1GPGCONF(1)                   GNU Privacy Guard 2.2                  GPGCONF(1)
2
3
4

NAME

6       gpgconf - Modify .gnupg home directories
7

SYNOPSIS

9       gpgconf [options] --list-components
10       gpgconf [options] --list-options component
11       gpgconf [options] --change-options component
12
13
14

DESCRIPTION

16       The  gpgconf  is a utility to automatically and reasonable safely query
17       and modify configuration files in the ‘.gnupg’ home directory.   It  is
18       designed  not  to be invoked manually by the user, but automatically by
19       graphical user interfaces (GUI). ([Please note that currently no  lock‐
20       ing  is  done,  so concurrent access should be avoided.  There are some
21       precautions to avoid corruption with concurrent usage, but results  may
22       be  inconsistent  and  some changes may get lost.  The stateless design
23       makes it difficult to provide more guarantees.])
24
25       gpgconf provides access to the configuration of one or more  components
26       of  the  GnuPG system.  These components correspond more or less to the
27       programs that exist in the GnuPG framework, like GPG,  GPGSM,  DirMngr,
28       etc.   But  this is not a strict one-to-one relationship.  Not all con‐
29       figuration options are available through gpgconf.  gpgconf  provides  a
30       generic  and abstract method to access the most important configuration
31       options that can feasibly be controlled via such a mechanism.
32
33       gpgconf can be used to gather and change the options available in  each
34       component,  and  can  also  provide their default values.  gpgconf will
35       give detailed type information that can be used to restrict the  user's
36       input without making an attempt to commit the changes.
37
38       gpgconf provides the backend of a configuration editor.  The configura‐
39       tion editor would usually be a graphical user  interface  program  that
40       displays the current options, their default values, and allows the user
41       to make changes to the options.  These changes can then be made  active
42       with  gpgconf again.  Such a program that uses gpgconf in this way will
43       be called GUI throughout this section.
44
45
46

COMMANDS

48       One of the following commands must be given:
49
50
51
52       --list-components
53              List all components.  This is the default command used  if  none
54              is specified.
55
56
57       --check-programs
58              List  all  available  backend programs and test whether they are
59              runnable.
60
61
62       --list-options component
63              List all options of the component component.
64
65
66       --change-options component
67              Change the options of the component component.
68
69
70       --check-options component
71              Check the options for the component component.
72
73
74       --apply-profile file
75              Apply the configuration settings listed in file to the  configu‐
76              ration  files.  If file has no suffix and no slashes the command
77              first tries to read a file with the suffix .prf  from  the  data
78              directory (gpgconf --list-dirs datadir) before it reads the file
79              verbatim.  A profile is divided into sections using  the  brack‐
80              eted   component name.  Each section then lists the option which
81              shall go into the respective configuration file.
82
83
84       --apply-defaults
85              Update all configuration files with values taken from the global
86              configuration file (usually ‘/etc/gnupg/gpgconf.conf’).
87
88
89       --list-dirs [names]
90              Lists  the directories used by gpgconf.  One directory is listed
91              per line, and each line consists of a colon-separated list where
92              the   first   field   names  the  directory  type  (for  example
93              sysconfdir) and the second field  contains  the  percent-escaped
94              directory.   Although  they are not directories, the socket file
95              names used by gpg-agent and dirmngr are printed as  well.   Note
96              that the socket file names and the homedir lines are the default
97              names and they may be overridden by command line  switches.   If
98              names  are given only the directories or file names specified by
99              the list names are printed without any escaping.
100
101
102       --list-config [filename]
103              List the global configuration file in a colon separated  format.
104              If filename is given, check that file instead.
105
106
107       --check-config [filename]
108              Run  a  syntax check on the global configuration file.  If file‐
109              name is given, check that file instead.
110
111
112
113       --query-swdb package_name [version_string]
114              Returns  the  current  version  for  package_name  and  if  ver‐
115              sion_string  is  given also an indicator on whether an update is
116              available.  The actual file with the software version  is  auto‐
117              matically  downloaded  and  checked  by dirmngr.  dirmngr uses a
118              thresholds to avoid download the file too often and it does this
119              by  default  only if it can be done via Tor.  To force an update
120              of that file this command can be used:
121
122                gpg-connect-agent --dirmngr 'loadswdb --force' /bye
123
124
125
126       --reload [component]
127              Reload all or the given component. This is basically the same as
128              sending  a SIGHUP to the component.  Components which don't sup‐
129              port reloading are ignored.  Without component or by using "all"
130              for component all components which are daemons are reloaded.
131
132
133       --launch [component]
134              If  the  component  is not already running, start it.  component
135              must be a daemon.  This is in general not required  because  the
136              system  starts these daemons as needed.  However, external soft‐
137              ware making direct use of gpg-agent or dirmngr may use this com‐
138              mand to ensure that they are started.  Using "all" for component
139              launches all components which are daemons.
140
141
142       --kill [component]
143              Kill the given component.  Components which support killing  are
144              gpg-agent  and scdaemon.  Components which don't support reload‐
145              ing are ignored.  Using "all" for component kills all components
146              running  as  daemons.   Note that as of now reload and kill have
147              the same effect for scdaemon.
148
149
150       --create-socketdir
151              Create a directory for sockets below /run/user or /var/run/user.
152              This is command is only required if a non default home directory
153              is used and the /run based  sockets  shall  be  used.   For  the
154              default home directory GnUPG creates a directory on the fly.
155
156
157       --remove-socketdir
158              Remove a directory created with command --create-socketdir.
159
160

OPTIONS

162       The following options may be used:
163
164
165
166       -o file
167       --output file
168              Write output to file.  Default is to write to stdout.
169
170
171       -v
172       --verbose
173              Outputs  additional  information  while  running.  Specifically,
174              this extends numerical field values by  human-readable  descrip‐
175              tions.
176
177
178       -q
179       --quiet
180              Try to be as quiet as possible.
181
182
183       -n
184       --dry-run
185              Do  not actually change anything.  This is currently only imple‐
186              mented for --change-options and can be  used  for  testing  pur‐
187              poses.
188
189
190       -r
191       --runtime
192              Only  used  together with --change-options.  If one of the modi‐
193              fied options can be changed in a running daemon process,  signal
194              the  running  daemon to ask it to reparse its configuration file
195              after changing.
196
197              This means that the changes will take effect at run-time, as far
198              as  this  is  possible.  Otherwise, they will take effect at the
199              next start of the respective backend programs.
200
201
202       --status-fd n
203              Write special status strings to the  file  descriptor  n.   This
204              program returns the status messages SUCCESS or FAILURE which are
205              helpful when the caller uses a double fork  approach  and  can't
206              easily get the return code of the process.
207
208

USAGE

210       The command --list-components will list all components that can be con‐
211       figured with gpgconf.  Usually, one component will  correspond  to  one
212       GnuPG-related program and contain the options of that program's config‐
213       uration file that can be modified using gpgconf.  However, this is  not
214       necessarily  the  case.   A component might also be a group of selected
215       options from several programs, or contain entirely virtual options that
216       have  a  special  effect rather than changing exactly one option in one
217       configuration file.
218
219       A component is a set of configuration options that semantically  belong
220       together.   Furthermore,  several changes to a component can be made in
221       an atomic way with a single operation.  The GUI could for example  pro‐
222       vide  a  menu  with  one entry for each component, or a window with one
223       tabulator sheet per component.
224
225       The command --list-components lists all available components,  one  per
226       line.  The format of each line is:
227
228       name:description:pgmname:
229
230
231       name   This  field  contains a name tag of the component.  The name tag
232              is used to specify the component in all communication with  gpg‐
233              conf.   The  name tag is to be used verbatim.  It is thus not in
234              any escaped format.
235
236
237       description
238              The string in this field contains a  human-readable  description
239              of  the  component.   It can be displayed to the user of the GUI
240              for informational purposes.  It is  percent-escaped  and  local‐
241              ized.
242
243
244       pgmname
245              The  string in this field contains the absolute name of the pro‐
246              gram's file.  It can be used to unambiguously invoke  that  pro‐
247              gram.  It is percent-escaped.
248
249       Example:
250         $ gpgconf --list-components
251         gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
252         gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
253         scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
254         gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
255         dirmngr:Directory Manager:/usr/local/bin/dirmngr:
256
257
258
259
260
261   Checking programs
262
263
264       The  command --check-programs is similar to --list-components but works
265       on backend programs and not on components.  It  runs  each  program  to
266       test whether it is installed and runnable.  This also includes a syntax
267       check of all config file options of the program.
268
269       The command --check-programs lists  all  available  programs,  one  per
270       line.  The format of each line is:
271
272       name:description:pgmname:avail:okay:cfgfile:line:error:
273
274
275       name   This field contains a name tag of the program which is identical
276              to the name of the component.  The name tag is to be used verba‐
277              tim.   It  is thus not in any escaped format.  This field may be
278              empty to indicate a continuation of error descriptions  for  the
279              last  name.   The  description  and pgmname fields are then also
280              empty.
281
282
283       description
284              The string in this field contains a  human-readable  description
285              of  the  component.   It can be displayed to the user of the GUI
286              for informational purposes.  It is  percent-escaped  and  local‐
287              ized.
288
289
290       pgmname
291              The  string in this field contains the absolute name of the pro‐
292              gram's file.  It can be used to unambiguously invoke  that  pro‐
293              gram.  It is percent-escaped.
294
295
296       avail  The boolean value in this field indicates whether the program is
297              installed and runnable.
298
299
300       okay   The boolean value in this field indicates whether the  program's
301              config file is syntactically okay.
302
303
304       cfgfile
305              If  an error occurred in the configuration file (as indicated by
306              a false value in the field okay), this field has the name of the
307              failing configuration file.  It is percent-escaped.
308
309
310       line   If  an  error occurred in the configuration file, this field has
311              the line number of the failing statement  in  the  configuration
312              file.  It is an unsigned number.
313
314
315       error  If  an  error occurred in the configuration file, this field has
316              the error text of the failing  statement  in  the  configuration
317              file.  It is percent-escaped and localized.
318
319
320       In the following example the dirmngr is not runnable and the configura‐
321       tion file of scdaemon is not okay.
322
323         $ gpgconf --check-programs
324         gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
325         gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
326         scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
327         gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
328         dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
329
330
331       The command configuration file in the same manner as  --check-programs,
332       but only for the component component.
333
334
335
336
337   Listing options
338
339
340       Every  component contains one or more options.  Options may be gathered
341       into option groups to allow the GUI to give visual hints  to  the  user
342       about which options are related.
343
344       The  command   lists all options (and the groups they belong to) in the
345       component component, one per line.  component must be the string in the
346       field name in the output of the --list-components command.
347
348       There  is  one  line  for  each  option and each group.  First come all
349       options that are not in any group.  Then  comes  a  line  describing  a
350       group.   Then come all options that belong into each group.  Then comes
351       the next group and so on.  There does not need to be any group (and  in
352       this case the output will stop after the last non-grouped option).
353
354       The format of each line is:
355
356       name:flags:level:description:type:alt-type:argname:default:argdef:value
357
358
359       name   This  field  contains  a  name tag for the group or option.  The
360              name tag is used to specify the group or option in all  communi‐
361              cation  with  gpgconf.  The name tag is to be used verbatim.  It
362              is thus not in any escaped format.
363
364
365       flags  The flags field contains an unsigned number.  Its value  is  the
366              OR-wise combination of the following flag values:
367
368
369              group (1)
370                     If  this  flag  is set, this is a line describing a group
371                     and not an option.
372
373       The following flag values are only defined for options (that is, if the
374       group flag is not used).
375
376
377              optional arg (2)
378                     If  this  flag is set, the argument is optional.  This is
379                     never set for type 0 (none) options.
380
381
382              list (4)
383                     If this flag is set, the option  can  be  given  multiple
384                     times.
385
386
387              runtime (8)
388                     If  this  flag  is set, the option can be changed at run‐
389                     time.
390
391
392              default (16)
393                     If this flag is set, a default value is available.
394
395
396              default desc (32)
397                     If this flag is set, a (runtime)  default  is  available.
398                     This and the default flag are mutually exclusive.
399
400
401              no arg desc (64)
402                     If  this  flag  is set, and the optional arg flag is set,
403                     then the option has a special meaning if no  argument  is
404                     given.
405
406
407              no change (128)
408                     If  this  flag is set, gpgconf ignores requests to change
409                     the value.  GUI frontends should grey  out  this  option.
410                     Note,  that manual changes of the configuration files are
411                     still possible.
412
413
414       level  This field is defined for options and for groups.   It  contains
415              an  unsigned  number that specifies the expert level under which
416              this group or option should be displayed.  The following  expert
417              levels  are defined for options (they have analogous meaning for
418              groups):
419
420
421              basic (0)
422                     This option should always be offered to the user.
423
424
425              advanced (1)
426                     This option may be offered to advanced users.
427
428
429              expert (2)
430                     This option should only be offered to expert users.
431
432
433              invisible (3)
434                     This option should normally never be displayed, not  even
435                     to expert users.
436
437
438              internal (4)
439                     This option is for internal use only.  Ignore it.
440
441       The  level of a group will always be the lowest level of all options it
442       contains.
443
444
445       description
446              This field is defined for options and  groups.   The  string  in
447              this  field  contains a human-readable description of the option
448              or group.  It can be displayed to the user of the GUI for infor‐
449              mational purposes.  It is percent-escaped and localized.
450
451
452       type   This field is only defined for options.  It contains an unsigned
453              number that specifies the type of the option's argument, if any.
454              The following types are defined:
455
456              Basic types:
457
458
459              none (0)
460                     No argument allowed.
461
462
463              string (1)
464                     An unformatted string.
465
466
467              int32 (2)
468                     A signed number.
469
470
471              uint32 (3)
472                     An unsigned number.
473
474       Complex types:
475
476
477              pathname (32)
478                     A string that describes the pathname of a file.  The file
479                     does not necessarily need to exist.
480
481
482              ldap server (33)
483                     A string that describes an LDAP server in the format:
484
485                     hostname:port:username:password:base_dn
486
487
488              key fingerprint (34)
489                     A string with a 40 digit fingerprint  specifying  a  cer‐
490                     tificate.
491
492
493              pub key (35)
494                     A  string that describes a certificate by user ID, key ID
495                     or fingerprint.
496
497
498              sec key (36)
499                     A string that describes a certificate with a key by  user
500                     ID, key ID or fingerprint.
501
502
503              alias list (37)
504                     A  string that describes an alias list, like the one used
505                     with gpg's group option.  The list consists of a key,  an
506                     equal sign and space separated values.
507
508       More  types will be added in the future.  Please see the alt-type field
509       for information on how to cope with unknown types.
510
511
512       alt-type
513              This field is identical to type, except that only the types 0 to
514              31  are  allowed.   The  GUI is expected to present the user the
515              option in the format specified by type.   But  if  the  argument
516              type  type is not supported by the GUI, it can still display the
517              option in the more generic basic type alt-type.   The  GUI  must
518              support  all  the  defined basic types to be able to display all
519              options.  More basic types may be added in future versions.   If
520              the  GUI  encounters  a basic type it doesn't support, it should
521              report an error and abort the operation.
522
523
524       argname
525              This field is only defined for options  with  an  argument  type
526              type  that  is  not  0.   In this case it may contain a percent-
527              escaped and localized string that gives a  short  name  for  the
528              argument.   The field may also be empty, though, in which case a
529              short name is not known.
530
531
532       default
533              This field is defined only for options for which the default  or
534              default  desc flag is set.  If the default flag is set, its for‐
535              mat is that of an option argument  (see:  [Format  conventions],
536              for details).  If the default value is empty, then no default is
537              known.  Otherwise, the value specifies  the  default  value  for
538              this  option.   If  the  default  desc flag is set, the field is
539              either empty or contains a description  of  the  effect  if  the
540              option is not given.
541
542
543       argdef This  field  is  defined only for options for which the optional
544              arg flag is set.  If the no arg desc flag is not set, its format
545              is  that  of  an option argument (see: [Format conventions], for
546              details).  If the default value is empty,  then  no  default  is
547              known.   Otherwise, the value specifies the default argument for
548              this option.  If the no arg desc  flag  is  set,  the  field  is
549              either  empty  or  contains  a description of the effect of this
550              option if no argument is given.
551
552
553       value  This field is defined only for options.  Its format is  that  of
554              an  option  argument.   If  it  is empty, then the option is not
555              explicitly set in the current  configuration,  and  the  default
556              applies  (if  any).  Otherwise, it contains the current value of
557              the option.  Note that this field  is  also  meaningful  if  the
558              option  itself  does  not take a real argument (in this case, it
559              contains the number of times the option appears).
560
561   Changing options
562
563
564       The command to change the options of the  component  component  to  the
565       specified  values.   component  must be the string in the field name in
566       the output of the --list-components command.  You have to  provide  the
567       options  that  shall  be  changed  in  the following format on standard
568       input:
569
570       name:flags:new-value
571
572
573       name   This is the name of the option to  change.   name  must  be  the
574              string  in  the  field  name in the output of the --list-options
575              command.
576
577
578       flags  The flags field contains an unsigned number.  Its value  is  the
579              OR-wise combination of the following flag values:
580
581
582              default (16)
583                     If  this  flag  is  set,  the  option  is deleted and the
584                     default value is used instead (if applicable).
585
586
587       new-value
588              The new value for the option.  This field is only defined if the
589              default  flag is not set.  The format is that of an option argu‐
590              ment.  If it is empty (or the field  is  omitted),  the  default
591              argument  is  used (only allowed if the argument is optional for
592              this option).  Otherwise, the option will be set to  the  speci‐
593              fied value.
594
595       The  output  of  the command is the same as that of --check-options for
596       the modified configuration file.
597
598       Examples:
599
600       To set the force option, which is of basic type none (0):
601
602         $ echo 'force:0:1' | gpgconf --change-options dirmngr
603
604       To delete the force option:
605
606         $ echo 'force:16:' | gpgconf --change-options dirmngr
607
608       The --runtime option can influence when the changes take effect.
609
610
611
612
613   Listing global options
614
615
616       Sometimes it is useful for applications to look at the  global  options
617       file ‘gpgconf.conf’.  The colon separated listing format is record ori‐
618       ented and uses the first field to identify the record type:
619
620
621       k      This describes a key record to start the  definition  of  a  new
622              ruleset for a user/group.  The format of a key record is:
623
624                k:user:group:
625
626
627              user   This  is  the  user  field  of  the  key.   It is percent
628                     escaped.  See the definition of the  gpgconf.conf  format
629                     for details.
630
631
632              group  This  is  the  group  field  of  the  key.  It is percent
633                     escaped.
634
635
636       r      This describes a rule record. All rule records up  to  the  next
637              key  record  make  up  a rule set for that key.  The format of a
638              rule record is:
639
640                r:::component:option:flag:value:
641
642
643              component
644                     This is the component part of a  rule.   It  is  a  plain
645                     string.
646
647
648              option This is the option part of a rule.  It is a plain string.
649
650
651              flag   This  is the flags part of a rule.  There may be only one
652                     flag per rule but by using the same component and option,
653                     several  flags  may  be  assigned  to an option.  It is a
654                     plain string.
655
656
657              value  This is the optional value for the option.  It is a  per‐
658                     cent escaped string with a single quotation mark to indi‐
659                     cate a string.  The quotation mark is  only  required  to
660                     distinguish  between  no  value  specified  and  an empty
661                     string.
662
663
664       Unknown record types should be ignored.  Note that there is  intention‐
665       ally no feature to change the global option file through gpgconf.
666
667
668
669
670   Get and compare software versions.
671
672
673       The  GnuPG  Project  operates a server to query the current versions of
674       software packages related to GnuPG.  gpgconf can be used to access this
675       online  database.   To allow for offline operations, this feature works
676       by having dirmngr  download  a  file  from  https://versions.gnupg.org,
677       checking  the  signature of that file and storing the file in the GnuPG
678       home directory.  If gpgconf is used and dirmngr is running, it may  ask
679       dirmngr to refresh that file before itself uses the file.
680
681       The command --query-swdb returns information for the given package in a
682       colon delimited format:
683
684
685
686       name   This is the name of the package as requested.  Note that "gnupg"
687              is a special name which is replaced by the actual package imple‐
688              menting this version of GnuPG.  For this name  it  is  also  not
689              required to specify a version because gpgconf takes its own ver‐
690              sion in this case.
691
692
693       iversion
694              The currently installed version or an empty string.   The  value
695              is  taken  from the command line argument but may be provided by
696              gpg if not given.
697
698
699       status The status of the software package according to this table:
700
701              -      No information available.  This is either because no cur‐
702                     rent version has been specified or due to an error.
703
704              ?      The given name is not known in the online database.
705
706              u      An update of the software is available.
707
708              c      The installed version of the software is current.
709
710              n      The  installed version is already newer than the released
711                     version.
712
713
714       urgency
715              If the value (the empty string should be considered as zero)  is
716              greater than zero an important update is available.
717
718
719       error  This returns an gpg-error error code to distinguish between var‐
720              ious failure modes.
721
722
723       filedate
724              This gives the date of the file  with  the  version  numbers  in
725              standard  ISO  format  (yyyymmddThhmmss).   The  date  has  been
726              extracted by dirmngr from the signature of the file.
727
728
729       verified
730              This gives the date in ISO format the file was downloaded.  This
731              value can be used to evaluate the freshness of the information.
732
733
734       version
735              This  returns the version string for the requested software from
736              the file.
737
738
739       reldate
740              This returns the release date in ISO format.
741
742
743       size   This returns the size of the package as decimal number of bytes.
744
745
746       hash   This returns a hexified SHA-2 hash of the package.
747
748
749       More fields may be added in future to the output.
750
751
752

FILES

754       /etc/gnupg/gpgconf.conf
755                If this file exists, it is processed as a global configuration
756              file.
757                A  commented  example can be found in the ‘examples’ directory
758              of
759                the distribution.
760
761
762       GNUPGHOME/swdb.lst
763                A file with current software versions.  dirmngr creates
764                this file on demand from an online resource.
765
766

SEE ALSO

768       gpg(1), gpgsm(1), gpg-agent(1), scdaemon(1), dirmngr(1)
769
770       The full documentation for this tool is maintained as a Texinfo manual.
771       If  GnuPG and the info program are properly installed at your site, the
772       command
773
774         info gnupg
775
776       should give you access to the complete manual including a  menu  struc‐
777       ture and an index.
778
779
780
781
782
783
784
785GnuPG 2.2.13                      2019-02-11                        GPGCONF(1)
Impressum