GPGSM(1)                      GNU Privacy Guard                      GPGSM(1)

NAME
       gpgsm - CMS encryption and signing tool

SYNOPSIS
       gpgsm [--homedir dir] [--options file] [options] command [args]

DESCRIPTION
       gpgsm is a tool similar to gpg to provide digital encryption and
       signing services on X.509 certificates and the CMS protocol.  It is
       mainly used as a backend for S/MIME mail processing.  gpgsm includes
       a full featured certificate management and complies with all rules
       defined for the German Sphinx project.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

   Commands not specific to the function
       --version
              Print the program version and licensing information.  Note
              that you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --warranty
              Print warranty information.  Note that you cannot abbreviate
              this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

   Commands to select the type of operation
       --encrypt
              Perform an encryption.  The keys the data is encrypted to must
              be set using the option --recipient.

       --decrypt
              Perform a decryption; the type of input is automatically
              determined.  It may either be in binary form or PEM encoded;
              automatic determination of base-64 encoding is not done.

       --sign Create a digital signature.  The key used is either the first
              one found in the keybox or those set with the --local-user
              option.

       --verify
              Check a signature file for validity.  Depending on the
              arguments a detached signature may also be checked.

       --server
              Run in server mode and wait for commands on the stdin.

       --call-dirmngr command [args]
              Behave as a Dirmngr client issuing the request command with
              the optional list of args.  The output of the Dirmngr is
              printed to stdout.  Please note that file names given as
              arguments should have an absolute file name (i.e. commencing
              with /) because they are passed verbatim to the Dirmngr and
              the working directory of the Dirmngr might not be the same as
              the one of this client.  Currently it is not possible to pass
              data via stdin to the Dirmngr.  command should not contain
              spaces.

              This command is required for certain maintenance tasks of the
              dirmngr where a dirmngr must be able to call back to gpgsm.
              See the Dirmngr manual for details.

       --call-protect-tool arguments
              Certain maintenance operations are done by an external program
              called gpg-protect-tool; this is usually not installed in a
              directory listed in the PATH variable.  This command provides
              a simple wrapper to access this tool.  arguments are passed
              verbatim to this command; use '--help' to get a list of
              supported operations.

   How to manage the certificates and keys
       --gen-key
              This command allows the creation of a certificate signing
              request or a self-signed certificate.  It is commonly used
              along with the --output option to save the created CSR or
              certificate into a file.  If used with --batch, a parameter
              file is used to create the CSR or certificate and it is
              further possible to create non-self-signed certificates.

       --list-keys
       -k     List all available certificates stored in the local key
              database.  Note that the displayed data might be reformatted
              for better human readability and illegal characters are
              replaced by safe substitutes.

       --list-secret-keys
       -K     List all available certificates for which a corresponding
              secret key is available.

       --list-external-keys pattern
              List certificates matching pattern using an external server.
              This utilizes the dirmngr service.

       --list-chain
              Same as --list-keys but also prints all keys making up the
              chain.

       --dump-cert
       --dump-keys
              List all available certificates stored in the local key
              database using a format useful mainly for debugging.

       --dump-chain
              Same as --dump-keys but also prints all keys making up the
              chain.

       --dump-secret-keys
              List all available certificates for which a corresponding
              secret key is available, using a format useful mainly for
              debugging.

       --dump-external-keys pattern
              List certificates matching pattern using an external server.
              This utilizes the dirmngr service.  It uses a format useful
              mainly for debugging.

       --keydb-clear-some-cert-flags
              This is a debugging aid to reset certain flags in the key
              database which are used to cache certain certificate states.
              It is especially useful if a bad CRL or a weirdly running OCSP
              responder accidentally revoked a certificate.  There is no
              security issue with this command because gpgsm always makes
              sure that the validity of a certificate is checked right
              before it is used.

       --delete-keys pattern
              Delete the keys matching pattern.  Note that there is no
              command to delete the secret part of the key directly.  In
              case you need to do this, you should run the command gpgsm
              --dump-secret-keys KEYID before you delete the key, copy the
              string of hex digits in the ``keygrip'' line and delete the
              file consisting of these hex digits and the suffix .key from
              the ‘private-keys-v1.d’ directory below your GnuPG home
              directory (usually ‘~/.gnupg’).

       --export [pattern]
              Export all certificates stored in the Keybox or those
              specified by the optional pattern.  These patterns consist of
              a list of user ids (see: [how-to-specify-a-user-id]).  When
              used along with the --armor option a few informational lines
              are prepended before each block.  There is one limitation: as
              there is no commonly agreed upon way to pack more than one
              certificate into an ASN.1 structure, the binary export (i.e.
              without using armor) works only for the export of one
              certificate.  Thus it is required to specify a pattern which
              yields exactly one certificate.  Ephemeral certificates are
              only exported if all patterns are given as fingerprints or
              keygrips.

       --export-secret-key-p12 key-id
              Export the private key and the certificate identified by
              key-id in PKCS#12 format.  When used along with the --armor
              option a few informational lines are prepended to the output.
              Note that the PKCS#12 format is not very secure and this
              command is only provided if there is no other way to exchange
              the private key.  (see: [option --p12-charset])

       --import [files]
              Import the certificates from the PEM or binary encoded files
              as well as from signed-only messages.  This command may also
              be used to import a secret key from a PKCS#12 file.

       --learn-card
              Read information about the private keys from the smartcard
              and import the certificates from there.  This command
              utilizes the gpg-agent and in turn the scdaemon.

       --passwd user_id
              Change the passphrase of the private key belonging to the
              certificate specified as user_id.  Note that changing the
              passphrase/PIN of a smartcard is not yet supported.

OPTIONS
       GPGSM features a bunch of options to control the exact behaviour and
       to change the default configuration.

   How to change the configuration
       These options are used to change the configuration and are usually
       found in the option file.

       --options file
              Reads configuration from file instead of from the default
              per-user configuration file.  The default configuration file
              is named ‘gpgsm.conf’ and expected in the ‘.gnupg’ directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir.  If this option is
              not used, the home directory defaults to ‘~/.gnupg’.  It is
              only recognized when given on the command line.  It also
              overrides any home directory stated through the environment
              variable ‘GNUPGHOME’ or (on W32 systems) by means of the
              Registry entry HKCU\Software\GNU\GnuPG:HomeDir.

       -v
       --verbose
              Outputs additional information while running.  You can
              increase the verbosity by giving several verbose commands to
              gpgsm, such as '-vv'.

       --policy-file filename
              Change the default name of the policy file to filename.

       --agent-program file
              Specify an agent program to be used for secret key operations.
              The default value is ‘/usr/local/bin/gpg-agent’.  This is only
              used as a fallback when the environment variable
              GPG_AGENT_INFO is not set or a running agent can't be
              connected.

       --dirmngr-program file
              Specify a dirmngr program to be used for CRL checks.  The
              default value is ‘/usr/sbin/dirmngr’.  This is only used as a
              fallback when the environment variable DIRMNGR_INFO is not set
              or a running dirmngr can't be connected.

       --prefer-system-dirmngr
              If a system wide dirmngr is running in daemon mode, first try
              to connect to this one.  Fall back to a pipe based server if
              this does not work.  Under Windows this option is ignored
              because the system dirmngr is always used.

       --disable-dirmngr
              Entirely disable the use of the Dirmngr.

       --no-secmem-warning
              Don't print a warning when the so called "secure memory" can't
              be used.

       --log-file file
              When running in server mode, append all logging output to
              file.

   Certificate related options
       --enable-policy-checks
       --disable-policy-checks
              By default policy checks are enabled.  These options may be
              used to change it.

       --enable-crl-checks
       --disable-crl-checks
              By default the CRL checks are enabled and the DirMngr is used
              to check for revoked certificates.  The disable option is
              most useful with an off-line network connection to suppress
              this check.

       --enable-trusted-cert-crl-check
       --disable-trusted-cert-crl-check
              By default the CRLs for trusted root certificates are checked
              like for any other certificates.  This allows a CA to revoke
              its own certificates voluntarily without the need of putting
              all ever issued certificates into a CRL.  The disable option
              may be used to switch this extra check off.  Due to the
              caching done by the Dirmngr, there won't be any noticeable
              performance gain.  Note that this also disables possible OCSP
              checks for trusted root certificates.  A more specific way of
              disabling this check is by adding the ``relax'' keyword to the
              root CA line of the ‘trustlist.txt’.

       --force-crl-refresh
              Tell the dirmngr to reload the CRL for each request.  For
              better performance, the dirmngr will actually optimize this
              by suppressing the loading for short time intervals (e.g. 30
              minutes).  This option is useful to make sure that a fresh
              CRL is available for certificates held in the keybox.  The
              suggested way of doing this is by using it along with the
              option --with-validation for a key listing command.  This
              option should not be used in a configuration file.

       --enable-ocsp
       --disable-ocsp
              By default OCSP checks are disabled.  The enable option may
              be used to enable OCSP checks via Dirmngr.  If CRL checks are
              also enabled, CRLs will be used as a fallback if for some
              reason an OCSP request won't succeed.  Note that you have to
              allow OCSP requests in Dirmngr's configuration too (option
              --allow-ocsp) and configure dirmngr properly.  If you don't
              do so you will get the error code 'Not supported'.

       --auto-issuer-key-retrieve
              If a required certificate is missing while validating the
              chain of certificates, try to load that certificate from an
              external location.  This usually means that Dirmngr is
              employed to search for the certificate.  Note that this
              option makes a "web bug" like behavior possible.  LDAP server
              operators can see which keys you request, so by sending you a
              message signed by a brand new key (which you naturally will
              not have in your local keybox), the operator can tell both
              your IP address and the time when you verified the signature.

       --validation-model name
              This option changes the default validation model.  The only
              possible values are "shell" (which is the default) and
              "chain" which forces the use of the chain model.  The chain
              model is also used if an option in the ‘trustlist.txt’ or an
              attribute of the certificate requests it.  However the
              standard model (shell) is in that case always tried first.

       --ignore-cert-extension oid
              Add oid to the list of ignored certificate extensions.  The
              oid is expected to be in dotted decimal form, like 2.5.29.3.
              This option may be used more than once.  Critical flagged
              certificate extensions matching one of the OIDs in the list
              are treated as if they are actually handled and thus the
              certificate won't be rejected due to an unknown critical
              extension.  Use this option with care because extensions are
              usually flagged as critical for a reason.

   Input and Output
       --armor
       -a     Create PEM encoded output.  Default is binary output.

       --base64
              Create Base-64 encoded output; i.e. PEM without the header
              lines.

       --assume-armor
              Assume the input data is PEM encoded.  Default is to
              autodetect the encoding but this may fail.

       --assume-base64
              Assume the input data is plain base-64 encoded.

       --assume-binary
              Assume the input data is binary encoded.

       --p12-charset name
              gpgsm uses the UTF-8 encoding when encoding passphrases for
              PKCS#12 files.  This option may be used to force the
              passphrase to be encoded in the specified encoding name.
              This is useful if the application used to import the key
              uses a different encoding and thus won't be able to import a
              file generated by gpgsm.  Commonly used values for name are
              Latin1 and CP850.  Note that gpgsm itself automagically
              imports any file with a passphrase encoded in the most
              commonly used encodings.

       --default-key user_id
              Use user_id as the standard key for signing.  This key is
              used if no other key has been defined as a signing key.  Note
              that the first --local-user option also sets this key if it
              has not yet been set; however --default-key always overrides
              this.

       --local-user user_id
       -u user_id
              Set the user(s) to be used for signing.  The default is the
              first secret key found in the database.

       --recipient name
       -r     Encrypt to the user id name.  There are several ways a user
              id may be given (see: [how-to-specify-a-user-id]).

       --output file
       -o file
              Write output to file.  The default is to write it to stdout.

       --with-key-data
              Displays extra information with the --list-keys commands.
              Especially a line tagged grp is printed which tells you the
              keygrip of a key.  This string is for example used as the
              file name of the secret key.

       --with-validation
              When doing a key listing, do a full validation check for each
              key and print the result.  This is usually a slow operation
              because it requires a CRL lookup and other operations.

              When used along with --import, a validation of the
              certificate to import is done and it is only imported if it
              passes the test.  Note that this does not affect an already
              available certificate in the DB.  This option is therefore
              useful to simply verify a certificate.

       --with-md5-fingerprint
              For standard key listings, also print the MD5 fingerprint of
              the certificate.

       --with-keygrip
              Include the keygrip in standard key listings.  Note that the
              keygrip is always listed in --with-colons mode.

   How to change how the CMS is created.
       --include-certs n
              Using n of -2 includes all certificates except for the root
              cert, -1 includes all certs, 0 does not include any certs, 1
              includes only the signer's cert and all other positive values
              include up to n certificates starting with the signer cert.
              The default is -2.
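       The selection rule of --include-certs, as an added Python example
       that is not code from this man page or from GnuPG: the chain is a
       constructed list ordered from the signer's certificate up to the
       root, and the function name is this example's own.

```python
"""Which certificates gpgsm embeds for a given --include-certs n.

Added example, not code from the gpgsm man page or the GnuPG sources; it
models the rule given in the option description.  The chain is a list
ordered from the signer's certificate (index 0) up to the root (last).
"""

DEFAULT_INCLUDE_CERTS = -2  # the default stated by the man page


def select_included_certs(chain, n=DEFAULT_INCLUDE_CERTS):
    """Return the certificates to embed in the CMS structure.

      -2: everything except the root certificate
      -1: the whole chain
       0: nothing
     n>0: up to n certificates starting with the signer's
    """
    if not chain:
        return []
    if n == -2:
        # The root is the last element; a lone self-signed signer IS the
        # root, so the default embeds nothing for it.
        return list(chain[:-1])
    if n == -1:
        return list(chain)
    if n == 0:
        return []
    if n > 0:
        return list(chain[:n])  # fewer than n if the chain is shorter
    raise ValueError("--include-certs accepts -2, -1, 0 or a positive count")


# Constructed sample chain (names only, no real certificates).
SAMPLE_CHAIN = ["signer", "intermediate-ca", "root-ca"]

if __name__ == "__main__":
    for n in (-2, -1, 0, 1, 2, 5):
        print("--include-certs %d -> %s" % (n, select_included_certs(SAMPLE_CHAIN, n)))
```

       Leaving the root out (the default) costs nothing on the verifier's
       side: a root that arrives inside the message is never a trust anchor,
       the verifier has to hold it in its own ‘trustlist.txt’ anyway.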
532
533
534 --cipher-algo oid
535 Use the cipher algorithm with the ASN.1 object identifier oid
536 for encryption. For convenience the strings 3DES, AES and
537 AES256 may be used instead of their OIDs. The default is 3DES
538 (1.2.840.113549.3.7).
539
540
541 --digest-algo name
542 Use name as the message digest algorithm. Usually this algo‐
543 rithm is deduced from the respective signing certificate. This
544 option forces the use of the given algorithm and may lead to
545 severe interoperability problems.
546
547
548
549
550
551
552 Doing things one usually don't want to do.
553
554
555
556
557
558 --extra-digest-algo name
559 Sometimes signatures are broken in that they announce a differ‐
560 ent digest algorithm than actually used. gpgsm uses a one-pass
561 data processing model and thus needs to rely on the announced
562 digest algorithms to properly hash the data. As a workaround
563 this option may be used to tell gpg to also hash the data using
564 the algorithm name; this slows processing down a little bit but
565 allows to verify such broken signatures. If gpgsm prints an
566 error like ``digest algo 8 has not been enabled'' you may want
567 to try this option, with 'SHA256' for name.
568
569
570
571 --faked-system-time epoch
572 This option is only useful for testing; it sets the system time
573 back or forth to epoch which is the number of seconds elapsed
574 since the year 1970. Alternatively epoch may be given as a full
575 ISO time string (e.g. "20070924T154812").
576
577
578 --with-ephemeral-keys
579 Include ephemeral flagged keys in the output of key listings.
580 Note that they are included anyway if the key specification for
581 a listing is given as fingerprint or keygrip.
582
583
584 --debug-level level
585 Select the debug level for investigating problems. level may be
586 a numeric value or by a keyword:
587
588
589 none No debugging at all. A value of less than 1 may be used
590 instead of the keyword.
591
592 basic Some basic debug messages. A value between 1 and 2 may
593 be used instead of the keyword.
594
595 advanced
596 More verbose debug messages. A value between 3 and 5 may
597 be used instead of the keyword.
598
599 expert Even more detailed messages. A value between 6 and 8 may
600 be used instead of the keyword.
601
602 guru All of the debug messages you can get. A value greater
603 than 8 may be used instead of the keyword. The creation
604 of hash tracing files is only enabled if the keyword is
605 used.
606
607 How these messages are mapped to the actual debugging flags is not
608 specified and may change with newer releases of this program. They are
609 however carefully selected to best aid in debugging.
610
611
612 --debug flags
613 This option is only useful for debugging and the behaviour may
614 change at any time without notice; using --debug-levels is the
615 preferred method to select the debug verbosity. FLAGS are bit
616 encoded and may be given in usual C-Syntax. The currently
617 defined bits are:
618
619
620 0 (1) X.509 or OpenPGP protocol related data
621
622 1 (2) values of big number integers
623
624 2 (4) low level crypto operations
625
626 5 (32) memory allocation
627
628 6 (64) caching
629
630 7 (128)
631 show memory statistics.
632
633 9 (512)
634 write hashed data to files named dbgmd-000*
635
636 10 (1024)
637 trace Assuan protocol
638
639 Note, that all flags set using this option may get overridden by
640 --debug-level.
641
642
643 --debug-all
644 Same as --debug=0xffffffff
645
646
647 --debug-allow-core-dump
648 Usually gpgsm tries to avoid dumping core by well written code
649 and by disabling core dumps for security reasons. However, bugs
650 are pretty durable beasts and to squash them it is sometimes
651 useful to have a core dump. This option enables core dumps
652 unless the Bad Thing happened before the option parsing.
653
654
655 --debug-no-chain-validation
656 This is actually not a debugging option but only useful as such.
657 It lets gpgsm bypass all certificate chain validation checks.
658
659
660 --debug-ignore-expiration
661 This is actually not a debugging option but only useful as such.
662 It lets gpgsm ignore all notAfter dates, this is used by the
663 regression tests.
664
665
666 --fixed-passphrase string
667 Supply the passphrase string to the gpg-protect-tool. This
668 option is only useful for the regression tests included with
669 this package and may be revised or removed at any time without
670 notice.
671
672
673 --no-common-certs-import
674 Suppress the import of common certificates on keybox creation.
675
676
677 All the long options may also be given in the configuration file
678 after stripping off the two leading dashes.
679
680
681
HOW TO SPECIFY A USER ID
       There are different ways to specify a user ID to GnuPG.  Some of
       them are only valid for gpg, others are only good for gpgsm.  Here
       is the entire list of ways to specify a key:

       By key Id.
              This format is deduced from the length of the string and its
              content or 0x prefix.  The key Id of an X.509 certificate is
              the low 64 bits of its SHA-1 fingerprint.  The use of key Ids
              is just a shortcut; for all automated processing the
              fingerprint should be used.

              When using gpg an exclamation mark (!) may be appended to
              force using the specified primary or secondary key and not to
              try and calculate which primary or secondary key to use.

              The last four lines of the example give the key ID in their
              long form as internally used by the OpenPGP protocol.  You
              can see the long key ID using the option --with-colons.

                   234567C4
                   0F34E556E
                   01347A56A
                   0xAB123456

                   234AABBCC34567C4
                   0F323456784E56EAB
                   01AB3FED1347A5612
                   0x234AABBCC34567C4

       By fingerprint.
              This format is deduced from the length of the string and its
              content or the 0x prefix.  Note that only the 20 byte version
              fingerprint is available with gpgsm (i.e. the SHA-1 hash of
              the certificate).

              When using gpg an exclamation mark (!) may be appended to
              force using the specified primary or secondary key and not to
              try and calculate which primary or secondary key to use.

              The best way to specify a key Id is by using the fingerprint.
              This avoids any ambiguities in case that there are duplicated
              key IDs.

                   1234343434343434C434343434343434
                   123434343434343C3434343434343734349A3434
                   0E12343434343434343434EAB3484343434343434
                   0xE12343434343434343434EAB3484343434343434

       (gpgsm also accepts colons between each pair of hexadecimal digits
       because this is the de-facto standard on how to present X.509
       fingerprints.)

       By exact match on OpenPGP user ID.
              This is denoted by a leading equal sign.  It does not make
              sense for X.509 certificates.

                   =Heinrich Heine <heinrichh@uni-duesseldorf.de>

       By exact match on an email address.
              This is indicated by enclosing the email address in the usual
              way with left and right angles.

                   <heinrichh@uni-duesseldorf.de>

       By word match.
              All words must match exactly (not case sensitive) but can
              appear in any order in the user ID or a subject's name.
              Words are any sequences of letters, digits, the underscore
              and all characters with bit 7 set.

                   +Heinrich Heine duesseldorf

       By exact match on the subject's DN.
              This is indicated by a leading slash, directly followed by
              the RFC-2253 encoded DN of the subject.  Note that you can't
              use the string printed by "gpgsm --list-keys" because that
              one has been reordered and modified for better readability;
              use --with-colons to print the raw (but standard escaped)
              RFC-2253 string.

                   /CN=Heinrich Heine,O=Poets,L=Paris,C=FR

       By exact match on the issuer's DN.
              This is indicated by a leading hash mark, directly followed
              by a slash and then directly followed by the RFC-2253 encoded
              DN of the issuer.  This should return the root cert of the
              issuer.  See note above.

                   #/CN=Root Cert,O=Poets,L=Paris,C=FR

       By exact match on serial number and issuer's DN.
              This is indicated by a hash mark, followed by the hexadecimal
              representation of the serial number, then followed by a slash
              and the RFC-2253 encoded DN of the issuer.  See note above.

                   #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

       By keygrip
              This is indicated by an ampersand followed by the 40 hex
              digits of a keygrip.  gpgsm prints the keygrip when using the
              command --dump-cert.  It does not yet work for OpenPGP keys.

                   &D75F22C3F86E355877348498CDC92BD21010A480

       By substring match.
              This is the default mode but applications may want to
              explicitly indicate this by putting the asterisk in front.
              Match is not case sensitive.

                   Heine
                   *Heine

       Please note that we have reused the hash mark identifier which was
       used in old GnuPG versions to indicate the so called local-id.  It
       is not used anymore and there should be no conflict when used with
       X.509 stuff.

       Using the RFC-2253 format of DNs has the drawback that it is not
       possible to map them back to the original encoding; however we
       don't have to do this because our key database stores this encoding
       as meta data.
821
822
823
824
825
826
828 $ gpgsm -er goo@bar.net <plaintext >ciphertext
829
830
831
832
834 There are a few configuration files to control certain aspects of
835 gpgsm's operation. Unless noted, they are expected in the current home
836 directory (see: [option --homedir]).
837
838
839
840 gpgsm.conf
841 This is the standard configuration file read by gpgsm on
842 startup. It may contain any valid long option; the leading two
843 dashes may not be entered and the option may not be abbreviated.
844 This default name may be changed on the command line (see:
845 [option
846 --options]). You should backup this file.
847
848
849
850 policies.txt
851 This is a list of allowed CA policies. This file should list
852 the object identifiers of the policies line by line. Empty
853 lines and lines starting with a hash mark are ignored. Policies
854 missing in this file and not marked as critical in the certifi‐
855 cate will print only a warning; certificates with policies
856 marked as critical and not listed in this file will fail the
857 signature verification. You should backup this file.
858
859 For example, to allow only the policy 2.289.9.9, the file should
860 look like this:
861
862 # Allowed policies
863 2.289.9.9
864
865
866 qualified.txt
867 This is the list of root certificates used for qualified cer‐
868 tificates. They are defined as certificates capable of creating
869 legally binding signatures in the same way as handwritten signa‐
870 tures are. Comments start with a hash mark and empty lines are
871 ignored. Lines do have a length limit but this is not a serious
872 limitation as the format of the entries is fixed and checked by
873 gpgsm: A non-comment line starts with optional whitespace, fol‐
874 lowed by exactly 40 hex character, white space and a lowercased
875 2 letter country code. Additional data delimited with by a
876 white space is current ignored but might late be used for other
877 purposes.
878
879 Note that even if a certificate is listed in this file, this
880 does not mean that the certificate is trusted; in general the
881 certificates listed in this file need to be listed also in
882 ‘trustlist.txt’.
883
884 This is a global file an installed in the data directory (e.g.
885 ‘/usr/share/gnupg/qualified.txt’). GnuPG installs a suitable
886 file with root certificates as used in Germany. As new Root-CA
887 certificates may be issued over time, these entries may need to
888 be updated; new distributions of this software should come with
889 an updated list but it is still the responsibility of the Admin‐
890 istrator to check that this list is correct.
891
892 Everytime gpgsm uses a certificate for signing or verification
893 this file will be consulted to check whether the certificate
894 under question has ultimately been issued by one of these CAs.
895 If this is the case the user will be informed that the verified
896 signature represents a legally binding (``qualified'') signa‐
897 ture. When creating a signature using such a certificate an
898 extra prompt will be issued to let the user confirm that such a
899 legally binding signature shall really be created.
900
901 Because this software has not yet been approved for use with
902 such certificates, appropriate notices will be shown to indicate
903 this fact.
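       A parser for policies.txt and qualified.txt, together with the
       warn-or-fail rule the policies.txt entry describes and the note that
       a root listed in qualified.txt still has to be trusted separately,
       as an added Python example.  It is not code from the man page or
       from GnuPG; the function names and the sample file contents are
       constructed for this example.

```python
"""Parse gpgsm's policies.txt and qualified.txt and apply their rules.

Added example, not code from the gpgsm man page or the GnuPG sources.
It follows the file formats and the accept/warn/fail rule given in the
FILES section; the sample contents below are constructed.
"""
import re

_OID = re.compile(r"^\d+(\.\d+)+$")                 # dotted decimal, e.g. 2.289.9.9
_QUALIFIED = re.compile(r"^([0-9A-Fa-f]{40})\s+([a-z]{2})(?:\s+.*)?$")


def _content_lines(text):
    """Yield stripped lines, skipping empty ones and hash-mark comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_policies(text):
    """policies.txt: one allowed policy OID per line.  Returns a set of OIDs."""
    allowed = set()
    for line in _content_lines(text):
        if not _OID.match(line):
            raise ValueError("not a dotted-decimal OID: %r" % line)
        allowed.add(line)
    return allowed


def parse_qualified(text):
    """qualified.txt: 40 hex digits, white space, lowercase 2-letter country code.

    Returns {fingerprint: country}; trailing data on a line is ignored,
    as the man page says it currently is.
    """
    roots = {}
    for line in _content_lines(text):
        m = _QUALIFIED.match(line)
        if not m:
            raise ValueError("malformed qualified.txt line: %r" % line)
        roots[m.group(1).upper()] = m.group(2)
    return roots


def check_policies(cert_policies, allowed):
    """Apply the policies.txt rule to a certificate's policy extension.

    cert_policies is a list of (oid, critical) pairs.  Returns
    (accepted, messages): an unlisted policy that is not critical only
    produces a warning, an unlisted critical policy fails verification.
    """
    accepted, messages = True, []
    for oid, critical in cert_policies:
        if oid in allowed:
            continue
        if critical:
            accepted = False
            messages.append("critical policy %s not listed in policies.txt (verification fails)" % oid)
        else:
            messages.append("policy %s not listed in policies.txt (warning only)" % oid)
    return accepted, messages


def qualified_issuer(root_fingerprint, qualified_roots, trusted_roots):
    """A chain yields a qualified signature only if its root is listed in
    qualified.txt AND is trusted (listed in trustlist.txt)."""
    fpr = root_fingerprint.replace(":", "").upper()
    return fpr in qualified_roots and fpr in trusted_roots


# Constructed sample files (the fingerprint is SHA-1("abc"), not a real CA).
POLICIES_TXT = "# Allowed policies\n2.289.9.9\n"
QUALIFIED_TXT = "# constructed qualified.txt\n  A9993E364706816ABA3E25717850C26C9CD0D89D de trailing data ignored\n\n"

if __name__ == "__main__":
    allowed = parse_policies(POLICIES_TXT)
    print(parse_qualified(QUALIFIED_TXT))
    print(check_policies([("2.289.9.9", True), ("1.3.6.1.4.1.99.1", False)], allowed))
    print(check_policies([("1.3.6.1.4.1.99.1", True)], allowed))
```

       Both parsers reject a malformed line outright rather than skipping
       it, which matches the man page's statement that the format is fixed
       and checked by gpgsm; a silently dropped entry in either file would
       change which certificates are accepted without any visible error.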
904
905
906 help.txt
907 This is plain text file with a few help entries used with pinen‐
908 try as well as a large list of help items for gpg and gpgsm.
909 The standard file has English help texts; to install localized
910 versions use filenames like ‘help.LL.txt’ with LL denoting the
911 locale. GnuPG comes with a set of predefined help files in the
912 data directory (e.g. ‘/usr/share/gnupg/help.de.txt’) and allows
913 overriding of any help item by help files stored in the system
914 configuration directory (e.g. ‘/etc/gnupg/help.de.txt’). For a
915 reference of the help file's syntax, please see the installed
916 ‘help.txt’ file.
917
918
919
920 com-certs.pem
921 This file is a collection of common certificates used to popu‐
922 lated a newly created ‘pubring.kbx’. An administrator may
923 replace this file with a custom one. The format is a concatena‐
924 tion of PEM encoded X.509 certificates. This global file is
925 installed in the data directory (e.g. ‘/usr/share/gnupg/com-
926 certs.pem’).
927
928
929 Note that on larger installations, it is useful to put predefined files
930 into the directory ‘/etc/skel/.gnupg/’ so that newly created users
931 start up with a working configuration. For existing users a small
932 helper script is provided to create these files (see: [addgnupghome]).
933
934 For internal purposes gpgsm creates and maintains a few other files;
935 they all live in in the current home directory (see: [option --home‐
936 dir]). Only gpgsm may modify these files.
937
938
939
940 pubring.kbx
941 This a database file storing the certificates as well as meta
942 information. For debugging purposes the tool kbxutil may be
943 used to show the internal structure of this file. You should
944 backup this file.
945
946
947 random_seed
948 This content of this file is used to maintain the internal state
949 of the random number generator across invocations. The same
950 file is used by other programs of this software too.
951
952
953 S.gpg-agent
954 If this file exists and the environment variable
955 ‘GPG_AGENT_INFO’ is not set, gpgsm will first try to connect to
956 this socket for accessing gpg-agent before starting a new gpg-
957 agent instance. Under Windows this socket (which in reality be
958 a plain file describing a regular TCP listening port) is the
959 standard way of connecting the gpg-agent.
960
961
962
963
964
966 gpg2(1), gpg-agent(1)
967
968 The full documentation for this tool is maintained as a Texinfo manual.
969 If GnuPG and the info program are properly installed at your site, the
970 command
971
972 info gnupg
973
974 should give you access to the complete manual including a menu struc‐
975 ture and an index.
976
977
978
979GnuPG 2.0.18 2011-09-20 GPGSM(1)