSA keys), and so this option can be used
1558              to disable it.  However, due to the fact that the signature cre‐
1559              ation  needs  manual  interaction, this performance penalty does
1560              not matter in most settings.
1561
1562
1563       --auto-check-trustdb
1564
1565       --no-auto-check-trustdb
1566              If GnuPG feels that its information about the Web of  Trust  has
1567              to be updated, it automatically runs the --check-trustdb command
1568              internally.  This may be a time  consuming  process.  --no-auto-
1569              check-trustdb disables this option.
1570
1571
1572       --use-agent
1573
1574       --no-use-agent
1575              Try to use the GnuPG-Agent.  With this option, GnuPG first tries
1576              to connect to the agent before it asks for a  passphrase.  --no-
1577              use-agent disables this option.
1578
1579
1580       --gpg-agent-info
1581              Override    the    value    of    the    environment    variable
1582              'GPG_AGENT_INFO'. This is only used when --use-agent  has  been
1583              given.   Given  that this option is not anymore used by gpg2, it
1584              should be avoided if possible.
1585
1586
1587       --lock-once
1588              Lock the databases the first time a lock is requested and do not
1589              release the lock until the process terminates.
1590
1591
1592       --lock-multiple
1593              Release  the  locks  every  time a lock is no longer needed. Use
1594              this to override a previous --lock-once from a config file.
1595
1596
1597       --lock-never
1598              Disable locking entirely. This option should  be  used  only  in
1599              very special environments, where it can be assured that only one
1600              process is accessing those  files.  A  bootable  floppy  with  a
1601              stand-alone  encryption  system will probably use this. Improper
1602              usage of this option may lead to data and key corruption.
1603
1604
1605       --exit-on-status-write-error
1606              This option will cause write errors on the status FD to  immedi‐
1607              ately  terminate the process. That should in fact be the default
1608              but it never worked this way and  thus  we  need  an  option  to
1609              enable  this,  so that the change won't break applications which
1610              close their end of a status fd connected pipe too  early.  Using
1611              this  option  along with --enable-progress-filter may be used to
1612              cleanly cancel long running gpg operations.
1613
1614
1615       --limit-card-insert-tries n
1616              With n greater than 0 the number of prompts asking to  insert  a
1617              smartcard  gets limited to n-1. Thus with a value of 1 gpg won't
1618              at all ask to insert  a  card  if  none  has  been  inserted  at
1619              startup. This option is useful in the configuration file in case
1620              an application does not know about  the  smartcard  support  and
1621              waits ad infinitum for an inserted card.
1622
1623
1624       --no-random-seed-file
1625              GnuPG uses a file to store its internal random pool over invoca‐
1626              tions.  This makes random generation faster;  however  sometimes
1627              write  operations  are  not  desired. This option can be used to
1628              achieve that with the cost of slower random generation.
1629
1630
1631       --no-greeting
1632              Suppress the initial copyright message.
1633
1634
1635       --no-secmem-warning
1636              Suppress the warning about "using insecure memory".
1637
1638
1639       --no-permission-warning
1640              Suppress the  warning  about  unsafe  file  and  home  directory
1641              (--homedir)  permissions.  Note  that the permission checks that
1642              GnuPG performs are not intended to be authoritative, but  rather
1643              they  simply  warn  about certain common permission problems. Do
1644              not assume that the lack of a warning means that your system  is
1645              secure.
1646
1647              Note that the warning for unsafe --homedir permissions cannot be
1648              suppressed in the gpg.conf file, as this would allow an attacker
1649              to  place an unsafe gpg.conf file in place, and use this file to
1650              suppress warnings about itself. The --homedir permissions  warn‐
1651              ing may only be suppressed on the command line.
1652
1653
1654       --no-mdc-warning
1655              Suppress the warning about missing MDC integrity protection.
1656
1657
1658       --require-secmem
1659
1660       --no-require-secmem
1661              Refuse  to run if GnuPG cannot get secure memory. Defaults to no
1662              (i.e. run, but give a warning).
1663
1664
1665
1666       --require-cross-certification
1667
1668       --no-require-cross-certification
1669              When verifying a signature made from a subkey, ensure  that  the
1670              cross  certification  "back  signature" on the subkey is present
1671              and valid.  This protects against a subtle attack  against  sub‐
1672              keys  that  can sign.  Defaults to --require-cross-certification
1673              for gpg.
1674
1675
1676       --expert
1677
1678       --no-expert
1679              Allow the user to do certain nonsensical or "silly" things  like
1680              signing an expired or revoked key, or certain potentially incom‐
1681              patible things like generating unusual key types. This also dis‐
1682              ables  certain  warning  messages about potentially incompatible
1683              actions. As the name implies, this option is for  experts  only.
1684              If you don't fully understand the implications of what it allows
1685              you to do, leave this off. --no-expert disables this option.
1686
1687
1688
1689
1690
1691
1692
1693
1694   Key related options
1695
1696
1697
1698
1699       --recipient name
1700
1701       -r     Encrypt for user id name. If this option  or  --hidden-recipient
1702              is  not  specified, GnuPG asks for the user-id unless --default-
1703              recipient is given.
1704
1705
1706       --hidden-recipient name
1707
1708       -R     Encrypt for user ID name, but hide the key  ID  of  this  user's
1709              key.  This  option helps to hide the receiver of the message and
1710              is a limited countermeasure against traffic  analysis.  If  this
1711              option  or --recipient is not specified, GnuPG asks for the user
1712              ID unless --default-recipient is given.
1713
1714
1715       --encrypt-to name
1716              Same as --recipient but this one is  intended  for  use  in  the
1717              options  file  and  may  be  used  with  your  own user-id as an
1718              "encrypt-to-self". These keys are only used when there are other
1719              recipients  given  either  by use of --recipient or by the asked
1720              user id.  No trust checking is performed for these user ids  and
1721              even disabled keys can be used.
1722
1723
1724       --hidden-encrypt-to name
1725              Same  as  --hidden-recipient but this one is intended for use in
1726              the options file and may be used with your own user-id as a hid‐
1727              den  "encrypt-to-self".  These keys are only used when there are
1728              other recipients given either by use of --recipient  or  by  the
1729              asked  user  id.   No trust checking is performed for these user
1730              ids and even disabled keys can be used.
1731
1732
1733       --no-encrypt-to
1734              Disable the use  of  all  --encrypt-to  and  --hidden-encrypt-to
1735              keys.
1736
1737
1738       --group name=value1
1739              Sets up a named group, which is similar to aliases in email pro‐
1740              grams.  Any time the group name is a recipient (-r or  --recipi‐
1741              ent),  it  will  be  expanded  to the values specified. Multiple
1742              groups with the same name are automatically merged into a single
1743              group.
1744
1745              The  values are key IDs or fingerprints, but any key description
1746              is accepted. Note that a value with spaces in it will be treated
1747              as  two  different  values. Note also there is only one level of
1748              expansion --- you cannot make a group that  points  to  another
1749              group.  When  used from the command line, it may be necessary to
1750              quote the argument to this option  to  prevent  the  shell  from
1751              treating it as multiple arguments.
1752
1753
1754       --ungroup name
1755              Remove a given entry from the --group list.
1756
1757
1758       --no-groups
1759              Remove all entries from the --group list.
1760
1761
1762       --local-user name
1763
1764       -u     Use  name  as  the key to sign with. Note that this option over‐
1765              rides --default-key.
1766
1767
1768       --try-secret-key name
1769              For hidden recipients GPG needs to know  the  keys  to  use  for
1770              trial  decryption.   The  key  set  with --default-key is always
1771              tried first, but this is  often  not  sufficient.   This  option
1772              allows setting more keys to be  used  for  trial  decryption.
1773              Although any valid user-id specification may be used for name it
1774              makes sense to use at least the long keyid to avoid ambiguities.
1775              Note that gpg-agent might pop up a pinentry for a lot of keys to
1776              do the trial decryption.  If you want to stop all further  trial
1777              decryption  you  may use the close-window button instead of the
1778              cancel button.
1779
1780
1781       --try-all-secrets
1782              Don't  look  at  the key ID as stored in the message but try all
1783              secret keys in turn to  find  the  right  decryption  key.  This
1784              option  forces  the  behaviour  as  used by anonymous recipients
1785              (created by  using  --throw-keyids  or  --hidden-recipient)  and
1786              might  come  handy in case where an encrypted message contains a
1787              bogus key ID.
1788
1789
1790       --skip-hidden-recipients
1791
1792       --no-skip-hidden-recipients
1793              During decryption skip all anonymous  recipients.   This  option
1794              helps  in the case that people use the hidden recipients feature
1795              to hide their own encrypt-to key from others.   If  oneself  has
1796              many  secret keys this may lead to a major annoyance because all
1797              keys are tried in turn to decrypt something which was not really
1798              intended for it.  The drawback of this option is that it is cur‐
1799              rently not possible to decrypt a  message  which  includes  real
1800              anonymous recipients.
1801
1802
1803
1804
1805
1806   Input and Output
1807
1808
1809
1810
1811       --armor
1812
1813       -a     Create  ASCII  armored  output.   The  default  is to create the
1814              binary OpenPGP format.
1815
1816
1817       --no-armor
1818              Assume the input data is not in ASCII armored format.
1819
1820
1821       --output file
1822
1823       -o file
1824              Write output to file.
1825
1826
1827       --max-output n
1828              This option sets a limit on the number of  bytes  that  will  be
1829              generated when processing a file. Since OpenPGP supports various
1830              levels of compression, it is possible that the  plaintext  of  a
1831              given  message  may  be  significantly  larger than the original
1832              OpenPGP message. While GnuPG works properly with such  messages,
1833              there  is often a desire to set a maximum file size that will be
1834              generated before processing is forced to stop by the OS  limits.
1835              Defaults to 0, which means "no limit".
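       The reason an output cap matters is the compression ratio: a  tiny  Open‐
       PGP  message  can  inflate to gigabytes. The following Python is an added
       example, not GnuPG code, showing how a consumer of compressed data  en‐
       forces  a --max-output style limit while inflating rather than after the
       fact, so the oversized plaintext is never materialised.  It uses  zlib
       (the  ZLIB  compression algorithm from the INTEROPERABILITY section) on
       constructed sample data; the function and exception names are assump‐
       tions of this example.

```python
import zlib


class OutputLimitExceeded(Exception):
    """Raised when inflating would produce more bytes than the caller allows."""


def decompress_capped(data: bytes, max_output: int) -> bytes:
    """Inflate a zlib stream but refuse to emit more than max_output bytes.

    max_output == 0 means "no limit", mirroring the --max-output default.
    The cap is enforced while inflating (via zlib's max_length argument), so a
    highly compressed input never expands to a huge buffer before the check.
    """
    d = zlib.decompressobj()
    if max_output == 0:
        return d.decompress(data) + d.flush()

    out = bytearray()
    pending = data
    # Ask for at most one byte beyond the cap: a single excess byte is enough
    # to prove the plaintext is too large, without materialising the rest.
    while pending and len(out) <= max_output:
        out += d.decompress(pending, max_output + 1 - len(out))
        pending = d.unconsumed_tail      # compressed input not yet processed
    if len(out) > max_output:
        raise OutputLimitExceeded(
            f"plaintext exceeds the {max_output}-byte limit; stopped early")
    return bytes(out)


def fits_within(data: bytes, max_output: int) -> bool:
    """True if the stream inflates to at most max_output bytes."""
    try:
        decompress_capped(data, max_output)
        return True
    except OutputLimitExceeded:
        return False


# Constructed sample: one megabyte of a single repeated byte compresses to
# roughly a kilobyte, a ratio near 1000:1, which is why an output cap matters.
PLAINTEXT = b"A" * 1_000_000
COMPRESSED = zlib.compress(PLAINTEXT, 9)

if __name__ == "__main__":
    print(f"{len(COMPRESSED)} compressed bytes -> {len(PLAINTEXT)} plaintext bytes")
    print("fits in 1 MiB :", fits_within(COMPRESSED, 1 << 20))
    print("fits in 64 KiB:", fits_within(COMPRESSED, 1 << 16))
```

       A limit exactly equal to the plaintext size is accepted, because  the
       check is "more than", not "at least", matching the option's semantics
       of a maximum size.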
1836
1837
1838       --import-options parameters
1839              This is a space or comma delimited string that gives options for
1840              importing keys. Options can be prepended with a  `no-'  to  give
1841              the opposite meaning. The options are:
1842
1843
1844
1845              import-local-sigs
1846                     Allow importing key signatures marked as "local". This is
1847                     not generally useful unless a shared  keyring  scheme  is
1848                     being used.  Defaults to no.
1849
1850
1851              repair-pks-subkey-bug
1852                     During import, attempt to repair the damage caused by the
1853                     PKS keyserver bug (pre version 0.9.6) that  mangles  keys
1854                     with  multiple  subkeys. Note that this cannot completely
1855                     repair the damaged key as some crucial data is removed by
1856                     the  keyserver,  but  it  does at least give you back one
1857                     subkey. Defaults to no for regular --import  and  to  yes
1858                     for keyserver --recv-keys.
1859
1860
1861              merge-only
1862                     During import, allow key updates to existing keys, but do
1863                     not allow any new keys to be imported. Defaults to no.
1864
1865
1866              import-clean
1867                     After import, compact (remove all signatures  except  the
1868                     self-signature)  any  user  IDs from the new key that are
1869                     not usable.  Then, remove any signatures from the new key
1870                     that  are not usable.  This includes signatures that were
1871                     issued by keys that are not present on the keyring.  This
1872                     option  is  the  same  as  running the --edit-key command
1873                     "clean" after import. Defaults to no.
1874
1875
1876              import-minimal
1877                     Import the smallest key possible. This removes all signa‐
1878                     tures  except the most recent self-signature on each user
1879                     ID. This option is the same  as  running  the  --edit-key
1880                     command "minimize" after import.  Defaults to no.
1881
1882
1883       --export-options parameters
1884              This is a space or comma delimited string that gives options for
1885              exporting keys. Options can be prepended with a  `no-'  to  give
1886              the opposite meaning. The options are:
1887
1888
1889
1890              export-local-sigs
1891                     Allow exporting key signatures marked as "local". This is
1892                     not generally useful unless a shared  keyring  scheme  is
1893                     being used.  Defaults to no.
1894
1895
1896              export-attributes
1897                     Include  attribute  user IDs (photo IDs) while exporting.
1898                     This is useful to export keys if they  are  going  to  be
1899                     used by an OpenPGP program that does not accept attribute
1900                     user IDs. Defaults to yes.
1901
1902
1903              export-sensitive-revkeys
1904                     Include designated revoker information that was marked as
1905                     "sensitive". Defaults to no.
1906
1907
1908              export-reset-subkey-passwd
1909                     When  using  the  --export-secret-subkeys  command,  this
1910                     option resets the passphrases for all exported subkeys to
1911                     empty.  This  is useful when the exported subkey is to be
1912                     used on an unattended machine where a passphrase  doesn't
1913                     necessarily make sense. Defaults to no.
1914
1915
1916              export-clean
1917                     Compact  (remove all signatures from) user IDs on the key
1918                     being exported if the user IDs are not usable.  Also,  do
1919                     not  export  any  signatures  that  are  not usable. This
1920                     includes signatures that were issued by keys that are not
1921                     present  on  the keyring. This option is the same as run‐
1922                     ning the --edit-key command "clean" before export  except
1923                     that  the local copy of the key is not modified. Defaults
1924                     to no.
1925
1926
1927              export-minimal
1928                     Export the smallest key possible. This removes all signa‐
1929                     tures  except the most recent self-signature on each user
1930                     ID. This option is the same  as  running  the  --edit-key
1931                     command  "minimize"  before  export except that the local
1932                     copy of the key is not modified. Defaults to no.
1933
1934
1935       --with-colons
1936              Print key listings delimited by colons.  Note  that  the  output
1937              will  be  encoded  in  UTF-8 regardless of any --display-charset
1938              setting. This format is useful when GnuPG is called from scripts
1939              and  other  programs as it is easily machine parsed. The details
1940              of this format are documented in the file  `doc/DETAILS',  which
1941              is included in the GnuPG source distribution.
1942
1943
1944       --fixed-list-mode
1945              Do  not  merge  primary user ID and primary key in --with-colons
1946              listing  mode  and  print  all  timestamps  as   seconds   since
1947              1970-01-01.
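       Since the manual recommends this format for scripts, here is  an  added
       example  (not  part  of GnuPG or its doc/DETAILS) of a parser for --with-
       colons --fixed-list-mode listings.  It  groups  pub/fpr/uid/sub  records
       into  key objects, undoes the \xNN escaping gpg applies to colons inside
       user IDs, and flags keys a script should refuse to use  because  they
       are revoked or expired. The listing embedded below is constructed sample
       data, not output from a real keyring; the class and function names are
       this example's own.

```python
# Parser for gpg --with-colons --fixed-list-mode key listings (added example,
# not GnuPG code).  Field positions follow doc/DETAILS: type, validity, key
# length, algorithm, keyid, created, expires, (cert S/N or uid hash),
# ownertrust, user-id, sig class, capabilities.  Timestamps are epoch seconds
# because --fixed-list-mode is assumed.  SAMPLE_LISTING is constructed data.
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1400000000:1800000000::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1400000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.com>:
sub:u:2048:1:FEDCBA9876543210:1400000000:1800000000:::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:r:4096:1:89ABCDEF01234567:1300000000:::r:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:r::::1300000000::0123456789ABCDEF0123456789ABCDEF01234567::Revoked Person\\x3a Tester <rev@example.com>:
"""

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(s: str) -> str:
    """Undo the \\xNN escaping gpg applies to colons and non-printable bytes."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


@dataclass
class Key:
    keyid: str
    validity: str            # u=ultimate f=full m=marginal r=revoked e=expired ...
    length: int
    algo: int                # 1=RSA 17=DSA 18=ECDH 19=ECDSA 22=EdDSA
    created: int             # seconds since 1970-01-01
    expires: Optional[int]   # None when the key does not expire
    capabilities: str        # letters from field 12, e.g. "scESC"
    fingerprint: Optional[str] = None
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)


def _key_from(f):
    return Key(keyid=f[4], validity=f[1], length=int(f[2]), algo=int(f[3]),
               created=int(f[5]), expires=int(f[6]) if f[6] else None,
               capabilities=f[11] if len(f) > 11 else "")


def parse_colons(listing: str) -> list:
    """Group pub/fpr/uid/sub records into Key objects; skip other record types."""
    keys, current, last_key_record = [], None, None
    for line in listing.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = last_key_record = _key_from(f)
            keys.append(current)
        elif current is None:
            continue                 # anything before the first pub is ignored
        elif rtype == "sub":
            last_key_record = _key_from(f)
            current.subkeys.append(last_key_record)
        elif rtype == "fpr":
            last_key_record.fingerprint = f[9]   # belongs to the preceding pub/sub
        elif rtype == "uid":
            current.uids.append(unescape(f[9]))
        # tru, sig, rvk and other record types are not needed here
    return keys


def problem_keys(keys, now: int):
    """Return (keyid, reason) pairs for keys a script should not encrypt to."""
    findings = []
    for k in keys:
        if k.validity == "r":
            findings.append((k.keyid, "revoked"))
        elif k.expires is not None and k.expires < now:
            findings.append((k.keyid, "expired"))
    return findings


if __name__ == "__main__":
    for k in parse_colons(SAMPLE_LISTING):
        print(k.keyid, k.fingerprint, k.uids, [s.keyid for s in k.subkeys])
    print(problem_keys(parse_colons(SAMPLE_LISTING), now=1_750_000_000))
```

       Matching on the fingerprint rather than the short or long key  ID  is
       the  safer  choice  for  scripts  that  pick recipients, which is why the
       parser keeps the fpr record for both the primary key and each  subkey
       when it is present.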
1948
1949
1950       --with-fingerprint
1951              Same as the command --fingerprint but changes only the format of
1952              the output and may be used together with another command.
1953
1954
1955       --with-keygrip
1956              Include the keygrip in the key listings.
1957
1958
1959
1960
1961   OpenPGP protocol specific options
1962
1963
1964
1965
1966       -t, --textmode
1967
1968       --no-textmode
1969              Treat input files as text and store them in the OpenPGP  canoni‐
1970              cal  text form with standard "CRLF" line endings. This also sets
1971              the necessary flags to inform the recipient that  the  encrypted
1972              or  signed  data is text and may need its line endings converted
1973              back to whatever the local system uses. This  option  is  useful
1974              when  communicating  between  two  platforms that have different
1975              line ending conventions (UNIX-like to Mac, Mac to Windows, etc).
1976              --no-textmode disables this option, and is the default.
1977
1978              If  -t  (but  not --textmode) is used together with armoring and
1979              signing, this  enables  clearsigned  messages.  This  kludge  is
1980              needed for command-line compatibility with command-line versions
1981              of PGP; normally you would use --sign or --clearsign  to  select
1982              the type of the signature.
1983
1984
1985       --force-v3-sigs
1986
1987       --no-force-v3-sigs
1988              OpenPGP  states that an implementation should generate v4 signa‐
1989              tures but PGP versions 5 through 7 only recognize v4  signatures
1990              on key material. This option forces v3 signatures for signatures
1991              on data.  Note that this option implies --no-ask-sig-expire, and
1992              unsets  --sig-policy-url,  --sig-notation,  and --sig-keyserver-
1993              url, as these features cannot be used with v3 signatures.  --no-
1994              force-v3-sigs disables this option.  Defaults to no.
1995
1996
1997       --force-v4-certs
1998
1999       --no-force-v4-certs
2000              Always  use  v4 key signatures even on v3 keys. This option also
2001              changes the default hash algorithm for v3 RSA keys from  MD5  to
2002              SHA-1.  --no-force-v4-certs disables this option.
2003
2004
2005       --force-mdc
2006              Force  the use of encryption with a modification detection code.
2007              This is always used with the newer ciphers (those with a  block‐
2008              size  greater  than  64  bits),  or if all of the recipient keys
2009              indicate MDC support in their feature flags.
2010
2011
2012       --disable-mdc
2013              Disable the use of the modification detection code. Note that by
2014              using this option, the encrypted message becomes vulnerable to a
2015              message modification attack.
2016
2017
2018       --personal-cipher-preferences string
2019              Set the list of personal cipher preferences to string.  Use  gpg
2020              --version to get a list of available algorithms, and use none to
2021              set no preference at all.  This allows the user to safely  over‐
2022              ride  the  algorithm chosen by the recipient key preferences, as
2023              GPG will only select an algorithm that is usable by all  recipi‐
2024              ents.   The  most highly ranked cipher in this list is also used
2025              for the --symmetric encryption command.
2026
2027
2028       --personal-digest-preferences string
2029              Set the list of personal digest preferences to string.  Use  gpg
2030              --version to get a list of available algorithms, and use none to
2031              set no preference at all.  This allows the user to safely  over‐
2032              ride  the  algorithm chosen by the recipient key preferences, as
2033              GPG will only select an algorithm that is usable by all  recipi‐
2034              ents.   The  most highly ranked digest algorithm in this list is
2035              also used when signing without encryption (e.g.  --clearsign  or
2036              --sign). The default value is SHA-1.
2037
2038
2039       --personal-compress-preferences string
2040              Set the list of personal compression preferences to string.  Use
2041              gpg --version to get a list of  available  algorithms,  and  use
2042              none  to  set  no  preference  at  all.  This allows the user to
2043              safely override the algorithm chosen by the recipient key  pref‐
2044              erences,  as GPG will only select an algorithm that is usable by
2045              all recipients.  The most highly ranked compression algorithm in
2046              this  list is also used when there are no recipient keys to con‐
2047              sider (e.g. --symmetric).
2048
2049
2050       --s2k-cipher-algo name
2051              Use name as the cipher algorithm used to  protect  secret  keys.
2052              The  default  cipher is CAST5. This cipher is also used for con‐
2053              ventional  encryption   if   --personal-cipher-preferences   and
2054              --cipher-algo is not given.
2055
2056
2057       --s2k-digest-algo name
2058              Use name as the digest algorithm used to mangle the passphrases.
2059              The default algorithm is SHA-1.
2060
2061
2062       --s2k-mode n
2063              Selects  how  passphrases  are  mangled.  If  n  is  0  a  plain
2064              passphrase  (which  is not recommended) will be used, a 1 adds a
2065              salt to the passphrase and a 3 (the default) iterates the  whole
2066              process  a  number of times (see --s2k-count).  Unless --rfc1991
2067              is used, this mode is also used for conventional encryption.
2068
2069
2070       --s2k-count n
2071              Specify how many times  the  passphrase  mangling  is  repeated.
2072              This  value  may  range between 1024 and 65011712 inclusive, and
2073              the  default  is  65536.   Note  that  not  all  values  in  the
2074              1024-65011712  range  are  legal  and  if  an  illegal  value is
2075              selected, GnuPG will round up to the nearest legal value.   This
2076              option is only meaningful if --s2k-mode is 3.
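       The "legal values" are a consequence of how OpenPGP stores the count:
       RFC 4880 section 3.7.1.3 encodes it in a single octet c that expands
       to (16 + (c & 15)) << ((c >> 4) + 6), so only 256 counts between  1024
       (c  = 0x00) and 65011712 (c = 0xFF) are representable. The following
       Python, an added example rather than GnuPG source, performs that  en‐
       coding  and  the  round-up described above; the function names are this
       example's own.

```python
# Legal OpenPGP S2K iteration counts and how an arbitrary --s2k-count value
# is rounded up to one of them.  Added illustration, not GnuPG source code.
# Encoding per RFC 4880 section 3.7.1.3: the count is stored as one octet c
# and expands to (16 + (c & 15)) << ((c >> 4) + 6).

S2K_MIN = 1024        # decoded value of c = 0x00
S2K_MAX = 65011712    # decoded value of c = 0xFF


def s2k_decode(c: int) -> int:
    """Expand the one-octet encoded count c (0..255) to the iteration count."""
    if not 0 <= c <= 255:
        raise ValueError("encoded S2K count must fit in one octet")
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_encode(n: int) -> int:
    """Return the smallest octet whose decoded count is >= n (round up).

    n must lie in the 1024..65011712 range the manual gives for --s2k-count.
    The decoded count grows monotonically with c (the mantissa 16..31 never
    reaches 32, the next power of two), so scanning the 256 octets in order
    is both simple and obviously correct.
    """
    if not S2K_MIN <= n <= S2K_MAX:
        raise ValueError(f"--s2k-count must be between {S2K_MIN} and {S2K_MAX}")
    for c in range(256):
        if s2k_decode(c) >= n:
            return c
    raise AssertionError("unreachable: S2K_MAX itself is representable")


def legal_s2k_count(n: int) -> int:
    """The count actually used for --s2k-count n after rounding up."""
    return s2k_decode(s2k_encode(n))


def all_legal_counts() -> list:
    """All 256 representable counts, ascending."""
    return [s2k_decode(c) for c in range(256)]


if __name__ == "__main__":
    for requested in (1024, 1025, 65536, 100000, 65011712):
        print(f"s2k-count {requested:>9} -> {legal_s2k_count(requested)}")
```

       For  example  a  configured  s2k-count  of 100000 is rounded up to
       102400, and the default 65536 is exactly representable (c = 96).  The
       spacing between legal values grows with the count, so at the top of the
       range the round-up can add several million iterations.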
2077
2078
2079
2080
2081
2082   Compliance options
2083
2084
2085       These  options  control  what  GnuPG is compliant to. Only one of these
2086       options may be active at a time. Note that the default setting of  this
2087       is  nearly  always the correct one. See the INTEROPERABILITY WITH OTHER
2088       OPENPGP PROGRAMS section below before using one of these options.
2089
2090
2091
2092       --gnupg
2093              Use standard GnuPG behavior. This is essentially OpenPGP  behav‐
2094              ior  (see  --openpgp),  but with some additional workarounds for
2095              common compatibility problems in different versions of PGP. This
2096              is the default option, so it is not generally needed, but it may
2097              be useful to override  a  different  compliance  option  in  the
2098              gpg.conf file.
2099
2100
2101       --openpgp
2102              Reset  all  packet,  cipher and digest options to strict OpenPGP
2103              behavior. Use this option to reset  all  previous  options  like
2104              --s2k-*,  --cipher-algo,  --digest-algo  and  --compress-algo to
2105              OpenPGP compliant values. All PGP workarounds are disabled.
2106
2107
2108       --rfc4880
2109              Reset all packet, cipher and digest options to  strict  RFC-4880
2110              behavior.  Note  that  this  is  currently  the  same  thing  as
2111              --openpgp.
2112
2113
2114       --rfc2440
2115              Reset all packet, cipher and digest options to  strict  RFC-2440
2116              behavior.
2117
2118
2119       --rfc1991
2120              Try to be more RFC-1991 (PGP 2.x) compliant.
2121
2122
2123       --pgp2 Set  up  all options to be as PGP 2.x compliant as possible, and
2124              warn if an action is taken (e.g. encrypting to  a  non-RSA  key)
2125              that will create a message that PGP 2.x will not be able to han‐
2126              dle. Note that `PGP 2.x' here means `MIT PGP 2.6.2'.  There  are
2127              other  versions  of  PGP 2.x available, but the MIT release is a
2128              good common baseline.
2129
2130              This option implies --rfc1991 --disable-mdc  --no-force-v4-certs
2131              --escape-from-lines --force-v3-sigs --cipher-algo IDEA --digest-
2132              algo MD5 --compress-algo ZIP. It also disables  --textmode  when
2133              encrypting.
2134
2135
2136       --pgp6 Set  up  all  options to be as PGP 6 compliant as possible. This
2137              restricts you to  the  ciphers  IDEA  (if  the  IDEA  plugin  is
2138              installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
2139              and the compression algorithms none and ZIP. This also  disables
2140              --throw-keyids,  and  making  signatures with signing subkeys as
2141              PGP 6 does not understand signatures made by signing subkeys.
2142
2143              This option implies --disable-mdc  --escape-from-lines  --force-
2144              v3-sigs.
2145
2146
2147       --pgp7 Set up all options to be as PGP 7 compliant as possible. This is
2148              identical to --pgp6 except that MDCs are not disabled,  and  the
2149              list  of  allowable  ciphers  is expanded to add AES128, AES192,
2150              AES256, and TWOFISH.
2151
2152
2153       --pgp8 Set up all options to be as PGP 8 compliant as possible.  PGP  8
2154              is  a  lot closer to the OpenPGP standard than previous versions
2155              of PGP, so all this  does  is  disable  --throw-keyids  and  set
2156              --escape-from-lines.   All algorithms are allowed except for the
2157              SHA224, SHA384, and SHA512 digests.
2158
2159
2160
2161
2162
2163   Doing things one usually doesn't want to do.
2164
2165
2166
2167
2168       -n
2169
2170       --dry-run
2171              Don't make any changes (this is not completely implemented).
2172
2173
2174       --list-only
2175              Changes the behaviour of some commands. This is  like  --dry-run
2176              but different in some cases. The semantic of this command may be
2177              extended in the future.  Currently  it  only  skips  the  actual
2178              decryption  pass  and  therefore  enables  a fast listing of the
2179              encryption keys.
2180
2181
2182       -i
2183
2184       --interactive
2185              Prompt before overwriting any files.
2186
2187
2188       --debug-level level
2189              Select the debug level for investigating problems. level may  be
2190              a numeric value or a keyword:
2191
2192
2193              none   No  debugging at all.  A value of less than 1 may be used
2194                     instead of the keyword.
2195
2196              basic  Some basic debug messages.  A value between 1 and  2  may
2197                     be used instead of the keyword.
2198
2199              advanced
2200                     More verbose debug messages.  A value between 3 and 5 may
2201                     be used instead of the keyword.
2202
2203              expert Even more detailed messages.  A value between 6 and 8 may
2204                     be used instead of the keyword.
2205
2206              guru   All  of  the  debug messages you can get. A value greater
2207                     than 8 may be used instead of the keyword.  The  creation
2208                     of  hash  tracing files is only enabled if the keyword is
2209                     used.
2210
2211       How these messages are mapped to the  actual  debugging  flags  is  not
2212       specified  and may change with newer releases of this program. They are
2213       however carefully selected to best aid in debugging.
2214
2215
2216       --debug flags
2217              Set debugging flags. All flags are or-ed and flags may be  given
2218              in C syntax (e.g. 0x0042).
2219
2220
2221       --debug-all
2222              Set all useful debugging flags.
2223
2224
2225       --debug-ccid-driver
2226              Enable debug output from the included CCID driver for
2227              smartcards.  Note that this option is only available on some systems.
2228
2229
2230       --faked-system-time epoch
2231              This option is only useful for testing; it sets the system  time
2232              back  or  forth  to epoch which is the number of seconds elapsed
2233              since the year 1970.  Alternatively epoch may be given as a full
2234              ISO time string (e.g. "20070924T154812").
2235
2236
2237       --enable-progress-filter
2238              Enable certain PROGRESS status outputs. This option allows fron‐
2239              tends to display a progress indicator while  gpg  is  processing
2240              larger files.  There is a slight performance overhead using it.
2241
2242
2243       --status-fd n
2244              Write  special status strings to the file descriptor n.  See the
2245              file DETAILS in the documentation for a listing of them.
2246
2247
2248       --status-file file
2249              Same as --status-fd, except the status data is written  to  file
2250              file.
2251
2252
2253       --logger-fd n
2254              Write log output to file descriptor n and not to STDERR.
2255
2256
2257       --log-file file
2258
2259       --logger-file file
2260              Same  as  --logger-fd, except the logger data is written to file
2261              file.  Note that --log-file is only implemented for GnuPG-2.
2262
2263
2264       --attribute-fd n
2265              Write attribute subpackets to the file  descriptor  n.  This  is
2266              most  useful for use with --status-fd, since the status messages
2267              are needed to separate  out  the  various  subpackets  from  the
2268              stream delivered to the file descriptor.
2269
2270
2271       --attribute-file file
2272              Same  as --attribute-fd, except the attribute data is written to
2273              file file.
2274
2275
2276       --comment string
2277
2278       --no-comments
2279              Use string as a comment string  in  clear  text  signatures  and
2280              ASCII armored messages or keys (see --armor). The default behav‐
2281              ior is not to use a comment string. --comment  may  be  repeated
2282              multiple  times  to  get multiple comment strings. --no-comments
2283              removes all comments.  It is a good idea to keep the length of a
2284              single  comment  below 60 characters to avoid problems with mail
2285              programs wrapping such lines.  Note that comment lines, like all
2286              other header lines, are not protected by the signature.
2287
2288
2289       --emit-version
2290
2291       --no-emit-version
2292              Force  inclusion  of the version string in ASCII armored output.
2293              --no-emit-version disables this option.
2294
2295
2296       --sig-notation name=value
2297
2298       --cert-notation name=value
2299
2300       -N, --set-notation name=value
2301              Put the name value pair into the  signature  as  notation  data.
2302              name  must  consist  only of printable characters or spaces, and
2303              must contain a '@' character in  the  form  keyname@domain.exam‐
2304              ple.com  (substituting  the appropriate keyname and domain name,
2305              of course).  This is to  help  prevent  pollution  of  the  IETF
2306              reserved notation namespace. The --expert flag overrides the '@'
2307              check. value may be any printable string; it will be encoded  in
2308              UTF8,  so  you  should  check that your --display-charset is set
2309              correctly. If you prefix name with an exclamation mark (!),  the
2310              notation  data  will  be flagged as critical (rfc2440:5.2.3.15).
2311              --sig-notation sets a notation for data signatures. --cert-nota‐
2312              tion sets a notation for key signatures (certifications). --set-
2313              notation sets both.
2314
2315              There are special codes that may be used in notation names. "%k"
2316              will  be  expanded into the key ID of the key being signed, "%K"
2317              into the long key ID of the key being signed, "%f" into the fin‐
2318              gerprint  of  the  key being signed, "%s" into the key ID of the
2319              key making the signature, "%S" into the long key ID of  the  key
2320              making  the signature, "%g" into the fingerprint of the key mak‐
2321              ing the signature (which might be a subkey), "%p" into the  fin‐
2322              gerprint  of  the  primary  key of the key making the signature,
2323              "%c" into the signature count from the  OpenPGP  smartcard,  and
2324              "%%" results in a single "%". %k, %K, and %f are only meaningful
2325              when making a key signature  (certification),  and  %c  is  only
2326              meaningful when using the OpenPGP smartcard.
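Added example (not gpg's own code): building and parsing the notation data subpacket described above, including the "!" critical flag, the "@" name check that --expert overrides, and the %-expandos. The key IDs in EXAMPLE_CONTEXT are constructed, and leaving an unknown expando untouched is an assumption of this example.

```python
from __future__ import annotations

NOTATION_SUBPACKET = 20            # RFC 4880 section 5.2.3.16 (rfc2440:5.2.3.15)
CRITICAL_BIT = 0x80                # high bit of the subpacket type octet
HUMAN_READABLE = 0x80000000        # notation flag: the value is UTF-8 text

# Constructed stand-in for the keys involved in a signature; gpg fills these
# from the signing key and the key being certified.
EXAMPLE_CONTEXT = {
    "k": "ABCDEF01",                  # key ID of the key being signed
    "K": "0123456789ABCDEF",          # long key ID of the key being signed
    "s": "89ABCDEF",                  # key ID of the key making the signature
    "f": "0123456789ABCDEF" * 2 + "01234567",   # fingerprint of the signed key
}


def expand(text: str, ctx: dict[str, str]) -> str:
    """Apply the %-expandos; "%%" yields "%". An unknown code is left as-is
    (an assumption of this example, not necessarily gpg's behaviour)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 1 < len(text):
            code = text[i + 1]
            out.append("%" if code == "%" else ctx.get(code, "%" + code))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def check_notation_name(name: str, expert: bool = False) -> None:
    """Printable characters or spaces only, and an '@' separating a key name
    from a domain unless --expert is given (the rules quoted above)."""
    if not name or not all(ch.isprintable() for ch in name):
        raise ValueError("notation name must consist of printable characters")
    if expert:
        return
    user, at, domain = name.partition("@")
    if not at or not user or not domain:
        raise ValueError("notation name must look like keyname@domain.example.com")


def subpacket_header(body_len: int, ptype: int, critical: bool) -> bytes:
    """RFC 4880 section 5.2.3.1 length encoding followed by the type octet."""
    n = body_len + 1                              # the length covers the type octet
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return length + bytes([ptype | (CRITICAL_BIT if critical else 0)])


def build_notation(option: str, ctx: dict[str, str] | None = None,
                   expert: bool = False) -> bytes:
    """Turn a --sig-notation/--cert-notation argument into the subpacket bytes."""
    name, sep, value = option.partition("=")
    if not sep:
        raise ValueError("expected name=value")
    critical = name.startswith("!")
    if critical:
        name = name[1:]
    check_notation_name(name, expert)
    name_b = name.encode("utf-8")
    value_b = expand(value, ctx or {}).encode("utf-8")   # values are stored as UTF-8
    body = (HUMAN_READABLE.to_bytes(4, "big")
            + len(name_b).to_bytes(2, "big") + len(value_b).to_bytes(2, "big")
            + name_b + value_b)
    return subpacket_header(len(body), NOTATION_SUBPACKET, critical) + body


def parse_notation(packet: bytes) -> tuple[bool, str, str]:
    """Inverse of build_notation: returns (critical, name, value)."""
    first = packet[0]
    if first < 192:
        n, pos = first, 1
    elif first < 255:
        n, pos = ((first - 192) << 8) + packet[1] + 192, 2
    else:
        n, pos = int.from_bytes(packet[1:5], "big"), 5
    ptype = packet[pos]
    if ptype & ~CRITICAL_BIT != NOTATION_SUBPACKET:
        raise ValueError("not a notation data subpacket")
    body = packet[pos + 1:pos + n]
    name_len = int.from_bytes(body[4:6], "big")
    value_len = int.from_bytes(body[6:8], "big")
    name = body[8:8 + name_len].decode("utf-8")
    value = body[8 + name_len:8 + name_len + value_len].decode("utf-8")
    return bool(ptype & CRITICAL_BIT), name, value
```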
2327
2328
2329       --sig-policy-url string
2330
2331       --cert-policy-url string
2332
2333       --set-policy-url string
2334              Use  string  as  a Policy URL for signatures (rfc2440:5.2.3.19).
2335              If you prefix it with an exclamation mark (!),  the  policy  URL
2336              packet will be flagged as critical. --sig-policy-url sets a pol‐
2337              icy url for data signatures. --cert-policy-url sets a policy url
2338              for key signatures (certifications). --set-policy-url sets both.
2339
2340              The same %-expandos used for notation data are available here as
2341              well.
2342
2343
2344       --sig-keyserver-url string
2345              Use string as a preferred keyserver URL for data signatures.  If
2346              you  prefix  it  with an exclamation mark (!), the keyserver URL
2347              packet will be flagged as critical.
2348
2349              The same %-expandos used for notation data are available here as
2350              well.
2351
2352
2353       --set-filename string
2354              Use  string  as  the  filename  which is stored inside messages.
2355              This overrides the default, which is to use the actual  filename
2356              of the file being encrypted.
2357
2358
2359       --for-your-eyes-only
2360
2361       --no-for-your-eyes-only
2362              Set  the  `for  your eyes only' flag in the message. This causes
2363              GnuPG to refuse to save the file unless the --output  option  is
2364              given,  and PGP to use a "secure viewer" with a claimed Tempest-
2365              resistant font to display the  message.  This  option  overrides
2366              --set-filename.  --no-for-your-eyes-only disables this option.
2367
2368
2369       --use-embedded-filename
2370
2371       --no-use-embedded-filename
2372              Try  to  create a file with a name as embedded in the data. This
2373              can be a dangerous option as it allows existing files to be
2374              overwritten.  Defaults to no.
2375
2376
2377       --cipher-algo name
2378              Use  name as cipher algorithm. Running the program with the com‐
2379              mand --version yields a list of supported algorithms. If this is
2380              not  used  the cipher algorithm is selected from the preferences
2381              stored with the key. In general, you do not  want  to  use  this
2382              option as it allows you to violate the OpenPGP standard.  --per‐
2383              sonal-cipher-preferences is the safe way to accomplish the  same
2384              thing.
2385
2386
2387       --digest-algo name
2388              Use  name  as  the message digest algorithm. Running the program
2389              with the command --version yields  a  list  of  supported  algo‐
2390              rithms.  In  general,  you  do not want to use this option as it
2391              allows you to violate the OpenPGP  standard.  --personal-digest-
2392              preferences is the safe way to accomplish the same thing.
2393
2394
2395       --compress-algo name
2396              Use compression algorithm name. "zlib" is RFC-1950 ZLIB compres‐
2397              sion. "zip" is RFC-1951 ZIP compression which is  used  by  PGP.
2398              "bzip2"  is  a  more modern compression scheme that can compress
2399              some things better than zip or zlib, but at  the  cost  of  more
2400              memory used during compression and decompression. "uncompressed"
2401              or "none" disables compression. If this option is not used,  the
2402              default  behavior is to examine the recipient key preferences to
2403              see which algorithms the recipient supports. If all else  fails,
2404              ZIP is used for maximum compatibility.
2405
2406              ZLIB  may  give better compression results than ZIP, as the com‐
2407              pression window size is not limited to 8k. BZIP2 may  give  even
2408              better  compression  results  than that, but will use a signifi‐
2409              cantly larger amount of memory while compressing and decompress‐
2410              ing.  This  may  be  significant in low memory situations. Note,
2411              however, that PGP (all versions) only supports ZIP  compression.
2412              Using  any algorithm other than ZIP or "none" will make the mes‐
2413              sage unreadable with PGP. In general, you do  not  want  to  use
2414              this  option  as  it allows you to violate the OpenPGP standard.
2415              --personal-compress-preferences is the safe  way  to  accomplish
2416              the same thing.
2417
2418
2419       --cert-digest-algo name
2420              Use  name  as  the  message digest algorithm used when signing a
2421              key. Running the program with the  command  --version  yields  a
2422              list  of  supported  algorithms.  Be aware that if you choose an
2423              algorithm that GnuPG supports but other OpenPGP  implementations
2424              do  not,  then some users will not be able to use the key signa‐
2425              tures you make, or quite possibly your entire key.
2426
2427
2428       --disable-cipher-algo name
2429              Never allow the use of name as cipher algorithm.  The given name
2430              will  not be checked so that a later loaded algorithm will still
2431              get disabled.
2432
2433
2434       --disable-pubkey-algo name
2435              Never allow the use of name as public key algorithm.  The  given
2436              name  will  not be checked so that a later loaded algorithm will
2437              still get disabled.
2438
2439
2440       --throw-keyids
2441
2442       --no-throw-keyids
2443              Do not put the recipient key IDs into encrypted  messages.  This
2444              helps  to  hide  the  receivers  of the message and is a limited
2445              countermeasure against traffic analysis. ([Using a little social
2446              engineering  anyone who is able to decrypt the message can check
2447              whether one of the other recipients is the  one  he  suspects.])
2448              On  the  receiving side, it may slow down the decryption process
2449              because all available secret keys must  be  tried.   --no-throw-
2450              keyids disables this option. This option is essentially the same
2451              as using --hidden-recipient for all recipients.
2452
2453
2454       --not-dash-escaped
2455              This option changes the behavior of cleartext signatures so that
2456              they  can  be  used for patch files. You should not send such an
2457              armored file via email because all spaces and line  endings  are
2458              hashed too.  You cannot use this option for data which has 5
2459              dashes at the beginning of a line; patch files don't have this.
2460              A  special  armor  header  line tells GnuPG about this cleartext
2461              signature option.
2462
2463
2464       --escape-from-lines
2465
2466       --no-escape-from-lines
2467              Because some mailers change  lines  starting  with  "From  "  to
2468              ">From  "  it is good to handle such lines in a special way when
2469              creating cleartext signatures to prevent the  mail  system  from
2470              breaking  the  signature. Note that all other PGP versions do it
2471              this way too.  Enabled by default.  --no-escape-from-lines  dis‐
2472              ables this option.
2473
2474
2475       --passphrase-repeat n
2476              Specify  how  many  times  gpg  will request a new passphrase be
2477              repeated.  This is useful for  helping  memorize  a  passphrase.
2478              Defaults to 1 repetition.
2479
2480
2481       --passphrase-fd n
2482              Read  the passphrase from file descriptor n. Only the first line
2483              will be read from file descriptor n. If you use  0  for  n,  the
2484              passphrase  will  be  read  from STDIN. This can only be used if
2485              only one passphrase is supplied.
2486
2487
2488       --passphrase-file file
2489              Read the passphrase from file file. Only the first line will  be
2490              read  from  file  file.  This  can  only  be  used  if  only one
2491              passphrase is supplied. Obviously, a passphrase stored in a file
2492              is  of  questionable security if other users can read this file.
2493              Don't use this option if you can avoid it.
2494
2495
2496       --passphrase string
2497              Use string as the passphrase. This can only be used if only  one
2498              passphrase  is supplied. Obviously, this is of very questionable
2499              security on a multi-user system. Don't use this  option  if  you
2500              can avoid it.
2501
2502
2503       --command-fd n
2504              This is a replacement for the deprecated shared-memory IPC mode.
2505              If this option is  enabled,  user  input  on  questions  is  not
2506              expected  from  the  TTY  but from the given file descriptor. It
2507              should  be  used  together  with  --status-fd.  See   the   file
2508              doc/DETAILS in the source distribution for details on how to use
2509              it.
2510
2511
2512       --command-file file
2513              Same as --command-fd, except the commands are read out  of  file
2514              file.
2515
2516
2517       --allow-non-selfsigned-uid
2518
2519       --no-allow-non-selfsigned-uid
2520              Allow  the  import  and  use of keys with user IDs which are not
2521              self-signed. This is not recommended, as a non self-signed  user
2522              ID is trivial to forge. --no-allow-non-selfsigned-uid disables.
2523
2524
2525       --allow-freeform-uid
2526              Disable all checks on the form of the user ID while generating a
2527              new one. This option should only be used in very  special  envi‐
2528              ronments  as  it does not ensure the de-facto standard format of
2529              user IDs.
2530
2531
2532       --ignore-time-conflict
2533              GnuPG normally checks that the timestamps associated  with  keys
2534              and  signatures have plausible values. However, sometimes a sig‐
2535              nature seems to be older than the key  due  to  clock  problems.
2536              This  option  makes  these  checks  just  a  warning.  See  also
2537              --ignore-valid-from for timestamp issues on subkeys.
2538
2539
2540       --ignore-valid-from
2541              GnuPG normally does not select and use subkeys  created  in  the
2542              future.   This  option  allows  the  use  of  such keys and thus
2543              exhibits the pre-1.0.7 behaviour. You should not use this option
2544              unless there is some clock problem.  See also
2545              --ignore-time-conflict for timestamp issues with signatures.
2546
2547
2548       --ignore-crc-error
2549              The ASCII armor used by OpenPGP is protected by a  CRC  checksum
2550              against  transmission  errors. Occasionally the CRC gets mangled
2551              somewhere on the transmission channel  but  the  actual  content
2552              (which  is  protected  by  the OpenPGP protocol anyway) is still
2553              okay. This option allows GnuPG to ignore CRC errors.
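Added example, not GnuPG code: the RFC 4880 CRC-24 over the decoded armor body, with a decoder whose ignore_crc_error flag mirrors --ignore-crc-error, and which hands back the Comment:/Version: header lines separately because, as noted under --comment, they are not covered by the signature. The sample message is constructed, and a missing or undecodable "=XXXX" trailer is treated as a mismatch (an assumption of this example).

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import NamedTuple

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


class CrcError(ValueError):
    """Raised when the armor's =XXXX line does not match the decoded data."""


class Armored(NamedTuple):
    kind: str                       # e.g. "MESSAGE" or "SIGNATURE"
    headers: list[tuple[str, str]]  # Comment:/Version: lines, not signed
    data: bytes                     # the binary OpenPGP packets
    crc_ok: bool


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, bit-serial like the RFC's C code."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "MESSAGE", comments: tuple[str, ...] = ()) -> str:
    """Produce a radix-64 block with a CRC trailer and optional Comment: lines."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN PGP {kind}-----"]
    lines += [f"Comment: {c}" for c in comments]
    lines.append("")                                   # blank line ends the headers
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)
    lines.append(f"-----END PGP {kind}-----")
    return "\n".join(lines) + "\n"


def _crc_from_trailer(trailer: str | None) -> int | None:
    """Decode the 4 radix-64 characters after '='; None if absent or damaged."""
    if trailer is None or len(trailer) != 4:
        return None
    try:
        return int.from_bytes(base64.b64decode(trailer, validate=True), "big")
    except (binascii.Error, ValueError):
        return None


def dearmor(text: str, ignore_crc_error: bool = False) -> Armored:
    """Decode an armored block, enforcing the CRC unless ignore_crc_error is
    set (the behaviour of --ignore-crc-error)."""
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0].strip())
    if not m or not lines[-1].strip().startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored block")
    kind, body = m.group(1), lines[1:-1]
    headers: list[tuple[str, str]] = []
    while body and ": " in body[0]:                    # "Key: value" header lines
        key, _, val = body.pop(0).partition(": ")
        headers.append((key, val))
    if body and not body[0].strip():
        body.pop(0)                                    # the blank separator line
    b64_parts, trailer = [], None
    for ln in body:
        ln = ln.strip()
        if ln.startswith("="):                         # radix-64 data never starts with '='
            trailer = ln[1:]
        elif ln:
            b64_parts.append(ln)
    data = base64.b64decode("".join(b64_parts), validate=True)
    crc_ok = _crc_from_trailer(trailer) == crc24(data)
    if not crc_ok and not ignore_crc_error:
        raise CrcError("CRC mismatch: armor damaged in transit (or tampered with)")
    return Armored(kind, headers, data, crc_ok)
```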
2554
2555
2556       --ignore-mdc-error
2557              This option changes a MDC integrity protection  failure  into  a
2558              warning.   This can be useful if a message is partially corrupt,
2559              but it is necessary to get as much data as possible out  of  the
2560              corrupt  message.  However, be aware that a MDC protection fail‐
2561              ure may also mean that the message was tampered with  intention‐
2562              ally by an attacker.
2563
2564
2565       --no-default-keyring
2566              Do  not  add  the default keyrings to the list of keyrings. Note
2567              that GnuPG will not operate without any keyrings, so if you  use
2568              this  option and do not provide alternate keyrings via --keyring
2569              or --secret-keyring, then GnuPG will still use the default  pub‐
2570              lic or secret keyrings.
2571
2572
2573       --skip-verify
2574              Skip  the  signature verification step. This may be used to make
2575              the decryption faster  if  the  signature  verification  is  not
2576              needed.
2577
2578
2579       --with-key-data
2580              Print  key listings delimited by colons (like --with-colons) and
2581              print the public key data.
2582
2583
2584       --fast-list-mode
2585              Changes the output of the list commands to work faster; this  is
2586              achieved  by  leaving  some parts empty. Some applications don't
2587              need the user ID and the trust information given in the
2588              listings.  By using this option they can get a faster listing.
2589              The exact behaviour of this option may change in future versions.
2590              If you are missing some information, don't use this option.
2591
2592
2593       --no-literal
2594              This  is  not  for normal use. Use the source to see for what it
2595              might be useful.
2596
2597
2598       --set-filesize
2599              This is not for normal use. Use the source to see  for  what  it
2600              might be useful.
2601
2602
2603       --show-session-key
2604              Display  the  session  key used for one message. See --override-
2605              session-key for the counterpart of this option.
2606
2607              We think that Key Escrow is a Bad Thing; however the user should
2608              have  the freedom to decide whether to go to prison or to reveal
2609              the content of one specific  message  without  compromising  all
2610              messages  ever encrypted for one secret key. DON'T USE IT UNLESS
2611              YOU ARE REALLY FORCED TO DO SO.
2612
2613
2614       --override-session-key string
2615              Don't use the public key but the session key string. The  format
2616              of this string is the same as the one printed by --show-session-
2617              key. This option is normally not used but comes  handy  in  case
2618              someone  forces  you  to reveal the content of an encrypted mes‐
2619              sage; using this option you can do this without handing out  the
2620              secret key.
2621
2622
2623       --ask-sig-expire
2624
2625       --no-ask-sig-expire
2626              When  making a data signature, prompt for an expiration time. If
2627              this option is  not  specified,  the  expiration  time  set  via
2628              --default-sig-expire  is used. --no-ask-sig-expire disables this
2629              option.
2630
2631
2632       --default-sig-expire
2633              The default expiration time to  use  for  signature  expiration.
2634              Valid values are "0" for no expiration, a number followed by the
2635              letter d (for days), w (for weeks), m (for months),  or  y  (for
2636              years)  (for  example  "2m"  for  two  months,  or "5y" for five
2637              years), or an absolute date in the form YYYY-MM-DD. Defaults  to
2638              "0".
2639
2640
2641       --ask-cert-expire
2642
2643       --no-ask-cert-expire
2644              When  making  a key signature, prompt for an expiration time. If
2645              this option is  not  specified,  the  expiration  time  set  via
2646              --default-cert-expire  is  used.  --no-ask-cert-expire  disables
2647              this option.
2648
2649
2650       --default-cert-expire
2651              The default expiration time to use for key signature expiration.
2652              Valid values are "0" for no expiration, a number followed by the
2653              letter d (for days), w (for weeks), m (for months),  or  y  (for
2654              years)  (for  example  "2m"  for  two  months,  or "5y" for five
2655              years), or an absolute date in the form YYYY-MM-DD. Defaults  to
2656              "0".
2657
2658
2659       --allow-secret-key-import
2660              This is an obsolete option and is not used anywhere.
2661
2662
2663       --allow-multiple-messages
2664
2665       --no-allow-multiple-messages
2666              Allow  processing  of  multiple  OpenPGP messages contained in a
2667              single file or stream.  Some programs that call GPG are not pre‐
2668              pared  to  deal with multiple messages being processed together,
2669              so this option defaults to no.  Note that versions of GPG  prior
2670              to 1.4.7 always allowed multiple messages.
2671
2672              Warning:  Do  not use this option unless you need it as a tempo‐
2673              rary workaround!
2674
2675
2676
2677       --enable-special-filenames
2678              This option enables a mode  in  which  filenames  of  the  form
2679              `-&n',  where  n  is a non-negative decimal number, refer to the
2680              file descriptor n and not to a file with that name.
2681
2682
2683       --no-expensive-trust-checks
2684              Experimental use only.
2685
2686
2687       --preserve-permissions
2688              Don't change the permissions of a secret keyring  back  to  user
2689              read/write  only.  Use  this option only if you really know what
2690              you are doing.
2691
2692
2693       --default-preference-list string
2694              Set the list of default preferences to string.  This  preference
2695              list  is used for new keys and becomes the default for "setpref"
2696              in the edit menu.
2697
2698
2699       --default-keyserver-url name
2700              Set the default keyserver URL to name. This  keyserver  will  be
2701              used as the keyserver URL when writing a new self-signature on a
2702              key, which includes key generation and changing preferences.
2703
2704
2705       --list-config
2706              Display various internal configuration parameters of GnuPG. This
2707              option is intended for external programs that call GnuPG to per‐
2708              form tasks, and is thus  not  generally  useful.  See  the  file
2709              `doc/DETAILS'  in  the  source  distribution  for the details of
2710              which configuration items may be listed. --list-config  is  only
2711              usable with --with-colons set.
2712
2713
2714       --gpgconf-list
2715              This  command  is  similar  to --list-config but in general only
2716              internally used by the gpgconf tool.
2717
2718
2719       --gpgconf-test
2720              This is more or less a dummy action.  However it parses the
2721              configuration file and returns with failure if the configuration
2722              file would prevent gpg from startup.  Thus it may be used to run
2723              a syntax check on the configuration file.
2724
2725
2726
2727
2728   Deprecated options
2729
2730
2731
2732
2733       --load-extension name
2734              Load an extension module. If name does not contain a slash it is
2735              searched for in the directory configured when  GnuPG  was  built
2736              (generally "/usr/local/lib/gnupg"). Extensions are not generally
2737              useful anymore, and the use of this option is deprecated.
2738
2739
2740       --show-photos
2741
2742       --no-show-photos
2743              Causes  --list-keys,  --list-sigs,  --list-public-keys,  --list-
2744              secret-keys, and verifying a signature to also display the photo
2745              ID attached to the key, if any. See also  --photo-viewer.  These
2746              options  are  deprecated.  Use  --list-options  [no-]show-photos
2747              and/or --verify-options [no-]show-photos instead.
2748
2749
2750       --show-keyring
2751              Display the keyring name at the head of  key  listings  to  show
2752              which keyring a given key resides on. This option is deprecated:
2753              use --list-options [no-]show-keyring instead.
2754
2755
2756       --ctapi-driver file
2757              Use file to access the smartcard reader. The current default  is
2758              `libtowitoko.so'.  Note that the use of this interface is depre‐
2759              cated; it may be removed in future releases.
2760
2761
2762       --always-trust
2763              Identical to --trust-model always. This option is deprecated.
2764
2765
2766       --show-notation
2767
2768       --no-show-notation
2769              Show signature notations  in  the  --list-sigs  or  --check-sigs
2770              listings  as  well as when verifying a signature with a notation
2771              in  it.  These  options  are  deprecated.   Use   --list-options
2772              [no-]show-notation  and/or  --verify-options  [no-]show-notation
2773              instead.
2774
2775
2776       --show-policy-url
2777
2778       --no-show-policy-url
2779              Show policy URLs in the --list-sigs or --check-sigs listings  as
2780              well  as  when  verifying  a  signature with a policy URL in it.
2781              These options are deprecated. Use --list-options  [no-]show-pol‐
2782              icy-url and/or --verify-options [no-]show-policy-url instead.
2783
2784
2785
2786
2787
2788

EXAMPLES

2790       gpg -se -r Bob file
2791              sign and encrypt for user Bob
2792
2793
2794       gpg --clearsign file
2795              make a clear text signature
2796
2797
2798       gpg -sb file
2799              make a detached signature
2800
2801
2802       gpg -u 0x12345678 -sb file
2803              make a detached signature with the key 0x12345678
2804
2805
2806       gpg --list-keys user_ID
2807              show keys
2808
2809
2810       gpg --fingerprint user_ID
2811              show fingerprint
2812
2813
2814       gpg --verify pgpfile
2815
2816       gpg --verify sigfile [datafile]
2817              Verify the signature of the file but do not output the data. The
2818              second form is used for detached signatures, where sigfile is the
2819              detached signature (either ASCII armored or binary) and the
2820              optional datafile is the file holding the signed data; if it is
2821              not given, that name is constructed by cutting off the extension
2822              (".asc" or ".sig") of sigfile or by asking the user for the
2823              filename.
2824
2825
2826
2827

HOW TO SPECIFY A USER ID

2829       There  are  different ways to specify a user ID to GnuPG.  Some of them
2830       are only valid for gpg others are only good for  gpgsm.   Here  is  the
2831       entire list of ways to specify a key:
2832
2833
2834
2835       By key Id.
2836              This format is deduced from the length of the string and its
2837              content or 0x prefix. The key Id of an X.509 certificate is the
2838              low 64 bits of its SHA-1 fingerprint. The use of key Ids is
2839              just a shortcut; for all automated processing the fingerprint
2840              should be used.
2841
2842              When  using gpg an exclamation mark (!) may be appended to force
2843              using the specified primary or secondary key and not to try  and
2844              calculate which primary or secondary key to use.
2845
2846              The last four lines of the example give key IDs in the long
2847              form used internally by the OpenPGP protocol. You can see the
2848              long key ID using the option --with-colons.
2849
2850         234567C4
2851         0F34E556E
2852         01347A56A
2853         0xAB123456
2854
2855         234AABBCC34567C4
2856         0F323456784E56EAB
2857         01AB3FED1347A5612
2858         0x234AABBCC34567C4
2859
2860
2861
2862
2863       By fingerprint.
2864              This format is deduced from the length of the string and its
2865              content or the 0x prefix. Note that only the 20-byte fingerprint
2866              (i.e. the SHA-1 hash of the certificate) is available with
2867              gpgsm.
2868
2869              When using gpg an exclamation mark (!) may be appended to  force
2870              using  the specified primary or secondary key and not to try and
2871              calculate which primary or secondary key to use.
2872
2873              The best way to specify a key is by using the fingerprint.
2874              This avoids any ambiguity in case there are duplicated key
2875              IDs.
2876
2877         1234343434343434C434343434343434
2878         123434343434343C3434343434343734349A3434
2879         0E12343434343434343434EAB3484343434343434
2880         0xE12343434343434343434EAB3484343434343434
2881
2882
2883       (gpgsm also accepts colons between  each  pair  of  hexadecimal  digits
2884       because  this  is the de-facto standard on how to present X.509 finger‐
2885       prints.)
2886
2887
2888       By exact match on OpenPGP user ID.
2889              This is denoted by a leading equal sign. It does not make  sense
2890              for X.509 certificates.
2891
2892         =Heinrich Heine <heinrichh@uni-duesseldorf.de>
2893
2894
2895       By exact match on an email address.
2896              This  is  indicated  by enclosing the email address in the usual
2897              way with left and right angles.
2898
2899         <heinrichh@uni-duesseldorf.de>
2900
2901
2902
2903       By word match.
2904              All words must match exactly (not case sensitive) but can appear
2905              in  any  order in the user ID or a subjects name.  Words are any
2906              sequences of letters, digits, the underscore and all  characters
2907              with bit 7 set.
2908
2909         +Heinrich Heine duesseldorf
2910
2911
2912       By exact match on the subject's DN.
2913              This is indicated by a leading slash, directly followed by the
2914              RFC-2253 encoded DN of the subject. Note that you can't use the
2915              string printed by "gpgsm --list-keys" because that one has been
2916              reordered and modified for better readability; use --with-colons
2917              to print the raw (but standard escaped) RFC-2253 string.
2918
2919         /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
2920
2921
2922       By exact match on the issuer's DN.
2923              This is indicated by a leading hash mark, directly followed by a
2924              slash and then directly followed by the RFC-2253 encoded DN of
2925              the issuer. This should return the Root cert of the issuer.
2926              See note above.
2927
2928         #/CN=Root Cert,O=Poets,L=Paris,C=FR
2929
2930
2931
2932       By exact match on serial number and issuer's DN.
2933              This is indicated by a hash mark, followed  by  the  hexadecimal
2934              representation  of  the  serial number, then followed by a slash
2935              and the RFC-2253 encoded DN of the issuer. See note above.
2936
2937         #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
2938
2939
2940       By keygrip.
2941              This is indicated by an ampersand followed by the 40 hex  digits
2942              of  a  keygrip.  gpgsm prints the keygrip when using the command
2943              --dump-cert.  It does not yet work for OpenPGP keys.
2944
2945         &D75F22C3F86E355877348498CDC92BD21010A480
2946
2947
2948
2949       By substring match.
2950              This is the default mode but applications may want to explicitly
2951              indicate  this  by  putting the asterisk in front.  Match is not
2952              case sensitive.
2953
2954         Heine
2955         *Heine
2956
2957
2958
2959       Please note that the hash mark identifier has been reused: old GnuPG
2960       versions used it to indicate the so-called local-id. That use is gone,
2961       so there should be no conflict with its X.509 meaning.
2962
2963
2964       Using the RFC-2253 format for DNs has the drawback that they cannot be
2965       mapped back to the original encoding; however, this is not needed
2966       because the key database stores the original encoding as metadata.
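       The following Python classifier is an added illustration of the rules
       in this section; it is not GnuPG code and gpg does not use it. It maps a
       specifier string to the search mode gpg would choose, and words_match
       applies the word-match rule. Assumptions: key IDs are 8 or 16 hex digits,
       fingerprints 32 or 40, and a surplus leading 0 is accepted without 0x at
       9, 17 and 41 digits as in the examples (33 is assumed by analogy); \w is
       used to approximate "characters with bit 7 set".

```python
import re
HEX = re.compile(r"^[0-9A-Fa-f]+$")
WORD = re.compile(r"\w+")  # letters, digits, underscore; \w stands in for "bit 7 set"

def classify(spec):
    """Classify a user-ID specifier by this section's rules -> (mode, value, exact)."""
    s = spec.strip()
    if not s:
        raise ValueError("empty specifier")
    head, rest = s[0], s[1:]
    if head == "=":                           # exact OpenPGP user ID
        return ("exact_uid", rest, False)
    if head == "<" and rest.endswith(">"):    # exact e-mail address
        return ("email", rest[:-1], False)
    if head == "+":                           # word match, any order
        return ("words", WORD.findall(rest), False)
    if head == "/":                           # subject DN, RFC-2253 encoded
        return ("subject_dn", rest, False)
    if head == "#":                           # issuer DN, or HEXSERIAL/issuer DN
        if rest.startswith("/"):
            return ("issuer_dn", rest[1:], False)
        serial, sep, dn = rest.partition("/")
        if sep and HEX.match(serial):
            return ("serial_issuer", (serial.upper(), dn), False)
        raise ValueError("'#' needs '/DN' or 'HEXSERIAL/DN'")
    if head == "&":                           # keygrip: exactly 40 hex digits
        if len(rest) == 40 and HEX.match(rest):
            return ("keygrip", rest.upper(), False)
        raise ValueError("keygrip must be 40 hex digits")
    if head == "*":                           # explicit substring match
        return ("substring", rest, False)
    # No marker: hex of a known length is a key ID or fingerprint; a surplus
    # leading 0 is tolerated without 0x (the 9-, 17- and 41-digit examples).
    hexprefix = s[:2].lower() == "0x"
    body = s[2:] if hexprefix else s
    body, exact = (body[:-1], True) if body.endswith("!") else (body, False)  # '!' pins the named key
    if HEX.match(body):
        if not hexprefix and len(body) in (9, 17, 33, 41) and body[0] == "0":
            body = body[1:]
        by_len = {8: "short_keyid", 16: "long_keyid", 32: "fpr16", 40: "fpr20"}
        if len(body) in by_len:
            return (by_len[len(body)], body.upper(), exact)
    if hexprefix:
        raise ValueError("0x must introduce a key ID or fingerprint of valid length")
    return ("substring", s, False)            # the default mode

def words_match(spec_words, user_id):
    """Every specifier word occurs as a whole word of the user ID, any order, case-insensitive."""
    have = {w.lower() for w in WORD.findall(user_id)}
    return all(w.lower() in have for w in spec_words)
```

       Running classify over the examples above shows, for instance, that
       0F34E556E and 0xAB123456 are both short key IDs while Heine falls back
       to substring matching.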
2967
2968
2969
2970
2971

FILES

2973       There are a few configuration files to control certain aspects of gpg's
2974       operation. Unless noted, they are expected in the current  home  direc‐
2975       tory (see: [option --homedir]).
2976
2977
2978
2979       gpg.conf
2980              This is the standard configuration file read by gpg on startup.
2981              It may contain any valid long option; the leading two dashes may
2982              not be entered and the option may not be abbreviated. This
2983              default name may be changed on the command line (see: [option
2984              --options]). You should back up this file.
2985
2986
2987       Note that on larger installations, it is useful to put predefined files
2988       into the directory `/etc/skel/.gnupg/'  so  that  newly  created  users
2989       start up with a working configuration.
2990
2991       For internal purposes gpg creates and maintains a few other files; they
2992       all live in the current home directory (see: [option --homedir]).
2993       Only gpg may modify these files.
2994
2995
2996
2997       ~/.gnupg/secring.gpg
2998              The secret keyring.  You should back up this file.
2999
3000
3001       ~/.gnupg/secring.gpg.lock
3002              The lock file for the secret keyring.
3003
3004
3005       ~/.gnupg/pubring.gpg
3006              The public keyring.  You should back up this file.
3007
3008
3009       ~/.gnupg/pubring.gpg.lock
3010              The lock file for the public keyring.
3011
3012
3013       ~/.gnupg/trustdb.gpg
3014              The trust database.  There is no need to back up this file; it
3015              is better to back up the ownertrust values (see: [option
3016              --export-ownertrust]).
3017
3018
3019       ~/.gnupg/trustdb.gpg.lock
3020              The lock file for the trust database.
3021
3022
3023       ~/.gnupg/random_seed
3024              A file used to preserve the state of the internal random pool.
3025
3026
3027       /usr[/local]/share/gnupg/options.skel
3028              The skeleton options file.
3029
3030
3031       /usr[/local]/lib/gnupg/
3032              Default location for extensions.
3033
3034
3035       Operation is further controlled by a few environment variables:
3036
3037
3038
3039       HOME   Used to locate the default home directory.
3040
3041
3042       GNUPGHOME
3043              If set, this directory is used instead of "~/.gnupg".
3044
3045
3046       GPG_AGENT_INFO
3047              Used to locate the gpg-agent.  This is only honored when --use-
3048              agent is set.  The value consists of 3 colon-delimited fields:
3049              the first is the path to the Unix Domain Socket, the second the
3050              PID of the gpg-agent, and the third the protocol version, which
3051              should be set to 1. When starting the gpg-agent as described in
3052              its documentation, this variable is set to the correct value.
3053              The option --gpg-agent-info can be used to override it.
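       As an added illustration (not GnuPG code), the following Python function
       checks a GPG_AGENT_INFO value against the three-field format described
       above before it is trusted. The sample value is constructed; that the
       socket path must be absolute is an assumption, not a statement of this
       page.

```python
import re

# Constructed sample, not a running agent: socket path, PID and version are
# made up for illustration.
SAMPLE_GPG_AGENT_INFO = "/tmp/gpg-Ab12Cd/S.gpg-agent:12345:1"

def parse_gpg_agent_info(value):
    """Split GPG_AGENT_INFO into (socket_path, pid, protocol_version).

    Enforces the three colon-delimited fields described above and raises
    ValueError on anything else, so a caller can refuse to contact an agent
    named by a malformed variable instead of trusting it."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError("expected 3 colon-delimited fields, got %d" % len(parts))
    path, pid, version = parts
    if not path.startswith("/"):      # assumption: the socket path is absolute
        raise ValueError("socket path must be absolute: %r" % path)
    if not re.fullmatch(r"[1-9][0-9]*", pid):
        raise ValueError("PID must be a positive integer: %r" % pid)
    if version != "1":                # the protocol version should be 1
        raise ValueError("unsupported protocol version: %r" % version)
    return path, int(pid), int(version)
```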
3054
3055
3056       PINENTRY_USER_DATA
3057              This value is passed via gpg-agent to pinentry.  It is useful to
3058              convey extra information to a custom pinentry.
3059
3060
3061       COLUMNS
3062
3063       LINES  Used to size some displays to the full size of the screen.
3064
3065
3066
3067       LANGUAGE
3068              Apart from its use by GNU, it is used  in  the  W32  version  to
3069              override  the  language selection done through the Registry.  If
3070              used and set to a valid and available  language  name  (langid),
3071              the    file    with    the    translation    is    loaded   from
3072              gpgdir/gnupg.nls/langid.mo.  Here gpgdir is the directory out of
3073              which the gpg binary has been loaded.  If it can't be loaded, the
3074              Registry is tried and, as a last resort, the native Windows
3075              locale system is used.
3076
3077
3078
3079
3080

BUGS

3082       On older systems this program should be installed as setuid(root). This
3083       is necessary to lock memory pages. Locking memory  pages  prevents  the
3084       operating   system   from  writing  memory  pages  (which  may  contain
3085       passphrases or other sensitive material) to disk. If you get no warning
3086       message about insecure memory, your operating system supports locking
3087       without being root. The program drops root privileges as soon as locked
3088       memory is allocated.
3089
3090       Note  also  that  some systems (especially laptops) have the ability to
3091       ``suspend to disk'' (also known as ``safe  sleep''  or  ``hibernate'').
3092       This  writes  all  memory to disk before going into a low power or even
3093       powered off mode.  Unless measures are taken in the operating system to
3094       protect  the  saved memory, passphrases or other sensitive material may
3095       be recoverable from it later.
3096
3097       Before you report a bug you should first search the  mailing  list  ar‐
3098       chives  for  similar  problems  and second check whether such a bug has
3099       already been reported to our bug tracker at http://bugs.gnupg.org .
3100
3101

SEE ALSO

3103       gpgv(1)
3104
3105       The full documentation for this tool is maintained as a Texinfo manual.
3106       If  GnuPG and the info program are properly installed at your site, the
3107       command
3108
3109         info gnupg
3110
3111       should give you access to the complete manual including a  menu  struc‐
3112       ture and an index.
3113
3114
3115
3116GnuPG 1.4.11                      2010-10-21                            GPG(1)